diff --git a/terraform/environments/analytical-platform-compute/efs.tf b/terraform/environments/analytical-platform-compute/efs.tf
deleted file mode 100644
index 9e0defad2fb..00000000000
--- a/terraform/environments/analytical-platform-compute/efs.tf
+++ /dev/null
@@ -1,55 +0,0 @@
-module "actions_runner_cache_efs" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
- #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
-
- count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0
-
- source = "terraform-aws-modules/efs/aws"
- version = "1.6.3"
-
- name = "actions-runner-cache"
- encrypted = true
- kms_key_arn = module.actions_runner_cache_efs_kms[0].key_arn
- attach_policy = false
-
- enable_backup_policy = true
-
- mount_targets = {
- "private-subnets-0" = {
- subnet_id = module.vpc.private_subnets[0]
- }
- "private-subnets-1" = {
- subnet_id = module.vpc.private_subnets[1]
- }
- "private-subnets-2" = {
- subnet_id = module.vpc.private_subnets[2]
- }
- }
-
- security_group_vpc_id = module.vpc.vpc_id
- security_group_rules = {
- private-subnets = {
- cidr_blocks = module.vpc.private_subnets_cidr_blocks
- }
- }
-
- access_points = {
- cache = {
- name = "cache"
- posix_user = {
- gid = 10000
- uid = 10000
- }
- root_directory = {
- path = "/cache"
- creation_info = {
- owner_gid = 10000
- owner_uid = 10000
- permissions = "775"
- }
- }
- }
- }
-
- tags = local.tags
-}
diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf
index 3575f976b67..0b829e70437 100644
--- a/terraform/environments/analytical-platform-compute/environment-configuration.tf
+++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf
@@ -17,7 +17,7 @@ locals {
 eks_cloudwatch_log_group_retention_in_days = 400 /* Kube Prometheus Stack */
- prometheus_operator_crd_version = "v0.76.0"
+ prometheus_operator_crd_version = "v0.76.1"
 /* Environment Configuration */ environment_configuration = local.environment_configurations[local.environment]
diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf
index b14cabd415d..08c28b51c2e 100644
--- a/terraform/environments/analytical-platform-compute/helm-charts-system.tf
+++ b/terraform/environments/analytical-platform-compute/helm-charts-system.tf
@@ -71,7 +71,7 @@ resource "helm_release" "amazon_prometheus_proxy" {
 name = "amazon-prometheus-proxy"
 repository = "https://prometheus-community.github.io/helm-charts"
 chart = "kube-prometheus-stack"
- version = "61.9.0"
+ version = "62.7.0"
 namespace = kubernetes_namespace.aws_observability.metadata[0].name
 values = [ templatefile(
@@ -119,7 +119,7 @@ resource "helm_release" "karpenter_crd" {
 name = "karpenter-crd"
 repository = "oci://public.ecr.aws/karpenter"
 chart = "karpenter-crd"
- version = "1.0.2"
+ version = "1.0.3"
 namespace = kubernetes_namespace.karpenter.metadata[0].name
 values = [
@@ -141,7 +141,7 @@ resource "helm_release" "karpenter" {
 name = "karpenter"
 repository = "oci://public.ecr.aws/karpenter"
 chart = "karpenter"
- version = "1.0.2"
+ version = "1.0.3"
 namespace = kubernetes_namespace.karpenter.metadata[0].name
 values = [
diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf
index 11ea0c06b97..c07701e2968 100644
--- a/terraform/environments/analytical-platform-compute/iam-roles.tf
+++ b/terraform/environments/analytical-platform-compute/iam-roles.tf
@@ -3,7 +3,7 @@ module "vpc_cni_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "vpc-cni"
 attach_vpc_cni_policy = true
@@ -24,7 +24,7 @@ module "ebs_csi_driver_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "ebs-csi-driver"
 attach_ebs_csi_policy = true
@@ -44,7 +44,7 @@ module "efs_csi_driver_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "efs-csi-driver"
 attach_efs_csi_policy = true
@@ -64,7 +64,7 @@ module "aws_for_fluent_bit_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "aws-for-fluent-bit"
@@ -88,7 +88,7 @@ module "amazon_prometheus_proxy_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "amazon-prometheus-proxy"
@@ -111,7 +111,7 @@ module "cluster_autoscaler_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "cluster-autoscaler"
@@ -133,7 +133,7 @@ module "external_dns_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "external-dns"
 attach_external_dns_policy = true
@@ -154,7 +154,7 @@ module "cert_manager_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "cert-manager"
 attach_cert_manager_policy = true
@@ -175,7 +175,7 @@ module "external_secrets_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "external-secrets"
 attach_external_secrets_policy = true
@@ -196,7 +196,7 @@ module "mlflow_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 role_name_prefix = "mlflow"
@@ -219,7 +219,7 @@ module "gha_mojas_airflow_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
- version = "5.44.0"
+ version = "5.44.1"
 name = "github-actions-mojas-airflow"
@@ -237,7 +237,7 @@ module "lake_formation_share_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.44.0"
+ version = "5.44.1"
 create_role = true
 role_requires_mfa = false
@@ -265,7 +265,7 @@ module "analytical_platform_ui_service_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.44.0"
+ version = "5.44.1"
 create_role = true
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-persistent-volume-claims.tf b/terraform/environments/analytical-platform-compute/kubernetes-persistent-volume-claims.tf
deleted file mode 100644
index 5b978ff533a..00000000000
--- a/terraform/environments/analytical-platform-compute/kubernetes-persistent-volume-claims.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-resource "kubernetes_persistent_volume_claim" "actions_runner_cache" {
- count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0
-
- metadata {
- name = "actions-runner-cache"
- namespace = "actions-runners"
- }
- spec {
- access_modes = ["ReadWriteMany"]
- resources {
- requests = {
- storage = "100Gi"
- }
- }
- storage_class_name = "efs-sc"
- volume_name = kubernetes_persistent_volume.actions_runner_cache[0].metadata[0].name
- }
- wait_until_bound = false
-}
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-persistent-volumes.tf b/terraform/environments/analytical-platform-compute/kubernetes-persistent-volumes.tf
deleted file mode 100644
index 83d7d0770d5..00000000000
--- a/terraform/environments/analytical-platform-compute/kubernetes-persistent-volumes.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-resource "kubernetes_persistent_volume" "actions_runner_cache" {
- count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0
-
- metadata {
- name = "actions-runner-cache"
- }
- spec {
- capacity = {
- storage = "100Gi"
- }
- access_modes = ["ReadWriteMany"]
- persistent_volume_reclaim_policy = "Retain"
- storage_class_name = "efs-sc"
- persistent_volume_source {
- csi {
- driver = "efs.csi.aws.com"
- volume_handle = "${module.actions_runner_cache_efs[0].id}::${module.actions_runner_cache_efs[0].access_points["cache"].id}"
- }
- }
- }
-}
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
index b55b38d5f8f..c4c1e02bbf8 100644
--- a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
+++ b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
@@ -2,7 +2,7 @@ module "transfer_structured_logs" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
- version = "5.3.1"
+ version = "5.6.0"
 name = "/aws/transfer-structured-logs"
 kms_key_id = module.transfer_logs_kms.key_arn
diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf
index b34d51982c5..03bd4ff09b2 100644
--- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf
+++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf
@@ -17,7 +17,7 @@ module "transfer_server_iam_policy" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.42.0"
+ version = "5.44.1"
 name_prefix = "transfer-server"
diff --git a/terraform/environments/analytical-platform-ingestion/iam-roles.tf b/terraform/environments/analytical-platform-ingestion/iam-roles.tf
index 751063e8a69..f7e375fa225 100644
--- a/terraform/environments/analytical-platform-ingestion/iam-roles.tf
+++ b/terraform/environments/analytical-platform-ingestion/iam-roles.tf
@@ -2,7 +2,7 @@ module "transfer_server_iam_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.42.0"
+ version = "5.44.1"
 create_role = true
diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
index 7a7134a4694..2d3f086f2bc 100644
--- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf
+++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf
@@ -2,7 +2,7 @@ module "transfer_logs_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["logs/transfer"]
 description = "CloudWatch Logs for the Transfer Server"
@@ -42,7 +42,7 @@ module "s3_landing_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["s3/landing"]
 description = "Family SFTP Server, Landing S3 KMS Key"
@@ -55,7 +55,7 @@ module "s3_processed_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["s3/processed"]
 description = "Family SFTP Server, Processed S3 KMS Key"
@@ -68,7 +68,7 @@ module "s3_quarantine_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["s3/quarantine"]
 description = "Family SFTP Server, Quarantine S3 KMS Key"
@@ -81,7 +81,7 @@ module "s3_definitions_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["s3/definitions"]
 description = "Ingestion Scanning ClamAV S3 KMS Key"
@@ -94,7 +94,7 @@ module "s3_bold_egress_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["s3/bold-egress"]
 description = "Used in the Bold Egress Solution"
@@ -123,7 +123,7 @@ module "quarantined_sns_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["sns/quarantined"]
 description = "Key for quarantined notifications"
@@ -153,7 +153,7 @@ module "transferred_sns_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["sns/transferred"]
 description = "Key for transferred notifications"
@@ -166,7 +166,7 @@ module "govuk_notify_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["secretsmanager/govuk-notify"]
 description = "Key for GOV.UK Notify data"
@@ -179,7 +179,7 @@ module "supplier_data_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["secretsmanager/supplier-data"]
 description = "Key for SFTP supplier data"
@@ -192,7 +192,7 @@ module "slack_token_kms" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/kms/aws"
- version = "2.2.1"
+ version = "3.1.0"
 aliases = ["secretsmanager/slack-token"]
 description = "Slack token for notifications"
diff --git a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
index 83294cf7176..5331da09174 100644
--- a/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
+++ b/terraform/environments/analytical-platform-ingestion/lambda-functions.tf
@@ -2,7 +2,7 @@ module "definition_upload_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
 source = "terraform-aws-modules/lambda/aws"
- version = "7.7.1"
+ version = "7.9.0"
 publish = true
 create_package = false
@@ -60,7 +60,7 @@ module "scan_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
 source = "terraform-aws-modules/lambda/aws"
- version = "7.7.1"
+ version = "7.9.0"
 publish = true
 create_package = false
@@ -135,7 +135,7 @@ module "transfer_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
 source = "terraform-aws-modules/lambda/aws"
- version = "7.7.1"
+ version = "7.9.0"
 publish = true
 create_package = false
@@ -244,7 +244,7 @@ module "notify_quarantined_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
 source = "terraform-aws-modules/lambda/aws"
- version = "7.7.1"
+ version = "7.9.0"
 publish = true
 create_package = false
@@ -310,7 +310,7 @@ module "notify_transferred_lambda" {
 #checkov:skip=CKV_TF_1:Module is from Terraform registry
 source = "terraform-aws-modules/lambda/aws"
- version = "7.7.1"
+ version = "7.9.0"
 publish = true
 create_package = false
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
index efea5d3209b..50c08a6f186 100644
--- a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user-with-egress/main.tf
@@ -47,7 +47,7 @@ module "policy" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.42.0"
+ version = "5.44.1"
 name_prefix = "transfer-user-${var.name}"
@@ -58,7 +58,7 @@ module "role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.42.0"
+ version = "5.44.1"
 create_role = true
diff --git a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
index 81e2daf0e33..4bc638b957d 100644
--- a/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
+++ b/terraform/environments/analytical-platform-ingestion/modules/transfer-family/user/main.tf
@@ -34,7 +34,7 @@ module "policy" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.42.0"
+ version = "5.44.1"
 name_prefix = "transfer-user-${var.name}"
@@ -45,7 +45,7 @@ module "role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.42.0"
+ version = "5.44.1"
 create_role = true
diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf
index a2f1b4ce1b7..249254c19ba 100644
--- a/terraform/environments/analytical-platform-ingestion/security-groups.tf
+++ b/terraform/environments/analytical-platform-ingestion/security-groups.tf
@@ -18,7 +18,7 @@ module "definition_upload_lambda_security_group" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/security-group/aws"
- version = "~> 5.0"
+ version = "5.2.0"
 name = "${local.application_name}-${local.environment}-definition-upload-lambda"
 description = "Security Group for Definition Upload Lambda"
@@ -36,7 +36,7 @@ module "transfer_lambda_security_group" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/security-group/aws"
- version = "~> 5.0"
+ version = "5.2.0"
 name = "${local.application_name}-${local.environment}-transfer-lambda"
 description = "Security Group for Transfer Lambda"
@@ -54,7 +54,7 @@ module "scan_lambda_security_group" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/security-group/aws"
- version = "~> 5.0"
+ version = "5.2.0"
 name = "${local.application_name}-${local.environment}-scan-lambda"
 description = "Security Group for Scan Lambda"
diff --git a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
index 32ffd43d9a2..66eb847d95c 100644
--- a/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
+++ b/terraform/environments/analytical-platform-ingestion/transform-iam-roles.tf
@@ -2,7 +2,7 @@ module "transfer_family_service_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.42.0"
+ version = "5.44.1"
 create_role = true
diff --git a/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf b/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf
index b0a60bbff80..2b066ab98f1 100644
--- a/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf
+++ b/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf
@@ -2,7 +2,7 @@ module "vpc_endpoints" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
- version = "~> 5.0"
+ version = "5.13.0"
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.private_subnets
diff --git a/terraform/environments/analytical-platform-ingestion/vpc.tf b/terraform/environments/analytical-platform-ingestion/vpc.tf
index 3cb476a58f4..64da48c0399 100644
--- a/terraform/environments/analytical-platform-ingestion/vpc.tf
+++ b/terraform/environments/analytical-platform-ingestion/vpc.tf
@@ -2,7 +2,7 @@ module "vpc" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 5.0"
+ version = "5.13.0"
 name = "${local.application_name}-${local.environment}"
 azs = slice(data.aws_availability_zones.available.names, 0, 3)