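// Account id of the credentials running the plan. Every log, ECR and execute-api
// ARN built below is scoped to this account so nothing grants cross-account access.
data "aws_caller_identity" "current" {}

//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Region----------------------------------------------------------------//
// Current region; all region-qualified ARNs in this file derive from it (see the
// note on the CloudwatchLogAccess statement in the Lambda section).
data "aws_region" "current" {}

//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Network----------------------------------------------------------------//
// The target VPC is selected purely by tags. All three tags must match, otherwise
// the lookup fails at plan time (no silent fallback to the default VPC).
data "aws_vpc" "vpc" {
  filter {
    name   = "tag:Security"
    values = [upper(var.security)]
  }
  filter {
    name   = "tag:Company"
    values = [upper(var.company)]
  }
  filter {
    name   = "tag:ServiceID"
    values = [upper(var.service_id)]
  }
}

// Frontend subnets: matched by a Name wildcard inside the VPC above.
// NOTE(review): the tag:Security filter is commented out here but is active on
// backend_subnets below, so frontend placement is not constrained by the security
// tag — confirm this asymmetry is intended.
data "aws_subnets" "frontend_subnets" {
  filter {
    name   = "tag:Name"
    values = ["*front*"]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
  # filter {
  #   name   = "tag:Security"
  #   values = [upper(var.security)]
  # }
  filter {
    name   = "tag:Environment"
    values = [upper(var.environment), "PPD"] # Adding PPD because in dev all the environment tags have this value
    # }
  }
}

// Backend subnets: private/back subnets in the same VPC, constrained by the
// Security and Environment tags.
data "aws_subnets" "backend_subnets" {
  filter {
    name   = "tag:Name"
    values = ["*private*", "*back*"]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
  filter {
    name   = "tag:Security"
    values = [upper(var.security)]
  }
  filter {
    name   = "tag:Environment"
    values = [upper(var.environment), "PPD"] # Adding PPD because in dev all the environment tags have this value
  }
}

//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ SGs -------------------------------------------------------------------//
// Shared security group looked up by Name tag within the selected VPC.
data "aws_security_groups" "allin" {
  filter {
    name   = "tag:Name"
    values = [local.allin_security_group_name]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
}

//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Api Gateway ----------------------------------------------------------------//
// Interface endpoint for execute-api in this VPC; its id is injected into the
// OpenAPI template so the REST API is reachable only through the VPC.
data "aws_vpc_endpoint" "apigateway" {
  vpc_id       = data.aws_vpc.vpc.id
  service_name = "com.amazonaws.${data.aws_region.current.region}.execute-api"
}

// Renders the OpenAPI definition with environment-specific values.
// NOTE(review): the template provider is deprecated in favour of the built-in
// templatefile() function; kept as-is because consumers read
// data.template_file.openapi_template.rendered — migrate together with them.
data "template_file" "openapi_template" {
  template = file("${path.module}/openapi.template.yaml")
  # template = file("${path.module}/openapi.dummy.yaml.tpl")
  vars = {
    appname                    = var.appname
    environment                = var.environment
    apigateway_vpc_endpoint_id = data.aws_vpc_endpoint.apigateway.id
    lambda_arn                 = module.lambda_backend.lambda_function_arn # "lambda_role_dummy"
    # api_gateway_execution_role_arn = aws_iam_role.api_gateway_execution_role.arn
  }
}

// Trust policy: only the API Gateway service principal may assume the execution role.
data "aws_iam_policy_document" "api_gateway_execution_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

// Execution role permissions: invoke only functions in this account/region whose
// name starts with the app name.
data "aws_iam_policy_document" "api_gateway_execution_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction",
    ]
    resources = [
      "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.appname}*"
    ]
  }
}

// Resource policy for a private REST API: any principal may invoke, but only when
// the call originates from the selected VPC (aws:sourceVpc). The wildcard
// principal is what makes the endpoint reachable from the VPC endpoint; the
// condition is the actual access boundary, so keep both in sync.
data "aws_iam_policy_document" "api_gateway_invoke_policy" {
  statement {
    effect = "Allow"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["execute-api:Invoke"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:sourceVpc"
      values   = [data.aws_vpc.vpc.id]
    }
  }
}

// CloudWatch Logs permissions for API Gateway logging, scoped to this account/region.
data "aws_iam_policy_document" "cloudwatch" {
  #checkov:skip=CKV_AWS_111: resources is * for DescribeLogGroups
  statement {
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:FilterLogEvents",
    ]
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*"]
  }
  statement {
    effect = "Allow"
    actions = [
      "logs:PutLogEvents",
      "logs:GetLogEvents"
    ]
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:*"]
  }
}

//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ ECS frontend ----------------------------------------------------------------//
// Task role for the frontend: invoke the RAG API and read ESM PDFs.
data "aws_iam_policy_document" "frontend_ecs_task_role_policy" {
  statement {
    # NOTE(review): the skip reason below mentions ListAllMyBuckets/GetBucketLocation,
    # which this statement no longer contains, and no resource here is "*" — the
    # skip looks stale and can probably be dropped after a checkov run confirms it.
    #checkov:skip=CKV_AWS_356:: resources is * for ListAllMyBuckets and GetBucketLocation
    sid    = "FrontendTaskRoleInvokeAPI"
    effect = "Allow"
    actions = [
      "execute-api:Invoke",
    ]
    # NOTE(review): the first ARN (<api>/*/*/*) already allows every stage, method
    # and path, so the per-route ARNs that follow add nothing. For least privilege
    # remove the first entry and keep only the routes the frontend actually calls;
    # not changed here because it is a permission reduction that needs validation.
    resources = [
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/*/*/*",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/get_keyword_from_email",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/summarize_questions",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/search_engine",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/query_simple",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/ai_filter",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/dica_detect",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/hardware_detect",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/esm_detect",
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/esm_content_analyse"
    ]
  }
  statement {
    sid    = "AllowS3GetObjectESM"
    effect = "Allow"
    actions = [
      "s3:GetObject",
    ]
    resources = [
      "arn:aws:s3:::${data.aws_ssm_parameter.s3_bucket_name_esm_pdf.value}/*"
    ]
  }
}

//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Lambda -----------------------------------------------------------------------//
// Execution role for the backend Lambda: ECR pull, CloudWatch Logs, KMS describe,
// S3 on the application buckets, and the Bedrock Marketplace / SageMaker set.
data "aws_iam_policy_document" "lambda_execution_role_policy" {
  # NOTE(review): repository/* grants pull on every ECR repository in the account;
  # the backend image repository is known via data.aws_ssm_parameter.ecr_repository_backend_url,
  # so this could be narrowed to that repository.
  statement {
    sid    = "LambdaEcrPullAccess"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:ListImages"
    ]
    resources = [
      "arn:aws:ecr:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:repository/*"
    ]
  }
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup"]
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:*"]
  }
  statement {
    sid    = "CloudwatchLogAccess"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    # Region is taken from the data source like every other ARN in this file; the
    # previous hard-coded "eu-west-3" would silently break (deny) log writes in any
    # other region.
    resources = [
      "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:${data.aws_ssm_parameter.ecs_backend_log_group_name.value}:*"
    ]
  }
  statement {
    sid    = "CloudwatchLogKeyAccess"
    effect = "Allow"
    actions = [
      "kms:DescribeKey"
    ]
    resources = [
      # "arn:*:kms:*:::*"
      data.aws_ssm_parameter.kms_cloudwatch_arn.value
    ]
  }
  # statement {
  #   effect    = "Allow"
  #   actions   = ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces"]
  #   resources = ["*"]
  # }
  # NOTE(review): s3:* and s3-object-lambda:* include bucket-level management
  # actions (policy, ACL, lifecycle, delete bucket). If the function only reads and
  # writes objects, restrict to the Object/List actions it uses; left unchanged
  # because it is a permission reduction that needs validation against the code.
  statement {
    sid    = "S3Access"
    effect = "Allow"
    actions = [
      "s3:*",
      "s3-object-lambda:*"
    ]
    resources = [
      data.aws_ssm_parameter.s3_bucket_arn_cas.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_cas.value}/*",
      data.aws_ssm_parameter.s3_bucket_arn_esm.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_esm.value}/*",
      data.aws_ssm_parameter.s3_bucket_arn_ar.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_ar.value}/*",
      data.aws_ssm_parameter.s3_bucket_arn_classifier.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_classifier.value}/*",
      data.aws_ssm_parameter.s3_bucket_arn_esm_pdf.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_pdf.value}/*",
      data.aws_ssm_parameter.s3_bucket_arn_esm_xml.value,
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_xml.value}/*",
    ]
  }
  # statement {
  #   sid       = "BedrockAll"
  #   effect    = "Allow"
  #   actions   = ["bedrock:*"]
  #   resources = ["*"]
  # }
  # statement {
  #   sid       = "DescribeKey"
  #   effect    = "Allow"
  #   actions   = ["kms:DescribeKey"]
  #   resources = ["arn:*:kms:*:::*"]
  # }
  # statement {
  #   sid    = "APIsWithAllResourceAccess"
  #   effect = "Allow"
  #   actions = [
  #     "iam:ListRoles",
  #     "ec2:DescribeVpcs",
  #     "ec2:DescribeSubnets",
  #     "ec2:DescribeSecurityGroups"
  #   ]
  #   resources = ["*"]
  # }
  # The SageMaker statements below are gated on aws:CalledViaLast = bedrock and on
  # the sagemaker-sdk:bedrock / marketplace tags, so they only apply to endpoints
  # that Bedrock Marketplace creates on the function's behalf.
  statement {
    sid    = "MarketplaceModelEndpointMutatingAPIs"
    effect = "Allow"
    actions = [
      "sagemaker:CreateEndpoint",
      "sagemaker:CreateEndpointConfig",
      "sagemaker:CreateModel",
      "sagemaker:DeleteEndpoint",
      "sagemaker:UpdateEndpoint"
    ]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:CalledViaLast"
      values   = ["bedrock.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
  }
  statement {
    sid     = "MarketplaceModelEndpointAddTagsOperations"
    effect  = "Allow"
    actions = ["sagemaker:AddTags"]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values = [
        "sagemaker-sdk:bedrock",
        "bedrock:marketplace-registration-status",
        "sagemaker-studio:hub-content-arn"
      ]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/bedrock:marketplace-registration-status"
      values   = ["registered"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/sagemaker-studio:hub-content-arn"
      values   = ["arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*"]
    }
  }
  statement {
    sid     = "MarketplaceModelEndpointDeleteTagsOperations"
    effect  = "Allow"
    actions = ["sagemaker:DeleteTags"]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values = [
        "sagemaker-sdk:bedrock",
        "bedrock:marketplace-registration-status",
        "sagemaker-studio:hub-content-arn"
      ]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/bedrock:marketplace-registration-status"
      values   = ["registered"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/sagemaker-studio:hub-content-arn"
      values   = ["arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*"]
    }
  }
  statement {
    sid    = "MarketplaceModelEndpointNonMutatingAPIs"
    effect = "Allow"
    actions = [
      "sagemaker:DescribeEndpoint",
      "sagemaker:DescribeEndpointConfig",
      "sagemaker:DescribeModel",
      "sagemaker:ListTags"
    ]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:CalledViaLast"
      values   = ["bedrock.amazonaws.com"]
    }
  }
  statement {
    sid    = "MarketplaceModelEndpointInvokingOperations"
    effect = "Allow"
    actions = [
      "sagemaker:InvokeEndpoint",
      "sagemaker:InvokeEndpointWithResponseStream"
    ]
    resources = ["arn:aws:sagemaker:*:*:endpoint/*"]
  }
  statement {
    sid     = "DiscoveringMarketplaceModel"
    effect  = "Allow"
    actions = ["sagemaker:DescribeHubContent"]
    resources = [
      "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*",
      "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
    ]
  }
  statement {
    sid       = "AllowMarketplaceModelsListing"
    effect    = "Allow"
    actions   = ["sagemaker:ListHubContents"]
    resources = ["arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"]
  }
  # iam:PassRole is limited by role-name pattern and by iam:PassedToService, so
  # the function cannot hand arbitrary roles to other services.
  statement {
    sid       = "PassRoleToSageMaker"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::*:role/*SageMaker*ForBedrock*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["sagemaker.amazonaws.com", "bedrock.amazonaws.com"]
    }
  }
  statement {
    sid       = "PassRoleToBedrock"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = ["arn:aws:iam::*:role/*AmazonBedrock*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["bedrock.amazonaws.com"]
    }
  }
}

# data "aws_iam_roles" "devops_roles" {
#   name_regex = "^(AWSReservedSSO_SafranDev[oO]ps.*|role-devops-cicd-ecs)"
# }
# data "aws_iam_policy_document" "sagemaker_for_devops_roles_document" {
#   statement {
#     #checkov:skip=CKV_AWS_356:: resources *
#     sid    = "SageMakerAccessPolicyForDevopsRoles"
#     effect = "Allow"
#     actions = [
#       "sagemaker:CreatePresignedDomainUrl"
#     ]
#     resources = [
#       "arn:aws:sagemaker:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:*"
#     ]
#   }
# }

//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ SSM Parameters----------------------------------------------------------------//
// Shared platform values published by other stacks. Parameter names come from
// locals defined elsewhere. Values read here end up in Terraform state, so keep
// this list to identifiers (names, ARNs, ids) rather than secrets.
data "aws_ssm_parameter" "ecs_cluster_name" {
  name = local.ecs_cluster_name_parameter
}
data "aws_ssm_parameter" "ecs_cluster_id" {
  name = local.ecs_cluster_id_parameter
}
data "aws_ssm_parameter" "ecs_frontend_log_group_name" {
  name = local.ecs_frontend_log_group_name_parameter
}
data "aws_ssm_parameter" "ecs_ingestion_log_group_name" {
  name = local.ecs_ingestion_log_group_name_parameter
}
data "aws_ssm_parameter" "ecs_backend_log_group_name" {
  name = local.ecs_backend_log_group_name_parameter
}
data "aws_ssm_parameter" "ecr_repository_backend_url" {
  name = local.ecr_repository_url_backend_parameter
}
data "aws_ssm_parameter" "docker_image_tag_backend" {
  name = local.docker_image_tag_backend_parameter
}
data "aws_ssm_parameter" "ecr_repository_frontend_url" {
  name = local.ecr_repository_url_frontend_parameter
}
data "aws_ssm_parameter" "docker_image_tag_frontend" {
  name = local.docker_image_tag_frontend_parameter
}
data "aws_ssm_parameter" "ecs_task_execution_role_arn" {
  name = local.ecs_task_execution_role_arn_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_classifier" {
  name = local.s3_bucket_name_classifier_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_ar" {
  name = local.s3_bucket_name_ar_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_cas" {
  name = local.s3_bucket_name_cas_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm_pdf" {
  name = local.s3_bucket_name_esm_pdf_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm_xml" {
  name = local.s3_bucket_name_esm_xml_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm" {
  name = local.s3_bucket_name_esm_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_classifier" {
  name = local.s3_bucket_arn_classifier_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_ar" {
  name = local.s3_bucket_arn_ar_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_cas" {
  name = local.s3_bucket_arn_cas_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm_pdf" {
  name = local.s3_bucket_arn_esm_pdf_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm_xml" {
  name = local.s3_bucket_arn_esm_xml_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm" {
  name = local.s3_bucket_arn_esm_parameter
}
data "aws_ssm_parameter" "dynamo_request_table_name" {
  name = local.dynamo_request_table_name_parameter
}
data "aws_ssm_parameter" "dynamo_users_table_name" {
  name = local.dynamo_users_table_name_parameter
}
data "aws_ssm_parameter" "target_group_arn" {
  name = local.target_group_arn_parameter
}
# data "aws_ssm_parameter" "ecs_task_role_backend_arn" {
#   name = local.ecs_task_role_backend_arn_parameter
# }
data "aws_ssm_parameter" "ecs_task_role_frontend_arn" {
  name = local.ecs_task_role_frontend_arn_parameter
}
data "aws_ssm_parameter" "ecs_task_role_frontend_name" {
  name = local.ecs_task_role_frontend_name_parameter
}
data "aws_ssm_parameter" "lambda_role_arn" {
  name = local.lambda_role_arn_parameter
}
data "aws_ssm_parameter" "lambda_role_name" {
  name = local.lambda_role_name_parameter
}
data "aws_ssm_parameter" "kms_cloudwatch_arn" {
  name = local.kms_cloudwatch_arn_parameter
}
# NOTE(review): these two "ingestion queue" data sources read the *backend* queue
# parameters (local.sqs_backend_*); confirm the naming is intentional.
data "aws_ssm_parameter" "sqs_ingestion_queue_url" {
  name = local.sqs_backend_url_parameter
}
data "aws_ssm_parameter" "sqs_ingestion_queue_name" {
  name = local.sqs_backend_name_parameter
}
data "aws_ssm_parameter" "cognito_user_pool_id" {
  name = local.cognito_user_pool_id_parameter
}
data "aws_ssm_parameter" "cognito_client_id" {
  name = local.cognito_client_id_parameter
}
data "aws_ssm_parameter" "cognito_domain" {
  name = local.cognito_domain_parameter
}
data "aws_ssm_parameter" "cognito_identity_provider_name" {
  name = local.cognito_identity_provider_name_parameter
}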