ng-implementation/data.tf
# Calling account; its account_id qualifies the IAM resource ARNs built in this file.
data "aws_caller_identity" "current" {}
//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Region----------------------------------------------------------------//
# Provider region, read as `.region` throughout this file when building ARNs and the
# execute-api endpoint service name.
data "aws_region" "current" {}
//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Network----------------------------------------------------------------//
# Target VPC, resolved by the Security / Company / ServiceID tags rather than by a
# hard-coded ID. Tag values are upper-cased to match the tagging convention. The singular
# aws_vpc data source fails when the filters match zero or several VPCs, which is the
# guard against deploying into the wrong network.
data "aws_vpc" "vpc" {
  filter {
    name   = "tag:Security"
    values = [upper(var.security)]
  }
  filter {
    name   = "tag:Company"
    values = [upper(var.company)]
  }
  filter {
    name   = "tag:ServiceID"
    values = [upper(var.service_id)]
  }
}
# Frontend subnets: every subnet in the target VPC whose Name tag contains "front".
# NOTE(review): unlike backend_subnets below, the tag:Security filter is commented out
# here, so a "front" subnet of any security class in this VPC would be selected. Confirm
# whether the frontend subnets genuinely lack the tag or the filter was dropped while
# debugging.
data "aws_subnets" "frontend_subnets" {
  filter {
    name   = "tag:Name"
    values = ["*front*"]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
  # Security-class filter, currently disabled (see note above):
  # filter {
  #   name   = "tag:Security"
  #   values = [upper(var.security)]
  # }
  filter {
    name = "tag:Environment"
    # NOTE(review): the "PPD" fallback is applied in every environment, not only in dev,
    # so a production lookup can also match subnets tagged PPD and mix environments. A
    # dev-only workaround should be conditional on var.environment (or fixed in the tags).
    values = [upper(var.environment), "PPD"] # Adding PPD because in dev all the environment tags have this value
  }
}
# Backend subnets: subnets in the target VPC whose Name tag contains "private" or "back"
# (multiple values in one filter are OR-ed), restricted to the requested security class.
data "aws_subnets" "backend_subnets" {
  filter {
    name   = "tag:Name"
    values = ["*private*", "*back*"]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
  filter {
    name   = "tag:Security"
    values = [upper(var.security)]
  }
  filter {
    name = "tag:Environment"
    # NOTE(review): as in frontend_subnets, the "PPD" value is accepted in every
    # environment, so a production lookup can also match PPD-tagged subnets. Make the
    # fallback conditional on var.environment or correct the tags at the source.
    values = [upper(var.environment), "PPD"] # Adding PPD because in dev all the environment tags have this value
  }
}
//------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ SGs -------------------------------------------------------------------//
# Security group(s) named local.allin_security_group_name in the target VPC. The plural
# aws_security_groups data source returns a list (possibly empty) rather than erroring on
# no match, so a consumer indexing .ids[0] only fails at apply time.
# NOTE(review): the "allin" name suggests a broad rule set; the rules are not visible here,
# so verify the group is no wider than the tasks attached to it require.
data "aws_security_groups" "allin" {
  filter {
    name   = "tag:Name"
    values = [local.allin_security_group_name]
  }
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.vpc.id]
  }
}
//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Api Gateway ----------------------------------------------------------------//
# Interface endpoint for execute-api in the target VPC. Its ID is rendered into the OpenAPI
# document and should be the only path through which the private API is reached. The
# lookup fails unless exactly one execute-api endpoint exists in the VPC.
data "aws_vpc_endpoint" "apigateway" {
  vpc_id       = data.aws_vpc.vpc.id
  service_name = "com.amazonaws.${data.aws_region.current.region}.execute-api"
}
# Renders the OpenAPI definition consumed by the REST API. Besides the app/environment
# names it injects the backend Lambda ARN and the execution role ARN (the role API Gateway
# assumes for the Lambda integration), so the template is part of the API's trust surface
# and should be reviewed together with this file.
# NOTE(review): `template_file` comes from the archived hashicorp/template provider; the
# built-in templatefile() function is the replacement, but swapping changes the
# `data.template_file.openapi_template.rendered` reference used elsewhere.
data "template_file" "openapi_template" {
  template = file("${path.module}/openapi.template.yaml")
  # Presumably a local stub used when the real Lambda is not deployed:
  # template = file("${path.module}/openapi.dummy.yaml.tpl")
  vars = {
    appname                        = var.appname
    environment                    = var.environment
    apigateway_vpc_endpoint_id     = data.aws_vpc_endpoint.apigateway.id
    lambda_arn                     = module.lambda_backend.lambda_function_arn # stub value for the dummy template: "lambda_role_dummy"
    api_gateway_execution_role_arn = aws_iam_role.api_gateway_execution_role.arn
  }
}
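# Trust policy for the API Gateway execution role: only the API Gateway service principal
# may assume it, and only when acting for an API in this account. Without the
# aws:SourceAccount condition, an API Gateway resource in any other account could name this
# role ARN as its integration credentials (cross-service confused deputy).
data "aws_iam_policy_document" "api_gateway_execution_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
    # Confused-deputy guard, per AWS's cross-service guidance for API Gateway.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}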
# Permissions attached to the API Gateway execution role: invoke Lambda functions in this
# account/region whose name starts with var.appname.
# NOTE(review): the prefix wildcard also covers any future function sharing the prefix. If
# only the backend function is integrated, module.lambda_backend.lambda_function_arn
# (already referenced in this file) would pin it; keep a ":*" qualifier if aliases or
# versions are invoked.
data "aws_iam_policy_document" "api_gateway_execution_role_policy" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction",
    ]
    resources = [
      "arn:aws:lambda:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:function:${var.appname}*"
    ]
  }
}
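# Resource policy for the private REST API: allow execute-api:Invoke for any principal, but
# only for requests arriving through this VPC's execute-api interface endpoint. The two
# conditions are AND-ed: the request must come from the target VPC AND through the
# endpoint looked up above, so a second endpoint created later in the same VPC cannot be
# used to reach the API. The "*" principal means caller authentication is left to the
# API's method-level authorizers; this policy only fences the network path.
data "aws_iam_policy_document" "api_gateway_invoke_policy" {
  statement {
    sid    = "AllowInvokeFromVpcEndpoint"
    effect = "Allow"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions = ["execute-api:Invoke"]
    # "*" is scoped by attachment: this document is bound to a single API as its policy.
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpc"
      values   = [data.aws_vpc.vpc.id]
    }
    # Pin the specific endpoint as well; aws:SourceVpce is the key AWS recommends for
    # private APIs.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [data.aws_vpc_endpoint.apigateway.id]
    }
  }
}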
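# CloudWatch Logs permissions for the API Gateway execution role. Log group names are not
# known at plan time, so resources are scoped to this region/account rather than to named
# groups (hence the checkov skip).
data "aws_iam_policy_document" "cloudwatch" {
  #checkov:skip=CKV_AWS_111: log-group names are unknown at plan time; scoped to this region/account
  statement {
    sid    = "LogGroupLevel"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:FilterLogEvents",
    ]
    # These actions are authorised against the log-group ARN, which never contains a
    # ":log-stream:" segment, so the previous "log-group:*:log-stream:*" pattern could not
    # match them. "log-group:*" matches both group and stream ARNs in this account/region.
    # If DescribeLogGroups still fails at runtime it may require a bare "*" resource — verify.
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:*"]
  }
  statement {
    sid    = "LogStreamLevel"
    effect = "Allow"
    actions = [
      "logs:PutLogEvents",
      "logs:GetLogEvents"
    ]
    # Stream-level actions; the trailing wildcard also covers log-stream ARNs.
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:*"]
  }
}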
//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ ECS frontend ----------------------------------------------------------------//
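# Permissions for the frontend ECS task role: invoke the listed backend routes of the RAG
# API (this deployment's stage only) and read ESM PDF objects from S3.
data "aws_iam_policy_document" "frontend_ecs_task_role_policy" {
  statement {
    sid    = "FrontendTaskRoleInvokeAPI"
    effect = "Allow"
    actions = [
      "execute-api:Invoke",
    ]
    # One ARN per route, in the form <api-id>/<stage>/<any method>/app/<route>.
    # A catch-all "<api-id>/*/*/*" entry used to sit alongside this list; it matched every
    # stage, method and path and made the allow-list a no-op, so it has been dropped. To
    # expose a new route to the frontend, add it here rather than restoring the wildcard.
    resources = [
      for route in [
        "get_keyword_from_email",
        "summarize_questions",
        "search_engine",
        "query_simple",
        "ai_filter",
        "dica_detect",
        "hardware_detect",
        "esm_detect",
        "esm_content_analyse",
      ] :
      "arn:aws:execute-api:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.genai_rag_api.id}/${var.environment}/*/app/${route}"
    ]
  }
  statement {
    sid    = "AllowS3GetObjectESM"
    effect = "Allow"
    actions = [
      "s3:GetObject",
    ]
    # Object reads only (no ListBucket) in the ESM PDF bucket whose name comes from SSM.
    resources = [
      "arn:aws:s3:::${data.aws_ssm_parameter.s3_bucket_name_esm_pdf.value}/*"
    ]
  }
}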
//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ Lambda -----------------------------------------------------------------------//
# Permissions for the backend Lambda: pull its container image from ECR, write to its
# CloudWatch log group (encrypted with the CloudWatch KMS key), full access to the project
# S3 buckets, and the SageMaker/Bedrock Marketplace model-endpoint permission set.
data "aws_iam_policy_document" "lambda_execution_role_policy" {
  # Image pull. NOTE(review): "repository/*" is every repository in the account; the
  # backend repository is known (ecr_repository_backend_url from SSM), so this could be
  # pinned to that repository's ARN.
  statement {
    sid    = "LambdaEcrPullAccess"
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:ListImages"
    ]
    resources = [
      "arn:aws:ecr:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:repository/*"
    ]
  }
  # Log group creation is allowed anywhere in this region/account; the group name is only
  # pinned in the next statement.
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup"]
    resources = ["arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:*"]
  }
  # Stream/put access pinned to the backend log group read from SSM.
  # NOTE(review): the region is hard-coded to eu-west-3 here while every other ARN in this
  # file derives it from data.aws_region.current — align them unless the log group is
  # intentionally kept in eu-west-3 regardless of where the stack is deployed.
  statement {
    sid    = "CloudwatchLogAccess"
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ]
    resources = [
      "arn:aws:logs:eu-west-3:${data.aws_caller_identity.current.account_id}:log-group:${data.aws_ssm_parameter.ecs_backend_log_group_name.value}:*"
    ]
  }
  # Read-only metadata on the CloudWatch Logs KMS key. The earlier "arn:*:kms:*:::*"
  # wildcard is retired and kept only as history.
  statement {
    sid    = "CloudwatchLogKeyAccess"
    effect = "Allow"
    actions = [
      "kms:DescribeKey"
    ]
    resources = [
      # "arn:*:kms:*:::*"
      data.aws_ssm_parameter.kms_cloudwatch_arn.value
    ]
  }
  # ENI permissions are needed only by a VPC-attached function; if the function runs in
  # the VPC they are presumably supplied by a managed policy elsewhere.
  # statement {
  #   effect    = "Allow"
  #   actions   = ["ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces"]
  #   resources = ["*"]
  # }
  # Bucket access. NOTE(review): "s3:*" on the buckets also grants bucket-level mutations
  # (bucket policy, ACL, public-access-block, lifecycle, DeleteBucket). Once the handler's
  # needs are known, narrow this to the object/list actions it actually uses. The "${...}"
  # wrappers around the .value references are legacy interpolation syntax.
  statement {
    sid    = "S3Access"
    effect = "Allow"
    actions = [
      "s3:*",
      "s3-object-lambda:*"
    ]
    resources = [
      "${data.aws_ssm_parameter.s3_bucket_arn_cas.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_cas.value}/*",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm.value}/*",
      "${data.aws_ssm_parameter.s3_bucket_arn_ar.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_ar.value}/*",
      "${data.aws_ssm_parameter.s3_bucket_arn_classifier.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_classifier.value}/*",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_pdf.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_pdf.value}/*",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_xml.value}",
      "${data.aws_ssm_parameter.s3_bucket_arn_esm_xml.value}/*",
    ]
  }
  # Retired statements kept for reference; none of them is active.
  # statement {
  #   sid       = "BedrockAll"
  #   effect    = "Allow"
  #   actions   = ["bedrock:*"]
  #   resources = ["*"]
  # }
  # statement {
  #   sid       = "DescribeKey"
  #   effect    = "Allow"
  #   actions   = ["kms:DescribeKey"]
  #   resources = ["arn:*:kms:*:::*"]
  # }
  # statement {
  #   sid    = "APIsWithAllResourceAccess"
  #   effect = "Allow"
  #   actions = [
  #     "iam:ListRoles",
  #     "ec2:DescribeVpcs",
  #     "ec2:DescribeSubnets",
  #     "ec2:DescribeSecurityGroups"
  #   ]
  #   resources = ["*"]
  # }
  # The SageMaker statements below follow the shape of AWS's Bedrock Marketplace permission
  # set: mutating calls only when issued through Bedrock (aws:CalledViaLast) on resources
  # tagged sagemaker-sdk:bedrock=compatible, tag changes limited to the three marketplace
  # tag keys, and read-only Describe/List on the public hub.
  # NOTE(review): the resource ARNs use "*" for both region and account, so the role could
  # act on endpoints in other accounts if any were ever shared with it; pinning the account
  # to data.aws_caller_identity.current.account_id costs nothing here.
  statement {
    sid    = "MarketplaceModelEndpointMutatingAPIs"
    effect = "Allow"
    actions = [
      "sagemaker:CreateEndpoint",
      "sagemaker:CreateEndpointConfig",
      "sagemaker:CreateModel",
      "sagemaker:DeleteEndpoint",
      "sagemaker:UpdateEndpoint"
    ]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    # Only when the last calling service is Bedrock, i.e. not from arbitrary SDK calls.
    condition {
      test     = "StringEquals"
      variable = "aws:CalledViaLast"
      values   = ["bedrock.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
  }
  # Tagging is restricted to the marketplace keys with fixed values, so the role cannot
  # use AddTags to make an arbitrary endpoint "compatible" with a different tag set.
  statement {
    sid    = "MarketplaceModelEndpointAddTagsOperations"
    effect = "Allow"
    actions = ["sagemaker:AddTags"]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values = [
        "sagemaker-sdk:bedrock",
        "bedrock:marketplace-registration-status",
        "sagemaker-studio:hub-content-arn"
      ]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/bedrock:marketplace-registration-status"
      values   = ["registered"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:RequestTag/sagemaker-studio:hub-content-arn"
      values   = ["arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*"]
    }
  }
  # Tag removal mirrors AddTags: only the marketplace keys, only on marketplace-tagged resources.
  statement {
    sid    = "MarketplaceModelEndpointDeleteTagsOperations"
    effect = "Allow"
    actions = ["sagemaker:DeleteTags"]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values = [
        "sagemaker-sdk:bedrock",
        "bedrock:marketplace-registration-status",
        "sagemaker-studio:hub-content-arn"
      ]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/sagemaker-sdk:bedrock"
      values   = ["compatible"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/bedrock:marketplace-registration-status"
      values   = ["registered"]
    }
    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/sagemaker-studio:hub-content-arn"
      values   = ["arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*"]
    }
  }
  # Read-only endpoint/model metadata, again only via Bedrock.
  statement {
    sid    = "MarketplaceModelEndpointNonMutatingAPIs"
    effect = "Allow"
    actions = [
      "sagemaker:DescribeEndpoint",
      "sagemaker:DescribeEndpointConfig",
      "sagemaker:DescribeModel",
      "sagemaker:ListTags"
    ]
    resources = [
      "arn:aws:sagemaker:*:*:endpoint/*",
      "arn:aws:sagemaker:*:*:endpoint-config/*",
      "arn:aws:sagemaker:*:*:model/*"
    ]
    condition {
      test     = "StringEquals"
      variable = "aws:CalledViaLast"
      values   = ["bedrock.amazonaws.com"]
    }
  }
  # NOTE(review): unlike the statements above, invocation carries no CalledViaLast or tag
  # condition, so any endpoint matching the (region/account-wildcarded) ARN can be invoked
  # directly by the function.
  statement {
    sid    = "MarketplaceModelEndpointInvokingOperations"
    effect = "Allow"
    actions = [
      "sagemaker:InvokeEndpoint",
      "sagemaker:InvokeEndpointWithResponseStream"
    ]
    resources = ["arn:aws:sagemaker:*:*:endpoint/*"]
  }
  # Read access to the public SageMaker hub (model discovery); AWS-owned resources.
  statement {
    sid    = "DiscoveringMarketplaceModel"
    effect = "Allow"
    actions = ["sagemaker:DescribeHubContent"]
    resources = [
      "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*",
      "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
    ]
  }
  statement {
    sid    = "AllowMarketplaceModelsListing"
    effect = "Allow"
    actions = ["sagemaker:ListHubContents"]
    resources = ["arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"]
  }
  # PassRole is limited by role-name pattern and by the receiving service.
  # NOTE(review): both PassRole statements match roles in any account
  # ("arn:aws:iam::*:role/..."); pin the account id to document intent and keep the
  # name patterns as narrow as the roles actually created for this stack.
  statement {
    sid    = "PassRoleToSageMaker"
    effect = "Allow"
    actions = ["iam:PassRole"]
    resources = ["arn:aws:iam::*:role/*SageMaker*ForBedrock*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["sagemaker.amazonaws.com", "bedrock.amazonaws.com"]
    }
  }
  statement {
    sid    = "PassRoleToBedrock"
    effect = "Allow"
    actions = ["iam:PassRole"]
    resources = ["arn:aws:iam::*:role/*AmazonBedrock*"]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["bedrock.amazonaws.com"]
    }
  }
}
# data "aws_iam_roles" "devops_roles" {
# name_regex = "^(AWSReservedSSO_SafranDev[oO]ps.*|role-devops-cicd-ecs)"
# }
# data "aws_iam_policy_document" "sagemaker_for_devops_roles_document" {
# statement {
# #checkov:skip=CKV_AWS_356:: resources *
# sid = "SageMakerAccessPolicyForDevopsRoles"
# effect = "Allow"
# actions = [
# "sagemaker:CreatePresignedDomainUrl"
# ]
# resources = [
# "arn:aws:sagemaker:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:*"
# ]
# }
# }
//-------------------------------------------------------------------------------------------------------------------------------------------//
//------------------------------------------------------------ SSM Parameters----------------------------------------------------------------//
# Cross-stack inputs published to SSM Parameter Store by the platform stack (parameter
# names live in locals). The data source reads them at plan time — presumably decrypted,
# the provider default — and the values end up in Terraform state, so only identifiers,
# names and ARNs should travel this way. None of the parameters below look like secrets.
#
# ECS cluster and log-group identifiers.
data "aws_ssm_parameter" "ecs_cluster_name" {
  name = local.ecs_cluster_name_parameter
}
data "aws_ssm_parameter" "ecs_cluster_id" {
  name = local.ecs_cluster_id_parameter
}
data "aws_ssm_parameter" "ecs_frontend_log_group_name" {
  name = local.ecs_frontend_log_group_name_parameter
}
data "aws_ssm_parameter" "ecs_ingestion_log_group_name" {
  name = local.ecs_ingestion_log_group_name_parameter
}
data "aws_ssm_parameter" "ecs_backend_log_group_name" {
  name = local.ecs_backend_log_group_name_parameter
}
# Container image coordinates. The image tag is resolved from SSM rather than pinned in
# code, so whoever can write these parameters controls which image the tasks run — the
# parameters' own access policy is part of this stack's supply-chain boundary.
data "aws_ssm_parameter" "ecr_repository_backend_url" {
  name = local.ecr_repository_url_backend_parameter
}
data "aws_ssm_parameter" "docker_image_tag_backend" {
  name = local.docker_image_tag_backend_parameter
}
data "aws_ssm_parameter" "ecr_repository_frontend_url" {
  name = local.ecr_repository_url_frontend_parameter
}
data "aws_ssm_parameter" "docker_image_tag_frontend" {
  name = local.docker_image_tag_frontend_parameter
}
# Shared ECS task execution role (image pull / log delivery), created elsewhere.
data "aws_ssm_parameter" "ecs_task_execution_role_arn" {
  name = local.ecs_task_execution_role_arn_parameter
}
# Project S3 buckets, published both as names (used to build object ARNs, e.g. the
# frontend GetObject statement) and as ARNs (used in the Lambda S3 statement). Name and
# ARN for the same bucket are read as separate parameters and are not cross-checked here.
data "aws_ssm_parameter" "s3_bucket_name_classifier" {
  name = local.s3_bucket_name_classifier_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_ar" {
  name = local.s3_bucket_name_ar_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_cas" {
  name = local.s3_bucket_name_cas_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm_pdf" {
  name = local.s3_bucket_name_esm_pdf_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm_xml" {
  name = local.s3_bucket_name_esm_xml_parameter
}
data "aws_ssm_parameter" "s3_bucket_name_esm" {
  name = local.s3_bucket_name_esm_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_classifier" {
  name = local.s3_bucket_arn_classifier_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_ar" {
  name = local.s3_bucket_arn_ar_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_cas" {
  name = local.s3_bucket_arn_cas_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm_pdf" {
  name = local.s3_bucket_arn_esm_pdf_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm_xml" {
  name = local.s3_bucket_arn_esm_xml_parameter
}
data "aws_ssm_parameter" "s3_bucket_arn_esm" {
  name = local.s3_bucket_arn_esm_parameter
}
# DynamoDB tables and the load-balancer target group the frontend service registers with.
data "aws_ssm_parameter" "dynamo_request_table_name" {
  name = local.dynamo_request_table_name_parameter
}
data "aws_ssm_parameter" "dynamo_users_table_name" {
  name = local.dynamo_users_table_name_parameter
}
data "aws_ssm_parameter" "target_group_arn" {
  name = local.target_group_arn_parameter
}
# IAM roles created by the platform stack. Only the frontend task role and the Lambda role
# are read; the backend task role lookup is retired (kept commented for reference).
# data "aws_ssm_parameter" "ecs_task_role_backend_arn" {
#   name = local.ecs_task_role_backend_arn_parameter
# }
data "aws_ssm_parameter" "ecs_task_role_frontend_arn" {
  name = local.ecs_task_role_frontend_arn_parameter
}
data "aws_ssm_parameter" "ecs_task_role_frontend_name" {
  name = local.ecs_task_role_frontend_name_parameter
}
data "aws_ssm_parameter" "lambda_role_arn" {
  name = local.lambda_role_arn_parameter
}
data "aws_ssm_parameter" "lambda_role_name" {
  name = local.lambda_role_name_parameter
}
# KMS key protecting the CloudWatch log groups (used in the Lambda kms:DescribeKey statement).
data "aws_ssm_parameter" "kms_cloudwatch_arn" {
  name = local.kms_cloudwatch_arn_parameter
}
# NOTE(review): these two resources are named *ingestion* but read the *backend* queue
# parameters (local.sqs_backend_url_parameter / local.sqs_backend_name_parameter).
# Confirm which queue is intended; a mismatch here hands the consumer the wrong queue.
data "aws_ssm_parameter" "sqs_ingestion_queue_url" {
  name = local.sqs_backend_url_parameter
}
data "aws_ssm_parameter" "sqs_ingestion_queue_name" {
  name = local.sqs_backend_name_parameter
}
# Cognito identifiers (user pool, app client id, hosted domain, federated IdP name). These
# are public identifiers, not secrets; if an app-client secret is ever required, do not pull
# it through this data source into state.
data "aws_ssm_parameter" "cognito_user_pool_id" {
  name = local.cognito_user_pool_id_parameter
}
data "aws_ssm_parameter" "cognito_client_id" {
  name = local.cognito_client_id_parameter
}
data "aws_ssm_parameter" "cognito_domain" {
  name = local.cognito_domain_parameter
}
data "aws_ssm_parameter" "cognito_identity_provider_name" {
  name = local.cognito_identity_provider_name_parameter
}