From 5a5d436dba2c84d5e7faf0cfe344114222dac88b Mon Sep 17 00:00:00 2001 From: "agustin.celentano" Date: Tue, 23 Jun 2026 17:54:27 -0300 Subject: [PATCH 1/2] feat: enable lambda scope, S3 assets and Lambda@Edge on aws-services - iam: separate the build workflow user into the build-user module and grant S3 publish permissions via s3-assets; ecr now receives build_workflow_group_name and the build credentials come from build-user (tofu-modules v5 layout) - bindings: register the S3 asset repository (asset/s3, bucket lambda-files-aws-services) and the AWS IAM provider (identity-access-control) that publishes the lambda assume-role by selector - agent: add lambda:GetFunction / EnableReplication* so CloudFront can validate Lambda@Edge function associations - scope config: add a Lambda@Edge function association (viewer-response) to the static-files scope configuration Note: tofu-modules refs point to the feature branch (feat/separate-build-user-from-asset-repositories); update to the released tag once nullplatform/tofu-modules#402 is merged. --- .../aws/iam_policies_agent_static_scopes.tf | 12 +++++++ infrastructure/aws/main.tf | 19 +++++++++-- infrastructure/aws/outputs.tf | 13 +++++--- nullplatform-bindings/locals.tf | 4 +++ nullplatform-bindings/main.tf | 33 +++++++++++++++++++ nullplatform/main.tf | 6 ++++ 6 files changed, 81 insertions(+), 6 deletions(-) diff --git a/infrastructure/aws/iam_policies_agent_static_scopes.tf b/infrastructure/aws/iam_policies_agent_static_scopes.tf index 08c57d6..5643cc0 100644 --- a/infrastructure/aws/iam_policies_agent_static_scopes.tf +++ b/infrastructure/aws/iam_policies_agent_static_scopes.tf 
@@ -74,6 +74,18 @@ resource "aws_iam_policy" "agent_static_scopes" { "wafv2:GetWebACL" ] Resource = "arn:aws:wafv2:us-east-1:*:global/webacl/*/*" + }, + { + # Lambda@Edge function associations on CloudFront cache behaviors. + # CloudFront validates these permissions for the caller when + # creating/updating a distribution that references a Lambda@Edge function. + Sid = "LambdaEdgeAssociation" + Effect = "Allow" + Action = [ + "lambda:GetFunction", + "lambda:EnableReplication*" + ] + Resource = "arn:aws:lambda:us-east-1:*:function:*" } ] }) diff --git a/infrastructure/aws/main.tf b/infrastructure/aws/main.tf index ae539a6..d543d37 100644 --- a/infrastructure/aws/main.tf +++ b/infrastructure/aws/main.tf @@ -131,12 +131,27 @@ module "agent_iam" { assume_role_arns = [aws_iam_role.nullplatform_lambda.arn] } -module "ecr_iam" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.3.0" +module "build_user" { + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/build-user?ref=feat/separate-build-user-from-asset-repositories" cluster_name = module.eks.eks_cluster_name } +module "ecr_iam" { + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=feat/separate-build-user-from-asset-repositories" + + cluster_name = module.eks.eks_cluster_name + build_workflow_group_name = module.build_user.group_name +} + +module "s3_assets_iam" { + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3-assets?ref=feat/separate-build-user-from-asset-repositories" + + cluster_name = module.eks.eks_cluster_name + build_workflow_group_name = module.build_user.group_name + assets_bucket = "lambda-files-aws-services" +} + ############################################################################### # External DNS ############################################################################### 
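Review bot: The new `LambdaEdgeAssociation` statement grants `lambda:GetFunction` and `lambda:EnableReplication*` on `arn:aws:lambda:us-east-1:*:function:*`, with a wildcard in the account field; since `data.aws_caller_identity.current` is already used in this root module, `Resource = "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:function:*"` keeps the grant within the account. `lambda:GetFunction` also returns a pre-signed download URL for the deployment package, so on `function:*` the agent can read the code of every function in the region; if the set of edge functions is known, listing them, or a naming prefix such as `function:edge-*`, would be the tighter grant. The enclosing `aws_iam_policy` resource starts above the hunk.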
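Review bot: `assets_bucket = "lambda-files-aws-services"` in the new `s3_assets_iam` module is a literal that is repeated verbatim as `bucket_name` in the `asset_s3` module of nullplatform-bindings/main.tf, so the two layers can drift silently and the IAM grant would then cover a different bucket than the one the asset repository publishes to. Declaring it once, `locals { lambda_assets_bucket = "lambda-files-aws-services" }`, exposing it as `output "lambda_assets_bucket" { value = local.lambda_assets_bucket }`, and reading it through `data.terraform_remote_state.infrastructure[0].outputs` in the bindings layer, as this commit already does for `lambda_assume_role_arn`, keeps one source of truth. The same applies to the bindings hunk, so this note is not repeated there.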
diff --git a/infrastructure/aws/outputs.tf b/infrastructure/aws/outputs.tf index c5bd20e..dde35af 100644 --- a/infrastructure/aws/outputs.tf +++ b/infrastructure/aws/outputs.tf @@ -40,12 +40,17 @@ output "ecr_application_role_arn" { } output "ecr_build_workflow_access_key_id" { - description = "Access key ID for the CI/CD build workflow IAM user (consumed by nullplatform/asset/ecr)" - value = module.ecr_iam.build_workflow_access_key_id + description = "Access key ID for the CI/CD build workflow IAM user (created by the build-user module; consumed by nullplatform/asset/ecr and asset/s3)" + value = module.build_user.build_workflow_access_key_id } output "ecr_build_workflow_access_key_secret" { - description = "Secret access key for the CI/CD build workflow IAM user (consumed by nullplatform/asset/ecr)" - value = module.ecr_iam.build_workflow_access_key_secret + description = "Secret access key for the CI/CD build workflow IAM user (created by the build-user module; consumed by nullplatform/asset/ecr and asset/s3)" + value = module.build_user.build_workflow_access_key_secret sensitive = true +} + +output "lambda_assume_role_arn" { + description = "ARN of the Lambda assume-role; consumed by nullplatform-bindings to publish the AWS IAM provider (selector \"lambda\")" + value = aws_iam_role.nullplatform_lambda.arn } \ No newline at end of file diff --git a/nullplatform-bindings/locals.tf b/nullplatform-bindings/locals.tf index 51a4131..2abc183 100644 --- a/nullplatform-bindings/locals.tf +++ b/nullplatform-bindings/locals.tf 
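Review bot: The outputs keep the `ecr_build_workflow_*` names while their values now come from `module.build_user` and, per the new descriptions, feed both `asset/ecr` and `asset/s3`, so the prefix describes neither the producer nor the only consumer. Renaming would break the `data.terraform_remote_state` reads in nullplatform-bindings/locals.tf, so the compatible route is to add `build_workflow_access_key_id` and `build_workflow_access_key_secret` outputs next to the existing ones (the secret again with `sensitive = true`) and mark the old descriptions as deprecated aliases. Note that `sensitive = true` only affects display; both values are stored in plaintext in the remote state, which is worth stating in the description so consumers treat the state bucket accordingly.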
@@ -34,6 +34,10 @@ locals { ecr_build_workflow_access_key_id = data.terraform_remote_state.infrastructure[0].outputs.ecr_build_workflow_access_key_id ecr_build_workflow_access_key_secret = data.terraform_remote_state.infrastructure[0].outputs.ecr_build_workflow_access_key_secret + # Lambda assume-role ARN (created in infrastructure/aws), published to the AWS + # IAM provider below so the Lambda scope resolves it by selector "lambda". + lambda_assume_role_arn = data.terraform_remote_state.infrastructure[0].outputs.lambda_assume_role_arn + ############################################################################## # Notification API keys catalog # diff --git a/nullplatform-bindings/main.tf b/nullplatform-bindings/main.tf index 139a5f8..3b9d981 100644 --- a/nullplatform-bindings/main.tf +++ b/nullplatform-bindings/main.tf @@ -22,6 +22,16 @@ module "asset_repository" { build_workflow_access_key_secret = local.ecr_build_workflow_access_key_secret } +# ============================================================================= +# Asset Repository (S3 - Lambda/bundle assets) +# ============================================================================= +module "asset_s3" { + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/asset/s3?ref=feat/separate-build-user-from-asset-repositories" + + nrn = var.nrn + bucket_name = "lambda-files-aws-services" +} + # ============================================================================= # Cloud Provider (AWS) # ============================================================================= 
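Review bot: The new `asset_s3` module receives only `nrn` and `bucket_name`, whereas the `asset_repository` (ECR) module above it is passed `build_workflow_access_key_id`/`build_workflow_access_key_secret`, and the updated output descriptions in infrastructure/aws/outputs.tf say those credentials are also consumed by `asset/s3`. Either the module takes the credentials and they are missing here, or the description overstates the consumer; I cannot tell from this hunk which, so please confirm against the `nullplatform/asset/s3` inputs and either pass `build_workflow_access_key_id = local.ecr_build_workflow_access_key_id` (and the secret) or correct the description. If the S3 module publishes without any credentials, a comment above the module call saying how uploads are authorised would save the next reader the same question.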
@@ -34,6 +44,29 @@ module "cloud_provider" { hosted_private_zone_id = local.private_zone_id } +# ============================================================================= +# Identity & Access Control (AWS IAM provider) +# +# Publishes assumable role ARNs keyed by selector. The Lambda scope resolves +# its role here (selector "lambda") via the provider — replacing the +# ASSUME_ROLE_ARN_DEFAULT env var on the agent. The ARN comes from the Lambda +# assume-role created in infrastructure/aws (read via remote state). +# ============================================================================= +module "identity_access_control" { + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/identity-access-control?ref=v4.3.0" + + nrn = var.nrn + + # type defaults to "aws-iam-configuration" + attributes = { + iam_role_arns = { + arns = [ + { selector = "lambda", arn = local.lambda_assume_role_arn } + ] + } + } +} + # ============================================================================= # Notification API Keys # diff --git a/nullplatform/main.tf b/nullplatform/main.tf index c7d726c..57d5d79 100644 --- a/nullplatform/main.tf +++ b/nullplatform/main.tf @@ -65,6 +65,12 @@ module "scope_configuration_static_scope" { } distribution = { aws_distribution = "cloudfront" + lambda_associations = [ + { + event_type = "viewer-response" + function_arn = "arn:aws:lambda:us-east-1:235494813897:function:edge-test-header:1" + } + ] } network = { aws_network = "route53" From 70a61a8c04b91d051c11e898bac1a4bb0afa341a Mon Sep 17 00:00:00 2001 
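Review bot: `function_arn = "arn:aws:lambda:us-east-1:235494813897:function:edge-test-header:1"` hard-codes an account ID and a function whose name reads as a test artifact into the static-files scope configuration, so every distribution created from this configuration will run that function on viewer-response. A variable kept in terraform.tfvars alongside the other per-environment values keeps the account ID out of the module and makes the association opt-in, e.g. `lambda_associations = var.edge_function_arn == null ? [] : [{ event_type = "viewer-response", function_arn = var.edge_function_arn }]`. The `:1` qualifier is required because CloudFront only accepts a published version, and it will need bumping on every function update; a one-line comment saying so next to the ARN would prevent someone "fixing" it to an unqualified ARN. The enclosing `scope_configuration_static_scope` block starts above the hunk.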
From: "agustin.celentano" Date: Thu, 25 Jun 2026 10:09:54 -0300 Subject: [PATCH 2/2] chore: bump tofu-modules to v4.5.2 and wire lambda scope-configuration - Bump all tagged tofu-modules refs (v4.3.0/v4.5.1) to v4.5.2; feature-branch refs left untouched - Add scope_configuration_lambda module in nullplatform layer (placeholder image + state bucket) - Remove extra_envs (ASSUME_ROLE_ARN_DEFAULT, PLACEHOLDER_IMAGE_URI_DEFAULT) from agent module; now provided via lambda scope-configuration - Run tofu fmt -recursive --- infrastructure/aws/backend.tf | 6 +- infrastructure/aws/backend/main.tf | 6 +- infrastructure/aws/main.tf | 127 ++++++++++++++--------------- infrastructure/aws/outputs.tf | 3 +- nullplatform-bindings/locals.tf | 6 +- nullplatform-bindings/main.tf | 20 ++--- nullplatform/main.tf | 35 ++++++-- rds-setup.tf | 12 +-- 8 files changed, 117 insertions(+), 98 deletions(-) diff --git a/infrastructure/aws/backend.tf b/infrastructure/aws/backend.tf index e1d9253..37f0f21 100644 --- a/infrastructure/aws/backend.tf +++ b/infrastructure/aws/backend.tf @@ -4,9 +4,9 @@ terraform { backend "s3" { - bucket = "tf-state-0269fb2df210b43c" - key = "infrastructure.tfstate" - region = "us-east-1" + bucket = "tf-state-0269fb2df210b43c" + key = "infrastructure.tfstate" + region = "us-east-1" encrypt = true } } diff --git a/infrastructure/aws/backend/main.tf b/infrastructure/aws/backend/main.tf index b5f87d2..fefec43 100644 --- a/infrastructure/aws/backend/main.tf +++ b/infrastructure/aws/backend/main.tf @@ -14,9 +14,9 @@ resource "aws_s3_bucket" "tf_state" { force_destroy = var.force_destroy tags = { - Name = "Terraform State" - ManagedBy = "Terraform" - Purpose = "Terraform remote state storage" + Name = "Terraform State" + ManagedBy = "Terraform" + Purpose = "Terraform remote state storage" } } diff --git a/infrastructure/aws/main.tf b/infrastructure/aws/main.tf index d543d37..0c4a6f1 100644 --- a/infrastructure/aws/main.tf +++ b/infrastructure/aws/main.tf 
@@ -2,11 +2,11 @@ # VPC ############################################################################### module "vpc" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.5.2" - organization = var.organization - account = var.account - vpc = var.vpc + organization = var.organization + account = var.account + vpc = var.vpc } ############################################################################### @@ -18,7 +18,7 @@ module "vpc" { # aws_vpc_vpc_id / aws_subnets_private_ids references below. ############################################################################### module "eks" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.5.2" name = local.cluster_name aws_vpc_vpc_id = module.vpc.vpc_id @@ -39,7 +39,7 @@ module "eks" { # Route53 DNS ############################################################################### module "dns" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.5.2" depends_on = [module.vpc] @@ -51,7 +51,7 @@ module "dns" { # ALB Controller ############################################################################### module "alb_controller" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.5.2" depends_on = [module.eks] 
@@ -64,10 +64,10 @@ module "alb_controller" { # Istio ############################################################################### module "istio" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/istio?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/istio?ref=v4.5.2" - service_type = "LoadBalancer" - istiod_replicas = 2 + service_type = "LoadBalancer" + istiod_replicas = 2 depends_on = [module.alb_controller] } 
@@ -76,52 +76,52 @@ module "istio" { # Prometheus ############################################################################### module "prometheus" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/prometheus?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/prometheus?ref=v4.5.2" } ############################################################################### # IAM Roles ############################################################################### module "external_dns_iam" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.5.2" - hosted_zone_public_id = module.dns.public_zone_id - hosted_zone_private_id = module.dns.private_zone_id + hosted_zone_public_id = module.dns.public_zone_id + hosted_zone_private_id = module.dns.private_zone_id aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn - cluster_name = module.eks.eks_cluster_name + cluster_name = module.eks.eks_cluster_name } module "cert_manager_iam" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.5.2" - hosted_zone_public_id = module.dns.public_zone_id - hosted_zone_private_id = module.dns.private_zone_id + hosted_zone_public_id = module.dns.public_zone_id + hosted_zone_private_id = module.dns.private_zone_id aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn - cluster_name = module.eks.eks_cluster_name + cluster_name = module.eks.eks_cluster_name } module "alb_controller_iam" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.3.0" + source = 
"git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.5.2" cluster_name = module.eks.eks_cluster_name aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn } module "agent_iam" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.5.2" aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn agent_namespace = var.agent_namespace cluster_name = module.eks.eks_cluster_name additional_policies = { - "static_scopes_policy" = aws_iam_policy.agent_static_scopes.arn - "rds_policy"= aws_iam_policy.nullplatform_rds_policy.arn - "rds_secret_manager_policy"= aws_iam_policy.nullplatform_rds_secretsmanager_policy.arn - "rds_s3_policy"= aws_iam_policy.nullplatform_rds_s3_policy.arn - "rds_sg_policy"= aws_iam_policy.nullplatform_rds_sg_policy.arn - "s3_policy"= aws_iam_policy.nullplatform_s3_policy.arn - "s3_iam_policy"= aws_iam_policy.nullplatform_s3_iam_policy.arn + "static_scopes_policy" = aws_iam_policy.agent_static_scopes.arn + "rds_policy" = aws_iam_policy.nullplatform_rds_policy.arn + "rds_secret_manager_policy" = aws_iam_policy.nullplatform_rds_secretsmanager_policy.arn + "rds_s3_policy" = aws_iam_policy.nullplatform_rds_s3_policy.arn + "rds_sg_policy" = aws_iam_policy.nullplatform_rds_sg_policy.arn + "s3_policy" = aws_iam_policy.nullplatform_s3_policy.arn + "s3_iam_policy" = aws_iam_policy.nullplatform_s3_iam_policy.arn } # Lambda scope uses assume-role: the agent assumes this dedicated role 
@@ -156,23 +156,23 @@ module "s3_assets_iam" { # External DNS ############################################################################### module "external_dns_public" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.5.2" depends_on = [module.alb_controller] - type = "public" - zone_type = "public" + type = "public" + zone_type = "public" dns_provider_name = var.dns_provider_name - domain_filters = module.dns.public_zone_name - zone_id_filter = module.dns.public_zone_id - policy = var.policy - sources = var.sources - aws_region = var.aws_region - aws_iam_role_arn = module.external_dns_iam.nullplatform_external_dns_role_arn + domain_filters = module.dns.public_zone_name + zone_id_filter = module.dns.public_zone_id + policy = var.policy + sources = var.sources + aws_region = var.aws_region + aws_iam_role_arn = module.external_dns_iam.nullplatform_external_dns_role_arn } module "external_dns_private" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.5.2" depends_on = [module.alb_controller, module.external_dns_public] 
@@ -192,39 +192,39 @@ module "external_dns_private" { # Cert Manager ############################################################################### module "cert_manager" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.5.2" depends_on = [module.alb_controller] - cloud_provider = var.cloud_provider - aws_sa_arn = module.cert_manager_iam.nullplatform_cert_manager_role_arn - hosted_zone_name = module.dns.public_zone_name + cloud_provider = var.cloud_provider + aws_sa_arn = module.cert_manager_iam.nullplatform_cert_manager_role_arn + hosted_zone_name = module.dns.public_zone_name private_domain_name = module.dns.private_zone_name - account_slug = var.organization_slug - aws_region = var.aws_region + account_slug = var.organization_slug + aws_region = var.aws_region } ############################################################################### # Security ############################################################################### module "security" { - source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.5.2" depends_on = [module.eks] - cluster_name = module.eks.eks_cluster_name - vpc_id = module.vpc.vpc_id - health_check_rules_enabled = true - gateway_internal_enabled = true - cluster_security_group_id = module.eks.eks_cluster_primary_security_group_id - gateway_port = 443 + cluster_name = module.eks.eks_cluster_name + vpc_id = module.vpc.vpc_id + health_check_rules_enabled = true + gateway_internal_enabled = true + cluster_security_group_id = module.eks.eks_cluster_primary_security_group_id + gateway_port = 443 } ############################################################################### # Nullplatform Agent API Key 
############################################################################### module "agent_api_key" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.5.2" nrn = var.nrn type = "agent" @@ -234,10 +234,10 @@ module "agent_api_key" { # Nullplatform Base ############################################################################### module "base" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v4.5.2" - np_api_key = module.agent_api_key.api_key - k8s_provider = var.k8s_provider + np_api_key = module.agent_api_key.api_key + k8s_provider = var.k8s_provider gateway_public_aws_security_group_id = module.security.public_gateway_security_group_id gateway_private_aws_security_group_id = module.security.private_gateway_security_group_id gateway_enabled = true @@ -245,15 +245,15 @@ module "base" { gateway_public_aws_name = "k8s-np-aws-services-public" gateway_internal_aws_name = "k8s-np-aws-services-int" - metrics_server_enabled = true - + metrics_server_enabled = true + } ############################################################################### # Nullplatform Agent ############################################################################### module "agent" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v4.5.2" depends_on = [module.base] 
@@ -277,13 +277,6 @@ module "agent" { "https://github.com/nullplatform/services-postgresql-k-8-s.git#proposal/align-with-services-s-3", "https://github.com/nullplatform/scopes-lambda.git#feature/assume-role-support" ] - - # Account defaults for the Lambda scope, consumed by the scope's - # assume-role resolution (fallback level 4) and placeholder bootstrap. - extra_envs = { - ASSUME_ROLE_ARN_DEFAULT = aws_iam_role.nullplatform_lambda.arn - PLACEHOLDER_IMAGE_URI_DEFAULT = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/aws-lambda/nullplatform-lambda-placeholder:latest-amd64" - } } ############################################################################### @@ -302,8 +295,8 @@ resource "aws_s3_bucket_policy" "static" { Version = "2012-10-17" Statement = [ { - Sid = "AllowCloudFrontServicePrincipalReadOnly" - Effect = "Allow" + Sid = "AllowCloudFrontServicePrincipalReadOnly" + Effect = "Allow" Principal = { Service = "cloudfront.amazonaws.com" } diff --git a/infrastructure/aws/outputs.tf b/infrastructure/aws/outputs.tf index dde35af..434fc46 100644 --- a/infrastructure/aws/outputs.tf +++ b/infrastructure/aws/outputs.tf @@ -53,4 +53,5 @@ output "ecr_build_workflow_access_key_secret" { output "lambda_assume_role_arn" { description = "ARN of the Lambda assume-role; consumed by nullplatform-bindings to publish the AWS IAM provider (selector \"lambda\")" value = aws_iam_role.nullplatform_lambda.arn -} \ No newline at end of file +} + diff --git a/nullplatform-bindings/locals.tf b/nullplatform-bindings/locals.tf index 2abc183..68dbc21 100644 --- a/nullplatform-bindings/locals.tf +++ b/nullplatform-bindings/locals.tf 
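Review bot: Removing `extra_envs` drops the `ASSUME_ROLE_ARN_DEFAULT` value that the deleted comment described as "fallback level 4" of the Lambda scope's assume-role resolution; the replacement is the `identity_access_control` provider in nullplatform-bindings, which lives in a different root module with no dependency edge to this one, so an agent rolled out before the bindings layer is applied has no fallback. A comment next to the `scopes-lambda.git#feature/assume-role-support` entry, e.g. `# Lambda assume-role is resolved from the AWS IAM provider (nullplatform-bindings/main.tf); there is no env fallback`, records where the value now comes from and the ordering it assumes. The enclosing `module "agent"` block starts above the hunk.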
@@ -25,9 +25,9 @@ locals { service_specification_slug_aws_s3_bucket = local.service_specs["aws_s3_bucket"].slug service_specification_slug_postgres_db = local.service_specs["postgres_db_k8s"].slug - vpc_id = data.terraform_remote_state.infrastructure[0].outputs.vpc_id - vpc_subnets_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_subnets_ids - vpc_security_groups_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_security_groups_ids + vpc_id = data.terraform_remote_state.infrastructure[0].outputs.vpc_id + vpc_subnets_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_subnets_ids + vpc_security_groups_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_security_groups_ids # ECR IAM (created by infrastructure/aws module "ecr_iam", consumed by asset_repository) ecr_application_role_arn = data.terraform_remote_state.infrastructure[0].outputs.ecr_application_role_arn diff --git a/nullplatform-bindings/main.tf b/nullplatform-bindings/main.tf index 3b9d981..7d5b5b9 100644 --- a/nullplatform-bindings/main.tf +++ b/nullplatform-bindings/main.tf @@ -2,7 +2,7 @@ # Code Repository (GitHub) # ============================================================================= module "code_repository" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/code_repository?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/code_repository?ref=v4.5.2" git_provider = "github" nrn = var.nrn @@ -14,7 +14,7 @@ module "code_repository" { # Asset Repository (ECR) # ============================================================================= module "asset_repository" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/asset/ecr?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/asset/ecr?ref=v4.5.2" nrn = var.nrn application_role_arn = local.ecr_application_role_arn 
@@ -36,7 +36,7 @@ module "asset_s3" { # Cloud Provider (AWS) # ============================================================================= module "cloud_provider" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/cloud/aws/cloud?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/cloud/aws/cloud?ref=v4.5.2" nrn = var.nrn domain_name = local.domain_name @@ -53,7 +53,7 @@ module "cloud_provider" { # assume-role created in infrastructure/aws (read via remote state). # ============================================================================= module "identity_access_control" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/identity-access-control?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/identity-access-control?ref=v4.5.2" nrn = var.nrn @@ -74,7 +74,7 @@ module "identity_access_control" { # (scope_notification and service_notification keys, keyed by scope/service slug). # ============================================================================= module "notification_api_keys" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.5.2" for_each = local.notification_api_keys_catalog type = each.value.type @@ -89,7 +89,7 @@ module "notification_api_keys" { # api_key wires by each.key to module.notification_api_keys. # ============================================================================= module "scope_channel_associations" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition_agent_association?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition_agent_association?ref=v4.5.2" for_each = local.scope_channel_associations_catalog nrn = var.nrn 
@@ -111,7 +111,7 @@ module "scope_channel_associations" { # ///entrypoint/entrypoint # ============================================================================= module "service_channel_associations" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.5.2" for_each = local.service_channel_associations_catalog nrn = var.nrn @@ -123,7 +123,7 @@ module "service_channel_associations" { } module "vpc" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/cloud/aws/vpc?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/cloud/aws/vpc?ref=v4.5.2" nrn = var.nrn vpc_id = local.vpc_id @@ -136,7 +136,7 @@ module "vpc" { # Monitoring (Prometheus) # ============================================================================= module "monitoring_provider" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/metrics?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/metrics?ref=v4.5.2" - nrn = var.nrn + nrn = var.nrn } diff --git a/nullplatform/main.tf b/nullplatform/main.tf index 57d5d79..4c9a73a 100644 --- a/nullplatform/main.tf +++ b/nullplatform/main.tf @@ -6,7 +6,7 @@ # version per environment from terraform.tfvars (var.scope_definitions). # ============================================================================= module "scope_definitions" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_definition?ref=v4.5.2" for_each = local.scope_definitions_enabled nrn = var.nrn 
@@ -32,7 +32,7 @@ module "scope_definitions" { # One module instance per enabled entry in local.service_definitions_enabled. # ============================================================================= module "service_definitions" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.5.2" for_each = local.service_definitions_enabled nrn = var.nrn @@ -49,7 +49,7 @@ module "service_definitions" { # Scope Configuration - Static Scope # ============================================================================= module "scope_configuration_static_scope" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_configuration?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_configuration?ref=v4.5.2" nrn = var.nrn np_api_key = var.np_api_key @@ -83,6 +83,31 @@ module "scope_configuration_static_scope" { } } + +# ============================================================================= +# Scope Configuration - Lambda +# ============================================================================= +module "scope_configuration_lambda" { + + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/scope_configuration?ref=v4.5.2" + + nrn = var.nrn + np_api_key = var.np_api_key + provider_specification_slug = module.scope_definitions["aws_lambda"].provider_specification_slug + dimensions = { + environment = "development" + } + + attributes = { + state = { + tofu_state_bucket = "tf-state-0269fb2df210b43c" + } + deployment = { + placeholder_image_uri = "235494813897.dkr.ecr.us-east-1.amazonaws.com/aws-lambda/nullplatform-lambda-placeholder:latest-amd64" + } + } +} + # ============================================================================= # Dimensions # 
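Review bot: `tofu_state_bucket = "tf-state-0269fb2df210b43c"` points the Lambda scope's per-deployment state at the same bucket that infrastructure/aws/backend.tf uses for the root `infrastructure.tfstate`, which holds the build workflow secret access key in plaintext (`sensitive = true` only affects display). Whatever role the scope uses for that state then needs read/write on a bucket containing the platform's root state; a dedicated bucket, or at minimum a distinct key prefix with that role's `s3:` grants limited to the prefix, keeps the blast radius of a scope deployment away from the infrastructure state. The literal `235494813897.dkr.ecr.us-east-1.amazonaws.com/aws-lambda/nullplatform-lambda-placeholder:latest-amd64` also replaces the removed `extra_envs` value that was derived from `data.aws_caller_identity.current.account_id` and `var.aws_region`; if this layer has no caller-identity data source, take the URI from a variable or a remote-state output so the account ID is not committed. The empty line directly after `module "scope_configuration_lambda" {` is a style nit that the other module blocks in this file do not have.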
@@ -91,7 +116,7 @@ module "scope_configuration_static_scope" { # environment from terraform.tfvars (var.dimensions). # ============================================================================= module "dimensions" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/dimension?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/dimension?ref=v4.5.2" for_each = local.dimensions_enabled nrn = var.nrn @@ -102,7 +127,7 @@ module "dimensions" { # Extra value for the Environment dimension, scoped to a specific namespace. module "dimension_value_environment_produccion_only" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/dimension_value?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/dimension_value?ref=v4.5.2" dimension_id = module.dimensions["environment"].id name = "produccion-only" diff --git a/rds-setup.tf b/rds-setup.tf index 264832d..bb595e5 100644 --- a/rds-setup.tf +++ b/rds-setup.tf @@ -162,7 +162,7 @@ resource "aws_iam_policy" "nullplatform_rds_secretsmanager_policy" { # --- Service Definitions ----------------------------------------------------- module "service_definition_rds_server" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.5.2" nrn = var.nrn repository_org = "nullplatform" @@ -173,7 +173,7 @@ module "service_definition_rds_server" { } module "service_definition_rds_db" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition?ref=v4.5.2" nrn = var.nrn repository_org = "nullplatform" 
@@ -221,7 +221,7 @@ output "service_specification_id_rds_db" { # --- API Keys ---------------------------------------------------------------- module "service_notification_api_key_rds_server" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.5.2" type = "service_notification" nrn = var.nrn @@ -229,7 +229,7 @@ module "service_notification_api_key_rds_server" { } module "service_notification_api_key_rds_db" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.5.2" type = "service_notification" nrn = var.nrn @@ -239,7 +239,7 @@ module "service_notification_api_key_rds_db" { # --- Channel Associations (Service to Agent) --------------------------------- module "service_definition_channel_association_rds_server" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.5.2" nrn = var.nrn api_key = module.service_notification_api_key_rds_server.api_key @@ -250,7 +250,7 @@ module "service_definition_channel_association_rds_server" { } module "service_definition_channel_association_rds_db" { - source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.3.0" + source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/service_definition_agent_association?ref=v4.5.2" nrn = var.nrn api_key = module.service_notification_api_key_rds_db.api_key