From 5615e2f3ccb0b260900a682a95636d013a22baf7 Mon Sep 17 00:00:00 2001 From: Khalim Conn-Kowlessar Date: Thu, 31 Aug 2023 10:15:51 +0100 Subject: [PATCH 1/5] created s3 module for terraform --- infrastructure/terraform/main.tf | 55 +++++++++++-------- infrastructure/terraform/modules/s3/main.tf | 32 +++++++++++ .../terraform/modules/s3/outputs.tf | 4 ++ .../terraform/modules/s3/variables.tf | 13 +++++ 4 files changed, 80 insertions(+), 24 deletions(-) create mode 100644 infrastructure/terraform/modules/s3/main.tf create mode 100644 infrastructure/terraform/modules/s3/outputs.tf create mode 100644 infrastructure/terraform/modules/s3/variables.tf diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf index 95fa5e06..67df1bcd 100644 --- a/infrastructure/terraform/main.tf +++ b/infrastructure/terraform/main.tf @@ -6,10 +6,10 @@ terraform { } } backend "s3" { - bucket = "assessment-model-terraform-state" - region = "eu-west-2" - profile="DevAdmin" - key = "terraform.tfstate" + bucket = "assessment-model-terraform-state" + region = "eu-west-2" + profile = "DevAdmin" + key = "terraform.tfstate" } required_version = ">= 1.2.0" @@ -22,8 +22,8 @@ provider "aws" { # Additional provider for resources that need to be in us-east-1, specifically the SSL certificate provider "aws" { - alias = "aws_use1" - region = "us-east-1" + alias = "aws_use1" + region = "us-east-1" } # Assuming the secret is already created and the name is "/assessment_model/db_credentials" 
@@ -56,23 +56,23 @@ resource "aws_security_group" "allow_db" { } egress { - from_port = 0 - to_port = 0 - protocol = "-1" + from_port = 0 + to_port = 0 + protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } resource "aws_db_instance" "default" { - allocated_storage = var.allocated_storage - engine = "postgres" - engine_version = "14.7" - instance_class = var.instance_class - db_name = var.database_name - username = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_username"] - password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"] - parameter_group_name = "default.postgres14" - skip_final_snapshot = true + allocated_storage = var.allocated_storage + engine = "postgres" + engine_version = "14.7" + instance_class = var.instance_class + db_name = var.database_name + username = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_username"] + password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"] + parameter_group_name = "default.postgres14" + skip_final_snapshot = true vpc_security_group_ids = [aws_security_group.allow_db.id] lifecycle { prevent_destroy = true 
@@ -85,23 +85,30 @@ resource "aws_db_instance" "default" { # Set up the bucket that recieve the csv uploads of properties to be retrofit module "s3_presignable_bucket" { - source = "./modules/s3_presignable_bucket" - environment = var.stage + source = "./modules/s3_presignable_bucket" + environment = var.stage + allowed_origins = var.allowed_origins +} + +module "s3_presignable_bucket" { + source = "./modules/s3_presignable_bucket" + name = "data-lake-${var.stage}" + environment = var.stage allowed_origins = var.allowed_origins } # Set up the route53 record for the API module "route53" { - source = "./modules/route53" - domain_name = var.domain_name + source = "./modules/route53" + domain_name = var.domain_name api_url_prefix = var.api_url_prefix - providers = { + providers = { aws.aws_use1 = aws.aws_use1 } } # Create an ECR repository for storage of the lambda's docker images module "ecr" { - source = "./modules/ecr" + source = "./modules/ecr" environment = var.stage } diff --git a/infrastructure/terraform/modules/s3/main.tf b/infrastructure/terraform/modules/s3/main.tf new file mode 100644 index 00000000..e2dfb6d9 --- /dev/null +++ b/infrastructure/terraform/modules/s3/main.tf @@ -0,0 +1,32 @@ +resource "aws_s3_bucket" "bucket" { + bucket = "${var.bucketname}" + acl = "private" + + # cors_rule { + # allowed_headers = ["Content-Type", "Authorization"] + # allowed_methods = ["PUT"] + # allowed_origins = var.allowed_origins + # expose_headers = ["ETag"] + # max_age_seconds = 3000 + # } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } + } + + lifecycle { + prevent_destroy = true + } +} + +resource "aws_s3_bucket_public_access_block" "block_public" { + bucket = aws_s3_bucket.bucket.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} 
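Review bot: `acl = "private"` and the inline `server_side_encryption_configuration` on `aws_s3_bucket` in modules/s3/main.tf are the provider-v3 form; if the `required_providers` constraint (outside this hunk) pins aws 4.x or later they are deprecated, and the explicit PutBucketAcl can fail with AccessControlListNotSupported on newly created buckets, which now default to BucketOwnerEnforced ownership. The `aws_s3_bucket_public_access_block` in the same file already blocks public ACLs, so the `acl` line adds nothing and can go, and `bucket = "${var.bucketname}"` should simply be `bucket = var.bucketname`. `prevent_destroy` protects the bucket resource, not its objects, so an upload landing bucket with no `aws_s3_bucket_versioning` has no recovery path for an overwritten or deleted CSV; enabling versioning (or a comment saying why it is off) is worth adding, and a bucket policy denying `aws:SecureTransport = false` is the usual companion to SSE. Sketch of the split, assuming provider >= 4:
```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = var.bucketname

  lifecycle {
    prevent_destroy = true
  }
}

# Default encryption, as a standalone resource (provider >= 4 form).
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Keep prior object versions so an overwritten/deleted upload can be recovered.
resource "aws_s3_bucket_versioning" "bucket" {
  bucket = aws_s3_bucket.bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# … unchanged: aws_s3_bucket_public_access_block "block_public" …
```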
diff --git a/infrastructure/terraform/modules/s3/outputs.tf b/infrastructure/terraform/modules/s3/outputs.tf new file mode 100644 index 00000000..a5e7ddb4 --- /dev/null +++ b/infrastructure/terraform/modules/s3/outputs.tf @@ -0,0 +1,4 @@ +output "bucket_name" { + description = "The name of the S3 bucket" + value = aws_s3_bucket.bucket.bucket +} diff --git a/infrastructure/terraform/modules/s3/variables.tf b/infrastructure/terraform/modules/s3/variables.tf new file mode 100644 index 00000000..ff0fc221 --- /dev/null +++ b/infrastructure/terraform/modules/s3/variables.tf @@ -0,0 +1,13 @@ +variable "bucketname" { + description = "The name of the bucket to create" + type = string +} + +# Between production and development, we need to specify the +# allowed origins for CORS differently. This variable is set to allow +# us to generate pre-signed urls and in development, we want to be able to +# do so from localhost. +variable "allowed_origins" { + description = "Allowed origins for CORS" + type = list(string) +} \ No newline at end of file From eb852a06106d36c18a065521ed1047b5707bfd93 Mon Sep 17 00:00:00 2001 From: Khalim Conn-Kowlessar Date: Thu, 31 Aug 2023 10:37:05 +0100 Subject: [PATCH 2/5] change duplicated bucket module --- infrastructure/terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf index 67df1bcd..7ad8075d 100644 --- a/infrastructure/terraform/main.tf +++ b/infrastructure/terraform/main.tf @@ -90,8 +90,8 @@ module "s3_presignable_bucket" { allowed_origins = var.allowed_origins } -module "s3_presignable_bucket" { - source = "./modules/s3_presignable_bucket" +module "s3" { + source = "./modules/s3" name = "data-lake-${var.stage}" environment = var.stage allowed_origins = var.allowed_origins From b3697d32fb36c35c4d4b74f540001d3774fb1bf9 Mon Sep 17 00:00:00 2001 
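Review bot: `allowed_origins` in modules/s3/variables.tf is declared but nothing in the module reads it — its only reference is the `cors_rule` that modules/s3/main.tf leaves commented out — so every caller is forced to pass a value that is silently ignored. Either drop the variable until CORS is re-enabled or give it `default = []`, and reword the comment, which is misleading because CORS has no part in generating pre-signed URLs, only in whether a browser on a listed origin may use them: `# Origins a browser may PUT from when using a pre-signed URL; localhost origins in development.` `bucketname` also has no `validation` block, so a name that breaks S3 naming rules (uppercase, over 63 characters) is only rejected at apply time; `condition = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.bucketname))` inside a `validation` block would catch it at plan. The file is also missing its trailing newline, which `terraform fmt` will keep re-adding.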
From: Khalim Conn-Kowlessar Date: Thu, 31 Aug 2023 10:41:40 +0100 Subject: [PATCH 3/5] fixed bucketname arg --- infrastructure/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf index 7ad8075d..624a43d4 100644 --- a/infrastructure/terraform/main.tf +++ b/infrastructure/terraform/main.tf @@ -92,7 +92,7 @@ module "s3_presignable_bucket" { module "s3" { source = "./modules/s3" - name = "data-lake-${var.stage}" + bucketname = "data-lake-${var.stage}" environment = var.stage allowed_origins = var.allowed_origins } From 5064ea0a10ab83d9ecc221d7ca76dad26bd5f08c Mon Sep 17 00:00:00 2001 From: Khalim Conn-Kowlessar Date: Thu, 31 Aug 2023 10:44:40 +0100 Subject: [PATCH 4/5] remove unused variables in s3 terraform --- infrastructure/terraform/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf index 624a43d4..5ea7745b 100644 --- a/infrastructure/terraform/main.tf +++ b/infrastructure/terraform/main.tf @@ -93,7 +93,6 @@ module "s3_presignable_bucket" { module "s3" { source = "./modules/s3" bucketname = "data-lake-${var.stage}" - environment = var.stage allowed_origins = var.allowed_origins } From 0bd00529344820c484b6a5a594f67810d2246d3b Mon Sep 17 00:00:00 2001 From: Khalim Conn-Kowlessar Date: Thu, 31 Aug 2023 10:46:53 +0100 Subject: [PATCH 5/5] changing bucketname due to global clash --- infrastructure/terraform/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf index 5ea7745b..81f23f63 100644 --- a/infrastructure/terraform/main.tf +++ b/infrastructure/terraform/main.tf @@ -92,7 +92,7 @@ module "s3_presignable_bucket" { module "s3" { source = "./modules/s3" - bucketname = "data-lake-${var.stage}" + bucketname = "retrofit-datalake-${var.stage}" allowed_origins = var.allowed_origins }
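Review bot: Swapping the prefix to `retrofit-datalake-${var.stage}` sidesteps this one collision, but S3 bucket names are global, so the next stage name (or another deployment of this repo) can clash just the same. Including the account id makes the name collision-free per account, e.g. `bucketname = "retrofit-datalake-${var.stage}-${data.aws_caller_identity.current.account_id}"` with `data "aws_caller_identity" "current" {}` declared alongside in main.tf. Note that the module creates the bucket with `prevent_destroy = true` and `bucket` is a replace-on-change argument, so any later rename will be refused at plan; a comment on this line such as `# Bucket name is effectively fixed once applied (prevent_destroy); choose it carefully.` would save the next person a surprise.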