Assignee policy

connector-deployment/connector.tf

@@ -0,0 +1,63 @@
+#
+#  Copyright (c) 2024 Metaform Systems, Inc.
+#
+#  This program and the accompanying materials are made available under the
+#  terms of the Apache License, Version 2.0 which is available at
+#  https://www.apache.org/licenses/LICENSE-2.0
+#
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  Contributors:
+#       Metaform Systems, Inc. - initial API and implementation
+#
+
+# This file deploys all the components needed for the consumer side of the scenario,
+# i.e. the connector, an identityhub and a vault.
+
+#
+resource "kubernetes_namespace_v1" "ns_participant" {
+  metadata {
+    name = var.participant
+  }
+}
+
+# connector
+module "participant-connector" {
+  source            = "./modules/connector"
+  humanReadableName = var.participant
+  participantId     = local.participant-did
+  database = {
+    user     = var.participant
+    password = random_password.participant_password.result
+    url      = local.database_url
+  }
+  vault-url     = local.vault_url
+  namespace     = kubernetes_namespace_v1.ns_participant.metadata.0.name
+  sts-token-url = "${module.participant-identityhub.sts-token-url}/token"
+  useSVE        = var.useSVE
+}
+
+# consumer identity hub
+module "participant-identityhub" {
+  depends_on        = [module.participant-vault]
+  source            = "./modules/identity-hub"
+  credentials-dir   = dirname("./assets/credentials/k8s/consumer/") # To~Do
+  humanReadableName = "${var.participant}-identityhub"
+  participantId     = local.participant-did
+  vault-url         = local.vault_url
+  service-name      = var.participant
+  database = {
+    user     = var.participant
+    password = random_password.participant_password.result
+    url      = local.database_url
+  }
+  namespace = kubernetes_namespace_v1.ns_participant.metadata.0.name
+  useSVE    = var.useSVE
+}
+
+# participant vault
+module "participant-vault" {
+  source            = "./modules/vault"
+  humanReadableName = "${var.participant}-vault"
+  namespace         = kubernetes_namespace_v1.ns_participant.metadata.0.name
+}

connector-deployment/database.tf

@@ -0,0 +1,46 @@
+resource "random_password" "participant_password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&()-_=+[]{}<>?"
+}
+
+provider "postgresql" {
+  host            = var.postgres_endpoint
+  port            = var.postgres_port
+  database        = "participants"
+  username        = "dbadmin"
+  password        = var.postgres_admin_password
+  sslmode         = "require"
+  connect_timeout = 15
+  superuser       = false
+}
+
+resource "postgresql_role" "participant_user" {
+  name     = var.participant
+  login    = true
+  password = random_password.participant_password.result
+}
+
+resource "postgresql_database" "participant_database" {
+  name              = var.participant
+  owner             = postgresql_role.participant_user.name
+  lc_collate        = "en_US.UTF-8"
+  lc_ctype          = "en_US.UTF-8"
+  template          = "template0"
+  allow_connections = true
+}
+
+resource "postgresql_grant" "db_privs" {
+  database    = postgresql_database.participant_database.name
+  role        = postgresql_role.participant_user.name
+  object_type = "database"
+  privileges  = ["CONNECT", "CREATE", "TEMPORARY"]
+}
+
+resource "postgresql_grant" "schema_privs" {
+  database    = postgresql_database.participant_database.name
+  role        = postgresql_role.participant_user.name
+  schema      = "public"
+  object_type = "schema"
+  privileges  = ["CREATE", "USAGE"]
+}

connector-deployment/kms.tf

@@ -0,0 +1,7 @@
+module "kms" {
+  source      = "./modules/kms"
+  environment = var.environment
+  project     = "kordat"
+  alias       = "${var.participant}-key"
+  role        = "kms"
+}

connector-deployment/locals.tf

@@ -0,0 +1,5 @@
+locals {
+    participant-did = "did:web:${var.participant}-identityhub%3A7083:${var.participant}"
+    database_url = "jdbc:postgresql://${var.postgres_endpoint}:${var.postgres_port}/${var.participant}"
+    vault_url = "http://${var.participant}-vault:8200"
+}

deployment/modules/connector/controlplane.tf → connector-deployment/modules/connector/controlplane.tf

@@ -44,8 +44,8 @@ resource "kubernetes_deployment" "controlplane" {
       spec {
         container {
           name              = "connector-${lower(var.humanReadableName)}"
-          image             = "controlplane:latest"
-          image_pull_policy = "Never"
+          image             = "150073872684.dkr.ecr.eu-west-1.amazonaws.com/kordat-dev-controlplane:latest"
+          image_pull_policy = "IfNotPresent"
 
           env_from {
             config_map_ref {

deployment/modules/connector/dataplane.tf → connector-deployment/modules/connector/dataplane.tf

@@ -46,8 +46,8 @@ resource "kubernetes_deployment" "dataplane" {
       spec {
         container {
           name              = "dataplane-${lower(var.humanReadableName)}"
-          image             = "dataplane:latest"
-          image_pull_policy = "Never"
+          image             = "150073872684.dkr.ecr.eu-west-1.amazonaws.com/kordat-dev-dataplane:latest"
+          image_pull_policy = "IfNotPresent"
 
           env_from {
             config_map_ref {

deployment/modules/identity-hub/main.tf → connector-deployment/modules/identity-hub/main.tf

@@ -37,8 +37,8 @@ resource "kubernetes_deployment" "identityhub" {
 
       spec {
         container {
-          image_pull_policy = "Never"
-          image             = "identity-hub:latest"
+          image_pull_policy = "IfNotPresent"
+          image             = "150073872684.dkr.ecr.eu-west-1.amazonaws.com/kordat-dev-identity-hub:latest"
           name              = "identity-hub"
 
           env_from {

connector-deployment/modules/kms/README.md

@@ -0,0 +1,44 @@
+# kms
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.master_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.master_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key_policy.master_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_alias"></a> [alias](#input\_alias) | KMS alias | `string` | `""` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment (dev\|pre\|pro) | `string` | n/a | yes |
+| <a name="input_policy"></a> [policy](#input\_policy) | KMS policy | `string` | `""` | no |
+| <a name="input_project"></a> [project](#input\_project) | Project | `string` | n/a | yes |
+| <a name="input_role"></a> [role](#input\_role) | Role into the product | `string` | `"kms"` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags to use | `map(any)` | `{}` | no |
+| <a name="input_tenant"></a> [tenant](#input\_tenant) | Tenant name | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_key_arn"></a> [key\_arn](#output\_key\_arn) | n/a |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | n/a |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

connector-deployment/modules/kms/input.tf

@@ -0,0 +1,25 @@
+# Common variables
+variable "environment" {
+  type        = string
+  description = "Environment (dev|pre|pro)"
+}
+variable "role" {
+  type        = string
+  description = "Role into the product"
+  default     = "kms"
+}
+variable "project" {
+  type        = string
+  description = "Project"
+}
+variable "tags" {
+  type        = map(any)
+  description = "Tags to use"
+  default     = {}
+}
+
+# Config vars
+variable "alias" {
+  type        = string
+  description = "KMS alias"
+}

connector-deployment/modules/kms/kms.tf

@@ -0,0 +1,52 @@
+# Current AWS account
+data "aws_caller_identity" "current" {}
+
+# Create and name kms key
+resource "aws_kms_key" "master_key" {
+  deletion_window_in_days = 15
+  enable_key_rotation     = true
+}
+
+resource "aws_kms_alias" "master_key_alias" {
+  name          = "alias/${var.alias}"
+  target_key_id = aws_kms_key.master_key.key_id
+}
+
+resource "aws_kms_key_policy" "master_key_policy" {
+  key_id = aws_kms_key.master_key.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      # Admin de la key (tu cuenta)
+      {
+        Sid      = "AllowAccountAdmin"
+        Effect   = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      # Permitir a S3 usar la key para este bucket (vía servicio s3 y en tu cuenta)
+      {
+        Sid    = "AllowS3UseOfKey"
+        Effect = "Allow"
+        Principal = { Service = "s3.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:CallerAccount" = data.aws_caller_identity.current.account_id
+          }
+          StringLike = {
+            "kms:ViaService" = "s3.eu-west-1.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+}

connector-deployment/modules/kms/output.tf

@@ -0,0 +1,6 @@
+output "key_id" {
+  value = aws_kms_key.master_key.key_id
+}
+output "key_arn" {
+  value = aws_kms_key.master_key.arn
+}

connector-deployment/modules/s3_bucket/README.md

@@ -0,0 +1,79 @@
+# S3 Bucket Module
+
+Creates a S3 bucket and configure the acl, versioning, encryption and objects ownership.
+
+## How to use
+Include this code in your `main.tf`:
+
+```
+module "example_bucket" {
+  source            = "./modules/s3_bucket"
+  project           = var.project
+  environment       = var.environment
+  role              = "Descriptive functionality"
+  bucket_name       = "The name of the bucket"
+  object_ownership  = "ObjectWriter"
+  object_expiration = 90 # Days
+  acl               = "private"
+  versioning        = "Enabled"
+  encryption        = true
+}
+```
+
+## Outputs
+The name and arn of the new s3 bucket created
+```
+module.example_bucket.bucket_name
+module.example_bucket.bucket_arn
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.bucket_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_cors_configuration.cors_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_cors_configuration) | resource |
+| [aws_s3_bucket_lifecycle_configuration.lifecycle_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
+| [aws_s3_bucket_ownership_controls.bucket_ownership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.bucket_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.bucket_versioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_acl"></a> [acl](#input\_acl) | Bucket Acl | `string` | `"private"` | no |
+| <a name="input_application"></a> [application](#input\_application) | Role into the product | `string` | n/a | yes |
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Bucket Name | `string` | n/a | yes |
+| <a name="input_cors"></a> [cors](#input\_cors) | CORS configuration | <pre>object({<br/>    apply           = bool<br/>    allowed_headers = list(string)<br/>    allowed_methods = list(string)<br/>    allowed_origins = list(string)<br/>    expose_headers  = list(string)<br/>  })</pre> | <pre>{<br/>  "allowed_headers": [],<br/>  "allowed_methods": [],<br/>  "allowed_origins": [],<br/>  "apply": false,<br/>  "expose_headers": []<br/>}</pre> | no |
+| <a name="input_encryption"></a> [encryption](#input\_encryption) | Bucket Encryption | `string` | `true` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | Environment (dev\|pre\|pro) | `string` | n/a | yes |
+| <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | JSON containing rules for lifecycle | <pre>list(object({<br/>    id     = string<br/>    status = string<br/>    prefix = string<br/>    transitions = list(object({<br/>      days          = number<br/>      storage_class = string<br/>    }))<br/>    expiration = number<br/>  }))</pre> | `[]` | no |
+| <a name="input_object_ownership"></a> [object\_ownership](#input\_object\_ownership) | Bucket Objects ownership | `string` | `"ObjectWriter"` | no |
+| <a name="input_project"></a> [project](#input\_project) | project name | `string` | n/a | yes |
+| <a name="input_versioning"></a> [versioning](#input\_versioning) | Bucket Versioning | `string` | `"Disabled"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_bucket_arn"></a> [bucket\_arn](#output\_bucket\_arn) | n/a |
+| <a name="output_bucket_id"></a> [bucket\_id](#output\_bucket\_id) | n/a |
+| <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | n/a |
+<!-- END_TF_DOCS -->