diff --git a/.gitignore b/.gitignore index 02391594..a229d1e0 100644 --- a/.gitignore +++ b/.gitignore @@ -23,4 +23,5 @@ test.py .idea **/wandb/* -policy.json \ No newline at end of file +policy.json +results.json diff --git a/.tflint.hcl b/.tflint.hcl index 22c4bb2e..246db036 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -4,6 +4,6 @@ config { plugin "aws" { enabled = true - version = "0.7.2" + version = "0.26.0" source = "github.com/terraform-linters/tflint-ruleset-aws" -} \ No newline at end of file +} diff --git a/Makefile b/Makefile new file mode 100644 index 00000000..1be0b8b6 --- /dev/null +++ b/Makefile @@ -0,0 +1,28 @@ +.DEFAULT_GOAL := help + +.PHONY: format +format: ## Terraform Format + terraform fmt --recursive + +.PHONY: lint +lint: ## Terraform lint + tflint --init --recursive --config .tflint.hcl + +.PHONY: docs +docs: ## Update terraform docs + terraform-docs -c .terraform-docs.yml . --recursive + +.PHONY: sast +sast: ## Run SAST scan on terraform + docker run -t -v ${PWD}:/path checkmarx/kics:latest scan -p /path -o "/path/" + +.PHONY: help +help: ## Shows all targets and help from the Makefile (this message). + @grep --no-filename -E '^([a-z.A-Z_%-/]+:.*?)##' $(MAKEFILE_LIST) | sort | \ + awk 'BEGIN {FS = ":.*?(## ?)"}; { \ + if (length($$1) > 0) { \ + printf " \033[36m%-30s\033[0m %s\n", $$1, $$2; \ + } else { \ + printf "%s\n", $$2; \ + } \ + }' diff --git a/README.md b/README.md index ea2c2379..4ac5065b 100644 --- a/README.md +++ b/README.md @@ -115,15 +115,15 @@ Upgrades must be executed in step-wise fashion from one version to the next. You | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | ~> 4.6 | +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 4.0 | | [kubernetes](#requirement\_kubernetes) | ~> 2.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 4.6 | +| [aws](#provider\_aws) | 4.67.0 | ## Modules 
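Review bot: The new `sast` target in the Makefile runs `checkmarx/kics:latest`, so every invocation executes whatever image currently carries that tag, with the repository bind-mounted read-write at `/path`. Pin the scanner to a release tag plus digest, for example `checkmarx/kics:PINNED_VERSION@sha256:IMAGE_DIGEST` (placeholders; the page names no version), so scans are reproducible and a retagged image cannot modify the working tree unnoticed. The report is written into the repo root through `-o "/path/"`, which is presumably why `results.json` was added to `.gitignore`. Mounting a separate output directory would let the source mount be read-only, e.g. `-v ${PWD}:/path:ro`.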
@@ -157,26 +157,23 @@ Upgrades must be executed in step-wise fashion from one version to the next. You | [create\_bucket](#input\_create\_bucket) | ######################################### External Bucket # ######################################### Most users will not need these settings. They are ment for users who want a bucket and sqs that are in a different account. | `bool` | `true` | no | | [create\_elasticache](#input\_create\_elasticache) | Boolean indicating whether to provision an elasticache instance (true) or not (false). | `bool` | `true` | no | | [create\_vpc](#input\_create\_vpc) | Boolean indicating whether to deploy a VPC (true) or not (false). | `bool` | `true` | no | -| [database\_binlog\_format](#input\_database\_binlog\_format) | Specifies the binlog\_format value to set for the database | `string` | `"ROW"` | no | | [database\_engine\_version](#input\_database\_engine\_version) | Version for MySQL Auora | `string` | `"8.0.mysql_aurora.3.03.0"` | no | -| [database\_innodb\_lru\_scan\_depth](#input\_database\_innodb\_lru\_scan\_depth) | Specifies the innodb\_lru\_scan\_depth value to set for the database | `number` | `128` | no | | [database\_instance\_class](#input\_database\_instance\_class) | Instance type to use by database master instance. 
| `string` | `"db.r5.large"` | no | | [database\_master\_username](#input\_database\_master\_username) | Specifies the master\_username value to set for the database | `string` | `"wandb"` | no | | [database\_name](#input\_database\_name) | Specifies the name of the database | `string` | `"wandb_local"` | no | -| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | n/a | yes | +| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | `null` | no | | [database\_snapshot\_identifier](#input\_database\_snapshot\_identifier) | Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot | `string` | `null` | no | | [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no | | [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / S3 can't be deleted when this value is set to `true`. | `bool` | `true` | no | | [domain\_name](#input\_domain\_name) | Domain for accessing the Weights & Biases UI. 
| `string` | n/a | yes | -| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Indicates EKS cluster version | `string` | `"1.21"` | no | -| [eks\_policy\_arns](#input\_eks\_policy\_arns) | Additional IAM policy to apply to the EKS cluster | `list(string)` | `[]` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | EKS cluster kubernetes version | `string` | n/a | yes | | [elasticache\_node\_type](#input\_elasticache\_node\_type) | The type of the redis cache node to deploy | `string` | `"cache.t2.medium"` | no | | [external\_dns](#input\_external\_dns) | Using external DNS. A `subdomain` must also be specified if this value is true. | `bool` | `false` | no | | [extra\_fqdn](#input\_extra\_fqdn) | n/a | `list(string)` | `[]` | no | | [kms\_key\_alias](#input\_kms\_key\_alias) | KMS key alias for AWS KMS Customer managed key. | `string` | `null` | no | | [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Duration in days to destroy the key after it is deleted. Must be between 7 and 30 days. | `number` | `7` | no | | [kms\_key\_policy](#input\_kms\_key\_policy) | The policy that will define the permissions for the kms key. | `string` | `""` | no | -| [kubernetes\_instance\_types](#input\_kubernetes\_instance\_types) | EC2 Instance type for primary node group. | `list(string)` |
[| no | +| [kubernetes\_instance\_types](#input\_kubernetes\_instance\_types) | EC2 Instance type for primary node group. | `list(string)` |
"m4.large"
]
[| no | | [kubernetes\_map\_accounts](#input\_kubernetes\_map\_accounts) | Additional AWS account numbers to add to the aws-auth configmap. | `list(string)` | `[]` | no | | [kubernetes\_map\_roles](#input\_kubernetes\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
"m5.large"
]
list(object({| `[]` | no | | [kubernetes\_map\_users](#input\_kubernetes\_map\_users) | Additional IAM users to add to the aws-auth configmap. |
rolearn = string
username = string
groups = list(string)
}))
list(object({| `[]` | no | diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 505f299b..9ec87657 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf @@ -26,7 +26,7 @@ module "wandb_infra" { database_sort_buffer_size = var.database_sort_buffer_size allowed_inbound_cidr = var.allowed_inbound_cidr - allowed_inbound_ipv6_cidr = ["::/0"] + allowed_inbound_ipv6_cidr = var.allowed_inbound_ipv6_cidr eks_cluster_version = "1.25" kubernetes_public_access = true diff --git a/main.tf b/main.tf index 5f76257d..21b1a568 100644 --- a/main.tf +++ b/main.tf @@ -27,8 +27,8 @@ module "file_storage" { } locals { - bucket_name = local.use_external_bucket ? var.bucket_name : module.file_storage.0.bucket_name - bucket_queue_name = local.use_internal_queue ? null : module.file_storage.0.bucket_queue_name + bucket_name = local.use_external_bucket ? var.bucket_name : module.file_storage[0].bucket_name + bucket_queue_name = local.use_internal_queue ? null : module.file_storage[0].bucket_queue_name } module "networking" { @@ -39,7 +39,7 @@ module "networking" { cidr = var.network_cidr private_subnet_cidrs = var.network_private_subnet_cidrs public_subnet_cidrs = var.network_public_subnet_cidrs - database_subnet_cidrs = var.network_database_subnet_cidrs + database_subnet_cidrs = local.network_database_subnet_cidrs create_elasticache_subnet = var.create_elasticache elasticache_subnet_cidrs = var.network_elasticache_subnet_cidrs } @@ -125,7 +125,7 @@ module "app_eks" { bucket_kms_key_arn = local.use_external_bucket ? var.bucket_kms_key_arn : local.kms_key_arn bucket_arn = data.aws_s3_bucket.file_storage.arn - bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn + bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage[0].arn network_id = local.network_id network_private_subnets = local.network_private_subnets 
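Review bot: `allowed_inbound_ipv6_cidr = var.allowed_inbound_ipv6_cidr` in examples/public-dns-external/main.tf needs a matching variable in the example, and no hunk for that example's variables.tf appears in this diff. If the variable is not already declared the example fails validation; if it is, its default decides whether dropping the hard-coded `["::/0"]` actually narrows IPv6 ingress, so the default is worth checking. A description on that variable such as `description = "IPv6 CIDR blocks allowed inbound; avoid ::/0 outside of demos"` would record the intent. The same hunk keeps `kubernetes_public_access = true`, and the CIDR list that bounds it is outside the visible lines.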
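Review bot: `database_subnet_cidrs = local.network_database_subnet_cidrs` in main.tf refers to a local that is not defined anywhere in this diff; the `locals` block touched just above sets only `bucket_name` and `bucket_queue_name`. The same question applies to `var.ssl_policy` in the `app_lb` hunk of this file and to `var.amazon_side_asn` in modules/networking/main.tf, because no variables.tf hunk shown here adds either name. If they are declared in files the commit did not touch this is fine, otherwise `terraform validate` will fail. A `validate` target next to `lint` in the new Makefile would catch this class of error before review. `module "networking"` begins and ends outside the hunk.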
@@ -134,13 +134,11 @@ module "app_eks" {
 database_security_group_id = module.database.security_group_id
 create_elasticache_security_group = var.create_elasticache
- elasticache_security_group_id = var.create_elasticache ? module.redis.0.security_group_id : null
+ elasticache_security_group_id = var.create_elasticache ? module.redis[0].security_group_id : null
 cluster_version = var.eks_cluster_version
 cluster_endpoint_public_access = var.kubernetes_public_access
 cluster_endpoint_public_access_cidrs = var.kubernetes_public_access_cidrs
-
- eks_policy_arns = var.eks_policy_arns
 }
 module "app_lb" {
@@ -160,6 +158,7 @@ module "app_lb" {
 network_id = local.network_id
 network_private_subnets = local.network_private_subnets
 network_public_subnets = local.network_public_subnets
+ ssl_policy = var.ssl_policy
 }
 resource "aws_autoscaling_attachment" "autoscaling_attachment" {
diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
index 67865f95..1b8b7a97 100644
--- a/modules/app_eks/iam-policy-docs.tf
+++ b/modules/app_eks/iam-policy-docs.tf
@@ -52,7 +52,7 @@ data "aws_iam_policy_document" "node_s3" {
 actions = ["s3:*"]
 effect = "Allow"
 resources = [
- "${var.bucket_arn}",
+ var.bucket_arn,
 "${var.bucket_arn}/*"
 ]
 }
diff --git a/modules/app_eks/main.tf b/modules/app_eks/main.tf
index deb760fb..47a67ad8 100644
--- a/modules/app_eks/main.tf
+++ b/modules/app_eks/main.tf
@@ -15,14 +15,6 @@ resource "aws_eks_addon" "eks" {
 ]
 }
-locals {
- managed_policy_arns = concat([
- "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
- "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
- "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
- ], var.eks_policy_arns)
-}
-
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "~> 17.23"
diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf
index e80238e2..e0edf260 100644
--- a/modules/app_eks/variables.tf
+++ b/modules/app_eks/variables.tf
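Review bot: `ssl_policy = var.ssl_policy` in the `app_lb` hunk of main.tf makes the load balancer's TLS policy caller-controlled, but nothing visible constrains the value or states its default. The variable's declaration is outside this diff, so confirm that the default is a TLS 1.2-or-newer policy rather than the legacy `ELBSecurityPolicy-2016-08`, which still permits TLS 1.0. I would add a `validation` block on the root variable that rejects policies allowing TLS 1.0/1.1 and a description that names the default, so a typo or an old value fails at plan time instead of weakening the listener. `module "app_lb"` begins outside the hunk.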
@@ -40,12 +40,6 @@ variable "database_security_group_id" {
 type = string
 }
-variable "eks_policy_arns" {
- description = "Additional IAM policy to apply to the EKS cluster"
- type = list(string)
- default = []
-}
-
 variable "elasticache_security_group_id" {
 type = string
 default = null
@@ -111,4 +105,3 @@ variable "service_port" {
 type = number
 default = 32543
 }
-
diff --git a/modules/database/main.tf b/modules/database/main.tf
index 789318ec..77497563 100644
--- a/modules/database/main.tf
+++ b/modules/database/main.tf
@@ -114,7 +114,7 @@ module "aurora" {
 enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
 engine = "aurora-mysql"
 engine_version = var.engine_version
- iam_database_authentication_enabled = false
+ iam_database_authentication_enabled = var.iam_database_authentication_enabled
 iam_role_force_detach_policies = true
 iam_role_name = "${var.namespace}-aurora-monitoring"
 instance_class = var.instance_class
@@ -134,7 +134,7 @@ module "aurora" {
 performance_insights_retention_period = 7
 preferred_backup_window = var.preferred_backup_window
 preferred_maintenance_window = var.preferred_maintenance_window
- security_group_tags = { "Namespace" : "${var.namespace}" }
+ security_group_tags = { "Namespace" : var.namespace }
 skip_final_snapshot = true
 snapshot_identifier = var.snapshot_identifier
 storage_encrypted = true
diff --git a/modules/database/variables.tf b/modules/database/variables.tf
index d6b74261..c5c13225 100644
--- a/modules/database/variables.tf
+++ b/modules/database/variables.tf
@@ -74,7 +74,7 @@ variable "preferred_maintenance_window" {
 variable "iam_database_authentication_enabled" {
 description = "Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled"
 type = bool
- default = true
+ default = false
 }
 variable "allowed_cidr_blocks" {
diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf
index 39ced492..e9806ed5 100644
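Review bot: IAM database authentication becomes configurable in the first modules/database/main.tf hunk, but the variable's description is garbled and nothing records why its default moves from `true` to `false` in modules/database/variables.tf. The flip keeps deployed behaviour, since the argument was hard-coded `false`, which also means password authentication remains the only mode unless a caller opts in. The root module's call to this module is not in the diff, so it is unclear whether callers can opt in at all. I would reword the description to `description = "Whether IAM database authentication (mapping IAM principals to database accounts) is enabled. Defaults to false to preserve existing behaviour."`. `module "aurora"` begins and ends outside the hunk.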
--- a/modules/file_storage/main.tf
+++ b/modules/file_storage/main.tf
@@ -75,7 +75,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "file_storage" {
 resource "aws_sqs_queue_policy" "file_storage" {
 count = var.create_queue && var.create_queue_policy ? 1 : 0
- queue_url = aws_sqs_queue.file_storage.0.id
+ queue_url = aws_sqs_queue.file_storage[0].id
 policy = jsonencode({
 "Version" : "2012-10-17",
@@ -84,9 +84,9 @@ resource "aws_sqs_queue_policy" "file_storage" {
 "Effect" : "Allow",
 "Principal" : "*",
 "Action" : ["sqs:SendMessage"],
- "Resource" : "arn:aws:sqs:*:*:${aws_sqs_queue.file_storage.0.name}",
+ "Resource" : "arn:aws:sqs:*:*:${aws_sqs_queue.file_storage[0].name}",
 "Condition" : {
- "ArnEquals" : { "aws:SourceArn" : "${aws_s3_bucket.file_storage.arn}" }
+ "ArnEquals" : { "aws:SourceArn" : aws_s3_bucket.file_storage.arn }
 }
 }
 ]
@@ -101,7 +101,7 @@ resource "aws_s3_bucket_notification" "file_storage" {
 bucket = aws_s3_bucket.file_storage.id
 queue {
- queue_arn = aws_sqs_queue.file_storage.0.arn
+ queue_arn = aws_sqs_queue.file_storage[0].arn
 events = ["s3:ObjectCreated:*"]
 }
 }
diff --git a/modules/file_storage/outputs.tf b/modules/file_storage/outputs.tf
index 3e6815e5..8ddd322d 100644
--- a/modules/file_storage/outputs.tf
+++ b/modules/file_storage/outputs.tf
@@ -15,9 +15,9 @@ output "bucket_region" {
 }
 output "bucket_queue_name" {
- value = var.create_queue ? aws_sqs_queue.file_storage.0.name : null
+ value = var.create_queue ? aws_sqs_queue.file_storage[0].name : null
 }
 output "bucket_queue_arn" {
- value = var.create_queue ? aws_sqs_queue.file_storage.0.arn : null
-}
\ No newline at end of file
+ value = var.create_queue ? aws_sqs_queue.file_storage[0].arn : null
+}
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
index 75739974..f6a384ef 100644
--- a/modules/kms/main.tf
+++ b/modules/kms/main.tf
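Review bot: The queue policy statement in the second hunk of modules/file_storage/main.tf still grants `sqs:SendMessage` to `"Principal" : "*"` on the wildcard ARN `arn:aws:sqs:*:*:` plus the queue name, with the `aws:SourceArn` condition as the only restriction. Since the `Resource` line is being rewritten anyway, scope it to the queue itself with `"Resource" : aws_sqs_queue.file_storage[0].arn,` and name the sender with `"Principal" : { "Service" : "s3.amazonaws.com" },`. A `StringEquals` on `aws:SourceAccount` beside `ArnEquals` is the usual extra guard, because bucket ARNs carry no account id; where the owning account id would come from is not visible in these hunks. The statement's opening lines are outside the hunk.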
@@ -4,6 +4,7 @@ resource "aws_kms_key" "key" {
 deletion_window_in_days = var.key_deletion_window
 description = "AWS KMS Customer-managed key to encrypt Weights & Biases resources"
 key_usage = "ENCRYPT_DECRYPT"
+ enable_key_rotation = var.enable_key_rotation
 policy = var.key_policy != "" ? var.key_policy : jsonencode({
 "Version" : "2012-10-17",
@@ -11,7 +12,7 @@ resource "aws_kms_key" "key" {
 {
 "Sid" : "Allow administration of the key",
 "Effect" : "Allow",
- "Principal" : { "AWS" : "${data.aws_caller_identity.current.arn}" },
+ "Principal" : { "AWS" : data.aws_caller_identity.current.arn },
 "Action" : "kms:*",
 "Resource" : "*"
 },
@@ -52,7 +53,7 @@ resource "aws_kms_key" "key" {
 "Resource" : "*",
 "Condition" : {
 "StringEquals" : {
- "kms:CallerAccount" : "${data.aws_caller_identity.current.account_id}",
+ "kms:CallerAccount" : data.aws_caller_identity.current.account_id,
 },
 "StringLike" : {
 "kms:ViaService" : "ec2.*.amazonaws.com",
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
index c3dce5b6..404b1db7 100644
--- a/modules/kms/variables.tf
+++ b/modules/kms/variables.tf
@@ -8,6 +8,12 @@ variable "key_deletion_window" {
 type = number
 }
+variable "enable_key_rotation" {
+ description = "Specifies whether key rotation is enabled. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html"
+ type = bool
+ default = true
+}
+
 variable "iam_principal_arn" {
 description = "The IAM principal (role or user) ARN that will be authorized to use the key."
 type = string
@@ -18,4 +24,4 @@ variable "key_policy" {
 description = "The policy that will define the permissions for the kms key."
 type = string
 default = ""
-}
\ No newline at end of file
+}
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 94645d09..b0eeb442 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
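Review bot: The "Allow administration of the key" statement in the second hunk of modules/kms/main.tf grants `kms:*` to `data.aws_caller_identity.current.arn`, which is whichever identity ran the apply. If Terraform runs under an assumed role that value is a session ARN, which may stop matching once the session ends and would leave the key without a working administrator unless a statement outside the hunk covers the account. It also rewrites the policy whenever a different identity applies. Consider a stable principal such as `"Principal" : { "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" },` or a dedicated admin-role variable. The description of `key_policy` should also state that a custom policy replaces this statement entirely.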
@@ -8,6 +8,7 @@ module "vpc" { create_vpc = var.create_vpc + amazon_side_asn = var.amazon_side_asn azs = data.aws_availability_zones.available.names cidr = var.cidr create_igw = true diff --git a/modules/secure_storage_connector/README.md b/modules/secure_storage_connector/README.md index b2bdee00..c652dfbf 100644 --- a/modules/secure_storage_connector/README.md +++ b/modules/secure_storage_connector/README.md 
@@ -37,33 +37,46 @@ module "secure_storage_connector" { ## Requirements -| Name | Version | -| --------------------------------------------------------------------------- | ------- | -| [terraform](#requirement_terraform) | ~> 1.0 | -| [aws](#requirement_aws) | ~> 3.60 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 4.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | 3.61.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [file\_storage](#module\_file\_storage) | ../../modules/file_storage | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_s3_bucket.file_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------|:--------:| -| [namespace](#input_namespace) | Prefix to use when creating resources. | `string` | `null` | yes | -| [create_kms_key](#input_create_kms_key) | If a KMS key should be created to encrypt S3 storage bucket objects. This can only be used when you set the value of sse_algorithm as aws:kms. | `bool` | `true` | no | -| [deletion_protection](#input_deletion_protection) | If the bucket should have deletion protection enabled. | `bool` | `false` | no | -| [sse_algorithm](#input_sse_algorithm) | The server-side encryption algorithm to use. 
Valid values are `AES256` and `aws:kms` | `string` | `aws:kms` | no | -| [aws_principal_arn](#input_aws_principal_arn) | AWS principal that can access the bucket | `string` | `null` | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_principal\_arn](#input\_aws\_principal\_arn) | AWS principal that can access the bucket | `string` | n/a | yes | +| [create\_kms\_key](#input\_create\_kms\_key) | If a KMS key should be created to encrypt S3 storage bucket objects. This can only be used when you set the value of sse\_algorithm as aws:kms. | `bool` | `true` | no | +| [deletion\_protection](#input\_deletion\_protection) | If the bucket should have deletion protection enabled. | `bool` | `false` | no | +| [namespace](#input\_namespace) | Prefix to use when creating resources | `string` | n/a | yes | +| [sse\_algorithm](#input\_sse\_algorithm) | The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` | `string` | `"aws:kms"` | no | ## Outputs -| Name | Description | -|-----------------------------------------------------------------------------|-------------------------------------------------------------------------| -| [bucket_name](#bucket_name) | The name of the bucket created | -| [bucket_arn](#output_bucket_arn) | The arn of the bucket created | -| [bucket_kms_key_arn](#bucket_kms_key_arn) | The arn of the kms key created | +| Name | Description | +|------|-------------| +| [bucket](#output\_bucket) | n/a | +| [bucket\_id](#output\_bucket\_id) | n/a | +| [bucket\_kms\_key](#output\_bucket\_kms\_key) | n/a | \ No newline at end of file diff --git a/modules/secure_storage_connector/main.tf b/modules/secure_storage_connector/main.tf index 11a4da93..09cad799 100644 --- a/modules/secure_storage_connector/main.tf +++ b/modules/secure_storage_connector/main.tf 
@@ -1,9 +1,10 @@
 data "aws_caller_identity" "current" {}
 resource "aws_kms_key" "key" {
- count = var.create_kms_key ? 1 : 0
- key_usage = "ENCRYPT_DECRYPT"
- description = "Wandb managed key to encrypt and decrypt file storage"
+ count = var.create_kms_key ? 1 : 0
+ key_usage = "ENCRYPT_DECRYPT"
+ description = "Wandb managed key to encrypt and decrypt file storage"
+ enable_key_rotation = var.enable_key_rotation
 policy = jsonencode({
 "Version" : "2012-10-17",
@@ -70,7 +71,7 @@ resource "aws_s3_bucket_policy" "s3_policy" {
 "s3:GetBucketVersioning"
 ],
 "Resource" : [
- "${module.file_storage.bucket_arn}",
+ module.file_storage.bucket_arn,
 "${module.file_storage.bucket_arn}/*",
 ]
 }
diff --git a/modules/secure_storage_connector/outputs.tf b/modules/secure_storage_connector/outputs.tf
index 86a9e1c0..7e84da0e 100644
--- a/modules/secure_storage_connector/outputs.tf
+++ b/modules/secure_storage_connector/outputs.tf
@@ -1,12 +1,14 @@
 output "bucket" {
+ description = "WandB S3 Bucketname"
 value = data.aws_s3_bucket.file_storage
 }
 output "bucket_id" {
+ description = "WandB S3 bucket id"
 value = data.aws_s3_bucket.file_storage.id
 }
 output "bucket_kms_key" {
+ description = "WandB S3 bucket kms key"
 value = var.create_kms_key ? aws_kms_key.key[0] : null
 }
-
diff --git a/modules/secure_storage_connector/variables.tf b/modules/secure_storage_connector/variables.tf
index e933888a..951c3766 100644
--- a/modules/secure_storage_connector/variables.tf
+++ b/modules/secure_storage_connector/variables.tf
@@ -9,6 +9,12 @@ variable "create_kms_key" {
 default = true
 }
+variable "enable_key_rotation" {
+ description = "Specifies whether key rotation is enabled. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html"
+ type = bool
+ default = true
+}
+
 variable "sse_algorithm" {
 description = "The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms`"
 type = string
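Review bot: The descriptions added in modules/secure_storage_connector/outputs.tf do not match what is exported: `bucket` returns the whole `data.aws_s3_bucket.file_storage` object rather than a name, and `bucket_kms_key` returns the full `aws_kms_key.key[0]` resource or `null`. I would write `description = "S3 bucket data source object for the W&B file storage bucket"` and `description = "KMS key resource used for bucket encryption, or null when create_kms_key is false"`. Consumers deciding what to pass on or log should know they receive every attribute of the key and the bucket. The module README regenerated in this same commit still lists these outputs as `n/a` and omits the new `enable_key_rotation` input, so `make docs` should be re-run once the descriptions are final.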
diff --git a/modules/secure_storage_connector/versions.tf b/modules/secure_storage_connector/versions.tf
new file mode 100644
index 00000000..3695bc4a
--- /dev/null
+++ b/modules/secure_storage_connector/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = "~> 1.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
index 293ef8a4..5207de5b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -54,5 +54,5 @@ output "internal_app_port" {
 }
 output "elasticache_connection_string" {
- value = var.create_elasticache ? module.redis.0.connection_string : null
-}
\ No newline at end of file
+ value = var.create_elasticache ? module.redis[0].connection_string : null
+}
diff --git a/variables.tf b/variables.tf
index 84f85f75..9de80d03 100644
--- a/variables.tf
+++ b/variables.tf
@@ -56,18 +56,6 @@ variable "database_master_username" {
 default = "wandb"
 }
-variable "database_binlog_format" {
- description = "Specifies the binlog_format value to set for the database"
- type = string
- default = "ROW"
-}
-
-variable "database_innodb_lru_scan_depth" {
- description = "Specifies the innodb_lru_scan_depth value to set for the database"
- type = number
- default = 128
-}
-
 variable "database_performance_insights_kms_key_arn" {
 default = null
 description = "Specifies an existing KMS key ARN to encrypt the performance insights data if performance_insights_enabled is was enabled out of band"
@@ -282,12 +270,6 @@ variable "kubernetes_instance_types" {
 default = ["m5.large"]
 }
-variable "eks_policy_arns" {
- type = list(string)
- description = "Additional IAM policy to apply to the EKS cluster"
- default = []
-}
-
 ##########################################
 # External Bucket #
 ##########################################
userarn = string
username = string
groups = list(string)
}))