Merge branch 'main' into chore/ARC-890-toggle-features

Author: tsaucier-sf

.github/workflows/snyk.yaml

@@ -12,9 +12,7 @@ on:                # yamllint disable-line rule:truthy
 
 jobs:
   security:
-    runs-on:
-      - self-hosted
-      - refarch
+    runs-on: ubuntu-latest
     name: snyk
     steps:
       - name: checkout

.github/workflows/tag.yml

@@ -9,9 +9,7 @@ on:              # yamllint disable-line rule:truthy
 jobs:
   ## tag
   tag:
-    runs-on:
-      - self-hosted
-      - refarch
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
 

.github/workflows/test.yml

@@ -12,9 +12,7 @@ on:                 # yamllint disable-line rule:truthy
 
 jobs:
   tflint:
-    runs-on:
-      - self-hosted
-      - refarch
+    runs-on: ubuntu-latest
     name: tflint
     steps:
       - uses: actions/checkout@master
@@ -32,24 +30,3 @@ jobs:
       - name: Run tflint
         run: tflint -f compact
 
-  checkov:
-    runs-on: self-hosted
-    name: checkov
-    steps:
-      - uses: actions/checkout@master
-
-      - name: Run Checkov action
-        id: checkov
-        uses: bridgecrewio/checkov-action@master
-        with:
-          directory: .
-          quiet: true           # optional: display only failed checks
-          soft_fail: false      # optional: do not return an error code if there are failed checks.
-          framework: terraform
-          # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
-          output_format: github_failed_only
-          # optional: the output format, one of: cli, json, junitxml, github_failed_only
-          download_external_modules: false
-          log_level: WARNING
-          container_user: 1000
-          # optional: Define what UID and / or what GID to run the container under to prevent permission issues

.version

@@ -1 +1 @@
-1.2.4
+1.2.6

README.md

@@ -1,5 +1,6 @@
-# terraform-aws-ref-arch-ecs
+# [terraform-aws-ref-arch-ecs](https://github.com/sourcefuse/terraform-aws-ref-arch-ecs)
 
+[![Known Vulnerabilities](https://github.com/sourcefuse/terraform-aws-ref-arch-ecs/actions/workflows/snyk.yaml/badge.svg)](https://github.com/sourcefuse/terraform-aws-ref-arch-ecs/actions/workflows/snyk.yaml)
 ## Overview
 
 Terraform Module for AWS ECS by the SourceFuse ARC team.
@@ -86,9 +87,7 @@ module "ecs" {
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_iam_policy.secrets_manager_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_attachment.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
-| [aws_iam_policy_attachment.secrets_manager_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
 | [aws_iam_role.execution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
 | [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

checkov-problem-matcher-softfail.json

@@ -28,33 +28,3 @@ resource "aws_iam_policy_attachment" "execution" {
   policy_arn = each.value
   roles      = [aws_iam_role.execution.name]
 }
-
-################################################################################
-## secrets manager
-################################################################################
-resource "aws_iam_policy" "secrets_manager_read_policy" {
-  name_prefix = "${local.cluster_name}-secrets-manager-ro-"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect   = "Allow",
-        Resource = "*"
-        Action = [
-          "secretsmanager:GetSecretValue"
-        ],
-      }
-    ]
-  })
-
-  tags = merge(var.tags, tomap({
-    NamePrefix = "${local.cluster_name}-secrets-manager-ro-"
-  }))
-}
-
-resource "aws_iam_policy_attachment" "secrets_manager_read" {
-  name       = "${local.cluster_name}-secrets-manager-ro"
-  roles      = [aws_iam_role.execution.name]
-  policy_arn = aws_iam_policy.secrets_manager_read_policy.arn
-}

iam.tf

@@ -17,8 +17,34 @@ locals {
       description = "ALB ARN"
       type        = "String"
     },
+    {
+      name        = "/${var.namespace}/${var.environment}/alb/${module.alb.alb_name}/dns_zone_id"
+      value       = module.alb.alb_zone_id
+      description = "ALB Zone ID"
+      type        = "String"
+    },
+    {
+      name        = "/${var.namespace}/${var.environment}/alb/${module.alb.alb_name}/health_check_fqdn"
+      value       = module.health_check.route_53_fqdn
+      description = "ALB Health Check FQDN."
+      type        = "String"
+    },
+
+    ## acm
+    {
+      name        = "/${var.namespace}/${var.environment}/alb/${module.alb.alb_name}/certificate_arn"
+      value       = try(module.acm.arn, "Not Assigned")
+      description = "ACM Certificate ARN."
+      type        = "String"
+    },
 
     ## ecs
+    {
+      name        = "/${var.namespace}/${var.environment}/ecs/${module.ecs.cluster_name}/cluster_name"
+      value       = module.ecs.cluster_name
+      description = "ECS Cluster Name"
+      type        = "String"
+    },
     {
       name        = "/${var.namespace}/${var.environment}/ecs/${module.ecs.cluster_name}/id"
       value       = module.ecs.cluster_id