refactor: extract all hard coded stuff and calculated stuff in locals

Rahul-4480 · Rahul-4480 · commit a673f82fdc3f · 2024-08-04T22:52:26.000+05:30
diff --git a/locals.tf b/locals.tf
@@ -1,21 +1,44 @@
 locals {
-  google_oidc_endpoint                     = "https://accounts.google.com"
-  container_port                           = 4141
-  alb_ip_target_type                       = "ip"
-  ecs_container_definations_name           = "atlantis"
-  alb_system_name                          = "atlantis"
-  domain_parts                             = split(".", var.atlantis_url)
-  base_domain                              = join(".", slice(local.domain_parts, length(local.domain_parts) - 2, length(local.domain_parts)))
-  sub_domain                               = join(".", slice(local.domain_parts, 0, length(local.domain_parts) - 2))
-  ecs_task_definition_family               = "atlantis"
-  task_definition_network_mode             = "awsvpc"
-  load_balancer_internal                   = "false"
-  ecs_service_name                         = "atlantis"
-  container_memory_reservation             = 10
-  authenticate_oidc_issuer                 = "https://accounts.google.com"
-  authenticate_oidc_user_info_endpoint     = "https://openidconnect.googleapis.com/v1/userinfo"
-  authenticate_oidc_token_endpoint         = "https://oauth2.googleapis.com/token"
-  authenticate_oidc_authorization_endpoint = "https://accounts.google.com/o/oauth2/v2/auth"
+  google_oidc_endpoint                         = "https://accounts.google.com"
+  container_port                               = 4141
+  alb_ip_target_type                           = "ip"
+  ecs_container_definations_name               = "atlantis"
+  alb_system_name                              = "atlantis"
+  domain_parts                                 = split(".", var.atlantis_url)
+  base_domain                                  = join(".", slice(local.domain_parts, length(local.domain_parts) - 2, length(local.domain_parts)))
+  sub_domain                                   = join(".", slice(local.domain_parts, 0, length(local.domain_parts) - 2))
+  ecs_task_definition_family                   = "atlantis"
+  task_definition_network_mode                 = "awsvpc"
+  load_balancer_internal                       = "false"
+  ecs_service_name                             = "atlantis"
+  container_memory_reservation                 = 10
+  authenticate_oidc_issuer                     = "https://accounts.google.com"
+  authenticate_oidc_user_info_endpoint         = "https://openidconnect.googleapis.com/v1/userinfo"
+  authenticate_oidc_token_endpoint             = "https://oauth2.googleapis.com/token"
+  authenticate_oidc_authorization_endpoint     = "https://accounts.google.com/o/oauth2/v2/auth"
+  ecs_task_assume_policy_actions               = ["sts:AssumeRole"]
+  ecs_task_assume_policy_principal_type        = "Service"
+  ecs_task_assume_policy_principal_identifiers = ["ecs-tasks.amazonaws.com"]
+  acm_certificate_statuses                     = ["ISSUED"]
+  default_desired_count                        = 1
+  target_group_name                            = "atlantis-target-group"
+  target_group_protocol                        = "HTTP"
+  listener_protocol                            = "HTTPS"
+  listener_port                                = 443
+  default_action_type                          = "fixed-response"
+  fixed_response_content_type                  = "application/json"
+  fixed_response_message_body                  = "Unauthorised"
+  fixed_response_status_code                   = 404
+  listener_name                                = "https-listener"
+  listener_priority                            = 10
+  authenticate_oidc_type                       = "authenticate-oidc"
+  authenticate_oidc_scope                      = "openid email"
+  authenticate_oidc_on_unauthenticated_request = "authenticate"
+  forward_action_type                          = "forward"
+  http_listener_priority                       = 1
+  path_pattern_values                          = ["/events"]
+  http_request_method_values                   = ["POST"]
+  create_capacity_provider                     = false
 
   env_variables = [
     {
diff --git a/main.tf b/main.tf
@@ -8,29 +8,28 @@ data "aws_vpc" "selected" {
 }
 
 data "aws_ecs_cluster" "default" {
-  cluster_name = "default"
+  cluster_name = var.ecs_cluster_name
 }
 
 data "aws_iam_policy_document" "ecs_task_assume_policy" {
   statement {
-    actions = ["sts:AssumeRole"]
+    actions = local.ecs_task_assume_policy_actions
     principals {
-      type        = "Service"
-      identifiers = ["ecs-tasks.amazonaws.com"]
+      type        = local.ecs_task_assume_policy_principal_type
+      identifiers = local.ecs_task_assume_policy_principal_identifiers
     }
   }
 }
 
 data "aws_acm_certificate" "base_domain_certificate" {
   domain   = local.base_domain
-  statuses = ["ISSUED"]
+  statuses = local.acm_certificate_statuses
 }
 
 data "aws_route53_zone" "zone" {
   name = local.base_domain
 }
 
-
 module "ecs_deployment" {
   source  = "infraspecdev/ecs-deployment/aws"
   version = "3.0.1"
@@ -63,11 +62,11 @@ module "ecs_deployment" {
   }
   service = {
     name          = local.ecs_service_name
-    desired_count = var.ecs_service_desired_count != null ? var.ecs_service_desired_count : 1
+    desired_count = var.ecs_service_desired_count != null ? var.ecs_service_desired_count : local.default_desired_count
     load_balancer = [{
       container_name = local.ecs_container_definations_name
       container_port = local.container_port
-      target_group   = "atlantis-target-group"
+      target_group   = local.target_group_name
     }]
 
     network_configuration = {
@@ -86,25 +85,25 @@ module "ecs_deployment" {
       atlantis-target-group = {
         name        = format("%s-%s-ip", local.alb_system_name, terraform.workspace)
         port        = local.container_port
-        protocol    = "HTTP"
+        protocol    = local.target_group_protocol
         target_type = local.alb_ip_target_type
       }
     }
 
     listeners = {
       https-listener = {
-        protocol        = "HTTPS"
-        port            = 443
+        protocol        = local.listener_protocol
+        port            = local.listener_port
         certificate_arn = data.aws_acm_certificate.base_domain_certificate.arn
 
         default_action = [
           {
-            type         = "fixed-response"
-            target_group = "atlantis-target-group"
+            type         = local.default_action_type
+            target_group = local.target_group_name
             fixed_response = {
-              content_type = "application/json"
-              message_body = "Unauthorised"
-              status_code  = 404
+              content_type = local.fixed_response_content_type
+              message_body = local.fixed_response_message_body
+              status_code  = local.fixed_response_status_code
             }
           }
         ]
@@ -113,8 +112,8 @@ module "ecs_deployment" {
 
     listener_rules = {
       https-listener-rules = {
-        listener = "https-listener"
-        priority = 10
+        listener = local.listener_name
+        priority = local.listener_priority
 
         condition = [
           {
@@ -126,39 +125,39 @@ module "ecs_deployment" {
 
         action = [
           {
-            type = "authenticate-oidc"
+            type = local.authenticate_oidc_type
 
             authenticate_oidc = {
               authorization_endpoint     = local.authenticate_oidc_authorization_endpoint
               token_endpoint             = local.authenticate_oidc_token_endpoint
               user_info_endpoint         = local.authenticate_oidc_user_info_endpoint
               issuer                     = local.authenticate_oidc_issuer
               session_cookie_name        = format("TOKEN-OIDC-%s", data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value)
-              scope                      = "openid email"
-              on_unauthenticated_request = "authenticate"
+              scope                      = local.authenticate_oidc_scope
+              on_unauthenticated_request = local.authenticate_oidc_on_unauthenticated_request
               client_id                  = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value
               client_secret              = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_SECRET"].value
             }
           },
           {
-            target_group = "atlantis-target-group"
-            type         = "forward"
+            target_group = local.target_group_name
+            type         = local.forward_action_type
           }
         ]
       },
       http-listener-rules = {
-        listener = "https-listener"
-        priority = 1
+        listener = local.listener_name
+        priority = local.http_listener_priority
 
         condition = [
           {
             path_pattern = {
-              values = ["/events"]
+              values = local.path_pattern_values
             }
           },
           {
             http_request_method = {
-              values = ["POST"]
+              values = local.http_request_method_values
             }
           },
           {
@@ -170,13 +169,13 @@ module "ecs_deployment" {
 
         action = [
           {
-            target_group = "atlantis-target-group"
-            type         = "forward"
+            target_group = local.target_group_name
+            type         = local.forward_action_type
           }
         ]
       }
     }
   }
 
-  create_capacity_provider = false
+  create_capacity_provider = local.create_capacity_provider
 }
diff --git a/variables.tf b/variables.tf
@@ -49,9 +49,17 @@ variable "atlantis_gh_user" {
 variable "thumbprint_list" {
   description = "The thumbprint of the OIDC provider"
   type        = list(string)
+  default     = ["e252aa6e92432f32cbc1b182056627c239652678"]
 }
 
 variable "atlantis_docker_image" {
   description = "The Docker image to use for the Atlantis server"
   type        = string
+  default     = "ghcr.io/runatlantis/atlantis:v0.23.1"
+}
+
+variable "ecs_cluster_name" {
+  description = "The name of the ECS cluster"
+  type        = string
+  default     = "default"
 }

Original file line number	Diff line number	Diff line change
`@@ -8,29 +8,28 @@ data "aws_vpc" "selected" {`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`data "aws_ecs_cluster" "default" {`
`11`		`- cluster_name = "default"`
	`11`	`+ cluster_name = var.ecs_cluster_name`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`data "aws_iam_policy_document" "ecs_task_assume_policy" {`
`15`	`15`	`statement {`
`16`		`- actions = ["sts:AssumeRole"]`
	`16`	`+ actions = local.ecs_task_assume_policy_actions`
`17`	`17`	`principals {`
`18`		`- type = "Service"`
`19`		`- identifiers = ["ecs-tasks.amazonaws.com"]`
	`18`	`+ type = local.ecs_task_assume_policy_principal_type`
	`19`	`+ identifiers = local.ecs_task_assume_policy_principal_identifiers`
`20`	`20`	`}`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`data "aws_acm_certificate" "base_domain_certificate" {`
`25`	`25`	`domain = local.base_domain`
`26`		`- statuses = ["ISSUED"]`
	`26`	`+ statuses = local.acm_certificate_statuses`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`data "aws_route53_zone" "zone" {`
`30`	`30`	`name = local.base_domain`
`31`	`31`	`}`
`32`	`32`
`33`		`-`
`34`	`33`	`module "ecs_deployment" {`
`35`	`34`	`source = "infraspecdev/ecs-deployment/aws"`
`36`	`35`	`version = "3.0.1"`
`@@ -63,11 +62,11 @@ module "ecs_deployment" {`
`63`	`62`	`}`
`64`	`63`	`service = {`
`65`	`64`	`name = local.ecs_service_name`
`66`		`- desired_count = var.ecs_service_desired_count != null ? var.ecs_service_desired_count : 1`
	`65`	`+ desired_count = var.ecs_service_desired_count != null ? var.ecs_service_desired_count : local.default_desired_count`
`67`	`66`	`load_balancer = [{`
`68`	`67`	`container_name = local.ecs_container_definations_name`
`69`	`68`	`container_port = local.container_port`
`70`		`- target_group = "atlantis-target-group"`
	`69`	`+ target_group = local.target_group_name`
`71`	`70`	`}]`
`72`	`71`
`73`	`72`	`network_configuration = {`
`@@ -86,25 +85,25 @@ module "ecs_deployment" {`
`86`	`85`	`atlantis-target-group = {`
`87`	`86`	`name = format("%s-%s-ip", local.alb_system_name, terraform.workspace)`
`88`	`87`	`port = local.container_port`
`89`		`- protocol = "HTTP"`
	`88`	`+ protocol = local.target_group_protocol`
`90`	`89`	`target_type = local.alb_ip_target_type`
`91`	`90`	`}`
`92`	`91`	`}`
`93`	`92`
`94`	`93`	`listeners = {`
`95`	`94`	`https-listener = {`
`96`		`- protocol = "HTTPS"`
`97`		`- port = 443`
	`95`	`+ protocol = local.listener_protocol`
	`96`	`+ port = local.listener_port`
`98`	`97`	`certificate_arn = data.aws_acm_certificate.base_domain_certificate.arn`
`99`	`98`
`100`	`99`	`default_action = [`
`101`	`100`	`{`
`102`		`- type = "fixed-response"`
`103`		`- target_group = "atlantis-target-group"`
	`101`	`+ type = local.default_action_type`
	`102`	`+ target_group = local.target_group_name`
`104`	`103`	`fixed_response = {`
`105`		`- content_type = "application/json"`
`106`		`- message_body = "Unauthorised"`
`107`		`- status_code = 404`
	`104`	`+ content_type = local.fixed_response_content_type`
	`105`	`+ message_body = local.fixed_response_message_body`
	`106`	`+ status_code = local.fixed_response_status_code`
`108`	`107`	`}`
`109`	`108`	`}`
`110`	`109`	`]`
`@@ -113,8 +112,8 @@ module "ecs_deployment" {`
`113`	`112`
`114`	`113`	`listener_rules = {`
`115`	`114`	`https-listener-rules = {`
`116`		`- listener = "https-listener"`
`117`		`- priority = 10`
	`115`	`+ listener = local.listener_name`
	`116`	`+ priority = local.listener_priority`
`118`	`117`
`119`	`118`	`condition = [`
`120`	`119`	`{`
`@@ -126,39 +125,39 @@ module "ecs_deployment" {`
`126`	`125`
`127`	`126`	`action = [`
`128`	`127`	`{`
`129`		`- type = "authenticate-oidc"`
	`128`	`+ type = local.authenticate_oidc_type`
`130`	`129`
`131`	`130`	`authenticate_oidc = {`
`132`	`131`	`authorization_endpoint = local.authenticate_oidc_authorization_endpoint`
`133`	`132`	`token_endpoint = local.authenticate_oidc_token_endpoint`
`134`	`133`	`user_info_endpoint = local.authenticate_oidc_user_info_endpoint`
`135`	`134`	`issuer = local.authenticate_oidc_issuer`
`136`	`135`	`session_cookie_name = format("TOKEN-OIDC-%s", data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value)`
`137`		`- scope = "openid email"`
`138`		`- on_unauthenticated_request = "authenticate"`
	`136`	`+ scope = local.authenticate_oidc_scope`
	`137`	`+ on_unauthenticated_request = local.authenticate_oidc_on_unauthenticated_request`
`139`	`138`	`client_id = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_ID"].value`
`140`	`139`	`client_secret = data.aws_ssm_parameter.environment["ATLANTIS_GOOGLE_CLIENT_SECRET"].value`
`141`	`140`	`}`
`142`	`141`	`},`
`143`	`142`	`{`
`144`		`- target_group = "atlantis-target-group"`
`145`		`- type = "forward"`
	`143`	`+ target_group = local.target_group_name`
	`144`	`+ type = local.forward_action_type`
`146`	`145`	`}`
`147`	`146`	`]`
`148`	`147`	`},`
`149`	`148`	`http-listener-rules = {`
`150`		`- listener = "https-listener"`
`151`		`- priority = 1`
	`149`	`+ listener = local.listener_name`
	`150`	`+ priority = local.http_listener_priority`
`152`	`151`
`153`	`152`	`condition = [`
`154`	`153`	`{`
`155`	`154`	`path_pattern = {`
`156`		`- values = ["/events"]`
	`155`	`+ values = local.path_pattern_values`
`157`	`156`	`}`
`158`	`157`	`},`
`159`	`158`	`{`
`160`	`159`	`http_request_method = {`
`161`		`- values = ["POST"]`
	`160`	`+ values = local.http_request_method_values`
`162`	`161`	`}`
`163`	`162`	`},`
`164`	`163`	`{`
`@@ -170,13 +169,13 @@ module "ecs_deployment" {`
`170`	`169`
`171`	`170`	`action = [`
`172`	`171`	`{`
`173`		`- target_group = "atlantis-target-group"`
`174`		`- type = "forward"`
	`172`	`+ target_group = local.target_group_name`
	`173`	`+ type = local.forward_action_type`
`175`	`174`	`}`
`176`	`175`	`]`
`177`	`176`	`}`
`178`	`177`	`}`
`179`	`178`	`}`
`180`	`179`
`181`		`- create_capacity_provider = false`
	`180`	`+ create_capacity_provider = local.create_capacity_provider`
`182`	`181`	`}`