Oliver Schenk oliverschenk

## terragrunt.hcl
# bootstrap/terragrunt.hcl
remote_state {
  backend = "s3"
  config = {
    bucket         = local.terraform_state_bucket_name
    key            = local.common_vars.management_terraform_state_path
    region         = local.common_vars.terraform_state_bucket_region
    role_arn       = "arn:aws:iam::${get_env("TF_AWS_ACCT", "")}:role/OrganizationAccountAccessRole"
    encrypt        = true
    dynamodb_table = local.common_vars.terraform_state_dynamodb_table

## terragrunt.hcl
remote_state {
  backend = "s3"
  config = {
    bucket         = local.terraform_state_bucket_name
    key            = "${path_relative_to_include()}/terraform.tfstate"
    region         = local.common_vars.terraform_state_bucket_region
    role_arn       = "arn:aws:iam::${get_env("TF_AWS_ACCT", get_aws_account_id())}:role/TerraformAdministrator"
    encrypt        = true
    dynamodb_table = local.common_vars.terraform_state_dynamodb_table
    s3_bucket_tags = {

## terragrunt.hcl
locals {
  common_vars = yamldecode(file(find_in_parent_folders("common_vars.yaml")))

  region_vars  = read_terragrunt_config(find_in_parent_folders("region.hcl", "ignore"), {locals = { aws_region = local.common_vars.management_aws_region}})
  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"), {})

  account_ids = jsondecode(file("accounts.json"))

  terraform_state_bucket_name = "${local.common_vars.namespace}-${local.common_vars.name}-${local.common_vars.terraform_state_bucket_region}-deployment-${local.common_vars.terraform_state_bucket}"
}

## terragrunt.hcl
generate "provider" {
  path      = "provider.tf"
  if_exists = "overwrite"
  contents = <<EOF
provider "aws" {
  alias  = "noassume"
  region = "${local.region_vars.locals.aws_region}"
}

provider "aws" {

## main.tf
# modules/terraform-codepipeline/main.tf
resource "aws_iam_role" "start_pipeline_execution_role" {
  name = "${local.capitalised_name}StartPipelineExecutionRole"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",

## main.tf
# modules/terraform-codepipeline/main.tf
resource "aws_cloudwatch_event_target" "codepipeline_target" {
  target_id = "${module.this.id}-codepipeline-target"
  rule      = aws_cloudwatch_event_rule.codepipeline_event_rule.name
  arn       = aws_codepipeline.codepipeline.arn

  role_arn = aws_iam_role.start_pipeline_execution_role.arn
}

## main.tf
# modules/terraform-codepipeline/main.tf
resource "aws_cloudwatch_event_rule" "codepipeline_event_rule" {
  name        = "${module.this.id}-codepipeline-rule"
  description = "Trigger CodePipeline when there is a code change in ${var.branch_name}"

  event_pattern = jsonencode({
    source      = ["aws.codecommit"],
    detail-type = ["CodeCommit Repository State Change"],
    resources   = [data.aws_codecommit_repository.repository.arn],
    detail = {

## PostConfirmationConfirmForgotPassword.json
{
    "version": "1",
    "region": "us-east-1",
    "userPoolId": "us-east-1_xxxxxxx",
    "userName": "2d4eb80f-7998-xxxx-xxxx-xxxxxxxxxx",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "1e919xxxxxxxxxxxxxxx9k4krm"
    },
    "triggerSource": "PostConfirmation_ConfirmForgotPassword",

## PostConfirmationConfirmForgotPasswordHandler.cs
internal class PostConfirmationConfirmForgotPasswordHandler : CognitoTriggerHandler<PostConfirmationEvent>
{
    public const string TRIGGER_SOURCE = "PostConfirmation_ConfirmForgotPassword";

    public override string TriggerSource => TRIGGER_SOURCE;

    public PostConfirmationConfirmForgotPasswordHandler(JsonElement cognitoEvent, ILambdaLogger logger)
        : base(cognitoEvent, logger)
    {
    }

## PostConfirmationConfirmSignUpHandler.cs
internal class PostConfirmationConfirmSignUpHandler : CognitoTriggerHandler<PostConfirmationEvent>
{
    public const string TRIGGER_SOURCE = "PostConfirmation_ConfirmSignUp";

    public override string TriggerSource => TRIGGER_SOURCE;

    private static AmazonDynamoDBClient client = new AmazonDynamoDBClient();

    public PostConfirmationConfirmSignUpHandler(JsonElement cognitoEvent, ILambdaLogger logger)
        : base(cognitoEvent, logger)
	# bootstrap/terragrunt.hcl
	remote_state {
	backend = "s3"
	config = {
	bucket = local.terraform_state_bucket_name
	key = local.common_vars.management_terraform_state_path
	region = local.common_vars.terraform_state_bucket_region
	role_arn = "arn:aws:iam::${get_env("TF_AWS_ACCT", "")}:role/OrganizationAccountAccessRole"
	encrypt = true
	dynamodb_table = local.common_vars.terraform_state_dynamodb_table
	locals {
	common_vars = yamldecode(file(find_in_parent_folders("common_vars.yaml")))

	region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl", "ignore"), {locals = { aws_region = local.common_vars.management_aws_region}})
	account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"), {})

	account_ids = jsondecode(file("accounts.json"))

	terraform_state_bucket_name = "${local.common_vars.namespace}-${local.common_vars.name}-${local.common_vars.terraform_state_bucket_region}-deployment-${local.common_vars.terraform_state_bucket}"
	}
	generate "provider" {
	path = "provider.tf"
	if_exists = "overwrite"
	contents = <<EOF
	provider "aws" {
	alias = "noassume"
	region = "${local.region_vars.locals.aws_region}"
	}

	provider "aws" {
	# modules/terraform-codepipeline/main.tf
	resource "aws_iam_role" "start_pipeline_execution_role" {
	name = "${local.capitalised_name}StartPipelineExecutionRole"

	assume_role_policy = <<EOF
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	# modules/terraform-codepipeline/main.tf
	resource "aws_cloudwatch_event_target" "codepipeline_target" {
	target_id = "${module.this.id}-codepipeline-target"
	rule = aws_cloudwatch_event_rule.codepipeline_event_rule.name
	arn = aws_codepipeline.codepipeline.arn

	role_arn = aws_iam_role.start_pipeline_execution_role.arn
	}
	# modules/terraform-codepipeline/main.tf
	resource "aws_cloudwatch_event_rule" "codepipeline_event_rule" {
	name = "${module.this.id}-codepipeline-rule"
	description = "Trigger CodePipeline when there is a code change in ${var.branch_name}"

	event_pattern = jsonencode({
	source = ["aws.codecommit"],
	detail-type = ["CodeCommit Repository State Change"],
	resources = [data.aws_codecommit_repository.repository.arn],
	detail = {
	{
	"version": "1",
	"region": "us-east-1",
	"userPoolId": "us-east-1_xxxxxxx",
	"userName": "2d4eb80f-7998-xxxx-xxxx-xxxxxxxxxx",
	"callerContext": {
	"awsSdkVersion": "aws-sdk-unknown-unknown",
	"clientId": "1e919xxxxxxxxxxxxxxx9k4krm"
	},
	"triggerSource": "PostConfirmation_ConfirmForgotPassword",
	internal class PostConfirmationConfirmForgotPasswordHandler : CognitoTriggerHandler<PostConfirmationEvent>
	{
	public const string TRIGGER_SOURCE = "PostConfirmation_ConfirmForgotPassword";

	public override string TriggerSource => TRIGGER_SOURCE;

	public PostConfirmationConfirmForgotPasswordHandler(JsonElement cognitoEvent, ILambdaLogger logger)
	: base(cognitoEvent, logger)
	{
	}
	internal class PostConfirmationConfirmSignUpHandler : CognitoTriggerHandler<PostConfirmationEvent>
	{
	public const string TRIGGER_SOURCE = "PostConfirmation_ConfirmSignUp";

	public override string TriggerSource => TRIGGER_SOURCE;

	private static AmazonDynamoDBClient client = new AmazonDynamoDBClient();

	public PostConfirmationConfirmSignUpHandler(JsonElement cognitoEvent, ILambdaLogger logger)
	: base(cognitoEvent, logger)