From acd5babe2942caa0d23d85ff441c9ff76704d97f Mon Sep 17 00:00:00 2001
From: Loren Yu
Date: Thu, 16 Jan 2025 15:15:55 -0800
Subject: [PATCH] Organize service root module main.tf into separate files (#837)
- Move incident management resources into monitoring.tf
- Move database related resources into database.tf
- Move VPC related resources into network.tf
- Move custom domain related resources into domain.tf
- Move identity_provider_config variable to identity_provider.tf
- Move notifications_config variable to notifications.tf
## Context
The main.tf file for the service layer root module (/infra/{{app_name}}/service) was getting unwieldy, making it hard to read, hard to find specific resources, and also increases the chance of conflicts for projects that need to add customizations to the service layer. This change splits main.tf into separate files based on logical groupings.
---
 infra/{{app_name}}/service/database.tf | 19 ++++
 infra/{{app_name}}/service/domain.tf | 14 +++
 .../{{app_name}}/service/identity_provider.tf | 2 +
 infra/{{app_name}}/service/main.tf | 94 +------------------
 infra/{{app_name}}/service/monitoring.tf | 21 +++++
 infra/{{app_name}}/service/network.tf | 38 ++++++++
 infra/{{app_name}}/service/notifications.tf | 2 +
 7 files changed, 100 insertions(+), 90 deletions(-)
 create mode 100644 infra/{{app_name}}/service/database.tf
 create mode 100644 infra/{{app_name}}/service/domain.tf
 create mode 100644 infra/{{app_name}}/service/monitoring.tf
 create mode 100644 infra/{{app_name}}/service/network.tf
diff --git a/infra/{{app_name}}/service/database.tf b/infra/{{app_name}}/service/database.tf
new file mode 100644
index 000000000..571bcef88
--- /dev/null
+++ b/infra/{{app_name}}/service/database.tf
@@ -0,0 +1,19 @@
+locals {
+ database_config = local.environment_config.database_config
+}
+
+data "aws_rds_cluster" "db_cluster" {
+ count = module.app_config.has_database ? 1 : 0
+ cluster_identifier = local.database_config.cluster_name
+}
+
+data "aws_iam_policy" "app_db_access_policy" {
+ count = module.app_config.has_database ? 1 : 0
+ name = local.database_config.app_access_policy_name
+}
+
+data "aws_iam_policy" "migrator_db_access_policy" {
+ count = module.app_config.has_database ? 1 : 0
+ name = local.database_config.migrator_access_policy_name
+}
+
diff --git a/infra/{{app_name}}/service/domain.tf b/infra/{{app_name}}/service/domain.tf
new file mode 100644
index 000000000..9dba9f91d
--- /dev/null
+++ b/infra/{{app_name}}/service/domain.tf
@@ -0,0 +1,14 @@
+locals {
+ domain_name = local.service_config.domain_name
+ hosted_zone_id = local.domain_name != null ? data.aws_route53_zone.zone[0].zone_id : null
+}
+
+data "aws_acm_certificate" "certificate" {
+ count = local.service_config.enable_https ? 1 : 0
+ domain = local.domain_name
+}
+
+data "aws_route53_zone" "zone" {
+ count = local.domain_name != null ? 1 : 0
+ name = local.network_config.domain_config.hosted_zone
+}
diff --git a/infra/{{app_name}}/service/identity_provider.tf b/infra/{{app_name}}/service/identity_provider.tf
index 84871292c..4398167ce 100644
--- a/infra/{{app_name}}/service/identity_provider.tf
+++ b/infra/{{app_name}}/service/identity_provider.tf
@@ -1,4 +1,6 @@
 locals {
+ identity_provider_config = local.environment_config.identity_provider_config
+ + # If this is a temporary environment, re-use an existing Cognito user pool. Otherwise, create a new one.
 identity_provider_user_pool_id = module.app_config.enable_identity_provider ? (
 local.is_temporary ? module.existing_identity_provider[0].user_pool_id : module.identity_provider[0].user_pool_id
diff --git a/infra/{{app_name}}/service/main.tf b/infra/{{app_name}}/service/main.tf
index 71ee152ea..c5ca883ab 100644
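Review bot: database.tf does not say where `local.environment_config` and `module.app_config` come from; after this split a reader opening the file cold has to search main.tf for them, and the lookup only works because Terraform merges every .tf file in the directory into one module. The same gap exists in the other new files: domain.tf additionally reads `local.service_config` (main.tf) and `local.network_config` (now network.tf), monitoring.tf reads `local.service_name`, `local.is_temporary` and `module.service`, and network.tf reads `module.project_config`. Since the stated goal is making resources easy to find, a one-line header per file would help, e.g. `# Inputs from main.tf: local.environment_config, module.app_config` at the top of database.tf, with the equivalent line in each sibling file.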
--- a/infra/{{app_name}}/service/main.tf
+++ b/infra/{{app_name}}/service/main.tf
@@ -1,26 +1,3 @@
-data "aws_vpc" "network" {
- tags = {
- project = module.project_config.project_name
- network_name = local.environment_config.network_name
- }
-}
-
-data "aws_subnets" "public" {
- tags = {
- project = module.project_config.project_name
- network_name = local.environment_config.network_name
- subnet_type = "public"
- }
-}
-
-data "aws_subnets" "private" {
- tags = {
- project = module.project_config.project_name
- network_name = local.environment_config.network_name
- subnet_type = "private"
- }
-}
-
 locals {
 # The prefix is used to create uniquely named resources per terraform workspace, which
 # are needed in CI/CD for preview environments and tests.
@@ -40,19 +17,11 @@ locals {
 # Examples: pull request preview environments are temporary.
 is_temporary = terraform.workspace != "default"
- build_repository_config = module.app_config.build_repository_config
- environment_config = module.app_config.environment_configs[var.environment_name]
- service_config = local.environment_config.service_config
- database_config = local.environment_config.database_config
- incident_management_service_integration_config = local.environment_config.incident_management_service_integration
- identity_provider_config = local.environment_config.identity_provider_config
- notifications_config = local.environment_config.notifications_config
-
- network_config = module.project_config.network_configs[local.environment_config.network_name]
+ build_repository_config = module.app_config.build_repository_config
+ environment_config = module.app_config.environment_configs[var.environment_name]
+ service_config = local.environment_config.service_config
- service_name = "${local.prefix}${local.service_config.service_name}"
- domain_name = local.service_config.domain_name
- hosted_zone_id = local.domain_name != null ? data.aws_route53_zone.zone[0].zone_id : null
+ service_name = "${local.prefix}${local.service_config.service_name}"
 }
 terraform {
@@ -85,50 +54,6 @@ module "app_config" {
 source = "../app-config"
 }
-data "aws_rds_cluster" "db_cluster" {
- count = module.app_config.has_database ? 1 : 0
- cluster_identifier = local.database_config.cluster_name
-}
-
-data "aws_iam_policy" "app_db_access_policy" {
- count = module.app_config.has_database ? 1 : 0
- name = local.database_config.app_access_policy_name
-}
-
-data "aws_iam_policy" "migrator_db_access_policy" {
- count = module.app_config.has_database ? 1 : 0
- name = local.database_config.migrator_access_policy_name
-}
-
-# Retrieve url for external incident management tool (e.g. Pagerduty, Splunk-On-Call)
-
-data "aws_ssm_parameter" "incident_management_service_integration_url" {
- count = module.app_config.has_incident_management_service ? 1 : 0
- name = local.incident_management_service_integration_config.integration_url_param_name
-}
-
-data "aws_security_groups" "aws_services" {
- filter {
- name = "group-name"
- values = ["${module.project_config.aws_services_security_group_name_prefix}*"]
- }
-
- filter {
- name = "vpc-id"
- values = [data.aws_vpc.network.id]
- }
-}
-
-data "aws_acm_certificate" "certificate" {
- count = local.service_config.enable_https ? 1 : 0
- domain = local.domain_name
-}
-
-data "aws_route53_zone" "zone" {
- count = local.domain_name != null ? 1 : 0
- name = local.network_config.domain_config.hosted_zone
-}
-
 module "service" {
 source = "../../modules/service"
 service_name = local.service_name
@@ -203,14 +128,3 @@ module "service" {
 is_temporary = local.is_temporary
 }
-
-module "monitoring" {
- source = "../../modules/monitoring"
- #Email subscription list:
- #email_alerts_subscription_list = ["email1@email.com", "email2@email.com"]
-
- # Module takes service and ALB names to link all alerts with corresponding targets
- service_name = local.service_name
- load_balancer_arn_suffix = module.service.load_balancer_arn_suffix
- incident_management_service_integration_url = module.app_config.has_incident_management_service && !local.is_temporary ? data.aws_ssm_parameter.incident_management_service_integration_url[0].value : null
-}
diff --git a/infra/{{app_name}}/service/monitoring.tf b/infra/{{app_name}}/service/monitoring.tf
new file mode 100644
index 000000000..61dc8bd2c
--- /dev/null
+++ b/infra/{{app_name}}/service/monitoring.tf
@@ -0,0 +1,21 @@
+locals {
+ incident_management_service_integration_config = local.environment_config.incident_management_service_integration
+}
+
+# Retrieve url for external incident management tool (e.g. Pagerduty, Splunk-On-Call)
+
+data "aws_ssm_parameter" "incident_management_service_integration_url" {
+ count = module.app_config.has_incident_management_service ? 1 : 0
+ name = local.incident_management_service_integration_config.integration_url_param_name
+}
+
+module "monitoring" {
+ source = "../../modules/monitoring"
+ #Email subscription list:
+ #email_alerts_subscription_list = ["email1@email.com", "email2@email.com"]
+
+ # Module takes service and ALB names to link all alerts with corresponding targets
+ service_name = local.service_name
+ load_balancer_arn_suffix = module.service.load_balancer_arn_suffix
+ incident_management_service_integration_url = module.app_config.has_incident_management_service && !local.is_temporary ? data.aws_ssm_parameter.incident_management_service_integration_url[0].value : null
+}
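Review bot: The `# Retrieve url for external incident management tool` comment in monitoring.tf is separated by a blank line from the `data "aws_ssm_parameter"` block it describes, and it is the only place the integration URL is documented, even though the data source copies the parameter's `value` into Terraform state in plaintext (data source results are persisted in state regardless of whether the parameter is a SecureString). The comment is worth attaching directly to the block and extending, e.g. `# Retrieve url for external incident management tool (e.g. Pagerduty, Splunk-On-Call).` followed by `# The value is read into Terraform state, so the state backend must stay encrypted and access-restricted.` The `#Email subscription list:` lines carried over from main.tf are commented-out example configuration rather than documentation; if the module does expose `email_alerts_subscription_list`, one sentence saying it is optional and where to set it reads better than dead code.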
diff --git a/infra/{{app_name}}/service/network.tf b/infra/{{app_name}}/service/network.tf
new file mode 100644
index 000000000..8ea58e337
--- /dev/null
+++ b/infra/{{app_name}}/service/network.tf
@@ -0,0 +1,38 @@
+locals {
+ network_config = module.project_config.network_configs[local.environment_config.network_name]
+}
+
+data "aws_vpc" "network" {
+ tags = {
+ project = module.project_config.project_name
+ network_name = local.environment_config.network_name
+ }
+}
+
+data "aws_subnets" "public" {
+ tags = {
+ project = module.project_config.project_name
+ network_name = local.environment_config.network_name
+ subnet_type = "public"
+ }
+}
+
+data "aws_subnets" "private" {
+ tags = {
+ project = module.project_config.project_name
+ network_name = local.environment_config.network_name
+ subnet_type = "private"
+ }
+}
+
+data "aws_security_groups" "aws_services" {
+ filter {
+ name = "group-name"
+ values = ["${module.project_config.aws_services_security_group_name_prefix}*"]
+ }
+
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.network.id]
+ }
+}
diff --git a/infra/{{app_name}}/service/notifications.tf b/infra/{{app_name}}/service/notifications.tf
index 8d3aad2c1..7a9e1e957 100644
--- a/infra/{{app_name}}/service/notifications.tf
+++ b/infra/{{app_name}}/service/notifications.tf
@@ -1,4 +1,6 @@
 locals {
+ notifications_config = local.environment_config.notifications_config
+ + # If this is a temporary environment, re-use an existing email identity. Otherwise, create a new one.
 domain_identity_arn = local.notifications_config != null ? (
 !local.is_temporary ?
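Review bot: The `group-name` filter in `data "aws_security_groups" "aws_services"` is a glob (`${...prefix}*`), so every security group in the VPC whose name starts with the prefix is returned, not only the ones this environment owns; which resources those group ids are attached to is not visible in this hunk, but if they end up on the service's network interfaces, an unrelated group that happens to share the prefix would widen the service's reachable set silently. The `aws_vpc` and `aws_subnets` lookups in the same file pin their results with the `project` and `network_name` tags; if the security groups carry the same tags, the same constraint can be added here, e.g. `filter { name = "tag:project" values = [module.project_config.project_name] }`, together with a comment on the block noting that the name glob alone is a prefix match rather than an exact one. This is inherited from main.tf, not introduced by the move, so it can be a follow-up.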