No longer use terraform to manage the state of the cloudHSMs.

Due to: hashicorp/terraform-provider-aws#8648 and the inability to scale an HSM cluster out from terraform it makes sense to not manage the cloudHSMs from terraform.
alphagov · Jul 2, 2019 · f10952d · f10952d
1 parent a71a918
commit f10952d
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 23 deletions.
diff --git a/charts/gsp-cluster/values.yaml b/charts/gsp-cluster/values.yaml
@@ -15,6 +15,9 @@ global:
   ci:
     privateKey: ""
     publicKey: ""
+  cloudHsm:
+    enabled: false
+    ipAddress: 127.0.0.1
 
 adminRoleARNs: []
 adminUserARNs: []

diff --git a/modules/gsp-cluster/data/values.yaml b/modules/gsp-cluster/data/values.yaml
@@ -12,7 +12,9 @@ global:
   # move these to gsp-namespace terraform output
   canary:
     verificationKeys: []
-
+  cloudHsm:
+    enabled: false
+
 adminRoleARNs: ${admin_role_arns}
 adminUserARNs: ${admin_user_arns}
 sreRoleARNs: ${sre_role_arns}

diff --git a/modules/hsm/main.tf b/modules/hsm/main.tf
@@ -47,16 +47,6 @@ resource "aws_security_group_rule" "hsm-worker-ingress" {
   source_security_group_id = "${var.source_security_group_id}"
 }
 
-# We can only create one HSM in Terraform rather than the multiple we require for high availability as you must create
-# a single HSM, initialise and activate it (which is done manually) before you can create more as they are clones of the
-# first HSM. The other HSMs will need to be created after the Terraform apply
-# Manual steps to initalise and activate the HSM can be followed from
-# https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html onwards
-resource "aws_cloudhsm_v2_hsm" "cloudhsm_v2_hsm" {
-  subnet_id  = "${aws_cloudhsm_v2_cluster.cluster.subnet_ids[0]}"
-  cluster_id = "${aws_cloudhsm_v2_cluster.cluster.cluster_id}"
-}
-
 module "lambda_splunk_forwarder" {
   source = "../lambda_splunk_forwarder"
 
@@ -69,11 +59,3 @@ module "lambda_splunk_forwarder" {
   splunk_hec_url            = "${var.splunk_hec_url}"
   splunk_index              = "${var.splunk_index}"
 }
-
-data "aws_network_interface" "hsm" {
-  id = "${aws_cloudhsm_v2_hsm.cloudhsm_v2_hsm.hsm_eni_id}"
-}
-
-output "hsm_ips" {
-  value = ["${data.aws_network_interface.hsm.private_ips}"]
-}
diff --git a/pipelines/deployer/deployer.tf b/pipelines/deployer/deployer.tf
@@ -163,7 +163,3 @@ output "values" {
   sensitive = true
   value     = "${module.gsp-cluster.values}"
 }
-
-output "hsm_ips" {
-  value = "${module.hsm.hsm_ips}"
-}