chore: remove IdP and API feature flags (#841)

Remove the feature flags from the code as both services have now been deployed to Production.

The `moved.tf` files can be removed once this has been released to Prod.

.github/workflows/terragrunt-apply-production.yml

@@ -22,7 +22,6 @@ env:
   TERRAGRUNT_VERSION: 0.63.2
   TF_INPUT: false
   # API
-  FF_API: true
   TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }}
@@ -42,7 +41,6 @@ env:
   TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }}
   TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }}
   # IdP
-  FF_IDP: true
   TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
   TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
   TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }}

.github/workflows/terragrunt-apply-staging.yml

@@ -27,7 +27,6 @@ env:
   TERRAGRUNT_VERSION: 0.63.2
   TF_INPUT: false
   # API
-  FF_API: true
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -49,7 +48,6 @@ env:
   TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
   TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
   # IdP
-  FF_IDP: true
   TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
   TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
   TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}

.github/workflows/terragrunt-plan-all-staging.yml

@@ -19,7 +19,6 @@ env:
   TERRAGRUNT_VERSION: 0.63.2
   TF_INPUT: false
   # API
-  FF_API: true
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -41,7 +40,6 @@ env:
   TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
   TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
   # IdP
-  FF_IDP: true
   TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
   TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
   TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}

.github/workflows/terragrunt-plan-production.yml

@@ -24,7 +24,6 @@ env:
   TERRAGRUNT_VERSION: 0.63.2
   TF_INPUT: false
   # API
-  FF_API: true
   TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }}
@@ -44,7 +43,6 @@ env:
   TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }}
   TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }}
   # IdP
-  FF_IDP: true
   TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
   TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
   TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }}

.github/workflows/terragrunt-plan-staging.yml

@@ -29,7 +29,6 @@ env:
   TERRAGRUNT_VERSION: 0.63.2
   TF_INPUT: false
   # API
-  FF_API: true
   TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
   # App
   TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
@@ -51,7 +50,6 @@ env:
   TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
   TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
   # IdP
-  FF_IDP: true
   TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
   TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
   TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}

aws/alarms/cloudwatch_api.tf

@@ -2,8 +2,6 @@
 # ECS resource usage alarms
 #
 resource "aws_cloudwatch_metric_alarm" "api_cpu_utilization_high_warn" {
-  count = var.feature_flag_api ? 1 : 0
-
   alarm_name          = "API-CpuUtilizationWarn"
   alarm_description   = "API ECS Warning - High CPU usage has been detected."
   comparison_operator = "GreaterThanThreshold"
@@ -25,8 +23,6 @@ resource "aws_cloudwatch_metric_alarm" "api_cpu_utilization_high_warn" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "api_memory_utilization_high_warn" {
-  count = var.feature_flag_api ? 1 : 0
-
   alarm_name          = "API-MemoryUtilizationWarn"
   alarm_description   = "API ECS Warning - High memory usage has been detected."
   comparison_operator = "GreaterThanThreshold"
@@ -48,8 +44,6 @@ resource "aws_cloudwatch_metric_alarm" "api_memory_utilization_high_warn" {
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "api_error_detection" {
-  count = var.feature_flag_api ? 1 : 0
-
   name            = "error_detection_in_api_logs"
   log_group_name  = var.ecs_api_cloudwatch_log_group_name
   filter_pattern  = "level=error"
@@ -60,8 +54,6 @@ resource "aws_cloudwatch_log_subscription_filter" "api_error_detection" {
 # Load balancer
 #
 resource "aws_cloudwatch_metric_alarm" "api_lb_unhealthy_host_count" {
-  count = var.feature_flag_api ? 1 : 0
-
   alarm_name          = "API-UnhealthyHostCount"
   alarm_description   = "API LB Warning - unhealthy host count >= 1 in a 1 minute period"
   comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -83,8 +75,6 @@ resource "aws_cloudwatch_metric_alarm" "api_lb_unhealthy_host_count" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "api_lb_healthy_host_count" {
-  count = var.feature_flag_api ? 1 : 0
-
   alarm_name          = "API-HealthyHostCount" # TODO: bump to SEV1 once this is in production
   alarm_description   = "API LB Critical - no healthy hosts in a 1 minute period"
   comparison_operator = "LessThanThreshold"
@@ -104,8 +94,6 @@ resource "aws_cloudwatch_metric_alarm" "api_lb_healthy_host_count" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "api_response_time_warn" {
-  count = var.feature_flag_api ? 1 : 0
-
   alarm_name          = "API-ResponseTimeWarn"
   alarm_description   = "API LB Warning - The latency of response times from the API are abnormally high."
   comparison_operator = "GreaterThanThreshold"

aws/alarms/cloudwatch_idp.tf

@@ -2,8 +2,6 @@
 # ECS resource usage alarms
 #
 resource "aws_cloudwatch_metric_alarm" "idp_cpu_utilization_high_warn" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-CpuUtilizationWarn"
   alarm_description   = "IdP ECS Warning - High CPU usage has been detected."
   comparison_operator = "GreaterThanThreshold"
@@ -25,8 +23,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_cpu_utilization_high_warn" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "idp_memory_utilization_high_warn" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-MemoryUtilizationWarn"
   alarm_description   = "IdP ECS Warning - High memory usage has been detected."
   comparison_operator = "GreaterThanThreshold"
@@ -48,8 +44,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_memory_utilization_high_warn" {
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "idp_error_detection" {
-  count = var.feature_flag_idp ? 1 : 0
-
   name            = "error_detection_in_idp_logs"
   log_group_name  = var.ecs_idp_cloudwatch_log_group_name
   filter_pattern  = local.idp_error_pattern
@@ -60,7 +54,7 @@ resource "aws_cloudwatch_log_subscription_filter" "idp_error_detection" {
 # Load balancer
 #
 resource "aws_cloudwatch_metric_alarm" "idb_lb_unhealthy_host_count" {
-  for_each = var.feature_flag_idp ? var.lb_idp_target_groups_arn_suffix : {}
+  for_each = var.lb_idp_target_groups_arn_suffix
 
   alarm_name          = "IdP-UnhealthyHostCount-${each.key}"
   alarm_description   = "IdP LB Warning - unhealthy ${each.key} host count >= 1 in a 1 minute period"
@@ -83,7 +77,7 @@ resource "aws_cloudwatch_metric_alarm" "idb_lb_unhealthy_host_count" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "idb_lb_healthy_host_count" {
-  for_each = var.feature_flag_idp ? var.lb_idp_target_groups_arn_suffix : {}
+  for_each = var.lb_idp_target_groups_arn_suffix
 
   alarm_name          = "IdP-HealthyHostCount-${each.key}" # TODO: bump to SEV1 once in production
   alarm_description   = "IdP LB Critical - no healthy ${each.key} hosts in a 1 minute period"
@@ -104,8 +98,6 @@ resource "aws_cloudwatch_metric_alarm" "idb_lb_healthy_host_count" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "idp_response_time_warn" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-ResponseTimeWarn"
   alarm_description   = "IdP LB Warning - The latency of response times from the IdP are abnormally high."
   comparison_operator = "GreaterThanThreshold"
@@ -135,8 +127,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_response_time_warn" {
 # RDS
 #
 resource "aws_cloudwatch_metric_alarm" "idp_rds_cpu_utilization" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-RDSCpuUtilization"
   alarm_description   = "IdP RDS Warning - high CPU use for RDS cluster in a 5 minute period"
   comparison_operator = "GreaterThanThreshold"
@@ -160,8 +150,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_rds_cpu_utilization" {
 # SES bounces and complaints
 #
 resource "aws_cloudwatch_metric_alarm" "idp_bounce_rate_high" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-SESBounceRate"
   alarm_description   = "IdP SES Warning - bounce rate >=7% over the last 12 hours"
   comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -178,8 +166,6 @@ resource "aws_cloudwatch_metric_alarm" "idp_bounce_rate_high" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "idp_complaint_rate_high" {
-  count = var.feature_flag_idp ? 1 : 0
-
   alarm_name          = "IdP-SESComplaintRate"
   alarm_description   = "IdP SES Warning - complaint rate >=0.4% over the last 12 hours"
   comparison_operator = "GreaterThanOrEqualToThreshold"

aws/alarms/moved.tf

@@ -0,0 +1,64 @@
+moved {
+  from = aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn[0]
+  to   = aws_cloudwatch_metric_alarm.api_cpu_utilization_high_warn
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn[0]
+  to   = aws_cloudwatch_metric_alarm.api_memory_utilization_high_warn
+}
+
+moved {
+  from = aws_cloudwatch_log_subscription_filter.api_error_detection[0]
+  to   = aws_cloudwatch_log_subscription_filter.api_error_detection
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count[0]
+  to   = aws_cloudwatch_metric_alarm.api_lb_unhealthy_host_count
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.api_lb_healthy_host_count[0]
+  to   = aws_cloudwatch_metric_alarm.api_lb_healthy_host_count
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.api_response_time_warn[0]
+  to   = aws_cloudwatch_metric_alarm.api_response_time_warn
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_cpu_utilization_high_warn[0]
+  to   = aws_cloudwatch_metric_alarm.idp_cpu_utilization_high_warn
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_memory_utilization_high_warn[0]
+  to   = aws_cloudwatch_metric_alarm.idp_memory_utilization_high_warn
+}
+
+moved {
+  from = aws_cloudwatch_log_subscription_filter.idp_error_detection[0]
+  to   = aws_cloudwatch_log_subscription_filter.idp_error_detection
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_response_time_warn[0]
+  to   = aws_cloudwatch_metric_alarm.idp_response_time_warn
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_rds_cpu_utilization[0]
+  to   = aws_cloudwatch_metric_alarm.idp_rds_cpu_utilization
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_bounce_rate_high[0]
+  to   = aws_cloudwatch_metric_alarm.idp_bounce_rate_high
+}
+
+moved {
+  from = aws_cloudwatch_metric_alarm.idp_complaint_rate_high[0]
+  to   = aws_cloudwatch_metric_alarm.idp_complaint_rate_high
+}

aws/ecr/ecr.tf

@@ -71,8 +71,6 @@ resource "aws_ecr_lifecycle_policy" "lambda" {
 }
 
 resource "aws_ecr_repository" "idp" {
-  count = var.feature_flag_idp ? 1 : 0
-
   name                 = "idp/zitadel"
   image_tag_mutability = "MUTABLE"
 
@@ -82,15 +80,11 @@ resource "aws_ecr_repository" "idp" {
 }
 
 resource "aws_ecr_lifecycle_policy" "idp" {
-  count = var.feature_flag_idp ? 1 : 0
-
-  repository = aws_ecr_repository.idp[0].name
+  repository = aws_ecr_repository.idp.name
   policy     = file("${path.module}/policy/lifecycle.json")
 }
 
 resource "aws_ecr_repository" "api" {
-  count = var.feature_flag_api ? 1 : 0
-
   name                 = "forms/api"
   image_tag_mutability = "MUTABLE"
 
@@ -100,8 +94,6 @@ resource "aws_ecr_repository" "api" {
 }
 
 resource "aws_ecr_lifecycle_policy" "api" {
-  count = var.feature_flag_api ? 1 : 0
-
-  repository = aws_ecr_repository.api[0].name
+  repository = aws_ecr_repository.api.name
   policy     = file("${path.module}/policy/lifecycle.json")
 }

aws/ecr/moved.tf

@@ -0,0 +1,19 @@
+moved {
+  from = aws_ecr_repository.idp[0]
+  to   = aws_ecr_repository.idp
+}
+
+moved {
+  from = aws_ecr_lifecycle_policy.idp[0]
+  to   = aws_ecr_lifecycle_policy.idp
+}
+
+moved {
+  from = aws_ecr_repository.api[0]
+  to   = aws_ecr_repository.api
+}
+
+moved {
+  from = aws_ecr_lifecycle_policy.api[0]
+  to   = aws_ecr_lifecycle_policy.api
+}

aws/ecr/outputs.tf

@@ -70,10 +70,10 @@ output "ecr_repository_url_vault_integrity_lambda" {
 
 output "ecr_repository_url_idp" {
   description = "URL of the Zitadel IdP's ECR"
-  value       = var.feature_flag_idp ? aws_ecr_repository.idp[0].repository_url : ""
+  value       = aws_ecr_repository.idp.repository_url
 }
 
 output "ecr_repository_url_api" {
   description = "URL of the Forms API's ECR"
-  value       = var.feature_flag_api ? aws_ecr_repository.api[0].repository_url : ""
+  value       = aws_ecr_repository.api.repository_url
 }

aws/load_balancer/certificates.tf

@@ -27,8 +27,6 @@ resource "aws_acm_certificate" "form_viewer_maintenance_mode" {
 }
 
 resource "aws_acm_certificate" "forms_api" {
-  count = var.feature_flag_api ? 1 : 0
-
   domain_name       = var.domain_api
   validation_method = "DNS"
 
@@ -37,11 +35,6 @@ resource "aws_acm_certificate" "forms_api" {
   }
 }
 
-moved {
-  from = aws_acm_certificate.form_api
-  to   = aws_acm_certificate.forms_api
-}
-
 resource "aws_acm_certificate_validation" "form_viewer_maintenance_mode_cloudfront_certificate" {
   certificate_arn         = aws_acm_certificate.form_viewer_maintenance_mode.arn
   validation_record_fqdns = [for record in aws_route53_record.form_viewer_maintenance_mode_certificate_validation : record.fqdn]
@@ -50,9 +43,7 @@ resource "aws_acm_certificate_validation" "form_viewer_maintenance_mode_cloudfro
 }
 
 resource "aws_acm_certificate_validation" "forms_api" {
-  count = var.feature_flag_api ? 1 : 0
-
-  certificate_arn         = aws_acm_certificate.forms_api[0].arn
+  certificate_arn         = aws_acm_certificate.forms_api.arn
   validation_record_fqdns = [for record in aws_route53_record.forms_api_certificate_validation : record.fqdn]
 }