feat: 🎸 Rework VPC/Security Group to not be SF-specific
Clete2 committed Jun 19, 2023
1 parent 4c939e5 commit 0ff5431
Showing 6 changed files with 21 additions and 68 deletions.
16 changes: 4 additions & 12 deletions README.md
Expand Up @@ -113,8 +113,8 @@ No requirements.

| Name | Version |
|------|---------|
| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
| <a name="provider_archive"></a> [archive](#provider\_archive) | 2.4.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.4.0 |

## Modules

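Review bot: the provider table now pins `archive` to 2.4.0 and `aws` to 5.4.0, yet none of the six files in this commit is a versions or `required_providers` file, so the pin must come from the lock file or an earlier commit rather than from this change; confirm that `required_providers` actually constrains the `aws` provider to the 5.x line, otherwise the generated README will drift from what `terraform init` resolves for consumers.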
Expand All @@ -130,8 +130,6 @@ No modules.
| [aws_cloudwatch_event_target.log_group_creation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.global_log_retention_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_group.log_retention_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_subscription_filter.global_log_retention_lambda_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
| [aws_cloudwatch_log_subscription_filter.log_retention_lambda_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
| [aws_cloudwatch_metric_alarm.alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
| [aws_iam_role.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_lambda_function.global_log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
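Review bot: the two `aws_cloudwatch_log_subscription_filter.*_datadog` rows disappear here, but no `.tf` file in this commit removes those resources, so either the README was stale before this change or Datadog forwarding of the Lambda logs was dropped in an earlier commit; either way the commit message only mentions the VPC and security group rework, and a consumer reading the history will not learn from it that log forwarding is gone.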
Expand All @@ -141,7 +139,6 @@ No modules.
| [aws_lambda_invocation.run_on_existing_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
| [aws_lambda_permission.global_log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_security_group.https_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_sns_topic.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
| [aws_sns_topic_policy.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
| [aws_sns_topic_subscription.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
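Review bot: with `aws_security_group.https_egress` removed from the resource table, the module no longer owns any rule restricting the Lambdas' egress to TCP 443; the Inputs text for `https_egress_security_group_id` should say plainly that the caller is now responsible for supplying a group whose only outbound rule is 443 towards CloudWatch Logs (public endpoint or interface endpoint), rather than reusing a VPC default group that permits all egress.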
Expand All @@ -153,20 +150,15 @@ No modules.
| [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
| [aws_kms_key.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
| [aws_lambda_function.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_function) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_security_groups.https_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source |
| [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_alarm_configuration"></a> [alarm\_configuration](#input\_alarm\_configuration) | Provide either `sns_topic_arn` to an existing SNS topic, or a list of email users `email_notification_list` to subscribe for notifications. Alarm creation is REQUIRED for this module. Note that retention setting is retried automatically, so an alarm may mean that it failed the first time and succeeded the second time. Investigating logs for each failure is recommended. | `any` | n/a | yes |
| <a name="input_global_log_retention_run_period"></a> [global\_log\_retention\_run\_period](#input\_global\_log\_retention\_run\_period) | Set to a number of minutes to invoke the global log retention Lambda on a schedule. Note that running it may cause perpetual diffs in other people's Terraform if they are creating a log group and not setting retention. | `number` | `360` | no |
| <a name="input_https_egress_security_group_name"></a> [https\_egress\_security\_group\_name](#input\_https\_egress\_security\_group\_name) | Pass in the name of a security group to override. Name of a security group which provides egress on port 443 to CloudWatch Logs. | `string` | `null` | no |
| <a name="input_https_egress_security_group_id"></a> [https\_egress\_security\_group\_id](#input\_https\_egress\_security\_group\_id) | If using a VPC, pass the ID of a security group which provides egress on port 443 to CloudWatch Logs. | `string` | `null` | no |
| <a name="input_iam_role_suffix"></a> [iam\_role\_suffix](#input\_iam\_role\_suffix) | Due to Terraform limitations, this module always creates an IAM role. Pass in a suffix for the IAM role name so that it does not conflict between regions. | `string` | `""` | no |
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | If using a KMS key, provide it. | `string` | `null` | no |
| <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | Set of tags to put on all log groups when retention is set. If not set, no tags will be added. If set, a `retention` tag will automatically be added to this list. | `map(string)` | `null` | no |
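Review bot: the table presents `subnet_ids` and `https_egress_security_group_id` as two independent optional inputs, but in `tf-global-retention-setter.tf` and `tf-log-retention-lambda.tf` the `vpc_config` block is emitted whenever `subnet_ids` is set and then passes `[var.https_egress_security_group_id]` unconditionally, so setting only `subnet_ids` renders `security_group_ids = [null]` and fails at apply time; both descriptions should state that the two must be set together. Also, `aws_kms_key.master` and `aws_lambda_function.datadog` leave the data-source table here without a corresponding `.tf` change in this commit, the same documentation drift as the subscription-filter rows above.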
Expand All @@ -176,8 +168,8 @@ No modules.
| <a name="input_name"></a> [name](#input\_name) | Base name for all resources. E.x. <short product name>. | `string` | n/a | yes |
| <a name="input_permissions_boundary_arn"></a> [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Provide a permissions boundary ARN if you are bound by one. | `string` | `null` | no |
| <a name="input_set_on_all_existing_groups"></a> [set\_on\_all\_existing\_groups](#input\_set\_on\_all\_existing\_groups) | Set to false to disable running a bit of code which will set retention on all existing groups. | `bool` | `true` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | If using a VPC, provide the IDs of the subnets you would like to deploy the Lambda to. | `list(string)` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Adds tags to all created resources. It is highly recommended to use the AWS Provider's default tags instead of this variable. See: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider. You can also use this input to add additional tags above and beyond the tags that are added by default\_tags. | `map(string)` | `null` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Pass in the ID of the VPC to override. Defaults to the first VPC found in the account. | `string` | `null` | no |

## Outputs

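Review bot: the new `subnet_ids` description should spell out the network requirement that the deleted tag-based lookup encoded implicitly: the module previously selected subnets tagged `network = private` and `tier = app`, which in the author's environment evidently had a route to CloudWatch Logs, whereas now any subnet ID can be passed. Say that the subnets need either a NAT route or a `com.amazonaws.<region>.logs` interface endpoint reachable through the supplied security group, otherwise the retention Lambdas time out and the alarm fires without an obvious cause.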
9 changes: 6 additions & 3 deletions tf-global-retention-setter.tf
Expand Up @@ -28,9 +28,12 @@ resource "aws_lambda_function" "global_log_retention" {
}
}

vpc_config {
subnet_ids = data.aws_subnets.subnets.ids
security_group_ids = [local.https_security_group_id]
dynamic "vpc_config" {
for_each = var.subnet_ids == null ? [] : ["make this block once"]
content {
subnet_ids = var.subnet_ids
security_group_ids = [var.https_egress_security_group_id]
}
}

tags = var.tags
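Review bot: `security_group_ids = [var.https_egress_security_group_id]` has no guard of its own, so when `subnet_ids` is non-null and the security group input is left at its `null` default the block renders as `[null]` and the error only surfaces at apply; add a plan-time guard on the resource, for example `lifecycle { precondition { condition = var.subnet_ids == null || var.https_egress_security_group_id != null } }` with an error message naming both inputs. The sentinel `["make this block once"]` works but reads as a comment smuggled into data; `[1]` or `[true]` is the conventional toggle for a dynamic block.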
10 changes: 5 additions & 5 deletions tf-inputs.tf
Expand Up @@ -3,15 +3,15 @@ variable "name" {
description = "Base name for all resources. E.x. <short product name>."
}

variable "vpc_id" {
type = string
description = "Pass in the ID of the VPC to override. Defaults to the first VPC found in the account."
variable "subnet_ids" {
type = list(string)
description = "If using a VPC, provide the IDs of the subnets you would like to deploy the Lambda to."
default = null
}

variable "https_egress_security_group_name" {
variable "https_egress_security_group_id" {
type = string
description = "Pass in the name of a security group to override. Name of a security group which provides egress on port 443 to CloudWatch Logs."
description = "If using a VPC, pass the ID of a security group which provides egress on port 443 to CloudWatch Logs."
default = null
}

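Review bot: switching from `https_egress_security_group_name` to an ID is the right call, since group names are only unique within a VPC and the old `group-name` filter could resolve to a group in a different VPC than the subnets, but both variables now default to `null` with no `validation` block. At minimum add a `validation` on `subnet_ids` rejecting an empty list (an empty `subnet_ids` is non-null, so it would still emit a `vpc_config` with no subnets), and if the module's minimum Terraform version is 1.9 or later, where `validation` conditions may reference other variables, express the "both or neither" rule there; on older versions use a `check` block or a resource precondition instead.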
9 changes: 6 additions & 3 deletions tf-log-retention-lambda.tf
Expand Up @@ -28,9 +28,12 @@ resource "aws_lambda_function" "log_retention" {
}
}

vpc_config {
subnet_ids = data.aws_subnets.subnets.ids
security_group_ids = [local.https_security_group_id]
dynamic "vpc_config" {
for_each = var.subnet_ids == null ? [] : ["make this block once"]
content {
subnet_ids = var.subnet_ids
security_group_ids = [var.https_egress_security_group_id]
}
}

tags = var.tags
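Review bot: this `dynamic "vpc_config"` block is a verbatim copy of the one added to `aws_lambda_function.global_log_retention`; hoist the toggle into a local (for example `vpc_attach = var.subnet_ids == null ? [] : [1]`) referenced from both resources, so a later change to the condition cannot land in one Lambda and not the other, which would leave one function outside the VPC and outside the egress-restricted security group while its sibling stays inside.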
27 changes: 0 additions & 27 deletions tf-lookups.tf
@@ -1,34 +1,7 @@
locals {
vpc_id = var.vpc_id != null ? var.vpc_id : tolist(data.aws_vpcs.vpcs.ids)[0]
https_security_group_id = var.https_egress_security_group_name == null ? aws_security_group.https_egress[0].id : data.aws_security_groups.https_egress[0].ids[0]
}

data "aws_vpcs" "vpcs" {}

data "aws_subnets" "subnets" {
filter {
name = "vpc-id"
values = [local.vpc_id]
}

tags = {
network = "private"
tier = "app"
}
}

data "aws_region" "current" {}
data "aws_iam_account_alias" "current" {}
data "aws_caller_identity" "current" {}

data "aws_security_groups" "https_egress" {
count = var.https_egress_security_group_name == null ? 0 : 1
filter {
name = "group-name"
values = [var.https_egress_security_group_name]
}
}

# .issuer_arn grabs the underlying ARN (removes the assumed-role portion)
data "aws_iam_session_context" "current" {
arn = data.aws_caller_identity.current.arn
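Review bot: deleting `tolist(data.aws_vpcs.vpcs.ids)[0]` and the tag-filtered `aws_subnets` lookup removes a silent failure mode: with more than one VPC in the account the old code attached the Lambdas to whichever VPC the API listed first, and the `[0]` index on `data.aws_security_groups.https_egress[0].ids` would have resolved an ambiguous name to an arbitrary group. The lookups that remain (`aws_region`, `aws_iam_account_alias`, `aws_caller_identity`, `aws_iam_session_context`) are identity and region data with no VPC dependency, which matches the README data-source table; the only follow-up is to grep for any remaining reference to `local.https_security_group_id` or `local.vpc_id` outside the two Lambda files, since both locals are gone.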
18 changes: 0 additions & 18 deletions tf-security-group.tf

This file was deleted.
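Review bot: this file held the module-managed `aws_security_group.https_egress` (18 lines deleted, no replacement shown), and two follow-ups are missing. First, on an existing VPC-attached deployment Terraform will try to destroy this group while the Lambda-managed ENIs still reference it, and Lambda releases those ENIs with a delay after a `vpc_config` change, so the destroy can stall; roll out as an update of the Lambdas to the caller-supplied group first and remove the old group afterwards, or document the expected wait. Second, the egress-443-only rule that lived here is now the caller's responsibility, so ship an example `aws_security_group` in the README or an examples directory to discourage consumers from passing the VPC default group.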
