From 0ff5431fcc7f2cb4b19adf97bfc2a6b432a15802 Mon Sep 17 00:00:00 2001
From: Clete Blackwell II
Date: Mon, 19 Jun 2023 08:29:59 -0400
Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=B8=20Rework=20VPC/Security=20?=
 =?UTF-8?q?Group=20to=20not=20be=20SF-specific?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                     | 16 ++++------------
 tf-global-retention-setter.tf |  9 ++++++---
 tf-inputs.tf                  | 10 +++++-----
 tf-log-retention-lambda.tf    |  9 ++++++---
 tf-lookups.tf                 | 27 ---------------------------
 tf-security-group.tf          | 18 ------------------
 6 files changed, 21 insertions(+), 68 deletions(-)
 delete mode 100644 tf-security-group.tf

diff --git a/README.md b/README.md
index 47fcc50..51ead50 100644
--- a/README.md
+++ b/README.md
@@ -113,8 +113,8 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| [archive](#provider\_archive) | n/a |
-| [aws](#provider\_aws) | n/a |
+| [archive](#provider\_archive) | 2.4.0 |
+| [aws](#provider\_aws) | 5.4.0 |
 
 ## Modules
 
@@ -130,8 +130,6 @@ No modules.
 | [aws_cloudwatch_event_target.log_group_creation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_group.global_log_retention_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.log_retention_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_cloudwatch_log_subscription_filter.global_log_retention_lambda_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
-| [aws_cloudwatch_log_subscription_filter.log_retention_lambda_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
 | [aws_cloudwatch_metric_alarm.alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
 | [aws_iam_role.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_lambda_function.global_log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
@@ -141,7 +139,6 @@ No modules.
 | [aws_lambda_invocation.run_on_existing_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource |
 | [aws_lambda_permission.global_log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
-| [aws_security_group.https_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_sns_topic.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource |
 | [aws_sns_topic_policy.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource |
 | [aws_sns_topic_subscription.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
@@ -153,12 +150,7 @@ No modules.
 | [aws_iam_policy_document.lambda_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.log_retention](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_session_context.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_session_context) | data source |
-| [aws_kms_key.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
-| [aws_lambda_function.datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_function) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_security_groups.https_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source |
-| [aws_subnets.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
 
 ## Inputs
 
@@ -166,7 +158,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [alarm\_configuration](#input\_alarm\_configuration) | Provide either `sns_topic_arn` to an existing SNS topic, or a list of email users `email_notification_list` to subscribe for notifications. Alarm creation is REQUIRED for this module. Note that retention setting is retried automatically, so an alarm may mean that it failed the first time and succeeded the second time. Investigating logs for each failure is recommended. | `any` | n/a | yes |
 | [global\_log\_retention\_run\_period](#input\_global\_log\_retention\_run\_period) | Set to a number of minutes to invoke the global log retention Lambda on a schedule. Note that running it may cause perpetual diffs in other people's Terraform if they are creating a log group and not setting retention. | `number` | `360` | no |
-| [https\_egress\_security\_group\_name](#input\_https\_egress\_security\_group\_name) | Pass in the name of a security group to override. Name of a security group which provides egress on port 443 to CloudWatch Logs. | `string` | `null` | no |
+| [https\_egress\_security\_group\_id](#input\_https\_egress\_security\_group\_id) | If using a VPC, pass the ID of a security group which provides egress on port 443 to CloudWatch Logs. | `string` | `null` | no |
 | [iam\_role\_suffix](#input\_iam\_role\_suffix) | Due to Terraform limitations, this module always creates an IAM role. Pass in a suffix for the IAM role name so that it does not conflict between regions. | `string` | `""` | no |
 | [kms\_key\_arn](#input\_kms\_key\_arn) | If using a KMS key, provide it. | `string` | `null` | no |
 | [log\_group\_tags](#input\_log\_group\_tags) | Set of tags to put on all log groups when retention is set. If not set, no tags will be added. If set, a `retention` tag will automatically be added to this list. | `map(string)` | `null` | no |
@@ -176,8 +168,8 @@ No modules. | [name](#input\_name) | Base name for all resources. E.x. . | `string` | n/a | yes | | [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | Provide a permissions boundary ARN if you are bound by one. | `string` | `null` | no | | [set\_on\_all\_existing\_groups](#input\_set\_on\_all\_existing\_groups) | Set to false to disable running a bit of code which will set retention on all existing groups. | `bool` | `true` | no | +| [subnet\_ids](#input\_subnet\_ids) | If using a VPC, provide the IDs of the subnets you would like to deploy the Lambda to. | `list(string)` | `null` | no | | [tags](#input\_tags) | Adds tags to all created resources. It is highly recommended to use the AWS Provider's default tags instead of this variable. See: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider. You can also use this input to add additional tags above and beyond the tags that are added by default\_tags. | `map(string)` | `null` | no | -| [vpc\_id](#input\_vpc\_id) | Pass in the ID of the VPC to override. Defaults to the first VPC found in the account. | `string` | `null` | no | ## Outputs diff --git a/tf-global-retention-setter.tf b/tf-global-retention-setter.tf index aeae2d2..f6227f7 100644 --- a/tf-global-retention-setter.tf +++ b/tf-global-retention-setter.tf @@ -28,9 +28,12 @@ resource "aws_lambda_function" "global_log_retention" { } } - vpc_config { - subnet_ids = data.aws_subnets.subnets.ids - security_group_ids = [local.https_security_group_id] + dynamic "vpc_config" { + for_each = var.subnet_ids == null ? [] : ["make this block once"] + content { + subnet_ids = var.subnet_ids + security_group_ids = [var.https_egress_security_group_id] + } } tags = var.tags diff --git a/tf-inputs.tf b/tf-inputs.tf index aed2524..9e3b45f 100644 --- a/tf-inputs.tf +++ b/tf-inputs.tf 
@@ -3,15 +3,15 @@ variable "name" {
   description = "Base name for all resources. E.x. ."
 }
 
-variable "vpc_id" {
-  type = string
-  description = "Pass in the ID of the VPC to override. Defaults to the first VPC found in the account."
+variable "subnet_ids" {
+  type = list(string)
+  description = "If using a VPC, provide the IDs of the subnets you would like to deploy the Lambda to."
   default = null
 }
 
-variable "https_egress_security_group_name" {
+variable "https_egress_security_group_id" {
   type = string
-  description = "Pass in the name of a security group to override. Name of a security group which provides egress on port 443 to CloudWatch Logs."
+  description = "If using a VPC, pass the ID of a security group which provides egress on port 443 to CloudWatch Logs."
   default = null
 }
 
diff --git a/tf-log-retention-lambda.tf b/tf-log-retention-lambda.tf
index 0f9e113..93cde3c 100644
--- a/tf-log-retention-lambda.tf
+++ b/tf-log-retention-lambda.tf
@@ -28,9 +28,12 @@ resource "aws_lambda_function" "log_retention" {
     }
   }
 
-  vpc_config {
-    subnet_ids = data.aws_subnets.subnets.ids
-    security_group_ids = [local.https_security_group_id]
+  dynamic "vpc_config" {
+    for_each = var.subnet_ids == null ? [] : ["make this block once"]
+    content {
+      subnet_ids = var.subnet_ids
+      security_group_ids = [var.https_egress_security_group_id]
+    }
   }
 
   tags = var.tags
diff --git a/tf-lookups.tf b/tf-lookups.tf
index f235647..5f0b9ec 100644
--- a/tf-lookups.tf
+++ b/tf-lookups.tf
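Review bot: The two new variable descriptions do not state the coupling the Lambda resources now rely on: `https_egress_security_group_id` is only consumed when `subnet_ids` is non-null, both default to `null`, and with the self-created security group and VPC/subnet lookups removed a caller who previously relied on the defaults now silently gets a Lambda outside any VPC. Suggest `description = "If using a VPC, provide the IDs of the subnets to deploy the Lambda to. Requires https_egress_security_group_id."` on `subnet_ids`, and on the security-group input `description = "Required when subnet_ids is set. ID of a security group that allows egress on 443/tcp to CloudWatch Logs; restrict it to that, as the security group this module previously created was."`, since the module no longer enforces the egress scope itself. A `validation` block on `subnet_ids` with `condition = var.subnet_ids == null || try(length(var.subnet_ids), 0) > 0` would reject an empty list, which the `dynamic "vpc_config"` guard in the Lambda resources otherwise turns into a vpc_config with no subnets. Both variable blocks are complete within the hunk.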
@@ -1,34 +1,7 @@
-locals {
-  vpc_id = var.vpc_id != null ? var.vpc_id : tolist(data.aws_vpcs.vpcs.ids)[0]
-  https_security_group_id = var.https_egress_security_group_name == null ? aws_security_group.https_egress[0].id : data.aws_security_groups.https_egress[0].ids[0]
-}
-
-data "aws_vpcs" "vpcs" {}
-
-data "aws_subnets" "subnets" {
-  filter {
-    name = "vpc-id"
-    values = [local.vpc_id]
-  }
-
-  tags = {
-    network = "private"
-    tier = "app"
-  }
-}
-
 data "aws_region" "current" {}
 data "aws_iam_account_alias" "current" {}
 data "aws_caller_identity" "current" {}
 
-data "aws_security_groups" "https_egress" {
-  count = var.https_egress_security_group_name == null ? 0 : 1
-  filter {
-    name = "group-name"
-    values = [var.https_egress_security_group_name]
-  }
-}
-
 # .issuer_arn grabs the underlying ARN (removes the assumed-role portion)
 data "aws_iam_session_context" "current" {
   arn = data.aws_caller_identity.current.arn
diff --git a/tf-security-group.tf b/tf-security-group.tf
deleted file mode 100644
index ede48ae..0000000
--- a/tf-security-group.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-resource "aws_security_group" "https_egress" {
-  name = "${var.name}-https-egress"
-  count = var.https_egress_security_group_name == null ? 1 : 0
-
-  description = "Allows HTTPS egress for CloudWatch Logs access."
-  vpc_id = local.vpc_id
-
-  egress {
-    from_port = 443
-    to_port = 443
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = merge({
-    Name = "${var.name}-https-egress"
-  }, var.tags)
-}