illumio · rlenglet · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024
diff --git a/examples/aws_account/README.md b/examples/aws_account/README.md
@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.1.1 |
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.2.0 |
 
 ## Resources
 

diff --git a/examples/aws_account/main.tf b/examples/aws_account/main.tf
@@ -8,10 +8,10 @@ provider "illumio-cloudsecure" {
 }
 
 module "aws_account_dev" {
-  source        = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.1.1"
-  name          = "Test Account"
-  tags = {
-      Name  = "CloudSecure Account Policy"
-      Owner = "Engineering"
+  source = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.2.0"
+  name   = "Test Account"
+  tags   = {
+    Name  = "CloudSecure Account Policy"
+    Owner = "Engineering"
   }
 }
diff --git a/examples/aws_account/outputs.tf b/examples/aws_account/outputs.tf
diff --git a/examples/aws_account/variables.tf b/examples/aws_account/variables.tf
@@ -2,7 +2,7 @@ variable "illumio_cloudsecure_client_id" {
   type        = string
   description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
   validation {
-    condition     = length(var.name) > 1
+    condition     = length(var.illumio_cloudsecure_client_id) > 0
     error_message = "The illumio_cloudsecure_client_id value must not be empty."
   }
 }
@@ -12,7 +12,7 @@ variable "illumio_cloudsecure_client_secret" {
   sensitive   = true
   description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
   validation {
-    condition     = length(var.name) > 1
+    condition     = length(var.illumio_cloudsecure_client_secret) > 0
     error_message = "The illumio_cloudsecure_client_secret value must not be empty."
   }
 }
diff --git a/examples/aws_flow_logs_s3_buckets/README.md b/examples/aws_flow_logs_s3_buckets/README.md
@@ -0,0 +1,34 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~>3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws_account_dev"></a> [aws\_account\_dev](#module\_aws\_account\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account | v1.2.0 |
+| <a name="module_aws_flow_logs_s3_buckets"></a> [aws\_flow\_logs\_s3\_buckets](#module\_aws\_flow\_logs\_s3\_buckets) |  | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_illumio_cloudsecure_client_id"></a> [illumio\_cloudsecure\_client\_id](#input\_illumio\_cloudsecure\_client\_id) | The OAuth 2 client identifier used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+| <a name="input_illumio_cloudsecure_client_secret"></a> [illumio\_cloudsecure\_client\_secret](#input\_illumio\_cloudsecure\_client\_secret) | The OAuth 2 client secret used to authenticate against the CloudSecure Config API. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/aws_flow_logs_s3_buckets/main.tf b/examples/aws_flow_logs_s3_buckets/main.tf
@@ -0,0 +1,25 @@
+provider "aws" {
+  region = "us-west-1"
+}
+
+provider "illumio-cloudsecure" {
+  client_id     = var.illumio_cloudsecure_client_id
+  client_secret = var.illumio_cloudsecure_client_secret
+}
+
+module "aws_account_dev" {
+  source = "github.com/illumio/terraform-illumio-cloudsecure//modules/aws_account?ref=v1.2.0"
+  name   = "Test Account"
+  tags   = {
+    Name  = "CloudSecure Account Policy"
+    Owner = "Engineering"
+  }
+}
+
+module "aws_flow_logs_s3_buckets" {
+  role_id        = aws_account_dev.role_id
+  s3_bucket_arns = [
+    "arn:aws:s3:::vpc1",
+    "arn:aws:s3:::vpc2"
+  ]
+}
diff --git a/examples/aws_flow_logs_s3_buckets/variables.tf b/examples/aws_flow_logs_s3_buckets/variables.tf
@@ -0,0 +1,18 @@
+variable "illumio_cloudsecure_client_id" {
+  type        = string
+  description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_id) > 0
+    error_message = "The illumio_cloudsecure_client_id value must not be empty."
+  }
+}
+
+variable "illumio_cloudsecure_client_secret" {
+  type        = string
+  sensitive   = true
+  description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_secret) > 0
+    error_message = "The illumio_cloudsecure_client_secret value must not be empty."
+  }
+}
diff --git a/examples/aws_flow_logs_s3_buckets/versions.tf b/examples/aws_flow_logs_s3_buckets/versions.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = "~> 1.0.11"
+    }
+    aws = {
+      source = "hashicorp/aws"
+      version = "~>3.0"
+    }
+  }
+}
diff --git a/examples/k8s_cluster/README.md b/examples/k8s_cluster/README.md
@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster | v1.1.1 |
+| <a name="module_k8s_cluster_dev"></a> [k8s\_cluster\_dev](#module\_k8s\_cluster\_dev) | github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster | v1.2.0 |
 
 ## Resources
 

diff --git a/examples/k8s_cluster/main.tf b/examples/k8s_cluster/main.tf
@@ -10,8 +10,8 @@ provider "illumio-cloudsecure" {
 }
 
 module "k8s_cluster_dev" {
-  source            = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.1.1"
-  illumio_region    = "aws-us-west-2"
-  name              = "example-release"
-  description       = "Dev cluster in aws-us-west-2"
+  source         = "github.com/illumio/terraform-illumio-cloudsecure//modules/k8s_cluster?ref=v1.2.0"
+  illumio_region = "aws-us-west-2"
+  name           = "example-release"
+  description    = "Dev cluster in aws-us-west-2"
 }
diff --git a/examples/k8s_cluster/outputs.tf b/examples/k8s_cluster/outputs.tf
diff --git a/examples/k8s_cluster/variables.tf b/examples/k8s_cluster/variables.tf
@@ -1,10 +1,18 @@
 variable "illumio_cloudsecure_client_id" {
   type        = string
   description = "The OAuth 2 client identifier used to authenticate against the CloudSecure Config API."
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_id) > 0
+    error_message = "The illumio_cloudsecure_client_id value must not be empty."
+  }
 }
 
 variable "illumio_cloudsecure_client_secret" {
   type        = string
   sensitive   = true
   description = "The OAuth 2 client secret used to authenticate against the CloudSecure Config API."
-}
+  validation {
+    condition     = length(var.illumio_cloudsecure_client_secret) > 0
+    error_message = "The illumio_cloudsecure_client_secret value must not be empty."
+  }
+}
diff --git a/modules/aws_account/README.md b/modules/aws_account/README.md
@@ -27,7 +27,7 @@ No modules.
 | [aws_iam_role_policy.protection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [illumio-cloudsecure_aws_account.account](https://registry.terraform.io/providers/illumio/illumio-cloudsecure/latest/docs/resources/aws_account) | resource |
-| [random_uuid.role_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_password.role_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_organizations_organization.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -46,5 +46,5 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | The ARN of the IAM role granted to the CloudSecure account. |
+| <a name="output_role_id"></a> [role\_id](#output\_role\_id) | The ID of the IAM role granted to the CloudSecure account. |
 <!-- END_TF_DOCS -->
diff --git a/modules/aws_account/main.tf b/modules/aws_account/main.tf
@@ -1,23 +1,11 @@
-terraform {
-  required_providers {
-    illumio-cloudsecure = {
-      source  = "illumio/illumio-cloudsecure"
-      version = "~> 1.0.11"
-    }
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 3.0"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
-  }
-}
-
 data "aws_partition" "current" {}
 
-resource "random_uuid" "role_secret" {}
+resource "random_password" "role_secret" {
+  length      = 36
+  special     = false
+  upper       = false
+  min_numeric = 6
+}
 
 resource "aws_iam_role_policy" "read" {
   name = "${var.iam_name_prefix}Policy"
@@ -108,6 +96,7 @@ resource "aws_iam_role_policy" "read" {
     ]
   })
 }
+
 resource "aws_iam_role_policy" "protection" {
   count = var.mode == "ReadWrite" ? 1 : 0
   name = "${var.iam_name_prefix}ProtectionPolicy"
@@ -157,7 +146,7 @@ resource "aws_iam_role" "role" {
         Action    = "sts:AssumeRole"
         Condition = {
           StringEquals = {
-            "sts:ExternalId" = random_uuid.role_secret.result
+            "sts:ExternalId" = random_password.role_secret.result
           }
         }
       }
@@ -182,5 +171,5 @@ resource "illumio-cloudsecure_aws_account" "account" {
   name             = var.name
   organization_id  = data.aws_organizations_organization.current.id
   role_arn         = aws_iam_role.role.arn
-  role_external_id = random_uuid.role_secret.result
+  role_external_id = random_password.role_secret.result
 }
diff --git a/modules/aws_account/outputs.tf b/modules/aws_account/outputs.tf
@@ -1,4 +1,4 @@
-output "role_arn" {
-  value       = aws_iam_role.role.arn
-  description = "The ARN of the IAM role granted to the CloudSecure account."
+output "role_id" {
+  value       = aws_iam_role.role.id
+  description = "The ID of the IAM role granted to the CloudSecure account."
 }
diff --git a/modules/aws_account/variables.tf b/modules/aws_account/variables.tf
@@ -3,7 +3,7 @@ variable "iam_name_prefix" {
   type        = string
   default     = "IllumioCloudIntegration"
   validation {
-    condition     = length(var.iam_name_prefix) > 1
+    condition     = length(var.iam_name_prefix) > 0
     error_message = "The iam_name_prefix value must not be empty."
   }
 }
@@ -32,7 +32,7 @@ variable "name" {
   description = "The name of this account in CloudSecure."
   type        = string
   validation {
-    condition     = length(var.name) > 1
+    condition     = length(var.name) > 0
     error_message = "The name value must not be empty."
   }
 }

diff --git a/modules/aws_account/versions.tf b/modules/aws_account/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    illumio-cloudsecure = {
+      source  = "illumio/illumio-cloudsecure"
+      version = "~> 1.0.11"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
diff --git a/modules/aws_flow_logs_s3_buckets/README.md b/modules/aws_flow_logs_s3_buckets/README.md
@@ -0,0 +1,39 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+| <a name="requirement_illumio-cloudsecure"></a> [illumio-cloudsecure](#requirement\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 3.0 |
+| <a name="provider_illumio-cloudsecure"></a> [illumio-cloudsecure](#provider\_illumio-cloudsecure) | ~> 1.0.11 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role_policy.s3_bucket_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [illumio-cloudsecure_aws_flow_logs_s3_bucket.bucket_example](https://registry.terraform.io/providers/illumio/illumio-cloudsecure/latest/docs/resources/aws_flow_logs_s3_bucket) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_iam_name_prefix"></a> [iam\_name\_prefix](#input\_iam\_name\_prefix) | The prefix given to all AWS IAM resource names. | `string` | `"IllumioCloudIntegration"` | no |
+| <a name="input_role_id"></a> [role\_id](#input\_role\_id) | The ID of the IAM role granted to the CloudSecure account. | `string` | n/a | yes |
+| <a name="input_s3_bucket_arns"></a> [s3\_bucket\_arns](#input\_s3\_bucket\_arns) | The set of ARNs of AWS S3 buckets containing flow logs. | `set(string)` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/modules/aws_flow_logs_s3_buckets/main.tf b/modules/aws_flow_logs_s3_buckets/main.tf
@@ -0,0 +1,33 @@
+resource "aws_iam_role_policy" "s3_bucket_read" {
+  name   = "${var.iam_name_prefix}BucketReadPolicy"
+  role   = var.role_id
+  policy = jsonencode({
+    Version   = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = [
+          "s3:ListBucket",
+          "s3:ListBucketVersion",
+          "s3:GetBucketLocation"
+        ],
+        Resource = [for arn in var.s3_bucket_arns : regex("^[^/]+", arn)]
+      },
+      {
+        Effect   = "Allow"
+        Action   = [
+          "s3:GetObject"
+        ],
+        Resource = [for arn in var.s3_bucket_arns : replace("${arn}/*", "//*", "/*")]
+      }
+    ]
+  })
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "illumio-cloudsecure_aws_flow_logs_s3_bucket" "bucket_example" {
+  for_each      = var.s3_bucket_arns
+  account_id    = data.aws_caller_identity.current.account_id
+  s3_bucket_arn = each.key
+}
diff --git a/modules/aws_flow_logs_s3_buckets/variables.tf b/modules/aws_flow_logs_s3_buckets/variables.tf
@@ -0,0 +1,27 @@
+variable "iam_name_prefix" {
+  description = "The prefix given to all AWS IAM resource names."
+  type        = string
+  default     = "IllumioCloudIntegration"
+  validation {
+    condition     = length(var.iam_name_prefix) > 0
+    error_message = "The iam_name_prefix value must not be empty."
+  }
+}
+
+variable "role_id" {
+  description = "The ID of the IAM role granted to the CloudSecure account."
+  type        = string
+  validation {
+    condition     = length(var.role_id) > 0
+    error_message = "The role_id value must not be empty."
+  }
+}
+
+variable "s3_bucket_arns" {
+  description = "The set of ARNs of AWS S3 buckets containing flow logs."
+  type        = set(string)
+  validation {
+    condition     = length(var.s3_bucket_arns) > 0
+    error_message = "The s3_bucket_arns value must not be empty."
+  }
+}