update

terraform-modules · Aug 12, 2025 · 494cdd6 · 494cdd6
1 parent 90f4d91
commit 494cdd6
Show file tree

Hide file tree

Showing 18 changed files with 173 additions and 233 deletions.
diff --git a/availabilty_zones.tf b/availabilty_zones.tf
diff --git a/data.tf b/data.tf
@@ -3,5 +3,5 @@ data "aws_kms_key" "s3_key" {
 }
 
 data "aws_s3_bucket" "log_bucket" {
-  bucket = format("inf-logs-%v-%v", var.account_id, local.region)
+  bucket = var.log_bucket == null ? format("inf-logs-%v-%v", var.account_id, local.region) : var.log_bucket
 }
diff --git a/eventbridge.guardduty.tf b/eventbridge.guardduty.tf
@@ -1,12 +1,7 @@
-locals {
-  short_files_in = "files_in"
-}
-
 # https://repost.aws/knowledge-center/cloudwatch-log-group-eventbridge
 # must start with /aws/events
 
 resource "aws_cloudwatch_log_group" "guardduty_event_log" {
-  #  name              = format("/aws/events/%v-%v-%v/%v/%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "gd", local.short_files_in)
   name              = format("/aws/events/%v/%v-%v", var.input_resource_label, "in", "guardduty")
   retention_in_days = var.log_retention_in_days
 
@@ -48,7 +43,6 @@ resource "aws_cloudwatch_log_resource_policy" "guardduty_event_log" {
 
 module "eventbridge_guardduty" {
   source = "terraform-aws-modules/eventbridge/aws"
-  #  role_name = format("r-%v-%v-%v-%v-%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "gd", local.short_files_in)
   role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "in", "guardduty")
 
   append_rule_postfix = false

diff --git a/eventbridge.s3.tf b/eventbridge.s3.tf
@@ -1,10 +1,5 @@
-locals {
-  short_files_clean = "files_clean"
-}
-
 module "eventbridge_s3" {
   source = "terraform-aws-modules/eventbridge/aws"
-  #  role_name = format("r-%v-%v-%v-%v-%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "s3", local.short_files_clean)
   role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "clean", "s3")
 
   append_rule_postfix = false

diff --git a/lambda.move.tf b/lambda.move.tf
@@ -2,7 +2,6 @@ module "lambda_move" {
   source = "terraform-aws-modules/lambda/aws"
 
   create_function           = true
-#  create_package            = true
   create_package            = false
   create_role               = true
   create_async_event_config = true
@@ -41,14 +40,11 @@ module "lambda_move" {
   environment_variables = merge(
     {
       Enabled                          = true
-      GUARDDUTY_MOVE_ORG               = "default"
       GUARDDUTY_MOVE_VERBOSE           = false
       GUARDDUTY_MOVE_BUCKET_IN         = module.files_in.s3_bucket_id
       GUARDDUTY_MOVE_BUCKET_CLEAN      = module.files_clean.s3_bucket_id
       GUARDDUTY_MOVE_BUCKET_QUARANTINE = module.files_quarantine.s3_bucket_id
-
-      #POWERTOOLS_LOG_LEVEL = "INFO"
-      POWERTOOLS_LOG_LEVEL = "DEBUG"
+      POWERTOOLS_LOG_LEVEL = "INFO"
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.notify.tf b/lambda.notify.tf
@@ -1,14 +1,3 @@
-# resource "aws_cloudwatch_log_group" "lambda_notify" {
-#   name = "/aws/lambda/darhts-guardduty-notify"
-#   retention_in_days = var.log_retention_in_days
-# 
-#   tags = merge(
-#     local.base_tags,
-#     var.tags,
-#     local.input_finops_roles["log"],
-#   )
-# }
-
 module "lambda_notify" {
   source = "terraform-aws-modules/lambda/aws"
 
@@ -54,18 +43,13 @@ module "lambda_notify" {
   environment_variables = merge(
     {
       Enabled                                 = true
-      GUARDDUTY_NOTIFY_ORG                    = "default"
       GUARDDUTY_NOTIFY_VERBOSE                = false
       GUARDDUTY_NOTIFY_SECRET_NAME            = var.secret_name
       GUARDDUTY_NOTIFY_ENVIRONMENT            = var.app_info.environment
-#      GUARDDUTY_NOTIFY_AUTH_URL               = "${var.app_info.token_url}/fail"
       GUARDDUTY_NOTIFY_AUTH_URL               = var.app_info.token_url
       GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
-#      GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME    = "FailGuardDutyObjectScan__e"
       GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME    = "GuardDutyObjectScan__e"
-      # use DEBUG for debbuing, along with GUARDDUTY_MOVE_VERBOSE
-      #POWERTOOLS_LOG_LEVEL = "INFO"
-      POWERTOOLS_LOG_LEVEL = "DEBUG"
+      POWERTOOLS_LOG_LEVEL = "INFO"
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.s3-tag.tf b/lambda.s3-tag.tf
@@ -43,7 +43,6 @@ module "lambda_s3_tag" {
   environment_variables = merge(
     {
       Enabled                 = true
-      S3_TAG_ORG              = "default"
       S3_TAG_VERBOSE          = false
       S3_TAG_ENVIRONMENT      = var.app_info.environment
       S3_TAG_BUCKET_CLEAN_IN  = module.files_clean.s3_bucket_id
@@ -53,8 +52,7 @@ module "lambda_s3_tag" {
         darhts_certified           = "true"
       })
       # use DEBUG for debbuing, along with S3_MOVE_VERBOSE
-      #POWERTOOLS_LOG_LEVEL = "INFO"
-      POWERTOOLS_LOG_LEVEL = "DEBUG"
+      POWERTOOLS_LOG_LEVEL = "INFO"
     },
     var.lambda_environment_variables_override,
   )

diff --git a/lambda.s3.tf b/lambda.s3.tf
@@ -43,18 +43,13 @@ module "lambda_s3" {
   environment_variables = merge(
     {
       Enabled                          = true
-      S3_NOTIFY_ORG                    = "default"
       S3_NOTIFY_VERBOSE                = false
       S3_NOTIFY_SECRET_NAME            = var.secret_name
       S3_NOTIFY_ENVIRONMENT            = var.app_info.environment
-#      S3_NOTIFY_AUTH_URL               = "${var.app_info.token_url}/fail"
       S3_NOTIFY_AUTH_URL               = var.app_info.token_url
       S3_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version
-#      S3_NOTIFY_PLATFORM_EVENT_NAME    = "FailDARHTSCleanCreateObjectEvent__e"
       S3_NOTIFY_PLATFORM_EVENT_NAME    = "DARHTSCleanCreateObjectEvent__e"
-      # use DEBUG for debbuing, along with S3_MOVE_VERBOSE
-      #POWERTOOLS_LOG_LEVEL = "INFO"
-      POWERTOOLS_LOG_LEVEL = "DEBUG"
+      POWERTOOLS_LOG_LEVEL = "INFO"
     },
     var.lambda_environment_variables_override,
   )

diff --git a/locals.tf b/locals.tf
diff --git a/locals.tf.initial b/locals.tf.initial
diff --git a/main.tf b/main.tf
@@ -1,112 +1,12 @@
-module "files_in" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
-
-  bucket_name                 = format("%v-in", var.input_resource_label)
-  access_log_bucket           = data.aws_s3_bucket.log_bucket.id
-  bucket_key_enabled          = true
-  use_kms_encryption          = true
-  name_include_region         = true
-  name_include_account        = true
-  name_include_region_compact = true
-  name_enforce_region_compact = true
-  versioning                  = false
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.input_finops_roles["s3"],
-  )
-}
-
-module "files_clean" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
-
-  bucket_name                 = format("%v-clean", var.input_resource_label)
-  access_log_bucket           = data.aws_s3_bucket.log_bucket.id
-  bucket_key_enabled          = true
-  use_kms_encryption          = true
-  name_include_region         = true
-  name_include_account        = true
-  name_include_region_compact = true
-  name_enforce_region_compact = true
-  versioning                  = true
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.input_finops_roles["s3"],
-  )
-}
-
-resource "aws_s3_bucket_notification" "files_clean" {
-  bucket      = module.files_clean.s3_bucket_id
-  eventbridge = true
-}
-
-module "files_quarantine" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
-
-  bucket_name                 = format("%v-quarantine", var.input_resource_label)
-  access_log_bucket           = data.aws_s3_bucket.log_bucket.id
-  bucket_key_enabled          = true
-  use_kms_encryption          = true
-  name_include_region         = true
-  name_include_account        = true
-  name_include_region_compact = true
-  name_enforce_region_compact = true
-  versioning                  = false
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.input_finops_roles["s3"],
-  )
-}
-
-module "files_out_clean" {
-  source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade"
-
-  bucket_name                 = format("%v-clean", var.output_resource_label)
-  access_log_bucket           = data.aws_s3_bucket.log_bucket.id
-  bucket_key_enabled          = true
-  use_kms_encryption          = true
-  name_include_region         = true
-  name_include_account        = true
-  name_include_region_compact = true
-  name_enforce_region_compact = true
-  versioning                  = true
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.output_finops_roles["s3"],
-  )
-}
-
-resource "aws_s3_bucket_notification" "files_out_clean" {
-  bucket      = module.files_out_clean.s3_bucket_id
-  eventbridge = true
-}
-
-data "aws_guardduty_detector" "main" {}
-
-resource "aws_guardduty_malware_protection_plan" "s3_malware" {
-  role = aws_iam_role.guardduty_malware_role.arn
-
-  protected_resource {
-    s3_bucket {
-      bucket_name = module.files_in.s3_bucket_id
-    }
-  }
-  actions {
-    tagging {
-      status = "ENABLED"
-    }
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)])
+  iam_arn      = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id)
+
+  base_tags = {
+    "boc:created_by"        = "terraform"
+    "boc:tf_module_version" = local._module_version
+    "boc:tf_module_name" = local._module_name
   }
-
-  tags = merge(
-    local.base_tags,
-    var.tags,
-    local.input_finops_roles["guardduty"],
-  )
 }
diff --git a/role.tf b/role.tf
@@ -16,19 +16,6 @@ resource "aws_iam_role_policy" "guardduty_malware_policy" {
   policy = data.aws_iam_policy_document.guardduty_malware_access_policy.json
 }
 
-#data "aws_iam_policy" "guardduty_malware_policy" {
-#  name = format("GuardDutyS3MalwareProtectionPolicy-%v-88686", "v-s3-malwarescanning-ri-files-in")
-#}
-
-#data "aws_iam_role" "role" {
-#  name = "GuardDutyS3MalwareScanRole-53c66456-54d3-426f-ac04-1ce1eb60caac"
-#}
-
-#resource "aws_iam_role_policy_attachment" "guardduty_malware_policy" {
-#  role       = aws_iam_role.guardduty_malware_role.name
-#  policy_arn = data.aws_iam_policy.guardduty_malware_policy.arn
-#}
-
 data "aws_iam_policy_document" "guardduty_malware_assume_role" {
   statement {
     sid    = "GuardDutyMalwareProtectionForS3"