From 494cdd6c83bbceb51388ed8aebd7dcb89d9a0b05 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 12 Aug 2025 12:28:33 -0400 Subject: [PATCH] update --- availabilty_zones.tf | 25 ------ data.tf | 2 +- eventbridge.guardduty.tf | 6 -- eventbridge.s3.tf | 5 -- lambda.move.tf | 6 +- lambda.notify.tf | 18 +--- lambda.s3-tag.tf | 4 +- lambda.s3.tf | 7 +- locals.tf | 7 -- locals.tf.initial | 9 -- main.tf | 120 +++---------------------- role.tf | 13 --- s3.tf | 112 +++++++++++++++++++++++ secret.tf | 6 +- settings.default.yml | 21 +++++ settings.tf | 4 + variables.common.availability_zones.tf | 5 -- variables.tf | 36 ++++---- 18 files changed, 173 insertions(+), 233 deletions(-) delete mode 100644 availabilty_zones.tf delete mode 100644 locals.tf delete mode 100644 locals.tf.initial create mode 100644 s3.tf create mode 100644 settings.default.yml create mode 100644 settings.tf delete mode 100644 variables.common.availability_zones.tf diff --git a/availabilty_zones.tf b/availabilty_zones.tf deleted file mode 100644 index 0684edb..0000000 --- a/availabilty_zones.tf +++ /dev/null @@ -1,25 +0,0 @@ -data "aws_availability_zones" "zones" { - state = "available" -} - -data "aws_availability_zone" "zone" { - for_each = toset(data.aws_availability_zones.zones.names) - state = "available" - name = each.key -} - - -output "availability_zone_names" { - description = "VPC Availability zone name list" - value = data.aws_availability_zones.zones.names -} - -output "availability_zone_ids" { - description = "VPC Availability zone id list" - value = data.aws_availability_zones.zones.zone_ids -} - -output "availability_zone_suffixes" { - description = "VPC Availability zone suffix list" - value = [for k, v in data.aws_availability_zone.zone : v.name_suffix] -} diff --git a/data.tf b/data.tf index 2fc0f99..d97daf5 100644 --- a/data.tf +++ b/data.tf 
@@ -3,5 +3,5 @@ data "aws_kms_key" "s3_key" { } data "aws_s3_bucket" "log_bucket" { - bucket = format("inf-logs-%v-%v", var.account_id, local.region) + bucket = var.log_bucket == null ? format("inf-logs-%v-%v", var.account_id, local.region) : var.log_bucket } diff --git a/eventbridge.guardduty.tf b/eventbridge.guardduty.tf index 4998545..a9ebaa4 100644 --- a/eventbridge.guardduty.tf +++ b/eventbridge.guardduty.tf @@ -1,12 +1,7 @@ -locals { - short_files_in = "files_in" -} - # https://repost.aws/knowledge-center/cloudwatch-log-group-eventbridge # must start with /aws/events resource "aws_cloudwatch_log_group" "guardduty_event_log" { - # name = format("/aws/events/%v-%v-%v/%v/%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "gd", local.short_files_in) name = format("/aws/events/%v/%v-%v", var.input_resource_label, "in", "guardduty") retention_in_days = var.log_retention_in_days @@ -48,7 +43,6 @@ resource "aws_cloudwatch_log_resource_policy" "guardduty_event_log" { module "eventbridge_guardduty" { source = "terraform-aws-modules/eventbridge/aws" - # role_name = format("r-%v-%v-%v-%v-%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "gd", local.short_files_in) role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "in", "guardduty") append_rule_postfix = false diff --git a/eventbridge.s3.tf b/eventbridge.s3.tf index ebc3e63..00d048c 100644 --- a/eventbridge.s3.tf +++ b/eventbridge.s3.tf @@ -1,10 +1,5 @@ -locals { - short_files_clean = "files_clean" -} - module "eventbridge_s3" { source = "terraform-aws-modules/eventbridge/aws" - # role_name = format("r-%v-%v-%v-%v-%v", var.app_info.organization, var.app_info.name, var.app_info.environment, "s3", local.short_files_clean) role_name = format("%v%v-%v-%v", try(module.base.prefixes.role, ""), var.input_resource_label, "clean", "s3") append_rule_postfix = false 
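Review bot: `format("inf-logs-%v-%v", var.account_id, local.region)` still reads `var.account_id` directly, while the new `locals` block in main.tf introduces `local.account_id`, which falls back to the caller identity when `var.account_id` is the empty string; with an empty variable this default resolves to `inf-logs--<region>` and the data-source lookup fails. Using the local keeps the fallback consistent across files: `bucket = var.log_bucket == null ? format("inf-logs-%v-%v", local.account_id, local.region) : var.log_bucket`. The same expression can also be written `coalesce(var.log_bucket, format("inf-logs-%v-%v", local.account_id, local.region))`, which additionally treats an empty-string `log_bucket` as unset.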
diff --git a/lambda.move.tf b/lambda.move.tf index 8c39b26..6d11285 100644 --- a/lambda.move.tf +++ b/lambda.move.tf @@ -2,7 +2,6 @@ module "lambda_move" { source = "terraform-aws-modules/lambda/aws" create_function = true -# create_package = true create_package = false create_role = true create_async_event_config = true @@ -41,14 +40,11 @@ module "lambda_move" { environment_variables = merge( { Enabled = true - GUARDDUTY_MOVE_ORG = "default" GUARDDUTY_MOVE_VERBOSE = false GUARDDUTY_MOVE_BUCKET_IN = module.files_in.s3_bucket_id GUARDDUTY_MOVE_BUCKET_CLEAN = module.files_clean.s3_bucket_id GUARDDUTY_MOVE_BUCKET_QUARANTINE = module.files_quarantine.s3_bucket_id - - #POWERTOOLS_LOG_LEVEL = "INFO" - POWERTOOLS_LOG_LEVEL = "DEBUG" + POWERTOOLS_LOG_LEVEL = "INFO" }, var.lambda_environment_variables_override, ) diff --git a/lambda.notify.tf b/lambda.notify.tf index 191ac03..f3b49e2 100644 --- a/lambda.notify.tf +++ b/lambda.notify.tf @@ -1,14 +1,3 @@ -# resource "aws_cloudwatch_log_group" "lambda_notify" { -# name = "/aws/lambda/darhts-guardduty-notify" -# retention_in_days = var.log_retention_in_days -# -# tags = merge( -# local.base_tags, -# var.tags, -# local.input_finops_roles["log"], -# ) -# } - module "lambda_notify" { source = "terraform-aws-modules/lambda/aws" 
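Review bot: `POWERTOOLS_LOG_LEVEL = "INFO"` is hard-coded in the lambda_move environment while this same commit adds settings.default.yml with `default.log_level: INFO` and exposes it as `local.settings_default` in settings.tf, so the value now lives in two places that can drift; the same applies to the parallel edits in lambda.notify.tf, lambda.s3-tag.tf and lambda.s3.tf. If the settings file is meant to become the source of truth, `POWERTOOLS_LOG_LEVEL = local.settings_default.default.log_level` (or a `lookup()` with `"INFO"` as fallback) keeps them in one place. Because `var.lambda_environment_variables_override` is merged last, an operator can still raise the level to DEBUG for a single deployment without editing the module. The module block continues outside the hunk.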
@@ -54,18 +43,13 @@ module "lambda_notify" { environment_variables = merge( { Enabled = true - GUARDDUTY_NOTIFY_ORG = "default" GUARDDUTY_NOTIFY_VERBOSE = false GUARDDUTY_NOTIFY_SECRET_NAME = var.secret_name GUARDDUTY_NOTIFY_ENVIRONMENT = var.app_info.environment -# GUARDDUTY_NOTIFY_AUTH_URL = "${var.app_info.token_url}/fail" GUARDDUTY_NOTIFY_AUTH_URL = var.app_info.token_url GUARDDUTY_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version -# GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME = "FailGuardDutyObjectScan__e" GUARDDUTY_NOTIFY_PLATFORM_EVENT_NAME = "GuardDutyObjectScan__e" - # use DEBUG for debbuing, along with GUARDDUTY_MOVE_VERBOSE - #POWERTOOLS_LOG_LEVEL = "INFO" - POWERTOOLS_LOG_LEVEL = "DEBUG" + POWERTOOLS_LOG_LEVEL = "INFO" }, var.lambda_environment_variables_override, ) diff --git a/lambda.s3-tag.tf b/lambda.s3-tag.tf index c8e525a..f9638c2 100644 --- a/lambda.s3-tag.tf +++ b/lambda.s3-tag.tf @@ -43,7 +43,6 @@ module "lambda_s3_tag" { environment_variables = merge( { Enabled = true - S3_TAG_ORG = "default" S3_TAG_VERBOSE = false S3_TAG_ENVIRONMENT = var.app_info.environment S3_TAG_BUCKET_CLEAN_IN = module.files_clean.s3_bucket_id @@ -53,8 +52,7 @@ module "lambda_s3_tag" { darhts_certified = "true" }) # use DEBUG for debbuing, along with S3_MOVE_VERBOSE - #POWERTOOLS_LOG_LEVEL = "INFO" - POWERTOOLS_LOG_LEVEL = "DEBUG" + POWERTOOLS_LOG_LEVEL = "INFO" }, var.lambda_environment_variables_override, ) diff --git a/lambda.s3.tf b/lambda.s3.tf index 11a0686..f957aab 100644 --- a/lambda.s3.tf +++ b/lambda.s3.tf 
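Review bot: The context comment `# use DEBUG for debbuing, along with S3_MOVE_VERBOSE` survives in lambda.s3-tag.tf's second hunk although the equivalent comment was dropped from lambda.move.tf, lambda.notify.tf and lambda.s3.tf, and it names the wrong variable — the flag set in this block is `S3_TAG_VERBOSE`. Either drop it for consistency with the sibling files or correct it to `# use DEBUG for debugging, along with S3_TAG_VERBOSE`. The module block continues outside the hunk.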
@@ -43,18 +43,13 @@ module "lambda_s3" { environment_variables = merge( { Enabled = true - S3_NOTIFY_ORG = "default" S3_NOTIFY_VERBOSE = false S3_NOTIFY_SECRET_NAME = var.secret_name S3_NOTIFY_ENVIRONMENT = var.app_info.environment -# S3_NOTIFY_AUTH_URL = "${var.app_info.token_url}/fail" S3_NOTIFY_AUTH_URL = var.app_info.token_url S3_NOTIFY_SALESFORCE_API_VERSION = var.app_info.salesforce_api_version -# S3_NOTIFY_PLATFORM_EVENT_NAME = "FailDARHTSCleanCreateObjectEvent__e" S3_NOTIFY_PLATFORM_EVENT_NAME = "DARHTSCleanCreateObjectEvent__e" - # use DEBUG for debbuing, along with S3_MOVE_VERBOSE - #POWERTOOLS_LOG_LEVEL = "INFO" - POWERTOOLS_LOG_LEVEL = "DEBUG" + POWERTOOLS_LOG_LEVEL = "INFO" }, var.lambda_environment_variables_override, ) diff --git a/locals.tf b/locals.tf deleted file mode 100644 index 8560648..0000000 --- a/locals.tf +++ /dev/null @@ -1,7 +0,0 @@ -locals { - base_tags = { - "boc:created_by" = "terraform" - } - region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) - iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) -} diff --git a/locals.tf.initial b/locals.tf.initial deleted file mode 100644 index 2bd4d7f..0000000 --- a/locals.tf.initial +++ /dev/null @@ -1,9 +0,0 @@ -locals { - account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id - account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" - - base_tags = { - "boc:tf_module_version" = local._module_version - "boc:created_by" = "terraform" - } -} diff --git a/main.tf b/main.tf index a510f12..6e4003c 100644 --- a/main.tf +++ b/main.tf 
@@ -1,112 +1,12 @@ -module "files_in" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" - - bucket_name = format("%v-in", var.input_resource_label) - access_log_bucket = data.aws_s3_bucket.log_bucket.id - bucket_key_enabled = true - use_kms_encryption = true - name_include_region = true - name_include_account = true - name_include_region_compact = true - name_enforce_region_compact = true - versioning = false - - tags = merge( - local.base_tags, - var.tags, - local.input_finops_roles["s3"], - ) -} - -module "files_clean" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" - - bucket_name = format("%v-clean", var.input_resource_label) - access_log_bucket = data.aws_s3_bucket.log_bucket.id - bucket_key_enabled = true - use_kms_encryption = true - name_include_region = true - name_include_account = true - name_include_region_compact = true - name_enforce_region_compact = true - versioning = true - - tags = merge( - local.base_tags, - var.tags, - local.input_finops_roles["s3"], - ) -} - -resource "aws_s3_bucket_notification" "files_clean" { - bucket = module.files_clean.s3_bucket_id - eventbridge = true -} - -module "files_quarantine" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" - - bucket_name = format("%v-quarantine", var.input_resource_label) - access_log_bucket = data.aws_s3_bucket.log_bucket.id - bucket_key_enabled = true - use_kms_encryption = true - name_include_region = true - name_include_account = true - name_include_region_compact = true - name_enforce_region_compact = true - versioning = false - - tags = merge( - local.base_tags, - var.tags, - local.input_finops_roles["s3"], - ) -} - -module "files_out_clean" { - source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" - - bucket_name = format("%v-clean", var.output_resource_label) - access_log_bucket = 
data.aws_s3_bucket.log_bucket.id - bucket_key_enabled = true - use_kms_encryption = true - name_include_region = true - name_include_account = true - name_include_region_compact = true - name_enforce_region_compact = true - versioning = true - - tags = merge( - local.base_tags, - var.tags, - local.output_finops_roles["s3"], - ) -} - -resource "aws_s3_bucket_notification" "files_out_clean" { - bucket = module.files_out_clean.s3_bucket_id - eventbridge = true -} - -data "aws_guardduty_detector" "main" {} - -resource "aws_guardduty_malware_protection_plan" "s3_malware" { - role = aws_iam_role.guardduty_malware_role.arn - - protected_resource { - s3_bucket { - bucket_name = module.files_in.s3_bucket_id - } - } - actions { - tagging { - status = "ENABLED" - } +locals { + account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id + account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew" + region_short = join("", [for c in split("-", local.region) : substr(c, 0, 1)]) + iam_arn = format("arn:%v:iam::%v:%%v", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) + + base_tags = { + "boc:created_by" = "terraform" + "boc:tf_module_version" = local._module_version + "boc:tf_module_name" = local._module_name } - - tags = merge( - local.base_tags, - var.tags, - local.input_finops_roles["guardduty"], - ) } diff --git a/role.tf b/role.tf index 50a7e37..72d9285 100644 --- a/role.tf +++ b/role.tf 
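Review bot: `local._module_version` and `local._module_name` are referenced in the new `base_tags` but are defined nowhere in this patch; the deleted locals.tf.initial already used `_module_version`, so presumably both are set in another file, but `_module_name` is new here and should be confirmed to exist or `terraform validate` will fail on this block. A one-line comment above `base_tags` naming the file that sets those two locals would spare the next reader the search. The old side of this hunk starts on the previous line of the patch; the new side is the complete `locals` block.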
@@ -16,19 +16,6 @@ resource "aws_iam_role_policy" "guardduty_malware_policy" { policy = data.aws_iam_policy_document.guardduty_malware_access_policy.json } -#data "aws_iam_policy" "guardduty_malware_policy" { -# name = format("GuardDutyS3MalwareProtectionPolicy-%v-88686", "v-s3-malwarescanning-ri-files-in") -#} - -#data "aws_iam_role" "role" { -# name = "GuardDutyS3MalwareScanRole-53c66456-54d3-426f-ac04-1ce1eb60caac" -#} - -#resource "aws_iam_role_policy_attachment" "guardduty_malware_policy" { -# role = aws_iam_role.guardduty_malware_role.name -# policy_arn = data.aws_iam_policy.guardduty_malware_policy.arn -#} - data "aws_iam_policy_document" "guardduty_malware_assume_role" { statement { sid = "GuardDutyMalwareProtectionForS3" diff --git a/s3.tf b/s3.tf new file mode 100644 index 0000000..a510f12 --- /dev/null +++ b/s3.tf 
@@ -0,0 +1,112 @@ +module "files_in" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" + + bucket_name = format("%v-in", var.input_resource_label) + access_log_bucket = data.aws_s3_bucket.log_bucket.id + bucket_key_enabled = true + use_kms_encryption = true + name_include_region = true + name_include_account = true + name_include_region_compact = true + name_enforce_region_compact = true + versioning = false + + tags = merge( + local.base_tags, + var.tags, + local.input_finops_roles["s3"], + ) +} + +module "files_clean" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" + + bucket_name = format("%v-clean", var.input_resource_label) + access_log_bucket = data.aws_s3_bucket.log_bucket.id + bucket_key_enabled = true + use_kms_encryption = true + name_include_region = true + name_include_account = true + name_include_region_compact = true + name_enforce_region_compact = true + versioning = true + + tags = merge( + local.base_tags, + var.tags, + local.input_finops_roles["s3"], + ) +} + +resource "aws_s3_bucket_notification" "files_clean" { + bucket = module.files_clean.s3_bucket_id + eventbridge = true +} + +module "files_quarantine" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" + + bucket_name = format("%v-quarantine", var.input_resource_label) + access_log_bucket = data.aws_s3_bucket.log_bucket.id + bucket_key_enabled = true + use_kms_encryption = true + name_include_region = true + name_include_account = true + name_include_region_compact = true + name_enforce_region_compact = true + versioning = false + + tags = merge( + local.base_tags, + var.tags, + local.input_finops_roles["s3"], + ) +} + +module "files_out_clean" { + source = "git@github.e.it.census.gov:terraform-modules/aws-s3.git//standard?ref=tf-upgrade" + + bucket_name = format("%v-clean", var.output_resource_label) + access_log_bucket = data.aws_s3_bucket.log_bucket.id 
+ bucket_key_enabled = true + use_kms_encryption = true + name_include_region = true + name_include_account = true + name_include_region_compact = true + name_enforce_region_compact = true + versioning = true + + tags = merge( + local.base_tags, + var.tags, + local.output_finops_roles["s3"], + ) +} + +resource "aws_s3_bucket_notification" "files_out_clean" { + bucket = module.files_out_clean.s3_bucket_id + eventbridge = true +} + +data "aws_guardduty_detector" "main" {} + +resource "aws_guardduty_malware_protection_plan" "s3_malware" { + role = aws_iam_role.guardduty_malware_role.arn + + protected_resource { + s3_bucket { + bucket_name = module.files_in.s3_bucket_id + } + } + actions { + tagging { + status = "ENABLED" + } + } + + tags = merge( + local.base_tags, + var.tags, + local.input_finops_roles["guardduty"], + ) +} diff --git a/secret.tf b/secret.tf index 18c7ee9..482bc0e 100644 --- a/secret.tf +++ b/secret.tf @@ -4,16 +4,16 @@ data "aws_iam_role" "inf_cloud_admin" { resource "aws_secretsmanager_secret" "app_secret" { name = var.secret_name - description = try(var.app_info.description, var.input_resource_label) + description = try(var.secret_description, var.input_resource_label) kms_key_id = aws_kms_key.app_secret.arn policy = data.aws_iam_policy_document.app_secret.json - recovery_window_in_days = 0 + recovery_window_in_days = 7 tags = merge( local.base_tags, var.tags, local.input_finops_roles["secret"], - { Name = var.app_info.secret_name }, + { Name = var.app_info.secret_name}, ) } diff --git a/settings.default.yml b/settings.default.yml new file mode 100644 index 0000000..a6a4272 --- /dev/null +++ b/settings.default.yml 
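Review bot: All four `source` lines in s3.tf pin the aws-s3 module to `?ref=tf-upgrade`, a branch name rather than a tag or commit, so the bucket policy, encryption and access-logging behaviour these modules produce can change underneath this repository without any diff here, which undermines reproducible plans and supply-chain review of the module. Pin to a release tag or commit SHA, e.g. `?ref=<TAG_OR_SHA>` (placeholder), and bump it deliberately. Separately, `files_quarantine` is created with `versioning = false`; if quarantined objects are meant to be preserved as evidence, versioning (or Object Lock, if the module exposes it — its option set is not visible here) is worth considering.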
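Review bot: `try(var.secret_description, var.input_resource_label)` never falls back, because `var.secret_description` is a declared variable with a non-null default, so `try` has nothing to catch; if the fallback is intended for callers that pass null, `coalesce(var.secret_description, var.input_resource_label)` expresses that. Raising `recovery_window_in_days` from 0 to 7 is a good change, since 0 allowed immediate, unrecoverable deletion of the secret. `{ Name = var.app_info.secret_name}` is missing the space `terraform fmt` would insert before `}`.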
@@ -0,0 +1,21 @@ +default: + log_level: INFO + verbose: false + enabled: true + environment: +guardduty-move: +guardduty-notify: + environment: +# secret_name: "/app/BLF/ENV/salesforce-api" + auth_url: + salesforce_api_version: "64.0" + platform_event_name: "GuardDutyObjectScan__e" +s3-tag: + trigger_tags: + GuardDutyMalwareScanStatus: "NO_THREATS_FOUND" + darhts_certified: "true" +s3: +# secret_name: "/app/BLF/ENV/salesforce-api" + auth_url: + salesforce_api_version: "64.0" + platform_event_name: "DARHTSCleanCreateObjectEvent__e" diff --git a/settings.tf b/settings.tf new file mode 100644 index 0000000..2971f26 --- /dev/null +++ b/settings.tf @@ -0,0 +1,4 @@ +locals { + settings = var.settings + settings_default = yamldecode(file("${path.module}/settings.default.yml")) +} diff --git a/variables.common.availability_zones.tf b/variables.common.availability_zones.tf deleted file mode 100644 index 3e17e57..0000000 --- a/variables.common.availability_zones.tf +++ /dev/null @@ -1,5 +0,0 @@ -variable "availability_zones" { - description = "AWS Availability Zones to use (by default will use all available)" - type = list(string) - default = [] -} diff --git a/variables.tf b/variables.tf index a8b8388..b92de42 100644 --- a/variables.tf +++ b/variables.tf @@ -11,29 +11,11 @@ variable "log_retention_in_days" { } } -# variable "app_name" { -# description = "NTS Base Label format {org}-{app}-{env} for application" -# type = string -# } - variable "app_info" { description = "Structure with organization, name, environment" type = map(string) } -# settings = { -# secret_name = "infoblox" -# secret_name_format = "/enterprise/terraform/providers/%v" -# description = "Infoblox provider settings" -# username = "apiadmin" -# hostname = "bcc-inf-gm.console.tco.census.gov" -# port = 443 -# api_version = "2.9" -# ssl_mode = true -# } -# -# - variable "environment_label" { description = "Label to be used as the environment" type = string 
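Review bot: `local.settings` and `local.settings_default` are defined in settings.tf but nothing in this patch reads them and they are never combined, so settings.default.yml has no effect yet; if the intent is user overrides on top of defaults, `settings = merge(local.settings_default, var.settings)` is the usual shape. Note that keys with no value in the YAML (`guardduty-move:`, and the `environment:` / `auth_url:` leaves) decode to null, so a per-section `merge` or `try()`/`lookup()` with a fallback will be needed before those entries can feed the lambda modules.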
@@ -54,6 +36,12 @@ variable "secret_name" {
 type = string
 }
 
+variable "secret_description" {
+ description = "Description to be used for the AWS Secret for the Salesforce API"
+ type = string
+ default = "Credentials for Salesforce API"
+}
+
 variable "dlq_retry_attempts" {
 description = "Dead Letter Queue maxium_retry_attempts (default: 3)"
 type = number
@@ -77,3 +65,15 @@ variable "output_resource_tags" {
 type = map(string)
 default = {}
 }
+
+variable "log_bucket" {
+ description = "AWS Log Bucket (default: inf-logs-ACCOUNT-REGION)"
+ type = string
+ default = null
+}
+
+variable "settings" {
+ description = "Configuration settings map"
+ type = map()
+ default = {}
+}
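Review bot: `type = map()` in the new `settings` variable is not a valid type constraint — `map` requires an element type — so this hunk should fail `terraform validate` as written; because settings.default.yml nests maps of differing shapes, `type = any` (or `map(any)` if every value is meant to be flat) with `default = {}` is what will accept the intended input. `log_bucket` declared with `default = null` matches the `== null` test in data.tf. The `secret_description` variable in the first hunk has a non-null default, which makes the `try()` wrapped around it in secret.tf a no-op.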