Merge pull request #5 from DNXLabs/feature/pipelines
Add pipelines
lucasmacedot authored Oct 30, 2023
2 parents bb057ab + 4ed2ae3 commit c1fe84b
Showing 11 changed files with 148 additions and 35 deletions.
Empty file.
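--- /dev/null
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,25 @@
+name: Generate terraform docs
+
+on:
+push:
+branches:
+- master
+
+permissions: read-all
+
+jobs:
+docs:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+with:
+ref: master
+
+- name: Render terraform docs inside the README.md and push changes back to pushed branch
+uses: DNXLabs/[email protected]
+with:
+tf_docs_working_dir: .
+tf_docs_output_file: README.md
+tf_docs_output_method: inject
+tf_docs_git_push: "true"
+tf_docs_git_commit_message: "terraform-docs: automated update action"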
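Review bot: `permissions: read-all` leaves the job's GITHUB_TOKEN without `contents: write`, yet the terraform-docs step is configured with `tf_docs_git_push: "true"`, so the README update cannot be pushed back to master and the step will fail at the push. Grant only what is needed, `permissions:` followed by `contents: write`, and keep the rest read-only. `actions/checkout@v2` runs on the deprecated Node 12 runner; `actions/checkout@v4` is the current major. The docs action's `uses:` line renders here as `[email protected]`, which looks like a mangled tag; whatever the real tag is, a workflow that can push to master is the one most worth pinning (both actions) to a full commit SHA rather than a movable tag.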
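--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,65 @@
+name: Lint
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+tflint:
+name: Lint
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@master
+- name: TFLint
+uses: docker://wata727/tflint
+
+fmt:
+name: Code Format
+runs-on: ubuntu-latest
+container:
+image: hashicorp/terraform:latest
+steps:
+- uses: actions/checkout@master
+- run: terraform fmt --recursive -check=true
+
+validate:
+name: Validate
+runs-on: ubuntu-latest
+container:
+image: hashicorp/terraform:latest
+steps:
+- uses: actions/checkout@master
+- name: Validate Code
+env:
+AWS_REGION: "us-east-1"
+TF_WARN_OUTPUT_ERRORS: 1
+TF_VAR_vpc_id: "vpc-123456"
+TF_VAR_subnets: '["subnet-12345a"]'
+TF_VAR_workers_ami_id: "ami-123456"
+TF_VAR_cluster_name: "test_cluster"
+run: |
+terraform init
+terraform validate
+- name: Validate Examples
+run: |
+for example in $(find examples -maxdepth 1 -mindepth 1 -type d); do
+cd $example
+terraform init
+terraform validate
+cd -
+done
+minimum:
+name: Minimum version check
+runs-on: ubuntu-latest
+container:
+image: hashicorp/terraform:1.0.0
+steps:
+- uses: actions/checkout@master
+- name: Validate Code
+env:
+AWS_REGION: "us-east-1"
+TF_WARN_OUTPUT_ERRORS: 1
+run: |
+sed -i -e 's/>=/=/' -e 's/ \(\d\+\.\d\+\)"/ \1.0"/' _versions.tf
+terraform init
+terraform validate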
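Review bot: Every checkout step uses `actions/checkout@master`, and the jobs run `docker://wata727/tflint` and `hashicorp/terraform:latest` with no tag or digest, so each run executes whatever those mutable references point to at that moment and an upstream breaking release or compromise lands in CI unreviewed. Pin checkout to a release tag or full commit SHA and the images to a version tag or `@sha256:` digest; the `minimum` job already shows the pattern with `hashicorp/terraform:1.0.0`. In that job's sed expression, `\d` is not a digit class in POSIX or GNU sed (GNU reads `\dNNN` as a decimal character escape), so the second substitution most likely never matches and `X.Y` constraints are not pinned to `X.Y.0` as intended; `[0-9]\{1,\}` is the portable spelling. The examples loop also leaves the path unquoted in `cd $example`; `cd "$example"` avoids word splitting.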
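--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,18 @@
+name: Scan
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repo
+uses: actions/checkout@v3
+- name: Run Checkov action
+id: checkov
+uses: bridgecrewio/checkov-action@v12
+with:
+directory: .
+framework: terraform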
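Review bot: The scan job this file adds already fails on the commit that introduces it — the page carries Checkov annotations for alarms.tf (CKV_AWS_124), iam.tf (CKV_AWS_355, CKV_AWS_290) and main.tf (CKV_AWS_272, CKV_AWS_173, CKV_AWS_115, CKV_AWS_363) — so every push will be red until they are dealt with, and a permanently red gate is one people stop reading. Fix the findings in the Terraform where they are real, and record any accepted ones explicitly through the action's `skip_check:` input with a comment stating why, so that a new failure is still visible. `bridgecrewio/checkov-action@v12` and `actions/checkout@v3` are movable tags; a security-gate workflow is a good candidate for pinning both to full commit SHAs.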
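--- /dev/null
+++ b/_data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}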
13 changes: 10 additions & 3 deletions _variables.tf
@@ -1,40 +1,47 @@
variable "enabled" {
description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
type = bool
default = true
}

variable "lambda_name" {
description = "The name of the lambda which will be notified with a custom message when any alarm is performed."
type = string
default = "lambda_alarm_notification"
}

variable "cloudtrail_log_group_name" {
description = "The name of the loggroup that will get information from"
type = string
}

variable "lambda_timeout" {
description = "Set lambda Timeout"
default = 3
type = number
default = 3
}

variable "sns_topic_name" {
description = "The name of the SNS Topic which will be notified when any alarm is performed."
type = string
default = "CISAlarmV2"
}
}

variable "alarm_account_ids" {
default = []
type = list(string)
}

variable "alarm_mode" {
default = "light"
type = string
description = "Version of alarms to use. 'light' or 'full' available"
}

variable "tags" {
description = "Specifies object tags key and value. This applies to all resources created by this module."
type = map(string)
default = {
"Terraform" = true
}
}
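Review bot: `alarm_mode` accepts any string although its own description says only `'light'` or `'full'` are supported, and `alarm_account_ids` has no description at all, which will also appear as an empty cell in the README the new docs workflow generates. A `validation` block on `alarm_mode` turns a typo into a plan-time error instead of whatever the consuming code does with an unknown value, and a one-line `description` on `alarm_account_ids` tells callers what the list is trusted for (wording to be confirmed against how alarms.tf consumes it).
```hcl
variable "alarm_account_ids" {
  description = "AWS account IDs trusted by the alarm SNS topic policy" # confirm against alarms.tf
  default     = []
  type        = list(string)
}

variable "alarm_mode" {
  default     = "light"
  type        = string
  description = "Version of alarms to use. 'light' or 'full' available"

  validation {
    condition     = contains(["light", "full"], var.alarm_mode)
    error_message = "alarm_mode must be either \"light\" or \"full\"."
  }
}
```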

6 changes: 5 additions & 1 deletion _versions.tf
Expand Up @@ -6,5 +6,9 @@ terraform {
source = "hashicorp/aws"
version = ">= 4.0.0"
}
random = {
source = "hashicorp/random"
version = ">= 3.0.0"
}
}
}
}
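Review bot: The new random provider constraint `>= 3.0.0` admits releases that predate the `numeric` argument this same PR switches `random_string.cloudtrail_alarm_suffix` to in alarms.tf; as far as I recall `numeric` arrived in random 3.3.0, so a consumer whose lock file holds an older 3.x would fail at plan with an unsupported-argument error. The `minimum` job added in lint.yml rewrites `>=` to `=` before validating, so it is meant to exercise exactly this floor. `version = ">= 3.3.0"` states the real minimum; the enclosing `terraform {` block begins above the visible hunk.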
10 changes: 3 additions & 7 deletions alarms.tf
@@ -1,8 +1,6 @@
# --------------------------------------------------------------------------------------------------
# The SNS topic to which CloudWatch alarms send events.
# --------------------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}

resource "aws_sns_topic" "alarms" {
count = var.enabled ? 1 : 0
name = var.sns_topic_name
Expand Down Expand Up @@ -72,10 +70,8 @@ data "aws_iam_policy_document" "alarms_policy" {
type = "AWS"
identifiers = ["*"]
}
resources = [
aws_sns_topic.alarms[0].arn,
]
sid = "allow-org-accounts"
resources = [aws_sns_topic.alarms[0].arn]
sid = "allow-org-accounts"
}
}

Expand All @@ -85,7 +81,7 @@ resource "random_string" "cloudtrail_alarm_suffix" {
special = false
lower = true
upper = false
number = false
numeric = false
}

resource "aws_cloudformation_stack" "cloudtrail_alarm" {

Check failure on line 87 in alarms.tf


GitHub Actions / scan

CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"

Check failure on line 87 in alarms.tf


GitHub Actions / scan

CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
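Review bot: The `allow-org-accounts` statement keeps `type = "AWS"` with `identifiers = ["*"]` as its principal, and the statement's opening and any `condition` block sit above the hunk, so it is not visible whether access is narrowed to `var.alarm_account_ids` or an organisation ID; without such a condition this is a topic policy that any AWS principal can use, which should be confirmed before merge. Separately, the scan job added in this PR flags `aws_cloudformation_stack.cloudtrail_alarm` with CKV_AWS_124; since the module already owns `aws_sns_topic.alarms`, `notification_arns = [aws_sns_topic.alarms[0].arn]` on the stack would clear that finding with one line. `data.aws_iam_policy_document.alarms_policy` and the stack resource both extend beyond the visible lines.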
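--- a/event_bridge.tf
+++ b/event_bridge.tf
@@ -1,7 +1,7 @@
 resource "aws_cloudwatch_event_rule" "alarm_notification" {
 name = "cloudtrail_alarm_custom_notifications"
 description = "Will be notified with a custom message when any alarm is performed"
-is_enabled = true
+is_enabled = true
 
 event_pattern = <<PATTERN
 {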
14 changes: 4 additions & 10 deletions iam.tf
Expand Up @@ -11,7 +11,7 @@ data "aws_iam_policy_document" "lambda_assume_role" {
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
tags = var.tags
tags = var.tags
}

resource "aws_iam_policy" "lambda_cw" {

Check failure on line 17 in iam.tf


GitHub Actions / scan

CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"

Check failure on line 17 in iam.tf


GitHub Actions / scan

CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"

Check failure on line 17 in iam.tf


GitHub Actions / scan

CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"

Check failure on line 17 in iam.tf


GitHub Actions / scan

CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
Expand All @@ -32,20 +32,16 @@ resource "aws_iam_policy" "lambda_cw" {
"logs:DescribeMetricFilters",
"logs:FilterLogEvents"
],
Resource : [aws_lambda_function.lambda.arn,"arn:aws:logs:*:*:*","arn:aws:cloudwatch:*:*:*"]
Resource : [aws_lambda_function.lambda.arn, "arn:aws:logs:*:*:*", "arn:aws:cloudwatch:*:*:*"]
Effect : "Allow"
},
{
Action : [
"SNS:Publish"
],
Action : ["SNS:Publish"],
Resource : "arn:aws:sns:*:*:*",
Effect : "Allow"
},
{
Action : [
"kms:Decrypt", "kms:GenerateDataKey*"
],
Action : ["kms:Decrypt", "kms:GenerateDataKey*"],
Resource : "*",
Effect : "Allow"
}
Expand All @@ -57,5 +53,3 @@ resource "aws_iam_role_policy_attachment" "lambda_cw" {
role = aws_iam_role.iam_for_lambda.name
policy_arn = aws_iam_policy.lambda_cw.arn
}
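Review bot: The reformatting of `aws_iam_policy.lambda_cw` carries over `Resource : "arn:aws:sns:*:*:*"` for `SNS:Publish` and `Resource : "*"` for `kms:Decrypt` / `kms:GenerateDataKey*`, which is what the new scan job reports as CKV_AWS_355 and CKV_AWS_290. The function appears to publish only to the module's own topic (main.tf hands it `aws_sns_topic.alarms[0].arn` as TOPIC_ARN), so `Resource : aws_sns_topic.alarms[0].arn,` is the least-privilege form; the KMS statement can likewise be limited to the key that topic uses, or dropped if the topic is unencrypted — neither is visible here. The first statement's `arn:aws:logs:*:*:*` could also be narrowed to the log group named by `var.cloudtrail_log_group_name` if that is the only group the function reads. The `aws_iam_policy` resource starts above this hunk.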


29 changes: 16 additions & 13 deletions main.tf
@@ -1,17 +1,20 @@
resource "aws_lambda_function" "lambda" {

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_173: "Check encryption settings for Lambda environmental variable"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_173: "Check encryption settings for Lambda environmental variable"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"

Check failure on line 1 in main.tf


GitHub Actions / scan

CKV_AWS_363: "Ensure Lambda Runtime is not deprecated"
filename = "${path.module}/lambda.zip"
function_name = var.lambda_name
role = aws_iam_role.iam_for_lambda.arn
handler = "index.handler"
timeout = var.lambda_timeout
filename = "${path.module}/lambda.zip"
function_name = var.lambda_name
role = aws_iam_role.iam_for_lambda.arn
handler = "index.handler"
timeout = var.lambda_timeout
source_code_hash = filebase64sha256("${path.module}/lambda.zip")
runtime = "nodejs12.x"
tags = var.tags
runtime = "nodejs12.x"
tags = var.tags
tracing_config {
mode = "Active"
}
environment {
variables = {
LOG_GROUP = var.cloudtrail_log_group_name,
TOPIC_ARN= aws_sns_topic.alarms[0].arn,
OFFSET=180
TOPIC_ARN = aws_sns_topic.alarms[0].arn,
OFFSET = 180
}
}
}
Expand All @@ -25,7 +28,7 @@ resource "aws_lambda_permission" "default" {
}

resource "aws_cloudwatch_log_group" "alarm_lambda" {
name = "/aws/lambda/${var.lambda_name}"
retention_in_days = 14
tags = var.tags
}
name = "/aws/lambda/${var.lambda_name}"
retention_in_days = 365
tags = var.tags
}
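Review bot: `runtime = "nodejs12.x"` survives the reformatting of `aws_lambda_function.lambda`, and the new scan job flags it as CKV_AWS_363; AWS has ended support for Node.js 12 and, to my knowledge, no longer allows new functions to be created on it, so a fresh deployment of this module would fail at apply rather than at plan. Moving to a supported runtime such as `runtime = "nodejs18.x"` needs a check that the code in lambda.zip (not part of this diff) runs on it. The log-group retention change to 365 days is a good one; `reserved_concurrent_executions` remains unset (CKV_AWS_115), which may be a deliberate choice for an alarm-notification function but deserves either a comment or a `skip_check` entry so the scan does not stay red.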
