diff --git a/.github/pull_request_template.yml b/.github/pull_request_template.yml
new file mode 100644
index 0000000..e69de29
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
new file mode 100644
index 0000000..75488f1
--- /dev/null
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,25 @@
+name: Generate terraform docs
+
+on:
+ push:
+ branches:
+ - master
+
+permissions: read-all
+
+jobs:
+ docs:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: master
+
+ - name: Render terraform docs inside the README.md and push changes back to pushed branch
+ uses: DNXLabs/terraform-docs@v1.0.0
+ with:
+ tf_docs_working_dir: .
+ tf_docs_output_file: README.md
+ tf_docs_output_method: inject
+ tf_docs_git_push: "true"
+ tf_docs_git_commit_message: "terraform-docs: automated update action"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..50e0f3b
--- /dev/null
+++ b/.github/workflows/lint.yml
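Review bot: docs.yml sets `permissions: read-all` yet the terraform-docs step is configured with `tf_docs_git_push: "true"` to commit README.md back to master, so with the default GITHUB_TOKEN that push will be rejected, and nothing in the hunk supplies another token. Grant the write scope on this job only — `permissions:` / `  contents: write` under `docs:` — rather than widening the workflow default, and keep in mind that a bot commit landing directly on master bypasses whatever branch-protection review that branch has. A third-party action that is allowed to push to the default branch should be pinned to a full commit SHA, not the mutable `DNXLabs/terraform-docs@v1.0.0` tag, and `actions/checkout@v2` runs on a deprecated Node runtime — pin both to a SHA (checkout at v4 or later) in the same change. If a PAT is ever substituted for GITHUB_TOKEN here, the bot's own push will re-trigger this `on: push` workflow; GITHUB_TOKEN pushes do not, which is the only thing preventing a loop today.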
@@ -0,0 +1,65 @@
+name: Lint
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+ tflint:
+ name: Lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: TFLint
+ uses: docker://wata727/tflint
+
+ fmt:
+ name: Code Format
+ runs-on: ubuntu-latest
+ container:
+ image: hashicorp/terraform:latest
+ steps:
+ - uses: actions/checkout@master
+ - run: terraform fmt --recursive -check=true
+
+ validate:
+ name: Validate
+ runs-on: ubuntu-latest
+ container:
+ image: hashicorp/terraform:latest
+ steps:
+ - uses: actions/checkout@master
+ - name: Validate Code
+ env:
+ AWS_REGION: "us-east-1"
+ TF_WARN_OUTPUT_ERRORS: 1
+ TF_VAR_vpc_id: "vpc-123456"
+ TF_VAR_subnets: '["subnet-12345a"]'
+ TF_VAR_workers_ami_id: "ami-123456"
+ TF_VAR_cluster_name: "test_cluster"
+ run: |
+ terraform init
+ terraform validate
+ - name: Validate Examples
+ run: |
+ for example in $(find examples -maxdepth 1 -mindepth 1 -type d); do
+ cd $example
+ terraform init
+ terraform validate
+ cd -
+ done
+ minimum:
+ name: Minimum version check
+ runs-on: ubuntu-latest
+ container:
+ image: hashicorp/terraform:1.0.0
+ steps:
+ - uses: actions/checkout@master
+ - name: Validate Code
+ env:
+ AWS_REGION: "us-east-1"
+ TF_WARN_OUTPUT_ERRORS: 1
+ run: |
+ sed -i -e 's/>=/=/' -e 's/ \(\d\+\.\d\+\)"/ \1.0"/' _versions.tf
+ terraform init
+ terraform validate
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..0bdb344
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,18 @@
+name: Scan
+
+on: [push]
+
+permissions: read-all
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v3
+ - name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@v12
+ with:
+ directory: .
+ framework: terraform
diff --git a/_data.tf b/_data.tf
new file mode 100644
index 0000000..8fc4b38
--- /dev/null
+++ b/_data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
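Review bot: all four checkout steps in lint.yml use `actions/checkout@master`, the lint step runs `docker://wata727/tflint` with no tag, and the `fmt`/`validate` jobs run inside `hashicorp/terraform:latest` — every one of these is a mutable reference, so what executes in CI can change without any commit in this repo, which is the textbook CI supply-chain exposure. Pin the action to a full commit SHA (version in a trailing comment) and the images to an explicit version or digest, e.g. `image: hashicorp/terraform:1.6.6` and `uses: docker://ghcr.io/terraform-linters/tflint:v0.50.0`; I believe `wata727/tflint` is the pre-rename Docker Hub image, so confirm it still receives updates. The `minimum` job's `sed -e 's/ \(\d\+\.\d\+\)"/ \1.0"/'` relies on `\d`, which is not a digit class in GNU or BusyBox sed (GNU reads `\dNNN` as a decimal character code), so that expression never matches — use `[0-9]` instead. The `TF_VAR_vpc_id`/`TF_VAR_subnets`/`TF_VAR_workers_ami_id`/`TF_VAR_cluster_name` values look copied from another module: nothing in `_variables.tf` in this commit declares them and `terraform validate` does not need variable values, so they can be dropped.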
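Review bot: `permissions: read-all` in scan.yml grants the token read access on every scope (issues, pull-requests, packages, security-events, …) when the only thing this job does is check out the repository; `permissions:` / `  contents: read` is the least-privilege form. `bridgecrewio/checkov-action@v12` is a floating major tag for an action that downloads and executes checkov on the runner — pin it to a full commit SHA with the version in a trailing comment, and do the same for `actions/checkout@v3`. Without `output_format: sarif` plus an `upload-sarif` step the findings exist only in the job log; if they should land in the Security tab, that upload step (and only that step) needs `security-events: write`.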
diff --git a/_variables.tf b/_variables.tf
index 8c10b24..4302ba3 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -1,40 +1,47 @@
 variable "enabled" {
 description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
+ type = bool
 default = true
 }
 
 variable "lambda_name" {
 description = "The name of the lambda which will be notified with a custom message when any alarm is performed."
+ type = string
 default = "lambda_alarm_notification"
 }
 
 variable "cloudtrail_log_group_name" {
 description = "The name of the loggroup that will get information from"
+ type = string
 }
 
 variable "lambda_timeout" {
 description = "Set lambda Timeout"
- default = 3
+ type = number
+ default = 3
 }
 
 variable "sns_topic_name" {
 description = "The name of the SNS Topic which will be notified when any alarm is performed."
+ type = string
 default = "CISAlarmV2"
-}
+}
 
 variable "alarm_account_ids" {
 default = []
+ type = list(string)
 }
 
 variable "alarm_mode" {
 default = "light"
+ type = string
 description = "Version of alarms to use. 'light' or 'full' available"
 }
 
 variable "tags" {
 description = "Specifies object tags key and value. This applies to all resources created by this module."
+ type = map(string)
 default = {
 "Terraform" = true
 }
 }
-
diff --git a/_versions.tf b/_versions.tf
index 731c43c..2a4c0d3 100644
--- a/_versions.tf
+++ b/_versions.tf
@@ -6,5 +6,9 @@ terraform {
 source = "hashicorp/aws"
 version = ">= 4.0.0"
 }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.0.0"
+ }
 }
-}
\ No newline at end of file
+}
diff --git a/alarms.tf b/alarms.tf
index 6c8ff94..4fdf6ce 100644
--- a/alarms.tf
+++ b/alarms.tf
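Review bot: `alarm_account_ids` gains `type = list(string)` but still has no description and no validation, and `alarm_mode` accepts any string even though its description says only 'light' or 'full' are valid. These values presumably drive the SNS topic policy and alarm selection elsewhere in the module (alarms.tf in this commit has a `principals` block with `identifiers = ["*"]` under sid `allow-org-accounts`), so a mistyped account ID would surface as a policy that matches nobody — or, if the wildcard is not conditioned on these IDs, everybody — instead of failing at plan time. Add `validation` blocks so malformed input is rejected early, and give `alarm_account_ids` a description that states what the listed accounts are granted; the wording below is my guess and should be checked against how alarms.tf consumes the variable.
```hcl
variable "alarm_account_ids" {
  description = "AWS account IDs (12 digits) referenced by the alarm SNS topic policy."
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for id in var.alarm_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Every entry in alarm_account_ids must be a 12-digit AWS account ID."
  }
}

variable "alarm_mode" {
  description = "Version of alarms to use. 'light' or 'full' available"
  type        = string
  default     = "light"

  validation {
    condition     = contains(["light", "full"], var.alarm_mode)
    error_message = "alarm_mode must be either 'light' or 'full'."
  }
}
```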
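Review bot: the new `random` constraint `version = ">= 3.0.0"` is too loose for what alarms.tf in this same commit does: it renames `number` to `numeric` on `random_string`, and as far as I recall `numeric` only exists from hashicorp/random 3.3.0 onward (the release that deprecated `number`), so any resolution to 3.0.x–3.2.x fails with an unsupported-argument error. The `minimum` job in lint.yml makes this concrete: its `sed 's/>=/=/'` pins this file to exactly `= 3.0.0` before running `terraform init`/`validate`, so that job will fail on `numeric`. Raise the floor to `version = ">= 3.3.0"`; the floor you pick is exactly the version the minimum job exercises.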
@@ -1,8 +1,6 @@ # -------------------------------------------------------------------------------------------------- # The SNS topic to which CloudWatch alarms send events. # -------------------------------------------------------------------------------------------------- -data "aws_caller_identity" "current" {} - resource "aws_sns_topic" "alarms" { count = var.enabled ? 1 : 0 name = var.sns_topic_name @@ -72,10 +70,8 @@ data "aws_iam_policy_document" "alarms_policy" { type = "AWS" identifiers = ["*"] } - resources = [ - aws_sns_topic.alarms[0].arn, - ] - sid = "allow-org-accounts" + resources = [aws_sns_topic.alarms[0].arn] + sid = "allow-org-accounts" } } @@ -85,7 +81,7 @@ resource "random_string" "cloudtrail_alarm_suffix" { special = false lower = true upper = false - number = false + numeric = false } resource "aws_cloudformation_stack" "cloudtrail_alarm" { diff --git a/event_bridge.tf b/event_bridge.tf index 6cabdbe..f655ce5 100644 --- a/event_bridge.tf +++ b/event_bridge.tf @@ -1,7 +1,7 @@ resource "aws_cloudwatch_event_rule" "alarm_notification" { name = "cloudtrail_alarm_custom_notifications" description = "Will be notified with a custom message when any alarm is performed" - is_enabled = true + is_enabled = true event_pattern = <
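Review bot: the reformatted `resources = [aws_sns_topic.alarms[0].arn]` and `sid = "allow-org-accounts"` sit in a statement whose `principals` block is `type = "AWS"` with `identifiers = ["*"]`; the statement's head, its `actions`, and any `condition` block lie outside this hunk, so from here it cannot be confirmed that the wildcard principal is narrowed. The sid suggests an `aws:PrincipalOrgID` (or `aws:PrincipalAccount` against `var.alarm_account_ids`) condition — please confirm one exists, because a `Principal: "*"` statement without a condition makes the topic callable by any AWS account for whatever actions the statement lists, and Checkov (added in scan.yml in this commit) will flag exactly that. If per-account access is the intent, `identifiers = var.alarm_account_ids` with `type = "AWS"` is both simpler and closed by construction. The enclosing `data "aws_iam_policy_document" "alarms_policy"` block starts before this hunk.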