From cb3d99709fec6b4536452b3bd24e96a08bb9b139 Mon Sep 17 00:00:00 2001 From: Rohith Jayawardene Date: Sat, 2 Nov 2024 09:00:37 +0000 Subject: [PATCH] feat: adding a submodule to generate a nuke configuration --- modules/configuration/README.md | 38 ++ modules/configuration/assets/config.yml | 57 +++ .../examples/basic/.terraform.lock.hcl | 25 ++ modules/configuration/examples/basic/main.tf | 52 +++ .../configuration/examples/basic/outputs.tf | 5 + .../configuration/examples/basic/terraform.tf | 11 + .../configuration/examples/basic/variables.tf | 0 modules/configuration/locals.tf | 238 ++++++++++++ modules/configuration/outputs.tf | 5 + modules/configuration/terraform.tf | 4 + modules/configuration/variables.tf | 358 ++++++++++++++++++ tests/module.configuration.tftest.hcl | 45 +++ 12 files changed, 838 insertions(+) create mode 100644 modules/configuration/README.md create mode 100644 modules/configuration/assets/config.yml create mode 100644 modules/configuration/examples/basic/.terraform.lock.hcl create mode 100644 modules/configuration/examples/basic/main.tf create mode 100644 modules/configuration/examples/basic/outputs.tf create mode 100644 modules/configuration/examples/basic/terraform.tf create mode 100644 modules/configuration/examples/basic/variables.tf create mode 100644 modules/configuration/locals.tf create mode 100644 modules/configuration/outputs.tf create mode 100644 modules/configuration/terraform.tf create mode 100644 modules/configuration/variables.tf create mode 100644 tests/module.configuration.tftest.hcl diff --git a/modules/configuration/README.md b/modules/configuration/README.md new file mode 100644 index 0000000..bb243ad --- /dev/null +++ b/modules/configuration/README.md 
@@ -0,0 +1,38 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.7 | + +## Providers + +No providers. + +## Modules + +No modules. + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [accounts](#input\_accounts) | A collection of accounts to nuke | `list(string)` | n/a | yes | +| [regions](#input\_regions) | A collection of regions to nuke | `list(string)` | n/a | yes | +| [blocklist](#input\_blocklist) | A collection of resources to block from deletion | `list(string)` |
[
"123456789012"
]
| no | +| [excluded](#input\_excluded) | A collection of resources to exclude from the nuke | `list(string)` |
[
"Cloud9Environment",
"CloudSearchDomain",
"CodeStarConnection",
"CodeStarNotification",
"CodeStarProject",
"EC2DHCPOption",
"EC2NetworkACL",
"EC2NetworkInterface",
"ECSCluster",
"ECSClusterInstance",
"ECSService",
"ECSTaskDefinition",
"FMSNotificationChannel",
"FMSPolicy",
"IAMRole",
"IAMUser",
"MachineLearningBranchPrediction",
"MachineLearningDataSource",
"MachineLearningEvaluation",
"MachineLearningMLModel",
"OpsWorksApp",
"OpsWorksApp",
"OpsWorksCMBackup",
"OpsWorksCMServer",
"OpsWorksCMServerState",
"OpsWorksInstance",
"OpsWorksLayer",
"OpsWorksUserProfile",
"RedshiftServerlessNamespace",
"RedshiftServerlessSnapshot",
"RedshiftServerlessWorkgroup",
"RoboMakerDeploymentJob",
"RoboMakerFleet",
"RoboMakerRobot",
"RoboMakerRobotApplication",
"RoboMakerSimulationApplication",
"RoboMakerSimulationJob",
"S3Object",
"ServiceCatalogTagOption",
"ServiceCatalogTagOptionPortfolioAttachment"
]
| no | +| [filters](#input\_filters) | A collection of filters are applied to all resources |
list(object({
property = string
type = string
value = string
}))
| `[]` | no | +| [include\_presets](#input\_include\_presets) | A collection of preset filters to use for nuke |
object({
enable_control_tower = optional(bool, true)
enable_cost_intelligence = optional(bool, true)
enable_landing_zone = optional(bool, true)
})
|
{
"enable_control_tower": true,
"enable_cost_intelligence": true,
"enable_landing_zone": true
}
| no | +| [included](#input\_included) | A collection of resources to include in the nuke | `list(string)` |
[
"AWSBackupRecoveryPoint",
"AWSBackupSelection",
"BackupVault",
"AppStreamDirectoryConfig",
"AppStreamFleet",
"AppStreamFleetState",
"AppStreamImage",
"AppStreamImageBuilder",
"AppStreamImageBuilderWaiter",
"AppStreamStack",
"AppStreamStackFleetAttachment",
"AutoScalingGroup",
"AutoScalingPlansScalingPlan",
"BatchComputeEnvironment",
"BatchComputeEnvironmentState",
"BatchJobQueue",
"BatchJobQueueState",
"Cloud9Environment",
"CloudDirectoryDirectory",
"CloudDirectorySchema",
"CloudFrontDistribution",
"CloudFrontDistributionDeployment",
"CloudHSMV2Cluster",
"CloudHSMV2ClusterHSM",
"CloudSearchDomain",
"CloudWatchAlarm",
"CloudWatchDashboard",
"CloudWatchLogsDestination",
"CloudWatchLogsLogGroup",
"CodeBuildProject",
"CodeCommitRepository",
"CodeDeployApplication",
"CodePipelinePipeline",
"CodeStarProject",
"CognitoIdentityPool",
"CognitoUserPool",
"CognitoUserPoolDomain",
"DAXCluster",
"DAXParameterGroup",
"DAXSubnetGroup",
"DataPipelinePipeline",
"DatabaseMigrationServiceCertificate",
"DatabaseMigrationServiceEndpoint",
"DatabaseMigrationServiceEventSubscription",
"DatabaseMigrationServiceReplicationInstance",
"DatabaseMigrationServiceReplicationTask",
"DatabaseMigrationServiceSubnetGroup",
"DeviceFarmProject",
"DirectoryServiceDirectory",
"DynamoDBTable",
"EC2Address",
"EC2ClientVpnEndpoint",
"EC2ClientVpnEndpointAttachment",
"EC2CustomerGateway",
"EC2Image",
"EC2Instance",
"EC2InternetGateway",
"EC2InternetGatewayAttachment",
"EC2KeyPair",
"EC2LaunchTemplate",
"EC2NATGateway",
"EC2NetworkACL",
"EC2PlacementGroup",
"EC2RouteTable",
"EC2SecurityGroup",
"EC2Snapshot",
"EC2SpotFleetRequest",
"EC2Subnet",
"EC2TGW",
"EC2TGWAttachment",
"EC2VPC",
"EC2VPCEndpoint",
"EC2VPCEndpointServiceConfiguration",
"EC2VPCPeeringConnection",
"EC2VPNConnection",
"EC2VPNGatewayAttachment",
"EC2Volume",
"ECRRepository",
"EFSFileSystem",
"EFSMountTarget",
"EKSCluster",
"ELB",
"ELBv2",
"ELBv2TargetGroup",
"EMRCluster",
"EMRSecurityConfiguration",
"ESDomain",
"ElasticBeanstalkApplication",
"ElasticBeanstalkEnvironment",
"ElasticTranscoderPipeline",
"ElasticacheCacheCluster",
"ElasticacheReplicationGroup",
"ElasticacheSubnetGroup",
"FSxBackup",
"FSxFileSystem",
"FirehoseDeliveryStream",
"GlueClassifier",
"GlueConnection",
"GlueCrawler",
"GlueDatabase",
"GlueDevEndpoint",
"GlueJob",
"GlueTrigger",
"IAMGroup",
"IAMGroupPolicy",
"IAMGroupPolicyAttachment",
"IAMInstanceProfile",
"IAMInstanceProfileRole",
"IAMLoginProfile",
"IAMOpenIDConnectProvider",
"IAMRole",
"IAMServerCertificate",
"IAMServiceSpecificCredential",
"IAMUser",
"IAMUserAccessKey",
"IAMUserGroupAttachment",
"IAMUserPolicy",
"IAMUserPolicyAttachment",
"IAMVirtualMFADevice",
"IoTAuthorizer",
"IoTCACertificate",
"IoTCertificate",
"IoTJob",
"IoTOTAUpdate",
"IoTPolicy",
"IoTRoleAlias",
"IoTStream",
"IoTThing",
"IoTThingGroup",
"IoTThingType",
"IoTThingTypeState",
"IoTTopicRule",
"KMSAlias",
"KMSKey",
"KinesisAnalyticsApplication",
"KinesisStream",
"KinesisVideoProject",
"LambdaEventSourceMapping",
"LambdaFunction",
"LaunchConfiguration",
"LifecycleHook",
"LightsailDisk",
"LightsailDomain",
"LightsailInstance",
"LightsailKeyPair",
"LightsailLoadBalancer",
"LightsailStaticIP",
"MQBroker",
"MSKCluster",
"MediaConvertJobTemplate",
"MediaConvertPreset",
"MediaConvertQueue",
"MediaLiveChannel",
"MediaLiveInput",
"MediaLiveInputSecurityGroup",
"MediaPackageChannel",
"MediaPackageOriginEndpoint",
"MediaStoreContainer",
"MediaStoreDataItems",
"MediaTailorConfiguration",
"MobileProject",
"NeptuneCluster",
"NeptuneInstance",
"NetpuneSnapshot",
"OpsWorksApp",
"OpsWorksCMBackup",
"OpsWorksCMServer",
"OpsWorksCMServerState",
"OpsWorksInstance",
"OpsWorksLayer",
"OpsWorksUserProfile",
"RDSDBCluster",
"RDSDBClusterParameterGroup",
"RDSDBParameterGroup",
"RDSDBSubnetGroup",
"RDSInstance",
"RDSSnapshot",
"RedshiftCluster",
"RedshiftParameterGroup",
"RedshiftSnapshot",
"RedshiftSubnetGroup",
"RekognitionCollection",
"ResourceGroupGroup",
"RoboMakerDeploymentJob",
"RoboMakerFleet",
"RoboMakerRobot",
"RoboMakerRobotApplication",
"RoboMakerSimulationApplication",
"RoboMakerSimulationJob",
"Route53HostedZone",
"Route53ResourceRecordSet",
"S3Bucket",
"S3MultipartUpload",
"S3Object",
"SESConfigurationSet",
"SESIdentity",
"SESReceiptFilter",
"SESReceiptRuleSet",
"SESTemplate",
"SFNStateMachine",
"SNSEndpoint",
"SNSPlatformApplication",
"SNSSubscription",
"SNSTopic",
"SQSQueue",
"SSMActivation",
"SSMAssociation",
"SSMDocument",
"SSMMaintenanceWindow",
"SSMParameter",
"SSMPatchBaseline",
"SSMResourceDataSync",
"SageMakerEndpoint",
"SageMakerEndpointConfig",
"SageMakerModel",
"SageMakerNotebookInstance",
"SageMakerNotebookInstanceState",
"SecretsManagerSecret",
"ServiceCatalogConstraintPortfolioAttachment",
"ServiceCatalogPortfolio",
"ServiceCatalogPortfolioProductAttachment",
"ServiceCatalogPortfolioShareAttachment",
"ServiceCatalogPrincipalPortfolioAttachment",
"ServiceCatalogProduct",
"ServiceCatalogProvisionedProduct",
"ServiceCatalogTagOption",
"ServiceCatalogTagOptionPortfolioAttachment",
"ServiceDiscoveryInstance",
"ServiceDiscoveryNamespace",
"ServiceDiscoveryService",
"SimpleDBDomain",
"StorageGatewayFileShare",
"StorageGatewayGateway",
"StorageGatewayTape",
"StorageGatewayVolume",
"WAFRegionalByteMatchSet",
"WAFRegionalByteMatchSetIP",
"WAFRegionalIPSet",
"WAFRegionalIPSetIP",
"WAFRegionalRateBasedRule",
"WAFRegionalRateBasedRulePredicate",
"WAFRegionalRegexMatchSet",
"WAFRegionalRegexMatchTuple",
"WAFRegionalRegexPatternSet",
"WAFRegionalRegexPatternString",
"WAFRegionalRule",
"WAFRegionalRulePredicate",
"WAFRegionalWebACL",
"WAFRegionalWebACLRuleAttachment",
"WAFRule",
"WAFWebACL",
"WAFWebACLRuleAttachment",
"WorkLinkFleet",
"WorkSpacesWorkspace"
]
| no | +| [presets](#input\_presets) | A collection of presets used in the nuke |
map(map(list(object({
property = string
type = string
value = string
}))))
| `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [configuration](#output\_configuration) | The rendered configuration file for the nuke service | + \ No newline at end of file diff --git a/modules/configuration/assets/config.yml b/modules/configuration/assets/config.yml new file mode 100644 index 0000000..a5b9b75 --- /dev/null +++ b/modules/configuration/assets/config.yml @@ -0,0 +1,57 @@ +--- +# +## The configuration has been automatically generated - please do not +## modify it manually. Instead, use the `config.yml` file in the root +## of the repository to update the configuration. +# + +blocklist: + %{ for account in blocklist }- ${account}%{ endfor } + +regions: + - global + %{ for region in regions ~}- ${region} + %{ endfor ~} + +bypass-alias-check-accounts: + %{ for account in accounts ~}- ${account} + %{ endfor ~} + +resource-types: + ## The following resource types included in the deletion process + includes: + %{ for resource, filters in included ~}- ${resource} + %{ endfor ~} + + ## The following resources are excluded from the deletion process + excludes: + %{ for resource in excluded ~}- ${resource} + %{ endfor ~} + +presets: + %{ for preset_name in keys(presets) } + ${preset_name}: + filters: + %{ for resource, filters in presets[preset_name] ~}${resource}: + %{ for filter in filters ~}- property: "${filter.property}" + type: "${filter.type}" + value: "${filter.value}" + %{ endfor } + %{ endfor ~} + %{ endfor } + +## Iteratation of all the accounts, the resources and the filters +## we should apply against those resources +accounts: + %{ for account in accounts }${account}: + presets: + %{ for name in keys(presets) ~}- ${name} + %{ endfor } + filters: + %{ for resource, filters in included ~}${resource}: + %{ for filter in filters ~}- property: "${filter.property}" + type: "${filter.type}" + value: "${filter.value}" + %{ endfor } + %{ endfor } + %{ endfor } 
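Review bot: The `blocklist` loop in `assets/config.yml` has no `~` and no newline between iterations, so with two or more blocklisted accounts it renders `- 111- 222` on one line, which YAML reads as a single string; the file still parses, so none of the listed accounts is actually protected and nothing reports it. Use the same shape as the `regions` loop, `%{ for account in blocklist ~}- ${account}` followed by `%{ endfor ~}` on its own indented line. `bypass-alias-check-accounts` is filled from every entry in `accounts`, which switches off the alias safety check for exactly the accounts being targeted; if that is intended, a comment above the key should say why, otherwise make it a separate opt-in input. The header comment telling readers to edit `config.yml` in the repository root is misleading, since this file is the template and its values come from the module variables.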
diff --git a/modules/configuration/examples/basic/.terraform.lock.hcl b/modules/configuration/examples/basic/.terraform.lock.hcl
new file mode 100644
index 0000000..aaa484e
--- /dev/null
+++ b/modules/configuration/examples/basic/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.74.0"
+ constraints = ">= 5.0.0"
+ hashes = [
+ "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=",
+ "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4",
+ "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af",
+ "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06",
+ "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176",
+ "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e",
+ "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707",
+ "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8",
+ "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f",
+ "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459",
+ "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871",
+ "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e",
+ "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52",
+ "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6",
+ ]
+}
diff --git a/modules/configuration/examples/basic/main.tf b/modules/configuration/examples/basic/main.tf
new file mode 100644
index 0000000..3d68741
--- /dev/null
+++ b/modules/configuration/examples/basic/main.tf
@@ -0,0 +1,52 @@
+#####################################################################################
+# Terraform module examples are meant to show an _example_ on how to use a module
+# per use-case. The code below should not be copied directly but referenced in order
+ to build your own root module that invokes this module
+#####################################################################################
+
+locals {
+ tags = {
+ "Environment" = "Sandbox"
+ "GitRepo" = "https://github.com/appvia/terraform-aws-nuke"
+ "Owner" = "Support"
+ "Product" = "Sandbox"
+ }
+}
+
+module "configuration" {
+ source = "../.."
+
+ accounts = [123456789012, 123456789013]
+ regions = ["us-east-1", "us-west-2"]
+
+ presets = {
+ "default" = {
+ "IAMRole" = [
+ {
+ property = "roleName"
+ type = "regex"
+ value = "^AWSControlTower.*"
+ }
+ ]
+ }
+ }
+
+ filters = [
+ {
+ property = "tag:Environment"
+ type = "string"
+ value = "Sandbox"
+ },
+ {
+ property = "tag:Owner"
+ type = "string"
+ value = "Support"
+ }
+ ]
+
+ include_presets = {
+ enable_control_tower = true
+ enable_cost_intelligence = true
+ enable_landing_zone = true
+ }
+}
diff --git a/modules/configuration/examples/basic/outputs.tf b/modules/configuration/examples/basic/outputs.tf
new file mode 100644
index 0000000..26129ca
--- /dev/null
+++ b/modules/configuration/examples/basic/outputs.tf
@@ -0,0 +1,5 @@
+
+output "configuration" {
+ description = "The rendered configuration file for the nuke service"
+ value = module.configuration.configuration
+}
diff --git a/modules/configuration/examples/basic/terraform.tf b/modules/configuration/examples/basic/terraform.tf
new file mode 100644
index 0000000..c3db407
--- /dev/null
+++ b/modules/configuration/examples/basic/terraform.tf
@@ -0,0 +1,11 @@
+
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.0.0"
+ }
+ }
+}
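Review bot: `accounts = [123456789012, 123456789013]` passes account IDs as numbers into a `list(string)` input; Terraform converts them, but an ID with a leading zero would lose it before it reaches the tool, so write them as strings, `accounts = ["123456789012", "123456789013"]`. The first of those IDs is also the module's default `blocklist` entry in variables.tf from this commit, so the example targets an account it simultaneously blocklists; presumably the tool rejects that combination, so either pick a distinct example ID or set `blocklist` explicitly. The `filters` entries use `type = "string"` while every preset in locals.tf uses `regex`, `contains` or `exact`; if `string` is not a filter type the tool recognises, the example renders a configuration that fails to load — confirm against the tool's filter documentation.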
diff --git a/modules/configuration/examples/basic/variables.tf b/modules/configuration/examples/basic/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/configuration/locals.tf b/modules/configuration/locals.tf
new file mode 100644
index 0000000..525f978
--- /dev/null
+++ b/modules/configuration/locals.tf
@@ -0,0 +1,238 @@ + +locals { + ## All the presets to include in the configuration + presets = merge( + var.include_presets.enable_control_tower ? { "control_tower" = local.control_tower_presets } : {}, + var.include_presets.enable_cost_intelligence ? { "cost_intelligence" = local.cost_intelligence_presets } : {}, + var.include_presets.enable_landing_zone ? { "landing_zone" = local.landing_zone_present } : {}, + var.presets + ) + + ## All the resources, including the filters to apply to them + resources = merge({ + for resource in var.included : resource => var.filters + }) + + ## Render the configuration file + configuration = templatefile("${path.module}/assets/config.yml", { + accounts = var.accounts + blocklist = var.blocklist + excluded = var.excluded + included = local.resources + presets = local.presets + regions = var.regions + }) + + #accounts: + # %{ for account in accounts ~} + # ${account}: + # presets: + # %{ for preset_name, preset_filters in presets ~} + # - ${preset_name} + # %{ endfor ~} + # + # filters: + # %{ for resource, filters in included ~} + # ${resource}: + # %{ for filter in filters ~} + # - property: ${filter.property} + # type: ${filter.type} + # value: ${filter.value} + # %{ endfor ~} + # %{ endfor ~} + # %{ endfor ~} + # + ## The filters for control tower + control_tower_presets = { + CloudWatchLogsLogGroup = [ + { + property = "logGroupName" + type = "contains" + value = "aws-landing-zone" + } + ] + IAMRole = [ + { + property = "roleName" + type = "regex" + value = "^AWSControlTower.*" + }, + { + property = "roleName" + type = "regex" + value = "^aws-controltower.*" + } + ] + LambdaFunction = [ + { + property = "functionName" + type = "regex" + value = "^aws-controltower-NotificationForwarder$" + } + ] + SNSSubscription = [ + { + property = "topicArn" + type = "regex" + value = "^arn:aws:sns:.*:.*:aws-controltower.*" + } + ] + SNSTopic = [ + { + property = "topicArn" + type = "contains" + value = "aws-controltower" + } + ] + } + + ## 
Cost Intelligence Presets + cost_intelligence_presets = { + IAMRole = [ + { + property = "Name" + type = "regex" + value = "^CID-DC.*" + } + ] + } + + ## The filters for the landing zone + landing_zone_present = { + CloudWatchLogsLogGroup = [ + { + property = "logGroupName" + type = "contains" + value = "AWSAccelerator" + }, + { + property = "logGroupName" + type = "regex" + value = "^lza-" + }, + { + property = "logGroupName" + type = "regex" + value = "^/lza-" + }, + { + property = "logGroupName" + type = "regex" + value = "^/aws/lambda/lza-" + } + ] + IAMInstanceProfile = [ + { + property = "Name" + type = "regex" + value = "^lza-.*" + } + ] + IAMInstanceProfileRole = [ + { + property = "InstanceProfile" + type = "regex" + value = "^AWSAccelerator.*" + }, + { + property = "InstanceProfile" + type = "regex" + value = "^lza-.*" + } + ] + IAMRole = [ + { + property = "Name" + type = "regex" + value = "^AWSAccelerator.*" + }, + { + property = "Name" + type = "regex" + value = "^lza-.*" + }, + { + property = "Name" + type = "contains" + value = "CrossAccount" + }, + { + property = "Name" + type = "regex" + value = "^stacksets-exec-.*" + } + ] + KMSAlias = [ + { + property = "Name" + type = "regex" + value = "^alias/accelerator/.*" + }, + { + property = "Name" + type = "regex" + value = "^alias/lza/.*" + } + ] + KMSKey = [ + { + property = "tag:Accelerator" + type = "exact" + value = "AWSAccelerator" + }, + { + property = "Name" + type = "regex" + value = "^lza-.*" + } + ] + LambdaFunction = [ + { + property = "Name" + type = "regex" + value = "^aws-accelerator-.*" + }, + { + property = "Name" + type = "regex" + value = "^lza-.*" + } + ] + SSMParameter = [ + { + property = "Name" + type = "regex" + value = "^/accelerator/AWSAccelerator.*" + }, + { + property = "Name" + type = "regex" + value = "^/lza/.*" + } + ] + SNSSubscription = [ + { + property = "ARN" + type = "regex" + value = "^arn:aws:sns:.*:.*:aws-accelerator.*" + }, + { + property = "ARN" + type = "regex" + 
value = "^arn:aws:sns:.*:.*:lza-.*" + } + ] + SNSTopic = [ + { + property = "Name" + type = "contains" + value = "lza-" + }, + { + property = "TopicARN" + type = "contains" + value = "lza-" + } + ] + } +} diff --git a/modules/configuration/outputs.tf b/modules/configuration/outputs.tf new file mode 100644 index 0000000..9800ccc --- /dev/null +++ b/modules/configuration/outputs.tf @@ -0,0 +1,5 @@ + +output "configuration" { + description = "The rendered configuration file for the nuke service" + value = local.configuration +} diff --git a/modules/configuration/terraform.tf b/modules/configuration/terraform.tf new file mode 100644 index 0000000..1a4a37d --- /dev/null +++ b/modules/configuration/terraform.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 1.0.7" +} diff --git a/modules/configuration/variables.tf b/modules/configuration/variables.tf new file mode 100644 index 0000000..64f115e --- /dev/null +++ b/modules/configuration/variables.tf 
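Review bot: The preset filters in locals.tf name the same concept with different property keys — `roleName`, `functionName`, `topicArn` in `control_tower_presets` but `Name`, `ARN`, `TopicARN`, `InstanceProfile` in `cost_intelligence_presets` and `landing_zone_present` — and only one spelling can be what the tool exposes for a given resource type; if filters follow the usual nuke semantics (a matching filter keeps the resource), a filter whose key matches nothing keeps nothing, and the Control Tower or Accelerator resource it was meant to preserve is deleted without any error. Check each key against the property names the tool reports for that resource type and settle on one convention. `landing_zone_present` is presumably a typo for `landing_zone_presets`, the `merge({...})` around the single comprehension in `resources` is a no-op, and the twenty-line commented-out template above `control_tower_presets` duplicates `assets/config.yml` and should be dropped. User-supplied `var.presets` is merged last, so a caller passing a key named `control_tower` silently replaces the built-in preset rather than extending it — worth a sentence in the `presets` variable description.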
@@ -0,0 +1,358 @@ + +variable "accounts" { + description = "A collection of accounts to nuke" + type = list(string) +} + +variable "regions" { + description = "A collection of regions to nuke" + type = list(string) +} + +variable "blocklist" { + description = "A collection of resources to block from deletion" + type = list(string) + default = ["123456789012"] +} + +variable "presets" { + description = "A collection of presets used in the nuke" + type = map(map(list(object({ + property = string + type = string + value = string + })))) + default = {} +} + +variable "include_presets" { + description = "A collection of preset filters to use for nuke" + type = object({ + enable_control_tower = optional(bool, true) + enable_cost_intelligence = optional(bool, true) + enable_landing_zone = optional(bool, true) + }) + default = { + enable_control_tower = true + enable_cost_intelligence = true + enable_landing_zone = true + } +} + +variable "filters" { + description = "A collection of filters are applied to all resources" + type = list(object({ + property = string + type = string + value = string + })) + default = [] +} + +variable "included" { + description = "A collection of resources to include in the nuke" + type = list(string) + default = [ + "AWSBackupRecoveryPoint", + "AWSBackupSelection", + "BackupVault", + "AppStreamDirectoryConfig", + "AppStreamFleet", + "AppStreamFleetState", + "AppStreamImage", + "AppStreamImageBuilder", + "AppStreamImageBuilderWaiter", + "AppStreamStack", + "AppStreamStackFleetAttachment", + "AutoScalingGroup", + "AutoScalingPlansScalingPlan", + "BatchComputeEnvironment", + "BatchComputeEnvironmentState", + "BatchJobQueue", + "BatchJobQueueState", + "Cloud9Environment", + "CloudDirectoryDirectory", + "CloudDirectorySchema", + "CloudFrontDistribution", + "CloudFrontDistributionDeployment", + "CloudHSMV2Cluster", + "CloudHSMV2ClusterHSM", + "CloudSearchDomain", + "CloudWatchAlarm", + "CloudWatchDashboard", + "CloudWatchLogsDestination", + 
"CloudWatchLogsLogGroup", + "CodeBuildProject", + "CodeCommitRepository", + "CodeDeployApplication", + "CodePipelinePipeline", + "CodeStarProject", + "CognitoIdentityPool", + "CognitoUserPool", + "CognitoUserPoolDomain", + "DAXCluster", + "DAXParameterGroup", + "DAXSubnetGroup", + "DataPipelinePipeline", + "DatabaseMigrationServiceCertificate", + "DatabaseMigrationServiceEndpoint", + "DatabaseMigrationServiceEventSubscription", + "DatabaseMigrationServiceReplicationInstance", + "DatabaseMigrationServiceReplicationTask", + "DatabaseMigrationServiceSubnetGroup", + "DeviceFarmProject", + "DirectoryServiceDirectory", + "DynamoDBTable", + "EC2Address", + "EC2ClientVpnEndpoint", + "EC2ClientVpnEndpointAttachment", + "EC2CustomerGateway", + "EC2Image", + "EC2Instance", + "EC2InternetGateway", + "EC2InternetGatewayAttachment", + "EC2KeyPair", + "EC2LaunchTemplate", + "EC2NATGateway", + "EC2NetworkACL", + "EC2PlacementGroup", + "EC2RouteTable", + "EC2SecurityGroup", + "EC2Snapshot", + "EC2SpotFleetRequest", + "EC2Subnet", + "EC2TGW", + "EC2TGWAttachment", + "EC2VPC", + "EC2VPCEndpoint", + "EC2VPCEndpointServiceConfiguration", + "EC2VPCPeeringConnection", + "EC2VPNConnection", + "EC2VPNGatewayAttachment", + "EC2Volume", + "ECRRepository", + "EFSFileSystem", + "EFSMountTarget", + "EKSCluster", + "ELB", + "ELBv2", + "ELBv2TargetGroup", + "EMRCluster", + "EMRSecurityConfiguration", + "ESDomain", + "ElasticBeanstalkApplication", + "ElasticBeanstalkEnvironment", + "ElasticTranscoderPipeline", + "ElasticacheCacheCluster", + "ElasticacheReplicationGroup", + "ElasticacheSubnetGroup", + "FSxBackup", + "FSxFileSystem", + "FirehoseDeliveryStream", + "GlueClassifier", + "GlueConnection", + "GlueCrawler", + "GlueDatabase", + "GlueDevEndpoint", + "GlueJob", + "GlueTrigger", + "IAMGroup", + "IAMGroupPolicy", + "IAMGroupPolicyAttachment", + "IAMInstanceProfile", + "IAMInstanceProfileRole", + "IAMLoginProfile", + "IAMOpenIDConnectProvider", + "IAMRole", + "IAMServerCertificate", + 
"IAMServiceSpecificCredential", + "IAMUser", + "IAMUserAccessKey", + "IAMUserGroupAttachment", + "IAMUserPolicy", + "IAMUserPolicyAttachment", + "IAMVirtualMFADevice", + "IoTAuthorizer", + "IoTCACertificate", + "IoTCertificate", + "IoTJob", + "IoTOTAUpdate", + "IoTPolicy", + "IoTRoleAlias", + "IoTStream", + "IoTThing", + "IoTThingGroup", + "IoTThingType", + "IoTThingTypeState", + "IoTTopicRule", + "KMSAlias", + "KMSKey", + "KinesisAnalyticsApplication", + "KinesisStream", + "KinesisVideoProject", + "LambdaEventSourceMapping", + "LambdaFunction", + "LaunchConfiguration", + "LifecycleHook", + "LightsailDisk", + "LightsailDomain", + "LightsailInstance", + "LightsailKeyPair", + "LightsailLoadBalancer", + "LightsailStaticIP", + "MQBroker", + "MSKCluster", + "MediaConvertJobTemplate", + "MediaConvertPreset", + "MediaConvertQueue", + "MediaLiveChannel", + "MediaLiveInput", + "MediaLiveInputSecurityGroup", + "MediaPackageChannel", + "MediaPackageOriginEndpoint", + "MediaStoreContainer", + "MediaStoreDataItems", + "MediaTailorConfiguration", + "MobileProject", + "NeptuneCluster", + "NeptuneInstance", + "NetpuneSnapshot", + "OpsWorksApp", + "OpsWorksCMBackup", + "OpsWorksCMServer", + "OpsWorksCMServerState", + "OpsWorksInstance", + "OpsWorksLayer", + "OpsWorksUserProfile", + "RDSDBCluster", + "RDSDBClusterParameterGroup", + "RDSDBParameterGroup", + "RDSDBSubnetGroup", + "RDSInstance", + "RDSSnapshot", + "RedshiftCluster", + "RedshiftParameterGroup", + "RedshiftSnapshot", + "RedshiftSubnetGroup", + "RekognitionCollection", + "ResourceGroupGroup", + "RoboMakerDeploymentJob", + "RoboMakerFleet", + "RoboMakerRobot", + "RoboMakerRobotApplication", + "RoboMakerSimulationApplication", + "RoboMakerSimulationJob", + "Route53HostedZone", + "Route53ResourceRecordSet", + "S3Bucket", + "S3MultipartUpload", + "S3Object", + "SESConfigurationSet", + "SESIdentity", + "SESReceiptFilter", + "SESReceiptRuleSet", + "SESTemplate", + "SFNStateMachine", + "SNSEndpoint", + "SNSPlatformApplication", 
+ "SNSSubscription", + "SNSTopic", + "SQSQueue", + "SSMActivation", + "SSMAssociation", + "SSMDocument", + "SSMMaintenanceWindow", + "SSMParameter", + "SSMPatchBaseline", + "SSMResourceDataSync", + "SageMakerEndpoint", + "SageMakerEndpointConfig", + "SageMakerModel", + "SageMakerNotebookInstance", + "SageMakerNotebookInstanceState", + "SecretsManagerSecret", + "ServiceCatalogConstraintPortfolioAttachment", + "ServiceCatalogPortfolio", + "ServiceCatalogPortfolioProductAttachment", + "ServiceCatalogPortfolioShareAttachment", + "ServiceCatalogPrincipalPortfolioAttachment", + "ServiceCatalogProduct", + "ServiceCatalogProvisionedProduct", + "ServiceCatalogTagOption", + "ServiceCatalogTagOptionPortfolioAttachment", + "ServiceDiscoveryInstance", + "ServiceDiscoveryNamespace", + "ServiceDiscoveryService", + "SimpleDBDomain", + "StorageGatewayFileShare", + "StorageGatewayGateway", + "StorageGatewayTape", + "StorageGatewayVolume", + "WAFRegionalByteMatchSet", + "WAFRegionalByteMatchSetIP", + "WAFRegionalIPSet", + "WAFRegionalIPSetIP", + "WAFRegionalRateBasedRule", + "WAFRegionalRateBasedRulePredicate", + "WAFRegionalRegexMatchSet", + "WAFRegionalRegexMatchTuple", + "WAFRegionalRegexPatternSet", + "WAFRegionalRegexPatternString", + "WAFRegionalRule", + "WAFRegionalRulePredicate", + "WAFRegionalWebACL", + "WAFRegionalWebACLRuleAttachment", + "WAFRule", + "WAFWebACL", + "WAFWebACLRuleAttachment", + "WorkLinkFleet", + "WorkSpacesWorkspace", + ] +} + +variable "excluded" { + description = "A collection of resources to exclude from the nuke" + type = list(string) + default = [ + "Cloud9Environment", + "CloudSearchDomain", + "CodeStarConnection", + "CodeStarNotification", + "CodeStarProject", + "EC2DHCPOption", + "EC2NetworkACL", + "EC2NetworkInterface", + "ECSCluster", + "ECSClusterInstance", + "ECSService", + "ECSTaskDefinition", + "FMSNotificationChannel", + "FMSPolicy", + "IAMRole", + "IAMUser", + "MachineLearningBranchPrediction", + "MachineLearningDataSource", + 
"MachineLearningEvaluation", + "MachineLearningMLModel", + "OpsWorksApp", + "OpsWorksApp", + "OpsWorksCMBackup", + "OpsWorksCMServer", + "OpsWorksCMServerState", + "OpsWorksInstance", + "OpsWorksLayer", + "OpsWorksUserProfile", + "RedshiftServerlessNamespace", + "RedshiftServerlessSnapshot", + "RedshiftServerlessWorkgroup", + "RoboMakerDeploymentJob", + "RoboMakerFleet", + "RoboMakerRobot", + "RoboMakerRobotApplication", + "RoboMakerSimulationApplication", + "RoboMakerSimulationJob", + "S3Object", + "ServiceCatalogTagOption", + "ServiceCatalogTagOptionPortfolioAttachment", + ] +} diff --git a/tests/module.configuration.tftest.hcl b/tests/module.configuration.tftest.hcl new file mode 100644 index 0000000..4347eee --- /dev/null +++ b/tests/module.configuration.tftest.hcl @@ -0,0 +1,45 @@ + +run "module_configuration" { + command = plan + + module { + source = "./modules/configuration" + } + + variables { + accounts = [123456789012, 123456789013] + regions = ["us-east-1", "us-west-2"] + + presets = { + "default" = { + "IAMRole" = [ + { + property = "roleName" + type = "regex" + value = "^AWSControlTower.*" + } + ] + } + } + + filters = [ + { + property = "tag:Environment" + type = "string" + value = "Sandbox" + }, + { + property = "tag:Owner" + type = "string" + value = "Support" + } + ] + + include_presets = { + enable_control_tower = true + enable_cost_intelligence = true + enable_landing_zone = true + } + } +} +