Feat: Updated the Terraform version and fixed the tfsec warnings
anmolnagpal committed Aug 28, 2023
1 parent c16c5f9 commit 22ffd9b
Showing 8 changed files with 165 additions and 64 deletions.
94 changes: 67 additions & 27 deletions _example/public/example.tf
Expand Up @@ -7,15 +7,16 @@ provider "aws" {
################################################################################

module "vpc" {
source = "clouddrove/vpc/aws"
version = "0.15.1"

name = "vpc"
environment = "dev-xcheck"
label_order = ["environment", "name"]
vpc_enabled = true

cidr_block = "10.30.0.0/16"
source = "clouddrove/vpc/aws"
version = "2.0.0"
name = "vpc"
environment = "test"
cidr_block = "10.0.0.0/16"
enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
create_flow_log_cloudwatch_iam_role = true
additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]
dhcp_options_domain_name = "service.consul"
dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
}

################################################################################
Expand All @@ -32,31 +33,63 @@ module "subnets" {
# tags = local.tags
enabled = true

nat_gateway_enabled = true
single_nat_gateway = true
availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
vpc_id = module.vpc.vpc_id
cidr_block = module.vpc.vpc_cidr_block
ipv6_cidr_block = module.vpc.ipv6_cidr_block
type = "public-private"
igw_id = module.vpc.igw_id
nat_gateway_enabled = true
single_nat_gateway = true
availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
vpc_id = module.vpc.vpc_id
cidr_block = module.vpc.vpc_cidr_block
ipv6_cidr_block = module.vpc.ipv6_cidr_block
type = "public-private"
assign_ipv6_address_on_creation = false
}

################################################################################
# AWS SFTP SECURITY GROUP
################################################################################

module "security_group-sftp" {
source = "clouddrove/security-group/aws"
version = "0.15.0"

name = "sftp-sg"
environment = "test"
protocol = "tcp"
label_order = ["environment", "name"]
vpc_id = module.vpc.vpc_id
allowed_ip = ["10.30.0.0/16"]
allowed_ports = [27017]
source = "clouddrove/security-group/aws"
version = "2.0.0"
name = "sftp-sg"
environment = "test"
label_order = ["environment", "name"]
vpc_id = module.vpc.vpc_id
## INGRESS Rules
new_sg_ingress_rules_with_cidr_blocks = [{
rule_count = 1
from_port = 22
protocol = "tcp"
to_port = 22
cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
description = "Allow ssh traffic."
},
{
rule_count = 2
from_port = 27017
protocol = "tcp"
to_port = 27017
cidr_blocks = ["172.16.0.0/16"]
description = "Allow SFTP traffic."
}
]

## EGRESS Rules
new_sg_egress_rules_with_cidr_blocks = [{
rule_count = 1
from_port = 22
protocol = "tcp"
to_port = 22
cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
description = "Allow ssh outbound traffic."
},
{
rule_count = 2
from_port = 27017
protocol = "tcp"
to_port = 27017
cidr_blocks = ["172.16.0.0/16"]
description = "Allow SFTP outbound traffic."
}]
}


Expand All @@ -73,6 +106,7 @@ module "s3_bucket" {
label_order = ["environment", "name"]

versioning = true
logging = true
acl = "private"
force_destroy = true
}
Expand All @@ -89,4 +123,10 @@ module "sftp" {
enable_sftp = true
s3_bucket_name = module.s3_bucket.id
endpoint_type = "PUBLIC"
workflow_details = {
on_upload = {
execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
workflow_id = "w-12345XXXX6da"
}
}
}
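Review bot: In the `security_group-sftp` block the rule on port 27017 carries the description `Allow SFTP traffic.`, yet SFTP is served by the port-22 rule directly above it and 27017 is the default MongoDB port, so either the port or the description is wrong; the same text is repeated in the egress rules and again in `_example/vpc/example.tf`. The ingress CIDR `172.16.0.0/16` also matches none of the ranges the `vpc` module is given in this file (`10.0.0.0/16`, `172.3.0.0/16`, `172.2.0.0/16`), so the rule admits a range outside the example VPC; if that is intended, a comment such as `# 172.16.0.0/16: peered/on-prem range expected to reach the server` would make the reason explicit. Because the `sftp` module in this example sets `endpoint_type = "PUBLIC"`, I cannot tell from the visible hunks whether this security group is attached to the server at all, which would make the rules inert.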
5 changes: 0 additions & 5 deletions _example/public/outputs.tf
Expand Up @@ -2,8 +2,3 @@ output "id" {
description = "ID of the created example"
value = module.sftp.id
}

output "transfer_endpoint" {
description = "Endpoint for your SFTP connection"
value = module.sftp.transfer_endpoint
}
5 changes: 4 additions & 1 deletion _example/public/versions.tf
@@ -1,8 +1,11 @@
# Terraform version
terraform {
required_version = ">= 1.5.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = ">= 5.9.0"
}
}
}
72 changes: 52 additions & 20 deletions _example/vpc/example.tf
Expand Up @@ -7,15 +7,16 @@ provider "aws" {
################################################################################

module "vpc" {
source = "clouddrove/vpc/aws"
version = "0.15.1"

name = "vpc"
environment = "test"
label_order = ["environment", "name"]
vpc_enabled = true

cidr_block = "10.50.0.0/16"
source = "clouddrove/vpc/aws"
version = "2.0.0"
name = "vpc"
environment = "test"
cidr_block = "10.0.0.0/16"
enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
create_flow_log_cloudwatch_iam_role = true
additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]
dhcp_options_domain_name = "service.consul"
dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
}

################################################################################
Expand All @@ -39,27 +40,57 @@ module "subnets" {
cidr_block = module.vpc.vpc_cidr_block
ipv6_cidr_block = module.vpc.ipv6_cidr_block
type = "public-private"
igw_id = module.vpc.igw_id
}

################################################################################
# AWS SFTP SECURITY GROUP
################################################################################

module "security_group-sftp" {
source = "clouddrove/security-group/aws"
version = "0.15.0"

source = "clouddrove/security-group/aws"
version = "2.0.0"
name = "sftp-sg"
environment = "test"
protocol = "tcp"
label_order = ["environment", "name"]
vpc_id = module.vpc.vpc_id
allowed_ip = ["10.30.0.0/16", "192.168.5.0/24", "171.21.132.0/24"]
allowed_ports = [27017]
## INGRESS Rules
new_sg_ingress_rules_with_cidr_blocks = [{
rule_count = 1
from_port = 22
protocol = "tcp"
to_port = 22
cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
description = "Allow ssh traffic."
},
{
rule_count = 2
from_port = 27017
protocol = "tcp"
to_port = 27017
cidr_blocks = ["172.16.0.0/16"]
description = "Allow SFTP traffic."
}
]

## EGRESS Rules
new_sg_egress_rules_with_cidr_blocks = [{
rule_count = 1
from_port = 22
protocol = "tcp"
to_port = 22
cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
description = "Allow ssh outbound traffic."
},
{
rule_count = 2
from_port = 27017
protocol = "tcp"
to_port = 27017
cidr_blocks = ["172.16.0.0/16"]
description = "Allow SFTP outbound traffic."
}]
}


################################################################################
# AWS S3
################################################################################
Expand All @@ -68,11 +99,12 @@ module "s3_bucket" {
source = "clouddrove/s3/aws"
version = "1.3.0"

name = "clouddrove-sftp-bucket01"
name = "clouddrove-sftp-bucket"
environment = "test"
label_order = ["environment", "name"]

versioning = true
logging = true
acl = "private"
force_destroy = true
}
Expand All @@ -82,7 +114,7 @@ module "s3_bucket" {
################################################################################

module "sftp" {
source = "/home/vaibhav/terraform-modules/TEST_SFTP_0.1/AWS_SFTP"
source = "../.."
name = "sftp"
environment = "test"
label_order = ["environment", "name"]
Expand All @@ -96,7 +128,7 @@ module "sftp" {
workflow_details = {
on_upload = {
execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
workflow_id = "w-ce0fb52ffa53c46da"
workflow_id = "w-12345XXXX6da"
}
}
}
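Review bot: The `subnets` block in this file still passes `ipv6_cidr_block = module.vpc.ipv6_cidr_block` but, unlike the same block in `_example/public/example.tf`, does not set `assign_ipv6_address_on_creation = false`, while the `security_group-sftp` rules below define only IPv4 `cidr_blocks`. If the subnets hand out IPv6 addresses the server ends up with no IPv6 rules, so the two examples should agree; adding `assign_ipv6_address_on_creation = false` here, or IPv6 rules to the security group, would close the gap. The enclosing `module "subnets"` block starts outside the hunk, so its `source`/`version` are not visible, and `igw_id = module.vpc.igw_id` was dropped from the new side; I cannot see whether the newer subnets module derives the IGW internally, so that is worth confirming.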
38 changes: 28 additions & 10 deletions main.tf
Expand Up @@ -2,10 +2,10 @@
## Description : This Script is used to create Transfer Server, Transfer User And TransferSSK_KEY.
## Copyright @ CloudDrove. All Right Reserved.

#Module : labels
#Description : This terraform module is designed to generate consistent label names and tags
# for resources. You can use terraform-labels to implement a strict naming
# convention.
##----------------------------------------------------------------------------------
## Labels module callled that will be used for naming and tags.
##----------------------------------------------------------------------------------

module "labels" {
source = "clouddrove/labels/aws"
version = "1.3.0"
Expand All @@ -18,9 +18,9 @@ module "labels" {
label_order = var.label_order
}

####################################################################################################################################
##----------------------------------------------------------------------------------
# LOCALS
####################################################################################################################################
##----------------------------------------------------------------------------------
locals {
count = var.enabled
s3_arn_prefix = "arn:${one(data.aws_partition.default[*].partition)}:s3:::"
Expand All @@ -46,9 +46,9 @@ data "aws_s3_bucket" "landing" {
bucket = var.s3_bucket_name
}

####################################################################################################################################
##----------------------------------------------------------------------------------
# IAM POLICIES
####################################################################################################################################
##----------------------------------------------------------------------------------

# Module : IAM POLICY
# Description : This data source can be used to fetch information about a specific IAM role.
Expand Down Expand Up @@ -142,8 +142,10 @@ data "aws_iam_policy_document" "assume_role_policy" {
}
}

##----------------------------------------------------------------------------------
# Module : IAM ROLE
# Description : This data source can be used to fetch information about a specific IAM role.
##----------------------------------------------------------------------------------

resource "aws_iam_role" "s3_access_for_sftp_users" {
for_each = var.enabled ? local.user_names_map : {}
Expand All @@ -162,8 +164,10 @@ resource "aws_iam_policy" "s3_access_for_sftp_users" {
tags = module.labels.tags
}

##----------------------------------------------------------------------------------
# Module : IAM ROLE POLICY
# Description : Provides an IAM role policy.
##----------------------------------------------------------------------------------
resource "aws_iam_policy" "logging" {
count = var.enabled ? 1 : 0

Expand All @@ -183,8 +187,11 @@ resource "aws_iam_role" "logging" {
tags = module.labels.tags
}

##----------------------------------------------------------------------------------
# Module : AWS TRANSFER SERVER
# Description : Provides a AWS Transfer Server resource.
##----------------------------------------------------------------------------------

resource "aws_transfer_server" "transfer_server" {
count = var.enable_sftp ? 1 : 0
identity_provider_type = var.identity_provider_type
Expand Down Expand Up @@ -218,8 +225,12 @@ resource "aws_transfer_server" "transfer_server" {
}

}

##----------------------------------------------------------------------------------
# Module : AWS TRANSFER USER
# Description : Provides a AWS Transfer User resource.
##----------------------------------------------------------------------------------

resource "aws_transfer_user" "transfer_server_user" {
for_each = var.enabled ? { for user in var.sftp_users : user.username => user } : {}

Expand All @@ -242,9 +253,11 @@ resource "aws_transfer_user" "transfer_server_user" {
}
}


##----------------------------------------------------------------------------------
# Module : AWS TRANSFER SERVER SSH
# Description : Provides a AWS Transfer SERVER SSH resource.
##----------------------------------------------------------------------------------

resource "aws_transfer_ssh_key" "transfer_server_ssh_key" {
count = var.enabled ? length(var.sftp_users) : 0
server_id = join("", aws_transfer_server.transfer_server[*].id)
Expand All @@ -253,17 +266,22 @@ resource "aws_transfer_ssh_key" "transfer_server_ssh_key" {
}



##----------------------------------------------------------------------------------
# Module : AWS ELASTIC IP
# Description : Provides a AWS ELASTIC IP.
##----------------------------------------------------------------------------------

resource "aws_eip" "sftp" {
count = var.enabled && var.eip_enabled ? length(var.subnet_ids) : 0
vpc = local.is_vpc
tags = module.labels.tags
}

##----------------------------------------------------------------------------------
# Module : Custom Domain
# Description : Provides a Custom Domain
##----------------------------------------------------------------------------------

resource "aws_route53_record" "custom_domain" {
count = var.enabled && length(var.domain_name) > 0 && length(var.zone_id) > 0 ? 1 : 0
