From 22ffd9b26a06da78d32dec8dce845a6783075c54 Mon Sep 17 00:00:00 2001
From: Anmol Nagpal
Date: Mon, 28 Aug 2023 22:35:47 +0530
Subject: [PATCH] Feat: Updated the terraform version and fixed the tfsec warnings

---
 _example/public/example.tf | 94 ++++++++++++++++++++++++++-----------
 _example/public/outputs.tf | 5 --
 _example/public/versions.tf | 5 +-
 _example/vpc/example.tf | 72 ++++++++++++++++++++--------
 main.tf | 38 +++++++++++----
 outputs.tf | 3 ++
 variables.tf | 7 +++
 versions.tf | 5 +-
 8 files changed, 165 insertions(+), 64 deletions(-)

diff --git a/_example/public/example.tf b/_example/public/example.tf
index de5638c..9fe989b 100644
--- a/_example/public/example.tf
+++ b/_example/public/example.tf
@@ -7,15 +7,16 @@ provider "aws" {
 ################################################################################
 module "vpc" {
- source = "clouddrove/vpc/aws"
- version = "0.15.1"
-
- name = "vpc"
- environment = "dev-xcheck"
- label_order = ["environment", "name"]
- vpc_enabled = true
-
- cidr_block = "10.30.0.0/16"
+ source = "clouddrove/vpc/aws"
+ version = "2.0.0"
+ name = "vpc"
+ environment = "test"
+ cidr_block = "10.0.0.0/16"
+ enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
+ create_flow_log_cloudwatch_iam_role = true
+ additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]
+ dhcp_options_domain_name = "service.consul"
+ dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 }
 ################################################################################
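Review bot: The secondary ranges added as `additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]` lie outside RFC 1918 (the private block is 172.16.0.0/12), so the example VPC claims publicly routable address space and any instance in it loses reachability to the real owners of those prefixes; the same values are added in the `_example/vpc/example.tf` hunk. `additional_cidr_block = ["172.16.0.0/16", "172.17.0.0/16"]` would keep the example private, and matches the 172.16.0.0/16 the security-group rules later in this file already use. `dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]` also looks doubtful, since 127.0.0.1 is each instance's own loopback and only resolves if a local resolver is expected on every host; either state that intent in a comment or drop the entry.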
@@ -32,14 +33,14 @@ module "subnets" {
 # tags = local.tags
 enabled = true
- nat_gateway_enabled = true
- single_nat_gateway = true
- availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
- vpc_id = module.vpc.vpc_id
- cidr_block = module.vpc.vpc_cidr_block
- ipv6_cidr_block = module.vpc.ipv6_cidr_block
- type = "public-private"
- igw_id = module.vpc.igw_id
+ nat_gateway_enabled = true
+ single_nat_gateway = true
+ availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ vpc_id = module.vpc.vpc_id
+ cidr_block = module.vpc.vpc_cidr_block
+ ipv6_cidr_block = module.vpc.ipv6_cidr_block
+ type = "public-private"
+ assign_ipv6_address_on_creation = false
 }
 ################################################################################
@@ -47,16 +48,48 @@ module "subnets" {
 ################################################################################
 module "security_group-sftp" {
- source = "clouddrove/security-group/aws"
- version = "0.15.0"
-
- name = "sftp-sg"
- environment = "test"
- protocol = "tcp"
- label_order = ["environment", "name"]
- vpc_id = module.vpc.vpc_id
- allowed_ip = ["10.30.0.0/16"]
- allowed_ports = [27017]
+ source = "clouddrove/security-group/aws"
+ version = "2.0.0"
+ name = "sftp-sg"
+ environment = "test"
+ label_order = ["environment", "name"]
+ vpc_id = module.vpc.vpc_id
+ ## INGRESS Rules
+ new_sg_ingress_rules_with_cidr_blocks = [{
+ rule_count = 1
+ from_port = 22
+ protocol = "tcp"
+ to_port = 22
+ cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+ description = "Allow ssh traffic."
+ },
+ {
+ rule_count = 2
+ from_port = 27017
+ protocol = "tcp"
+ to_port = 27017
+ cidr_blocks = ["172.16.0.0/16"]
+ description = "Allow SFTP traffic."
+ }
+ ]
+
+ ## EGRESS Rules
+ new_sg_egress_rules_with_cidr_blocks = [{
+ rule_count = 1
+ from_port = 22
+ protocol = "tcp"
+ to_port = 22
+ cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+ description = "Allow ssh outbound traffic."
+ },
+ {
+ rule_count = 2
+ from_port = 27017
+ protocol = "tcp"
+ to_port = 27017
+ cidr_blocks = ["172.16.0.0/16"]
+ description = "Allow SFTP outbound traffic."
+ }]
 }
@@ -73,6 +106,7 @@ module "s3_bucket" {
 label_order = ["environment", "name"]
 versioning = true
+ logging = true
 acl = "private"
 force_destroy = true
 }
@@ -89,4 +123,10 @@ module "sftp" {
 enable_sftp = true
 s3_bucket_name = module.s3_bucket.id
 endpoint_type = "PUBLIC"
+ workflow_details = {
+ on_upload = {
+ execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
+ workflow_id = "w-12345XXXX6da"
+ }
+ }
 }
\ No newline at end of file
diff --git a/_example/public/outputs.tf b/_example/public/outputs.tf
index 845883d..986ac0a 100644
--- a/_example/public/outputs.tf
+++ b/_example/public/outputs.tf
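Review bot: The second ingress rule opens `from_port = 27017` / `to_port = 27017` with `description = "Allow SFTP traffic."`, but SFTP on AWS Transfer is served on TCP 22, which the first rule already covers; 27017 is carried over from the old `allowed_ports = [27017]` and is conventionally MongoDB's port, so either the port or the description is wrong. If nothing in the example listens on 27017, dropping that rule and its egress twin reduces the exposed surface; otherwise change the description to name what actually listens there. The same rule set is added again in the `_example/vpc/example.tf` hunk. This file also sets `endpoint_type = "PUBLIC"` further down, and AWS Transfer only attaches security groups to VPC endpoints, so as far as the hunk shows this group may never be applied to the server — confirm how `module.sftp` consumes it.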
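Review bot: The added `execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"` uses a 10-digit account id, whereas AWS account ids are 12 digits, so the ARN is malformed and the example cannot apply as written; `workflow_id = "w-12345XXXX6da"` is likewise an obvious placeholder (the value it replaces in the `_example/vpc/example.tf` hunk had 17 characters after `w-`). If these are meant as placeholders, mark them as such, e.g. `execution_role = "arn:aws:iam::<ACCOUNT_ID>:role/<TRANSFER_ROLE>" # replace before apply`, so readers do not copy a value that looks real but is not. `module "sftp"` starts outside the hunk.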
@@ -2,8 +2,3 @@ output "id" {
 description = "ID of the created example"
 value = module.sftp.id
 }
-
-output "transfer_endpoint" {
- description = "Endpoint for your SFTP connection"
- value = module.sftp.transfer_endpoint
-}
\ No newline at end of file
diff --git a/_example/public/versions.tf b/_example/public/versions.tf
index e7fcdc2..5a227cd 100644
--- a/_example/public/versions.tf
+++ b/_example/public/versions.tf
@@ -1,8 +1,11 @@
+# Terraform version
 terraform {
+ required_version = ">= 1.5.0"
+
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 5.9.0"
 }
 }
 }
\ No newline at end of file
diff --git a/_example/vpc/example.tf b/_example/vpc/example.tf
index 1b5899a..25b15b5 100644
--- a/_example/vpc/example.tf
+++ b/_example/vpc/example.tf
@@ -7,15 +7,16 @@ provider "aws" {
 ################################################################################
 module "vpc" {
- source = "clouddrove/vpc/aws"
- version = "0.15.1"
-
- name = "vpc"
- environment = "test"
- label_order = ["environment", "name"]
- vpc_enabled = true
-
- cidr_block = "10.50.0.0/16"
+ source = "clouddrove/vpc/aws"
+ version = "2.0.0"
+ name = "vpc"
+ environment = "test"
+ cidr_block = "10.0.0.0/16"
+ enable_flow_log = true # Flow logs will be stored in cloudwatch log group. Variables passed in default.
+ create_flow_log_cloudwatch_iam_role = true
+ additional_cidr_block = ["172.3.0.0/16", "172.2.0.0/16"]
+ dhcp_options_domain_name = "service.consul"
+ dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 }
 ################################################################################
@@ -39,7 +40,6 @@ module "subnets" {
 cidr_block = module.vpc.vpc_cidr_block
 ipv6_cidr_block = module.vpc.ipv6_cidr_block
 type = "public-private"
- igw_id = module.vpc.igw_id
 }
 ################################################################################
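Review bot: `version = ">= 5.9.0"` has no upper bound, so a fresh `terraform init` will pull whatever the newest AWS provider major is, including a future 6.x with breaking changes; the `~> 4.0` it replaces at least pinned the major, and `required_version = ">= 1.5.0"` is open-ended in the same way. `version = "~> 5.9"` keeps the floor this commit wants while excluding the next major, and the identical constraint is added in the root `versions.tf` hunk. Committing the `.terraform.lock.hcl` for the examples would additionally pin the provider checksums they were tested against.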
@@ -47,19 +47,50 @@ module "subnets" {
 ################################################################################
 module "security_group-sftp" {
- source = "clouddrove/security-group/aws"
- version = "0.15.0"
-
+ source = "clouddrove/security-group/aws"
+ version = "2.0.0"
 name = "sftp-sg"
 environment = "test"
- protocol = "tcp"
 label_order = ["environment", "name"]
 vpc_id = module.vpc.vpc_id
- allowed_ip = ["10.30.0.0/16", "192.168.5.0/24", "171.21.132.0/24"]
- allowed_ports = [27017]
+ ## INGRESS Rules
+ new_sg_ingress_rules_with_cidr_blocks = [{
+ rule_count = 1
+ from_port = 22
+ protocol = "tcp"
+ to_port = 22
+ cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+ description = "Allow ssh traffic."
+ },
+ {
+ rule_count = 2
+ from_port = 27017
+ protocol = "tcp"
+ to_port = 27017
+ cidr_blocks = ["172.16.0.0/16"]
+ description = "Allow SFTP traffic."
+ }
+ ]
+
+ ## EGRESS Rules
+ new_sg_egress_rules_with_cidr_blocks = [{
+ rule_count = 1
+ from_port = 22
+ protocol = "tcp"
+ to_port = 22
+ cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+ description = "Allow ssh outbound traffic."
+ },
+ {
+ rule_count = 2
+ from_port = 27017
+ protocol = "tcp"
+ to_port = 27017
+ cidr_blocks = ["172.16.0.0/16"]
+ description = "Allow SFTP outbound traffic."
+ }]
 }
-
 ################################################################################
 # AWS S3
 ################################################################################
@@ -68,11 +99,12 @@ module "s3_bucket" {
 source = "clouddrove/s3/aws"
 version = "1.3.0"
- name = "clouddrove-sftp-bucket01"
+ name = "clouddrove-sftp-bucket"
 environment = "test"
 label_order = ["environment", "name"]
 versioning = true
+ logging = true
 acl = "private"
 force_destroy = true
 }
@@ -82,7 +114,7 @@ module "s3_bucket" {
 ################################################################################
 module "sftp" {
- source = "/home/vaibhav/terraform-modules/TEST_SFTP_0.1/AWS_SFTP"
+ source = "../.."
 name = "sftp"
 environment = "test"
 label_order = ["environment", "name"]
@@ -96,7 +128,7 @@ module "sftp" {
 workflow_details = {
 on_upload = {
 execution_role = "arn:aws:iam::1234567890:role/test-sftp-transfer-role"
- workflow_id = "w-ce0fb52ffa53c46da"
+ workflow_id = "w-12345XXXX6da"
 }
 }
 }
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 8b9e978..638e5e4 100644
--- a/main.tf
+++ b/main.tf
@@ -2,10 +2,10 @@
 ## Description : This Script is used to create Transfer Server, Transfer User And TransferSSK_KEY.
 ## Copyright @ CloudDrove. All Right Reserved.
-#Module : labels
-#Description : This terraform module is designed to generate consistent label names and tags
-# for resources. You can use terraform-labels to implement a strict naming
-# convention.
+##----------------------------------------------------------------------------------
+## Labels module callled that will be used for naming and tags.
+##----------------------------------------------------------------------------------
+
 module "labels" {
 source = "clouddrove/labels/aws"
 version = "1.3.0"
@@ -18,9 +18,9 @@ module "labels" {
 label_order = var.label_order
 }
-####################################################################################################################################
+##----------------------------------------------------------------------------------
 # LOCALS
-####################################################################################################################################
+##----------------------------------------------------------------------------------
 locals {
 count = var.enabled
 s3_arn_prefix = "arn:${one(data.aws_partition.default[*].partition)}:s3:::"
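Review bot: The new banner text `## Labels module callled that will be used for naming and tags.` in the first `main.tf` hunk has a typo (`callled`) and reads awkwardly; `## Labels module, used to generate consistent names and tags for every resource below.` says the same thing. The comment it replaces also explained that terraform-labels enforces a strict naming convention, which the new banner drops — worth keeping as a second line.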
@@ -46,9 +46,9 @@ data "aws_s3_bucket" "landing" {
 bucket = var.s3_bucket_name
 }
-####################################################################################################################################
+##----------------------------------------------------------------------------------
 # IAM POLICIES
-####################################################################################################################################
+##----------------------------------------------------------------------------------
 # Module : IAM POLICY
 # Description : This data source can be used to fetch information about a specific IAM role.
@@ -142,8 +142,10 @@ data "aws_iam_policy_document" "assume_role_policy" {
 }
 }
+##----------------------------------------------------------------------------------
 # Module : IAM ROLE
 # Description : This data source can be used to fetch information about a specific IAM role.
+##----------------------------------------------------------------------------------
 resource "aws_iam_role" "s3_access_for_sftp_users" {
 for_each = var.enabled ? local.user_names_map : {}
@@ -162,8 +164,10 @@ resource "aws_iam_policy" "s3_access_for_sftp_users" {
 tags = module.labels.tags
 }
+##----------------------------------------------------------------------------------
 # Module : IAM ROLE POLICY
 # Description : Provides an IAM role policy.
+##----------------------------------------------------------------------------------
 resource "aws_iam_policy" "logging" {
 count = var.enabled ? 1 : 0
@@ -183,8 +187,11 @@ resource "aws_iam_role" "logging" {
 tags = module.labels.tags
 }
+##----------------------------------------------------------------------------------
 # Module : AWS TRANSFER SERVER
 # Description : Provides a AWS Transfer Server resource.
+##----------------------------------------------------------------------------------
+
 resource "aws_transfer_server" "transfer_server" {
 count = var.enable_sftp ? 1 : 0
 identity_provider_type = var.identity_provider_type
@@ -218,8 +225,12 @@ resource "aws_transfer_server" "transfer_server" {
 }
 }
+
+##----------------------------------------------------------------------------------
 # Module : AWS TRANSFER USER
 # Description : Provides a AWS Transfer User resource.
+##----------------------------------------------------------------------------------
+
 resource "aws_transfer_user" "transfer_server_user" {
 for_each = var.enabled ? { for user in var.sftp_users : user.username => user } : {}
@@ -242,9 +253,11 @@ resource "aws_transfer_user" "transfer_server_user" {
 }
 }
-
+##----------------------------------------------------------------------------------
 # Module : AWS TRANSFER SERVER SSH
 # Description : Provides a AWS Transfer SERVER SSH resource.
+##----------------------------------------------------------------------------------
+
 resource "aws_transfer_ssh_key" "transfer_server_ssh_key" {
 count = var.enabled ? length(var.sftp_users) : 0
 server_id = join("", aws_transfer_server.transfer_server[*].id)
@@ -253,17 +266,22 @@ resource "aws_transfer_ssh_key" "transfer_server_ssh_key" {
 }
-
+##----------------------------------------------------------------------------------
 # Module : AWS ELASTIC IP
 # Description : Provides a AWS ELASTIC IP.
+##----------------------------------------------------------------------------------
+
 resource "aws_eip" "sftp" {
 count = var.enabled && var.eip_enabled ? length(var.subnet_ids) : 0
 vpc = local.is_vpc
 tags = module.labels.tags
 }
+##----------------------------------------------------------------------------------
 # Module : Custom Domain
 # Description : Provides a Custom Domain
+##----------------------------------------------------------------------------------
+
 resource "aws_route53_record" "custom_domain" {
 count = var.enabled && length(var.domain_name) > 0 && length(var.zone_id) > 0 ? 1 : 0
diff --git a/outputs.tf b/outputs.tf
index 477d122..15b5154 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,5 +1,8 @@
+##----------------------------------------------------------------------------------
 #Module : SFTP
 #Description : Terraform sftp module outputs.
+##----------------------------------------------------------------------------------
+
 output "id" {
 value = join("", aws_transfer_server.transfer_server.*.id)
 description = "The Server ID of the Transfer Server (e.g. s-12345678)."
diff --git a/variables.tf b/variables.tf
index 9ada657..04110a5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,5 +1,8 @@
+##----------------------------------------------------------------------------------
 #Module : LABEL
 #Description : Terraform label module variables.
+##----------------------------------------------------------------------------------
+
 variable "name" {
 type = string
 default = ""
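Review bot: `vpc = local.is_vpc` in `resource "aws_eip" "sftp"` is left untouched while the root `versions.tf` hunk raises the provider floor to `>= 5.9.0`, and the 5.x AWS provider deprecates `aws_eip`'s `vpc` argument in favour of `domain`; every plan will carry a deprecation warning until that line becomes something like `domain = local.is_vpc ? "vpc" : null`. Whether `local.is_vpc` is a boolean is only inferred from its use here, so confirm its definition before changing it. The `locals` block that defines it is outside this hunk.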
@@ -53,8 +56,12 @@ variable "enabled" {
 default = true
 description = "Set to false to prevent the module from creating any resources."
 }
+
+##----------------------------------------------------------------------------------
 #Module : SFTP
 #Description : Terraform sftp module variables.
+##----------------------------------------------------------------------------------
+
 variable "enable_sftp" {
 type = bool
 default = true
diff --git a/versions.tf b/versions.tf
index e7fcdc2..5a227cd 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,8 +1,11 @@
+# Terraform version
 terraform {
+ required_version = ">= 1.5.0"
+
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = ">= 5.9.0"
 }
 }
 }
\ No newline at end of file