From d823301e6d1d4061a0d1029e1161ceb49b6e4a2f Mon Sep 17 00:00:00 2001 From: Dominik Kroliczek Date: Thu, 4 Mar 2021 15:00:27 +0100 Subject: [PATCH 01/27] Add single lambda proxy resource id output --- api-gateway/lambda-single/output.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/api-gateway/lambda-single/output.tf b/api-gateway/lambda-single/output.tf index c1bdab4..18723f6 100644 --- a/api-gateway/lambda-single/output.tf +++ b/api-gateway/lambda-single/output.tf @@ -6,6 +6,10 @@ output "root_resource_id" { value = aws_api_gateway_rest_api.api.root_resource_id } +output "proxy_resource_id" { + value = aws_api_gateway_resource.lambda.id +} + output "stage_name" { value = var.stage_name } From 696a0f9d68c9f1cfe7fdb43745fc533f57d96f91 Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Fri, 5 Mar 2021 12:01:11 +0100 Subject: [PATCH 02/27] create route with and without auth(OPTIONS) for each method --- .../jwt-with-no-authorized-route/main.tf | 15 +++++++++++++++ .../jwt-with-no-authorized-route/variables.tf | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 api-gateway-v2/jwt-with-no-authorized-route/main.tf create mode 100644 api-gateway-v2/jwt-with-no-authorized-route/variables.tf diff --git a/api-gateway-v2/jwt-with-no-authorized-route/main.tf b/api-gateway-v2/jwt-with-no-authorized-route/main.tf new file mode 100644 index 0000000..2685649 --- /dev/null +++ b/api-gateway-v2/jwt-with-no-authorized-route/main.tf @@ -0,0 +1,15 @@ +resource "aws_apigatewayv2_route" "auth_on" { + for_each = toset(var.method) + api_id = var.api_id + route_key = "${each.key} ${var.path}" + target = "integrations/${var.integration_id}" + authorization_scopes = var.authorization_scopes + authorizer_id = var.authorizer_id + authorization_type = "JWT" +} + +resource "aws_apigatewayv2_route" "auth_off" { + api_id = var.api_id + route_key = "OPTIONS ${var.path}" + target = "integrations/${var.integration_id}" +} 
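Review bot: The `auth_off` route forwards unauthenticated `OPTIONS ${var.path}` requests to the same `integrations/${var.integration_id}` target as the JWT-protected routes, so the backend receives OPTIONS calls with no authorizer context and must handle them itself (a CORS-only response) rather than assume a validated JWT is present. If the intent is only CORS preflight, the `cors_configuration` block on `aws_apigatewayv2_api` answers OPTIONS without a route and without reaching the integration; otherwise document the choice above the resource, e.g. `# OPTIONS is intentionally unauthenticated: browsers send CORS preflight without an Authorization header`. The `for_each = toset(var.method)` loop also creates a JWT route for every listed method, so a caller that adds `"OPTIONS"` to `var.method` would produce a second route with the same key as `auth_off` and collide at apply time.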
diff --git a/api-gateway-v2/jwt-with-no-authorized-route/variables.tf b/api-gateway-v2/jwt-with-no-authorized-route/variables.tf new file mode 100644 index 0000000..af8087a --- /dev/null +++ b/api-gateway-v2/jwt-with-no-authorized-route/variables.tf @@ -0,0 +1,16 @@ +variable "path" {} +variable "method"{ + type = list + default = [ + "GET","POST","DELETE","HEAD","PATCH","PUT" + ] +} +variable "api_id" {} +variable "integration_id" {} +variable "authorizer_id" {} +variable "authorization_scopes" { + type = list + default = [ + "aws.cognito.signin.user.admin", + ] +} From 09c93d9a715101f45235d80f9bd9c1ce1efffa02 Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Fri, 5 Mar 2021 13:57:19 +0100 Subject: [PATCH 03/27] module name update --- .../{jwt-authorized-route => jwt-auth-any-route}/main.tf | 0 .../{jwt-authorized-route => jwt-auth-any-route}/variables.tf | 0 .../main.tf | 0 .../variables.tf | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename api-gateway-v2/{jwt-authorized-route => jwt-auth-any-route}/main.tf (100%) rename api-gateway-v2/{jwt-authorized-route => jwt-auth-any-route}/variables.tf (100%) rename api-gateway-v2/{jwt-with-no-authorized-route => jwt-auth-route-with-options}/main.tf (100%) rename api-gateway-v2/{jwt-with-no-authorized-route => jwt-auth-route-with-options}/variables.tf (100%) diff --git a/api-gateway-v2/jwt-authorized-route/main.tf b/api-gateway-v2/jwt-auth-any-route/main.tf similarity index 100% rename from api-gateway-v2/jwt-authorized-route/main.tf rename to api-gateway-v2/jwt-auth-any-route/main.tf diff --git a/api-gateway-v2/jwt-authorized-route/variables.tf b/api-gateway-v2/jwt-auth-any-route/variables.tf similarity index 100% rename from api-gateway-v2/jwt-authorized-route/variables.tf rename to api-gateway-v2/jwt-auth-any-route/variables.tf 
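Review bot: `variable "method"` and `variable "authorization_scopes"` declare `type = list` without an element type, which is the legacy constraint form; `type = list(string)` pins the element type and lets Terraform reject a wrongly-shaped value at plan time. `path`, `api_id`, `integration_id` and `authorizer_id` have no type or description, so callers get no validation at all; at minimum `type = string` on each, with a `description` on `authorization_scopes` saying the default is the Cognito admin scope. Patch 03 renames these files to `jwt-auth-route-with-options` unchanged, so the same applies there.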
diff --git a/api-gateway-v2/jwt-with-no-authorized-route/main.tf b/api-gateway-v2/jwt-auth-route-with-options/main.tf similarity index 100% rename from api-gateway-v2/jwt-with-no-authorized-route/main.tf rename to api-gateway-v2/jwt-auth-route-with-options/main.tf diff --git a/api-gateway-v2/jwt-with-no-authorized-route/variables.tf b/api-gateway-v2/jwt-auth-route-with-options/variables.tf similarity index 100% rename from api-gateway-v2/jwt-with-no-authorized-route/variables.tf rename to api-gateway-v2/jwt-auth-route-with-options/variables.tf From f1b83c8ef1dded5c78826f9a3e154eeedd80bd26 Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Mon, 8 Mar 2021 14:35:53 +0100 Subject: [PATCH 04/27] add wildcard to arn --- security/cloudtrail/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/cloudtrail/main.tf b/security/cloudtrail/main.tf index 7bc19dc..feb7914 100644 --- a/security/cloudtrail/main.tf +++ b/security/cloudtrail/main.tf @@ -51,7 +51,7 @@ resource "aws_cloudtrail" "organization" { # sns_topic_name = "${data.terraform_remote_state.master.cloudtrail_events_sns_topic_arn}" enable_log_file_validation = true # kms_key_id = "${data.terraform_remote_state.master.kms_cloudtrail_arn["${var.account_name}"]}" - cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn + cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*" cloud_watch_logs_role_arn = module.role.iam_role_arn depends_on = [ From 987e953548335c82ea9a4316992a044624784f52 Mon Sep 17 00:00:00 2001 From: Marcin Byrdziak Date: Wed, 10 Mar 2021 12:57:13 +0100 Subject: [PATCH 05/27] Fix for https://github.com/terraform-aws-modules/terraform-aws-rds/pull/304 --- rds/postgres/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rds/postgres/main.tf b/rds/postgres/main.tf index 3b38b98..2a97cee 100644 --- a/rds/postgres/main.tf +++ b/rds/postgres/main.tf 
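Review bot: The `:*` suffix on `cloud_watch_logs_group_arn` is the log-stream wildcard CloudTrail requires, but nothing in the hunk says so, and whether `aws_cloudwatch_log_group.cloudtrail.arn` already ends in `:*` depends on the AWS provider version, so a reader cannot tell from the line whether the result is `...:*` or `...:*:*`. Add the reason as a comment on the line, `# CloudTrail requires the log-stream wildcard on the log group ARN`, and note the provider version this was verified against. The commented-out `kms_key_id` in the context lines means the trail is still written without a customer-managed key; that predates this commit, but a TODO next to it would keep it from being forgotten.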
@@ -4,6 +4,8 @@ module "database" { identifier = var.name name = var.name + parameter_group_name = var.name + parameter_group_use_name_prefix = false engine = "postgres" engine_version = "11" From c390cbddd0c4120dc24c8bbf484745c2b44d1cbd Mon Sep 17 00:00:00 2001 From: Marcin Byrdziak Date: Fri, 12 Mar 2021 14:23:37 +0100 Subject: [PATCH 06/27] Do not create any default access in resources --- ci/account/variables.tf | 4 +--- eks/variable.tf | 10 +++++----- gitlab-tf-cloud-tenant/variables.tf | 2 +- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/ci/account/variables.tf b/ci/account/variables.tf index 2fc5fc3..f6c2c49 100644 --- a/ci/account/variables.tf +++ b/ci/account/variables.tf @@ -5,9 +5,7 @@ variable "deployer_additional_principals" { } variable "provisioner_additional_principals" { type = list - default = [ - "arn:aws:iam::492614697882:root", - ] + default = [] } variable "deployer_policy" { default = < Date: Mon, 15 Mar 2021 15:02:50 +0100 Subject: [PATCH 07/27] add alerts per Api GW name --- alerts/api-gateway/api_alerts.tf | 42 +++++++++++++++++++++++++++++ alerts/api_gw.tf | 7 +++++ api-gateway/base/output.tf | 4 +++ api-gateway/lambda-single/output.tf | 4 +++ 4 files changed, 57 insertions(+) create mode 100644 alerts/api-gateway/api_alerts.tf create mode 100644 alerts/api_gw.tf diff --git a/alerts/api-gateway/api_alerts.tf b/alerts/api-gateway/api_alerts.tf new file mode 100644 index 0000000..c9bb57e --- /dev/null +++ b/alerts/api-gateway/api_alerts.tf 
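Review bot: `default = []` removes the hard-coded root principal, which is the right direction, but `variable "provisioner_additional_principals"` keeps `type = list` with no element type, so a caller can still pass any shape; `type = list(string)` makes the contract explicit. With an empty default, a caller that relied on the previous implicit principal loses the trust relationship silently at its next apply, so the change deserves a `description` on the variable such as `"Additional principal ARNs allowed to assume the provisioner role; none by default"` and a line in the module README. The `deployer_policy` heredoc at the end of the hunk is truncated in this rendering, so its content cannot be reviewed here.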
@@ -0,0 +1,42 @@ +resource "aws_cloudwatch_metric_alarm" "api-4xx" { + alarm_name = "api-gateway-4xx-response" + alarm_description = "This alarm monitors api 4xx response" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = "1" + metric_name = "4XXError" + namespace = "AWS/ApiGateway" + period = "60" + statistic = "Sum" + threshold = 10 + treat_missing_data = "ignore" + alarm_actions = [var.notifications_sns_topic_arn] + ok_actions = [var.notifications_sns_topic_arn] + dimensions = { + ApiName = var.api_name + } +} + +resource "aws_cloudwatch_metric_alarm" "api-5xx" { + alarm_name = "api-gateway-5xx-response" + alarm_description = "This alarm monitors api 5xx response" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = "1" + metric_name = "5XXError" + namespace = "AWS/ApiGateway" + period = "60" + statistic = "Sum" + threshold = 10 + treat_missing_data = "ignore" + alarm_actions = [var.notifications_sns_topic_arn] + ok_actions = [var.notifications_sns_topic_arn] + dimensions = { + ApiName = var.api_name + } +} + +variable "notifications_sns_topic_arn" { + default = "" +} +variable "api_name" { + default = "" +} diff --git a/alerts/api_gw.tf b/alerts/api_gw.tf new file mode 100644 index 0000000..1db5917 --- /dev/null +++ b/alerts/api_gw.tf @@ -0,0 +1,7 @@ +variable "api" { default = "" } + +module "api-gateway" { + source = "./api-gateway" + + api_name = var.api +} diff --git a/api-gateway/base/output.tf b/api-gateway/base/output.tf index c1bdab4..2e4879f 100644 --- a/api-gateway/base/output.tf +++ b/api-gateway/base/output.tf @@ -13,3 +13,7 @@ output "stage_name" { output "invoke_url" { value = aws_api_gateway_deployment.deployment.invoke_url } + +output "api_name" { + value = var.name +} \ No newline at end of file diff --git a/api-gateway/lambda-single/output.tf b/api-gateway/lambda-single/output.tf index 18723f6..ab91874 100644 --- a/api-gateway/lambda-single/output.tf +++ b/api-gateway/lambda-single/output.tf 
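Review bot: `variable "notifications_sns_topic_arn" { default = "" }` combined with `alarm_actions = [var.notifications_sns_topic_arn]` means that when no topic is passed the alarm is created with an action list of `[""]`, which CloudWatch is likely to reject as an invalid ARN, and `api_name = ""` gives an `ApiName` dimension that matches no API, so the alarm sits in INSUFFICIENT_DATA and never fires; neither failure is visible at plan time. Drop the defaults so both values are required, or make the actions conditional: `alarm_actions = var.notifications_sns_topic_arn == "" ? [] : [var.notifications_sns_topic_arn]` (and the same for `ok_actions`). The same pattern is copied unchanged into `api-gateway-v2/alerts/api_alerts.tf` and `api-gateway/alerts/api_alerts.tf` in patch 08.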
@@ -17,3 +17,7 @@ output "stage_name" { output "invoke_url" { value = aws_api_gateway_deployment.deployment.invoke_url } + +output "api_name" { + value = var.name +} From 991e9d7d1f923e7b8d8ffdfb5c6e5ee0cdfbe744 Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Tue, 16 Mar 2021 09:48:50 +0100 Subject: [PATCH 08/27] split alerts per api gw version add parameters as var --- alerts/api_gw.tf | 7 --- .../alerts}/api_alerts.tf | 25 +++++------ api-gateway/alerts/api_alerts.tf | 43 +++++++++++++++++++ 3 files changed, 56 insertions(+), 19 deletions(-) delete mode 100644 alerts/api_gw.tf rename {alerts/api-gateway => api-gateway-v2/alerts}/api_alerts.tf (70%) create mode 100644 api-gateway/alerts/api_alerts.tf diff --git a/alerts/api_gw.tf b/alerts/api_gw.tf deleted file mode 100644 index 1db5917..0000000 --- a/alerts/api_gw.tf +++ /dev/null @@ -1,7 +0,0 @@ -variable "api" { default = "" } - -module "api-gateway" { - source = "./api-gateway" - - api_name = var.api -} diff --git a/alerts/api-gateway/api_alerts.tf b/api-gateway-v2/alerts/api_alerts.tf similarity index 70% rename from alerts/api-gateway/api_alerts.tf rename to api-gateway-v2/alerts/api_alerts.tf index c9bb57e..3f4b947 100644 --- a/alerts/api-gateway/api_alerts.tf +++ b/api-gateway-v2/alerts/api_alerts.tf 
@@ -1,13 +1,19 @@ +variable "notifications_sns_topic_arn" { default = "" } +variable "api_name" { default = "" } +variable "threshold" {default = 10} +variable "period" {default = 60} +variable "evaluation_periods" {default = 1} + resource "aws_cloudwatch_metric_alarm" "api-4xx" { alarm_name = "api-gateway-4xx-response" alarm_description = "This alarm monitors api 4xx response" comparison_operator = "GreaterThanThreshold" - evaluation_periods = "1" + evaluation_periods = var.evaluation_periods metric_name = "4XXError" namespace = "AWS/ApiGateway" - period = "60" + period = var.period statistic = "Sum" - threshold = 10 + threshold = var.threshold treat_missing_data = "ignore" alarm_actions = [var.notifications_sns_topic_arn] ok_actions = [var.notifications_sns_topic_arn] @@ -20,12 +26,12 @@ resource "aws_cloudwatch_metric_alarm" "api-5xx" { alarm_name = "api-gateway-5xx-response" alarm_description = "This alarm monitors api 5xx response" comparison_operator = "GreaterThanThreshold" - evaluation_periods = "1" + evaluation_periods = var.evaluation_periods metric_name = "5XXError" namespace = "AWS/ApiGateway" - period = "60" + period = var.period statistic = "Sum" - threshold = 10 + threshold = var.threshold treat_missing_data = "ignore" alarm_actions = [var.notifications_sns_topic_arn] ok_actions = [var.notifications_sns_topic_arn] @@ -34,9 +40,4 @@ resource "aws_cloudwatch_metric_alarm" "api-5xx" { } } -variable "notifications_sns_topic_arn" { - default = "" -} -variable "api_name" { - default = "" -} + diff --git a/api-gateway/alerts/api_alerts.tf b/api-gateway/alerts/api_alerts.tf new file mode 100644 index 0000000..3f4b947 --- /dev/null +++ b/api-gateway/alerts/api_alerts.tf 
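Review bot: The file moved under `api-gateway-v2/alerts` still alarms on `4XXError`/`5XXError` with an `ApiName` dimension, which are the REST API (v1) metrics; HTTP APIs created with `aws_apigatewayv2_*` publish `4xx`/`5xx` in `AWS/ApiGateway` with an `ApiId` dimension, so as written these alarms would never receive a data point and, with `treat_missing_data = "ignore"`, would never leave INSUFFICIENT_DATA. Verify against the HTTP API metric list and, for the v2 copy, use `metric_name = "4xx"` / `"5xx"` and `dimensions = { ApiId = var.api_id }`, taking the id rather than the name from the v2 module. The identical v1 copy created in this commit (`api-gateway/alerts/api_alerts.tf`) is correct for REST APIs, which is presumably why the split was made.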
@@ -0,0 +1,43 @@ +variable "notifications_sns_topic_arn" { default = "" } +variable "api_name" { default = "" } +variable "threshold" {default = 10} +variable "period" {default = 60} +variable "evaluation_periods" {default = 1} + +resource "aws_cloudwatch_metric_alarm" "api-4xx" { + alarm_name = "api-gateway-4xx-response" + alarm_description = "This alarm monitors api 4xx response" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = var.evaluation_periods + metric_name = "4XXError" + namespace = "AWS/ApiGateway" + period = var.period + statistic = "Sum" + threshold = var.threshold + treat_missing_data = "ignore" + alarm_actions = [var.notifications_sns_topic_arn] + ok_actions = [var.notifications_sns_topic_arn] + dimensions = { + ApiName = var.api_name + } +} + +resource "aws_cloudwatch_metric_alarm" "api-5xx" { + alarm_name = "api-gateway-5xx-response" + alarm_description = "This alarm monitors api 5xx response" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = var.evaluation_periods + metric_name = "5XXError" + namespace = "AWS/ApiGateway" + period = var.period + statistic = "Sum" + threshold = var.threshold + treat_missing_data = "ignore" + alarm_actions = [var.notifications_sns_topic_arn] + ok_actions = [var.notifications_sns_topic_arn] + dimensions = { + ApiName = var.api_name + } +} + + From 7dd148ffd1c0571adde030cfde233bea97b49fc4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Kr=C3=B3liczek?= Date: Tue, 16 Mar 2021 12:19:02 +0100 Subject: [PATCH 09/27] Add dmarc handling to ses module (#8) * Add dmarc handling to ses module * Fix formatting --- ses-dmarc/main.tf | 21 +++++++++++++++++++++ ses-dmarc/variables.tf | 2 ++ ses/domains.tf | 8 ++++++++ ses/variables.tf | 1 + 4 files changed, 32 insertions(+) create mode 100644 ses-dmarc/main.tf create mode 100644 ses-dmarc/variables.tf diff --git a/ses-dmarc/main.tf b/ses-dmarc/main.tf new file mode 100644 index 0000000..b988111 --- /dev/null +++ b/ses-dmarc/main.tf 
@@ -0,0 +1,21 @@ +resource "aws_route53_record" "dmarc" { + zone_id = var.dns_zone_id + name = "_dmarc.${var.domain}" + type = "TXT" + ttl = "600" + records = [ + "v=DMARC1; p=reject; pct=100"] +} + +resource "aws_ses_domain_dkim" "dkim" { + domain = var.domain +} + +resource "aws_route53_record" "example_amazonses_dkim_record" { + count = 3 + zone_id = var.dns_zone_id + name = "${element(aws_ses_domain_dkim.dkim.dkim_tokens, count.index)}._domainkey" + type = "CNAME" + ttl = "600" + records = ["${element(aws_ses_domain_dkim.dkim.dkim_tokens, count.index)}.dkim.amazonses.com"] +} diff --git a/ses-dmarc/variables.tf b/ses-dmarc/variables.tf new file mode 100644 index 0000000..afd61c0 --- /dev/null +++ b/ses-dmarc/variables.tf @@ -0,0 +1,2 @@ +variable "domain" {} +variable "dns_zone_id" {} diff --git a/ses/domains.tf b/ses/domains.tf index 83a4b27..960f871 100644 --- a/ses/domains.tf +++ b/ses/domains.tf @@ -33,3 +33,11 @@ resource "aws_route53_record" "amazonses_verification_record" { aws_ses_domain_identity.domain[each.key].verification_token ] } + +module dmarc { + source = "../ses-dmarc" + for_each = var.configure_dmarc ? var.domains : {} + dns_zone_id = each.value + domain = each.key +} + diff --git a/ses/variables.tf b/ses/variables.tf index 3c58cde..f830b23 100644 --- a/ses/variables.tf +++ b/ses/variables.tf @@ -15,3 +15,4 @@ variable "mails" { } variable "create_user" { default = false } +variable "configure_dmarc" { default = false } From aeefe92ff9a4ccc29726a9df0fc4d00bba370008 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Kr=C3=B3liczek?= Date: Thu, 18 Mar 2021 10:38:51 +0100 Subject: [PATCH 10/27] Add public apigw route module (#9) --- api-gateway-v2/any-route/main.tf | 5 +++++ api-gateway-v2/any-route/variables.tf | 4 ++++ 2 files changed, 9 insertions(+) create mode 100644 api-gateway-v2/any-route/main.tf create mode 100644 api-gateway-v2/any-route/variables.tf 
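Review bot: The DKIM CNAME record is named `"${element(aws_ses_domain_dkim.dkim.dkim_tokens, count.index)}._domainkey"` with no domain suffix, while the DMARC record above uses `"_dmarc.${var.domain}"`; the provider appends the zone's own name, so the two only agree when `var.dns_zone_id` is the zone for exactly `var.domain`, and for a domain hosted in a parent zone the DKIM selectors land at the wrong name and signing verification fails. Append the domain for consistency: `name = "${aws_ses_domain_dkim.dkim.dkim_tokens[count.index]}._domainkey.${var.domain}"`. The DMARC policy `v=DMARC1; p=reject; pct=100` is strict but carries no `rua=` tag, so there is no aggregate reporting and a DKIM or SPF breakage would reject all mail without anyone being told; a `dmarc_report_address` variable that, when set, appends `; rua=mailto:...` is the usual fix.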
diff --git a/api-gateway-v2/any-route/main.tf b/api-gateway-v2/any-route/main.tf new file mode 100644 index 0000000..96d4a49 --- /dev/null +++ b/api-gateway-v2/any-route/main.tf @@ -0,0 +1,5 @@ +resource "aws_apigatewayv2_route" "public" { + api_id = var.api_id + route_key = "${var.method} ${var.path}" + target = "integrations/${var.integration_id}" +} diff --git a/api-gateway-v2/any-route/variables.tf b/api-gateway-v2/any-route/variables.tf new file mode 100644 index 0000000..d4498fe --- /dev/null +++ b/api-gateway-v2/any-route/variables.tf @@ -0,0 +1,4 @@ +variable "path" {} +variable "method" { default = "ANY" } +variable "api_id" {} +variable "integration_id" {} From 1aa1b2e528988b030d73db485a61db2b102cb936 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Kr=C3=B3liczek?= Date: Mon, 22 Mar 2021 15:47:00 +0100 Subject: [PATCH 11/27] Add sqs module outputs (#10) --- sqs/output.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sqs/output.tf b/sqs/output.tf index 1df3fe5..8493898 100644 --- a/sqs/output.tf +++ b/sqs/output.tf @@ -6,6 +6,18 @@ output "name" { value = var.name } +output "id" { + value = aws_sqs_queue.queue.id +} + output "dead_letter_arn" { value = aws_sqs_queue.dead_letter.arn } + +output "dead_letter_name" { + value = aws_sqs_queue.dead_letter.name +} + +output "dead_letter_id" { + value = aws_sqs_queue.dead_letter.id +} From 4faaf3bfd16c08704a802ea595735299d2a65aeb Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Thu, 25 Mar 2021 14:03:41 +0100 Subject: [PATCH 12/27] create unique name for alert --- api-gateway-v2/alerts/api_alerts.tf | 5 +++-- api-gateway/alerts/api_alerts.tf | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/api-gateway-v2/alerts/api_alerts.tf b/api-gateway-v2/alerts/api_alerts.tf index 3f4b947..31ea043 100644 --- a/api-gateway-v2/alerts/api_alerts.tf +++ b/api-gateway-v2/alerts/api_alerts.tf 
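Review bot: `aws_apigatewayv2_route.public` sets no `authorization_type`, so the route is open to anyone who can reach the API, and with `variable "method" { default = "ANY" }` it is open for every HTTP method on `var.path`; nothing in the file says this is deliberate. Make the intent explicit with `authorization_type = "NONE"` and a comment above the resource, `# Public route: no authorizer by design; the integration must validate its own input`, so a later reader does not mistake the missing authorizer for an omission. Consider whether `ANY` is really the wanted default or whether callers should name the method, as the sibling `jwt-auth-route-with-options` module does with an explicit list.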
@@ -3,9 +3,10 @@ variable "api_name" { default = "" } variable "threshold" {default = 10} variable "period" {default = 60} variable "evaluation_periods" {default = 1} +variable "alarm_name" {default = ""} resource "aws_cloudwatch_metric_alarm" "api-4xx" { - alarm_name = "api-gateway-4xx-response" + alarm_name = "api-gateway-4xx-response.${var.alarm_name}" alarm_description = "This alarm monitors api 4xx response" comparison_operator = "GreaterThanThreshold" evaluation_periods = var.evaluation_periods @@ -23,7 +24,7 @@ resource "aws_cloudwatch_metric_alarm" "api-4xx" { } resource "aws_cloudwatch_metric_alarm" "api-5xx" { - alarm_name = "api-gateway-5xx-response" + alarm_name = "api-gateway-5xx-response.${var.alarm_name}" alarm_description = "This alarm monitors api 5xx response" comparison_operator = "GreaterThanThreshold" evaluation_periods = var.evaluation_periods diff --git a/api-gateway/alerts/api_alerts.tf b/api-gateway/alerts/api_alerts.tf index 3f4b947..31ea043 100644 --- a/api-gateway/alerts/api_alerts.tf +++ b/api-gateway/alerts/api_alerts.tf @@ -3,9 +3,10 @@ variable "api_name" { default = "" } variable "threshold" {default = 10} variable "period" {default = 60} variable "evaluation_periods" {default = 1} +variable "alarm_name" {default = ""} resource "aws_cloudwatch_metric_alarm" "api-4xx" { - alarm_name = "api-gateway-4xx-response" + alarm_name = "api-gateway-4xx-response.${var.alarm_name}" alarm_description = "This alarm monitors api 4xx response" comparison_operator = "GreaterThanThreshold" evaluation_periods = var.evaluation_periods @@ -23,7 +24,7 @@ resource "aws_cloudwatch_metric_alarm" "api-4xx" { } resource "aws_cloudwatch_metric_alarm" "api-5xx" { - alarm_name = "api-gateway-5xx-response" + alarm_name = "api-gateway-5xx-response.${var.alarm_name}" alarm_description = "This alarm monitors api 5xx response" comparison_operator = "GreaterThanThreshold" evaluation_periods = var.evaluation_periods 
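Review bot: `alarm_name = "api-gateway-4xx-response.${var.alarm_name}"` with `variable "alarm_name" {default = ""}` yields a name ending in a bare `.` when the caller passes nothing, and two instances of the module that both leave it unset still collide on the same alarm name, which is the problem the commit sets out to fix. Either make the variable required (drop the default) or derive the suffix from something already unique to the API, e.g. `alarm_name = "api-gateway-4xx-response-${var.api_name}"`. The same applies to the `api-5xx` hunk below and to both hunks of the identical `api-gateway/alerts/api_alerts.tf` in this commit.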
From a1a23ed10feed984c9887347612a4538d24dfbec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Kr=C3=B3liczek?= Date: Tue, 30 Mar 2021 13:56:11 +0200 Subject: [PATCH 13/27] Use alerts name variable (#12) --- alerts/common/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alerts/common/main.tf b/alerts/common/main.tf index b5af784..223762c 100644 --- a/alerts/common/main.tf +++ b/alerts/common/main.tf @@ -1,7 +1,7 @@ variable "sns_topic_name" { default = "alerts" } resource "aws_sns_topic" "alerts" { - name = "alerts" + name = var.sns_topic_name } output "sns_topic_arn" { From ac79e1921278f9773cfe6859234a8090a0242781 Mon Sep 17 00:00:00 2001 From: apukocz-pc <81754448+apukocz-pc@users.noreply.github.com> Date: Thu, 1 Apr 2021 15:11:05 +0200 Subject: [PATCH 14/27] fix alert for opsgenie enable cloudwatchevents (#13) Co-authored-by: alex --- alerts/opsgenie/main.tf | 2 +- alerts/opsgenie/variables.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/alerts/opsgenie/main.tf b/alerts/opsgenie/main.tf index 988d087..f7f0196 100644 --- a/alerts/opsgenie/main.tf +++ b/alerts/opsgenie/main.tf @@ -4,5 +4,5 @@ resource "aws_sns_topic_subscription" "opsgenie_alarm_notification_subscription" topic_arn = var.sns_topic_arn protocol = "https" endpoint_auto_confirms = true - endpoint = "https://api.%{if var.eu_region}eu.%{endif}opsgenie.com/v1/json/cloudwatch?apiKey=${var.api_key}" + endpoint = "https://api.%{if var.eu_region}eu.%{endif}opsgenie.com/v1/json/cloudwatch%{if var.cloudwatch_event}events%{endif}?apiKey=${var.api_key}" } diff --git a/alerts/opsgenie/variables.tf b/alerts/opsgenie/variables.tf index dc96046..d52722b 100644 --- a/alerts/opsgenie/variables.tf +++ b/alerts/opsgenie/variables.tf @@ -1,3 +1,4 @@ variable "api_key" {} variable "eu_region" {default = false} variable "sns_topic_arn" {} +variable "cloudwatch_event" { default = false } \ No newline at end of file 
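Review bot: The endpoint string interpolates `${var.api_key}` into a URL that is stored in the SNS subscription and in Terraform state, yet `variable "api_key" {}` in the accompanying `variables.tf` hunk is not marked sensitive, so the key appears in plan output and in any log that captures it. If the module runs on Terraform 0.14 or later, add `sensitive = true` to the variable so Terraform redacts it from plan and apply output; the query-string placement itself is how the Opsgenie CloudWatch integration works and cannot be changed here. The new `%{if var.cloudwatch_event}events%{endif}` directive has no explanation, so a one-line comment saying that `cloudwatchevents` is Opsgenie's separate endpoint for CloudWatch Events payloads would help the next reader.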
From 6c1af71259114044f51b0fcd4eea700421d6840d Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Tue, 6 Apr 2021 12:35:23 +0200 Subject: [PATCH 15/27] add assume role script to repo --- scripts/assume-role.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 scripts/assume-role.sh diff --git a/scripts/assume-role.sh b/scripts/assume-role.sh new file mode 100644 index 0000000..27305e6 --- /dev/null +++ b/scripts/assume-role.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +if [[ -z "$ROLE_ARN" ]]; then + echo "==> skipping assume role as no role specified" + return +fi + +echo "==> assuming role $ROLE_ARN" +output=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "assumed-role") + +echo "==> role $ROLE_ARN assumed" +export AWS_ACCESS_KEY_ID=$(echo $output | jq -c '.Credentials.AccessKeyId' | tr -d '"' | tr -d ' ') +export AWS_SECRET_ACCESS_KEY=$(echo $output | jq -c '.Credentials.SecretAccessKey' | tr -d '"' | tr -d ' ') +export AWS_SESSION_TOKEN=$(echo $output | jq -c '.Credentials.SessionToken' | tr -d '"' | tr -d ' ') \ No newline at end of file From 8f4c07f989aaabb356b593f77d9fabe832947793 Mon Sep 17 00:00:00 2001 From: kkosowsk Date: Thu, 8 Apr 2021 17:50:27 +0200 Subject: [PATCH 16/27] replace luktom/ws with pragmaticcoders/ws replace assumer_role URL --- ecs/fargate-ssh-server/variables.tf | 2 +- ecs/service/main.tf | 2 +- gitlab-runner-environment/ecs_service_runner.tf | 4 ++-- organizations/provisioner_role.tf | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 5308047..220d6e8 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf 
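Review bot: `output=$(aws sts assume-role ...)` is never checked, so when the call fails (expired source credentials, missing permission) the script still prints `role $ROLE_ARN assumed` and exports three empty variables, and the caller continues with whatever credentials were in the environment before, which is the opposite of what a sourced assume-role helper should do. The `return` on the empty-`ROLE_ARN` path only works when the file is sourced; run directly, bash reports an error and falls through to `aws sts assume-role --role-arn ""`. The `jq -c | tr -d '"' | tr -d ' '` chain can be replaced by `jq -r`, and a fixed `--role-session-name "assumed-role"` makes every CloudTrail AssumeRole event look identical, so a caller-supplied session name (`ROLE_SESSION_NAME` below is a suggested new input, not an existing one) gives the event an attributable actor. The fenced lines replace everything after the guard.
```shell
# … unchanged: shebang and the empty-ROLE_ARN guard …

echo "==> assuming role $ROLE_ARN"
session_name="${ROLE_SESSION_NAME:-assumed-role}"
if ! output=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$session_name"); then
  echo "==> failed to assume role $ROLE_ARN" >&2
  return 1 2>/dev/null || exit 1
fi

echo "==> role $ROLE_ARN assumed"
AWS_ACCESS_KEY_ID=$(printf '%s' "$output" | jq -r '.Credentials.AccessKeyId')
AWS_SECRET_ACCESS_KEY=$(printf '%s' "$output" | jq -r '.Credentials.SecretAccessKey')
AWS_SESSION_TOKEN=$(printf '%s' "$output" | jq -r '.Credentials.SessionToken')
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
```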
@@ -10,7 +10,7 @@ variable "cpu" { default = 256 } variable "memory" { default = 512 } variable "execution_role_arn" { default = "" } -variable "container_image" { default = "luktom/ws" } +variable "container_image" { default = "pragmaticcoders/ws" } variable "container_image_tag" { default = "latest" } variable "ssh_public_keys" { diff --git a/ecs/service/main.tf b/ecs/service/main.tf index 28b9a3a..230783b 100644 --- a/ecs/service/main.tf +++ b/ecs/service/main.tf @@ -131,7 +131,7 @@ resource "aws_ecs_task_definition" "task" { ), { name : "healthcheck" - image : "luktom/ws" + image : "pragmaticcoders/ws" essential : true healthCheck : { command : [ diff --git a/gitlab-runner-environment/ecs_service_runner.tf b/gitlab-runner-environment/ecs_service_runner.tf index 1112fe7..96587fe 100644 --- a/gitlab-runner-environment/ecs_service_runner.tf +++ b/gitlab-runner-environment/ecs_service_runner.tf @@ -74,7 +74,7 @@ if [ ! -f /data/config.toml ]; then --template-config /data/template.toml \ --config /data/config.toml \ --executor docker+machine \ - --docker-image luktom/ws \ + --docker-image pragmaticcoders/ws \ --tag-list "${join(",", var.gitlab_runner_tags)}" \ --run-untagged=true \ --locked=false @@ -121,7 +121,7 @@ resource "aws_ecs_task_definition" "gitlab_runner_manager" { container_definitions = jsonencode([ { name : "app", - image : "luktom/ws", + image : "pragmaticcoders/ws", essential : true, user : "root", entryPoint : [ diff --git a/organizations/provisioner_role.tf b/organizations/provisioner_role.tf index 025632d..86197bb 100644 --- a/organizations/provisioner_role.tf +++ b/organizations/provisioner_role.tf 
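Review bot: `image : "pragmaticcoders/ws"` in the `healthcheck` container of `ecs/service/main.tf` and `--docker-image pragmaticcoders/ws` / `image : "pragmaticcoders/ws"` in `gitlab-runner-environment/ecs_service_runner.tf` carry no tag, so every task start pulls whatever `latest` currently is from Docker Hub, and the runner executes CI jobs inside it; a silent image change on the registry changes what runs in the pipelines. Pin these to a tag at minimum, and preferably a digest (`pragmaticcoders/ws@sha256:<digest-from-registry>`), the way `ecs/fargate-ssh-server` already separates `container_image` from `container_image_tag`. The rename itself is fine; the pin is the missing piece.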
@@ -7,12 +7,12 @@ echo "Creating provisioner role for arn:${data.aws_partition.current.partition}: echo "==> Assuming role on master" ROLE_ARN="arn:${data.aws_partition.current.partition}:iam::$MASTER_ACCOUNT_ID:role/ci-provisioner" -curl -s -o assume-role.sh https://gitlab.com/luktom/ci/-/raw/master/scripts/assume-role.sh && . assume-role.sh +curl -s -o assume-role.sh https://raw.githubusercontent.com/pragmaticcoders/terraform-modules/master/scripts/assume-role.sh && . assume-role.sh echo "==> Assuming role on $SLAVE_ACCOUNT_NAME" ROLE_ARN="arn:${data.aws_partition.current.partition}:iam::$SLAVE_ACCOUNT_ID:role/OrganizationAccountAccessRole" -curl -s -o assume-role.sh https://gitlab.com/luktom/ci/-/raw/master/scripts/assume-role.sh && . assume-role.sh +curl -s -o assume-role.sh https://raw.githubusercontent.com/pragmaticcoders/terraform-modules/master/scripts/assume-role.sh && . assume-role.sh echo "==> Checking if provisioner role exists" From 670fef3d925ed3c4c4688d28504fcf1f4b84d457 Mon Sep 17 00:00:00 2001 From: alex Date: Fri, 9 Apr 2021 09:22:35 +0200 Subject: [PATCH 17/27] fix fargate-ssh-server securitygroup cidr --- ecs/fargate-ssh-server-sg/data.tf | 1 + ecs/fargate-ssh-server-sg/main.tf | 182 +++++++++++++++++++++++++ ecs/fargate-ssh-server-sg/output.tf | 3 + ecs/fargate-ssh-server-sg/variables.tf | 39 ++++++ 4 files changed, 225 insertions(+) create mode 100644 ecs/fargate-ssh-server-sg/data.tf create mode 100644 ecs/fargate-ssh-server-sg/main.tf create mode 100644 ecs/fargate-ssh-server-sg/output.tf create mode 100644 ecs/fargate-ssh-server-sg/variables.tf diff --git a/ecs/fargate-ssh-server-sg/data.tf b/ecs/fargate-ssh-server-sg/data.tf new file mode 100644 index 0000000..2502393 --- /dev/null +++ b/ecs/fargate-ssh-server-sg/data.tf @@ -0,0 +1 @@ +data "aws_region" "current" {} diff --git a/ecs/fargate-ssh-server-sg/main.tf b/ecs/fargate-ssh-server-sg/main.tf new file mode 100644 index 0000000..d95988e --- /dev/null 
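Review bot: The two `curl -s -o assume-role.sh https://raw.githubusercontent.com/.../master/scripts/assume-role.sh && . assume-role.sh` lines fetch and source a script from a mutable branch at provisioning time with no integrity check, and `curl -s` without `-f` writes an HTML error page to `assume-role.sh` on a 404 or rate limit and then sources it, because `&&` only sees curl's exit code, which is 0 for an HTTP error. Now that the script lives in this repository (patch 15 adds `scripts/assume-role.sh`), embed the local copy with `file("${path.module}/../scripts/assume-role.sh")`, or pin the URL to a commit SHA instead of `master` and use `curl -fsSL`. A downloaded script that runs with the master-account provisioner credentials is exactly the place where a pin matters. The surrounding script starts and ends outside the hunk.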
+++ b/ecs/fargate-ssh-server-sg/main.tf 
@@ -0,0 +1,182 @@ +resource "aws_ecs_service" "service" { + name = var.name + cluster = var.cluster_arn + task_definition = aws_ecs_task_definition.task.arn + desired_count = var.initial_desired_count + platform_version = "1.4.0" + + network_configuration { + assign_public_ip = var.assign_public_ip + security_groups = [ + module.sg.id, + ] + subnets = var.subnet_ids + } + + dynamic "service_registries" { + for_each = var.service_discovery_namespace_id == "" ? [] : [""] + content { + container_name = "app" + registry_arn = aws_service_discovery_service.service[0].arn + container_port = var.service_port + } + } + + capacity_provider_strategy { + base = 0 + capacity_provider = "FARGATE_SPOT" + weight = 1 + } + + # lifecycle { + # ignore_changes = [ + # desired_count, + # ] + # } +} + +resource "aws_service_discovery_service" "service" { + count = var.service_discovery_namespace_id == "" ? 0 : 1 + + name = var.name + + dns_config { + namespace_id = var.service_discovery_namespace_id + + dns_records { + ttl = 10 + type = "A" + } + + dns_records { + ttl = 10 + type = "SRV" + } + + routing_policy = "MULTIVALUE" + } +} + +module "sg" { + source = "github.com/pragmaticcoders/terraform-modules/sg" + + name = "ecs-service-${var.name}" + vpc_id = var.vpc_id + ports = [ + var.service_port, + ] + + cidr_blocks = [ + var.cidr_block, + ] + +} + +resource "aws_cloudwatch_log_group" "service" { + name = "/ecs/service/${var.name}" + retention_in_days = var.logs_retention_days +} + +resource "aws_ecs_task_definition" "task" { + family = var.name + network_mode = "awsvpc" + cpu = var.cpu + memory = var.memory + execution_role_arn = var.execution_role_arn + # task_role_arn = module.task_role.arn + requires_compatibilities = [ + "FARGATE", + ] + + container_definitions = jsonencode([ + merge({ + name : "app" + image : "${var.container_image}:${var.container_image_tag}" + essential : true + portMappings : [ + { + hostPort : var.service_port + protocol : "tcp" + containerPort : 
var.service_port + }, + ] + environment : concat([ + ], [ + for k, v in var.environment : { + name : k + value : v + } + ]) + secrets : concat([ + ], [ + for k, v in var.secrets : { + name : k + valueFrom : v + } + ]) + entryPoint : [ + "/usr/bin/sudo", + "-E", + "/bin/bash", + "-c", + ] + command : [ + join(" && ", [ + "apk add --update openssh", + "ssh-keygen -A", + "sed -i \"s/.*PermitRootLogin.*/PermitRootLogin without-password/g\" /etc/ssh/sshd_config", + "sed -i \"s/.*PasswordAuthentication.*/PasswordAuthentication no/g\" /etc/ssh/sshd_config", + "sed -i \"s/.*AllowTcpForwarding.*/AllowTcpForwarding yes/g\" /etc/ssh/sshd_config", + "mkdir -p /root/.ssh", + "echo \"${join("\n", var.ssh_public_keys)}\" > /root/.ssh/authorized_keys", + "echo \"${join("\n", formatlist("command=\\\"/bin/tunnel\\\" %s", var.tunnel_only_ssh_public_keys))}\" >> /root/.ssh/authorized_keys", + "echo \"Authorized keys:\"", + "cat /root/.ssh/authorized_keys", + "chmod 700 /root/.ssh", + "chmod 600 /root/.ssh/authorized_keys", + "echo \"root:root\" | chpasswd", + "echo -n > /etc/motd", + "echo \"#!/bin/bash\" > /bin/tunnel", + "echo \"echo You can now establish a connection using ssh tunnel.\" >> /bin/tunnel", + "echo \"echo Hit Ctrl+C to terminate.\" >> /bin/tunnel", + "echo \"while true\" >> /bin/tunnel", + "echo \"do\" >> /bin/tunnel", + "echo \" sleep 100\" >> /bin/tunnel", + "echo \"done\" >> /bin/tunnel", + "chmod +x /bin/tunnel", + "/usr/sbin/sshd -D", + ]) + ] + logConfiguration : { + logDriver : "awslogs" + options : { + awslogs-group : aws_cloudwatch_log_group.service.name + awslogs-region : data.aws_region.current.name + awslogs-stream-prefix : "app" + } + }, + }, var.efs_filesystem_id == "" ? {} : { + mountPoints : [ + { + sourceVolume : "efs" + containerPath : "/mnt/efs" + } + ] + }) + ]) + + dynamic "volume" { + for_each = var.efs_filesystem_id == "" ? 
[] : [""] + content { + name = "efs" + efs_volume_configuration { + file_system_id = var.efs_filesystem_id + root_directory = "/" + } + } + } + + lifecycle { + create_before_destroy = true + } +} diff --git a/ecs/fargate-ssh-server-sg/output.tf b/ecs/fargate-ssh-server-sg/output.tf new file mode 100644 index 0000000..d98a819 --- /dev/null +++ b/ecs/fargate-ssh-server-sg/output.tf @@ -0,0 +1,3 @@ +output "security_group_id" { + value = module.sg.id +} diff --git a/ecs/fargate-ssh-server-sg/variables.tf b/ecs/fargate-ssh-server-sg/variables.tf new file mode 100644 index 0000000..263da7d --- /dev/null +++ b/ecs/fargate-ssh-server-sg/variables.tf @@ -0,0 +1,39 @@ +variable "name" { default = "ssh-server" } +variable "cluster_arn" {} +variable "initial_desired_count" { default = 1 } +variable "assign_public_ip" { default = true } +variable "subnet_ids" {} +variable "service_port" { default = 22 } +variable "vpc_id" {} + +variable "cpu" { default = 256 } +variable "memory" { default = 512 } +variable "execution_role_arn" { default = "" } + +variable "container_image" { default = "luktom/ws" } +variable "container_image_tag" { default = "latest" } + +variable "ssh_public_keys" { + type = list + default = [] +} +variable "tunnel_only_ssh_public_keys" { + type = list + default = [] +} + +variable "logs_retention_days" { default = 7 } +variable "environment" { + type = map + default = {} +} +variable "secrets" { + type = map + default = {} +} +variable "efs_filesystem_id" { default = "" } +variable "notifications_sns_topic_arn" { default = "" } + +variable "service_discovery_namespace_id" { default = "" } + +variable cidr_block { default = "" } From 1de8a1aa8a7bfab7500048bd09e146f70b203726 Mon Sep 17 00:00:00 2001 
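Review bot: The container `command` runs `echo "root:root" | chpasswd`, giving the container's root account a known password; `PasswordAuthentication no` keeps it off SSH, but any other path into the container (ECS Exec, a process running as a non-root user) can use it, and nothing in the file explains why the password is set at all. If it exists only because `sudo`/`su` needs one, say so in a comment; otherwise drop the line, since `PermitRootLogin without-password` with the `authorized_keys` entries is the intended access path. `module "sg"` pulls `github.com/pragmaticcoders/terraform-modules/sg` with no `?ref=`, so the security-group rules this service depends on track that repository's default branch; pin to a tag or commit. `ssh_public_keys` and `tunnel_only_ssh_public_keys` are interpolated into a shell string executed via `sudo -E /bin/bash -c`, so they have to be treated as trusted operator input; on Terraform 0.13+ a `validation` block rejecting entries that contain `"` or `$` would make that explicit. Patch 18 deletes this module again, so the same points apply to the `ecs/fargate-ssh-server` module it was copied from, whose patch 18 changes fall outside this view.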
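Review bot: `variable cidr_block { default = "" }` feeds `cidr_blocks = [var.cidr_block]` in `module "sg"`, so leaving it unset passes an empty string where a CIDR is expected and the apply is likely to fail inside the security-group module rather than at plan time with a clear message; make it required (`variable "cidr_block" {}`) or, if "no ingress" is a valid configuration, pass `compact([var.cidr_block])` and say so in a `description`. `variable "container_image" { default = "luktom/ws" }` reintroduces the image name that the previous commit (patch 16) replaced with `pragmaticcoders/ws` everywhere else, and `assign_public_ip = true` by default puts an SSH entry point on a public IP unless the caller opts out; both deserve either the opposite default or a comment. The `list`/`map` constraints on `ssh_public_keys`, `tunnel_only_ssh_public_keys`, `environment` and `secrets` lack element types (`list(string)`, `map(string)`).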
From: alex Date: Fri, 9 Apr 2021 11:38:25 +0200 Subject: [PATCH 18/27] fix fargate-ssh-server securitygroup cidr - fix --- ecs/fargate-ssh-server-sg/data.tf | 1 - ecs/fargate-ssh-server-sg/main.tf | 182 ------------------------- ecs/fargate-ssh-server-sg/output.tf | 3 - ecs/fargate-ssh-server-sg/variables.tf | 39 ------ ecs/fargate-ssh-server/main.tf | 7 +- ecs/fargate-ssh-server/variables.tf | 4 +- 6 files changed, 9 insertions(+), 227 deletions(-) delete mode 100644 ecs/fargate-ssh-server-sg/data.tf delete mode 100644 ecs/fargate-ssh-server-sg/main.tf delete mode 100644 ecs/fargate-ssh-server-sg/output.tf delete mode 100644 ecs/fargate-ssh-server-sg/variables.tf diff --git a/ecs/fargate-ssh-server-sg/data.tf b/ecs/fargate-ssh-server-sg/data.tf deleted file mode 100644 index 2502393..0000000 --- a/ecs/fargate-ssh-server-sg/data.tf +++ /dev/null @@ -1 +0,0 @@ -data "aws_region" "current" {} diff --git a/ecs/fargate-ssh-server-sg/main.tf b/ecs/fargate-ssh-server-sg/main.tf deleted file mode 100644 index d95988e..0000000 --- a/ecs/fargate-ssh-server-sg/main.tf +++ /dev/null 
@@ -1,182 +0,0 @@ -resource "aws_ecs_service" "service" { - name = var.name - cluster = var.cluster_arn - task_definition = aws_ecs_task_definition.task.arn - desired_count = var.initial_desired_count - platform_version = "1.4.0" - - network_configuration { - assign_public_ip = var.assign_public_ip - security_groups = [ - module.sg.id, - ] - subnets = var.subnet_ids - } - - dynamic "service_registries" { - for_each = var.service_discovery_namespace_id == "" ? [] : [""] - content { - container_name = "app" - registry_arn = aws_service_discovery_service.service[0].arn - container_port = var.service_port - } - } - - capacity_provider_strategy { - base = 0 - capacity_provider = "FARGATE_SPOT" - weight = 1 - } - - # lifecycle { - # ignore_changes = [ - # desired_count, - # ] - # } -} - -resource "aws_service_discovery_service" "service" { - count = var.service_discovery_namespace_id == "" ? 0 : 1 - - name = var.name - - dns_config { - namespace_id = var.service_discovery_namespace_id - - dns_records { - ttl = 10 - type = "A" - } - - dns_records { - ttl = 10 - type = "SRV" - } - - routing_policy = "MULTIVALUE" - } -} - -module "sg" { - source = "github.com/pragmaticcoders/terraform-modules/sg" - - name = "ecs-service-${var.name}" - vpc_id = var.vpc_id - ports = [ - var.service_port, - ] - - cidr_blocks = [ - var.cidr_block, - ] - -} - -resource "aws_cloudwatch_log_group" "service" { - name = "/ecs/service/${var.name}" - retention_in_days = var.logs_retention_days -} - -resource "aws_ecs_task_definition" "task" { - family = var.name - network_mode = "awsvpc" - cpu = var.cpu - memory = var.memory - execution_role_arn = var.execution_role_arn - # task_role_arn = module.task_role.arn - requires_compatibilities = [ - "FARGATE", - ] - - container_definitions = jsonencode([ - merge({ - name : "app" - image : "${var.container_image}:${var.container_image_tag}" - essential : true - portMappings : [ - { - hostPort : var.service_port - protocol : "tcp" - containerPort : 
var.service_port - }, - ] - environment : concat([ - ], [ - for k, v in var.environment : { - name : k - value : v - } - ]) - secrets : concat([ - ], [ - for k, v in var.secrets : { - name : k - valueFrom : v - } - ]) - entryPoint : [ - "/usr/bin/sudo", - "-E", - "/bin/bash", - "-c", - ] - command : [ - join(" && ", [ - "apk add --update openssh", - "ssh-keygen -A", - "sed -i \"s/.*PermitRootLogin.*/PermitRootLogin without-password/g\" /etc/ssh/sshd_config", - "sed -i \"s/.*PasswordAuthentication.*/PasswordAuthentication no/g\" /etc/ssh/sshd_config", - "sed -i \"s/.*AllowTcpForwarding.*/AllowTcpForwarding yes/g\" /etc/ssh/sshd_config", - "mkdir -p /root/.ssh", - "echo \"${join("\n", var.ssh_public_keys)}\" > /root/.ssh/authorized_keys", - "echo \"${join("\n", formatlist("command=\\\"/bin/tunnel\\\" %s", var.tunnel_only_ssh_public_keys))}\" >> /root/.ssh/authorized_keys", - "echo \"Authorized keys:\"", - "cat /root/.ssh/authorized_keys", - "chmod 700 /root/.ssh", - "chmod 600 /root/.ssh/authorized_keys", - "echo \"root:root\" | chpasswd", - "echo -n > /etc/motd", - "echo \"#!/bin/bash\" > /bin/tunnel", - "echo \"echo You can now establish a connection using ssh tunnel.\" >> /bin/tunnel", - "echo \"echo Hit Ctrl+C to terminate.\" >> /bin/tunnel", - "echo \"while true\" >> /bin/tunnel", - "echo \"do\" >> /bin/tunnel", - "echo \" sleep 100\" >> /bin/tunnel", - "echo \"done\" >> /bin/tunnel", - "chmod +x /bin/tunnel", - "/usr/sbin/sshd -D", - ]) - ] - logConfiguration : { - logDriver : "awslogs" - options : { - awslogs-group : aws_cloudwatch_log_group.service.name - awslogs-region : data.aws_region.current.name - awslogs-stream-prefix : "app" - } - }, - }, var.efs_filesystem_id == "" ? {} : { - mountPoints : [ - { - sourceVolume : "efs" - containerPath : "/mnt/efs" - } - ] - }) - ]) - - dynamic "volume" { - for_each = var.efs_filesystem_id == "" ? 
[] : [""] - content { - name = "efs" - efs_volume_configuration { - file_system_id = var.efs_filesystem_id - root_directory = "/" - } - } - } - - lifecycle { - create_before_destroy = true - } -} diff --git a/ecs/fargate-ssh-server-sg/output.tf b/ecs/fargate-ssh-server-sg/output.tf deleted file mode 100644 index d98a819..0000000 --- a/ecs/fargate-ssh-server-sg/output.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "security_group_id" { - value = module.sg.id -} diff --git a/ecs/fargate-ssh-server-sg/variables.tf b/ecs/fargate-ssh-server-sg/variables.tf deleted file mode 100644 index 263da7d..0000000 --- a/ecs/fargate-ssh-server-sg/variables.tf +++ /dev/null @@ -1,39 +0,0 @@ -variable "name" { default = "ssh-server" } -variable "cluster_arn" {} -variable "initial_desired_count" { default = 1 } -variable "assign_public_ip" { default = true } -variable "subnet_ids" {} -variable "service_port" { default = 22 } -variable "vpc_id" {} - -variable "cpu" { default = 256 } -variable "memory" { default = 512 } -variable "execution_role_arn" { default = "" } - -variable "container_image" { default = "luktom/ws" } -variable "container_image_tag" { default = "latest" } - -variable "ssh_public_keys" { - type = list - default = [] -} -variable "tunnel_only_ssh_public_keys" { - type = list - default = [] -} - -variable "logs_retention_days" { default = 7 } -variable "environment" { - type = map - default = {} -} -variable "secrets" { - type = map - default = {} -} -variable "efs_filesystem_id" { default = "" } -variable "notifications_sns_topic_arn" { default = "" } - -variable "service_discovery_namespace_id" { default = "" } - -variable cidr_block { default = "" } diff --git a/ecs/fargate-ssh-server/main.tf b/ecs/fargate-ssh-server/main.tf index 2e89f7b..d95988e 100644 --- a/ecs/fargate-ssh-server/main.tf +++ b/ecs/fargate-ssh-server/main.tf 
@@ -58,13 +58,18 @@ resource "aws_service_discovery_service" "service" { } module "sg" { - source = "github.com/tomaszkiewicz/terraform-modules/sg" + source = "github.com/pragmaticcoders/terraform-modules/sg" name = "ecs-service-${var.name}" vpc_id = var.vpc_id ports = [ var.service_port, ] + + cidr_blocks = [ + var.cidr_block, + ] + } resource "aws_cloudwatch_log_group" "service" { diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 5308047..79d1fa2 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf @@ -10,7 +10,7 @@ variable "cpu" { default = 256 } variable "memory" { default = 512 } variable "execution_role_arn" { default = "" } -variable "container_image" { default = "luktom/ws" } +variable "container_image" { default = "pragmaticcoders/ws" } variable "container_image_tag" { default = "latest" } variable "ssh_public_keys" { @@ -35,3 +35,5 @@ variable "efs_filesystem_id" { default = "" } variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } + +variable cidr_block { default = "" } \ No newline at end of file From c6def29463ff445be0254cf659557fc70a1f20f5 Mon Sep 17 00:00:00 2001 From: alex Date: Fri, 9 Apr 2021 11:41:22 +0200 Subject: [PATCH 19/27] fix fargate-ssh-server securitygroup cidr - fix fmt --- ecs/fargate-ssh-server/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 79d1fa2..a4f2cbe 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf 
@@ -14,21 +14,21 @@ variable "container_image" { default = "pragmaticcoders/ws" } variable "container_image_tag" { default = "latest" } variable "ssh_public_keys" { - type = list + type = list(any) default = [] } variable "tunnel_only_ssh_public_keys" { - type = list + type = list(any) default = [] } variable "logs_retention_days" { default = 7 } variable "environment" { - type = map + type = map(any) default = {} } variable "secrets" { - type = map + type = map(any) default = {} } variable "efs_filesystem_id" { default = "" } @@ -36,4 +36,4 @@ variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } -variable cidr_block { default = "" } \ No newline at end of file +variable "cidr_block" { default = "" } \ No newline at end of file From 24142629e1de5d2fa104d54fcc18453ce3cd91b3 Mon Sep 17 00:00:00 2001 From: apukocz-pc <81754448+apukocz-pc@users.noreply.github.com> Date: Fri, 9 Apr 2021 12:06:47 +0200 Subject: [PATCH 20/27] fix fargate-ssh-server securitygroup cidr (#16) * fix fargate-ssh-server securitygroup cidr * fix fargate-ssh-server securitygroup cidr - fix * fix fargate-ssh-server securitygroup cidr - fix fmt Co-authored-by: alex --- ecs/fargate-ssh-server/main.tf | 7 ++++++- ecs/fargate-ssh-server/variables.tf | 10 ++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ecs/fargate-ssh-server/main.tf b/ecs/fargate-ssh-server/main.tf index 2e89f7b..d95988e 100644 --- a/ecs/fargate-ssh-server/main.tf +++ b/ecs/fargate-ssh-server/main.tf @@ -58,13 +58,18 @@ resource "aws_service_discovery_service" "service" { } module "sg" { - source = "github.com/tomaszkiewicz/terraform-modules/sg" + source = "github.com/pragmaticcoders/terraform-modules/sg" name = "ecs-service-${var.name}" vpc_id = var.vpc_id ports = [ var.service_port, ] + + cidr_blocks = [ + var.cidr_block, + ] + } resource "aws_cloudwatch_log_group" "service" { 
diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 220d6e8..a4f2cbe 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf @@ -14,24 +14,26 @@ variable "container_image" { default = "pragmaticcoders/ws" } variable "container_image_tag" { default = "latest" } variable "ssh_public_keys" { - type = list + type = list(any) default = [] } variable "tunnel_only_ssh_public_keys" { - type = list + type = list(any) default = [] } variable "logs_retention_days" { default = 7 } variable "environment" { - type = map + type = map(any) default = {} } variable "secrets" { - type = map + type = map(any) default = {} } variable "efs_filesystem_id" { default = "" } variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } + +variable "cidr_block" { default = "" } \ No newline at end of file From 08544d9a9b35b3af459857e4cc2270426696576b Mon Sep 17 00:00:00 2001 From: alex Date: Fri, 9 Apr 2021 13:49:51 +0200 Subject: [PATCH 21/27] fix fargate-ssh-server securitygroup cidr - cidr list --- ecs/fargate-ssh-server/variables.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index a4f2cbe..04fbdf7 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf @@ -36,4 +36,7 @@ variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } -variable "cidr_block" { default = "" } \ No newline at end of file +variable "cidr_blocks" { + type = list(string) + default = ["0.0.0.0/0"] +} \ No newline at end of file From 681f4733709e8c89bc1654868b8fc195bbc960e5 Mon Sep 17 00:00:00 2001 
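Review bot: The new `cidr_blocks` default of `["0.0.0.0/0"]` in the PATCH 21 hunk opens the service's security group ingress to every source address, and since this module is an SSH server (its `service_port` defaults to 22 in the sibling copy of this file deleted in PATCH 18) that is world-reachable SSH unless every caller overrides it. An ingress allow-list should not carry a permissive default: drop the default so callers must state it, `variable "cidr_blocks" { type = list(string) }`, or default to `[]`, and document that an empty list means no external ingress. The same default is carried unchanged through the renames in the next two patches (`cidr_block` in PATCH 22, back to `cidr_blocks` in PATCH 23), each of which also breaks any caller that set the variable under the other name, so whichever name is final deserves a comment saying why it is a list.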
From: alex Date: Fri, 9 Apr 2021 16:21:45 +0200 Subject: [PATCH 22/27] fix fargate-ssh-server securitygroup cidr - cidr list str --- ecs/fargate-ssh-server/main.tf | 4 +--- ecs/fargate-ssh-server/variables.tf | 2 +- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/ecs/fargate-ssh-server/main.tf b/ecs/fargate-ssh-server/main.tf index d95988e..d54dbcf 100644 --- a/ecs/fargate-ssh-server/main.tf +++ b/ecs/fargate-ssh-server/main.tf @@ -66,9 +66,7 @@ module "sg" { var.service_port, ] - cidr_blocks = [ - var.cidr_block, - ] + cidr_blocks = var.cidr_block } diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 04fbdf7..535b6df 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf @@ -36,7 +36,7 @@ variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } -variable "cidr_blocks" { +variable "cidr_block" { type = list(string) default = ["0.0.0.0/0"] } \ No newline at end of file From c89cdf22a71effb1663475a39eda5f61139950ac Mon Sep 17 00:00:00 2001 From: apukocz-pc <81754448+apukocz-pc@users.noreply.github.com> Date: Mon, 12 Apr 2021 11:00:02 +0200 Subject: [PATCH 23/27] fix fargate-ssh-server securitygroup cidr - cidr blocks (#19) Co-authored-by: alex --- ecs/fargate-ssh-server/main.tf | 2 +- ecs/fargate-ssh-server/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ecs/fargate-ssh-server/main.tf b/ecs/fargate-ssh-server/main.tf index d54dbcf..c45f8e3 100644 --- a/ecs/fargate-ssh-server/main.tf +++ b/ecs/fargate-ssh-server/main.tf @@ -66,7 +66,7 @@ module "sg" { var.service_port, ] - cidr_blocks = var.cidr_block + cidr_blocks = var.cidr_blocks } diff --git a/ecs/fargate-ssh-server/variables.tf b/ecs/fargate-ssh-server/variables.tf index 535b6df..04fbdf7 100644 --- a/ecs/fargate-ssh-server/variables.tf +++ b/ecs/fargate-ssh-server/variables.tf 
@@ -36,7 +36,7 @@ variable "notifications_sns_topic_arn" { default = "" } variable "service_discovery_namespace_id" { default = "" } -variable "cidr_block" { +variable "cidr_blocks" { type = list(string) default = ["0.0.0.0/0"] } \ No newline at end of file From 2686c8053909ef9025d24a65d1d4d28902b35cdc Mon Sep 17 00:00:00 2001 From: alex Date: Fri, 16 Apr 2021 14:02:27 +0200 Subject: [PATCH 24/27] fix vpc flow logs enable/disable --- security/vpc-flow-logs/main.tf | 40 ++++++++++++++++++++++++++++++++++ vpc/main.tf | 6 +++++ vpc/variables.tf | 4 ++++ 3 files changed, 50 insertions(+) create mode 100644 security/vpc-flow-logs/main.tf diff --git a/security/vpc-flow-logs/main.tf b/security/vpc-flow-logs/main.tf new file mode 100644 index 0000000..5cc93e7 --- /dev/null +++ b/security/vpc-flow-logs/main.tf @@ -0,0 +1,40 @@ +variable "tenant" {} + +module "bucket" { + source = "../../s3/simple-bucket" + + bucket = "${var.tenant}-vpc-flow-logs" + versioning_enabled = true + + policy = < Date: Fri, 16 Apr 2021 14:04:38 +0200 Subject: [PATCH 25/27] fix vpc flow logs enable/disable fmt --- vpc/main.tf | 2 +- vpc/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vpc/main.tf b/vpc/main.tf index b6f3a55..981b766 100644 --- a/vpc/main.tf +++ b/vpc/main.tf @@ -47,6 +47,6 @@ module "vpc" { enable_flow_log = var.enable_flow_log flow_log_destination_type = var.flow_log_destination_type flow_log_destination_arn = var.flow_log_destination_arn - flow_log_traffic_type = var.flow_log_traffic_type + flow_log_traffic_type = var.flow_log_traffic_type } diff --git a/vpc/variables.tf b/vpc/variables.tf index bda45ad..b20e311 100644 --- a/vpc/variables.tf +++ b/vpc/variables.tf 
@@ -6,6 +6,6 @@ variable "enable_nat_gateway" { default = false } variable "enable_ipv6" { default = false } variable "max_azs" { default = 3 } variable "enable_flow_log" { default = false } -variable "flow_log_destination_type" { default = "" } +variable "flow_log_destination_type" { default = "" } variable "flow_log_destination_arn" { default = "" } variable "flow_log_traffic_type" { default = "ALL" } From d734070c3cb98a6f8040563e9b236d5365b36318 Mon Sep 17 00:00:00 2001 From: apukocz-pc <81754448+apukocz-pc@users.noreply.github.com> Date: Tue, 27 Apr 2021 11:26:20 +0200 Subject: [PATCH 26/27] fix ecs-cluster (#21) Co-authored-by: alex --- ecs/cluster/output.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ecs/cluster/output.tf b/ecs/cluster/output.tf index ed1c12d..6044bcc 100644 --- a/ecs/cluster/output.tf +++ b/ecs/cluster/output.tf @@ -1,17 +1,17 @@ output "cluster_id" { - value = module.ecs.this_ecs_cluster_id + value = module.ecs.ecs_cluster_id } output "id" { - value = module.ecs.this_ecs_cluster_id + value = module.ecs.ecs_cluster_id } output "cluster_arn" { - value = module.ecs.this_ecs_cluster_id + value = module.ecs.ecs_cluster_id } output "arn" { - value = module.ecs.this_ecs_cluster_id + value = module.ecs.ecs_cluster_id } output "cluster_name" { From 4ab582142273c4f07e0189bdca14f33f8d81ccee Mon Sep 17 00:00:00 2001 From: Mateusz Malec Date: Mon, 17 May 2021 12:23:31 +0200 Subject: [PATCH 27/27] [Tech] allow to specify WS throttling --- api-gateway-v2/websocket/main.tf | 4 ++++ api-gateway-v2/websocket/variables.tf | 2 ++ 2 files changed, 6 insertions(+) diff --git a/api-gateway-v2/websocket/main.tf b/api-gateway-v2/websocket/main.tf index 8fc9d11..3f4e9f0 100644 --- a/api-gateway-v2/websocket/main.tf +++ b/api-gateway-v2/websocket/main.tf 
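Review bot: In the ecs/cluster/output.tf hunk, `cluster_arn` and `arn` still return `module.ecs.ecs_cluster_id`, the same attribute as `cluster_id` and `id`, so all four outputs alias one value. That is only correct because the AWS provider uses the ECS cluster's ARN as its resource id, which a reader of this file cannot see; add `# ecs_cluster_id is the cluster ARN in the AWS provider, so the *_arn outputs alias it` above `cluster_arn`, or, if the upstream module exposes a dedicated ARN output, wire the two ARN outputs to that so the aliasing is not load-bearing. The rename from `this_ecs_cluster_id` suggests an upstream major-version change, so the module version pin (outside this hunk) should be checked in the same commit.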
@@ -31,6 +31,8 @@ resource "aws_apigatewayv2_route" "connect" { route_key = "$connect" operation_name = "ConnectRoute" target = "integrations/${aws_apigatewayv2_integration.connect.id}" + throttling_burst_limit = var.throttling_burst_limit + throttling_rate_limit = var.throttling_rate_limit } resource "aws_apigatewayv2_integration" "disconnect" { @@ -48,6 +50,8 @@ resource "aws_apigatewayv2_route" "disconnect" { route_key = "$disconnect" operation_name = "DisconnectRoute" target = "integrations/${aws_apigatewayv2_integration.disconnect.id}" + throttling_burst_limit = var.throttling_burst_limit + throttling_rate_limit = var.throttling_rate_limit } resource "aws_apigatewayv2_stage" "main" { diff --git a/api-gateway-v2/websocket/variables.tf b/api-gateway-v2/websocket/variables.tf index 9e5d7f1..5f09c60 100644 --- a/api-gateway-v2/websocket/variables.tf +++ b/api-gateway-v2/websocket/variables.tf @@ -6,3 +6,5 @@ variable "disconnect_lambda_invoke_arn" {} variable "domain_name" {} variable "dns_zone_id" {} variable "certificate_arn" {} +variable "throttling_burst_limit" {} +variable "throttling_rate_limit" {}
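Review bot: `throttling_burst_limit` and `throttling_rate_limit` are not arguments of `aws_apigatewayv2_route`; the AWS provider exposes per-route throttling through the `route_settings` block of `aws_apigatewayv2_stage` (and stage-wide defaults through `default_route_settings`), so both main.tf hunks will be rejected at validate time as written. Moving the two settings into the stage keeps the same variables and gives the intended per-route limits for `$connect` and `$disconnect`. The `aws_apigatewayv2_stage "main"` body lies outside the hunk, so only the added blocks are shown.
```hcl
resource "aws_apigatewayv2_stage" "main" {
  # … unchanged: existing stage arguments …

  # Per-route throttling lives on the stage, not on aws_apigatewayv2_route.
  route_settings {
    route_key              = "$connect"
    throttling_burst_limit = var.throttling_burst_limit
    throttling_rate_limit  = var.throttling_rate_limit
  }

  route_settings {
    route_key              = "$disconnect"
    throttling_burst_limit = var.throttling_burst_limit
    throttling_rate_limit  = var.throttling_rate_limit
  }
```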
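Review bot: In the variables.tf hunk the two new variables have no `default`, which turns them into required inputs and breaks every existing caller of the websocket module that does not pass them. Give them a null default so the previous behaviour (no throttling override) is preserved: `variable "throttling_burst_limit" { default = null }` and `variable "throttling_rate_limit" { default = null }`. A one-line comment on each stating the unit (the rate limit is requests per second, the burst limit a request count) would help callers choose values.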