Feat/ws throttling

alerts/common/main.tf

@@ -1,7 +1,7 @@
 variable "sns_topic_name" { default = "alerts" }
 
 resource "aws_sns_topic" "alerts" {
-  name = "alerts"
+  name = var.sns_topic_name
 }
 
 output "sns_topic_arn" {

alerts/opsgenie/main.tf

@@ -4,5 +4,5 @@ resource "aws_sns_topic_subscription" "opsgenie_alarm_notification_subscription"
   topic_arn              = var.sns_topic_arn
   protocol               = "https"
   endpoint_auto_confirms = true
-  endpoint               = "https://api.%{if var.eu_region}eu.%{endif}opsgenie.com/v1/json/cloudwatch?apiKey=${var.api_key}"
+  endpoint               = "https://api.%{if var.eu_region}eu.%{endif}opsgenie.com/v1/json/cloudwatch%{if var.cloudwatch_event}events%{endif}?apiKey=${var.api_key}"
 }

alerts/opsgenie/variables.tf

@@ -1,3 +1,4 @@
 variable "api_key" {}
 variable "eu_region" {default = false}
 variable "sns_topic_arn" {}
+variable "cloudwatch_event" { default = false }

api-gateway-v2/alerts/api_alerts.tf

@@ -0,0 +1,44 @@
+variable "notifications_sns_topic_arn" { default = "" }
+variable "api_name" { default = "" }
+variable "threshold" {default = 10}
+variable "period" {default = 60}
+variable "evaluation_periods" {default = 1}
+variable "alarm_name" {default = ""}
+
+resource "aws_cloudwatch_metric_alarm" "api-4xx" {
+  alarm_name                = "api-gateway-4xx-response.${var.alarm_name}"
+  alarm_description         = "This alarm monitors api 4xx response"
+  comparison_operator       = "GreaterThanThreshold"
+  evaluation_periods        = var.evaluation_periods
+  metric_name               = "4XXError"
+  namespace                 = "AWS/ApiGateway"
+  period                    = var.period
+  statistic                 = "Sum"
+  threshold                 = var.threshold
+  treat_missing_data        = "ignore"
+  alarm_actions             = [var.notifications_sns_topic_arn]
+  ok_actions                = [var.notifications_sns_topic_arn]
+  dimensions = {
+    ApiName = var.api_name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "api-5xx" {
+  alarm_name                = "api-gateway-5xx-response.${var.alarm_name}"
+  alarm_description         = "This alarm monitors api 5xx response"
+  comparison_operator       = "GreaterThanThreshold"
+  evaluation_periods        = var.evaluation_periods
+  metric_name               = "5XXError"
+  namespace                 = "AWS/ApiGateway"
+  period                    = var.period
+  statistic                 = "Sum"
+  threshold                 = var.threshold
+  treat_missing_data        = "ignore"
+  alarm_actions             = [var.notifications_sns_topic_arn]
+  ok_actions                = [var.notifications_sns_topic_arn]
+  dimensions = {
+    ApiName = var.api_name
+  }
+}
+
+

api-gateway-v2/any-route/main.tf

@@ -0,0 +1,5 @@
+resource "aws_apigatewayv2_route" "public" {
+  api_id               = var.api_id
+  route_key            = "${var.method} ${var.path}"
+  target               = "integrations/${var.integration_id}"
+}

api-gateway-v2/any-route/variables.tf

@@ -0,0 +1,4 @@
+variable "path" {}
+variable "method" { default = "ANY" }
+variable "api_id" {}
+variable "integration_id" {}

api-gateway-v2/jwt-auth-route-with-options/main.tf

@@ -0,0 +1,15 @@
+resource "aws_apigatewayv2_route" "auth_on" {
+  for_each             = toset(var.method)
+  api_id               = var.api_id
+  route_key            = "${each.key} ${var.path}"
+  target               = "integrations/${var.integration_id}"
+  authorization_scopes = var.authorization_scopes
+  authorizer_id        = var.authorizer_id
+  authorization_type   = "JWT"
+}
+
+resource "aws_apigatewayv2_route" "auth_off" {
+  api_id               = var.api_id
+  route_key            = "OPTIONS ${var.path}"
+  target               = "integrations/${var.integration_id}"
+}

api-gateway-v2/jwt-auth-route-with-options/variables.tf

@@ -0,0 +1,16 @@
+variable "path" {}
+variable "method"{
+  type = list
+  default = [
+  "GET","POST","DELETE","HEAD","PATCH","PUT"
+  ]
+}
+variable "api_id" {}
+variable "integration_id" {}
+variable "authorizer_id" {}
+variable "authorization_scopes" {
+  type = list
+  default = [
+    "aws.cognito.signin.user.admin",
+  ]
+}

api-gateway-v2/websocket/main.tf

@@ -31,6 +31,8 @@ resource "aws_apigatewayv2_route" "connect" {
   route_key      = "$connect"
   operation_name = "ConnectRoute"
   target         = "integrations/${aws_apigatewayv2_integration.connect.id}"
+  throttling_burst_limit   = var.throttling_burst_limit
+  throttling_rate_limit    = var.throttling_rate_limit
 }
 
 resource "aws_apigatewayv2_integration" "disconnect" {
@@ -48,6 +50,8 @@ resource "aws_apigatewayv2_route" "disconnect" {
   route_key      = "$disconnect"
   operation_name = "DisconnectRoute"
   target         = "integrations/${aws_apigatewayv2_integration.disconnect.id}"
+  throttling_burst_limit   = var.throttling_burst_limit
+  throttling_rate_limit    = var.throttling_rate_limit
 }
 
 resource "aws_apigatewayv2_stage" "main" {

api-gateway-v2/websocket/variables.tf

@@ -6,3 +6,5 @@ variable "disconnect_lambda_invoke_arn" {}
 variable "domain_name" {}
 variable "dns_zone_id" {}
 variable "certificate_arn" {}
+variable "throttling_burst_limit" {}
+variable "throttling_rate_limit" {}

api-gateway/alerts/api_alerts.tf

@@ -0,0 +1,44 @@
+variable "notifications_sns_topic_arn" { default = "" }
+variable "api_name" { default = "" }
+variable "threshold" {default = 10}
+variable "period" {default = 60}
+variable "evaluation_periods" {default = 1}
+variable "alarm_name" {default = ""}
+
+resource "aws_cloudwatch_metric_alarm" "api-4xx" {
+  alarm_name                = "api-gateway-4xx-response.${var.alarm_name}"
+  alarm_description         = "This alarm monitors api 4xx response"
+  comparison_operator       = "GreaterThanThreshold"
+  evaluation_periods        = var.evaluation_periods
+  metric_name               = "4XXError"
+  namespace                 = "AWS/ApiGateway"
+  period                    = var.period
+  statistic                 = "Sum"
+  threshold                 = var.threshold
+  treat_missing_data        = "ignore"
+  alarm_actions             = [var.notifications_sns_topic_arn]
+  ok_actions                = [var.notifications_sns_topic_arn]
+  dimensions = {
+    ApiName = var.api_name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "api-5xx" {
+  alarm_name                = "api-gateway-5xx-response.${var.alarm_name}"
+  alarm_description         = "This alarm monitors api 5xx response"
+  comparison_operator       = "GreaterThanThreshold"
+  evaluation_periods        = var.evaluation_periods
+  metric_name               = "5XXError"
+  namespace                 = "AWS/ApiGateway"
+  period                    = var.period
+  statistic                 = "Sum"
+  threshold                 = var.threshold
+  treat_missing_data        = "ignore"
+  alarm_actions             = [var.notifications_sns_topic_arn]
+  ok_actions                = [var.notifications_sns_topic_arn]
+  dimensions = {
+    ApiName = var.api_name
+  }
+}
+
+

api-gateway/base/output.tf

@@ -13,3 +13,7 @@ output "stage_name" {
 output "invoke_url" {
   value = aws_api_gateway_deployment.deployment.invoke_url
 }
+
+output "api_name" {
+  value = var.name
+}

api-gateway/lambda-single/output.tf

@@ -6,10 +6,18 @@ output "root_resource_id" {
   value = aws_api_gateway_rest_api.api.root_resource_id
 }
 
+output "proxy_resource_id" {
+  value = aws_api_gateway_resource.lambda.id
+}
+
 output "stage_name" {
   value = var.stage_name
 }
 
 output "invoke_url" {
   value = aws_api_gateway_deployment.deployment.invoke_url
 }
+
+output "api_name" {
+  value = var.name
+}

ci/account/variables.tf

@@ -5,9 +5,7 @@ variable "deployer_additional_principals" {
 }
 variable "provisioner_additional_principals" {
   type = list
-  default = [
-    "arn:aws:iam::492614697882:root",
-  ]
+  default = []
 }
 variable "deployer_policy" {
   default = <<EOF

ecs/cluster/output.tf

@@ -1,17 +1,17 @@
 output "cluster_id" {
-  value = module.ecs.this_ecs_cluster_id
+  value = module.ecs.ecs_cluster_id
 }
 
 output "id" {
-  value = module.ecs.this_ecs_cluster_id
+  value = module.ecs.ecs_cluster_id
 }
 
 output "cluster_arn" {
-  value = module.ecs.this_ecs_cluster_id
+  value = module.ecs.ecs_cluster_id
 }
 
 output "arn" {
-  value = module.ecs.this_ecs_cluster_id
+  value = module.ecs.ecs_cluster_id
 }
 
 output "cluster_name" {

ecs/fargate-ssh-server/main.tf

@@ -58,13 +58,16 @@ resource "aws_service_discovery_service" "service" {
 }
 
 module "sg" {
-  source = "github.com/tomaszkiewicz/terraform-modules/sg"
+  source = "github.com/pragmaticcoders/terraform-modules/sg"
 
   name   = "ecs-service-${var.name}"
   vpc_id = var.vpc_id
   ports = [
     var.service_port,
   ]
+
+  cidr_blocks = var.cidr_blocks
+
 }
 
 resource "aws_cloudwatch_log_group" "service" {

ecs/fargate-ssh-server/variables.tf

@@ -10,28 +10,33 @@ variable "cpu" { default = 256 }
 variable "memory" { default = 512 }
 variable "execution_role_arn" { default = "" }
 
-variable "container_image" { default = "luktom/ws" }
+variable "container_image" { default = "pragmaticcoders/ws" }
 variable "container_image_tag" { default = "latest" }
 
 variable "ssh_public_keys" {
-  type    = list
+  type    = list(any)
   default = []
 }
 variable "tunnel_only_ssh_public_keys" {
-  type    = list
+  type    = list(any)
   default = []
 }
 
 variable "logs_retention_days" { default = 7 }
 variable "environment" {
-  type    = map
+  type    = map(any)
   default = {}
 }
 variable "secrets" {
-  type    = map
+  type    = map(any)
   default = {}
 }
 variable "efs_filesystem_id" { default = "" }
 variable "notifications_sns_topic_arn" { default = "" }
 
 variable "service_discovery_namespace_id" { default = "" }
+
+variable "cidr_blocks" {
+  type    = list(string)
+  default = ["0.0.0.0/0"]
+}

ecs/service/main.tf

@@ -131,7 +131,7 @@ resource "aws_ecs_task_definition" "task" {
     ),
     {
       name : "healthcheck"
-      image : "luktom/ws"
+      image : "pragmaticcoders/ws"
       essential : true
       healthCheck : {
         command : [

eks/variable.tf

@@ -96,10 +96,10 @@ variable "map_users" {
   }))
 
   default = [
-    {
-      userarn  = "arn:aws:iam::492614697882:user/luktom"
-      username = "luktom"
-      groups   = ["system:masters"]
-    },
+//    {
+//      userarn  = "arn:aws:iam::492614697882:user/luktom"
+//      username = "luktom"
+//      groups   = ["system:masters"]
+//    },
   ]
 }

gitlab-runner-environment/ecs_service_runner.tf

@@ -74,7 +74,7 @@ if [ ! -f /data/config.toml ]; then
     --template-config /data/template.toml \
     --config /data/config.toml \
     --executor docker+machine \
-    --docker-image luktom/ws \
+    --docker-image pragmaticcoders/ws \
     --tag-list "${join(",", var.gitlab_runner_tags)}" \
     --run-untagged=true \
     --locked=false
@@ -121,7 +121,7 @@ resource "aws_ecs_task_definition" "gitlab_runner_manager" {
   container_definitions = jsonencode([
     {
       name : "app",
-      image : "luktom/ws",
+      image : "pragmaticcoders/ws",
       essential : true,
       user : "root",
       entryPoint : [

gitlab-tf-cloud-tenant/variables.tf

@@ -1,5 +1,5 @@
 variable "tenant" {}
-variable "mail_domain" { default = "luktom.net" }
+variable "mail_domain" { default = "pragmaticcoders.com" }
 variable "group_name" { default = "" }
 variable "group_path" { default = "" }
 variable "envs" {

organizations/provisioner_role.tf

@@ -7,12 +7,12 @@ echo "Creating provisioner role for arn:${data.aws_partition.current.partition}:
 echo "==> Assuming role on master"
 
 ROLE_ARN="arn:${data.aws_partition.current.partition}:iam::$MASTER_ACCOUNT_ID:role/ci-provisioner"
-curl -s -o assume-role.sh https://gitlab.com/luktom/ci/-/raw/master/scripts/assume-role.sh && . assume-role.sh
+curl -s -o assume-role.sh https://raw.githubusercontent.com/pragmaticcoders/terraform-modules/master/scripts/assume-role.sh && . assume-role.sh
 
 echo "==> Assuming role on $SLAVE_ACCOUNT_NAME"
 
 ROLE_ARN="arn:${data.aws_partition.current.partition}:iam::$SLAVE_ACCOUNT_ID:role/OrganizationAccountAccessRole"
-curl -s -o assume-role.sh https://gitlab.com/luktom/ci/-/raw/master/scripts/assume-role.sh && . assume-role.sh
+curl -s -o assume-role.sh https://raw.githubusercontent.com/pragmaticcoders/terraform-modules/master/scripts/assume-role.sh && . assume-role.sh
 
 echo "==> Checking if provisioner role exists"
 

rds/postgres/main.tf

@@ -4,6 +4,8 @@ module "database" {
 
   identifier = var.name
   name       = var.name
+  parameter_group_name = var.name
+  parameter_group_use_name_prefix = false
 
   engine               = "postgres"
   engine_version       = "11"

scripts/assume-role.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [[ -z "$ROLE_ARN" ]]; then
+  echo "==> skipping assume role as no role specified"
+  return
+fi
+
+echo "==> assuming role $ROLE_ARN"
+output=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "assumed-role")
+
+echo "==> role $ROLE_ARN assumed"
+export AWS_ACCESS_KEY_ID=$(echo $output | jq -c '.Credentials.AccessKeyId' | tr -d '"' | tr -d ' ')
+export AWS_SECRET_ACCESS_KEY=$(echo $output | jq -c '.Credentials.SecretAccessKey' | tr -d '"' | tr -d ' ')
+export AWS_SESSION_TOKEN=$(echo $output  | jq -c '.Credentials.SessionToken' | tr -d '"' | tr -d ' ')

security/cloudtrail/main.tf

@@ -51,7 +51,7 @@ resource "aws_cloudtrail" "organization" {
   # sns_topic_name                = "${data.terraform_remote_state.master.cloudtrail_events_sns_topic_arn}"
   enable_log_file_validation = true
   # kms_key_id                    = "${data.terraform_remote_state.master.kms_cloudtrail_arn["${var.account_name}"]}"
-  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail.arn
+  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
   cloud_watch_logs_role_arn  = module.role.iam_role_arn
 
   depends_on = [