Feature/v4 (#4)
- Add
  - added Synthetics Canary for Heartbeat.
  - added README-base-tfvars.md.
  - update aws provider >= 4.0.0.
- FIX
  - fixed modules for default tags.
  - fixed budgets module.
  - fixed cloudtrail module.
  - fixed s3 module for aws provider over 4.0.0.
- BUG
  - fixed ses metrics.
  - fixed metrics notification.
y-miyazaki authored Mar 18, 2022
1 parent b90bf56 commit 076451e
Showing 114 changed files with 6,824 additions and 473 deletions.
283 changes: 283 additions & 0 deletions README-base-tfvars.md
@@ -0,0 +1,283 @@
# How do we fix tfvars?

The example is [terraform.example.tfvars](terraform/base/terraform.example.tfvars). The following is a list of things that must be modified and things that should be modified when doing terraform apply for the first time.
If you need to adjust the parameters, you can do so by yourself by searching TODO.

- [Required](#required)
- [deploy_user](#deployuser)
- [region](#region)
- [support_iam_role_principal_arns](#supportiamroleprincipalarns)
- [Not Required](#not-required)
- [tags](#tags)
- [Slack](#slack)
- [is_enabled](#isenabled)

# Required

The following items must be modified; terraform apply will fail if you run it as an example.

## deploy_user

Specify a user to deploy Terraform that has been registered as an IAM user.
Of course, you can narrow down the permissions, but due to the large number of permissions required, give the user `Administrator Access` to deploy Terraform.

```
#--------------------------------------------------------------
# Deploy IAM user
#--------------------------------------------------------------
# TODO: need to change deploy IAM user.
deploy_user = "terraform"
```

## region

Select the region where you want to create the resource.

```
# TODO: need to change region.
region = "ap-northeast-1"
```

## support_iam_role_principal_arns

The following are the supporting IAM roles. If you are not sure, please specify your AWS Account ID once. For detailed documentation, please see

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#cis-1.20-remediation

```
# TODO: need to set principal role arn for Support IAM Role.
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#cis-1.20-remediation
support_iam_role_principal_arns = [
# example)
# "arn:aws:iam::{account id}:{iam user}"
"arn:aws:iam::999999999999:root"
]
```

# Not Required

Although terraform apply will succeed without fixing the following items, the following is a list of things that should be changed for each environment.

## tags

You can leave the following as it is without any problem. However, if you want to add TAGs to the resources according to your environment, please modify the following.

```
# TODO: need to change tags.
tags = {
# TODO: need to change env.
env = "dev"
# TODO: need to change service.
# service is project name or job name or product name.
service = "base"
}
```

## Slack

Basically, for notifications, you need an oauth access token from Slack and a specified channel ID.
If you can get it, please modify all of the following If there is no normal token and channel ID, you will not be notified, but the deployment itself will succeed.

```
# TODO: need to change SLACK_OAUTH_ACCESS_TOKEN.
SLACK_OAUTH_ACCESS_TOKEN = "xxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx"
# TODO: need to change SLACK_CHANNEL_ID.
SLACK_CHANNEL_ID = "XXXXXXXXXXXXXX"
```

## is_enabled

The variable for each function has is_enabled. If you do not want to use it as a function, you can disable it by specifying false.

- Budgets

```
#--------------------------------------------------------------
# Budgets
#--------------------------------------------------------------
budgets = {
# TODO: need to set is_enabled for settings of budgets.
is_enabled = true
```

- IAM

```
#--------------------------------------------------------------
# IAM: Users
#--------------------------------------------------------------
iam = {
# TODO: need to set is_enabled for settings of IAM.
is_enabled = true
```

- Compute Optimizer

```
#--------------------------------------------------------------
# Compute Optimizer
# AWS Compute Optimizer recommends optimal AWS resources for your workloads to reduce
# costs and improve performance by using machine learning to analyze historical utilization metrics.
# Over-provisioning resources can lead to unnecessary infrastructure cost, and under-provisioning resources
# can lead to poor application performance. Compute Optimizer helps you choose optimal configurations
# for three types of AWS resources: Amazon EC2 instances, Amazon EBS volumes, and AWS Lambda functions,
# based on your utilization data.
#--------------------------------------------------------------
compute_optimizer = {
# TODO: need to set is_enabled for settings of Compute Optimizer.
is_enabled = true
}
```

- Health

```
#--------------------------------------------------------------
# Health
#--------------------------------------------------------------
health = {
# TODO: need to set is_enabled for settings of AWS Health.
is_enabled = true
```

- Trusted Advisor

```
#--------------------------------------------------------------
# Trusted Advisor
#--------------------------------------------------------------
trusted_advisor = {
# TODO: need to set is_enabled for settings of Trusted Advisor.
// If you are not in a business or enterprise plan with a support plan, set is_enable to false as notifications will fail. If not, set it to true.
is_enabled = false
```

- Access Analyzer

```
#--------------------------------------------------------------
# Security:Access Analyzer
#--------------------------------------------------------------
security_access_analyzer = {
# TODO: need to set is_enabled for settings of Access Analyzer.
is_enabled = true
```

- Access Analyzer

```
#--------------------------------------------------------------
# Security:Access Analyzer
#--------------------------------------------------------------
security_access_analyzer = {
# TODO: need to set is_enabled for settings of Access Analyzer.
is_enabled = true
```

- CloudTrail

```
#--------------------------------------------------------------
# Security:CloudTrail
#--------------------------------------------------------------
security_cloudtrail = {
# TODO: need to set is_enabled for settings of CloudTrail.
is_enabled = true
```

- AWS Config

```
#--------------------------------------------------------------
# Security:AWS Config
#--------------------------------------------------------------
security_config = {
# TODO: need to set is_enabled for settings of AWS Config.
is_enabled = true
```

- Security:AWS Config(us-east-1(CloudFront))

```
#--------------------------------------------------------------
# Security:AWS Config(us-east-1(CloudFront))
#--------------------------------------------------------------
security_config_us_east_1 = {
# TODO: need to set is_enabled for settings of AWS Config.
is_enabled = false
```

- Security: Default VPC

```
#--------------------------------------------------------------
# Security:Default VPC
#--------------------------------------------------------------
security_default_vpc = {
# TODO: need to set is_enabled for settings of default VPC security.
is_enabled = true
```

- Security: EBS

```
#--------------------------------------------------------------
# Security:EBS
#--------------------------------------------------------------
security_ebs = {
# TODO: need to set is_enabled for settings of EBS.
```

- Security:GuardDuty

```
#--------------------------------------------------------------
# Security:GuardDuty
#--------------------------------------------------------------
security_guardduty = {
# TODO: need to set is_enabled for settings of GuardDuty.
is_enabled = true
```

- Security:IAM

```
#--------------------------------------------------------------
# Security:IAM
#--------------------------------------------------------------
security_iam = {
# TODO: need to set is_enabled for settings of IAM security.
is_enabled = true
```

- Security:S3

```
#--------------------------------------------------------------
# Security:S3
#--------------------------------------------------------------
security_s3 = {
# TODO: need to set is_enabled for settings of S3 security.
is_enabled = true
```

- Security:SecurityHub

```
#--------------------------------------------------------------
# Security:SecurityHub
#--------------------------------------------------------------
security_securityhub = {
# TODO: need to set is_enabled for settings of SecurityHub.
is_enabled = true
```
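Review bot: the Access Analyzer entry under `## is_enabled` appears twice in a row (two `- Access Analyzer` bullets with the identical `security_access_analyzer` snippet), and the Security:EBS snippet stops after its `# TODO` comment without the `is_enabled = ...` line that every other entry shows; drop the second copy and complete the EBS entry. The table of contents links `#deployuser`, `#supportiamroleprincipalarns` and `#isenabled`, but GitHub keeps underscores when it turns headings into anchors, so those should read `#deploy_user`, `#support_iam_role_principal_arns` and `#is_enabled`. In the support_iam_role_principal_arns snippet the commented example `"arn:aws:iam::{account id}:{iam user}"` is missing the `user/` resource prefix an IAM user ARN needs, and the Trusted Advisor comment says `is_enable` while the key is `is_enabled`. Since the Slack section tells readers to put a live `SLACK_OAUTH_ACCESS_TOKEN` into their tfvars, it should also say that the populated terraform.{environment}.tfvars must stay out of version control and that the variable can be declared `sensitive = true` so the token is not printed in plan output.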
5 changes: 2 additions & 3 deletions README.md
Expand Up @@ -174,7 +174,6 @@ region: ap-northeast-1

- terraform.{environment}.tfvars file to configure for each environment
You need to rename the linked file [terraform.example.tfvars](terraform/base/terraform.example.tfvars) and change each variable for your environment. The variables that need to be changed are marked with TODO comments; search for them in TODO.

- main_provider.tf file to set for each environment
Rename the linked file [main_provider.tf.example](terraform/base/main_provider.tf.example) to main_provider.tf. After that, you need to change each parameter. The variables that need to be changed are marked with TODO comments, search for them in TODO.

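Review bot: the `terraform.{environment}.tfvars` bullet still only points at terraform.example.tfvars and tells the reader to grep for TODO, while this same commit adds README-base-tfvars.md, which walks through exactly the required and optional variables; link that file from this bullet so the two documents stay in step. Minor wording in both bullets: "search for them in TODO" reads oddly, and "search the file for `TODO`" is what is meant.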
Expand Down Expand Up @@ -278,11 +277,11 @@ This is a description of the S3 bucket that will be created and the data in the
| AWS Config | aws-log-common | /AWSLogs/{accountID}/Config/{region}/yyyy/m/d/ConfigHistory/ | AWS Config Compliance History Timeline for Resources. | https://docs.aws.amazon.com/config/latest/developerguide/view-compliance-history.html |
| AWS Config | aws-log-common | /AWSLogs/{accountID}/Config/{region}/yyyy/m/d/ConfigSnapshot/ | AWS Config snapshot. | https://docs.aws.amazon.com/config/latest/developerguide/deliver-snapshot-cli.html |
| AWS Config | aws-log-common | /AWSLogs/{accountID}/Config/ConfigWritabilityCheckFile/yyyy/m/d | This is a test file to confirm that Config can be written to the S3 bucket normally. | |
| AWS Config | aws-log-common | /AWSLogs/{accountID}/CloudTrail/AccessLog | This is the access log of the CloudTrail bucket. |
| AWS Config | aws-log-common | /AWSLogs/{accountID}/CloudTrail/AccessLog | This is the access log of the CloudTrail bucket. |
| AWS CloudTrail | aws-log-cloudtrail | /AWSLogs/{accountID}/CloudTrail-Digest/{region}/yyyy/mm/dd | Each digest file contains the names of the log files that were delivered to your Amazon S3 bucket during the last hour, the hash values for those log files, and the digital signature of the previous digest file. The signature for the current digest file is stored in the metadata properties of the digest file object. The digital signatures and hashes are used for validating the integrity of the log files and of the digest file itself. | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-digest-file-structure.html |
| AWS CloudTrail | aws-log-cloudtrail | /AWSLogs/{accountID}/CloudTrail-Insight/{region}/yyyy/mm/dd | CloudTrail Insights can help you detect unusual API activity in your AWS account by raising Insights events. CloudTrail Insights measures your normal patterns of API call volume, also called the baseline, and generates Insights events when the volume is outside normal patterns. Insights events are generated for write management APIs. | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/log-insights-events-with-cloudtrail.html |
| AWS CloudTrail | aws-log-cloudtrail | /AWSLogs/{accountID}/CloudTrail/{region}/yyyy/mm/dd | It is recorded as an event in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface. | https://docs.aws.amazon.com/awscloudtrail/latest/userguide/get-and-view-cloudtrail-log-files.html |
| AWS Log | aws-log-application | /Logs | Application log from CloudWatch Logs. | |
| AWS Log | aws-log-application | /Logs | Application log from CloudWatch Logs. | |
## Author Information
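Review bot: the `/AWSLogs/{accountID}/CloudTrail/AccessLog` row has only four cells where every other row has five (the trailing documentation-link cell is missing), which will break the column alignment when the table renders, and its first column says `AWS Config` although the description says it is the access log of the CloudTrail bucket. Add the empty fifth cell (`| |`) as the ConfigWritabilityCheckFile and `/Logs` rows do, and label the row with the service that actually writes the access log.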
Binary file added lambda/outputs/heartbeat.zip
83 changes: 83 additions & 0 deletions modules/aws/recipes/budgets/create-v4/main.tf
@@ -0,0 +1,83 @@
#--------------------------------------------------------------
# Locals
#--------------------------------------------------------------
locals {
tags = {
for k, v in(var.tags == null ? {} : var.tags) : k => v if lookup(data.aws_default_tags.provider.tags, k, null) == null || lookup(data.aws_default_tags.provider.tags, k, null) != v
}
}
#--------------------------------------------------------------
# Use this data source to get the default tags configured on the provider.
#--------------------------------------------------------------
data "aws_default_tags" "provider" {}

#--------------------------------------------------------------
# Provides a budgets budget resource. Budgets use the cost visualisation provided by Cost Explorer to show you the status of your budgets, to provide forecasts of your estimated costs, and to track your AWS usage, including your free tier usage.
#--------------------------------------------------------------
resource "aws_budgets_budget" "this" {
count = var.is_enabled ? 1 : 0
name = lookup(var.aws_budgets_budget, "name")
budget_type = lookup(var.aws_budgets_budget, "budget_type", "COST")
dynamic "cost_filter" {
for_each = lookup(var.aws_budgets_budget, "cost_filter", [])
content {
name = lookup(cost_filter.value, "name", null)
values = lookup(cost_filter.value, "values", null)
}
}
dynamic "cost_types" {
for_each = lookup(var.aws_budgets_budget, "cost_types", [{}])
content {
include_credit = lookup(cost_types.value, "include_credit", true)
include_discount = lookup(cost_types.value, "include_discount", true)
include_other_subscription = lookup(cost_types.value, "include_other_subscription", true)
include_recurring = lookup(cost_types.value, "include_recurring", true)
include_refund = lookup(cost_types.value, "include_refund", true)
include_subscription = lookup(cost_types.value, "include_subscription", true)
include_support = lookup(cost_types.value, "include_support", true)
include_tax = lookup(cost_types.value, "include_tax", true)
include_upfront = lookup(cost_types.value, "include_upfront", true)
use_amortized = lookup(cost_types.value, "use_amortized", false)
use_blended = lookup(cost_types.value, "use_blended", false)
}
}
limit_amount = lookup(var.aws_budgets_budget, "limit_amount")
limit_unit = lookup(var.aws_budgets_budget, "limit_unit", "USD")
time_period_end = lookup(var.aws_budgets_budget, "time_period_end", "2050-12-31_00:00")
time_period_start = lookup(var.aws_budgets_budget, "time_period_start", "2021-01-01_00:00")
time_unit = lookup(var.aws_budgets_budget, "time_unit", "MONTHLY")
dynamic "notification" {
for_each = lookup(var.aws_budgets_budget, "notification", [{}])
content {
comparison_operator = lookup(notification.value, "comparison_operator", "GREATER_THAN")
threshold = lookup(notification.value, "threshold", "80")
threshold_type = lookup(notification.value, "threshold_type", "PERCENTAGE")
notification_type = lookup(notification.value, "notification_type", "ACTUAL")
subscriber_email_addresses = lookup(notification.value, "subscriber_email_addresses", null)
subscriber_sns_topic_arns = lookup(notification.value, "subscriber_sns_topic_arns", null)
}
}
}

#--------------------------------------------------------------
# Provides an EventBridge Rule resource.
#--------------------------------------------------------------
resource "aws_cloudwatch_event_rule" "this" {
count = var.is_enabled ? 1 : 0
name = lookup(var.aws_cloudwatch_event_rule, "name", "budgets-cloudwatch-event-rule")
schedule_expression = lookup(var.aws_cloudwatch_event_rule, "schedule_expression", "cron(0 9 * * ? *)")
description = lookup(var.aws_cloudwatch_event_rule, "description", "This cloudwatch event used for Budgets.")
is_enabled = lookup(var.aws_cloudwatch_event_rule, "is_enabled", true)
tags = local.tags
}
#--------------------------------------------------------------
# Provides an EventBridge Target resource.
#--------------------------------------------------------------
resource "aws_cloudwatch_event_target" "this" {
count = var.is_enabled ? 1 : 0
rule = aws_cloudwatch_event_rule.this[0].name
arn = lookup(var.aws_cloudwatch_event_target, "arn")
depends_on = [
aws_cloudwatch_event_rule.this[0]
]
}
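Review bot: the `depends_on = [aws_cloudwatch_event_rule.this[0]]` on `aws_cloudwatch_event_target.this` is redundant, because `rule = aws_cloudwatch_event_rule.this[0].name` already gives Terraform that dependency; drop it. The `locals.tags` expression also deserves an explanatory comment: it keeps only the keys whose value differs from the provider `default_tags` entry so that, with aws provider >= 4.0.0, resource-level tags do not conflict with the provider defaults on every plan, which is the "fixed modules for default tags" change the commit message describes but nothing in the file says so. Finally, `time_period_start` defaults to a fixed `2021-01-01_00:00` baked into the module; consider requiring callers to set it, since that date will not suit every account.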
File renamed without changes.