- Added Athena to analyze CloudFront logs.

- Added Athena to analyze SES logs.
- Added check MySQL slow query.
- Added version control to be monitored by dependbot.
- Added APIEndpoint for CSP report. However, custom domains, etc. are not supported.
- Added the ability to check for broken links in Synthetics Canary.
- Some tflint corrections were made.
- When checking MFA in AWS, if the MFA name was fixed and not a user name, an error would occur, but the restriction on the MFA name has been removed.
- Added the ability to configure whether or not console access and access keys are obtained when creating IAM users.
- Metrics now does not monitor for CloudFront 403 errors by default.
- SecurityHub's CIS AWS Foundations Benchmark version has been updated from v1.2.0 to default to v1.4.0. If you use the original v1.2.0, you will need to set variables.
- Synthetics Canary is now supported to run within VPC.
- CloudFront and SES logs from us-east-1 can be forwarded to S3.

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/terraform/base" # Location of package manifests
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "terraform" # See documentation for possible values
+    directory: "/terraform/monitor" # Location of package manifests
+    schedule:
+      interval: "daily"

.github/workflows/example/cd-workflow-dispatch-base-dev.yaml

@@ -4,9 +4,10 @@ on:
   workflow_dispatch:
 jobs:
   deploy:
+    environment:
+      name: dev
     env:
-      ENVIRONMENT: dev
-      ENV: ${{ secrets.ENV_DEV }}
+      ENV: ${{ secrets.ENV }}
     runs-on: ubuntu-latest
     steps:
       - name: "code: check out code"

.github/workflows/example/cd-workflow-dispatch-monitor-dev.yaml

@@ -4,16 +4,18 @@ on:
   workflow_dispatch:
 jobs:
   deploy:
+    environment:
+      name: dev
     env:
-      ENVIRONMENT: dev
-      ENV: ${{ secrets.ENV_DEV }}
+      ENV: ${{ secrets.ENV }}
     runs-on: ubuntu-latest
     steps:
       - name: "code: check out code"
         uses: actions/checkout@v2
       - name: "terraform: apply"
         run: |
           echo "$ENV" >> $PWD/.env
+          echo $ENV
           find scripts -type f -name '*.sh' -exec chmod +x \{\} \;
           docker pull ghcr.io/y-miyazaki/terraform-aws-debian:latest
           docker run --rm -v $PWD:/workspace --env-file=$PWD/.env -w /workspace --name terraform-aws ghcr.io/y-miyazaki/terraform-aws-debian:latest scripts/terraform/deploy.sh terraform/monitor

.gitignore

@@ -18,3 +18,6 @@ provider.json
 !terraform.example.tfvars
 *.tfbackend
 !terraform.example.tfbackend
+
+devcontainer.json
+.env

README-monitor-tfvars.md

@@ -8,12 +8,12 @@ If you need to adjust the parameters, you can do so by yourself by searching TOD
 # Table of Contents
 - [Initial setting](#initial-setting)
 - [Required](#required)
-  - [deploy_user](#deploy_user)
+  - [deploy\_user](#deploy_user)
   - [region](#region)
 - [Not Required](#not-required)
   - [tags](#tags)
   - [Slack](#slack)
-  - [is_enabled](#is_enabled)
+  - [is\_enabled](#is_enabled)
 
 # Initial setting
 
@@ -322,7 +322,7 @@ metric_resource_api_gateway = {
 # or publish your own application metrics. Amazon CloudWatch can load all the metrics in your account
 # (both AWS resource metrics and application metrics that you provide) for search, graphing, and alarms.
 #
-# Metrics about Cloudfront will be checked and you will be notified via Slack if the specified threshold is exceeded.
+# Metrics about CloudFront will be checked and you will be notified via Slack if the specified threshold is exceeded.
 # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/monitoring-using-cloudwatch.html
 #--------------------------------------------------------------
 metric_resource_cloudfront = {
@@ -464,3 +464,31 @@ metric_synthetics_canary = {
   # TODO: need to set is_enabled for Metric of Synthetics Canary.
   is_enabled = false
 ```
+
+- Athena
+
+```
+#--------------------------------------------------------------
+# Athena
+# Amazon Athena is an interactive query service that makes it easy to 
+# analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.
+# With a few actions in the AWS Management Console, you can point Athena at your data stored in
+# Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds.
+#
+# With this configuration, CloudFront and SES logs can be viewed in Athena.
+#--------------------------------------------------------------
+athena = {
+  # TODO: need to set is_enabled for Athena.
+  is_enabled     = false
+  .
+  .
+  .
+  # TODO: To check CloudFront logs with Athena, specify true.
+  enabled_cloudfront    = false
+  # TODO: Specify the S3 bucket where CloudFront logs are stored. s3://{bucket name}/{bucket prefix}
+  cloudfront_log_bucket = "s3://{bucket name}/{bucket prefix}"
+  # TODO: To check SES logs with Athena, specify true.
+  enabled_ses = false
+  # TODO: Specify the S3 bucket where SES logs are stored. s3://{bucket name}/{bucket prefix}
+  ses_log_bucket = "s3://{bucket name}/{bucket prefix}"  
+```

README.md

@@ -44,7 +44,7 @@ Basically, it is designed to be turned on and off for each setting and function
   - [Metrics](#metrics)
     - [Metrics:ALB](#metricsalb)
     - [Metrics:API Gateway](#metricsapi-gateway)
-    - [Metrics:Cloudfront](#metricscloudfront)
+    - [Metrics:CloudFront](#metricscloudfront)
     - [Metrics:EC2](#metricsec2)
     - [Metrics:ElastiCache](#metricselasticache)
     - [Metrics:Lambda](#metricslambda)
@@ -53,6 +53,10 @@ Basically, it is designed to be turned on and off for each setting and function
     - [Metrics:Synthetics Canary](#metricssynthetics-canary)
   - [CloudWatch Events(EventBridge)](#cloudwatch-eventseventbridge)
     - [CloudWatch Events:EC2](#cloudwatch-eventsec2)
+  - [Athena](#athena)
+    - [Athena: Named Query](#athena-named-query)
+    - [Athena: CloudFront](#athena-cloudfront)
+    - [Athena: SES](#athena-ses)
   - [S3 bucket list](#s3-bucket-list)
   - [Author Information](#author-information)
 
@@ -174,7 +178,7 @@ You can use Amazon CloudWatch Logs to monitor, store, and access your log files
 
 CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time, and you can query them and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualize log data in dashboards.
 
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html
+Reference: [What is Amazon CloudWatch Logs?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html)
 
 ### Log:Application
 
@@ -188,70 +192,70 @@ The filter function of CloudWatchLogs can be used to check specified logs with s
 
 Metrics are data about the performance of your systems. By default, many services provide free metrics for resources (such as Amazon EC2 instances, Amazon EBS volumes, and Amazon RDS DB instances). You can also enable detailed monitoring for some resources, such as your Amazon EC2 instances, or publish your own application metrics. Amazon CloudWatch can load all the metrics in your account (both AWS resource metrics and application metrics that you provide) for search, graphing, and alarms.
 
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html
+Reference: [Using Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html)
 
 ### Metrics:ALB
 
 Metrics about ALB will be checked and you will be notified via Slack if the specified threshold is exceeded.
 
-https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html
+Reference: [CloudWatch metrics for your Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html)
 
 ### Metrics:API Gateway
 
 Metrics about API Gateway will be checked and you will be notified via Slack if the specified threshold is exceeded.
 
-https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-metrics-and-dimensions.html
+Reference: [Amazon API Gateway dimensions and metrics](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-metrics-and-dimensions.html)
 
-### Metrics:Cloudfront
+### Metrics:CloudFront
 
-Metrics about Cloudfront will be checked and you will be notified via Slack if the specified threshold is exceeded.
+Metrics about CloudFront will be checked and you will be notified via Slack if the specified threshold is exceeded.
 
-https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/monitoring-using-cloudwatch.html
+Reference: [Monitoring CloudFront metrics with Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/monitoring-using-cloudwatch.html)
 
 ### Metrics:EC2
 
-Metrics about EC2 will be checked and you will be notified via Slack if the specified threshold is exceeded.
-
-https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html
+Metrics about EC2 will be checked and you will be notified via Slack if the specified threshold is exceeded.  
+  
+Reference: [Monitoring use with CloudWatch Metrics](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html)
 
 ### Metrics:ElastiCache
 
-Metrics about ElastiCache will be checked and you will be notified via Slack if the specified threshold is exceeded.
-
-https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheMetrics.html
+Metrics about ElastiCache will be checked and you will be notified via Slack if the specified threshold is exceeded.  
+  
+Reference: [Monitoring use with CloudWatch Metrics](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheMetrics.html)
 
 ### Metrics:Lambda
 
-Metrics about Lambda will be checked and you will be notified via Slack if the specified threshold is exceeded.
-
-https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html
+Metrics about Lambda will be checked and you will be notified via Slack if the specified threshold is exceeded.  
+  
+Reference: [Working with Lambda function metrics](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html)
 
 ### Metrics:RDS
 
-Metrics about RDS will be checked and you will be notified via Slack if the specified threshold is exceeded.
-
-https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/monitoring-cloudwatch.html
+Metrics about RDS will be checked and you will be notified via Slack if the specified threshold is exceeded.  
+  
+Reference: [Monitoring Amazon RDS metrics with Amazon CloudWatch](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/monitoring-cloudwatch.html)
 
 ### Metrics:SES
 
-Metrics about SES will be checked and you will be notified via Slack if the specified threshold is exceeded.
-
-https://docs.aws.amazon.com/ses/latest/dg/event-publishing-retrieving-cloudwatch.html
+Metrics about SES will be checked and you will be notified via Slack if the specified threshold is exceeded.  
+  
+Reference: [Retrieving Amazon SES event data from CloudWatch](https://docs.aws.amazon.com/ses/latest/dg/event-publishing-retrieving-cloudwatch.html)
 
 ### Metrics:Synthetics Canary
 
 You can use Amazon CloudWatch Synthetics to create canaries, configurable scripts that run on a schedule, to monitor your endpoints and APIs. Canaries follow the same routes and perform the same actions as a customer, which makes it possible for you to continually verify your customer experience even when you don't have any customer traffic on your applications. By using canaries, you can discover issues before your customers do.
 
 Using Synthetics Canary, the status code is checked against the specified URL,
-and if an unexpected status code is returned, the user is notified via Slack.
-
-https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html
+and if an unexpected status code is returned, the user is notified via Slack.  
+  
+Reference: [Using synthetic monitoring](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html)
 
 ## CloudWatch Events(EventBridge)
 
 Amazon EventBridge is a serverless event bus service that you can use to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your applications, software as a service (SaaS) applications, and AWS services to targets such as AWS Lambda functions, HTTP invocation endpoints using API destinations, or event buses in other AWS accounts.
 
-https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html
+Reference: [What Is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html)
 
 ### CloudWatch Events:EC2
 
@@ -262,6 +266,29 @@ The following events are monitored.
 - EC2 Spot Instance Interruption Warning  
   https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-instance-termination-notices.html
 
+## Athena
+
+Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. With a few actions in the AWS Management Console, you can point Athena at your data stored in Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds.  
+Reference: [What is Amazon Athena?](https://docs.aws.amazon.com/athena/latest/ug/what-is.html)  
+
+### Athena: Named Query
+Named Query (Named Query, Saved Query) is an Amazon Athena feature that allows you to name and save SQL queries and call them from the console.
+
+![Named Query](image/athena_named_query.png)
+### Athena: CloudFront
+If you are using CloudFront to store your standard logs in S3, you can retrieve the logs from Athena using SQL.  
+When the Athena function is enabled, a table is created for CloudFront and a named query is created for easy searching.  
+
+Reference: [Configuring and using standard logs (access logs)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html)
+
+![CloudFront](image/athena_cloudfront.png)
+
+### Athena: SES
+If you are using SES to store your standard logs in S3, you can retrieve the logs from Athena using SQL.  
+When the Athena function is enabled, a table is created for SES and a named query is created for easy searching.  
+
+![SES](image/athena_ses.png)
+
 ## S3 bucket list
 
 This is a description of the S3 bucket that will be created and the data in the bucket.

modules/aws/recipes/apigateway/create/main.tf

@@ -0,0 +1,12 @@
+#--------------------------------------------------------------
+# Manages an API Gateway REST API
+#--------------------------------------------------------------
+resource "aws_api_gateway_rest_api" "this" {
+  description                  = var.description
+  disable_execute_api_endpoint = var.disable_execute_api_endpoint
+  name                         = var.name
+  endpoint_configuration {
+    types = var.types
+  }
+  tags = var.tags
+}

modules/aws/recipes/apigateway/create/outputs.tf

@@ -0,0 +1,12 @@
+output "id" {
+  description = "ID of the REST API."
+  value       = aws_api_gateway_rest_api.this.id
+}
+output "root_resource_id" {
+  description = "Resource ID of the REST API's root."
+  value       = aws_api_gateway_rest_api.this.root_resource_id
+}
+output "execution_arn" {
+  description = "Execution ARN part to be used in lambda_permission's source_arn when allowing API Gateway to invoke a Lambda function."
+  value       = aws_api_gateway_rest_api.this.execution_arn
+}

modules/aws/recipes/apigateway/create/variables.tf

@@ -0,0 +1,27 @@
+#--------------------------------------------------------------
+# module variables
+#--------------------------------------------------------------
+variable "name" {
+  type        = string
+  description = "(Required) API Gateway Name."
+}
+variable "description" {
+  type        = string
+  description = "(Optional) Description of the REST API. If importing an OpenAPI specification via the body argument, this corresponds to the info.description field. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value."
+  default     = ""
+}
+variable "disable_execute_api_endpoint" {
+  type        = bool
+  description = "(Optional) Whether clients can invoke your API by using the default execute-api endpoint. By default, clients can invoke your API with the default https://{api_id}.execute-api.{region}.amazonaws.com endpoint. To require that clients use a custom domain name to invoke your API, disable the default endpoint. Defaults to false. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-endpoint-configuration extension disableExecuteApiEndpoint property. If the argument value is true and is different than the OpenAPI value, the argument value will override the OpenAPI value."
+  default     = true
+}
+variable "types" {
+  type        = list(string)
+  description = "(Optional) List of endpoint types. This resource currently only supports managing a single value. Valid values: EDGE, REGIONAL or PRIVATE. If unspecified, defaults to EDGE. If set to PRIVATE recommend to set put_rest_api_mode = merge to not cause the endpoints and associated Route53 records to be deleted. Refer to the documentation for more information on the difference between edge-optimized and regional APIs."
+  default     = ["REGIONAL"]
+}
+variable "tags" {
+  type        = map(any)
+  description = "(Optional) Key-value map of resource tags for the workgroup. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
+  default     = null
+}

modules/aws/recipes/apigateway/create/versions.tf

@@ -0,0 +1,12 @@
+#--------------------------------------------------------------
+# Terraform Provider
+#--------------------------------------------------------------
+terraform {
+  required_version = ">=1.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=4.0.0"
+    }
+  }
+}