Commit

Feature/v2.7.0 (#5)
- fixed
  README-base.tfvars.md.
  README-base.monitor.md.
  change module for lambda.
  change module for s3.
  s3 bucket policy.
  lambda policy for security.
   
- added
  inside vpc for lambda.
  s3 access log for security.

- removed
  old s3 bucket modules.
  old s3 policy rules.
y-miyazaki authored May 31, 2022
1 parent f309c91 commit 91d89b0
Showing 95 changed files with 1,447 additions and 7,548 deletions.
59 changes: 48 additions & 11 deletions README-base-tfvars.md
@@ -1,32 +1,34 @@
# How do we fix base tfvars?

The example is [terraform.example.tfvars](terraform/base/terraform.example.tfvars). The following is a list of things that must be modified and things that should be modified when doing terraform apply for the first time.
The example is [terraform.example.tfvars](terraform/base/terraform.example.tfvars). The following is a list of things that must be modified and things that should be modified when doing terraform apply for the first time.
If you need to adjust the parameters, you can do so by yourself by searching TODO.

- [Initial setting](#initial-setting)
- [Required](#required)
- [deploy_user](#deployuser)
- [deploy_user](#deploy_user)
- [region](#region)
- [support_iam_role_principal_arns](#supportiamroleprincipalarns)
- [subscriber_email_addresses](#subscriber_email_addresses)
- [Not Required](#not-required)
- [tags](#tags)
- [Slack](#slack)
- [is_enabled](#isenabled)
- [is_enabled](#is_enabled)

# Initial setting

This section describes the initial settings for running [Base's Terraform](./terraform/base/). If an item has already been addressed, please skip to the next section.

- Remove the access key from the root account
- Remove the access key from the root account
Since this is a security issue, let's remove the access key from the root account from the management console.

- Manual creation of IAM user and IAM group to run Terraform
- Manual creation of IAM user and IAM group to run Terraform
Create an IAM user and an IAM group from the management console in order to run Terraform.
Create an IAM group (pseudonym: deploy). Attach AdministratorAccess as the policy.
Create an IAM user (pseudonym: terraform), giving it only Programmatic access for Access Type, and add it to the IAM group (pseudonym: deploy).

- Create an S3 to store the Terraform State
- Create an S3 to store the Terraform State
Create an S3 from the management console to manage the Terraform State.
However, if you have an environment where you can run the aws command and profile already configured, you can create an S3 by running the following command.
However, if you have an environment where you can run the aws command and profile already configured, you can create an S3 by running the following command.
https://github.com/y-miyazaki/cloud-commands/blob/master/cmd/awstfinitstate

```sh
Expand Down Expand Up @@ -67,9 +69,9 @@ region: ap-northeast-1
--------------------------------------------------------------
```

- terraform.{environment}.tfvars file to configure for each environment
- terraform.{environment}.tfvars file to configure for each environment
You need to rename the linked file [terraform.example.tfvars](terraform/base/terraform.example.tfvars) and change each variable for your environment. The variables that need to be changed are marked with TODO comments; search for them in TODO.
- main_provider.tf file to set for each environment
- main_provider.tf file to set for each environment
Rename the linked file [main_provider.tf.example](terraform/base/main_provider.tf.example) to main_provider.tf. After that, you need to change each parameter. The variables that need to be changed are marked with TODO comments, search for them in TODO.

```terraform
Expand Down Expand Up @@ -119,7 +121,7 @@ provider "aws" {
}
```

- Running Terraform
- Running Terraform
Run the terraform command: terraform init followed by terraform apply.
You may find that terraform apply fails due to conflicts or other problems, so run it again and it will succeed.

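Review bot: "run it again and it will succeed" in the Running Terraform step papers over whatever fails on the first apply; name the resource or dependency that needs the second pass (or add an explicit depends_on in the module) rather than telling users to ignore the first error, because the same retry habit will also hide genuine IAM policy or permission failures. Separately, the `- Running Terraform` pair in this hunk (like the `Remove the access key`, `Manual creation` and `Create an S3` pairs above it) shows no visible difference, so these are trailing-whitespace or line-ending changes; a markdownlint or .editorconfig trailing-whitespace rule would stop them recurring in every commit.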
Expand Down Expand Up @@ -216,6 +218,41 @@ https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-control
]
```
## subscriber_email_addresses
The following are the supporting Budgets. If you want to receive Budgets notifications, you must set the email address for Budgets notifications to subscriber_email_addresses.
```
budgets = {
# TODO: need to set is_enabled for settings of budgets.
is_enabled = true
# Provides a budgets budget resource. Budgets use the cost visualisation provided
# by Cost Explorer to show you the status of your budgets, to provide forecasts of
# your estimated costs, and to track your AWS usage, including your free tier usage.
aws_budgets_budget = {
name = "budgets-monthly"
# TODO: need to change limit_amount for Service
limit_amount = "100.0"
time_unit = "MONTHLY"
notification = [
{
comparison_operator = "GREATER_THAN"
threshold = "80"
threshold_type = "PERCENTAGE"
notification_type = "ACTUAL"
# TODO: need to change subscriber_email_addresses.
# If the threshold is exceeded, you will be notified to the email address provided.
# At least one must set an email address.
subscriber_email_addresses = [
# example)
# "[email protected]"
]
subscriber_sns_topic_arns = null
}
]
}
```
# Not Required
Although terraform apply will succeed without fixing the following items, the following is a list of things that should be changed for each environment.
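Review bot: with `is_enabled = true` and an empty `subscriber_email_addresses = [ ]` alongside `subscriber_sns_topic_arns = null`, the example as shipped defines a notification with no subscriber, which the Budgets API rejects (each notification needs at least one subscriber), so the first apply fails unless the user has already edited this block; either say explicitly that an address must be filled in before the first apply or ship the example with `is_enabled = false`. Two smaller points: the comment `# At least one must set an email address.` should read `# At least one email address must be set.`, and the fence on this block carries no language tag while the other fences in this file use ```terraform.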
Expand All @@ -241,7 +278,7 @@ Basically, for notifications, you need an oauth access token from Slack and a sp
If you can get it, please modify all of the following If there is no normal token and channel ID, you will not be notified, but the deployment itself will succeed.
```
# TODO: need to change SLACK_OAUTH_ACCESS_TOKEN.
# TODO: need to change SLACK_OAUTH_ACCESS_TOKEN.(bot token xoxb-xxxxxx....)
SLACK_OAUTH_ACCESS_TOKEN = "xxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx"
# TODO: need to change SLACK_CHANNEL_ID.
SLACK_CHANNEL_ID = "XXXXXXXXXXXXXX"
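Review bot: the new comment says the value is a bot token of the form `xoxb-xxxxxx....`, but the placeholder on the next line is `xxxx-xxxxxxxxxxxxx-...`; make the placeholder start with `xoxb-` so readers recognise which Slack token type to paste. Since this tfvars file ends up holding a live token, the README should also state that terraform.{environment}.tfvars must stay out of version control (or that the token is supplied through an environment variable or secret store) rather than only marking the value TODO.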
23 changes: 12 additions & 11 deletions README-monitor-tfvars.md
@@ -1,31 +1,32 @@
# How do we fix monitor tfvars?

The example is [terraform.example.tfvars](terraform/monitor/terraform.example.tfvars). The following is a list of things that must be modified and things that should be modified when doing terraform apply for the first time.
The example is [terraform.example.tfvars](terraform/monitor/terraform.example.tfvars). The following is a list of things that must be modified and things that should be modified when doing terraform apply for the first time.
If you need to adjust the parameters, you can do so by yourself by searching TODO.

- [Initial setting](#initial-setting)
- [Required](#required)
- [deploy_user](#deployuser)
- [deploy_user](#deploy_user)
- [region](#region)
- [Not Required](#not-required)
- [tags](#tags)
- [Slack](#slack)
- [is_enabled](#isenabled)
- [is_enabled](#is_enabled)

# Initial setting

This section describes the initial settings for running [monitor's Terraform](./terraform/monitor/). If an item has already been addressed, please skip to the next section.

- Remove the access key from the root account
- Remove the access key from the root account
Since this is a security issue, let's remove the access key from the root account from the management console.

- Manual creation of IAM user and IAM group to run Terraform
- Manual creation of IAM user and IAM group to run Terraform
Create an IAM user and an IAM group from the management console in order to run Terraform.
Create an IAM group (pseudonym: deploy). Attach AdministratorAccess as the policy.
Create an IAM user (pseudonym: terraform), giving it only Programmatic access for Access Type, and add it to the IAM group (pseudonym: deploy).

- Create an S3 to store the Terraform State
- Create an S3 to store the Terraform State
Create an S3 from the management console to manage the Terraform State.
However, if you have an environment where you can run the aws command and profile already configured, you can create an S3 by running the following command.
However, if you have an environment where you can run the aws command and profile already configured, you can create an S3 by running the following command.
https://github.com/y-miyazaki/cloud-commands/blob/master/cmd/awstfinitstate

```sh
Expand Down Expand Up @@ -66,9 +67,9 @@ region: ap-northeast-1
--------------------------------------------------------------
```

- terraform.{environment}.tfvars file to configure for each environment
- terraform.{environment}.tfvars file to configure for each environment
You need to rename the linked file [terraform.example.tfvars](terraform/monitor/terraform.example.tfvars) and change each variable for your environment. The variables that need to be changed are marked with TODO comments; search for them in TODO.
- main_provider.tf file to set for each environment
- main_provider.tf file to set for each environment
Rename the linked file [main_provider.tf.example](terraform/monitor/main_provider.tf.example) to main_provider.tf. After that, you need to change each parameter. The variables that need to be changed are marked with TODO comments, search for them in TODO.

```terraform
Expand Down Expand Up @@ -118,7 +119,7 @@ provider "aws" {
}
```

- Running Terraform
- Running Terraform
Run the terraform command: terraform init followed by terraform apply.
You may find that terraform apply fails due to conflicts or other problems, so run it again and it will succeed.

Expand Down Expand Up @@ -224,7 +225,7 @@ Basically, for notifications, you need an oauth access token from Slack and a sp
If you can get it, please modify all of the following If there is no normal token and channel ID, you will not be notified, but the deployment itself will succeed.
```
# TODO: need to change SLACK_OAUTH_ACCESS_TOKEN.
# TODO: need to change SLACK_OAUTH_ACCESS_TOKEN.(bot token xoxb-xxxxxx....)
SLACK_OAUTH_ACCESS_TOKEN = "xxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx"
# TODO: need to change SLACK_CHANNEL_ID.
SLACK_CHANNEL_ID = "XXXXXXXXXXXXXX"
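Review bot: this hunk is identical to the one in README-base-tfvars.md, and the Initial setting section above it (root access key removal, IAM user and group creation, state bucket creation) is duplicated verbatim between the two READMEs; keep the shared bootstrap text once and link to it from both files so they cannot drift, given that this commit already had to fix the same anchors and the same Slack comment twice. The same placeholder fix applies here: align `xxxx-...` with the `xoxb-` form the comment describes.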
2 changes: 2 additions & 0 deletions modules/aws/recipes/iam/role/lambda/README.md
Expand Up @@ -23,6 +23,7 @@ No modules.
| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_default_tags.provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/default_tags) | data source |

## Inputs
Expand All @@ -31,6 +32,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_aws_iam_policy"></a> [aws\_iam\_policy](#input\_aws\_iam\_policy) | (Optional) Provides an IAM policy. | <pre>object(<br> {<br> # Description of the IAM policy.<br> description = string<br> # The name of the policy. If omitted, Terraform will assign a random, unique name.<br> name = string<br> # Path in which to create the policy. See IAM Identifiers for more information.<br> path = string<br> # (Required) The policy document. This is a JSON formatted string. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.<br> policy = string<br> }<br> )</pre> | <pre>{<br> "description": "Policy for Lambda.",<br> "name": "lambda-policy",<br> "path": "/",<br> "policy": null<br>}</pre> | no |
| <a name="input_aws_iam_role"></a> [aws\_iam\_role](#input\_aws\_iam\_role) | (Optional) Provides an IAM role. | <pre>object(<br> {<br> # Description of the role.<br> description = string<br> # Friendly name of the role. If omitted, Terraform will assign a random, unique name. See IAM Identifiers for more information.<br> name = string<br> # Path to the role. See IAM Identifiers for more information.<br> path = string<br> }<br> )</pre> | <pre>{<br> "description": "Role for Lambda.",<br> "name": "lambda-role",<br> "path": "/"<br>}</pre> | no |
| <a name="input_is_vpc"></a> [is\_vpc](#input\_is\_vpc) | (Optional) If you are deploying Lambda inside a VPC, set to true. | `bool` | `false` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the resource. | `map(any)` | `null` | no |

## Outputs
9 changes: 9 additions & 0 deletions modules/aws/recipes/iam/role/lambda/main.tf
Expand Up @@ -51,3 +51,12 @@ resource "aws_iam_role_policy_attachment" "this" {
role = aws_iam_role.this.name
policy_arn = aws_iam_policy.this.arn
}

#--------------------------------------------------------------
# Attaches a Managed IAM Policy to an IAM role
#--------------------------------------------------------------
resource "aws_iam_role_policy_attachment" "vpc" {
count = var.is_vpc ? 1 : 0
role = aws_iam_role.this.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess"
}
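Review bot: the header comment `# Attaches a Managed IAM Policy to an IAM role` should name the policy and why it is needed: AWSLambdaENIManagementAccess grants the ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface actions Lambda needs to place a function inside a VPC, and that is the only reason it is gated on `var.is_vpc`. The ARN also hardcodes the `aws` partition; `arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AWSLambdaENIManagementAccess` keeps the module usable in GovCloud and China regions. Picking the ENI-only policy rather than AWSLambdaVPCAccessExecutionRole is the better least-privilege choice, since the latter also bundles CloudWatch Logs permissions that belong in the module's own `aws_iam_policy.this` attached just above; worth noting in the comment that, as an AWS managed policy, its actions are granted on Resource `*` and cannot be narrowed from here.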
5 changes: 5 additions & 0 deletions modules/aws/recipes/iam/role/lambda/variables.tf
@@ -1,6 +1,11 @@
#--------------------------------------------------------------
# module variables
#--------------------------------------------------------------
variable "is_vpc" {
type = bool
description = "(Optional) If you are deploying Lambda inside a VPC, set to true."
default = false
}
variable "aws_iam_role" {
type = object(
{
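Review bot: the description of `is_vpc` says when to set it but not what it does; since turning it on attaches the AWSLambdaENIManagementAccess managed policy to the role (main.tf in this commit), say so in the description so callers know which permissions they are opting into. A `bool` with a `false` default is the right shape for an opt-in flag and needs no validation block.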