Merge pull request #7 from Coalfire-CF/sg-module-integration

Sg module integration

.github/workflows/org-checkov.yml

@@ -9,4 +9,6 @@ on:
 
 jobs:
   check-markdown:
-    uses: Coalfire-CF/Actions/.github/workflows/org-checkov.yml@main
+    uses: Coalfire-CF/Actions/.github/workflows/org-checkov.yml@main
+    with:
+      skip-path: examples

.gitignore

@@ -1,5 +1,6 @@
 # Local .terraform directories
 **/.terraform/*
+.terraform.lock.hcl
 
 # .tfstate files
 *.tfstate
@@ -34,3 +35,6 @@ override.tf.json
 # Ansible
 *.pub
 *.ppk
+
+# Keys
+*.pem

ebs.tf

@@ -0,0 +1,38 @@
+resource "aws_ebs_volume" "this" {
+  count = length(local.additional_ebs_volumes)
+
+  availability_zone    = local.additional_ebs_volumes[count.index][0].availability_zone
+  encrypted            = true
+  size                 = local.additional_ebs_volumes[count.index][1].size
+  type                 = local.additional_ebs_volumes[count.index][1].type
+  throughput           = local.additional_ebs_volumes[count.index][1].throughput
+  kms_key_id           = var.ebs_kms_key_arn
+  iops                 = local.additional_ebs_volumes[count.index][1].iops
+  multi_attach_enabled = local.additional_ebs_volumes[count.index][1].multi_attach_enabled
+  final_snapshot       = local.additional_ebs_volumes[count.index][1].final_snapshot
+  snapshot_id          = local.additional_ebs_volumes[count.index][1].snapshot_id
+  outpost_arn          = local.additional_ebs_volumes[count.index][1].outpost_arn
+  tags = merge(
+    {
+      Name                        = var.instance_count == 1 ? var.name : "${var.name}${count.index / var.instance_count + 1}",
+      AssociatedInstance          = local.additional_ebs_volumes[count.index][0].id
+      ForceDetach                 = local.additional_ebs_volumes[count.index][1].force_detach
+      SkipDestroy                 = local.additional_ebs_volumes[count.index][1].skip_destroy
+      StopInstanceBeforeDetaching = local.additional_ebs_volumes[count.index][1].stop_instance_before_detaching
+      DeviceName                  = local.additional_ebs_volumes[count.index][1].device_name
+    },
+    local.additional_ebs_volumes[count.index][1].tags,
+    var.global_tags
+  )
+}
+
+resource "aws_volume_attachment" "this" {
+  count = length(aws_ebs_volume.this[*])
+
+  device_name                    = aws_ebs_volume.this[count.index].tags.DeviceName
+  instance_id                    = aws_ebs_volume.this[count.index].tags.AssociatedInstance
+  volume_id                      = aws_ebs_volume.this[count.index].id
+  force_detach                   = aws_ebs_volume.this[count.index].tags.ForceDetach
+  skip_destroy                   = aws_ebs_volume.this[count.index].tags.SkipDestroy
+  stop_instance_before_detaching = aws_ebs_volume.this[count.index].tags.StopInstanceBeforeDetaching
+}

ec2.tf

@@ -9,29 +9,17 @@ resource "aws_instance" "this" {
 
   ###  NETWORKING  ###
   subnet_id                   = element(var.subnet_ids, count.index)
-  vpc_security_group_ids      = compact(concat(var.additional_security_groups, [local.sg_id]))
   private_ip                  = var.private_ip
   associate_public_ip_address = var.associate_public_ip || var.associate_eip
   source_dest_check           = var.source_dest_check
+  vpc_security_group_ids      = [module.security_group.id]
 
   ###  STORAGE  ###
   root_block_device {
     volume_type = var.root_volume_type
     volume_size = var.root_volume_size
-    encrypted = true
-    kms_key_id = var.ebs_kms_key_arn
-  }
-
-  dynamic "ebs_block_device" {
-    for_each = var.ebs_block_devices
-    content {
-      device_name = ebs_block_device.value["device_name"]
-      volume_size = ebs_block_device.value["volume_size"]
-      volume_type = ebs_block_device.value["volume_type"]
-      encrypted = true
-      delete_on_termination = var.volume_delete_on_termination
-      kms_key_id            = var.ebs_kms_key_arn
-    }
+    encrypted   = true
+    kms_key_id  = var.ebs_kms_key_arn
   }
 
   ebs_optimized = var.ebs_optimized
@@ -42,31 +30,26 @@ resource "aws_instance" "this" {
 
 
   ###  TAGS  ###
-  tags = merge({
-    Name = var.instance_count == 1 ? var.name : "${var.name}${count.index + 1}",
-    PatchGroup = tostring(count.index % 2 + 1) # Default PatchGroup tag increments in range 1-2
-    #Name =  "${var.name}${count.index + 1}"
+  tags = merge(
+    {
+      Name       = var.instance_count == 1 ? var.name : "${var.name}${count.index + 1}",
+      PatchGroup = tostring(count.index % 2 + 1) # Default PatchGroup tag increments in range 1-2
     },
-  var.tags,
-  var.global_tags,
-  var.regional_tags)
+    var.tags,
+    var.global_tags
+  )
 
-  volume_tags = merge({
-    Name = var.instance_count == 1 ? var.name : "${var.name}${count.index + 1}"
-    #Name = "${var.name}${count.index + 1}"
+  volume_tags = merge(
+    {
+      Name = var.instance_count == 1 ? var.name : "${var.name}${count.index + 1}"
     },
-  var.tags,
-  var.global_tags,
-  var.regional_tags)
+    var.tags,
+    var.global_tags
+  )
 
   lifecycle {
     ignore_changes = [root_block_device, ebs_block_device, user_data, ami]
   }
 
-  provisioner "local-exec" {
-    command = var.local_exec_command
-  }
-
   depends_on = [var.module_depends_on]
-
 }

eip.tf

@@ -1,10 +1,10 @@
 resource "aws_eip" "eip" {
-  count = var.associate_eip ? 1 * var.instance_count : 0
-  vpc   = true
+  count  = var.associate_eip ? 1 * var.instance_count : 0
+  domain = "vpc"
 }
 
 resource "aws_eip_association" "eip_attach" {
-  count         = var.associate_eip ? 1 * var. instance_count : 0
+  count         = var.associate_eip ? 1 * var.instance_count : 0
   instance_id   = aws_instance.this[count.index].id
   allocation_id = aws_eip.eip[count.index].id
-}
+}

enis.tf

@@ -1,42 +1,6 @@
-
-//resource "aws_network_interface" "public" {
-//  count = length(var.additional_enis["public"])
-//  subnet_id = var.additional_enis["public"][count.index]["subnet_id"][0]
-//  security_groups = var.additional_enis["public"][count.index]["security_groups"]
-//  source_dest_check = var.additional_enis["public"][count.index]["source_dest_check"][0]
-//  tags = {
-//    Name = var.additional_enis["public"][count.index]["name"][0]
-//  }
-//}
-
-//resource "aws_eip" "eip_multi_eni" {
-//  count = length(var.additional_enis["public"])
-//  vpc   = true
-//}
-//
-//resource "aws_eip_association" "eip_multi_eni_attach" {
-//  count         = length(var.additional_enis["public"])
-//  network_interface_id = aws_network_interface.public[count.index].id
-//  allocation_id = aws_eip.eip_multi_eni[count.index].id
-//}
-
-//resource "aws_network_interface" "private" {
-//  count = length(var.additional_enis["private"])
-//  subnet_id = var.additional_enis["private"][count.index]["subnet_id"][0]
-//  security_groups = var.additional_enis["private"][count.index]["security_groups"]
-//  source_dest_check = var.additional_enis["private"][count.index]["source_dest_check"][0]
-//  tags = {
-//    Name = var.additional_enis["private"][count.index]["name"][0]
-//  }
-//}
-
-//locals {
-//  eni_ids = concat(aws_network_interface.public.*.id, aws_network_interface.private.*.id)
-//}
-
 resource "aws_network_interface_attachment" "eni_attachment" {
-  count = length(var.additional_eni_ids)
-  device_index = count.index + 1
-  instance_id = aws_instance.this[0].id
+  count                = length(var.additional_eni_ids)
+  device_index         = count.index + 1
+  instance_id          = aws_instance.this[0].id
   network_interface_id = var.additional_eni_ids[count.index]
 }

examples/simple/README.md

@@ -0,0 +1,11 @@
+## EC2 module simple example
+
+This example creates 2 EC2 instances using the EC2 module, along with a temporary VPC, subnet, and the keys required to test the module.
+
+# Prerequisites
+
+Generate an EC2 key pair and place the pem key in this directory. Add the pem file to the tfvars file. To match the example tfvars file, run the following command in the terminal while in this directory:
+
+`aws ec2 create-key-pair --profile sandbox --region us-east-2 --key-type rsa --key-format pem --query "KeyMaterial" --key-name "ec2-module-test" --output text > ec2-module-test.pem`
+
+Note that `terraform destroy` will NOT remove the key pair from the AWS account as it is not tracked by state.

examples/simple/keys.tf

@@ -0,0 +1,37 @@
+# Requires a .pem file exists in this directory. This should be a generated key-pair (example in README)
+data "local_file" "key" {
+  filename = "${var.key_name}.pem"
+}
+
+resource "aws_ssm_parameter" "ec2_module_key_parameter" {
+  name        = "/test/${var.key_name}.pem"
+  description = "Private key for EC2 module test build"
+  type        = "SecureString"
+  value       = data.local_file.key.content
+}
+
+resource "aws_kms_key" "ebs_key" {
+  description         = "ebs key for ec2-module"
+  policy              = data.aws_iam_policy_document.ebs_key.json
+  enable_key_rotation = true
+}
+
+locals {
+  partition = strcontains(var.aws_region, "gov") ? "aws-gov" : "aws"
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "ebs_key" {
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:${local.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+      ]
+    }
+  }
+}

examples/simple/main.tf

@@ -0,0 +1,77 @@
+data "aws_ami" "ami" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-hvm-*"]
+  }
+
+  owners = ["amazon"]
+}
+
+resource "aws_vpc" "main" {
+  cidr_block = var.vpc_cidr
+}
+
+resource "aws_subnet" "main" {
+  vpc_id     = aws_vpc.main.id
+  cidr_block = var.subnet_cidr
+}
+
+module "ec2_test" {
+  #source = "git::https://github.com/Coalfire-CF/ACE-AWS-SecurityGroup"
+  source = "../.." # For testing within current ACE-AWS-EC2 branch
+
+  name = "ec2-module-test-instance"
+
+  ami               = data.aws_ami.ami.id
+  ec2_instance_type = "t2.micro"
+  instance_count    = 2
+
+  vpc_id     = aws_vpc.main.id
+  subnet_ids = [aws_subnet.main.id]
+
+  ec2_key_pair    = "ec2-module-test"
+  ebs_kms_key_arn = aws_kms_key.ebs_key.arn
+
+  # EBS
+  ebs_volumes = [
+    {
+      device_name = "/dev/sdb"
+      size        = 20
+      type        = "gp3"
+    },
+    {
+      device_name = "/dev/sdc"
+      size        = 20
+      type        = "gp3"
+    }
+  ]
+
+  # Storage
+  root_volume_size = "20"
+
+  # Security Group Rules
+  ingress_rules = [{
+    protocol    = "tcp"
+    from_port   = "443"
+    to_port     = "443"
+    cidr_blocks = [aws_vpc.main.cidr_block]
+    },
+    {
+      protocol    = "tcp"
+      from_port   = "22"
+      to_port     = "22"
+      cidr_blocks = [aws_vpc.main.cidr_block]
+  }]
+
+  egress_rules = [{
+    protocol    = "-1"
+    from_port   = "0"
+    to_port     = "0"
+    cidr_blocks = ["0.0.0.0/0"]
+  }]
+
+  # Tagging
+  global_tags = {}
+}

examples/simple/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.15.0, < 6.0"
+    }
+  }
+}
+
+provider "aws" {
+  region            = var.aws_region
+  profile           = var.profile
+  use_fips_endpoint = true
+}

examples/simple/tfvars/example.tfvars

@@ -0,0 +1,5 @@
+aws_region      = "us-east-2"
+profile         = "sandbox"
+vpc_cidr        = "10.2.0.0/24"
+subnet_cidr     = "10.2.0.0/24"
+key_name        = "ec2-module-test"

examples/simple/variables.tf

@@ -0,0 +1,27 @@
+variable "aws_region" {
+  description = "The region where things will be deployed by default"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "key_name" {
+  description = "The name of the EC2 pem key in this directory (without the suffix)"
+  type        = string
+}
+
+variable "profile" {
+  description = "The name of the profile to get AWS credentials from"
+  type        = string
+}
+
+variable "vpc_cidr" {
+  description = "The cidr block for the vpc created for testing the security group"
+  type        = string
+  default     = "10.1.0.0/24"
+}
+
+variable "subnet_cidr" {
+  description = "The cidr block for the subnet created for testing the security group"
+  type        = string
+  default     = "10.1.0.0/24"
+}