Sg module integration #7
Merged
Changes from 18 commits (26 commits in the pull request)
7947934 Added pem files to gitignore (jordan-fry-cf)
eb19a8c Also added lockfile to gitignore (jordan-fry-cf)
61e7252 Initial rework (jordan-fry-cf)
b527e9c Fixed sg edge case (jordan-fry-cf)
094f51d Started EBS rework (jordan-fry-cf)
bff9a30 terraform-docs: automated action (github-actions[bot])
b0ae109 Added sorted maps (jordan-fry-cf)
35086ea Added flag for optional SSMManagedInstanceCore (jordan-fry-cf)
c80053d Resolved merge conflicts (jordan-fry-cf)
7226464 terraform-docs: automated action (github-actions[bot])
86c2105 Added simple deployment example to README with generic variables (jordan-fry-cf)
1854914 Merge branch 'sg-module-integration' of github.com:Coalfire-CF/ACE-AW… (jordan-fry-cf)
30f7263 Updated README examples and formatting (jordan-fry-cf)
5e734bb Updated AWS provider block (jordan-fry-cf)
d35a18e Set up additional EBS volume attachments (jordan-fry-cf)
ee2301c Merged with sg-module-integration branch (jordan-fry-cf)
2e8079e terraform-docs: automated action (github-actions[bot])
f83c1e0 Merge pull request #8 from Coalfire-CF/ebs_rework (jordan-fry-cf)
947a5fa Omitted examples dir from checkov (jordan-fry-cf)
14765fd Removed prefix system for vpc cidr declarations (jordan-fry-cf)
1d8e954 Updated README resource wording for example (jordan-fry-cf)
e271054 Changed sg module to point to git repo (jordan-fry-cf)
a6f0ade Removed version from sg source (jordan-fry-cf)
3a45c9a terraform-docs: automated action (github-actions[bot])
3318bc5 Added source clarification to example module (jordan-fry-cf)
ec46e29 Merge branch 'sg-module-integration' of github.com:Coalfire-CF/ACE-AW… (jordan-fry-cf)
@@ -0,0 +1,38 @@ | ||
resource "aws_ebs_volume" "this" { | ||
count = length(local.additional_ebs_volumes) | ||
|
||
availability_zone = local.additional_ebs_volumes[count.index][0].availability_zone | ||
encrypted = true | ||
size = local.additional_ebs_volumes[count.index][1].size | ||
type = local.additional_ebs_volumes[count.index][1].type | ||
throughput = local.additional_ebs_volumes[count.index][1].throughput | ||
kms_key_id = var.ebs_kms_key_arn | ||
iops = local.additional_ebs_volumes[count.index][1].iops | ||
multi_attach_enabled = local.additional_ebs_volumes[count.index][1].multi_attach_enabled | ||
final_snapshot = local.additional_ebs_volumes[count.index][1].final_snapshot | ||
snapshot_id = local.additional_ebs_volumes[count.index][1].snapshot_id | ||
outpost_arn = local.additional_ebs_volumes[count.index][1].outpost_arn | ||
tags = merge( | ||
{ | ||
Name = var.instance_count == 1 ? var.name : "${var.name}${count.index / var.instance_count + 1}", | ||
AssociatedInstance = local.additional_ebs_volumes[count.index][0].id | ||
ForceDetach = local.additional_ebs_volumes[count.index][1].force_detach | ||
SkipDestroy = local.additional_ebs_volumes[count.index][1].skip_destroy | ||
StopInstanceBeforeDetaching = local.additional_ebs_volumes[count.index][1].stop_instance_before_detaching | ||
DeviceName = local.additional_ebs_volumes[count.index][1].device_name | ||
}, | ||
local.additional_ebs_volumes[count.index][1].tags, | ||
var.global_tags | ||
) | ||
} | ||
|
||
resource "aws_volume_attachment" "this" { | ||
count = length(aws_ebs_volume.this[*]) | ||
|
||
device_name = aws_ebs_volume.this[count.index].tags.DeviceName | ||
instance_id = aws_ebs_volume.this[count.index].tags.AssociatedInstance | ||
volume_id = aws_ebs_volume.this[count.index].id | ||
force_detach = aws_ebs_volume.this[count.index].tags.ForceDetach | ||
skip_destroy = aws_ebs_volume.this[count.index].tags.SkipDestroy | ||
stop_instance_before_detaching = aws_ebs_volume.this[count.index].tags.StopInstanceBeforeDetaching | ||
} |
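Review bot: `aws_volume_attachment` reads `device_name`, `instance_id`, `force_detach`, `skip_destroy` and `stop_instance_before_detaching` back out of the volume's `tags` map, so attachment behaviour is driven by values that are exported to AWS as tags and can be edited outside Terraform; tag values are always strings once stored, so the bool arguments rely on implicit `"true"`/`"false"` conversion, and there is no way to pass an unset (`null`) `force_detach` or `skip_destroy` through a tag. Read these from `local.additional_ebs_volumes[count.index][1]` and `[0].id` directly and keep `tags` for metadata only. Separately, `count.index / var.instance_count + 1` is floating-point division in Terraform, so with `instance_count = 2` the volume at index 1 is named `"${var.name}1.5"`; wrap the quotient in `floor()` and check that the divisor is really meant to be the instance count rather than the number of volumes per instance.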
@@ -1,10 +1,10 @@ | ||
resource "aws_eip" "eip" { | ||
count = var.associate_eip ? 1 * var.instance_count : 0 | ||
vpc = true | ||
count = var.associate_eip ? 1 * var.instance_count : 0 | ||
domain = "vpc" | ||
} | ||
|
||
resource "aws_eip_association" "eip_attach" { | ||
count = var.associate_eip ? 1 * var. instance_count : 0 | ||
count = var.associate_eip ? 1 * var.instance_count : 0 | ||
instance_id = aws_instance.this[count.index].id | ||
allocation_id = aws_eip.eip[count.index].id | ||
} | ||
} |
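Review bot: `1 * var.instance_count` in both `count` expressions is a no-op; simplify to `var.associate_eip ? var.instance_count : 0` so the intent (one EIP per instance) reads directly. The `vpc = true` to `domain = "vpc"` change and the `var. instance_count` typo fix are correct for the 5.x provider, where `vpc` is deprecated.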
@@ -1,42 +1,6 @@ | ||
|
||
//resource "aws_network_interface" "public" { | ||
// count = length(var.additional_enis["public"]) | ||
// subnet_id = var.additional_enis["public"][count.index]["subnet_id"][0] | ||
// security_groups = var.additional_enis["public"][count.index]["security_groups"] | ||
// source_dest_check = var.additional_enis["public"][count.index]["source_dest_check"][0] | ||
// tags = { | ||
// Name = var.additional_enis["public"][count.index]["name"][0] | ||
// } | ||
//} | ||
|
||
//resource "aws_eip" "eip_multi_eni" { | ||
// count = length(var.additional_enis["public"]) | ||
// vpc = true | ||
//} | ||
// | ||
//resource "aws_eip_association" "eip_multi_eni_attach" { | ||
// count = length(var.additional_enis["public"]) | ||
// network_interface_id = aws_network_interface.public[count.index].id | ||
// allocation_id = aws_eip.eip_multi_eni[count.index].id | ||
//} | ||
|
||
//resource "aws_network_interface" "private" { | ||
// count = length(var.additional_enis["private"]) | ||
// subnet_id = var.additional_enis["private"][count.index]["subnet_id"][0] | ||
// security_groups = var.additional_enis["private"][count.index]["security_groups"] | ||
// source_dest_check = var.additional_enis["private"][count.index]["source_dest_check"][0] | ||
// tags = { | ||
// Name = var.additional_enis["private"][count.index]["name"][0] | ||
// } | ||
//} | ||
|
||
//locals { | ||
// eni_ids = concat(aws_network_interface.public.*.id, aws_network_interface.private.*.id) | ||
//} | ||
|
||
resource "aws_network_interface_attachment" "eni_attachment" { | ||
count = length(var.additional_eni_ids) | ||
device_index = count.index + 1 | ||
instance_id = aws_instance.this[0].id | ||
count = length(var.additional_eni_ids) | ||
device_index = count.index + 1 | ||
instance_id = aws_instance.this[0].id | ||
network_interface_id = var.additional_eni_ids[count.index] | ||
} |
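Review bot: `instance_id = aws_instance.this[0].id` attaches every entry of `var.additional_eni_ids` to the first instance only, so with `instance_count > 1` the remaining instances get no additional ENIs while `device_index = count.index + 1` keeps counting as if all of them sat on one host. Either document that additional ENIs are only supported for single-instance deployments and enforce it with a `validation` or `precondition` (`length(var.additional_eni_ids) == 0 || var.instance_count == 1`), or index the instance per attachment the way the EIP association does with `count.index`. Deleting the commented-out `aws_network_interface`/`aws_eip` blocks instead of carrying dead code is the right call.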
@@ -0,0 +1,11 @@ | ||
## EC2 module simple example | ||
|
||
This example creates 2 EC2 instances using the EC2 module, along with a VPC, subnet, and the keys required by the module. | ||
|
||
# Prerequisites | ||
|
||
Generate an EC2 key pair and place the pem key in this directory. Add the pem file to the tfvars file. To match the example tfvars file, run the following command in the terminal while in this directory: | ||
|
||
`aws ec2 create-key-pair --profile sandbox --region us-east-2 --key-type rsa --key-format pem --query "KeyMaterial" --key-name "ec2-module-test" --output text > ec2-module-test.pem` | ||
|
||
Note that `terraform destroy` will NOT remove the key pair from the AWS account as it is not tracked by state. |
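Review bot: the `create-key-pair` command redirects the unencrypted private key into `ec2-module-test.pem` in the examples directory; the README should state that `*.pem` is gitignored (per the first commit in this PR) and that the file should be restricted with `chmod 600 ec2-module-test.pem`, since the same file is read into an SSM parameter and into Terraform state elsewhere in this PR. Also, `# Prerequisites` is a level-1 heading under the level-2 `## EC2 module simple example` title; make it `### Prerequisites`. The note that `terraform destroy` will not delete the key pair is worth keeping; add the matching cleanup command, `aws ec2 delete-key-pair --key-name ec2-module-test`, next to it.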
@@ -0,0 +1,37 @@ | ||
# Requires a .pem file exists in this directory. This should be a generated key-pair (example in README) | ||
data "local_file" "key" { | ||
filename = "${var.key_name}.pem" | ||
} | ||
|
||
resource "aws_ssm_parameter" "ec2_module_key_parameter" { | ||
name = "/test/${var.key_name}.pem" | ||
description = "Private key for EC2 module test build" | ||
type = "SecureString" | ||
value = data.local_file.key.content | ||
} | ||
|
||
resource "aws_kms_key" "ebs_key" { | ||
description = "ebs key for ec2-module" | ||
policy = data.aws_iam_policy_document.ebs_key.json | ||
enable_key_rotation = true | ||
} | ||
|
||
locals { | ||
partition = strcontains(var.aws_region, "gov") ? "aws-gov" : "aws" | ||
} | ||
|
||
data "aws_caller_identity" "current" {} | ||
|
||
data "aws_iam_policy_document" "ebs_key" { | ||
statement { | ||
effect = "Allow" | ||
actions = ["kms:*"] | ||
resources = ["*"] | ||
principals { | ||
type = "AWS" | ||
identifiers = [ | ||
"arn:${local.partition}:iam::${data.aws_caller_identity.current.account_id}:root" | ||
] | ||
} | ||
} | ||
} |
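Review bot: `local.partition` is wrong for GovCloud: the partition name is `aws-us-gov`, not `aws-gov`, so the key policy principal ARN would be invalid in a `us-gov-*` region and `aws_kms_key.ebs_key` creation would fail; use the `aws_partition` data source (`data.aws_partition.current.partition`) instead of deriving it from the region string. Also, `aws_ssm_parameter.ec2_module_key_parameter` stores the private key as a `SecureString` without a `key_id`, so it is encrypted with the account's default `aws/ssm` key rather than a customer-managed key, and the key material sits in plaintext in Terraform state via both `data.local_file.key.content` and the parameter `value`; for an example this is acceptable only if the README says so, and `key_id = aws_kms_key.ebs_key.arn` (or a dedicated key) would be more consistent with the rest of the example.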
@@ -0,0 +1,76 @@ | ||
data "aws_ami" "ami" { | ||
most_recent = true | ||
|
||
filter { | ||
name = "name" | ||
values = ["amzn-ami-hvm-*"] | ||
} | ||
|
||
owners = ["amazon"] | ||
} | ||
|
||
resource "aws_vpc" "main" { | ||
cidr_block = "${var.vpc_cidr_prefix}.0.0/24" | ||
} | ||
|
||
resource "aws_subnet" "main" { | ||
vpc_id = aws_vpc.main.id | ||
cidr_block = "${var.vpc_cidr_prefix}.0.0/24" | ||
} | ||
|
||
module "ec2_test" { | ||
source = "../.." | ||
|
||
name = "ec2-module-test-instance" | ||
|
||
ami = data.aws_ami.ami.id | ||
ec2_instance_type = "t2.micro" | ||
instance_count = 2 | ||
|
||
vpc_id = aws_vpc.main.id | ||
subnet_ids = [aws_subnet.main.id] | ||
|
||
ec2_key_pair = "ec2-module-test" | ||
ebs_kms_key_arn = aws_kms_key.ebs_key.arn | ||
|
||
# EBS | ||
ebs_volumes = [ | ||
{ | ||
device_name = "/dev/sdb" | ||
size = 20 | ||
type = "gp3" | ||
}, | ||
{ | ||
device_name = "/dev/sdc" | ||
size = 20 | ||
type = "gp3" | ||
} | ||
] | ||
|
||
# Storage | ||
root_volume_size = "20" | ||
|
||
# Security Group Rules | ||
ingress_rules = [{ | ||
protocol = "tcp" | ||
from_port = "443" | ||
to_port = "443" | ||
cidr_blocks = [aws_vpc.main.cidr_block] | ||
}, | ||
{ | ||
protocol = "tcp" | ||
from_port = "22" | ||
to_port = "22" | ||
cidr_blocks = [aws_vpc.main.cidr_block] | ||
}] | ||
|
||
egress_rules = [{ | ||
protocol = "-1" | ||
from_port = "0" | ||
to_port = "0" | ||
cidr_blocks = ["0.0.0.0/0"] | ||
}] | ||
|
||
# Tagging | ||
global_tags = {} | ||
} |
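Review bot: the AMI lookup `amzn-ami-hvm-*` with `most_recent = true` selects Amazon Linux 1 images, which are end of life; filter on `al2023-ami-*` (or at least `amzn2-ami-hvm-*`) and add `architecture` and `virtualization-type` filters so `most_recent` cannot drift onto an unintended image. Two smaller points: `aws_subnet.main` takes the whole VPC CIDR and sets no `availability_zone`, which is fine for a test but means the module's EBS volumes are placed wherever the instances land; and `root_volume_size = "20"`, `from_port = "443"`, `to_port = "0"` pass numbers as strings and rely on implicit conversion. The `0.0.0.0/0` egress rule is the usual default, but an example that restricts ingress to the VPC CIDR could restrict egress likewise.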
@@ -0,0 +1,16 @@ | ||
terraform { | ||
required_version = ">= 1.5" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 5.15.0, < 6.0" | ||
} | ||
} | ||
} | ||
|
||
provider "aws" { | ||
region = var.aws_region | ||
profile = var.profile | ||
use_fips_endpoint = true | ||
} |
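Review bot: `use_fips_endpoint = true` is a good default for this module's audience, but it makes the example fail in regions or for services that do not publish FIPS endpoints; note that in the README or expose it as a variable that defaults to `true`. The `>= 5.15.0, < 6.0` provider constraint matches the `domain = "vpc"` change in the EIP resource.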
@@ -0,0 +1,4 @@ | ||
aws_region = "us-east-2" | ||
profile = "sandbox" | ||
vpc_cidr_prefix = "10.2" | ||
|
||
key_name = "ec2-module-test" |
@@ -0,0 +1,21 @@ | ||
variable "aws_region" { | ||
description = "The region where things will be deployed by default" | ||
type = string | ||
default = "us-east-1" | ||
} | ||
|
||
variable "key_name" { | ||
description = "The name of the EC2 pem key in this directory (without the suffix)" | ||
type = string | ||
} | ||
|
||
variable "profile" { | ||
description = "The name of the profile to get AWS credentials from" | ||
type = string | ||
} | ||
|
||
variable "vpc_cidr_prefix" { | ||
description = "The cidr block for the vpc created for testing the security group" | ||
type = string | ||
default = "10.0" | ||
} |
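Review bot: `vpc_cidr_prefix` is a free-form string that is only valid when it is exactly two dotted octets, because it is interpolated as `"${var.vpc_cidr_prefix}.0.0/24"`; add a `validation` block (for example `condition = can(cidrhost("${var.vpc_cidr_prefix}.0.0/24", 0))`) or take a full CIDR and derive the subnet with `cidrsubnet()`. Its description, "the vpc created for testing the security group", was copied from the security group module and should describe this EC2 example. `aws_region` defaults to `us-east-1` while the committed tfvars uses `us-east-2`; that is fine, but worth stating in the README.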
The way this reads, it creates a VPC itself. VPC and networking should only be done in the networking module. This module should only take networking info as vars.
So are you opting that we remove the VPC completely from the example?
@douglas-f you good to close this out?