terraform-runtask-iam-access-analyzer

Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.

Prerequisites

To use this module you need have the following:

1. AWS account and credentials
2. Terraform Cloud with Run Task entitlement (Business subscription or higher)

Usage

• Build and package the Lambda files

  make all
  

• Refer to the module_workspace for steps to deploy this module in Terraform Cloud.

• After you deployed the module_workspace, navigate to your Terraform Cloud organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.

• You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the demo_workspace for more details.

Limitations

1. Does not provide verbose error / warning messages in Run Task console. In the future, we will explore possibility to provide verbose logging.

2. Does not support Terraform computed resources.

For example, the tool will report no IAM policy found for the following Terraform template. The policy json string is a computed resource. The plan output doesn't contain information of IAM policy document.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:GetObject",
        ]
        Effect   = "Allow"
        Resource = "${aws_s3_bucket.b.id}"
      }
    ]
  })
}

Best practice

• Do not re-use the Run Tasks URL across different trust-boundary (organizations, accounts, team). We recommend you to deploy separate Run Task deployment per trust-boundary.

• Do not use Run Tasks URL from untrusted party, remember that Run Tasks execution sent Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URL.

• Enable the AWS WAF setup by setting variable deploy_waf to true (additional cost will apply). This will add WAF protection to the Run Tasks URL endpoint.

• We recommend you to setup additional CloudWatch alarm to monitor Lambda concurrency and WAF rules.

Requirements

Name	Version
terraform	>= 1.0.7
archive	~>2.2.0
aws	>= 3.73.0, < 5.0.0
random	>=3.4.0
tfe	~>0.38.0

Providers

Name	Version
archive	~>2.2.0
aws	>= 3.73.0, < 5.0.0
aws.cloudfront_waf	>= 3.73.0, < 5.0.0
random	>=3.4.0
tfe	~>0.38.0

Modules

Name	Source	Version
runtask_cloudfront	terraform-aws-modules/cloudfront/aws	3.2.1

Resources

Name	Type
aws_cloudfront_origin_request_policy.runtask_cloudfront	resource
aws_cloudwatch_event_rule.runtask_rule	resource
aws_cloudwatch_event_target.runtask_target	resource
aws_cloudwatch_log_group.runtask_callback	resource
aws_cloudwatch_log_group.runtask_eventbridge	resource
aws_cloudwatch_log_group.runtask_fulfillment	resource
aws_cloudwatch_log_group.runtask_fulfillment_output	resource
aws_cloudwatch_log_group.runtask_request	resource
aws_cloudwatch_log_group.runtask_states	resource
aws_cloudwatch_log_group.runtask_waf	resource
aws_iam_role.runtask_callback	resource
aws_iam_role.runtask_eventbridge	resource
aws_iam_role.runtask_fulfillment	resource
aws_iam_role.runtask_request	resource
aws_iam_role.runtask_rule	resource
aws_iam_role.runtask_states	resource
aws_iam_role_policy.runtask_eventbridge	resource
aws_iam_role_policy.runtask_fulfillment	resource
aws_iam_role_policy.runtask_rule	resource
aws_iam_role_policy.runtask_states	resource
aws_iam_role_policy_attachment.runtask_callback	resource
aws_iam_role_policy_attachment.runtask_eventbridge	resource
aws_iam_role_policy_attachment.runtask_fulfillment	resource
aws_iam_role_policy_attachment.runtask_request	resource
aws_kms_alias.runtask_key	resource
aws_kms_alias.runtask_waf	resource
aws_kms_key.runtask_key	resource
aws_kms_key.runtask_waf	resource
aws_lambda_function.runtask_callback	resource
aws_lambda_function.runtask_eventbridge	resource
aws_lambda_function.runtask_fulfillment	resource
aws_lambda_function.runtask_request	resource
aws_lambda_function_url.runtask_eventbridge	resource
aws_secretsmanager_secret.runtask_cloudfront	resource
aws_secretsmanager_secret.runtask_hmac	resource
aws_secretsmanager_secret_version.runtask_cloudfront	resource
aws_secretsmanager_secret_version.runtask_hmac	resource
aws_sfn_state_machine.runtask_states	resource
aws_wafv2_web_acl.runtask_waf	resource
aws_wafv2_web_acl_logging_configuration.runtask_waf	resource
random_uuid.runtask_cloudfront	resource
random_uuid.runtask_hmac	resource
tfe_organization_run_task.aws_iam_analyzer	resource
archive_file.runtask_callback	data source
archive_file.runtask_eventbridge	data source
archive_file.runtask_fulfillment	data source
archive_file.runtask_request	data source
aws_caller_identity.current_account	data source
aws_iam_policy.aws_lambda_basic_execution_role	data source
aws_iam_policy_document.runtask_key	data source
aws_iam_policy_document.runtask_waf	data source
aws_partition.current_partition	data source
aws_region.cloudfront_region	data source
aws_region.current_region	data source

Inputs

Name	Description	Type	Default	Required
aws_region	The region from which this module will be executed.	string	n/a	yes
tfc_org	Terraform Organization name	string	n/a	yes
cloudwatch_log_group_name	RunTask CloudWatch log group name	string	"/hashicorp/terraform/runtask/iam-access-analyzer/"	no
cloudwatch_log_group_retention	Lambda CloudWatch log group retention period	string	"365"	no
deploy_waf	Set to true to deploy CloudFront and WAF in front of the Lambda function URL	string	false	no
event_bus_name	EventBridge event bus name	string	"default"	no
event_source	EventBridge source name	string	"app.terraform.io"	no
lambda_default_timeout	Lambda default timeout in seconds	number	30	no
lambda_reserved_concurrency	Maximum Lambda reserved concurrency, make sure your AWS quota is sufficient	number	100	no
name_prefix	Name to be used on all the resources as identifier.	string	"aws-ia2"	no
recovery_window	Numbers of day Number of days that AWS Secrets Manager waits before it can delete the secret	number	0	no
runtask_stages	List of all supported RunTask stages	list(string)	[ "pre_plan", "post_plan", "pre_apply" ]	no
supported_policy_document	(Optional) allow list of the supported IAM policy document	string	""	no
waf_managed_rule_set	List of AWS Managed rules to use inside the WAF ACL	list(map(string))	[ { "metric_suffix": "common", "name": "AWSManagedRulesCommonRuleSet", "priority": 10, "vendor_name": "AWS" }, { "metric_suffix": "bad_input", "name": "AWSManagedRulesKnownBadInputsRuleSet", "priority": 20, "vendor_name": "AWS" } ]	no
waf_rate_limit	Rate limit for request coming to WAF	number	100	no
workspace_prefix	TFC workspace name prefix that allowed to run this runtask	string	""	no

Outputs

Name	Description
runtask_hmac	HMAC key value, keep this sensitive data safe
runtask_id	The Run Tasks id configured in Terraform Cloud
runtask_url	The Run Tasks URL endpoint, you can use this to configure the Run Task setup in Terraform Cloud