Adding yaml catalog (#31)

* Adding config_yaml module compatibility and catalog of metrics and alarsm

* Adding config_yaml module compatibility and catalog of metrics and alarsm

* Auto Format

* updating docs and fmt

* updating docs and fmt

* Adding link and description for CIS and moving non cis alers to custom file

* scaping yaml

* scaping yaml

* Adding link

Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com>

README.md

@@ -99,20 +99,36 @@ The table below correctly indicates which inputs are required.
 
 
 ```hcl
+module "metric_configs" {
+  source  = "cloudposse/config/yaml"
+  # Cloud Posse recommends pinning every module to a specific version
+  # version     = "x.x.x"
+
+  map_config_local_base_path = "./catalog"
+  map_config_paths           = "*.yaml"
+
+  context = module.this.context
+}
+
 module "cloudtrail_api_alarms" {
-  source         = "git::https://github.com/cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms.git"
-  region         = "${var.region}"
+  source  = "cloudposse/cloudtrail-cloudwatch-alarms/aws"
+  # Cloud Posse recommends pinning every module to a specific version
+  # version     = "x.x.x"
+
   log_group_name = "${aws_cloudwatch_log_group.default.name}"
+  metrics = module.metric_configs.map_configs
 }
 ```
-For detailed usage which includes setting up cloudtrail, cloudwatch logs, roles, policies, and the s3 bucket - as well as using this module see the [example directory](./examples/simple)
+For detailed usage which includes setting up cloudtrail, cloudwatch logs, roles, policies, and the s3 bucket - as well as using this module see the [example directory](./examples/complete)
+
+For aditional CIS rules and controls https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.8
 
 
 
 
 ## Examples
 
-Here's a complete [example](examples/simple/main.tf) of using this `terraform-aws-cloudtrail-cloudwatch-alarms` module.
+Here's a complete [example](examples/complete/main.tf) of using this `terraform-aws-cloudtrail-cloudwatch-alarms` module.
 
 
 
@@ -130,6 +146,25 @@ Here's a complete [example](examples/simple/main.tf) of using this `terraform-aw
 |------|---------|
 | aws | >= 2.0 |
 
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| this | cloudposse/label/null | 0.24.1 |
+
+## Resources
+
+| Name |
+|------|
+| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
+| [aws_cloudwatch_dashboard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_dashboard) |
+| [aws_cloudwatch_log_metric_filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) |
+| [aws_cloudwatch_metric_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
+| [aws_sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) |
+| [aws_sns_topic_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -150,6 +185,7 @@ Here's a complete [example](examples/simple/main.tf) of using this `terraform-aw
 | log\_group\_name | The cloudtrail cloudwatch log group name | `string` | n/a | yes |
 | log\_group\_region | The log group region that should be monitored for unauthorised AWS API Access. Current region used if none provided. | `string` | `""` | no |
 | metric\_namespace | A namespace for grouping all of the metrics together | `string` | `"CISBenchmark"` | no |
+| metrics | The cloudwatch metrics and corresponding alarm definitions | <pre>map(object({<br>    name                      = string<br>    filter_pattern            = string<br>    metric_namespace          = string<br>    metric_value              = string<br>    alarm_comparison_operator = string<br>    alarm_evaluation_periods  = string<br>    alarm_period              = string<br>    alarm_statistic           = string<br>    alarm_treat_missing_data  = string<br>    alarm_threshold           = string<br>    alarm_description         = string<br>  }))</pre> | `{}` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
@@ -165,7 +201,6 @@ Here's a complete [example](examples/simple/main.tf) of using this `terraform-aw
 | dashboard\_combined | URL to CloudWatch Combined Metric Dashboard |
 | dashboard\_individual | URL to CloudWatch Individual Metric Dashboard |
 | sns\_topic\_arn | The ARN of the SNS topic used |
-
 <!-- markdownlint-restore -->
 ## Metrics Tracked
 
@@ -358,8 +393,8 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
 ### Contributors
 
 <!-- markdownlint-disable -->
-|  [![Erik Osterman][osterman_avatar]][osterman_homepage]<br/>[Erik Osterman][osterman_homepage] | [![Jamie Nelson][Jamie-BitFlight_avatar]][Jamie-BitFlight_homepage]<br/>[Jamie Nelson][Jamie-BitFlight_homepage] | [![Anton Babenko][antonbabenko_avatar]][antonbabenko_homepage]<br/>[Anton Babenko][antonbabenko_homepage] |
-|---|---|---|
+|  [![Erik Osterman][osterman_avatar]][osterman_homepage]<br/>[Erik Osterman][osterman_homepage] | [![Jamie Nelson][Jamie-BitFlight_avatar]][Jamie-BitFlight_homepage]<br/>[Jamie Nelson][Jamie-BitFlight_homepage] | [![Anton Babenko][antonbabenko_avatar]][antonbabenko_homepage]<br/>[Anton Babenko][antonbabenko_homepage] | [![PePe Amengual][jamengual_avatar]][jamengual_homepage]<br/>[PePe Amengual][jamengual_homepage] |
+|---|---|---|---|
 <!-- markdownlint-restore -->
 
 
@@ -374,6 +409,9 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
   [antonbabenko_homepage]: https://github.com/antonbabenko
   [antonbabenko_avatar]: https://avatars3.githubusercontent.com/u/393243?s=144&v=4
 
+  [jamengual_homepage]: https://github.com/jamengual
+  [jamengual_avatar]: https://avatars.githubusercontent.com/u/2208324?s=144&v=4
+
 
 [![README Footer][readme_footer_img]][readme_footer_link]
 [![Beacon][beacon]][website]

README.yaml

@@ -82,18 +82,34 @@ description: |-
 # How to use this project
 usage: |-
   ```hcl
+  module "metric_configs" {
+    source  = "cloudposse/config/yaml"
+    # Cloud Posse recommends pinning every module to a specific version
+    # version     = "x.x.x"
+
+    map_config_local_base_path = "./catalog"
+    map_config_paths           = "*.yaml"
+
+    context = module.this.context
+  }
+
   module "cloudtrail_api_alarms" {
-    source         = "git::https://github.com/cloudposse/terraform-aws-cloudtrail-cloudwatch-alarms.git"
-    region         = "${var.region}"
+    source  = "cloudposse/cloudtrail-cloudwatch-alarms/aws"
+    # Cloud Posse recommends pinning every module to a specific version
+    # version     = "x.x.x"
+
     log_group_name = "${aws_cloudwatch_log_group.default.name}"
+    metrics = module.metric_configs.map_configs
   }
   ```
-  For detailed usage which includes setting up cloudtrail, cloudwatch logs, roles, policies, and the s3 bucket - as well as using this module see the [example directory](./examples/simple)
+  For detailed usage which includes setting up cloudtrail, cloudwatch logs, roles, policies, and the s3 bucket - as well as using this module see the [example directory](./examples/complete)
+
+  For aditional CIS rules and controls https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-3.8
 
 
 # Example usage
 examples: |-
-  Here's a complete [example](examples/simple/main.tf) of using this `terraform-aws-cloudtrail-cloudwatch-alarms` module.
+  Here's a complete [example](examples/complete/main.tf) of using this `terraform-aws-cloudtrail-cloudwatch-alarms` module.
 
 # How to get started quickly
 #quickstart: |-
@@ -119,3 +135,6 @@ contributors:
     homepage: "https://github.com/antonbabenko"
     avatar: "https://avatars3.githubusercontent.com/u/393243?s=144&v=4"
     github: "antonbabenko"
+  - name: "PePe Amengual"
+    avatar: "https://avatars.githubusercontent.com/u/2208324?s=144&v=4"
+    github: "jamengual"

alarms.tf

@@ -9,34 +9,35 @@ locals {
 
   metric_namespace = var.metric_namespace
   metric_value     = "1"
+  metrics_index    = values(var.metrics)
 }
 
 resource "aws_cloudwatch_log_metric_filter" "default" {
-  count          = module.this.enabled ? length(local.metrics) : 0
-  name           = join(module.this.delimiter, [local.metrics[count.index].name, "filter"])
-  pattern        = local.metrics[count.index].filter_pattern
+  for_each       = module.this.enabled ? var.metrics : {}
+  name           = join(module.this.delimiter, [each.value.name, "filter"])
+  pattern        = each.value.filter_pattern
   log_group_name = var.log_group_name
 
   metric_transformation {
-    name      = local.metrics[count.index].name
-    namespace = local.metric_namespace
-    value     = local.metric_value
+    name      = each.value.name
+    namespace = each.value.metric_namespace
+    value     = each.value.metric_value
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "default" {
-  count               = module.this.enabled ? length(local.metrics) : 0
-  alarm_name          = join(module.this.delimiter, [local.metrics[count.index].name, "alarm"])
-  comparison_operator = "GreaterThanOrEqualToThreshold"
-  evaluation_periods  = "1"
-  metric_name         = local.metrics[count.index].name
-  namespace           = local.metric_namespace
+  for_each            = module.this.enabled ? var.metrics : {}
+  alarm_name          = join(module.this.delimiter, [each.value.name, "alarm"])
+  comparison_operator = each.value.alarm_comparison_operator
+  evaluation_periods  = each.value.alarm_evaluation_periods
+  metric_name         = each.value.name
+  namespace           = each.value.metric_namespace
   # Period is in seconds (300 seconds == 5 mins)
-  period             = "300"
-  statistic          = "Sum"
-  treat_missing_data = "notBreaching"
-  threshold          = local.metrics[count.index].name == "ConsoleSignInFailureCount" ? "3" : "1"
-  alarm_description  = local.metrics[count.index].description
+  period             = each.value.alarm_period
+  statistic          = each.value.alarm_statistic
+  treat_missing_data = each.value.alarm_treat_missing_data
+  threshold          = each.value.alarm_threshold
+  alarm_description  = each.value.alarm_description
   alarm_actions      = local.endpoints
   tags               = module.this.tags
 }
@@ -55,8 +56,8 @@ resource "aws_cloudwatch_dashboard" "combined" {
         height = 16
         properties = {
           metrics = [
-            for metric in local.metrics :
-            [local.metric_namespace, metric.name]
+            for metric in var.metrics :
+            [metric.metric_namespace, metric.name]
           ]
           period = 300
           stat   = "Sum"
@@ -81,7 +82,7 @@ resource "aws_cloudwatch_dashboard" "individual" {
 
   dashboard_body = jsonencode({
     widgets = [
-      for index, metric in local.metrics :
+      for index, metric in local.metrics_index :
       {
         type   = "metric"
         x      = local.layout_x[index]
@@ -90,7 +91,7 @@ resource "aws_cloudwatch_dashboard" "individual" {
         height = 6
         properties = {
           metrics = [
-            [local.metric_namespace, metric.name]
+            [metric.metric_namespace, metric.name]
           ]
           period = 300
           stat   = "Sum"