generated from plus3it/repo-template
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathmain.tf
191 lines (172 loc) · 6.82 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_iam_policy_document" "lambda" {
statement {
sid = "AllowS3Object"
actions = [
"s3:PutObject",
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging",
]
resources = ["arn:${data.aws_partition.current.partition}:s3:::${var.s3_bucket}/*"]
}
statement {
actions = [
"ses:SendEmail",
"ses:SendTemplatedEmail",
"ses:TestRenderTemplate"
]
resources = [
"*"
]
}
statement {
sid = "AllowAssumeRole"
actions = [
"sts:AssumeRole"
]
resources = [
"arn:${data.aws_partition.current.partition}:iam::*:role/${var.assume_role_name}"
]
}
}
module "lambda" {
source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v7.20.1"
description = "Lambda function for Key Enforcement"
function_name = var.project_name
handler = "iam_key_enforcer.lambda_handler"
tags = var.tags
attach_policy_json = true
policy_json = data.aws_iam_policy_document.lambda.json
artifacts_dir = var.lambda.artifacts_dir
build_in_docker = var.lambda.build_in_docker
create_package = var.lambda.create_package
ignore_source_code_hash = var.lambda.ignore_source_code_hash
local_existing_package = var.lambda.local_existing_package
recreate_missing_package = var.lambda.recreate_missing_package
ephemeral_storage_size = var.lambda.ephemeral_storage_size
runtime = var.lambda.runtime
s3_bucket = var.lambda.s3_bucket
s3_existing_package = var.lambda.s3_existing_package
s3_prefix = var.lambda.s3_prefix
store_on_s3 = var.lambda.store_on_s3
timeout = var.lambda.timeout
environment_variables = {
LOG_LEVEL = var.log_level
EMAIL_ADMIN_REPORT_ENABLED = var.email_admin_report_enabled
EMAIL_ADMIN_REPORT_SUBJECT = var.email_admin_report_subject
EMAIL_SOURCE = var.email_source
ADMIN_EMAIL = var.admin_email
KEY_AGE_WARNING = var.key_age_warning
KEY_AGE_INACTIVE = var.key_age_inactive
KEY_AGE_DELETE = var.key_age_delete
KEY_USE_THRESHOLD = var.key_use_threshold
S3_ENABLED = var.s3_enabled
S3_BUCKET = var.s3_bucket
EMAIL_TAG = var.email_tag
EMAIL_BANNER_MSG = var.email_banner_message
EMAIL_BANNER_MSG_COLOR = var.email_banner_message_color
EMAIL_USER_TEMPLATE = aws_ses_template.user_template.id
EMAIL_ADMIN_TEMPLATE = aws_ses_template.admin_template.id
}
source_path = [
{
path = "${path.module}/src/python",
prefix_in_zip = ""
pip_requirements = true
patterns = var.lambda.source_path.patterns
},
]
}
resource "aws_lambda_permission" "this" {
action = "lambda:InvokeFunction"
function_name = module.lambda.lambda_function_name
principal = "events.amazonaws.com"
source_arn = "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:rule/${var.project_name}-*"
}
##############################
# SQS Queue Policy
##############################
resource "aws_sqs_queue_policy" "this" {
queue_url = aws_sqs_queue.this.id
policy = jsonencode(
{
Version = "2012-10-17",
Id = "sqspolicy",
Statement : [
{
Sid = "AllowSend",
Effect = "Allow",
Principal = "*",
Action = "sqs:SendMessage",
Resource = aws_sqs_queue.this.arn,
Condition = {
"ArnLike" : {
"aws:SourceArn" : "arn:${data.aws_partition.current.partition}:events:*:*:rule/${var.project_name}-*"
}
}
},
{
Sid = "AllowRead",
Effect = "Allow",
"Principal" : {
"AWS" : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
},
Action = "sqs:ReceiveMessage",
Resource = aws_sqs_queue.this.arn,
}
]
}
)
}
##############################
# SQS Queue
##############################
resource "aws_sqs_queue" "this" {
name = "${var.project_name}-dlq"
message_retention_seconds = 1209600
receive_wait_time_seconds = 20
visibility_timeout_seconds = 30
tags = var.tags
}
##############################
# Schedule Event
##############################
module "scheduled_events" {
source = "./modules/scheduled_event"
for_each = { for account in var.accounts : account.account_name => account }
event_name = each.value.account_name
event_rule_description = "Scheduled Event that runs IAM Key Enforcer Lambda for account ${each.value.account_number} - ${each.value.account_name}"
lambda_arn = module.lambda.lambda_function_arn
project_name = var.project_name
tags = var.tags
schedule_expression = var.schedule_expression != null ? var.schedule_expression : each.value.schedule_expression
dead_letter_config = {
arn = aws_sqs_queue.this.arn
}
input_transformer = {
input_template = jsonencode({
"account_number" : each.value.account_number,
"account_name" : each.value.account_name,
"role_arn" : "arn:${data.aws_partition.current.partition}:iam::${each.value.account_number}:role/${var.assume_role_name}",
"armed" : each.value.armed,
"debug" : each.value.debug,
"email_targets" : each.value.email_targets,
"exempt_groups" : each.value.exempt_groups,
"email_user_enabled" : each.value.email_user_enabled,
})
}
}
resource "aws_ses_template" "user_template" {
name = "${var.project_name}-user"
html = var.email_templates.user.html != null ? var.email_templates.user.html : file("${path.module}/email_templates/user_email.html")
subject = var.email_templates.user.subject != null ? var.email_templates.user.subject : "IAM User Key {{armed_state_msg}} for {{user_name}}"
text = var.email_templates.user.text != null ? var.email_templates.user.text : file("${path.module}/email_templates/user_email.txt")
}
resource "aws_ses_template" "admin_template" {
name = "${var.project_name}-admin"
html = var.email_templates.admin.html != null ? var.email_templates.admin.html : file("${path.module}/email_templates/admin_email.html")
subject = var.email_templates.admin.subject != null ? var.email_templates.admin.subject : "IAM Key Enforcement Report for {{account_number}}"
text = var.email_templates.admin.text != null ? var.email_templates.admin.text : file("${path.module}/email_templates/admin_email.txt")
}