Add environment override (#281)
* Update environment variable handling in `locals.tf` and `variables.tf`

* Add instructions to override Terraform workspace name

* Clarify instruction for overriding workspace name

* Update environment variable description in variables.tf

* Rename `production_workspace` to `production_environment`

* Rename production_workspace to production_environment for clarity

* Refactor `production_environment` to use local variable

* Fix production_environment and production_workspace coalesce order
adampie authored Aug 2, 2024
1 parent aac8c96 commit 2a299b9
Showing 16 changed files with 48 additions and 25 deletions.
1 change: 1 addition & 0 deletions .pre-commit-config.yaml
Expand Up @@ -51,6 +51,7 @@ repos:
args:
- --zero-exit
exclude: .\.tf | ^\.github/
additional_dependencies: ["setuptools"]
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.77.0
hooks:
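Review bot: The added `additional_dependencies: ["setuptools"]` is unpinned, so the hook environment installs whatever setuptools release the index serves at hook-install time, which makes the pre-commit environment non-reproducible and widens the supply-chain surface compared with the pinned `rev: v1.77.0` used for the hook repositories themselves. Pin it, e.g. `additional_dependencies: ["setuptools==<pinned-version>"]`, and bump it deliberately. The repo entry this hook belongs to starts above the hunk, so I cannot see which hook actually needs setuptools.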
2 changes: 1 addition & 1 deletion docs/bugcrowd.md
Expand Up @@ -21,7 +21,7 @@
* by default this will be the `prd` Terraform workspace
* if you have chosen a different Terraform workspace name for production, update Terraform variable:
```
production_workspace = "prd"
production_environment = "prd"
```
* Bugcrowd issues are only created for vulnerability types which don't support automated takeover

2 changes: 1 addition & 1 deletion docs/hackerone.md
Expand Up @@ -20,7 +20,7 @@ to help organisations improve their security and stay ahead of threats
* by default this will be the `prd` Terraform workspace
* if you have chosen a different Terraform workspace name for production, update Terraform variable:
```
production_workspace = "prd"
production_environment = "prd"
```
* HackerOne issues are only created for vulnerability types which don't support automated takeover

11 changes: 11 additions & 0 deletions docs/installation.md
Expand Up @@ -95,6 +95,17 @@ terraform plan
terraform apply
```

### Overriding workspace/environment name

If you're using external tooling or systems where `terraform.workspace` works differently, you can override the value by setting the `environment` variable.

```hcl
# terraform.tfvars
environment="prod" # used instead of terraform.workspace
```

Make sure to also update `production_environment` to match the `environment` variable when deploying to production.

## Adding notifications to extra Slack channels

* add an extra channel to your slack_channels variable list
2 changes: 1 addition & 1 deletion lambda_code/cloudflare_scan/cloudflare_scan.py
Expand Up @@ -19,7 +19,7 @@
bugcrowd = os.environ["BUGCROWD"]
hackerone = os.environ["HACKERONE"]
env_name = os.environ["ENVIRONMENT"]
production_env = os.environ["PRODUCTION_WORKSPACE"]
production_env = os.environ["PRODUCTION_ENVIRONMENT"]


def process_vulnerability(domain, account_name, resource_type, vulnerability_type, takeover=""):
2 changes: 1 addition & 1 deletion lambda_code/scan/scan.py
Expand Up @@ -24,7 +24,7 @@
bugcrowd = os.environ["BUGCROWD"]
hackerone = os.environ["HACKERONE"]
env_name = os.environ["ENVIRONMENT"]
production_env = os.environ["PRODUCTION_WORKSPACE"]
production_env = os.environ["PRODUCTION_ENVIRONMENT"]


def process_vulnerability(domain, account_name, resource_type, vulnerability_type, takeover=""):
2 changes: 1 addition & 1 deletion lambda_code/scan_ips/scan_ips.py
Expand Up @@ -25,7 +25,7 @@
bugcrowd = os.environ["BUGCROWD"]
hackerone = os.environ["HACKERONE"]
env_name = os.environ["ENVIRONMENT"]
production_env = os.environ["PRODUCTION_WORKSPACE"]
production_env = os.environ["PRODUCTION_ENVIRONMENT"]
ip_time_limit = os.environ["IP_TIME_LIMIT"]


5 changes: 3 additions & 2 deletions locals.tf
@@ -1,4 +1,5 @@
locals {
env = lower(terraform.workspace)
takeover = var.takeover == true && local.env == var.production_workspace ? true : false
env = coalesce(var.environment, lower(terraform.workspace))
production_environment = coalesce(var.production_environment, var.production_workspace)
takeover = var.takeover == true && local.env == var.production_workspace ? true : false
}
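Review bot: The rewritten `takeover` line still gates on `var.production_workspace` while `env` and every schedule selection in main.tf now use `local.production_environment`, so a deployment that sets `production_environment` as docs/installation.md instructs compares the takeover gate against the deprecated variable's default and the two gates can disagree. Change it to `takeover = var.takeover == true && local.env == local.production_environment ? true : false`. Separately, `env` is only lowercased on the `terraform.workspace` path; an `environment` override is used verbatim, so `env = lower(coalesce(var.environment, terraform.workspace))` would keep the comparison case-insensitive on both paths. Which of the two identical-looking `takeover` lines is the new one is inferred from the section's addition/deletion counts, since the rendered page dropped the markers.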
22 changes: 11 additions & 11 deletions main.tf
Expand Up @@ -99,14 +99,14 @@ module "lambda-scan" {
kms_arn = module.kms.kms_arn
sns_topic_arn = module.sns.sns_topic_arn
dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
production_workspace = var.production_workspace
bugcrowd = var.bugcrowd
bugcrowd_api_key = var.bugcrowd_api_key
bugcrowd_email = var.bugcrowd_email
bugcrowd_state = var.bugcrowd_state
hackerone = var.hackerone
hackerone_api_token = var.hackerone_api_token
environment = local.env
production_environment = local.production_environment
}

module "lambda-takeover" {
Expand Down Expand Up @@ -171,7 +171,7 @@ module "cloudwatch-event" {
lambda_function_alias_names = module.lambda.lambda_function_alias_names
schedule = var.reports_schedule
takeover = local.takeover
update_schedule = local.env == var.production_workspace ? var.update_schedule : var.update_schedule_nonprod
update_schedule = local.env == local.production_environment ? var.update_schedule : var.update_schedule_nonprod
update_lambdas = var.update_lambdas
environment = local.env
}
Expand All @@ -185,7 +185,7 @@ module "resources-event" {
lambda_function_alias_names = module.lambda-resources[0].lambda_function_alias_names
schedule = var.reports_schedule
takeover = local.takeover
update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
update_lambdas = var.update_lambdas
environment = local.env
}
Expand All @@ -196,9 +196,9 @@ module "accounts-event" {
lambda_function_arns = module.lambda-accounts.lambda_function_arns
lambda_function_names = module.lambda-accounts.lambda_function_names
lambda_function_alias_names = module.lambda-accounts.lambda_function_alias_names
schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
takeover = local.takeover
update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
update_lambdas = var.update_lambdas
environment = local.env
}
Expand Down Expand Up @@ -236,7 +236,7 @@ module "lambda-cloudflare" {
org_primary_account = var.org_primary_account
sns_topic_arn = module.sns.sns_topic_arn
dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
production_workspace = var.production_workspace
production_environment = local.production_environment
bugcrowd = var.bugcrowd
bugcrowd_api_key = var.bugcrowd_api_key
bugcrowd_email = var.bugcrowd_email
Expand All @@ -253,9 +253,9 @@ module "cloudflare-event" {
lambda_function_arns = module.lambda-cloudflare[0].lambda_function_arns
lambda_function_names = module.lambda-cloudflare[0].lambda_function_names
lambda_function_alias_names = module.lambda-cloudflare[0].lambda_function_alias_names
schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
takeover = local.takeover
update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
update_lambdas = var.update_lambdas
environment = local.env
}
Expand Down Expand Up @@ -337,7 +337,7 @@ module "lambda-scan-ips" {
kms_arn = module.kms.kms_arn
sns_topic_arn = module.sns.sns_topic_arn
dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
production_workspace = var.production_workspace
production_environment = local.production_environment
allowed_regions = var.allowed_regions
ip_time_limit = var.ip_time_limit
bugcrowd = var.bugcrowd
Expand Down Expand Up @@ -389,9 +389,9 @@ module "accounts-event-ips" {
lambda_function_arns = module.lambda-accounts-ips[0].lambda_function_arns
lambda_function_names = module.lambda-accounts-ips[0].lambda_function_names
lambda_function_alias_names = module.lambda-accounts-ips[0].lambda_function_alias_names
schedule = local.env == var.production_workspace ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
takeover = local.takeover
update_schedule = local.env == var.production_workspace ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
update_schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
update_lambdas = var.update_lambdas
environment = local.env
}
2 changes: 1 addition & 1 deletion terraform-modules/lambda-cloudflare/main.tf
Expand Up @@ -54,7 +54,7 @@ resource "aws_lambda_function" "lambda" {
PROJECT = var.project
SNS_TOPIC_ARN = var.sns_topic_arn
ENVIRONMENT = var.environment
PRODUCTION_WORKSPACE = var.production_workspace
PRODUCTION_ENVIRONMENT = var.production_environment
BUGCROWD = var.bugcrowd
BUGCROWD_API_KEY = var.bugcrowd_api_key
BUGCROWD_EMAIL = var.bugcrowd_email
2 changes: 1 addition & 1 deletion terraform-modules/lambda-cloudflare/variables.tf
Expand Up @@ -11,7 +11,7 @@ variable "external_id" {}
variable "org_primary_account" {}
variable "sns_topic_arn" {}
variable "dlq_sns_topic_arn" {}
variable "production_workspace" {}
variable "production_environment" {}
variable "bugcrowd" {}
variable "bugcrowd_api_key" {}
variable "bugcrowd_email" {}
2 changes: 1 addition & 1 deletion terraform-modules/lambda-scan-ips/main.tf
Expand Up @@ -52,7 +52,7 @@ resource "aws_lambda_function" "lambda" {
PROJECT = var.project
SNS_TOPIC_ARN = var.sns_topic_arn
ENVIRONMENT = var.environment
PRODUCTION_WORKSPACE = var.production_workspace
PRODUCTION_ENVIRONMENT = var.production_environment
ALLOWED_REGIONS = var.allowed_regions
IP_TIME_LIMIT = var.ip_time_limit
BUGCROWD = var.bugcrowd
2 changes: 1 addition & 1 deletion terraform-modules/lambda-scan-ips/variables.tf
Expand Up @@ -10,7 +10,7 @@ variable "platform" {}
variable "memory_size" {}
variable "sns_topic_arn" {}
variable "dlq_sns_topic_arn" {}
variable "production_workspace" {}
variable "production_environment" {}
variable "allowed_regions" {}
variable "ip_time_limit" {}
variable "bugcrowd" {}
2 changes: 1 addition & 1 deletion terraform-modules/lambda-scan/main.tf
Expand Up @@ -52,7 +52,7 @@ resource "aws_lambda_function" "lambda" {
PROJECT = var.project
SNS_TOPIC_ARN = var.sns_topic_arn
ENVIRONMENT = var.environment
PRODUCTION_WORKSPACE = var.production_workspace
PRODUCTION_ENVIRONMENT = var.production_environment
BUGCROWD = var.bugcrowd
BUGCROWD_API_KEY = var.bugcrowd_api_key
BUGCROWD_EMAIL = var.bugcrowd_email
2 changes: 1 addition & 1 deletion terraform-modules/lambda-scan/variables.tf
Expand Up @@ -10,7 +10,7 @@ variable "platform" {}
variable "memory_size" {}
variable "sns_topic_arn" {}
variable "dlq_sns_topic_arn" {}
variable "production_workspace" {}
variable "production_environment" {}
variable "bugcrowd" {}
variable "bugcrowd_api_key" {}
variable "bugcrowd_email" {}
12 changes: 11 additions & 1 deletion variables.tf
Expand Up @@ -85,8 +85,18 @@ variable "update_lambdas" {
type = list(any)
}

variable "environment" {
description = "Environment deploying to, defaults to terraform.workspace - optionally enter in tfvars file"
default = ""
}

variable "production_environment" {
description = "Name of production environment - takeover is only turned on in this environment"
default = ""
}

variable "production_workspace" {
description = "Terraform workspace for production - takeover is only turned on in this environment"
description = "Deprecated, use production_environment. Will be removed in a future release"
default = "prd"
}

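Review bot: The two new variables `variable "environment"` and `variable "production_environment"` declare no `type`, so a non-string value passed via tfvars is only caught, if at all, when `coalesce` in locals.tf evaluates it rather than at the input boundary. Adding `type = string` to both (and to the now-deprecated `production_workspace`) pins the contract where the value enters. Since `production_environment` is the value that decides whether takeover is enabled, a short `validation` block rejecting an empty or whitespace-padded string once the deprecated fallback is removed would make a silent mismatch fail the plan instead.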