From 2a299b93c000663602e5dcba882399d0ae2cbc20 Mon Sep 17 00:00:00 2001 From: Adam Pietrzycki Date: Fri, 2 Aug 2024 21:48:44 +0100 Subject: [PATCH] Add environment override (#281) * Update environment variable handling in `locals.tf` and `variables.tf` * Add instructions to override Terraform workspace name * Clarify instruction for overriding workspace name * Update environment variable description in variables.tf * Rename `production_workspace` to `production_environment` * Rename production_workspace to production_environment for clarity * Refactor `production_environment` to use local variable * Fix production_environment and production_workspace coalesce order
---
 .pre-commit-config.yaml | 1 + docs/bugcrowd.md | 2 +- docs/hackerone.md | 2 +- docs/installation.md | 11 ++++++++++ .../cloudflare_scan/cloudflare_scan.py | 2 +- lambda_code/scan/scan.py | 2 +- lambda_code/scan_ips/scan_ips.py | 2 +- locals.tf | 5 +++-- main.tf | 22 +++++++++---------- terraform-modules/lambda-cloudflare/main.tf | 2 +- .../lambda-cloudflare/variables.tf | 2 +- terraform-modules/lambda-scan-ips/main.tf | 2 +- .../lambda-scan-ips/variables.tf | 2 +- terraform-modules/lambda-scan/main.tf | 2 +- terraform-modules/lambda-scan/variables.tf | 2 +- variables.tf | 12 +++++++++- 16 files changed, 48 insertions(+), 25 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 8a8f75ea..2cd5e4b5 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -51,6 +51,7 @@ repos:
 args:
 - --zero-exit
 exclude: .\.tf | ^\.github/
+ additional_dependencies: ["setuptools"]
 - repo: https://github.com/antonbabenko/pre-commit-terraform
 rev: v1.77.0
 hooks:
diff --git a/docs/bugcrowd.md b/docs/bugcrowd.md
index 6a24d386..ed809f67 100644
--- a/docs/bugcrowd.md
+++ b/docs/bugcrowd.md
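Review bot: The added `additional_dependencies: ["setuptools"]` is unpinned, whereas the repo entry visible in this hunk is pinned with `rev: v1.77.0`, so the hook environment picks up whatever setuptools release the index serves at install time and the pre-commit run is no longer reproducible. Pin it to the version the hook was verified with, e.g. `additional_dependencies: ["setuptools==<PINNED_VERSION>"]` (placeholder to be replaced). This line is also unrelated to the environment override the commit describes and would be easier to audit as its own commit.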
@@ -21,7 +21,7 @@
 * by default this will be the `prd` Terraform workspace
 * if you have chosen a different Terraform workspace name for production, update Terraform variable:
 ```
-production_workspace = "prd"
+production_environment = "prd"
 ```
 * Bugcrowd issues are only created for vulnerability types which don't support automated takeover
diff --git a/docs/hackerone.md b/docs/hackerone.md
index 2bda8ff0..8ebbcf5c 100644
--- a/docs/hackerone.md
+++ b/docs/hackerone.md
@@ -20,7 +20,7 @@ to help organisations improve their security and stay ahead of threats
 * by default this will be the `prd` Terraform workspace
 * if you have chosen a different Terraform workspace name for production, update Terraform variable:
 ```
-production_workspace = "prd"
+production_environment = "prd"
 ```
 * HackerOne issues are only created for vulnerability types which don't support automated takeover
diff --git a/docs/installation.md b/docs/installation.md
index f4a047d6..ddf8eb32 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -95,6 +95,17 @@ terraform plan
 terraform apply
 ```
+### Overriding workspace/environment name
+
+If you're using external tooling or systems where `terraform.workspace` works differently, you can override the value by setting the `environment` variable.
+
+```hcl
+# terraform.tfvars
+environment="prod" # used instead of terraform.workspace
+```
+
+Make sure to also update `production_environment` to match the `environment` variable when deploying to production.
+
 ## Adding notifications to extra Slack channels
 * add an extra channel to your slack_channels variable list
diff --git a/lambda_code/cloudflare_scan/cloudflare_scan.py b/lambda_code/cloudflare_scan/cloudflare_scan.py
index 2990139e..ac319c70 100644
--- a/lambda_code/cloudflare_scan/cloudflare_scan.py
+++ b/lambda_code/cloudflare_scan/cloudflare_scan.py
@@ -19,7 +19,7 @@
 bugcrowd = os.environ["BUGCROWD"]
 hackerone = os.environ["HACKERONE"]
 env_name = os.environ["ENVIRONMENT"]
-production_env = os.environ["PRODUCTION_WORKSPACE"]
+production_env = os.environ["PRODUCTION_ENVIRONMENT"]
 def process_vulnerability(domain, account_name, resource_type, vulnerability_type, takeover=""):
diff --git a/lambda_code/scan/scan.py b/lambda_code/scan/scan.py
index 33e7a76b..661eec41 100644
--- a/lambda_code/scan/scan.py
+++ b/lambda_code/scan/scan.py
@@ -24,7 +24,7 @@
 bugcrowd = os.environ["BUGCROWD"]
 hackerone = os.environ["HACKERONE"]
 env_name = os.environ["ENVIRONMENT"]
-production_env = os.environ["PRODUCTION_WORKSPACE"]
+production_env = os.environ["PRODUCTION_ENVIRONMENT"]
 def process_vulnerability(domain, account_name, resource_type, vulnerability_type, takeover=""):
diff --git a/lambda_code/scan_ips/scan_ips.py b/lambda_code/scan_ips/scan_ips.py
index 05ab5d7a..e3048f49 100644
--- a/lambda_code/scan_ips/scan_ips.py
+++ b/lambda_code/scan_ips/scan_ips.py
@@ -25,7 +25,7 @@
 bugcrowd = os.environ["BUGCROWD"]
 hackerone = os.environ["HACKERONE"]
 env_name = os.environ["ENVIRONMENT"]
-production_env = os.environ["PRODUCTION_WORKSPACE"]
+production_env = os.environ["PRODUCTION_ENVIRONMENT"]
 ip_time_limit = os.environ["IP_TIME_LIMIT"]
diff --git a/locals.tf b/locals.tf
index 9595b416..ed1ba17a 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,5 @@
 locals {
- env = lower(terraform.workspace)
- takeover = var.takeover == true && local.env == var.production_workspace ? true : false
+ env = coalesce(var.environment, lower(terraform.workspace))
+ production_environment = coalesce(var.production_environment, var.production_workspace)
+ takeover = var.takeover == true && local.env == var.production_workspace ? true : false
 }
diff --git a/main.tf b/main.tf
index c2471be2..c9a5df79 100644
--- a/main.tf
+++ b/main.tf
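Review bot: The `takeover` line in locals.tf still compares `local.env` against `var.production_workspace`, even though `local.production_environment` is introduced two lines above it and every schedule selection in main.tf now uses that local; a deployer who follows the new docs and sets `environment` and `production_environment` while leaving the deprecated `production_workspace` at its default gets the takeover gate evaluated against a stale value, so takeover is silently off in production, or on in an environment that only happens to be named like the old default. Change it to `takeover = var.takeover == true && local.env == local.production_environment` so the gate and the schedules agree on one definition of "production". Note also that `var.environment` is used as typed while `terraform.workspace` is lowercased, so the override path is case-sensitive where the workspace path is not.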
@@ -99,7 +99,6 @@ module "lambda-scan" {
 kms_arn = module.kms.kms_arn
 sns_topic_arn = module.sns.sns_topic_arn
 dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
- production_workspace = var.production_workspace
 bugcrowd = var.bugcrowd
 bugcrowd_api_key = var.bugcrowd_api_key
 bugcrowd_email = var.bugcrowd_email
@@ -107,6 +106,7 @@ module "lambda-scan" {
 hackerone = var.hackerone
 hackerone_api_token = var.hackerone_api_token
 environment = local.env
+ production_environment = local.production_environment
 }
 module "lambda-takeover" {
@@ -171,7 +171,7 @@ module "cloudwatch-event" {
 lambda_function_alias_names = module.lambda.lambda_function_alias_names
 schedule = var.reports_schedule
 takeover = local.takeover
- update_schedule = local.env == var.production_workspace ? var.update_schedule : var.update_schedule_nonprod
+ update_schedule = local.env == local.production_environment ? var.update_schedule : var.update_schedule_nonprod
 update_lambdas = var.update_lambdas
 environment = local.env
 }
@@ -185,7 +185,7 @@ module "resources-event" {
 lambda_function_alias_names = module.lambda-resources[0].lambda_function_alias_names
 schedule = var.reports_schedule
 takeover = local.takeover
- update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
+ update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
 update_lambdas = var.update_lambdas
 environment = local.env
 }
@@ -196,9 +196,9 @@ module "accounts-event" {
 lambda_function_arns = module.lambda-accounts.lambda_function_arns
 lambda_function_names = module.lambda-accounts.lambda_function_names
 lambda_function_alias_names = module.lambda-accounts.lambda_function_alias_names
- schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
+ schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
 takeover = local.takeover
- update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
+ update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
 update_lambdas = var.update_lambdas
 environment = local.env
 }
@@ -236,7 +236,7 @@ module "lambda-cloudflare" {
 org_primary_account = var.org_primary_account
 sns_topic_arn = module.sns.sns_topic_arn
 dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
- production_workspace = var.production_workspace
+ production_environment = local.production_environment
 bugcrowd = var.bugcrowd
 bugcrowd_api_key = var.bugcrowd_api_key
 bugcrowd_email = var.bugcrowd_email
@@ -253,9 +253,9 @@ module "cloudflare-event" {
 lambda_function_arns = module.lambda-cloudflare[0].lambda_function_arns
 lambda_function_names = module.lambda-cloudflare[0].lambda_function_names
 lambda_function_alias_names = module.lambda-cloudflare[0].lambda_function_alias_names
- schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
+ schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
 takeover = local.takeover
- update_schedule = local.env == var.production_workspace ? var.scan_schedule : var.scan_schedule_nonprod
+ update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
 update_lambdas = var.update_lambdas
 environment = local.env
 }
@@ -337,7 +337,7 @@ module "lambda-scan-ips" {
 kms_arn = module.kms.kms_arn
 sns_topic_arn = module.sns.sns_topic_arn
 dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn
- production_workspace = var.production_workspace
+ production_environment = local.production_environment
 allowed_regions = var.allowed_regions
 ip_time_limit = var.ip_time_limit
 bugcrowd = var.bugcrowd
@@ -389,9 +389,9 @@ module "accounts-event-ips" {
 lambda_function_arns = module.lambda-accounts-ips[0].lambda_function_arns
 lambda_function_names = module.lambda-accounts-ips[0].lambda_function_names
 lambda_function_alias_names = module.lambda-accounts-ips[0].lambda_function_alias_names
- schedule = local.env == var.production_workspace ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
+ schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
 takeover = local.takeover
- update_schedule = local.env == var.production_workspace ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
+ update_schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
 update_lambdas = var.update_lambdas
 environment = local.env
 }
diff --git a/terraform-modules/lambda-cloudflare/main.tf b/terraform-modules/lambda-cloudflare/main.tf
index 154a326a..e88e8e2b 100644
--- a/terraform-modules/lambda-cloudflare/main.tf
+++ b/terraform-modules/lambda-cloudflare/main.tf
@@ -54,7 +54,7 @@ resource "aws_lambda_function" "lambda" {
 PROJECT = var.project
 SNS_TOPIC_ARN = var.sns_topic_arn
 ENVIRONMENT = var.environment
- PRODUCTION_WORKSPACE = var.production_workspace
+ PRODUCTION_ENVIRONMENT = var.production_environment
 BUGCROWD = var.bugcrowd
 BUGCROWD_API_KEY = var.bugcrowd_api_key
 BUGCROWD_EMAIL = var.bugcrowd_email
diff --git a/terraform-modules/lambda-cloudflare/variables.tf b/terraform-modules/lambda-cloudflare/variables.tf
index 4429bea7..78eb1a71 100644
--- a/terraform-modules/lambda-cloudflare/variables.tf
+++ b/terraform-modules/lambda-cloudflare/variables.tf
@@ -11,7 +11,7 @@ variable "external_id" {}
 variable "org_primary_account" {}
 variable "sns_topic_arn" {}
 variable "dlq_sns_topic_arn" {}
-variable "production_workspace" {}
+variable "production_environment" {}
 variable "bugcrowd" {}
 variable "bugcrowd_api_key" {}
 variable "bugcrowd_email" {}
diff --git a/terraform-modules/lambda-scan-ips/main.tf b/terraform-modules/lambda-scan-ips/main.tf
index b17ca8ff..2909cb3a 100644
--- a/terraform-modules/lambda-scan-ips/main.tf
+++ b/terraform-modules/lambda-scan-ips/main.tf
@@ -52,7 +52,7 @@ resource "aws_lambda_function" "lambda" {
 PROJECT = var.project
 SNS_TOPIC_ARN = var.sns_topic_arn
 ENVIRONMENT = var.environment
- PRODUCTION_WORKSPACE = var.production_workspace
+ PRODUCTION_ENVIRONMENT = var.production_environment
 ALLOWED_REGIONS = var.allowed_regions
 IP_TIME_LIMIT = var.ip_time_limit
 BUGCROWD = var.bugcrowd
diff --git a/terraform-modules/lambda-scan-ips/variables.tf b/terraform-modules/lambda-scan-ips/variables.tf
index a4ea673c..b0cafd55 100644
--- a/terraform-modules/lambda-scan-ips/variables.tf
+++ b/terraform-modules/lambda-scan-ips/variables.tf
@@ -10,7 +10,7 @@ variable "platform" {}
 variable "memory_size" {}
 variable "sns_topic_arn" {}
 variable "dlq_sns_topic_arn" {}
-variable "production_workspace" {}
+variable "production_environment" {}
 variable "allowed_regions" {}
 variable "ip_time_limit" {}
 variable "bugcrowd" {}
diff --git a/terraform-modules/lambda-scan/main.tf b/terraform-modules/lambda-scan/main.tf
index 1695f096..4c72f035 100644
--- a/terraform-modules/lambda-scan/main.tf
+++ b/terraform-modules/lambda-scan/main.tf
@@ -52,7 +52,7 @@ resource "aws_lambda_function" "lambda" {
 PROJECT = var.project
 SNS_TOPIC_ARN = var.sns_topic_arn
 ENVIRONMENT = var.environment
- PRODUCTION_WORKSPACE = var.production_workspace
+ PRODUCTION_ENVIRONMENT = var.production_environment
 BUGCROWD = var.bugcrowd
 BUGCROWD_API_KEY = var.bugcrowd_api_key
 BUGCROWD_EMAIL = var.bugcrowd_email
diff --git a/terraform-modules/lambda-scan/variables.tf b/terraform-modules/lambda-scan/variables.tf
index 8c6c442b..f01ac674 100644
--- a/terraform-modules/lambda-scan/variables.tf
+++ b/terraform-modules/lambda-scan/variables.tf
@@ -10,7 +10,7 @@ variable "platform" {}
 variable "memory_size" {}
 variable "sns_topic_arn" {}
 variable "dlq_sns_topic_arn" {}
-variable "production_workspace" {}
+variable "production_environment" {}
 variable "bugcrowd" {}
 variable "bugcrowd_api_key" {}
 variable "bugcrowd_email" {}
diff --git a/variables.tf b/variables.tf
index 751fc9dc..d37ad774 100644
--- a/variables.tf
+++ b/variables.tf
@@ -85,8 +85,18 @@ variable "update_lambdas" {
 type = list(any)
 }
+variable "environment" {
+ description = "Environment deploying to, defaults to terraform.workspace - optionally enter in tfvars file"
+ default = ""
+}
+
+variable "production_environment" {
+ description = "Name of production environment - takeover is only turned on in this environment"
+ default = ""
+}
+
 variable "production_workspace" {
- description = "Terraform workspace for production - takeover is only turned on in this environment"
+ description = "Deprecated, use production_environment. Will be removed in a future release"
 default = "prd"
 }
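Review bot: Neither new variable in variables.tf declares a `type`, unlike `update_lambdas` just above them, and the `environment` description does not say that the value is compared against `production_environment` to decide whether takeover and the production schedules are enabled, which is the consequence a deployer most needs to know before overriding it. Add `type = string` to both `environment` and `production_environment`, and extend the first description, e.g. `description = "Environment deploying to, defaults to lower(terraform.workspace); must equal production_environment for takeover and production schedules to apply - optionally enter in tfvars file"`. The deprecation text on `production_workspace` could also state that it is only read when `production_environment` is left empty, which is how locals.tf coalesces the two.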