Merge pull request #2 from domain-protect/remove-env-specific-code

Remove non-prod schedule variables
domain-protect · Aug 23, 2024 · f88d8d9 · f88d8d9
2 parents 84e8888 + b72ffe3
commit f88d8d9
Show file tree

Hide file tree

Showing 10 changed files with 95 additions and 60 deletions.
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,5 @@ htmlcov
 
 #Testing
 .env
+
+*.swp
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -0,0 +1 @@
+# Example deployment
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -0,0 +1,8 @@
+module "domain_protect" {
+  source = "../../"
+
+  scan_schedule    = var.scan_schedule
+  update_schedule  = var.update_schedule
+  ip_scan_schedule = var.ip_scan_schedule
+  takeover         = var.takeover
+}
diff --git a/examples/complete/providers.tf b/examples/complete/providers.tf
@@ -0,0 +1,9 @@
+provider "aws" {
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "archive" {}
+provider "null" {}
+provider "random" {}
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -0,0 +1,29 @@
+variable "scan_schedule" {
+  description = "schedule for running domain-protect scans, e.g. 24 hours"
+  default     = "24 hours"
+  type        = string
+}
+
+variable "update_schedule" {
+  description = "schedule for running domain-protect update function, e.g. 24 hours"
+  default     = "24 hours"
+  type        = string
+}
+
+variable "ip_scan_schedule" {
+  description = "schedule for IP address scanning used in A record checks"
+  default     = "24 hours"
+  type        = string
+}
+
+variable "takeover" {
+  description = "Create supported resource types to prevent malicious subdomain takeover"
+  default     = false
+  type        = bool
+}
+
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_version = "> 1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "> 5.12.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "> 2.2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "> 3.1.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "> 3.1.0"
+    }
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -1,5 +1,4 @@
 locals {
   env                    = coalesce(var.environment, lower(terraform.workspace))
   production_environment = coalesce(var.production_environment, var.production_workspace)
-  takeover               = var.takeover == true && local.env == var.production_workspace ? true : false
 }
diff --git a/main.tf b/main.tf
@@ -28,8 +28,8 @@ module "lambda_slack" {
   kms_arn            = module.kms.kms_arn
   sns_topic_arn      = module.sns.sns_topic_arn
   dlq_sns_topic_arn  = module.sns_dead_letter_queue.sns_topic_arn
-  slack_channels     = local.env == "dev" ? var.slack_channels_dev : var.slack_channels
-  slack_webhook_urls = local.env == "dev" && length(var.slack_webhook_urls_dev) > 0 ? var.slack_webhook_urls_dev : var.slack_webhook_urls
+  slack_channels     = var.slack_channels
+  slack_webhook_urls = var.slack_webhook_urls
   slack_webhook_type = var.slack_webhook_type
   slack_emoji        = var.slack_emoji
   slack_fix_emoji    = var.slack_fix_emoji
@@ -118,7 +118,7 @@ module "lambda_scan" {
 
 module "lambda_takeover" {
   #checkov:skip=CKV_AWS_274:role is ElasticBeanstalk admin, not full Administrator Access
-  count  = local.takeover ? 1 : 0
+  count  = var.takeover ? 1 : 0
   source = "./terraform-modules/lambda-takeover"
 
   runtime           = var.runtime
@@ -133,21 +133,21 @@ module "lambda_takeover" {
 }
 
 module "takeover_role" {
-  count  = local.takeover ? 1 : 0
+  count  = var.takeover ? 1 : 0
   source = "./terraform-modules/iam"
 
   project                  = var.project
   region                   = var.region
   security_audit_role_name = var.security_audit_role_name
   kms_arn                  = module.kms.kms_arn
-  takeover                 = local.takeover
+  takeover                 = var.takeover
   policy                   = "takeover"
   permissions_boundary_arn = var.permissions_boundary_arn
   environment              = local.env
 }
 
 module "lambda_resources" {
-  count  = local.takeover ? 1 : 0
+  count  = var.takeover ? 1 : 0
   source = "./terraform-modules/lambda-resources"
 
   lambdas           = ["resources"]
@@ -162,7 +162,7 @@ module "lambda_resources" {
 }
 
 module "resources_role" {
-  count  = local.takeover ? 1 : 0
+  count  = var.takeover ? 1 : 0
   source = "./terraform-modules/iam"
 
   project                  = var.project
@@ -182,23 +182,23 @@ module "cloudwatch_event" {
   lambda_function_names       = module.lambda.lambda_function_names
   lambda_function_alias_names = module.lambda.lambda_function_alias_names
   schedule                    = var.reports_schedule
-  takeover                    = local.takeover
-  update_schedule             = local.env == local.production_environment ? var.update_schedule : var.update_schedule_nonprod
+  takeover                    = var.takeover
+  update_schedule             = var.update_schedule
   update_lambdas              = var.update_lambdas
   environment                 = local.env
 }
 
 module "resources_event" {
-  count  = local.takeover ? 1 : 0
+  count  = var.takeover ? 1 : 0
   source = "./terraform-modules/cloudwatch"
 
   project                     = var.project
   lambda_function_arns        = module.lambda_resources[0].lambda_function_arns
   lambda_function_names       = module.lambda_resources[0].lambda_function_names
   lambda_function_alias_names = module.lambda_resources[0].lambda_function_alias_names
   schedule                    = var.reports_schedule
-  takeover                    = local.takeover
-  update_schedule             = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
+  takeover                    = var.takeover
+  update_schedule             = var.scan_schedule
   update_lambdas              = var.update_lambdas
   environment                 = local.env
 }
@@ -210,9 +210,9 @@ module "accounts_event" {
   lambda_function_arns        = module.lambda_accounts.lambda_function_arns
   lambda_function_names       = module.lambda_accounts.lambda_function_names
   lambda_function_alias_names = module.lambda_accounts.lambda_function_alias_names
-  schedule                    = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
-  takeover                    = local.takeover
-  update_schedule             = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
+  schedule                    = var.scan_schedule
+  takeover                    = var.takeover
+  update_schedule             = var.scan_schedule
   update_lambdas              = var.update_lambdas
   environment                 = local.env
 }
@@ -271,9 +271,9 @@ module "cloudflare_event" {
   lambda_function_arns        = module.lambda_cloudflare[0].lambda_function_arns
   lambda_function_names       = module.lambda_cloudflare[0].lambda_function_names
   lambda_function_alias_names = module.lambda_cloudflare[0].lambda_function_alias_names
-  schedule                    = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
-  takeover                    = local.takeover
-  update_schedule             = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod
+  schedule                    = var.scan_schedule
+  takeover                    = var.takeover
+  update_schedule             = var.scan_schedule
   update_lambdas              = var.update_lambdas
   environment                 = local.env
 }
@@ -417,9 +417,9 @@ module "accounts_event_ips" {
   lambda_function_arns        = module.lambda_accounts_ips[0].lambda_function_arns
   lambda_function_names       = module.lambda_accounts_ips[0].lambda_function_names
   lambda_function_alias_names = module.lambda_accounts_ips[0].lambda_function_alias_names
-  schedule                    = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
-  takeover                    = local.takeover
-  update_schedule             = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod
+  schedule                    = var.ip_scan_schedule
+  takeover                    = var.takeover
+  update_schedule             = var.ip_scan_schedule
   update_lambdas              = var.update_lambdas
   environment                 = local.env
 }

diff --git a/terraform.tfvars.example b/terraform.tfvars.example
diff --git a/variables.tf b/variables.tf
@@ -41,25 +41,13 @@ variable "reports_schedule" {
 }
 
 variable "scan_schedule" {
-  description = "schedule for running domain-protect scans, e.g. 60 minutes, does not affect frequency of regular Slack reports"
-  default     = "60 minutes"
-  type        = string
-}
-
-variable "scan_schedule_nonprod" {
-  description = "schedule for running domain-protect scans in non-prod, reduced to save costs, e.g. 12 hours"
+  description = "schedule for running domain-protect scans, e.g. 24 hours"
   default     = "24 hours"
   type        = string
 }
 
 variable "update_schedule" {
-  description = "schedule for running domain-protect update function, e.g. 60 minutes"
-  default     = "3 hours"
-  type        = string
-}
-
-variable "update_schedule_nonprod" {
-  description = "schedule for running domain-protect update function in non-prod, e.g. 12 hours"
+  description = "schedule for running domain-protect update function, e.g. 24 hours"
   default     = "24 hours"
   type        = string
 }
@@ -70,12 +58,6 @@ variable "ip_scan_schedule" {
   type        = string
 }
 
-variable "ip_scan_schedule_nonprod" {
-  description = "schedule for IP address scans in non-prod, reduced to save costs, e.g. 24 hours"
-  default     = "24 hours"
-  type        = string
-}
-
 variable "stats_schedule" {
   description = "Cron schedule for the stats message"
   default     = "cron(0 9 1 * ? *)" # 9am on the first of the month
@@ -90,7 +72,7 @@ variable "lambdas" {
 
 variable "takeover" {
   description = "Create supported resource types to prevent malicious subdomain takeover"
-  default     = true
+  default     = false
   type        = bool
 }
 
@@ -147,24 +129,12 @@ variable "slack_channels" {
   type        = list(any)
 }
 
-variable "slack_channels_dev" {
-  description = "List of Slack Channels to use for testing purposes with dev environment - enter in tfvars file"
-  default     = []
-  type        = list(any)
-}
-
 variable "slack_webhook_urls" {
   description = "List of Slack webhook URLs, in the same order as the slack_channels list - enter in tfvars file"
   default     = []
   type        = list(any)
 }
 
-variable "slack_webhook_urls_dev" {
-  description = "List of Slack app webhook URLs for dev environments in the same order as the slack_channels list - enter in tfvars file"
-  default     = []
-  type        = list(any)
-}
-
 variable "slack_webhook_type" {
   description = "Slack webhook type, can be legacy or app"
   default     = "legacy"