From d3b71ab9cc8c247ac14b829f007023f28fcb72c8 Mon Sep 17 00:00:00 2001 From: nitrocode <7775707+nitrocode@users.noreply.github.com> Date: Thu, 22 Aug 2024 21:34:40 -0500 Subject: [PATCH 1/2] chore: tflint fixes Signed-off-by: nitrocode <7775707+nitrocode@users.noreply.github.com> --- main.tf | 132 ++++++++++++++--------------- terraform-modules/iam/variables.tf | 2 +- variables.tf | 51 +++++++++-- provider.tf => versions.tf | 10 ++- 4 files changed, 117 insertions(+), 78 deletions(-) rename provider.tf => versions.tf (65%) diff --git a/main.tf b/main.tf index c9a5df79..5f300348 100644 --- a/main.tf +++ b/main.tf @@ -5,7 +5,7 @@ module "kms" { environment = local.env } -module "lambda-role" { +module "lambda_role" { source = "./terraform-modules/iam" project = var.project region = var.region @@ -15,16 +15,16 @@ module "lambda-role" { environment = local.env } -module "lambda-slack" { +module "lambda_slack" { source = "./terraform-modules/lambda-slack" runtime = var.runtime platform = var.platform memory_size = var.memory_size_slack project = var.project - lambda_role_arn = module.lambda-role.lambda_role_arn + lambda_role_arn = module.lambda_role.lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn slack_channels = local.env == "dev" ? var.slack_channels_dev : var.slack_channels slack_webhook_urls = local.env == "dev" && length(var.slack_webhook_urls_dev) > 0 ? var.slack_webhook_urls_dev : var.slack_webhook_urls slack_webhook_type = var.slack_webhook_type @@ -45,17 +45,17 @@ module "lambda" { security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account - lambda_role_arn = module.lambda-role.lambda_role_arn + lambda_role_arn = module.lambda_role.lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn - state_machine_arn = module.step-function.state_machine_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn + state_machine_arn = module.step_function.state_machine_arn allowed_regions = var.allowed_regions ip_time_limit = var.ip_time_limit environment = local.env } -module "lambda-accounts" { +module "lambda_accounts" { source = "./terraform-modules/lambda-accounts" lambdas = ["accounts"] runtime = var.runtime @@ -65,27 +65,27 @@ module "lambda-accounts" { security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account - lambda_role_arn = module.accounts-role.lambda_role_arn + lambda_role_arn = module.accounts_role.lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn - state_machine_arn = module.step-function.state_machine_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn + state_machine_arn = module.step_function.state_machine_arn environment = local.env } -module "accounts-role" { +module "accounts_role" { source = "./terraform-modules/iam" project = var.project region = var.region security_audit_role_name = var.security_audit_role_name kms_arn = module.kms.kms_arn - state_machine_arn = module.step-function.state_machine_arn + state_machine_arn = module.step_function.state_machine_arn policy = "accounts" permissions_boundary_arn = var.permissions_boundary_arn environment = local.env } -module "lambda-scan" { +module "lambda_scan" { source = "./terraform-modules/lambda-scan" lambdas = ["scan"] runtime = var.runtime @@ -95,10 +95,10 @@ module "lambda-scan" { security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account - lambda_role_arn = module.lambda-role.lambda_role_arn + lambda_role_arn = module.lambda_role.lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn bugcrowd = var.bugcrowd bugcrowd_api_key = var.bugcrowd_api_key bugcrowd_email = var.bugcrowd_email @@ -109,7 +109,7 @@ module "lambda-scan" { production_environment = local.production_environment } -module "lambda-takeover" { +module "lambda_takeover" { #checkov:skip=CKV_AWS_274:role is ElasticBeanstalk admin, not full Administrator Access count = local.takeover ? 1 : 0 source = "./terraform-modules/lambda-takeover" @@ -117,14 +117,14 @@ module "lambda-takeover" { platform = var.platform memory_size = var.memory_size_slack project = var.project - lambda_role_arn = module.takeover-role.*.lambda_role_arn[0] + lambda_role_arn = module.takeover_role[*].lambda_role_arn[0] kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn environment = local.env } -module "takeover-role" { +module "takeover_role" { count = local.takeover ? 1 : 0 source = "./terraform-modules/iam" project = var.project @@ -137,21 +137,21 @@ module "takeover-role" { environment = local.env } -module "lambda-resources" { +module "lambda_resources" { count = local.takeover ? 1 : 0 source = "./terraform-modules/lambda-resources" lambdas = ["resources"] runtime = var.runtime memory_size = var.memory_size_slack project = var.project - lambda_role_arn = module.resources-role.*.lambda_role_arn[0] + lambda_role_arn = module.resources_role[*].lambda_role_arn[0] kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn environment = local.env } -module "resources-role" { +module "resources_role" { count = local.takeover ? 1 : 0 source = "./terraform-modules/iam" project = var.project @@ -163,7 +163,7 @@ module "resources-role" { environment = local.env } -module "cloudwatch-event" { +module "cloudwatch_event" { source = "./terraform-modules/cloudwatch" project = var.project lambda_function_arns = module.lambda.lambda_function_arns @@ -176,13 +176,13 @@ module "cloudwatch-event" { environment = local.env } -module "resources-event" { +module "resources_event" { count = local.takeover ? 1 : 0 source = "./terraform-modules/cloudwatch" project = var.project - lambda_function_arns = module.lambda-resources[0].lambda_function_arns - lambda_function_names = module.lambda-resources[0].lambda_function_names - lambda_function_alias_names = module.lambda-resources[0].lambda_function_alias_names + lambda_function_arns = module.lambda_resources[0].lambda_function_arns + lambda_function_names = module.lambda_resources[0].lambda_function_names + lambda_function_alias_names = module.lambda_resources[0].lambda_function_alias_names schedule = var.reports_schedule takeover = local.takeover update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod @@ -190,12 +190,12 @@ module "resources-event" { environment = local.env } -module "accounts-event" { +module "accounts_event" { source = "./terraform-modules/cloudwatch" project = var.project - lambda_function_arns = module.lambda-accounts.lambda_function_arns - lambda_function_names = module.lambda-accounts.lambda_function_names - lambda_function_alias_names = module.lambda-accounts.lambda_function_alias_names + lambda_function_arns = module.lambda_accounts.lambda_function_arns + lambda_function_names = module.lambda_accounts.lambda_function_names + lambda_function_alias_names = module.lambda_accounts.lambda_function_alias_names schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod takeover = local.takeover update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod @@ -211,7 +211,7 @@ module "sns" { environment = local.env } -module "sns-dead-letter-queue" { +module "sns_dead_letter_queue" { source = "./terraform-modules/sns" project = var.project region = var.region @@ -220,7 +220,7 @@ module "sns-dead-letter-queue" { environment = local.env } -module "lambda-cloudflare" { +module "lambda_cloudflare" { count = var.cloudflare ? 1 : 0 source = "./terraform-modules/lambda-cloudflare" lambdas = var.cloudflare_lambdas @@ -229,13 +229,13 @@ module "lambda-cloudflare" { memory_size = var.memory_size project = var.project cf_api_key = var.cf_api_key - lambda_role_arn = module.lambda-role.lambda_role_arn + lambda_role_arn = module.lambda_role.lambda_role_arn kms_arn = module.kms.kms_arn security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn production_environment = local.production_environment bugcrowd = var.bugcrowd bugcrowd_api_key = var.bugcrowd_api_key @@ -246,13 +246,13 @@ module "lambda-cloudflare" { environment = local.env } -module "cloudflare-event" { +module "cloudflare_event" { count = var.cloudflare ? 1 : 0 source = "./terraform-modules/cloudwatch" project = var.project - lambda_function_arns = module.lambda-cloudflare[0].lambda_function_arns - lambda_function_names = module.lambda-cloudflare[0].lambda_function_names - lambda_function_alias_names = module.lambda-cloudflare[0].lambda_function_alias_names + lambda_function_arns = module.lambda_cloudflare[0].lambda_function_arns + lambda_function_names = module.lambda_cloudflare[0].lambda_function_names + lambda_function_alias_names = module.lambda_cloudflare[0].lambda_function_alias_names schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod takeover = local.takeover update_schedule = local.env == local.production_environment ? var.scan_schedule : var.scan_schedule_nonprod @@ -269,7 +269,7 @@ module "dynamodb" { environment = local.env } -module "step-function-role" { +module "step_function_role" { source = "./terraform-modules/iam" project = var.project region = var.region @@ -281,16 +281,16 @@ module "step-function-role" { environment = local.env } -module "step-function" { +module "step_function" { source = "./terraform-modules/step-function" project = var.project - lambda_arn = module.lambda-scan.lambda_function_arns["scan"] - role_arn = module.step-function-role.lambda_role_arn + lambda_arn = module.lambda_scan.lambda_function_arns["scan"] + role_arn = module.step_function_role.lambda_role_arn kms_arn = module.kms.kms_arn environment = local.env } -module "dynamodb-ips" { +module "dynamodb_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/dynamodb-ips" project = var.project @@ -298,18 +298,18 @@ module "dynamodb-ips" { environment = local.env } -module "step-function-ips" { +module "step_function_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/step-function" project = var.project purpose = "ips" - lambda_arn = module.lambda-scan-ips[0].lambda_function_arns["scan-ips"] - role_arn = module.step-function-role.lambda_role_arn + lambda_arn = module.lambda_scan_ips[0].lambda_function_arns["scan-ips"] + role_arn = module.step_function_role.lambda_role_arn kms_arn = module.kms.kms_arn environment = local.env } -module "lambda-role-ips" { +module "lambda_role_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/iam" project = var.project @@ -322,7 +322,7 @@ module "lambda-role-ips" { environment = local.env } -module "lambda-scan-ips" { +module "lambda_scan_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/lambda-scan-ips" lambdas = ["scan-ips"] @@ -333,10 +333,10 @@ module "lambda-scan-ips" { security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account - lambda_role_arn = module.lambda-role-ips[0].lambda_role_arn + lambda_role_arn = module.lambda_role_ips[0].lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn production_environment = local.production_environment allowed_regions = var.allowed_regions ip_time_limit = var.ip_time_limit @@ -349,21 +349,21 @@ module "lambda-scan-ips" { environment = local.env } -module "accounts-role-ips" { +module "accounts_role_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/iam" project = var.project region = var.region security_audit_role_name = var.security_audit_role_name kms_arn = module.kms.kms_arn - state_machine_arn = module.step-function-ips[0].state_machine_arn + state_machine_arn = module.step_function_ips[0].state_machine_arn policy = "accounts" role_name = "accounts-ips" permissions_boundary_arn = var.permissions_boundary_arn environment = local.env } -module "lambda-accounts-ips" { +module "lambda_accounts_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/lambda-accounts" lambdas = ["accounts-ips"] @@ -374,21 +374,21 @@ module "lambda-accounts-ips" { security_audit_role_name = var.security_audit_role_name external_id = var.external_id org_primary_account = var.org_primary_account - lambda_role_arn = module.accounts-role-ips[0].lambda_role_arn + lambda_role_arn = module.accounts_role_ips[0].lambda_role_arn kms_arn = module.kms.kms_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn - state_machine_arn = module.step-function-ips[0].state_machine_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn + state_machine_arn = module.step_function_ips[0].state_machine_arn environment = local.env } -module "accounts-event-ips" { +module "accounts_event_ips" { count = var.ip_address ? 1 : 0 source = "./terraform-modules/cloudwatch" project = var.project - lambda_function_arns = module.lambda-accounts-ips[0].lambda_function_arns - lambda_function_names = module.lambda-accounts-ips[0].lambda_function_names - lambda_function_alias_names = module.lambda-accounts-ips[0].lambda_function_alias_names + lambda_function_arns = module.lambda_accounts_ips[0].lambda_function_arns + lambda_function_names = module.lambda_accounts_ips[0].lambda_function_names + lambda_function_alias_names = module.lambda_accounts_ips[0].lambda_function_alias_names schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod takeover = local.takeover update_schedule = local.env == local.production_environment ? var.ip_scan_schedule : var.ip_scan_schedule_nonprod @@ -396,16 +396,16 @@ module "accounts-event-ips" { environment = local.env } -module "lamdba-stats" { +module "lamdba_stats" { source = "./terraform-modules/lambda-stats" runtime = var.runtime platform = var.platform memory_size = var.memory_size project = var.project kms_arn = module.kms.kms_arn - lambda_role_arn = module.lambda-role.lambda_role_arn + lambda_role_arn = module.lambda_role.lambda_role_arn sns_topic_arn = module.sns.sns_topic_arn - dlq_sns_topic_arn = module.sns-dead-letter-queue.sns_topic_arn + dlq_sns_topic_arn = module.sns_dead_letter_queue.sns_topic_arn schedule_expression = var.stats_schedule org_primary_account = var.org_primary_account security_audit_role_name = var.security_audit_role_name diff --git a/terraform-modules/iam/variables.tf b/terraform-modules/iam/variables.tf index 4b1751c8..d6ebbe2e 100644 --- a/terraform-modules/iam/variables.tf +++ b/terraform-modules/iam/variables.tf @@ -30,7 +30,7 @@ variable "role_name" { variable "permissions_boundary_arn" { description = "permissions boundary ARN" - default = "" + default = null } variable "environment" { diff --git a/variables.tf b/variables.tf index d37ad774..09aa079a 100644 --- a/variables.tf +++ b/variables.tf @@ -1,71 +1,85 @@ variable "project" { description = "abbreviation for the project, forms first part of resource names" default = "domain-protect" + type = string } variable "region" { description = "AWS region to deploy Lambda functions" default = "eu-west-1" + type = string } variable "org_primary_account" { description = "The AWS account number of the organization primary account" default = "" + type = string } variable "security_audit_role_name" { description = "security audit role name which needs to be the same in all AWS accounts" default = "domain-protect-audit" + type = string } variable "external_id" { description = "external ID for security audit role to be defined in tvars file. Leave empty if not configured" default = "" + type = string } variable "ip_time_limit" { description = "maximum time in hours since IP last detected, before considering IP as no longer belonging to organisation" default = "48" + type = string } variable "reports_schedule" { description = "schedule for running reports, e.g. 24 hours. Irrespective of setting, you will be immediately notified of new vulnerabilities" default = "24 hours" + type = string } variable "scan_schedule" { description = "schedule for running domain-protect scans, e.g. 60 minutes, does not affect frequency of regular Slack reports" default = "60 minutes" + type = string } variable "scan_schedule_nonprod" { description = "schedule for running domain-protect scans in non-prod, reduced to save costs, e.g. 12 hours" default = "24 hours" + type = string } variable "update_schedule" { description = "schedule for running domain-protect update function, e.g. 60 minutes" default = "3 hours" + type = string } variable "update_schedule_nonprod" { description = "schedule for running domain-protect update function in non-prod, e.g. 12 hours" default = "24 hours" + type = string } variable "ip_scan_schedule" { description = "schedule for IP address scanning used in A record checks" default = "24 hours" + type = string } variable "ip_scan_schedule_nonprod" { description = "schedule for IP address scans in non-prod, reduced to save costs, e.g. 24 hours" default = "24 hours" + type = string } variable "stats_schedule" { description = "Cron schedule for the stats message" default = "cron(0 9 1 * ? *)" # 9am on the first of the month + type = string } variable "lambdas" { @@ -77,6 +91,7 @@ variable "lambdas" { variable "takeover" { description = "Create supported resource types to prevent malicious subdomain takeover" default = true + type = bool } variable "update_lambdas" { @@ -88,36 +103,43 @@ variable "update_lambdas" { variable "environment" { description = "Environment deploying to, defaults to terraform.workspace - optionally enter in tfvars file" default = "" + type = string } variable "production_environment" { description = "Name of production environment - takeover is only turned on in this environment" default = "" + type = string } variable "production_workspace" { description = "Deprecated, use production_environment. Will be removed in a future release" default = "prd" + type = string } variable "runtime" { description = "Lambda language runtime" default = "python3.11" + type = string } variable "platform" { description = "Python platform used for install of Regex and other libraries" default = "manylinux2014_x86_64" + type = string } variable "memory_size" { description = "Memory allocation for scanning Lambda functions" default = 128 + type = number } variable "memory_size_slack" { description = "Memory allocation for Slack Lambda functions" default = 128 + type = number } variable "slack_channels" { description = "List of Slack Channels - enter in tfvars file" @@ -146,66 +168,82 @@ variable "slack_webhook_urls_dev" { variable "slack_webhook_type" { description = "Slack webhook type, can be legacy or app" default = "legacy" + type = string } variable "slack_emoji" { description = "Slack emoji" default = ":warning:" + type = string } variable "slack_fix_emoji" { description = "Slack fix emoji" default = ":white_check_mark:" + type = string } variable "slack_new_emoji" { description = "Slack emoji for new vulnerability" default = ":octagonal_sign:" + type = string } variable "slack_username" { description = "Slack username appearing in the from field in the Slack message" default = "Domain Protect" + type = string } variable "bugcrowd" { description = "Set to enabled for Bugcrowd integration" default = "disabled" + type = string } variable "bugcrowd_api_key" { description = "Bugcrowd API token" default = "" + type = string + sensitive = true } variable "bugcrowd_email" { description = "Email address of Bugcrowd researcher service account" default = "" + type = string } variable "bugcrowd_state" { description = "State in which issue is created, e.g. new, triaged, unresolved, resolved" default = "unresolved" + type = string } variable "hackerone" { description = "Set to enabled for HackerOne integration" default = "disabled" + type = string } variable "hackerone_api_token" { description = "HackerOne API token" default = "" + type = string + sensitive = true } variable "cloudflare" { description = "Set to true to enable CloudFlare" default = false + type = bool } variable "cf_api_key" { description = "Cloudflare API token" default = "" + type = string + sensitive = true } variable "cloudflare_lambdas" { @@ -217,30 +255,29 @@ variable "cloudflare_lambdas" { variable "rcu" { description = "DynamoDB Read Capacity Units for vulnerability database" default = 3 + type = number } variable "wcu" { description = "DynamoDB Write Capacity Units for vulnerability database" default = 2 + type = number } variable "ip_address" { description = "Set to true to enable A record checks using IP address scans" default = false + type = bool } variable "allowed_regions" { description = "If SCPs block certain regions across all accounts, optionally replace with string formatted list of allowed regions" default = "['all']" # example "['eu-west-1', 'us-east-1']" + type = string } variable "permissions_boundary_arn" { description = "permissions boundary ARN to attach to every IAM role" - default = "" -} - -variable "default_tags" { - description = "Default tags for supported resources" - type = map(string) - default = {} + default = null + type = string } diff --git a/provider.tf b/versions.tf similarity index 65% rename from provider.tf rename to versions.tf index bf2e2272..a6a9d305 100644 --- a/provider.tf +++ b/versions.tf @@ -1,20 +1,22 @@ terraform { + required_version = "> 1" + required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.12.0" + version = "> 5.12.0" } archive = { source = "hashicorp/archive" - version = "~> 2.2.0" + version = "> 2.2.0" } null = { source = "hashicorp/null" - version = "~> 3.1.0" + version = "> 3.1.0" } random = { source = "hashicorp/random" - version = "~> 3.1.0" + version = "> 3.1.0" } } } From e869e8c1a38ec4c314a352846f2f903a6e6ff7e3 Mon Sep 17 00:00:00 2001 From: nitrocode <7775707+nitrocode@users.noreply.github.com> Date: Fri, 23 Aug 2024 09:17:47 -0500 Subject: [PATCH 2/2] chore: add breaks betw source/count and args Signed-off-by: nitrocode <7775707+nitrocode@users.noreply.github.com> --- main.tf | 121 +++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 75 insertions(+), 46 deletions(-) diff --git a/main.tf b/main.tf index 5f300348..68693a57 100644 --- a/main.tf +++ b/main.tf @@ -1,12 +1,14 @@ module "kms" { - source = "./terraform-modules/kms" + source = "./terraform-modules/kms" + project = var.project region = var.region environment = local.env } module "lambda_role" { - source = "./terraform-modules/iam" + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -16,7 +18,8 @@ module "lambda_role" { } module "lambda_slack" { - source = "./terraform-modules/lambda-slack" + source = "./terraform-modules/lambda-slack" + runtime = var.runtime platform = var.platform memory_size = var.memory_size_slack @@ -36,7 +39,8 @@ module "lambda_slack" { } module "lambda" { - source = "./terraform-modules/lambda" + source = "./terraform-modules/lambda" + lambdas = var.lambdas runtime = var.runtime platform = var.platform @@ -56,7 +60,8 @@ module "lambda" { } module "lambda_accounts" { - source = "./terraform-modules/lambda-accounts" + source = "./terraform-modules/lambda-accounts" + lambdas = ["accounts"] runtime = var.runtime platform = var.platform @@ -74,7 +79,8 @@ module "lambda_accounts" { } module "accounts_role" { - source = "./terraform-modules/iam" + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -86,7 +92,8 @@ module "accounts_role" { } module "lambda_scan" { - source = "./terraform-modules/lambda-scan" + source = "./terraform-modules/lambda-scan" + lambdas = ["scan"] runtime = var.runtime platform = var.platform @@ -111,8 +118,9 @@ module "lambda_scan" { module "lambda_takeover" { #checkov:skip=CKV_AWS_274:role is ElasticBeanstalk admin, not full Administrator Access - count = local.takeover ? 1 : 0 - source = "./terraform-modules/lambda-takeover" + count = local.takeover ? 1 : 0 + source = "./terraform-modules/lambda-takeover" + runtime = var.runtime platform = var.platform memory_size = var.memory_size_slack @@ -125,8 +133,9 @@ module "lambda_takeover" { } module "takeover_role" { - count = local.takeover ? 1 : 0 - source = "./terraform-modules/iam" + count = local.takeover ? 1 : 0 + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -138,8 +147,9 @@ module "takeover_role" { } module "lambda_resources" { - count = local.takeover ? 1 : 0 - source = "./terraform-modules/lambda-resources" + count = local.takeover ? 1 : 0 + source = "./terraform-modules/lambda-resources" + lambdas = ["resources"] runtime = var.runtime memory_size = var.memory_size_slack @@ -152,8 +162,9 @@ module "lambda_resources" { } module "resources_role" { - count = local.takeover ? 1 : 0 - source = "./terraform-modules/iam" + count = local.takeover ? 1 : 0 + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -164,7 +175,8 @@ module "resources_role" { } module "cloudwatch_event" { - source = "./terraform-modules/cloudwatch" + source = "./terraform-modules/cloudwatch" + project = var.project lambda_function_arns = module.lambda.lambda_function_arns lambda_function_names = module.lambda.lambda_function_names @@ -177,8 +189,9 @@ module "cloudwatch_event" { } module "resources_event" { - count = local.takeover ? 1 : 0 - source = "./terraform-modules/cloudwatch" + count = local.takeover ? 1 : 0 + source = "./terraform-modules/cloudwatch" + project = var.project lambda_function_arns = module.lambda_resources[0].lambda_function_arns lambda_function_names = module.lambda_resources[0].lambda_function_names @@ -191,7 +204,8 @@ module "resources_event" { } module "accounts_event" { - source = "./terraform-modules/cloudwatch" + source = "./terraform-modules/cloudwatch" + project = var.project lambda_function_arns = module.lambda_accounts.lambda_function_arns lambda_function_names = module.lambda_accounts.lambda_function_names @@ -204,7 +218,8 @@ module "accounts_event" { } module "sns" { - source = "./terraform-modules/sns" + source = "./terraform-modules/sns" + project = var.project region = var.region kms_arn = module.kms.kms_arn @@ -212,7 +227,8 @@ module "sns" { } module "sns_dead_letter_queue" { - source = "./terraform-modules/sns" + source = "./terraform-modules/sns" + project = var.project region = var.region dead_letter_queue = true @@ -221,8 +237,9 @@ module "sns_dead_letter_queue" { } module "lambda_cloudflare" { - count = var.cloudflare ? 1 : 0 - source = "./terraform-modules/lambda-cloudflare" + count = var.cloudflare ? 1 : 0 + source = "./terraform-modules/lambda-cloudflare" + lambdas = var.cloudflare_lambdas runtime = var.runtime platform = var.platform @@ -247,8 +264,9 @@ module "lambda_cloudflare" { } module "cloudflare_event" { - count = var.cloudflare ? 1 : 0 - source = "./terraform-modules/cloudwatch" + count = var.cloudflare ? 1 : 0 + source = "./terraform-modules/cloudwatch" + project = var.project lambda_function_arns = module.lambda_cloudflare[0].lambda_function_arns lambda_function_names = module.lambda_cloudflare[0].lambda_function_names @@ -261,8 +279,9 @@ module "cloudflare_event" { } module "dynamodb" { - source = "./terraform-modules/dynamodb" - project = var.project + source = "./terraform-modules/dynamodb" + project = var.project + kms_arn = module.kms.kms_arn rcu = var.rcu wcu = var.wcu @@ -270,8 +289,9 @@ module "dynamodb" { } module "step_function_role" { - source = "./terraform-modules/iam" - project = var.project + source = "./terraform-modules/iam" + project = var.project + region = var.region security_audit_role_name = var.security_audit_role_name kms_arn = module.kms.kms_arn @@ -282,8 +302,9 @@ module "step_function_role" { } module "step_function" { - source = "./terraform-modules/step-function" - project = var.project + source = "./terraform-modules/step-function" + project = var.project + lambda_arn = module.lambda_scan.lambda_function_arns["scan"] role_arn = module.step_function_role.lambda_role_arn kms_arn = module.kms.kms_arn @@ -291,16 +312,18 @@ module "step_function" { } module "dynamodb_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/dynamodb-ips" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/dynamodb-ips" + project = var.project kms_arn = module.kms.kms_arn environment = local.env } module "step_function_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/step-function" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/step-function" + project = var.project purpose = "ips" lambda_arn = module.lambda_scan_ips[0].lambda_function_arns["scan-ips"] @@ -310,8 +333,9 @@ module "step_function_ips" { } module "lambda_role_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/iam" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -323,8 +347,9 @@ module "lambda_role_ips" { } module "lambda_scan_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/lambda-scan-ips" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/lambda-scan-ips" + lambdas = ["scan-ips"] runtime = var.runtime platform = var.platform @@ -350,8 +375,9 @@ module "lambda_scan_ips" { } module "accounts_role_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/iam" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/iam" + project = var.project region = var.region security_audit_role_name = var.security_audit_role_name @@ -364,8 +390,9 @@ module "accounts_role_ips" { } module "lambda_accounts_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/lambda-accounts" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/lambda-accounts" + lambdas = ["accounts-ips"] runtime = var.runtime platform = var.platform @@ -383,8 +410,9 @@ module "lambda_accounts_ips" { } module "accounts_event_ips" { - count = var.ip_address ? 1 : 0 - source = "./terraform-modules/cloudwatch" + count = var.ip_address ? 1 : 0 + source = "./terraform-modules/cloudwatch" + project = var.project lambda_function_arns = module.lambda_accounts_ips[0].lambda_function_arns lambda_function_names = module.lambda_accounts_ips[0].lambda_function_names @@ -397,7 +425,8 @@ module "accounts_event_ips" { } module "lamdba_stats" { - source = "./terraform-modules/lambda-stats" + source = "./terraform-modules/lambda-stats" + runtime = var.runtime platform = var.platform memory_size = var.memory_size