-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* LZA-163: S3 and CUR modules * LZA-163: Move cur infra into one module and create IAM roe * LZA-163: Update S3 settings, create inline policy and S3 lifecycle rule * LZA-163: Create S3 Replication Rule * LZA-163: Create bucket policy * LZA-163: Terraform fmt and update aws region condition validation * LZA-163: add aws_s3_bucket_public_access_block * LZA-163: add aws_s3_bucket_public_access_block * LZA-163: Change bucket name references to use tf resource value * LZA-163: Change bucket name references to use tf resource value and add arn for iam role in replication rule * Configure .trivyignore for CUDOS setup (#28) * Create .trivyignore file and add s3 kms * Change to use trivyignores instead of ignorefile * Change to use avd references * move .trivyignore file to module root * append avd to ignore checks * Capitalise misconf value * LZA-163: Updates from testing * Delete main.tf * Update .trivyignore * Update README.md * LZA-163: Updates from testing * LZA-163: Updates from testing * LZA-163: Updates from testing * LZA-163: Updates from testing --------- Co-authored-by: Liam MacPherson <[email protected]>
- Loading branch information
1 parent
ede9173
commit 350fba3
Showing
7 changed files
with
469 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,4 +23,5 @@ jobs: | |
uses: aquasecurity/[email protected] | ||
with: | ||
scan-type: 'config' | ||
trivyignores: ".trivyignore" | ||
exit-code: '1' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
#Ignore requirement for S3 logging bucket as per CUDOS setup instructions | ||
AVD-AWS-0089 | ||
|
||
#Ignore requirement for customer managed key for S3 encryption as per CUDOS setup instructions | ||
AVD-AWS-0132 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
# Core Cloud AWS Cost & Usage Report Module | ||
|
||
This module is responsible for creating and managing Cost and Usage Reports and their related infrastructure in AWS. | ||
|
||
## Usage | ||
|
||
```hcl | ||
module "cost_usage_reports" { | ||
source = "git::ssh://[email protected]/UKHomeOffice/core-cloud-terraform-modules.git//modules/aws/cost_usage_reports" | ||
report_name = <VALUE> | ||
time_unit = <VALUE> | ||
format = <VALUE> | ||
compression = <VALUE> | ||
additional_schema_elements = <VALUE> | ||
bucket_name = <VALUE> | ||
bucket_region = <VALUE> | ||
additional_artifacts = <VALUE> | ||
s3_prefix = <VALUE> | ||
refresh_closed_reports = <VALUE> | ||
report_versioning = <VALUE> | ||
iam_role = <VALUE> | ||
lifecycle_rule = <VALUE> | ||
noncurrent_version_expiration_days = <VALUE> | ||
expiration_days = <VALUE> | ||
inline_policy_name = <VALUE> | ||
billing_account = <VALUE> | ||
replication_rule = <VALUE> | ||
destination_bucket = <VALUE> | ||
} | ||
``` | ||
|
||
## Validation | ||
|
||
This module expects the variables to conform to the following: | ||
- `report_name` - Must be a string between 1 and 256 characters. | ||
- `time_unit` - Valid values for time_unit are DAILY, HOURLY or MONTHLY. | ||
- `format` - Valid values for format are textORcsv or Parquet. | ||
- `compression` - Valid values for time_unit are GZIP, ZIP or Parquet. | ||
- `additional_schema_elements` - Valid values for additional_schema_elements are RESOURCES or SPLIT_COST_ALLOCATION_DATA. | ||
- `bucket_name` - Must be a string between 1 and 64 characters. | ||
- `bucket_region` - - Must be an AWS region. | ||
- `additional_artifacts` - Valid values for time_unit are REDSHIFT, QUICKSHIFT or ATHENA. | ||
- `s3_prefix` - Must be a string between 1 and 256 characters. | ||
- `refresh_closed_reports` - Boolean value. | ||
- `report_versioning` - Valid values for report_versioning are CREATE_NEW_REPORT or OVERWRITE_REPORT. | ||
- `iam_role` - Friendly name of the role. If omitted, Terraform will assign a random, unique name. | ||
- `lifecycle_rule` - Must be a string between 1 and 256 characters. | ||
- `noncurrent_version_expiration_days` - Must be a positive integer. | ||
- `expiration_days` - Must be a positive integer. | ||
- `inline_policy_name` - Must be a string between 1 and 256 characters. | ||
- `billing_account` - Must be a 12 character string. | ||
- `replication_rule` - Must be a string between 1 and 256 characters. | ||
- `destination_bucket` - The destination_bucket ARN must be less than 256 characters. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,217 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "> 5.0.0, < 6.0.0" | ||
} | ||
} | ||
} | ||
|
||
provider "aws" { | ||
region = "eu-west-2" | ||
} | ||
|
||
provider "aws" { | ||
region = "us-east-1" | ||
alias = "us-east-1" | ||
} | ||
|
||
#COST AND USAGE REPORT | ||
resource "aws_cur_report_definition" "cur_report_definitions" { | ||
depends_on = [aws_iam_role.cur_role, aws_s3_bucket_policy.cur_S3_bucket_policy] | ||
provider = aws.us-east-1 | ||
report_name = var.report_name | ||
time_unit = var.time_unit | ||
format = var.format | ||
compression = var.compression | ||
additional_schema_elements = var.additional_schema_elements | ||
s3_bucket = aws_s3_bucket.s3_buckets.id | ||
s3_region = var.bucket_region | ||
additional_artifacts = var.additional_artifacts | ||
s3_prefix = "cur/${var.billing_account}" | ||
refresh_closed_reports = var.refresh_closed_reports | ||
report_versioning = var.report_versioning | ||
} | ||
|
||
#S3 BUCKET | ||
resource "aws_s3_bucket" "s3_buckets" { | ||
bucket = var.bucket_name | ||
} | ||
|
||
#S3 SETTINGS | ||
resource "aws_s3_bucket_ownership_controls" "bucket_ownership_controls" { | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
rule { | ||
object_ownership = "BucketOwnerEnforced" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_versioning" "versioning_rules" { | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
versioning_configuration { | ||
status = "Enabled" | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption_rules" { | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
|
||
rule { | ||
apply_server_side_encryption_by_default { | ||
sse_algorithm = "AES256" | ||
} | ||
} | ||
} | ||
|
||
resource "aws_s3_bucket_public_access_block" "cur_public_access_block" { | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
|
||
block_public_acls = true | ||
block_public_policy = true | ||
ignore_public_acls = true | ||
restrict_public_buckets = true | ||
} | ||
|
||
#IAM ROLE | ||
resource "aws_iam_role" "cur_role" { | ||
name = var.iam_role | ||
assume_role_policy = jsonencode({ | ||
"Version" : "2012-10-17", | ||
"Statement" : [ | ||
{ | ||
"Action" : "sts:AssumeRole", | ||
"Principal" : { | ||
"Service" : "s3.amazonaws.com" | ||
}, | ||
"Effect" : "Allow", | ||
"Sid" : "" | ||
} | ||
] | ||
}) | ||
|
||
inline_policy { | ||
name = var.inline_policy_name | ||
|
||
policy = jsonencode({ | ||
"Version" : "2012-10-17", | ||
"Statement" : [ | ||
{ | ||
"Action" : [ | ||
"s3:GetReplicationConfiguration", | ||
"s3:ListBucket" | ||
], | ||
"Resource" : "arn:aws:s3:::cid-${var.billing_account}-central-finops-local", | ||
"Effect" : "Allow" | ||
}, | ||
{ | ||
"Action" : [ | ||
"s3:GetObjectVersionForReplication", | ||
"s3:GetObjectVersionAcl" | ||
], | ||
"Resource" : "arn:aws:s3:::cid-${var.billing_account}-central-finops-local/*", | ||
"Effect" : "Allow" | ||
}, | ||
{ | ||
"Action" : [ | ||
"s3:ReplicateObject", | ||
"s3:ReplicateDelete", | ||
"s3:ReplicateTags", | ||
"s3:GetObjectVersionTagging" | ||
], | ||
"Resource" : "arn:aws:s3:::cid-873134405383-shared/cur/${var.billing_account}/*", | ||
"Effect" : "Allow" | ||
} | ||
] | ||
}) | ||
} | ||
} | ||
|
||
#S3 BUCKET POLICY | ||
resource "aws_s3_bucket_policy" "cur_S3_bucket_policy" { | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
policy = jsonencode({ | ||
"Version" : "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "billingreports.amazonaws.com" | ||
}, | ||
"Action": [ | ||
"s3:GetBucketAcl", | ||
"s3:GetBucketPolicy" | ||
], | ||
"Resource": aws_s3_bucket.s3_buckets.arn, | ||
"Condition": { | ||
"StringEquals": { | ||
"aws:SourceAccount": var.billing_account, | ||
"aws:SourceArn": "arn:aws:cur:us-east-1:${var.billing_account}:definition/*" | ||
} | ||
} | ||
}, | ||
{ | ||
"Effect": "Allow", | ||
"Principal": { | ||
"Service": "billingreports.amazonaws.com" | ||
}, | ||
"Action": "s3:PutObject", | ||
"Resource": "${aws_s3_bucket.s3_buckets.arn}/*", | ||
"Condition": { | ||
"StringEquals": { | ||
"aws:SourceAccount": var.billing_account, | ||
"aws:SourceArn": "arn:aws:cur:us-east-1:${var.billing_account}:definition/*" | ||
} | ||
} | ||
} | ||
] | ||
}) | ||
} | ||
|
||
|
||
#S3 LIFECYCLE RULE | ||
resource "aws_s3_bucket_lifecycle_configuration" "cur_bucket_lifecycle_rule" { | ||
depends_on = [aws_s3_bucket_versioning.versioning_rules] | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
rule { | ||
id = var.lifecycle_rule | ||
|
||
filter {} | ||
|
||
noncurrent_version_expiration { | ||
noncurrent_days = var.noncurrent_version_expiration_days | ||
} | ||
|
||
expiration { | ||
days = var.expiration_days | ||
} | ||
status = "Enabled" | ||
} | ||
} | ||
|
||
/* # REPLICATION RULE | ||
resource "aws_s3_bucket_replication_configuration" "cur_bucket_replication_rule" { | ||
depends_on = [aws_s3_bucket_versioning.versioning_rules] | ||
bucket = aws_s3_bucket.s3_buckets.id | ||
role = aws_iam_role.cur_role.arn | ||
rule { | ||
id = var.replication_rule | ||
filter {} | ||
destination { | ||
bucket = var.destination_bucket | ||
storage_class = "STANDARD" | ||
} | ||
delete_marker_replication { | ||
status = "Enabled" | ||
} | ||
source_selection_criteria { | ||
sse_kms_encrypted_objects { | ||
status = "Disabled" | ||
} | ||
} | ||
status = "Enabled" | ||
} | ||
} */ |
Oops, something went wrong.