terraform-aws-maskopy

Overview:

Maskopy is a solution for copying production data into target environments in AWS and obfuscating it on the way. It is built on AWS serverless services: Step Functions, Lambda and Fargate.

Features:

Simplified Copy and Obfuscation

Maskopy copies production data across AWS accounts and runs obfuscation on it. Any sensitive information in the production data is obfuscated in a transient instance; only the final obfuscated snapshot is shared with the user-specified environments.

Self-Service and End-To-End Automation

Maskopy is a self-service solution that lets users obtain production data without involving multiple teams. It is fully automated and plugs easily into CI/CD pipelines and other automation through SNS or SQS.

Secure Design

Maskopy includes security controls such as access management via IAM roles, authorization based on the caller identity, and security groups that restrict network access to the transient resources. You bring your own container with third-party tools for the obfuscation algorithms.

Bring Your Own Obfuscation Container

Maskopy is agnostic of the obfuscation tool. Teams can use any encryption tool or obfuscation framework that fits their needs, bake it into a Docker container, and bring that container to Maskopy to run the data obfuscation.

Usage

```hcl
module "maskopy" {
    source = "git::https://github.com/DNXLabs/terraform-aws-maskopy.git?ref=0.1.1"

    enabled = true

    providers = {
        aws.source  = aws.prod
        aws.staging = aws.nonprod
    }

    staging_vpc_id                 = data.aws_vpc.selected.id
    staging_subnet_ids             = data.aws_subnet_ids.staging_subnet_ids.ids
    staging_rds_default_kms_key_id = ""

    rds_staging_subnet_group_name = ""

    obfuscation_scripts_bucket_name = ""
}
```

Documentation

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | >= 3.26, < 4.0 |
| null | 3.1.0 |

Providers

| Name | Version |
|------|---------|
| archive | n/a |
| aws | >= 3.26, < 4.0 |
| aws.source | >= 3.26, < 4.0 |
| aws.staging | >= 3.26, < 4.0 |
| null | 3.1.0 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| application_name | Name for the Maskopy application; the invoker role name must contain this string. | string | "MASKOPY" | no |
| build_lambda_layer | If true, builds the Lambda layer. Set to true only when using a local source module. | bool | false | no |
| cost_center | Cost-center code that all temporary resources are tagged with. | string | "MaskopyCost" | no |
| create_obfuscation_scripts_bucket | Create the bucket that stores the obfuscation scripts. | bool | true | no |
| custom_source_kms_key | Custom KMS key, used when custom_source_kms_key_enabled is true. | string | "" | no |
| custom_source_kms_key_enabled | Set to true only when the RDS instance in the source account is encrypted with a different KMS key. Remember to add permissions to that existing key. | bool | false | no |
| ecs_docker_image | Docker image the ECS task runs; it downloads the scripts from the S3 obfuscation bucket. | string | "dnxsolutions/obfuscation" | no |
| ecs_fargate_role_name | ECS role name. | string | "ECS_MASKOPY" | no |
| enabled | If true, deploys the Maskopy solution. | bool | true | no |
| lambda_role_name | Lambda role name. | string | "LAMBDA_MASKOPY" | no |
| lambdas_names | Names of the Lambda functions deployed for the state machine. | list(string) | `["00-AuthorizeUser", "01-UseExistingSnapshot", "02-CheckForSnapshotCompletion", "03-ShareSnapshots", "04-CopySharedDBSnapshots", "05-CheckForDestinationSnapshotCompletion", "06-RestoreDatabases", "07-CheckForRestoreCompletion", "08a-CreateFargate", "08b-CreateECS", "09-TakeSnapshot", "10-CheckFinalSnapshotAvailability", "11-CleanupAndTagging", "ErrorHandlingAndCleanup"]` | no |
| obfuscation_scripts_bucket_name | Bucket that stores the obfuscation scripts; upload them under the /obfuscation folder. | string | n/a | yes |
| rds_staging_subnet_group_name | Staging RDS subnet group name used to deploy the transient database. | string | n/a | yes |
| replicate_destination_account_id | ID of the account that receives the dump data replicated from the source bucket. | string | "" | no |
| replicate_destination_bucket_name | Name of the bucket that receives the dump data replicated from the source bucket. | string | "" | no |
| replicate_obfuscation_bucket | Replicate data inside the bucket to another account. | bool | true | no |
| replicate_obfuscation_bucket_prefix | Prefix inside the bucket to replicate to the other account. | string | "dumps" | no |
| sqs_queue_name | SQS queue name to which messages are sent when the step function completes. | string | "maskopy_sqs_queue" | no |
| staging_rds_default_kms_key_id | KMS key that Maskopy uses for the transient RDS instance. | string | n/a | yes |
| staging_subnet_ids | Subnets inside the staging VPC in which to deploy the Lambdas and ECS tasks. | list(string) | n/a | yes |
| staging_vpc_id | VPC id for the staging account. | string | n/a | yes |
| step_function_state_machine_name | Name for the Step Functions state machine. | string | "maskopy-state-machine" | no |
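The custom_source_kms_key_enabled input says to "add permissions to the existing key" but does not show what that looks like. The following is an added example, not module code, of a least-privilege key policy for the source-account KMS key that encrypts the production RDS instance, so that the staging account can copy the snapshot Maskopy shares; the account IDs and the aws_kms_key.rds_source resource name are placeholders.

```hcl
# Added example (not part of terraform-aws-maskopy): policy for the source-account
# KMS key passed as custom_source_kms_key. Placeholders: 111111111111 = source
# (prod) account, 222222222222 = staging account.
data "aws_iam_policy_document" "rds_source_key" {
  # Key administration stays with the source account.
  statement {
    sid       = "SourceAccountAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"]
    }
  }
  # Least privilege for the staging account: enough to copy the shared
  # encrypted snapshot, no key administration or deletion.
  statement {
    sid       = "StagingAccountCopySharedSnapshot"
    actions   = ["kms:Decrypt", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::222222222222:root"]
    }
  }
  # RDS creates grants on the key when it copies the snapshot; allow that
  # only for grants made on behalf of an AWS service, not arbitrary principals.
  statement {
    sid       = "StagingAccountGrantsForAwsServices"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::222222222222:root"]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

# Placeholder key resource; the policy argument is available in aws provider 3.x.
resource "aws_kms_key" "rds_source" {
  description         = "Source RDS encryption key shared with the Maskopy staging account"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.rds_source_key.json
}
```

Pass aws_kms_key.rds_source.arn as custom_source_kms_key with custom_source_kms_key_enabled = true. The root principal only delegates to IAM in the staging account, so the Lambda and ECS roles there still need matching kms permissions in their own policies.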

Outputs

No output.

Authors

Module managed by DNX Solutions.

License

Apache 2 Licensed. See LICENSE for full details.