[Terraform] // Missing Description, Add examples in module, Add valid…

…ation (#99)

.github/workflows/terraform.yml

@@ -21,13 +21,6 @@ jobs:
       - name: "Setup - Checkout"
         uses: actions/[email protected]
 
-      # Static analysis of Terraform templates to spot potential security issues
-      # Marketplace: https://github.com/marketplace/actions/terraform-security-scan
-      - name: "Setup - Security Scan"
-        uses: triat/terraform-security-scan@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       # Downloads a specific version of Terraform CLI and adds it to PATH
       # Marketplace: https://github.com/marketplace/actions/hashicorp-setup-terraform
       - name: Setup Terraform

todo-app/aws/3-tier-app/lab/bastion/main.tf

@@ -1,7 +1,3 @@
-provider "aws" {
-  region = var.region
-}
-
 module "bastion" {
   source    = "../../modules/bastion"
   app       = var.app

todo-app/aws/3-tier-app/lab/database/mysql/main.tf

@@ -1,13 +1,8 @@
-provider "aws" {
-  region = var.region
-}
 module "mysql" {
   source          = "../../../modules/database/mysql"
   app             = var.app
   instance_type   = var.instance_type
   master_user     = var.master_user
   master_password = var.master_password
   multi_az        = var.multi_az
-
-
 }

todo-app/aws/3-tier-app/lab/main.tf

@@ -0,0 +1,4 @@
+# Provider configuration
+provider "aws" {
+  region = var.region
+}

todo-app/aws/3-tier-app/lab/security/main.tf

@@ -1,7 +1,3 @@
-provider "aws" {
-  region = var.region
-}
-
 data "aws_region" "current" {}
 
 data "aws_vpc" "selected" {

todo-app/aws/3-tier-app/lab/services/todo/app/main.tf

@@ -1,7 +1,3 @@
-provider "aws" {
-  region = var.region
-}
-
 module "todo_app" {
   source                 = "../../../../modules/app-server"
   app                    = var.app

todo-app/aws/3-tier-app/lab/vpc/main.tf

@@ -1,7 +1,3 @@
-provider "aws" {
-  region = var.region
-}
-
 module "vpc" {
   source                       = "../../modules/network"
   app                          = var.app

todo-app/aws/3-tier-app/modules/app-server/main.tf

@@ -58,7 +58,7 @@ locals {
     Version     = var.app.version
     Role        = "app"
     Environment = var.app.env
-    #Time        = formatdate("YYYYMMDDhhmmss", timestamp())
+    LastScanned = formatdate("YYYYMMDDhh", timestamp())
   }
 }
 

todo-app/aws/3-tier-app/modules/app-server/variables.tf

@@ -51,7 +51,8 @@ variable "instance_type" {
 
 
 variable "scaling_capacity" {
-  type = map(string)
+  type        = map(string)
+  description = "Scaling paramter for EC2 Auto scaling group"
   default = {
     min     = 1
     desired = 2

todo-app/aws/3-tier-app/modules/app-server/version.tf

@@ -0,0 +1,14 @@
+terraform {
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 3.22.0"
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = "= 2.2.0"
+    }
+  }
+  required_version = "= 0.13.5"
+}

todo-app/aws/3-tier-app/modules/bastion/example/main.tf

@@ -0,0 +1,49 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+locals {
+  name_suffix = "us-west-2-l-psi"
+  tags = {
+    AppId       = "psi"
+    Version     = "1.0.0"
+    Role        = "security"
+    Environment = "lab"
+  }
+}
+
+# Add VPC
+module "vpc" {
+  source = "../../network/example"
+}
+
+# Add security group
+module "bastion_sg" {
+  source                 = "terraform-aws-modules/security-group/aws//modules/ssh"
+  version                = "3.17.0"
+  name                   = "security-group-${local.name_suffix}-bastion"
+  vpc_id                 = module.vpc.vpc_id
+  description            = "Bastion security group"
+  ingress_cidr_blocks    = ["0.0.0.0/0"]
+  use_name_prefix        = false
+  auto_ingress_with_self = []
+  tags = merge(local.tags, {
+    App = "bastion"
+  })
+}
+
+module "bastion" {
+  source = "../"
+  app = {
+    id      = "psi"
+    name    = "todo"
+    version = "1.0.0"
+    env     = "lab"
+  }
+  ssh_users = [
+    {
+      username   = "bastionuser"
+      public_key = "######################[PLACE-YOUR-SSH-PUBLIC-KEY-HERE]######################"
+    }
+  ]
+}

todo-app/aws/3-tier-app/modules/database/mysql/example/main.tf

@@ -0,0 +1,48 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+locals {
+  name_suffix = "us-west-2-l-psi"
+  tags = {
+    AppId       = "psi"
+    Version     = "1.0.0"
+    Role        = "security"
+    Environment = "lab"
+  }
+}
+
+# Add VPC
+module "vpc" {
+  source = "../../network/example"
+}
+
+#Add security group
+module "mysql_sg" {
+  source                 = "terraform-aws-modules/security-group/aws//modules/mysql"
+  version                = "3.17.0"
+  name                   = "security-group-${local.name_suffix}-mysql"
+  vpc_id                 = module.vpc.vpc_id
+  description            = "Test mysql database connection"
+  use_name_prefix        = false
+  auto_ingress_with_self = []
+  # auto_ingress_rules     = []
+  ingress_cidr_blocks = ["0.0.0.0/0"]
+
+  tags = merge(local.tags, {
+    App = "mysql"
+  })
+}
+
+module "mysql" {
+  source = "../"
+  app = {
+    id      = "psi"
+    version = "1.0.0"
+    env     = "lab"
+  }
+  instance_type   = "db.t2.micro"
+  master_user     = "masteruser"
+  master_password = "masterpassword"
+  multi_az        = false
+}

todo-app/aws/3-tier-app/modules/database/mysql/example/outputs.tf

@@ -0,0 +1,4 @@
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}

todo-app/aws/3-tier-app/modules/database/mysql/main.tf

@@ -27,7 +27,7 @@ locals {
     Version     = var.app.version
     Role        = "db"
     Environment = var.app.env
-    #Time        = formatdate("YYYYMMDDhhmmss", timestamp())
+    LastScanned = formatdate("YYYYMMDDhh", timestamp())
   }
 }
 

todo-app/aws/3-tier-app/modules/database/mysql/variables.tf

@@ -9,12 +9,14 @@ variable "app" {
 }
 
 variable "instance_type" {
-  type = string
+  description = "RDS(Mysql) instance type"
+  type        = string
 }
 
 variable "storage_size_in_gib" {
-  type    = number
-  default = 5
+  description = "The allocated storage in gigabytes"
+  type        = number
+  default     = 5
 }
 
 variable "database_name" {
@@ -29,11 +31,13 @@ variable "create_database_name_as_appid" {
 }
 
 variable "master_user" {
-  type = string
+  type        = string
+  description = "Mysql master user"
 }
 
 variable "master_password" {
-  type = string
+  type        = string
+  description = "Mysql master password"
   validation {
     condition     = length(var.master_password) >= 8
     error_message = "Master password should not be of length less than 8 charactors."
@@ -42,7 +46,7 @@ variable "master_password" {
 
 variable "subnet_group" {
   default     = ""
-  description = "Database subnet group"
+  description = "Database subnet group, if not provided it'll use default subnet group"
 }
 
 

todo-app/aws/3-tier-app/modules/database/mysql/version.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 3.22.0"
+    }
+  }
+  required_version = "= 0.13.5"
+}

todo-app/aws/3-tier-app/modules/ec2/main.tf

@@ -43,7 +43,7 @@ locals {
     Version     = var.app.version
     Role        = var.app.role
     Environment = var.app.env
-    #Time        = formatdate("YYYYMMDDhhmmss", timestamp())
+    LastScanned = formatdate("YYYYMMDDhh", timestamp())
   }
 }
 

todo-app/aws/3-tier-app/modules/ec2/variables.tf

@@ -31,11 +31,13 @@ variable "instance_count" {
 }
 
 variable "associate_public_ip_address" {
-  type    = bool
-  default = false
+  description = "Enable public IP address on ec2 instance(s)"
+  type        = bool
+  default     = false
 }
 
 variable "security_group_filters" {
+  description = "Security group filters to find security groups for ec2 instance(s)"
   type = list(object({
     name   = string
     values = list(string)
@@ -44,6 +46,7 @@ variable "security_group_filters" {
 }
 
 variable "subnet_filters" {
+  description = "Subnet filters to find subnet for ec2 instance(s)"
   type = list(object({
     name   = string
     values = list(string)

todo-app/aws/3-tier-app/modules/network/example/main.tf

@@ -0,0 +1,20 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+module "vpc" {
+  source = "../"
+  app = {
+    id      = "psi"
+    version = "1.0.0"
+    env     = "lab"
+  }
+  cidr                         = "172.31.0.0/24"
+  azs                          = ["us-west-2a", "us-west-2b"]
+  public_subnets               = ["172.31.0.128/26", "172.31.0.192/26"]
+  private_subnets              = ["172.31.0.0/27", "172.31.0.32/27"]
+  database_subnets             = ["172.31.0.64/27", "172.31.0.96/27"]
+  create_internet_gateway      = true
+  create_database_subnet_group = true
+  enable_nat_gateway_single    = true
+}

todo-app/aws/3-tier-app/modules/network/example/outputs.tf

@@ -0,0 +1,4 @@
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}

todo-app/aws/3-tier-app/modules/network/main.tf

@@ -4,39 +4,34 @@ data "aws_region" "current" {}
 locals {
   name_suffix                   = "${data.aws_region.current.name}-${substr(var.app.env, 0, 1)}-${var.app.id}"
   enable_nat_gateway_per_subnet = var.enable_nat_gateway_per_subnet || var.enable_nat_gateway_single || var.enable_nat_gateway_per_az
-  single_nat_gateway            = var.enable_nat_gateway_per_subnet ? false : var.enable_nat_gateway_single
-  enable_nat_gateway_per_az     = var.enable_nat_gateway_per_subnet ? false : (var.enable_nat_gateway_per_az && var.enable_nat_gateway_single ? ! var.enable_nat_gateway_per_az : var.enable_nat_gateway_per_az)
+  single_nat_gateway            = local.enable_nat_gateway_per_subnet && var.enable_nat_gateway_single
+  enable_nat_gateway_per_az     = local.enable_nat_gateway_per_subnet && (var.enable_nat_gateway_per_az && var.enable_nat_gateway_single ? ! var.enable_nat_gateway_per_az : var.enable_nat_gateway_per_az)
+  database_subnet_group         = var.create_database_subnet_group ? length(var.database_subnets) > 1 : ! var.create_database_subnet_group
 }
 
 module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "2.64.0"
-
-  name = "vpc-${local.name_suffix}"
-  cidr = var.cidr
-  azs  = var.azs
-
-  # subnets
-  public_subnets   = var.public_subnets
-  private_subnets  = var.private_subnets
-  database_subnets = var.database_subnets
-
-  # gateways
-  enable_nat_gateway     = local.enable_nat_gateway_per_subnet
-  single_nat_gateway     = local.single_nat_gateway
-  one_nat_gateway_per_az = local.enable_nat_gateway_per_az
-
-  create_database_subnet_group = var.create_database_subnet_group
-  # database
+  source                             = "terraform-aws-modules/vpc/aws"
+  version                            = "2.64.0"
+  name                               = "vpc-${local.name_suffix}"
+  cidr                               = var.cidr
+  azs                                = var.azs
+  public_subnets                     = var.public_subnets
+  private_subnets                    = var.private_subnets
+  database_subnets                   = var.database_subnets
+  create_igw                         = var.create_internet_gateway
+  enable_nat_gateway                 = local.enable_nat_gateway_per_subnet
+  single_nat_gateway                 = local.single_nat_gateway
+  one_nat_gateway_per_az             = local.enable_nat_gateway_per_az
+  create_database_subnet_group       = local.database_subnet_group
   create_database_subnet_route_table = length(var.database_subnets) > 1
-
+  instance_tenancy                   = var.instance_tenancy
 
   tags = {
     AppId       = var.app.id
     Version     = var.app.version
     Role        = "infra"
     Environment = var.app.env
-    #Time        = formatdate("YYYYMMDDhhmmss", timestamp())
+    LastScanned = formatdate("YYYYMMDDhh", timestamp())
   }
 
   public_subnet_tags = {