diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 967e8078..6f7db779 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -21,13 +21,6 @@ jobs:
 - name: "Setup - Checkout"
 uses: actions/checkout@v2.1.0
- # Static analysis of Terraform templates to spot potential security issues
- # Marketplace: https://github.com/marketplace/actions/terraform-security-scan
- - name: "Setup - Security Scan"
- uses: triat/terraform-security-scan@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 # Downloads a specific version of Terraform CLI and adds it to PATH
 # Marketplace: https://github.com/marketplace/actions/hashicorp-setup-terraform
 - name: Setup Terraform
diff --git a/todo-app/aws/3-tier-app/lab/bastion/main.tf b/todo-app/aws/3-tier-app/lab/bastion/main.tf
index 35e178bf..45230d66 100644
--- a/todo-app/aws/3-tier-app/lab/bastion/main.tf
+++ b/todo-app/aws/3-tier-app/lab/bastion/main.tf
@@ -1,7 +1,3 @@
-provider "aws" {
- region = var.region
-}
-
 module "bastion" {
 source = "../../modules/bastion"
 app = var.app
diff --git a/todo-app/aws/3-tier-app/lab/database/mysql/main.tf b/todo-app/aws/3-tier-app/lab/database/mysql/main.tf
index fc09d8a8..7b721fdb 100644
--- a/todo-app/aws/3-tier-app/lab/database/mysql/main.tf
+++ b/todo-app/aws/3-tier-app/lab/database/mysql/main.tf
@@ -1,6 +1,3 @@
-provider "aws" {
- region = var.region
-}
 module "mysql" {
 source = "../../../modules/database/mysql"
 app = var.app
@@ -8,6 +5,4 @@ module "mysql" {
 master_user = var.master_user
 master_password = var.master_password
 multi_az = var.multi_az
-
-
 }
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/lab/main.tf b/todo-app/aws/3-tier-app/lab/main.tf
new file mode 100644
index 00000000..71a333a0
--- /dev/null
+++ b/todo-app/aws/3-tier-app/lab/main.tf
@@ -0,0 +1,4 @@
+# Provider configuration
+provider "aws" {
+ region = var.region
+}
\ No newline at end of file
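Review bot: The hunk deletes the `Setup - Security Scan` step (triat/terraform-security-scan) without putting any static security check in its place, so the workflow now goes straight from checkout to `Setup Terraform` and nothing in CI will flag the world-open security groups and literal credentials that other hunks of this commit add. If the action was removed because it is unreliable, add a pinned substitute scanner step at the same position rather than dropping the control, or at least leave a comment such as `# TODO: security scan removed — restore a pinned scanner before merging to main` so the gap is visible. The enclosing `steps:` list starts before the hunk.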
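Review bot: `lab/bastion/main.tf` loses its only `provider "aws"` block, while the replacement lives in the new `lab/main.tf` one directory up, which Terraform does not load when `lab/bastion` is initialised as its own root module; unless these directories are now applied together from `lab/` or the region comes from the environment, `var.region` is no longer wired to the provider in this directory. The same applies to the `lab/database/mysql`, `lab/security`, `lab/services/todo/app` and `lab/vpc` hunks. If the intent is one root module under `lab/`, `lab/main.tf` needs `module` blocks referencing the subdirectories; otherwise keep a provider block per directory.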
diff --git a/todo-app/aws/3-tier-app/lab/security/main.tf b/todo-app/aws/3-tier-app/lab/security/main.tf
index 34c6bff9..2f4a3500 100644
--- a/todo-app/aws/3-tier-app/lab/security/main.tf
+++ b/todo-app/aws/3-tier-app/lab/security/main.tf
@@ -1,7 +1,3 @@
-provider "aws" {
- region = var.region
-}
-
 data "aws_region" "current" {}
 data "aws_vpc" "selected" {
diff --git a/todo-app/aws/3-tier-app/lab/services/todo/app/main.tf b/todo-app/aws/3-tier-app/lab/services/todo/app/main.tf
index 27b53c7d..525157fc 100644
--- a/todo-app/aws/3-tier-app/lab/services/todo/app/main.tf
+++ b/todo-app/aws/3-tier-app/lab/services/todo/app/main.tf
@@ -1,7 +1,3 @@
-provider "aws" {
- region = var.region
-}
-
 module "todo_app" {
 source = "../../../../modules/app-server"
 app = var.app
diff --git a/todo-app/aws/3-tier-app/lab/vpc/main.tf b/todo-app/aws/3-tier-app/lab/vpc/main.tf
index ae1c416b..02d14a69 100644
--- a/todo-app/aws/3-tier-app/lab/vpc/main.tf
+++ b/todo-app/aws/3-tier-app/lab/vpc/main.tf
@@ -1,7 +1,3 @@
-provider "aws" {
- region = var.region
-}
-
 module "vpc" {
 source = "../../modules/network"
 app = var.app
diff --git a/todo-app/aws/3-tier-app/modules/app-server/main.tf b/todo-app/aws/3-tier-app/modules/app-server/main.tf
index b76e83f8..ef6ec669 100644
--- a/todo-app/aws/3-tier-app/modules/app-server/main.tf
+++ b/todo-app/aws/3-tier-app/modules/app-server/main.tf
@@ -58,7 +58,7 @@ locals {
 Version = var.app.version
 Role = "app"
 Environment = var.app.env
- #Time = formatdate("YYYYMMDDhhmmss", timestamp())
+ LastScanned = formatdate("YYYYMMDDhh", timestamp())
 }
 }
diff --git a/todo-app/aws/3-tier-app/modules/app-server/variables.tf b/todo-app/aws/3-tier-app/modules/app-server/variables.tf
index 2359842e..342ac236 100644
--- a/todo-app/aws/3-tier-app/modules/app-server/variables.tf
+++ b/todo-app/aws/3-tier-app/modules/app-server/variables.tf
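Review bot: `LastScanned = formatdate("YYYYMMDDhh", timestamp())` is re-evaluated on every plan, so the tag value changes each hour and every later plan proposes an in-place update of whatever resources consume `local.tags`; the previous `Time` tag was left commented out, presumably for exactly this reason. The name also implies a security scan took place, while the value is only the hour at which the configuration was last planned. Either drop the tag, or if an apply timestamp is genuinely wanted add `lifecycle { ignore_changes = [tags] }` on the consuming resources so it does not cause perpetual drift. The same change is made in the `database/mysql/main.tf`, `ec2/main.tf` and `network/main.tf` hunks. The `locals` block starts before the hunk.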
@@ -51,7 +51,8 @@ variable "instance_type" {
 variable "scaling_capacity" {
- type = map(string)
+ type = map(string)
+ description = "Scaling paramter for EC2 Auto scaling group"
 default = {
 min = 1
 desired = 2
diff --git a/todo-app/aws/3-tier-app/modules/app-server/version.tf b/todo-app/aws/3-tier-app/modules/app-server/version.tf
new file mode 100644
index 00000000..fe4ce123
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/app-server/version.tf
@@ -0,0 +1,14 @@
+terraform {
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 3.22.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = "= 2.2.0"
+ }
+ }
+ required_version = "= 0.13.5"
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/bastion/example/main.tf b/todo-app/aws/3-tier-app/modules/bastion/example/main.tf
new file mode 100644
index 00000000..22ab5310
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/bastion/example/main.tf
@@ -0,0 +1,49 @@
+provider "aws" {
+ region = "us-west-2"
+}
+
+locals {
+ name_suffix = "us-west-2-l-psi"
+ tags = {
+ AppId = "psi"
+ Version = "1.0.0"
+ Role = "security"
+ Environment = "lab"
+ }
+}
+
+# Add VPC
+module "vpc" {
+ source = "../../network/example"
+}
+
+# Add security group
+module "bastion_sg" {
+ source = "terraform-aws-modules/security-group/aws//modules/ssh"
+ version = "3.17.0"
+ name = "security-group-${local.name_suffix}-bastion"
+ vpc_id = module.vpc.vpc_id
+ description = "Bastion security group"
+ ingress_cidr_blocks = ["0.0.0.0/0"]
+ use_name_prefix = false
+ auto_ingress_with_self = []
+ tags = merge(local.tags, {
+ App = "bastion"
+ })
+}
+
+module "bastion" {
+ source = "../"
+ app = {
+ id = "psi"
+ name = "todo"
+ version = "1.0.0"
+ env = "lab"
+ }
+ ssh_users = [
+ {
+ username = "bastionuser"
+ public_key = "######################[PLACE-YOUR-SSH-PUBLIC-KEY-HERE]######################"
+ }
+ ]
+}
\ No newline at end of file
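Review bot: `description = "Scaling paramter for EC2 Auto scaling group"` misspells "parameter", and the description is the text surfaced in module documentation and validation errors. Suggest `description = "Scaling parameters for the EC2 Auto Scaling group (keys as in the default map)"`. The `default` map continues past the hunk.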
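Review bot: `ingress_cidr_blocks = ["0.0.0.0/0"]` on `bastion_sg` (the `ssh` submodule of terraform-aws-modules/security-group) publishes the bastion's SSH port to the whole internet, and because this is the module's example it will be copied verbatim into real deployments. Take the allowed ranges from a variable with no permissive default, e.g. `ingress_cidr_blocks = var.admin_cidr_blocks` declared as `list(string)`, or at minimum comment on the line that the value must be narrowed to the operator's address range before use. The `public_key` placeholder is fine as a marker, but a one-line comment saying it is not a usable key and must be replaced before `terraform apply` would save the next reader a failed run.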
diff --git a/todo-app/aws/3-tier-app/modules/database/mysql/example/main.tf b/todo-app/aws/3-tier-app/modules/database/mysql/example/main.tf
new file mode 100644
index 00000000..5fe2eb0a
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/database/mysql/example/main.tf
@@ -0,0 +1,48 @@
+provider "aws" {
+ region = "us-west-2"
+}
+
+locals {
+ name_suffix = "us-west-2-l-psi"
+ tags = {
+ AppId = "psi"
+ Version = "1.0.0"
+ Role = "security"
+ Environment = "lab"
+ }
+}
+
+# Add VPC
+module "vpc" {
+ source = "../../network/example"
+}
+
+#Add security group
+module "mysql_sg" {
+ source = "terraform-aws-modules/security-group/aws//modules/mysql"
+ version = "3.17.0"
+ name = "security-group-${local.name_suffix}-mysql"
+ vpc_id = module.vpc.vpc_id
+ description = "Test mysql database connection"
+ use_name_prefix = false
+ auto_ingress_with_self = []
+ # auto_ingress_rules = []
+ ingress_cidr_blocks = ["0.0.0.0/0"]
+
+ tags = merge(local.tags, {
+ App = "mysql"
+ })
+}
+
+module "mysql" {
+ source = "../"
+ app = {
+ id = "psi"
+ version = "1.0.0"
+ env = "lab"
+ }
+ instance_type = "db.t2.micro"
+ master_user = "masteruser"
+ master_password = "masterpassword"
+ multi_az = false
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/database/mysql/example/outputs.tf b/todo-app/aws/3-tier-app/modules/database/mysql/example/outputs.tf
new file mode 100644
index 00000000..78c84a47
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/database/mysql/example/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/database/mysql/main.tf b/todo-app/aws/3-tier-app/modules/database/mysql/main.tf
index 91f8a9eb..5b43be23 100644
--- a/todo-app/aws/3-tier-app/modules/database/mysql/main.tf
+++ b/todo-app/aws/3-tier-app/modules/database/mysql/main.tf
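Review bot: `ingress_cidr_blocks = ["0.0.0.0/0"]` on `mysql_sg` (the `mysql` submodule) exposes the database port to the internet, and `master_password = "masterpassword"` commits a literal credential that happens to satisfy the module's 8-character validation; both will be copied by anyone who starts from this example. Take the ingress list and the credentials from variables with no defaults (`master_password = var.master_password`) so the secret never lands in the repository, and restrict ingress to the application subnets or the `module.vpc` CIDR rather than the world. With the pinned Terraform 0.13.5 the `sensitive` variable attribute is not available, so the password will still appear in plan output and in state; keep the state backend private. The `Role = "security"` tag looks copied from the bastion example and disagrees with the `Role = "db"` the module itself sets.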
@@ -27,7 +27,7 @@ locals {
 Version = var.app.version
 Role = "db"
 Environment = var.app.env
- #Time = formatdate("YYYYMMDDhhmmss", timestamp())
+ LastScanned = formatdate("YYYYMMDDhh", timestamp())
 }
 }
diff --git a/todo-app/aws/3-tier-app/modules/database/mysql/variables.tf b/todo-app/aws/3-tier-app/modules/database/mysql/variables.tf
index 142622b5..9b887a85 100644
--- a/todo-app/aws/3-tier-app/modules/database/mysql/variables.tf
+++ b/todo-app/aws/3-tier-app/modules/database/mysql/variables.tf
@@ -9,12 +9,14 @@ variable "app" {
 }
 variable "instance_type" {
- type = string
+ description = "RDS(Mysql) instance type"
+ type = string
 }
 variable "storage_size_in_gib" {
- type = number
- default = 5
+ description = "The allocated storage in gigabytes"
+ type = number
+ default = 5
 }
 variable "database_name" {
@@ -29,11 +31,13 @@ variable "create_database_name_as_appid" {
 }
 variable "master_user" {
- type = string
+ type = string
+ description = "Mysql master user"
 }
 variable "master_password" {
- type = string
+ type = string
+ description = "Mysql master password"
 validation {
 condition = length(var.master_password) >= 8
 error_message = "Master password should not be of length less than 8 charactors."
@@ -42,7 +46,7 @@ variable "master_password" {
 variable "subnet_group" {
 default = ""
- description = "Database subnet group"
+ description = "Database subnet group, if not provided it'll use default subnet group"
 }
diff --git a/todo-app/aws/3-tier-app/modules/database/mysql/version.tf b/todo-app/aws/3-tier-app/modules/database/mysql/version.tf
new file mode 100644
index 00000000..001a12f2
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/database/mysql/version.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 3.22.0"
+ }
+ }
+ required_version = "= 0.13.5"
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/ec2/main.tf b/todo-app/aws/3-tier-app/modules/ec2/main.tf
index 12a01367..1062c0b4 100644
--- a/todo-app/aws/3-tier-app/modules/ec2/main.tf
+++ b/todo-app/aws/3-tier-app/modules/ec2/main.tf
@@ -43,7 +43,7 @@ locals {
 Version = var.app.version
 Role = var.app.role
 Environment = var.app.env
- #Time = formatdate("YYYYMMDDhhmmss", timestamp())
+ LastScanned = formatdate("YYYYMMDDhh", timestamp())
 }
 }
diff --git a/todo-app/aws/3-tier-app/modules/ec2/variables.tf b/todo-app/aws/3-tier-app/modules/ec2/variables.tf
index 03596a88..7beee1a7 100644
--- a/todo-app/aws/3-tier-app/modules/ec2/variables.tf
+++ b/todo-app/aws/3-tier-app/modules/ec2/variables.tf
@@ -31,11 +31,13 @@ variable "instance_count" {
 }
 variable "associate_public_ip_address" {
- type = bool
- default = false
+ description = "Enable public IP address on ec2 instance(s)"
+ type = bool
+ default = false
 }
 variable "security_group_filters" {
+ description = "Security group filters to find security groups for ec2 instance(s)"
 type = list(object({
 name = string
 values = list(string)
@@ -44,6 +46,7 @@ variable "security_group_filters" {
 }
 variable "subnet_filters" {
+ description = "Subnet filters to find subnet for ec2 instance(s)"
 type = list(object({
 name = string
 values = list(string)
diff --git a/todo-app/aws/3-tier-app/modules/network/example/main.tf b/todo-app/aws/3-tier-app/modules/network/example/main.tf
new file mode 100644
index 00000000..2b13affc
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/network/example/main.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+ region = "us-west-2"
+}
+
+module "vpc" {
+ source = "../"
+ app = {
+ id = "psi"
+ version = "1.0.0"
+ env = "lab"
+ }
+ cidr = "172.31.0.0/24"
+ azs = ["us-west-2a", "us-west-2b"]
+ public_subnets = ["172.31.0.128/26", "172.31.0.192/26"]
+ private_subnets = ["172.31.0.0/27", "172.31.0.32/27"]
+ database_subnets = ["172.31.0.64/27", "172.31.0.96/27"]
+ create_internet_gateway = true
+ create_database_subnet_group = true
+ enable_nat_gateway_single = true
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/network/example/outputs.tf b/todo-app/aws/3-tier-app/modules/network/example/outputs.tf
new file mode 100644
index 00000000..78c84a47
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/network/example/outputs.tf
@@ -0,0 +1,4 @@
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/network/main.tf b/todo-app/aws/3-tier-app/modules/network/main.tf
index a0c85dcd..c33cb2fa 100644
--- a/todo-app/aws/3-tier-app/modules/network/main.tf
+++ b/todo-app/aws/3-tier-app/modules/network/main.tf
@@ -4,39 +4,34 @@ data "aws_region" "current" {}
 locals {
 name_suffix = "${data.aws_region.current.name}-${substr(var.app.env, 0, 1)}-${var.app.id}"
 enable_nat_gateway_per_subnet = var.enable_nat_gateway_per_subnet || var.enable_nat_gateway_single || var.enable_nat_gateway_per_az
- single_nat_gateway = var.enable_nat_gateway_per_subnet ? false : var.enable_nat_gateway_single
- enable_nat_gateway_per_az = var.enable_nat_gateway_per_subnet ? false : (var.enable_nat_gateway_per_az && var.enable_nat_gateway_single ? ! var.enable_nat_gateway_per_az : var.enable_nat_gateway_per_az)
+ single_nat_gateway = local.enable_nat_gateway_per_subnet && var.enable_nat_gateway_single
+ enable_nat_gateway_per_az = local.enable_nat_gateway_per_subnet && (var.enable_nat_gateway_per_az && var.enable_nat_gateway_single ? ! var.enable_nat_gateway_per_az : var.enable_nat_gateway_per_az)
+ database_subnet_group = var.create_database_subnet_group ? length(var.database_subnets) > 1 : ! var.create_database_subnet_group
 }
 module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "2.64.0"
-
- name = "vpc-${local.name_suffix}"
- cidr = var.cidr
- azs = var.azs
-
- # subnets
- public_subnets = var.public_subnets
- private_subnets = var.private_subnets
- database_subnets = var.database_subnets
-
- # gateways
- enable_nat_gateway = local.enable_nat_gateway_per_subnet
- single_nat_gateway = local.single_nat_gateway
- one_nat_gateway_per_az = local.enable_nat_gateway_per_az
-
- create_database_subnet_group = var.create_database_subnet_group
- # database
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.64.0"
+ name = "vpc-${local.name_suffix}"
+ cidr = var.cidr
+ azs = var.azs
+ public_subnets = var.public_subnets
+ private_subnets = var.private_subnets
+ database_subnets = var.database_subnets
+ create_igw = var.create_internet_gateway
+ enable_nat_gateway = local.enable_nat_gateway_per_subnet
+ single_nat_gateway = local.single_nat_gateway
+ one_nat_gateway_per_az = local.enable_nat_gateway_per_az
+ create_database_subnet_group = local.database_subnet_group
 create_database_subnet_route_table = length(var.database_subnets) > 1
-
+ instance_tenancy = var.instance_tenancy
 tags = {
 AppId = var.app.id
 Version = var.app.version
 Role = "infra"
 Environment = var.app.env
- #Time = formatdate("YYYYMMDDhhmmss", timestamp())
+ LastScanned = formatdate("YYYYMMDDhh", timestamp())
 }
 public_subnet_tags = {
diff --git a/todo-app/aws/3-tier-app/modules/network/outputs.tf b/todo-app/aws/3-tier-app/modules/network/outputs.tf
index 791d6c80..79f10a7c 100644
--- a/todo-app/aws/3-tier-app/modules/network/outputs.tf
+++ b/todo-app/aws/3-tier-app/modules/network/outputs.tf
@@ -2,10 +2,6 @@ output "vpc_id" {
 description = "The ID of the VPC"
 value = module.vpc.vpc_id
 }
-# output "private_subnets" {
-# description = "List of IDs of private subnets"
-# value = "${module.vpc.private_subnets}"
-# }
 output "public_subnets" {
 description = "List of IDs of public subnets"
diff --git a/todo-app/aws/3-tier-app/modules/network/variables.tf b/todo-app/aws/3-tier-app/modules/network/variables.tf
index f04f0c70..1f22fd45 100644
--- a/todo-app/aws/3-tier-app/modules/network/variables.tf
+++ b/todo-app/aws/3-tier-app/modules/network/variables.tf
@@ -38,6 +38,12 @@ variable "database_subnets" {
 default = []
 }
+variable "create_internet_gateway" {
+ description = "Whether to enable internet gateway if public subnets is available"
+ type = bool
+ default = true
+}
+
 variable "create_database_subnet_group" {
 description = "Whether database subnet group is created"
 type = bool
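Review bot: `database_subnet_group = var.create_database_subnet_group ? length(var.database_subnets) > 1 : ! var.create_database_subnet_group` inverts the caller's request when the variable is `false`: the else branch evaluates `!false`, so `create_database_subnet_group = local.database_subnet_group` hands `true` to the VPC module exactly when no subnet group was asked for. The condition should read `database_subnet_group = var.create_database_subnet_group && length(var.database_subnets) > 1`. Separately, since `local.enable_nat_gateway_per_subnet` is already the OR of all three NAT flags, the new `single_nat_gateway = local.enable_nat_gateway_per_subnet && var.enable_nat_gateway_single` reduces to `var.enable_nat_gateway_single`, which silently drops the old rule that per-subnet takes precedence over single; if that precedence was intentional it needs restoring. The `module "vpc"` block continues past the hunk.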
@@ -61,3 +67,12 @@ variable "enable_nat_gateway_per_az" {
 description = "Enable Nat Gateway per availability zone"
 default = false
 }
+
+variable "instance_tenancy" {
+ description = "Tenancy option for instances launched into the VPC"
+ default = "default"
+ validation {
+ condition = contains(["default", "dedicated", "host"], var.instance_tenancy)
+ error_message = "Instnace tenancy either default or (dedicated or host)."
+ }
+}
\ No newline at end of file
diff --git a/todo-app/aws/3-tier-app/modules/network/version.tf b/todo-app/aws/3-tier-app/modules/network/version.tf
new file mode 100644
index 00000000..001a12f2
--- /dev/null
+++ b/todo-app/aws/3-tier-app/modules/network/version.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "= 3.22.0"
+ }
+ }
+ required_version = "= 0.13.5"
+}
\ No newline at end of file
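Review bot: The new `instance_tenancy` variable declares no `type`, so a non-string value is only caught by the `contains` check with a confusing message, and that message misspells the option name: `error_message = "Instnace tenancy either default or (dedicated or host)."`. Suggest adding `type = string` and changing it to `error_message = "Instance tenancy must be one of default, dedicated or host."`, which still starts with a capital letter and ends with a period as Terraform 0.13 requires. Since the default stays `"default"`, existing callers are unaffected.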