From 79e7ece995a3e5bad06b214746bdb6a7927f016a Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 7 May 2024 11:08:08 -0400
Subject: [PATCH 01/22] added eventbridge module
---
 terraform/modules/eventbridge/data.tf | 0
 terraform/modules/eventbridge/iam.tf | 31 +++++++++++
 terraform/modules/eventbridge/locals.tf | 4 ++
 terraform/modules/eventbridge/main.tf | 36 +++++++++++++
 terraform/modules/eventbridge/outputs.tf | 7 +++
 terraform/modules/eventbridge/variables.tf | 61 ++++++++++++++++++++++
 6 files changed, 139 insertions(+)
 create mode 100644 terraform/modules/eventbridge/data.tf
 create mode 100644 terraform/modules/eventbridge/iam.tf
 create mode 100644 terraform/modules/eventbridge/locals.tf
 create mode 100644 terraform/modules/eventbridge/main.tf
 create mode 100644 terraform/modules/eventbridge/outputs.tf
 create mode 100644 terraform/modules/eventbridge/variables.tf
diff --git a/terraform/modules/eventbridge/data.tf b/terraform/modules/eventbridge/data.tf
new file mode 100644
index 00000000..e69de29b
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
new file mode 100644
index 00000000..55a2a2aa
--- /dev/null
+++ b/terraform/modules/eventbridge/iam.tf
@@ -0,0 +1,31 @@
+resource "aws_iam_role" "eventbridge_role" {
+ name = "eventbridge_access_role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "events.amazonaws.com"
+ }
+ }]
+ })
+}
+
+resource "aws_iam_role_policy" "eventbridge_policy" {
+ role = aws_iam_role.eventbridge_role.id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Action = [
+ "ecs:RunTask",
+ "lambda:InvokeFunction",
+ "sns:Publish"
+ ]
+ Resource = "*"
+ Effect = "Allow"
+ }]
+ })
+}
diff --git a/terraform/modules/eventbridge/locals.tf b/terraform/modules/eventbridge/locals.tf
new file mode 100644
index 00000000..e8c28031
--- /dev/null
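Review bot: The role policy grants `ecs:RunTask`, `lambda:InvokeFunction` and `sns:Publish` with `Resource = "*"`, so the role can start any task definition and invoke any function in the account even though the module only ever drives `var.target_arn`. Scope the statement to the module's own inputs, e.g. `Resource = [var.task_definition_arn, var.target_arn]` (RunTask authorizes on the task-definition ARN, and an `ecs:cluster` condition on `var.ecs_cluster_arn` pins the cluster), and split ECS and Lambda into separate statements so a Lambda-only deployment carries no ECS rights. The trust policy also lacks the usual confused-deputy guard for a service principal; a `Condition` using `aws:SourceAccount` (the deploying account) or `aws:SourceArn` (the rule ARN) is cheap to add. The same wildcard statement is widened again in patch 20 (L21).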
+++ b/terraform/modules/eventbridge/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ ecs_conditions = var.target_type == "ecs-task"
+ lambda_conditions = var.target_type == "lambda"
+}
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
new file mode 100644
index 00000000..dd4a0d7a
--- /dev/null
+++ b/terraform/modules/eventbridge/main.tf
@@ -0,0 +1,36 @@
+resource "aws_eventbridge_rule" "module_event" {
+ name = var.name
+ schedule_expression = var.schedule_expression
+}
+
+resource "aws_eventbridge_target" "module_target" {
+ rule = aws_eventbridge_rule.module_event.name
+ arn = var.target_arn
+ target_id = "${var.target_type}-${aws_eventbridge_rule.module_event.name}"
+
+ input_transformer {
+ input_paths = var.input_paths
+ input_template = var.input
+ }
+
+ dynamic "ecs_parameters" {
+ for_each = local.ecs_conditions ? [1] : []
+ content {
+ task_definition_arn = var.task_definition_arn
+ task_count = 1
+ launch_type = "FARGATE"
+ network_configuration {
+ ecs_subnet_ids = var.private_subnet_ids
+ security_groups = var.security_groups
+ assign_public_ip = var.assign_public_ip
+ }
+ }
+ }
+
+ dynamic "lambda_parameters" {
+ for_each = local.lambda_conditions ? [1] : []
+ content {
+ function_arn = var.target_arn
+ }
+ }
+}
diff --git a/terraform/modules/eventbridge/outputs.tf b/terraform/modules/eventbridge/outputs.tf
new file mode 100644
index 00000000..2bc5cf1c
--- /dev/null
+++ b/terraform/modules/eventbridge/outputs.tf
@@ -0,0 +1,7 @@
+output "eventbridge_rule_name" {
+ value = aws_eventbridge_rule.module_event.name
+}
+
+output "eventbridge_target_id" {
+ value = aws_eventbridge_target.module_target.target_id
+}
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
new file mode 100644
index 00000000..6427d04e
--- /dev/null
+++ b/terraform/modules/eventbridge/variables.tf
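Review bot: For an ECS target the target `arn` has to be the ECS cluster ARN, but `arn = var.target_arn` is the same value the Lambda branch feeds to `function_arn`, and `var.ecs_cluster_arn` declared in variables.tf is never referenced anywhere in the module. Use the cluster variable for the ECS case, e.g. `arn = local.ecs_conditions ? var.ecs_cluster_arn : var.target_arn`, and say in the `target_arn` description that it is the function ARN for Lambda targets only. The same `arn = var.target_arn` survives on the `ecs_target` resource introduced in patch 07 (L10), so the fix applies there too.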
@@ -0,0 +1,61 @@
+variable "name" {
+ description = "Name of the EventBridge rule"
+ type = string
+}
+
+variable "schedule_expression" {
+ description = "Schedule expression for the EventBridge rule"
+ type = string
+}
+
+variable "target_type" {
+ description = "Type of the EventBridge target (e.g., 'ecs-task', 'lambda', 'sns')"
+ type = string
+}
+
+variable "target_arn" {
+ description = "ARN of the EventBridge target"
+ type = string
+}
+
+variable "ecs_cluster_arn" {
+ description = "ARN of the ECS cluster for ECS task type targets"
+ type = string
+ default = ""
+}
+
+variable "task_definition_arn" {
+ description = "ARN of the ECS task definition for ECS task type targets"
+ type = string
+ default = ""
+}
+
+variable "private_subnet_ids" {
+ description = "List of private subnet IDs for ECS task type targets"
+ type = list(string)
+ default = []
+}
+
+variable "security_groups" {
+ description = "List of security group IDs for ECS task type targets"
+ type = list(string)
+ default = []
+}
+
+variable "assign_public_ip" {
+ description = "Whether to assign a public IP to the ECS task. Valid values: 'ENABLED', 'DISABLED'"
+ type = string
+ default = "DISABLED"
+}
+
+variable "input" {
+ description = "Input passed to the target, must be JSON"
+ type = string
+ default = "{}"
+}
+
+variable "input_paths" {
+ description = "JSON paths to be extracted from the event and used in the input template"
+ type = map(string)
+ default = {}
+}
From 994a1d0cf357ef1b1d25600bf9f3d88670818916 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Wed, 8 May 2024 12:35:20 -0400
Subject: [PATCH 02/22] updated to add resource_prefix
---
 terraform/modules/eventbridge/iam.tf | 2 +-
 terraform/modules/eventbridge/main.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)
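Review bot: `target_type` is documented as accepting `'ecs-task'`, `'lambda'` or `'sns'`, but locals.tf only recognises the first two, so `"sns"` or any typo yields a module call in which neither the ECS nor the Lambda configuration is produced and nothing fails at plan time. Add a `validation` block so the mismatch is caught early: `condition = contains(["ecs-task", "lambda"], var.target_type)` with `error_message = "target_type must be \"ecs-task\" or \"lambda\"."`, and drop `'sns'` from the description until it is actually implemented. `task_definition_arn`, `private_subnet_ids` and `ecs_security_groups` default to empty values although an ECS target cannot work without them; stating in each description that they are required when `target_type` is `ecs-task` would save callers a failed apply.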
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 55a2a2aa..762b0ec6 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "eventbridge_role" {
- name = "eventbridge_access_role"
+ name = "${var.resource_prefix}-eventbridge_access_role"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index dd4a0d7a..65e8a685 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -1,5 +1,5 @@
 resource "aws_eventbridge_rule" "module_event" {
- name = var.name
+ name = "${var.resource_prefix}-${var.name}"
 schedule_expression = var.schedule_expression
 }
 
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 6427d04e..27d4303a 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -59,3 +59,8 @@ variable "input_paths" {
 type = map(string)
 default = {}
 }
+
+variable "resource_prefix" {
+ description = "The prefix to add when creating resources"
+ type = string
+}
\ No newline at end of file
From 9011d2e5f24546b197aa72cfe70adc4474f245bf Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 10 May 2024 13:07:42 -0400
Subject: [PATCH 03/22] updated to add permission boundry
---
 terraform/modules/eventbridge/data.tf | 1 +
 terraform/modules/eventbridge/iam.tf | 1 +
 terraform/modules/eventbridge/locals.tf | 1 +
 terraform/modules/eventbridge/main.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 8 +++++++-
 5 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/eventbridge/data.tf b/terraform/modules/eventbridge/data.tf
index e69de29b..d78fce49 100644
--- a/terraform/modules/eventbridge/data.tf
+++ b/terraform/modules/eventbridge/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
\ No newline at end of file
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 762b0ec6..7a675438 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
@@ -1,5 +1,6 @@
 resource "aws_iam_role" "eventbridge_role" {
 name = "${var.resource_prefix}-eventbridge_access_role"
+ permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
diff --git a/terraform/modules/eventbridge/locals.tf b/terraform/modules/eventbridge/locals.tf
index e8c28031..24d404b4 100644
--- a/terraform/modules/eventbridge/locals.tf
+++ b/terraform/modules/eventbridge/locals.tf
@@ -1,4 +1,5 @@
 locals {
 ecs_conditions = var.target_type == "ecs-task"
 lambda_conditions = var.target_type == "lambda"
+ permission_boundary_arn = terraform.workspace == "stage" || terraform.workspace == "prod" ? null : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/PermissionBoundary_PowerUser"
 }
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 65e8a685..937c8c11 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -1,5 +1,5 @@
 resource "aws_eventbridge_rule" "module_event" {
- name = "${var.resource_prefix}-${var.name}"
+ name = "${var.resource_prefix}-${var.eventbridge_name}"
 schedule_expression = var.schedule_expression
 }
 
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 27d4303a..0f8800c5 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -1,4 +1,4 @@
-variable "name" {
+variable "eventbridge_name" {
 description = "Name of the EventBridge rule"
 type = string
 }
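Review bot: `permission_boundary_arn` evaluates to `null` whenever the workspace is `stage` or `prod`, so in exactly those environments the role is created with no permissions boundary even when `target_account_cloudone` is true; the boundary only ever applies to non-production workspaces. If that is the intended account policy, say so where the local is defined, e.g. `# boundary is only mandated in non-prod workspaces; stage/prod rely on account-level controls`; if it is not, drop the workspace test and apply the boundary unconditionally. The `PermissionBoundary_PowerUser` policy name is also hard-coded into the ARN; exposing it as a variable with that default keeps the module usable in accounts that name the boundary differently.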
@@ -63,4 +63,10 @@ variable "input_paths" {
 variable "resource_prefix" {
 description = "The prefix to add when creating resources"
 type = string
+}
+
+variable "target_account_cloudone"{
+ description = "to add check conditions on whether the resources are brought up in cloudone or not"
+ type = bool
+ default = true
 }
\ No newline at end of file
From 5c91af12378e8f8a0856f554d4d1e067e60ec5df Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 10 May 2024 13:30:01 -0400
Subject: [PATCH 04/22] updated to add permission boundry
---
 terraform/modules/eventbridge/main.tf | 6 +++---
 terraform/modules/eventbridge/variables.tf | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 937c8c11..06a76bfb 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -8,10 +8,10 @@ resource "aws_eventbridge_target" "module_target" {
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_eventbridge_rule.module_event.name}"
 
- input_transformer {
+ /*input_transformer {
 input_paths = var.input_paths
 input_template = var.input
- }
+ }*/
 
 dynamic "ecs_parameters" {
 for_each = local.ecs_conditions ? [1] : []
@@ -21,7 +21,7 @@ resource "aws_eventbridge_target" "module_target" {
 launch_type = "FARGATE"
 network_configuration {
 ecs_subnet_ids = var.private_subnet_ids
- security_groups = var.security_groups
+ ecs_security_groups = var.ecs_security_groups
 assign_public_ip = var.assign_public_ip
 }
 }
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 0f8800c5..c5372a46 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
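Review bot: Commenting the `input_transformer` block out with `/* … */` instead of deleting it leaves dead configuration in main.tf, and the matching `/*variable "input" … }*/` span in the variables.tf hunks on L7 wraps two declarations in one comment, so `input_paths` disappears along with `input` without being mentioned anywhere. Delete both spans outright (git keeps the history), or if the transformer is meant to return, keep it and its variables and guard it rather than hiding it in a comment. In the `target_account_cloudone` variable added in the first hunk, the description does not say what the flag actually changes; `description = "Apply the CloudOne permissions boundary to the EventBridge IAM role"` reads directly, and the missing space before `{` should be restored.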
@@ -36,7 +36,7 @@ variable "private_subnet_ids" {
 default = []
 }
 
-variable "security_groups" {
+variable "ecs_security_groups" {
 description = "List of security group IDs for ECS task type targets"
 type = list(string)
 default = []
@@ -48,7 +48,7 @@ variable "assign_public_ip" {
 default = "DISABLED"
 }
 
-variable "input" {
+/*variable "input" {
 description = "Input passed to the target, must be JSON"
 type = string
 default = "{}"
@@ -58,7 +58,7 @@ variable "input_paths" {
 description = "JSON paths to be extracted from the event and used in the input template"
 type = map(string)
 default = {}
-}
+}*/
 
 variable "resource_prefix" {
 description = "The prefix to add when creating resources"
From 745d79ebccae69a2b68beff18a85ee58c2f96434 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Mon, 13 May 2024 12:52:59 -0400
Subject: [PATCH 05/22] updated
---
 terraform/modules/eventbridge/main.tf | 22 +++++++++------------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 06a76bfb..9ca98fdf 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -1,17 +1,12 @@
-resource "aws_eventbridge_rule" "module_event" {
- name = "${var.resource_prefix}-${var.eventbridge_name}"
+resource "aws_cloudwatch_event_rule" "module_event" {
+ name = var.eventbridge_name
 schedule_expression = var.schedule_expression
 }
 
-resource "aws_eventbridge_target" "module_target" {
- rule = aws_eventbridge_rule.module_event.name
+resource "aws_cloudwatch_event_target" "module_target" {
+ rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
- target_id = "${var.target_type}-${aws_eventbridge_rule.module_event.name}"
-
- /*input_transformer {
- input_paths = var.input_paths
- input_template = var.input
- }*/
+ target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
 
 dynamic "ecs_parameters" {
 for_each = local.ecs_conditions ? [1] : []
@@ -20,9 +15,9 @@ resource "aws_eventbridge_target" "module_target" {
 task_count = 1
 launch_type = "FARGATE"
 network_configuration {
- ecs_subnet_ids = var.private_subnet_ids
- ecs_security_groups = var.ecs_security_groups
- assign_public_ip = var.assign_public_ip
+ subnets = var.private_subnet_ids
+ security_groups = var.ecs_security_groups
+ assign_public_ip = var.assign_public_ip
 }
 }
 }
@@ -34,3 +29,4 @@ resource "aws_eventbridge_target" "module_target" {
 }
 }
 }
+
From bbc66bde7f75b2554cd4ce69c5458d2696fa4a97 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Mon, 13 May 2024 13:31:25 -0400
Subject: [PATCH 06/22] updated
---
 terraform/modules/eventbridge/outputs.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/eventbridge/outputs.tf b/terraform/modules/eventbridge/outputs.tf
index 2bc5cf1c..7db5780f 100644
--- a/terraform/modules/eventbridge/outputs.tf
+++ b/terraform/modules/eventbridge/outputs.tf
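Review bot: `network_configuration.assign_public_ip` on `aws_cloudwatch_event_target` is a boolean argument, but `var.assign_public_ip` is declared in variables.tf as a string whose default is `"DISABLED"`, a value Terraform cannot convert to bool, so every ECS-task plan fails on this line. Change the variable to `type = bool` and `default = false` and reword its description; no public IP is the right default for a Fargate task placed in `private_subnet_ids`. The first hunk also drops `${var.resource_prefix}-` from the rule name while the IAM role in iam.tf keeps the prefix, so the two resources one module call creates no longer share a naming scheme; if the prefix is unwanted on the rule, a comment on `name` saying why would stop the next reader re-adding it.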
@@ -1,7 +1,7 @@
 output "eventbridge_rule_name" {
- value = aws_eventbridge_rule.module_event.name
+ value = aws_cloudwatch_event_rule.module_event.name
 }
 
 output "eventbridge_target_id" {
- value = aws_eventbridge_target.module_target.target_id
+ value = aws_cloudwatch_event_target.module_target.target_id
 }
From 305086f311bc242844a3d8fd506d00a98c08abaf Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Mon, 13 May 2024 14:17:29 -0400
Subject: [PATCH 07/22] updated
---
 terraform/modules/eventbridge/main.tf | 43 +++++++++++++----------
 terraform/modules/eventbridge/outputs.tf | 16 +++++++--
 2 files changed, 38 insertions(+), 21 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 9ca98fdf..818ee0b2 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -3,30 +3,35 @@ resource "aws_cloudwatch_event_rule" "module_event" {
 schedule_expression = var.schedule_expression
 }
 
-resource "aws_cloudwatch_event_target" "module_target" {
+# For ECS Task
+resource "aws_cloudwatch_event_target" "ecs_target" {
+ count = local.ecs_conditions ? 1 : 0
+
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
-
- dynamic "ecs_parameters" {
- for_each = local.ecs_conditions ? [1] : []
- content {
- task_definition_arn = var.task_definition_arn
- task_count = 1
- launch_type = "FARGATE"
- network_configuration {
- subnets = var.private_subnet_ids
- security_groups = var.ecs_security_groups
- assign_public_ip = var.assign_public_ip
- }
+
+ ecs_target {
+ task_definition_arn = var.task_definition_arn
+ task_count = 1
+ launch_type = "FARGATE"
+ network_configuration {
+ subnets = var.private_subnet_ids
+ security_groups = var.ecs_security_groups
+ assign_public_ip = var.assign_public_ip
 }
 }
+}
 
- dynamic "lambda_parameters" {
- for_each = local.lambda_conditions ? [1] : []
- content {
- function_arn = var.target_arn
- }
+# For Lambda Function
+resource "aws_cloudwatch_event_target" "lambda_target" {
+ count = local.lambda_conditions ? 1 : 0
+
+ rule = aws_cloudwatch_event_rule.module_event.name
+ arn = var.target_arn
+ target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
+
+ lambda_target {
+ function_arn = var.target_arn
 }
 }
-
diff --git a/terraform/modules/eventbridge/outputs.tf b/terraform/modules/eventbridge/outputs.tf
index 7db5780f..166a62b5 100644
--- a/terraform/modules/eventbridge/outputs.tf
+++ b/terraform/modules/eventbridge/outputs.tf
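Review bot: Nothing in the module grants EventBridge permission to invoke the Lambda target: a rule invoking a function needs a resource-based permission on the function itself, and the role created in iam.tf is not what authorizes Lambda invocations, so unless the caller adds that permission outside the module the `lambda_target` created here never fires. Add the permission next to `lambda_target` under the same `count` guard (sketched below), or state the requirement in the `target_arn` description so callers know to provide it. The hard-coded `task_count = 1` and `launch_type = "FARGATE"` on `ecs_target` are also natural variables with those defaults.
```hcl
# … unchanged: aws_cloudwatch_event_target.lambda_target …
resource "aws_lambda_permission" "allow_eventbridge" {
  count         = local.lambda_conditions ? 1 : 0
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = var.target_arn
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.module_event.arn
}
```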
@@ -1,7 +1,19 @@
+# Output for the EventBridge rule name
 output "eventbridge_rule_name" {
 value = aws_cloudwatch_event_rule.module_event.name
+ description = "The name of the EventBridge rule."
 }
 
-output "eventbridge_target_id" {
- value = aws_cloudwatch_event_target.module_target.target_id
+# Output for the ECS EventBridge target ID, conditionally output if ECS target is created
+output "eventbridge_ecs_target_id" {
+ value = aws_cloudwatch_event_target.ecs_target[0].target_id
+ description = "The ID of the EventBridge target for the ECS task."
+ condition = length(aws_cloudwatch_event_target.ecs_target) > 0
+}
+
+# Output for the Lambda EventBridge target ID, conditionally output if Lambda target is created
+output "eventbridge_lambda_target_id" {
+ value = aws_cloudwatch_event_target.lambda_target[0].target_id
+ description = "The ID of the EventBridge target for the Lambda function."
+ condition = length(aws_cloudwatch_event_target.lambda_target) > 0
 }
From ed429c31d232e42acf7b16a07570f6390edd2f7e Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Mon, 13 May 2024 14:25:38 -0400
Subject: [PATCH 08/22] updated
---
 terraform/modules/eventbridge/outputs.tf | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/terraform/modules/eventbridge/outputs.tf b/terraform/modules/eventbridge/outputs.tf
index 166a62b5..5a7c62f7 100644
--- a/terraform/modules/eventbridge/outputs.tf
+++ b/terraform/modules/eventbridge/outputs.tf
@@ -4,16 +4,14 @@ output "eventbridge_rule_name" {
 description = "The name of the EventBridge rule."
 }
 
-# Output for the ECS EventBridge target ID, conditionally output if ECS target is created
+# Output for the ECS EventBridge target ID, providing a default value if no resource is created
 output "eventbridge_ecs_target_id" {
- value = aws_cloudwatch_event_target.ecs_target[0].target_id
+ value = length(aws_cloudwatch_event_target.ecs_target) > 0 ? aws_cloudwatch_event_target.ecs_target[0].target_id : "No ECS target created"
 description = "The ID of the EventBridge target for the ECS task."
- condition = length(aws_cloudwatch_event_target.ecs_target) > 0
 }
 
-# Output for the Lambda EventBridge target ID, conditionally output if Lambda target is created
+# Output for the Lambda EventBridge target ID, providing a default value if no resource is created
 output "eventbridge_lambda_target_id" {
- value = aws_cloudwatch_event_target.lambda_target[0].target_id
+ value = length(aws_cloudwatch_event_target.lambda_target) > 0 ? aws_cloudwatch_event_target.lambda_target[0].target_id : "No Lambda target created"
 description = "The ID of the EventBridge target for the Lambda function."
- condition = length(aws_cloudwatch_event_target.lambda_target) > 0
 }
From 94d4c92903111a294f7de2361deb81734a97c26d Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Mon, 13 May 2024 14:34:52 -0400
Subject: [PATCH 09/22] updated
---
 terraform/modules/eventbridge/main.tf | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 818ee0b2..c459e94f 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
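Review bot: The fallback strings `"No ECS target created"` and `"No Lambda target created"` make these outputs look like IDs when they are not, so a caller that interpolates `eventbridge_ecs_target_id` into another resource gets a plausible-looking bad value instead of a plan-time error. Return `null` for the absent case, which is what Terraform consumers expect and what `try`/`coalesce` on the caller side can handle: `value = one(aws_cloudwatch_event_target.ecs_target[*].target_id)` and the same with `lambda_target` for the second output. `one()` yields the single element or `null` for an empty list, which also removes the duplicated `length(...) > 0 ? ... :` expression.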
@@ -30,8 +30,5 @@ resource "aws_cloudwatch_event_target" "lambda_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
-
- lambda_target {
- function_arn = var.target_arn
- }
+
 }
From 800ee1260515ef76a34fc9e2f7a489f1768dc7f0 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Wed, 15 May 2024 13:55:42 -0400
Subject: [PATCH 10/22] updated
---
 terraform/modules/eventbridge/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index c459e94f..11e063aa 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -1,6 +1,7 @@
 resource "aws_cloudwatch_event_rule" "module_event" {
 name = var.eventbridge_name
 schedule_expression = var.schedule_expression
+ role_arn = aws_iam_role.eventbridge_role.arn
 }
 
 # For ECS Task
@@ -30,5 +31,5 @@ resource "aws_cloudwatch_event_target" "lambda_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
-
+
 }
From 4ee34cfcd36f3da8462b04a5d91ad05245ab013e Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Wed, 15 May 2024 14:05:23 -0400
Subject: [PATCH 11/22] updated
---
 terraform/modules/eventbridge/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 11e063aa..492e9ce4 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -11,7 +11,7 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
-
+ role_arn = aws_iam_role.eventbridge_role.arn
 ecs_target {
 task_definition_arn = var.task_definition_arn
 task_count = 1
@@ -31,5 +31,6 @@ resource "aws_cloudwatch_event_target" "lambda_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
+ role_arn = aws_iam_role.eventbridge_role.arn
 
 }
From 60f2a3737bdfa18fae70544977b3aac418b56df2 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Wed, 15 May 2024 14:33:33 -0400
Subject: [PATCH 12/22] updated
---
 terraform/modules/eventbridge/iam.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 7a675438..97f819b2 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "eventbridge_role" {
- name = "${var.resource_prefix}-eventbridge_access_role"
+ name = "${var.iam_prefix}-${var.resource_prefix}-eventbridge_access_role"
 permissions_boundary = var.target_account_cloudone ? local.permission_boundary_arn : null
 
 assume_role_policy = jsonencode({
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index c5372a46..963cbe71 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -65,8 +65,14 @@ variable "resource_prefix" {
 type = string
 }
 
+variable "iam_prefix" {
+ description = "The string prefix for IAM roles and policies to conform to NCI power-user compliance"
+ type = string
+ default = "power-user"
+}
+
 variable "target_account_cloudone"{
 description = "to add check conditions on whether the resources are brought up in cloudone or not"
 type = bool
 default = true
-}
\ No newline at end of file
+}
From 6effaf5c411b564b4fc1f82c016b1f8a9fc88c5b Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 17 May 2024 20:38:51 -0400
Subject: [PATCH 13/22] updated
---
 terraform/modules/eventbridge/main.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 492e9ce4..d2d26ed4 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -11,7 +11,7 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
- role_arn = aws_iam_role.eventbridge_role.arn
+ role_arn = var.ecs_task_execution_role_arn
 ecs_target {
 task_definition_arn = var.task_definition_arn
 task_count = 1
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 963cbe71..f0724d4e 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -76,3 +76,8 @@ variable "target_account_cloudone"{
 type = bool
 default = true
 }
+
+variable "iecs_task_execution_role_arn" {
+ description = "arn of the ecs_task_execution_role"
+ type = string
+}
From bf98f2be2cef62caf3dbbf879bc4a874dfffb98b Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 17 May 2024 21:00:42 -0400
Subject: [PATCH 14/22] updated
---
 terraform/modules/eventbridge/main.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index d2d26ed4..2db9588c 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -11,7 +11,7 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 rule = aws_cloudwatch_event_rule.module_event.name
 arn = var.target_arn
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
- role_arn = var.ecs_task_execution_role_arn
+ role_arn = var.role_arn
 ecs_target {
 task_definition_arn = var.task_definition_arn
 task_count = 1
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index f0724d4e..722d0d57 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -77,7 +77,7 @@ variable "target_account_cloudone"{
 default = true
 }
 
-variable "iecs_task_execution_role_arn" {
- description = "arn of the ecs_task_execution_role"
- type = string
+variable "role_arn" {
+ description = "The ARN of the IAM role to use for EventBridge."
+ type = string
 }
From 9d6223ce01b09122d480e6540507ba292cade47d Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 17 May 2024 22:10:38 -0400
Subject: [PATCH 15/22] updated
---
 terraform/modules/eventbridge/data.tf | 6 +++++-
 terraform/modules/eventbridge/main.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 9 +++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/terraform/modules/eventbridge/data.tf b/terraform/modules/eventbridge/data.tf
index d78fce49..13e7d25c 100644
--- a/terraform/modules/eventbridge/data.tf
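Review bot: After this change the ECS target runs under a caller-supplied `var.role_arn`, while the module still creates `aws_iam_role.eventbridge_role` with `ecs:RunTask` in its policy and attaches it only to the rule and the Lambda target, so the role carrying the broadest permissions is no longer the one that actually starts tasks. Either drop `role_arn` here and keep using the module's own role, which the rest of the module is built around, or document the contract the external role must satisfy: a trust policy for `events.amazonaws.com`, `ecs:RunTask` on the task definition, and `iam:PassRole` for the task and execution roles. The variable description `"The ARN of the IAM role to use for EventBridge."` should spell that out, and the description should say the role is used for the ECS target only. The `ecs_target` resource whose `role_arn` line changes here starts and ends outside the hunk.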
+++ b/terraform/modules/eventbridge/data.tf
@@ -1 +1,5 @@
-data "aws_caller_identity" "current" {}
\ No newline at end of file
+data "aws_caller_identity" "current" {}
+
+data "aws_ecs_task_definition" "latest" {
+ family = var.task_family
+}
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 2db9588c..b7d2daf8 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -13,7 +13,7 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
 role_arn = var.role_arn
 ecs_target {
- task_definition_arn = var.task_definition_arn
+ task_definition_arn = data.aws_ecs_task_definition.latest.arn
 task_count = 1
 launch_type = "FARGATE"
 network_configuration {
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 722d0d57..2108421f 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -24,11 +24,11 @@ variable "ecs_cluster_arn" {
 default = ""
 }
 
-variable "task_definition_arn" {
+/*variable "task_definition_arn" {
 description = "ARN of the ECS task definition for ECS task type targets"
 type = string
 default = ""
-}
+}*/
 
 variable "private_subnet_ids" {
 description = "List of private subnet IDs for ECS task type targets"
@@ -81,3 +81,8 @@ variable "role_arn" {
 description = "The ARN of the IAM role to use for EventBridge."
 type = string
 }
+
+variable "task_family" {
+ description = "The family of the ECS task definition"
+ type = string
+}
\ No newline at end of file
From b4ee16ab78e70f995f559109514fcab8a3cc6e7d Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Fri, 17 May 2024 22:21:23 -0400
Subject: [PATCH 16/22] updated
---
 terraform/modules/eventbridge/data.tf | 2 +-
 terraform/modules/eventbridge/variables.tf | 9 ++-------
 2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/terraform/modules/eventbridge/data.tf b/terraform/modules/eventbridge/data.tf
index 13e7d25c..0d262e0d 100644
--- a/terraform/modules/eventbridge/data.tf
+++ b/terraform/modules/eventbridge/data.tf
@@ -1,5 +1,5 @@
 data "aws_caller_identity" "current" {}
 
 data "aws_ecs_task_definition" "latest" {
- family = var.task_family
+ task_definition = var.task_definition_arn
 }
diff --git a/terraform/modules/eventbridge/variables.tf b/terraform/modules/eventbridge/variables.tf
index 2108421f..722d0d57 100644
--- a/terraform/modules/eventbridge/variables.tf
+++ b/terraform/modules/eventbridge/variables.tf
@@ -24,11 +24,11 @@ variable "ecs_cluster_arn" {
 default = ""
 }
 
-/*variable "task_definition_arn" {
+variable "task_definition_arn" {
 description = "ARN of the ECS task definition for ECS task type targets"
 type = string
 default = ""
-}*/
+}
 
 variable "private_subnet_ids" {
 description = "List of private subnet IDs for ECS task type targets"
@@ -81,8 +81,3 @@ variable "role_arn" {
 description = "The ARN of the IAM role to use for EventBridge."
 type = string
 }
-
-variable "task_family" {
- description = "The family of the ECS task definition"
- type = string
-}
\ No newline at end of file
From 55dd1592455a5142f285fad3ef96d96b067d7210 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 16:56:28 -0400
Subject: [PATCH 17/22] updated
---
 terraform/modules/eventbridge/data.tf | 4 ++--
 terraform/modules/eventbridge/main.tf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/modules/eventbridge/data.tf b/terraform/modules/eventbridge/data.tf
index 0d262e0d..c4324585 100644
--- a/terraform/modules/eventbridge/data.tf
+++ b/terraform/modules/eventbridge/data.tf
@@ -1,5 +1,5 @@
 data "aws_caller_identity" "current" {}
 
-data "aws_ecs_task_definition" "latest" {
+/*data "aws_ecs_task_definition" "latest" {
 task_definition = var.task_definition_arn
-}
+}*/
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index b7d2daf8..2db9588c 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -13,7 +13,7 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 target_id = "${var.target_type}-${aws_cloudwatch_event_rule.module_event.name}"
 role_arn = var.role_arn
 ecs_target {
- task_definition_arn = data.aws_ecs_task_definition.latest.arn
+ task_definition_arn = var.task_definition_arn
 task_count = 1
 launch_type = "FARGATE"
 network_configuration {
From fde8e50f9d6bdf41360730d0140e1648abbca927 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 18:12:30 -0400
Subject: [PATCH 18/22] updated
---
 terraform/modules/eventbridge/cloudwatch.tf | 8 ++++++++
 terraform/modules/eventbridge/main.tf | 7 +++++++
 2 files changed, 15 insertions(+)
 create mode 100644 terraform/modules/eventbridge/cloudwatch.tf
diff --git a/terraform/modules/eventbridge/cloudwatch.tf b/terraform/modules/eventbridge/cloudwatch.tf
new file mode 100644
index 00000000..76f2756e
--- /dev/null
+++ b/terraform/modules/eventbridge/cloudwatch.tf
@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_group" "eventbridge_log_group" {
+ name = "/aws/events/${aws_cloudwatch_event_rule.module_event.name}"
+}
+
+resource "aws_cloudwatch_log_stream" "eventbridge_log_stream" {
+ name = "eventbridge_log_stream"
+ log_group_name = aws_cloudwatch_log_group.eventbridge_log_group.name
+}
\ No newline at end of file
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index 2db9588c..c3eaaa9c 100644
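Review bot: `aws_cloudwatch_log_group.eventbridge_log_group` sets no `retention_in_days`, so whatever lands in it is kept indefinitely at cost, and no `kms_key_id`, so it relies on the default service encryption; a module that owns a log group should at least expose retention, e.g. `retention_in_days = var.log_retention_in_days` with a new variable defaulting to something modest like 30. The stream name `"eventbridge_log_stream"` is fixed, which is fine since the group is already per-rule, but a short comment saying so would stop a reader treating it as an oversight. The data.tf hunk above leaves `aws_ecs_task_definition` behind as a `/* … */` comment; deleting it is cleaner than carrying commented-out data sources. Note that the main.tf hunk on L20 is the only consumer of these resources and patch 19 removes it, so the group and stream end up unused.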
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -4,6 +4,8 @@ resource "aws_cloudwatch_event_rule" "module_event" {
 role_arn = aws_iam_role.eventbridge_role.arn
 }
 
+
+
 # For ECS Task
 resource "aws_cloudwatch_event_target" "ecs_target" {
 count = local.ecs_conditions ? 1 : 0
@@ -22,6 +24,11 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 assign_public_ip = var.assign_public_ip
 }
 }
+ // Log failed invocations
+ cloudwatch_logs {
+ log_group_name = aws_cloudwatch_log_group.eventbridge_log_group.name
+ log_stream_name = aws_cloudwatch_log_stream.eventbridge_log_stream.name
+ }
 }
 
 # For Lambda Function
From e3917f3b40f4a2597bb02aed2e0e5c8c6c7d555c Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 18:18:22 -0400
Subject: [PATCH 19/22] updated
---
 terraform/modules/eventbridge/main.tf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/terraform/modules/eventbridge/main.tf b/terraform/modules/eventbridge/main.tf
index c3eaaa9c..9ffb4c1f 100644
--- a/terraform/modules/eventbridge/main.tf
+++ b/terraform/modules/eventbridge/main.tf
@@ -24,11 +24,6 @@ resource "aws_cloudwatch_event_target" "ecs_target" {
 assign_public_ip = var.assign_public_ip
 }
 }
- // Log failed invocations
- cloudwatch_logs {
- log_group_name = aws_cloudwatch_log_group.eventbridge_log_group.name
- log_stream_name = aws_cloudwatch_log_stream.eventbridge_log_stream.name
- }
 }
 
 # For Lambda Function
From 6bb1e97e51b3b532bb30c649755832e1df768883 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 18:40:09 -0400
Subject: [PATCH 20/22] updated
---
 terraform/modules/eventbridge/iam.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 97f819b2..649ba5ee 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
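Review bot: With the `cloudwatch_logs` block gone, nothing in the module references `aws_cloudwatch_log_group.eventbridge_log_group` or `aws_cloudwatch_log_stream.eventbridge_log_stream` from cloudwatch.tf any more, so every module call still creates a log group and stream that receive nothing, and the `logs:*` actions added to the role policy in patch 20 (L21) have no consumer either. Either delete cloudwatch.tf together with this hunk, or wire the group up deliberately, for example as a second `aws_cloudwatch_event_target` whose `arn` is `aws_cloudwatch_log_group.eventbridge_log_group.arn`, so that rule matches are captured for troubleshooting. A one-line comment on `ecs_target` such as `# invocation failures are not logged here; see cloudwatch.tf` would record the decision for the next reader. The `ecs_target` resource starts and ends outside the hunk.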
@@ -23,6 +23,10 @@ resource "aws_iam_role_policy" "eventbridge_policy" {
 Action = [
 "ecs:RunTask",
 "lambda:InvokeFunction",
+ "iam:PassRole",
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
 "sns:Publish"
 ]
 Resource = "*"
From ff8706fbb667ca280476851ec96140b6fd70d403 Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 19:25:08 -0400
Subject: [PATCH 21/22] updated
---
 terraform/modules/eventbridge/iam.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/modules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 649ba5ee..0a29c18e 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
@@ -34,3 +34,8 @@ resource "aws_iam_role_policy" "eventbridge_policy" {
 }]
 })
 }
+
+resource "aws_iam_role_policy_attachment" "eventbridge_policy_attachment" {
+ role = aws_iam_role.eventbridge_role.name
+ policy_arn = aws_iam_policy.eventbridge_policy.arn
+}
From 604eab8d73fde2b1814de74153485e4200260a5c Mon Sep 17 00:00:00 2001
From: Charlo237 <101688187+Charlo237@users.noreply.github.com>
Date: Tue, 21 May 2024 19:42:34 -0400
Subject: [PATCH 22/22] updated
---
 terraform/modules/eventbridge/iam.tf | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/terraform/mod00ules/eventbridge/iam.tf b/terraform/modules/eventbridge/iam.tf
index 0a29c18e..4d4e1b58 100644
--- a/terraform/modules/eventbridge/iam.tf
+++ b/terraform/modules/eventbridge/iam.tf
@@ -33,9 +33,4 @@ resource "aws_iam_role_policy" "eventbridge_policy" {
 Effect = "Allow"
 }]
 })
-}
-
-resource "aws_iam_role_policy_attachment" "eventbridge_policy_attachment" {
- role = aws_iam_role.eventbridge_role.name
- policy_arn = aws_iam_policy.eventbridge_policy.arn
-}
+}
\ No newline at end of file
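Review bot: `"iam:PassRole"` is added to a statement whose `Resource = "*"` (visible just below the hunk), which lets this role pass any role in the account to ECS at RunTask time; that is a textbook privilege-escalation path and precisely what the permissions boundary configured in patch 03 is meant to contain. Move it to its own statement scoped to the roles the task definition actually uses and constrained with `iam:PassedToService`, as sketched below (the two variables there are placeholders for new inputs the module would need). The `logs:*` actions can likewise be scoped to the module's own log group, and `logs:CreateLogGroup` is unnecessary because Terraform creates the group. The enclosing `aws_iam_role_policy` starts and ends outside the hunk.
```hcl
# … unchanged: ecs:RunTask / lambda:InvokeFunction / sns:Publish statement …
{
  Effect = "Allow"
  Action = "iam:PassRole"
  # placeholders: add variables for the task role and execution role ARNs
  Resource = [var.task_role_arn, var.task_execution_role_arn]
  Condition = {
    StringEquals = { "iam:PassedToService" = "ecs-tasks.amazonaws.com" }
  }
},
{
  Effect = "Allow"
  Action = ["logs:CreateLogStream", "logs:PutLogEvents"]
  Resource = "${aws_cloudwatch_log_group.eventbridge_log_group.arn}:*"
}
```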