Feat/tag conformance pack module

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/accounts/demo_account/dev/variables.tfvars

@@ -1,8 +1,8 @@
-profile                 = "DEMO" #account name, do not change
-bucket_name             = "tag-conformance-pack-files-demo-dev"
-create_tf_backend          = false
+profile                 = "<profile>" #account name, do not change
+bucket_name             = "tag-conformance-pack-files-<account>-<env>"
+create_tf_backend          = true
 region                  = "us-east-1"
-application_domain_path = "./accounts/demo_account/application-domain.json"
+application_domain_path = "./accounts/<account>/<env>/application-domain.json"
 script_path = "./src"
 custom_lambda_script = "custom-required-tags-evaluation.py"
 create_event_bridge_tagger = true
@@ -11,10 +11,10 @@ ssm_script = "ssmDocumentAutomation.py"
 tags = {
   application = "config"
   domain      = "infrastructure"
-  board       = "demo"
+  board       = "board"
   company     = "rd"
   shared      = "no"
-  env         = "dev"
+  env         = "env"
   tag_created = "iac"
 }
 RemediationExecutionControls = {
@@ -118,4 +118,4 @@ custom_lambda_resource_types = [
   "AWS::Cloud9::EnvironmentEC2",
   "AWS::CloudTrail::Trail"
 ]
-  
+

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/accounts/demo_account/qa/variables.tfvars

@@ -1,8 +1,8 @@
-profile                 = "DEMO" #account name, do not change
-bucket_name             = "tag-conformance-pack-files-demo-qa"
-create_tf_backend          = false
+profile                 = "<profile>" #account name, do not change
+bucket_name             = "tag-conformance-pack-files-<account>-<env>"
+create_tf_backend          = true
 region                  = "us-east-1"
-application_domain_path = "./accounts/demo_account/application-domain.json"
+application_domain_path = "./accounts/<account>/<env>/application-domain.json"
 script_path = "./src"
 custom_lambda_script = "custom-required-tags-evaluation.py"
 create_event_bridge_tagger = true
@@ -11,10 +11,10 @@ ssm_script = "ssmDocumentAutomation.py"
 tags = {
   application = "config"
   domain      = "infrastructure"
-  board       = "demo"
+  board       = "board"
   company     = "rd"
   shared      = "no"
-  env         = "qa"
+  env         = "env"
   tag_created = "iac"
 }
 RemediationExecutionControls = {
@@ -118,4 +118,4 @@ custom_lambda_resource_types = [
   "AWS::Cloud9::EnvironmentEC2",
   "AWS::CloudTrail::Trail"
 ]
-  
+

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/accounts/demo_account_2/qa/variables.tfvars

@@ -1,8 +1,8 @@
-profile                 = "DEMO2" #account name, do not change
-bucket_name             = "tag-conformance-pack-files-demo2-qa"
+profile                 = "<profile>" #account name, do not change
+bucket_name             = "tag-conformance-pack-files-<account>-<env>"
 create_tf_backend          = true
 region                  = "us-east-1"
-application_domain_path = "./accounts/demo_account_2/application-domain.json"
+application_domain_path = "./accounts/<account>/<env>/application-domain.json"
 script_path = "./src"
 custom_lambda_script = "custom-required-tags-evaluation.py"
 create_event_bridge_tagger = true
@@ -11,10 +11,10 @@ ssm_script = "ssmDocumentAutomation.py"
 tags = {
   application = "config"
   domain      = "infrastructure"
-  board       = "demo"
+  board       = "board"
   company     = "rd"
   shared      = "no"
-  env         = "qa"
+  env         = "env"
   tag_created = "iac"
 }
 RemediationExecutionControls = {
@@ -24,26 +24,98 @@ RemediationExecutionControls = {
       ErrorPercentage                   = 40
     }
   }
-  Automatic                = false
+  Automatic                = true
   MaximumAutomaticAttempts = 1
   RetryAttemptSeconds      = 1200
 }
 
 # supported resources for required-tags managed config rule
 # https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
 resource_types = [
+  "AWS::ACM::Certificate",
+  "AWS::AutoScaling::AutoScalingGroup",
+  "AWS::CodeBuild::Project",
+  "AWS::DynamoDB::Table",
+  "AWS::EC2::CustomerGateway",
   "AWS::EC2::Instance",
+  "AWS::EC2::InternetGateway",
+  "AWS::EC2::NetworkAcl",
+  "AWS::EC2::NetworkInterface",
+  "AWS::EC2::RouteTable",
+  "AWS::EC2::SecurityGroup",
+  "AWS::EC2::Subnet",
+  "AWS::EC2::Volume",
+  "AWS::EC2::VPC",
+  "AWS::EC2::VPNConnection",
+  "AWS::EC2::VPNGateway",
+  "AWS::ElasticLoadBalancing::LoadBalancer",
+  "AWS::ElasticLoadBalancingV2::LoadBalancer",
+  "AWS::RDS::DBInstance",
+  "AWS::RDS::DBSecurityGroup",
+  "AWS::RDS::DBSnapshot",
+  "AWS::RDS::DBSubnetGroup",
+  "AWS::RDS::EventSubscription",
+  "AWS::Redshift::Cluster",
+  "AWS::Redshift::ClusterParameterGroup",
+  "AWS::Redshift::ClusterSecurityGroup",
+  "AWS::Redshift::ClusterSnapshot",
+  "AWS::Redshift::ClusterSubnetGroup",
+  "AWS::S3::Bucket"
 ]
 
 # all supporter resources
 # https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html
 custom_lambda_resource_types = [
+  "AWS::ECR::Repository",
+  "AWS::ECR::RegistryPolicy",
+  "AWS::ECR::PullThroughCacheRule",
+  "AWS::ECR::PublicRepository",
+  "AWS::AmazonMQ::Broker",
   "AWS::ECS::Cluster",
   "AWS::ECS::Cluster",
   "AWS::ECS::TaskDefinition",
   "AWS::ECS::Service",
   "AWS::ECS::TaskSet",
   "AWS::ECS::CapacityProvider",
-
+  "AWS::CloudFront::Distribution",
+  "AWS::CloudFront::StreamingDistribution",
+  "AWS::CloudWatch::Alarm",
+  "WS::CloudWatch::MetricStream",
+  "AWS::OpenSearch::Domain",
+  "AWS::Elasticsearch::Domain",
+  "AWS::EKS::Cluster",
+  "AWS::EKS::FargateProfile",
+  "AWS::EKS::IdentityProviderConfig",
+  "AWS::EKS::Addon",
+  "AWS::Lambda::Function",
+  "AWS::Athena::WorkGroup",
+  "AWS::Athena::DataCatalog",
+  "AWS::Athena::PreparedStatement",
+  "AWS::SQS::Queue",
+  "AWS::SNS::Topic",
+  "AWS::EMR::SecurityConfiguration",
+  "AWS::Events::EventBus",
+  "AWS::Events::Rule",
+  "AWS::GuardDuty::Detector",
+  "AWS::GuardDuty::ThreatIntelSet",
+  "AWS::GuardDuty::IPSet",
+  "AWS::GuardDuty::Filter",
+  "AWS::MSK::Cluster",
+  "AWS::MSK::Configuration",
+  "AWS::KafkaConnect::Connector",
+  "AWS::MSK::BatchScramSecret",
+  "AWS::Backup::BackupPlan",
+  "AWS::Backup::BackupSelection",
+  "AWS::Backup::BackupVault",
+  "AWS::Backup::RecoveryPoint",
+  "AWS::Backup::ReportPlan",
+  "AWS::NetworkManager::TransitGatewayRegistration",
+  "AWS::NetworkManager::GlobalNetwork",
+  "AWS::NetworkManager::CustomerGatewayAssociation",
+  "AWS::SecretsManager::Secret",
+  "AWS::ApiGatewayV2::Api",
+  "AWS::ApiGateway::RestApi",
+  "AWS::Cloud9::EnvironmentEC2",
+  "AWS::CloudTrail::Trail"
 ]
-  
+

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/backend.tf

@@ -1,3 +1,37 @@
 terraform {
   backend "s3" {}
 }
+
+
+module "backend_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.15.1"
+
+  create_bucket = var.create_tf_backend
+
+  bucket                   = "tag-conformance-pack-terraform-${replace(lower(var.profile), "_", "-")}"
+  acl                      = "private"
+  control_object_ownership = true
+  object_ownership         = "ObjectWriter"
+
+  versioning = {
+    enabled = true
+  }
+}
+
+module "backend_dynamodb_table" {
+  source = "terraform-aws-modules/dynamodb-table/aws"
+
+  create_table = var.create_tf_backend_dynamo_table
+
+  name                           = "tag-conformance-pack-terraform-${replace(lower(var.profile), "_", "-")}"
+  server_side_encryption_enabled = true
+  hash_key                       = "LockID"
+
+  attributes = [
+    {
+      name = "LockID"
+      type = "S"
+    }
+  ]
+}

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/conformance-pack.tf

@@ -2,8 +2,6 @@ module "ConformancePack" {
   source = "../module/tag-conformance-pack"
 
   profile                        = var.profile
-  create_tf_backend              = var.create_tf_backend
-  create_tf_backend_dynamo_table = var.create_tf_backend_dynamo_table
   bucket_name                    = var.bucket_name
   application_domain_path        = var.application_domain_path
   RemediationExecutionControls   = var.RemediationExecutionControls

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/providers.tf

@@ -3,6 +3,10 @@ provider "aws" {
   region  = var.region
   default_tags {
     tags = {
+<<<<<<< HEAD
+      Name = "TagConformancePack"
+=======
+>>>>>>> main
       git-location = "https://gitlab.com/raiadrogasil/rd/devops-rd/finopstools/tagconformacepack"
       application  = var.tags["application"]
       domain       = var.tags["domain"]

aws/modules/tag-conformance-pack/examples/multiple-accounts-deploy/variables.tf

@@ -6,7 +6,15 @@ variable "profile" {
 }
 
 variable "tags" {
-  type = map(string)
+  type = object({
+    application = string
+    domain      = string
+    board       = string
+    company     = string
+    shared      = string
+    env         = string
+    tag_created = string
+  })
 }
 
 variable "application_domain_path" {
@@ -25,7 +33,7 @@ variable "custom_lambda_resource_types" {
 
 variable "custom_lambda_script" {
   type        = string
-  description = "script para a função lambda do lambda custom config"
+  description = "script para a função landa do lambda custom config"
 }
 
 variable "script_path" {
@@ -55,7 +63,17 @@ variable "RemediationExecutionControls" {
     MaximumAutomaticAttempts = number
     RetryAttemptSeconds      = number
   })
-
+  default = {
+    ExecutionControls = {
+      SsmControls = {
+        ConcurrentExecutionRatePercentage = 20
+        ErrorPercentage                   = 40
+      }
+    }
+    Automatic                = false
+    MaximumAutomaticAttempts = 1
+    RetryAttemptSeconds      = 1200
+  }
   description = "Config Remediation ExecutionControls yaml block"
 }
 
@@ -77,4 +95,12 @@ variable "event_bridge_tagger_script" {
 
 variable "create_event_bridge_tagger" {
   type = bool
+}
+
+# a função lambda event_bridge_tagger vai dispara apenas quando um recurso for modificado.
+# esse scheduler tem como função executar a função lambda periodicamente para todos os recursos suportados por ela.
+variable "schedule_expression" {
+  type = string
+  default = "rate(10 day)"
+  description = "taxa de execução do event bridge schedule que dispara a função lambda event_bridge_tagger."
 }

aws/modules/tag-conformance-pack/lambda-event_bridge_tagger.tf

@@ -7,7 +7,7 @@ module "event_bridge_tagger" {
   handler       = "${trimsuffix(var.event_bridge_tagger_script, ".py")}.lambda_handler"
   runtime       = "python3.10"
   create        = var.create_event_bridge_tagger
-  source_path   = "../module/tag-conformance-pack/src/event_bridge_tagger.py" # #"${var.script_path}/${var.event_bridge_tagger_script}"
+  source_path   = "${var.script_path}/${var.event_bridge_tagger_script}"
 
   attach_create_log_group_permission = true
   cloudwatch_logs_retention_in_days  = 1
@@ -145,6 +145,7 @@ PATTERN
 }
 
 
+
 resource "aws_cloudwatch_event_target" "cloudwatch_logs_trigger" {
   count = var.create_event_bridge_tagger ? 1 : 0
   rule  = aws_cloudwatch_event_rule.cloudwatch_logs_trigger[0].name
@@ -168,3 +169,23 @@ resource "aws_cloudwatch_event_target" "config_rule_trigger" {
   rule  = aws_cloudwatch_event_rule.config_rule_trigger[0].name
   arn   = module.event_bridge_tagger.lambda_function_arn
 }
+
+module "event_bridge_schedule" {
+  source = "terraform-aws-modules/eventbridge/aws"
+  create = var.create_event_bridge_tagger
+
+  bus_name = "event_bridge_tagger_schedule"
+
+  attach_lambda_policy = true
+  lambda_target_arns   = [module.event_bridge_tagger.lambda_function_arn]
+
+  schedules = {
+    event-bridge-tagger-cron = {
+      description         = "Trigger for a Lambda"
+      schedule_expression = var.schedule_expression
+      timezone            = "America/Sao_Paulo"
+      arn                 = module.event_bridge_tagger.lambda_function_arn
+      input               = jsonencode({ "event_bridge_tagger_schedule": "schedule" }) # utilizado no script para distinguir o evento de schedule de outros.
+    }
+  }
+}