diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml index 5a97381..2e0ae35 100644 --- a/.github/workflows/code-scan.yml +++ b/.github/workflows/code-scan.yml @@ -34,6 +34,8 @@ jobs: # This will add both a CLI output to the console and create a results.sarif file output_format: cli,sarif output_file_path: console,results.sarif + #https://github.com/bridgecrewio/checkov/issues/6216 + skip_check: CKV2_GHA_1 - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml new file mode 100644 index 0000000..9067d15 --- /dev/null +++ b/.github/workflows/documentation.yml @@ -0,0 +1,25 @@ +#https://github.com/terraform-docs/gh-actions +name: generate-terraform-docs +on: + - pull_request +jobs: + docs: + runs-on: ubuntu-latest + permissions: + #checkov:skip=CKV2_GHA_1: This is required to add Terraform module details to the ReadMe.md + # Ensure top-level permissions are not set to write-all + contents: write + id-token: write + pull-requests: write + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Render terraform docs inside the README.md and push changes back to PR branch + uses: terraform-docs/gh-actions@v1.3.0 + with: + working-dir: . + output-file: README.md + output-method: inject + git-push: "true" \ No newline at end of file diff --git a/README.md b/README.md index 71840b9..2b4e632 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ [![License: Unlicense](https://img.shields.io/badge/license-Unlicense-white.svg)](https://choosealicense.com/licenses/unlicense/)[![GitHub pull-requests closed](https://img.shields.io/github/issues-pr-closed/kunduso/amazon-elasticache-redis-tf)](https://github.com/kunduso/amazon-elasticache-redis-tf/pulls?q=is%3Apr+is%3Aclosed)[![GitHub pull-requests](https://img.shields.io/github/issues-pr/kunduso/amazon-elasticache-redis-tf)](https://GitHub.com/kunduso/amazon-elasticache-redis-tf/pull/) [![GitHub issues-closed](https://img.shields.io/github/issues-closed/kunduso/amazon-elasticache-redis-tf)](https://github.com/kunduso/amazon-elasticache-redis-tf/issues?q=is%3Aissue+is%3Aclosed)[![GitHub issues](https://img.shields.io/github/issues/kunduso/amazon-elasticache-redis-tf)](https://GitHub.com/kunduso/amazon-elasticache-redis-tf/issues/) -[![terraform-infra-provisioning](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/terraform.yml/badge.svg?branch=main)](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/terraform.yml)[![checkov-static-analysis-scan](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/code-scan.yml/badge.svg?branch=main)](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/code-scan.yml) +[![terraform-infra-provisioning](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/terraform.yml/badge.svg?branch=main)](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/terraform.yml)[![checkov-static-analysis-scan](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/code-scan.yml/badge.svg?branch=main)](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/code-scan.yml) [![Generate terraform docs](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/documentation.yml/badge.svg)](https://github.com/kunduso/amazon-elasticache-redis-tf/actions/workflows/documentation.yml) ![Image](https://skdevops.files.wordpress.com/2023/10/85-image-0-1.png) @@ -18,10 +18,75 @@ For this code to function without errors, I created an OpenID connect identity p
I stored the ARN of the IAM Role as a GitHub secret which is referred in the [`terraform.yml`](https://github.com/kunduso/amazon-elasticache-redis-tf/blob/eb148db2b9ff37cff9f1fb469d0c14b6479bd57a/.github/workflows/terraform.yml#L42) file.
Since I used Infracost in this repository, I stored the `INFRACOST_API_KEY` as a repository secret. It is referenced in the [`terraform.yml`](https://github.com/kunduso/amazon-elasticache-redis-tf/blob/eb148db2b9ff37cff9f1fb469d0c14b6479bd57a/.github/workflows/terraform.yml#L52) GitHub actions workflow file.
As part of the Infracost integration, I also created a `INFRACOST_API_KEY` and stored that as a GitHub Actions secret. I also managed the cost estimate process using a GitHub Actions variable `INFRACOST_SCAN_TYPE` where the value is either `hcl_code` or `tf_plan`, depending on the type of scan desired. + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | 5.20.1 | +| [random](#requirement\_random) | 3.6.3 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.20.1 | +| [random](#provider\_random) | 3.6.3 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [vpc](#module\_vpc) | github.com/kunduso/terraform-aws-vpc | v1.0.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.engine_log](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.slow_log](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/cloudwatch_log_group) | resource | +| [aws_elasticache_replication_group.app4](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/elasticache_replication_group) | resource | +| [aws_elasticache_subnet_group.elasticache_subnet](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/elasticache_subnet_group) | resource | +| [aws_iam_policy.secret_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/iam_policy) | resource | +| [aws_iam_policy.ssm_parameter_policy](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/iam_policy) | resource | +| [aws_kms_alias.encryption_rest](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_alias) | resource | +| [aws_kms_alias.encryption_secret](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_alias) | resource | +| [aws_kms_key.encryption_rest](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_key) | resource | +| [aws_kms_key.encryption_secret](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_key) | resource | +| [aws_kms_key_policy.encryption_rest_policy](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_key_policy) | resource | +| [aws_kms_key_policy.encryption_secret_policy](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/kms_key_policy) | resource | +| [aws_secretsmanager_secret.elasticache_auth](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.auth](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/secretsmanager_secret_version) | resource | +| [aws_security_group.elasticache](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/security_group) | resource | +| [aws_security_group_rule.elasticache_egress](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.elasticache_ingress](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/security_group_rule) | resource | +| [aws_ssm_parameter.elasticache_ep](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.elasticache_port](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/resources/ssm_parameter) | resource | +| [random_password.auth](https://registry.terraform.io/providers/hashicorp/random/3.6.3/docs/resources/password) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.20.1/docs/data-sources/caller_identity) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_key](#input\_access\_key) | The access\_key that belongs to the IAM user. | `string` | `""` | no | +| [name](#input\_name) | The name of the application. | `string` | `"app-4"` | no | +| [region](#input\_region) | AWS Cloud infrastructure region. | `string` | `"us-east-2"` | no | +| [secret\_key](#input\_secret\_key) | The secret\_key that belongs to the IAM user. | `string` | `""` | no | +| [subnet\_cidr\_private](#input\_subnet\_cidr\_private) | CIDR blocks for the private subnets. | `list(any)` | 
[
  "10.20.32.0/27",
  "10.20.32.32/27",
  "10.20.32.64/27"
]
| no | +| [subnet\_cidr\_public](#input\_subnet\_cidr\_public) | CIDR blocks for the public subnets. | `list(any)` | 
[
  "10.20.32.96/27"
]
| no | +| [vpc\_cidr](#input\_vpc\_cidr) | CIDR for the VPC. | `string` | `"10.20.32.0/25"` | no | + +## Outputs + +No outputs. + ## Usage Ensure that the policy attached to the IAM role whose credentials are being used in this configuration has permission to create and manage all the resources that are included in this repository.
Review the code including the [`terraform.yml`](./.github/workflows/terraform.yml) to understand the steps in the GitHub Actions pipeline. Also review the terraform code to understand all the concepts associated with creating an AWS VPC, subnets, internet gateway, route table, and route table association.
If you want to check the pipeline logs, click on the **Build Badge** (terrform-infra-provisioning) above the image in this ReadMe. +## Contributing +If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome! ## License This code is released under the Unlincse License. See [LICENSE](LICENSE). \ No newline at end of file diff --git a/cloudwatch.tf b/cloudwatch.tf index b845914..3807120 100644 --- a/cloudwatch.tf +++ b/cloudwatch.tf @@ -1,8 +1,10 @@ +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group resource "aws_cloudwatch_log_group" "slow_log" { name = "/elasticache/${var.name}/slow-log" retention_in_days = 365 kms_key_id = aws_kms_key.encryption_rest.arn } +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group resource "aws_cloudwatch_log_group" "engine_log" { name = "/elasticache/${var.name}/engine-log" retention_in_days = 365 diff --git a/elasticache.tf b/elasticache.tf index ab46eb1..b21cbae 100644 --- a/elasticache.tf +++ b/elasticache.tf @@ -1,14 +1,16 @@ +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group resource "aws_elasticache_subnet_group" "elasticache_subnet" { name = "${var.name}-cache-subnet" subnet_ids = [for subnet in module.vpc.private_subnets : subnet.id] } - +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret resource "aws_secretsmanager_secret" "elasticache_auth" { name = "${var.name}-elasticache-auth" recovery_window_in_days = 0 kms_key_id = aws_kms_key.encryption_secret.id #checkov:skip=CKV2_AWS_57: Disabled Secrets Manager secrets automatic rotation } +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version resource "aws_secretsmanager_secret_version" "auth" { secret_id = aws_secretsmanager_secret.elasticache_auth.id secret_string = random_password.auth.result diff --git a/random.tf b/random.tf index c36bf04..67bec41 100644 --- a/random.tf +++ b/random.tf @@ -1,4 +1,5 @@ #https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/auth.html#auth-overview +#https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password resource "random_password" "auth" { length = 128 special = true