From 0795de6144b702c9327d5ac0c6412dbb032f6dae Mon Sep 17 00:00:00 2001
From: David Redmin
Date: Mon, 23 Sep 2024 11:11:05 -0400
Subject: [PATCH] Create CyHy Lambda artifacts bucket name using bucket_prefix

This makes our bucket names unique and allows us to remove some local variables that are no longer needed.

Co-authored-by: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com>
Co-authored-by: Jeremy Frasier
---
 README.md | 4 +---
 lambda_artifacts_bucket.tf | 2 +-
 locals.tf | 9 ---------
 provisionlambdabucket_policy.tf | 2 +-
 variables.tf | 4 ++--
 5 files changed, 5 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index e057ce1..739cb38 100644
--- a/README.md
+++ b/README.md
@@ -140,12 +140,10 @@ changes by simply running `terraform apply -var-file=.tfvars`.
 |------|-------------|------|---------|:--------:|
 | aws\_region | The AWS region where the non-global resources for the Cyber Hygiene account are to be provisioned (e.g. "us-east-1"). | `string` | `"us-east-1"` | no |
 | cool\_lambda\_artifacts\_s3\_bucket | The name of the bucket where COOL Lambda deployment packages are to be stored. | `string` | n/a | yes |
-| cyhy\_lambda\_artifacts\_s3\_bucket | The name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. Note that in production Terraform workspaces, the string '-production' will be appended to the bucket name. In non-production workspaces, '-' will be appended to the bucket name. | `string` | `"cool-cyhy-lambda-deployment-artifacts"` | no |
+| cyhy\_lambda\_artifacts\_s3\_bucket\_prefix | The prefix of the name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. A unique bucket name beginning with the specified prefix will be created. | `string` | `"cool-cyhy-lambda-deployment-artifacts"` | no |
 | disable\_inactive\_users\_lambda\_key | The S3 key associated with the Lambda function deployment package to disable inactive IAM users. | `string` | n/a | yes |
 | provisionaccount\_role\_description | The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account."` | no |
 | provisionaccount\_role\_name | The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the Cyber Hygiene account. | `string` | `"ProvisionAccount"` | no |
-| provisioncyhyroot\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root. | `string` | `"Allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root."` | no |
-| provisioncyhyroot\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision all AWS resources required by cisagov/cyhy-tf-root. | `string` | `"ProvisionCyHyRoot"` | no |
 | provisionlambdabucket\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account."` | no |
 | provisionlambdabucket\_policy\_name | The name to assign the IAM policy that allows sufficient permissions to provision the Lambda deployment artifacts S3 bucket in the Cyber Hygiene account. | `string` | `"ProvisionLambdaArtifactsBucket"` | no |
 | provisionssmsessionmanager\_policy\_description | The description to associate with the IAM policy that allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in the Cyber Hygiene account. | `string` | `"Allows sufficient permissions to provision the SSM Document resource and set up SSM session logging in the Cyber Hygiene account."` | no |
diff --git a/lambda_artifacts_bucket.tf b/lambda_artifacts_bucket.tf
index 33ec696..af7e1b8 100644
--- a/lambda_artifacts_bucket.tf
+++ b/lambda_artifacts_bucket.tf
@@ -1,7 +1,7 @@
 # This bucket is used to store the deployment packages for any Lambda functions
 # that will be used in a CyHy environment.
 resource "aws_s3_bucket" "lambda_artifacts" {
- bucket = local.lambda_bucket_name
+ bucket_prefix = var.cyhy_lambda_artifacts_s3_bucket_prefix
 
 tags = {
 "Name" = "Lambda Deployment Artifacts"
diff --git a/locals.tf b/locals.tf
index 7589a07..221ecc0 100644
--- a/locals.tf
+++ b/locals.tf
@@ -17,15 +17,6 @@ locals {
 # Get the CyHy account ID.
 cyhy_account_id = data.aws_caller_identity.cyhy.id
 
- # Determine if this is a Production workspace by checking if
- # terraform.workspace begins with "prod"
- production_workspace = length(regexall("^prod", terraform.workspace)) == 1
-
- # In production Terraform workspaces, the string '-production' is appended to
- # the bucket name. In non-production workspaces, '-' is
- # appended to the bucket name.
- lambda_bucket_name = format("%s-%s", var.cyhy_lambda_artifacts_s3_bucket, local.production_workspace ? "production" : terraform.workspace)
-
 # Find the Users account
 users_account_id = [
 for account in data.aws_organizations_organization.cool.accounts :
diff --git a/provisionlambdabucket_policy.tf b/provisionlambdabucket_policy.tf
index a5dc868..c66cd10 100644
--- a/provisionlambdabucket_policy.tf
+++ b/provisionlambdabucket_policy.tf
@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "provisionlambdabucket_policy_doc" {
 ]
 
 resources = [
- "arn:aws:s3:::${local.lambda_bucket_name}",
+ "arn:aws:s3:::${var.cyhy_lambda_artifacts_s3_bucket_prefix}*",
 ]
 }
 }
diff --git a/variables.tf b/variables.tf
index 012a24e..2688f93 100644
--- a/variables.tf
+++ b/variables.tf
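Review bot: With the workspace-derived suffix gone from the bucket name, nothing left in this hunk records which Terraform workspace a bucket belongs to: the generated suffix is random and the `"Name" = "Lambda Deployment Artifacts"` tag is identical in every workspace. That makes a bucket harder to attribute during inventory or incident triage once several workspaces have deployed one. Unless provider-level default_tags (not visible here) already supply it, a tag such as `"Workspace" = terraform.workspace` alongside `Name` would restore the information the old `local.lambda_bucket_name` carried. The `aws_s3_bucket.lambda_artifacts` resource block continues past the end of the hunk.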
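Review bot: The new resource ARN `arn:aws:s3:::${var.cyhy_lambda_artifacts_s3_bucket_prefix}*` widens this statement from one named bucket to every bucket whose name begins with the prefix, and because `*` in an ARN also matches `/`, to the object ARNs under any such bucket as well; whether that matters depends on the actions listed above the hunk, which are outside it. For the creation-time actions the wildcard is unavoidable, since the generated name is not known until the bucket exists, but any actions that only apply to the already-created bucket could reference `aws_s3_bucket.lambda_artifacts.arn` instead of the wildcard. The reason for the wildcard should at least be recorded next to it, e.g. `# The bucket name is generated from a prefix, so the ARN must be a prefix wildcard; it matches every bucket beginning with that prefix.`. The `provisionlambdabucket_policy_doc` data block starts outside the hunk.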
@@ -26,9 +26,9 @@ variable "aws_region" {
 type = string
 }
 
-variable "cyhy_lambda_artifacts_s3_bucket" {
+variable "cyhy_lambda_artifacts_s3_bucket_prefix" {
 default = "cool-cyhy-lambda-deployment-artifacts"
- description = "The name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. Note that in production Terraform workspaces, the string '-production' will be appended to the bucket name. In non-production workspaces, '-' will be appended to the bucket name."
+ description = "The prefix of the name of the bucket in the Cyber Hygiene account where any Lambda deployment artifacts for a CyHy environment will be stored. A unique bucket name beginning with the specified prefix will be created."
 type = string
 }
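Review bot: The renamed variable has no validation block, yet its default `"cool-cyhy-lambda-deployment-artifacts"` is already 37 characters, which as far as I recall is the provider's maximum for `bucket_prefix` (the 63-character S3 name limit minus the 26-character generated suffix), so any longer override, or one containing upper-case letters, would fail only at apply time after a plan looked clean. A validation on the variable turns that into a plan-time error with a message that names the actual constraint. Suggested addition to the variable block:

```hcl
variable "cyhy_lambda_artifacts_s3_bucket_prefix" {
  # … unchanged: default, description, type …
  validation {
    # REVIEW: 37 = 63-character S3 bucket name limit minus the provider's generated suffix; confirm against the provider docs
    condition     = length(var.cyhy_lambda_artifacts_s3_bucket_prefix) <= 37 && lower(var.cyhy_lambda_artifacts_s3_bucket_prefix) == var.cyhy_lambda_artifacts_s3_bucket_prefix
    error_message = "The bucket prefix must be lowercase and at most 37 characters long."
  }
}
```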