diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f14d75cf..4a907a83 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,6 +43,9 @@ repos: - '--args=--only=terraform_required_providers' - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' + - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns' + - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns' + - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns' # - id: terrascan # Skipping until they update lifecycle block; Data resources do not have lifecycle settings, so a lifecycle block is not allowed. # args: # - '--args=--non-recursive' diff --git a/.tflint.hcl b/.tflint.hcl index ee3074e5..2df7f5af 100644 --- a/.tflint.hcl +++ b/.tflint.hcl @@ -1,6 +1,6 @@ plugin "aws" { enabled = true deep_check = true - version = "0.17.0" + version = "0.21.0" source = "github.com/terraform-linters/tflint-ruleset-aws" } diff --git a/submodules/bastion/README.md b/submodules/bastion/README.md index d17cc8da..73230236 100644 --- a/submodules/bastion/README.md +++ b/submodules/bastion/README.md @@ -46,7 +46,7 @@ No modules. | [instance\_type](#input\_instance\_type) | the bastion's instance type, if null, t2.micro is used | `string` | `null` | no | | [public\_subnet\_id](#input\_public\_subnet\_id) | Public subnet to create bastion host in. | `string` | n/a | yes | | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | -| [security\_group\_rules](#input\_security\_group\_rules) | Bastion host security group rules. |
map(object({|
protocol = string
from_port = string
to_port = string
type = string
description = string
cidr_blocks = list(string)
source_security_group_id = string
}))
{| no | +| [security\_group\_rules](#input\_security\_group\_rules) | Bastion host security group rules. |
"bastion_inbound_ssh": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Inbound ssh",
"from_port": "22",
"protocol": "-1",
"source_security_group_id": null,
"to_port": "22",
"type": "ingress"
},
"bastion_outbound_traffic": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic by default",
"from_port": "0",
"protocol": "-1",
"source_security_group_id": null,
"to_port": "0",
"type": "egress"
}
}
map(object({|
protocol = string
from_port = string
to_port = string
type = string
description = string
cidr_blocks = list(string)
source_security_group_id = string
}))
{| no | | [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | VPC ID. | `string` | n/a | yes | diff --git a/submodules/bastion/main.tf b/submodules/bastion/main.tf index bf8120b0..a7fb0402 100644 --- a/submodules/bastion/main.tf +++ b/submodules/bastion/main.tf @@ -7,9 +7,10 @@ locals { } resource "aws_security_group" "bastion" { - name = "${var.deploy_id}-bastion" - description = "Bastion security group" - vpc_id = var.vpc_id + name = "${var.deploy_id}-bastion" + description = "Bastion security group" + revoke_rules_on_delete = true + vpc_id = var.vpc_id lifecycle { create_before_destroy = true @@ -48,7 +49,7 @@ data "aws_iam_policy_document" "bastion" { principals { type = "AWS" - identifiers = ["arn:aws:iam::${local.aws_account_id}:root"] + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:root"] } } } @@ -62,7 +63,7 @@ resource "aws_iam_role" "bastion" { } resource "aws_iam_role_policy_attachment" "bastion" { - policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore" role = aws_iam_role.bastion.name } @@ -80,6 +81,11 @@ data "aws_ami" "amazon_linux_2" { name = "name" values = ["amzn2-ami-hvm*"] } + + filter { + name = "architecture" + values = ["x86_64"] + } } locals { diff --git a/submodules/bastion/variables.tf b/submodules/bastion/variables.tf index 2ac70b06..8b7dbe11 100644 --- a/submodules/bastion/variables.tf +++ b/submodules/bastion/variables.tf @@ -60,7 +60,7 @@ variable "security_group_rules" { source_security_group_id = null } bastion_inbound_ssh = { - protocol = "-1" + protocol = "tcp" from_port = "22" to_port = "22" type = "ingress" diff --git a/submodules/eks/cluster.tf b/submodules/eks/cluster.tf index db0cd4cf..de5388b9 100755 --- a/submodules/eks/cluster.tf +++ b/submodules/eks/cluster.tf 
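Review bot: The bastion hunks that build `arn:${data.aws_partition.current.partition}:iam::...` (the `bastion` policy-document principal and the `AmazonSSMManagedInstanceCore` attachment) reference `data.aws_partition.current`, but this diff only declares `data "aws_partition" "current" {}` in `submodules/storage/main.tf`; the same applies to the `submodules/eks/cluster.tf` and `submodules/eks/iam.tf` hunks. If the bastion and eks modules do not already declare that data source, `terraform validate` will reject the reference, so either confirm it exists there or add `data "aws_partition" "current" {}` to each of those modules as was done for storage. The storage README gained the matching `aws_partition.current` data-source row while the bastion and eks READMEs did not, which suggests terraform-docs was not re-run for them.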
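Review bot: Changing `bastion_inbound_ssh` from `protocol = "-1"` to `protocol = "tcp"` correctly narrows the rule to port 22 (with `-1` the port range is ignored, so the old default admitted all traffic), but the default's `cidr_blocks` for this ingress rule is still `0.0.0.0/0`, as the regenerated README default shows. A module default that exposes SSH to the internet is the kind of value callers copy unchanged; consider shipping the default with an empty list, `cidr_blocks = []`, and stating in the variable description that the caller must supply its operator CIDRs, or at minimum add `# Restrict to known operator CIDRs; 0.0.0.0/0 is only a placeholder` on that line. The `cidr_blocks` line for this rule, and the rest of the `security_group_rules` default, lie outside the hunk.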
@@ -22,7 +22,7 @@ data "aws_iam_policy_document" "kms_key" { effect = "Allow" principals { type = "AWS" - identifiers = ["arn:aws:iam::${local.aws_account_id}:root"] + identifiers = ["arn:${data.aws_partition.current.partition}:iam::${local.aws_account_id}:root"] } } } diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf index 89e71bd4..5a75b300 100644 --- a/submodules/eks/iam.tf +++ b/submodules/eks/iam.tf @@ -25,7 +25,7 @@ data "aws_iam_policy_document" "domino_ecr_restricted" { statement { effect = "Deny" - resources = ["arn:aws:ecr:*:${local.aws_account_id}:*"] + resources = ["arn:${data.aws_partition.current.partition}:ecr:*:${local.aws_account_id}:*"] actions = [ "ecr:BatchCheckLayerAvailability", @@ -115,8 +115,8 @@ data "aws_iam_policy_document" "ebs_csi" { effect = "Allow" resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*", + "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*", + "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*", ] actions = ["ec2:CreateTags"] @@ -137,8 +137,8 @@ data "aws_iam_policy_document" "ebs_csi" { effect = "Allow" resources = [ - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:snapshot/*", + "arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*", + "arn:${data.aws_partition.current.partition}:ec2:*:*:snapshot/*", ] actions = ["ec2:DeleteTags"] 
@@ -210,11 +210,11 @@ resource "aws_iam_policy" "custom_eks_node_policy" { locals { eks_aws_node_iam_policies = toset([ - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", - "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess", + "AmazonEKSWorkerNodePolicy", + "AmazonEKS_CNI_Policy", + "AmazonEC2ContainerRegistryReadOnly", + "AmazonSSMManagedInstanceCore", + "AmazonElasticFileSystemReadOnlyAccess", ]) custom_node_policies = concat([aws_iam_policy.custom_eks_node_policy.arn], var.node_iam_policies) @@ -222,7 +222,7 @@ locals { resource "aws_iam_role_policy_attachment" "aws_eks_nodes" { for_each = toset(local.eks_aws_node_iam_policies) - policy_arn = each.key + policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/${each.key}" role = aws_iam_role.eks_nodes.name } diff --git a/submodules/eks/main.tf b/submodules/eks/main.tf index 02d35bbc..06ac3833 100644 --- a/submodules/eks/main.tf +++ b/submodules/eks/main.tf @@ -246,7 +246,7 @@ locals { bastion_eks_security_group_rules = { bastion_to_eks_api = { - description = "Bastion outbound to eks cluster ${local.eks_cluster_name}:443 API" + description = "To ${local.eks_cluster_name}:443" protocol = "tcp" from_port = "443" to_port = "443" @@ -255,7 +255,7 @@ locals { source_security_group_id = aws_security_group.eks_cluster.id } bastion_to_eks_nodes_ssh = { - description = "Bastion ssh to eks cluster nodes outbound" + description = "To eks nodes over ssh" protocol = "tcp" from_port = "22" to_port = "22" @@ -264,7 +264,7 @@ locals { source_security_group_id = aws_security_group.eks_nodes.id } eks_api_from_bastion = { - description = "Eks cluster ${local.eks_cluster_name}:443 inbound from bastion" + description = "From Bastion over https" protocol = "tcp" from_port = "443" to_port = "443" 
@@ -273,13 +273,13 @@ locals { source_security_group_id = var.bastion_security_group_id } eks_nodes_ssh_from_bastion = { - description = "Bastion ssh to eks cluster nodes inbound" + description = "From Bastion over ssh" protocol = "tcp" from_port = "22" to_port = "22" type = "ingress" - security_group_id = var.bastion_security_group_id - source_security_group_id = aws_security_group.eks_nodes.id + security_group_id = aws_security_group.eks_nodes.id + source_security_group_id = var.bastion_security_group_id } } } diff --git a/submodules/k8s/main.tf b/submodules/k8s/main.tf index 5128b1ce..621a0518 100644 --- a/submodules/k8s/main.tf +++ b/submodules/k8s/main.tf @@ -56,6 +56,10 @@ resource "local_file" "templates" { } resource "null_resource" "run_k8s_pre_setup" { + triggers = { + script_hash = md5(local_file.templates["k8s_presetup"].content) + } + provisioner "local-exec" { command = basename(local_file.templates["k8s_presetup"].filename) interpreter = ["bash"] diff --git a/submodules/k8s/templates/k8s-functions.sh.tftpl b/submodules/k8s/templates/k8s-functions.sh.tftpl index e5c5a117..036a1828 100644 --- a/submodules/k8s/templates/k8s-functions.sh.tftpl +++ b/submodules/k8s/templates/k8s-functions.sh.tftpl @@ -35,10 +35,10 @@ set_k8s_auth() { install_calico() { local CALICO_OPERATOR_YAML_URL=${calico_operator_url} printf "$GREEN Installing Calico Operator $EC \n" - kubectl_apply $CALICO_OPERATOR_YAML_URL || printf "$RED There was an error installing the calico operator" + kubectl_apply $CALICO_OPERATOR_YAML_URL echo local CALICO_CRD_YAML_URL=${calico_custom_resources_url} - printf "$GREEN Installing Calico Custom resources $EC \n" || printf "$RED There was an error installing the calico CRD" + printf "$GREEN Installing Calico Custom resources $EC \n" kubectl_apply $CALICO_CRD_YAML_URL echo } 
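Review bot: The new `kubectl_apply $CALICO_OPERATOR_YAML_URL` line in `install_calico` expands the URL unquoted, so a value containing whitespace or glob characters would be word-split before it reaches `kubectl_apply`; the unchanged `kubectl_apply $CALICO_CRD_YAML_URL` below it has the same shape. Quote both: `kubectl_apply "$CALICO_OPERATOR_YAML_URL"` and `kubectl_apply "$CALICO_CRD_YAML_URL"`. With the `|| printf` fallbacks removed, a failed apply now depends entirely on `kubectl_apply` exiting non-zero, which the following hunk in this file makes it do.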
@@ -58,8 +58,13 @@ kubectl_apply() { if test -f "$k8s_manifest" || validate_url "$k8s_manifest"; then echo "Applying $k8s_manifest..." HTTPS_PROXY=socks5://127.0.0.1:${k8s_tunnel_port} kubectl --kubeconfig "${kubeconfig_path}" apply -f "$k8s_manifest" + if [ $? -ne 0 ]; then + printf "$RED Error applying $k8s_manifest \n" + exit 1 + fi else - printf "$RED $k8s_manifest does not exist. $EC \n" && exit 1 + printf "$RED $k8s_manifest does not exist. $EC \n" + exit 1 fi } diff --git a/submodules/storage/README.md b/submodules/storage/README.md index a21a4e6b..02a40fd5 100644 --- a/submodules/storage/README.md +++ b/submodules/storage/README.md @@ -47,6 +47,7 @@ No modules. | [aws_iam_policy_document.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs diff --git a/submodules/storage/main.tf b/submodules/storage/main.tf index b511e857..80374f17 100644 --- a/submodules/storage/main.tf +++ b/submodules/storage/main.tf @@ -1,5 +1,6 @@ data "aws_canonical_user_id" "current" {} data "aws_elb_service_account" "this" {} +data "aws_partition" "current" {} locals { s3_buckets = { diff --git a/submodules/storage/s3.tf b/submodules/storage/s3.tf index 6671b3d2..d4cb4ae4 100644 --- a/submodules/storage/s3.tf +++ b/submodules/storage/s3.tf 
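Review bot: `printf "$RED Error applying $k8s_manifest \n"` interpolates the manifest path or URL into the printf format string, so a `%` in it is treated as a conversion specifier, and unlike the sibling "does not exist" message it never emits `$EC` to reset the colour. Pass the value as an argument instead: `printf "$RED Error applying %s $EC \n" "$k8s_manifest"`. The `$?` test can also be folded into the command, `if ! HTTPS_PROXY=socks5://127.0.0.1:${k8s_tunnel_port} kubectl --kubeconfig "${kubeconfig_path}" apply -f "$k8s_manifest"; then`, which removes the risk of a later edit inserting a statement between the command and the check. `exit 1` inside `kubectl_apply` terminates the whole script rather than returning to the caller; that matches the `install_calico` hunk dropping its own fallbacks, so it appears intended, but a comment `# exit, not return: any failed manifest aborts the whole setup` on that line would make it explicit.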
@@ -14,8 +14,8 @@ data "aws_iam_policy_document" "backups" { effect = "Deny" resources = [ - "arn:aws:s3:::${aws_s3_bucket.backups.bucket}", - "arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*", ] actions = ["s3:*"] @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "backups" { statement { sid = "DenyIncorrectEncryptionHeader" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -53,7 +53,7 @@ data "aws_iam_policy_document" "backups" { statement { sid = "DenyUnEncryptedObjectUploads" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.backups.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.backups.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -82,8 +82,8 @@ data "aws_iam_policy_document" "blobs" { effect = "Deny" resources = [ - "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}", - "arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*", ] actions = ["s3:*"] @@ -104,7 +104,7 @@ data "aws_iam_policy_document" "blobs" { statement { sid = "DenyIncorrectEncryptionHeader" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*"] actions = ["s3:PutObject"] condition { 
@@ -122,7 +122,7 @@ data "aws_iam_policy_document" "blobs" { statement { sid = "DenyUnEncryptedObjectUploads" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.blobs.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.blobs.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -151,8 +151,8 @@ data "aws_iam_policy_document" "logs" { effect = "Deny" resources = [ - "arn:aws:s3:::${aws_s3_bucket.logs.bucket}", - "arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*", ] actions = ["s3:*"] @@ -172,7 +172,7 @@ data "aws_iam_policy_document" "logs" { statement { sid = "DenyIncorrectEncryptionHeader" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -190,7 +190,7 @@ data "aws_iam_policy_document" "logs" { statement { sid = "DenyUnEncryptedObjectUploads" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.logs.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.logs.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -219,8 +219,8 @@ data "aws_iam_policy_document" "monitoring" { effect = "Deny" resources = [ - "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}", - "arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*", ] actions = ["s3:*"] 
@@ -240,7 +240,7 @@ data "aws_iam_policy_document" "monitoring" { statement { sid = "" effect = "Allow" - resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*"] actions = [ "s3:PutObject*", @@ -256,7 +256,7 @@ data "aws_iam_policy_document" "monitoring" { statement { sid = "AWSLogDeliveryWrite" effect = "Allow" - resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}/*"] actions = ["s3:PutObject"] condition { @@ -274,7 +274,7 @@ data "aws_iam_policy_document" "monitoring" { statement { sid = "AWSLogDeliveryCheck" effect = "Allow" - resources = ["arn:aws:s3:::${aws_s3_bucket.monitoring.bucket}"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.monitoring.bucket}"] actions = [ "s3:GetBucketAcl", @@ -334,8 +334,8 @@ data "aws_iam_policy_document" "registry" { statement { effect = "Deny" resources = [ - "arn:aws:s3:::${aws_s3_bucket.registry.bucket}", - "arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}", + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*", ] actions = ["s3:*"] @@ -355,7 +355,7 @@ data "aws_iam_policy_document" "registry" { statement { sid = "DenyIncorrectEncryptionHeader" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*"] actions = ["s3:PutObject"] condition { 
@@ -373,7 +373,7 @@ data "aws_iam_policy_document" "registry" { statement { sid = "DenyUnEncryptedObjectUploads" effect = "Deny" - resources = ["arn:aws:s3:::${aws_s3_bucket.registry.bucket}/*"] + resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.registry.bucket}/*"] actions = ["s3:PutObject"] condition {
"bastion_inbound_ssh": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Inbound ssh",
"from_port": "22",
"protocol": "tcp",
"source_security_group_id": null,
"to_port": "22",
"type": "ingress"
},
"bastion_outbound_traffic": {
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "Allow all outbound traffic by default",
"from_port": "0",
"protocol": "-1",
"source_security_group_id": null,
"to_port": "0",
"type": "egress"
}
}