Merge pull request bridgecrewio#17 from apanzerj/apanzerj/add_shell_p…

…rofiles Add Shell Profiles and Fix Pre-Commit
zeet-co · Mar 31, 2022 · cc305c2 · cc305c2
2 parents 86f37cd + 6d9959a
commit cc305c2
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ module "ssm" {
   access_log_bucket_name    = "my-session-access-logs"
   enable_log_to_s3          = true
   enable_log_to_cloudwatch  = true
+  linux_shell_profile       = "date"
 }
 ```
 
@@ -117,13 +118,15 @@ No modules.
 | <a name="input_enable_log_to_s3"></a> [enable\_log\_to\_s3](#input\_enable\_log\_to\_s3) | Enable Session Manager to Log to S3 | `bool` | `true` | no |
 | <a name="input_kms_key_alias"></a> [kms\_key\_alias](#input\_kms\_key\_alias) | Alias prefix of the KMS key.  Must start with alias/ followed by a name | `string` | `"alias/ssm-key"` | no |
 | <a name="input_kms_key_deletion_window"></a> [kms\_key\_deletion\_window](#input\_kms\_key\_deletion\_window) | Waiting period for scheduled KMS Key deletion.  Can be 7-30 days. | `number` | `7` | no |
+| <a name="input_linux_shell_profile"></a> [linux\_shell\_profile](#input\_linux\_shell\_profile) | The ShellProfile to use for linux based machines. | `string` | `""` | no |
 | <a name="input_log_archive_days"></a> [log\_archive\_days](#input\_log\_archive\_days) | Number of days to wait before archiving to Glacier | `number` | `30` | no |
 | <a name="input_log_expire_days"></a> [log\_expire\_days](#input\_log\_expire\_days) | Number of days to wait before deleting | `number` | `365` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnet Ids to deploy endpoints into | `set(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_endpoint_private_dns_enabled"></a> [vpc\_endpoint\_private\_dns\_enabled](#input\_vpc\_endpoint\_private\_dns\_enabled) | Enable private dns for endpoints | `bool` | `true` | no |
 | <a name="input_vpc_endpoints_enabled"></a> [vpc\_endpoints\_enabled](#input\_vpc\_endpoints\_enabled) | Create VPC Endpoints | `bool` | `false` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to deploy endpoints into | `string` | `null` | no |
+| <a name="input_windows_shell_profile"></a> [windows\_shell\_profile](#input\_windows\_shell\_profile) | The ShellProfile to use for windows based machines. | `string` | `""` | no |
 
 ## Outputs
 

diff --git a/example/examplea/module.ssm.tf b/example/examplea/module.ssm.tf
@@ -4,4 +4,5 @@ module "ssm" {
   access_log_bucket_name   = "my-session-access-logs"
   enable_log_to_s3         = true
   enable_log_to_cloudwatch = true
+  linux_shell_profile      = "date"
 }
diff --git a/iam.tf b/iam.tf
@@ -128,9 +128,9 @@ data "aws_iam_policy_document" "ssm_s3_cwl_access" {
 }
 
 resource "aws_iam_policy" "ssm_s3_cwl_access" {
-  name = "ssm_s3_cwl_access-${local.region}"
-  path        = "/"
-  policy      = data.aws_iam_policy_document.ssm_s3_cwl_access.json
+  name   = "ssm_s3_cwl_access-${local.region}"
+  path   = "/"
+  policy = data.aws_iam_policy_document.ssm_s3_cwl_access.json
 }
 
 resource "aws_iam_role_policy_attachment" "SSM-role-policy-attach" {

diff --git a/main.tf b/main.tf
@@ -30,18 +30,20 @@ resource "aws_ssm_document" "session_manager_prefs" {
   document_format = "JSON"
   tags            = var.tags
 
-  content = <<DOC
-{
-    "schemaVersion": "1.0",
-    "description": "Document to hold regional settings for Session Manager",
-    "sessionType": "Standard_Stream",
-    "inputs": {
-        "s3BucketName": "${var.enable_log_to_s3 ? aws_s3_bucket.session_logs_bucket.id : ""}",
-        "s3EncryptionEnabled": ${var.enable_log_to_s3 ? "true" : "false"},
-        "cloudWatchLogGroupName": "${var.enable_log_to_cloudwatch ? aws_cloudwatch_log_group.session_manager_log_group.name : ""}",
-        "cloudWatchEncryptionEnabled": ${var.enable_log_to_cloudwatch ? "true" : "false"},
-        "kmsKeyId": "${aws_kms_key.ssmkey.key_id}"
+  content = jsonencode({
+    schemaVersion = "1.0"
+    description   = "Document to hold regional settings for Session Manager"
+    sessionType   = "Standard_Stream"
+    inputs = {
+      s3BucketName                = var.enable_log_to_s3 ? aws_s3_bucket.session_logs_bucket.id : ""
+      s3EncryptionEnabled         = var.enable_log_to_s3 ? "true" : "false"
+      cloudWatchLogGroupName      = var.enable_log_to_cloudwatch ? aws_cloudwatch_log_group.session_manager_log_group.name : ""
+      cloudWatchEncryptionEnabled = var.enable_log_to_cloudwatch ? "true" : "false"
+      kmsKeyId                    = aws_kms_key.ssmkey.key_id
+      shellProfile = {
+        linux   = var.linux_shell_profile == "" ? var.linux_shell_profile : ""
+        windows = var.windows_shell_profile == "" ? var.windows_shell_profile : ""
+      }
     }
-}
-DOC
+  })
 }
diff --git a/variables.tf b/variables.tf
@@ -91,3 +91,15 @@ variable "vpc_endpoints_enabled" {
   type        = bool
   default     = false
 }
+
+variable "linux_shell_profile" {
+  description = "The ShellProfile to use for linux based machines."
+  default     = ""
+  type        = string
+}
+
+variable "windows_shell_profile" {
+  description = "The ShellProfile to use for windows based machines."
+  default     = ""
+  type        = string
+}
diff --git a/vpce.tf b/vpce.tf
@@ -1,5 +1,5 @@
 locals {
-  region = var.vpc_endpoints_enabled && var.vpc_id != null ? split(":",data.aws_vpc.selected[0].arn)[3] : data.aws_region.current.name
+  region  = var.vpc_endpoints_enabled && var.vpc_id != null ? split(":", data.aws_vpc.selected[0].arn)[3] : data.aws_region.current.name
   subnets = var.vpc_endpoints_enabled ? var.subnet_ids != [] ? var.subnet_ids : data.aws_subnet_ids.selected[0].ids : []
 }