generated from plus3it/repo-template
Commit
Merge pull request #2 from dwc0011/create-project
Create project
Showing 16 changed files with 839 additions and 64 deletions.
@@ -1,33 +1,13 @@ | ||
## repo-template | ||
## terraform-aws-tardigrade-org-new-account-delete-cloudtrail | ||
|
||
All notable changes to this project will be documented in this file. | ||
|
||
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). | ||
|
||
### [1.2.0] (https://github.com/plus3it/repo-template/releases/tag/1.2.0) | ||
### [1.0.0](https://github.com/plus3it/terraform-aws-tardigrade-org-new-account-delete-cloudtrail/releases/tag/1.0.0) | ||
|
||
**Summary**: | ||
|
||
* Updated SHA value for Github Actions Workflows | ||
* Updated CHANGELOG.template.md file | ||
* Added Master branch in release workflow logic to make migration to Github Actions more efficient | ||
|
||
### 1.1.0 | ||
|
||
**Commit Delta**: N/A | ||
|
||
**Released**: 2023.01.27 | ||
|
||
**Summary**: | ||
|
||
* Updated workflow files to be consumable and reusable, and now points to actions-workflows repo | ||
|
||
### 1.0.0 | ||
|
||
**Commit Delta**: N/A | ||
|
||
**Released**: 2023.01.10 | ||
**Released**: 2023.08.11 | ||
|
||
**Summary**: | ||
|
||
* Initial release of capability | ||
* Initial Release |
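Review bot: the new 1.0.0 entry's summary, `* Initial Release`, says nothing about what ships; one line stating that the module deletes the default CloudTrail trail and its S3 objects and buckets in newly created or invited accounts, and that it runs in dry-run mode unless `dry_run` is set to `false`, would let a reader of the changelog judge the blast radius without opening the README. The `**Commit Delta**: N/A` placeholder is fine for an initial release, and the date change to `2023.08.11` matches the new tag link.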
This file was deleted.
@@ -1 +1 @@ | ||
FROM plus3it/tardigrade-ci:0.24.11 | ||
FROM plus3it/tardigrade-ci:0.24.13 |
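Review bot: `FROM plus3it/tardigrade-ci:0.24.13` still pins the CI base image by a mutable tag, so the image behind `0.24.13` can be replaced without this file changing; if reproducible CI matters for this repo, pin by digest as well, e.g. `FROM plus3it/tardigrade-ci:0.24.13@sha256:<digest of the 0.24.13 image>` (placeholder, take the digest from the registry), and let dependabot bump the digest together with the tag. The version bump itself is consistent with the rest of the change.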
@@ -1 +1,3 @@ | ||
export ONLY_MOTO := true | ||
|
||
include $(shell test -f .tardigrade-ci || curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci) |
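Review bot: the new `include` line bootstraps the build from `https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap`, i.e. an unpinned `master` branch fetched at `make` time and then executed as Makefile code on every developer and CI machine, and `curl -sSL` without `-f` will write an HTTP error page into `.tardigrade-ci` and include that. Consider fetching from a tag that matches the `0.24.13` image version used in the Dockerfile, adding `-f` (`--fail`) so a failed download does not produce a bogus include, and checking a known checksum of the downloaded file before including it. `export ONLY_MOTO := true` is fine and keeps the tests off real AWS.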
@@ -1,23 +1,101 @@ | ||
# repo-template | ||
Generic repo template for Plus3IT repositories | ||
|
||
To use this template: | ||
|
||
1. Select the green "Use this template" button, or [click here](https://github.com/plus3it/repo-template/generate). | ||
2. Select the repo Owner, give the repo a name, enter a description, select Public or Private, and click "Create repository from template". | ||
3. Clone the repository and create a new branch. | ||
4. Edit the following files to customize them for the new repository: | ||
* `LICENSE` | ||
* Near the end of the file, edit the date and change the repository name | ||
* `CHANGELOG.template.md` | ||
* Rename to `CHANGELOG.md`, replacing the repo-template changelog | ||
* Edit templated items for the new repo | ||
* `.bumpversion.cfg` | ||
* Edit the version number for the new repo, ask team if not sure what to | ||
start with | ||
* `README.md` | ||
* Replace contents for the new repo | ||
* `.github/` | ||
* Inspect dependabot and workflow files in case changes are needed for | ||
the new repo | ||
5. Commit the changes and open a pull request | ||
# terraform-aws-tardigrade-org-new-account-delete-cloudtrail | ||
|
||
A Terraform module to delete the default cloudtrail when new AWS accounts | ||
are added or invited to an AWS Organization. | ||
|
||
The Lambda function is triggered for the account by an Event Rule that matches | ||
the CreateAccountResult or InviteAccountToOrganization events. The function then | ||
deletes the default cloudtrail and s3 objects and buckets for that account. | ||
|
||
<!-- BEGIN TFDOCS --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 | | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | ||
|
||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|------|---------|:--------:| | ||
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name to prefix resources with | `string` | n/a | yes | | ||
| <a name="input_assume_role_name"></a> [assume\_role\_name](#input\_assume\_role\_name) | Name of the IAM role that the lambda will assume in the target account | `string` | `"OrganizationAccountAccessRole"` | no | | ||
| <a name="input_cloudtrail_name_prefix"></a> [cloudtrail\_name\_prefix](#input\_cloudtrail\_name\_prefix) | Name Prefix of the cloudtrail name to delete | `string` | `"cloudtrail-"` | no | | ||
| <a name="input_dry_run"></a> [dry\_run](#input\_dry\_run) | Boolean toggle to control the dry-run mode of the lambda function | `bool` | `true` | no | | ||
| <a name="input_error_not_found"></a> [error\_not\_found](#input\_error\_not\_found) | Error if the cloudtrail name/pattern is not found | `bool` | `true` | no | | ||
| <a name="input_event_bus_name"></a> [event\_bus\_name](#input\_event\_bus\_name) | Event bus name to create event rules in | `string` | `"default"` | no | | ||
| <a name="input_event_types"></a> [event\_types](#input\_event\_types) | Event types that will trigger this lambda | `set(string)` | <pre>[<br> "CreateAccountResult",<br> "InviteAccountToOrganization"<br>]</pre> | no | | ||
| <a name="input_lambda"></a> [lambda](#input\_lambda) | Object of optional attributes passed on to the lambda module | <pre>object({<br> artifacts_dir = optional(string, "builds")<br> build_in_docker = optional(bool, false)<br> create_package = optional(bool, true)<br> ephemeral_storage_size = optional(number)<br> ignore_source_code_hash = optional(bool, true)<br> local_existing_package = optional(string)<br> memory_size = optional(number, 128)<br> recreate_missing_package = optional(bool, false)<br> runtime = optional(string, "python3.8")<br> s3_bucket = optional(string)<br> s3_existing_package = optional(map(string))<br> s3_prefix = optional(string)<br> store_on_s3 = optional(bool, false)<br> timeout = optional(number, 300)<br> })</pre> | `{}` | no | | ||
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Log level for lambda | `string` | `"INFO"` | no | | ||
| <a name="input_tags"></a> [tags](#input\_tags) | Tags for resource | `map(string)` | `{}` | no | | ||
|
||
## Outputs | ||
|
||
No outputs. | ||
|
||
<!-- END TFDOCS --> | ||
|
||
## CLI Option | ||
|
||
Steps to run via the CLI | ||
|
||
1. Install and configure aws cli. | ||
2. Set AWS_PROFILE and AWS_DEFAULT_REGION (account and region that can assume the role and run commands from) | ||
3. Review the options for the script and run | ||
|
||
### Script Options | ||
|
||
```bash | ||
Supported Environment Variables: | ||
'LOG_LEVEL': defaults to 'info' | ||
- set the desired log level ('error', 'warning', 'info' or 'debug') | ||
|
||
'DRY_RUN': defaults to 'true' | ||
- set whether actions should be simulated or live | ||
- value of 'true' (case insensitive) will be simulated. | ||
|
||
'CLOUDTRAIL_NAME_PREFIX': defaults to 'cloudtrail-' | ||
-sets the name of the cloudtrail to delete. | ||
|
||
options: | ||
-h, --help show this help message and exit | ||
|
||
required arguments: | ||
--target-account-id TARGET_ACCOUNT_ID | ||
Account number to delete default VPC resources in | ||
|
||
--assume-role-arn ASSUME_ROLE_ARN | ||
ARN of IAM role to assume in the target account (case sensitive) | ||
OR | ||
--assume-role-name ASSUME_ROLE_NAME | ||
Name of IAM role to assume in the target account (case sensitive) | ||
|
||
usage: delete_default_cloudtrail.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME) | ||
``` | ||
|
||
### Sample steps to execute in venv | ||
|
||
```bash | ||
mkdir vpc_env | ||
python3 -m venv vpc_env | ||
source vpc_env/bin/activate | ||
python3 -m pip install -U pip | ||
pip3 install -r src/requirements.txt | ||
python3 src/delete_default_cloudtrail.py --target-account-id=<TARGET ACCT ID> (--assume-role-arn=<ROLE ARN TO ASSUME> | --assume-role-name=<ROLE NAME TO ASSUME>) | ||
deactivate | ||
rm -rf vpc_env | ||
``` |
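Review bot: the CLI help under `### Script Options` still describes the target account as `Account number to delete default VPC resources in`, and the venv walkthrough creates and removes `vpc_env`, which reads as copied from the delete-default-VPC module; the argument text should say CloudTrail, and `'CLOUDTRAIL_NAME_PREFIX'` is described as `sets the name of the cloudtrail to delete` while the Inputs table calls it a name prefix. The generated `## Resources` table lists only the two data sources although `main.tf` in this same commit declares `module "lambda"`, `aws_cloudwatch_event_rule`, `aws_cloudwatch_event_target` and `aws_lambda_permission`, so the terraform-docs block should be regenerated to pick up a Modules section and those resources. It would also help to say in the intro that the S3 bucket deletion is irreversible and that `dry_run` defaults to `true`, since both are only discoverable from the Inputs table today.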
@@ -0,0 +1,122 @@ | ||
############################## | ||
# Lambda | ||
############################## | ||
module "lambda" { | ||
source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v5.3.0" | ||
|
||
function_name = "${var.project_name}-delete-default-cloudtrail" | ||
|
||
description = "Lambda function deleting cloudtrail and associated bucket" | ||
handler = "delete_default_cloudtrail.lambda_handler" | ||
tags = var.tags | ||
|
||
attach_policy_json = true | ||
policy_json = data.aws_iam_policy_document.lambda.json | ||
|
||
artifacts_dir = var.lambda.artifacts_dir | ||
build_in_docker = var.lambda.build_in_docker | ||
create_package = var.lambda.create_package | ||
ignore_source_code_hash = var.lambda.ignore_source_code_hash | ||
local_existing_package = var.lambda.local_existing_package | ||
recreate_missing_package = var.lambda.recreate_missing_package | ||
ephemeral_storage_size = var.lambda.ephemeral_storage_size | ||
runtime = var.lambda.runtime | ||
s3_bucket = var.lambda.s3_bucket | ||
s3_existing_package = var.lambda.s3_existing_package | ||
s3_prefix = var.lambda.s3_prefix | ||
store_on_s3 = var.lambda.store_on_s3 | ||
timeout = var.lambda.timeout | ||
|
||
environment_variables = { | ||
LOG_LEVEL = var.log_level | ||
ASSUME_ROLE_NAME = var.assume_role_name | ||
CLOUDTRAIL_NAME_PREFIX = var.cloudtrail_name_prefix | ||
DRY_RUN = var.dry_run | ||
ERROR_NOT_FOUND = var.error_not_found | ||
} | ||
|
||
source_path = [ | ||
{ | ||
path = "${path.module}/src" | ||
pip_requirements = true | ||
patterns = ["!\\.terragrunt-source-manifest"] | ||
} | ||
] | ||
|
||
} | ||
|
||
data "aws_iam_policy_document" "lambda" { | ||
statement { | ||
sid = "AllowAssumeRole" | ||
|
||
actions = [ | ||
"sts:AssumeRole" | ||
] | ||
|
||
resources = [ | ||
"arn:${data.aws_partition.current.partition}:iam::*:role/${var.assume_role_name}" | ||
] | ||
} | ||
} | ||
|
||
############################## | ||
# Events | ||
############################## | ||
locals { | ||
lambda_name = module.lambda.lambda_function_name | ||
|
||
event_types = { | ||
CreateAccountResult = jsonencode( | ||
{ | ||
"detail" : { | ||
"eventSource" : ["organizations.amazonaws.com"], | ||
"eventName" : ["CreateAccountResult"] | ||
"serviceEventDetails" : { | ||
"createAccountStatus" : { | ||
"state" : ["SUCCEEDED"] | ||
} | ||
} | ||
} | ||
} | ||
) | ||
InviteAccountToOrganization = jsonencode( | ||
{ | ||
"detail" : { | ||
"eventSource" : ["organizations.amazonaws.com"], | ||
"eventName" : ["InviteAccountToOrganization"] | ||
} | ||
} | ||
) | ||
} | ||
} | ||
|
||
resource "aws_cloudwatch_event_rule" "this" { | ||
for_each = var.event_types | ||
|
||
name = "${var.project_name}-${each.value}" | ||
description = "Managed by Terraform" | ||
event_pattern = local.event_types[each.value] | ||
event_bus_name = var.event_bus_name | ||
tags = var.tags | ||
} | ||
|
||
resource "aws_cloudwatch_event_target" "this" { | ||
for_each = aws_cloudwatch_event_rule.this | ||
|
||
rule = each.value.name | ||
arn = module.lambda.lambda_function_arn | ||
} | ||
|
||
resource "aws_lambda_permission" "events" { | ||
for_each = aws_cloudwatch_event_rule.this | ||
|
||
action = "lambda:InvokeFunction" | ||
function_name = module.lambda.lambda_function_name | ||
principal = "events.amazonaws.com" | ||
source_arn = each.value.arn | ||
} | ||
|
||
############################## | ||
# Common | ||
############################## | ||
data "aws_partition" "current" {} |
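Review bot: the `AllowAssumeRole` statement in `data "aws_iam_policy_document" "lambda"` grants `sts:AssumeRole` on `arn:${data.aws_partition.current.partition}:iam::*:role/${var.assume_role_name}`, i.e. the role of that name in every account in the partition, not only accounts in this organization; with the default `OrganizationAccountAccessRole` (administrator access in member accounts) that is more than the function needs, so scope the statement with a `condition` block on `aws:ResourceOrgID` set to the organization id (passed in as a variable or read from the `aws_organizations_organization` data source), or to an explicit list of account ids. Separately, `event_pattern = local.event_types[each.value]` indexes a map with exactly two keys using the user-supplied `var.event_types`, so any other value fails at plan time with an index error; a `validation` block on the variable restricting it to `CreateAccountResult` and `InviteAccountToOrganization` would make the contract explicit. The `aws_lambda_permission` resource correctly limits `events.amazonaws.com` to `source_arn = each.value.arn`, and the `CreateAccountResult` pattern's filter on `"state" : ["SUCCEEDED"]` is the right guard; only the missing comma after `"eventName" : ["CreateAccountResult"]` (valid HCL, but inconsistent with the line above it) is a style nit.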