Merge pull request #2 from dwc0011/create-project
Create project
dwc0011 authored Sep 8, 2023
2 parents 84084d8 + e0690b9 commit 9223420
Showing 16 changed files with 839 additions and 64 deletions.
2 changes: 1 addition & 1 deletion .bumpversion.cfg
@@ -1,5 +1,5 @@
[bumpversion]
current_version = 1.2.0
current_version = 1.0.0
commit = True
message = Bumps version to {new_version}
tag = False
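Review bot: `current_version` goes backwards here, from the template's 1.2.0 to 1.0.0, which is consistent with the CHANGELOG in this same PR resetting the history to a single 1.0.0 entry for the new project; worth confirming in the description that this is intentional rather than a bad merge. Since `tag = False` is kept, bumpversion will not create git tags, so the release workflow inherited from the template has to be the thing that tags `1.0.0` for the changelog link to resolve.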
25 changes: 23 additions & 2 deletions .github/dependabot.yml
Expand Up @@ -7,6 +7,27 @@ updates:
interval: weekly
# Maintain dependencies for dockerfiles
- package-ecosystem: docker
directory: /
directory: "/"
schedule:
interval: weekly
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: pip
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: pip
directory: "/src"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: terraform
directory: "/"
schedule:
interval: daily
open-pull-requests-limit: 10
- package-ecosystem: terraform
directory: "/tests/test_delete_default_cloudtrail"
schedule:
interval: daily
open-pull-requests-limit: 10
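Review bot: The new `pip` entry for `directory: "/"` has no visible manifest to update; the Lambda requirements live under `src` (main.tf builds the package from `${path.module}/src` with `pip_requirements = true`, and the README installs `src/requirements.txt`), and Dependabot reports an error for an entry whose directory contains no supported manifest. Either drop the root `pip` entry or note which root-level requirements file it is meant to track. Separately, the docker interval moves from `weekly` to `daily` and every new ecosystem is `daily` with a limit of 10 open PRs each; across five entries that is a lot of potential PR noise, so consider whether `weekly` is enough for the terraform entries (including the one scoped to `/tests/test_delete_default_cloudtrail`).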
28 changes: 4 additions & 24 deletions CHANGELOG.md
@@ -1,33 +1,13 @@
## repo-template
## terraform-aws-tardigrade-org-new-account-delete-cloudtrail

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).

### [1.2.0] (https://github.com/plus3it/repo-template/releases/tag/1.2.0)
### [1.0.0](https://github.com/plus3it/terraform-aws-tardigrade-org-new-account-delete-cloudtrail/releases/tag/1.0.0)

**Summary**:

* Updated SHA value for Github Actions Workflows
* Updated CHANGELOG.template.md file
* Added Master branch in release workflow logic to make migration to Github Actions more efficient

### 1.1.0

**Commit Delta**: N/A

**Released**: 2023.01.27

**Summary**:

* Updated workflow files to be consumable and reusable, and now points to actions-workflows repo

### 1.0.0

**Commit Delta**: N/A

**Released**: 2023.01.10
**Released**: 2023.08.11

**Summary**:

* Initial release of capability
* Initial Release
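Review bot: The `**Released**: 2023.08.11` date on the 1.0.0 entry predates this merge (authored Sep 8, 2023), so it should be updated to the actual release date or the entry marked as unreleased until tagged. Minor: the 1.0.0 heading now carries a release link while `**Commit Delta**: N/A` is kept, which is fine for an initial release, but the template's "Updated SHA value for Github Actions Workflows" history is dropped entirely; if the workflow pins from the template were kept in `.github/`, a one-line mention of the inherited CI setup would help future readers.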
13 changes: 0 additions & 13 deletions CHANGELOG.template.md

This file was deleted.

2 changes: 1 addition & 1 deletion Dockerfile
@@ -1 +1 @@
FROM plus3it/tardigrade-ci:0.24.11
FROM plus3it/tardigrade-ci:0.24.13
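Review bot: The CI base image is still referenced by mutable tag only (`plus3it/tardigrade-ci:0.24.13`); since this PR also turns on daily Dependabot docker updates, this is a good moment to pin the image by digest (`FROM plus3it/tardigrade-ci:0.24.13@sha256:<digest>`) so Dependabot can bump the digest and the CI toolchain is reproducible.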
2 changes: 2 additions & 0 deletions Makefile
@@ -1 +1,3 @@
export ONLY_MOTO := true

include $(shell test -f .tardigrade-ci || curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)
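Review bot: The new `export ONLY_MOTO := true` is not explained anywhere in the diff or the README; a comment on what it switches in the tardigrade-ci targets (presumably limiting the test run to moto-backed tests rather than live AWS) would save the next maintainer a trip into the bootstrap repo. Unchanged context, but worth noting while the Makefile is touched: the `include` line downloads `Makefile.bootstrap` from the `master` branch of tardigrade-ci over curl with no ref or checksum pin, so CI executes whatever that branch currently contains.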
124 changes: 101 additions & 23 deletions README.md
@@ -1,23 +1,101 @@
# repo-template
Generic repo template for Plus3IT repositories

To use this template:

1. Select the green "Use this template" button, or [click here](https://github.com/plus3it/repo-template/generate).
2. Select the repo Owner, give the repo a name, enter a description, select Public or Private, and click "Create repository from template".
3. Clone the repository and create a new branch.
4. Edit the following files to customize them for the new repository:
* `LICENSE`
* Near the end of the file, edit the date and change the repository name
* `CHANGELOG.template.md`
* Rename to `CHANGELOG.md`, replacing the repo-template changelog
* Edit templated items for the new repo
* `.bumpversion.cfg`
* Edit the version number for the new repo, ask team if not sure what to
start with
* `README.md`
* Replace contents for the new repo
* `.github/`
* Inspect dependabot and workflow files in case changes are needed for
the new repo
5. Commit the changes and open a pull request
# terraform-aws-tardigrade-org-new-account-delete-cloudtrail

A Terraform module to delete the default cloudtrail when new AWS accounts
are added or invited to an AWS Organization.

The Lambda function is triggered for the account by an Event Rule that matches
the CreateAccountResult or InviteAccountToOrganization events. The function then
deletes the default cloudtrail and s3 objects and buckets for that account.

<!-- BEGIN TFDOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |

## Resources

| Name | Type |
|------|------|
| [aws_iam_policy_document.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name to prefix resources with | `string` | n/a | yes |
| <a name="input_assume_role_name"></a> [assume\_role\_name](#input\_assume\_role\_name) | Name of the IAM role that the lambda will assume in the target account | `string` | `"OrganizationAccountAccessRole"` | no |
| <a name="input_cloudtrail_name_prefix"></a> [cloudtrail\_name\_prefix](#input\_cloudtrail\_name\_prefix) | Name Prefix of the cloudtrail name to delete | `string` | `"cloudtrail-"` | no |
| <a name="input_dry_run"></a> [dry\_run](#input\_dry\_run) | Boolean toggle to control the dry-run mode of the lambda function | `bool` | `true` | no |
| <a name="input_error_not_found"></a> [error\_not\_found](#input\_error\_not\_found) | Error if the cloudtrail name/pattern is not found | `bool` | `true` | no |
| <a name="input_event_bus_name"></a> [event\_bus\_name](#input\_event\_bus\_name) | Event bus name to create event rules in | `string` | `"default"` | no |
| <a name="input_event_types"></a> [event\_types](#input\_event\_types) | Event types that will trigger this lambda | `set(string)` | <pre>[<br> "CreateAccountResult",<br> "InviteAccountToOrganization"<br>]</pre> | no |
| <a name="input_lambda"></a> [lambda](#input\_lambda) | Object of optional attributes passed on to the lambda module | <pre>object({<br> artifacts_dir = optional(string, "builds")<br> build_in_docker = optional(bool, false)<br> create_package = optional(bool, true)<br> ephemeral_storage_size = optional(number)<br> ignore_source_code_hash = optional(bool, true)<br> local_existing_package = optional(string)<br> memory_size = optional(number, 128)<br> recreate_missing_package = optional(bool, false)<br> runtime = optional(string, "python3.8")<br> s3_bucket = optional(string)<br> s3_existing_package = optional(map(string))<br> s3_prefix = optional(string)<br> store_on_s3 = optional(bool, false)<br> timeout = optional(number, 300)<br> })</pre> | `{}` | no |
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Log level for lambda | `string` | `"INFO"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags for resource | `map(string)` | `{}` | no |

## Outputs

No outputs.

<!-- END TFDOCS -->

## CLI Option

Steps to run via the CLI

1. Install and configure aws cli.
2. Set AWS_PROFILE and AWS_DEFAULT_REGION (account and region that can assume the role and run commands from)
3. Review the options for the script and run

### Script Options

```bash
Supported Environment Variables:
'LOG_LEVEL': defaults to 'info'
- set the desired log level ('error', 'warning', 'info' or 'debug')

'DRY_RUN': defaults to 'true'
- set whether actions should be simulated or live
- value of 'true' (case insensitive) will be simulated.

'CLOUDTRAIL_NAME_PREFIX': defaults to 'cloudtrail-'
-sets the name of the cloudtrail to delete.

options:
-h, --help show this help message and exit

required arguments:
--target-account-id TARGET_ACCOUNT_ID
Account number to delete default VPC resources in

--assume-role-arn ASSUME_ROLE_ARN
ARN of IAM role to assume in the target account (case sensitive)
OR
--assume-role-name ASSUME_ROLE_NAME
Name of IAM role to assume in the target account (case sensitive)

usage: delete_default_cloudtrail.py [-h] --target-account-id TARGET_ACCOUNT_ID (--assume-role-arn ASSUME_ROLE_ARN | --assume-role-name ASSUME_ROLE_NAME)
```

### Sample steps to execute in venv

```bash
mkdir vpc_env
python3 -m venv vpc_env
source vpc_env/bin/activate
python3 -m pip install -U pip
pip3 install -r src/requirements.txt
python3 src/delete_default_cloudtrail.py --target-account-id=<TARGET ACCT ID> (--assume-role-arn=<ROLE ARN TO ASSUME> | --assume-role-name=<ROLE NAME TO ASSUME>)
deactivate
rm -rf vpc_env
```
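Review bot: Several copy-paste leftovers from the delete-default-VPC sibling project remain in the new README: `--target-account-id` is described as "Account number to delete default VPC resources in", the venv in the sample steps is named `vpc_env`, and the `'CLOUDTRAIL_NAME_PREFIX'` bullet is missing a space ("-sets"). The Script Options section also does not list `ERROR_NOT_FOUND`, even though main.tf passes it to the function as an environment variable alongside `DRY_RUN` and `CLOUDTRAIL_NAME_PREFIX`. Finally, the generated TFDOCS block is stale relative to main.tf: the Resources table lists only the two data sources, but the root module also declares `aws_cloudwatch_event_rule.this`, `aws_cloudwatch_event_target.this` and `aws_lambda_permission.events`, and there is no Modules section for the `lambda` module; re-running terraform-docs should fix this.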
122 changes: 122 additions & 0 deletions main.tf
@@ -0,0 +1,122 @@
##############################
# Lambda
##############################
module "lambda" {
source = "git::https://github.com/terraform-aws-modules/terraform-aws-lambda.git?ref=v5.3.0"

function_name = "${var.project_name}-delete-default-cloudtrail"

description = "Lambda function deleting cloudtrail and associated bucket"
handler = "delete_default_cloudtrail.lambda_handler"
tags = var.tags

attach_policy_json = true
policy_json = data.aws_iam_policy_document.lambda.json

artifacts_dir = var.lambda.artifacts_dir
build_in_docker = var.lambda.build_in_docker
create_package = var.lambda.create_package
ignore_source_code_hash = var.lambda.ignore_source_code_hash
local_existing_package = var.lambda.local_existing_package
recreate_missing_package = var.lambda.recreate_missing_package
ephemeral_storage_size = var.lambda.ephemeral_storage_size
runtime = var.lambda.runtime
s3_bucket = var.lambda.s3_bucket
s3_existing_package = var.lambda.s3_existing_package
s3_prefix = var.lambda.s3_prefix
store_on_s3 = var.lambda.store_on_s3
timeout = var.lambda.timeout

environment_variables = {
LOG_LEVEL = var.log_level
ASSUME_ROLE_NAME = var.assume_role_name
CLOUDTRAIL_NAME_PREFIX = var.cloudtrail_name_prefix
DRY_RUN = var.dry_run
ERROR_NOT_FOUND = var.error_not_found
}

source_path = [
{
path = "${path.module}/src"
pip_requirements = true
patterns = ["!\\.terragrunt-source-manifest"]
}
]

}

data "aws_iam_policy_document" "lambda" {
statement {
sid = "AllowAssumeRole"

actions = [
"sts:AssumeRole"
]

resources = [
"arn:${data.aws_partition.current.partition}:iam::*:role/${var.assume_role_name}"
]
}
}

##############################
# Events
##############################
locals {
lambda_name = module.lambda.lambda_function_name

event_types = {
CreateAccountResult = jsonencode(
{
"detail" : {
"eventSource" : ["organizations.amazonaws.com"],
"eventName" : ["CreateAccountResult"]
"serviceEventDetails" : {
"createAccountStatus" : {
"state" : ["SUCCEEDED"]
}
}
}
}
)
InviteAccountToOrganization = jsonencode(
{
"detail" : {
"eventSource" : ["organizations.amazonaws.com"],
"eventName" : ["InviteAccountToOrganization"]
}
}
)
}
}

resource "aws_cloudwatch_event_rule" "this" {
for_each = var.event_types

name = "${var.project_name}-${each.value}"
description = "Managed by Terraform"
event_pattern = local.event_types[each.value]
event_bus_name = var.event_bus_name
tags = var.tags
}

resource "aws_cloudwatch_event_target" "this" {
for_each = aws_cloudwatch_event_rule.this

rule = each.value.name
arn = module.lambda.lambda_function_arn
}

resource "aws_lambda_permission" "events" {
for_each = aws_cloudwatch_event_rule.this

action = "lambda:InvokeFunction"
function_name = module.lambda.lambda_function_name
principal = "events.amazonaws.com"
source_arn = each.value.arn
}

##############################
# Common
##############################
data "aws_partition" "current" {}
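Review bot: The `AllowAssumeRole` statement grants `sts:AssumeRole` on `arn:${partition}:iam::*:role/${var.assume_role_name}`, i.e. a role of that name in any AWS account, not just accounts in this organization; consider adding a `condition` block (for example on `aws:ResourceOrgID` matching the organization's ID) so the function cannot be pointed at a role outside the org. Also check the timing of the `InviteAccountToOrganization` trigger: that event fires when the invitation is sent, before the invited account has accepted, and an invited account does not automatically receive `OrganizationAccountAccessRole` (the `assume_role_name` default), so the assume-role call will fail for that path unless the role is provisioned separately; the `CreateAccountResult` pattern correctly waits for `state: SUCCEEDED`. Minor: `dry_run` defaults to `true`, which is a safe default for a function that deletes trails and S3 buckets, but the README should state explicitly that it must be set to `false` to take effect.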
