Merge pull request #1 from wellsiau-aws/ws-abp-setup

WIP: Migrate to ABP platform repo

Author: tbulding

.gitignore

@@ -17,7 +17,7 @@ crash.log
 # control as they are data points which are potentially sensitive and subject 
 # to change depending on the environment.
 #
-*.tfvars
+./*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in

.header.md

@@ -1,6 +1,73 @@
-# Terraform Module Project
+# terraform-runtask-iam-access-analyzer
 
-:no_entry_sign: Do not edit this readme.md file. To learn how to change this content and work with this repository, refer to CONTRIBUTING.md
+Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.
 
-## Readme Content
-This file will contain any instructional information about this module. 
+![Diagram](./diagram/RunTask-EventBridge.png)
+
+## Prerequisites
+
+To use this module you need have the following:
+
+1. AWS account and credentials
+2. Terraform Cloud with Run Task entitlement (Business subscription or higher)
+
+## Usage
+
+* Build and package the Lambda files
+
+  ```
+  make all
+  ```
+
+* Refer to the [module_workspace](./examples/module_workspace/README.md) for steps to deploy this module in Terraform Cloud.
+
+* After you deployed the [module_workspace](./examples/module_workspace/README.md), navigate to your Terraform Cloud organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
+
+* You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the [demo_workspace](./examples/demo_workspace/README.md) for more details.
+
+## Limitations
+
+1. Does not provide verbose error / warning messages in Run Task console. In the future, we will explore possibility to provide verbose logging.
+
+2. Does not support Terraform [computed resources](https://www.terraform.io/plugin/sdkv2/schemas/schema-behaviors).
+
+For example, the tool will report no IAM policy found for the following Terraform template. The policy json string is a computed resource. The plan output doesn't contain information of IAM policy document.
+
+```
+resource "aws_s3_bucket" "b" {
+  bucket = "my-tf-test-bucket"
+
+  tags = {
+    Name        = "My bucket"
+    Environment = "Dev"
+  }
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "test-policy"
+  description = "A test policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:GetObject",
+        ]
+        Effect   = "Allow"
+        Resource = "${aws_s3_bucket.b.id}"
+      }
+    ]
+  })
+}
+```
+
+## Best practice
+
+* **Do not** re-use the Run Tasks URL across different trust-boundary (organizations, accounts, team). We recommend you to deploy separate Run Task deployment per trust-boundary.
+
+* **Do not** use Run Tasks URL from untrusted party, remember that Run Tasks execution sent Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URL.
+
+* Enable the AWS WAF setup by setting variable `deploy_waf` to `true` (additional cost will apply). This will add WAF protection to the Run Tasks URL endpoint.
+
+* We recommend you to setup additional CloudWatch alarm to monitor Lambda concurrency and WAF rules.

.project_automation/functional_tests/entrypoint.sh

@@ -1,49 +1,46 @@
-#!/bin/bash -ex
+#!/bin/bash -e
 
 ## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
+echo "Starting Funtional Tests"
+
 cd ${PROJECT_PATH}
 
+#********** TFC Env Vars *************
+export AWS_DEFAULT_REGION=us-east-1
+export TFE_TOKEN=`aws secretsmanager get-secret-value --secret-id abp/tfc/token | jq -r ".SecretString"`
+export TF_TOKEN_app_terraform_io=`aws secretsmanager get-secret-value --secret-id abp/tfc/token | jq -r ".SecretString"`
+
+#********** MAKEFILE *************
+echo "Build the lambda function packages"
+make all
+
 #********** Checkov Analysis *************
-echo "Running Checkov Analysis"
+echo "Running Checkov Analysis on root module"
+checkov --directory . --skip-path examples --framework terraform
+
+echo "Running Checkov Analysis on terraform plan"
 terraform init
-terraform plan -out tf.plan
+terraform plan -out tf.plan -var-file .project_automation/functional_tests/functional_test.tfvars
 terraform show -json tf.plan  > tf.json 
 checkov 
 
 #********** Terratest execution **********
 echo "Running Terratest"
+export GOPROXY=https://goproxy.io,direct
 cd test
 rm -f go.mod
 go mod init github.com/aws-ia/terraform-project-ephemeral
 go mod tidy
 go install github.com/gruntwork-io/terratest/modules/terraform
 go test -timeout 45m
 
-#********** Terratest execution **********
+#********** CLEANUP *************
+echo "Cleaning up all temp files and artifacts"
 cd ${PROJECT_PATH}
-echo "Building readme.md file"
-UPDATE_BRANCH="ephemeral_readme-updates" 
-
-export GH_DEBUG=1
-REMOTE=$(git remote -v | awk '{print $2}' | head -n 1)
-git remote remove origin
-git remote add origin ${REMOTE}
-git fetch --all
-
-git push origin -d $UPDATE_BRANCH || true
-git checkout -b "$UPDATE_BRANCH"
-terraform-docs --lockfile=false ./
-
-if [ -n "${BASE_PATH}" ]
-then
-  git add . --all
-  git commit -m "(automated) Updates from project type"
-  git push -f --set-upstream origin $UPDATE_BRANCH
-  gh pr create --title "Updates from functional tests " --body "_This is an automated PR incorporating updates to this project's readme.md file. Please review and either approve/merge or reject as appropriate_"
-else
-  echo "Local build mode (skipping git commit)"
-fi
+make clean
+
+echo "End of Functional Tests"

.project_automation/functional_tests/functional_test.tfvars

@@ -0,0 +1,2 @@
+tfc_org    = "wellsiau-org"
+aws_region = "us-east-1"

.project_automation/static_tests/Dockerfile

@@ -21,3 +21,7 @@ RUN wget -O /tmp/tflint-ruleset-aws.zip https://github.com/terraform-linters/tfl
 RUN curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
 
 RUN gem install mdl
+
+ENV TERRAFORM_DOCS_VERSION=v0.16.0
+RUN wget https://github.com/terraform-docs/terraform-docs/releases/download/${TERRAFORM_DOCS_VERSION}/terraform-docs-${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz && \
+    tar -C /usr/local/bin -xzf terraform-docs-${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz && chmod +x /usr/local/bin/terraform-docs

.project_automation/static_tests/entrypoint.sh

@@ -5,6 +5,8 @@
 PROJECT_PATH=${BASE_PATH}/project
 PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 
+echo "Starting Static Tests"
+
 cd ${PROJECT_PATH}
 terraform init
 terraform validate
@@ -14,4 +16,8 @@ tflint
 
 tfsec .
 
-mdl .header.md
+mdl .header.md
+
+terraform-docs --lockfile=false ./
+
+echo "End of Static Tests"

CONTRIBUTING.md

@@ -96,4 +96,4 @@ go test -timeout 45m
 ```
 # from the root of the repository
 terraform-docs --lockfile=false ./
-```
+```

Makefile

@@ -0,0 +1,20 @@
+TOPTARGETS := all clean build 
+
+SUBDIRS := $(wildcard lambda/*/.)
+BASE = $(shell /bin/pwd)
+
+$(TOPTARGETS): $(SUBDIRS)
+
+$(SUBDIRS):
+	$(MAKE) -C $@ $(MAKECMDGOALS) $(ARGS) BASE="${BASE}"
+
+.PHONY: $(TOPTARGETS) $(SUBDIRS)
+
+clean:
+	rm -f .terraform.lock.hcl
+	rm -rf .terraform
+	rm -rf ./lambda/*.zip
+	rm -f ./test/go.mod
+	rm -f ./test/go.sum
+	rm -f tf.json
+	rm -f tf.plan

NOTICE.txt

@@ -5,3 +5,10 @@ Licensed under the Apache License, Version 2.0 (the "License"). You may not use
     http://aws.amazon.com/apache2.0/
 
 or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+**********************
+THIRD PARTY COMPONENTS
+**********************
+This software includes third party software subject to the following copyrights:
+
+@yaml/pyyaml under the Massachusetts Institute of Technology (MIT) license