terraform-runtask-iam-access-analyzer

Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.

Diagram

Prerequisites

To use this module you need the following:

  1. AWS account and credentials
  2. Terraform Cloud with Run Task entitlement (Business subscription or higher)

Usage

  • Build and package the Lambda files

    make all
    
  • Refer to the module_workspace for steps to deploy this module in Terraform Cloud.

  • After you have deployed the module_workspace, navigate to your Terraform Cloud organization and go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.

  • You can attach this Run Task to any workspace that declares a standard IAM policy document. Refer to the demo_workspace for more details.

Limitations

  1. Does not provide verbose error or warning messages in the Run Task console. Providing verbose logging is being explored for a future release.

  2. Does not support Terraform computed values (attributes that are only known after apply).

For example, the tool reports no IAM policy found for the following Terraform configuration. The policy JSON string references an attribute of aws_s3_bucket.b that is only known after apply, so the whole policy attribute is unknown at plan time and the plan output carries no IAM policy document for the run task to analyze.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_iam_policy" "policy" {
  name        = "test-policy"
  description = "A test policy"

  # The Resource element references an attribute of the bucket that is only
  # known after apply, so the entire policy string is unknown at plan time and
  # the run task has no document to validate.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:GetObject",
        ]
        Effect   = "Allow"
        # s3:GetObject is an object-level action, so the resource is the
        # object ARN pattern rather than the bare bucket name.
        Resource = "${aws_s3_bucket.b.arn}/*"
      }
    ]
  })
}
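To see why the plan carries no document in this case, it helps to look at how `terraform show -json` represents unknown values: an attribute that is only known after apply is omitted from `change.after` and flagged as `true` under `change.after_unknown`. The following is an added example, not code from this module, that walks a constructed plan JSON fragment and separates policies that can be validated from those that are still unknown. The `POLICY_ATTRIBUTES` map is a hypothetical allow list for the example and is not the module's `supported_policy_document` value.

```python
import json

# Constructed sample of `terraform show -json` plan output, trimmed to the
# fields relevant here. It is not output from the module or from Terraform Cloud.
# aws_s3_bucket.b.id/arn are not known until apply, so the dependent `policy`
# attribute of aws_iam_policy.policy appears under `after_unknown`, not `after`.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "aws_s3_bucket.b",
            "type": "aws_s3_bucket",
            "change": {
                "actions": ["create"],
                "after": {"bucket": "my-tf-test-bucket"},
                "after_unknown": {"id": True, "arn": True},
            },
        },
        {
            "address": "aws_iam_policy.policy",
            "type": "aws_iam_policy",
            "change": {
                "actions": ["create"],
                "after": {"name": "test-policy", "description": "A test policy"},
                "after_unknown": {"policy": True, "id": True, "arn": True},
            },
        },
        {
            # A policy written with a literal ARN is fully known at plan time.
            "address": "aws_iam_policy.static",
            "type": "aws_iam_policy",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "static-policy",
                    "policy": json.dumps({
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Action": "s3:GetObject",
                            "Resource": "arn:aws:s3:::my-tf-test-bucket/*",
                        }],
                    }),
                },
                "after_unknown": {"id": True, "arn": True},
            },
        },
    ],
}

# Hypothetical map of resource type -> attribute that carries the policy JSON.
POLICY_ATTRIBUTES = {
    "aws_iam_policy": "policy",
    "aws_iam_role": "assume_role_policy",
    "aws_s3_bucket_policy": "policy",
}


def extract_policies(plan):
    """Split a plan JSON dict into policies that can be validated and ones that cannot.

    Returns (found, unknown):
      found:   list of (address, parsed policy document) present at plan time
      unknown: list of addresses whose policy attribute is only known after apply
    """
    found, unknown = [], []
    for rc in plan.get("resource_changes", []):
        attr = POLICY_ATTRIBUTES.get(rc.get("type"))
        if attr is None:
            continue
        change = rc["change"]
        # A pure delete has no `after` state and nothing to validate.
        if change["actions"] == ["delete"]:
            continue
        # Unknown-after-apply attributes are flagged here and absent from `after`.
        if change.get("after_unknown", {}).get(attr):
            unknown.append(rc["address"])
            continue
        raw = (change.get("after") or {}).get(attr)
        if raw is None:
            continue
        found.append((rc["address"], json.loads(raw)))
    return found, unknown


if __name__ == "__main__":
    found, unknown = extract_policies(SAMPLE_PLAN)
    for address, doc in found:
        print(f"validate {address}: {len(doc['Statement'])} statement(s)")
    for address in unknown:
        print(f"skip {address}: policy only known after apply")
```

In the sample, `aws_iam_policy.policy` lands in the unknown list, which is exactly the case the limitation above describes; the practical workaround is to build the policy from values known at plan time (a literal ARN or a variable) or to apply the bucket in an earlier run.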

Best practice

  • Do not re-use a Run Task URL across trust boundaries (organizations, AWS accounts, teams). Deploy a separate Run Task per trust boundary.

  • Do not use a Run Task URL from an untrusted party. A Run Task execution hands the endpoint access to the Terraform plan output for that run, so the endpoint sees everything in the plan. Only register Run Task URLs you trust.

  • Enable the AWS WAF setup by setting the variable deploy_waf to true (additional cost applies). This places CloudFront and a WAF web ACL in front of the Lambda function URL endpoint.

  • Set up additional CloudWatch alarms to monitor Lambda concurrency and WAF rule matches.
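The trust-boundary advice cuts both ways: the endpoint must also refuse requests that did not come from the Terraform Cloud organization it was registered with. Terraform Cloud signs every Run Task request with HMAC-SHA512 over the raw request body, using the HMAC key configured for the run task (this module's runtask_hmac output), and sends the hex digest in the x-tfc-task-signature header. The following is an added example, not the module's Lambda code, showing how a receiving endpoint verifies that signature before trusting any field in the payload, and how a workspace-prefix check in the spirit of the workspace_prefix input fits in. The handler name and its arguments are hypothetical; the key and payload are constructed.

```python
import hashlib
import hmac
import json

# Header carrying the hex HMAC-SHA512 digest of the request body.
SIGNATURE_HEADER = "x-tfc-task-signature"


def verify_tfc_signature(hmac_key: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header matches HMAC-SHA512(hmac_key, raw_body).

    Verify the exact bytes received (not a re-serialised JSON object) and use a
    constant-time comparison so the check does not leak the digest via timing.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    provided = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER), None)
    if not provided:
        return False
    expected = hmac.new(hmac_key, raw_body, hashlib.sha512).hexdigest()
    return hmac.compare_digest(expected, provided.strip().lower())


def handle_runtask_request(hmac_key: bytes, raw_body: bytes, headers: dict,
                           allowed_workspace_prefix: str = "") -> dict:
    """Hypothetical entry point for the Run Task endpoint (not the module's Lambda).

    Nothing in the body is trusted until the signature checks out: the payload
    carries a short-lived access_token and the plan_json_api_url used to fetch
    the plan, and acting on a forged payload would mean fetching an attacker's
    plan with an attacker-supplied token.
    """
    if not verify_tfc_signature(hmac_key, raw_body, headers):
        return {"statusCode": 401, "body": "invalid or missing signature"}
    payload = json.loads(raw_body)
    workspace = payload.get("workspace_name", "")
    # Optional scoping, mirroring the purpose of the workspace_prefix input.
    if allowed_workspace_prefix and not workspace.startswith(allowed_workspace_prefix):
        return {"statusCode": 403, "body": f"workspace {workspace!r} not allowed"}
    # Verified and in scope: a real handler would now fetch the plan from
    # plan_json_api_url using access_token and queue the policy validation.
    return {"statusCode": 200, "body": json.dumps({"run_id": payload.get("run_id")})}


def sign(hmac_key: bytes, raw_body: bytes) -> str:
    """Produce the signature Terraform Cloud would send; for local testing only."""
    return hmac.new(hmac_key, raw_body, hashlib.sha512).hexdigest()


# Constructed sample key and payload; neither is real Terraform Cloud data.
SAMPLE_KEY = b"example-hmac-key-from-runtask_hmac-output"
SAMPLE_BODY = json.dumps({
    "run_id": "run-example",
    "stage": "post_plan",
    "workspace_name": "prod-network",
    "access_token": "redacted",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/plan-example/json-output",
}).encode()


if __name__ == "__main__":
    good = {"X-TFC-Task-Signature": sign(SAMPLE_KEY, SAMPLE_BODY)}
    print(handle_runtask_request(SAMPLE_KEY, SAMPLE_BODY, good))
    print(handle_runtask_request(SAMPLE_KEY, SAMPLE_BODY + b" ", good))
```

Verification has to run on the raw bytes before any JSON parsing: re-serialising the parsed object can change whitespace or key order and produce a different digest, which would reject legitimate requests and tempt someone to loosen the check.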

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.7 |
| archive | ~> 2.2.0 |
| aws | >= 3.73.0, < 5.0.0 |
| random | >= 3.4.0 |
| tfe | ~> 0.38.0 |

Providers

| Name | Version |
|------|---------|
| archive | ~> 2.2.0 |
| aws | >= 3.73.0, < 5.0.0 |
| aws.cloudfront_waf | >= 3.73.0, < 5.0.0 |
| random | >= 3.4.0 |
| tfe | ~> 0.38.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| runtask_cloudfront | terraform-aws-modules/cloudfront/aws | 3.2.1 |

Resources

| Name | Type |
|------|------|
| aws_cloudfront_origin_request_policy.runtask_cloudfront | resource |
| aws_cloudwatch_event_rule.runtask_rule | resource |
| aws_cloudwatch_event_target.runtask_target | resource |
| aws_cloudwatch_log_group.runtask_callback | resource |
| aws_cloudwatch_log_group.runtask_eventbridge | resource |
| aws_cloudwatch_log_group.runtask_fulfillment | resource |
| aws_cloudwatch_log_group.runtask_fulfillment_output | resource |
| aws_cloudwatch_log_group.runtask_request | resource |
| aws_cloudwatch_log_group.runtask_states | resource |
| aws_cloudwatch_log_group.runtask_waf | resource |
| aws_iam_role.runtask_callback | resource |
| aws_iam_role.runtask_eventbridge | resource |
| aws_iam_role.runtask_fulfillment | resource |
| aws_iam_role.runtask_request | resource |
| aws_iam_role.runtask_rule | resource |
| aws_iam_role.runtask_states | resource |
| aws_iam_role_policy.runtask_eventbridge | resource |
| aws_iam_role_policy.runtask_fulfillment | resource |
| aws_iam_role_policy.runtask_rule | resource |
| aws_iam_role_policy.runtask_states | resource |
| aws_iam_role_policy_attachment.runtask_callback | resource |
| aws_iam_role_policy_attachment.runtask_eventbridge | resource |
| aws_iam_role_policy_attachment.runtask_fulfillment | resource |
| aws_iam_role_policy_attachment.runtask_request | resource |
| aws_kms_alias.runtask_key | resource |
| aws_kms_alias.runtask_waf | resource |
| aws_kms_key.runtask_key | resource |
| aws_kms_key.runtask_waf | resource |
| aws_lambda_function.runtask_callback | resource |
| aws_lambda_function.runtask_eventbridge | resource |
| aws_lambda_function.runtask_fulfillment | resource |
| aws_lambda_function.runtask_request | resource |
| aws_lambda_function_url.runtask_eventbridge | resource |
| aws_secretsmanager_secret.runtask_cloudfront | resource |
| aws_secretsmanager_secret.runtask_hmac | resource |
| aws_secretsmanager_secret_version.runtask_cloudfront | resource |
| aws_secretsmanager_secret_version.runtask_hmac | resource |
| aws_sfn_state_machine.runtask_states | resource |
| aws_wafv2_web_acl.runtask_waf | resource |
| aws_wafv2_web_acl_logging_configuration.runtask_waf | resource |
| random_uuid.runtask_cloudfront | resource |
| random_uuid.runtask_hmac | resource |
| tfe_organization_run_task.aws_iam_analyzer | resource |
| archive_file.runtask_callback | data source |
| archive_file.runtask_eventbridge | data source |
| archive_file.runtask_fulfillment | data source |
| archive_file.runtask_request | data source |
| aws_caller_identity.current_account | data source |
| aws_iam_policy.aws_lambda_basic_execution_role | data source |
| aws_iam_policy_document.runtask_key | data source |
| aws_iam_policy_document.runtask_waf | data source |
| aws_partition.current_partition | data source |
| aws_region.cloudfront_region | data source |
| aws_region.current_region | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | The region from which this module will be executed. | string | n/a | yes |
| tfc_org | Terraform Cloud organization name | string | n/a | yes |
| cloudwatch_log_group_name | Run Task CloudWatch log group name | string | "/hashicorp/terraform/runtask/iam-access-analyzer/" | no |
| cloudwatch_log_group_retention | Lambda CloudWatch log group retention period in days | string | "365" | no |
| deploy_waf | Set to true to deploy CloudFront and WAF in front of the Lambda function URL | string | false | no |
| event_bus_name | EventBridge event bus name | string | "default" | no |
| event_source | EventBridge source name | string | "app.terraform.io" | no |
| lambda_default_timeout | Lambda default timeout in seconds | number | 30 | no |
| lambda_reserved_concurrency | Maximum Lambda reserved concurrency; make sure your AWS account quota is sufficient | number | 100 | no |
| name_prefix | Name prefix used on all resources as an identifier | string | "aws-ia2" | no |
| recovery_window | Number of days that AWS Secrets Manager waits before it can delete the secret | number | 0 | no |
| runtask_stages | List of all supported Run Task stages | list(string) | ["pre_plan", "post_plan", "pre_apply"] | no |
| supported_policy_document | (Optional) allow list of the supported IAM policy documents | string | "" | no |
| waf_managed_rule_set | List of AWS Managed Rules to use inside the WAF web ACL | list(map(string)) | [{"metric_suffix": "common", "name": "AWSManagedRulesCommonRuleSet", "priority": 10, "vendor_name": "AWS"}, {"metric_suffix": "bad_input", "name": "AWSManagedRulesKnownBadInputsRuleSet", "priority": 20, "vendor_name": "AWS"}] | no |
| waf_rate_limit | Rate limit for requests reaching the WAF | number | 100 | no |
| workspace_prefix | TFC workspace name prefix that is allowed to run this Run Task | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| runtask_hmac | HMAC key value; keep this sensitive data safe |
| runtask_id | The Run Task id configured in Terraform Cloud |
| runtask_url | The Run Task URL endpoint; use this to configure the Run Task setup in Terraform Cloud |