readme updated, BridgeCrew compliance checks fixed (#25)

maximmi · web-flow · commit c27813fa07d5 · 2021-01-26T11:35:31.000+07:00
* readme updated, BridgeCrew compliance checks fixed

* tags added for resources
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,9 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
+**/.terraform.lock.hcl
+
+test.log
 
 **/node_modules/*
 **/package-lock.json
diff --git a/README.md b/README.md
@@ -184,6 +184,7 @@ Available targets:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | artifact\_filename | Artifact filename | `string` | `"lambda.zip"` | no |
 | artifact\_url | URL template for the remote artifact | `string` | `"https://artifacts.cloudposse.com/$${module_name}/$${git_ref}/$${filename}"` | no |
@@ -197,14 +198,18 @@ Available targets:
 | id\_length\_limit | Limit `id` to this many characters.<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
 | lambda\_runtime | Lambda runtime | `string` | `"nodejs12.x"` | no |
+| mfa\_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `true` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | region | AWS Region the SES should reside in | `string` | n/a | yes |
 | relay\_email | Email that used to relay from | `string` | n/a | yes |
+| s3\_bucket\_encryption\_enabled | When set to 'true' the 'aws\_s3\_bucket' resource will have AES256 encryption enabled by default | `bool` | `true` | no |
 | spf | DNS SPF record value | `string` | `"v=spf1 include:amazonses.com -all"` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| tracing\_config\_mode | Can be either PassThrough or Active. If PassThrough, Lambda will only trace the request from an upstream service if it contains a tracing header with 'sampled=1'. If Active, Lambda will respect any tracing header it receives from an upstream service. | `string` | `"PassThrough"` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 
 ## Outputs
 
@@ -311,7 +316,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
 ## Copyright
 
-Copyright © 2017-2020 [Cloud Posse, LLC](https://cpco.io/copyright)
+Copyright © 2017-2021 [Cloud Posse, LLC](https://cpco.io/copyright)
 
 
 
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -19,6 +19,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | artifact\_filename | Artifact filename | `string` | `"lambda.zip"` | no |
 | artifact\_url | URL template for the remote artifact | `string` | `"https://artifacts.cloudposse.com/$${module_name}/$${git_ref}/$${filename}"` | no |
@@ -32,14 +33,18 @@
 | id\_length\_limit | Limit `id` to this many characters.<br>Set to `0` for unlimited length.<br>Set to `null` for default, which is `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
 | lambda\_runtime | Lambda runtime | `string` | `"nodejs12.x"` | no |
+| mfa\_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `true` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | region | AWS Region the SES should reside in | `string` | n/a | yes |
 | relay\_email | Email that used to relay from | `string` | n/a | yes |
+| s3\_bucket\_encryption\_enabled | When set to 'true' the 'aws\_s3\_bucket' resource will have AES256 encryption enabled by default | `bool` | `true` | no |
 | spf | DNS SPF record value | `string` | `"v=spf1 include:amazonses.com -all"` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| tracing\_config\_mode | Can be either PassThrough or Active. If PassThrough, Lambda will only trace the request from an upstream service if it contains a tracing header with 'sampled=1'. If Active, Lambda will respect any tracing header it receives from an upstream service. | `string` | `"PassThrough"` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 
 ## Outputs
 
diff --git a/examples/complete/fixtures.us-east-1.tfvars b/examples/complete/fixtures.us-east-1.tfvars
@@ -23,3 +23,5 @@ lambda_runtime = "nodejs12.x"
 artifact_url = "https://artifacts.cloudposse.com/terraform-external-module-artifact/example/test.zip"
 
 artifact_filename = "lambda.zip"
+
+mfa_delete = false
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -16,6 +16,7 @@ module "ses_lambda_forwarder" {
 
   artifact_url      = var.artifact_url
   artifact_filename = var.artifact_filename
+  mfa_delete        = var.mfa_delete
 
   context = module.this.context
 }
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -37,3 +37,8 @@ variable "artifact_filename" {
   type        = string
   description = "Artifact filename"
 }
+
+variable "mfa_delete" {
+  type        = bool
+  description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
+}
diff --git a/lambda.tf b/lambda.tf
@@ -16,6 +16,7 @@ data "aws_iam_policy_document" "assume" {
 resource "aws_iam_role" "lambda" {
   name               = module.this.id
   assume_role_policy = data.aws_iam_policy_document.assume.json
+  tags               = module.this.tags
 }
 
 data "aws_iam_policy_document" "lambda" {
@@ -81,6 +82,7 @@ resource "aws_lambda_function" "default" {
   handler          = "index.handler"
   source_code_hash = module.artifact.base64sha256
   runtime          = var.lambda_runtime
+  tags             = module.this.tags
 
   environment {
     variables = {
@@ -90,6 +92,10 @@ resource "aws_lambda_function" "default" {
       EMAIL_MAPPING     = jsonencode(var.forward_emails)
     }
   }
+
+  tracing_config {
+    mode = var.tracing_config_mode
+  }
 }
 
 resource "aws_lambda_alias" "default" {
diff --git a/s3.tf b/s3.tf
@@ -1,8 +1,35 @@
 resource "aws_s3_bucket" "default" {
+  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
+  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   bucket        = module.this.id
   region        = var.region
   force_destroy = true
 
+  versioning {
+    enabled    = var.versioning_enabled
+    mfa_delete = var.mfa_delete
+  }
+
+  dynamic "logging" {
+    for_each = var.access_log_bucket_name != "" ? [1] : []
+    content {
+      target_bucket = var.access_log_bucket_name
+      target_prefix = "logs/${module.this.id}/"
+    }
+  }
+
+  dynamic "server_side_encryption_configuration" {
+    for_each = var.s3_bucket_encryption_enabled ? [1] : []
+
+    content {
+      rule {
+        apply_server_side_encryption_by_default {
+          sse_algorithm = "AES256"
+        }
+      }
+    }
+  }
+
   tags = module.this.tags
 }
 
diff --git a/test/src/go.mod b/test/src/go.mod
@@ -3,7 +3,7 @@ module github.com/cloudposse/terraform-aws-ses-lambda-forwarder
 go 1.13
 
 require (
-	github.com/gruntwork-io/terratest v0.16.0
+	github.com/gruntwork-io/terratest v0.31.4
 	github.com/stretchr/testify v1.5.1
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad // indirect
 	golang.org/x/net v0.0.0-20201224014010-6772e930b67b // indirect
diff --git a/test/src/go.sum b/test/src/go.sum
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ module "ses_lambda_forwarder" {`
`16`	`16`
`17`	`17`	`artifact_url = var.artifact_url`
`18`	`18`	`artifact_filename = var.artifact_filename`
	`19`	`+ mfa_delete = var.mfa_delete`
`19`	`20`
`20`	`21`	`context = module.this.context`
`21`	`22`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,3 +37,8 @@ variable "artifact_filename" {`
`37`	`37`	`type = string`
`38`	`38`	`description = "Artifact filename"`
`39`	`39`	`}`
	`40`	`+`
	`41`	`+variable "mfa_delete" {`
	`42`	`+ type = bool`
	`43`	`+ description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"`
	`44`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ data "aws_iam_policy_document" "assume" {`
`16`	`16`	`resource "aws_iam_role" "lambda" {`
`17`	`17`	`name = module.this.id`
`18`	`18`	`assume_role_policy = data.aws_iam_policy_document.assume.json`
	`19`	`+ tags = module.this.tags`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`data "aws_iam_policy_document" "lambda" {`
`@@ -81,6 +82,7 @@ resource "aws_lambda_function" "default" {`
`81`	`82`	`handler = "index.handler"`
`82`	`83`	`source_code_hash = module.artifact.base64sha256`
`83`	`84`	`runtime = var.lambda_runtime`
	`85`	`+ tags = module.this.tags`
`84`	`86`
`85`	`87`	`environment {`
`86`	`88`	`variables = {`
`@@ -90,6 +92,10 @@ resource "aws_lambda_function" "default" {`
`90`	`92`	`EMAIL_MAPPING = jsonencode(var.forward_emails)`
`91`	`93`	`}`
`92`	`94`	`}`
	`95`	`+`
	`96`	`+ tracing_config {`
	`97`	`+ mode = var.tracing_config_mode`
	`98`	`+ }`
`93`	`99`	`}`
`94`	`100`
`95`	`101`	`resource "aws_lambda_alias" "default" {`