diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e3e3cbc..12f60a3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.50.0
+ rev: v1.51.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v3.4.0
+ rev: v4.0.1
hooks:
- id: check-merge-conflict
\ No newline at end of file
diff --git a/README.md b/README.md
index 360db7a..7184c1d 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,21 @@ Examples codified under the [`examples`](./examples) are intended to give users
- [IAM auth. w/ PostgreSQL Aurora cluster](./examples/postgresql_iam_cluster)
- [IAM auth. w/ PostgreSQL RDS instance](./examples/postgresql_iam_instance)
+## Security & Compliance [
](https://bridgecrew.io/)
+
+Security scanning results provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
+
+| Benchmark | Description |
+|--------|---------------|
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=PCI-DSS+V3.2.1) | Payment Card Industry Data Security Standards Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=SOC2) | Service Organization Control 2 Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance |
+| [](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=FEDRAMP+%28MODERATE%29) | FedRAMP Moderate Impact Level |
+
## Requirements
diff --git a/examples/mysql_iam_cluster/README.md b/examples/mysql_iam_cluster/README.md
index ee85022..570e151 100644
--- a/examples/mysql_iam_cluster/README.md
+++ b/examples/mysql_iam_cluster/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.38 |
-| [random](#provider\_random) | n/a |
+| [aws](#provider\_aws) | 3.59.0 |
+| [random](#provider\_random) | 3.1.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 |
-| [rds\_proxy](#module\_rds\_proxy) | ../../ | |
+| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
diff --git a/examples/mysql_iam_cluster/main.tf b/examples/mysql_iam_cluster/main.tf
index e30900b..4832e7d 100644
--- a/examples/mysql_iam_cluster/main.tf
+++ b/examples/mysql_iam_cluster/main.tf
@@ -51,6 +51,18 @@ module "vpc" {
create_database_subnet_group = true
enable_nat_gateway = true
single_nat_gateway = true
+ map_public_ip_on_launch = false
+
+ manage_default_security_group = true
+ default_security_group_ingress = []
+ default_security_group_egress = []
+
+ enable_flow_log = true
+ flow_log_destination_type = "cloud-watch-logs"
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+ flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
tags = local.tags
}
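Review bot: The CloudWatch log group created by `create_flow_log_cloudwatch_log_group = true` is left entirely on module defaults, so nothing in this hunk gives it a retention period or a customer-managed key; the matching vpc hunks in examples/mysql_iam_instance, examples/postgresql_iam_cluster and examples/postgresql_iam_instance have the same gap. Flow-log records will accumulate indefinitely, which is acceptable for an example but worth making explicit since readers copy these blocks. I would add `flow_log_cloudwatch_log_group_retention_in_days = 30` beside the other flow-log settings (and `flow_log_cloudwatch_log_group_kms_key_id` if a CMK is wanted), or at minimum a comment `# log group uses module defaults: no retention, no CMK`. The module "vpc" block starts before this hunk.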
@@ -71,13 +83,18 @@ module "rds" {
engine_version = "5.7"
replica_count = 1
instance_type = "db.t3.medium"
- storage_encrypted = false
+ storage_encrypted = true
apply_immediately = true
skip_final_snapshot = true
- vpc_id = module.vpc.vpc_id
- subnets = module.vpc.database_subnets
- allowed_security_groups = [module.rds_proxy_sg.security_group_id]
+ enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+ monitoring_interval = 60
+ create_monitoring_role = true
+
+ vpc_id = module.vpc.vpc_id
+ subnets = module.vpc.database_subnets
+ create_security_group = false
+ vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
db_subnet_group_name = local.name # Created by VPC module
db_parameter_group_name = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
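Review bot: Dropping the module-created security group in favour of the proxy's own group (`create_security_group = false` with `vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]`) changes the network boundary: the cluster now admits whatever ingress `rds_proxy_sg` permits, so any client allowed to reach the proxy (the EC2 test instance, if its group is listed there — the proxy SG rules are outside this hunk) can also connect to the cluster endpoints directly and bypass the proxy. The removed lines show the previous configuration kept a dedicated cluster group that only admitted the proxy SG. Unless sharing one group is deliberate, I would keep the dedicated group, e.g. `create_security_group = true` with `allowed_security_groups = [module.rds_proxy_sg.security_group_id]` as before, or add a comment explaining why the proxy and cluster share a group. The same change appears in the examples/postgresql_iam_cluster rds hunk. The module "rds" block continues outside this hunk.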
@@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" {
name = "example-aurora-db-57-parameter-group"
family = "aurora-mysql5.7"
description = "example-aurora-db-57-parameter-group"
+
+ tags = local.tags
}
resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" {
name = "example-aurora-57-cluster-parameter-group"
family = "aurora-mysql5.7"
description = "example-aurora-57-cluster-parameter-group"
+
+ tags = local.tags
}
################################################################################
@@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_gro
resource "aws_iam_instance_profile" "ec2_test" {
name_prefix = local.name
role = aws_iam_role.ec2_test.name
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test_assume" {
@@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" {
name_prefix = local.name
force_detach_policies = true
assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test" {
@@ -171,14 +196,23 @@ module "ec2_sg" {
module "ec2_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 2"
+ version = "~> 3"
- name = local.name
- instance_count = 1
+ name = local.name
- associate_public_ip_address = true
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
+ monitoring = true
+ ebs_optimized = true
+ metadata_options = {
+ http_endpoint = "disabled"
+ }
+ root_block_device = [
+ {
+ encrypted = true
+ }
+ ]
+
+ iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+ user_data = <<-EOT
#!/usr/bin/env bash
mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
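Review bot: `http_endpoint = "disabled"` in the new `metadata_options` switches off the instance metadata service entirely, yet the block still attaches `iam_instance_profile = aws_iam_instance_profile.ec2_test.name`; instance-profile credentials are delivered only through IMDS, so the role becomes unreachable from the instance and anything relying on it (the SSM agent implied by the `/home/ssm-user/` path in user_data, or generating an IAM DB auth token) will fail. The hardening intent is better expressed by requiring IMDSv2 rather than disabling the endpoint: `http_endpoint = "enabled"`, `http_tokens = "required"`, `http_put_response_hop_limit = 1`. The same map appears in the ec2_instance hunks of examples/mysql_iam_instance, examples/postgresql_iam_cluster and examples/postgresql_iam_instance. The user_data heredoc and the module "ec2_instance" block continue past the end of this hunk.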
@@ -191,7 +225,7 @@ module "ec2_instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_ids = module.vpc.private_subnets
+ subnet_id = element(module.vpc.private_subnets, 0)
tags = local.tags
}
diff --git a/examples/mysql_iam_instance/README.md b/examples/mysql_iam_instance/README.md
index 845dae1..4d38367 100644
--- a/examples/mysql_iam_instance/README.md
+++ b/examples/mysql_iam_instance/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.38 |
-| [random](#provider\_random) | n/a |
+| [aws](#provider\_aws) | 3.59.0 |
+| [random](#provider\_random) | 3.1.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
-| [rds\_proxy](#module\_rds\_proxy) | ../../ | |
+| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
diff --git a/examples/mysql_iam_instance/main.tf b/examples/mysql_iam_instance/main.tf
index 8f43934..5e7ee5e 100644
--- a/examples/mysql_iam_instance/main.tf
+++ b/examples/mysql_iam_instance/main.tf
@@ -48,8 +48,21 @@ module "vpc" {
private_subnets = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
- enable_nat_gateway = true
- single_nat_gateway = true
+ create_database_subnet_group = true
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ map_public_ip_on_launch = false
+
+ manage_default_security_group = true
+ default_security_group_ingress = []
+ default_security_group_egress = []
+
+ enable_flow_log = true
+ flow_log_destination_type = "cloud-watch-logs"
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+ flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
tags = local.tags
}
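Review bot: `create_database_subnet_group = true` is newly added here, but the rds module later in this file appears to receive `subnet_ids = module.vpc.database_subnets` and no `db_subnet_group_name`, so it presumably creates its own subnet group and the VPC-created one goes unused (the cluster examples, by contrast, consume it via `db_subnet_group_name = local.name`). If that is the case, either drop the flag or point the rds module at the VPC group; otherwise a comment such as `# unused here; kept for parity with the cluster examples` would avoid confusion. The same addition appears in the examples/postgresql_iam_instance vpc hunk. The module "vpc" block starts before this hunk.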
@@ -94,11 +107,16 @@ module "rds" {
port = 3306
instance_class = "db.t3.micro"
allocated_storage = 5
- storage_encrypted = false
+ storage_encrypted = true
apply_immediately = true
+ enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+ monitoring_interval = 60
+ create_monitoring_role = true
+
vpc_security_group_ids = [module.rds_sg.security_group_id]
subnet_ids = module.vpc.database_subnets
+ multi_az = true
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
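Review bot: `storage_encrypted = true` is set without a `kms_key_id`, so the instance is encrypted with the AWS-managed RDS key; that is fine for an example, but the line tends to be copied as-is, so I would annotate it: `storage_encrypted = true # AWS-managed key; set kms_key_id for a customer-managed CMK`. The same applies to the rds hunk in examples/postgresql_iam_instance and to the Aurora cluster hunks. The module "rds" block continues outside this hunk.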
@@ -115,6 +133,8 @@ module "rds" {
resource "aws_iam_instance_profile" "ec2_test" {
name_prefix = local.name
role = aws_iam_role.ec2_test.name
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test_assume" {
@@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" {
name_prefix = local.name
force_detach_policies = true
assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test" {
@@ -181,14 +203,23 @@ module "ec2_sg" {
module "ec2_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 2"
+ version = "~> 3"
- name = local.name
- instance_count = 1
+ name = local.name
- associate_public_ip_address = true
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
+ monitoring = true
+ ebs_optimized = true
+ metadata_options = {
+ http_endpoint = "disabled"
+ }
+ root_block_device = [
+ {
+ encrypted = true
+ }
+ ]
+
+ iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+ user_data = <<-EOT
#!/usr/bin/env bash
mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@@ -201,7 +232,7 @@ module "ec2_instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_ids = module.vpc.private_subnets
+ subnet_id = element(module.vpc.private_subnets, 0)
tags = local.tags
}
diff --git a/examples/postgresql_iam_cluster/README.md b/examples/postgresql_iam_cluster/README.md
index 5dee515..1103396 100644
--- a/examples/postgresql_iam_cluster/README.md
+++ b/examples/postgresql_iam_cluster/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.38 |
-| [random](#provider\_random) | n/a |
+| [aws](#provider\_aws) | 3.59.0 |
+| [random](#provider\_random) | 3.1.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 |
-| [rds\_proxy](#module\_rds\_proxy) | ../../ | |
+| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
diff --git a/examples/postgresql_iam_cluster/main.tf b/examples/postgresql_iam_cluster/main.tf
index c77a769..854ac1d 100644
--- a/examples/postgresql_iam_cluster/main.tf
+++ b/examples/postgresql_iam_cluster/main.tf
@@ -51,6 +51,18 @@ module "vpc" {
create_database_subnet_group = true
enable_nat_gateway = true
single_nat_gateway = true
+ map_public_ip_on_launch = false
+
+ manage_default_security_group = true
+ default_security_group_ingress = []
+ default_security_group_egress = []
+
+ enable_flow_log = true
+ flow_log_destination_type = "cloud-watch-logs"
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+ flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
tags = local.tags
}
@@ -71,13 +83,18 @@ module "rds" {
engine_version = "11.9"
replica_count = 1
instance_type = "db.t3.medium"
- storage_encrypted = false
+ storage_encrypted = true
apply_immediately = true
skip_final_snapshot = true
- vpc_id = module.vpc.vpc_id
- subnets = module.vpc.database_subnets
- allowed_security_groups = [module.rds_proxy_sg.security_group_id]
+ enabled_cloudwatch_logs_exports = ["postgresql"]
+ monitoring_interval = 60
+ create_monitoring_role = true
+
+ vpc_id = module.vpc.vpc_id
+ subnets = module.vpc.database_subnets
+ create_security_group = false
+ vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
db_subnet_group_name = local.name # Created by VPC module
db_parameter_group_name = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id
@@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_postgres11_parameter_group" {
name = "example-aurora-db-postgres11-parameter-group"
family = "aurora-postgresql11"
description = "test-aurora-db-postgres11-parameter-group"
+
+ tags = local.tags
}
resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_group" {
name = "example-aurora-postgres11-cluster-parameter-group"
family = "aurora-postgresql11"
description = "example-aurora-postgres11-cluster-parameter-group"
+
+ tags = local.tags
}
################################################################################
@@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_
resource "aws_iam_instance_profile" "ec2_test" {
name_prefix = local.name
role = aws_iam_role.ec2_test.name
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test_assume" {
@@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" {
name_prefix = local.name
force_detach_policies = true
assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test" {
@@ -171,14 +196,23 @@ module "ec2_sg" {
module "ec2_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 2"
+ version = "~> 3"
- name = local.name
- instance_count = 1
+ name = local.name
- associate_public_ip_address = true
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
+ monitoring = true
+ ebs_optimized = true
+ metadata_options = {
+ http_endpoint = "disabled"
+ }
+ root_block_device = [
+ {
+ encrypted = true
+ }
+ ]
+
+ iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+ user_data = <<-EOT
#!/usr/bin/env bash
mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@@ -191,7 +225,7 @@ module "ec2_instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_ids = module.vpc.private_subnets
+ subnet_id = element(module.vpc.private_subnets, 0)
tags = local.tags
}
diff --git a/examples/postgresql_iam_instance/README.md b/examples/postgresql_iam_instance/README.md
index 2b13080..b81878f 100644
--- a/examples/postgresql_iam_instance/README.md
+++ b/examples/postgresql_iam_instance/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 3.38 |
-| [random](#provider\_random) | n/a |
+| [aws](#provider\_aws) | 3.59.0 |
+| [random](#provider\_random) | 3.1.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
-| [rds\_proxy](#module\_rds\_proxy) | ../../ | |
+| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
diff --git a/examples/postgresql_iam_instance/main.tf b/examples/postgresql_iam_instance/main.tf
index 240ecd9..cf9f823 100644
--- a/examples/postgresql_iam_instance/main.tf
+++ b/examples/postgresql_iam_instance/main.tf
@@ -48,8 +48,21 @@ module "vpc" {
private_subnets = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
- enable_nat_gateway = true
- single_nat_gateway = true
+ create_database_subnet_group = true
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ map_public_ip_on_launch = false
+
+ manage_default_security_group = true
+ default_security_group_ingress = []
+ default_security_group_egress = []
+
+ enable_flow_log = true
+ flow_log_destination_type = "cloud-watch-logs"
+ create_flow_log_cloudwatch_log_group = true
+ create_flow_log_cloudwatch_iam_role = true
+ flow_log_max_aggregation_interval = 60
+ flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
tags = local.tags
}
@@ -94,11 +107,16 @@ module "rds" {
port = 5432
instance_class = "db.t3.micro"
allocated_storage = 5
- storage_encrypted = false
+ storage_encrypted = true
apply_immediately = true
+ enabled_cloudwatch_logs_exports = ["postgresql"]
+ monitoring_interval = 60
+ create_monitoring_role = true
+
vpc_security_group_ids = [module.rds_sg.security_group_id]
subnet_ids = module.vpc.database_subnets
+ multi_az = true
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
@@ -115,6 +133,8 @@ module "rds" {
resource "aws_iam_instance_profile" "ec2_test" {
name_prefix = local.name
role = aws_iam_role.ec2_test.name
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test_assume" {
@@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" {
name_prefix = local.name
force_detach_policies = true
assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json
+
+ tags = local.tags
}
data "aws_iam_policy_document" "ec2_test" {
@@ -181,14 +203,23 @@ module "ec2_sg" {
module "ec2_instance" {
source = "terraform-aws-modules/ec2-instance/aws"
- version = "~> 2"
+ version = "~> 3"
- name = local.name
- instance_count = 1
+ name = local.name
- associate_public_ip_address = true
- iam_instance_profile = aws_iam_instance_profile.ec2_test.name
- user_data = <<-EOT
+ monitoring = true
+ ebs_optimized = true
+ metadata_options = {
+ http_endpoint = "disabled"
+ }
+ root_block_device = [
+ {
+ encrypted = true
+ }
+ ]
+
+ iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+ user_data = <<-EOT
#!/usr/bin/env bash
mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@@ -201,7 +232,7 @@ module "ec2_instance" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
vpc_security_group_ids = [module.ec2_sg.security_group_id]
- subnet_ids = module.vpc.private_subnets
+ subnet_id = element(module.vpc.private_subnets, 0)
tags = local.tags
}