From 93b0ea6f1013660a0aed49ec9085bfcd3a729472 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Sun, 19 Sep 2021 12:35:51 -0400
Subject: [PATCH] chore: update examples for security best practices and Bridgecrew monitoring
---
.pre-commit-config.yaml | 4 +-
README.md | 15 ++++
examples/mysql_iam_cluster/README.md | 8 ++--
examples/mysql_iam_cluster/main.tf | 56 +++++++++++++++++-----
examples/mysql_iam_instance/README.md | 8 ++--
examples/mysql_iam_instance/main.tf | 51 ++++++++++++++++----
examples/postgresql_iam_cluster/README.md | 8 ++--
examples/postgresql_iam_cluster/main.tf | 56 +++++++++++++++++-----
examples/postgresql_iam_instance/README.md | 8 ++--
examples/postgresql_iam_instance/main.tf | 51 ++++++++++++++++----
10 files changed, 205 insertions(+), 60 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e3e3cbc..12f60a3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.50.0 + rev: v1.51.0 hooks: - id: terraform_fmt - id: terraform_docs - repo: git://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 + rev: v4.0.1 hooks: - id: check-merge-conflict
\ No newline at end of file
diff --git a/README.md b/README.md
index 360db7a..7184c1d 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,21 @@ Examples codified under the [`examples`](./examples) are intended to give users - [IAM auth. w/ PostgreSQL Aurora cluster](./examples/postgresql_iam_cluster) - [IAM auth. w/ PostgreSQL RDS instance](./examples/postgresql_iam_instance) +## Security & Compliance [](https://bridgecrew.io/) + +Security scanning results provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance. + +| Benchmark | Description | +|--------|---------------| +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=PCI-DSS+V3.2.1) | Payment Card Industry Data Security Standards Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance | 
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=SOC2) | Service Organization Control 2 Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance | +| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=FEDRAMP+%28MODERATE%29) | FedRAMP Moderate Impact Level | + ## Requirements diff --git a/examples/mysql_iam_cluster/README.md b/examples/mysql_iam_cluster/README.md index ee85022..570e151 100644 --- a/examples/mysql_iam_cluster/README.md +++ b/examples/mysql_iam_cluster/README.md 
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.38 | -| [random](#provider\_random) | n/a | +| [aws](#provider\_aws) | 3.59.0 | +| [random](#provider\_random) | 3.1.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 | | [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 | -| [rds\_proxy](#module\_rds\_proxy) | ../../ | | +| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | diff --git a/examples/mysql_iam_cluster/main.tf b/examples/mysql_iam_cluster/main.tf index e30900b..4832e7d 100644 --- a/examples/mysql_iam_cluster/main.tf +++ b/examples/mysql_iam_cluster/main.tf 
@@ -51,6 +51,18 @@ module "vpc" { create_database_subnet_group = true enable_nat_gateway = true single_nat_gateway = true + map_public_ip_on_launch = false + + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}" tags = local.tags } @@ -71,13 +83,18 @@ module "rds" { engine_version = "5.7" replica_count = 1 instance_type = "db.t3.medium" - storage_encrypted = false + storage_encrypted = true apply_immediately = true skip_final_snapshot = true - vpc_id = module.vpc.vpc_id - subnets = module.vpc.database_subnets - allowed_security_groups = [module.rds_proxy_sg.security_group_id] + enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"] + monitoring_interval = 60 + create_monitoring_role = true + + vpc_id = module.vpc.vpc_id + subnets = module.vpc.database_subnets + create_security_group = false + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] db_subnet_group_name = local.name # Created by VPC module db_parameter_group_name = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id 
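Review bot: The CloudWatch log group created by `create_flow_log_cloudwatch_log_group = true` gets neither a retention period nor a KMS key in this hunk, so the VPC flow logs are retained indefinitely under default CloudWatch encryption, which the same class of scanner this commit targets also flags. Adding `flow_log_cloudwatch_log_group_retention_in_days = 30` (any period that suits the example) next to the other flow-log settings bounds retention, and `flow_log_cloudwatch_log_group_kms_key_id` can reference a customer-managed key where one is available. The identical VPC hunk appears in examples/mysql_iam_instance/main.tf, examples/postgresql_iam_cluster/main.tf and examples/postgresql_iam_instance/main.tf. The `module "vpc"` block begins before this hunk.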
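Review bot: `storage_encrypted = true` is set without a `kms_key_id` and the cluster still has no `deletion_protection`, so encryption falls back to the AWS-managed RDS key and, together with the retained `skip_final_snapshot = true`, the cluster and its data can be removed in a single destroy. For a disposable example that may be intended, but a comment such as `# AWS-managed aws/rds key; set kms_key_id to use a CMK` beside `storage_encrypted` tells readers what they are getting, and if `deletion_protection = true` is added to satisfy scanners it needs a note that it must be turned off before destroy. The switch from `allowed_security_groups` to `create_security_group = false` plus `vpc_security_group_ids` assumes the pinned rds-aurora version exposes both inputs; this example's README in the same commit still pins `~> 4` while the PostgreSQL cluster pins `~> 5`, so that is worth confirming. The same applies to the `module "rds"` hunks in the other three example main.tf files, and the `module "rds"` block begins before and continues after this hunk.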
@@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" { name = "example-aurora-db-57-parameter-group" family = "aurora-mysql5.7" description = "example-aurora-db-57-parameter-group" + + tags = local.tags } resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" { name = "example-aurora-57-cluster-parameter-group" family = "aurora-mysql5.7" description = "example-aurora-57-cluster-parameter-group" + + tags = local.tags } ################################################################################ @@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_gro resource "aws_iam_instance_profile" "ec2_test" { name_prefix = local.name role = aws_iam_role.ec2_test.name + + tags = local.tags } data "aws_iam_policy_document" "ec2_test_assume" { @@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" { name_prefix = local.name force_detach_policies = true assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json + + tags = local.tags } data "aws_iam_policy_document" "ec2_test" { @@ -171,14 +196,23 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "~> 2" + version = "~> 3" - name = local.name - instance_count = 1 + name = local.name - associate_public_ip_address = true - iam_instance_profile = aws_iam_instance_profile.ec2_test.name - user_data = <<-EOT + monitoring = true + ebs_optimized = true + metadata_options = { + http_endpoint = "disabled" + } + root_block_device = [ + { + encrypted = true + } + ] + + iam_instance_profile = aws_iam_instance_profile.ec2_test.name + user_data = <<-EOT #!/usr/bin/env bash mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem 
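Review bot: `metadata_options = { http_endpoint = "disabled" }` switches the instance metadata service off entirely while the same block attaches `iam_instance_profile = aws_iam_instance_profile.ec2_test.name`; the SDK and CLI on the instance fetch that role's credentials from IMDS, so with the endpoint disabled the instance profile is unusable and anything that depends on it (the SSM agent implied by the `/home/ssm-user/` path in user_data, and presumably the IAM database token generation this example exists to validate) cannot run. The hardening scanners look for is IMDSv2 enforcement rather than removal: `metadata_options = { http_endpoint = "enabled", http_tokens = "required", http_put_response_hop_limit = 1 }`. The same `module "ec2_instance"` hunk appears in examples/mysql_iam_instance/main.tf, examples/postgresql_iam_cluster/main.tf and examples/postgresql_iam_instance/main.tf. The `module "ec2_instance"` block continues past the end of this hunk.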
@@ -191,7 +225,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" vpc_security_group_ids = [module.ec2_sg.security_group_id] - subnet_ids = module.vpc.private_subnets + subnet_id = element(module.vpc.private_subnets, 0) tags = local.tags } diff --git a/examples/mysql_iam_instance/README.md b/examples/mysql_iam_instance/README.md index 845dae1..4d38367 100644 --- a/examples/mysql_iam_instance/README.md +++ b/examples/mysql_iam_instance/README.md @@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.38 | -| [random](#provider\_random) | n/a | +| [aws](#provider\_aws) | 3.59.0 | +| [random](#provider\_random) | 3.1.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 | | [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 | -| [rds\_proxy](#module\_rds\_proxy) | ../../ | | +| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | diff --git a/examples/mysql_iam_instance/main.tf b/examples/mysql_iam_instance/main.tf index 8f43934..5e7ee5e 100644 --- a/examples/mysql_iam_instance/main.tf +++ b/examples/mysql_iam_instance/main.tf 
@@ -48,8 +48,21 @@ module "vpc" { private_subnets = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"] database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"] - enable_nat_gateway = true - single_nat_gateway = true + create_database_subnet_group = true + enable_nat_gateway = true + single_nat_gateway = true + map_public_ip_on_launch = false + + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}" tags = local.tags } @@ -94,11 +107,16 @@ module "rds" { port = 3306 instance_class = "db.t3.micro" allocated_storage = 5 - storage_encrypted = false + storage_encrypted = true apply_immediately = true + enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"] + monitoring_interval = 60 + create_monitoring_role = true + vpc_security_group_ids = [module.rds_sg.security_group_id] subnet_ids = module.vpc.database_subnets + multi_az = true maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" @@ -115,6 +133,8 @@ module "rds" { resource "aws_iam_instance_profile" "ec2_test" { name_prefix = local.name role = aws_iam_role.ec2_test.name + + tags = local.tags } data "aws_iam_policy_document" "ec2_test_assume" { 
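Review bot: `create_database_subnet_group = true` is new here, but the `module "rds"` block in this file is still given `subnet_ids = module.vpc.database_subnets`, which makes the rds module create its own subnet group, so two subnet groups over the same subnets are created unless `db_subnet_group_name` is passed somewhere outside the hunk. Either drop the new line (the cluster examples need it because they pass `db_subnet_group_name = local.name`), or hand the VPC's group to the rds module and set `create_db_subnet_group = false` there. The same pair of lines appears in examples/postgresql_iam_instance/main.tf. The `module "vpc"` block begins before this hunk.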
@@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" { name_prefix = local.name force_detach_policies = true assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json + + tags = local.tags } data "aws_iam_policy_document" "ec2_test" { @@ -181,14 +203,23 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "~> 2" + version = "~> 3" - name = local.name - instance_count = 1 + name = local.name - associate_public_ip_address = true - iam_instance_profile = aws_iam_instance_profile.ec2_test.name - user_data = <<-EOT + monitoring = true + ebs_optimized = true + metadata_options = { + http_endpoint = "disabled" + } + root_block_device = [ + { + encrypted = true + } + ] + + iam_instance_profile = aws_iam_instance_profile.ec2_test.name + user_data = <<-EOT #!/usr/bin/env bash mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem @@ -201,7 +232,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" vpc_security_group_ids = [module.ec2_sg.security_group_id] - subnet_ids = module.vpc.private_subnets + subnet_id = element(module.vpc.private_subnets, 0) tags = local.tags } diff --git a/examples/postgresql_iam_cluster/README.md b/examples/postgresql_iam_cluster/README.md index 5dee515..1103396 100644 --- a/examples/postgresql_iam_cluster/README.md +++ b/examples/postgresql_iam_cluster/README.md 
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.38 | -| [random](#provider\_random) | n/a | +| [aws](#provider\_aws) | 3.59.0 | +| [random](#provider\_random) | 3.1.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 | | [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 | -| [rds\_proxy](#module\_rds\_proxy) | ../../ | | +| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | diff --git a/examples/postgresql_iam_cluster/main.tf b/examples/postgresql_iam_cluster/main.tf index c77a769..854ac1d 100644 --- a/examples/postgresql_iam_cluster/main.tf +++ b/examples/postgresql_iam_cluster/main.tf 
@@ -51,6 +51,18 @@ module "vpc" { create_database_subnet_group = true enable_nat_gateway = true single_nat_gateway = true + map_public_ip_on_launch = false + + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}" tags = local.tags } @@ -71,13 +83,18 @@ module "rds" { engine_version = "11.9" replica_count = 1 instance_type = "db.t3.medium" - storage_encrypted = false + storage_encrypted = true apply_immediately = true skip_final_snapshot = true - vpc_id = module.vpc.vpc_id - subnets = module.vpc.database_subnets - allowed_security_groups = [module.rds_proxy_sg.security_group_id] + enabled_cloudwatch_logs_exports = ["postgresql"] + monitoring_interval = 60 + create_monitoring_role = true + + vpc_id = module.vpc.vpc_id + subnets = module.vpc.database_subnets + create_security_group = false + vpc_security_group_ids = [module.rds_proxy_sg.security_group_id] db_subnet_group_name = local.name # Created by VPC module db_parameter_group_name = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id 
@@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_postgres11_parameter_group" { name = "example-aurora-db-postgres11-parameter-group" family = "aurora-postgresql11" description = "test-aurora-db-postgres11-parameter-group" + + tags = local.tags } resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_group" { name = "example-aurora-postgres11-cluster-parameter-group" family = "aurora-postgresql11" description = "example-aurora-postgres11-cluster-parameter-group" + + tags = local.tags } ################################################################################ @@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_ resource "aws_iam_instance_profile" "ec2_test" { name_prefix = local.name role = aws_iam_role.ec2_test.name + + tags = local.tags } data "aws_iam_policy_document" "ec2_test_assume" { @@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" { name_prefix = local.name force_detach_policies = true assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json + + tags = local.tags } data "aws_iam_policy_document" "ec2_test" { @@ -171,14 +196,23 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "~> 2" + version = "~> 3" - name = local.name - instance_count = 1 + name = local.name - associate_public_ip_address = true - iam_instance_profile = aws_iam_instance_profile.ec2_test.name - user_data = <<-EOT + monitoring = true + ebs_optimized = true + metadata_options = { + http_endpoint = "disabled" + } + root_block_device = [ + { + encrypted = true + } + ] + + iam_instance_profile = aws_iam_instance_profile.ec2_test.name + user_data = <<-EOT #!/usr/bin/env bash mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem 
@@ -191,7 +225,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" vpc_security_group_ids = [module.ec2_sg.security_group_id] - subnet_ids = module.vpc.private_subnets + subnet_id = element(module.vpc.private_subnets, 0) tags = local.tags } diff --git a/examples/postgresql_iam_instance/README.md b/examples/postgresql_iam_instance/README.md index 2b13080..b81878f 100644 --- a/examples/postgresql_iam_instance/README.md +++ b/examples/postgresql_iam_instance/README.md @@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.38 | -| [random](#provider\_random) | n/a | +| [aws](#provider\_aws) | 3.59.0 | +| [random](#provider\_random) | 3.1.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 | +| [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 | | [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 | -| [rds\_proxy](#module\_rds\_proxy) | ../../ | | +| [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 | diff --git a/examples/postgresql_iam_instance/main.tf b/examples/postgresql_iam_instance/main.tf index 240ecd9..cf9f823 100644 --- a/examples/postgresql_iam_instance/main.tf +++ b/examples/postgresql_iam_instance/main.tf 
@@ -48,8 +48,21 @@ module "vpc" { private_subnets = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"] database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"] - enable_nat_gateway = true - single_nat_gateway = true + create_database_subnet_group = true + enable_nat_gateway = true + single_nat_gateway = true + map_public_ip_on_launch = false + + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + flow_log_log_format = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}" tags = local.tags } @@ -94,11 +107,16 @@ module "rds" { port = 5432 instance_class = "db.t3.micro" allocated_storage = 5 - storage_encrypted = false + storage_encrypted = true apply_immediately = true + enabled_cloudwatch_logs_exports = ["postgresql"] + monitoring_interval = 60 + create_monitoring_role = true + vpc_security_group_ids = [module.rds_sg.security_group_id] subnet_ids = module.vpc.database_subnets + multi_az = true maintenance_window = "Mon:00:00-Mon:03:00" backup_window = "03:00-06:00" @@ -115,6 +133,8 @@ module "rds" { resource "aws_iam_instance_profile" "ec2_test" { name_prefix = local.name role = aws_iam_role.ec2_test.name + + tags = local.tags } data "aws_iam_policy_document" "ec2_test_assume" { @@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" { name_prefix = local.name force_detach_policies = true assume_role_policy = data.aws_iam_policy_document.ec2_test_assume.json + + tags = local.tags } data "aws_iam_policy_document" "ec2_test" { 
@@ -181,14 +203,23 @@ module "ec2_sg" { module "ec2_instance" { source = "terraform-aws-modules/ec2-instance/aws" - version = "~> 2" + version = "~> 3" - name = local.name - instance_count = 1 + name = local.name - associate_public_ip_address = true - iam_instance_profile = aws_iam_instance_profile.ec2_test.name - user_data = <<-EOT + monitoring = true + ebs_optimized = true + metadata_options = { + http_endpoint = "disabled" + } + root_block_device = [ + { + encrypted = true + } + ] + + iam_instance_profile = aws_iam_instance_profile.ec2_test.name + user_data = <<-EOT #!/usr/bin/env bash mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem @@ -201,7 +232,7 @@ module "ec2_instance" { ami = data.aws_ami.ubuntu.id instance_type = "t3.micro" vpc_security_group_ids = [module.ec2_sg.security_group_id] - subnet_ids = module.vpc.private_subnets + subnet_id = element(module.vpc.private_subnets, 0) tags = local.tags }