From 9bc545587154d7d87dbee30be732f78b076f7d86 Mon Sep 17 00:00:00 2001 From: Brad Janke Date: Mon, 6 Nov 2023 14:53:47 -0600 Subject: [PATCH] aws-shield is now able to protect alb's from ingress-groups (#897) Co-authored-by: cloudpossebot Co-authored-by: Dan Miller --- modules/aws-shield/README.md | 2 ++ modules/aws-shield/alb.tf | 2 +- modules/aws-shield/main.tf | 2 +- modules/aws-shield/remote-state.tf | 9 +++++++++ modules/aws-shield/variables.tf | 6 ++++++ 5 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 modules/aws-shield/remote-state.tf diff --git a/modules/aws-shield/README.md b/modules/aws-shield/README.md index d20d875c5..b6345477e 100644 --- a/modules/aws-shield/README.md +++ b/modules/aws-shield/README.md @@ -102,6 +102,7 @@ This leads to more simplified inter-component dependencies and minimizes the nee | Name | Source | Version | |------|--------|---------| +| [alb](#module\_alb) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -126,6 +127,7 @@ This leads to more simplified inter-component dependencies and minimizes the nee |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
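Review bot: In alb.tf the fallback branch `toset([module.alb[0].outputs.load_balancer_name])` hands the remote component's output to `data.aws_alb` as `name` unchecked; if that output is null (component not applied yet, or its remote state unreadable) the data source errors out instead of protecting nothing, and the three-way nested ternary makes that path hard to spot. Hoisting the name selection into a local in main.tf reads better and gives a place for a guard: `alb_names = length(var.alb_names) > 0 ? var.alb_names : compact([module.alb[0].outputs.load_balancer_name])` and then `for_each = local.alb_protection_enabled ? toset(local.alb_names) : []`. Whether `compact` drops null elements depends on the Terraform version this module pins, which the diff does not show — confirm before relying on it.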
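Review bot: The new `alb_protection_enabled` local in main.tf references itself (`local.enabled && local.alb_protection_enabled`), which Terraform rejects as a self-referential local; the right-hand side should read `var.alb_protection_enabled`. Separately, the old `length(var.alb_names) > 0` trigger is dropped, so any stack that already sets `alb_names` but does not opt into the new flag (default `false`) silently loses Shield Advanced protection on its load balancers after this upgrade — a quiet security regression rather than a plan error. Keeping the old trigger alongside the flag avoids that: `alb_protection_enabled = local.enabled && (var.alb_protection_enabled || length(var.alb_names) > 0)`. If requiring the flag is intended, the README should call out the breaking change so operators re-enable protection deliberately.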
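Review bot: In remote-state.tf `count = length(var.alb_names) > 0 ? 0 : 1` instantiates the remote-state lookup of `eks/alb-controller-ingress-group` whenever `alb_names` is empty, which is the default, so every stack using this component without ALB protection now reads that component's state and fails where it is not deployed (with `alb_protection_enabled` defaulting to `false`, this is the common case). The count should also be gated on the flag and on the module's enabled state: `count = local.enabled && var.alb_protection_enabled && length(var.alb_names) == 0 ? 1 : 0`. Whether the remote-state module offers a way to tolerate a missing component cannot be seen from this diff; if it does, using it here would be the softer fallback.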
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [alb\_names](#input\_alb\_names) | list of ALB names which will be protected with AWS Shield Advanced | `list(string)` | `[]` | no | +| [alb\_protection\_enabled](#input\_alb\_protection\_enabled) | Enable ALB protection. By default, ALB names are read from the EKS cluster ALB control group | `bool` | `false` | no | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | | [cloudfront\_distribution\_ids](#input\_cloudfront\_distribution\_ids) | list of CloudFront Distribution IDs which will be protected with AWS Shield Advanced | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | diff --git a/modules/aws-shield/alb.tf b/modules/aws-shield/alb.tf index e1238519d..ff0eac196 100644 --- a/modules/aws-shield/alb.tf +++ b/modules/aws-shield/alb.tf @@ -1,5 +1,5 @@ data "aws_alb" "alb" { - for_each = local.alb_protection_enabled ? toset(var.alb_names) : [] + for_each = local.alb_protection_enabled == false ? [] : length(var.alb_names) > 0 ? toset(var.alb_names) : toset([module.alb[0].outputs.load_balancer_name]) name = each.key } diff --git a/modules/aws-shield/main.tf b/modules/aws-shield/main.tf index bed51d5f6..097d0a3e9 100644 --- a/modules/aws-shield/main.tf +++ b/modules/aws-shield/main.tf @@ -7,7 +7,7 @@ locals { # Used to determine correct partition (i.e. - `aws`, `aws-gov`, `aws-cn`, etc.) partition = one(data.aws_partition.current[*].partition) - alb_protection_enabled = local.enabled && length(var.alb_names) > 0 + alb_protection_enabled = local.enabled && local.alb_protection_enabled cloudfront_distribution_protection_enabled = local.enabled && length(var.cloudfront_distribution_ids) > 0 eip_protection_enabled = local.enabled && length(var.eips) > 0 route53_protection_enabled = local.enabled && length(var.route53_zone_names) > 0 diff --git a/modules/aws-shield/remote-state.tf b/modules/aws-shield/remote-state.tf new file mode 100644 index 000000000..98b19290f --- /dev/null +++ b/modules/aws-shield/remote-state.tf @@ -0,0 +1,9 @@ +module "alb" { + count = length(var.alb_names) > 0 ? 0 : 1 + source = "cloudposse/stack-config/yaml//modules/remote-state" + version = "1.5.0" + + component = "eks/alb-controller-ingress-group" + + context = module.this.context +} diff --git a/modules/aws-shield/variables.tf b/modules/aws-shield/variables.tf index bcf1c1b9e..882e3fb86 100644 --- a/modules/aws-shield/variables.tf +++ b/modules/aws-shield/variables.tf 
@@ -9,6 +9,12 @@ variable "alb_names" {
 default = []
 }
 
+variable "alb_protection_enabled" {
+ description = "Enable ALB protection. By default, ALB names are read from the EKS cluster ALB control group"
+ type = bool
+ default = false
+}
+
 variable "cloudfront_distribution_ids" {
 description = "list of CloudFront Distribution IDs which will be protected with AWS Shield Advanced"
 type = list(string)
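Review bot: The description of `alb_protection_enabled` says names come from "the EKS cluster ALB control group", but the remote-state lookup added in this change targets the `eks/alb-controller-ingress-group` component and only applies when `alb_names` is empty; neither fact is stated, and this text is what lands in the generated README. Suggest `description = "Enable AWS Shield Advanced protection for ALBs. When alb_names is empty, the ALB name is read from the remote state of the eks/alb-controller-ingress-group component"`. It is also worth saying in the description that with the default `false`, setting `alb_names` alone no longer enables protection, so operators upgrading know to set this flag.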