Merge pull request #4 from zoitech/add_variables

Updated to terraform 0.12

CHANGELOG.md

@@ -0,0 +1,17 @@
+## 1.0.1
+
+BUG FIXES:
+
+* added variables ([#2](https://github.com/zoitech/terraform-aws-config/issues/2))
+
+BACKWARDS INCOMPATIBILITIES / NOTES:
+
+* Terraform version 0.12.x ([#3](https://github.com/zoitech/terraform-aws-config/issues/3))
+
+ENHANCEMENTS:
+
+* Added readme
+
+## 1.0.0
+
+* Initial commit

cloudwatch.tf

@@ -2,3 +2,4 @@ resource "aws_cloudwatch_log_group" "s3_webserver_buckets_cloudwatch" {
   name              = "/aws/lambda/${aws_lambda_function.s3_webserver_buckets.function_name}"
   retention_in_days = 14
 }
+

config.tf

@@ -21,11 +21,13 @@ resource "aws_config_organization_managed_rule" "accessKeyRotated" {
   }
 EOF
 
+
   rule_identifier = "ACCESS_KEYS_ROTATED"
 }
 
 resource "aws_config_organization_managed_rule" "dbInstanceBackupEnabled" {
-  name             = "db_instance_backup_enabled"
+  name = "db_instance_backup_enabled"
+  # https://docs.aws.amazon.com/config/latest/developerguide/db-instance-backup-enabled.html
   input_parameters = <<EOF
   {
     "backupRetentionPeriod" : "${var.dbInstanceBackupEnabled_RetentionPeriod}",
@@ -34,6 +36,7 @@ resource "aws_config_organization_managed_rule" "dbInstanceBackupEnabled" {
   }
 EOF
 
+
   rule_identifier = "DB_INSTANCE_BACKUP_ENABLED"
 }
 
@@ -50,12 +53,15 @@ resource "aws_config_organization_managed_rule" "elasticsearchInVpcOnly" {
 }
 
 resource "aws_config_organization_managed_rule" "elbLoggingEnabled" {
-  name             = "elb_logging_enabled"
+  name = "elb_logging_enabled"
+  # https://docs.aws.amazon.com/config/latest/developerguide/elb-logging-enabled.html
   input_parameters = <<EOF
   {
     "s3BucketNames" : "${var.elbLoggingEnabled_s3BucketNames}"
   }
-  EOF
+  
+EOF
+
 
   rule_identifier = "ELB_LOGGING_ENABLED"
 }
@@ -77,14 +83,14 @@ resource "aws_config_organization_custom_rule" "s3WebserverBuckets" {
   name = "s3_webserver_buckets"
 
   #depends_on = ["aws_config_configuration_recorder.config-recorder", "aws_lambda_permission.s3_webserver_buckets_config_permissions"]
-  lambda_function_arn = "${aws_lambda_function.s3_webserver_buckets.arn}"
+  lambda_function_arn = aws_lambda_function.s3_webserver_buckets.arn
   trigger_types       = ["ScheduledNotification"]
 }
 
 resource "aws_config_organization_custom_rule" "iam_console_login" {
   name = "iam_console_login"
 
-  lambda_function_arn = "${aws_lambda_function.iam_console_login.arn}"
+  lambda_function_arn = aws_lambda_function.iam_console_login.arn
   trigger_types       = ["ScheduledNotification"]
 }
 

iam_lambda.tf

@@ -16,11 +16,12 @@ resource "aws_iam_role" "s3_webserver_buckets_role" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_policy" "lambda_logging" {
-  name = "lambda_logging"
-  path = "/"
+  name        = "lambda_logging"
+  path        = "/"
   description = "Allows Lambda functions to write to CloudWatch"
 
   policy = <<EOF
@@ -39,11 +40,12 @@ resource "aws_iam_policy" "lambda_logging" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_policy" "lambda_put_config_evaluations" {
-  name = "lambda-put-config-evaluations"
-  path = "/"
+  name        = "lambda-put-config-evaluations"
+  path        = "/"
   description = "Allows Lambda to put an evaluation to AWS Config"
 
   policy = <<EOF
@@ -59,25 +61,24 @@ resource "aws_iam_policy" "lambda_put_config_evaluations" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_cloudwatch" {
-  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
-  policy_arn = "${aws_iam_policy.lambda_logging.arn}"
+  role       = aws_iam_role.s3_webserver_buckets_role.name
+  policy_arn = aws_iam_policy.lambda_logging.arn
 }
 
 resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_attachment_s3readonly" {
-  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
+  role       = aws_iam_role.s3_webserver_buckets_role.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "s3_webserver_buckets_attachment_config_putevaluation" {
-  role       = "${aws_iam_role.s3_webserver_buckets_role.name}"
-  policy_arn = "${aws_iam_policy.lambda_put_config_evaluations.arn}"
+  role       = aws_iam_role.s3_webserver_buckets_role.name
+  policy_arn = aws_iam_policy.lambda_put_config_evaluations.arn
 }
 
-
-
 resource "aws_iam_role" "iam_console_login_role" {
   name = "lambda-iam-console-login"
 
@@ -96,21 +97,22 @@ resource "aws_iam_role" "iam_console_login_role" {
   ]
 }
 EOF
+
 }
 
 resource "aws_iam_role_policy_attachment" "iam_console_login_iam_read_only" {
-  role       = "${aws_iam_role.iam_console_login_role.name}"
+  role       = aws_iam_role.iam_console_login_role.name
   policy_arn = "arn:aws:iam::aws:policy/IAMReadOnlyAccess"
 }
 
 resource "aws_iam_role_policy_attachment" "iam_console_login_cloudwatch" {
-  role       = "${aws_iam_role.iam_console_login_role.name}"
-  policy_arn = "${aws_iam_policy.lambda_logging.arn}"
+  role       = aws_iam_role.iam_console_login_role.name
+  policy_arn = aws_iam_policy.lambda_logging.arn
 }
 
 resource "aws_iam_role_policy_attachment" "iam_console_login_config" {
-  role = "${aws_iam_role.iam_console_login_role.name}"
-  policy_arn = "${aws_iam_policy.lambda_put_config_evaluations.arn}"
+  role       = aws_iam_role.iam_console_login_role.name
+  policy_arn = aws_iam_policy.lambda_put_config_evaluations.arn
 }
 
 resource "aws_iam_role" "aws_config_recorder" {
@@ -131,4 +133,6 @@ resource "aws_iam_role" "aws_config_recorder" {
   ]
 }
 EOF
+
 }
+

lambda.tf

@@ -1,26 +1,27 @@
 resource "aws_lambda_function" "s3_webserver_buckets" {
   filename      = "lambda/s3_webserver_buckets.zip"
   function_name = "s3_webserver_buckets"
-  role          = "${aws_iam_role.s3_webserver_buckets_role.arn}"
+  role          = aws_iam_role.s3_webserver_buckets_role.arn
   handler       = "s3_webserver_buckets.lambda_handler"
-  timeout       = "${var.lambda_timeout}"
+  timeout       = var.lambda_timeout
 
   runtime = "python3.7"
 }
 
 resource "aws_lambda_permission" "s3_webserver_buckets_config_permissions" {
   action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.s3_webserver_buckets.arn}"
+  function_name = aws_lambda_function.s3_webserver_buckets.arn
   principal     = "config.amazonaws.com"
   statement_id  = "AllowExecutionFromConfig"
 }
 
 resource "aws_lambda_function" "iam_console_login" {
   filename      = "lambda/iam_console_login.zip"
   function_name = "iam_console_login"
-  role          = "${aws_iam_role.iam_console_login_role.arn}"
+  role          = aws_iam_role.iam_console_login_role.arn
   handler       = "iam_console_login.lambda_handler"
-  timeout       = "${var.lambda_timeout}"
+  timeout       = var.lambda_timeout
 
   runtime = "python3.7"
 }
+

variables.tf

@@ -1,43 +1,44 @@
 # aws_config_organization_managed_rule - resourcesTagged
-variable required_tags {
+variable "required_tags" {
   # https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
   description = "A map of the required tag keys and/or values to evaluate"
   type        = map(string)
   default = {
-    "tag1Key" : "owner"
+    "tag1Key" = "owner"
   }
 }
 
 # aws_config_organization_managed_rule - accessKeyRotated
-variable accessKeyRotated_maxAccessKeyAge {
+variable "accessKeyRotated_maxAccessKeyAge" {
   description = "Every Access Key will be defined as Non-Compliant after exceeding the number of days defined in this variable"
   default     = 30
 }
 
 # aws_config_organization_managed_rule - dbInstanceBackupEnabled
-variable dbInstanceBackupEnabled_RetentionPeriod {
+variable "dbInstanceBackupEnabled_RetentionPeriod" {
   description = "The retention period in days for the RDS Databases to check"
   default     = 30
 }
 
-variable dbInstanceBackupEnabled_PreferredBackupWindow {
+variable "dbInstanceBackupEnabled_PreferredBackupWindow" {
   description = "The format is hh24:min-hh24:min. Example: 23:00-02:00"
   default     = "22:00-24:00"
 }
 
-variable dbInstanceBackupEnabled_CheckReadReplicas {
+variable "dbInstanceBackupEnabled_CheckReadReplicas" {
   description = "Defines if AWS Config should Check if the RDS instance has backups enabled for the ReadReplicas"
   default     = true
 }
 
 # aws_config_organization_managed_rule - elbLoggingEnabled
-variable elbLoggingEnabled_s3BucketNames {
+variable "elbLoggingEnabled_s3BucketNames" {
   description = "Comma separated list of S3 bucket names for ELB to deliver the log files"
   default     = "backup"
 }
 
 # aws_lambda_function - s3_webserver_buckets
-variable lambda_timeout {
+variable "lambda_timeout" {
   description = "The timeout for the custom lambda scripts which define more custom AWS Config rules"
   default     = 30
 }
+

versions.tf

@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}