From 85e2aa3bebc94375d27c3d4c8a0597cba8b9952c Mon Sep 17 00:00:00 2001 From: "alexander.miehe" Date: Tue, 20 Aug 2024 09:36:27 +0200 Subject: [PATCH] PLT-921 - Move the bucket to a separate module * move the bucket to a module to ensure latest security features enabled, as mentioned by security hub * move aws_s3_bucket_object to aws_s3_object as it is deprecated --- README.md | 8 +++++--- main.tf | 25 ++++++++++++++----------- variables.tf | 6 ++++++ 3 files changed, 25 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b6ce8a1..c353a48 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,9 @@ This module will create lambda for new relic log ingestion. ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [lambda\_newrelic\_resource\_bucket](#module\_lambda\_newrelic\_resource\_bucket) | github.com/terraform-aws-modules/terraform-aws-s3-bucket | v4.1.2 | ## Resources 
@@ -29,8 +31,7 @@ No modules. | [aws_cloudformation_stack.newrelic_lambda_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource | | [aws_cloudformation_stack.newrelic_license_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource | | [aws_cloudformation_stack.newrelic_log_ingestion](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource | -| [aws_s3_bucket.lambda_newrelic_resource](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_object.newrelic_log_ingestion_zip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object) | resource | +| [aws_s3_object.newrelic_log_ingestion_zip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | | [random_string.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_ssm_parameter.newrelic_account_number](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | | [aws_ssm_parameter.newrelic_license_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | @@ -42,6 +43,7 @@ No modules. | [newrelic\_account\_number](#input\_newrelic\_account\_number) | n/a | `string` | `""` | no | | [newrelic\_license\_key\_path](#input\_newrelic\_license\_key\_path) | n/a | `string` | `""` | no | | [region](#input\_region) | n/a | `string` | `"eu-central-1"` | no | +| [tags](#input\_tags) | Map of custom tags for the provisioned resources | `map(string)` | `{}` | no | ## Outputs diff --git a/main.tf b/main.tf index 9717869..46fe7d7 100644 --- a/main.tf +++ b/main.tf 
@@ -1,3 +1,8 @@
+moved {
+ from = aws_s3_bucket.lambda_newrelic_resource
+ to = module.lambda_newrelic_resource_bucket.aws_s3_bucket.this[0]
+}
+
 locals {
 name = "newrelic-${random_string.this.result}"
 }
@@ -7,17 +12,15 @@ resource "random_string" "this" {
 special = false
 }
 
-resource "aws_s3_bucket" "lambda_newrelic_resource" {
- bucket_prefix = "lambda-newrelic-resource"
- acl = "private"
-
- tags = {
- Name = "Created by Terraform"
- }
+module "lambda_newrelic_resource_bucket" {
+ source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v4.1.2"
+ tags = var.tags
+ bucket_prefix = "lambda-newrelic-resource"
+ attach_deny_insecure_transport_policy = true
 }
 
-resource "aws_s3_bucket_object" "newrelic_log_ingestion_zip" {
- bucket = aws_s3_bucket.lambda_newrelic_resource.id
+resource "aws_s3_object" "newrelic_log_ingestion_zip" {
+ bucket = module.lambda_newrelic_resource_bucket.s3_bucket_id
 key = "newrelic-log-ingestion-2.3.5.zip"
 source = "${path.module}/newrelic-log-ingestion.zip"
 etag = filemd5("${path.module}/newrelic-log-ingestion.zip")
@@ -28,8 +31,8 @@ resource "aws_cloudformation_stack" "newrelic_log_ingestion" {
 template_body = file("${path.module}/newrelic-log-ingestion.yaml")
 capabilities = ["CAPABILITY_AUTO_EXPAND", "CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
 parameters = {
- Bucket = aws_s3_bucket.lambda_newrelic_resource.id
- Key = aws_s3_bucket_object.newrelic_log_ingestion_zip.id
+ Bucket = module.lambda_newrelic_resource_bucket.s3_bucket_id
+ Key = aws_s3_object.newrelic_log_ingestion_zip.id
 NewRelicLicenseKey = data.aws_ssm_parameter.newrelic_license_key.value
 }
 }
diff --git a/variables.tf b/variables.tf
index f46a909..38f69e3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,3 +12,9 @@ variable "region" {
 type = string
 default = "eu-central-1"
 }
+
+variable "tags" {
+ description = "Map of custom tags for the provisioned resources"
+ type = map(string)
+ default = {}
+}
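Review bot: The `moved` block covers only the bucket; the `aws_s3_bucket_object` to `aws_s3_object` rename in the next hunk has no counterpart, so the next apply will destroy and re-create the zip object (a `moved` between different resource types is only accepted where the Terraform and provider versions in use support it, and nothing on this page pins them). Re-uploading the same key into the same bucket is probably harmless, but the CloudFormation stack reads `Key` from that object and the plan will show a replacement, so it is worth stating in the description. The `this[0]` target also assumes the module still creates the bucket under a count of one; confirm that against the pinned v4.1.2 source before relying on the state move.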
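Review bot: The module call enables only `attach_deny_insecure_transport_policy`; everything else the commit message attributes to Security Hub (public access block, default encryption, versioning) is left to the module's defaults, which this hunk does not pin, so state the intended posture explicitly through the module's `server_side_encryption_configuration`, `versioning` and block-public-access inputs (check the exact input names and shapes against the v4.1.2 README) so a future module bump cannot silently weaken it. The removed resource carried `acl = "private"` and a `Name = "Created by Terraform"` tag; with `tags = var.tags` and the `default = {}` added in the variables.tf hunk, existing deployments that pass no tags lose that tag on apply, so either keep a default `Name` entry or call the drop out in the description. `source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v4.1.2"` pins a git tag, which is mutable; for a module that now owns the bucket policy, pinning the commit SHA behind that tag is the stronger supply-chain control.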