answerdigital / terraform-modules
The repo for the infrastructure as code
License: MIT License
There is an issue where there are too many clones, meaning we are hitting the threshold of too many requests sometimes when all the pipelines run.
I propose the following fix: use base-ref and head-ref to determine whether a file has changed, and then only execute the necessary actions instead of rebuilding the necessary fixes.
Note: This is absolutely required if we plug in Terratest.
https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/require-vpc-flow-logs-for-all-vpcs/
@chrisbloe Another one that might have an impact on cost. Do we want to include this by default?
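The following is an added example, not code from the terraform-modules repo, of what the tfsec check linked above asks for: a flow log on a VPC delivered to CloudWatch Logs. var.vpc_id and var.flow_log_retention_days are assumed module inputs; the log group retention is the main cost lever a project can tune.

```hcl
# Added example (not from the repo): VPC Flow Logs to CloudWatch Logs, which
# satisfies tfsec's require-vpc-flow-logs-for-all-vpcs check.
variable "vpc_id" { type = string }

variable "flow_log_retention_days" {
  type    = number
  default = 30 # retention drives the storage cost; projects can lower it
}

resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/aws/vpc/flow-logs/${var.vpc_id}"
  retention_in_days = var.flow_log_retention_days
}

# Role the VPC Flow Logs service assumes to write into the log group.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "vpc-flow-logs-${var.vpc_id}"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: only the log-writing actions, only on this log group.
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["${aws_cloudwatch_log_group.flow_logs.arn}:*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

resource "aws_flow_log" "vpc" {
  vpc_id          = var.vpc_id
  traffic_type    = "ALL" # accepted and rejected traffic, needed for investigations
  log_destination = aws_cloudwatch_log_group.flow_logs.arn
  iam_role_arn    = aws_iam_role.flow_logs.arn
}
```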
On a forked PR, i.e. #77, the pipeline does not execute because pull requests from forked branches do not have access to the github.event.pull_request.head.ref variable.
This is for security reasons; we need to come up with something that will fix this and ideally not hamper the security of any GitHub secrets (if we choose to have them).
Create an ELB module that will allow the creation of an ELB, provided a set of instances to add to the load balancer.
It should be made so that it will receive traffic on a port and redistribute traffic to the instance port on the specified listeners.
The goal of this module is to allow us to simplify the process of creating a load balancer so that, given a set of 2 private EC2s or resources on private IPs, we can provide the port on which the application sits and put those in front of a public-facing load balancer to route traffic to.
Inputs
Outputs
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb for info on setting this up.
Testing
This will need fairly rigorous testing to ensure that the networking is working; ideally this will be done with the Go modules.
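An added sketch of the module described above (example code, not the repo's own ELB module): the listener list maps the port the ELB receives on to the port the application sits on, and the health check keeps unhealthy instances out of rotation. All variable names are assumptions.

```hcl
# Added example (not from the repo): a minimal aws_elb module.
variable "name"               { type = string }
variable "subnet_ids"         { type = list(string) } # public subnets for the ELB
variable "security_group_ids" { type = list(string) }
variable "instance_ids"       { type = list(string) } # private EC2s behind the ELB

# One entry per listener: the port the ELB listens on and the instance port.
variable "listeners" {
  type = list(object({
    lb_port           = number
    lb_protocol       = string
    instance_port     = number
    instance_protocol = string
  }))
  default = [{ lb_port = 80, lb_protocol = "http", instance_port = 8080, instance_protocol = "http" }]
}

resource "aws_elb" "this" {
  name            = var.name
  subnets         = var.subnet_ids
  security_groups = var.security_group_ids
  instances       = var.instance_ids
  internal        = false # public-facing, as the issue describes

  dynamic "listener" {
    for_each = var.listeners
    content {
      lb_port           = listener.value.lb_port
      lb_protocol       = listener.value.lb_protocol
      instance_port     = listener.value.instance_port
      instance_protocol = listener.value.instance_protocol
    }
  }

  # Probe the first listener's instance port; failing instances are removed
  # from rotation rather than receiving traffic.
  health_check {
    target              = "TCP:${var.listeners[0].instance_port}"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }

  cross_zone_load_balancing = true
}

output "dns_name" { value = aws_elb.this.dns_name }
```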
At the moment, the example refers to:
aws_security_group.ec2_security_group.id
This is the security group to which the EC2 belongs.
This is not actually present anywhere, and no other module provides this information.
More Information
@chrisbloe I assume this has a cost; we might want to ignore this one and delegate to the implementor if they want it. Depends if we want this?
Allow the ability to specify if this box has the ability to access the AWS console (so it can manage resources on its own network), handing it the credentials it needs.
Useful if this box is an administration box or if you need AWS credentials for other reasons.
Create a module to manage secrets and configurations of that secret using AWS Secrets Manager
Now, this is not necessarily complicated; however, research on the security considerations behind this is the important part here, and making sensible decisions on what should be configurable / what we should permanently set is key to this task.
It'd be great to have someone with a good knowledge of the security aspects of this, as there are lots of concepts which I imagine are not really considered from project to project due to time constraints.
Inputs:
We can use the Academy Org for planning; however, I recommend we create a new account in that org to do so.
This PR runs the "terraform plan" command using the provided example.tf, e.g.
cd examples
terraform plan
This will allow us to plot out the architecture and could help prevent bugs with the Terraform code. We will need examples for other modules too!
Cluster has very low backup retention period.
https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/specify-backup-retention/
RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.
@chrisbloe
I recommend the approach for this one might be for projects to decide their backup retention period by force, as there is a cost implication behind this one. Let me know if you agree? (We may provide a default for this as 1 day.)
Impact: The block device could be compromised and read from. Resolution: Turn on encryption for all block devices.
https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/ec2/enable-at-rest-encryption/
Not sure there is a cost impact associated with this one.
Update the naming policy for Terraform resource names, variables in resources called 'name', and the name key for resources that accept tags.
The naming convention has been discussed as a team.
Resource Names
In the scenario where the component has a one-to-one relationship that will never change (subject to knowledge at the time), the name of a resource should be "this".
In all other scenarios it should be an explanation of what that resource does in the context of the application.
Variables for resources called 'name'
This should follow the resource naming policy:
https://answerconsulting.jira.com/wiki/spaces/ARCH/pages/3206709249/Resource+Naming
Name Key in Tags
This should follow the resource naming policy:
https://answerconsulting.jira.com/wiki/spaces/ARCH/pages/3206709249/Resource+Naming
A user should be able to provide a pre-created SSH key for an EC2 instance, with a fallback of Terraform handling it if you don't want to make your own.
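One way to implement the key pair fallback just described (added example, not the repo's EC2 module): a caller-supplied key pair name wins, otherwise Terraform generates one. var.name, var.ami_id and var.instance_type are assumed inputs. The generated private key is stored in Terraform state, so the state backend must be treated as secret material when this path is used.

```hcl
# Added example (not from the repo): bring-your-own key pair with a generated fallback.
variable "name"          { type = string }
variable "ami_id"        { type = string }
variable "instance_type" { type = string }

variable "key_name" {
  type        = string
  default     = null
  description = "Name of an existing EC2 key pair; leave null to have Terraform create one."
}

# Only created when the caller did not bring their own key.
resource "tls_private_key" "generated" {
  count     = var.key_name == null ? 1 : 0
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "generated" {
  count      = var.key_name == null ? 1 : 0
  key_name   = "${var.name}-generated"
  public_key = tls_private_key.generated[0].public_key_openssh
}

locals {
  # one() yields null for an empty list, so coalesce() picks the caller's key
  # when given and the generated key otherwise.
  effective_key_name = coalesce(var.key_name, one(aws_key_pair.generated[*].key_name))
}

resource "aws_instance" "this" {
  ami           = var.ami_id
  instance_type = var.instance_type
  key_name      = local.effective_key_name
}

# Null when the caller supplied a key; marked sensitive so plan/apply do not print it.
output "generated_private_key_pem" {
  value     = one(tls_private_key.generated[*].private_key_pem)
  sensitive = true
}
```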
Route53 example Terraform.
See module/aws/ec2/examples/example.tf for a prior example.
This needs a bit of knowledge on domains, and possibly a sample domain to test it with; this one is a bit trickier.
Either MIT or Apache 2.0
An example.tf file, in line with the other modules, that provides a sample implementation of the Terraform.
See /modules/aws/ec2/examples/example.tf for a pre-existing example.
You will want to actually plan and deploy the modules into the Academy account.
Create a load balancer module:
There is one for MDM that has been created for reference:
https://github.com/answerdigital/AnswerDigital-MDM/blob/main/test/lb.tf
To implement the Tagging Policy
The policy is still in progress, full details will be copied in here.
https://aquasecurity.github.io/tfsec/v0.61.3/checks/aws/ec2/enforce-http-token-imds/#possible-impact
I do not think there's any cost behind this one.
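An added example, not code from the repo, covering both EC2 checks raised above: at-rest encryption of block devices (enable-at-rest-encryption) and IMDSv2 session tokens (enforce-http-token-imds) on one aws_instance. The variables are assumed module inputs.

```hcl
# Added example (not from the repo): EC2 settings that satisfy the two tfsec checks.
variable "ami_id"        { type = string }
variable "instance_type" { type = string }
variable "subnet_id"     { type = string }

variable "ebs_kms_key_id" {
  type    = string
  default = null # null => AWS-managed aws/ebs key, which has no extra charge
}

variable "extra_volumes" {
  type    = list(object({ device_name = string, size_gb = number }))
  default = []
}

resource "aws_instance" "this" {
  ami           = var.ami_id
  instance_type = var.instance_type
  subnet_id     = var.subnet_id

  # enforce-http-token-imds: require IMDSv2 so that code on the box must hold
  # a session token before it can read instance-role credentials from the
  # metadata service; hop limit 1 keeps containers from reaching it via NAT.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # enable-at-rest-encryption: the root volume is encrypted, as is every
  # additional block device attached below.
  root_block_device {
    encrypted  = true
    kms_key_id = var.ebs_kms_key_id
  }

  dynamic "ebs_block_device" {
    for_each = var.extra_volumes
    content {
      device_name = ebs_block_device.value.device_name
      volume_size = ebs_block_device.value.size_gb
      encrypted   = true
      kms_key_id  = var.ebs_kms_key_id
    }
  }
}
```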
https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/rds/encrypt-cluster-storage-data/
Assuming no cost here?
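An added example, not the repo's RDS module, that serves both the backup-retention discussion above (specify-backup-retention) and the cluster storage encryption check just linked (encrypt-cluster-storage-data). Following the proposal that projects decide retention "by force", backup_retention_period has no default and is validated against the 1 to 35 day range RDS accepts; a default of 1 can be added if the team prefers. The other variables are assumed inputs.

```hcl
# Added example (not from the repo): forced backup retention and encrypted storage.
variable "cluster_identifier" { type = string }
variable "master_username"    { type = string }

variable "master_password" {
  type      = string
  sensitive = true # kept out of plan output; source it from Secrets Manager
}

variable "backup_retention_period" {
  type        = number
  description = "Days of automated backups to keep (1-35). Longer retention costs more storage."
  # No default: each project must state the retention it is paying for.
  validation {
    condition     = var.backup_retention_period >= 1 && var.backup_retention_period <= 35
    error_message = "backup_retention_period must be between 1 and 35 days."
  }
}

variable "kms_key_id" {
  type    = string
  default = null # null => AWS-managed aws/rds key
}

resource "aws_rds_cluster" "this" {
  cluster_identifier      = var.cluster_identifier
  engine                  = "aurora-postgresql"
  master_username         = var.master_username
  master_password         = var.master_password
  backup_retention_period = var.backup_retention_period
  preferred_backup_window = "02:00-03:00"

  # encrypt-cluster-storage-data: storage encryption cannot be enabled after
  # creation, so it is fixed here rather than left configurable.
  storage_encrypted = true
  kms_key_id        = var.kms_key_id

  # Keep a final snapshot so destroying the cluster does not destroy the data.
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.cluster_identifier}-final"
}
```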