aws-ia · wellsiau-aws · Dec 18, 2024 · Dec 17, 2024 · Dec 17, 2024 · Dec 17, 2024
diff --git a/.config/.tflint.hcl b/.config/.tflint.hcl
@@ -3,7 +3,7 @@
 
 plugin "aws" {
   enabled = true
-  version = "0.22.1"
+  version = "0.54.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 

diff --git a/.config/functional_tests/pre-entrypoint-helpers.sh b/.config/functional_tests/pre-entrypoint-helpers.sh
@@ -12,8 +12,8 @@ cd ${PROJECT_PATH}
 
 #********** TFC Env Vars *************
 export AWS_DEFAULT_REGION=us-east-1
-export TFE_TOKEN=`aws secretsmanager get-secret-value --secret-id abp/tfc/token | jq -r ".SecretString"`
-export TF_TOKEN_app_terraform_io=`aws secretsmanager get-secret-value --secret-id abp/tfc/token | jq -r ".SecretString"`
+export TFE_TOKEN=`aws secretsmanager get-secret-value --secret-id abp/hcp/token --region us-west-2 | jq -r ".SecretString"`
+export TF_TOKEN_app_terraform_io=`aws secretsmanager get-secret-value --secret-id abp/hcp/token --region us-west-2 | jq -r ".SecretString"`
 
 #********** MAKEFILE *************
 echo "Build the lambda function packages"
@@ -22,7 +22,7 @@ make all
 #********** Get tfvars from SSM *************
 echo "Get *.tfvars from SSM parameter"
 aws ssm get-parameter \
-  --name "/abp/tfc/functional/tfc_org/terraform_test.tfvars" \
+  --name "/abp/hcp/functional/terraform-aws-runtask-iam-access-analyzer/terraform_tests.tfvars" \
   --with-decryption \
   --query "Parameter.Value" \
   --output "text" \

diff --git a/.gitignore b/.gitignore
@@ -18,6 +18,7 @@ crash.log
 # to change depending on the environment.
 #
 ./*.tfvars
+*.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -40,3 +41,12 @@ terraform.rc
 
 go.mod
 go.sum
+
+
+**/site-packages
+*.zip
+settings.json
+TODO.md
+.DS_Store
+.idea
+.venv
diff --git a/.header.md b/.header.md
@@ -1,6 +1,6 @@
 # terraform-runtask-iam-access-analyzer
 
-Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.
+Use this module to integrate HCP Terraform Run Tasks with AWS IAM Access Analyzer for policy validation.
 
 ![Diagram](./diagram/RunTask-EventBridge.png)
 
@@ -9,7 +9,7 @@ Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analy
 To use this module you need have the following:
 
 1. AWS account and credentials
-2. Terraform Cloud with Run Task entitlement (Business subscription or higher)
+2. HCP Terraform with Run Task entitlement (Business subscription or higher)
 
 ## Usage
 
@@ -19,9 +19,9 @@ To use this module you need have the following:
   make all
   ```
 
-* Refer to the [module_workspace](./examples/module_workspace/README.md) for steps to deploy this module in Terraform Cloud.
+* Refer to the [module_workspace](./examples/module_workspace/README.md) for steps to deploy this module in HCP Terraform.
 
-* After you deployed the [module_workspace](./examples/module_workspace/README.md), navigate to your Terraform Cloud organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
+* After you deployed the [module_workspace](./examples/module_workspace/README.md), navigate to your HCP Terraform organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
 
 * You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the [demo_workspace](./examples/demo_workspace/README.md) for more details.
 

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 <!-- BEGIN_TF_DOCS -->
 # terraform-runtask-iam-access-analyzer
 
-Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.
+Use this module to integrate HCP Terraform Run Tasks with AWS IAM Access Analyzer for policy validation.
 
 ![Diagram](./diagram/RunTask-EventBridge.png)
 
@@ -10,7 +10,7 @@ Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analy
 To use this module you need have the following:
 
 1. AWS account and credentials
-2. Terraform Cloud with Run Task entitlement (Business subscription or higher)
+2. HCP Terraform with Run Task entitlement (Business subscription or higher)
 
 ## Usage
 
@@ -20,9 +20,9 @@ To use this module you need have the following:
   make all
   ```
 
-* Refer to the [module\_workspace](./examples/module\_workspace/README.md) for steps to deploy this module in Terraform Cloud.
+* Refer to the [module\_workspace](./examples/module\_workspace/README.md) for steps to deploy this module in HCP Terraform.
 
-* After you deployed the [module\_workspace](./examples/module\_workspace/README.md), navigate to your Terraform Cloud organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
+* After you deployed the [module\_workspace](./examples/module\_workspace/README.md), navigate to your HCP Terraform organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
 
 * You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the [demo\_workspace](./examples/demo\_workspace/README.md) for more details.
 
@@ -79,25 +79,27 @@ resource "aws_iam_policy" "policy" {
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
 | <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~>2.2.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0, < 5.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >=5.72.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >=3.4.0 |
-| <a name="requirement_tfe"></a> [tfe](#requirement\_tfe) | ~>0.38.0 |
+| <a name="requirement_tfe"></a> [tfe](#requirement\_tfe) | >=0.38.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >=0.12.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_archive"></a> [archive](#provider\_archive) | ~>2.2.0 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0, < 5.0.0 |
-| <a name="provider_aws.cloudfront_waf"></a> [aws.cloudfront\_waf](#provider\_aws.cloudfront\_waf) | >= 3.73.0, < 5.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >=5.72.0 |
+| <a name="provider_aws.cloudfront_waf"></a> [aws.cloudfront\_waf](#provider\_aws.cloudfront\_waf) | >=5.72.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >=3.4.0 |
-| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | ~>0.38.0 |
+| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | >=0.38.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | >=0.12.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_runtask_cloudfront"></a> [runtask\_cloudfront](#module\_runtask\_cloudfront) | terraform-aws-modules/cloudfront/aws | 3.2.1 |
+| <a name="module_runtask_cloudfront"></a> [runtask\_cloudfront](#module\_runtask\_cloudfront) | terraform-aws-modules/cloudfront/aws | 3.4.0 |
 
 ## Resources
 
@@ -114,6 +116,7 @@ resource "aws_iam_policy" "policy" {
 | [aws_cloudwatch_log_group.runtask_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_role.runtask_callback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.runtask_edge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.runtask_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -124,6 +127,7 @@ resource "aws_iam_policy" "policy" {
 | [aws_iam_role_policy.runtask_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runtask_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.runtask_callback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.runtask_edge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.runtask_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -132,21 +136,26 @@ resource "aws_iam_policy" "policy" {
 | [aws_kms_key.runtask_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_function.runtask_callback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_function.runtask_edge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function.runtask_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
 | [aws_lambda_function_url.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function_url) | resource |
+| [aws_lambda_permission.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_secretsmanager_secret.runtask_cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret.runtask_hmac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
 | [aws_secretsmanager_secret_version.runtask_cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.runtask_hmac](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_sfn_state_machine.runtask_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource |
 | [aws_wafv2_web_acl.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [aws_wafv2_web_acl_logging_configuration.runtask_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration) | resource |
+| [random_string.solution_prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [random_uuid.runtask_cloudfront](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [random_uuid.runtask_hmac](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
 | [tfe_organization_run_task.aws_iam_analyzer](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/organization_run_task) | resource |
+| [time_sleep.wait_1800_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [archive_file.runtask_callback](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
+| [archive_file.runtask_edge](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [archive_file.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [archive_file.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [archive_file.runtask_request](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
@@ -169,12 +178,14 @@ resource "aws_iam_policy" "policy" {
 | <a name="input_deploy_waf"></a> [deploy\_waf](#input\_deploy\_waf) | Set to true to deploy CloudFront and WAF in front of the Lambda function URL | `string` | `false` | no |
 | <a name="input_event_bus_name"></a> [event\_bus\_name](#input\_event\_bus\_name) | EventBridge event bus name | `string` | `"default"` | no |
 | <a name="input_event_source"></a> [event\_source](#input\_event\_source) | EventBridge source name | `string` | `"app.terraform.io"` | no |
+| <a name="input_lambda_architecture"></a> [lambda\_architecture](#input\_lambda\_architecture) | Lambda architecture (arm64 or x86\_64) | `string` | `"x86_64"` | no |
 | <a name="input_lambda_default_timeout"></a> [lambda\_default\_timeout](#input\_lambda\_default\_timeout) | Lambda default timeout in seconds | `number` | `30` | no |
 | <a name="input_lambda_reserved_concurrency"></a> [lambda\_reserved\_concurrency](#input\_lambda\_reserved\_concurrency) | Maximum Lambda reserved concurrency, make sure your AWS quota is sufficient | `number` | `100` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name to be used on all the resources as identifier. | `string` | `"aws-ia2"` | no |
 | <a name="input_recovery_window"></a> [recovery\_window](#input\_recovery\_window) | Numbers of day Number of days that AWS Secrets Manager waits before it can delete the secret | `number` | `0` | no |
 | <a name="input_runtask_stages"></a> [runtask\_stages](#input\_runtask\_stages) | List of all supported RunTask stages | `list(string)` | <pre>[<br>  "pre_plan",<br>  "post_plan",<br>  "pre_apply"<br>]</pre> | no |
 | <a name="input_supported_policy_document"></a> [supported\_policy\_document](#input\_supported\_policy\_document) | (Optional) allow list of the supported IAM policy document | `string` | `""` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of tags to apply to resources deployed by this solution. | `map(any)` | `null` | no |
 | <a name="input_waf_managed_rule_set"></a> [waf\_managed\_rule\_set](#input\_waf\_managed\_rule\_set) | List of AWS Managed rules to use inside the WAF ACL | `list(map(string))` | <pre>[<br>  {<br>    "metric_suffix": "common",<br>    "name": "AWSManagedRulesCommonRuleSet",<br>    "priority": 10,<br>    "vendor_name": "AWS"<br>  },<br>  {<br>    "metric_suffix": "bad_input",<br>    "name": "AWSManagedRulesKnownBadInputsRuleSet",<br>    "priority": 20,<br>    "vendor_name": "AWS"<br>  }<br>]</pre> | no |
 | <a name="input_waf_rate_limit"></a> [waf\_rate\_limit](#input\_waf\_rate\_limit) | Rate limit for request coming to WAF | `number` | `100` | no |
 | <a name="input_workspace_prefix"></a> [workspace\_prefix](#input\_workspace\_prefix) | TFC workspace name prefix that allowed to run this runtask | `string` | `""` | no |
@@ -184,6 +195,6 @@ resource "aws_iam_policy" "policy" {
 | Name | Description |
 |------|-------------|
 | <a name="output_runtask_hmac"></a> [runtask\_hmac](#output\_runtask\_hmac) | HMAC key value, keep this sensitive data safe |
-| <a name="output_runtask_id"></a> [runtask\_id](#output\_runtask\_id) | The Run Tasks id configured in Terraform Cloud |
-| <a name="output_runtask_url"></a> [runtask\_url](#output\_runtask\_url) | The Run Tasks URL endpoint, you can use this to configure the Run Task setup in Terraform Cloud |
+| <a name="output_runtask_id"></a> [runtask\_id](#output\_runtask\_id) | The Run Tasks id configured in HCP Terraform |
+| <a name="output_runtask_url"></a> [runtask\_url](#output\_runtask\_url) | The Run Tasks URL endpoint, you can use this to configure the Run Task setup in HCP Terraform |
 <!-- END_TF_DOCS -->
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.0.2
+v0.1.0
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -1,9 +1,10 @@
 module "runtask_cloudfront" {
+  depends_on = [time_sleep.wait_1800_seconds]
   #checkov:skip=CKV2_AWS_42:custom domain name is optional
 
   count   = local.waf_deployment
   source  = "terraform-aws-modules/cloudfront/aws"
-  version = "3.2.1"
+  version = "3.4.0"
 
   comment             = "CloudFront for RunTask integration: ${var.name_prefix}"
   enabled             = true
@@ -12,23 +13,34 @@ module "runtask_cloudfront" {
   wait_for_deployment = true
   web_acl_id          = aws_wafv2_web_acl.runtask_waf[count.index].arn
 
+  create_origin_access_control = true
+  origin_access_control = {
+    lambda_oac_access_analyzer = {
+      description      = "CloudFront OAC to Lambda AWS-IA Access Analyzer"
+      origin_type      = "lambda"
+      signing_behavior = "always"
+      signing_protocol = "sigv4"
+    }
+  }
+
   origin = {
     runtask_eventbridge = {
       domain_name = split("/", aws_lambda_function_url.runtask_eventbridge.function_url)[2]
       custom_origin_config = {
         http_port              = 80
         https_port             = 443
         origin_protocol_policy = "https-only"
-        origin_ssl_protocols   = ["TLSv1.2"]
+        origin_ssl_protocols   = ["TLSv1"]
       }
-      custom_header = var.deploy_waf ? [local.cloudfront_custom_header] : null
+      origin_access_control = "lambda_oac_access_analyzer"
+      custom_header         = var.deploy_waf ? [local.cloudfront_custom_header] : null
     }
   }
 
   default_cache_behavior = {
     target_origin_id       = "runtask_eventbridge"
     viewer_protocol_policy = "https-only"
-   
+
     #SecurityHeadersPolicy: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-response-headers-policies.html#managed-response-headers-policies-security
     response_headers_policy_id = "67f7725c-6f97-4210-82d7-5512b31e9d03"
 
@@ -40,12 +52,21 @@ module "runtask_cloudfront" {
 
     allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
     cached_methods  = ["GET", "HEAD", "OPTIONS"]
+
+    lambda_function_association = {
+      # This function will append header x-amz-content-sha256 to allow OAC to authenticate with Lambda Function URL
+      viewer-request = {
+        lambda_arn   = aws_lambda_function.runtask_edge.qualified_arn
+        include_body = true
+      }
+    }
   }
 
   viewer_certificate = {
     cloudfront_default_certificate = true
     minimum_protocol_version       = "TLSv1.2_2021"
   }
+  tags = var.tags
 }
 
 resource "aws_cloudfront_origin_request_policy" "runtask_cloudfront" {
@@ -72,4 +93,11 @@ resource "aws_cloudfront_origin_request_policy" "runtask_cloudfront" {
   query_strings_config {
     query_string_behavior = "all"
   }
+}
+
+resource "time_sleep" "wait_1800_seconds" {
+  # wait for CloudFront Lambda@Edge removal that can take up to 30 mins / 1800s
+  # before deleting the Lambda function
+  depends_on       = [aws_lambda_function.runtask_edge]
+  destroy_duration = "1800s"
 }