aws-ia · gautambaghel · Oct 9, 2024 · Oct 10, 2024 · Oct 10, 2024 · Oct 23, 2024
diff --git a/README.md b/README.md
@@ -144,6 +144,7 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 | [aws_iam_role.runtask_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.runtask_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.runtask_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.runtask_callback](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runtask_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runtask_fulfillment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy.runtask_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -206,6 +207,7 @@ Enhance your Terraform workflows with AI-powered insights while maintaining secu
 | <a name="input_deploy_waf"></a> [deploy\_waf](#input\_deploy\_waf) | Set to true to deploy CloudFront and WAF in front of the Lambda function URL | `string` | `false` | no |
 | <a name="input_event_bus_name"></a> [event\_bus\_name](#input\_event\_bus\_name) | EventBridge event bus name | `string` | `"default"` | no |
 | <a name="input_event_source"></a> [event\_source](#input\_event\_source) | EventBridge source name | `string` | `"app.terraform.io"` | no |
+| <a name="input_github_api_token_arn"></a> [github\_api\_token\_arn](#input\_github\_api\_token\_arn) | The ARN of the secret containing the GitHub API token | `string` | `null` | no |
 | <a name="input_lambda_architecture"></a> [lambda\_architecture](#input\_lambda\_architecture) | Lambda architecture (arm64 or x86\_64) | `string` | `"x86_64"` | no |
 | <a name="input_lambda_default_timeout"></a> [lambda\_default\_timeout](#input\_lambda\_default\_timeout) | Lambda default timeout in seconds | `number` | `120` | no |
 | <a name="input_lambda_python_runtime"></a> [lambda\_python\_runtime](#input\_lambda\_python\_runtime) | Lambda Python runtime | `string` | `"python3.11"` | no |

diff --git a/examples/basic/.header.md b/examples/basic/.header.md
@@ -2,12 +2,6 @@
 
 Follow the steps below to deploy the module and attach it to your HCP Terraform (Terraform Cloud) organization.
 
-* Build and package the Lambda files
-
-  ```
-  make all
-  ```
-
 * Deploy the module
 
   ```bash

diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -3,12 +3,6 @@
 
 Follow the steps below to deploy the module and attach it to your HCP Terraform (Terraform Cloud) organization.
 
-* Build and package the Lambda files
-
-  ```
-  make all
-  ```
-
 * Deploy the module
 
   ```bash

diff --git a/examples/github/.header.md b/examples/github/.header.md
@@ -0,0 +1,35 @@
+# Usage Example
+
+Follow the steps below to deploy the module and attach it to your HCP Terraform (Terraform Cloud) organization. In order to create comments in Pull requests you'd also need GitHub API token.
+
+
+![github_example](../../images/github.png)
+
+* The GitHub token needs to be a [fine-grained personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) with the following permissions:
+
+  - Read access to metadata
+  - Read and Write access to pull requests
+
+* Deploy the module
+
+  ```bash
+  terraform init
+  terraform plan
+  terraform apply
+  ```
+
+* (Optional, if using HCP Terraform) Add the cloud block in `providers.tf`
+
+  ```hcl
+  terraform {
+
+    cloud {
+      # TODO: Change this to your HCP Terraform org name.
+      organization = "<enter your org name here>"
+      workspaces {
+        ...
+      }
+    }
+    ...
+  }
+  ```
diff --git a/examples/github/.terraform-docs.yaml b/examples/github/.terraform-docs.yaml
@@ -0,0 +1,21 @@
+formatter: markdown
+header-from: .header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+  lockfile: false
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace
diff --git a/examples/github/README.md b/examples/github/README.md
@@ -0,0 +1,84 @@
+<!-- BEGIN_TF_DOCS -->
+# Usage Example
+
+Follow the steps below to deploy the module and attach it to your HCP Terraform (Terraform Cloud) organization. In order to create comments in Pull requests you'd also need GitHub API token.
+
+![github\_example](../../images/github.png)
+
+* The GitHub token needs to be a [fine-grained personal access tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token) with the following permissions:
+
+  - Read access to metadata
+  - Read and Write access to pull requests
+
+* Deploy the module
+
+  ```bash
+  terraform init
+  terraform plan
+  terraform apply
+  ```
+
+* (Optional, if using HCP Terraform) Add the cloud block in `providers.tf`
+
+  ```hcl
+  terraform {
+
+    cloud {
+      # TODO: Change this to your HCP Terraform org name.
+      organization = "<enter your org name here>"
+      workspaces {
+        ...
+      }
+    }
+    ...
+  }
+  ```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | 5.56.1 |
+| <a name="requirement_tfe"></a> [tfe](#requirement\_tfe) | ~>0.38.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.56.1 |
+| <a name="provider_tfe"></a> [tfe](#provider\_tfe) | ~>0.38.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_hcp_tf_run_task"></a> [hcp\_tf\_run\_task](#module\_hcp\_tf\_run\_task) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret.github_api_token](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_version.github_api_token](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/resources/secretsmanager_secret_version) | resource |
+| [tfe_organization_run_task.bedrock_plan_analyzer](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/organization_run_task) | resource |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/region) | data source |
+| [tfe_organization.hcp_tf_org](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/organization) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_github_api_token"></a> [github\_api\_token](#input\_github\_api\_token) | GitHub API token for creating comments in PRs | `string` | n/a | yes |
+| <a name="input_hcp_tf_org"></a> [hcp\_tf\_org](#input\_hcp\_tf\_org) | HCP Terraform Organization name | `string` | n/a | yes |
+| <a name="input_hcp_tf_token"></a> [hcp\_tf\_token](#input\_hcp\_tf\_token) | HCP Terraform API token | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS region to deploy the resources | `string` | `"us-east-1"` | no |
+| <a name="input_tf_run_task_image_tag"></a> [tf\_run\_task\_image\_tag](#input\_tf\_run\_task\_image\_tag) | value for the docker image tag to be used by the run task logic | `string` | `"latest"` | no |
+| <a name="input_tf_run_task_logic_iam_roles"></a> [tf\_run\_task\_logic\_iam\_roles](#input\_tf\_run\_task\_logic\_iam\_roles) | values for the IAM roles to be used by the run task logic | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_runtask_url"></a> [runtask\_url](#output\_runtask\_url) | n/a |
+<!-- END_TF_DOCS -->
diff --git a/examples/github/main.tf b/examples/github/main.tf
@@ -0,0 +1,40 @@
+#####################################################################################
+# Terraform module examples are meant to show an _example_ on how to use a module
+# per use-case. The code below should not be copied directly but referenced in order
+# to build your own root module that invokes this module
+#####################################################################################
+
+data "aws_region" "current" {}
+
+data "tfe_organization" "hcp_tf_org" {
+  name = var.hcp_tf_org
+}
+
+resource "aws_secretsmanager_secret" "github_api_token" {
+  #checkov:skip=CKV2_AWS_57:run terraform apply to rotate api key
+  #checkov:skip=CKV_AWS_149:skipping KMS based encryption as it's just an example setup
+  name = "tf_ai_github_api_token"
+}
+
+resource "aws_secretsmanager_secret_version" "github_api_token" {
+  secret_id     = aws_secretsmanager_secret.github_api_token.id
+  secret_string = var.github_api_token
+}
+
+module "hcp_tf_run_task" {
+  source               = "../.."
+  aws_region           = data.aws_region.current.name
+  hcp_tf_org           = data.tfe_organization.hcp_tf_org.name
+  run_task_iam_roles   = var.tf_run_task_logic_iam_roles
+  github_api_token_arn = aws_secretsmanager_secret_version.github_api_token.arn
+  deploy_waf           = true
+}
+
+resource "tfe_organization_run_task" "bedrock_plan_analyzer" {
+  enabled      = true
+  organization = data.tfe_organization.hcp_tf_org.name
+  url          = module.hcp_tf_run_task.runtask_url
+  hmac_key     = module.hcp_tf_run_task.runtask_hmac
+  name         = "Bedrock-TF-Plan-Analyzer"
+  description  = "Analyze TF plan using Amazon Bedrock"
+}
diff --git a/examples/github/outputs.tf b/examples/github/outputs.tf
@@ -0,0 +1,3 @@
+output "runtask_url" {
+  value = module.hcp_tf_run_task.runtask_url
+}
diff --git a/examples/github/providers.tf b/examples/github/providers.tf
@@ -0,0 +1,27 @@
+terraform {
+  required_version = ">= 1.0.7"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.56.1"
+    }
+
+    tfe = {
+      source  = "hashicorp/tfe"
+      version = "~>0.38.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+provider "aws" {
+  alias  = "cloudfront_waf"
+  region = "us-east-1" # for Cloudfront WAF only, must be in us-east-1
+}
+
+provider "tfe" {
+  token = var.hcp_tf_token
+}
diff --git a/examples/github/variables.tf b/examples/github/variables.tf
@@ -0,0 +1,34 @@
+variable "hcp_tf_org" {
+  type        = string
+  description = "HCP Terraform Organization name"
+}
+
+variable "hcp_tf_token" {
+  type        = string
+  sensitive   = true
+  description = "HCP Terraform API token"
+}
+
+variable "tf_run_task_logic_iam_roles" {
+  type        = list(string)
+  description = "values for the IAM roles to be used by the run task logic"
+  default     = []
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region to deploy the resources"
+  default     = "us-east-1"
+}
+
+variable "tf_run_task_image_tag" {
+  type        = string
+  description = "value for the docker image tag to be used by the run task logic"
+  default     = "latest"
+}
+
+variable "github_api_token" {
+  type        = string
+  description = "GitHub API token for creating comments in PRs"
+  sensitive   = true
+}
diff --git a/iam.tf b/iam.tf
@@ -62,6 +62,15 @@ resource "aws_iam_role_policy_attachment" "runtask_callback" {
   policy_arn = local.lambda_managed_policies[count.index]
 }
 
+resource "aws_iam_role_policy" "runtask_callback" {
+  count = var.github_api_token_arn != null ? 1 : 0
+  name  = "${local.solution_prefix}-runtask-callback-policy"
+  role  = aws_iam_role.runtask_callback.id
+  policy = templatefile("${path.module}/templates/role-policies/runtask-callback-lambda-role-policy.tpl", {
+    github_api_token_arn = [var.github_api_token_arn]
+  })
+}
+
 ################# IAM for run task fulfillment ##################
 resource "aws_iam_role" "runtask_fulfillment" {
   name               = "${local.solution_prefix}-runtask-fulfillment"
@@ -131,4 +140,4 @@ resource "aws_iam_role_policy" "runtask_rule" {
   policy = templatefile("${path.module}/templates/role-policies/runtask-rule-role-policy.tpl", {
     resource_runtask_states = aws_sfn_state_machine.runtask_states.arn
   })
-}
+}
diff --git a/images/github.png b/images/github.png
diff --git a/kms.tf b/kms.tf
@@ -11,7 +11,7 @@ resource "aws_kms_key" "runtask_key" {
 
 # Assign an alias to the key
 resource "aws_kms_alias" "runtask_key" {
-  name          = "alias/runTask"
+  name          = "alias/runTaskKey"
   target_key_id = aws_kms_key.runtask_key.key_id
 }
 
@@ -28,6 +28,6 @@ resource "aws_kms_key" "runtask_waf" {
 resource "aws_kms_alias" "runtask_waf" {
   count         = local.waf_deployment
   provider      = aws.cloudfront_waf
-  name          = "alias/runtask-WAF"
+  name          = "alias/runtaskWAF"
   target_key_id = aws_kms_key.runtask_waf[count.index].key_id
-}
+}
diff --git a/lambda.tf b/lambda.tf
@@ -112,10 +112,16 @@ resource "aws_lambda_function" "runtask_callback" {
   tracing_config {
     mode = "Active"
   }
+  environment {
+    variables = {
+      GITHUB_API_TOKEN_ARN = var.github_api_token_arn
+    }
+  }
   tags = local.combined_tags
   #checkov:skip=CKV_AWS_116:not using DLQ
   #checkov:skip=CKV_AWS_117:VPC is not required
   #checkov:skip=CKV_AWS_272:skip code-signing
+  #checkov:skip=CKV_AWS_173:no sensitive data in env var
 }
 
 resource "aws_cloudwatch_log_group" "runtask_callback" {
@@ -189,4 +195,4 @@ resource "aws_cloudwatch_log_group" "runtask_fulfillment_output" {
   retention_in_days = var.cloudwatch_log_group_retention
   kms_key_id        = aws_kms_key.runtask_key.arn
   tags              = local.combined_tags
-}
+}