diff --git a/docs/aws-ec2-pritunl-diagram.svg b/docs/aws-ec2-pritunl-diagram.svg
new file mode 100644
index 00000000..569c0f22
--- /dev/null
+++ b/docs/aws-ec2-pritunl-diagram.svg
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/terraform/layer1-aws/aws-ec2-pritunl.tf b/terraform/layer1-aws/aws-ec2-pritunl.tf
index 56763d9d..bc28466b 100644
--- a/terraform/layer1-aws/aws-ec2-pritunl.tf
+++ b/terraform/layer1-aws/aws-ec2-pritunl.tf
@@ -2,10 +2,11 @@ module "pritunl" {
 count = var.pritunl_vpn_server_enable ? 1 : 0
- source = "../modules/aws-ec2-pritunl"
- environment = local.env
- vpc_id = module.vpc.vpc_id
- public_subnets = module.vpc.public_subnets
+ source = "../modules/aws-ec2-pritunl"
+ environment = local.env
+ vpc_id = module.vpc.vpc_id
+ public_subnets = module.vpc.public_subnets
+ private_subnets = module.vpc.private_subnets
 ingress_with_cidr_blocks = [
 {
 protocol = "6"
diff --git a/terraform/modules/aws-ec2-pritunl/README.md b/terraform/modules/aws-ec2-pritunl/README.md
new file mode 100644
index 00000000..923de690
--- /dev/null
+++ b/terraform/modules/aws-ec2-pritunl/README.md
@@ -0,0 +1,75 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +| ------------------------------------------------- | ------- | +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +| ----------------------------------------------------------------------- | --------------------------------------------------------- | ------- | +| [backup\_role](#module\_backup\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 | +| [efs\_sg](#module\_efs\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 | +| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 4.14.0 | +| [this\_role](#module\_this\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 | + +## Resources + +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | +| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | +| [aws_backup_selection.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | +| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| [aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | +| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource | +| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| 
[aws_iam_instance_profile.this_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | :------: | +| [encrypted](#input\_encrypted) | Encrypt or not EFS | `bool` | `true` | no | +| [environment](#input\_environment) | Environment name | `string` | `"infra"` | no | +| [ingress\_with\_cidr\_blocks](#input\_ingress\_with\_cidr\_blocks) | A list of Pritunl server security group rules where source is CIDR |
list(object({
protocol = string
from_port = string
to_port = string
cidr_blocks = string
})) | `[]` | no |
+| [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | A list of Pritunl server security group rules where source is another security group | list(object({
protocol = string
from_port = string
to_port = string
security_groups = string
})) | `[]` | no |
+| [instance\_type](#input\_instance\_type) | Pritunl server instance type | `string` | `"t3.small"` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID in case of using CMK | `any` | `null` | no |
+| [name](#input\_name) | Name used for all resources in this module | `string` | `"pritunl"` | no |
+| [private\_subnets](#input\_private\_subnets) | A list of private subnets where EFS will be created | `list(any)` | n/a | yes |
+| [public\_subnets](#input\_public\_subnets) | A list of public subnets where Pritunl server will be run | `list(any)` | n/a | yes |
+| [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security groups | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+| ---------------------------------------------------------------------------------------------------------- | ----------- |
+| [pritunl\_endpoint](#output\_pritunl\_endpoint) | n/a |
+| [pritunl\_security\_group](#output\_pritunl\_security\_group) | n/a |
+
+
+## Architecture diagram
+
+
+
+## Description
+* AWS ASG is used to automatically run "broken" instance again
+* The entire logic is located in user-data script:
+ * Install MongoDB
+ * Install Pritunl-server
+ * Configure sysctl
+ * Attache Elastic IP
+ * Disable source-destination check, because this instance will forward traffic
+ * Mount EFS filesystem into directory with MongoDB data. We don't want to care about AZ and EBS disks
+* AWS Backup is configured to backup EFS storage
diff --git a/terraform/modules/aws-ec2-pritunl/backup.tf b/terraform/modules/aws-ec2-pritunl/backup.tf
index d0f22cab..bfab8509 100644
--- a/terraform/modules/aws-ec2-pritunl/backup.tf
+++ b/terraform/modules/aws-ec2-pritunl/backup.tf
@@ -3,9 +3,9 @@ resource "aws_backup_vault" "this" {
}
resource "aws_backup_plan" "this" {
- name = "${var.name}_backup_plan"
+ name = var.name
rule {
- rule_name = "${var.name}_backup_plan_efs"
+ rule_name = var.name
target_vault_name = aws_backup_vault.this.name
schedule = "cron(0 1 * * ? *)"
lifecycle {
@@ -16,7 +16,7 @@ resource "aws_backup_plan" "this" {
resource "aws_backup_selection" "efs" {
iam_role_arn = module.backup_role.iam_role_arn
- name = "${var.name}_backup_selection_efs"
+ name = "${var.name}-efs"
plan_id = aws_backup_plan.this.id
resources = [
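Review bot: Renaming the selection to `name = "${var.name}-efs"` will destroy and recreate aws_backup_selection.efs on existing deployments, because backup selections have no in-place update path; the plan and rule renames in the preceding hunk (`name = var.name`, `rule_name = var.name`) are presumably updated in place, but the plan output should be checked for the same replacement. Recovery points live in aws_backup_vault.this, which this commit does not touch, so the rename does not lose existing backups. A short comment above the selection, such as `# Renaming replaces the selection; existing recovery points stay in the vault.`, would make that churn expected rather than alarming. The `resources` list of aws_backup_selection.efs continues outside the hunk.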
diff --git a/terraform/modules/aws-ec2-pritunl/variables.tf b/terraform/modules/aws-ec2-pritunl/variables.tf
index e17e95f2..86992871 100644
--- a/terraform/modules/aws-ec2-pritunl/variables.tf
+++ b/terraform/modules/aws-ec2-pritunl/variables.tf
@@ -1,23 +1,43 @@
-variable "vpc_id" {}
-variable "public_subnets" {}
+variable "vpc_id" {
+ type = string
+ description = "ID of the VPC where to create security groups"
+}
+
+variable "public_subnets" {
+ type = list(any)
+ description = "A list of public subnets where Pritunl server will be run"
+}
+
+variable "private_subnets" {
+ type = list(any)
+ description = "A list of private subnets where EFS will be created"
+}
variable "name" {
- default = "pritunl"
+ default = "pritunl"
+ description = "Name used for all resources in this module"
}
+
variable "environment" {
- default = "infra"
+ default = "infra"
+ description = "Environment name"
}
+
variable "instance_type" {
- default = "t3.small"
+ default = "t3.small"
+ description = "Pritunl server instance type"
}
variable "encrypted" {
- default = true
+ default = true
+ description = "Encrypt or not EFS"
}
variable "kms_key_id" {
- default = null
+ default = null
+ description = "KMS key ID in case of using CMK"
}
+
variable "ingress_with_source_security_group_id" {
type = list(object({
protocol = string
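Review bot: The new `vpc_id`, `public_subnets` and `private_subnets` variables get explicit types, but `name`, `environment`, `instance_type`, `encrypted` and `kms_key_id` in the same hunk still only gain a description and remain implicitly `any`; for consistency add `type = string` to the first three and to `kms_key_id`, and `type = bool` to `encrypted`, so a wrong value fails at plan time instead of surfacing in the launch template or EFS resource. Since `public_subnets` and `private_subnets` are described as lists of subnets and are presumably subnet IDs, `type = list(string)` would be tighter than `list(any)`. The `kms_key_id` description could also state that it is only honoured when `encrypted = true`, if that is what the EFS resource does — worth confirming against efs.tf, which is outside this diff.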
@@ -26,8 +46,10 @@ variable "ingress_with_source_security_group_id" {
security_groups = string
}))
- default = []
+ default = []
+ description = "A list of Pritunl server security group rules where source is another security group"
}
+
variable "ingress_with_cidr_blocks" {
type = list(object({
protocol = string
@@ -36,5 +58,6 @@ variable "ingress_with_cidr_blocks" {
cidr_blocks = string
}))
- default = []
+ default = []
+ description = "A list of Pritunl server security group rules where source is CIDR"
}
diff --git a/terraform/modules/aws-iam-eks-trusted/README.md b/terraform/modules/aws-iam-eks-trusted/README.md
new file mode 100644
index 00000000..8458b1c2
--- /dev/null
+++ b/terraform/modules/aws-iam-eks-trusted/README.md
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [name](#input\_name) | Name, required to form unique resource names | `any` | n/a | yes |
+| [oidc\_provider\_arn](#input\_oidc\_provider\_arn) | The ARN of the OIDC Provider | `any` | n/a | yes |
+| [policy](#input\_policy) | The policy that will be attached to role | `any` | n/a | yes |
+| [region](#input\_region) | Target region for all infrastructure resources | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [role\_arn](#output\_role\_arn) | This role ARN |
+
\ No newline at end of file
diff --git a/terraform/modules/aws-iam-eks-trusted/variables.tf b/terraform/modules/aws-iam-eks-trusted/variables.tf
index b02a273f..e59bb921 100644
--- a/terraform/modules/aws-iam-eks-trusted/variables.tf
+++ b/terraform/modules/aws-iam-eks-trusted/variables.tf
@@ -1,15 +1,13 @@
variable "oidc_provider_arn" {
description = "The ARN of the OIDC Provider"
- default = ""
}
+
variable "name" {
description = "Name, required to form unique resource names"
- default = ""
}
variable "region" {
description = "Target region for all infrastructure resources"
- default = ""
}
variable "policy" {
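Review bot: Dropping `default = ""` from `oidc_provider_arn`, `name` and `region` is the right call, because an empty provider ARN would presumably have been interpolated into the trust policy of aws_iam_role.this and only failed, or worse silently produced a wrong principal, at apply time; making the inputs required moves that failure to plan time. While touching these blocks, `type = string` on each would complete the hardening so that a list or number is rejected by validation rather than by the provider. The same applies to the `name` variable in terraform/modules/aws-iam-user-with-policy/variables.tf further down. The `variable "policy"` block continues outside the hunk.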
diff --git a/terraform/modules/aws-iam-user-with-policy/README.md b/terraform/modules/aws-iam-user-with-policy/README.md
new file mode 100644
index 00000000..558fa39c
--- /dev/null
+++ b/terraform/modules/aws-iam-user-with-policy/README.md
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_access_key.this_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_user.this_user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [name](#input\_name) | Project name, required to form unique resource names | `any` | n/a | yes |
+| [policy](#input\_policy) | IAM policy that will be attached to user | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [access\_key\_id](#output\_access\_key\_id) | AWS ACCESS\_KEY\_ID |
+| [access\_secret\_key](#output\_access\_secret\_key) | AWS ACCESS\_SECRET\_KEY |
+
\ No newline at end of file
diff --git a/terraform/modules/aws-iam-user-with-policy/variables.tf b/terraform/modules/aws-iam-user-with-policy/variables.tf
index b26ee8f8..27f06432 100644
--- a/terraform/modules/aws-iam-user-with-policy/variables.tf
+++ b/terraform/modules/aws-iam-user-with-policy/variables.tf
@@ -1,6 +1,5 @@
variable "name" {
description = "Project name, required to form unique resource names"
- default = ""
}
variable "policy" {
diff --git a/terraform/modules/aws-wafv2-top-10-owasp-rules/variables.tf b/terraform/modules/aws-wafv2-top-10-owasp-rules/variables.tf
index 45b420c0..a9fe3e9b 100644
--- a/terraform/modules/aws-wafv2-top-10-owasp-rules/variables.tf
+++ b/terraform/modules/aws-wafv2-top-10-owasp-rules/variables.tf
@@ -1,56 +1,64 @@
variable "wafv2_rule_action" {
- default = "block"
+ type = string
+ default = "block"
+ description = "Default rules action"
}
variable "waf_scope" {
- default = "CLOUDFRONT"
+ type = string
+ default = "CLOUDFRONT"
+ description = "One API can be used for both global and regional applications. Possible values are CLOUDFRONT and REGIONAL. REGIONAL is used for ALBs, API Gateway"
}
variable "name" {
- default = "test"
+ type = string
+ description = "Name used for all resources in this module"
}
variable "max_expected_uri_size" {
type = string
- description = "Maximum number of bytes allowed in the URI component of the HTTP request. Generally the maximum possible value is determined by the server operating system (maps to file system paths), the web server software, or other middleware components. Choose a value that accomodates the largest URI segment you use in practice in your web application."
default = "512"
+ description = "Maximum number of bytes allowed in the URI component of the HTTP request. Generally the maximum possible value is determined by the server operating system (maps to file system paths), the web server software, or other middleware components. Choose a value that accomodates the largest URI segment you use in practice in your web application."
}
variable "max_expected_query_string_size" {
type = string
- description = "Maximum number of bytes allowed in the query string component of the HTTP request. Normally the of query string parameters following the ? in a URL is much larger than the URI , but still bounded by the of the parameters your web application uses and their values."
default = "1024"
+ description = "Maximum number of bytes allowed in the query string component of the HTTP request. Normally the of query string parameters following the ? in a URL is much larger than the URI , but still bounded by the of the parameters your web application uses and their values."
}
variable "max_expected_body_size" {
type = string
- description = "Maximum number of bytes allowed in the body of the request. If you do not plan to allow large uploads, set it to the largest payload value that makes sense for your web application. Accepting unnecessarily large values can cause performance issues, if large payloads are used as an attack vector against your web application."
default = "4096"
+ description = "Maximum number of bytes allowed in the body of the request. If you do not plan to allow large uploads, set it to the largest payload value that makes sense for your web application. Accepting unnecessarily large values can cause performance issues, if large payloads are used as an attack vector against your web application."
}
variable "max_expected_cookie_size" {
type = string
- description = "Maximum number of bytes allowed in the cookie header. The maximum size should be less than 4096, the size is determined by the amount of information your web application stores in cookies. If you only pass a session token via cookies, set the size to no larger than the serialized size of the session token and cookie metadata."
default = "4093"
+ description = "Maximum number of bytes allowed in the cookie header. The maximum size should be less than 4096, the size is determined by the amount of information your web application stores in cookies. If you only pass a session token via cookies, set the size to no larger than the serialized size of the session token and cookie metadata."
}
variable "csrf_expected_header" {
type = string
- description = "The custom HTTP request header, where the CSRF token value is expected to be encountered"
default = "x-csrf-token"
+ description = "The custom HTTP request header, where the CSRF token value is expected to be encountered"
}
variable "csrf_expected_size" {
type = string
- description = "The size in bytes of the CSRF token value. For example if it's a canonically formatted UUIDv4 value the expected size would be 36 bytes/ASCII characters."
default = "36"
+ description = "The size in bytes of the CSRF token value. For example if it's a canonically formatted UUIDv4 value the expected size would be 36 bytes/ASCII characters."
}
variable "blacklisted_cidrs" {
- type = list(string)
- default = ["10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/16", "127.0.0.1/32"]
+ type = list(string)
+ default = ["10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/16", "127.0.0.1/32"]
+ description = "A list of blacklister CIDR blocks"
}
+
variable "cloudwatch_metrics_enabled" {
- type = bool
- default = false
+ type = bool
+ default = false
+ description = "Enable or not using AWS Cloudwatch metrics"
}
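Review bot: The `blacklisted_cidrs` default carried over on the new side lists `"172.16.0.0/16"`, which covers only 172.16.0.0–172.16.255.255; if the intent is to block requests claiming an RFC 1918 source address, as the neighbouring `10.0.0.0/8` and `192.168.0.0/16` entries suggest, the private block is `172.16.0.0/12` and the current mask leaves 172.17.0.0 through 172.31.255.255 unmatched, e.g. `default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.1/32"]`. The new description on the same variable has a typo, `blacklister` for `blacklisted`. Separately, removing the `"test"` default from `name` makes it a required input, which is a breaking change for any caller that relied on the default and is worth stating in the commit message.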
diff --git a/terraform/modules/kubernetes-namespace/README.md b/terraform/modules/kubernetes-namespace/README.md
new file mode 100644
index 00000000..2a4e937f
--- /dev/null
+++ b/terraform/modules/kubernetes-namespace/README.md
@@ -0,0 +1,48 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+| ---------------------------------------------------------------------- | ------- |
+| [kubernetes](#provider\_kubernetes) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ----------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| [kubernetes_limit_range.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/limit_range) | resource |
+| [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_network_policy.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_resource_quota.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/resource_quota) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: |
+| [annotations](#input\_annotations) | An unstructured key value map stored with the namespace that may be used to store arbitrary metadata | `map(any)` | `{}` | no |
+| [depends](#input\_depends) | Indicates the resource this resource depends on. | `any` | `null` | no |
+| [enable](#input\_enable) | If set to true, create namespace | `bool` | `true` | no |
+| [labels](#input\_labels) | Map of string keys and values that can be used to organize and categorize (scope and select) namespaces. | `map(any)` | `{}` | no |
+| [limits](#input\_limits) | n/a | `any` | [| no | +| [name](#input\_name) | Name of the namespace, must be unique. Cannot be updated. | `string` | n/a | yes | +| [network\_policies](#input\_network\_policies) | n/a | `any` | `[]` | no | +| [resource\_quotas](#input\_resource\_quotas) | n/a | `any` | `[]` | no | + +## Outputs + +| Name | Description | +| ----------------------------------------------------------------------- | -------------------------------------------------------- | +| [labels\_name](#output\_labels\_name) | The value of the name label | +| [name](#output\_name) | The name of the created namespace (from object metadata) | + + + + +# More details about using this module can be found [here](../../../docs/FAQ.md#k8s-namespace-features) \ No newline at end of file diff --git a/terraform/modules/self-signed-certificate/README.md b/terraform/modules/self-signed-certificate/README.md new file mode 100644 index 00000000..79c1c89b --- /dev/null +++ b/terraform/modules/self-signed-certificate/README.md @@ -0,0 +1,42 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [external](#provider\_external) | n/a | +| [tls](#provider\_tls) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_self_signed_cert.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | +| [external_external.this_p8](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [common\_name](#input\_common\_name) | n/a | `string` | `"localhost"` | no | +| [dns\_names](#input\_dns\_names) | n/a | `list(any)` |
{
"default": {
"cpu": "150m",
"memory": "128Mi"
},
"default_request": {
"cpu": "100m",
"memory": "64Mi"
},
"type": "Container"
}
]
[| no | +| [early\_renewal\_hours](#input\_early\_renewal\_hours) | n/a | `string` | `336` | no | +| [name](#input\_name) | n/a | `string` | `"example"` | no | +| [validity\_period\_hours](#input\_validity\_period\_hours) | n/a | `string` | `8760` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cert\_pem](#output\_cert\_pem) | n/a | +| [p8](#output\_p8) | n/a | +| [private\_key\_pem](#output\_private\_key\_pem) | n/a | + \ No newline at end of file
"localhost"
]