The purpose of this module is to provide a Terraform based interface for administering Cloud Custodian to assist with managing the state of template files and to allow for easier runtime interpolation via Terraform.
For more information about this repository and its usage, please see Terraform AWS ARC GitHub CLOUD CUSTODIAN Module Usage Guide.
Terraform >= 1.0.5
Pip >= 20.0.2
Python >= 3.8
You must have Python 3.8 or above installed.
To install Cloud Custodian, install it with Pip:
pip install c7n
- Pip package notes
- c7n is for AWS
- c7n_azure is for Azure
- c7n_gcp is for Google Compute
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  # NOTE(review): the requirements table for the module itself lists
  # terraform ~> 1.3, which this ~> 1.0.5 pin (>= 1.0.5, < 1.1) would not
  # satisfy — confirm which constraint is current before relying on this example.
  required_version = "~> 1.0.5"
}
# Single-region example; the same region string is passed to the module below.
provider "aws" {
  region = "us-east-1"
}
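resource "aws_iam_policy" "ec2" {
  name        = "cloud-custodian-allow-ec2-management"
  description = "Cloud Custodian EC2 policy."

  # This policy is for example purposes only.
  # The statement is scoped to the EC2 API so that it matches the policy's
  # name and description. The previous version also listed the bare "*"
  # action alongside "ec2:*", which made "ec2:*" redundant and granted the
  # custodian role every action on every resource; if the example needs
  # other services, add their actions explicitly instead.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action   = ["ec2:*"]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}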
# Lets the role created by the module write its Lambda logs to CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "aws_lambda_basic_execution_role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
  role       = module.cloud_custodian.role_name
}
# Attaches the example EC2 policy defined above to the module's role.
resource "aws_iam_role_policy_attachment" "ec2" {
  policy_arn = aws_iam_policy.ec2.arn
  role       = module.cloud_custodian.role_name
}
module "cloud_custodian" {
  source = "../."

  # Naming / placement inputs (all required by the module).
  namespace = "refarch"
  stage     = "example"
  name      = "tf-cloud-custodian"
  region    = "us-east-1"

  # Where the custodian policy files and their templates live, relative to
  # the root module of this configuration.
  custodian_files_path     = "${path.root}/files"
  custodian_templates_path = "${path.root}/templates"

  cloudtrail_sqs_enabled = true

  # Values substituted into the template files.
  # NOTE(review): two of these read the module's own outputs from inside its
  # inputs; this only evaluates without a dependency cycle if the role and
  # queue do not themselves depend on template_file_vars — confirm against
  # the module source.
  template_file_vars = {
    REGION       = "us-east-1"
    EC2_TAG_ROLE = module.cloud_custodian.role_name
    SQS_ARN      = module.cloud_custodian.sqs_arn
  }

  tags = {
    Example = "true"
    Module  = "terraform-aws-cloud-custodian"
  }
}
Name | Version |
---|---|
terraform | ~> 1.3 |
aws | ~> 4.0 |
local | >= 2.0 |
null | >= 2.0 |
random | >= 2.0 |
Name | Version |
---|---|
aws | 3.68.0 |
local | 2.1.0 |
null | 3.1.0 |
Name | Source | Version |
---|---|---|
cloudtrail | git::https://github.com/cloudposse/terraform-aws-cloudtrail.git | 0.20.1 |
cloudtrail_s3_bucket | git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git | 0.26.2 |
cloudtrail_sqs_queue | git::https://github.com/terraform-aws-modules/terraform-aws-sqs.git | v3.1.0 |
Name | Type |
---|---|
aws_iam_policy.custodian_output_s3_policy | resource |
aws_iam_role.role | resource |
aws_iam_role_policy_attachment.cloudtrail | resource |
aws_iam_role_policy_attachment.cloudwatchlogs | resource |
aws_iam_role_policy_attachment.iam | resource |
aws_iam_role_policy_attachment.s3_output | resource |
aws_iam_role_policy_attachment.sqs | resource |
aws_iam_role_policy_attachment.tags | resource |
aws_s3_bucket.custodian_output | resource |
aws_s3_bucket_server_side_encryption_configuration.server_side_encryption | resource |
local_file.cc_files | resource |
null_resource.run_custodian | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
cloudtrail_enabled | Set to false to prevent the module from creating any resources. | bool | true | no |
cloudtrail_s3_bucket_enabled | Set to false to prevent the module from creating any resources. | bool | true | no |
cloudtrail_sqs_enabled | Set to false to prevent the module from creating any resources. | bool | true | no |
custodian_files_path | Path to where the custodian files are located. | string | null | no |
custodian_templates_path | Path to where the custodian template files are located. | string | null | no |
name | Name of invocation. | string | n/a | yes |
namespace | A namespace for all the resources to live in. | string | n/a | yes |
region | AWS Region to create objects in. | string | n/a | yes |
stage | Stage of pipeline (Eg. sbx, dev, staging, uat, prod). | string | n/a | yes |
tags | Additional tags to assign resources. | map(string) | n/a | yes |
template_file_vars | Variable name and value maps. | map(string) | {} | no |
Name | Description |
---|---|
bucket_arn | ARN of the bucket. |
bucket_id | Name of the bucket. |
role_arn | ARN of the role created. |
role_name | Name of the role created. |
sqs_arn | ARN of the SQS queue |
This project uses a .version file at the root of the repo, which the pipeline reads from and uses to create a git tag. On commits to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.
Install the prerequisites:
Then run pre-commit on the repo:
pre-commit install
pre-commit run --all-files
This project is authored by:
- SourceFuse ARC Team