Merge pull request #1 from trussworks/cblkwell-release-cleanup

Cleanup for tf12; remove environment var; add arbitrary tags
trussworks · Jan 3, 2020 · cfbfd42 · cfbfd42
2 parents edda99f + 34f90fd
commit cfbfd42
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 47 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2
 jobs:
   validate:
     docker:
-      - image: trussworks/circleci-docker-primary:93fe471597189fed29f1ab2f517fc4c3370f2a77
+      - image: trussworks/circleci-docker-primary:tf12-3744e93e98dfeddf7682211c0249e6e8dc55458a
     steps:
       - checkout
       - restore_cache:

diff --git a/.terraform-version b/.terraform-version
diff --git a/README.md b/README.md
@@ -1,4 +1,3 @@
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 Creates an AWS Lambda function to check that IAM Access Keys are not older than 90 days
 on a scheduled interval using [truss-aws-tools](https://github.com/trussworks/truss-aws-tools).
 
@@ -8,32 +7,43 @@ Creates the following resources:
 * CloudWatch Event to trigger function on a schedule.
 * AWS Lambda function to actually check age of IAM Access Keys and send alert to slack if any keys are older than 90 days.
 
+## Terraform Versions
+
+Terraform 0.12: Pin module to ~> 2.0. Submit pull-requests to `master` branch.
+
+Terraform 0.11: Pin module to ~> 1.0. Submit pull-requests to `terraform011` branch.
+
 ## Usage
 
 ```hcl
 module "iam-keys-check" {
   source  = "trussworks/iam-keys-check/aws"
-  version = "1.0.0"
+  version = "2.0.0"
 
-  environment       = "prod"
   interval_minutes  = "1440"
   s3_bucket         = "lambda-builds-us-west-2"
-  version_to_deploy = "2.6"
+  version_to_deploy = "2.8"
   ssm_slack_webhook_url = "slack-webhook-url"
   slack_channel = "infra"
+
+  tags = {
+    Owner = "infra"
+  }
 }
 ```
 
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | cloudwatch\_logs\_retention\_days | Number of days to keep logs in AWS CloudWatch. | string | `"90"` | no |
-| environment | Environment tag, e.g prod. | string | n/a | yes |
+| doc\_url | URL for documentation on how to rotate keys. | string | `"https://example.com"` | no |
 | interval\_minutes | How often to check IAM Access Keys. | string | `"1440"` | no |
 | s3\_bucket | The name of the S3 bucket used to store the Lambda builds. | string | n/a | yes |
 | slack\_channel | Slack channel to send alert to | string | n/a | yes |
 | ssm\_slack\_webhook\_url | Name of the Slack webhook url parameter in Parameter Store. | string | n/a | yes |
+| tags | Map of additional tags to apply to resources; 'Name' tag automatically applied. | map(string) | `{}` | no |
 | version\_to\_deploy | The version the Lambda function to deploy. | string | n/a | yes |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/main.tf b/main.tf
@@ -13,14 +13,17 @@
  * ```hcl
  * module "iam-keys-check" {
  *   source  = "trussworks/iam-keys-check/aws"
- *   version = "1.0.0"
+ *   version = "2.0.0"
  *
- *   environment       = "prod"
  *   interval_minutes  = "1440"
  *   s3_bucket         = "lambda-builds-us-west-2"
- *   version_to_deploy = "2.6"
+ *   version_to_deploy = "2.8"
  *   ssm_slack_webhook_url = "slack-webhook-url"
  *   slack_channel = "infra"
+ *
+ *   tags = {
+ *     Owner = "infra"
+ *   }
  * }
  * ```
  */
@@ -62,7 +65,7 @@ data "aws_iam_policy_document" "main" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.name}-${var.environment}:*"]
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${local.name}:*"]
   }
 
   statement {
@@ -93,30 +96,30 @@ data "aws_iam_policy_document" "main" {
 }
 
 resource "aws_iam_role" "main" {
-  name               = "lambda-${local.name}-${var.environment}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+  name               = "lambda-${local.name}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
 resource "aws_iam_role_policy" "main" {
-  name = "lambda-${local.name}-${var.environment}"
-  role = "${aws_iam_role.main.id}"
+  name = "lambda-${local.name}"
+  role = aws_iam_role.main.id
 
-  policy = "${data.aws_iam_policy_document.main.json}"
+  policy = data.aws_iam_policy_document.main.json
 }
 
 #
 # CloudWatch Scheduled Event
 #
 
 resource "aws_cloudwatch_event_rule" "main" {
-  name                = "${local.name}-${var.environment}"
+  name                = local.name
   description         = "scheduled trigger for ${local.name}"
   schedule_expression = "rate(${var.interval_minutes} minutes)"
 }
 
 resource "aws_cloudwatch_event_target" "main" {
-  rule = "${aws_cloudwatch_event_rule.main.name}"
-  arn  = "${aws_lambda_function.main.arn}"
+  rule = aws_cloudwatch_event_rule.main.name
+  arn  = aws_lambda_function.main.arn
 }
 
 #
@@ -125,13 +128,10 @@ resource "aws_cloudwatch_event_target" "main" {
 
 resource "aws_cloudwatch_log_group" "main" {
   # This name must match the lambda function name and should not be changed
-  name              = "/aws/lambda/${local.name}-${var.environment}"
-  retention_in_days = "${var.cloudwatch_logs_retention_days}"
+  name              = "/aws/lambda/${local.name}"
+  retention_in_days = var.cloudwatch_logs_retention_days
 
-  tags = {
-    Name        = "${local.name}-${var.environment}"
-    Environment = "${var.environment}"
-  }
+  tags = "${merge(var.tags, map("Name", local.name))}"
 }
 
 #
@@ -141,38 +141,36 @@ resource "aws_cloudwatch_log_group" "main" {
 resource "aws_lambda_function" "main" {
   depends_on = ["aws_cloudwatch_log_group.main"]
 
-  s3_bucket = "${var.s3_bucket}"
+  s3_bucket = var.s3_bucket
   s3_key    = "${local.pkg}/${var.version_to_deploy}/${local.pkg}.zip"
 
-  function_name = "${local.name}-${var.environment}"
-  role          = "${aws_iam_role.main.arn}"
-  handler       = "${local.name}"
+  function_name = local.name
+  role          = aws_iam_role.main.arn
+  handler       = local.name
   runtime       = "go1.x"
   memory_size   = "128"
   timeout       = "60"
 
   environment {
     variables = {
-      DOCUMENTATION_URL     = "https://github.com/transcom/ppp-infra/tree/master/transcom-ppp#rotating-aws-access-keys"
+      DOCUMENTATION_URL     = var.doc_url
       LAMBDA                = "true"
-      SLACK_CHANNEL         = "${var.slack_channel}"
+      SLACK_CHANNEL         = var.slack_channel
       SLACK_EMOJI           = ":old_key:"
-      SSM_SLACK_WEBHOOK_URL = "${var.ssm_slack_webhook_url}"
+      SSM_SLACK_WEBHOOK_URL = var.ssm_slack_webhook_url
     }
   }
 
-  tags = {
-    Name        = "${local.name}-${var.environment}"
-    Environment = "${var.environment}"
-  }
+  tags = "${merge(var.tags, map("Name", local.name))}"
+
 }
 
 resource "aws_lambda_permission" "main" {
-  statement_id = "${local.name}-${var.environment}"
+  statement_id = local.name
 
   action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.main.function_name}"
+  function_name = aws_lambda_function.main.function_name
 
   principal  = "events.amazonaws.com"
-  source_arn = "${aws_cloudwatch_event_rule.main.arn}"
+  source_arn = aws_cloudwatch_event_rule.main.arn
 }
diff --git a/variables.tf b/variables.tf
@@ -1,35 +1,43 @@
 variable "cloudwatch_logs_retention_days" {
   default     = 90
   description = "Number of days to keep logs in AWS CloudWatch."
-  type        = "string"
+  type        = string
 }
 
-variable "environment" {
-  description = "Environment tag, e.g prod."
+variable "doc_url" {
+  default     = "https://example.com"
+  description = "URL for documentation on how to rotate keys."
+  type        = string
 }
 
 variable "interval_minutes" {
   default     = 1440
   description = "How often to check IAM Access Keys."
-  type        = "string"
+  type        = string
 }
 
 variable "s3_bucket" {
   description = "The name of the S3 bucket used to store the Lambda builds."
-  type        = "string"
+  type        = string
 }
 
 variable "version_to_deploy" {
   description = "The version the Lambda function to deploy."
-  type        = "string"
+  type        = string
 }
 
 variable "ssm_slack_webhook_url" {
   description = "Name of the Slack webhook url parameter in Parameter Store."
-  type        = "string"
+  type        = string
 }
 
 variable "slack_channel" {
   description = "Slack channel to send alert to"
-  type        = "string"
+  type        = string
+}
+
+variable "tags" {
+  default     = {}
+  description = "Map of additional tags to apply to resources; 'Name' tag automatically applied."
+  type        = map(string)
 }