#
# Modules, data sources and resources that are only deployed on AWS live in
# this file (Keycloak, the GuardDuty VPC endpoint and the GuardDuty EKS add-on).
#
# Keycloak, installed only when it is enabled and the environment is not
# multitenant. The cluster and intake modules must exist before it is applied.
module "keycloak" {
  source = "./modules/aws/keycloak"
  count  = (var.multitenant_enabled == false && var.keycloak_enabled == true) ? 1 : 0

  depends_on = [
    module.intake,
    module.cluster,
  ]

  local_dns_name = local.dns_name
}
# Looks up the interface endpoint service for GuardDuty's data plane
# ("guardduty-data") in the deployment region; its service_name feeds the
# VPC endpoint below. Presumably this is the service the GuardDuty agent
# add-on reports to -- confirm against the AWS docs if the service name changes.
data "aws_vpc_endpoint_service" "guardduty" {
  filter {
    name   = "service-name"
    values = ["com.amazonaws.${var.region}.guardduty-data"]
  }

  service_type = "Interface"
}
# Interface VPC endpoint for the GuardDuty data service, placed in the
# environment's private subnets so agent traffic to GuardDuty stays inside
# the VPC instead of leaving via NAT.
#
# Created only when var.load_environment is unset (presumably a fresh
# environment rather than one loaded from elsewhere -- confirm), the endpoint
# was opted into via var.create_guardduty_vpc_endpoint, and the environment is
# not multitenant. The security group referenced here is gated by the same
# condition, so indexing it with [0] is safe.
resource "aws_vpc_endpoint" "eks_vpc_guardduty" {
  count = (var.load_environment == "" && var.create_guardduty_vpc_endpoint && var.multitenant_enabled == false) ? 1 : 0

  vpc_endpoint_type  = "Interface"
  service_name       = data.aws_vpc_endpoint_service.guardduty.service_name
  vpc_id             = local.environment_indico_vpc_id
  subnet_ids         = local.environment_private_subnet_ids
  security_group_ids = [aws_security_group.eks_vpc_endpoint_guardduty[0].id]

  # Resolve the public GuardDuty hostname to the endpoint ENIs inside the VPC.
  private_dns_enabled = true

  # Endpoint policy: only principals from this account may use the endpoint.
  policy = data.aws_iam_policy_document.eks_vpc_guardduty.json
}
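# VPC that hosts the GuardDuty interface endpoint, looked up so the endpoint's
# security group can be limited to addresses inside that VPC. Gated by the
# same condition as the endpoint and its security group so it is not evaluated
# for environments that do not create the endpoint.
data "aws_vpc" "eks_vpc_endpoint_guardduty" {
  count = (var.load_environment == "" && var.create_guardduty_vpc_endpoint && var.multitenant_enabled == false) ? 1 : 0
  id    = local.environment_indico_vpc_id
}

# Security group attached to the GuardDuty interface VPC endpoint.
#
# The endpoint ENIs only need to accept HTTPS from clients inside the VPC
# (the GuardDuty agent running on the EKS nodes), so ingress is restricted to
# the VPC's CIDR blocks -- the primary block plus any secondary associations --
# instead of 0.0.0.0/0. An interface endpoint has no public address, but an
# open-to-the-world rule still exposes it to every peered or TGW-attached
# network and trips the usual IaC scanners. If agents in a peered VPC must use
# this endpoint, add their CIDRs to the ingress rule explicitly.
resource "aws_security_group" "eks_vpc_endpoint_guardduty" {
  count = (var.load_environment == "" && var.create_guardduty_vpc_endpoint && var.multitenant_enabled == false) ? 1 : 0

  name_prefix = "${var.label}-vpc-endpoint-guardduty-sg-"
  description = "Security Group used by VPC Endpoints."
  vpc_id      = local.environment_indico_vpc_id

  tags = {
    "Name" = "${var.label}-vpc-endpoint-guardduty-sg-"
    # Presumably tells GuardDuty's automatic agent configuration that this SG
    # is managed by this stack rather than by GuardDuty -- confirm.
    "GuardDutyManaged" = "false"
  }

  # Create the replacement group before deleting the old one so the endpoint
  # is never left without a security group while this resource is replaced.
  lifecycle {
    create_before_destroy = true
  }

  ingress {
    description = "HTTPS to the GuardDuty interface endpoint from inside the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [for assoc in data.aws_vpc.eks_vpc_endpoint_guardduty[0].cidr_block_associations : assoc.cidr_block]
  }
}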
# Endpoint policy for the GuardDuty interface endpoint.
#
# Two statements: an unconditional Allow for every principal, followed by an
# explicit Deny for every principal whose aws:PrincipalAccount is not the
# account Terraform is running in. An explicit Deny always overrides an Allow,
# so the net effect is that only principals from the current account can send
# requests through the endpoint. This is the same shape AWS's GuardDuty
# runtime-monitoring documentation uses for a manually created endpoint.
data "aws_iam_policy_document" "eks_vpc_guardduty" {
  # Allow everything ...
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }

  # ... except for principals that belong to another account.
  statement {
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
# Newest published version of the aws-guardduty-agent EKS add-on that is
# compatible with the cluster's Kubernetes version. This is resolved on every
# plan, so the version it returns can change over time (see the add-on
# resource below).
data "aws_eks_addon_version" "guardduty" {
  most_recent        = true
  kubernetes_version = var.k8s_version
  addon_name         = "aws-guardduty-agent"
}
# Installs the GuardDuty runtime-monitoring agent (aws-guardduty-agent) as an
# EKS managed add-on on the cluster named after var.label, for
# non-multitenant environments only. It waits on the cluster module and on
# time_sleep.wait_1_minutes_after_cluster (per its name, a one-minute delay)
# so the add-on is not submitted before the cluster is ready to accept it.
#
# NOTE(review): var.eks_addon_version_guardduty only gates whether the add-on
# is created; the version actually installed is whatever the data source
# resolved as most_recent, so it is not pinned and may move between runs.
# Confirm that is intended, or wire the variable into addon_version.
resource "aws_eks_addon" "guardduty" {
  count = (var.eks_addon_version_guardduty != null && var.multitenant_enabled == false) ? 1 : 0

  depends_on = [
    module.cluster,
    time_sleep.wait_1_minutes_after_cluster,
  ]

  cluster_name  = var.label
  addon_name    = "aws-guardduty-agent"
  addon_version = data.aws_eks_addon_version.guardduty.version

  # When the add-on is updated, let its defaults overwrite any in-cluster
  # edits to the fields it manages.
  resolve_conflicts_on_update = "OVERWRITE"

  # On destroy, leave the add-on's Kubernetes objects in the cluster rather
  # than deleting them.
  preserve = true

  tags = {
    "eks_addon" = "guardduty"
  }
}