Terraform AWS: Cloud Custodian

Overview

This module provides a Terraform-based interface for administering Cloud Custodian: it manages the state of Custodian policy template files and lets their variables be interpolated at runtime through Terraform.

For more information about this repository and its usage, please see Terraform AWS ARC GitHub CLOUD CUSTODIAN Module Usage Guide.

Requirements

Terraform >= 1.0.5
Pip >= 20.0.2
Python >= 3.8

Getting started

You must have Python 3.8 or above installed.

To install Cloud Custodian, you can download it using Pip:

pip install c7n

Pip package notes:
* c7n is for AWS
* c7n_azure is for Azure
* c7n_gcp is for Google Compute

Usage

terraform {
  required_version = "~> 1.0.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_policy" "ec2" {
  name        = "cloud-custodian-allow-ec2-management"
  description = "Cloud Custodian EC2 policy."

  # This policy is for example purposes only: Action "*" makes it a full-admin
  # grant, so scope it to the EC2 actions your Custodian policies actually call.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "aws_lambda_basic_execution_role" {
  role       = module.cloud_custodian.role_name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "ec2" {
  role       = module.cloud_custodian.role_name
  policy_arn = aws_iam_policy.ec2.arn
}

module "cloud_custodian" {
  source = "../."

  name      = "tf-cloud-custodian"
  namespace = "refarch"
  region    = "us-east-1"

  stage                    = "example"
  cloudtrail_sqs_enabled   = true
  custodian_files_path     = "${path.root}/files"
  custodian_templates_path = "${path.root}/templates"

  template_file_vars = {
    EC2_TAG_ROLE = module.cloud_custodian.role_name
    SQS_ARN      = module.cloud_custodian.sqs_arn
    REGION       = "us-east-1"
  }

  tags = {
    Module  = "terraform-aws-cloud-custodian"
    Example = "true"
  }
}
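The IAM policy in the Usage block is flagged as "example purposes only" because its Action list contains "*". The added Python check below (not part of the module) is the kind of pre-apply lint a practitioner would run over a policy document before attaching it to the Custodian role: it reports every Allow statement that uses a wildcard action, and additionally reports wildcard actions paired with Resource "*" and no Condition. The first sample is the page's own policy; the second is a constructed, narrower policy for comparison, and the specific EC2 actions in it are assumptions about what a tagging policy would need.

```python
"""Lint an IAM policy document for wildcard grants before terraform apply.

Added example, not part of the module. EXAMPLE_POLICY is the "example
purposes only" policy from the Usage block; SCOPED_POLICY is a constructed
narrower alternative used only for comparison.
"""
from __future__ import annotations

import json

EXAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:*", "*"], "Effect": "Allow", "Resource": "*"}
  ]
}
"""

# Constructed: two real EC2 actions a tag-enforcement policy might need.
# The exact set depends on the Custodian policies you actually run.
SCOPED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:DescribeInstances", "ec2:CreateTags"],
     "Effect": "Allow", "Resource": "*"}
  ]
}
"""


def _as_list(value) -> list:
    """IAM allows a string, a dict or a list in several fields; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def find_wildcard_grants(policy_json: str) -> list[str]:
    """Return human-readable findings for over-broad Allow statements."""
    doc = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        for action in wild_actions:
            scope = "every API call" if action == "*" else "an entire service"
            findings.append(f"statement {idx}: Action {action!r} grants {scope}")
        if wild_actions and "*" in resources and "Condition" not in stmt:
            findings.append(
                f"statement {idx}: wildcard Action on Resource '*' with no Condition"
            )
    return findings


if __name__ == "__main__":
    for label, policy in (("example", EXAMPLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}: {find_wildcard_grants(policy) or ['no wildcard grants']}")
```

Run it before `terraform apply`; a non-empty list for the policy you are about to attach is the signal to narrow it.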

Requirements

Name      | Version
terraform | ~> 1.3
aws       | ~> 4.0
local     | >= 2.0
null      | >= 2.0
random    | >= 2.0

Providers

Name  | Version
aws   | 3.68.0
local | 2.1.0
null  | 3.1.0

Modules

Name                 | Source                                                                     | Version
cloudtrail           | git::https://github.com/cloudposse/terraform-aws-cloudtrail.git            | 0.20.1
cloudtrail_s3_bucket | git::https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket.git  | 0.26.2
cloudtrail_sqs_queue | git::https://github.com/terraform-aws-modules/terraform-aws-sqs.git        | v3.1.0

Resources

Name                                                                         | Type
aws_iam_policy.custodian_output_s3_policy                                    | resource
aws_iam_role.role                                                            | resource
aws_iam_role_policy_attachment.cloudtrail                                    | resource
aws_iam_role_policy_attachment.cloudwatchlogs                                | resource
aws_iam_role_policy_attachment.iam                                           | resource
aws_iam_role_policy_attachment.s3_output                                     | resource
aws_iam_role_policy_attachment.sqs                                           | resource
aws_iam_role_policy_attachment.tags                                          | resource
aws_s3_bucket.custodian_output                                               | resource
aws_s3_bucket_server_side_encryption_configuration.server_side_encryption    | resource
local_file.cc_files                                                          | resource
null_resource.run_custodian                                                  | resource

Inputs

Name                         | Description                                                      | Type        | Default | Required
cloudtrail_enabled           | Set to false to prevent the module from creating any resources.  | bool        | true    | no
cloudtrail_s3_bucket_enabled | Set to false to prevent the module from creating any resources.  | bool        | true    | no
cloudtrail_sqs_enabled       | Set to false to prevent the module from creating any resources.  | bool        | true    | no
custodian_files_path         | Path to where the custodian files are located.                   | string      | null    | no
custodian_templates_path     | Path to where the custodian template files are located.          | string      | null    | no
name                         | Name of invocation.                                              | string      | n/a     | yes
namespace                    | A namespace for all the resources to live in.                    | string      | n/a     | yes
region                       | AWS Region to create objects in.                                 | string      | n/a     | yes
stage                        | Stage of pipeline (e.g. sbx, dev, staging, uat, prod).           | string      | n/a     | yes
tags                         | Additional tags to assign resources.                             | map(string) | n/a     | yes
template_file_vars           | Variable name and value maps.                                    | map(string) | {}      | no
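To make the custodian_templates_path, custodian_files_path and template_file_vars inputs concrete, here is an added Python example (not the module's own code) of the rendering step they describe: every placeholder in a template under the templates path is replaced with the matching value from the variable map, and the rendered policy is written out under the files path. Rendering refuses to emit a file that still contains an unresolved placeholder, since a Custodian policy whose role or queue literally reads "${SQS_ARN}" only fails once Custodian runs it. The ${NAME} placeholder syntax, the .tpl suffix, the NOTIFY_TO variable and the sample policy body are assumptions; the module's own renderer may use different conventions.

```python
"""Render Cloud Custodian policy templates from a variable map.

Added example, not the module's own code. Assumed conventions:
  * templates use Terraform-style ${NAME} placeholders
  * template files end in .tpl and are written out without that suffix
"""
from __future__ import annotations

import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

# Constructed sample template using the variable names from the Usage block
# (EC2_TAG_ROLE, SQS_ARN, REGION) plus an assumed NOTIFY_TO. The policy body
# is illustrative only and is not validated against Custodian's schema here.
SAMPLE_TEMPLATES = {
    "ec2-owner-tag.yml.tpl": """\
policies:
  - name: ec2-owner-tag-required
    resource: aws.ec2
    region: ${REGION}
    mode:
      type: cloudtrail
      role: ${EC2_TAG_ROLE}
      events:
        - RunInstances
    filters:
      - "tag:Owner": absent
    actions:
      - type: notify
        transport:
          type: sqs
          queue: ${SQS_ARN}
        to:
          - ${NOTIFY_TO}
""",
}


def placeholders(template: str) -> list[str]:
    """Return the sorted set of variable names a template refers to."""
    return sorted(set(PLACEHOLDER.findall(template)))


def render(template: str, variables: dict[str, str]) -> str:
    """Substitute placeholders; raise instead of emitting unresolved ones."""
    missing = [name for name in placeholders(template) if name not in variables]
    if missing:
        raise KeyError("unresolved template variables: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], template)


def render_tree(templates: dict[str, str], variables: dict[str, str],
                suffix: str = ".tpl") -> dict[str, str]:
    """Render every template into {output_file_name: content}, dropping the suffix.

    In the README's terms: templates are read from custodian_templates_path and
    the results land in custodian_files_path; here both sides are in-memory dicts.
    """
    rendered: dict[str, str] = {}
    for name, body in templates.items():
        out_name = name[: -len(suffix)] if name.endswith(suffix) else name
        rendered[out_name] = render(body, variables)
    return rendered


if __name__ == "__main__":
    # Constructed values; in the README these come from template_file_vars.
    values = {
        "EC2_TAG_ROLE": "refarch-example-tf-cloud-custodian",
        "SQS_ARN": "arn:aws:sqs:us-east-1:123456789012:example-queue",
        "REGION": "us-east-1",
        "NOTIFY_TO": "security@example.com",
    }
    for out_name, content in render_tree(SAMPLE_TEMPLATES, values).items():
        print(f"--- {out_name}\n{content}")
```

The strict failure on missing variables is the design choice worth keeping: a map entry that is misspelled in Terraform should stop the render, not silently produce a policy with a literal placeholder in it.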

Outputs

Name       | Description
bucket_arn | ARN of the bucket.
bucket_id  | Name of the bucket.
role_arn   | ARN of the role created.
role_name  | Name of the role created.
sqs_arn    | ARN of the SQS queue.

Versioning

This project keeps a .version file at the root of the repo; the pipeline reads it and creates a matching git tag.

Commits to main must increment this version. Once the change is merged, the pipeline runs and tags the latest git commit.

Development

Prerequisites

Install the prerequisites:
* pre-commit
* terraform
* terraform-docs

Then run pre-commit on the repo:

pre-commit install
pre-commit run --all-files

Authors

This project is authored by:
* SourceFuse ARC Team