terraform-aws-mcaf-energy-labeler

Terraform module to create an ECS scheduled task that periodically generates an AWS energy label based on awsenergylabelerlib.

This module should be run in the AWS account that collects your aggregated Security Hub findings. In a typical Control Tower deployment, this would be the Audit account.

In it's most minimal input, this module will create an S3 bucket to store the generated energy labels and a scheduled ECS task that will run every Sunday at 13:00 UTC.

module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    zone_name = "MYZONE"
  }
}

Or to target a single account:

module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    single_account_id = "123456789012"
  }
}

Should you prefer to use an existing bucket, you can specify the bucket name:

module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    zone_name = "MYZONE"
  }

  bucket_name   = "mybucket"
  bucket_prefix = "/myreport/"
}

If you want to create multiple reports, for example with different configurations, you should also set the name to avoid colliding resource names:

module "aws-energy-labeler" {
  for_each = {
    "myzone"    = { allowed_account_ids = ["123456789012"] },
    "otherzone" = { allowed_account_ids = ["234567890123"] },
  }

  source = "schubergphilis/mcaf-energy-labeler/aws"

  name        = "aws-energy-labeler-${each.value}"
  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    allowed_account_ids = each.value.allowed_account_ids
    zone_name           = each.key
  }
}

Requirements

Name	Version
terraform	>= 1.9
aws	>= 5.20

Providers

Name	Version
aws	>= 5.20

Modules

Name	Source	Version
aws_ecs_container_definition	terraform-aws-modules/ecs/aws//modules/container-definition	~> 5.11.4
iam_role	schubergphilis/mcaf-role/aws	~> 0.4.0
s3	schubergphilis/mcaf-s3/aws	~> 0.14.1

Resources

Name	Type
aws_cloudwatch_event_rule.default	resource
aws_cloudwatch_event_target.default	resource
aws_ecs_cluster.default	resource
aws_ecs_task_definition.default	resource
aws_security_group.default	resource
aws_vpc_security_group_egress_rule.default	resource
aws_ecs_cluster.selected	data source
aws_iam_policy_document.ecs_task	data source
aws_region.current	data source
aws_subnet.selected	data source

Inputs

Name	Description	Type	Default	Required
config	Map containing labeler configuration options	object({ allowed_account_ids = optional(list(string), []) denied_account_ids = optional(list(string), []) frameworks = optional(list(string), []) log_level = optional(string) report_suppressed_findings = optional(bool, false) single_account_id = optional(string) zone_name = optional(string) })	n/a	yes
kms_key_arn	The ARN of the KMS key to use for encryption	string	n/a	yes
bucket_name	The name of the bucket to store the exported findings (will be created if not specified)	string	null	no
bucket_prefix	The prefix to use for the bucket	string	"/"	no
cluster_arn	ARN of an existing ECS cluster, if left empty a new cluster will be created	string	null	no
iam_permissions_boundary	The permissions boundary to attach to the IAM role	string	null	no
iam_role_path	The path for the IAM role	string	"/"	no
image_uri	The URI of the container image to use	string	"ghcr.io/schubergphilis/awsenergylabeler:main"	no
memory	The memory size of the task	number	512	no
name	Name prefix of labeler resources	string	"aws-energy-labeler"	no
schedule_expression	The cron expression to be used for triggering the labeler	string	"cron(0 13 ? * SUN *)"	no
security_group_egress_rules	Security Group egress rules	list(object({ cidr_ipv4 = optional(string) cidr_ipv6 = optional(string) description = string from_port = optional(number, 0) ip_protocol = optional(string, "-1") prefix_list_id = optional(string) referenced_security_group_id = optional(string) to_port = optional(number, 0) }))	[ { "cidr_ipv4": "0.0.0.0/0", "description": "Allow outgoing HTTPS traffic for the labeler to work", "from_port": 443, "ip_protocol": "tcp", "to_port": 443 } ]	no
subnet_ids	VPC subnet ids this lambda runs from	list(string)	null	no
tags	A mapping of tags to assign	map(string)	{}	no

Outputs

Name	Description
task_role_arn	value of the task role arn

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.