
# terraform-aws-mcaf-energy-labeler

Terraform module to create an ECS scheduled task that periodically generates an AWS energy label based on awsenergylabelerlib.

This module should be run in the AWS account that collects your aggregated Security Hub findings. In a typical Control Tower deployment, this would be the Audit account.

In its most minimal configuration, this module creates an S3 bucket to store the generated energy labels and a scheduled ECS task that runs every Sunday at 13:00 UTC.

```hcl
module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    zone_name = "MYZONE"
  }
}
```

Or to target a single account:

```hcl
module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    single_account_id = "123456789012"
  }
}
```

Should you prefer to use an existing bucket, specify the bucket name (and optionally a prefix):

```hcl
module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    zone_name = "MYZONE"
  }

  bucket_name   = "mybucket"
  bucket_prefix = "/myreport/"
}
```

If you want to create multiple reports, for example with different configurations, also set `name` so the resource names of the module instances do not collide. Note that `each.value` is an object here, so the name must be derived from `each.key`:

```hcl
module "aws-energy-labeler" {
  for_each = {
    "myzone"    = { allowed_account_ids = ["123456789012"] },
    "otherzone" = { allowed_account_ids = ["234567890123"] },
  }

  source = "schubergphilis/mcaf-energy-labeler/aws"

  name        = "aws-energy-labeler-${each.key}"
  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  config = {
    allowed_account_ids = each.value.allowed_account_ids
    zone_name           = each.key
  }
}
```
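The examples above all accept the module defaults, including the default egress rule that allows HTTPS to `0.0.0.0/0`. The following is an added example (not part of this module's README) showing a more constrained deployment: an existing ECS cluster and subnets, a permissions boundary on the task role, a custom schedule, and egress limited to an S3 gateway endpoint prefix list plus the security group of VPC interface endpoints. It assumes those endpoints already exist in the VPC for the APIs the labeler calls; every account ID, ARN, subnet ID, security group ID and name is a constructed placeholder.

```hcl
# Added example, not from the module's README. All account IDs, ARNs, subnet
# IDs, security group IDs and names below are constructed placeholders.

# Managed prefix list of the regional S3 gateway endpoint, so the task can write
# reports to the bucket without an egress rule to 0.0.0.0/0. The region in the
# name must match the provider region; the gateway endpoint is assumed to exist.
data "aws_prefix_list" "s3" {
  name = "com.amazonaws.eu-west-1.s3"
}

module "aws-energy-labeler" {
  source = "schubergphilis/mcaf-energy-labeler/aws"

  name        = "aws-energy-labeler-audit"
  kms_key_arn = "arn:aws:kms:eu-west-1:123456789012:key/1234abcd-12ab-34cd-56ef-123456789012"

  # Reuse an existing cluster and private subnets instead of letting the module
  # create a cluster (placeholder values).
  cluster_arn = "arn:aws:ecs:eu-west-1:123456789012:cluster/audit-tooling"
  subnet_ids  = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]

  # Constrain the task role with the organization's permissions boundary and
  # place it under a dedicated IAM path (placeholder values).
  iam_permissions_boundary = "arn:aws:iam::123456789012:policy/OrgPermissionsBoundary"
  iam_role_path            = "/security-tooling/"

  # Run daily at 06:00 UTC instead of the default weekly run on Sunday 13:00 UTC.
  # EventBridge cron: minutes hours day-of-month month day-of-week year.
  schedule_expression = "cron(0 6 * * ? *)"

  # Replace the default "HTTPS to 0.0.0.0/0" egress rule with two narrower ones:
  # the S3 gateway endpoint prefix list, and the security group attached to the
  # VPC interface endpoints the labeler talks to (placeholder ID).
  security_group_egress_rules = [
    {
      description    = "HTTPS to the S3 gateway endpoint"
      prefix_list_id = data.aws_prefix_list.s3.id
      from_port      = 443
      to_port        = 443
      ip_protocol    = "tcp"
    },
    {
      description                  = "HTTPS to VPC interface endpoints"
      referenced_security_group_id = "sg-0123456789abcdef0"
      from_port                    = 443
      to_port                      = 443
      ip_protocol                  = "tcp"
    },
  ]

  # Scope the label to one zone, with explicit allow and deny lists
  # (placeholder account IDs).
  config = {
    zone_name           = "AUDIT"
    allowed_account_ids = ["123456789012", "234567890123"]
    denied_account_ids  = ["345678901234"]
  }

  tags = {
    Owner = "security-engineering"
  }
}
```

Because `security_group_egress_rules` replaces the default list rather than extending it, omitting the `0.0.0.0/0` entry is what removes the open egress; if the task later fails to reach Security Hub or S3, the first thing to check is that the interface and gateway endpoints cover every API the labeler uses.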

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.9 |
| aws | >= 5.20 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 5.20 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| aws_ecs_container_definition | terraform-aws-modules/ecs/aws//modules/container-definition | ~> 5.11.4 |
| iam_role | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
| s3 | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |

## Resources

| Name | Type |
|------|------|
| aws_cloudwatch_event_rule.default | resource |
| aws_cloudwatch_event_target.default | resource |
| aws_ecs_cluster.default | resource |
| aws_ecs_task_definition.default | resource |
| aws_security_group.default | resource |
| aws_vpc_security_group_egress_rule.default | resource |
| aws_ecs_cluster.selected | data source |
| aws_iam_policy_document.ecs_task | data source |
| aws_region.current | data source |
| aws_subnet.selected | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| config | Map containing labeler configuration options | <pre>object({<br>  allowed_account_ids        = optional(list(string), [])<br>  denied_account_ids         = optional(list(string), [])<br>  frameworks                 = optional(list(string), [])<br>  log_level                  = optional(string)<br>  report_suppressed_findings = optional(bool, false)<br>  single_account_id          = optional(string)<br>  zone_name                  = optional(string)<br>})</pre> | n/a | yes |
| kms_key_arn | The ARN of the KMS key to use for encryption | string | n/a | yes |
| bucket_name | The name of the bucket to store the exported findings (created if not specified) | string | null | no |
| bucket_prefix | The prefix to use within the bucket | string | "/" | no |
| cluster_arn | ARN of an existing ECS cluster; if left empty a new cluster is created | string | null | no |
| iam_permissions_boundary | The permissions boundary to attach to the IAM role | string | null | no |
| iam_role_path | The path for the IAM role | string | "/" | no |
| image_uri | The URI of the container image to use | string | "ghcr.io/schubergphilis/awsenergylabeler:main" | no |
| memory | The memory size of the task | number | 512 | no |
| name | Name prefix of labeler resources | string | "aws-energy-labeler" | no |
| schedule_expression | The cron expression used to trigger the labeler | string | "cron(0 13 ? * SUN *)" | no |
| security_group_egress_rules | Security group egress rules | <pre>list(object({<br>  cidr_ipv4                    = optional(string)<br>  cidr_ipv6                    = optional(string)<br>  description                  = string<br>  from_port                    = optional(number, 0)<br>  ip_protocol                  = optional(string, "-1")<br>  prefix_list_id               = optional(string)<br>  referenced_security_group_id = optional(string)<br>  to_port                      = optional(number, 0)<br>}))</pre> | <pre>[<br>  {<br>    "cidr_ipv4": "0.0.0.0/0",<br>    "description": "Allow outgoing HTTPS traffic for the labeler to work",<br>    "from_port": 443,<br>    "ip_protocol": "tcp",<br>    "to_port": 443<br>  }<br>]</pre> | no |
| subnet_ids | VPC subnet IDs the ECS task runs in | list(string) | null | no |
| tags | A mapping of tags to assign | map(string) | {} | no |

## Outputs

| Name | Description |
|------|-------------|
| task_role_arn | ARN of the ECS task role |

## License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.