clean: we should only need tags here (#55)

* chore: we should only need tags here

* fix: adding the exclusion on the trivy secuirty scanning

Author: gambol99

.gitignore

@@ -34,8 +34,11 @@ todo.md
 *.swp 
 *.swo 
 
-# Irgnore meld diff files 
+# Ignore meld diff files 
 *.orig 
 *.backup 
 *.rej 
 
+# Ignore lambda zip files and build directories
+*.zip 
+builds/

.trivyignore

@@ -3,3 +3,4 @@ AVD-DS-0015 # (Dockerfile) Purge Yum Package Cache - https://avd.aquasec.com/mis
 AVD-DS-0002 # (Dockerfile) Least Privilege User - https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0002/
 AVD-DS-0026 # (Dockerfile) No Healthcheck - https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0026/
 AVD-DS-0013 # (Dockerfile) Use Workdir Over Cd - https://avd.aquasec.com/misconfig/dockerfile/general/avd-ds-0013/
+AVD-AWS-0095 # https://avd.aquasec.com/misconfig/aws/sns/avd-aws-0095/

Makefile

@@ -71,7 +71,7 @@ init:
 	@echo "--> Running terraform init"
 	@terraform init -backend=false
 
-security: 
+security: init
 	@echo "--> Running Security checks"
 	@trivy config .
 	$(MAKE) security-modules
@@ -81,13 +81,15 @@ security-modules:
 	@echo "--> Running Security checks on modules"
 	@find . -type d -regex '.*/modules/[a-zA-Z\-_$$]*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
 		echo "--> Validating $$dir"; \
+	  terraform init -backend=false; \
 		trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
 	done; 
 
 security-examples:
 	@echo "--> Running Security checks on examples"
 	@find . -type d -path '*/examples/*' -not -path '*.terraform*' 2>/dev/null | while read -r dir; do \
 		echo "--> Validating $$dir"; \
+	  terraform init -backend=false; \
 		trivy config  --format table --exit-code  1 --severity  CRITICAL,HIGH --ignorefile .trivyignore $$dir; \
 	done;
 

main.tf

@@ -47,19 +47,15 @@ module "notify" {
   accounts_id_to_name                    = var.accounts_id_to_name
   cloudwatch_log_group_kms_key_id        = var.cloudwatch_log_group_kms_key_id
   cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention
-  cloudwatch_log_group_tags              = var.tags
   create_sns_topic                       = false
   delivery_channels                      = local.channels_config
   enable_slack                           = var.enable_slack
   enable_teams                           = var.enable_teams
-  iam_role_tags                          = var.tags
   identity_center_role                   = var.identity_center_role
   identity_center_start_url              = var.identity_center_start_url
-  lambda_function_tags                   = var.tags
   post_icons_url                         = var.post_icons_url
   recreate_missing_package               = false
   sns_topic_name                         = var.sns_topic_name
-  sns_topic_tags                         = var.tags
   tags                                   = var.tags
 
   depends_on = [module.sns]

modules/notify/README.md

@@ -94,19 +94,19 @@ Subsumed by appvia's GNU V3 license; [see license](../../LICENSE).
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.8 |
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
+| <a name="provider_local"></a> [local](#provider\_local) | >= 2.5.0 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_sns_topic_name"></a> [sns\_topic\_name](#input\_sns\_topic\_name) | The name of the SNS topic to create | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | n/a | yes |
 | <a name="input_accounts_id_to_name"></a> [accounts\_id\_to\_name](#input\_accounts\_id\_to\_name) | A mapping of account id and account name - used by notification lamdba to map an account ID to a human readable name | `map(string)` | `{}` | no |
 | <a name="input_architecture"></a> [architecture](#input\_architecture) | Instruction set architecture for your Lambda function. Valid values are "x86\_64" or "arm64". | `string` | `"arm64"` | no |
 | <a name="input_aws_powertools_service_name"></a> [aws\_powertools\_service\_name](#input\_aws\_powertools\_service\_name) | The service name to use | `string` | `"appvia-notifications"` | no |
 | <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data for Lambda | `string` | `null` | no |
 | <a name="input_cloudwatch_log_group_retention_in_days"></a> [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in log group for Lambda. | `number` | `0` | no |
-| <a name="input_cloudwatch_log_group_tags"></a> [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the Cloudwatch log group | `map(string)` | `{}` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether to create all resources | `bool` | `true` | no |
 | <a name="input_create_sns_topic"></a> [create\_sns\_topic](#input\_create\_sns\_topic) | Whether to create new SNS topic | `bool` | `true` | no |
 | <a name="input_delivery_channels"></a> [delivery\_channels](#input\_delivery\_channels) | The configuration for Slack notifications | <pre>map(object({<br/>    lambda_name = optional(string, "delivery_channel")<br/>    # The name of the lambda function to create<br/>    lambda_description = optional(string, "Lambda function to send notifications")<br/>    # The description for the lambda<br/>    secret_name = optional(string)<br/>    # An optional secret name in secrets manager to use for the slack configuration <br/>    webhook_url = optional(string)<br/>    # The webhook url to post to<br/>    filter_policy = optional(string)<br/>    # An optional SNS subscription filter policy to apply<br/>    filter_policy_scope = optional(string)<br/>    # If filter policy provided this is the scope of that policy; either "MessageAttributes" (default) or "MessageBody"<br/>  }))</pre> | `null` | no |
@@ -115,9 +115,8 @@ Subsumed by appvia's GNU V3 license; [see license](../../LICENSE).
 | <a name="input_enable_teams"></a> [enable\_teams](#input\_enable\_teams) | To send to teams, set to true | `bool` | `false` | no |
 | <a name="input_iam_policy_path"></a> [iam\_policy\_path](#input\_iam\_policy\_path) | Path of policies to that should be added to IAM role for Lambda Function | `string` | `null` | no |
 | <a name="input_iam_role_boundary_policy_arn"></a> [iam\_role\_boundary\_policy\_arn](#input\_iam\_role\_boundary\_policy\_arn) | The ARN of the policy that is used to set the permissions boundary for the role | `string` | `null` | no |
-| <a name="input_iam_role_name_prefix"></a> [iam\_role\_name\_prefix](#input\_iam\_role\_name\_prefix) | A unique role name beginning with the specified prefix | `string` | `"lambda"` | no |
+| <a name="input_iam_role_name_prefix"></a> [iam\_role\_name\_prefix](#input\_iam\_role\_name\_prefix) | A unique role name beginning with the specified prefix | `string` | `"lza"` | no |
 | <a name="input_iam_role_path"></a> [iam\_role\_path](#input\_iam\_role\_path) | Path of IAM role to use for Lambda Function | `string` | `null` | no |
-| <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | Additional tags for the IAM role | `map(string)` | `{}` | no |
 | <a name="input_identity_center_role"></a> [identity\_center\_role](#input\_identity\_center\_role) | The name of the role to use when redirecting through Identity Center | `string` | `null` | no |
 | <a name="input_identity_center_start_url"></a> [identity\_center\_start\_url](#input\_identity\_center\_start\_url) | The start URL of your Identity Center instance | `string` | `null` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key used for decrypting slack webhook url | `string` | `""` | no |
@@ -126,7 +125,6 @@ Subsumed by appvia's GNU V3 license; [see license](../../LICENSE).
 | <a name="input_lambda_function_ephemeral_storage_size"></a> [lambda\_function\_ephemeral\_storage\_size](#input\_lambda\_function\_ephemeral\_storage\_size) | Amount of ephemeral storage (/tmp) in MB your Lambda Function can use at runtime. Valid value between 512 MB to 10,240 MB (10 GB). | `number` | `512` | no |
 | <a name="input_lambda_function_s3_bucket"></a> [lambda\_function\_s3\_bucket](#input\_lambda\_function\_s3\_bucket) | S3 bucket to store artifacts | `string` | `null` | no |
 | <a name="input_lambda_function_store_on_s3"></a> [lambda\_function\_store\_on\_s3](#input\_lambda\_function\_store\_on\_s3) | Whether to store produced artifacts on S3 or locally. | `bool` | `false` | no |
-| <a name="input_lambda_function_tags"></a> [lambda\_function\_tags](#input\_lambda\_function\_tags) | Additional tags for the Lambda function | `map(string)` | `{}` | no |
 | <a name="input_lambda_function_vpc_security_group_ids"></a> [lambda\_function\_vpc\_security\_group\_ids](#input\_lambda\_function\_vpc\_security\_group\_ids) | List of security group ids when Lambda Function should run in the VPC. | `list(string)` | `null` | no |
 | <a name="input_lambda_function_vpc_subnet_ids"></a> [lambda\_function\_vpc\_subnet\_ids](#input\_lambda\_function\_vpc\_subnet\_ids) | List of subnet ids when Lambda Function should run in the VPC. Usually private or intra subnets. | `list(string)` | `null` | no |
 | <a name="input_lambda_role"></a> [lambda\_role](#input\_lambda\_role) | IAM role attached to the Lambda Function.  If this is set then a role will not be created for you. | `string` | `""` | no |
@@ -141,12 +139,9 @@ Subsumed by appvia's GNU V3 license; [see license](../../LICENSE).
 | <a name="input_sns_topic_feedback_role_name"></a> [sns\_topic\_feedback\_role\_name](#input\_sns\_topic\_feedback\_role\_name) | Name of the IAM role to use for SNS topic delivery status logging | `string` | `null` | no |
 | <a name="input_sns_topic_feedback_role_path"></a> [sns\_topic\_feedback\_role\_path](#input\_sns\_topic\_feedback\_role\_path) | Path of IAM role to use for SNS topic delivery status logging | `string` | `null` | no |
 | <a name="input_sns_topic_feedback_role_permissions_boundary"></a> [sns\_topic\_feedback\_role\_permissions\_boundary](#input\_sns\_topic\_feedback\_role\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the IAM role used by SNS topic delivery status logging | `string` | `null` | no |
-| <a name="input_sns_topic_feedback_role_tags"></a> [sns\_topic\_feedback\_role\_tags](#input\_sns\_topic\_feedback\_role\_tags) | A map of tags to assign to IAM the SNS topic feedback role | `map(string)` | `{}` | no |
 | <a name="input_sns_topic_kms_key_id"></a> [sns\_topic\_kms\_key\_id](#input\_sns\_topic\_kms\_key\_id) | ARN of the KMS key used for enabling SSE on the topic | `string` | `""` | no |
 | <a name="input_sns_topic_lambda_feedback_role_arn"></a> [sns\_topic\_lambda\_feedback\_role\_arn](#input\_sns\_topic\_lambda\_feedback\_role\_arn) | IAM role for SNS topic delivery status logs.  If this is set then a role will not be created for you. | `string` | `""` | no |
 | <a name="input_sns_topic_lambda_feedback_sample_rate"></a> [sns\_topic\_lambda\_feedback\_sample\_rate](#input\_sns\_topic\_lambda\_feedback\_sample\_rate) | The percentage of successful deliveries to log | `number` | `100` | no |
-| <a name="input_sns_topic_tags"></a> [sns\_topic\_tags](#input\_sns\_topic\_tags) | Additional tags for the SNS topic | `map(string)` | `{}` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
 
 ## Outputs
 

modules/notify/iam.tf

@@ -24,15 +24,11 @@ data "aws_iam_policy_document" "sns_feedback" {
 resource "aws_iam_role" "sns_feedback_role" {
   count = local.create_sns_feedback_role ? 1 : 0
 
-  name                  = var.sns_topic_feedback_role_name
+  assume_role_policy    = data.aws_iam_policy_document.sns_feedback[0].json
   description           = var.sns_topic_feedback_role_description
-  path                  = var.sns_topic_feedback_role_path
   force_detach_policies = var.sns_topic_feedback_role_force_detach_policies
+  name                  = var.sns_topic_feedback_role_name
+  path                  = var.sns_topic_feedback_role_path
   permissions_boundary  = var.sns_topic_feedback_role_permissions_boundary
-  assume_role_policy    = data.aws_iam_policy_document.sns_feedback[0].json
-
-  tags = merge(
-    var.tags,
-    var.sns_topic_feedback_role_tags,
-  )
+  tags                  = var.tags
 }

modules/notify/main.tf

@@ -116,26 +116,22 @@ data "aws_iam_policy_document" "lambda" {
 resource "aws_cloudwatch_log_group" "lambda" {
   for_each = local.distributions
 
+  kms_key_id        = var.cloudwatch_log_group_kms_key_id
   name              = "/aws/lambda/${var.delivery_channels[each.value].lambda_name}"
   retention_in_days = var.cloudwatch_log_group_retention_in_days
-  kms_key_id        = var.cloudwatch_log_group_kms_key_id
-
-  tags = merge(var.tags, var.cloudwatch_log_group_tags)
+  tags              = var.tags
 }
 
 #trivy:ignore:avd-aws-0095
 resource "aws_sns_topic" "this" {
   count = var.create_sns_topic && var.create ? 1 : 0
 
-  name = var.sns_topic_name
-
-  kms_master_key_id = var.sns_topic_kms_key_id
-
+  kms_master_key_id                   = var.sns_topic_kms_key_id
   lambda_failure_feedback_role_arn    = var.enable_sns_topic_delivery_status_logs ? local.sns_feedback_role : null
   lambda_success_feedback_role_arn    = var.enable_sns_topic_delivery_status_logs ? local.sns_feedback_role : null
   lambda_success_feedback_sample_rate = var.enable_sns_topic_delivery_status_logs ? var.sns_topic_lambda_feedback_sample_rate : null
-
-  tags = merge(var.tags, var.sns_topic_tags)
+  name                                = var.sns_topic_name
+  tags                                = var.tags
 }
 
 
@@ -211,17 +207,37 @@ module "lambda" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "7.10.0"
 
-  create = var.create
-
-  function_name = try(var.delivery_channels[each.value].lambda_name, "notify_${each.value}")
-  description   = try(var.delivery_channels[each.value].lambda_description, "")
-
-  hash_extra = each.value
-  handler    = "${local.lambda_handler[each.value]}.lambda_handler"
-
-  # source_path                    = var.lambda_source_path != null ? "${path.root}/${var.lambda_source_path}" : "${path.module}/functions/src/notify_${each.value}.py"
-  # source_path                    = var.lambda_source_path != null ? "${path.root}/${var.lambda_source_path}" : "${path.module}/functions/src"
-
+  architectures                     = [var.architecture]
+  attach_cloudwatch_logs_policy     = false
+  attach_dead_letter_policy         = var.lambda_attach_dead_letter_policy
+  attach_network_policy             = var.lambda_function_vpc_subnet_ids != null
+  attach_policy_json                = true
+  create                            = var.create
+  create_role                       = var.lambda_role == ""
+  dead_letter_target_arn            = var.lambda_dead_letter_target_arn
+  description                       = try(var.delivery_channels[each.value].lambda_description, "")
+  ephemeral_storage_size            = var.lambda_function_ephemeral_storage_size
+  function_name                     = try(var.delivery_channels[each.value].lambda_name, "notify_${each.value}")
+  handler                           = "${local.lambda_handler[each.value]}.lambda_handler"
+  hash_extra                        = each.value
+  kms_key_arn                       = var.kms_key_arn
+  lambda_role                       = var.lambda_role
+  policy_json                       = try(data.aws_iam_policy_document.lambda[each.value].json, "")
+  policy_path                       = var.iam_policy_path
+  recreate_missing_package          = var.recreate_missing_package
+  reserved_concurrent_executions    = var.reserved_concurrent_executions
+  role_name                         = "${var.iam_role_name_prefix}-${var.delivery_channels[each.value].lambda_name}"
+  role_path                         = var.iam_role_path
+  role_permissions_boundary         = var.iam_role_boundary_policy_arn
+  role_tags                         = var.tags
+  runtime                           = var.python_runtime
+  s3_bucket                         = var.lambda_function_s3_bucket
+  store_on_s3                       = var.lambda_function_store_on_s3
+  tags                              = var.tags
+  timeout                           = 10
+  use_existing_cloudwatch_log_group = true
+  vpc_security_group_ids            = var.lambda_function_vpc_security_group_ids
+  vpc_subnet_ids                    = var.lambda_function_vpc_subnet_ids
 
   # Bug in this module when creating source bundles on updated code change:
   # `Error: Provider produced inconsistent final plan`
@@ -247,14 +263,6 @@ module "lambda" {
     }
   ]
 
-  recreate_missing_package       = var.recreate_missing_package
-  runtime                        = var.python_runtime
-  architectures                  = [var.architecture]
-  timeout                        = 10
-  kms_key_arn                    = var.kms_key_arn
-  reserved_concurrent_executions = var.reserved_concurrent_executions
-  ephemeral_storage_size         = var.lambda_function_ephemeral_storage_size
-
   # If publish is disabled, there will be "Error adding new Lambda Permission for notify_xxxxx:
   # InvalidParameterValueException: We currently do not support adding policies for $LATEST."
   publish = true
@@ -273,42 +281,13 @@ module "lambda" {
     }
   ))
 
-  create_role               = var.lambda_role == ""
-  lambda_role               = var.lambda_role
-  role_name                 = "${var.iam_role_name_prefix}-${var.delivery_channels[each.value].lambda_name}"
-  role_permissions_boundary = var.iam_role_boundary_policy_arn
-  role_tags                 = var.iam_role_tags
-  role_path                 = var.iam_role_path
-  policy_path               = var.iam_policy_path
-
-  # Do not use Lambda's policy for cloudwatch logs, because we have to add a policy
-  # for KMS conditionally. This way attach_policy_json is always true independenty of
-  # the value of presense of KMS. Famous "computed values in count" bug...
-  attach_cloudwatch_logs_policy = false
-  attach_policy_json            = true
-  policy_json                   = try(data.aws_iam_policy_document.lambda[each.value].json, "")
-
-  use_existing_cloudwatch_log_group = true
-  attach_network_policy             = var.lambda_function_vpc_subnet_ids != null
-
-  dead_letter_target_arn    = var.lambda_dead_letter_target_arn
-  attach_dead_letter_policy = var.lambda_attach_dead_letter_policy
-
   allowed_triggers = {
     AllowExecutionFromSNS = {
       principal  = "sns.amazonaws.com"
       source_arn = local.sns_topic_arn
     }
   }
 
-  store_on_s3 = var.lambda_function_store_on_s3
-  s3_bucket   = var.lambda_function_s3_bucket
-
-  vpc_subnet_ids         = var.lambda_function_vpc_subnet_ids
-  vpc_security_group_ids = var.lambda_function_vpc_security_group_ids
-
-  tags = merge(var.tags, var.lambda_function_tags)
-
   depends_on = [
     aws_cloudwatch_log_group.lambda,
     local_file.notify_account_names_dict_python,