v0.2.0 (#21)

quixoticmonk · web-flow · commit 41801e071889 · 2025-01-10T13:29:15.000-08:00
New changes:
* tfe provider version
* updated oac name, event name to provide uniqueness
* fulfillment url evaluation in case of no changes
* support for python3.12/3/13 lambda runtime in validations
* kms alias name with a prefix.
diff --git a/.config/.tflint.hcl b/.config/.tflint.hcl
@@ -3,7 +3,7 @@
 
 plugin "aws" {
   enabled = true
-  version = "0.22.1"
+  version = "0.54.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v0.1.0
+v0.2.0
diff --git a/cloudfront.tf b/cloudfront.tf
@@ -19,8 +19,8 @@ module "runtask_cloudfront" {
 
   create_origin_access_control = true
   origin_access_control = {
-    lambda_oac = {
-      description      = "CloudFront OAC to Lambda"
+    lambda_oac_plan_analyzer = {
+      description      = "CloudFront OAC to Lambda AWS-IA plan analyzer"
       origin_type      = "lambda"
       signing_behavior = "always"
       signing_protocol = "sigv4"
@@ -36,7 +36,7 @@ module "runtask_cloudfront" {
         origin_protocol_policy = "https-only"
         origin_ssl_protocols   = ["TLSv1.2"]
       }
-      origin_access_control = "lambda_oac"
+      origin_access_control = "lambda_oac_plan_analyzer"
       custom_header         = var.deploy_waf ? [local.cloudfront_custom_header] : null
     }
   }
diff --git a/examples/basic/providers.tf b/examples/basic/providers.tf
@@ -8,7 +8,7 @@ terraform {
 
     tfe = {
       source  = "hashicorp/tfe"
-      version = "~> 0.38.0"
+      version = ">= 0.38.0"
     }
   }
 }
diff --git a/kms.tf b/kms.tf
@@ -11,7 +11,7 @@ resource "aws_kms_key" "runtask_key" {
 
 # Assign an alias to the key
 resource "aws_kms_alias" "runtask_key" {
-  name          = "alias/runTask"
+  name          = "alias/${local.solution_prefix}-runTask"
   target_key_id = aws_kms_key.runtask_key.key_id
 }
 
@@ -28,6 +28,6 @@ resource "aws_kms_key" "runtask_waf" {
 resource "aws_kms_alias" "runtask_waf" {
   count         = local.waf_deployment
   provider      = aws.cloudfront_waf
-  name          = "alias/runtask-WAF"
+  name          = "alias/${local.solution_prefix}-runtask-WAF"
   target_key_id = aws_kms_key.runtask_waf[count.index].key_id
 }
diff --git a/lambda.tf b/lambda.tf
@@ -26,6 +26,7 @@ resource "aws_lambda_function" "runtask_eventbridge" {
       HCP_TF_CF_SECRET_ARN   = var.deploy_waf ? aws_secretsmanager_secret.runtask_cloudfront[0].arn : null
       HCP_TF_CF_SIGNATURE    = var.deploy_waf ? local.cloudfront_sig_name : null
       EVENT_BUS_NAME         = var.event_bus_name
+      EVENT_RULE_DETAIL_TYPE = local.solution_prefix # ensure uniqueness of event sent to each runtask state machine
     }
   }
   tracing_config {
@@ -42,7 +43,6 @@ resource "aws_lambda_function" "runtask_eventbridge" {
 resource "aws_lambda_function_url" "runtask_eventbridge" {
   function_name      = aws_lambda_function.runtask_eventbridge.function_name
   authorization_type = "AWS_IAM"
-  #checkov:skip=CKV_AWS_258:auth set to none, validation hmac inside the lambda code
 }
 
 resource "aws_lambda_permission" "runtask_eventbridge" {
@@ -78,9 +78,10 @@ resource "aws_lambda_function" "runtask_request" {
   }
   environment {
     variables = {
-      HCP_TF_ORG       = var.hcp_tf_org
-      RUNTASK_STAGES   = join(",", var.runtask_stages)
-      WORKSPACE_PREFIX = length(var.workspace_prefix) > 0 ? var.workspace_prefix : null
+      HCP_TF_ORG             = var.hcp_tf_org
+      RUNTASK_STAGES         = join(",", var.runtask_stages)
+      WORKSPACE_PREFIX       = length(var.workspace_prefix) > 0 ? var.workspace_prefix : null
+      EVENT_RULE_DETAIL_TYPE = local.solution_prefix # ensure uniqueness of event sent to each runtask state machine
     }
   }
   tags = local.combined_tags
diff --git a/lambda/runtask_callback/handler.py b/lambda/runtask_callback/handler.py
@@ -35,7 +35,7 @@ def lambda_handler(event, _):
     logger.debug(json.dumps(event))
     try:
         # trim empty url from the payload
-        if event["payload"]["result"]["fulfillment"]["url"] == False:
+        if "fulfillment" in event["payload"]["result"] and event["payload"]["result"]["fulfillment"]["url"] == False:
             event["payload"]["result"]["fulfillment"].pop("url")
 
         if (
diff --git a/lambda/runtask_eventbridge/handler.py b/lambda/runtask_eventbridge/handler.py
@@ -15,7 +15,7 @@
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 """
 
-"""HashiCorp HCP Terraform run task event handler implementation"""
+"""HCP Terraform run task event handler implementation"""
 
 import os
 import hmac
@@ -46,6 +46,7 @@
 logger.info("Log level set to %s" % logger.getEffectiveLevel())
 
 event_bus_name = os.environ.get("EVENT_BUS_NAME", "default")
+event_rule_detail_type = os.environ.get("EVENT_RULE_DETAIL_TYPE", "tfplan-analyzer")
 event_bridge_client = boto3.client("events")
 
 ## Add user-agent to event-bridge event
@@ -80,7 +81,6 @@ def lambda_handler(event, _):
         )
         return {"statusCode": 500, "body": "Internal Server Error"}
 
-    detail_type = "hcp-tf-runtask"
     try:
         if hcp_tf_use_waf == "True" and not contains_valid_cloudfront_signature(
             event=event
@@ -92,7 +92,7 @@ def lambda_handler(event, _):
             print_error("401 Unauthorized - Invalid Payload Signature", headers)
             return {"statusCode": 401, "body": "Invalid Payload Signature"}
 
-        response = forward_event(json_payload, detail_type)
+        response = forward_event(json_payload, event_rule_detail_type)
 
         if response["FailedEntryCount"] > 0:
             print_error(
diff --git a/lambda/runtask_request/handler.py b/lambda/runtask_request/handler.py
@@ -22,6 +22,7 @@
 HCP_TF_ORG = os.environ.get("HCP_TF_ORG", False)
 WORKSPACE_PREFIX = os.environ.get("WORKSPACE_PREFIX", False)
 RUNTASK_STAGES = os.environ.get("RUNTASK_STAGES", False)
+EVENT_RULE_DETAIL_TYPE = os.environ.get("EVENT_RULE_DETAIL_TYPE", "tfplan-analyzer") # assume there could be multiple deployment of this module, this will ensure each rule are unique
 
 logger = logging.getLogger()
 log_level = os.environ.get("log_level", logging.INFO)
@@ -34,7 +35,7 @@ def lambda_handler(event, _):
     logger.debug(json.dumps(event))
     try:
         VERIFY = True
-        if event["payload"]["detail-type"] == "hcp-tf-runtask":
+        if event["payload"]["detail-type"] == EVENT_RULE_DETAIL_TYPE:
             if (
                 HCP_TF_ORG
                 and event["payload"]["detail"]["organization_name"] != HCP_TF_ORG
diff --git a/variables.tf b/variables.tf
@@ -107,8 +107,8 @@ variable "lambda_python_runtime" {
   type        = string
   default     = "python3.11"
   validation {
-    condition     = contains(["python3.11", "python3.10", "python3.9"], var.lambda_python_runtime)
-    error_message = "Valid values for var: lambda_python_runtime are python3.11, python3.10, python3.9"
+    condition     = contains(["python3.13","python3.12","python3.11", "python3.10", "python3.9"], var.lambda_python_runtime)
+    error_message = "Valid values for var: lambda_python_runtime are python3.13, python3.12, python3.11, python3.10, python3.9"
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`
`4`	`4`	`plugin "aws" {`
`5`	`5`	`enabled = true`
`6`		`- version = "0.22.1"`
	`6`	`+ version = "0.54.0"`
`7`	`7`	`source = "github.com/terraform-linters/tflint-ruleset-aws"`
`8`	`8`	`}`
`9`	`9`
Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,8 @@ module "runtask_cloudfront" {`
`19`	`19`
`20`	`20`	`create_origin_access_control = true`
`21`	`21`	`origin_access_control = {`
`22`		`- lambda_oac = {`
`23`		`- description = "CloudFront OAC to Lambda"`
	`22`	`+ lambda_oac_plan_analyzer = {`
	`23`	`+ description = "CloudFront OAC to Lambda AWS-IA plan analyzer"`
`24`	`24`	`origin_type = "lambda"`
`25`	`25`	`signing_behavior = "always"`
`26`	`26`	`signing_protocol = "sigv4"`
`@@ -36,7 +36,7 @@ module "runtask_cloudfront" {`
`36`	`36`	`origin_protocol_policy = "https-only"`
`37`	`37`	`origin_ssl_protocols = ["TLSv1.2"]`
`38`	`38`	`}`
`39`		`- origin_access_control = "lambda_oac"`
	`39`	`+ origin_access_control = "lambda_oac_plan_analyzer"`
`40`	`40`	`custom_header = var.deploy_waf ? [local.cloudfront_custom_header] : null`
`41`	`41`	`}`
`42`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ terraform {`
`8`	`8`
`9`	`9`	`tfe = {`
`10`	`10`	`source = "hashicorp/tfe"`
`11`		`- version = "~> 0.38.0"`
	`11`	`+ version = ">= 0.38.0"`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ resource "aws_kms_key" "runtask_key" {`
`11`	`11`
`12`	`12`	`# Assign an alias to the key`
`13`	`13`	`resource "aws_kms_alias" "runtask_key" {`
`14`		`- name = "alias/runTask"`
	`14`	`+ name = "alias/${local.solution_prefix}-runTask"`
`15`	`15`	`target_key_id = aws_kms_key.runtask_key.key_id`
`16`	`16`	`}`
`17`	`17`
`@@ -28,6 +28,6 @@ resource "aws_kms_key" "runtask_waf" {`
`28`	`28`	`resource "aws_kms_alias" "runtask_waf" {`
`29`	`29`	`count = local.waf_deployment`
`30`	`30`	`provider = aws.cloudfront_waf`
`31`		`- name = "alias/runtask-WAF"`
	`31`	`+ name = "alias/${local.solution_prefix}-runtask-WAF"`
`32`	`32`	`target_key_id = aws_kms_key.runtask_waf[count.index].key_id`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ resource "aws_lambda_function" "runtask_eventbridge" {`
`26`	`26`	`HCP_TF_CF_SECRET_ARN = var.deploy_waf ? aws_secretsmanager_secret.runtask_cloudfront[0].arn : null`
`27`	`27`	`HCP_TF_CF_SIGNATURE = var.deploy_waf ? local.cloudfront_sig_name : null`
`28`	`28`	`EVENT_BUS_NAME = var.event_bus_name`
	`29`	`+ EVENT_RULE_DETAIL_TYPE = local.solution_prefix # ensure uniqueness of event sent to each runtask state machine`
`29`	`30`	`}`
`30`	`31`	`}`
`31`	`32`	`tracing_config {`
`@@ -42,7 +43,6 @@ resource "aws_lambda_function" "runtask_eventbridge" {`
`42`	`43`	`resource "aws_lambda_function_url" "runtask_eventbridge" {`
`43`	`44`	`function_name = aws_lambda_function.runtask_eventbridge.function_name`
`44`	`45`	`authorization_type = "AWS_IAM"`
`45`		`- #checkov:skip=CKV_AWS_258:auth set to none, validation hmac inside the lambda code`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`resource "aws_lambda_permission" "runtask_eventbridge" {`
`@@ -78,9 +78,10 @@ resource "aws_lambda_function" "runtask_request" {`
`78`	`78`	`}`
`79`	`79`	`environment {`
`80`	`80`	`variables = {`
`81`		`- HCP_TF_ORG = var.hcp_tf_org`
`82`		`- RUNTASK_STAGES = join(",", var.runtask_stages)`
`83`		`- WORKSPACE_PREFIX = length(var.workspace_prefix) > 0 ? var.workspace_prefix : null`
	`81`	`+ HCP_TF_ORG = var.hcp_tf_org`
	`82`	`+ RUNTASK_STAGES = join(",", var.runtask_stages)`
	`83`	`+ WORKSPACE_PREFIX = length(var.workspace_prefix) > 0 ? var.workspace_prefix : null`
	`84`	`+ EVENT_RULE_DETAIL_TYPE = local.solution_prefix # ensure uniqueness of event sent to each runtask state machine`
`84`	`85`	`}`
`85`	`86`	`}`
`86`	`87`	`tags = local.combined_tags`
Original file line number	Diff line number	Diff line change
`@@ -107,8 +107,8 @@ variable "lambda_python_runtime" {`
`107`	`107`	`type = string`
`108`	`108`	`default = "python3.11"`
`109`	`109`	`validation {`
`110`		`- condition = contains(["python3.11", "python3.10", "python3.9"], var.lambda_python_runtime)`
`111`		`- error_message = "Valid values for var: lambda_python_runtime are python3.11, python3.10, python3.9"`
	`110`	`+ condition = contains(["python3.13","python3.12","python3.11", "python3.10", "python3.9"], var.lambda_python_runtime)`
	`111`	`+ error_message = "Valid values for var: lambda_python_runtime are python3.13, python3.12, python3.11, python3.10, python3.9"`
`112`	`112`	`}`
`113`	`113`	`}`
`114`	`114`