upgrade cloud custodian versions + make S3 bucket creation optional i… (#9)

Author: ElsevierAlex

examples/cloudtrail/main.tf

@@ -7,6 +7,7 @@ locals {
 }
 
 module "cloud_custodian_s3" {
+  count  = var.create_bucket ? 1 : 0
   source = "terraform-aws-modules/s3-bucket/aws"
 
   bucket        = "${local.prefix}cloudtrail-${local.account_id}"
@@ -39,15 +40,17 @@ resource "aws_iam_role_policy" "custodian" {
 }
 
 data "aws_iam_policy_document" "custodian" {
-  statement {
-
-    actions = [
-      "s3:PutObject",
-    ]
-
-    resources = [
-      "${module.cloud_custodian_s3.s3_bucket_arn}/*",
-    ]
+  dynamic "statement" {
+    for_each = var.create_bucket ? ["${module.cloud_custodian_s3[0].s3_bucket_arn}/*"] : []
+    content {
+      actions = [
+        "s3:PutObject",
+      ]
+
+      resources = [
+        statement.value
+      ]
+    }
   }
 
   statement {
@@ -79,15 +82,16 @@ module "cloud_custodian_lambda" {
 
   regions = [local.region]
 
-  execution_options = {
+  execution_options = var.create_bucket ? {
     # Not really required but if you run custodian run you need to specify -s/--output-dir you'd then have execution-options
     # as part of the config.json with the output_dir that was specified
     "output_dir" = "s3://${local.prefix}cloudtrail-${local.account_id}/output?region=${local.region}"
-  }
+  } : {}
 
   policies = templatefile("${path.module}/templates/policy.yaml.tpl", {
-    prefix     = local.prefix
-    account_id = local.account_id
+    prefix        = local.prefix
+    account_id    = local.account_id
+    create_bucket = var.create_bucket
   })
 
   depends_on = [

examples/cloudtrail/templates/policy.yaml.tpl

@@ -8,9 +8,11 @@ policies:
       metrics_enabled: true
       dryrun: false
       log_group: "/cloud-custodian/policies"
-      output_dir: s3://${prefix}cloudtrail-${account_id}/output
-      cache_dir: s3://${prefix}cloudtrail-${account_id}/cache
+%{ if create_bucket ~}
+      output_dir: s3://$${prefix}cloudtrail-$${account_id}/output
+      cache_dir: s3://$${prefix}cloudtrail-$${account_id}/cache
       cache_period: 15
+%{ endif ~}
     role: arn:aws:iam::${account_id}:role/${prefix}cloudtrail-lambda
     events:
     - source: ec2.amazonaws.com

examples/cloudtrail/variables.tf

@@ -0,0 +1,5 @@
+variable "create_bucket" {
+  description = "Whether to create the S3 bucket for Cloud Custodian results"
+  type        = bool
+  default     = true
+}

examples/config-rule/main.tf

@@ -7,6 +7,7 @@ locals {
 }
 
 module "cloud_custodian_s3" {
+  count  = var.create_bucket ? 1 : 0
   source = "terraform-aws-modules/s3-bucket/aws"
 
   bucket        = "${local.prefix}config-rule-${local.account_id}"
@@ -39,15 +40,17 @@ resource "aws_iam_role_policy" "custodian" {
 }
 
 data "aws_iam_policy_document" "custodian" {
-  statement {
-
-    actions = [
-      "s3:PutObject",
-    ]
+  dynamic "statement" {
+    for_each = var.create_bucket ? ["${module.cloud_custodian_s3[0].s3_bucket_arn}/*"] : []
+    content {
+      actions = [
+        "s3:PutObject",
+      ]
 
-    resources = [
-      "${module.cloud_custodian_s3.s3_bucket_arn}/*",
-    ]
+      resources = [
+        statement.value
+      ]
+    }
   }
 
   statement {
@@ -103,11 +106,11 @@ module "cloud_custodian_lambda" {
 
   regions = [local.region]
 
-  execution_options = {
+  execution_options = var.create_bucket ? {
     # Not really required but if you run custodian run you need to specify -s/--output-dir you'd then have execution-options
     # as part of the config.json with the output_dir that was specified
     "output_dir" = "s3://${local.prefix}config-rule-${local.account_id}/output?region=${local.region}"
-  }
+  } : {}
   policies = <<EOF
 {
   "policies": [
@@ -116,14 +119,18 @@ module "cloud_custodian_lambda" {
       "mode": {
         "type": "config-rule",
         "function-prefix": "${local.prefix}",
-        "execution-options": {
-          "metrics_enabled": true,
-          "dryrun": false,
-          "log_group": "/cloud-custodian/policies",
-          "output_dir": "s3://${local.prefix}config-rule-${local.account_id}/output",
-          "cache_dir": "s3://${local.prefix}config-rule-${local.account_id}/cache",
-          "cache_period": 15
-        },
+        "execution-options": ${jsonencode(merge(
+          {
+            metrics_enabled = true
+            dryrun = false
+            log_group = "/cloud-custodian/policies"
+          },
+          var.create_bucket ? {
+            output_dir = "s3://${local.prefix}config-rule-${local.account_id}/output"
+            cache_dir = "s3://${local.prefix}config-rule-${local.account_id}/cache"
+            cache_period = 15
+          } : {}
+        ))},
         "role": "arn:aws:iam::${local.account_id}:role/${local.prefix}config-rule-lambda"
       },
       "resource": "ec2",

examples/config-rule/variables.tf

@@ -0,0 +1,5 @@
+variable "create_bucket" {
+  description = "Whether to create the S3 bucket for Cloud Custodian results"
+  type        = bool
+  default     = true
+}

examples/ec2-instance-state/main.tf

@@ -7,6 +7,7 @@ locals {
 }
 
 module "cloud_custodian_s3" {
+  count  = var.create_bucket ? 1 : 0
   source = "terraform-aws-modules/s3-bucket/aws"
 
   bucket        = "${local.prefix}ec2-instance-state-${local.account_id}"
@@ -39,15 +40,17 @@ resource "aws_iam_role_policy" "custodian" {
 }
 
 data "aws_iam_policy_document" "custodian" {
-  statement {
-
-    actions = [
-      "s3:PutObject",
-    ]
-
-    resources = [
-      "${module.cloud_custodian_s3.s3_bucket_arn}/*",
-    ]
+  dynamic "statement" {
+    for_each = var.create_bucket ? ["${module.cloud_custodian_s3[0].s3_bucket_arn}/*"] : []
+    content {
+      actions = [
+        "s3:PutObject",
+      ]
+
+      resources = [
+        statement.value
+      ]
+    }
   }
 
   statement {
@@ -78,11 +81,11 @@ module "cloud_custodian_lambda" {
 
   regions = [local.region]
 
-  execution_options = {
+  execution_options = var.create_bucket ? {
     # Not really required but if you run custodian run you need to specify -s/--output-dir you'd then have execution-options
     # as part of the config.json with the output_dir that was specified
     "output_dir" = "s3://${local.prefix}ec2-instance-state-${local.account_id}/output?region=${local.region}"
-  }
+  } : {}
 
   force_deploy = var.force_deploy
 
@@ -94,14 +97,18 @@ module "cloud_custodian_lambda" {
       "mode": {
         "type": "ec2-instance-state",
         "function-prefix": "${local.prefix}",
-        "execution-options": {
-          "metrics_enabled": true,
-          "dryrun": false,
-          "log_group": "/cloud-custodian/policies",
-          "output_dir": "s3://${local.prefix}ec2-instance-state-${local.account_id}/output",
-          "cache_dir": "s3://${local.prefix}ec2-instance-state-${local.account_id}/cache",
-          "cache_period": 15
-        },
+        "execution-options": ${jsonencode(merge(
+          {
+            metrics_enabled = true
+            dryrun = false
+            log_group = "/cloud-custodian/policies"
+          },
+          var.create_bucket ? {
+            output_dir = "s3://${local.prefix}ec2-instance-state-${local.account_id}/output"
+            cache_dir = "s3://${local.prefix}ec2-instance-state-${local.account_id}/cache"
+            cache_period = 15
+          } : {}
+        ))},
         "role": "arn:aws:iam::${local.account_id}:role/${local.prefix}ec2-instance-state-lambda",
         "events": [
           "terminated"

examples/ec2-instance-state/variables.tf

@@ -1,3 +1,9 @@
+variable "create_bucket" {
+  description = "Whether to create the S3 bucket for Cloud Custodian results"
+  type        = bool
+  default     = true
+}
+
 variable "force_deploy" {
   description = <<EOT
     Force redeployment of Lambda functions by updating a deployment timestamp tag.

examples/multi-policies/main.tf

@@ -6,6 +6,7 @@ locals {
 }
 
 module "cloud_custodian_s3" {
+  count  = var.create_bucket ? 1 : 0
   source = "terraform-aws-modules/s3-bucket/aws"
 
   bucket        = "${local.prefix}multi-policies-${local.account_id}"
@@ -38,15 +39,17 @@ resource "aws_iam_role_policy" "custodian" {
 }
 
 data "aws_iam_policy_document" "custodian" {
-  statement {
-
-    actions = [
-      "s3:PutObject",
-    ]
-
-    resources = [
-      "${module.cloud_custodian_s3.s3_bucket_arn}/*",
-    ]
+  dynamic "statement" {
+    for_each = var.create_bucket ? ["${module.cloud_custodian_s3[0].s3_bucket_arn}/*"] : []
+    content {
+      actions = [
+        "s3:PutObject",
+      ]
+
+      resources = [
+        statement.value
+      ]
+    }
   }
 
   statement {
@@ -113,9 +116,16 @@ data "aws_iam_policy_document" "scheduler" {
 module "custodian_policies" {
   source = "../../modules/cloud-custodian-lambda-policies"
 
+  execution_options = var.create_bucket ? {
+    # Not really required but if you run custodian run you need to specify -s/--output-dir you'd then have execution-options
+    # as part of the config.json with the output_dir that was specified
+    "output_dir" = "s3://${local.prefix}multi-policies-${local.account_id}/output"
+  } : {}
+
   policies = templatefile("${path.module}/templates/policies.yaml.tpl", {
-    prefix     = local.prefix
-    account_id = local.account_id
+    prefix        = local.prefix
+    account_id    = local.account_id
+    create_bucket = var.create_bucket
   })
   regions = var.regions
 

examples/multi-policies/templates/policies.yaml.tpl

@@ -12,9 +12,11 @@ policies:
       metrics_enabled: true
       dryrun: false
       log_group: "/cloud-custodian/policies"
-      output_dir: s3://${prefix}multi-policies-${account_id}/output
-      cache_dir: s3://${prefix}multi-policies-${account_id}/cache
+%{ if create_bucket ~}
+      output_dir: s3://$${prefix}multi-policies-$${account_id}/output
+      cache_dir: s3://$${prefix}multi-policies-$${account_id}/cache
       cache_period: 15
+%{ endif ~}
     schedule: cron(0 11 ? * 3 *)
     timezone: Europe/London
     scheduler-role: ${prefix}multi-policies-scheduler
@@ -31,9 +33,11 @@ policies:
       metrics_enabled: true
       dryrun: false
       log_group: "/cloud-custodian/policies"
-      output_dir: s3://${prefix}multi-policies-${account_id}/output
-      cache_dir: s3://${prefix}multi-policies-${account_id}/cache
+%{ if create_bucket ~}
+      output_dir: s3://$${prefix}multi-policies-$${account_id}/output
+      cache_dir: s3://$${prefix}multi-policies-$${account_id}/cache
       cache_period: 15
+%{ endif ~}
     schedule: cron(0 11 ? * 3 *)
     timezone: Europe/London
     scheduler-role: ${prefix}multi-policies-scheduler
@@ -51,9 +55,11 @@ policies:
       metrics_enabled: true
       dryrun: false
       log_group: "/cloud-custodian/policies"
-      output_dir: s3://${prefix}multi-policies-${account_id}/output
-      cache_dir: s3://${prefix}multi-policies-${account_id}/cache
+%{ if create_bucket ~}
+      output_dir: s3://$${prefix}multi-policies-$${account_id}/output
+      cache_dir: s3://$${prefix}multi-policies-$${account_id}/cache
       cache_period: 15
+%{ endif ~}
     role: "${prefix}multi-policies-lambda"
     events:
     - pending

examples/multi-policies/variables.tf

@@ -1,3 +1,9 @@
+variable "create_bucket" {
+  description = "Whether to create the S3 bucket for Cloud Custodian results"
+  type        = bool
+  default     = true
+}
+
 variable "regions" {
   description = "Regions to deploy the policy to"
   type        = list(string)