[#316] Add checkbox type prompt allow select individual module

Author: tung-nimblehq

.github/wiki/Security.md

@@ -23,4 +23,3 @@ To add security features to your infrastructure:
 1. Run the infrastructure generator
 2. Select "Complete infrastructure (VPC + ECR + RDS + S3 + FARGATE + Cloudwatch + Security groups + ALB)" when prompted for infrastructure type
 3. Choose "Yes" when asked "Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?"
-

.tool-versions

@@ -1,3 +1,3 @@
 nodejs 18.12.1
-terraform 1.13.3
-trivy 0.47.0
+terraform 1.14.6
+trivy 0.69.2

src/generators/addons/aws/advanced.test.ts

@@ -24,6 +24,8 @@ describe('AWS advanced template', () => {
       provider: 'aws',
       infrastructureType: 'advanced',
       awsRegion: 'ap-southeast-1',
+      addonModules: [],
+      enabledSecurityFeatures: false,
     };
 
     beforeAll(async () => {
@@ -74,28 +76,53 @@ describe('AWS advanced template', () => {
     });
 
     describe('given enabledSecurityFeatures is true', () => {
-      const optionsEnabledSecurityFeatures: AwsOptions = {
-        projectName: projectDir,
-        provider: 'aws',
-        infrastructureType: 'advanced',
-        awsRegion: 'ap-southeast-1',
-        enabledSecurityFeatures: true,
-      };
-
-      beforeAll(async () => {
-        jest.clearAllMocks();
-        await applyAdvancedTemplate(optionsEnabledSecurityFeatures);
+      describe('given addonModules includes vpcFlowLog', () => {
+        const optionsEnabledSecurityFeatures: AwsOptions = {
+          projectName: projectDir,
+          provider: 'aws',
+          infrastructureType: 'advanced',
+          awsRegion: 'ap-southeast-1',
+          enabledSecurityFeatures: true,
+          addonModules: ['vpcFlowLog'],
+        };
+
+        beforeAll(async () => {
+          jest.clearAllMocks();
+          await applyAdvancedTemplate(optionsEnabledSecurityFeatures);
+        });
+
+        afterAll(() => {
+          jest.clearAllMocks();
+          remove('/', projectDir);
+        });
+
+        it('applies VPC Flow Log add-on when flag is set', () => {
+          expect(applyAwsVpcFlowLog).toHaveBeenCalledWith(
+            optionsEnabledSecurityFeatures
+          );
+        });
       });
-
-      afterAll(() => {
-        jest.clearAllMocks();
-        remove('/', projectDir);
-      });
-
-      it('applies VPC Flow Log add-on when flag is set', () => {
-        expect(applyAwsVpcFlowLog).toHaveBeenCalledWith(
-          optionsEnabledSecurityFeatures
-        );
+      describe('given addonModules does NOT include vpcFlowLog', () => {
+        const optionsEnabledSecurityFeaturesWithoutVpcFlowLog: AwsOptions = {
+          projectName: projectDir,
+          provider: 'aws',
+          infrastructureType: 'advanced',
+          awsRegion: 'ap-southeast-1',
+          enabledSecurityFeatures: true,
+          addonModules: [], // No vpcFlowLog
+        };
+
+        afterAll(() => {
+          jest.clearAllMocks();
+          remove('/', projectDir);
+        });
+
+        it('does NOT apply VPC Flow Log add-on when flag is set but module is not included', async () => {
+          await applyAdvancedTemplate(
+            optionsEnabledSecurityFeaturesWithoutVpcFlowLog
+          );
+          expect(applyAwsVpcFlowLog).not.toHaveBeenCalled();
+        });
       });
     });
   });

src/generators/addons/aws/advanced.ts

@@ -21,8 +21,17 @@ const applyAdvancedTemplate = async (options: AwsOptions) => {
   await applyAwsS3(options);
   await applyAwsSsm(options);
 
-  if (options.enabledSecurityFeatures) {
-    await applyAwsVpcFlowLog(options);
+  if (options?.addonModules && options?.addonModules.length > 0) {
+    await Promise.all(
+      options.addonModules.map((module) => {
+        switch (module) {
+          case 'vpcFlowLog':
+            return applyAwsVpcFlowLog(options);
+          default:
+            throw new Error(`Module ${module} has not been implemented!`);
+        }
+      })
+    );
   }
 };
 

src/generators/addons/aws/index.ts

@@ -16,6 +16,7 @@ type AwsOptions = GeneralOptions & {
   infrastructureType?: 'blank' | 'advanced';
   awsRegion?: string;
   enabledSecurityFeatures?: boolean;
+  addonModules?: string[];
 };
 
 const awsChoices = [
@@ -39,11 +40,28 @@ const awsChoices = [
   {
     type: 'confirm',
     name: 'enabledSecurityFeatures',
-    message:
-      'Do you want to create (VPC Flow Logs + CloudTrail) to enhance security posture and compliance?',
+    message: 'Do you want to add more modules(VPC Flow Logs, CloudTrail)?',
     default: false,
     when: (answers: AwsOptions) => answers.infrastructureType === 'advanced',
   },
+  {
+    type: 'checkbox',
+    name: 'addonModules',
+    message: 'Which security features do you want to add?',
+    choices: [
+      {
+        key: 'vpcFlowLog',
+        value: 'vpcFlowLog',
+        name: 'VPC Flow Logs',
+      },
+      {
+        key: 'cloudTrail',
+        value: 'cloudTrail',
+        name: 'CloudTrail',
+      },
+    ],
+    when: (answers: AwsOptions) => answers.enabledSecurityFeatures,
+  },
   {
     type: 'input',
     name: 'awsRegion',
@@ -66,7 +84,7 @@ const generateAwsTemplate = async (
     ...generalOptions,
     infrastructureType: awsOptionsPrompt.infrastructureType,
     awsRegion: awsOptionsPrompt.awsRegion,
-    enabledSecurityFeatures: awsOptionsPrompt.enabledSecurityFeatures,
+    addonModules: awsOptionsPrompt.addonModules,
   };
 
   switch (awsOptions.infrastructureType) {

src/generators/addons/aws/modules/vpcFlowLog.ts

@@ -14,7 +14,7 @@ import { appendToFile, copy } from '@/helpers/file';
 
 import { AWS_TEMPLATE_PATH } from '../constants';
 
-const vpcFlowLogLocalesContent = dedent`
+const vpcFlowLogLocalsContent = dedent`
   ### Begin VPC Flow Log ###
   locals {
     vpc_flow_log_s3_bucket_policy = {
@@ -74,14 +74,15 @@ const vpcFlowLogLocalesContent = dedent`
         }
       ]
     }
+    vpc_flow_log_query_year_ranges = "\${formatdate("YYYY", timestamp())},\${formatdate("YYYY", timestamp()) + 5}"
   }
   ### End VPC Flow Log ###`;
 
 const vpcFlowLogVariablesContent = dedent`
   variable "vpc_flow_log_retention_days" {
     description = "The number of days to retain VPC Flow Logs in S3"
     type        = number
-    default     = 90
+    default     = 30
   }`;
 
 const vpcFlowLogModuleContent = dedent`
@@ -90,7 +91,7 @@ const vpcFlowLogModuleContent = dedent`
 
     env_namespace    = local.env_namespace
     bucket_name      = "\${local.env_namespace}-flow-logs-\${data.aws_caller_identity.current.account_id}"
-    force_destroy    = true
+    force_destroy    = false
     object_ownership = "BucketOwnerPreferred"
   }
 
@@ -108,6 +109,7 @@ const vpcFlowLogModuleContent = dedent`
     vpc_id             = module.vpc.vpc_id
     s3_bucket_name     = module.s3_flow_log.aws_s3_bucket_name
     log_retention_days = var.vpc_flow_log_retention_days
+    query_year_ranges  = local.vpc_flow_log_query_year_ranges
   }`;
 
 const applyAwsVpcFlowLog = async (options: AwsOptions) => {
@@ -123,7 +125,7 @@ const applyAwsVpcFlowLog = async (options: AwsOptions) => {
   );
   appendToFile(
     INFRA_CORE_LOCALS_PATH,
-    vpcFlowLogLocalesContent,
+    vpcFlowLogLocalsContent,
     options.projectName
   );
   appendToFile(

templates/addons/aws/modules/vpc_flow_log/main.tf

@@ -65,7 +65,7 @@ resource "aws_glue_catalog_table" "vpc_flow_log_table" {
   table_type    = "EXTERNAL_TABLE"
 
   storage_descriptor {
-    location      = "s3://${var.s3_bucket_name}/AWSLogs/"
+    location      = "s3://${var.s3_bucket_name}/AWSLogs/${var.s3_key_prefix}/"
     input_format  = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetInputFormat"
     output_format = "org.apache.hadoop.hive.ql.io.parquet.MapredParquetOutputFormat"
 
@@ -106,7 +106,7 @@ resource "aws_glue_catalog_table" "vpc_flow_log_table" {
     "projection.aws_region.type"       = "enum"
     "projection.aws_region.values"     = "${data.aws_region.current.region}"
     "projection.year.type"             = "integer"
-    "projection.year.range"            = "2025,2030" # Update the range as needed
+    "projection.year.range"            = var.query_year_ranges
     "projection.year.digits"           = "4"
     "projection.month.type"            = "integer"
     "projection.month.range"           = "01,12"

templates/addons/aws/modules/vpc_flow_log/variables.tf

@@ -13,8 +13,19 @@ variable "s3_bucket_name" {
   type        = string
 }
 
+variable "s3_key_prefix" {
+  description = "The prefix for the S3 key to store the flow logs."
+  type        = string
+  default     = ""
+}
+
 variable "log_retention_days" {
   description = "The number of days to retain the flow logs in S3."
   type        = number
-  default     = 90
+  default     = 30
+}
+
+variable "query_year_ranges" {
+  description = "The range of years to query in Athena. Format: 'start_year,end_year'. Update the range as needed."
+  type        = string
 }

templates/terraform/.tool-versions

@@ -1,2 +1,2 @@
-terraform 1.13.3
-trivy 0.47.0
+terraform 1.14.6
+trivy 0.69.2

templates/terraform/core/main.tf

@@ -1,4 +1,4 @@
 terraform {
   # Terraform version
-  required_version = "1.13.3"
+  required_version = "1.14.6"
 }