chore: update examples for security best practices and Bridgecrew monitoring (#6)

bryantbiggs · web-flow · commit 4bbca899cab1 · 2021-09-19T12:41:40.000-04:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.50.0
+    rev: v1.51.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
   - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+    rev: v4.0.1
     hooks:
       - id: check-merge-conflict
diff --git a/README.md b/README.md
@@ -61,6 +61,21 @@ Examples codified under the [`examples`](./examples) are intended to give users
 - [IAM auth. w/ PostgreSQL Aurora cluster](./examples/postgresql_iam_cluster)
 - [IAM auth. w/ PostgreSQL RDS instance](./examples/postgresql_iam_instance)
 
+## Security & Compliance [<img src="https://cloudposse.com/wp-content/uploads/2020/11/bridgecrew.svg" width="250" align="right" />](https://bridgecrew.io/)
+
+Security scanning results provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
+
+| Benchmark | Description |
+|--------|---------------|
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=PCI-DSS+V3.2.1) | Payment Card Industry Data Security Standards Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=SOC2) | Service Organization Control 2 Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=FEDRAMP+%28MODERATE%29) | FedRAMP Moderate Impact Level |
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
diff --git a/examples/mysql_iam_cluster/README.md b/examples/mysql_iam_cluster/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
 
diff --git a/examples/mysql_iam_cluster/main.tf b/examples/mysql_iam_cluster/main.tf
@@ -51,6 +51,18 @@ module "vpc" {
   create_database_subnet_group = true
   enable_nat_gateway           = true
   single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
 
   tags = local.tags
 }
@@ -71,13 +83,18 @@ module "rds" {
   engine_version      = "5.7"
   replica_count       = 1
   instance_type       = "db.t3.medium"
-  storage_encrypted   = false
+  storage_encrypted   = true
   apply_immediately   = true
   skip_final_snapshot = true
 
-  vpc_id                  = module.vpc.vpc_id
-  subnets                 = module.vpc.database_subnets
-  allowed_security_groups = [module.rds_proxy_sg.security_group_id]
+  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
+  vpc_id                 = module.vpc.vpc_id
+  subnets                = module.vpc.database_subnets
+  create_security_group  = false
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
 
   db_subnet_group_name            = local.name # Created by VPC module
   db_parameter_group_name         = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
@@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" {
   name        = "example-aurora-db-57-parameter-group"
   family      = "aurora-mysql5.7"
   description = "example-aurora-db-57-parameter-group"
+
+  tags = local.tags
 }
 
 resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" {
   name        = "example-aurora-57-cluster-parameter-group"
   family      = "aurora-mysql5.7"
   description = "example-aurora-57-cluster-parameter-group"
+
+  tags = local.tags
 }
 
 ################################################################################
@@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_gro
 resource "aws_iam_instance_profile" "ec2_test" {
   name_prefix = local.name
   role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "ec2_test_assume" {
@@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" {
   name_prefix           = local.name
   force_detach_policies = true
   assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "ec2_test" {
@@ -171,14 +196,23 @@ module "ec2_sg" {
 
 module "ec2_instance" {
   source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"
+
+  name = local.name
 
-  name           = local.name
-  instance_count = 1
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
 
-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
   #!/usr/bin/env bash
 
   mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@@ -191,7 +225,7 @@ module "ec2_instance" {
   ami                    = data.aws_ami.ubuntu.id
   instance_type          = "t3.micro"
   vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)
 
   tags = local.tags
 }
diff --git a/examples/mysql_iam_instance/README.md b/examples/mysql_iam_instance/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
diff --git a/examples/mysql_iam_instance/main.tf b/examples/mysql_iam_instance/main.tf
@@ -48,8 +48,21 @@ module "vpc" {
   private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
   database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
 
-  enable_nat_gateway = true
-  single_nat_gateway = true
+  create_database_subnet_group = true
+  enable_nat_gateway           = true
+  single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
 
   tags = local.tags
 }
@@ -94,11 +107,16 @@ module "rds" {
   port                 = 3306
   instance_class       = "db.t3.micro"
   allocated_storage    = 5
-  storage_encrypted    = false
+  storage_encrypted    = true
   apply_immediately    = true
 
+  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
   vpc_security_group_ids = [module.rds_sg.security_group_id]
   subnet_ids             = module.vpc.database_subnets
+  multi_az               = true
 
   maintenance_window      = "Mon:00:00-Mon:03:00"
   backup_window           = "03:00-06:00"
@@ -115,6 +133,8 @@ module "rds" {
 resource "aws_iam_instance_profile" "ec2_test" {
   name_prefix = local.name
   role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "ec2_test_assume" {
@@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" {
   name_prefix           = local.name
   force_detach_policies = true
   assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "ec2_test" {
@@ -181,14 +203,23 @@ module "ec2_sg" {
 
 module "ec2_instance" {
   source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"
 
-  name           = local.name
-  instance_count = 1
+  name = local.name
+
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
 
-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
   #!/usr/bin/env bash
 
   mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@@ -201,7 +232,7 @@ module "ec2_instance" {
   ami                    = data.aws_ami.ubuntu.id
   instance_type          = "t3.micro"
   vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)
 
   tags = local.tags
 }
diff --git a/examples/postgresql_iam_cluster/README.md b/examples/postgresql_iam_cluster/README.md
@@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
 
diff --git a/examples/postgresql_iam_cluster/main.tf b/examples/postgresql_iam_cluster/main.tf
diff --git a/examples/postgresql_iam_instance/README.md b/examples/postgresql_iam_instance/README.md
diff --git a/examples/postgresql_iam_instance/main.tf b/examples/postgresql_iam_instance/main.tf
