readme updated, BridgeCrew compliance checks fixes, code cleaned (#75)

* readme updated, BridgeCrew compliance checks fixes, code cleaned

* Auto Format

* tags added

* tags added

* Auto Format

Co-authored-by: cloudpossebot <[email protected]>

.gitignore

@@ -2,6 +2,7 @@
 *.tfstate
 *.tfstate.backup
 .terraform.tfstate.lock.info
+**/.terraform.lock.hcl
 
 # Module directory
 .terraform/

README.md

@@ -143,10 +143,7 @@ Available targets:
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
-| local | >= 1.2 |
-| null | >= 2.0 |
 | random | >= 2.1 |
-| template | >= 2.0 |
 
 ## Providers
 
@@ -159,6 +156,7 @@ Available targets:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | artifact\_location | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no |
 | artifact\_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no |
@@ -190,6 +188,7 @@ Available targets:
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
 | local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no |
 | logs\_config | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no |
+| mfa\_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `true` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
 | private\_repository | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no |
@@ -205,6 +204,7 @@ Available targets:
 | source\_version | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | vpc\_config | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
 
 ## Outputs

docs/terraform.md

@@ -5,10 +5,7 @@
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.0 |
-| local | >= 1.2 |
-| null | >= 2.0 |
 | random | >= 2.1 |
-| template | >= 2.0 |
 
 ## Providers
 
@@ -21,6 +18,7 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_log\_bucket\_name | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no |
 | additional\_tag\_map | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
 | artifact\_location | Location of artifact. Applies only for artifact of type S3 | `string` | `""` | no |
 | artifact\_type | The build output artifact's type. Valid values for this parameter are: CODEPIPELINE, NO\_ARTIFACTS or S3 | `string` | `"CODEPIPELINE"` | no |
@@ -52,6 +50,7 @@
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
 | local\_cache\_modes | Specifies settings that AWS CodeBuild uses to store and reuse build dependencies. Valid values: LOCAL\_SOURCE\_CACHE, LOCAL\_DOCKER\_LAYER\_CACHE, and LOCAL\_CUSTOM\_CACHE | `list(string)` | `[]` | no |
 | logs\_config | Configuration for the builds to store log data to CloudWatch or S3. | `any` | `{}` | no |
+| mfa\_delete | A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 ) | `bool` | `true` | no |
 | name | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
 | private\_repository | Set to true to login into private repository with credentials supplied in source\_credential variable. | `bool` | `false` | no |
@@ -67,6 +66,7 @@
 | source\_version | A version of the build input to be built for this project. If not specified, the latest version is used. | `string` | `""` | no |
 | stage | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
 | tags | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| versioning\_enabled | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `true` | no |
 | vpc\_config | Configuration for the builds to run inside a VPC. | `any` | `{}` | no |
 
 ## Outputs

examples/bitbucket/build.tf

@@ -1,58 +1,58 @@
 
 module "build" {
-    source                          = "../.."
-    
-    namespace           = var.namespace
-    stage               = var.stage
-    name                = local.build_name
-
-    # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
-    build_image         = var.build_image
-    build_compute_type  = var.build_compute_type
-    build_timeout       = var.build_timeout
-    buildspec           = var.buildspec
-    privileged_mode     = var.privileged_mode
-
-    # Target repository (ECS)
-    image_repo_name     = aws_ecr_repository.ecr_repo.name
-    image_tag           = local.image_tag
-
-    # Extra permissions
-    extra_permissions   = var.extra_permissions
-
-    # environment_variables 
-    aws_region          = var.aws_region          
-    aws_account_id      = var.aws_account_id
-    environment_variables = var.environment_variables
-
-    # Source repository
-    artifact_type       = var.artifact_type
-    source_type         = var.source_type
-    source_location     = var.source_location
-    git_clone_depth     = var.git_clone_depth
-    
-    # Branch name
-    source_version      = var.source_version != "" ?  var.source_version : null
-
-    # Repository Credentials
-    private_repository            = var.private_repository
-    source_credential_token       = var.source_credential_token
-    source_credential_user_name   = var.source_credential_user_name
-    source_credential_auth_type   = var.source_credential_auth_type
-    source_credential_server_type = var.source_credential_server_type
-
-    # Cache
-    cache_expiration_days         = var.cache_expiration_days
-    cache_bucket_suffix_enabled   = var.cache_bucket_suffix_enabled
-    cache_type                    = var.cache_type
-    local_cache_modes             = var.local_cache_modes
-
-    # Other
-    badge_enabled                 = var.badge_enabled
-    attributes                    = var.attributes
-    tags                          = var.tags
-
-        
+  source = "../.."
+
+  namespace = var.namespace
+  stage     = var.stage
+  name      = local.build_name
+
+  # https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html
+  build_image        = var.build_image
+  build_compute_type = var.build_compute_type
+  build_timeout      = var.build_timeout
+  buildspec          = var.buildspec
+  privileged_mode    = var.privileged_mode
+
+  # Target repository (ECS)
+  image_repo_name = aws_ecr_repository.ecr_repo.name
+  image_tag       = local.image_tag
+
+  # Extra permissions
+  extra_permissions = var.extra_permissions
+
+  # environment_variables 
+  aws_region            = var.aws_region
+  aws_account_id        = var.aws_account_id
+  environment_variables = var.environment_variables
+
+  # Source repository
+  artifact_type   = var.artifact_type
+  source_type     = var.source_type
+  source_location = var.source_location
+  git_clone_depth = var.git_clone_depth
+
+  # Branch name
+  source_version = var.source_version != "" ? var.source_version : null
+
+  # Repository Credentials
+  private_repository            = var.private_repository
+  source_credential_token       = var.source_credential_token
+  source_credential_user_name   = var.source_credential_user_name
+  source_credential_auth_type   = var.source_credential_auth_type
+  source_credential_server_type = var.source_credential_server_type
+
+  # Cache
+  cache_expiration_days       = var.cache_expiration_days
+  cache_bucket_suffix_enabled = var.cache_bucket_suffix_enabled
+  cache_type                  = var.cache_type
+  local_cache_modes           = var.local_cache_modes
+
+  # Other
+  badge_enabled = var.badge_enabled
+  attributes    = var.attributes
+  tags          = var.tags
+
+
 
 
 }

examples/bitbucket/ecr.tf

@@ -5,20 +5,22 @@ resource "aws_ecr_repository" "ecr_repo" {
   image_scanning_configuration {
     scan_on_push = var.scan_on_push
   }
+
+  tags = ["example"]
 }
 
 resource "aws_ecr_lifecycle_policy" "lifecycle" {
-  count = var.life_cycle_policy ? 1 : 0
+  count      = var.life_cycle_policy ? 1 : 0
   repository = aws_ecr_repository.ecr_repo.name
-  policy = <<EOF
+  policy     = <<EOF
 {
     "rules": [
         {
             "rulePriority": 1,
             "description": "Keep last ${var.keep_tagged_last_n_images} images",
             "selection": {
                 "tagStatus": "tagged",
-                "tagPrefixList": ["${join("\",\"",local.tagPrefixList)}"],
+                "tagPrefixList": ["${join("\",\"", local.tagPrefixList)}"],
                 "countType": "imageCountMoreThan",
                 "countNumber": ${var.keep_tagged_last_n_images}
             },

examples/bitbucket/main.tf

@@ -1,35 +1,35 @@
 provider "aws" {
-  region = var.aws_region
+  region  = var.aws_region
   profile = var.aws_profile
 }
 
 
 locals {
-repository_name = var.repository_name
+  repository_name = var.repository_name
   build_name      = local.repository_name
   image_tag       = var.image_tag
   tagPrefixList   = concat(var.tagPrefixList, ["ts"])
   log_tracker_defaults = {
-    initial_timeout   = 180
-    update_timeout    = 300
-    sleep_interval    = 30
-    init_wait_time    = 15
-    max_retry_count   = 4
-    print_dots        = false
+    initial_timeout = 180
+    update_timeout  = 300
+    sleep_interval  = 30
+    init_wait_time  = 15
+    max_retry_count = 4
+    print_dots      = false
   }
   log_tracker = merge(local.log_tracker_defaults, var.log_tracker)
 }
 
 
 resource "null_resource" "codebuild_provisioner" {
-    triggers = {
-      value = timestamp()
-    }
-  
+  triggers = {
+    value = timestamp()
+  }
+
 
   provisioner "local-exec" {
     interpreter = ["/bin/bash", "-c"]
-    command = join(" ",[
+    command = join(" ", [
       "./start-build.sh",
       module.build.project_name,
       var.aws_profile,

examples/bitbucket/outputs.tf

@@ -43,7 +43,7 @@ output "repository_arn" {
 
 output "repository_image_full_name_tag" {
   # The full name of the container image as docker style "name:tag".
-  value =  "${aws_ecr_repository.ecr_repo.repository_url}:${local.image_tag}"
+  value = "${aws_ecr_repository.ecr_repo.repository_url}:${local.image_tag}"
 
 }
 

examples/bitbucket/variables.tf

@@ -15,7 +15,7 @@ variable "repository_name" {
 variable "image_tag_mutability" {
   description = "The tag mutability setting for the repository.Must be one of MUTABLE or IMMUTABLE."
   type        = string
-  default     = "MUTABLE"
+  default     = "IMMUTABLE"
 }
 
 variable "scan_on_push" {
@@ -295,6 +295,6 @@ variable "extra_permissions" {
 
 # Log tracker
 variable "log_tracker" {
-  type        = map
-  default     = {}
+  type    = map
+  default = {}
 }

examples/complete/fixtures.us-west-1.tfvars

@@ -27,3 +27,5 @@ environment_variables = [
 cache_expiration_days = 7
 
 cache_type = "S3"
+
+mfa_delete = false

examples/complete/main.tf

@@ -8,6 +8,7 @@ module "codebuild" {
   environment_variables       = var.environment_variables
   cache_expiration_days       = var.cache_expiration_days
   cache_type                  = var.cache_type
+  mfa_delete                  = var.mfa_delete
 
   context = module.this.context
 }

examples/complete/variables.tf

@@ -32,4 +32,9 @@ variable "cache_bucket_suffix_enabled" {
 variable "cache_type" {
   type        = string
   description = "The type of storage that will be used for the AWS CodeBuild project cache. Valid values: NO_CACHE, LOCAL, and S3.  Defaults to NO_CACHE.  If cache_type is S3, it will create an S3 bucket for storing codebuild cache inside"
-}
+}
+
+variable "mfa_delete" {
+  type        = bool
+  description = "A boolean that indicates that versions of S3 objects can only be deleted with MFA. ( Terraform cannot apply changes of this value; https://github.com/terraform-providers/terraform-provider-aws/issues/629 )"
+}

main.tf

@@ -5,12 +5,27 @@ data "aws_region" "default" {
 }
 
 resource "aws_s3_bucket" "cache_bucket" {
+  #bridgecrew:skip=BC_AWS_S3_13:Skipping `Enable S3 Bucket Logging` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
+  #bridgecrew:skip=BC_AWS_S3_14:Skipping `Ensure all data stored in the S3 bucket is securely encrypted at rest` check until bridgecrew will support dynamic blocks (https://github.com/bridgecrewio/checkov/issues/776).
   count         = module.this.enabled && local.s3_cache_enabled ? 1 : 0
   bucket        = local.cache_bucket_name_normalised
   acl           = "private"
   force_destroy = true
   tags          = module.this.tags
 
+  versioning {
+    enabled    = var.versioning_enabled
+    mfa_delete = var.mfa_delete
+  }
+
+  dynamic "logging" {
+    for_each = var.access_log_bucket_name != "" ? [1] : []
+    content {
+      target_bucket = var.access_log_bucket_name
+      target_prefix = "logs/${module.this.id}/"
+    }
+  }
+
   lifecycle_rule {
     id      = "codebuildcache"
     enabled = true
@@ -85,6 +100,7 @@ resource "aws_iam_role" "default" {
   name                  = module.this.id
   assume_role_policy    = data.aws_iam_policy_document.role.json
   force_detach_policies = true
+  tags                  = module.this.tags
 }
 
 data "aws_iam_policy_document" "role" {

test/src/go.mod

@@ -4,11 +4,6 @@ go 1.13
 
 require (
 	github.com/aws/aws-sdk-go v1.34.7 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/uuid v1.1.1 // indirect
-	github.com/gruntwork-io/terratest v0.16.0
-	github.com/pquerna/otp v1.2.0 // indirect
+	github.com/gruntwork-io/terratest v0.31.4
 	github.com/stretchr/testify v1.5.1
-	golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f // indirect
-	golang.org/x/sys v0.0.0-20190527104216-9cd6430ef91e // indirect
 )