readme updated, BridgeCrew compliance fixes (#81)

* readme updated, BridgeCrew compliance fixes

* tags added to iam role

* Update main.tf

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

Author: maximmi

.gitignore

@@ -1,7 +1,17 @@
 # Module directory
-.terraform/
+**/.terraform
+
 .idea
 *.iml
 
+# Compiled files
+**/*.tfstate
+**/*.tfstate.backup
+**/*.terraform.tfstate*
+**/.terraform.lock.hcl
+**/.terraform.lock.hcl
+
+test.log
+
 .build-harness
 build-harness

README.md

@@ -169,7 +169,7 @@ Available targets:
 | ami\_owner | Owner of the given AMI (ignored if `ami` unset) | `string` | `""` | no |
 | applying\_period | The period in seconds over which the specified statistic is applied | `number` | `60` | no |
 | assign\_eip\_address | Assign an Elastic IP address to the instance | `bool` | `true` | no |
-| associate\_public\_ip\_address | Associate a public IP address with the instance | `bool` | `true` | no |
+| associate\_public\_ip\_address | Associate a public IP address with the instance | `bool` | `false` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | availability\_zone | Availability Zone the instance is launched in. If not set, will be launched in the first AZ of the region | `string` | `""` | no |
 | comparison\_operator | The arithmetic operation to use when comparing the specified Statistic and Threshold. Possible values are: GreaterThanOrEqualToThreshold, GreaterThanThreshold, LessThanThreshold, LessThanOrEqualToThreshold. | `string` | `"GreaterThanOrEqualToThreshold"` | no |
@@ -183,6 +183,7 @@ Available targets:
 | ebs\_iops | Amount of provisioned IOPS. This must be set with a volume\_type of io1 | `number` | `0` | no |
 | ebs\_optimized | Launched EC2 instance will be EBS-optimized | `bool` | `false` | no |
 | ebs\_volume\_count | Count of EBS volumes that will be attached to the instance | `number` | `0` | no |
+| ebs\_volume\_encrypted | Size of the EBS volume in gigabytes | `bool` | `true` | no |
 | ebs\_volume\_size | Size of the EBS volume in gigabytes | `number` | `10` | no |
 | ebs\_volume\_type | The type of EBS volume. Can be standard, gp2 or io1 | `string` | `"gp2"` | no |
 | enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
@@ -193,7 +194,10 @@ Available targets:
 | instance\_type | The type of the instance | `string` | `"t2.micro"` | no |
 | ipv6\_address\_count | Number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet (-1 to use subnet default) | `number` | `0` | no |
 | ipv6\_addresses | List of IPv6 addresses from the range of the subnet to associate with the primary network interface | `list(string)` | `[]` | no |
+| kms\_key\_id | KMS key ID used to encrypt EBS volume. When specifying kms\_key\_id, ebs\_volume\_encrypted needs to be set to true | `string` | `null` | no |
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
+| metadata\_http\_endpoint\_enabled | Whether the metadata service is available | `bool` | `true` | no |
+| metadata\_http\_tokens\_required | Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2. | `bool` | `true` | no |
 | metric\_name | The name for the alarm's associated metric. Allowed values can be found in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ec2-metricscollected.html | `string` | `"StatusCheckFailed_Instance"` | no |
 | metric\_namespace | The namespace for the alarm's associated metric. Allowed values can be found in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-namespaces.html | `string` | `"AWS/EC2"` | no |
 | metric\_threshold | The value against which the specified statistic is compared | `number` | `1` | no |
@@ -204,6 +208,7 @@ Available targets:
 | private\_ip | Private IP address to associate with the instance in the VPC | `string` | `""` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | region | AWS Region the instance is launched in | `string` | `""` | no |
+| root\_block\_device\_encrypted | Whether to encrypt the root block device | `bool` | `true` | no |
 | root\_iops | Amount of provisioned IOPS. This must be set if root\_volume\_type is set to `io1` | `number` | `0` | no |
 | root\_volume\_size | Size of the root volume in gigabytes | `number` | `10` | no |
 | root\_volume\_type | Type of root volume. Can be standard, gp2 or io1 | `string` | `"gp2"` | no |

docs/terraform.md

@@ -26,7 +26,7 @@
 | ami\_owner | Owner of the given AMI (ignored if `ami` unset) | `string` | `""` | no |
 | applying\_period | The period in seconds over which the specified statistic is applied | `number` | `60` | no |
 | assign\_eip\_address | Assign an Elastic IP address to the instance | `bool` | `true` | no |
-| associate\_public\_ip\_address | Associate a public IP address with the instance | `bool` | `true` | no |
+| associate\_public\_ip\_address | Associate a public IP address with the instance | `bool` | `false` | no |
 | attributes | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | availability\_zone | Availability Zone the instance is launched in. If not set, will be launched in the first AZ of the region | `string` | `""` | no |
 | comparison\_operator | The arithmetic operation to use when comparing the specified Statistic and Threshold. Possible values are: GreaterThanOrEqualToThreshold, GreaterThanThreshold, LessThanThreshold, LessThanOrEqualToThreshold. | `string` | `"GreaterThanOrEqualToThreshold"` | no |
@@ -40,6 +40,7 @@
 | ebs\_iops | Amount of provisioned IOPS. This must be set with a volume\_type of io1 | `number` | `0` | no |
 | ebs\_optimized | Launched EC2 instance will be EBS-optimized | `bool` | `false` | no |
 | ebs\_volume\_count | Count of EBS volumes that will be attached to the instance | `number` | `0` | no |
+| ebs\_volume\_encrypted | Size of the EBS volume in gigabytes | `bool` | `true` | no |
 | ebs\_volume\_size | Size of the EBS volume in gigabytes | `number` | `10` | no |
 | ebs\_volume\_type | The type of EBS volume. Can be standard, gp2 or io1 | `string` | `"gp2"` | no |
 | enabled | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
@@ -50,7 +51,10 @@
 | instance\_type | The type of the instance | `string` | `"t2.micro"` | no |
 | ipv6\_address\_count | Number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet (-1 to use subnet default) | `number` | `0` | no |
 | ipv6\_addresses | List of IPv6 addresses from the range of the subnet to associate with the primary network interface | `list(string)` | `[]` | no |
+| kms\_key\_id | KMS key ID used to encrypt EBS volume. When specifying kms\_key\_id, ebs\_volume\_encrypted needs to be set to true | `string` | `null` | no |
 | label\_order | The naming order of the id output and Name tag.<br>Defaults to ["namespace", "environment", "stage", "name", "attributes"].<br>You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
+| metadata\_http\_endpoint\_enabled | Whether the metadata service is available | `bool` | `true` | no |
+| metadata\_http\_tokens\_required | Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2. | `bool` | `true` | no |
 | metric\_name | The name for the alarm's associated metric. Allowed values can be found in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ec2-metricscollected.html | `string` | `"StatusCheckFailed_Instance"` | no |
 | metric\_namespace | The namespace for the alarm's associated metric. Allowed values can be found in https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-namespaces.html | `string` | `"AWS/EC2"` | no |
 | metric\_threshold | The value against which the specified statistic is compared | `number` | `1` | no |
@@ -61,6 +65,7 @@
 | private\_ip | Private IP address to associate with the instance in the VPC | `string` | `""` | no |
 | regex\_replace\_chars | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
 | region | AWS Region the instance is launched in | `string` | `""` | no |
+| root\_block\_device\_encrypted | Whether to encrypt the root block device | `bool` | `true` | no |
 | root\_iops | Amount of provisioned IOPS. This must be set if root\_volume\_type is set to `io1` | `number` | `0` | no |
 | root\_volume\_size | Size of the root volume in gigabytes | `number` | `10` | no |
 | root\_volume\_type | Type of root volume. Can be standard, gp2 or io1 | `string` | `"gp2"` | no |

examples/complete/main.tf

@@ -4,7 +4,7 @@ provider "aws" {
 
 module "aws_key_pair" {
   source              = "cloudposse/key-pair/aws"
-  version             = "0.13.1"
+  version             = "0.16.1"
   namespace           = module.this.namespace
   stage               = module.this.stage
   name                = module.this.name
@@ -15,7 +15,7 @@ module "aws_key_pair" {
 
 module "vpc" {
   source  = "cloudposse/vpc/aws"
-  version = "0.17.0"
+  version = "0.18.2"
 
   cidr_block = "172.16.0.0/16"
 
@@ -24,7 +24,7 @@ module "vpc" {
 
 module "subnets" {
   source  = "cloudposse/dynamic-subnets/aws"
-  version = "0.28.0"
+  version = "0.34.0"
 
   availability_zones   = var.availability_zones
   vpc_id               = module.vpc.vpc_id
@@ -38,7 +38,7 @@ module "subnets" {
 
 module "instance_profile_label" {
   source  = "cloudposse/label/null"
-  version = "0.22.0"
+  version = "0.22.1"
 
   attributes = distinct(compact(concat(module.this.attributes, ["profile"])))
 

main.tf

@@ -96,9 +96,11 @@ resource "aws_iam_role" "default" {
   path                 = "/"
   assume_role_policy   = data.aws_iam_policy_document.default.json
   permissions_boundary = var.permissions_boundary_arn
+  tags                 = module.this.tags
 }
 
 resource "aws_instance" "default" {
+  #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew supports conditional evaluation. See https://github.com/bridgecrewio/checkov/issues/793
   count                       = local.instance_count
   ami                         = local.ami
   availability_zone           = local.availability_zone
@@ -131,6 +133,12 @@ resource "aws_instance" "default" {
     volume_size           = var.root_volume_size
     iops                  = local.root_iops
     delete_on_termination = var.delete_on_termination
+    encrypted             = var.root_block_device_encrypted
+  }
+
+  metadata_options {
+    http_endpoint = var.metadata_http_endpoint_enabled ? "enabled" : "disabled"
+    http_tokens   = var.metadata_http_tokens_required ? "required" : "optional"
   }
 
   tags = module.this.tags
@@ -156,6 +164,8 @@ resource "aws_ebs_volume" "default" {
   iops              = local.ebs_iops
   type              = var.ebs_volume_type
   tags              = module.this.tags
+  encrypted         = var.ebs_volume_encrypted
+  kms_key_id        = var.kms_key_id
 }
 
 resource "aws_volume_attachment" "default" {

test/src/go.mod

@@ -3,6 +3,6 @@ module github.com/cloudposse/terraform-aws-ec2-instance
 go 1.14
 
 require (
-	github.com/gruntwork-io/terratest v0.29.0
+	github.com/gruntwork-io/terratest v0.31.4
 	github.com/stretchr/testify v1.6.1
 )