Use this module to integrate Terraform Cloud Run Tasks with AWS IAM Access Analyzer for policy validation.
To use this module you need have the following:
- AWS account and credentials
- Terraform Cloud with Run Task entitlement (Business subscription or higher)
-
Build and package the Lambda files
make all -
Refer to the module_workspace for steps to deploy this module in Terraform Cloud.
-
After you deployed the module_workspace, navigate to your Terraform Cloud organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
-
You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the demo_workspace for more details.
-
Does not provide verbose error / warning messages in Run Task console. In the future, we will explore possibility to provide verbose logging.
-
Does not support Terraform computed resources.
For example, the tool will report no IAM policy found for the following Terraform template. The policy json string is a computed resource. The plan output doesn't contain information of IAM policy document.
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:GetObject",
]
Effect = "Allow"
Resource = "${aws_s3_bucket.b.id}"
}
]
})
}
-
Do not re-use the Run Tasks URL across different trust-boundary (organizations, accounts, team). We recommend you to deploy separate Run Task deployment per trust-boundary.
-
Do not use Run Tasks URL from untrusted party, remember that Run Tasks execution sent Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URL.
-
Enable the AWS WAF setup by setting variable
deploy_waftotrue(additional cost will apply). This will add WAF protection to the Run Tasks URL endpoint. -
We recommend you to setup additional CloudWatch alarm to monitor Lambda concurrency and WAF rules.
| Name | Version |
|---|---|
| terraform | >= 1.0.7 |
| archive | ~>2.2.0 |
| aws | >= 3.73.0, < 5.0.0 |
| random | >=3.4.0 |
| tfe | ~>0.38.0 |
| Name | Version |
|---|---|
| archive | ~>2.2.0 |
| aws | >= 3.73.0, < 5.0.0 |
| aws.cloudfront_waf | >= 3.73.0, < 5.0.0 |
| random | >=3.4.0 |
| tfe | ~>0.38.0 |
| Name | Source | Version |
|---|---|---|
| runtask_cloudfront | terraform-aws-modules/cloudfront/aws | 3.2.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The region from which this module will be executed. | string |
n/a | yes |
| tfc_org | Terraform Organization name | string |
n/a | yes |
| cloudwatch_log_group_name | RunTask CloudWatch log group name | string |
"/hashicorp/terraform/runtask/iam-access-analyzer/" |
no |
| cloudwatch_log_group_retention | Lambda CloudWatch log group retention period | string |
"365" |
no |
| deploy_waf | Set to true to deploy CloudFront and WAF in front of the Lambda function URL | string |
false |
no |
| event_bus_name | EventBridge event bus name | string |
"default" |
no |
| event_source | EventBridge source name | string |
"app.terraform.io" |
no |
| lambda_default_timeout | Lambda default timeout in seconds | number |
30 |
no |
| lambda_reserved_concurrency | Maximum Lambda reserved concurrency, make sure your AWS quota is sufficient | number |
100 |
no |
| name_prefix | Name to be used on all the resources as identifier. | string |
"aws-ia2" |
no |
| recovery_window | Numbers of day Number of days that AWS Secrets Manager waits before it can delete the secret | number |
0 |
no |
| runtask_stages | List of all supported RunTask stages | list(string) |
[ |
no |
| supported_policy_document | (Optional) allow list of the supported IAM policy document | string |
"" |
no |
| waf_managed_rule_set | List of AWS Managed rules to use inside the WAF ACL | list(map(string)) |
[ |
no |
| waf_rate_limit | Rate limit for request coming to WAF | number |
100 |
no |
| workspace_prefix | TFC workspace name prefix that allowed to run this runtask | string |
"" |
no |
| Name | Description |
|---|---|
| runtask_hmac | HMAC key value, keep this sensitive data safe |
| runtask_id | The Run Tasks id configured in Terraform Cloud |
| runtask_url | The Run Tasks URL endpoint, you can use this to configure the Run Task setup in Terraform Cloud |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent