Use this module to integrate HCP Terraform Run Tasks with AWS IAM Access Analyzer for policy validation.
To use this module you need have the following:
- AWS account and credentials
- HCP Terraform with Run Task entitlement (Business subscription or higher)
-
Build and package the Lambda files
make all
-
Refer to the module_workspace for steps to deploy this module in HCP Terraform.
-
After you deployed the module_workspace, navigate to your HCP Terraform organization, go to Organization Settings > Integrations > Run tasks to find the newly created Run Task.
-
You can use this run task in any workspace where you have standard IAM resource policy document. Refer to the demo_workspace for more details.
-
Does not provide verbose error / warning messages in Run Task console. In the future, we will explore possibility to provide verbose logging.
-
Does not support Terraform computed resources.
For example, the tool will report no IAM policy found for the following Terraform template. The policy json string is a computed resource. The plan output doesn't contain information of IAM policy document.
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
resource "aws_iam_policy" "policy" {
name = "test-policy"
description = "A test policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:GetObject",
]
Effect = "Allow"
Resource = "${aws_s3_bucket.b.id}"
}
]
})
}
-
Do not re-use the Run Tasks URL across different trust-boundary (organizations, accounts, team). We recommend you to deploy separate Run Task deployment per trust-boundary.
-
Do not use Run Tasks URL from untrusted party, remember that Run Tasks execution sent Terraform plan output to the Run Task endpoint. Only use trusted Run Tasks URL.
-
Enable the AWS WAF setup by setting variable
deploy_waf
totrue
(additional cost will apply). This will add WAF protection to the Run Tasks URL endpoint. -
We recommend you to setup additional CloudWatch alarm to monitor Lambda concurrency and WAF rules.
Name | Version |
---|---|
terraform | >= 1.0.7 |
archive | ~>2.2.0 |
aws | >=5.72.0 |
random | >=3.4.0 |
tfe | >=0.38.0 |
time | >=0.12.0 |
Name | Version |
---|---|
archive | ~>2.2.0 |
aws | >=5.72.0 |
aws.cloudfront_waf | >=5.72.0 |
random | >=3.4.0 |
tfe | >=0.38.0 |
time | >=0.12.0 |
Name | Source | Version |
---|---|---|
runtask_cloudfront | terraform-aws-modules/cloudfront/aws | 3.4.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_region | The region from which this module will be executed. | string |
n/a | yes |
tfc_org | Terraform Organization name | string |
n/a | yes |
cloudwatch_log_group_name | RunTask CloudWatch log group name | string |
"/hashicorp/terraform/runtask/iam-access-analyzer/" |
no |
cloudwatch_log_group_retention | Lambda CloudWatch log group retention period | string |
"365" |
no |
deploy_waf | Set to true to deploy CloudFront and WAF in front of the Lambda function URL | string |
false |
no |
event_bus_name | EventBridge event bus name | string |
"default" |
no |
event_source | EventBridge source name | string |
"app.terraform.io" |
no |
lambda_architecture | Lambda architecture (arm64 or x86_64) | string |
"x86_64" |
no |
lambda_default_timeout | Lambda default timeout in seconds | number |
30 |
no |
lambda_reserved_concurrency | Maximum Lambda reserved concurrency, make sure your AWS quota is sufficient | number |
100 |
no |
name_prefix | Name to be used on all the resources as identifier. | string |
"aws-ia2" |
no |
recovery_window | Numbers of day Number of days that AWS Secrets Manager waits before it can delete the secret | number |
0 |
no |
runtask_stages | List of all supported RunTask stages | list(string) |
[ |
no |
supported_policy_document | (Optional) allow list of the supported IAM policy document | string |
"" |
no |
tags | Map of tags to apply to resources deployed by this solution. | map(any) |
null |
no |
waf_managed_rule_set | List of AWS Managed rules to use inside the WAF ACL | list(map(string)) |
[ |
no |
waf_rate_limit | Rate limit for request coming to WAF | number |
100 |
no |
workspace_prefix | TFC workspace name prefix that allowed to run this runtask | string |
"" |
no |
Name | Description |
---|---|
runtask_hmac | HMAC key value, keep this sensitive data safe |
runtask_id | The Run Tasks id configured in HCP Terraform |
runtask_url | The Run Tasks URL endpoint, you can use this to configure the Run Task setup in HCP Terraform |