Chores

.github/dependabot.yml

@@ -7,15 +7,30 @@ updates:
     schedule:
       interval: monthly
       day: wednesday
+    labels:
+      - chore
+      - dependencies
+      - github_actions
+      - patch
   - package-ecosystem: terraform
     directory: modules/aws-asg
     open-pull-requests-limit: 5
     schedule:
       interval: monthly
       day: wednesday
+    labels:
+      - chore
+      - dependencies
+      - patch
+      - terraform
   - package-ecosystem: terraform
-    directory: modules/aws-asg/examples
+    directory: modules/aws-asg/examples/cga-with-vpc
     open-pull-requests-limit: 5
     schedule:
       interval: monthly
       day: wednesday
+    labels:
+      - chore
+      - dependencies
+      - patch
+      - terraform

modules/aws-asg/README.md

@@ -5,16 +5,14 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50 |
-| <a name="requirement_null"></a> [null](#requirement\_null) | ~> 3 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.24.0 |
-| <a name="provider_null"></a> [null](#provider\_null) | 3.1.1 |
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.37.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 
@@ -43,7 +41,6 @@ No modules.
 | [aws_security_group.inbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.redis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.resources](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
-| [null_resource.tags_as_list_of_maps](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [random_string.prefix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 | [aws_ami.ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -68,7 +65,7 @@ No modules.
 | <a name="input_cloudwatch_logs_enabled"></a> [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Set to true to send '/var/log/message' logs to CloudWatch | `bool` | `true` | no |
 | <a name="input_launch_tmpl_associate_public_ip_address"></a> [launch\_tmpl\_associate\_public\_ip\_address](#input\_launch\_tmpl\_associate\_public\_ip\_address) | Associate a public ip address with an instance in a VPC | `bool` | `false` | no |
 | <a name="input_launch_tmpl_instance_type"></a> [launch\_tmpl\_instance\_type](#input\_launch\_tmpl\_instance\_type) | The type of instance to use (e.g. t3.micro, t3.small, t3.medium, etc) | `string` | `"t3.small"` | no |
-| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v2.0.1"` | no |
+| <a name="input_module_version"></a> [module\_version](#input\_module\_version) | Terraform module version | `string` | `"v2.0.2"` | no |
 | <a name="input_nlb_enable_cross_zone_load_balancing"></a> [nlb\_enable\_cross\_zone\_load\_balancing](#input\_nlb\_enable\_cross\_zone\_load\_balancing) | Configure cross zone load balancing for the NLB | `bool` | `false` | no |
 | <a name="input_nlb_subnets"></a> [nlb\_subnets](#input\_nlb\_subnets) | A list of public subnet IDs to attach to the LB. Use Public Subnets only | `list(string)` | n/a | yes |
 | <a name="input_redis_subnets"></a> [redis\_subnets](#input\_redis\_subnets) | A list of subnet IDs to to use for the redis instances.<br>  At least two subnets on different Availability Zones must be provided | `list(any)` | `[]` | no |

modules/aws-asg/examples/cga-with-vpc/README.md

@@ -1,20 +1,23 @@
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.50 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.24.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.37.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloudgen-access-proxy"></a> [cloudgen-access-proxy](#module\_cloudgen-access-proxy) | ../../ | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.0.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.18.1 |
 
 ## Resources
 

modules/aws-asg/examples/cga-with-vpc/main.tf

@@ -78,7 +78,7 @@ output "Security_Group_for_Resources" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "3.0.0"
+  version = "3.18.1"
 
   name = local.application
 

modules/aws-asg/examples/cga-with-vpc/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.50"
+    }
+  }
+  required_version = ">= 0.14"
+}

modules/aws-asg/locals.tf

@@ -14,16 +14,4 @@ locals {
     },
     var.tags
   )
-
-  common_tags_asg = null_resource.tags_as_list_of_maps.*.triggers
-}
-
-resource "null_resource" "tags_as_list_of_maps" {
-  count = length(keys(local.common_tags_map))
-
-  triggers = {
-    "key"                 = keys(local.common_tags_map)[count.index]
-    "value"               = values(local.common_tags_map)[count.index]
-    "propagate_at_launch" = true
-  }
 }

modules/aws-asg/main.tf

@@ -6,7 +6,7 @@ resource "random_string" "prefix" {
   length  = 6
   lower   = true
   upper   = true
-  number  = true
+  numeric = true
   special = false
 }
 
@@ -187,16 +187,19 @@ resource "aws_autoscaling_group" "asg" {
     create_before_destroy = true
   }
 
-  tags = concat(
-    [
+  dynamic "tag" {
+    for_each = merge(
+      local.common_tags_map,
       {
-        "key"                 = "Name"
-        "value"               = aws_launch_template.launch_template.name
-        "propagate_at_launch" = true
-      },
-    ],
-    local.common_tags_asg
-  )
+        Name = aws_launch_template.launch_template.name
+      }
+    )
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = true
+    }
+  }
 }
 
 #
@@ -283,32 +286,22 @@ resource "aws_launch_template" "launch_template" {
     }
   }
 
-  user_data = base64encode(<<-EOT
-  #!/bin/bash
-  %{~if var.cloudwatch_logs_enabled~}
-  # Install CloudWatch Agent
-  curl -sL "https://url.access.barracuda.com/config-ec2-cloudwatch-logs" | bash -s -- \
-    -l "${aws_cloudwatch_log_group.cloudgen_access_proxy[0].name}" \
-    -r "${var.aws_region}"
-  %{~endif~}
-  # Install CloudGen Access Proxy
-  curl -sL "https://url.access.barracuda.com/proxy-linux" | bash -s -- \
-    -u \
-  %{~if !var.ssm_parameter_store~}
-    -e "DISABLE_AWS_SSM=1" \
-  %{~endif~}
-  %{~if local.redis_enabled~}
-    -r "${aws_elasticache_replication_group.redis[0].primary_endpoint_address}" \
-    -s "${aws_elasticache_replication_group.redis[0].port}" \
-  %{~endif~}
-    -p "${var.cloudgen_access_proxy_public_port}" \
-    -l "${var.cloudgen_access_proxy_level}" \
-    -e "FYDE_PREFIX=cga_proxy_${random_string.prefix.result}_"
-  # Harden instance and reboot
-  curl -sL "https://url.access.barracuda.com/harden-linux" | bash -s --
-  shutdown -r now
-  EOT
-  )
+  # tflint-ignore: terraform_deprecated_index
+  user_data = base64encode(templatefile(
+    "${path.module}/templates/userdata.sh.tpl",
+    {
+      cloudwatch_logs_enabled           = var.cloudwatch_logs_enabled,
+      aws_cloudwatch_log_group          = aws_cloudwatch_log_group.cloudgen_access_proxy[0].name,
+      aws_region                        = var.aws_region,
+      ssm_parameter_store               = var.ssm_parameter_store,
+      redis_enabled                     = local.redis_enabled,
+      redis_primary_endpoint_address    = aws_elasticache_replication_group.redis[0].primary_endpoint_address,
+      redis_port                        = aws_elasticache_replication_group.redis[0].port,
+      cloudgen_access_proxy_public_port = var.cloudgen_access_proxy_public_port,
+      cloudgen_access_proxy_level       = var.cloudgen_access_proxy_level,
+      random_string_prefix_result       = random_string.prefix.result,
+    }
+  ))
 
   lifecycle {
     create_before_destroy = true
@@ -465,18 +458,18 @@ resource "aws_cloudwatch_log_group" "cloudgen_access_proxy" { #tfsec:ignore:AWS0
 resource "aws_elasticache_replication_group" "redis" {
   count = local.redis_enabled ? 1 : 0
 
-  automatic_failover_enabled    = true
-  engine                        = "redis"
-  replication_group_id          = "cga-proxy-${random_string.prefix.result}"
-  replication_group_description = "Redis for CloudGen Access Proxy"
-  node_type                     = "cache.t2.micro"
-  number_cache_clusters         = 2
-  subnet_group_name             = aws_elasticache_subnet_group.redis[0].name
-  security_group_ids            = [aws_security_group.redis[0].id]
-  port                          = 6379
-  at_rest_encryption_enabled    = false #tfsec:ignore:AWS035
-  transit_encryption_enabled    = false #tfsec:ignore:AWS036
-  multi_az_enabled              = true
+  automatic_failover_enabled = true
+  engine                     = "redis"
+  replication_group_id       = "cga-proxy-${random_string.prefix.result}"
+  description                = "Redis for CloudGen Access Proxy"
+  node_type                  = "cache.t2.micro"
+  num_cache_clusters         = 2
+  subnet_group_name          = aws_elasticache_subnet_group.redis[0].name
+  security_group_ids         = [aws_security_group.redis[0].id]
+  port                       = 6379
+  at_rest_encryption_enabled = false #tfsec:ignore:AWS035
+  transit_encryption_enabled = false #tfsec:ignore:AWS036
+  multi_az_enabled           = true
 
   tags = {
     Name = "cga-proxy-${random_string.prefix.result}"

modules/aws-asg/templates/userdata.sh.tpl

@@ -0,0 +1,26 @@
+#!/bin/bash
+%{if cloudwatch_logs_enabled~}
+
+# Install CloudWatch Agent
+curl -sL "https://url.access.barracuda.com/config-ec2-cloudwatch-logs" | bash -s -- \
+    -l "${aws_cloudwatch_log_group}" \
+    -r "${aws_region}"
+%{endif~}
+
+# Install CloudGen Access Proxy
+curl -sL "https://url.access.barracuda.com/proxy-linux" | bash -s -- \
+    -u \
+%{if !ssm_parameter_store~}
+    -e "DISABLE_AWS_SSM=1" \
+%{endif~}
+%{if redis_enabled~}
+    -r "${redis_primary_endpoint_address}" \
+    -s "${redis_port}" \
+%{endif~}
+    -p "${cloudgen_access_proxy_public_port}" \
+    -l "${cloudgen_access_proxy_level}" \
+    -e "FYDE_PREFIX=cga_proxy_${random_string_prefix_result}_"
+
+# Harden instance and reboot
+curl -sL "https://url.access.barracuda.com/harden-linux" | bash -s --
+shutdown -r now

modules/aws-asg/variables.tf

@@ -44,7 +44,7 @@ variable "cloudgen_access_proxy_level" {
 variable "module_version" {
   description = "Terraform module version"
   type        = string
-  default     = "v2.0.1"
+  default     = "v2.0.2"
 }
 
 #

modules/aws-asg/versions.tf

@@ -4,10 +4,6 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 3.50"
     }
-    null = {
-      source  = "hashicorp/null"
-      version = "~> 3"
-    }
     random = {
       source  = "hashicorp/random"
       version = "~> 3"