Merge pull request #1 from novekm/novekm/add-initial-module-code

Novekm/add initial module code

.config/.checkov.yml

@@ -9,7 +9,42 @@ skip-check:
 - CKV_AZURE*
 - CKV2_AZURE*
 - CKV_TF_1 # default to Terraform registry instead of Git
+- CKV2_AWS_5 # Ensure that Security Groups are attached to another resource
+- CKV2_AWS_47 # Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
+- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
+- CKV2_AWS_42 # Ensure AWS CloudFront distribution uses custom SSL certificate
+- CKV2_AWS_11 # Ensure VPC flow logging is enabled in all VPCs
+- CKV2_AWS_19 # Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances
+- CKV2_AWS_12 # Ensure the default security group of every VPC restricts all traffic
+- CKV2_AWS_20 # Ensure that ALB redirects HTTP requests into HTTPS ones
+- CKV2_AWS_32 # Ensure CloudFront distribution has a response headers policy attached
+- CKV_AWS_65 # Ensure container insights are enabled on ECS cluster
+- CKV_AWS_333 # Ensure ECS services do not have public IP addresses assigned to them automatically
+- CKV_AWS_158 # Ensure that CloudWatch Log Group is encrypted by KMS
+- CKV_AWS_51 # Ensure ECR Image Tags are immutable
+- CKV_AWS_103 # Ensure that load balancer is using at least TLS 1.2
+- CKV_AWS_136 # Ensure that ECR repositories are encrypted using KMS
+- CKV_AWS_163 # Ensure ECR image scanning on push is enabled
+- CKV_AWS_91 # Ensure the ELBv2 (Application/Network) has access logging enabled
+- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
+- CKV_AWS_2 # Ensure ALB protocol is HTTPS
+- CKV_AWS_310 # Ensure CloudFront distributions should have origin failover configured
+- CKV_AWS_68 # CloudFront Distribution should have WAF enabled
+- CKV_AWS_86 # Ensure CloudFront distribution has Access Logging enabled
+- CKV_AWS_174 # Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
+- CKV_AWS_305 # Ensure CloudFront distribution has a default root object configured
+- CKV_AWS_219 # Ensure CodePipeline Artifact store is using a KMS CMK
+- CKV_AWS_314 # Ensure CodeBuild project environments have a logging configuration
+- CKV2_AWS_6 # Ensure that S3 bucket has a Public Access block
+- CKV2_AWS_61 # Ensure that an S3 bucket has a lifecycle configuration
+- CKV2_AWS_62 # Ensure S3 buckets should have event notifications enabled
+- CKV_AWS_18 # Ensure the S3 bucket has access logging enabled
+- CKV_AWS_145 # Ensure that S3 buckets are encrypted with KMS by default
+- CKV_AWS_144 # Ensure that S3 bucket has cross-region replication enabled
+- CKV_AWS_21 # Ensure all data stored in the S3 bucket have versioning enabled
+
+
 summary-position: bottom
 output: 'cli'
 compact: True
-quiet: True
+quiet: True

.config/.tfsec.yml

@@ -1,3 +1,22 @@
 {
-  "minimum_severity": "MEDIUM"
-}
+  "minimum_severity": "MEDIUM",
+  "exclude": [
+    "aws-elb-http-not-used",
+    "aws-ecr-enable-image-scans",
+    "aws-ecr-enforce-immutable-repository",
+    "aws-elb-alb-not-public",
+    "aws-cloudfront-enable-waf",
+    "aws-cloudfront-use-secure-tls-policy",
+    "aws-cloudfront-enable-logging",
+    "aws-ec2-require-vpc-flow-logs-for-all-vpcs",
+    "aws-iam-no-policy-wildcards",
+    "aws-s3-block-public-acls",
+    "aws-s3-ignore-public-acls",
+    "aws-s3-block-public-policy",
+    "aws-s3-enable-bucket-encryption",
+    "aws-s3-no-public-buckets",
+    "aws-s3-encryption-customer-key",
+    "aws-s3-enable-bucket-logging",
+    "aws-s3-enable-versioning",
+  ],
+}

.config/functional_tests/pre-entrypoint-helpers.sh

@@ -1,6 +1,14 @@
 #!/bin/bash
 ## NOTE: this script runs at the start of functional test
-## use this to load any configuration before the functional test 
+## use this to load any configuration before the functional test
 ## TIPS: avoid modifying the .project_automation/functional_test/entrypoint.sh
 ## migrate any customization you did on entrypoint.sh to this helper script
-echo "Executing Pre-Entrypoint Helpers"
+echo "Executing Pre-Entrypoint Helpers"
+
+#********** Project Path *************
+PROJECT_PATH=${BASE_PATH}/project
+PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
+cd ${PROJECT_PATH}
+
+#********** AWS Region Export *************
+export AWS_DEFAULT_REGION=us-east-1

.gitignore

@@ -13,8 +13,8 @@ plan.out.json
 crash.log
 
 # Exclude all .tfvars files, which are likely to contain sentitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 #
 *.tfvars
@@ -38,9 +38,12 @@ override.tf.json
 terraform.rc
 .terraform.lock.hcl
 
-# Terratest / GoLang 
+# Terratest / GoLang
 go.mod
 go.sum
 
-# Terraform tests 
-tests/*.auto.tfvars
+# Terraform tests
+tests/*.auto.tfvars
+
+streamlit-app-assets.zip
+./examples/*/streamlit-app-assets.zip

.header.md

@@ -1,7 +1,53 @@
-# Terraform Module Project
+# AWS Serverless Streamlit App Terraform Module
 
-:no_entry_sign: Do not edit this readme.md file. To learn how to change this content and work with this repository, refer to CONTRIBUTING.md
+## Features
 
-## Readme Content
+- Serverless deployment using ECS, Application Load Balancer, and CloudFront
+- Ability to reference existing VPCs, Subnets, Security Groups, and IAM Roles/Policies
+- Automated build of Docker Images
+- Automated push of Docker Images to Amazon Elastic Container Registry (ECR)
+- Configurable automated CloudFront Invalidations
+- Dynamic rollback to previous app versions via image tag
 
-This file will contain any instructional information about this module.
+## Architecture
+
+### Streamlit App Hosting
+
+![Streamlit App Hosting Arch](architecture/terraform-module-serverless-streamlit-app-hosting-arch.png)
+
+### Streamlit App Deployment Pipeline
+
+![Streamlit App Deployment Pipeline Arch](architecture/terraform-module-serverless-streamlit-app-deployment-pipeline-arch-with-key.png)
+
+## Basic Usage - Simple deployment of sample Streamlit app with default configuration
+
+### Important
+
+**Note:** The basic deployment will create necessary networking and security services for you with the default values defined in the module variables. If you need to reference existing security and networking resources (VPCs, Subnets, Security Groups, IAM Roles/Policies), please visit review the example for existing resources in the `examples` directory.
+
+**Note**: Ensure the architecture of your ECS Task matches your CodeBuild project. For example, if your CodeBuild project uses an ARM environment such as `BUILD_GENERAL1_SMALL` and an ARM image such as `aws/codebuild/amazonlinux2-aarch64-standard:3.0`, you must also set the architecture of your ECS task to be `ARM64`.
+
+The module provides variables named `ecs_cpu_architecture` `codebuild_compute_type`, and `codebuild_image` which can be modified to your desired values. The default values are using ARM.
+
+**Relevant docs**:
+
+- [CodeBuild - Docker images provided by CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-available.html)
+- [CodeBuild - Build environment compute modes and types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html)
+
+```hcl
+// This is a template file for a basic deployment.
+// Modify the parameters below with your desired values
+
+module "serverless-streamlit-app" {
+  source = "../.." # local example
+  # source = "aws-ia/serverless-streamlit-app/aws" # remote example
+
+  app_name    = "streamlit-app"
+  environment = "dev"
+  app_version = "v0.0.1" # used as one of the tags for Docker image. Update this when you wish to push new changes to ECR.
+}
+```
+
+## Contributing
+
+See the `CONTRIBUTING.md` file for information on how to contribute.

.project_automation/static_tests/static_tests.sh

@@ -32,7 +32,7 @@ else
     exit 1
 fi
 
-#********** tfsec *********************
+# #********** tfsec *********************
 echo 'Starting tfsec'
 MYTFSEC=$(tfsec . --config-file ${PROJECT_PATH}/.config/.tfsec.yml --custom-check-dir ${PROJECT_PATH}/.config/.tfsec)
 if [[ $MYTFSEC == *"No problems detected!"* ]];
@@ -83,4 +83,4 @@ else
 fi
 
 #***************************************
-echo "End of Static Tests"
+echo "End of Static Tests"