Merge pull request #70 from confusdcodr/events

Adds ability to create an inspector scan based on an event_pattern
plus3it · May 22, 2020 · 1d3f085 · 1d3f085
2 parents 9cdd1a4 + 51334b4
commit 1d3f085
Show file tree

Hide file tree

Showing 17 changed files with 137 additions and 32 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,6 +1,5 @@
 [bumpversion]
-current_version = 1.0.6
+current_version = 1.1.0
 commit = True
 tag = False
 tag_name = {new_version}
-
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 1.1.0
+
+**Commit Delta**: [Change from 1.0.6 release](https://github.com/plus3it/terraform-aws-tardigrade-inspector/compare/1.0.6...1.1.0)
+
+**Released**: 2020.05.22
+
+**Summary**:
+
+*   Adds ability to create an inspector scan based on an event_pattern
+
 ### 1.0.6
 
 **Commit Delta**: [Change from 1.0.5 release](https://github.com/plus3it/terraform-aws-tardigrade-inspector/compare/1.0.5...1.0.6)

diff --git a/README.md b/README.md
@@ -21,8 +21,9 @@
 | name | String to prefix resource names with | `string` | n/a | yes |
 | create\_inspector | Controls whether to create the Inspector resources | `bool` | `true` | no |
 | duration | Maximum time the Inspector assessment will run for (in seconds) | `string` | `"3600"` | no |
+| event\_pattern | JSON object describing an event to capture. Required if not setting a schedule. See AWS documentation for more details - https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html | `string` | `null` | no |
 | iam\_role\_arn | Controls whether to create the Inspector role | `any` | `null` | no |
-| schedule | Rate expression for CloudWatch event | `string` | `"rate(7 days)"` | no |
+| schedule | Rate expression for CloudWatch event. Required if not setting an event\_pattern | `string` | `null` | no |
 | tags | Map of tags to apply to the resources | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -1,8 +1,4 @@
-//
-// Module: inspector
-//
-provider "aws" {
-}
+provider "aws" {}
 
 locals {
   create_iam_role = var.iam_role_arn == null
@@ -47,6 +43,7 @@ resource "aws_cloudwatch_event_rule" "this" {
   name                = var.name
   description         = "Run inspector scan on a schedule"
   schedule_expression = var.schedule
+  event_pattern       = var.event_pattern
   tags                = var.tags
 }
 
@@ -68,11 +65,10 @@ resource "aws_iam_policy" "this" {
 }
 
 # Attach Policy to IAM Role
-resource "aws_iam_policy_attachment" "this" {
+resource "aws_iam_role_policy_attachment" "this" {
   count = var.create_inspector && local.create_iam_role ? 1 : 0
 
-  name       = var.name
-  roles      = [aws_iam_role.this[0].name]
+  role       = aws_iam_role.this[0].name
   policy_arn = aws_iam_policy.this[0].arn
 }
 

diff --git a/tests/baseline/versions.tf b/tests/baseline/versions.tf
diff --git a/tests/baseline/README.md → tests/event_and_schedule/README.md b/tests/baseline/README.md → tests/event_and_schedule/README.md
@@ -3,9 +3,7 @@
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.12 |
+No requirements.
 
 ## Providers
 

diff --git a/tests/event_and_schedule/main.tf b/tests/event_and_schedule/main.tf
@@ -0,0 +1,31 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "terraform-aws-inspector-"
+}
+
+module "event_based" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_inspector = true
+  name             = random_id.name.hex
+  schedule         = "rate(7 days)"
+  event_pattern    = <<-EOF
+    {
+      "source" : ["aws.ec2"],
+      "detail-type" : ["EC2 Instance State-change Notification"],
+      "detail" : {
+        "state" : ["running"]
+      }
+    }
+  EOF
+  duration         = "180"
+}
+
diff --git a/tests/event_based/README.md b/tests/event_based/README.md
@@ -0,0 +1,22 @@
+# Baseline Test
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| random | n/a |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+No output.
+
+<!-- END TFDOCS -->
diff --git a/tests/event_based/main.tf b/tests/event_based/main.tf
@@ -0,0 +1,30 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+resource "random_id" "name" {
+  byte_length = 6
+  prefix      = "terraform-aws-inspector-"
+}
+
+module "event_based" {
+  source = "../../"
+
+  providers = {
+    aws = aws
+  }
+
+  create_inspector = true
+  name             = random_id.name.hex
+  event_pattern    = <<-EOF
+    {
+      "source" : ["aws.ec2"],
+      "detail-type" : ["EC2 Instance State-change Notification"],
+      "detail" : {
+        "state" : ["running"]
+      }
+    }
+  EOF
+  duration         = "180"
+}
+
diff --git a/tests/go.sum b/tests/go.sum
@@ -371,6 +371,7 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586 h1:7KByu05hhLed2MO29w7p1X
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0=
 golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -413,6 +414,7 @@ golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7 h1:fHDIZ2oxGnUZRN6WgWFCbYBjH
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -538,6 +540,7 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

diff --git a/tests/no_create/README.md b/tests/no_create/README.md
@@ -3,9 +3,7 @@
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.12 |
+No requirements.
 
 ## Providers
 

diff --git a/tests/no_create/versions.tf b/tests/no_create/versions.tf
diff --git a/tests/premade_policy/README.md b/tests/premade_policy/README.md
@@ -3,9 +3,7 @@
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.12 |
+No requirements.
 
 ## Providers
 

diff --git a/tests/premade_policy/versions.tf b/tests/premade_policy/versions.tf
diff --git a/tests/schedule_based/README.md b/tests/schedule_based/README.md
@@ -0,0 +1,22 @@
+# Baseline Test
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| random | n/a |
+
+## Inputs
+
+No input.
+
+## Outputs
+
+No output.
+
+<!-- END TFDOCS -->
diff --git a/tests/baseline/main.tf → tests/schedule_based/main.tf b/tests/baseline/main.tf → tests/schedule_based/main.tf
@@ -7,7 +7,7 @@ resource "random_id" "name" {
   prefix      = "terraform-aws-inspector-"
 }
 
-module "baseline" {
+module "scheduled_run" {
   source = "../../"
 
   providers = {

diff --git a/variables.tf b/variables.tf
@@ -23,9 +23,15 @@ variable "duration" {
 }
 
 variable "schedule" {
-  description = "Rate expression for CloudWatch event"
+  description = "Rate expression for CloudWatch event. Required if not setting an event_pattern"
   type        = string
-  default     = "rate(7 days)"
+  default     = null
+}
+
+variable "event_pattern" {
+  description = "JSON object describing an event to capture. Required if not setting a schedule. See AWS documentation for more details - https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html"
+  type        = string
+  default     = null
 }
 
 variable "tags" {