
Now with tflint and tfsec compatibility

Fred Damstra (Macbook 2015) 2 年之前
父节点
当前提交
db43197e7e
共有 8 个文件被更改,包括 100 次插入17 次删除
  1. 11 0
      .gitignore
  2. 45 5
      README.md
  3. 0 3
      config.tf
  4. 19 3
      main.tf
  5. 13 4
      module_sqs_fair_queueing/lambda.tf
  6. 4 0
      module_sqs_fair_queueing/required_providers.tf
  7. 2 2
      module_sqs_fair_queueing/sqs.tf
  8. 6 0
      module_sqs_fair_queueing/vars.tf

+ 11 - 0
.gitignore

@@ -5,3 +5,14 @@
 .*.swp
 
 tmp*
+
+__pycache__
+
+
+# jsonpath-ng
+module_sqs_fair_queueing/scripts/bin/jsonpath_ng
+module_sqs_fair_queueing/scripts/decorator*
+module_sqs_fair_queueing/scripts/jsonpath_ng*
+module_sqs_fair_queueing/scripts/ply*
+module_sqs_fair_queueing/scripts/six*
+module_sqs_fair_queueing/scripts/six.py
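Review bot: The ignored paths are the files pip drops into `module_sqs_fair_queueing/scripts` for jsonpath-ng and its transitive dependencies (decorator, ply, six), but nothing in the repository records which versions were installed, so the packaged Lambda depends on whatever pip resolves at build time. The README hunk's `pip install --target ./module_sqs_fair_queueing/scripts jsonpath-ng` instruction has the same gap. A pinned requirements file next to the scripts (ideally installed with `--require-hashes`) and a matching `pip install --target ./module_sqs_fair_queueing/scripts -r <requirements file>` instruction would make the vendored bundle reproducible and reviewable. A short comment on the `# jsonpath-ng` line naming where the pins live would help the next reader understand why these paths are untracked.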

+ 45 - 5
README.md

@@ -1,8 +1,6 @@
-# Terraform Skeleton
-
-A skeleton for fred's terraform projects.
-
+# SQS Fair Queueing
 
+Proof of concept terraform to demonstrate fair queueing based on hash.
 
 ## Table of Contents
 
@@ -14,8 +12,50 @@ A skeleton for fred's terraform projects.
 
 ## Usage
 
-Fork, edit this readme. Run `git init` then `pre-commit install`
+You must install `jsonpath-ng` into the `module_sqs_fair_queueing/scripts` directory via:
+
+```
+pip install --target ./module_sqs_fair_queueing/scripts jsonpath-ng
+```
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.47.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_sqs_fair_queue"></a> [sqs\_fair\_queue](#module\_sqs\_fair\_queue) | ./module_sqs_fair_queueing | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_acl.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource |
+| [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
+| [aws_s3_bucket_public_access_block.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_sqs_queue.queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
 
+| Name | Description |
+|------|-------------|
+| <a name="output_example"></a> [example](#output\_example) | n/a |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

+ 0 - 3
config.tf

@@ -1,7 +1,4 @@
 locals {
-  # I like unique id to match the terraform backend storage, and I use it for various names and prefixes..
-  unique_id = "sqs_fair_queueing"
-
   # Everything here should be self-explanatory
   profile = "default"
   region  = "us-east-2"

+ 19 - 3
main.tf

@@ -7,19 +7,23 @@ module "sqs_fair_queue" {
   sqs_prefix     = "mbox-fair-queueing-test-fq"
   num_queues     = 4
   hash_jsonpath  = "$" # This will evenly distribute all messages
+  tags           = local.tags
 }
 
 ######################################
 # Example Resources for testing
+
+# tfsec:ignore:aws-s3-enable-bucket-logging Logging is a good idea, but we don't here.
+# tfsec:ignore:aws-s3-enable-versioning Versioning is a good idea, but we don't here.
 resource "aws_s3_bucket" "bucket" {
   bucket        = "mbox-fair-queueing-test"
   force_destroy = true
 
-  tags = {
+  tags = merge(local.tags, {
     Name        = "mbox-fair-queueing-test"
     Environment = "Dev"
     Purpose     = "POC bucket for S3 fair queueing"
-  }
+  })
 }
 
 resource "aws_s3_bucket_acl" "bucket" {
@@ -27,7 +31,17 @@ resource "aws_s3_bucket_acl" "bucket" {
   acl    = "private"
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+resource "aws_s3_bucket_public_access_block" "bucket" {
+  bucket = aws_s3_bucket.bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# tfsec:ignore:aws-s3-encryption-customer-key AWS managed key is sufficient
+resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
   bucket = aws_s3_bucket.bucket.bucket
 
   rule {
@@ -68,6 +82,8 @@ resource "aws_sqs_queue" "queue" {
 POLICY
 
   depends_on = [aws_s3_bucket.bucket]
+
+  tags = local.tags
 }
 
 resource "aws_s3_bucket_notification" "bucket_notification" {
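Review bot: Renaming `aws_s3_bucket_server_side_encryption_configuration.example` to `.bucket` in the second hunk changes the resource address, so on an existing deployment the next apply plans a destroy of the old configuration and a create of the new one rather than keeping it in place, which briefly leaves the bucket without its default encryption rule. A `moved` block preserves the state binding; it needs Terraform 1.1 or later, while the README on this page sets the floor at `>= 1.0`, so that requirement may need raising alongside it. The first hunk also introduces `tags = local.tags`, which the config.tf hunk on this page does not define; presumably it lives elsewhere in config.tf, but worth confirming since that hunk only removes `unique_id`.
```hcl
# Keep the existing SSE configuration bound to its new address instead of replacing it.
moved {
  from = aws_s3_bucket_server_side_encryption_configuration.example
  to   = aws_s3_bucket_server_side_encryption_configuration.bucket
}
```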

+ 13 - 4
module_sqs_fair_queueing/lambda.tf

@@ -32,6 +32,13 @@ resource "aws_lambda_function" "sqs_fair_queue" {
       "HASH_JSONPATH"  = var.hash_jsonpath
     }
   }
+
+  # tfsec recommends tracing as a best practice
+  tracing_config {
+    mode = "Active"
+  }
+
+  tags = var.tags
 }
 
 resource "aws_lambda_permission" "sqs_fair_queue" {
@@ -47,7 +54,8 @@ data "aws_iam_policy_document" "sqs_fair_queue" {
     sid       = "SQSIngest"
     effect    = "Allow"
     resources = [var.source_sqs_arn]
-    actions   = ["sqs:*"] # TODO: Nail down
+    # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
+    actions = ["sqs:*"] # TODO: Nail down
     # Probably:
     #   "sqs:ReceiveMessage",
     #   "sqs:SendMessage",
@@ -59,7 +67,8 @@ data "aws_iam_policy_document" "sqs_fair_queue" {
     sid       = "SQSPut"
     effect    = "Allow"
     resources = tolist(aws_sqs_queue.queue[*].arn)
-    actions   = ["sqs:*"] # TODO: Nail down
+    # tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful
+    actions = ["sqs:*"] # TODO: Nail down
   }
 }
 
@@ -68,6 +77,7 @@ resource "aws_iam_policy" "sqs_fair_queue" {
   path        = "/sqs_fair_queue/"
   description = "SQS Fair Queueing Lambda Policy"
   policy      = data.aws_iam_policy_document.sqs_fair_queue.json
+  tags        = var.tags
 }
 
 data "aws_iam_policy_document" "lambda_trust" {
@@ -87,6 +97,7 @@ resource "aws_iam_role" "sqs_fair_queue" {
   name               = "sqs_fair_queue_${var.sqs_prefix}"
   path               = "/sqs_fair_queue/"
   assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
+  tags               = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "sqs_fair_queue" {
@@ -98,5 +109,3 @@ resource "aws_iam_role_policy_attachment" "aws_managed_lambda" {
   role       = aws_iam_role.sqs_fair_queue.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
-
-
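Review bot: The `# tfsec:ignore:aws-iam-no-policy-wildcards Wildcards are fine and useful` comments added in the SQSIngest and SQSPut statements suppress the finding while the `# TODO: Nail down` kept on the same `actions = ["sqs:*"]` lines says the opposite, so the wildcard is now hidden from the scanner without being justified. A Lambda consuming from the source queue needs `sqs:ReceiveMessage`, `sqs:DeleteMessage` and `sqs:GetQueueAttributes` for its event source mapping, and the fan-out statement only needs `sqs:SendMessage`, so `actions = ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"]` for SQSIngest and `actions = ["sqs:SendMessage"]` for SQSPut would let both ignore comments and TODOs go away. Separately, the new `tracing_config { mode = "Active" }` only yields traces if the execution role can write to X-Ray; the role shown here attaches only `AWSLambdaBasicExecutionRole` and the custom SQS policy, so unless X-Ray permissions are granted outside these hunks the setting is presumably inert and the `# tfsec recommends tracing as a best practice` comment should say what still needs to be granted. The enclosing `aws_iam_policy_document` starts outside the hunks.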

+ 4 - 0
module_sqs_fair_queueing/required_providers.tf

@@ -5,5 +5,9 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 4.0"
     }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "> 1"
+    }
   }
 }
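Review bot: The new archive constraint `version = "> 1"` has no upper bound, unlike the `~> 4.0` pessimistic constraint used for aws a few lines above, so a future major release of hashicorp/archive with breaking changes would be selected on `terraform init -upgrade` or on any machine without the lock file. Matching the aws entry's style with `version = "~> 2.0"` keeps the provider within a known major. The enclosing `terraform {}` block starts outside the hunk.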

+ 2 - 2
module_sqs_fair_queueing/sqs.tf

@@ -21,6 +21,6 @@ resource "aws_sqs_queue" "queue" {
   #  ]
   #}
   #POLICY
-}
-
 
+  tags = var.tags
+}

+ 6 - 0
module_sqs_fair_queueing/vars.tf

@@ -19,3 +19,9 @@ variable "num_queues" {
   description = "How many fair queues to create."
   default     = 16
 }
+
+variable "tags" {
+  type        = map(any)
+  description = "Tags to apply to resources."
+  default     = {}
+}
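Review bot: `type = map(any)` on the new `tags` variable is looser than what it is forwarded to; every `tags` argument it feeds in the other hunks (Lambda function, IAM policy, IAM role, SQS queue) is a map of strings, and `map(any)` additionally requires all values to unify to one type, so mixed values produce a less obvious error than a plain type mismatch would. Declaring `type = map(string)` is the conventional shape for tags and states the contract at the variable instead of at the provider. A short note in `description`, e.g. `"Tags to apply to every resource created by this module."`, would also tell callers the scope of the variable.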