Terraform module -
It's 100% Open Source and licensed under the APACHE2.
This is just a very basic example.
```sh
$ checkov -d . --external-checks-dir checkov/
...
```
Include this repository as a module in your existing Terraform code (see module.neptune.tf):

```hcl
module "neptune" {
  source        = "JamesWoolfenden/neptune/aws"
  version       = "v0.2.1"
  common_tags   = var.common_tags
  subnet_ids    = [element(tolist(data.aws_subnet_ids.private.ids), 0)]
  cluster       = local.config
  allowed_range = module.ip.cidr
}
```

This example uses a different config sourcing mechanism: the contents of a YAML file, config.yaml, are read into a local map, local.config.
In the example config.yml you'll see two properties:

```yaml
vpc_name_tag: "TEST"
sub_tag: "Public"
```

These properties are used by data.network.tf to find your VPC and subnet. I'm expecting a tag of "Type" to be equal to the value of the sub_tag parameter for the subnets (I tag type:private and type:public):
```hcl
filter {
  name   = "tag:Type"
  values = [local.config["sub_tag"]]
}
```

The VPC is found by its Name tag:
```hcl
filter {
  name   = "tag:Name"
  values = [local.config["vpc_name_tag"]]
}
```

Switch tags and values for whatever your VPC and subnet are tagged.
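The following is an added example of how the two config properties, the VPC lookup and the subnet lookup fit together; it is not the module's own data.network.tf. It assumes the YAML is at config.yml beside this file and that the subnet data source is named private so that the module call above resolves.

```hcl
# Added example (not the module's own data.network.tf). Assumes the
# YAML is at config.yml beside this file and that the module call
# references data.aws_subnet_ids.private, as shown above.
locals {
  # yamldecode turns the two properties into a map, so
  # local.config["vpc_name_tag"] and local.config["sub_tag"] resolve
  # and the whole map can be passed as the module's "cluster" input.
  config = yamldecode(file("${path.module}/config.yml"))
}

# Resolve the VPC by its Name tag.
data "aws_vpc" "vpc" {
  filter {
    name   = "tag:Name"
    values = [local.config["vpc_name_tag"]]
  }
}

# Resolve the subnets in that VPC whose Type tag matches sub_tag.
# Scoping by vpc_id matters: a subnet with the same Type tag in
# another VPC would otherwise be matched too. aws_subnet_ids is
# deprecated in AWS provider 4.x and removed in 5.x; aws_subnets
# with a "vpc-id" filter is the replacement.
data "aws_subnet_ids" "private" {
  vpc_id = data.aws_vpc.vpc.id

  filter {
    name   = "tag:Type"
    values = [local.config["sub_tag"]]
  }
}
```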
No requirements.

Providers:

| Name | Version |
|---|---|
| aws | 4.64.0 |
No modules.

Resources:

| Name | Type |
|---|---|
| aws_cloudwatch_metric_alarm.NeptunePrimaryCpuAlarm | resource |
| aws_cloudwatch_metric_alarm.NeptunePrimaryGremlinRequestsPerSecAlarm | resource |
| aws_cloudwatch_metric_alarm.NeptunePrimaryMemoryAlarm | resource |
| aws_cloudwatch_metric_alarm.NeptunePrimarySparqlRequestsPerSecAlarm | resource |
| aws_iam_policy.NeptuneCloudWatchPolicy | resource |
| aws_iam_policy.NeptuneS3Policy | resource |
| aws_iam_role.NeptuneRole | resource |
| aws_neptune_cluster.default | resource |
| aws_neptune_cluster_instance.example | resource |
| aws_neptune_cluster_parameter_group.NeptuneDBClusterParameterGroup | resource |
| aws_neptune_parameter_group.examplea | resource |
| aws_neptune_subnet_group.default | resource |
| aws_security_group.neptune | resource |
| aws_sns_topic.NeptuneAlarmTopic | resource |
| aws_sns_topic_subscription.NeptuneAlarmSubscription | resource |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| AppName | Please specify the Application Name. Used for tagging and resource names. Mandatory LOWER CASE. | string | "appname" | no |
| Env | Please specify the target Environment. Used for tagging and resource names. Mandatory LOWER CASE. | string | "dev" | no |
| GremlinRequestsPerSecThreshold | Gremlin Requests Per Sec alarm threshold. Alert when Gremlin Requests Per Sec goes above this value. In percentage used | number | 10000 | no |
| HighCpuAlarmThreshold | High CPU alarm threshold. Alert when CPU goes above this value. In percentage used | number | 80 | no |
| LowMemoryAlarmThreshold | Low memory alarm threshold. Alert when memory falls below this value. In bytes | number | 7e-8 | no |
| NeptuneDBClusterPreferredMaintenanceWindow | Neptune DB cluster preferred maintenance window. Format - ddd:hh24:mi-ddd:hh24:mi. Valid Days - Mon, Tue, Wed, Thu, Fri, Sat, Sun. Constraints - Minimum 30-minute window. | string | "mon:03:00-mon:04:00" | no |
| NeptuneDBInstancePreferredMaintenanceWindow | Neptune DB instance preferred maintenance window. Format - ddd:hh24:mi-ddd:hh24:mi. Valid Days - Mon, Tue, Wed, Thu, Fri, Sat, Sun. Constraints - Minimum 30-minute window. | string | "mon:03:00-mon:04:00" | no |
| NeptuneDBSubnetGroupName | The name for the DB Subnet Group. This value is stored as a lowercase string. Constraints: must contain no more than 255 letters, numbers, periods, underscores, spaces, or hyphens. Must not be default. | string | "sato-neptune" | no |
| NeptuneEnableAuditLog | Neptune DB parameters. Allowed values 0, 1 | number | 0 | no |
| NeptuneQueryTimeout | Neptune DB parameters. Allowed values 10-2147483647 | number | 120000 | no |
| Region | n/a | string | "eu-west-2" | no |
| SNSEmailSubscription | SNS Email subscription. Optional. If not provided, no alarm subscriptions will be created | string | n/a | yes |
| SparqlRequestsPerSecThreshold | Sparql Requests Per Sec alarm threshold. Alert when Sparql Requests Per Sec goes above this value. In percentage used | number | 10000 | no |
| Version | Please specify the Application Version. Used for tagging | string | "1" | no |
| allowed_range | CIDRs that are allowed into Neptune | list(any) | n/a | yes |
| cluster | Neptune Cluster data | map(any) | n/a | yes |
| common_tags | This is to help you add tags to your cloud objects | map(any) | n/a | yes |
| deletion_protection | n/a | bool | true | no |
| engine_version | n/a | string | "1.2.0.1" | no |
| family | Neptune family | string | "neptune1.2" | no |
| identifier | (optional) describe your variable | string | "example-a" | no |
| instance | n/a | map(any) | { | no |
| kms_key_arn | n/a | string | n/a | yes |
| neptune_enable_audit_log | n/a | number | 0 | no |
| port | Port used to connect to the Neptune cluster. Must be a valid port number between | number | 8182 | no |
| security_groups | List of security group Group Names if using EC2-Classic, or Group IDs if using a VPC | list(any) | [] | no |
| stack | n/a | string | "tf-module" | no |
| subnet_group_name | n/a | string | "main" | no |
| subnet_ids | n/a | list(any) | n/a | yes |
| vpc_id | Security Group needs to know where to be made | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| cluster | n/a |
| instances | n/a |
| role | n/a |
| subnet | n/a |
This is the IAM policy required to build this project, expressed as the Terraform resource required:
```hcl
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "VisualEditor0",
        "Effect" : "Allow",
        "Action" : [
          "SNS:CreateTopic",
          "SNS:DeleteTopic",
          "SNS:GetTopicAttributes",
          "SNS:ListTagsForResource",
          "SNS:SetTopicAttributes"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor1",
        "Effect" : "Allow",
        "Action" : [
          "cloudwatch:DeleteAlarms",
          "cloudwatch:DescribeAlarms",
          "cloudwatch:ListTagsForResource",
          "cloudwatch:PutMetricAlarm",
          "cloudwatch:TagResource",
          "cloudwatch:UnTagResource"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor2",
        "Effect" : "Allow",
        "Action" : [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteTags",
          "ec2:DescribeAccountAttributes",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeSecurityGroups",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor3",
        "Effect" : "Allow",
        "Action" : [
          "iam:AttachRolePolicy",
          "iam:CreatePolicy",
          "iam:CreateRole",
          "iam:DeletePolicy",
          "iam:DeleteRole",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:GetPolicy",
          "iam:GetPolicyVersion",
          "iam:GetRole",
          "iam:GetRolePolicy",
          "iam:ListAttachedRolePolicies",
          "iam:ListInstanceProfilesForRole",
          "iam:ListPolicyVersions",
          "iam:ListRolePolicies",
          "iam:PassRole",
          "iam:PutRolePolicy"
        ],
        "Resource" : [
          "*"
        ]
      },
      {
        "Sid" : "VisualEditor4",
        "Effect" : "Allow",
        "Action" : [
          "rds:AddRoleToDBCluster",
          "rds:AddTagsToResource",
          "rds:CreateDBCluster",
          "rds:CreateDBClusterParameterGroup",
          "rds:CreateDBInstance",
          "rds:CreateDBParameterGroup",
          "rds:CreateDBSubnetGroup",
          "rds:DeleteDBCluster",
          "rds:DeleteDBClusterParameterGroup",
          "rds:DeleteDBInstance",
          "rds:DeleteDBParameterGroup",
          "rds:DeleteDBSubnetGroup",
          "rds:DescribeDBClusterParameterGroups",
          "rds:DescribeDBClusterParameters",
          "rds:DescribeDBClusters",
          "rds:DescribeDBInstances",
          "rds:DescribeDBParameterGroups",
          "rds:DescribeDBParameters",
          "rds:DescribeDBSubnetGroups",
          "rds:ListTagsForResource",
          "rds:ModifyDBCluster",
          "rds:ModifyDBClusterParameterGroup",
          "rds:ModifyDBInstance",
          "rds:ModifyDBParameterGroup",
          "rds:RemoveTagsFromResource"
        ],
        "Resource" : [
          "*"
        ]
      }
    ]
  })
}
```
Check out these related projects.
- terraform-aws-s3 - S3 buckets
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2019-2023 James Woolfenden
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.