From 1eac1ae789817e36bf7509122908cad399da743b Mon Sep 17 00:00:00 2001 From: Santiago Lo Coco Date: Wed, 30 Nov 2022 11:17:07 -0300 Subject: [PATCH] Add r53, cognito, sns and ses Add SNS because of the academy restrictions --- terraform/modules/acm/main.tf | 40 +++++++ terraform/modules/acm/outputs.tf | 8 ++ terraform/modules/acm/variables.tf | 45 ++++++++ terraform/modules/acm/versions.tf | 10 ++ terraform/modules/cloudfront/main.tf | 5 +- terraform/modules/cloudfront/outputs.tf | 13 +++ terraform/modules/cloudfront/variables.tf | 12 ++ terraform/modules/cognito/main.tf | 109 ++++++++++++++++++ terraform/modules/cognito/variables.tf | 99 ++++++++++++++++ terraform/modules/cognito/versions.tf | 10 ++ terraform/modules/route53/main.tf | 26 +++++ terraform/modules/route53/outputs.tf | 8 ++ terraform/modules/route53/variables.tf | 20 ++++ terraform/modules/route53/versions.tf | 10 ++ terraform/modules/ses/main.tf | 54 +++++++++ terraform/modules/ses/variables.tf | 13 +++ terraform/modules/ses/versions.tf | 10 ++ terraform/modules/sns/main.tf | 16 +++ terraform/modules/sns/outputs.tf | 8 ++ terraform/modules/sns/variables.tf | 23 ++++ terraform/modules/sns/versions.tf | 10 ++ terraform/organization/acm.tf | 21 ++++ terraform/organization/cloudfront.tf | 8 +- terraform/organization/cognito.tf | 49 ++++++++ terraform/organization/datasources.tf | 20 +++- terraform/organization/lambda.tf | 2 +- terraform/organization/locals.tf | 34 ++++-- terraform/organization/route53.tf | 24 ++++ terraform/organization/ses.tf | 14 +++ terraform/organization/sns.tf | 28 +++++ terraform/organization/vpc.tf | 45 +++----- terraform/organization/waf.tf | 2 +- .../lambda/lambdaDB/lambda_handler.py | 35 +++--- terraform/resources/lambda/lambdaSNS.zip | Bin 0 -> 387 bytes .../lambda/lambdaSNS/lambda_handler.py | 10 ++ .../lambda/lambdaSQS/lambda_handler.py | 38 +++--- 36 files changed, 801 insertions(+), 78 deletions(-) create mode 100644 terraform/modules/acm/main.tf create mode 100644 terraform/modules/acm/outputs.tf create mode 100644 terraform/modules/acm/variables.tf create mode 100644 terraform/modules/acm/versions.tf create mode 100644 terraform/modules/cloudfront/outputs.tf create mode 100644 terraform/modules/cognito/main.tf create mode 100644 terraform/modules/cognito/variables.tf create mode 100644 terraform/modules/cognito/versions.tf create mode 100644 terraform/modules/route53/main.tf create mode 100644 terraform/modules/route53/outputs.tf create mode 100644 terraform/modules/route53/variables.tf create mode 100644 terraform/modules/route53/versions.tf create mode 100644 terraform/modules/ses/main.tf create mode 100644 terraform/modules/ses/variables.tf create mode 100644 terraform/modules/ses/versions.tf create mode 100644 terraform/modules/sns/main.tf create mode 100644 terraform/modules/sns/outputs.tf create mode 100644 terraform/modules/sns/variables.tf create mode 100644 terraform/modules/sns/versions.tf create mode 100644 terraform/organization/acm.tf create mode 100644 terraform/organization/cognito.tf create mode 100644 terraform/organization/route53.tf create mode 100644 terraform/organization/ses.tf create mode 100644 terraform/organization/sns.tf create mode 100644 terraform/resources/lambda/lambdaSNS.zip create mode 100644 terraform/resources/lambda/lambdaSNS/lambda_handler.py diff --git a/terraform/modules/acm/main.tf b/terraform/modules/acm/main.tf new file mode 100644 index 0000000..111c23f --- /dev/null +++ b/terraform/modules/acm/main.tf @@ -0,0 +1,40 @@ +# --------------------------------------------------------------------------- +# Amazon ACM +# --------------------------------------------------------------------------- + +data "aws_route53_zone" "this" { + name = var.domain_name +} + +resource "aws_acm_certificate" "this" { + domain_name = var.domain_name + subject_alternative_names = var.subject_alternative_names + validation_method = var.validation_method + + tags = var.tags + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_route53_record" "this" { + allow_overwrite = var.validation_allow_overwrite_records + + name = tolist(aws_acm_certificate.this.domain_validation_options)[0].resource_record_name + records = [tolist(aws_acm_certificate.this.domain_validation_options)[0].resource_record_value] + type = tolist(aws_acm_certificate.this.domain_validation_options)[0].resource_record_type + zone_id = data.aws_route53_zone.this.zone_id + ttl = var.dns_ttl + + depends_on = [aws_acm_certificate.this] +} + +resource "aws_acm_certificate_validation" "this" { + certificate_arn = aws_acm_certificate.this.arn + validation_record_fqdns = [aws_route53_record.this.fqdn] + + timeouts { + create = var.validation_timeout + } +} diff --git a/terraform/modules/acm/outputs.tf b/terraform/modules/acm/outputs.tf new file mode 100644 index 0000000..50cc40b --- /dev/null +++ b/terraform/modules/acm/outputs.tf @@ -0,0 +1,8 @@ +# --------------------------------------------------------------------------- +# Amazon ACM outputs +# --------------------------------------------------------------------------- + +output "certificate_arn" { + description = "The ARN of the certificate." + value = aws_acm_certificate.this.arn +} diff --git a/terraform/modules/acm/variables.tf b/terraform/modules/acm/variables.tf new file mode 100644 index 0000000..b51b74c --- /dev/null +++ b/terraform/modules/acm/variables.tf @@ -0,0 +1,45 @@ +# --------------------------------------------------------------------------- +# Amazon ACM variables +# --------------------------------------------------------------------------- + +variable "domain_name" { + description = "A domain name for which the certificate should be issued" + type = string + default = "" +} + +variable "subject_alternative_names" { + description = "A list of domains that should be SANs in the issued certificate" + type = list(string) + default = [] +} + +variable "validation_method" { + description = "Which method to use for validation. DNS or EMAIL are valid, NONE can be used for certificates that were imported into ACM and then into Terraform." + type = string + default = "DNS" +} + +variable "validation_allow_overwrite_records" { + description = "Whether to allow overwrite of Route53 records" + type = bool + default = true +} + +variable "tags" { + description = "A mapping of tags to assign to the resource" + type = map(string) + default = {} +} + +variable "dns_ttl" { + description = "The TTL of DNS recursive resolvers to cache information about this record." + type = number + default = 60 +} + +variable "validation_timeout" { + description = "Define maximum timeout to wait for the validation to complete" + type = string + default = null +} diff --git a/terraform/modules/acm/versions.tf b/terraform/modules/acm/versions.tf new file mode 100644 index 0000000..3861683 --- /dev/null +++ b/terraform/modules/acm/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "1.3.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.10.0" + } + } +} diff --git a/terraform/modules/cloudfront/main.tf b/terraform/modules/cloudfront/main.tf index 75c13ed..42119a4 100644 --- a/terraform/modules/cloudfront/main.tf +++ b/terraform/modules/cloudfront/main.tf @@ -8,6 +8,8 @@ resource "aws_cloudfront_distribution" "this" { enabled = var.enabled default_root_object = var.default_root_object + aliases = var.aliases + dynamic "origin" { for_each = var.origin @@ -61,6 +63,7 @@ resource "aws_cloudfront_distribution" "this" { } viewer_certificate { - cloudfront_default_certificate = true + acm_certificate_arn = var.acm_certificate_arn + ssl_support_method = "sni-only" } } diff --git a/terraform/modules/cloudfront/outputs.tf b/terraform/modules/cloudfront/outputs.tf new file mode 100644 index 0000000..c1c6081 --- /dev/null +++ b/terraform/modules/cloudfront/outputs.tf @@ -0,0 +1,13 @@ +# --------------------------------------------------------------------------- +# Amazon CloudFront outputs +# --------------------------------------------------------------------------- + +output "distribution_domain_name" { + description = "The domain name corresponding to the distribution." + value = try(aws_cloudfront_distribution.this.domain_name, "") +} + +output "distribution_hosted_zone_id" { + description = "The CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to." + value = try(aws_cloudfront_distribution.this.hosted_zone_id, "") +} diff --git a/terraform/modules/cloudfront/variables.tf b/terraform/modules/cloudfront/variables.tf index d9f43ec..e14d7aa 100644 --- a/terraform/modules/cloudfront/variables.tf +++ b/terraform/modules/cloudfront/variables.tf @@ -37,3 +37,15 @@ variable "enabled" { type = bool default = true } + +variable "aliases" { + description = "Domain aliases." + type = any + nullable = false +} + +variable "acm_certificate_arn" { + description = "ACM certificate." + type = string + nullable = false +} diff --git a/terraform/modules/cognito/main.tf b/terraform/modules/cognito/main.tf new file mode 100644 index 0000000..c791fd3 --- /dev/null +++ b/terraform/modules/cognito/main.tf @@ -0,0 +1,109 @@ +# --------------------------------------------------------------------------- +# Amazon Cognito +# --------------------------------------------------------------------------- + +resource "aws_cognito_user_pool" "this" { + name = var.name + alias_attributes = var.alias_attributes + auto_verified_attributes = var.auto_verified_attributes + + password_policy { + minimum_length = var.password_minimum_length + require_lowercase = var.password_require_lowercase + require_numbers = var.password_require_numbers + require_symbols = var.password_require_symbols + require_uppercase = var.password_require_uppercase + temporary_password_validity_days = var.temporary_password_validity_days + } + + dynamic "schema" { + for_each = var.schema_attributes + iterator = attribute + + content { + name = attribute.value.name + required = try(attribute.value.required, false) + attribute_data_type = attribute.value.type + developer_only_attribute = try(attribute.value.developer_only_attribute, false) + mutable = try(attribute.value.mutable, true) + + dynamic "number_attribute_constraints" { + for_each = attribute.value.type == "Number" ? [true] : [] + + content { + min_value = lookup(attribute.value, "min_value", null) + max_value = lookup(attribute.value, "max_value", null) + } + } + + dynamic "string_attribute_constraints" { + for_each = attribute.value.type == "String" ? [true] : [] + + content { + min_length = lookup(attribute.value, "min_length", 0) + max_length = lookup(attribute.value, "max_length", 2048) + } + } + } + } + + username_configuration { + case_sensitive = var.enable_username_case_sensitivity + } + + verification_message_template { + default_email_option = "CONFIRM_WITH_CODE" + } + + dynamic "account_recovery_setting" { + for_each = length(var.account_recovery_mechanisms) > 0 ? [true] : [] + + content { + dynamic "recovery_mechanism" { + for_each = var.account_recovery_mechanisms + iterator = recovery + + content { + name = recovery.value.name + priority = recovery.value.priority + } + } + } + } + + email_configuration { + email_sending_account = "COGNITO_DEFAULT" + } + + # auto_verified_attributes = ["email"] +} + +resource "aws_cognito_user_pool_client" "this" { + name = var.client_name + user_pool_id = aws_cognito_user_pool.this.id + + callback_urls = ["https://${var.redirect_url}"] + + allowed_oauth_flows_user_pool_client = true + allowed_oauth_flows = ["code"] + allowed_oauth_scopes = ["email", "openid", "phone"] + supported_identity_providers = ["COGNITO"] + id_token_validity = "60" + access_token_validity = "60" + explicit_auth_flows = ["ALLOW_CUSTOM_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"] + prevent_user_existence_errors = "ENABLED" + read_attributes = ["address", "birthdate", "email", "email_verified", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "phone_number_verified", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"] + write_attributes = ["address", "birthdate", "email", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "phone_number", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo"] + + token_validity_units { + access_token = "minutes" + id_token = "minutes" + refresh_token = "days" + } +} + +resource "aws_cognito_user_pool_domain" "this" { + domain = var.domain + user_pool_id = aws_cognito_user_pool.this.id + # certificate_arn = var.certificate_arn +} diff --git a/terraform/modules/cognito/variables.tf b/terraform/modules/cognito/variables.tf new file mode 100644 index 0000000..05ce26f --- /dev/null +++ b/terraform/modules/cognito/variables.tf @@ -0,0 +1,99 @@ + + + +variable "name" { + type = string + description = "(Required) The name of the user pool." +} + +variable "client_name" { + type = string + description = "(Required) The name of the client user pool." +} + +variable "alias_attributes" { + type = set(string) + description = "(Optional) Attributes supported as an alias for this user pool. Possible values: 'phone_number', 'email', or 'preferred_username'. Conflicts with username_attributes." + default = null +} + +variable "domain" { + description = "(Optional) Type a domain prefix to use for the sign-up and sign-in pages that are hosted by Amazon Cognito, e.g. 'https://{YOUR_PREFIX}.auth.eu-west-1.amazoncognito.com'. The prefix must be unique across the selected AWS Region. Domain names can only contain lower-case letters, numbers, and hyphens." + type = string + default = null +} + +variable "redirect_url" { + description = "Redirect URL." + type = string + default = null +} + +variable "account_recovery_mechanisms" { + type = any + description = "(Optional) A list of recovery_mechanisms which are defined by a `name` and its `priority`. Valid values for `name` are veri fied_email, verified_phone_number, and admin_only." + default = [] +} + +variable "enable_username_case_sensitivity" { + type = bool + description = "(Optional) Specifies whether username case sensitivity will be applied for all users in the user pool through Cognito APIs." + default = false +} + +variable "password_minimum_length" { + type = number + description = "(Optional) The minimum length of the password policy that you have set." + default = 20 +} + +variable "password_require_lowercase" { + type = bool + description = "(Optional) Whether you have required users to use at least one lowercase letter in their password." + default = true +} + +variable "password_require_numbers" { + type = bool + description = "(Optional) Whether you have required users to use at least one number in their password." + default = true +} + +variable "password_require_symbols" { + type = bool + description = "(Optional) Whether you have required users to use at least one symbol in their password." + default = true +} + +variable "password_require_uppercase" { + type = bool + description = "(Optional) Whether you have required users to use at least one uppercase letter in their password." + default = true +} + +variable "temporary_password_validity_days" { + type = number + description = "(Optional) In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator." + default = 1 +} + +variable "schema_attributes" { + description = "(Optional) A list of schema attributes of a user pool. You can add a maximum of 25 custom attributes." + type = any + default = [] +} + +variable "tags" { + type = map(string) + description = "(Optional) A mapping of tags to assign to the resource." + default = {} +} + +variable "auto_verified_attributes" { + type = set(string) + description = "(Optional) The attributes to be auto-verified. Possible values: 'email', 'phone_number'." + default = [ + "email" + ] +} + diff --git a/terraform/modules/cognito/versions.tf b/terraform/modules/cognito/versions.tf new file mode 100644 index 0000000..3861683 --- /dev/null +++ b/terraform/modules/cognito/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "1.3.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.10.0" + } + } +} diff --git a/terraform/modules/route53/main.tf b/terraform/modules/route53/main.tf new file mode 100644 index 0000000..cc84af2 --- /dev/null +++ b/terraform/modules/route53/main.tf @@ -0,0 +1,26 @@ +# ------------------------------------------------------------------------------ +# Amazon Route 53 +# ------------------------------------------------------------------------------ + +data "aws_route53_zone" "this" { + name = var.zone_name + private_zone = var.private_zone +} + +resource "aws_route53_record" "this" { + for_each = var.records + + zone_id = data.aws_route53_zone.this.zone_id + name = each.value.name + type = each.value.type + + dynamic "alias" { + for_each = length(keys(lookup(each.value, "alias", {}))) == 0 ? [] : [true] + + content { + name = each.value.alias.name + zone_id = try(each.value.alias.zone_id, data.aws_route53_zone.this.zone_id) + evaluate_target_health = false + } + } +} diff --git a/terraform/modules/route53/outputs.tf b/terraform/modules/route53/outputs.tf new file mode 100644 index 0000000..8ee683d --- /dev/null +++ b/terraform/modules/route53/outputs.tf @@ -0,0 +1,8 @@ +# ------------------------------------------------------------------------------ +# Amazon Route 53 outputs +# ------------------------------------------------------------------------------ + +output "zone_id" { + description = "The route 53 zone ID." + value = data.aws_route53_zone.this.zone_id +} diff --git a/terraform/modules/route53/variables.tf b/terraform/modules/route53/variables.tf new file mode 100644 index 0000000..d2196b4 --- /dev/null +++ b/terraform/modules/route53/variables.tf @@ -0,0 +1,20 @@ +# ------------------------------------------------------------------------------ +# Amazon Route 53 variables +# ------------------------------------------------------------------------------ + +variable "zone_name" { + description = "Name of DNS zone" + type = string +} + +variable "private_zone" { + description = "Whether Route53 zone is private or public" + type = bool + default = false +} + +variable "records" { + description = "List of objects of DNS records" + type = any + default = {} +} diff --git a/terraform/modules/route53/versions.tf b/terraform/modules/route53/versions.tf new file mode 100644 index 0000000..3861683 --- /dev/null +++ b/terraform/modules/route53/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "1.3.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.10.0" + } + } +} diff --git a/terraform/modules/ses/main.tf b/terraform/modules/ses/main.tf new file mode 100644 index 0000000..4823e50 --- /dev/null +++ b/terraform/modules/ses/main.tf @@ -0,0 +1,54 @@ +# ------------------------------------------------------------------------------ +# Amazon SES +# ------------------------------------------------------------------------------ + +resource "aws_ses_domain_identity" "this" { + domain = var.domain +} + +resource "aws_ses_domain_mail_from" "this" { + domain = aws_ses_domain_identity.this.domain + mail_from_domain = "mail.${var.domain}" +} + +# hacer for_each + +# resource "aws_route53_record" "amazonses_verification_record" { +# zone_id = data.aws_route53_zone.main.zone_id +# name = "_amazonses.${var.domain}" +# type = "TXT" +# ttl = "600" +# records = [join("", aws_ses_domain_identity.ses_domain.*.verification_token)] +# } + +# resource "aws_ses_domain_dkim" "ses_domain_dkim" { +# domain = join("", aws_ses_domain_identity.ses_domain.*.domain) +# } + +# resource "aws_route53_record" "amazonses_dkim_record" { +# count = 3 +# zone_id = data.aws_route53_zone.main.zone_id +# name = "${element(aws_ses_domain_dkim.ses_domain_dkim.dkim_tokens, count.index)}._domainkey.${var.domain}" +# type = "CNAME" +# ttl = "600" +# records = ["${element(aws_ses_domain_dkim.ses_domain_dkim.dkim_tokens, count.index)}.dkim.amazonses.com"] +# } + +# resource "aws_route53_record" "spf_mail_from" { +# zone_id = data.aws_route53_zone.main.zone_id +# name = aws_ses_domain_mail_from.main.mail_from_domain +# type = "TXT" +# ttl = "600" +# records = ["v=spf1 include:amazonses.com -all"] +# } + +# creo que solo con este spf estamos + +resource "aws_route53_record" "this" { + # zone_id = data.aws_route53_zone.this.zone_id + zone_id = var.zone_id + name = var.domain + type = "TXT" + ttl = "600" + records = ["v=spf1 include:amazonses.com -all"] +} \ No newline at end of file diff --git a/terraform/modules/ses/variables.tf b/terraform/modules/ses/variables.tf new file mode 100644 index 0000000..f881ec7 --- /dev/null +++ b/terraform/modules/ses/variables.tf @@ -0,0 +1,13 @@ +# ------------------------------------------------------------------------------ +# Amazon SES variables +# ------------------------------------------------------------------------------ + +variable "domain" { + description = "The domain to use." + type = string +} + +variable "zone_id" { + description = "ID of DNS zone" + type = string +} diff --git a/terraform/modules/ses/versions.tf b/terraform/modules/ses/versions.tf new file mode 100644 index 0000000..3861683 --- /dev/null +++ b/terraform/modules/ses/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "1.3.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.10.0" + } + } +} diff --git a/terraform/modules/sns/main.tf b/terraform/modules/sns/main.tf new file mode 100644 index 0000000..3c2bc22 --- /dev/null +++ b/terraform/modules/sns/main.tf @@ -0,0 +1,16 @@ +# ------------------------------------------------------------------------------ +# Amazon SNS +# ------------------------------------------------------------------------------ + +resource "aws_sns_topic" "this" { + name = var.name + delivery_policy = jsonencode(var.delivery) +} + +resource "aws_sns_topic_subscription" "this" { + count = length(var.emails) + + topic_arn = aws_sns_topic.this.arn + protocol = var.protocol + endpoint = var.emails[count.index] +} diff --git a/terraform/modules/sns/outputs.tf b/terraform/modules/sns/outputs.tf new file mode 100644 index 0000000..37859d7 --- /dev/null +++ b/terraform/modules/sns/outputs.tf @@ -0,0 +1,8 @@ +# -------------------------------------------------------------------- +# Amazon SNS output +# -------------------------------------------------------------------- + +output "name" { + description = "The topic name." + value = aws_sns_topic.this.name +} diff --git a/terraform/modules/sns/variables.tf b/terraform/modules/sns/variables.tf new file mode 100644 index 0000000..1a505a2 --- /dev/null +++ b/terraform/modules/sns/variables.tf @@ -0,0 +1,23 @@ +# ------------------------------------------------------------------------------ +# Amazon SES variables +# ------------------------------------------------------------------------------ + +variable "name" { + description = "The topic name." + type = string +} + +variable "delivery" { + description = "The topic delivery json." + type = any +} + +variable "protocol" { + description = "The subscription protocol." + type = string +} + +variable "emails" { + description = "The subscription emails." + type = any +} diff --git a/terraform/modules/sns/versions.tf b/terraform/modules/sns/versions.tf new file mode 100644 index 0000000..3861683 --- /dev/null +++ b/terraform/modules/sns/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "1.3.4" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.10.0" + } + } +} diff --git a/terraform/organization/acm.tf b/terraform/organization/acm.tf new file mode 100644 index 0000000..cc6691d --- /dev/null +++ b/terraform/organization/acm.tf @@ -0,0 +1,21 @@ +module "acm" { + source = "../modules/acm" + + providers = { + aws = aws.aws + } + + # depends_on = [ + # module.route53 + # ] + + # zone_id = module.route53.zone_id + domain_name = local.domain + subject_alternative_names = [ + "*.${local.domain}" + ] + + tags = { + name = local.domain + } +} diff --git a/terraform/organization/cloudfront.tf b/terraform/organization/cloudfront.tf index edca1cc..f705fd4 100644 --- a/terraform/organization/cloudfront.tf +++ b/terraform/organization/cloudfront.tf @@ -7,11 +7,17 @@ module "cloudfront" { depends_on = [ module.s3, - module.apigw + module.apigw, + module.acm ] enabled = true web_acl_id = module.waf.web_acl_arn + aliases = [ + local.domain + ] + + acm_certificate_arn = module.acm.certificate_arn origin = { api-gateway = { diff --git a/terraform/organization/cognito.tf b/terraform/organization/cognito.tf new file mode 100644 index 0000000..e531d10 --- /dev/null +++ b/terraform/organization/cognito.tf @@ -0,0 +1,49 @@ +module "cognito" { + source = "../modules/cognito" + + providers = { + aws = aws.aws + } + + redirect_url = local.domain + name = "cognito-userpool" + domain = "santilococo" + client_name = "cognito-client" + + alias_attributes = [ + "email", + # "phone_number", + "preferred_username", + ] + + auto_verified_attributes = [ + "email" + ] + + account_recovery_mechanisms = [ + { + name = "verified_email" + priority = 1 + } + ] + + password_minimum_length = 10 + password_require_lowercase = true + password_require_numbers = true + password_require_uppercase = true + password_require_symbols = true + + temporary_password_validity_days = 3 + + enable_username_case_sensitivity = false + + schema_attributes = [ + { + type = "String" + developer_only_attribute = false + mutable = true + name = "email" + required = true + } + ] +} diff --git a/terraform/organization/datasources.tf b/terraform/organization/datasources.tf index 24f534e..366de28 100644 --- a/terraform/organization/datasources.tf +++ b/terraform/organization/datasources.tf @@ -17,7 +17,7 @@ data "template_file" "userdata" { } } -data "aws_iam_policy_document" "this" { +data "aws_iam_policy_document" "dynamodb" { statement { effect = "Allow" actions = [ @@ -33,3 +33,21 @@ data "aws_iam_policy_document" "this" { resources = ["arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${module.dynamodb.name}"] } } + +data "aws_iam_policy_document" "sns" { + statement { + effect = "Allow" + actions = [ + "sns:Publish", + "sns:Subscribe", + "sns:CreateTopic", + "sns:GetTopicAttributes", + "sns:SetTopicAttributes", + ] + principals { + type = "AWS" + identifiers = ["*"] + } + resources = ["arn:aws:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${module.sns.name}"] + } +} diff --git a/terraform/organization/lambda.tf b/terraform/organization/lambda.tf index 4f2ddf2..8cd3d5d 100644 --- a/terraform/organization/lambda.tf +++ b/terraform/organization/lambda.tf @@ -17,5 +17,5 @@ module "lambda" { iam_role = each.value.role vpc_subnet_ids = module.vpc.private_subnets - vpc_security_group_ids = [aws_security_group.dynamodb_sg.id] + vpc_security_group_ids = [each.value.security_group_ids] } diff --git a/terraform/organization/locals.tf b/terraform/organization/locals.tf index 8a86ce0..0d8cd22 100644 --- a/terraform/organization/locals.tf +++ b/terraform/organization/locals.tf @@ -52,18 +52,28 @@ locals { lambdas = { lambdaSQS = { - package = "${local.path}/lambda/lambdaSQS.zip" - function_name = "AWSLambdaHandlerAPISQSDBg3" - role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" - handler = "lambda_handler.main" - runtime = "python3.9" + package = "${local.path}/lambda/lambdaSQS.zip" + function_name = "AWSLambdaHandlerAPISQSDBg3" + role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" + handler = "lambda_handler.main" + runtime = "python3.9", + security_group_ids = aws_security_group.dynamodb_sg.id }, lambdaDB = { - package = "${local.path}/lambda/lambdaDB.zip" - function_name = "AWSLambdaHandlerAPIDBg3" - role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" - handler = "lambda_handler.main" - runtime = "python3.9" + package = "${local.path}/lambda/lambdaDB.zip" + function_name = "AWSLambdaHandlerAPIDBg3" + role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" + handler = "lambda_handler.main" + runtime = "python3.9", + security_group_ids = aws_security_group.dynamodb_sg.id + } + lambdaSNS = { + package = "${local.path}/lambda/lambdaSNS.zip" + function_name = "AWSLambdaHandlerAPISNSg3" + role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/LabRole" + handler = "lambda_handler.main" + runtime = "python3.9", + security_group_ids = aws_security_group.sns_sg.id } } @@ -87,4 +97,8 @@ locals { cidr_block = "0.0.0.0/0" } ] + + domain = "santilococo.com.ar" + + emails = ["slococo@itba.edu.ar"] } diff --git a/terraform/organization/route53.tf b/terraform/organization/route53.tf new file mode 100644 index 0000000..385cca1 --- /dev/null +++ b/terraform/organization/route53.tf @@ -0,0 +1,24 @@ +module "route53" { + source = "../modules/route53" + + providers = { + aws = aws.aws + } + + depends_on = [ + module.cloudfront + ] + + zone_name = local.domain + + records = { + record = { + name = local.domain + type = "A" + alias = { + name = module.cloudfront.distribution_domain_name + zone_id = module.cloudfront.distribution_hosted_zone_id + } + } + } +} diff --git a/terraform/organization/ses.tf b/terraform/organization/ses.tf new file mode 100644 index 0000000..1c18156 --- /dev/null +++ b/terraform/organization/ses.tf @@ -0,0 +1,14 @@ +module "ses" { + source = "../modules/ses" + + providers = { + aws = aws.aws + } + + depends_on = [ + module.route53 + ] + + domain = local.domain + zone_id = module.route53.zone_id +} diff --git a/terraform/organization/sns.tf b/terraform/organization/sns.tf new file mode 100644 index 0000000..4b3a4a9 --- /dev/null +++ b/terraform/organization/sns.tf @@ -0,0 +1,28 @@ +module "sns" { + source = "../modules/sns" + + providers = { + aws = aws.aws + } + + name = "slococo" + delivery = { + http = { + defaultHealthyRetryPolicy = { + minDelayTarget = 20, + maxDelayTarget = 20, + numRetries = 3, + numMaxDelayRetries = 0, + numNoDelayRetries = 0, + numMinDelayRetries = 0, + backoffFunction = "linear" + }, + disableSubscriptionOverrides = false, + defaultThrottlePolicy = { + maxReceivesPerSecond = 1 + } + } + } + protocol = "email" + emails = local.emails +} diff --git a/terraform/organization/vpc.tf b/terraform/organization/vpc.tf index a1e91b2..714a618 100644 --- a/terraform/organization/vpc.tf +++ b/terraform/organization/vpc.tf @@ -36,10 +36,6 @@ module "vpc" { enable_nat_gateway = true single_nat_gateway = true - - tags = { - Name = "vpc-g3-bsmsapp" - } } module "vpc_endpoints" { @@ -57,16 +53,20 @@ module "vpc_endpoints" { service = "dynamodb" service_type = "Gateway" route_table_ids = flatten([module.vpc.private_route_table_ids]) - policy = data.aws_iam_policy_document.this.json + policy = data.aws_iam_policy_document.dynamodb.json tags = { Name = "dynamodb-vpc-endpoint" } security_group_ids = [aws_security_group.dynamodb_sg.id] + }, + sns = { + service = "sns" + service_type = "Interface" + route_table_ids = flatten([module.vpc.private_route_table_ids]) + policy = data.aws_iam_policy_document.sns.json + tags = { Name = "sns-vpc-endpoint" } + subnet_ids = module.vpc.private_subnets + security_group_ids = [aws_security_group.sns_sg.id] } } - - tags = { - Name = "vpc-g3-bsmsapp" - Endpoint = "true" - } } resource "aws_vpc_endpoint" "dynamodb_endpoint" { @@ -91,26 +91,17 @@ resource "aws_security_group" "dynamodb_sg" { protocol = "tcp" prefix_list_ids = [aws_vpc_endpoint.dynamodb_endpoint.prefix_list_id] } - - tags = { - Name = "vpc-g3-bsmsapp" - } } -resource "aws_security_group" "vpc_tls" { - name_prefix = "vpc-g3-bsmsapp-vpc_tls" - description = "Allow TLS inbound traffic" +resource "aws_security_group" "sns_sg" { + name_prefix = "vpc-g3-bsmsapp-ssg" + description = "Allow outbound traffic" vpc_id = module.vpc.vpc_id - ingress { - description = "TLS from VPC" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [module.vpc.vpc_cidr_block] - } - - tags = { - Name = "vpc-g3-bsmsapp" + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } } diff --git a/terraform/organization/waf.tf b/terraform/organization/waf.tf index 7f259c3..466799a 100644 --- a/terraform/organization/waf.tf +++ b/terraform/organization/waf.tf @@ -5,7 +5,7 @@ module "waf" { aws = aws.aws } - name = "AWS-WAF-g3" + name = "AWS-WAF-bsmsapp" scope = "CLOUDFRONT" rule = { diff --git a/terraform/resources/lambda/lambdaDB/lambda_handler.py b/terraform/resources/lambda/lambdaDB/lambda_handler.py index 5e83579..cf37542 100644 --- a/terraform/resources/lambda/lambdaDB/lambda_handler.py +++ b/terraform/resources/lambda/lambdaDB/lambda_handler.py @@ -2,25 +2,26 @@ import json import boto3 from decimal import * + class DecimalEncoder(json.JSONEncoder): - def default(self, obj): - if isinstance(obj, Decimal): - return str(obj) - return json.JSONEncoder.default(self, obj) + def default(self, obj): + if isinstance(obj, Decimal): + return str(obj) + return json.JSONEncoder.default(self, obj) -def main (event, context): - client = boto3.resource('dynamodb', region_name="us-east-1") - table = client.Table("AWSDynamoDB-g3") - - data = table.scan()["Items"] +def main(event, context): + client = boto3.resource('dynamodb', region_name="us-east-1") + table = client.Table("AWSDynamoDB-g3") - resp = { - "statusCode": 200, - "headers": { - "Access-Control-Allow-Origin": "*", - }, - "body": json.dumps(data, cls=DecimalEncoder) - } + data = table.scan()["Items"] - return resp \ No newline at end of file + resp = { + "statusCode": 200, + "headers": { + "Access-Control-Allow-Origin": "*", + }, + "body": json.dumps(data, cls=DecimalEncoder) + } + + return resp diff --git a/terraform/resources/lambda/lambdaSNS.zip b/terraform/resources/lambda/lambdaSNS.zip new file mode 100644 index 0000000000000000000000000000000000000000..1b65466303dc34d1a23ed4dbd147b2e997ba48d3 GIT binary patch literal 387 zcmWIWW@Zs#U|`^2nB!I+8pF|b>NJq2$jHDT$RNXzlbD;7k{F+nn3s~1TBKJ{85+XL zz&wMqF4-utJ-M`kn}Lz#1v3K!nDF)Y%|2|vv-fv+#~dLK-^=Tw4WDed8_o7^?+@qO zF+#Up{I<`xSJz9v4Le5>UaGxJ#a8Uh^XK%uU zToe#!NN19(#FZ6mAI%BZo{?7TJX!3+Y#UF}6LW?bPS0SqAq24D~|ENKL>u!IsT YB$UuXD8QSQ4Wxk)2*ZK27|09;027LdZU6uP literal 0 HcmV?d00001 diff --git a/terraform/resources/lambda/lambdaSNS/lambda_handler.py b/terraform/resources/lambda/lambdaSNS/lambda_handler.py new file mode 100644 index 0000000..61f3f90 --- /dev/null +++ b/terraform/resources/lambda/lambdaSNS/lambda_handler.py @@ -0,0 +1,10 @@ +import json +import boto3 + + +def main(event, context): + message = "Probando SNS desde lambda..." + subject = "BSMSapp" + client = boto3.client("sns") + topic_arn = "arn:aws:sns:us-east-1:025685231147:slococo" + client.publish(TopicArn=topic_arn, Message=message, Subject=subject) diff --git a/terraform/resources/lambda/lambdaSQS/lambda_handler.py b/terraform/resources/lambda/lambdaSQS/lambda_handler.py index 2e45239..0243fe5 100644 --- a/terraform/resources/lambda/lambdaSQS/lambda_handler.py +++ b/terraform/resources/lambda/lambdaSQS/lambda_handler.py @@ -2,25 +2,25 @@ import json import boto3 -def main (event, context): - payload = event - payload = payload["Records"][0] - body = payload["body"] - body = body.replace('\n', '') - body = json.loads(body) - query = body["body-json"] +def main(event, context): + payload = event + payload = payload["Records"][0] + body = payload["body"] + body = body.replace('\n', '') + body = json.loads(body) + query = body["body-json"] - client = boto3.resource('dynamodb', region_name="us-east-1") - table = client.Table("AWSDynamoDB-g3") - - table.put_item(Item=query) + client = boto3.resource('dynamodb', region_name="us-east-1") + table = client.Table("AWSDynamoDB-g3") - resp = { - "statusCode": 200, - "headers": { - "Access-Control-Allow-Origin": "*", - }, - "body": "El elemento fue agregado." - } + table.put_item(Item=query) - return resp \ No newline at end of file + resp = { + "statusCode": 200, + "headers": { + "Access-Control-Allow-Origin": "*", + }, + "body": "El elemento fue agregado." + } + + return resp