Release 3.4.1 (#31) (#32)

* Updated module versions and added comments

* Update module versions and VPN storage class

* Updated VPN terraform outputs for printing port nubmer

* Updated Readme files

* Updated karpenter private subnet tag

* Updated vpn server lifecycle to ignore ami changes

Co-authored-by: ankush-sqops <ankush.upadhyay@squareops.com>

Author: vinayakgautamops

IAM.md

@@ -27,7 +27,8 @@ The Policy required to deploy this module is:
                 "ec2:CreateEgressOnlyInternetGateway",
                 "ec2:CreateFlowLogs",
                 "ec2:CreateInternetGateway",
-                "ec2:CreateKeyPair",
+                "ec2:CreateIpam",
+                "ec2:CreateIpamPool",
                 "ec2:CreateNatGateway",
                 "ec2:CreateNetworkAcl",
                 "ec2:CreateNetworkAclEntry",
@@ -37,13 +38,15 @@ The Policy required to deploy this module is:
                 "ec2:CreateSubnet",
                 "ec2:CreateTags",
                 "ec2:CreateVPC",
+                "ec2:CreateVpcEndpoint",
                 "ec2:CreateVpnGateway",
                 "ec2:DeleteCustomerGateway",
                 "ec2:DeleteDhcpOptions",
                 "ec2:DeleteEgressOnlyInternetGateway",
                 "ec2:DeleteFlowLogs",
                 "ec2:DeleteInternetGateway",
-                "ec2:DeleteKeyPair",
+                "ec2:DeleteIpam",
+                "ec2:DeleteIpamPool",
                 "ec2:DeleteNatGateway",
                 "ec2:DeleteNetworkAcl",
                 "ec2:DeleteNetworkAclEntry",
@@ -53,29 +56,35 @@ The Policy required to deploy this module is:
                 "ec2:DeleteSubnet",
                 "ec2:DeleteTags",
                 "ec2:DeleteVPC",
+                "ec2:DeleteVpcEndpoints",
                 "ec2:DeleteVpnGateway",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
+                "ec2:DescribeAvailabilityZones",
                 "ec2:DescribeCustomerGateways",
                 "ec2:DescribeDhcpOptions",
                 "ec2:DescribeEgressOnlyInternetGateways",
                 "ec2:DescribeFlowLogs",
+                "ec2:DescribeImages",
                 "ec2:DescribeInstanceAttribute",
                 "ec2:DescribeInstanceCreditSpecifications",
                 "ec2:DescribeInstanceTypes",
                 "ec2:DescribeInstances",
                 "ec2:DescribeInternetGateways",
-                "ec2:DescribeKeyPairs",
+                "ec2:DescribeIpamPools",
+                "ec2:DescribeIpams",
                 "ec2:DescribeNatGateways",
                 "ec2:DescribeNetworkAcls",
                 "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribePrefixLists",
                 "ec2:DescribeRouteTables",
                 "ec2:DescribeSecurityGroups",
                 "ec2:DescribeSpotInstanceRequests",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeTags",
                 "ec2:DescribeVolumes",
                 "ec2:DescribeVpcAttribute",
+                "ec2:DescribeVpcEndpoints",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeVpnGateways",
                 "ec2:DetachInternetGateway",
@@ -85,9 +94,13 @@ The Policy required to deploy this module is:
                 "ec2:DisassociateRouteTable",
                 "ec2:DisassociateVpcCidrBlock",
                 "ec2:EnableVgwRoutePropagation",
-                "ec2:ImportKeyPair",
+                "ec2:GetIpamPoolCidrs",
                 "ec2:ModifyInstanceAttribute",
+                "ec2:ModifyIpam",
+                "ec2:ModifyIpamPool",
+                "ec2:ModifyVpcEndpoint",
                 "ec2:MonitorInstances",
+                "ec2:ProvisionIpamPoolCidr",
                 "ec2:ReleaseAddress",
                 "ec2:RequestSpotInstances",
                 "ec2:RevokeSecurityGroupEgress",
@@ -122,25 +135,35 @@ The Policy required to deploy this module is:
             "Sid": "VisualEditor2",
             "Effect": "Allow",
             "Action": [
+                "iam:AddRoleToInstanceProfile",
                 "iam:AttachRolePolicy",
+                "iam:CreateInstanceProfile",
                 "iam:CreatePolicy",
                 "iam:CreateRole",
+                "iam:CreateServiceLinkedRole",
+                "iam:DeleteInstanceProfile",
                 "iam:DeletePolicy",
                 "iam:DeleteRole",
                 "iam:DeleteRolePermissionsBoundary",
                 "iam:DetachRolePolicy",
+                "iam:GetInstanceProfile",
                 "iam:GetPolicy",
                 "iam:GetPolicyVersion",
                 "iam:GetRole",
                 "iam:ListAttachedRolePolicies",
                 "iam:ListInstanceProfilesForRole",
+                "iam:ListPolicies",
                 "iam:ListPolicyVersions",
                 "iam:ListRolePolicies",
                 "iam:PassRole",
                 "iam:PutRolePermissionsBoundary",
+                "iam:RemoveRoleFromInstanceProfile",
+                "iam:TagInstanceProfile",
                 "iam:TagPolicy",
                 "iam:TagRole",
-                "iam:UntagPolicy"
+                "iam:UntagInstanceProfile",
+                "iam:UntagPolicy",
+                "iam:UpdateRoleDescription"
             ],
             "Resource": [
                 "*"
@@ -209,13 +232,13 @@ The Policy required to deploy this module is:
             "Sid": "VisualEditor7",
             "Effect": "Allow",
             "Action": [
-                "ssm:AddTagsToResource",
-                "ssm:DeleteParameter",
-                "ssm:DescribeParameters",
+                "ssm:CreateDocument",
+                "ssm:DeleteDocument",
+                "ssm:DescribeDocument",
+                "ssm:DescribeDocumentPermission",
+                "ssm:GetDocument",
                 "ssm:GetParameter",
-                "ssm:GetParameters",
-                "ssm:ListTagsForResource",
-                "ssm:PutParameter"
+                "ssm:UpdateDocument"
             ],
             "Resource": [
                 "*"

README.md

@@ -203,7 +203,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.9.0 |
 | <a name="module_vpn_server"></a> [vpn\_server](#module\_vpn\_server) | ./modules/vpn | n/a |
 
 ## Resources
@@ -248,6 +248,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 | <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | The netmask length for IPAM managed VPC | `number` | `16` | no |
 | <a name="input_ipv6_enabled"></a> [ipv6\_enabled](#input\_ipv6\_enabled) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. | `bool` | `false` | no |
 | <a name="input_ipv6_only"></a> [ipv6\_only](#input\_ipv6\_only) | Enable it for deploying native IPv6 network | `bool` | `false` | no |
+| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | ARN of the KMS key to encrypt VPN server EBS volume | `string` | `""` | no |
 | <a name="input_name"></a> [name](#input\_name) | Specify the name of the VPC | `string` | `""` | no |
 | <a name="input_one_nat_gateway_per_az"></a> [one\_nat\_gateway\_per\_az](#input\_one\_nat\_gateway\_per\_az) | Set to true if a NAT Gateway is required per availability zone for Private Subnet Tier | `bool` | `false` | no |
 | <a name="input_private_subnet_assign_ipv6_address_on_creation"></a> [private\_subnet\_assign\_ipv6\_address\_on\_creation](#input\_private\_subnet\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
@@ -280,6 +281,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 | <a name="output_vpc_ipv6_association_id"></a> [vpc\_ipv6\_association\_id](#output\_vpc\_ipv6\_association\_id) | The association ID for the IPv6 CIDR block |
 | <a name="output_vpc_secondary_cidr_blocks"></a> [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
 | <a name="output_vpn_host_public_ip"></a> [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | IP Address of VPN Server |
+| <a name="output_vpn_port_description"></a> [vpn\_port\_description](#output\_vpn\_port\_description) | Description of VPN server port |
 | <a name="output_vpn_security_group"></a> [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/complete-vpc-with-vpn/README.md

@@ -33,9 +33,9 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_key_pair_vpn"></a> [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | n/a |
-| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ | n/a |
+| <a name="module_key_pair_vpn"></a> [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | 1.0.2 |
+| <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | 3.1.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | squareops/vpc/aws | 3.3.5 |
 
 ## Resources
 

examples/complete-vpc-with-vpn/main.tf

@@ -1,29 +1,33 @@
 locals {
   name        = "vpc"
-  region      = "ap-south-1"
+  region      = "us-west-1"
   environment = "prod"
   additional_aws_tags = {
     Owner      = "Organization_Name"
     Expires    = "Never"
     Department = "Engineering"
   }
-  kms_user         = null
-  vpc_cidr         = "10.10.0.0/16"
-  current_identity = data.aws_caller_identity.current.arn
+  kms_user           = null
+  vpc_cidr           = "10.10.0.0/16"
+  availability_zones = ["us-west-1a", "us-west-1b"]
+  current_identity   = data.aws_caller_identity.current.arn
+  vpn_server_enabled = true // Set to true, enabling the VPN server within the VPC, which will use the provided key pair for securing VPN connections.
 }
 
 data "aws_caller_identity" "current" {}
 
 module "key_pair_vpn" {
   source             = "squareops/keypair/aws"
+  version            = "1.0.2"
+  count              = local.vpn_server_enabled ? 1 : 0
   key_name           = format("%s-%s-vpn", local.environment, local.name)
   environment        = local.environment
   ssm_parameter_path = format("%s-%s-vpn", local.environment, local.name)
 }
 
 module "kms" {
-  source = "terraform-aws-modules/kms/aws"
-
+  source                  = "terraform-aws-modules/kms/aws"
+  version                 = "3.1.0"
   deletion_window_in_days = 7
   description             = "Symetric Key to Enable Encryption at rest using KMS services."
   enable_key_rotation     = false
@@ -70,14 +74,16 @@ module "kms" {
 
 module "vpc" {
   source                                          = "squareops/vpc/aws"
+  version                                         = "3.3.5"
   name                                            = local.name
   region                                          = local.region
   vpc_cidr                                        = local.vpc_cidr
   environment                                     = local.environment
   flow_log_enabled                                = true
-  vpn_key_pair_name                               = module.key_pair_vpn.key_pair_name
-  availability_zones                              = ["ap-south-1a", "ap-south-1b"]
-  vpn_server_enabled                              = true
+  vpn_key_pair_name                               = local.vpn_server_enabled ? module.key_pair_vpn[0].key_pair_name : null
+  availability_zones                              = local.availability_zones
+  vpn_server_enabled                              = local.vpn_server_enabled
+  kms_key_arn                                     = module.kms.key_arn
   intra_subnet_enabled                            = true
   public_subnet_enabled                           = true
   auto_assign_public_ip                           = true
@@ -91,4 +97,4 @@ module "vpc" {
   flow_log_cloudwatch_log_group_skip_destroy      = true
   flow_log_cloudwatch_log_group_retention_in_days = 90
   flow_log_cloudwatch_log_group_kms_key_arn       = module.kms.key_arn #Enter your kms key arn
-}
+}

examples/simple-vpc/main.tf

@@ -7,15 +7,16 @@ locals {
     Expires    = "Never"
     Department = "Engineering"
   }
-  vpc_cidr = "10.10.0.0/16"
+  vpc_cidr           = "10.10.0.0/16"
+  availability_zones = ["us-east-1a", "us-east-1b"]
 }
 
 module "vpc" {
   source                = "squareops/vpc/aws"
   name                  = local.name
   vpc_cidr              = local.vpc_cidr
   environment           = local.environment
-  availability_zones    = ["us-east-1a", "us-east-1b"]
+  availability_zones    = local.availability_zones
   public_subnet_enabled = true
   auto_assign_public_ip = true
 }

examples/vpc-dualstack/main.tf

@@ -7,16 +7,17 @@ locals {
     Expires    = "Never"
     Department = "Engineering"
   }
-  vpc_cidr     = "10.10.0.0/16"
-  ipv6_enabled = true
+  vpc_cidr           = "10.10.0.0/16"
+  availability_zones = ["us-east-1a", "us-east-1b"]
+  ipv6_enabled       = true
 }
 
 module "vpc" {
   source                                          = "squareops/vpc/aws"
   name                                            = local.name
   vpc_cidr                                        = local.vpc_cidr
   environment                                     = local.environment
-  availability_zones                              = ["us-east-1a", "us-east-1b"]
+  availability_zones                              = local.availability_zones
   public_subnet_enabled                           = true
   private_subnet_enabled                          = true
   intra_subnet_enabled                            = false

examples/vpc-native-ipv6/main.tf

@@ -7,9 +7,10 @@ locals {
     Expires    = "Never"
     Department = "Engineering"
   }
-  vpc_cidr     = "10.10.0.0/16"
-  ipv6_enabled = true
-  ipv6_only    = true
+  vpc_cidr           = "10.10.0.0/16"
+  availability_zones = ["us-east-1a", "us-east-1b"]
+  ipv6_enabled       = true
+  ipv6_only          = true
 }
 
 module "vpc" {
@@ -19,7 +20,7 @@ module "vpc" {
   ipv6_only                                       = local.ipv6_only
   environment                                     = local.environment
   ipv6_enabled                                    = local.ipv6_enabled
-  availability_zones                              = ["us-east-1a", "us-east-1b"]
+  availability_zones                              = local.availability_zones
   public_subnet_enabled                           = true
   private_subnet_enabled                          = true
   intra_subnet_enabled                            = true

examples/vpc-with-private-subnet/main.tf

@@ -7,15 +7,16 @@ locals {
     Expires    = "Never"
     Department = "Engineering"
   }
-  vpc_cidr = "10.10.0.0/16"
+  vpc_cidr           = "10.10.0.0/16"
+  availability_zones = ["us-east-1a", "us-east-1b"]
 }
 
 module "vpc" {
   source                 = "squareops/vpc/aws"
   name                   = local.name
   vpc_cidr               = local.vpc_cidr
   environment            = local.environment
-  availability_zones     = ["us-east-1a", "us-east-1b"]
+  availability_zones     = local.availability_zones
   public_subnet_enabled  = true
   private_subnet_enabled = true
   auto_assign_public_ip  = true

examples/vpc-with-secondary-cidr/main.tf

@@ -8,6 +8,7 @@ locals {
     Department = "Engineering"
   }
   vpc_cidr              = "10.10.0.0/16"
+  availability_zones    = ["us-east-1a", "us-east-1b"]
   secondry_cidr_enabled = true
   secondary_cidr_blocks = ["10.20.0.0/16"]
 }
@@ -17,7 +18,7 @@ module "vpc" {
   name                    = local.name
   vpc_cidr                = local.vpc_cidr
   environment             = local.environment
-  availability_zones      = ["us-east-1a", "us-east-1b"]
+  availability_zones      = local.availability_zones
   public_subnet_enabled   = true
   private_subnet_enabled  = true
   auto_assign_public_ip   = true