resource "aws_config_config_rule" "s3_bucket_public_read_prohibited" {
  # AWS-managed Config rule that flags S3 buckets allowing public read
  # access. A Config rule can only evaluate once a configuration recorder
  # exists, hence the explicit dependency on the recorder resource.
  # (Consider pairing with S3_BUCKET_PUBLIC_WRITE_PROHIBITED; not in view.)
  depends_on = ["aws_config_configuration_recorder.config"]

  name        = "s3_bucket_public_read_prohibited"
  description = "Checks that your Amazon S3 buckets do not allow public read access"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }
}
resource "aws_cloudwatch_log_group" "environment_haproxy_log_group" {
  # Destination for the HAProxy access log. The HAProxy metric filters in
  # this file reference the group by the same "<environment>_haproxy" name,
  # so the two must be kept in sync.
  retention_in_days = 30
  name              = "${var.environment}_haproxy"
}
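resource "aws_cloudwatch_log_metric_filter" "viewer_vpc_flow_log_https_bytes_exclude_service_ips" {
  # Sums the bytes of ACCEPTed HTTPS (dstport 443) flows arriving at either
  # viewer instance's primary ENI, excluding the two service source prefixes
  # so the metric reflects external viewer traffic only.
  name           = "viewer_vpc_flow_log_https_bytes"
  log_group_name = "${var.environment}_vpc_flow_logs"

  # Field positions follow the default VPC flow log record:
  #   version account-id interface-id srcaddr dstaddr srcport dstport
  #   protocol packets bytes start end action log-status
  # The two srcaddr exclusions must be joined with && — with || every
  # address satisfied at least one "!=" clause, so nothing was excluded.
  pattern = "[version, accountid, interfaceid=${aws_instance.viewer_az1.primary_network_interface_id} || interfaceid=${aws_instance.viewer_az2.primary_network_interface_id}, srcaddr!=1.2.3* && srcaddr!=3.4.5*, dstaddr, srcport, dstport=443, protocol, packets, bytes, start, end, action=ACCEPT, logstatus]"

  metric_transformation {
    name      = "viewer_vpc_flow_log_https_bytes"
    namespace = "LogMetrics"
    # CloudWatch extracts a field's value only when it is referenced as
    # $<field>; the bare name "bytes" does not refer to the field and
    # never publishes the byte count.
    value = "$bytes"
  }
}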
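resource "aws_cloudwatch_log_metric_filter" "viewer_view_doc_bytes_read" {
  # Sums bytes_read over successful (2xx) HAProxy requests whose request
  # line contains "view-document" on this environment's backend.
  # NOTE(review): the filter name still says "_count" (it mirrors the
  # search-count filter); left unchanged because renaming a filter replaces
  # it in AWS — confirm whether "viewer_view_doc_bytes_read" was intended.
  name           = "viewer_view_document_count"
  log_group_name = "${var.environment}_haproxy"

  # HAProxy HTTP log, space-delimited; "..." absorbs any number of fields
  # before the request field.
  pattern = "[aws_timestamp, aws_hostname, pid, client, accept_date, frontend_name, backend=*${var.environment}*, rsptimes, status_code=2*, bytes_read, request_cookie, response_cookie, termination_state, connections, queue, ..., http_request=*view-document*]"

  metric_transformation {
    name      = "viewer_view_doc_bytes_read"
    namespace = "LogMetrics"
    # CloudWatch extracts a field's value only when it is referenced as
    # $<field>; the bare name "bytes_read" does not refer to the field
    # and never publishes the extracted byte count.
    value = "$bytes_read"
  }
}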
resource "aws_cloudwatch_log_metric_filter" "viewer_search_doc_count" {
  # Counts successful (2xx) HAProxy requests whose request line contains
  # "search-results" on this environment's backend; emits 1 per match.
  log_group_name = "${var.environment}_haproxy"
  name           = "viewer_search_doc_count"

  # HAProxy HTTP log, space-delimited; "..." absorbs any number of fields
  # before the request field.
  pattern = "[aws_timestamp, aws_hostname, pid, client, accept_date, frontend_name, backend=*${var.environment}*, rsptimes, status_code=2*, bytes_read, request_cookie, response_cookie, termination_state, connections, queue, ..., http_request=*search-results*]"

  metric_transformation {
    namespace = "LogMetrics"
    name      = "viewer_search_doc_count"
    value     = 1
  }
}
#!/bin/sh
# Deployment helper: positional arguments select the target deployment,
# zone and git ref. The rest of the script is not visible in this excerpt.
# NOTE(review): no `set -eu`, so a missing argument silently expands to "".
DEPLOY=$1
ZONE=$2
BRANCH=$3
# NOTE(review): GIT_TAG reads the same positional parameter as BRANCH ($3).
# Confirm whether $4 was intended or the tag is deliberately the branch name.
GIT_TAG=$3
# SSH remote host only; the repository path is presumably appended where
# PROJECT is used — verify against the clone/fetch further down.
GIT_REPO="git@gitlab.my-example-fqdn.com"
PROJECT="ops"
DEPLOY_PATH="non_prod"
// original code sourced from : https://gist.github.com/JesseCrocker/ebe4b6a8c367b7eb00d4fdf98607260d
'use strict';
// Module-load log line; runs when the file is first loaded, not per call.
console.log('Loading function');
var AWS = require('aws-sdk');
var url = require('url');
var https = require('https');
// Module-level state; assigned further down, outside this excerpt.
// Presumably the webhook URL is stored KMS-encrypted and decrypted via the
// aws-sdk before use — confirm against the handler.
// NOTE(review): "kmsEncyptedHookUrl" is spelled without the "r"; keep the
// spelling consistent with wherever it is read and assigned.
var hookUrl, kmsEncyptedHookUrl, slackChannel;
resource "aws_sns_topic" "ops" {
name = "ops"
provisioner "local-exec" {
command = "aws sns subscribe --topic-arn ${self.arn} --region eu-west-1 --protocol lambda --notification-endpoint ${aws_lambda_function.sns_to_slack_lambda_function.arn}"
}
depends_on = [
"aws_s3_bucket.ses_e_mail_bucket",
"aws_lambda_function.sns_to_slack_lambda_function"
# KMS key for the SNS-to-Slack Lambda (presumably the key that decrypts the
# encrypted webhook URL; the decrypting code is not in view). A key ARN is
# an identifier, not a secret, but the "xxxx" placeholders must be replaced
# with the real account and key ids before apply. The name reads "ksm"
# (sic) and is referenced by that name elsewhere, so it is kept as is.
variable "ksm_sns_to_slack" {
  description = "ARN of the KMS key used by the SNS-to-Slack Lambda"
  default     = "arn:aws:kms:eu-west-1:xxxx:key/xxxx"
}
# Local path to the packaged Lambda deployment artifact, relative to the
# Terraform working directory.
variable "lambda_function_sns_to_slack_file" {
  description = "Path to the zipped SNS-to-Slack Lambda deployment package"
  default     = "files/lambda_function_SnsToSlack.zip"
}
resource "aws_iam_role" "lambda_iam_role" {
name = "lambda_iam_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {