This module is used to configure AWS resources to work with the Shepherd project.
Creates metric alarms for use with a Lambda Function
- Success rate
```hcl
module "shepherd" {
  source = "dod-iac/shepherd/aws"

  subscriber_buckets = [
    "bucket1",
    "bucket2",
  ]

  shepherd_users = [
    "iam_user1",
    "iam_user2",
  ]

  tags = {
    Project     = var.project
    Application = var.application
    Environment = var.environment
    Automation  = "Terraform"
  }
}
```
Terraform 0.13. Pin the module version to `~> 1.0.0`. Submit pull requests to the master branch.
Terraform 0.11 and 0.12 are not supported.
This project constitutes a work of the United States Government and is not subject to domestic copyright protection under 17 USC § 105. However, because the project utilizes code licensed from contributors and other third parties, it therefore is licensed under the MIT License. See LICENSE file for more information.
For the Athena workgroups, the option "Queries with requester pays buckets" must be set to "Enabled". Ensure that both the Athena primary workgroup and the Shepherd workgroups have this enabled. This has to be done manually for any new workgroups that are added.
Each database needs a table with the data. There is a saved query in each workgroup for creating the table. After switching to a workgroup, and after checking that the correct database is selected, run its create-table query. This needs to be done for each database, switching workgroups each time. Confirm that the tables exist by looking in AWS Glue, or in AWS Athena by selecting the appropriate database.
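The two manual checks above (requester-pays on every workgroup, a table in every database) can also be verified from the API. This is an added example, not code from the module; the functions take the response shapes returned by boto3 `athena.get_work_group()` and `glue.get_tables()`, and the workgroup and database names in the samples are constructed placeholders.

```python
"""Post-install check for the Shepherd module (added example, not module code):
confirm the Athena primary and Shepherd workgroups have "Queries with requester
pays buckets" enabled and that each Glue database actually has a table. The
check functions take the response shapes of boto3 athena.get_work_group() and
glue.get_tables(), so they run offline; fetch_report() wires them to live clients.
"""
from typing import Dict, List


def requester_pays_enabled(work_group: Dict) -> bool:
    """True if the workgroup configuration sets RequesterPaysEnabled (default False)."""
    config = work_group.get("WorkGroup", {}).get("Configuration", {})
    return bool(config.get("RequesterPaysEnabled", False))


def workgroups_missing_requester_pays(responses: Dict[str, Dict]) -> List[str]:
    """Names of workgroups whose get_work_group() response lacks requester pays."""
    return sorted(n for n, r in responses.items() if not requester_pays_enabled(r))


def databases_without_tables(tables_by_db: Dict[str, Dict]) -> List[str]:
    """Databases whose get_tables() response lists no tables."""
    return sorted(db for db, r in tables_by_db.items() if not r.get("TableList"))


def fetch_report(workgroups: List[str], databases: List[str]) -> Dict[str, List[str]]:
    """Query the live AWS APIs (needs boto3 and credentials) and return findings."""
    import boto3  # imported lazily so the pure checks above run without it
    athena, glue = boto3.client("athena"), boto3.client("glue")
    wg = {n: athena.get_work_group(WorkGroup=n) for n in workgroups}
    tables = {d: glue.get_tables(DatabaseName=d) for d in databases}
    return {
        "workgroups_missing_requester_pays": workgroups_missing_requester_pays(wg),
        "databases_without_tables": databases_without_tables(tables),
    }


# Constructed sample responses with placeholder names, not data from a real account.
SAMPLE_WORKGROUPS = {
    "primary": {"WorkGroup": {"Name": "primary", "Configuration": {"RequesterPaysEnabled": True}}},
    "shepherd-example": {"WorkGroup": {"Name": "shepherd-example", "Configuration": {}}},
}
SAMPLE_TABLES = {
    "shepherd_example_db": {"TableList": [{"Name": "data"}]},
    "shepherd_empty_db": {"TableList": []},
}

if __name__ == "__main__":
    print(workgroups_missing_requester_pays(SAMPLE_WORKGROUPS))  # ['shepherd-example']
    print(databases_without_tables(SAMPLE_TABLES))  # ['shepherd_empty_db']
```

Run `fetch_report(["primary", "<shepherd workgroup>"], ["<shepherd database>"])` with the names from your deployment; an empty finding list for both keys means the manual steps are complete.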
There are two roles that must be passed to the vendor and appear as outputs:
- `shepherd_glue_role_arn`: The role used by AWS Glue to do ETL on the data
- `shepherd_users_role_arn`: The role used by IAM users to work with the resources configured by this module
Some data needs to be placed in the AWS SSM Parameter Store:
- `salt`: A random 32-character string used as a salt for hashing algorithms

To write the parameter, use the chamber tool:

```sh
SALT=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
chamber write shepherd-global salt "${SALT}"
```
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
| template | n/a |
| Name | Source | Version |
|---|---|---|
| athena_results | trussworks/s3-private-bucket/aws | ~> 3.2.1 |
| aws_logs | trussworks/logs/aws | ~> 10.0.0 |
| glue_tmp_bucket | trussworks/s3-private-bucket/aws | ~> 3.2.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application | n/a | string | `"shepherd"` | no |
| csv_bucket_allowed_ip_blocks | List of CIDR blocks allowed to access the CSV bucket | list(string) | `[` | no |
| csv_bucket_name | The name of the S3 bucket hosting the publicly accessible CSV files. The name must be a valid DNS name. Best practice is to use a unique hash in the name, e.g. UNIQUEHASH.example.com | string | `""` | no |
| csv_jobs | Details for each CSV job. See comments in code for details | list(map(string)) | `[]` | no |
| environment | n/a | string | `"global"` | no |
| project | n/a | string | `"shepherd"` | no |
| region | n/a | string | `"us-gov-west-1"` | no |
| shepherd_engineers | The set of IAM user names to add to the 'shepherd_engineers' group | list(string) | `[]` | no |
| shepherd_users | The set of IAM user names to add to the 'shepherd_users' group | list(string) | `[]` | no |
| subscriber_buckets | The set of AWS S3 buckets to subscribe to | list(string) | `[]` | no |
| tags | The tags for the project | map(string) | `{}` | no |
| Name | Description |
|---|---|
| csv_results_bucket | The CSV results bucket name |
| csv_website_domain | The CSV domain of the website endpoint, if the bucket is configured with a website. This is used to create Route 53 alias records. |
| csv_website_endpoint | The CSV website endpoint, if the bucket is configured with a website. |
| shepherd_glue_role_arn | The ARN of the Shepherd Glue role |
| shepherd_users_role_arn | The ARN of the shepherd-users role |