add terraform

Author: tomeresk

terraform/compute.tf

@@ -0,0 +1,88 @@
+#resource "aws_instance" "ec2_instance" {
+#  # NOTE: The AMI ID is still hardcoded. For a more robust setup,
+#  # consider using a map variable to look up AMIs by region.
+#  ami = "ami-091e1eed890c3f1d1"
+#
+#  # Use variables for instance type and key name
+#  instance_type = var.instance_type
+#  key_name      = var.key_name
+#
+#  # NOTE: This IAM profile ARN is still hardcoded.
+#  iam_instance_profile = "arn:aws:iam::980573775279:instance-profile/eks-5ecb8bcc-f19e-43e1-a3ef-6c29d8215aba"
+#
+#  # Reference the subnet created above
+#  subnet_id = aws_subnet.k8s_subnet_2.id
+#
+#  # NOTE: The Security Group ID is still hardcoded.
+#  # This should reference an aws_security_group resource.
+#  vpc_security_group_ids = [
+#    "sg-00798d49dafea46e1"
+#  ]
+#
+#  metadata_options {
+#    http_endpoint               = "enabled"
+#    http_tokens                 = "optional"
+#    http_put_response_hop_limit = 2
+#  }
+#
+#  root_block_device {
+#    delete_on_termination = true
+#  }
+#
+#  tags = {
+#    "k8s.io/cluster-autoscaler/${var.cluster_name}" = "owned"
+#    "aws:eks:cluster-name"                   = var.cluster_name
+#    "eks:nodegroup-name"                     = "my-eks-nodegroup"
+#    "k8s.io/cluster-autoscaler/enabled"      = "true"
+#    "eks:cluster-name"                       = var.cluster_name
+#    "kubernetes.io/cluster/${var.cluster_name}"     = "owned"
+#  }
+#}
+
+# compute.tf
+
+# Data source to dynamically find the latest Amazon EKS-optimized AMI.
+data "aws_ami" "eks_node" {
+  filter {
+    name   = "name"
+    values = ["amazon-eks-node-${aws_eks_cluster.my_cluster.version}-v*"]
+  }
+
+  most_recent = true
+  owners      = ["602401143452"] # AWS account ID for EKS-optimized AMIs
+}
+
+# Defines a single EC2 instance to serve as an EKS worker node.
+resource "aws_instance" "eks_node" {
+  ami = data.aws_ami.eks_node.id
+
+  instance_type = var.instance_type
+  key_name      = var.key_name
+
+  iam_instance_profile = aws_iam_instance_profile.eks_node.name
+
+  subnet_id = aws_subnet.private_1.id
+
+  vpc_security_group_ids = [
+    aws_security_group.eks_node_sg.id,
+    aws_security_group.eks_shared_sg.id,
+  ]
+
+  # This script runs on startup to register the node with the EKS cluster.
+  user_data = <<-EOF
+              #!/bin/bash
+              set -o xtrace
+              /etc/eks/bootstrap.sh ${aws_eks_cluster.my_cluster.name} --b64-cluster-ca '${aws_eks_cluster.my_cluster.certificate_authority[0].data}' --apiserver-endpoint '${aws_eks_cluster.my_cluster.endpoint}'
+              EOF
+
+  root_block_device {
+    volume_size = 20
+    volume_type = "gp2"
+    encrypted   = true
+  }
+
+  tags = {
+    Name                                        = "${var.cluster_name}-worker-node"
+    "kubernetes.io/cluster/${var.cluster_name}" = "owned"
+  }
+}

terraform/data_services.tf

@@ -0,0 +1,22 @@
+# data_services.tf
+
+# Configures the account-wide encryption settings for the AWS Glue Data Catalog.
+resource "aws_glue_data_catalog_encryption_settings" "glue_settings" {
+  data_catalog_encryption_settings {
+    # Configures encryption for the metadata (table definitions, etc.) at rest.
+    encryption_at_rest {
+      catalog_encryption_mode = "SSE-KMS"
+
+      # Reference the KMS key from your security.tf file.
+      sse_aws_kms_key_id = aws_kms_key.cloudtrail_key.arn
+    }
+
+    # Configures encryption for passwords used in data source connections.
+    connection_password_encryption {
+      return_connection_password_encrypted = true
+
+      # You can use the same KMS key for password encryption.
+      aws_kms_key_id = aws_kms_key.cloudtrail_key.arn
+    }
+  }
+}

terraform/ecr.tf

@@ -0,0 +1,42 @@
+# ecr.tf
+
+# Defines a private ECR (Elastic Container Registry) repository for the Flask webserver application.
+resource "aws_ecr_repository" "flask_webserver_repo" {
+  # Name is now dynamic and uses a path-like structure for organization.
+  name = "${var.cluster_name}/python-flask-webserver"
+
+  image_tag_mutability = "MUTABLE"
+
+  encryption_configuration {
+    encryption_type = "AES256"
+  }
+
+  # Enable vulnerability scanning on push for better security.
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    "project" = var.cluster_name
+  }
+}
+
+# Defines a second ECR repository, in this case for storing malware analysis container images.
+resource "aws_ecr_repository" "malware_repo" {
+  name = "${var.cluster_name}/malware"
+
+  image_tag_mutability = "MUTABLE"
+
+  encryption_configuration {
+    encryption_type = "AES256"
+  }
+
+  # Enable vulnerability scanning on push for better security.
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    "project" = var.cluster_name
+  }
+}

terraform/eks.tf

@@ -0,0 +1,33 @@
+# eks.tf
+
+# Defines the EKS (Kubernetes) cluster control plane.
+resource "aws_eks_cluster" "my_cluster" {
+  name    = var.cluster_name
+  version = "1.30"
+
+  # Reference the IAM role created in iam.tf
+  role_arn = aws_iam_role.eks_cluster.arn
+
+  vpc_config {
+    # Place the EKS control plane ENIs in your private subnets for security.
+    subnet_ids = [
+      aws_subnet.private_1.id,
+      aws_subnet.private_2.id,
+    ]
+
+    endpoint_private_access = true
+    endpoint_public_access  = true
+    public_access_cidrs     = ["0.0.0.0/0"]
+
+    # Reference the control plane security group from security.tf
+    security_group_ids = [aws_security_group.eks_control_plane_sg.id]
+  }
+
+  enabled_cluster_log_types = []
+
+  tags = {
+    Name                          = var.cluster_name
+    "aws:cloudformation:logical-id" = "EKSCluster"
+    "aws:cloudformation:stack-name" = "eks-cluster"
+  }
+}

terraform/iam.tf

@@ -0,0 +1,111 @@
+# iam.tf
+
+# --------------------------------------------------------------
+# IAM Roles & Policies for EKS
+# --------------------------------------------------------------
+
+# Defines the IAM role that the EKS control plane will assume.
+resource "aws_iam_role" "eks_cluster" {
+  name_prefix = "eks-cluster-role-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action    = "sts:AssumeRole",
+      Effect    = "Allow",
+      Principal = { Service = "eks.amazonaws.com" }
+    }]
+  })
+}
+
+# Attaches the required AWS-managed policy for EKS clusters to the role.
+resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.eks_cluster.name
+}
+
+
+# Defines the IAM role that EKS worker nodes (EC2 instances) will assume.
+resource "aws_iam_role" "eks_node" {
+  name_prefix = "eks-node-role-"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action    = "sts:AssumeRole",
+      Effect    = "Allow",
+      Principal = { Service = "ec2.amazonaws.com" }
+    }]
+  })
+}
+
+# Creates an instance profile, which is a container for the IAM role that EC2 can use.
+resource "aws_iam_instance_profile" "eks_node" {
+  name_prefix = "eks-node-profile-"
+  role        = aws_iam_role.eks_node.name
+}
+
+# Attaches the standard EKS worker node policy.
+resource "aws_iam_role_policy_attachment" "eks_node_worker_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.eks_node.name
+}
+
+# Attaches the CNI policy, allowing pods to get IP addresses from the VPC.
+resource "aws_iam_role_policy_attachment" "eks_node_cni_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.eks_node.name
+}
+
+# Attaches a read-only policy for ECR, allowing nodes to pull container images.
+resource "aws_iam_role_policy_attachment" "eks_node_ecr_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.eks_node.name
+}
+
+
+# --------------------------------------------------------------
+# IAM Roles & Policies for Lambda
+# --------------------------------------------------------------
+
+# A data source to create a reusable IAM trust policy for all Lambda functions.
+data "aws_iam_policy_document" "lambda_assume_role" {
+  statement {
+    action = "sts:AssumeRole"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+# Defines an execution role for the 'cortex_custom_lambda' function.
+resource "aws_iam_role" "cortex_custom_lambda" {
+  name_prefix        = "cortex-custom-lambda-role-"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+}
+
+# Attaches the basic execution policy, allowing the function to write to CloudWatch Logs.
+resource "aws_iam_role_policy_attachment" "cortex_custom_lambda_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.cortex_custom_lambda.name
+}
+
+# Defines an execution role for the 'empty_bucket_lambda' function.
+resource "aws_iam_role" "empty_bucket_lambda" {
+  name_prefix        = "empty-bucket-lambda-role-"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+}
+
+# Attaches the basic execution policy.
+resource "aws_iam_role_policy_attachment" "empty_bucket_lambda_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.empty_bucket_lambda.name
+}
+
+# Defines an execution role for the second 'cortex_custom_lambda' function.
+resource "aws_iam_role" "cortex_custom_lambda_2" {
+  name_prefix        = "cortex-custom-lambda-2-role-"
+  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
+}

terraform/lambda.tf

@@ -0,0 +1,56 @@
+# lambda.tf
+
+# Defines a map of common settings to be reused by all Lambda functions in this file.
+locals {
+  common_lambda_settings = {
+    handler       = "index.handler"
+    runtime       = "python3.12"
+    memory_size   = 128
+    architectures = ["x86_64"]
+  }
+}
+
+# Defines the first Cortex custom Lambda function.
+resource "aws_lambda_function" "cortex_custom_lambda" {
+  filename         = "source_code/cortex_custom_lambda.zip"
+  source_code_hash = filebase64sha256("source_code/cortex_custom_lambda.zip")
+
+  function_name = var.cortex_custom_lambda_name_1
+  role          = aws_iam_role.cortex_custom_lambda.arn
+
+  handler       = local.common_lambda_settings.handler
+  runtime       = local.common_lambda_settings.runtime
+  memory_size   = local.common_lambda_settings.memory_size
+  architectures = local.common_lambda_settings.architectures
+  timeout       = 75
+}
+
+# Defines the Lambda function responsible for emptying S3 buckets.
+resource "aws_lambda_function" "empty_bucket_lambda" {
+  filename         = "source_code/empty_bucket_lambda.zip"
+  source_code_hash = filebase64sha256("source_code/empty_bucket_lambda.zip")
+
+  function_name = var.empty_bucket_lambda_name
+  role          = aws_iam_role.empty_bucket_lambda.arn
+
+  handler       = local.common_lambda_settings.handler
+  runtime       = local.common_lambda_settings.runtime
+  memory_size   = local.common_lambda_settings.memory_size
+  architectures = local.common_lambda_settings.architectures
+  timeout       = 600
+}
+
+# Defines the second Cortex custom Lambda function.
+resource "aws_lambda_function" "cortex_custom_lambda_2" {
+  filename         = "source_code/cortex_custom_lambda_2.zip"
+  source_code_hash = filebase64sha256("source_code/cortex_custom_lambda_2.zip")
+
+  function_name = var.cortex_custom_lambda_name_2
+  role          = aws_iam_role.cortex_custom_lambda_2.arn
+
+  handler       = local.common_lambda_settings.handler
+  runtime       = local.common_lambda_settings.runtime
+  memory_size   = local.common_lambda_settings.memory_size
+  architectures = local.common_lambda_settings.architectures
+  timeout       = 75
+}