From 81bf215c0f433834ba17bef34312923a88e58be0 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Mon, 13 May 2024 22:34:37 +0300 Subject: [PATCH] added autotest for workspaces-* --- .github/workflows/tf_testing.yml | 76 ++++++++--------- .../green/common_resources/vpc.tf | 50 ++++++++--- auto_policy_testing/green/workspaces/iam.tf | 30 +++++++ auto_policy_testing/green/workspaces/main.tf | 13 +++ .../green/workspaces/outputs.tf | 6 ++ .../green/workspaces/policy.json | 42 ++++++++++ .../green/workspaces/provider.tf | 15 ++++ .../green/workspaces/variables.tf | 5 ++ auto_policy_testing/green/workspaces/vpc.tf | 30 +++++++ .../green/workspaces/workspace.tf | 84 +++++++++++++++++++ auto_policy_testing/red/workspaces/iam.tf | 30 +++++++ auto_policy_testing/red/workspaces/main.tf | 13 +++ auto_policy_testing/red/workspaces/outputs.tf | 6 ++ .../red/workspaces/provider.tf | 15 ++++ .../red/workspaces/variables.tf | 5 ++ auto_policy_testing/red/workspaces/vpc.tf | 30 +++++++ .../red/workspaces/workspace.tf | 65 ++++++++++++++ .../scripts/exception_rules.py | 7 +- .../shared_tf_modules/naming/outputs.tf | 1 + 19 files changed, 474 insertions(+), 49 deletions(-) create mode 100644 auto_policy_testing/green/workspaces/iam.tf create mode 100644 auto_policy_testing/green/workspaces/main.tf create mode 100644 auto_policy_testing/green/workspaces/outputs.tf create mode 100644 auto_policy_testing/green/workspaces/policy.json create mode 100644 auto_policy_testing/green/workspaces/provider.tf create mode 100644 auto_policy_testing/green/workspaces/variables.tf create mode 100644 auto_policy_testing/green/workspaces/vpc.tf create mode 100644 auto_policy_testing/green/workspaces/workspace.tf create mode 100644 auto_policy_testing/red/workspaces/iam.tf create mode 100644 auto_policy_testing/red/workspaces/main.tf create mode 100644 auto_policy_testing/red/workspaces/outputs.tf create mode 100644 auto_policy_testing/red/workspaces/provider.tf create mode 100644 auto_policy_testing/red/workspaces/variables.tf create mode 100644 
auto_policy_testing/red/workspaces/vpc.tf create mode 100644 auto_policy_testing/red/workspaces/workspace.tf
diff --git a/.github/workflows/tf_testing.yml b/.github/workflows/tf_testing.yml
index 9f69c5109..9d6135c03 100644
--- a/.github/workflows/tf_testing.yml
+++ b/.github/workflows/tf_testing.yml
@@ -22,47 +22,47 @@ env: CORE_TESTING_FOLDER: ${{ github.workspace }} OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }} - resource_priority_list: 'acm' + resource_priority_list: 'workspaces' RED: '\033[0;31m' jobs: - terraform_test_policy_green_flights: - permissions: - contents: 'read' - id-token: 'write' - runs-on: ubuntu-22.04 - steps: - - name: Git clone the repository - uses: actions/checkout@v4 - - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.CI_ASSUME_ROLE }} - role-session-name: ECC-AWS-RULEPACK_CI-GREEN - aws-region: ${{ vars.AWS_REGION }} - - name: Install dependencies - shell: bash - working-directory: auto_policy_testing/scripts - run: | - pip install -r requirements.txt - - name: terraform_test_policy_green_flights - shell: bash - working-directory: auto_policy_testing/scripts - run: | - python main.py \ - --cloud AWS \ - --infra_color green \ - -l $resource_priority_list \ - --base_dir $GITHUB_WORKSPACE \ - --output_dir $OUTPUT_DIR \ - --sa "github_ci_readonly_ecc-aws-rulepack" - echo -e "${RED}Failed policies:" - cat $OUTPUT_DIR/.failed - echo -e "${RED}Failed terraforms:" - cat $OUTPUT_DIR/.tf_failed - test -s $OUTPUT_DIR/.failed && exit 1 - test -s $OUTPUT_DIR/.tf_failed && exit 1 - exit 0 + # terraform_test_policy_green_flights: + # permissions: + # contents: 'read' + # id-token: 'write' + # runs-on: ubuntu-22.04 + # steps: + # - name: Git clone the repository + # uses: actions/checkout@v4 + # - name: configure aws credentials + # uses: aws-actions/configure-aws-credentials@v4 + # with: + # role-to-assume: ${{ secrets.CI_ASSUME_ROLE }} + # role-session-name: ECC-AWS-RULEPACK_CI-GREEN + # aws-region: ${{ vars.AWS_REGION }} + # - name: Install dependencies + # shell: bash + # working-directory: auto_policy_testing/scripts + # run: | + # pip install -r requirements.txt + # - name: terraform_test_policy_green_flights + # 
shell: bash + # working-directory: auto_policy_testing/scripts + # run: | + # python main.py \ + # --cloud AWS \ + # --infra_color green \ + # -l $resource_priority_list \ + # --base_dir $GITHUB_WORKSPACE \ + # --output_dir $OUTPUT_DIR \ + # --sa "github_ci_readonly_ecc-aws-rulepack" + # echo -e "${RED}Failed policies:" + # cat $OUTPUT_DIR/.failed + # echo -e "${RED}Failed terraforms:" + # cat $OUTPUT_DIR/.tf_failed + # test -s $OUTPUT_DIR/.failed && exit 1 + # test -s $OUTPUT_DIR/.tf_failed && exit 1 + # exit 0 terraform_test_policy_red_flights: permissions: diff --git a/auto_policy_testing/green/common_resources/vpc.tf b/auto_policy_testing/green/common_resources/vpc.tf index 393a92b8c..e72bb8a17 100644 --- a/auto_policy_testing/green/common_resources/vpc.tf +++ b/auto_policy_testing/green/common_resources/vpc.tf 
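Review bot: The green job is disabled by commenting out all of `terraform_test_policy_green_flights` rather than by a switch, so from this commit on the green (compliant) WorkSpaces configuration added here — and every other green test — is never exercised by CI, and the hunk gives no reason or re-enable condition. Prefer keeping the job and gating it, e.g. `if: ${{ vars.RUN_GREEN_FLIGHTS == 'true' }}` under the job key, or at minimum a comment such as `# Temporarily disabled: <reason>; re-enable after <condition>` above the commented block. `resource_priority_list: 'workspaces'` also narrows the shared workflow to the one resource under development; if that is meant for this branch only, say so or make it a `workflow_dispatch` input. The `jobs:` mapping continues past the end of the hunk.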
@@ -6,19 +6,49 @@ resource "aws_vpc" "this" { } resource "aws_subnet" "subnet1" { - vpc_id = aws_vpc.this.id - cidr_block = "10.0.1.0/24" - availability_zone = data.aws_availability_zones.this.names[0] + vpc_id = aws_vpc.this.id + cidr_block = "10.0.1.0/24" + availability_zone_id = "use1-az2" + map_public_ip_on_launch = "true" } resource "aws_subnet" "subnet2" { - vpc_id = aws_vpc.this.id - cidr_block = "10.0.2.0/24" - availability_zone = data.aws_availability_zones.this.names[0] + vpc_id = aws_vpc.this.id + cidr_block = "10.0.2.0/24" + availability_zone = data.aws_availability_zones.this.names[0] + map_public_ip_on_launch = "true" } resource "aws_subnet" "subnet3" { - vpc_id = aws_vpc.this.id - cidr_block = "10.0.3.0/24" - availability_zone = data.aws_availability_zones.this.names[1] -} \ No newline at end of file + vpc_id = aws_vpc.this.id + cidr_block = "10.0.3.0/24" + availability_zone_id = "use1-az4" + map_public_ip_on_launch = "true" +} + +resource "aws_internet_gateway" "this" { + vpc_id = aws_vpc.this.id +} + +resource "aws_route_table" "this" { + vpc_id = aws_vpc.this.id + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.this.id + } +} + +resource "aws_route_table_association" "this" { + subnet_id = aws_subnet.subnet1.id + route_table_id = aws_route_table.this.id +} + +resource "aws_route_table_association" "this2" { + subnet_id = aws_subnet.subnet2.id + route_table_id = aws_route_table.this.id +} + +resource "aws_route_table_association" "this3" { + subnet_id = aws_subnet.subnet3.id + route_table_id = aws_route_table.this.id +} diff --git a/auto_policy_testing/green/workspaces/iam.tf b/auto_policy_testing/green/workspaces/iam.tf new file mode 100644 index 000000000..def5e4531 --- /dev/null +++ b/auto_policy_testing/green/workspaces/iam.tf 
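Review bot: With this hunk every subnet of the shared green VPC becomes public — `map_public_ip_on_launch = "true"` on all three plus a `0.0.0.0/0` route to the new internet gateway associated with each of them — and this VPC is the `common_resources` state every green module reads, so any green test that expects private subnets or checks auto-assigned public IPs can start failing for reasons unrelated to its own resources. If only WorkSpaces needs internet reachability, consider a dedicated public subnet (or a NAT gateway for the existing ones) instead of converting all three. The pinned `availability_zone_id = "use1-az2"` / `"use1-az4"` on subnet1 and subnet3 is presumably a WorkSpaces/Directory Service AZ constraint; that rationale deserves a comment such as `# pinned: WorkSpaces is only offered in specific AZ IDs of us-east-1 — TODO confirm`, and it silently ties this VPC to us-east-1. `map_public_ip_on_launch` is a bool argument, so `true` rather than the string `"true"` matches the provider schema.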
@@ -0,0 +1,30 @@ +resource "aws_iam_role" "workspaces-default" { + name = "workspaces_DefaultRole" + assume_role_policy = data.aws_iam_policy_document.workspaces.json +} + +data "aws_iam_policy_document" "workspaces" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["workspaces.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy_attachment" "workspaces-default-service-access" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess" +} + +resource "aws_iam_role_policy_attachment" "workspaces-default-self-service-access" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess" +} + +resource "aws_iam_role_policy_attachment" "this" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} \ No newline at end of file diff --git a/auto_policy_testing/green/workspaces/main.tf b/auto_policy_testing/green/workspaces/main.tf new file mode 100644 index 000000000..4fba53b14 --- /dev/null +++ b/auto_policy_testing/green/workspaces/main.tf @@ -0,0 +1,13 @@ +module "naming" { + source = "../../shared_tf_modules/naming" + resource_type = basename(abspath(path.module)) + status = title(basename(dirname(abspath(path.module)))) +} + +data "terraform_remote_state" "common" { + backend = "local" + + config = { + path = "../common_resources/terraform.tfstate" + } +} \ No newline at end of file diff --git a/auto_policy_testing/green/workspaces/outputs.tf b/auto_policy_testing/green/workspaces/outputs.tf new file mode 100644 index 000000000..db8cdb10b --- /dev/null +++ b/auto_policy_testing/green/workspaces/outputs.tf @@ -0,0 +1,6 @@ +output "workspaces" { + value = { + workspaces = aws_workspaces_workspace.this, + workspaces-directory = aws_workspaces_directory.this, + } +} \ No newline at end of file 
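Review bot: `aws_iam_role.workspaces-default` hard-codes `name = "workspaces_DefaultRole"` (the fixed name the WorkSpaces service looks for) and this file is duplicated byte-for-byte into `red/workspaces/iam.tf` (same blob `def5e4531`), so the red and green modules each try to create the same account-wide role: in one account the second `terraform apply` fails with an EntityAlreadyExists error and the first `destroy` removes the role out from under the other module. Since `"workspaces"` is added to the `parallel` list in `exception_rules.py` in this same commit, the two applies are presumably expected to overlap. Create the role once in `common_resources` and expose it through the remote state, or look it up with `data "aws_iam_role"` when it pre-exists. The third attachment, `aws_iam_role_policy_attachment.this`, grants `AmazonSSMManagedInstanceCore` to the WorkSpaces service role although nothing in the commit uses SSM and `workspace.tf` does not even `depends_on` it; drop it, or add a comment stating what needs it.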
diff --git a/auto_policy_testing/green/workspaces/policy.json b/auto_policy_testing/green/workspaces/policy.json new file mode 100644 index 000000000..1b1ef2ec6 --- /dev/null +++ b/auto_policy_testing/green/workspaces/policy.json @@ -0,0 +1,42 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sts:GetCallerIdentity", + "workspaces:DescribeWorkspaceBundles", + "iam:CreateRole", + "ds:CreateDirectory", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:CreateSecurityGroup", + "iam:GetRole", + "ds:DescribeDirectories", + "iam:ListRolePolicies", + "ec2:DescribeSecurityGroups", + "iam:ListAttachedRolePolicies", + "iam:AttachRolePolicy", + "ec2:RevokeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ds:ListTagsForResource", + "workspaces:RegisterWorkspaceDirectory", + "iam:DetachRolePolicy", + "iam:ListInstanceProfilesForRole", + "iam:DeleteRole", + "ds:DeleteDirectory", + "ec2:DeleteNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteSecurityGroup", + "workspaces:DescribeWorkspaceDirectories", + "workspaces:ModifyWorkspaceCreationProperties", + "workspaces:DescribeTags", + "workspaces:CreateWorkspaces", + "workspaces:DescribeWorkspaces", + "workspaces:CreateWorkspaceImage", + "workspaces:TerminateWorkspaces", + "workspaces:DeregisterWorkspaceDirectory" + ], + "Resource": "*" + } + ] +} diff --git a/auto_policy_testing/green/workspaces/provider.tf b/auto_policy_testing/green/workspaces/provider.tf new file mode 100644 index 000000000..23904a9c2 --- /dev/null +++ b/auto_policy_testing/green/workspaces/provider.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + region = var.region + default_tags { + tags = module.naming.default_tags + } +} \ No newline at end of file 
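Review bot: The single statement grants `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:DetachRolePolicy` and `iam:DeleteRole` on `"Resource": "*"`, which lets the CI principal create any role and attach any managed policy to it — a privilege-escalation path far wider than what `iam.tf` needs (one role, three fixed managed policies). Scope the IAM actions to that role's ARN and constrain attach/detach with an `iam:PolicyARN` condition listing the three policies actually used, keeping only the non-IAM service actions in the wildcard statement, as in the two statements below (account id is a placeholder). `workspaces:CreateWorkspaceImage` is also granted although the image-creation block in `workspace.tf` is commented out, so it can be removed until that is re-enabled.
```json
{
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:GetRole",
    "iam:DeleteRole",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole"
  ],
  "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/workspaces_DefaultRole"
},
{
  "Effect": "Allow",
  "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
  "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/workspaces_DefaultRole",
  "Condition": {
    "ArnEquals": {
      "iam:PolicyARN": [
        "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess",
        "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess",
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
      ]
    }
  }
}
```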
diff --git a/auto_policy_testing/green/workspaces/variables.tf b/auto_policy_testing/green/workspaces/variables.tf new file mode 100644 index 000000000..2bd4793c8 --- /dev/null +++ b/auto_policy_testing/green/workspaces/variables.tf @@ -0,0 +1,5 @@ +variable "region" { + type = string + description = "Region where resources will be created" + default = "us-east-1" +} diff --git a/auto_policy_testing/green/workspaces/vpc.tf b/auto_policy_testing/green/workspaces/vpc.tf new file mode 100644 index 000000000..bf31b550c --- /dev/null +++ b/auto_policy_testing/green/workspaces/vpc.tf @@ -0,0 +1,30 @@ +resource "aws_security_group" "this" { + name = "workstation_security_group" + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block] + } + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_security_group" "this2" { + name = "workstation_security_group2" + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block] + } +} diff --git a/auto_policy_testing/green/workspaces/workspace.tf b/auto_policy_testing/green/workspaces/workspace.tf new file mode 100644 index 000000000..3b3339550 --- /dev/null +++ b/auto_policy_testing/green/workspaces/workspace.tf 
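Review bot: Neither `aws_security_group.this` nor `aws_security_group.this2` is referenced anywhere in this commit — `aws_workspaces_directory.this` in `workspace.tf` does not attach them — so the two groups (SSH from the VPC CIDR with open egress, HTTP from the VPC CIDR) are created and destroyed on every run for no test value, and the `ec2:*SecurityGroup*` actions in `policy.json` exist only to serve them; the `workstation_security_group*` names suggest they were copied from another module. Either delete the file or attach the intended group via `workspace_creation_properties { custom_security_group_id = aws_security_group.this.id }` and say in a comment what the rule under test expects of it. The red copy `red/workspaces/vpc.tf` is identical (same blob `bf31b550c`) and has the same issue.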
@@ -0,0 +1,84 @@ +######################## +### WARNING !!! ### +# This is a very expensive resource. Each WorkSpace will cost $7.25/month + $0.17/hour. + +data "aws_workspaces_bundle" "this" { + owner = "Amazon" + name = "Value with Amazon Linux 2" +} + +resource "random_password" "this" { + length = 12 + special = true + numeric = true + override_special = "!#$%*()-_=+[]{}:?" +} + +resource "aws_directory_service_directory" "this" { + name = "${module.naming.resource_prefix.directory}.com" + password = random_password.this.result + size = "Small" + + vpc_settings { + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id] + } +} + +resource "aws_workspaces_directory" "this" { + directory_id = aws_directory_service_directory.this.id + subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id] + + workspace_creation_properties { + enable_maintenance_mode = true + } + + depends_on = [ + aws_iam_role_policy_attachment.workspaces-default-service-access, + aws_iam_role_policy_attachment.workspaces-default-self-service-access + ] +} + +resource "aws_workspaces_workspace" "this" { + directory_id = aws_workspaces_directory.this.id + bundle_id = data.aws_workspaces_bundle.this.id + user_name = "Administrator" + + root_volume_encryption_enabled = true + user_volume_encryption_enabled = true + volume_encryption_key = data.terraform_remote_state.common.outputs.kms_key_arn + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + depends_on = [ + aws_iam_role_policy_attachment.workspaces-default-service-access, + aws_workspaces_directory.this + ] +} + + +## Can not be created from encrypted Workspace +# data "external" "this" { 
+# program = ["bash", "-c", "aws workspaces create-workspace-image --name autotest-green-image --description autotest-green-image --workspace-id ${aws_workspaces_workspace.this.id} | jq -r -c '{image_id: .ImageId }'"] + +# depends_on = [ aws_workspaces_workspace.this ] +# } + +# resource "null_resource" "this" { +# triggers = { +# image_id = data.external.this.result["image_id"] +# } + +# provisioner "local-exec" { +# when = destroy +# command = "aws workspaces delete-workspace-image --image-id ${self.triggers.image_id}" +# } + +# depends_on = [ aws_workspaces_workspace.this, data.external.this ] +# } \ No newline at end of file diff --git a/auto_policy_testing/red/workspaces/iam.tf b/auto_policy_testing/red/workspaces/iam.tf new file mode 100644 index 000000000..def5e4531 --- /dev/null +++ b/auto_policy_testing/red/workspaces/iam.tf @@ -0,0 +1,30 @@ +resource "aws_iam_role" "workspaces-default" { + name = "workspaces_DefaultRole" + assume_role_policy = data.aws_iam_policy_document.workspaces.json +} + +data "aws_iam_policy_document" "workspaces" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["workspaces.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy_attachment" "workspaces-default-service-access" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess" +} + +resource "aws_iam_role_policy_attachment" "workspaces-default-self-service-access" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess" +} + +resource "aws_iam_role_policy_attachment" "this" { + role = aws_iam_role.workspaces-default.name + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} \ No newline at end of file diff --git a/auto_policy_testing/red/workspaces/main.tf b/auto_policy_testing/red/workspaces/main.tf new file mode 100644 index 000000000..4fba53b14 --- /dev/null 
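Review bot: `random_password.this.result` becomes the Directory Service admin password for the `Administrator` user the WorkSpace is provisioned for, and it sits in plaintext in this module's state, which `main.tf` keeps in a `local` backend on the CI runner; add a comment such as `# NOTE: state holds the directory admin password in clear — keep the local tfstate out of artifacts and logs` and make sure the runner never uploads it. `random_password` also needs the `random` provider, which `provider.tf` does not declare in `required_providers`, so it is resolved implicitly and unpinned; add `random = { source = "hashicorp/random" }` next to `aws` (the red copy has the same gap). The retained commented-out `data "external"` block builds a `bash -c` command by string interpolation; if it is ever re-enabled, pass the workspace id through `query` rather than splicing it into the shell string. The `depends_on` entry `aws_workspaces_directory.this` is redundant because `directory_id` already references that resource.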
+++ b/auto_policy_testing/red/workspaces/main.tf @@ -0,0 +1,13 @@ +module "naming" { + source = "../../shared_tf_modules/naming" + resource_type = basename(abspath(path.module)) + status = title(basename(dirname(abspath(path.module)))) +} + +data "terraform_remote_state" "common" { + backend = "local" + + config = { + path = "../common_resources/terraform.tfstate" + } +} \ No newline at end of file diff --git a/auto_policy_testing/red/workspaces/outputs.tf b/auto_policy_testing/red/workspaces/outputs.tf new file mode 100644 index 000000000..db8cdb10b --- /dev/null +++ b/auto_policy_testing/red/workspaces/outputs.tf @@ -0,0 +1,6 @@ +output "workspaces" { + value = { + workspaces = aws_workspaces_workspace.this, + workspaces-directory = aws_workspaces_directory.this, + } +} \ No newline at end of file diff --git a/auto_policy_testing/red/workspaces/provider.tf b/auto_policy_testing/red/workspaces/provider.tf new file mode 100644 index 000000000..23904a9c2 --- /dev/null +++ b/auto_policy_testing/red/workspaces/provider.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + region = var.region + default_tags { + tags = module.naming.default_tags + } +} \ No newline at end of file diff --git a/auto_policy_testing/red/workspaces/variables.tf b/auto_policy_testing/red/workspaces/variables.tf new file mode 100644 index 000000000..2bd4793c8 --- /dev/null +++ b/auto_policy_testing/red/workspaces/variables.tf @@ -0,0 +1,5 @@ +variable "region" { + type = string + description = "Region where resources will be created" + default = "us-east-1" +} diff --git a/auto_policy_testing/red/workspaces/vpc.tf b/auto_policy_testing/red/workspaces/vpc.tf new file mode 100644 index 000000000..bf31b550c --- /dev/null +++ b/auto_policy_testing/red/workspaces/vpc.tf 
@@ -0,0 +1,30 @@ +resource "aws_security_group" "this" { + name = "workstation_security_group" + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block] + } + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_security_group" "this2" { + name = "workstation_security_group2" + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [data.terraform_remote_state.common.outputs.vpc_cidr_block] + } +} diff --git a/auto_policy_testing/red/workspaces/workspace.tf b/auto_policy_testing/red/workspaces/workspace.tf new file mode 100644 index 000000000..05992e002 --- /dev/null +++ b/auto_policy_testing/red/workspaces/workspace.tf 
@@ -0,0 +1,65 @@ +######################## +### WARNING !!! ### +# This is a very expensive resource. Each WorkSpace will cost $7.25/month + $0.17/hour. + +data "aws_workspaces_bundle" "this" { + owner = "Amazon" + name = "Value with Amazon Linux 2" +} + +resource "random_password" "this" { + length = 12 + special = true + numeric = true + override_special = "!#$%*()-_=+[]{}:?" +} + +resource "aws_directory_service_directory" "this" { + name = "${module.naming.resource_prefix.directory}.com" + password = random_password.this.result + size = "Small" + + vpc_settings { + vpc_id = data.terraform_remote_state.common.outputs.vpc_id + subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id] + } +} + +resource "aws_workspaces_directory" "this" { + directory_id = aws_directory_service_directory.this.id + subnet_ids = [data.terraform_remote_state.common.outputs.vpc_subnet_1_id, data.terraform_remote_state.common.outputs.vpc_subnet_3_id] + + workspace_access_properties { + device_type_web = "ALLOW" + } + workspace_creation_properties { + enable_maintenance_mode = false + } + + depends_on = [ + aws_iam_role_policy_attachment.workspaces-default-service-access, + aws_iam_role_policy_attachment.workspaces-default-self-service-access + ] +} + +resource "aws_workspaces_workspace" "this" { + directory_id = aws_workspaces_directory.this.id + bundle_id = data.aws_workspaces_bundle.this.id + user_name = "Administrator" + + root_volume_encryption_enabled = false + user_volume_encryption_enabled = true + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + depends_on = [ + aws_iam_role_policy_attachment.workspaces-default-service-access, + aws_workspaces_directory.this + ] +} \ No newline at end of file 
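Review bot: This is the intentionally non-compliant variant, but nothing in the file says which setting targets which rule — `device_type_web = "ALLOW"`, `enable_maintenance_mode = false`, `root_volume_encryption_enabled = false` and the missing `volume_encryption_key` all differ from the green copy silently. Annotate each one, e.g. `root_volume_encryption_enabled = false # red: root volume deliberately unencrypted` and `# red: no volume_encryption_key on purpose`, so a later edit does not "fix" the finding away. `user_volume_encryption_enabled = true` with no `volume_encryption_key` presumably falls back to the AWS-managed WorkSpaces key — confirm that this is what the rule under test is meant to flag rather than an apply-time error. The `WARNING` header about cost is duplicated from the green file; `running_mode = "AUTO_STOP"` with a 60-minute timeout is the mitigation and could be named there.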
diff --git a/auto_policy_testing/scripts/exception_rules.py b/auto_policy_testing/scripts/exception_rules.py
index 4caef3134..7c9042564 100644
--- a/auto_policy_testing/scripts/exception_rules.py
+++ b/auto_policy_testing/scripts/exception_rules.py
@@ -5,6 +5,8 @@
 "ecc-aws-200-rds_cluster_deletion_protection_enabled",
 "ecc-aws-201-rds_instance_deletion_protection_enabled",
 "ecc-aws-207-rds_aurora_logging_enabled",
+ "ecc-aws-286-workspaces_unused_instances",
+ "ecc-aws-331-workspaces_images_not_older_than_90_days",
 "ecc-aws-519-vpc_vpn_2_tunnels_up",
 "ecc-aws-587-elasticsearch_reserved_instance_payment_failed",
 "ecc-aws-588-elasticsearch_reserved_instance_payment_pending",
@@ -26,6 +28,8 @@
 "ecc-aws-145-organizations_changes_alarm_exists",
 "ecc-aws-207-rds_aurora_logging_enabled",
 "ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys",
+ "ecc-aws-288-workspaces_instances_are_healthy",
+ "ecc-aws-331-workspaces_images_not_older_than_90_days",
 "ecc-aws-344-route53_domain_expires_in_30_days",
 "ecc-aws-519-vpc_vpn_2_tunnels_up",
 "ecc-aws-536-lambda_function_settings_check",
@@ -43,7 +47,8 @@
 ],
 "parallel": [
 "glue",
- "account"
+ "account",
+ "workspaces"
 ]
 }
diff --git a/auto_policy_testing/shared_tf_modules/naming/outputs.tf b/auto_policy_testing/shared_tf_modules/naming/outputs.tf
index 58c2a3542..54b855b07 100755
--- a/auto_policy_testing/shared_tf_modules/naming/outputs.tf
+++ b/auto_policy_testing/shared_tf_modules/naming/outputs.tf
@@ -51,6 +51,7 @@ output "resource_prefix" { rds_param_grp = "${local.suffix}-${var.resource_type}-paramgroup-${local.compliance_status}" rds_option_grp = "${local.suffix}-${var.resource_type}-optgroup-${local.compliance_status}" dax = "${local.suffix}-${var.resource_type}-${local.compliance_status}" + directory = "${local.suffix}-${var.resource_type}-${local.compliance_status}" } }
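Review bot: `ecc-aws-331-workspaces_images_not_older_than_90_days` is added to both exception lists and `ecc-aws-286` / `ecc-aws-288` to one each, but the lists carry no per-entry reason, so a reader cannot tell that 331 is skipped because image creation is commented out in `workspace.tf` ("Can not be created from encrypted Workspace") or why the other two cannot be exercised by this fixture; add a trailing comment per entry, e.g. `"ecc-aws-331-workspaces_images_not_older_than_90_days",  # no image: cannot be built from an encrypted WorkSpace`. Both enclosing lists start before the hunk, so their names and purpose are not visible here. Adding `"workspaces"` to `"parallel"` is worth confirming against the fixed-name `workspaces_DefaultRole` that both the red and green module create, which cannot coexist in one account if the two applies really run concurrently.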