feat: custom accept json (#29)

handle custom accept json
revised documentation README.md

Author: gwnlng

README.md

@@ -44,24 +44,13 @@ This Environment variable value is specified as a map(string). Example:
 
 ### Command Line Interface method
 
-The general steps are:
-
-1. Configure S3 backend for terraform state
-2. Setup Terraform input tfvars
-3. Invoke the commands defined below to create the Fargate Service that launches corresponding SnykBroker dockerized container.
-```
-$ terraform init -backend-config="env/dev/config.s3.tfbackend"
-$ terraform plan -input=false -var-file="env/dev/terraform.tfvars" -out=tfplan
-$ terraform apply "tfplan"
-```
-
 ### Deployment Modes
 
-| Mode       | Description                                       | Variable Settings                                   |
-|------------|---------------------------------------------------|-----------------------------------------------------|
-| HTTP       | No SSL certificate                                | broker_protocol="http", use_private_ssl_cert=false  |
-| HTTPS/HTTP | Public SSL certificate, internal HTTP             | broker_protocol="https", use_private_ssl_cert=false |
-| HTTPS      | Public SSL certificate, internal private SSL cert | broker_protocol="https", use_private_ssl_cert=true  |
+| Mode       | Description                                       | Variable Settings                              |
+|------------|---------------------------------------------------|------------------------------------------------|
+| HTTP       | No SSL certificate                                | broker_protocol="http", private_ssl_cert=false |
+| HTTPS/HTTP | Public SSL certificate, internal HTTP             | broker_protocol="https", private_ssl_cert=false |
+| HTTPS      | Public SSL certificate, internal private SSL cert | broker_protocol="https", private_ssl_cert=true |
 
 #### Public SSL certificate
 
@@ -70,13 +59,31 @@ Public SSL certificate for `<broker_hostname>.<public_domain_name>` is created a
 #### Private SSL certificate/Key
 
 * Upload private SSL certificate (.pem) and its private key (.key) to a S3 bucket
-* Ensure S3 bucket and these 2 objects are accessible to Terraform assumed credentials
-* Set variable `cert_bucket_name="<S3_bucket_name>"` 
+* Verify S3 bucket and these objects are accessible to Terraform assumed credentials
+* Set variable `config_bucket_name="<S3_bucket_name>"` 
 * Set variable `broker_private_key_object="<S3_folder>/<key_name.key>"`
 * Set variable `broker_ssl_cert_object="<S3_folder>/<cert_name.pem>"`
 
 Private SSL certificate validity and renewal are handled independently by Customer.
 
+#### Custom approved listing filter
+
+* Upload custom [integration type](https://github.com/snyk/broker/tree/master/client-templates) accept.json to S3 bucket
+* Verify S3 bucket and accept.json are accessible to Terraform assumed credentials
+* Set variable `config_bucket_name="<S3_bucket_name>"`
+* Set variable `custom_listing_filter="<S3_folder>/accept.json"`
+
+### Deployment steps
+
+1. Configure S3 backend for terraform state
+2. Setup Terraform input tfvars
+3. Invoke the commands defined below to create the Fargate Service that launches corresponding SnykBroker dockerized container.
+```
+$ terraform init -backend-config="env/dev/config.s3.tfbackend"
+$ terraform plan -input=false -var-file="env/dev/terraform.tfvars" -out=tfplan
+$ terraform apply "tfplan"
+```
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
@@ -138,26 +145,33 @@ Private SSL certificate validity and renewal are handled independently by Custom
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_env_vars"></a> [additional\_env\_vars](#input\_additional\_env\_vars) | Additional environment variables | `map(string)` | `{}` |    no    |
+| <a name="input_broker_accept_json_object"></a> [broker\_accept\_json\_object](#input\_broker\_accept\_json\_object) | S3 object of SnykBroker listing filter accept.json. Example <s3folder>/accept.json | `string` | `null` |    no    |
 | <a name="input_broker_env_vars"></a> [broker\_env\_vars](#input\_broker\_env\_vars) | SnykBroker environment variables key-value pairs. PORT, BROKER\_CLIENT\_URL not required | `map(string)` | `{}` |   yes    |
 | <a name="input_broker_hostname"></a> [broker\_hostname](#input\_broker\_hostname) | SnykBroker hostname. <broker\_hostname>.<public\_domain\_name> forms its FQDN for SCM webhooks calls | `string` | `"snykbroker"` |    no    |
 | <a name="input_broker_port"></a> [broker\_port](#input\_broker\_port) | Default snykbroker client port. Set a non-system port i.e. >= 1024 as container run-as non-root user | `number` | `7341` |    no    |
 | <a name="input_broker_private_key_object"></a> [broker\_private\_key\_object](#input\_broker\_private\_key\_object) | S3 object of SnykBroker certificate private key. Example <s3folder>/<name>.key | `string` | `null` |    no    |
 | <a name="input_broker_protocol"></a> [broker\_protocol](#input\_broker\_protocol) | Protocol for running connections to SnykBroker. Either http or https | `string` | `"https"` |    no    |
 | <a name="input_broker_ssl_cert_object"></a> [broker\_ssl\_cert\_object](#input\_broker\_ssl\_cert\_object) | S3 object of SnykBroker certificate. Example <s3folder>/<name>.pem | `string` | `null` |    no    |
-| <a name="input_cert_bucket_name"></a> [cert\_bucket\_name](#input\_cert\_bucket\_name) | S3 bucket name storing SnykBroker private key, SSL certificate | `string` | `null` |    no    |
 | <a name="input_cloudwatch_log_group_name"></a> [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | SnykBroker CloudWatch log group name | `string` | `"/aws/ecs/snykbroker"` |    no    |
 | <a name="input_cloudwatch_log_retention_days"></a> [cloudwatch\_log\_retention\_days](#input\_cloudwatch\_log\_retention\_days) | SnykBroker CloudWatch log retention in days | `number` | `7` |    no    |
+| <a name="input_config_bucket_name"></a> [config\_bucket\_name](#input\_config\_bucket\_name) | Configuration S3 bucket name storing SnykBroker private key, SSL certificate, accept.json filter, etc | `string` | `null` |    no    |
 | <a name="input_container_name"></a> [container\_name](#input\_container\_name) | Snyk broker container name behind the Service | `string` | `"snykbroker"` |    no    |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | Broker service task CPU. min 256 i.e. 0.25 vCPU, max 4096 i.e. 4 vCPU | `number` | `256` |    no    |
+| <a name="input_custom_listing_filter"></a> [custom\_listing\_filter](#input\_custom\_listing\_filter) | Use custom approved listing filter i.e. a revised accept.json | `bool` | `false` |    no    |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default Tags at aws provider scope | `map(string)` | <pre>{<br>  "Snyk": "SnykBroker"<br>}</pre> |    no    |
 | <a name="input_dockerhub_access_token"></a> [dockerhub\_access\_token](#input\_dockerhub\_access\_token) | DockerHub personal access token | `string` | `null` |    no    |
 | <a name="input_dockerhub_username"></a> [dockerhub\_username](#input\_dockerhub\_username) | DockerHub username | `string` | `null` |    no    |
+| <a name="input_fargate_capacity_base"></a> [fargate\_capacity\_base](#input\_fargate\_capacity\_base) | Fargate capacity provider base as minimum number of Tasks. Only this or fargate\_spot\_capacity\_base can be >0 | `number` | `0` |    no    |
+| <a name="input_fargate_capacity_weight"></a> [fargate\_capacity\_weight](#input\_fargate\_capacity\_weight) | Fargate capacity provider weight as a relative percentage of total service\_desired\_count Tasks | `number` | `50` |    no    |
+| <a name="input_fargate_spot_capacity_base"></a> [fargate\_spot\_capacity\_base](#input\_fargate\_spot\_capacity\_base) | Fargate Spot capacity provider base as minimum number of Tasks. Only this or fargate\_capacity\_base can be >0 | `number` | `0` |    no    |
+| <a name="input_fargate_spot_capacity_weight"></a> [fargate\_spot\_capacity\_weight](#input\_fargate\_spot\_capacity\_weight) | Fargate Spot capacity provider weight as a relative percentage of total service\_desired\_count Tasks | `number` | `50` |    no    |
 | <a name="input_image"></a> [image](#input\_image) | Broker image to pull from DockerHub. May be custom derived broker image | `string` | `null` |    no    |
 | <a name="input_integration_type"></a> [integration\_type](#input\_integration\_type) | Snyk Integration type. Choice of artifactory, azurerepos, bitbucket, gh, ghe, gitlab, jira or nexus | `string` | `""` |   yes    |
 | <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | Lambda function runtime. Defined by AWS supported versions. | `string` | `"python3.9"` |    no    |
 | <a name="input_launch_type"></a> [launch\_type](#input\_launch\_type) | SnykBroker service launch type | `string` | `"FARGATE"` |    no    |
 | <a name="input_log_bucket_name"></a> [log\_bucket\_name](#input\_log\_bucket\_name) | snykbbroker requests access log bucket name for logging webhooks requests | `string` | `null` |    no    |
 | <a name="input_memory"></a> [memory](#input\_memory) | Broker service memory in MiB. Min 512, max 30720 | `number` | `512` |    no    |
+| <a name="input_private_ssl_cert"></a> [private\_ssl\_cert](#input\_private\_ssl\_cert) | Use private SSL certificate at SnykBroker client | `bool` | `false` |    no    |
 | <a name="input_public_domain_name"></a> [public\_domain\_name](#input\_public\_domain\_name) | Customer public domain e.g. example.com | `string` | `null` |   yes    |
 | <a name="input_scheduling_strategy"></a> [scheduling\_strategy](#input\_scheduling\_strategy) | Snyk broker scheduling strategy | `string` | `"REPLICA"` |    no    |
 | <a name="input_service_azs"></a> [service\_azs](#input\_service\_azs) | count of service availability zones to use | `number` | `2` |    no    |
@@ -168,15 +182,14 @@ Private SSL certificate validity and renewal are handled independently by Custom
 | <a name="input_snykbroker_repo"></a> [snykbroker\_repo](#input\_snykbroker\_repo) | DockerHub snyk broker repo | `string` | `"snyk/broker"` |    no    |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags | `map(string)` | `{}` |    no    |
 | <a name="input_use_existing_route53_zone"></a> [use\_existing\_route53\_zone](#input\_use\_existing\_route53\_zone) | Use existing public hosted zone of <public\_domain\_name> or create new zone | `bool` | `true` |    no    |
-| <a name="input_use_private_ssl_cert"></a> [use\_private\_ssl\_cert](#input\_use\_private\_ssl\_cert) | Use private SSL certificate at SnykBroker client | `bool` | `true` |    no    |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | SnykBroker VPC cidr. Linked to service\_azs to be created | `string` | `"192.168.0.0/20"` |    no    |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_aws_broker_dns_name"></a> [aws\_broker\_dns\_name](#output\_aws\_broker\_dns\_name) | AWS generated SnykBroker Client DNS name |
+| <a name="output_snykbroker_aws_dns_name"></a> [snykbroker\_aws\_dns\_name](#output\_snykbroker\_aws\_dns\_name) | SnykBroker Client AWS DNS name |
 | <a name="output_snykbroker_client_healthcheck_url"></a> [snykbroker\_client\_healthcheck\_url](#output\_snykbroker\_client\_healthcheck\_url) | SnykBroker Client healthcheck URL |
 | <a name="output_snykbroker_client_systemcheck_url"></a> [snykbroker\_client\_systemcheck\_url](#output\_snykbroker\_client\_systemcheck\_url) | SnykBroker Client systemcheck URL |
-| <a name="output_snykbroker_lb_dns_name"></a> [snykbroker\_lb\_dns\_name](#output\_snykbroker\_lb\_dns\_name) | SnykBroker Client load balancer DNS name |
+| <a name="output_snykbroker_lb_dns_name"></a> [snykbroker\_lb\_dns\_name](#output\_snykbroker\_lb\_dns\_name) | SnykBroker Client hosted domain DNS name |
 <!-- END_TF_DOCS -->

env/dev/terraform.tfvars

@@ -1,6 +1,7 @@
 integration_type="gh"
 additional_env_vars={"LOG_LEVEL":"info"}
 public_domain_name="pixelsvc.com"
-cert_bucket_name="tfstate-gwnlng"
+config_bucket_name="tfstate-gwnlng"
 broker_private_key_object="myprivate.key"
 broker_ssl_cert_object="mycert.pem"
+broker_accept_json_object="accept.json"

lambda.tf

@@ -2,11 +2,11 @@
 # this will set https to be served by the container even though its cert will not be validated at the target
 # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-routing-configuration
 module "snykbroker_cert_handler_lambda" {
-  count   = var.use_private_ssl_cert ? 1 : 0
+  count   = local.attach_config ? 1 : 0
   source  = "terraform-aws-modules/lambda/aws"
   version = "4.0.1"
 
-  create        = var.use_private_ssl_cert
+  create        = local.attach_config
   function_name = "snykbroker_cert_copy"
   description   = "SnykBroker private certificate handler function"
   handler       = "s3obj_efs_copy.lambda_handler"
@@ -43,11 +43,11 @@ module "snykbroker_cert_handler_lambda" {
 }
 
 module "snykbroker_lambda_security_group" {
-  count   = var.use_private_ssl_cert ? 1 : 0
+  count   = local.attach_config ? 1 : 0
   source  = "terraform-aws-modules/security-group/aws"
   version = "4.13.0"
 
-  create      = var.use_private_ssl_cert
+  create      = local.attach_config
   name        = "snykbroker_lambda_security"
   description = "Security group for cert handler lambda"
   vpc_id      = module.snykbroker_vpc.vpc_id
@@ -66,7 +66,7 @@ module "snykbroker_lambda_security_group" {
 }
 
 resource "aws_efs_access_point" "snykbroker_cert_access_point" {
-  count          = var.use_private_ssl_cert ? 1 : 0
+  count          = local.attach_config ? 1 : 0
   file_system_id = module.snykbroker_efs[0].efs_id
 
   posix_user {
@@ -89,7 +89,7 @@ resource "aws_efs_access_point" "snykbroker_cert_access_point" {
 # local provisioner waits 90 seconds for efs DNS records to propagate in aws region
 # see https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-mount-cmd-dns-name.html
 resource "null_resource" "wait_lambda_efs" {
-  count = var.use_private_ssl_cert ? 1 : 0
+  count = local.attach_config ? 1 : 0
   provisioner "local-exec" {
     command = "sleep 90"
   }
@@ -98,11 +98,13 @@ resource "null_resource" "wait_lambda_efs" {
 
 # invoke injection lambda function with event map pointing to the key and cert
 resource "aws_lambda_invocation" "snykbroker_lambda_invocation" {
-  count = var.use_private_ssl_cert ? 1 : 0
+  count         = local.attach_config ? 1 : 0
   function_name = module.snykbroker_cert_handler_lambda[0].lambda_function_name
   input         = jsonencode({
-    "bucket_name" = var.cert_bucket_name
-    "s3_objects"  = [var.broker_private_key_object, var.broker_ssl_cert_object]
+    "bucket_name" = var.config_bucket_name
+    "s3_objects"  = concat(
+      var.private_ssl_cert ? [var.broker_private_key_object, var.broker_ssl_cert_object] : [],
+      var.custom_listing_filter ? [var.broker_accept_json_object] : [])
   })
   depends_on = [null_resource.wait_lambda_efs]
 }

locals.tf

@@ -9,10 +9,13 @@ locals {
   broker_client_url     = format("%s://%s:%s", var.broker_protocol, try(values(module.snykbroker_lb_route53_record.route53_record_fqdn)[0], module.snykbroker_lb.lb_dns_name), local.broker_lb_port)
   # certificate env vars
   mount_path            = "/mnt/shared"
-  cert_env_vars         = var.use_private_ssl_cert ? tomap({
+  cert_env_vars         = var.private_ssl_cert ? tomap({
     "HTTPS_CERT" = format("%s/%s", local.mount_path, element(split("/", var.broker_ssl_cert_object), length(split("/", var.broker_ssl_cert_object))-1))
     "HTTPS_KEY"  = format("%s/%s", local.mount_path, element(split("/", var.broker_private_key_object), length(split("/", var.broker_private_key_object))-1))
   }) : {}
+  listing_filter_env_var = var.custom_listing_filter ? tomap({
+    "ACCEPT" = format("%s/%s", local.mount_path, element(split("/", var.broker_accept_json_object), length(split("/", var.broker_accept_json_object))-1))
+  }) : {}
   computed_env_vars     = {
     "BROKER_CLIENT_URL" = local.broker_client_url
     "PORT"              = local.broker_port
@@ -25,8 +28,9 @@ locals {
   broker_env_vars       = merge({
     for v in local.env_vars : v => lookup(var.broker_env_vars, v, "")
       if length(regexall("(TOKEN)$", v)) == 0
-  }, local.computed_env_vars, local.cert_env_vars, var.additional_env_vars)
+  }, local.computed_env_vars, local.cert_env_vars, local.listing_filter_env_var, var.additional_env_vars)
 
   # remove trailing dot from domain if any
   domain_name = trimsuffix(var.public_domain_name, ".")
+  attach_config  = var.private_ssl_cert || var.custom_listing_filter
 }

main.tf

@@ -83,7 +83,7 @@ module "snykbroker_security_group" {
   number_of_computed_ingress_with_source_security_group_id = 1
   egress_cidr_blocks      = ["0.0.0.0/0"]
   egress_rules            = ["https-443-tcp"]
-  egress_with_source_security_group_id = var.use_private_ssl_cert ? [
+  egress_with_source_security_group_id = local.attach_config ? [
     {
       rule                     = "nfs-tcp"
       source_security_group_id = module.snykbroker_efs[0].sg_id
@@ -110,22 +110,26 @@ module "snykbroker_ecs_cluster" {
 
   cluster_configuration = {
     execute_command_configuration = {
-      logging = "OVERRIDE"
+      kms_key_id = module.snykbroker_kms.key_arn
+      logging    = "OVERRIDE"
       log_configuration = {
-        cloud_watch_log_group_name = module.snykbroker_log_group.cloudwatch_log_group_name
+        cloud_watch_encryption_enabled = true
+        cloud_watch_log_group_name     = module.snykbroker_log_group.cloudwatch_log_group_name
       }
     }
   }
 
   fargate_capacity_providers = {
     FARGATE = {
       default_capacity_provider_strategy = {
-        weight = 50
+        base   = var.fargate_capacity_base
+        weight = var.fargate_capacity_weight
       }
     }
     FARGATE_SPOT = {
       default_capacity_provider_strategy = {
-        weight = 50
+        base   = var.fargate_spot_capacity_base
+        weight = var.fargate_spot_capacity_weight
       }
     }
   }
@@ -156,7 +160,7 @@ module "snykbroker_ecs_task_definition" {
 
   task_stop_timeout = 90
 
-  task_mount_points = var.use_private_ssl_cert ? [
+  task_mount_points = local.attach_config ? [
     {
       sourceVolume  = var.service_name
       containerPath = local.mount_path
@@ -165,7 +169,7 @@ module "snykbroker_ecs_task_definition" {
   ] : []
 
   # volume name corresponds to sourceVolume which will contain a cert directory with cert injected by a lambda function
-  volume = var.use_private_ssl_cert ? [
+  volume = local.attach_config ? [
     {
       name = var.service_name
       efs_volume_configuration = [
@@ -205,7 +209,7 @@ module "snykbroker_lb" {
   target_groups = [
     {
       name_prefix       = "snyk-"
-      backend_protocol  = var.use_private_ssl_cert ? "HTTPS" : "HTTP"
+      backend_protocol  = var.private_ssl_cert ? "HTTPS" : "HTTP"
       backend_port      = local.broker_port
       target_type       = "ip"
       health_check = {
@@ -216,7 +220,7 @@ module "snykbroker_lb" {
         healthy_threshold   = 3
         unhealthy_threshold = 3
         timeout             = 10
-        protocol            = var.use_private_ssl_cert ? "HTTPS" : "HTTP"
+        protocol            = var.private_ssl_cert ? "HTTPS" : "HTTP"
         matcher             = "200-299"
       }
     }
@@ -243,7 +247,7 @@ module "snykbroker_lb" {
 }
 
 module "snykbroker_efs" {
-  count   = var.use_private_ssl_cert ? 1 : 0
+  count   = local.attach_config ? 1 : 0
   source  = "terraform-iaac/efs/aws"
   version = "2.0.4"
   # insert the 5 required variables here

outputs.tf

@@ -1,10 +1,10 @@
-output "aws_broker_dns_name" {
-  description = "AWS generated SnykBroker Client DNS name"
+output "snykbroker_aws_dns_name" {
+  description = "SnykBroker Client AWS DNS name"
   value       = module.snykbroker_lb.lb_dns_name
 }
 
 output "snykbroker_lb_dns_name" {
-  description = "SnykBroker Client load balancer DNS name"
+  description = "SnykBroker Client hosted domain DNS name"
   value       = try(values(module.snykbroker_lb_route53_record.route53_record_fqdn)[0], "")
 }