Initial (#1)

* setup initial structure

* update

* add stuff for terraform-state

* add base_tags

* update docs

* update docs

* update usage

* update doc

* update doc

* update doc

* remove some variables

* remove some variables

* update required things

* ignore common/READMD.md

* fix typos

* fix source

* fix tag

* fix keys

* change local.tags to var.tags

* add comment

.gitignore

@@ -0,0 +1,13 @@
+#  Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .tfvars files
+*.tfvars
+
+.terraform/*
+logs
+common/README.md

.pre-commit-config.yaml

@@ -0,0 +1,17 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.31.0
+  hooks:
+#    - id: terraform_validate
+    - id: terraform_fmt
+    - id: terraform_docs_replace
+      args: ['table']
+      exclude: common/*.tf
+      exclude: version.tf
+
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.1.0
+  hooks:
+    - id: check-symlinks
+    - id: detect-aws-credentials
+    - id: detect-private-key

CHANGELOG.md

@@ -0,0 +1,6 @@
+# Versions
+
+* v1.0 -- 20210218
+  - initial creation
+  - module: terraform-state
+

README.md

@@ -1,2 +1,27 @@
 # aws-inf-setup
-AWS Infrastructure Setup
+
+This contains a bunch of submodules used for setting up an AWS account, to the standard configurations we use
+at Census.
+
+## Submodules
+
+### [terraform-state](terraform-state)
+
+This creates an S3 bucket, KMS key, and DynamoDB table for use with an AWS account.  The bucket region is important
+for connection to the remote state. Key ARN and ID, S3 bucket ID, and DDB tables are exportet, but they follow a standard
+structure so they are not really needed. The bucket is `inf-tfstate-{account_id}`.
+
+This has no other dependencies, since it has to be created first.  Only one is needed per account.
+
+### splunk-user
+
+### access-logging-bucket
+
+This sets up the S3 bucket used for access logs.  One is needed per region, and the region and account are included
+in the bucket names: `inf-log-{account_id}-{region}`.
+
+### object-logging
+### cloudtrail
+### config
+### gpg-key
+

access-logging-bucket/version.tf

@@ -0,0 +1 @@
+../common/version.tf

cloudtrail/version.tf

@@ -0,0 +1 @@
+../common/version.tf

common/data.tf

@@ -0,0 +1,23 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_region" "current" {}
+
+# output "caller_account_id" {
+#   value = data.aws_caller_identity.current.account_id
+# }
+#
+# output "account_caller_arn" {
+#   value = data.aws_caller_identity.current.arn
+# }
+#
+# output "account_caller_arn_partition" {
+#   value = data.aws_arn.current.partition
+# }
+#
+# output "account_region"name" {
+#   value = data.aws_region.current.name
+# }

common/defaults.tf

@@ -0,0 +1,5 @@
+
+locals {
+  _defaults = {
+  }
+}

common/prefixes.tf

@@ -0,0 +1,12 @@
+locals {
+  _prefixes = {
+    "efs"            = "v-efs-"
+    "s3"             = "v-s3-"
+    "ebs"            = "v-ebs-"
+    "kms"            = "k-kms-"
+    "role"           = "r-"
+    "policy"         = "p-"
+    "security-group" = ""
+    #    "security-group" = "sg-"
+  }
+}

common/variables.common.tf

@@ -0,0 +1,86 @@
+#---
+# account info
+#---
+variable "account_id" {
+  description = "AWS Account ID (default will pull from current user)"
+  type        = string
+  default     = ""
+}
+
+variable "account_alias" {
+  description = "AWS Account Alias (required)"
+  type        = string
+}
+
+variable "override_prefixes" {
+  description = "Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things"
+  type        = map(string)
+  default     = {}
+}
+
+variable "tags" {
+  description = "AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data_safeguard field for such things."
+  type        = map(string)
+  default     = {}
+}
+
+## # s3
+## variable "bucket_name" {
+##   description = "AWS Bucket Name.  Standard prefix will be applied here, do not include here."
+##   type        = string
+## }
+## 
+## variable "bucket_folders" {
+##   description = "List of folders (keys) to create after creation of bucket. They will have object metadata provided based on metadata_tags and data_safeguard labels."
+##   type        = list(string)
+##   default     = []
+## }
+## 
+## variable "kms_key_id" {
+##   description = "AWS KMS Key ID (one per bucket).  This is currently ignored."
+##   type        = string
+##   default     = ""
+## }
+## 
+## variable "metadata_tags" {
+##   description = "AWS S3 Custom metadata (prefix x-amzn-meta- automatically included, not needed here).  If data_safeguard labels are applied, they will be incorporated on any bucket objects created."
+##   type        = map(string)
+##   default     = {}
+## }
+## 
+## variable "access_log_bucket_prefix" {
+##   description = "Access log bucket prefix, to which the bucket name will be appended to make the target_prefix"
+##   type        = string
+##   default     = "s3"
+## }
+## 
+## variable "access_log_bucket" {
+##   description = "Server Access Logging Bucket ID"
+##   type        = string
+##   #  default     = null
+## }
+## 
+## variable "allowed_cidr" {
+##   description = "List of allowed source IPs (NOT from within the VPC).  If empty, there will be no restrictions on source IP.  If provided, you must also use allowed_endpoints for access within a VPC."
+##   type        = list(string)
+##   default     = []
+## }
+## 
+## variable "allowed_endpoints" {
+##   description = "List of allowed VPC endpoint IDs.  If used, it will enable access to the bucket from the specific VPC endpoints."
+##   type        = list(string)
+##   default     = []
+## }
+## 
+## variable "force_destroy" {
+##   description = "Sets force_destroy to allow the bucket and contents to be deleted.  The deletion may take a very long time based on the number of objects.  You normally want to update this to true, apply, and then destroy the resource."
+##   type        = bool
+##   default     = false
+## }
+## 
+## # variable "lifecycle_rules" {
+## #   description = "Setup lifecycle rules (in-progress, not working)"
+## #   type = map()
+## #   default = {}
+## # }
+## 

common/version.tf

@@ -0,0 +1,3 @@
+locals {
+  _module_version = "1.0"
+}

config/version.tf

@@ -0,0 +1 @@
+../common/version.tf

gpg-key/version.tf

@@ -0,0 +1 @@
+../common/version.tf

object-logging/version.tf

@@ -0,0 +1 @@
+../common/version.tf

terraform-state/README.md

@@ -0,0 +1,101 @@
+# aws-inf-setup :: terraform-state
+
+This set up the needed components for the Terraform remote state:
+
+* S3 bucket
+* KMS key for the bucket
+* DynamoDB table for locking
+
+# Usage  
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "tfstate" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state"
+
+  account_alias         = "do2-govcloud"
+}
+```
+
+This one can be used if you need to customize stuff, though really, the defaults are all built  
+for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in  
+variable file generation.
+
+```hcl
+module "tfstate_full" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state"
+
+  # required
+  account_alias         = "do2-govcloud"
+
+  # optional, defaults
+  tfstate_key_prefix    = "do2-govcloud"
+  kms_tfstate_key       = "k-kms-inf-tfstate"
+  tfstate_table         = "tf_remote_state"
+  tfstate_bucket        = "inf-tfstate-123456789012"
+  tfstate_bucket_prefix = "inf-tfstate"
+  tfstate_key_suffix    = "terraform.tfstate"
+
+  # this is generally not needed and not recommended
+  component_tags        = {
+    "s3" = {
+      "SpecialTag1" = "something"
+      "SpecialTag2" = "somethingElse"
+    }
+  }
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No Modules.
+
+## Resources
+
+| Name |
+|------|
+| [aws_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) |
+| [aws_caller_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) |
+| [aws_dynamodb_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) |
+| [aws_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) |
+| [aws_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) |
+| [aws_s3_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) |
+| [aws_s3_bucket_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| account\_alias | AWS Account Alias (required) | `string` | n/a | yes |
+| account\_id | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| component\_tags | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
+| kms\_tfstate\_key | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no |
+| override\_prefixes | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| tags | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| tfstate\_bucket | Terraform remote state S3 bucket | `string` | `""` | no |
+| tfstate\_bucket\_prefix | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no |
+| tfstate\_key\_prefix | Terraform remote state S3 bucket prefix (account alias) | `string` | `""` | no |
+| tfstate\_key\_suffix | Terraform remote state S3 bucket suffix | `string` | `"terraform.tfstate"` | no |
+| tfstate\_region | Terraform remote state S3 bucket region | `string` | `""` | no |
+| tfstate\_table | Terraform remote state table | `string` | `"tf_remote_state"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| tfstate\_bucket\_arn | Terraform state S3 bucket ARN |
+| tfstate\_bucket\_id | Terraform state S3 bucket ID |
+| tfstate\_dynamodb\_arn | Terraform state DynamoDB table ARN |
+| tfstate\_key\_arn | inf-tfstate KMS key ARN |

terraform-state/data.tf

@@ -0,0 +1 @@
+../common/data.tf

terraform-state/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf