diff --git a/config/OLD/config.tf.1 b/config/OLD/config.tf.1
new file mode 100755
index 0000000..61b6b9f
--- /dev/null
+++ b/config/OLD/config.tf.1
@@ -0,0 +1,347 @@
+#---
+# config
+#---
+locals {
+ config_policies = list("arn:${data.aws_arn.current.partition}:iam::aws:policy/service-role/AWSConfigRole",
+ data.terraform_remote_state.common.outputs.policy_deny_billing_arn,
+ aws_iam_policy.config.arn
+ )
+ config_bucket_arn = aws_s3_bucket.config.arn
+}
+
+#---
+# role: config
+#---
+resource "aws_iam_role" "config" {
+ name = "r-inf-config"
+
+ assume_role_policy = data.aws_iam_policy_document.config_assume.json
+ description = "EDL AWS Config Role"
+ force_detach_policies = false
+ max_session_duration = 3600
+ path = "/service-role/"
+}
+
+#---
+# policy: config
+#---
+resource "aws_iam_policy" "config" {
+ name = "p-inf-awsconfig"
+ path = "/service-role/"
+ description = "Policy for AWS Config"
+ policy = data.aws_iam_policy_document.config.json
+}
+
+resource "aws_iam_role_policy_attachment" "config" {
+ count = length(local.config_policies)
+ role = aws_iam_role.config.name
+ policy_arn = local.config_policies[count.index]
+}
+
+data "aws_iam_policy_document" "config" {
+ statement {
+ sid = "AWSConfigAllowBucketPutObject"
+ effect = "Allow"
+
+ resources = ["${local.config_bucket_arn}/*"]
+ actions = ["s3:PutObject*"]
+
+ condition {
+ test = "StringLike"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+
+ statement {
+ sid = "AWSConfigAllowBucketACL"
+ effect = "Allow"
+ resources = [local.config_bucket_arn]
+ actions = ["s3:GetBucketAcl"]
+ }
+
+ ## this goes in a per-region policy
+ ## statement {
+ ## sid = "AWSConfigPublishTopic"
+ ## effect = "Allow"
+ ## resources = [ aws_sns_topic.arn ]
+ ## actions = [ "sns:Publish" ]
+ ## }
+}
+
+#---
+# STS: sts config assume
+#---
+data "aws_iam_policy_document" "config_assume" {
+ statement {
+ sid = "AWSConfigServiceAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com"]
+ }
+ }
+}
+
+#--
+# much of this is per region, so we list through all the regions in
+# which we are doing this
+# only allows for 1 recorder
+#---
+resource "aws_config_configuration_recorder" "config" {
+# count = length(var.regions)
+ count = 1
+ name = "inf-config-${var.regions[count.index]}"
+ role_arn = aws_iam_role.config.arn
+
+ recording_group {
+ include_global_resource_types = true
+ all_supported = true
+ }
+}
+
+resource "aws_config_configuration_recorder_status" "config" {
+# count = length(var.regions)
+ count = 1
+ name = aws_config_configuration_recorder.config.*.name[count.index]
+ is_enabled = true
+ depends_on = [aws_config_delivery_channel.config]
+}
+
+resource "aws_config_delivery_channel" "config" {
+# count = length(var.regions)
+ count = 1
+ name = "inf-config-${var.regions[count.index]}"
+ s3_bucket_name = aws_s3_bucket.config.bucket
+ sns_topic_arn = aws_sns_topic.config[count.index].arn
+
+ snapshot_delivery_properties {
+ delivery_frequency = "Six_Hours"
+ }
+
+ depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# config rules
+#---
+locals {
+ crules = {
+ "vpc-flowlogs" = "VPC_FLOW_LOGS_ENABLED"
+ "mfa-console" = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
+# this requires a parameter
+# "iam-group-check" = "IAM_USER_GROUP_MEMBERSHIP_CHECK"
+ "encrypted-volumes" = "ENCRYPTED_VOLUMES"
+ "rds-encrypted" = "RDS_STORAGE_ENCRYPTED"
+ }
+ crules_keys = keys(local.crules)
+ crules_values = values(local.crules)
+}
+
+resource "aws_config_config_rule" "config_rules" {
+ count = length(local.crules_keys)
+ name = "inf-config_rule-${local.crules_keys[count.index]}"
+ source {
+ owner = "AWS"
+ source_identifier = local.crules_values[count.index]
+ }
+ depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# sns: config
+#---
+data "aws_iam_policy_document" "config_sns" {
+# count = length(var.regions)
+ count = 1
+ statement {
+ sid = "AWSConfigBucketPolicy"
+ effect = "Allow"
+ actions = ["s3:*"]
+
+ resources = [
+ aws_s3_bucket.config.arn,
+ "${aws_s3_bucket.config.arn}/*",
+ ]
+ }
+ statement {
+ sid = "AWSConfigSNSPublish"
+ effect = "Allow"
+ actions = ["sns:Publish"]
+ resources = [aws_sns_topic.config[count.index].arn]
+ }
+}
+
+resource "aws_iam_role_policy" "config_sns" {
+# count = length(var.regions)
+ count = 1
+# role = aws_iam_role.config[count.index].name
+ role = aws_iam_role.config.name
+ name = "p-inf-config-${var.regions[count.index]}"
+ policy = data.aws_iam_policy_document.config_sns[count.index].json
+}
+
+resource "aws_sns_topic" "config" {
+# count = length(var.regions)
+ count = 1
+ name = "inf-config-${var.regions[count.index]}"
+}
+
+resource "aws_sns_topic_policy" "config" {
+ count = length(var.regions)
+ arn = aws_sns_topic.config[count.index].arn
+ policy = data.aws_iam_policy_document.config_sns_topic[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sns_topic" {
+ count = length(var.regions)
+ policy_id = "inf-config_policy-${var.regions[count.index]}"
+ statement {
+ sid = "inf-config-AllowSNS"
+ effect = "Allow"
+ resources = [aws_sns_topic.config[count.index].arn]
+ actions = [
+ "sns:Subscribe",
+ "sns:SetTopicAttributes",
+ "sns:RemovePermission",
+ "sns:Receive",
+ "sns:Publish",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:DeleteTopic",
+ "sns:AddPermission",
+ ]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "AWS:SourceOwner"
+ values = ["${var.account_id}"]
+ }
+ }
+}
+
+#---
+# sqs: config (from splunk)
+#---
+# one per region we are using
+resource "aws_sqs_queue" "config_deadletter" {
+ # delay=0 retention=4d max=256k visibility=1h
+ count = length(var.regions)
+ name = "inf-config-${var.regions[count.index]}-deadletter"
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 345600
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ # disable kms, doesn't seem to work with splunk
+ # kms_master_key_id = "alias/${var.kms_inf_key}"
+ # kms_data_key_reuse_period_seconds = 300
+ tags = merge(
+ local.common_tags,
+ map("Name", "inf-config-${var.regions[count.index]}-deadletter")
+ )
+}
+
+resource "aws_sqs_queue_policy" "config_deadletter" {
+ count = length(var.regions)
+ queue_url = aws_sqs_queue.config_deadletter[count.index].id
+ policy = data.aws_iam_policy_document.config_sqs_deadletter[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sqs_deadletter" {
+ count = length(var.regions)
+ policy_id = "SQSDefaultPolicy"
+
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["SQS:SendMessage"]
+ resources = [aws_sqs_queue.config_deadletter[count.index].arn]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_sns_topic.config[count.index].arn]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "config" {
+ # delay=0 retention=7d max=256k visibity=2h
+ count = length(var.regions)
+ name = "inf-config-${var.regions[count.index]}"
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 604800
+ receive_wait_time_seconds = 0
+ visibility_timeout_seconds = 600
+
+ redrive_policy = < format("inf-config-rule_%v", c) }
+}
+
+resource "aws_config_config_rule" "config_rules_stopped" {
+ for_each = { for cr in local.crules_stopped : cr.rule => cr }
+ name = format("inf-config-rule_%v", each.key)
+ source {
+ owner = "AWS"
+ source_identifier = each.value.rule
+ }
+ maximum_execution_frequency = "TwentyFour_Hours"
+ input_parameters = each.value.parameter
+ depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# generate splunk inputs file
+#---
+data "template_file" "splunk" {
+ template = file("${path.module}/templates/aws_config_rules_tasks.conf.tpl")
+ vars = {
+ account_id = local.account_id
+ account_alias = local.account_alias
+ entry_uuid = random_uuid.splunk.result
+ region = local.config_region
+ }
+}
+
+resource "random_uuid" "splunk" {
+ keepers = {
+ config_rule = length(local.all_crules) > 0 ? 1 : 0
+ }
+}
+
+resource "null_resource" "splunk" {
+ provisioner "local-exec" {
+ command = "test -d setup || mkdir setup"
+ }
+ provisioner "local-exec" {
+ working_dir = "setup"
+ command = "echo '${data.template_file.splunk.rendered}' > aws_config_rules_tasks.${local.config_region}.conf"
+ }
+}
diff --git a/config/data.tf b/config/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/config/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/config/defaults.tf b/config/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/config/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/config/east_config.tf.off b/config/east_config.tf.off
new file mode 100755
index 0000000..f831859
--- /dev/null
+++ b/config/east_config.tf.off
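Review bot: The `config_sns` role policy attached to `aws_iam_role.config` grants `actions = ["s3:*"]` on the Config bucket and every object in it, while delivery only needs the `s3:PutObject*` (with bucket-owner-full-control) and `s3:GetBucketAcl` rights that `data.aws_iam_policy_document.config` already carries; narrowing the statement to `actions = ["s3:GetBucketAcl", "s3:PutObject"]`, or dropping it in favour of the existing policy, keeps the service role at least privilege. In the same file `aws_sns_topic.config` is created with `count = 1`, but `aws_sns_topic_policy.config`, `data.aws_iam_policy_document.config_sns_topic` and `data.aws_iam_policy_document.config_sqs_deadletter` index it with `count = length(var.regions)`, so any `var.regions` list longer than one fails at plan time with an out-of-range index. The `null_resource.splunk` provisioner splices the rendered template into a single-quoted `echo` command, so a quote in `local.account_alias` would break or alter the shell command; writing the rendered text with a `local_file` resource avoids going through the shell at all. Terraform loads only `*.tf`, so as committed under `config/OLD/config.tf.1` this copy is presumably inactive, but the same points apply to the `east_config.tf.off` hunk below, whose body runs past the end of this view. The hunk also appears truncated between `redrive_policy = <` and the `config_rules_stopped` resource, so the heredoc and the `local.all_crules` definition could not be reviewed here.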
@@ -0,0 +1,344 @@
+#---
+# config
+#---
+locals {
+ config_policies = list("arn:${data.aws_arn.current.partition}:iam::aws:policy/service-role/AWSConfigRole",
+ data.terraform_remote_state.common.outputs.policy_deny_billing_arn,
+ aws_iam_policy.config.arn
+ )
+ config_bucket_arn = aws_s3_bucket.config.arn
+}
+
+#---
+# role: config
+#---
+resource "aws_iam_role" "config" {
+ name = "r-inf-config"
+
+ assume_role_policy = data.aws_iam_policy_document.config_assume.json
+ description = "EDL AWS Config Role"
+ force_detach_policies = false
+ max_session_duration = 3600
+ path = "/service-role/"
+}
+
+#---
+# policy: config
+#---
+resource "aws_iam_policy" "config" {
+ name = "p-inf-awsconfig"
+ path = "/service-role/"
+ description = "Policy for AWS Config"
+ policy = data.aws_iam_policy_document.config.json
+}
+
+resource "aws_iam_role_policy_attachment" "config" {
+ count = length(local.config_policies)
+ role = aws_iam_role.config.name
+ policy_arn = local.config_policies[count.index]
+}
+
+data "aws_iam_policy_document" "config" {
+ statement {
+ sid = "AWSConfigAllowBucketPutObject"
+ effect = "Allow"
+
+ resources = ["${local.config_bucket_arn}/*"]
+ actions = ["s3:PutObject*"]
+
+ condition {
+ test = "StringLike"
+ variable = "s3:x-amz-acl"
+ values = ["bucket-owner-full-control"]
+ }
+ }
+
+ statement {
+ sid = "AWSConfigAllowBucketACL"
+ effect = "Allow"
+ resources = [local.config_bucket_arn]
+ actions = ["s3:GetBucketAcl"]
+ }
+
+ ## this goes in a per-region policy
+ ## statement {
+ ## sid = "AWSConfigPublishTopic"
+ ## effect = "Allow"
+ ## resources = [ aws_sns_topic.arn ]
+ ## actions = [ "sns:Publish" ]
+ ## }
+}
+
+#---
+# STS: sts config assume
+#---
+data "aws_iam_policy_document" "config_assume" {
+ statement {
+ sid = "AWSConfigServiceAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com"]
+ }
+ }
+}
+
+#--
+# much of this is per region, so we list through all the regions in
+# which we are doing this
+# only allows for 1 recorder
+#---
+resource "aws_config_configuration_recorder" "config" {
+ # count = length(var.regions)
+ count = 1
+ name = "inf-config-${var.regions[count.index]}"
+ role_arn = aws_iam_role.config.arn
+
+ recording_group {
+ include_global_resource_types = true
+ all_supported = true
+ }
+}
+
+resource "aws_config_configuration_recorder_status" "config" {
+ # count = length(var.regions)
+ count = 1
+ name = aws_config_configuration_recorder.config.*.name[count.index]
+ is_enabled = true
+ depends_on = [aws_config_delivery_channel.config]
+}
+
+resource "aws_config_delivery_channel" "config" {
+ # count = length(var.regions)
+ count = 1
+ name = "inf-config-${var.regions[count.index]}"
+ s3_bucket_name = aws_s3_bucket.config.bucket
+ sns_topic_arn = aws_sns_topic.config[count.index].arn
+
+ snapshot_delivery_properties {
+ delivery_frequency = "Six_Hours"
+ }
+
+ depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# config rules
+#---
+locals {
+ crules = {
+ "vpc-flowlogs" = "VPC_FLOW_LOGS_ENABLED"
+ "mfa-console" = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
+ # this requires a parameter
+ # "iam-group-check" = "IAM_USER_GROUP_MEMBERSHIP_CHECK"
+ "encrypted-volumes" = "ENCRYPTED_VOLUMES"
+ "rds-encrypted" = "RDS_STORAGE_ENCRYPTED"
+ }
+ crules_keys = keys(local.crules)
+ crules_values = values(local.crules)
+}
+
+resource "aws_config_config_rule" "config_rules" {
+ count = length(local.crules_keys)
+ name = "inf-config_rule-${local.crules_keys[count.index]}"
+ source {
+ owner = "AWS"
+ source_identifier = local.crules_values[count.index]
+ }
+ depends_on = [aws_config_configuration_recorder.config]
+}
+
+#---
+# sns: config
+#---
+data "aws_iam_policy_document" "config_sns" {
+ count = length(var.regions)
+ statement {
+ sid = "AWSConfigBucketPolicy"
+ effect = "Allow"
+ actions = ["s3:*"]
+
+ resources = [
+ aws_s3_bucket.config.arn,
+ "${aws_s3_bucket.config.arn}/*",
+ ]
+ }
+ statement {
+ sid = "AWSConfigSNSPublish"
+ effect = "Allow"
+ actions = ["sns:Publish"]
+ resources = [aws_sns_topic.config[count.index].arn]
+ }
+}
+
+resource "aws_iam_role_policy" "config_sns" {
+ count = length(var.regions)
+ # role = aws_iam_role.config[count.index].name
+ role = aws_iam_role.config.name
+ name = "p-inf-config-${var.regions[count.index]}"
+ policy = data.aws_iam_policy_document.config_sns[count.index].json
+}
+
+resource "aws_sns_topic" "config" {
+ count = length(var.regions)
+ name = "inf-config-${var.regions[count.index]}"
+}
+
+resource "aws_sns_topic_policy" "config" {
+ count = length(var.regions)
+ arn = aws_sns_topic.config[count.index].arn
+ policy = data.aws_iam_policy_document.config_sns_topic[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sns_topic" {
+ count = length(var.regions)
+ policy_id = "inf-config_policy-${var.regions[count.index]}"
+ statement {
+ sid = "inf-config-AllowSNS"
+ effect = "Allow"
+ resources = [aws_sns_topic.config[count.index].arn]
+ actions = [
+ "sns:Subscribe",
+ "sns:SetTopicAttributes",
+ "sns:RemovePermission",
+ "sns:Receive",
+ "sns:Publish",
+ "sns:ListSubscriptionsByTopic",
+ "sns:GetTopicAttributes",
+ "sns:DeleteTopic",
+ "sns:AddPermission",
+ ]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "StringEquals"
+ variable = "AWS:SourceOwner"
+ values = ["${var.account_id}"]
+ }
+ }
+}
+
+#---
+# sqs: config (from splunk)
+#---
+# one per region we are using
+resource "aws_sqs_queue" "config_deadletter" {
+ # delay=0 retention=4d max=256k visibility=1h
+ count = length(var.regions)
+ name = "inf-config-${var.regions[count.index]}-deadletter"
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 345600
+ receive_wait_time_seconds = 15
+ visibility_timeout_seconds = 3600
+
+ # disable kms, doesn't seem to work with splunk
+ # kms_master_key_id = "alias/${var.kms_inf_key}"
+ # kms_data_key_reuse_period_seconds = 300
+ tags = merge(
+ local.common_tags,
+ map("Name", "inf-config-${var.regions[count.index]}-deadletter")
+ )
+}
+
+resource "aws_sqs_queue_policy" "config_deadletter" {
+ count = length(var.regions)
+ queue_url = aws_sqs_queue.config_deadletter[count.index].id
+ policy = data.aws_iam_policy_document.config_sqs_deadletter[count.index].json
+}
+
+data "aws_iam_policy_document" "config_sqs_deadletter" {
+ count = length(var.regions)
+ policy_id = "SQSDefaultPolicy"
+
+ statement {
+ sid = "AllowSNSSendMessage"
+ effect = "Allow"
+ actions = ["SQS:SendMessage"]
+ resources = [aws_sqs_queue.config_deadletter[count.index].arn]
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "ArnEquals"
+ variable = "aws:SourceArn"
+ values = [aws_sns_topic.config[count.index].arn]
+ }
+ }
+}
+
+resource "aws_sqs_queue" "config" {
+ # delay=0 retention=7d max=256k visibity=2h
+ count = length(var.regions)
+ name = "inf-config-${var.regions[count.index]}"
+ delay_seconds = 0
+ max_message_size = 262144
+ message_retention_seconds = 604800
+ receive_wait_time_seconds = 0
+ visibility_timeout_seconds = 600
+
+ redrive_policy = <