From b7904e3cfd5b88dfb7f13fcb6b9f90e1b68f1895 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 16 Dec 2024 09:36:29 -0500
Subject: [PATCH] * 2.8.0 -- 2024-12-16 - ec2-settings - add settings for ebs (encrypt by default) and ec2 (enable imdsv2), block public sharing of ami and snapshots
---
CHANGELOG.md | 4 +
common/version.tf | 2 +-
ec2-settings/README.md | 122 +++++++++++++++++++++++++++++++
ec2-settings/_module_name.tf | 3 +
ec2-settings/data.tf | 1 +
ec2-settings/defaults.tf | 1 +
ec2-settings/main.tf | 68 +++++++++++++++++
ec2-settings/prefixes.tf | 1 +
ec2-settings/variables.common.tf | 1 +
ec2-settings/version.tf | 1 +
inventory/get-billing.sh | 3 +-
11 files changed, 204 insertions(+), 3 deletions(-)
create mode 100644 ec2-settings/README.md
create mode 100644 ec2-settings/_module_name.tf
create mode 120000 ec2-settings/data.tf
create mode 120000 ec2-settings/defaults.tf
create mode 100644 ec2-settings/main.tf
create mode 120000 ec2-settings/prefixes.tf
create mode 120000 ec2-settings/variables.common.tf
create mode 120000 ec2-settings/version.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e9ba7ef..405137a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -378,3 +378,7 @@
 * 2.7.0 -- 2024-11-13
 - inventory
 - add inventory code for use in decommission (not a submodule at this time)
+
+* 2.8.0 -- 2024-12-16
+ - ec2-settings
+ - add settings for ebs (encrypt by default) and ec2 (enable imdsv2), block public sharing of ami and snapshots
diff --git a/common/version.tf b/common/version.tf
index 2499cf3..4baf91e 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.7.0"
+ _module_version = "2.8.0"
 }
diff --git a/ec2-settings/README.md b/ec2-settings/README.md
new file mode 100644
index 0000000..033c4c8
--- /dev/null
+++ b/ec2-settings/README.md
@@ -0,0 +1,122 @@
+# aws-inf-setup :: iam-account-settings
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "settings" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-account-settings"
+
+ account_alias = "ma5-gov"
+ account_usage = "GovCloud Management Account"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_account_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias) | resource |
+| [aws_iam_account_password_policy.account_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_settings](#input\_account\_settings) | Map of account setting values to change. See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no |
+| [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [console\_url](#output\_console\_url) | AWS Console URL |
+
+
+# aws-inf-setup :: ec2-settings
+This module will setup several default per account and region. It must be used in each region.
+
+* EBS
+ * default key (alias/aws/ebs)
+ * encrypt by default (using above key)
+ * blocks public sharing of snapshots
+* EC2
+ * blocks public sharing of AMIs
+ * sets instance metdata to allow v1 and v2
+ * makes imds token optional
+ * sets imds hop limit to 2
+ * enables metadata tags
+
+# Usage
+This module takes no attributes.
+
+```hcl
+module "ec2-settings" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ec2-settings?ref=tf-upgrade"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_ebs_default_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_default_kms_key) | resource |
+| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
+| [aws_ebs_snapshot_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_snapshot_block_public_access) | resource |
+| [aws_ec2_image_block_public_access.sharing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource |
+| [aws_ec2_instance_metadata_defaults.imds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/ec2-settings/_module_name.tf b/ec2-settings/_module_name.tf
new file mode 100644
index 0000000..79392e5
--- /dev/null
+++ b/ec2-settings/_module_name.tf
@@ -0,0 +1,3 @@
+locals {
+ _module_name = "aws-inf-setup/ec2-settings"
+}
diff --git a/ec2-settings/data.tf b/ec2-settings/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/ec2-settings/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/ec2-settings/defaults.tf b/ec2-settings/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/ec2-settings/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/ec2-settings/main.tf b/ec2-settings/main.tf
new file mode 100644
index 0000000..2af2afa
--- /dev/null
+++ b/ec2-settings/main.tf
@@ -0,0 +1,68 @@
+/*
+* # aws-inf-setup :: ec2-settings
+* This module will setup several default per account and region. It must be used in each region.
+*
+* * EBS
+* * default key (alias/aws/ebs)
+* * encrypt by default (using above key)
+* * blocks public sharing of snapshots
+* * EC2
+* * blocks public sharing of AMIs
+* * sets instance metdata to allow v1 and v2
+* * makes imds token optional
+* * sets imds hop limit to 2
+* * enables metadata tags
+*
+* # Usage
+* This module takes no attributes.
+*
+* ```hcl
+* module "ec2-settings" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ec2-settings?ref=tf-upgrade"
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:created_by" = "terraform"
+ "boc:tf_module_version" = local._module_version
+ "boc:tf_module_name" = local._module_name
+ }
+}
+
+#---
+# EBS
+#---
+data "aws_kms_key" "default" {
+ key_id = "alias/aws/ebs"
+}
+
+resource "aws_ebs_default_kms_key" "default" {
+ key_arn = aws_kms_key.default.arn
+}
+
+resource "aws_ebs_encryption_by_default" "default" {
+ enabled = true
+}
+
+resource "aws_ebs_snapshot_block_public_access" "sharing" {
+ state = "block-all-sharing"
+}
+
+#---
+# EC2
+#---
+resource "aws_ec2_image_block_public_access" "sharing" {
+ state = "block-new-sharing"
+}
+
+resource "aws_ec2_instance_metadata_defaults" "imds" {
+ http_endpoint = "enabled"
+ http_tokens = "optional"
+ http_put_response_hop_limit = 2
+ instance_metadata_tags = "enabled"
+}
diff --git a/ec2-settings/prefixes.tf b/ec2-settings/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/ec2-settings/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
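Review bot: `key_arn = aws_kms_key.default.arn` in `aws_ebs_default_kms_key.default` references a managed resource that this file never declares — the key is looked up by the `data "aws_kms_key" "default"` block just above it, so the reference needs the data prefix: `key_arn = data.aws_kms_key.default.arn`. The commit message and changelog describe the EC2 part as "enable imdsv2", but `http_tokens = "optional"` in `aws_ec2_instance_metadata_defaults.imds` keeps IMDSv1 accepted as the account default and only `http_tokens = "required"` enforces v2; while v1 still answers, `http_put_response_hop_limit = 2` does not by itself limit what a process one network hop away from the instance can read from the metadata endpoint. If allowing v1 is deliberate for workloads that cannot send tokens yet, the changelog and the header comment ("makes imds token optional") should say that instead of "enable imdsv2", and the header typo `metdata` should read `metadata`. These are account-and-region defaults, matching the comment's "must be used in each region"; I would presume launches that set their own metadata options still override them, so enforcement at the launch template or SCP level remains worth confirming.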
diff --git a/ec2-settings/variables.common.tf b/ec2-settings/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/ec2-settings/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/ec2-settings/version.tf b/ec2-settings/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/ec2-settings/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/inventory/get-billing.sh b/inventory/get-billing.sh
index 4abcc5b..ea7b42a 100755
--- a/inventory/get-billing.sh
+++ b/inventory/get-billing.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-VERSION="1.0.1"
+VERSION="1.0.2"
 caller=$(tf-aws sts get-caller-identity --query 'Arn' 2> /dev/null)
 if [ $(echo $caller | grep -c aws-us-gov) != 0 ]
@@ -8,7 +8,6 @@ then
 echo "# partition is not commercial, exiting"
 exit 1
 fi
-exit
 lastmonth=$(date --date="-1 month" +%Y-%m-01)
 nextmonth=$(date --date="+1 month" +%Y-%m-01)