From b95ff5fd5739411293ac699e8334d564b88c274a Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 2 Jan 2024 13:20:01 -0500 Subject: [PATCH] update readmes --- cloudtrail-key/README.md | 103 +++++++++ cloudtrail/OFF/README.md | 42 ++++ cloudtrail/README.md | 237 +++++++++++++++++++++ cloudtrail_orig/README.md | 104 +++++++++ config/README.md | 115 ++++++++++ iam-account-settings/README.md | 58 +++++ iam-cloud-admin.unfinished/README.md | 96 +++++++++ iam-saml/README.md | 83 ++++++++ ldap-ou-create/README.md | 83 ++++++++ org-logging/README.md | 225 +++++++++++++++++++ s3-access-logs/README.md | 99 +++++++++ s3-config-org/README.md | 87 ++++++++ s3-config/README.md | 61 ++++++ s3-flow-logs/README.md | 95 +++++++++ ses-domain/README.md | 221 +++++++++++++++++++ splunk-description/README.md | 65 ++++++ terraform-organization-info-role/README.md | 65 ++++++ terraform-state/README.md | 136 ++++++++++++ vpc-remove-defaults/README.md | 111 ++++++++++ 19 files changed, 2086 insertions(+) diff --git a/cloudtrail-key/README.md b/cloudtrail-key/README.md index decfa34..ef2f694 100644 --- a/cloudtrail-key/README.md +++ b/cloudtrail-key/README.md @@ -98,3 +98,106 @@ No modules. | [kms\_alias\_name](#output\_kms\_alias\_name) | Cloudtrail Key Alias name | | [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN | | [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID | + + +# aws-inf-setup :: cloudtrail-key + +This set up the KMS key used by Cloudtrail for the ts S3 bucket, CloudTrail, and SQS (if possible). + +* Cloudtrail +* S3 bucket +* SQS + +## Usage, Simple Example +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "cloudtrail_key_simple" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key" + + tags = { + Environment = "csvd:infrastructure" + } +} +``` + +## Usage, Longer Example +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "cloudtrail_key_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key" + + name = "mycloudtrail" + kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"] + kms_policy_document = data.aws_iam_policy_document.myct_policy.json + + tags = { + Environment = "csvd:infrastructure" + } + + component_tags = { + "kms" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | +| [aws](#requirement\_aws) | >= 3.66.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_orig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no | +| [name](#input\_name) | Name to apply to Cloudtrail KMS Key (default: k-inf-cloudtrail) | `string` | `null` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_alias\_name](#output\_kms\_alias\_name) | Cloudtrail Key Alias name | +| [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN | +| [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID | + \ No newline at end of file diff --git a/cloudtrail/OFF/README.md b/cloudtrail/OFF/README.md index cb413c4..0ddc8d1 100644 --- a/cloudtrail/OFF/README.md +++ b/cloudtrail/OFF/README.md @@ -37,3 +37,45 @@ No inputs. ## Outputs No outputs. + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [local](#provider\_local) | n/a | +| [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | +| [aws_cloudwatch_log_group.inf-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_kms_key.cloudtrail_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [local_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/cloudtrail/README.md b/cloudtrail/README.md index 91fe9c9..a56e7c4 100644 --- a/cloudtrail/README.md +++ b/cloudtrail/README.md @@ -232,3 +232,240 @@ No modules. | [s3\_sqs\_info](#output\_s3\_sqs\_info) | Main S3 SQS ARNs and IDs (main, deadletter) | | [sns\_arn](#output\_sns\_arn) | SNS ARN | | [sqs\_info](#output\_sqs\_info) | Main SQS ARNs and IDs (main, deadletter) | + + +# aws-inf-setup :: cloudtrail + +This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail, +cloudwatch log groups, and associated permissions. It also generates a splunk configuration to be used +for pulling cloudtrail events. + +* S3 bucket +* SNS Topic +* SQS Queue (and Deadletter queue) +* Cloudwatch Log +* setup/*.conf files for Splunk + * inputs.{name}.{account}.{region}.conf + +Once setup, the gnerated Splunk configuration files can be provided to the Splunk team for ingesting +as CloudTrail. + +## Usage: Simple + +This siomple configuration is how it will typically be deployed. + +```hcl +module "cloudtrail_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key" + + tags = local.common_tags +} + +module "cloudtrail" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail" + + account_alias = var.account_alias + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.cloudtrail_key.kms_key_arn + + enable_sns = true + enable_sqs = true + + tags = local.common_tags +} +``` + +## Usage: Extended + +This shows the creation of a key with additional variables, along with a policy for key access (currently +just a placholder), and the cloudtrail with more variables offered. + +```hcl +module "cloudtrail_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key" + + name = "mycloudtrail" + kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"] + kms_policy_document = data.aws_iam_policy_document.myct_policy.json + + tags = { + Environment = "csvd:infrastructure" + } + + component_tags = { + "kms" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} + +data "aws_iam_policy_document" "myct_policy" {} + +module "cloudtrail" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail" + + name = "mycloudtrail" + account_alias = var.account_alias + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.cloudtrail_key.kms_key_arn + + enable_organization = false + enable_sns = true + enable_sqs = true + + tags = merge( + local.common_tags, + tomap({ Environment = "csvd:infrastructure" }), + ) +} +```hcl + +## Usage: Organization Cloudtrail + +This can be used for creation of an organization cloud trail. It is only applicable to the master +account of the organization, so you won't see this one used very often. + +```hcl +data "aws_organizations_organization" "org" {} + +module "org_cloudtrail_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail-key" + + name = "org-cloudtrail" + tags = local.common_tags +} + +module "org_cloudtrail" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail" + + account_alias = var.account_alias + enable_organization = true + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.org_cloudtrail_key.kms_key_arn + organization_id = data.aws_organizations_organization.org.id + + enable_sns = true + enable_sqs = true + + tags = local.common_tags +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | +| [aws](#requirement\_aws) | >= 3.66.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | +| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | +| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_sns_topic.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_policy.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sqs_queue.additional_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.additional_cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue_policy.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.additional_cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.additional_cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.additional_cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.additional_cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_s3_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_s3_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_s3_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cloudtrail_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | +| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [additional\_s3\_sqs\_names](#input\_additional\_s3\_sqs\_names) | List of additional SQS queues to create and subscribe to the S3 SNS topic (if enabled) | `list(string)` | `[]` | no | +| [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no | +| [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [enable\_cloudwatch\_logs](#input\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs for this CloudTrail | `bool` | `true` | no | +| [enable\_organization](#input\_enable\_organization) | Enable CloudTrail as an organization trail. This will only work in the organization master account | `bool` | `false` | no | +| [enable\_s3\_sns](#input\_enable\_s3\_sns) | Flag to enable or disable the creation of SNS for the Cloudtrail S3 bucket | `bool` | `false` | no | +| [enable\_s3\_sqs](#input\_enable\_s3\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail S3 bucket | `bool` | `false` | no | +| [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no | +| [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS CloudTrail KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes | +| [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no | +| [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no | +| [organization\_id](#input\_organization\_id) | AWS Organization ID | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [additional\_s3\_sqs\_info](#output\_additional\_s3\_sqs\_info) | Additional S3 SQS ARNs and IDs (main, deadletter) | +| [additional\_sqs\_info](#output\_additional\_sqs\_info) | Additional SQS ARNs and IDs (main, deadletter) | +| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN | +| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID | +| [s3\_sns\_arn](#output\_s3\_sns\_arn) | S3 SNS ARN | +| [s3\_sqs\_info](#output\_s3\_sqs\_info) | Main S3 SQS ARNs and IDs (main, deadletter) | +| [sns\_arn](#output\_sns\_arn) | SNS ARN | +| [sqs\_info](#output\_sqs\_info) | Main SQS ARNs and IDs (main, deadletter) | + \ No newline at end of file diff --git a/cloudtrail_orig/README.md b/cloudtrail_orig/README.md index d6eef0c..095e1d6 100644 --- a/cloudtrail_orig/README.md +++ b/cloudtrail_orig/README.md @@ -98,3 +98,107 @@ No modules. |------|-------------| | [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN | | [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID | + + +# aws-inf-setup :: cloudtrail + +This set up the needed components for cloudtrail in a region: S3, KMS key, SNS, SQS, cloudtrail, +cloudwatch log groups, and associated permissions. It also generates a splunk configuration to be used +for pulling cloudtrail events. + +* S3 bucket +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "cloudtrail" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//cloudtrail" + + # account_alias = "do2-govcloud" + name = "mycloudtrail" + access_log_bucket = "myaccesslogbucket" + kms_key_management_identifiers = [ "arn:aws:iam::079788916859:role/r-inf-cloud-admin" ] +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "cloudtrail_full" { + + # logs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudtrail.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.cloudtrail_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | +| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no | +| [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no | +| [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no | +| [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no | +| [object\_log\_bucket\_prefix](#input\_object\_log\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"s3_object_logs"` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_key\_arn](#output\_kms\_key\_arn) | Cloudtrail Key ARN | +| [kms\_key\_id](#output\_kms\_key\_id) | Cloudtrail Key ID | + \ No newline at end of file diff --git a/config/README.md b/config/README.md index dacebcd..348ebc9 100644 --- a/config/README.md +++ b/config/README.md @@ -110,3 +110,118 @@ No modules. | [config\_sns\_topic\_arn](#output\_config\_sns\_topic\_arn) | SNS ARN for Config | | [config\_sqs\_arn](#output\_config\_sqs\_arn) | SQS ARN for Config | | [config\_sqs\_id](#output\_config\_sqs\_id) | SQS ID for Config (URL) | + + +# aws-inf-setup :: config + +This set up the needed components for config per region including: + +* S3 Bucket +* Role +* Policy +* SNS Topic +* SQS Queue and dead letter queue (for Splunk) +* Config +* Config Rules + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "config" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//config" + account_alias = "ma5-gov" + + ## optional + # name = "myconfigbucket" + # use_kms_encryption = false + +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [local](#provider\_local) | n/a | +| [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_config_config_rule.config_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | +| [aws_config_config_rule.config_rules_stopped](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | +| [aws_config_configuration_recorder.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource | +| [aws_config_configuration_recorder_status.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource | +| [aws_config_delivery_channel.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource | +| [aws_iam_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_sns_topic.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sqs_queue.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.config_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.config_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [local_file.splunk_config](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [local_file.splunk_configrules](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [null_resource.splunk_config](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.splunk_configrules](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.aws_config_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_configrules_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.config_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.config_sns_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.config_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.config_sqs_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | +| [template_file.splunk_config](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | +| [template_file.splunk_configrules](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | 
{
  "kms": {},
  "s3": {}
}
| no | +| [enable\_config\_rules\_standard](#input\_enable\_config\_rules\_standard) | Flag to enable\|disable the standard set of config rules | `bool` | `true` | no | +| [enable\_config\_rules\_stopped](#input\_enable\_config\_rules\_stopped) | Flag to enable\|disable EC2 stopped config rules | `bool` | `false` | no | +| [name](#input\_name) | Config resource name prefix used for all resources | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no | +| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [config\_s3\_bucket\_arn](#output\_config\_s3\_bucket\_arn) | S3 ARN for Config | +| [config\_s3\_bucket\_id](#output\_config\_s3\_bucket\_id) | S3 ID for Config | +| [config\_sns\_topic\_arn](#output\_config\_sns\_topic\_arn) | SNS ARN for Config | +| [config\_sqs\_arn](#output\_config\_sqs\_arn) | SQS ARN for Config | +| [config\_sqs\_id](#output\_config\_sqs\_id) | SQS ID for Config (URL) | + \ No newline at end of file diff --git a/iam-account-settings/README.md b/iam-account-settings/README.md index 30377e7..017ce54 100644 --- a/iam-account-settings/README.md +++ b/iam-account-settings/README.md @@ -53,3 +53,61 @@ No modules. | Name | Description | |------|-------------| | [console\_url](#output\_console\_url) | AWS Console URL | + + +# aws-inf-setup :: iam-account-settings + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "settings" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-account-settings" + + account_alias = "ma5-gov" + account_usage = "GovCloud Management Account" +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_account_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias) | resource | +| [aws_iam_account_password_policy.account_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [account\_settings](#input\_account\_settings) | Map of account setting values to change. See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no | +| [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [console\_url](#output\_console\_url) | AWS Console URL | + \ No newline at end of file diff --git a/iam-cloud-admin.unfinished/README.md b/iam-cloud-admin.unfinished/README.md index 9a015fa..0a075c1 100644 --- a/iam-cloud-admin.unfinished/README.md +++ b/iam-cloud-admin.unfinished/README.md @@ -91,3 +91,99 @@ No requirements. | [flowlogs\_bucket\_arn](#output\_flowlogs\_bucket\_arn) | VPC Flow Logs S3 bucket ARN | | [flowlogs\_bucket\_id](#output\_flowlogs\_bucket\_id) | VPC Flow Logs S3 bucket ID | | [policy\_assume\_ec2](#output\_policy\_assume\_ec2) | Policy for assume for ec2 | + + +# aws-inf-setup :: s3-flow-logs + +This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is +needed + +* S3 bucket +* S3 bucket objects (key prefixes, aka "directories") +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "flowlogs" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "flowlogs_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" + + # optional + account_alias = "do2-govcloud" + bucket_name = "inf-flowlogs-123456789012" + + # flowlogs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [test-role](#module\_test-role) | git@github.e.it.census.gov:terraform-modules/aws-iam-role.git | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.inf-manage-access-keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.inf-manage-credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.inf-cloud-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.deny_billing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.inf-manage-access-keys](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.inf-manage-credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.inf_kms_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_name](#input\_bucket\_name) | VPC Flow Logs S3 bucket name | `string` | `""` | no | +| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [flowlogs\_bucket\_arn](#output\_flowlogs\_bucket\_arn) | VPC Flow Logs S3 bucket ARN | +| [flowlogs\_bucket\_id](#output\_flowlogs\_bucket\_id) | VPC Flow Logs S3 bucket ID | +| [policy\_assume\_ec2](#output\_policy\_assume\_ec2) | Policy for assume for ec2 | + \ No newline at end of file diff --git a/iam-saml/README.md b/iam-saml/README.md index 30c5729..a0d8b2e 100644 --- a/iam-saml/README.md +++ b/iam-saml/README.md @@ -77,3 +77,86 @@ No modules. |------|-------------| | [saml\_assume\_policy](#output\_saml\_assume\_policy) | SAML Assume Policy document JSON | | [saml\_provider](#output\_saml\_provider) | SAML Provider ARN | + + +# aws-inf-setup :: iam-saml + +This set up the default SAML provider with the enterprise IDP, id-provider.tco.census.gov. +The appropriate metadata and URL are selected from the environment either East/West (ew) +or GovCloud (gov). + +The resulting metadata XML is saved in `setup/metdata.xml`. + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "saml" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//iam-saml" + + # optional + saml_provider_name = "Census_TCO_IDMS" +} +``` + +When creating a role to use SAML, you will need the SAML policy document as a reference: + +```hcl +resource "aws_iam_role" "role" { + name = "my-role-name" + description = "SAML role for my-role-name" + force_detach_policies = false + max_session_duration = 3600 + assume_role_policy = module.saml.saml_policy_document +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [external](#provider\_external) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_saml_provider.saml](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource | +| [null_resource.saml_metadata](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.saml_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | +| [external_external.saml_metadata](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [idp\_metadata\_selector](#input\_idp\_metadata\_selector) | URL Query parameter for selecting urn:amazon:webservices string for EW or gov | `string` | `"PID="` | no | +| [idp\_metadata\_url](#input\_idp\_metadata\_url) | ID Provider Metadata URL | `string` | `null` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [saml\_provider\_name](#input\_saml\_provider\_name) | SAML Provider Name | `string` | `"Census_TCO_IDMS"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [saml\_assume\_policy](#output\_saml\_assume\_policy) | SAML Assume Policy document JSON | +| [saml\_provider](#output\_saml\_provider) | SAML Provider ARN | + \ No newline at end of file diff --git a/ldap-ou-create/README.md b/ldap-ou-create/README.md index fa66224..c47c600 100644 --- a/ldap-ou-create/README.md +++ b/ldap-ou-create/README.md @@ -78,3 +78,86 @@ No modules. ## Outputs No outputs. + + +# About ldap-ou-create + +This module will create the initial LDAP OU object in eBOCAS, provided credentials and the provider exists (it checks for this). +The [ldap-provider](https://github.e.it.census.gov/terraform/support/tree/master/providers/terraform-provider-ldap) binary is expected to be in your `$PATH`. +This has to be done before creating any roles with `aws-iam-role` and LDAP creation enabled. + +There are some quirks to the `ldap-provider` (we use [this](https://github.com/Pryz/terraform-provider-ldap) one), where if any +details change in the DN or the DN cannot be constructed due to missing data, a *tcp connection closed* message occurs. However, for this +one, there are no changes to the resource which are dynamic, so it can be done normally in just one step. + +# Usage + +```hcl +module "ou" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ldap-ou-create" + + enable_ldap_creation = true + ldap_user = "cn=myuser,ou=Application,o=U.S. Census Bureau,c=US" + ldap_password = "password1234$$" + + # optional + # account_id = "123456789012" + ldap_url = "ldaps://ldap2.e.tco.census.gov" +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [null](#requirement\_null) | >= 1.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [ldap](#provider\_ldap) | >= 0.5.4 | +| [null](#provider\_null) | >= 1.0 | +| [template](#provider\_template) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [ldap_object.ou](https://registry.terraform.io/providers/trevex/ldap/latest/docs/resources/object) | resource | +| [null_resource.ou_ldif](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.ec2_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | +| [template_file.ou](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (role, policy) | `map(map(string))` | 
{
  "policy": {},
  "role": {}
}
| no | +| [enable\_ldap\_creation](#input\_enable\_ldap\_creation) | Flag to enable/disable LDAP object creation for role group (for SAML only). Also requires LDAP credentials. | `bool` | `false` | no | +| [ldap\_password](#input\_ldap\_password) | LDAP password for ldap\_user for writing data into eDirectory or Active Directory | `string` | `""` | no | +| [ldap\_skip\_verify](#input\_ldap\_skip\_verify) | LDAP skip verify of TLS certificates | `bool` | `false` | no | +| [ldap\_url](#input\_ldap\_url) | LDAP URL in form ldap(s)://hostname:port | `string` | `"ldaps://ldap2.e.tco.census.gov"` | no | +| [ldap\_use\_starttls](#input\_ldap\_use\_starttls) | LDAP use StartTLS (needed only if port is 389, perhaps) | `bool` | `false` | no | +| [ldap\_user](#input\_ldap\_user) | LDAP user for writing data into eDirectory or Active Directory | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/org-logging/README.md b/org-logging/README.md index bb60bb0..6cbdb5d 100644 --- a/org-logging/README.md +++ b/org-logging/README.md @@ -220,3 +220,228 @@ No modules. | [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID | | [sns\_arn](#output\_sns\_arn) | SNS ARN | | [sqs\_info](#output\_sqs\_info) | Main SQS ARNs and IDs (main, deadletter) | + + +# aws-inf-setup :: logging + +This set up the needed components for logging in a region: S3, KMS key, SNS, SQS, logging, +cloudwatch log groups, and associated permissions. It also generates a splunk configuration to be used +for pulling logging events. + +* S3 bucket +* SNS Topic +* SQS Queue (and Deadletter queue) +* Cloudwatch Log +* setup/*.conf files for Splunk + * inputs.{name}.{account}.{region}.conf + +Once setup, the gnerated Splunk configuration files can be provided to the Splunk team for ingesting +as Logging. + +## Usage: Simple + +This siomple configuration is how it will typically be deployed. + +```hcl +module "logging_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key" + + tags = local.common_tags +} + +module "logging" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging" + + account_alias = var.account_alias + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.logging_key.kms_key_arn + + enable_sns = true + enable_sqs = true + + tags = local.common_tags +} +``` + +## Usage: Extended + +This shows the creation of a key with additional variables, along with a policy for key access (currently +just a placholder), and the logging with more variables offered. + +```hcl +module "logging_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key" + + name = "mylogging" + kms_admin_roles = ["arn:aws:iam::079788916859:role/r-inf-cloud-admin"] + kms_policy_document = data.aws_iam_policy_document.myct_policy.json + + tags = { + Environment = "csvd:infrastructure" + } + + component_tags = { + "kms" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} + +data "aws_iam_policy_document" "myct_policy" {} + +module "logging" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging" + + name = "mylogging" + account_alias = var.account_alias + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.logging_key.kms_key_arn + + enable_organization = false + enable_sns = true + enable_sqs = true + + tags = merge( + local.common_tags, + tomap({ Environment = "csvd:infrastructure" }), + ) +} +```hcl + +## Usage: Organization Cloudtrail + +This can be used for creation of an organization cloud trail. It is only applicable to the master +account of the organization, so you won't see this one used very often. + +```hcl +data "aws_organizations_organization" "org" {} + +module "org_logging_key" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging-key" + + name = "org-logging" + tags = local.common_tags +} + +module "org_logging" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//logging" + + account_alias = var.account_alias + enable_organization = true + access_log_bucket = module.logs.bucket_id + kms_key_arn = module.org_logging_key.kms_key_arn + organization_id = data.aws_organizations_organization.org.id + + enable_sns = true + enable_sqs = true + + tags = local.common_tags +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [time](#requirement\_time) | >= 0.9.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [time](#provider\_time) | >= 0.9.1 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.logging_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_sns_topic.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sns_topic_subscription.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_sqs_queue.additional_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | +| [aws_sqs_queue_policy.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [aws_sqs_queue_policy.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) | resource | +| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.additional_logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.additional_logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_orig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.logging_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.incoming_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | +| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [additional\_sqs\_names](#input\_additional\_sqs\_names) | List of additional SQS queues to create and subscribe to the SNS topic (if enabled) | `list(string)` | `[]` | no | +| [cloudtrail\_bucket\_prefix](#input\_cloudtrail\_bucket\_prefix) | Access log bucket prefix, to which the bucket name will be appended to make the target\_prefix | `string` | `"cloudtrail"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [enable\_organization](#input\_enable\_organization) | Enable Logging as an organization trail. This will only work in the organization master account | `bool` | `false` | no | +| [enable\_sns](#input\_enable\_sns) | Flag to enable or disable the creation of SNS for Cloudtrail (TBD) | `bool` | `false` | no | +| [enable\_sqs](#input\_enable\_sqs) | Flag to enable or disable the creation of SQS attached to SNS for Cloudtrail, used for Splunk ingestion (TBD) | `bool` | `false` | no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS Logging KMS ARN to be used for encrypting the ClouldTrail, S3 Bucket, and SQS | `string` | n/a | yes | +| [kms\_key\_management\_identifiers](#input\_kms\_key\_management\_identifiers) | AWS IAM ARNs (roles, groups, users) for full access to the created KMS Key for this bucket | `list(string)` | `[]` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no | +| [name](#input\_name) | Name to apply to Cloudtrail, S3, SNS and SQS | `string` | `null` | no | +| [organization\_id](#input\_organization\_id) | AWS Organization ID | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [additional\_sqs\_info](#output\_additional\_sqs\_info) | Additional SQS ARNs and IDs (main, deadletter) | +| [kms\_alias\_name](#output\_kms\_alias\_name) | Org Logging Key Alias name | +| [kms\_key\_arn](#output\_kms\_key\_arn) | Org Logging Key ARN | +| [kms\_key\_id](#output\_kms\_key\_id) | Org Logging Key ID | +| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | Created S3 Bucket ARN | +| [s3\_bucket\_id](#output\_s3\_bucket\_id) | Created S3 Bucket ID | +| [sns\_arn](#output\_sns\_arn) | SNS ARN | +| [sqs\_info](#output\_sqs\_info) | Main SQS ARNs and IDs (main, deadletter) | + \ No newline at end of file diff --git a/s3-access-logs/README.md b/s3-access-logs/README.md index 58f4454..df3d552 100644 --- a/s3-access-logs/README.md +++ b/s3-access-logs/README.md @@ -94,3 +94,102 @@ No modules. |------|-------------| | [bucket\_arn](#output\_bucket\_arn) | Logging S3 bucket ARN | | [bucket\_id](#output\_bucket\_id) | Logging S3 bucket ID | + + +# aws-inf-setup :: s3-access-logs + +This set up the needed components for S3 access log bucket. An access log must exist in each region +where there are components wishing to use access logs (S3, ALB, etc.). + +* S3 bucket +* S3 bucket objects (key prefixes, aka "directories") +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "logs" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "logs_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-access-logs" + + # optional + account_alias = "do2-govcloud" + bucket_name = "inf-logs-123456789012" + # use_kms_encryption = false + + # logs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_s3_object.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource | +| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `true` | no | +| [bucket\_name](#input\_bucket\_name) | Logging S3 bucket name | `string` | `""` | no | +| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-logs"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [use\_kms\_encryption](#input\_use\_kms\_encryption) | Enable AWS:KMS encryption (default). If false, enables SSE-S3 (AES256), needed for some AWS services access | `bool` | `true` | no | +| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_arn](#output\_bucket\_arn) | Logging S3 bucket ARN | +| [bucket\_id](#output\_bucket\_id) | Logging S3 bucket ID | + \ No newline at end of file diff --git a/s3-config-org/README.md b/s3-config-org/README.md index 9738c7e..c996bc0 100644 --- a/s3-config-org/README.md +++ b/s3-config-org/README.md @@ -1,2 +1,89 @@ +# aws-inf-setup :: s3-config-org + +This set up the needed components for an organization-use S3 config bucket. This will exist in each available region. + +* S3 bucket + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "config_org" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config-org" + + access_log_bucket = "my-access-log-bucket" +} +``` + +# Links +* https://cloudyadvice.com/2022/04/14/automated-enterprise-deployment-of-aws-config/ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [time](#provider\_time) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_alias.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_logging.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | +| [aws_s3_bucket_ownership_controls.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.config_org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [time_sleep.policy_delay](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.empty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.key_policy_combined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket](#input\_access\_log\_bucket) | Server Access Logging Bucket ID | `string` | n/a | yes | +| [access\_log\_bucket\_prefix](#input\_access\_log\_bucket\_prefix) | Server Access Log bucket prefix, to which the Object Logging bucket name will be appended to make the target\_prefix | `string` | `"s3"` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_name](#input\_bucket\_name) | Organization Config S3 bucket name | `string` | `null` | no | +| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Organization Config S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-org-config"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | 
{
  "kms": {},
  "s3": {}
}
| no | +| [key\_name](#input\_key\_name) | Name to apply to Org Logging KMS Key (default: k-inf-org-logging) | `string` | `null` | no | +| [kms\_admin\_roles](#input\_kms\_admin\_roles) | AWS KMS Key administrative role(s) which have full access to the key. The root user is included by default. | `list(string)` | `[]` | no | +| [kms\_policy\_document](#input\_kms\_policy\_document) | AWS KMS Key Policy Document JSON, merged with admin policy document | `string` | `null` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_arn](#output\_bucket\_arn) | Organization Config S3 bucket ARN | +| [bucket\_id](#output\_bucket\_id) | Organization Config S3 bucket ID | +| [kms\_alias\_name](#output\_kms\_alias\_name) | Organization Config S3 Key Alias name | +| [kms\_key\_arn](#output\_kms\_key\_arn) | Organization Config S3 Key ARN | +| [kms\_key\_id](#output\_kms\_key\_id) | Organization Config S3 Key ID | diff --git a/s3-config/README.md b/s3-config/README.md index 0be84aa..3543d92 100644 --- a/s3-config/README.md +++ b/s3-config/README.md @@ -55,3 +55,64 @@ No modules. |------|-------------| | [bucket\_arn](#output\_bucket\_arn) | Config S3 bucket ARN | | [bucket\_id](#output\_bucket\_id) | Config S3 bucket ID | + + +# aws-inf-setup :: s3-config + +This set up the needed components for S3 config bucket. This needs to be in just one region. + +* S3 bucket + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "config" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config" +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_name](#input\_bucket\_name) | Logging S3 bucket name | `string` | `""` | no | +| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-config"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` | 
{
  "kms": {},
  "s3": {}
}
| no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_arn](#output\_bucket\_arn) | Config S3 bucket ARN | +| [bucket\_id](#output\_bucket\_id) | Config S3 bucket ID | + \ No newline at end of file diff --git a/s3-flow-logs/README.md b/s3-flow-logs/README.md index 1ff8f0a..c3634ad 100644 --- a/s3-flow-logs/README.md +++ b/s3-flow-logs/README.md @@ -90,3 +90,98 @@ No modules. |------|-------------| | [bucket\_arn](#output\_bucket\_arn) | VPC Flow Logs S3 bucket ARN | | [bucket\_id](#output\_bucket\_id) | VPC Flow Logs S3 bucket ID | + + +# aws-inf-setup :: s3-flow-logs + +This set up the needed components for S3 VPC flow log bucket. Only one flow log bucket is +needed + +* S3 bucket +* S3 bucket objects (key prefixes, aka "directories") +* S3 bucket policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "flowlogs" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "flowlogs_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-flow-flowlogs" + + # optional + account_alias = "do2-govcloud" + bucket_name = "inf-flowlogs-123456789012" + + # flowlogs is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_s3_bucket.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.flowlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [null_resource.policy_delay](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.flowlogs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_name](#input\_bucket\_name) | VPC Flow Logs S3 bucket name | `string` | `""` | no | +| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | VPC Flow Logs S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-flowlogs"` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [versioning\_configuration](#input\_versioning\_configuration) | S3 Versioning Configuration (Enabled, Disabled, Suspended). To disable, use Suspended if existing bucket and Disabled if new | `string` | `"Disabled"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_arn](#output\_bucket\_arn) | VPC Flow Logs S3 bucket ARN | +| [bucket\_id](#output\_bucket\_id) | VPC Flow Logs S3 bucket ID | + \ No newline at end of file diff --git a/ses-domain/README.md b/ses-domain/README.md index c62c5d9..94e8341 100644 --- a/ses-domain/README.md +++ b/ses-domain/README.md @@ -215,3 +215,224 @@ No modules. | [ses\_domain\_identity](#output\_ses\_domain\_identity) | SES Domain Identity | | [ses\_domain\_identity\_arn](#output\_ses\_domain\_identity\_arn) | SES Domain Identity ARN | | [ses\_domain\_verification](#output\_ses\_domain\_verification) | DNS entries to add for domain verification | + + +# aws-inf-setup :: ses-domain + +This sets up the domain identity for SES. We create by default `{account_id}.aws.mail.census.gov` +as a sender domain, and generate the details which are to be submitted to TCO for inclusion in DNS. +The contents of the file `${path.root}/setup/ses_dns.md` contain the text which goes to TCO. A future enhancement +to this will include the ability to automatically incorporate the changes into DNS. This is a multi-step +setup: + +1. Create initial resources +1. Provide TCO Details for DNS Update +1. Complete domain validation +1. Enable for production + +## Select proper region + +Note that at this time, this needs to be done from the `us-gov-west-1` region for GovCloud. For East/West, any US region +will work. Ideally, this will check that the west zone is selected for gov, and not create any resources if in the incorrect region. +However, that's not current possible with Terraform 0.12, and we need to get to 0.13 to make that possible. You will see this +error if in the incorrect region: +```console +% tf-apply +module.ses.aws_ses_domain_identity.this: Creating... + +Error: Error requesting SES domain identity verification: SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-gov-east-1'. + status code: 403, request id: dff573a8-961a-4a5d-a9f8-1cf6c3beba46 + + on .terraform/modules/ses/ses-domain/main.tf line 106, in resource "aws_ses_domain_identity" "this": + 106: resource "aws_ses_domain_identity" "this" { +``` + +## Request TCO/OIS approval for 3rd Party Domain + +A submission of a form authorizing 3rd party mail is required to TCO, who then puts in a ticket to OIS. This has +been done for the AWS accounts as whole, using the default format. Any variation (that is, using a custom +`ses_domain_name` requires this form be filled out. Details are available on the [TCO Wiki Mail Section](https://wiki.apps.tco.census.gov/index.php/Services#Mail) or in [Sending Mail](https://wiki.apps.tco.census.gov/index.php/Sending_Mail). + +# Usage +This can be used without any variables to get the default configuration. + +```hcl +module "ses" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain" + + profile = var.profile + ## once validated, get out of sandbox and set mail from address + # enable_production = true + # enable_mail_from = true + # enable_sns_events = true + + ## optional, changing this is not recommended + # ses_domain_name = "123456789012.postal.census.gov" + ## while these can be changed, it is not advised + # ses_base_domain_name = "aws.mail.census.gov" + # ses_base_dkim_domain_name = "dkim.amazonses.com" +} +``` +## Create initial resources +```console +% tf-apply -target=module.ses +``` + +## Provide TCO DNS details + +See and example [ses\_dns.md](example.ses\_dns.md). This file will be in `setup/ses_dns.md`. Submit this to TCO to get the records added to DNS. + +## After DNS is updated +Once DNS has been updated, you can run `tf-apply` on the resource again. It will look for a non-empty value +for the TXT record and if so, complete the validation process. Here is an example: +```console +% tf-apply -target=module.ses +Terraform will perform the following actions: + + # module.ses.aws_ses_domain_identity_verification.this[0] will be created + + resource "aws_ses_domain_identity_verification" "this" { + + arn = (known after apply) + + domain = "817869416306.aws.mail.census.gov" + + id = (known after apply) + } + +Plan: 1 to add, 0 to change, 0 to destroy. +. +. +module.ses.aws_ses_domain_identity_verification.this[0]: Creating... +module.ses.aws_ses_domain_identity_verification.this[0]: Creation complete after 1s [id=817869416306.aws.mail.census.gov] +``` +## Getting out of the Sandbox +Reference: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html + +Use the variable `enable_production=true` to do this. There is no terraform resource for this. +This enables the use of a script which requires the AWS CLIv2, and it will fail otherwise. + +```hcl +module "ses" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//ses-domain" + + profile = var.profile + enable_production = true + enable_mail_from = true + enable_sns_events = true +} +``` +then run `tf-apply` +```console +% tf-apply -target=module.ses +Resource actions are indicated with the following symbols: +-/+ destroy and then create replacement + +Terraform will perform the following actions: + + # module.ses.null_resource.to_production[0] is tainted, so must be replaced +-/+ resource "null_resource" "to_production" { + ~ id = "283142555786980861" -> (known after apply) + } + +Plan: 1 to add, 0 to change, 1 to destroy. +``` + +# Sample Output +```hcl +ses_dkim_values = [ + { + "domain" = "817869416306.aws.mail.census.gov" + "name" = "j4ixb5k4cum55axim6dhdn6nelsoigfm._domainkey.817869416306.aws.mail.census.gov" + "ttl" = 600 + "type" = "CNAME" + "value" = "j4ixb5k4cum55axim6dhdn6nelsoigfm.dkim.amazonses.com" + }, + { + "domain" = "817869416306.aws.mail.census.gov" + "name" = "njeeupi3lqslhjudeklt2utyhlggdrab._domainkey.817869416306.aws.mail.census.gov" + "ttl" = 600 + "type" = "CNAME" + "value" = "njeeupi3lqslhjudeklt2utyhlggdrab.dkim.amazonses.com" + }, + { + "domain" = "817869416306.aws.mail.census.gov" + "name" = "qdhk5oxqhqllj7hnxmvt74rk75zwwuhx._domainkey.817869416306.aws.mail.census.gov" + "ttl" = 600 + "type" = "CNAME" + "value" = "qdhk5oxqhqllj7hnxmvt74rk75zwwuhx.dkim.amazonses.com" + }, +] +ses_domain_verification = { + "domain" = "817869416306.aws.mail.census.gov" + "name" = "_amazonses.817869416306.aws.mail.census.gov" + "ttl" = 600 + "type" = "TXT" + "value" = "/Pz6+wpIUfumhdG8l0NkdfLx+wHMp+/Za2Nf5jOQTos=" +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [external](#provider\_external) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ses_domain_dkim.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_dkim) | resource | +| [aws_ses_domain_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity) | resource | +| [aws_ses_domain_identity_verification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_identity_verification) | resource | +| [aws_ses_domain_mail_from.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_domain_mail_from) | resource | +| [aws_ses_identity_notification_topic.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_notification_topic) | resource | +| [aws_sns_topic.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [null_resource.this_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.to_production](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.ses_event](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | +| [external_external.ses_dns_txt](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [enable\_mail\_from](#input\_enable\_mail\_from) | SES Enable set of Mail From domain ses\_mail\_from.DOMAIN | `bool` | `false` | no | +| [enable\_production](#input\_enable\_production) | SES Enable calling of AWS CLI to move from sandbox to production | `bool` | `false` | no | +| [enable\_sns\_events](#input\_enable\_sns\_events) | SES Enable event notificaton to SNS for bounce, complaint, and/or delivery (specified by ses\_event\_notification\_types). | `bool` | `false` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [profile](#input\_profile) | AWS Config profile (required for calling the aws cli) | `string` | `""` | no | +| [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no | +| [ses\_additional\_contact\_email](#input\_ses\_additional\_contact\_email) | SES Additional Contact email address list (for move to production) | `list(string)` | `[]` | no | +| [ses\_base\_dkim\_domain\_name](#input\_ses\_base\_dkim\_domain\_name) | SES Base DKIM Domain Name | `string` | `"dkim.amazonses.com"` | no | +| [ses\_base\_domain\_name](#input\_ses\_base\_domain\_name) | SES Base Domain Name | `string` | `"aws.mail.census.gov"` | no | +| [ses\_domain\_name](#input\_ses\_domain\_name) | SES Fully Qualified Domain Name (default: {account\_id}.aws.mail.census.gov) | `string` | `""` | no | +| [ses\_event\_notification\_types](#input\_ses\_event\_notification\_types) | SNS Notification types for SNS. Valid values are bounce, complaint, and delivery. | `list(string)` | 
[
  "bounce",
  "complaint"
]
| no | +| [ses\_mail\_from](#input\_ses\_mail\_from) | SES mail from domain prepended to ses\_domain\_name. See enable\_mail\_from for enabling this. | `string` | `"bounce"` | no | +| [ses\_sns\_topic\_name](#input\_ses\_sns\_topic\_name) | SNS Topic name for event handling. The region name will be appended. | `string` | `"inf-ses-events"` | no | +| [ses\_use\_case\_description](#input\_ses\_use\_case\_description) | SES use case description (for move to production) | `string` | `""` | no | +| [ses\_website\_url](#input\_ses\_website\_url) | SES website URL (for move to production) | `string` | `"https://census.gov"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [ses\_dkim\_values](#output\_ses\_dkim\_values) | DNS entries to add for DKIM | +| [ses\_domain\_identity](#output\_ses\_domain\_identity) | SES Domain Identity | +| [ses\_domain\_identity\_arn](#output\_ses\_domain\_identity\_arn) | SES Domain Identity ARN | +| [ses\_domain\_verification](#output\_ses\_domain\_verification) | DNS entries to add for domain verification | + \ No newline at end of file diff --git a/splunk-description/README.md b/splunk-description/README.md index e4f46c3..1766289 100644 --- a/splunk-description/README.md +++ b/splunk-description/README.md @@ -59,3 +59,68 @@ No modules. ## Outputs No outputs. + + +# aws-inf-setup :: splunk-description + +This set up the Splunk input configuration files in setup/aws\_description\_tasks.conf +for this account and region + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "splunk_description" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//splunk-description" + account_alias = "ma5-gov" + + ## optional + # api_list = ["ec2_instances","ec2_volumes",] + # api_interval = 3600 +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [local](#provider\_local) | n/a | +| [null](#provider\_null) | n/a | +| [template](#provider\_template) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [local_file.splunk_description](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [null_resource.splunk_description](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | +| [template_file.splunk_description](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [api\_interval](#input\_api\_interval) | Splunk description input retrieval interval | `number` | `3600` | no | +| [api\_list](#input\_api\_list) | Splunk description input API list | `list(string)` | `[]` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/terraform-organization-info-role/README.md b/terraform-organization-info-role/README.md index 33c2e68..275ef65 100644 --- a/terraform-organization-info-role/README.md +++ b/terraform-organization-info-role/README.md @@ -60,3 +60,68 @@ No modules. ## Outputs No outputs. + + +# About aws-info-setup :: terraform-organization-info-role + +Role to be assumed from terraform in a remote account (or local account) to grab organization information +used for sharing resources across the organization. This role belongs only in the organization master, or +any delegated organization master(s). + +# Usage +```hcl +module "tf_org_role" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-organization-info-role?ref=tf-upgrade" + + tags = merge( + local.common_tags, + var.application_tags, + ) +} +``` + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [role\_description](#input\_role\_description) | IAM Role description | `string` | `"INF Terraform Role for Organization Information"` | no | +| [role\_name](#input\_role\_name) | IAM Role name (without prefix) | `string` | `"inf-terraform-organization-info"` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/terraform-state/README.md b/terraform-state/README.md index 4f41e3d..791cd2b 100644 --- a/terraform-state/README.md +++ b/terraform-state/README.md @@ -131,3 +131,139 @@ No modules. | [tfstate\_dynamodb\_arn](#output\_tfstate\_dynamodb\_arn) | Terraform state DynamoDB table ARN | | [tfstate\_key\_arn](#output\_tfstate\_key\_arn) | inf-tfstate KMS key ARN | | [tfstate\_region](#output\_tfstate\_region) | Terraform state region | + + +# aws-inf-setup :: terraform-state + +This set up the needed components for the Terraform remote state: + +* S3 bucket +* KMS key for the bucket +* DynamoDB table for locking +* IAM Policy + +# Usage +Here is a simple example, the one most commonly expected to be used. + +```hcl +module "tfstate" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" + + account_alias = "do2-govcloud" +} +``` + +This one can be used if you need to customize stuff, though really, the defaults are all built +for a reason, and deployment code (i.e., Ansible) will expect these defaults to be used in +variable file generation. + +```hcl +module "tfstate_full" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//terraform-state" + + # required + account_alias = "do2-govcloud" + + # optional, defaults + tfstate_key_prefix = "do2-govcloud" + kms_tfstate_key = "k-kms-inf-tfstate" + tfstate_table = "tf_remote_state" + tfstate_bucket = "inf-tfstate-123456789012" + tfstate_bucket_prefix = "inf-tfstate" + tfstate_key_suffix = "terraform.tfstate" + ## sso_permissionset_names = [ "inf-terraform" ] + + # this is generally not needed and not recommended + component_tags = { + "s3" = { + "SpecialTag1" = "something" + "SpecialTag2" = "somethingElse" + } + } +} +``` +## sso\_permissionset\_names +This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role. + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_dynamodb_table.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| [aws_iam_group.terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource | +| [aws_iam_group_policy_attachment.terraform_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_group_policy_attachment.terraform_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_group_policy_attachment.terraform_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_policy.allow_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.tfstate_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_ownership_controls.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_public_access_block.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.group_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.role_managed_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.allow_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.allow_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_key.kms_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documetnation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no | +| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | 
{
  "ddb": {},
  "kms": {},
  "s3": {}
}
| no | +| [kms\_tfstate\_key](#input\_kms\_tfstate\_key) | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no | +| [name](#input\_name) | Name suffix to use for policies, roles and groups (default: inf-terraform) | `string` | `"inf-terraform"` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` | 
[
  "inf-terraform"
]
| no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [tfstate\_bucket](#input\_tfstate\_bucket) | Terraform remote state S3 bucket | `string` | `""` | no | +| [tfstate\_bucket\_prefix](#input\_tfstate\_bucket\_prefix) | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no | +| [tfstate\_key\_prefix](#input\_tfstate\_key\_prefix) | Terraform remote state S3 bucket prefix (account alias) | `string` | `""` | no | +| [tfstate\_key\_suffix](#input\_tfstate\_key\_suffix) | Terraform remote state S3 bucket suffix | `string` | `"terraform.tfstate"` | no | +| [tfstate\_region](#input\_tfstate\_region) | Terraform remote state S3 bucket region | `string` | `""` | no | +| [tfstate\_table](#input\_tfstate\_table) | Terraform remote state table | `string` | `"tf_remote_state"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [role\_arn](#output\_role\_arn) | Role ARN for Terraform | +| [tfstate\_bucket\_arn](#output\_tfstate\_bucket\_arn) | Terraform state S3 bucket ARN | +| [tfstate\_bucket\_id](#output\_tfstate\_bucket\_id) | Terraform state S3 bucket ID | +| [tfstate\_dynamodb\_arn](#output\_tfstate\_dynamodb\_arn) | Terraform state DynamoDB table ARN | +| [tfstate\_key\_arn](#output\_tfstate\_key\_arn) | inf-tfstate KMS key ARN | +| [tfstate\_region](#output\_tfstate\_region) | Terraform state region | + \ No newline at end of file diff --git a/vpc-remove-defaults/README.md b/vpc-remove-defaults/README.md index eca19bb..a07d58f 100644 --- a/vpc-remove-defaults/README.md +++ b/vpc-remove-defaults/README.md @@ -106,3 +106,114 @@ No modules. | Name | Description | |------|-------------| | [defaults](#output\_defaults) | AWS VPC Defaults | + + +# aws-inf-setup :: vpc-remove defaults + +# Usage + +```hcl +module "vpc_defaults" { + source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//vpc-remove-defaults" + + account_alias = "ma5-gov" + + ## optional + # enable_igw_check = true + # region = "us-gov-west-1" + # profile = "myprofile" +} +``` + +By default, it will use the current region, and it will use a profile assumed to be constructed of +the `account_id`+`account_alias`. + +# Removing Defaults +On a new account, a number of default things are set up: +* VPC +* Route Table +* Security Group +* Network ACL +* DHCP Options +* Subnets +* Internet Gateway (this may be optional) + +These can be somewhat managed by Terraform, but destroying the resources does not remove them. +This module generates a script which uses the `aws` CLI to remove all the resources. It is in +`setup/delete-defaults.sh`. It is run like so: + +```console +% setup/delete-defaults.sh +``` + +To execute it not in dry-run mode, pass any argument: +```console +% setup/delete-defaults.sh true +``` + +To remove all the defaults, which is what we are required to do, you need a few steps: +1. plan +1. apply +1. destroy +1. run script + +```shell +tf-plan -target=module.vpc_defaults +tf-apply -target=module.vpc_defaults +tf-destory -target=module.vpc_defaults +setup/delete-defaults.sh true |& tee delete-defaults.sh.log +``` +Once all of the defaults are removed, you'll need to disable the associated .tf or remove the module code +which brought in the defaults. Running it a second time with no actual defaults will fail. + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | +| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource | +| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource | +| [aws_default_subnet.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_subnet) | resource | +| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource | +| [aws_default_vpc_dhcp_options.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc_dhcp_options) | resource | +| [null_resource.script](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_internet_gateway.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/internet_gateway) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [enable\_igw\_check](#input\_enable\_igw\_check) | Enable check of Internet Gateway (IGW) as part of default detection | `bool` | `true` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [profile](#input\_profile) | AWS Config profile (required for calling the aws cli; assumed to be {account\_id}-{account\_alias}) | `string` | `""` | no | +| [region](#input\_region) | AWS Region (default takes from current executing region) | `string` | `""` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [defaults](#output\_defaults) | AWS VPC Defaults | + \ No newline at end of file