initial: aws-security-audit

terraform-modules · Apr 12, 2019 · 57b5e2b · 57b5e2b
commit 57b5e2b
Show file tree

Hide file tree

Showing 4 changed files with 230 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,78 @@
+Usage:
+
+```code
+module "scanner" {
+#  source = "git@vc1.csvd.census.gov:terraform/terraform-modules.git/aws-security-audit"
+  source = "vc1.csvd.census.gov:terraform/terraform-modules.git/aws-security-audit"
+
+  group = "g-audit-group"
+  users = [ "s-ois-scan" ]
+  create_access_keys = true
+  pgp_key = ""
+}
+```
+
+## Required Inputs
+
+The following input variables are required:
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### create\_access\_keys
+
+Description: Set to 1 or true to create access keys
+
+Type: `string`
+
+Default: `"false"`
+
+### group
+
+Description: Security Audit IAM group name
+
+Type: `string`
+
+Default: `"g-inf-security-audit"`
+
+### pgp\_key
+
+Description: PGP key used to encrypt access key
+
+Type: `string`
+
+Default: `""`
+
+### policy
+
+Description: Security Audit IAM Policy name
+
+Type: `string`
+
+Default: `"p-inf-security-audit"`
+
+### users
+
+Description: Security Audit IAM user name(s)
+
+Type: `list`
+
+Default: `<list>`
+
+## Outputs
+
+The following outputs are exported:
+
+### aws\_access\_key\_id
+
+Description: Access Key IDs for Users
+
+### aws\_secret\_access\_key
+
+Description: Access Secret Key IDs for Users
+
+### user
+
+Description: Users created
+
diff --git a/main.tf b/main.tf
@@ -0,0 +1,103 @@
+/**
+ * Usage:
+* 
+* module "scanner" {
+*   source = "../module/aws-security-audit"
+* 
+*   group = "g-audit-group"
+*   users = [ "s-ois-scan" ]
+*   create_access_keys = true
+*   pgp_key = ""
+* }
+*/
+
+#---
+# used to get the partition from arn
+#---
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+  arn = "${data.aws_caller_identity.current.arn}"
+}
+
+#---
+# user setup
+#---
+resource "aws_iam_user" "audit" {
+  count = "${length(var.users)}"
+  name  = "${var.users[count.index]}"
+}
+
+#---
+# group setup
+#---
+resource "aws_iam_group" "audit" {
+  name = "${var.group}"
+}
+
+#---
+# group membership
+#---
+resource "aws_iam_group_membership" "audit" {
+  count      = "${length(var.users)}"
+  name       = "${var.group}"
+  group      = "${aws_iam_group.audit.name}"
+  users      = ["${var.users}"]
+  depends_on = ["aws_iam_user.audit"]
+}
+
+#---
+# policy document, policy, and attachment
+# from prowler: https://github.com/toniblyx/prowler
+#---
+data "aws_iam_policy_document" "audit" {
+  statement {
+    sid       = "AdditionalSecurityAuditpermissions"
+    effect    = "Allow"
+    actions   = ["support:DescribeTrustedAdvisorChecks"]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "audit" {
+  name        = "${var.policy}"
+  path        = "/"
+  description = "Policy for Security Auditing"
+  policy      = "${data.aws_iam_policy_document.audit.json}"
+}
+
+data "aws_iam_policy" "aws-managed-security-audit" {
+  arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+}
+
+locals {
+#  security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
+  enable_access_keys      = "${var.create_access_keys ? length(var.users) : 0 }"
+}
+
+#resource "aws_iam_group_policy_attachment" "audit" {
+#  count      = "${length(local.security-audit-policies)}"
+#  group      = "${aws_iam_group.audit.name}"
+#  policy_arn = "${element(local.security-audit-policies,count.index)}"
+#}
+
+resource "aws_iam_group_policy_attachment" "audit-0" {
+  group      = "${aws_iam_group.audit.name}"
+  policy_arn = "${aws_iam_policy.audit.arn}"
+}
+
+resource "aws_iam_group_policy_attachment" "audit-1" {
+  group      = "${aws_iam_group.audit.name}"
+  policy_arn = "${data.aws_iam_policy.aws-managed-security-audit.arn}"
+}
+
+#---
+# access key (not for rotation)
+#---
+resource "aws_iam_access_key" "audit" {
+  #  count = "${length(var.users)}"
+  count = "${local.enable_access_keys}"
+  user  = "${aws_iam_user.audit.*.name[count.index]}"
+
+  #  pgp_key = "${file("setup/terraform.gpg.b64")}"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,21 @@
+output "user" {
+  description = "Users created"
+  value       = ["${aws_iam_user.audit.*.name}"]
+}
+
+output "aws_access_key_id" {
+  description = "Access Key IDs for Users"
+  value       = "${aws_iam_access_key.audit.*.id}"
+}
+
+locals {
+#  encrypted_secret    = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
+  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+}
+
+output "aws_secret_access_key" {
+  description = "Access Secret Key IDs for Users"
+  value       = ["${split(",",local.secret)}"]
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,28 @@
+variable "group" {
+  description = "Security Audit IAM group name"
+  default     = "g-inf-security-audit"
+}
+
+variable "users" {
+  description = "Security Audit IAM user name(s)"
+
+  type    = "list"
+  default = ["s-inf-security-audit"]
+}
+
+variable "policy" {
+  description = "Security Audit IAM Policy name"
+  default     = "p-inf-security-audit"
+}
+
+# may be a sub-module by user after rotation
+variable "create_access_keys" {
+  description = "Set to 1 or true to create access keys"
+  default     = false
+}
+
+// Typical use to use "${file("filename.b64")}"
+variable "pgp_key" {
+  description = "PGP key used to encrypt access key"
+  default     = ""
+}