diff --git a/README.md b/README.md
new file mode 100644
index 0000000..39122d3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,78 @@
+Usage:
+
+```code
+module "scanner" {
+# source = "git@vc1.csvd.census.gov:terraform/terraform-modules.git/aws-security-audit"
+ source = "vc1.csvd.census.gov:terraform/terraform-modules.git/aws-security-audit"
+
+ group = "g-audit-group"
+ users = [ "s-ois-scan" ]
+ create_access_keys = true
+ pgp_key = ""
+}
+```
+
+## Required Inputs
+
+The following input variables are required:
+
+## Optional Inputs
+
+The following input variables are optional (have default values):
+
+### create\_access\_keys
+
+Description: Set to 1 or true to create access keys
+
+Type: `string`
+
+Default: `"false"`
+
+### group
+
+Description: Security Audit IAM group name
+
+Type: `string`
+
+Default: `"g-inf-security-audit"`
+
+### pgp\_key
+
+Description: PGP key used to encrypt access key
+
+Type: `string`
+
+Default: `""`
+
+### policy
+
+Description: Security Audit IAM Policy name
+
+Type: `string`
+
+Default: `"p-inf-security-audit"`
+
+### users
+
+Description: Security Audit IAM user name(s)
+
+Type: `list`
+
+Default: ``
+
+## Outputs
+
+The following outputs are exported:
+
+### aws\_access\_key\_id
+
+Description: Access Key IDs for Users
+
+### aws\_secret\_access\_key
+
+Description: Access Secret Key IDs for Users
+
+### user
+
+Description: Users created
+
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..dadbd00
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,103 @@
+/**
+ * Usage:
+*
+* module "scanner" {
+* source = "../module/aws-security-audit"
+*
+* group = "g-audit-group"
+* users = [ "s-ois-scan" ]
+* create_access_keys = true
+* pgp_key = ""
+* }
+*/
+
+#---
+# used to get the partition from arn
+#---
+data "aws_caller_identity" "current" {}
+
+data "aws_arn" "current" {
+ arn = "${data.aws_caller_identity.current.arn}"
+}
+
+#---
+# user setup
+#---
+resource "aws_iam_user" "audit" {
+ count = "${length(var.users)}"
+ name = "${var.users[count.index]}"
+}
+
+#---
+# group setup
+#---
+resource "aws_iam_group" "audit" {
+ name = "${var.group}"
+}
+
+#---
+# group membership
+#---
+resource "aws_iam_group_membership" "audit" {
+ count = "${length(var.users)}"
+ name = "${var.group}"
+ group = "${aws_iam_group.audit.name}"
+ users = ["${var.users}"]
+ depends_on = ["aws_iam_user.audit"]
+}
+
+#---
+# policy document, policy, and attachment
+# from prowler: https://github.com/toniblyx/prowler
+#---
+data "aws_iam_policy_document" "audit" {
+ statement {
+ sid = "AdditionalSecurityAuditpermissions"
+ effect = "Allow"
+ actions = ["support:DescribeTrustedAdvisorChecks"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "audit" {
+ name = "${var.policy}"
+ path = "/"
+ description = "Policy for Security Auditing"
+ policy = "${data.aws_iam_policy_document.audit.json}"
+}
+
+data "aws_iam_policy" "aws-managed-security-audit" {
+ arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+}
+
+locals {
+# security-audit-policies = ["${data.aws_iam_policy.aws-managed-security-audit.arn}", "$(aws_iam_policy.audit.arn}"]
+ enable_access_keys = "${var.create_access_keys ? 
length(var.users) : 0 }"
+}
+
+#resource "aws_iam_group_policy_attachment" "audit" {
+# count = "${length(local.security-audit-policies)}"
+# group = "${aws_iam_group.audit.name}"
+# policy_arn = "${element(local.security-audit-policies,count.index)}"
+#}
+
+resource "aws_iam_group_policy_attachment" "audit-0" {
+ group = "${aws_iam_group.audit.name}"
+ policy_arn = "${aws_iam_policy.audit.arn}"
+}
+
+resource "aws_iam_group_policy_attachment" "audit-1" {
+ group = "${aws_iam_group.audit.name}"
+ policy_arn = "${data.aws_iam_policy.aws-managed-security-audit.arn}"
+}
+
+#---
+# access key (not for rotation)
+#---
+resource "aws_iam_access_key" "audit" {
+ # count = "${length(var.users)}"
+ count = "${local.enable_access_keys}"
+ user = "${aws_iam_user.audit.*.name[count.index]}"
+
+ # pgp_key = "${file("setup/terraform.gpg.b64")}"
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..4550e68
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,21 @@
+output "user" {
+ description = "Users created"
+ value = ["${aws_iam_user.audit.*.name}"]
+}
+
+output "aws_access_key_id" {
+ description = "Access Key IDs for Users"
+ value = "${aws_iam_access_key.audit.*.id}"
+}
+
+locals {
+# encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"
+ encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+ notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+ secret = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+}
+
+output "aws_secret_access_key" {
+ description = "Access Secret Key IDs for Users"
+ value = ["${split(",",local.secret)}"]
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..e3588b0
--- /dev/null
+++ b/variables.tf
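Review bot: `aws_iam_access_key.audit` never sets `pgp_key` — the only reference is the commented-out `file("setup/terraform.gpg.b64")` line — so `var.pgp_key` is unused in main.tf and every generated secret is written to Terraform state in plaintext no matter what the caller passes; wire it through with `pgp_key = "${var.pgp_key}"` (the provider should treat the empty default as "not set", but confirm against the provider version in use). Separately, `aws_iam_group_membership.audit` combines `count = "${length(var.users)}"` with the full `users = ["${var.users}"]` list and a constant `name`, so more than one user yields several identical membership resources contending over the same group; drop `count` and take the names from the created resources, `users = ["${aws_iam_user.audit.*.name}"]`, which also makes the `depends_on` unnecessary. The policy document's `resources = ["*"]` is acceptable here since `support:*` actions are not resource-scoped, but a comment saying so would save the next reader the check.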
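Review bot: `local.encrypted_secret` reads `aws_iam_access_key.audit.*.secret` rather than `.encrypted_secret` (the correct line sits commented out just above it), so both branches of the `var.pgp_key == ""` conditional resolve to the plaintext secret and `aws_secret_access_key` exposes it even when the caller supplied a PGP key; when a key is set the provider presumably leaves `secret` unset, so the output would then be empty instead of encrypted. Restore `encrypted_secret = "${join(",",aws_iam_access_key.audit.*.encrypted_secret)}"`, and add `sensitive = true` to the `aws_secret_access_key` output so the value is not echoed in plan/apply logs (it still lives in state, which the pgp_key path is meant to protect).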
@@ -0,0 +1,28 @@
+variable "group" {
+ description = "Security Audit IAM group name"
+ default = "g-inf-security-audit"
+}
+
+variable "users" {
+ description = "Security Audit IAM user name(s)"
+
+ type = "list"
+ default = ["s-inf-security-audit"]
+}
+
+variable "policy" {
+ description = "Security Audit IAM Policy name"
+ default = "p-inf-security-audit"
+}
+
+# may be a sub-module by user after rotation
+variable "create_access_keys" {
+ description = "Set to 1 or true to create access keys"
+ default = false
+}
+
+// Typical use to use "${file("filename.b64")}"
+variable "pgp_key" {
+ description = "PGP key used to encrypt access key"
+ default = ""
+}
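Review bot: `users` defaults to `["s-inf-security-audit"]`, so a caller who passes nothing still creates an IAM user in the audit group (and, with `create_access_keys`, a key pair for it), while the README in this same commit documents the default as empty; make user creation opt-in with `default = []` or correct the README. It would also help to state in the `create_access_keys` description that keys are skipped entirely when `users` is empty, since `local.enable_access_keys` in main.tf is derived from `length(var.users)`.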