v2.1.0: add pre-commit, allow additional policies

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.50.0
+  hooks:
+#    - id: terraform_validate
+    - id: terraform_fmt
+    - id: terraform_docs_replace
+      args: ['table']
+      exclude: common/*.tf
+      exclude: version.tf
+    - id: terraform_tflint 
+      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.4.0
+  hooks:
+    - id: check-symlinks
+    - id: detect-aws-credentials
+    - id: detect-private-key

.tflint.hcl

@@ -0,0 +1,21 @@
+config {
+  module = true
+  force = false
+  disabled_by_default = false
+
+#  ignore_module = {
+#    "terraform-aws-modules/vpc/aws"            = true
+#    "terraform-aws-modules/security-group/aws" = true
+#  }
+
+#  varfile = ["example1.tfvars", "example2.tfvars"]
+#  variables = ["foo=bar", "bar=[\"baz\"]"]
+}
+
+rule "aws_instance_invalid_type" {
+  enabled = true
+}
+
+plugin "aws" {
+  enabled = true
+}

CHANGES.md

@@ -1,5 +1,9 @@
 * v1.0.0	tag initial release
 
 * v2.0.0	terraform 0.12 support
+
 * v2.0.1	add contact, reference
 
+* v2.1.0 -- 20210429
+  - add additional_policies feature
+  - add pre-commit hooks

README.md

@@ -1,82 +1,81 @@
-# Usage
+# aws-security-audit
+This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account
+is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted NetworkAudit permissions
+to be able to read most AWS resources.
 
-for terraform 0.11 v1.x use tf-0.11
-for terraform 0.12 v2.x use tf-0.12 (until rolled into head) or specific version v2.x.y
+# Usage
 
-```code
+```hcl
 module "scanner" {
-  source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-security-audit.git?ref=tf-0.12
+  source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git"
 
-  group = "g-audit-group"
-  users = [ "s-ois-scan" ]
   email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
   create_access_keys = true
   pgp_key = file(filename.b64)
+
+  ## optional
+  additional_policies = [ ]
+  group = "g-audit-group"
+  users = [ "s-ois-scan" ]
+  contact = "badra001"
+  reference = "INC1234"
 }
 ```
 
-## Required Inputs
-
-The following input variables are required:
-
-## Optional Inputs
-
-The following input variables are optional (have default values):
-
-### create\_access\_keys
-
-Description: Set to 1 or true to create access keys
-
-Type: `string`
-
-Default: `"false"`
-
-### group
-
-Description: Security Audit IAM group name
-
-Type: `string`
-
-Default: `"g-inf-security-audit"`
-
-### pgp\_key
-
-Description: PGP key used to encrypt access key
-
-Type: `string`
-
-Default: `""`
-
-### policy
-
-Description: Security Audit IAM Policy name
-
-Type: `string`
-
-Default: `"p-inf-security-audit"`
-
-### users
-
-Description: Security Audit IAM user name(s)
-
-Type: `list`
-
-Default: `<list>`
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_null"></a> [null](#provider\_null) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_access_key.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_group.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
+| [aws_iam_group_membership.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
+| [aws_iam_group_policy_attachment.additional_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.audit-0](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.audit-1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_user.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [null_resource.audit_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy.aws-managed-security-audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
+| [aws_iam_policy_document.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_policies"></a> [additional\_policies](#input\_additional\_policies) | ARNs of additional IAM policies to add to created group | `list(string)` | `[]` | no |
+| <a name="input_contact"></a> [contact](#input\_contact) | Census username contact | `string` | `""` | no |
+| <a name="input_create_access_keys"></a> [create\_access\_keys](#input\_create\_access\_keys) | Set to 1 or true to create access keys | `bool` | `false` | no |
+| <a name="input_email_addresses"></a> [email\_addresses](#input\_email\_addresses) | Security Audit IAM Email Contact List(s) | `list(string)` | <pre>[<br>  "ois.compliance.scanning.group@census.gov"<br>]</pre> | no |
+| <a name="input_group"></a> [group](#input\_group) | Security Audit IAM group name | `string` | `"g-inf-security-audit"` | no |
+| <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | PGP key used to encrypt access key | `string` | n/a | yes |
+| <a name="input_policy"></a> [policy](#input\_policy) | Security Audit IAM Policy name | `string` | `"p-inf-security-audit"` | no |
+| <a name="input_reference"></a> [reference](#input\_reference) | Remedy ticket reference number for the user | `string` | `""` | no |
+| <a name="input_users"></a> [users](#input\_users) | Security Audit IAM user name(s) | `list(string)` | <pre>[<br>  "s-inf-security-audit"<br>]</pre> | no |
 
 ## Outputs
 
-The following outputs are exported:
-
-### aws\_access\_key\_id
-
-Description: Access Key IDs for Users
-
-### aws\_secret\_access\_key
-
-Description: Access Secret Key IDs for Users
-
-### user
-
-Description: Users created
-
-
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_access_key_id"></a> [aws\_access\_key\_id](#output\_aws\_access\_key\_id) | Access Key IDs for Users |
+| <a name="output_aws_info"></a> [aws\_info](#output\_aws\_info) | Access key, secret, and user map output |
+| <a name="output_aws_secret_access_key"></a> [aws\_secret\_access\_key](#output\_aws\_secret\_access\_key) | Access Secret Key IDs for Users |
+| <a name="output_user"></a> [user](#output\_user) | Users created |

main.tf

@@ -1,47 +1,58 @@
 /**
+* # aws-security-audit
+* This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account
+* is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted NetworkAudit permissions
+* to be able to read most AWS resources.
+*
 * # Usage
 * 
-* ```code
+* ```hcl
 * module "scanner" {
-*   source = "../module/aws-security-audit"
-*   source = "git::https://vc1.csvd.census.gov/terraform-modules/aws-security-audit.git
+*   source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git"
 * 
+*   email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
+*   create_access_keys = true
+*   pgp_key = file(filename.b64)
+*
+*   ## optional
+*   additional_policies = [ ]
 *   group = "g-audit-group"
 *   users = [ "s-ois-scan" ]
 *   contact = "badra001"
 *   reference = "INC1234"
-*   email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
-*   create_access_keys = true
-*   pgp_key = file(filename.b64)
 * }
 * ```
 */
 
 locals {
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
   #  security-audit-policies = [ data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn ]
   enable_access_keys = var.create_access_keys ? length(var.users) : 0
-  contact = lower(var.contact)
-  email_address = join(",",[for e in var.email_addresses: lower(e)])
-  tags_email = map("boc:id:mail",local.email_address)
+  contact            = lower(var.contact)
+  email_address      = join(",", [for e in var.email_addresses : lower(e)])
+  tags_email         = map("boc:id:mail", local.email_address)
   tags_contact = {
     exists = {
       "boc:id:username" = local.contact
     }
-    not_exists = { }
+    not_exists = {}
   }
   tags_reference = {
     exists = {
       "boc:id:reference" = var.reference
     }
-    not_exists = { }
+    not_exists = {}
   }
   tags = merge(
     local.tags_contact[var.contact != "" ? "exists" : "not_exists"],
     local.tags_email,
     local.tags_reference[var.reference != "" ? "exists" : "not_exists"]
   )
-  aws_access_key_id = concat(aws_iam_access_key.audit[*].id,list(""))
-  aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret,list(""))
+  aws_access_key_id     = concat(aws_iam_access_key.audit[*].id, list(""))
+  aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, list(""))
 }
 
 #---
@@ -60,10 +71,10 @@ data "aws_arn" "current" {
 resource "aws_iam_user" "audit" {
   count = length(var.users)
   name  = var.users[count.index]
-  tags = local.tags
-#  tags = {
-#    "EmailAddress" = var.email_addresses[count.index]
-#  }
+  tags  = local.tags
+  #  tags = {
+  #    "EmailAddress" = var.email_addresses[count.index]
+  #  }
 }
 
 #---
@@ -124,6 +135,12 @@ resource "aws_iam_group_policy_attachment" "audit-1" {
   policy_arn = data.aws_iam_policy.aws-managed-security-audit.arn
 }
 
+resource "aws_iam_group_policy_attachment" "additional_policies" {
+  for_each   = toset(var.additional_policies)
+  group      = aws_iam_group.audit.name
+  policy_arn = each.key
+}
+
 #---
 # access key (not for rotation)
 #---
@@ -136,10 +153,10 @@ resource "aws_iam_access_key" "audit" {
 resource "null_resource" "audit_output" {
   count = length(var.users)
   triggers = {
-    user = element(aws_iam_user.audit[*].name,count.index)
-#    aws_access_key_id = element(aws_iam_access_key.audit[*].id,count.index)
-#    aws_secret_access_key = element(aws_iam_access_key.audit[*].encrypted_secret,count.index)
-    aws_access_key_id = element(local.aws_access_key_id,count.index)
-    aws_secret_access_key = element(local.aws_secret_access_key,count.index)
+    user = element(aws_iam_user.audit[*].name, count.index)
+    #    aws_access_key_id = element(aws_iam_access_key.audit[*].id,count.index)
+    #    aws_secret_access_key = element(aws_iam_access_key.audit[*].encrypted_secret,count.index)
+    aws_access_key_id     = element(local.aws_access_key_id, count.index)
+    aws_secret_access_key = element(local.aws_secret_access_key, count.index)
   }
 }

outputs.tf

@@ -9,20 +9,20 @@ output "aws_access_key_id" {
 }
 
 locals {
-#  encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
+  #  encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
   #  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
   #  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
   #  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
-#  secret = local.encrypted_secret
+  #  secret = local.encrypted_secret
 }
 
 output "aws_secret_access_key" {
   description = "Access Secret Key IDs for Users"
-#  value       = [split(",", local.secret)]
-  value       = aws_iam_access_key.audit[*].encrypted_secret
+  #  value       = [split(",", local.secret)]
+  value = aws_iam_access_key.audit[*].encrypted_secret
 }
 
 output "aws_info" {
   description = "Access key, secret, and user map output"
-  value = null_resource.audit_output[*].triggers
+  value       = null_resource.audit_output[*].triggers
 }