- update policy, code structure

- remove access_key generation

CHANGELOG.md

@@ -22,3 +22,7 @@
 
 * 2.1.3 -- 2022-05-25
   - update statements to check for create first
+
+* 2.2.0 -- 2022-07-19
+  - update policy, code structure
+  - remove access_key generation

README.md

@@ -1,27 +1,27 @@
 # aws-security-audit
-This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account
-is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted NetworkAudit permissions
+
+This modulue sets up an IAM account and group for OIS to do scanning. By default, the IAM account
+is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted SecurityAudit permissions
 to be able to read most AWS resources.
 
+Additional permissions for use by [Tenable](https://docs.tenable.com/nessus/compliancechecksreference/Content/AWSIAMPolicy.htm) have also
+been included.
+
 # Usage
 
 ```hcl
 module "scanner" {
   source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git"
 
-  email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
-  create_access_keys = true
-  pgp_key = file(filename.b64)
-
   ## optional
-  additional_policies = [ ]
-  group = "g-audit-group"
-  users = [ "s-ois-scan" ]
-  contact = "badra001"
-  reference = "INC1234"
+  # additional_policies = [ ]
+  # reference = "INC000000001234"
 }
 ```
 
+Generation of access keys has been removed from this module, as we have a better more central way of
+handling that.
+
 ## Requirements
 
 | Name | Version |
@@ -33,7 +33,6 @@ module "scanner" {
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_null"></a> [null](#provider\_null) | n/a |
 
 ## Modules
 
@@ -43,14 +42,11 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_iam_access_key.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_group.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
 | [aws_iam_group_membership.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
-| [aws_iam_group_policy_attachment.audit_main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_group_policy_attachment.audit_other](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
+| [aws_iam_group_policy_attachment.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
 | [aws_iam_policy.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [null_resource.audit_output](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy.aws-managed-security-audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
@@ -65,7 +61,7 @@ No modules.
 | <a name="input_create_access_keys"></a> [create\_access\_keys](#input\_create\_access\_keys) | Set to 1 or true to create access keys | `bool` | `false` | no |
 | <a name="input_email_addresses"></a> [email\_addresses](#input\_email\_addresses) | Security Audit IAM Email Contact List(s) | `list(string)` | <pre>[<br>  "ois.compliance.scanning.group@census.gov"<br>]</pre> | no |
 | <a name="input_group"></a> [group](#input\_group) | Security Audit IAM group name | `string` | `"g-inf-security-audit"` | no |
-| <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | PGP key used to encrypt access key | `string` | n/a | yes |
+| <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | PGP key used to encrypt access key | `string` | `null` | no |
 | <a name="input_policy"></a> [policy](#input\_policy) | Security Audit IAM Policy name | `string` | `"p-inf-security-audit"` | no |
 | <a name="input_reference"></a> [reference](#input\_reference) | Remedy ticket reference number for the user | `string` | `""` | no |
 | <a name="input_users"></a> [users](#input\_users) | Security Audit IAM user name(s) | `list(string)` | <pre>[<br>  "s-inf-security-audit"<br>]</pre> | no |
@@ -74,7 +70,4 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_aws_access_key_id"></a> [aws\_access\_key\_id](#output\_aws\_access\_key\_id) | Access Key IDs for Users |
-| <a name="output_aws_info"></a> [aws\_info](#output\_aws\_info) | Access key, secret, and user map output |
-| <a name="output_aws_secret_access_key"></a> [aws\_secret\_access\_key](#output\_aws\_secret\_access\_key) | Access Secret Key IDs for Users |
 | <a name="output_user"></a> [user](#output\_user) | Users created |

data.tf

@@ -0,0 +1,6 @@
+data "aws_caller_identity" "current" {
+}
+
+data "aws_arn" "current" {
+  arn = data.aws_caller_identity.current.arn
+}

main.tf

@@ -1,39 +1,40 @@
 /**
 * # aws-security-audit
-* This modulue sets up an IAm account and group for OIS to do scanning. By default, the IAM account
-* is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted NetworkAudit permissions
+*
+* This modulue sets up an IAM account and group for OIS to do scanning. By default, the IAM account
+* is `s-inf-security-audit` and the group is `g-inf-security-audit`.  It is granted SecurityAudit permissions
 * to be able to read most AWS resources.
 *
+* Additional permissions for use by [Tenable](https://docs.tenable.com/nessus/compliancechecksreference/Content/AWSIAMPolicy.htm) have also
+* been included.
+*
 * # Usage
 * 
 * ```hcl
 * module "scanner" {
 *   source = "git@github.e.it.census.gov:terraform-modules/aws-security-audit.git"
 * 
-*   email_addresses = [ "ois.compliance.scanning.group@census.gov" ]
-*   create_access_keys = true
-*   pgp_key = file(filename.b64)
-*
 *   ## optional
-*   additional_policies = [ ]
-*   group = "g-audit-group"
-*   users = [ "s-ois-scan" ]
-*   contact = "badra001"
-*   reference = "INC1234"
+*   # additional_policies = [ ]
+*   # reference = "INC000000001234"
 * }
 * ```
+*
+* Generation of access keys has been removed from this module, as we have a better more central way of
+* handling that.
 */
 
 locals {
   base_tags = {
     "boc:tf_module_version" = local._module_version
     "boc:created_by"        = "terraform"
   }
+
   #  security-audit-policies = [ data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn ]
-  enable_access_keys = var.create_access_keys ? length(var.users) : 0
-  contact            = lower(var.contact)
-  email_address      = join(",", [for e in var.email_addresses : lower(e)])
-  tags_email         = { "boc:id:mail" = local.email_address }
+  #  enable_access_keys = var.create_access_keys ? length(var.users) : 0
+  contact       = lower(var.contact)
+  email_address = join(",", [for e in var.email_addresses : lower(e)])
+  tags_email    = { "boc:id:mail" = local.email_address }
   tags_contact = {
     exists = {
       "boc:id:username" = local.contact
@@ -51,36 +52,22 @@ locals {
     local.tags_email,
     local.tags_reference[var.reference != "" ? "exists" : "not_exists"]
   )
-  aws_access_key_id     = concat(aws_iam_access_key.audit[*].id, [])
-  aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, [])
-
-  policies = compact(concat([data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
-}
-
-#---
-# used to get the partition from arn
-#---
-data "aws_caller_identity" "current" {
-}
-
-data "aws_arn" "current" {
-  arn = data.aws_caller_identity.current.arn
+  #  aws_access_key_id     = concat(aws_iam_access_key.audit[*].id, [])
+  #  aws_secret_access_key = concat(aws_iam_access_key.audit[*].encrypted_secret, [])
+  #  policies = compact(concat([data.aws_iam_policy.aws-managed-security-audit.arn], var.additional_policies))
 }
 
 #---
 # user setup
 #---
 resource "aws_iam_user" "audit" {
-  count = length(var.users)
-  name  = var.users[count.index]
+  for_each = toset(var.users)
+  name     = each.key
+
   tags = merge(
     local.base_tags,
     local.tags,
   )
-  #  tags = {
-  #    "EmailAddress" = var.email_addresses[count.index]
-  #  }
-
 
   lifecycle {
     ignore_changes = [tags["boc:tf_module_version"]]
@@ -98,11 +85,10 @@ resource "aws_iam_group" "audit" {
 # group membership
 #---
 resource "aws_iam_group_membership" "audit" {
-  count      = length(var.users)
-  name       = var.group
-  group      = aws_iam_group.audit.name
-  users      = var.users
-  depends_on = [aws_iam_user.audit]
+  for_each = aws_iam_user.audit
+  name     = var.group
+  group    = aws_iam_group.audit.name
+  users    = each.value.name
 }
 
 #---
@@ -111,9 +97,20 @@ resource "aws_iam_group_membership" "audit" {
 #---
 data "aws_iam_policy_document" "audit" {
   statement {
-    sid       = "AdditionalSecurityAuditpermissions"
-    effect    = "Allow"
-    actions   = ["support:DescribeTrustedAdvisorChecks"]
+    sid    = "AdditionalSecurityAuditpermissions"
+    effect = "Allow"
+    actions = [
+      "cloudtrail:Describe*",
+      "cloudtrail:Get*",
+      "cloudtrail:List*",
+      "cloudwatch:List*",
+      "logs:Get*",
+      "rds:List*",
+      "sns:Get*",
+      "sns:List*",
+      "support:Describe*",
+      #      "support:DescribeTrustedAdvisorChecks",
+    ]
     resources = ["*"]
   }
 }
@@ -126,34 +123,36 @@ resource "aws_iam_policy" "audit" {
 }
 
 data "aws_iam_policy" "aws-managed-security-audit" {
-  arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+  #  arn = "arn:${data.aws_arn.current.partition}:iam::aws:policy/SecurityAudit"
+  name = "SecurityAudit"
 }
 
-resource "aws_iam_group_policy_attachment" "audit_main" {
-  group      = aws_iam_group.audit.name
-  policy_arn = aws_iam_policy.audit.arn
-}
-
-resource "aws_iam_group_policy_attachment" "audit_other" {
-  for_each   = toset(local.policies)
+resource "aws_iam_group_policy_attachment" "audit" {
+  for_each   = toset(compcat(concat([data.aws_iam_policy.aws-managed-security-audit.arn, aws_iam_policy.audit.arn], var.additional_policies)))
   group      = aws_iam_group.audit.name
   policy_arn = each.key
 }
 
+#resource "aws_iam_group_policy_attachment" "audit_other" {
+#  for_each   = toset(local.policies)
+#  group      = aws_iam_group.audit.name
+#  policy_arn = each.key
+#}
+#
 #---
 # access key (not for rotation)
 #---
-resource "aws_iam_access_key" "audit" {
-  count   = local.enable_access_keys
-  user    = aws_iam_user.audit[count.index].name
-  pgp_key = var.pgp_key
-}
-
-resource "null_resource" "audit_output" {
-  count = length(var.users)
-  triggers = {
-    user                  = var.create_access_keys ? element(aws_iam_user.audit[*].name, count.index) : null
-    aws_access_key_id     = var.create_access_keys ? element(local.aws_access_key_id, count.index) : null
-    aws_secret_access_key = var.create_access_keys ? element(local.aws_secret_access_key, count.index) : null
-  }
-}
+# resource "aws_iam_access_key" "audit" {
+#   count   = local.enable_access_keys
+#   user    = aws_iam_user.audit[count.index].name
+#   pgp_key = var.pgp_key
+# }
+# 
+# resource "null_resource" "audit_output" {
+#   count = length(var.users)
+#   triggers = {
+#     user                  = var.create_access_keys ? element(aws_iam_user.audit[*].name, count.index) : null
+#     aws_access_key_id     = var.create_access_keys ? element(local.aws_access_key_id, count.index) : null
+#     aws_secret_access_key = var.create_access_keys ? element(local.aws_secret_access_key, count.index) : null
+#   }
+# }

outputs.tf

@@ -1,28 +1,28 @@
 output "user" {
   description = "Users created"
-  value       = var.create_access_keys ? aws_iam_user.audit[*].name : []
+  value       = var.users
 }
 
-output "aws_access_key_id" {
-  description = "Access Key IDs for Users"
-  value       = var.create_access_keys ? aws_iam_access_key.audit[*].id : []
-}
-
-locals {
-  #  encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
-  #  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
-  #  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
-  #  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
-  #  secret = local.encrypted_secret
-}
-
-output "aws_secret_access_key" {
-  description = "Access Secret Key IDs for Users"
-  #  value       = [split(",", local.secret)]
-  value = var.create_access_keys ? aws_iam_access_key.audit[*].encrypted_secret : []
-}
-
-output "aws_info" {
-  description = "Access key, secret, and user map output"
-  value       = var.create_access_keys ? tomap(null_resource.audit_output[*].triggers) : {}
-}
+## output "aws_access_key_id" {
+##   description = "Access Key IDs for Users"
+##   value       = var.create_access_keys ? aws_iam_access_key.audit[*].id : []
+## }
+## 
+## locals {
+##   #  encrypted_secret = join(",", aws_iam_access_key.audit.*.encrypted_secret)
+##   #  encrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+##   #  notencrypted_secret = "${join(",",aws_iam_access_key.audit.*.secret)}"
+##   #  secret              = "${var.pgp_key == "" ? local.notencrypted_secret : local.encrypted_secret}"
+##   #  secret = local.encrypted_secret
+## }
+## 
+## output "aws_secret_access_key" {
+##   description = "Access Secret Key IDs for Users"
+##   #  value       = [split(",", local.secret)]
+##   value = var.create_access_keys ? aws_iam_access_key.audit[*].encrypted_secret : []
+## }
+## 
+## output "aws_info" {
+##   description = "Access key, secret, and user map output"
+##   value       = var.create_access_keys ? tomap(null_resource.audit_output[*].triggers) : {}
+## }