diff --git a/aws/projects/ois-cloud-storage-security/CSS_TF_NecessaryInputs.md b/aws/projects/ois-cloud-storage-security/CSS_TF_NecessaryInputs.md index 57590a2e..e19dbc4d 100644 --- a/aws/projects/ois-cloud-storage-security/CSS_TF_NecessaryInputs.md +++ b/aws/projects/ois-cloud-storage-security/CSS_TF_NecessaryInputs.md 
@@ -1,123 +1,83 @@ -# Cloud Storage Security Terraform Module - Necessary Inputs - ---- - -## Required Inputs -These variables must be set in the module block when using this module: - -### `cidr` (list(string)) -- **Description**: The CIDR blocks which are allowed access to the CSS Console (e.g., `0.0.0.0/0` for open access). - -### `email` (string) -- **Description**: The email address to be used for the initial admin account created for the CSS Console. - -### `subnet_a_id` (string) -- **Description**: A subnet ID within the VPC that may be used for ECS tasks for this deployment. - -### `subnet_b_id` (string) -- **Description**: A second subnet ID within the VPC that may be used for ECS tasks for this deployment. We recommend choosing subnets in different availability zones. - -### `vpc` (string) -- **Description**: The VPC in which to place the user-facing Console. - -## Also Necessary Inputs - -### `allow_access_to_all_kms_keys` (bool) -- **Description**: Pick `true` if you would like to give the scanner access to all KMS encrypted buckets. -- **Default**: `true` or 'false' -- **Comment**: May want to specify kms keys - -### `api_request_scaling_policy_prefix` (string) -- **Description**: Prefix for the AutoScaling policy for the API Service. -- **Default**: `"ApiServiceRequestScaling"` -- **Comment**: `"` - -### `application_bucket_prefix` (string) -- **Description**: Prefix for the main application bucket name. -- **Default**: `"cloudstoragesec"` -- **Comment**: `"` - -### `aws_account` (string) -- **Description**: The AWS account number where resources are being deployed. Defaults to the effective Account ID in which Terraform is authorized if not set. -- **Default**: `` - -### `buckets_to_protect` (string) -- **Description**: Enter any pre-existing buckets to enable event-based protection. Bucket names must be separated by commas (e.g., `bucket1,bucket2,bucket3`). 
-- **Default**: `""` - -### `configure_load_balancer` (bool) -- **Description**: Whether the Console should be deployed behind a load balancer. -- **Default**: `false` or 'true' -- **Comment**: Will decide based on Network Requirements - -### `console_auto_assign_public_ip` (bool) -- **Description**: Whether a public IP should be assigned to the console. If set to `false`, ensure the console can still reach AWS services via a proxy or NAT gateway. -- **Default**: `true` -- **Comment**: Will decide based on Network Requirements - -### `custom_resource_tags` (map(string)) -- **Description**: Map of custom tags to apply to resources. -- **Default**: `{}` - -### `ecr_account` (string) -- **Description**: The AWS Account ID containing the ECR repositories for the CSS Console and Agent images. -- **Default**: `null` - -### `enable_large_file_scanning` (bool) -- **Description**: Enable scanning for files too large for the normal agent. -- **Default**: `false` - -### `event_bridge_role_name` (string) -- **Description**: Optional Role name for AWS EventBridge execution. -- **Default**: `null` -- **Comment**: `` - -### `internal_lb` (bool) -- **Description**: Specify if the load balancer should be internal. -- **Default**: `false` -- **Comment**: Will decide based on Network Requirements - -### lb_cert_arn (string) -- **Description**: The certificate arn to use for the load balancer. Required if `configure_load_balancer` is true -- **Default**: `null` - -### lb_subnet_a_id (string) -- **Description**: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. ** Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. ** -- **Default**: `null` - -### lb_subnet_b_id (string) -- **Description**: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. 
**Subnet B must be different from Subnet A and should be in a different Availability Zones. Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. ** -- **Default**: `null` - -### parameter_prefix (string) -- **Description**: Prefix for SSM Parameters -- **Default**: `CloudStorageSecConsole' -- **Comment**: `` - -### quarantine_bucket_prefix (string) -- **Description**: Prefix for the quarantine bucket -- **Default**: `"cloudstoragesecquarantine"` -- **Comment**: `` - - -### service_name (string) -- **Description**: A prefix to place on resources that this Terraform template creates. May be overriden if there is an organizational standard for resource name prefixes that needs to be followed. values: any string, but should be short to avoid possibly attempting to create resources with names that exceed the max allowed length -- **Default**: `CloudStorageSec` -- **Comment**: `` -- **Comment**: This may not be aligned with the type of prefixes want to implement. Including for further review if necessary - -### set_log_group_retention_policy (bool) -- **Description**: Whether we should set a retention policy on CSS created log groups. AWS Landing Zone Accelerator environments must set this to false. -- **Default**: `true` - -### sns_cmk_key_arn (string) -- **Description**: Optional ARN for the CMK that should be used for the AWS KMS encryption for Notifications SNS topic. Cloud Storage Security Console and Agent IAM Roles will be given permission to use this key. -- **Default**: `null` - -### sns_topic_policy_override_policy_documents list(string) -- **Description**: List of IAM policy documents that are merged together into the default SNS 'Notifications' Topic. Passed in via `override_policy_documents` in `aws_iam_policy_document` data source. Users should omit definition of the `resources` attribute in statement(s) as the module will set resources to target only the 'Notifications' SNS topic. 
[IAM Policy documents # Override policy docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#override_policy_documents) -- **Default**: `[]` - -### trusted_load_balancer_network (string) -- **Description**: If you are using your own load balancer or other appliance to forward traffic to the Console, enter the trusted IP address range (CIDR notation) that will be routing traffic to the Console. Leave blank if you are not supplying your own load balancer. -- **Default**: `` +# Cloud Storage Security Terraform Module Settings + +## Required Inputs and Values + +These are from the [documentation](https://registry.terraform.io/modules/cloudstoragesec/cloud-storage-security/aws/latest?tab=inputs). + +* cidr: Allowed to use the console + * 148.129.0.0/16 + * 172.16.0.0/12 + * 10.0.0.0/8 +* email: Admin account email + * Recommend a shared mailbox, potentially for this POC csvd.aws+css-poc@census.gov +* subnet_a_id: first subnet (we will use one in 1a) + * get from app subnet in vpc via data resource +* subnet_b_id: first subnet (we will use one in 1b) + * get from app subnet in vpc via data resource +* vpc: VPC id for the console + * get from data resource + +## Additional Inputs and Values + +* allow_access_to_all_kms_keys + * false +* api_request_scaling_policy_prefix + * p-ApiServiceRequestScaling +* application_bucket_prefix + * v-s3-ois-css-poc +* aws_account + * 269222635945 (lab-gov-shared-nonprod) +* configure_load_balancer + * true + * may change to false to create separately +* console_auto_assign_public_ip + * false +* custom_resource_tags + * finops_* tags + * other tags +* internal_lb + * true +* lb_cert_arn + * created in [prerequisites](#prerequisites) +* lb_subnet_a_id + * get from private-lb subnet in vpc via data resource +* lb_subnet_b_id + * get from private-lb subnet in vpc via data resource +* parameter_prefix + * /apps/ois/css/poc +* quarantine_bucket_prefix + * v-s3-ois-css-poc-quarantine +* 
service_name + * ois-css-poc +* set_log_group_retention_policy + * true + +## Possible Inputs + +* buckets_to_protect +* ecr_account + * get value from vendor (to use remotely -- if not we need to pull images into our own repo) + * probably pull to our own repo +* trusted_load_balancer_network + * might use this if we front with f5 + +## Optional Inputs + +* enable_large_file_scanning +* event_bridge_role_name + * what do we do with eventbridge? +* sns_cmk_key_arn +* sns_topic_policy_override_policy_documents + +## Prerequisites + +1. create acm certificate from acmpca +1. setup ecr, pull images for console stuff +1. pull images for scanning stuff (perhaps?) + +# CHANGELOG + +- 1.0.0 -- 2025-01-10 + - initial +- 1.0.1 -- 2025-01-16 + - refined to just list inputs and values
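Review bot: the rewrite drops the constraints the old descriptions carried, and several of the chosen values depend on them. `lb_subnet_a_id`/`lb_subnet_b_id` taken from the private-lb subnets must still be in the same AZ as `subnet_a_id`/`subnet_b_id` (removed text: "If specified, must be in same AZ as Console subnet"); `console_auto_assign_public_ip` set to `false` means the console must reach AWS services through a proxy or NAT gateway; `lb_cert_arn` is required only while `configure_load_balancer` is `true`, which the note says may later flip to `false`; `allow_access_to_all_kms_keys` set to `false` leaves the scanner with no access to KMS-encrypted buckets unless keys are granted separately (removed comment: "May want to specify kms keys"); and `set_log_group_retention_policy` set to `true` loses the warning that AWS Landing Zone Accelerator environments must set it to `false`. Suggest keeping a one-line constraint under each of those entries. Also, `subnet_b_id` reads "first subnet (we will use one in 1b)" and should say "second subnet".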