From d47e06df0cc8f806194692fa22a7b101522769b8 Mon Sep 17 00:00:00 2001
From: xpk <xpk@headdesk.me>
Date: Mon, 5 Sep 2022 13:52:21 +0800
Subject: [PATCH] UPD: updated several modules to simplify input variables

---
 .../networking/delete-default-vpcs/main.tf    |   5 +-
 .../aws_config/main.tf                        |  14 +-
 .../aws_config/variables.tf                   |  10 +-
 .../cloudtrail_cwlogs/cloudtrail.tf           |   6 +-
 .../cloudtrail_cwlogs/ct-key.tf               |   2 +-
 .../cloudtrail_cwlogs/ct-s3-bucket.tf         |  54 +--
 .../cloudtrail_cwlogs/cw-loggroup.tf          | 350 +++++++++---------
 .../cloudtrail_cwlogs/variables.tf            |   9 +-
 .../guardduty/variables.tf                    |  11 -
 .../roles_iam_resources/variables.tf          |  18 +-
 modules/storage/infra-s3-bucket/variables.tf  |  11 -
 11 files changed, 206 insertions(+), 284 deletions(-)

diff --git a/modules/networking/delete-default-vpcs/main.tf b/modules/networking/delete-default-vpcs/main.tf
index ab6130e..ea8e4cd 100644
--- a/modules/networking/delete-default-vpcs/main.tf
+++ b/modules/networking/delete-default-vpcs/main.tf
@@ -1,5 +1,8 @@
+data aws_regions all-aws-regions {}
+
 resource "null_resource" "shell" {
+  for_each = data.aws_regions.all-aws-regions.names
   provisioner "local-exec" {
-    command = "/bin/bash -c '${path.module}/exec.sh ${var.region-name}'"
+    command = "/bin/bash -c '${path.module}/exec.sh ${each.value}'"
   }
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/aws_config/main.tf b/modules/security_identity_compliance/aws_config/main.tf
index e172743..d80c78d 100644
--- a/modules/security_identity_compliance/aws_config/main.tf
+++ b/modules/security_identity_compliance/aws_config/main.tf
@@ -80,16 +80,10 @@ resource "aws_config_configuration_recorder_status" "main" {
 
 module config-bucket {
   source = "../../storage/infra-s3-bucket"
-
-  application = var.application
-  aws-region-short = var.aws-region-short
-  bucket-name = "${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
+  bucket-name = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
   add-random-suffix = false
   bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
-  customer-name = var.customer-name
   default-tags = var.default-tags
-  environment = var.environment
-  project = var.project
 }
 
 data "aws_iam_policy_document" "config_bucket_policy" {
@@ -107,7 +101,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
+      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
     ]
   }
 
@@ -124,7 +118,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
+      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
     ]
   }
 
@@ -141,7 +135,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
     ]
 
     resources = [
-      "arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
+      "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
     ]
 
     condition {
diff --git a/modules/security_identity_compliance/aws_config/variables.tf b/modules/security_identity_compliance/aws_config/variables.tf
index c7324ea..7dc9a0c 100644
--- a/modules/security_identity_compliance/aws_config/variables.tf
+++ b/modules/security_identity_compliance/aws_config/variables.tf
@@ -1,13 +1,5 @@
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "aws-region-short" {}
 variable "default-tags" {}
-
-locals {
-  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
-}
+variable resource-prefix {}
 
 variable config-retention-days {
   type = number
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
index 049ef54..eb88545 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cloudtrail.tf
@@ -1,12 +1,12 @@
 resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
-  name               = "${local.resource-prefix}-cwl-role"
+  name               = "${var.resource-prefix}-cwl-role"
   assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
   description        = "Enables AWS CloudTrail to deliver log to CloudWatch log"
   tags               = var.default-tags
 }
 
 resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
-  name   = "${local.resource-prefix}-cwl-role-policy"
+  name   = "${var.resource-prefix}-cwl-role-policy"
   role   = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
   policy = data.aws_iam_policy_document.ct-role-pdoc.json
 }
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "ct-role-pdoc" {
 
 
 resource "aws_cloudtrail" "default" {
-  name                          = "${local.resource-prefix}-trail-001"
+  name                          = "${var.resource-prefix}-trail-001"
   enable_logging                = true
   s3_bucket_name                = local.ct-bucket-name
   enable_log_file_validation    = true
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
index 2ebb9c3..3640e86 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-key.tf
@@ -6,7 +6,7 @@ resource "aws_kms_key" "ctbucket-key" {
 }
 
 resource "aws_kms_alias" ctbucket-key-aliaas {
-  name = "alias/${local.resource-prefix}-kmskey-default"
+  name = "alias/${var.resource-prefix}-kmskey-default"
   target_key_id = aws_kms_key.ctbucket-key.key_id
 }
 
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
index 2892258..4d1f05b 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/ct-s3-bucket.tf
@@ -55,54 +55,10 @@ data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
 
 }
 
+module ct-bucket {
+  source = "../../storage/infra-s3-bucket"
 
-resource "aws_s3_bucket" "ct-bucket" {
-  bucket = local.ct-bucket-name
-  policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
-
-  versioning {
-    enabled = false
-  }
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.ctbucket-key.arn
-        sse_algorithm = "aws:kms"
-      }
-    }
-  }
-  tags                 = var.default-tags
-
-  lifecycle_rule {
-    id = "${local.resource-prefix}-ctbucket-lifecycle-rule"
-    enabled = true
-
-    transition {
-      days = 30
-      storage_class = "INTELLIGENT_TIERING"
-    }
-
-    expiration {
-      days = var.cloudtrail-retain-days
-    }
-  }
+  bucket-name        = local.ct-bucket-name
+  bucket-policy-json = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
+  default-tags       = var.default-tags
 }
-
-
-resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
-  bucket = aws_s3_bucket.ct-bucket.id
-
-  block_public_acls   = true
-  block_public_policy = true
-  ignore_public_acls =  true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {
-  bucket = aws_s3_bucket.ct-bucket.id
-
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
index 2735d56..b6e2467 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/cw-loggroup.tf
@@ -1,13 +1,13 @@
 resource "aws_cloudwatch_log_group" "ct-cwl" {
-  name_prefix = "cloudtrail/"
+  name_prefix       = "cloudtrail/"
   retention_in_days = var.cloudtrail-retain-days
-  kms_key_id = aws_kms_key.ctbucket-key.arn
-  tags  = var.default-tags
+  kms_key_id        = aws_kms_key.ctbucket-key.arn
+  tags              = var.default-tags
 }
 
 resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
   name           = "cis11-rootaccess-filter"
-  pattern = <<EOT
+  pattern        = <<EOT
   {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
 EOT
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
@@ -20,16 +20,16 @@ EOT
 }
 
 resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
-  alarm_name                = "cis11-rootaccess-alarm"
-  comparison_operator       = "GreaterThanOrEqualToThreshold"
-  evaluation_periods        = "1"
-  metric_name               = "cis11-rootaccess-metric"
-  namespace                 = "LogMetrics"
-  period                    = "300"
-  statistic                 = "Average"
-  threshold                 = "1"
-  alarm_description         = "Root access is detected from cloudtrail"
-  treat_missing_data        = "notBreaching"
+  alarm_name          = "cis11-rootaccess-alarm"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = "1"
+  metric_name         = "cis11-rootaccess-metric"
+  namespace           = "LogMetrics"
+  period              = "300"
+  statistic           = "Average"
+  threshold           = "1"
+  alarm_description   = "Root access is detected from cloudtrail"
+  treat_missing_data  = "notBreaching"
 
   // alarm_actions     = []
 }
@@ -37,14 +37,14 @@ resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
 // CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
-  alarm_name = "cis-unauthorized_api_calls"
-  alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
-  metric_name = "UnauthorizedAttemptCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "60"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-unauthorized_api_calls"
+  alarm_description   = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
+  metric_name         = "UnauthorizedAttemptCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "60"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -52,25 +52,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
-  name = "UnauthorizedAttemptCount"
+  pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
+  name           = "UnauthorizedAttemptCount"
 
   metric_transformation {
-  name = "UnauthorizedAttemptCount"
-  value = "1"
-  namespace = "CloudTrailMetrics"
+    name      = "UnauthorizedAttemptCount"
+    value     = "1"
+    namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
-  alarm_name = "cis-no_mfa_console_logins"
-  alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
-  metric_name = "ConsoleSigninWithoutMFA"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "60"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-no_mfa_console_logins"
+  alarm_description   = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
+  metric_name         = "ConsoleSigninWithoutMFA"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "60"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -78,26 +78,26 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
-  name = "ConsoleSigninWithoutMFA"
+  pattern        = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
+  name           = "ConsoleSigninWithoutMFA"
 
   metric_transformation {
-    name = "ConsoleSigninWithoutMFA"
-    value = "1"
+    name      = "ConsoleSigninWithoutMFA"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
-  alarm_name = "cis-iam_policy_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
-  metric_name = "IAMPolicyEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-iam_policy_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
+  metric_name         = "IAMPolicyEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -105,25 +105,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
-  name = "IAMPolicyEventCount"
+  pattern        = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+  name           = "IAMPolicyEventCount"
 
   metric_transformation {
-    name = "IAMPolicyEventCount"
-    value = "1"
+    name      = "IAMPolicyEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
-  alarm_name = "cis-cloudtrail_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
-  metric_name = "CloudTrailEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-cloudtrail_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
+  metric_name         = "CloudTrailEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -131,25 +131,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
-  name = "CloudTrailEventCount"
+  pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
+  name           = "CloudTrailEventCount"
 
   metric_transformation {
-    name = "CloudTrailEventCount"
-    value = "1"
+    name      = "CloudTrailEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
-  alarm_name = "cis-failed_console_logins"
-  alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
-  metric_name = "ConsoleLoginFailures"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-failed_console_logins"
+  alarm_description   = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
+  metric_name         = "ConsoleLoginFailures"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -157,25 +157,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
-  name = "ConsoleLoginFailures"
+  pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
+  name           = "ConsoleLoginFailures"
 
   metric_transformation {
-    name = "ConsoleLoginFailures"
-    value = "1"
+    name      = "ConsoleLoginFailures"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
-  alarm_name = "cis-disabled_deleted_cmks"
-  alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
-  metric_name = "KMSCustomerKeyDeletion"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "60"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-disabled_deleted_cmks"
+  alarm_description   = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
+  metric_name         = "KMSCustomerKeyDeletion"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "60"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   //  alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -183,26 +183,26 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
-  name = "KMSCustomerKeyDeletion"
+  pattern        = "{ ($.eventSource = kms.amazonaws.com) &&  (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
+  name           = "KMSCustomerKeyDeletion"
 
   metric_transformation {
-    name = "KMSCustomerKeyDeletion"
-    value = "1"
+    name      = "KMSCustomerKeyDeletion"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
-  alarm_name = "cis-s3_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
-  metric_name = "S3BucketActivityEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-s3_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
+  metric_name         = "S3BucketActivityEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -210,25 +210,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
-  name = "S3BucketActivityEventCount"
+  pattern        = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
+  name           = "S3BucketActivityEventCount"
 
   metric_transformation {
-  name = "S3BucketActivityEventCount"
-  value = "1"
-  namespace = "CloudTrailMetrics"
+    name      = "S3BucketActivityEventCount"
+    value     = "1"
+    namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
-  alarm_name = "cis-config_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
-  metric_name = "CloudTrailEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-config_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
+  metric_name         = "CloudTrailEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -236,25 +236,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
-  name = "CloudTrailEventCount"
+  pattern        = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
+  name           = "CloudTrailEventCount"
 
   metric_transformation {
-  name = "CloudTrailEventCount"
-  value = "1"
-  namespace = "CloudTrailMetrics"
+    name      = "CloudTrailEventCount"
+    value     = "1"
+    namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
-  alarm_name = "cis-securitygroup_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
-  metric_name = "SecurityGroupEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-securitygroup_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
+  metric_name         = "SecurityGroupEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -262,51 +262,51 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
-  name = "SecurityGroupEventCount"
+  pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
+  name           = "SecurityGroupEventCount"
 
   metric_transformation {
-  name = "SecurityGroupEventCount"
-  value = "1"
-  namespace = "CloudTrailMetrics"
+    name      = "SecurityGroupEventCount"
+    value     = "1"
+    namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
-  alarm_name = "cis-nacl_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
-  metric_name = "NetworkAclEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-nacl_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
+  metric_name         = "NetworkAclEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
-  }
+}
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
-  name = "NetworkAclEventCount"
+  pattern        = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
+  name           = "NetworkAclEventCount"
 
   metric_transformation {
-    name = "NetworkAclEventCount"
-    value = "1"
+    name      = "NetworkAclEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
-  alarm_name = "cis-igw_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
-  metric_name = "GatewayEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-igw_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
+  metric_name         = "GatewayEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -314,25 +314,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
-  name = "GatewayEventCount"
+  pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
+  name           = "GatewayEventCount"
 
   metric_transformation {
-    name = "GatewayEventCount"
-    value = "1"
+    name      = "GatewayEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
-  alarm_name = "cis-vpc_routetable_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
-  metric_name = "VpcRouteTableEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-vpc_routetable_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
+  metric_name         = "VpcRouteTableEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -340,25 +340,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
-  name = "VpcRouteTableEventCount"
+  pattern        = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
+  name           = "VpcRouteTableEventCount"
 
   metric_transformation {
-    name = "VpcRouteTableEventCount"
-    value = "1"
+    name      = "VpcRouteTableEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
-  alarm_name = "cis-vpc_changes"
-  alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC."
-  metric_name = "VpcEventCount"
-  namespace = "CloudTrailMetrics"
-  statistic = "Sum"
-  period = "300"
-  threshold = "1"
-  evaluation_periods = "1"
+  alarm_name          = "cis-vpc_changes"
+  alarm_description   = "A CloudWatch Alarm that triggers when changes are made to a VPC."
+  metric_name         = "VpcEventCount"
+  namespace           = "CloudTrailMetrics"
+  statistic           = "Sum"
+  period              = "300"
+  threshold           = "1"
+  evaluation_periods  = "1"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   // alarm_actions = [""]
   treat_missing_data = "notBreaching"
@@ -366,12 +366,12 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
 
 resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
   log_group_name = aws_cloudwatch_log_group.ct-cwl.name
-  pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
-  name = "VpcEventCount"
+  pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
+  name           = "VpcEventCount"
 
   metric_transformation {
-    name = "VpcEventCount"
-    value = "1"
+    name      = "VpcEventCount"
+    value     = "1"
     namespace = "CloudTrailMetrics"
   }
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf b/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
index 24b947b..44a1c12 100644
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/variables.tf
@@ -1,16 +1,19 @@
+/*
 variable "customer-name" {}
 variable "environment" {}
 variable "project" {}
 variable "application" {}
-variable "aws-region-short" {}
+*/
+variable resource-prefix {}
 variable "default-tags" {}
 variable "cloudtrail-retain-days" {
   type = number
   default = 90
 }
 
+data aws_region this-region {}
+
 locals {
-  ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
-  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+  ct-bucket-name = "${var.resource-prefix}-ctbucket-${data.aws_caller_identity.this.account_id}"
 }
 
diff --git a/modules/security_identity_compliance/guardduty/variables.tf b/modules/security_identity_compliance/guardduty/variables.tf
index e1dcf7f..bace9fa 100644
--- a/modules/security_identity_compliance/guardduty/variables.tf
+++ b/modules/security_identity_compliance/guardduty/variables.tf
@@ -1,12 +1 @@
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "aws-region-short" {}
 variable "default-tags" {}
-
-locals {
-  ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
-  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
-}
-
diff --git a/modules/security_identity_compliance/roles_iam_resources/variables.tf b/modules/security_identity_compliance/roles_iam_resources/variables.tf
index e4538d8..b96acb1 100644
--- a/modules/security_identity_compliance/roles_iam_resources/variables.tf
+++ b/modules/security_identity_compliance/roles_iam_resources/variables.tf
@@ -1,8 +1,4 @@
 variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "aws-region-short" {}
 variable "default-tags" {}
 variable "cloudtrail-retain-days" {
   type = number
@@ -14,11 +10,11 @@ variable "create-cloudhealth-resources" {
   default = false
 }
 
-variable "cloudheath-ext-id1" {}
-variable "cloudheath-ext-id2" {}
-
-locals {
-  ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
-  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+variable "cloudheath-ext-id1" {
+  type = string
+  default = ""
+}
+variable "cloudheath-ext-id2" {
+  type = string
+  default = ""
 }
-
diff --git a/modules/storage/infra-s3-bucket/variables.tf b/modules/storage/infra-s3-bucket/variables.tf
index 93920c2..02ae502 100644
--- a/modules/storage/infra-s3-bucket/variables.tf
+++ b/modules/storage/infra-s3-bucket/variables.tf
@@ -1,8 +1,3 @@
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "aws-region-short" {}
 variable "default-tags" {}
 variable "bucket-retain-days" {
   type = number
@@ -19,12 +14,6 @@ variable "add-random-suffix" {
   default = false
 }
 
-data aws_region this-region {}
-
-locals {
-  resource-prefix = "${var.environment}-substr(${data.aws_region.this-region.name}, 0, 2)-${var.customer-name}-${var.project}"
-}
-
 variable bucket-acl {
   type = string
   default = "private"