UPD: updated several modules to simplify input variables

xpk 2022-09-05 13:52:21 +08:00
parent aaf99335bd
commit d47e06df0c
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
11 changed files with 206 additions and 284 deletions


@ -1,5 +1,8 @@
data aws_regions all-aws-regions {}
resource "null_resource" "shell" { resource "null_resource" "shell" {
for_each = data.aws_regions.all-aws-regions.names
provisioner "local-exec" { provisioner "local-exec" {
command = "/bin/bash -c '${path.module}/exec.sh ${var.region-name}'" command = "/bin/bash -c '${path.module}/exec.sh ${each.value}'"
} }
} }
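Review bot: `data aws_regions all-aws-regions {}` leaves `all_regions` unset, so the list only holds regions currently enabled for the account and any opt-in region that is still disabled is silently skipped by the per-region `local-exec` run; if the script is meant to cover every region, set `all_regions = true` and let exec.sh cope with disabled regions, otherwise record the limitation with a comment such as `# only regions enabled for this account are iterated; opt-in regions need all_regions = true`. The `null_resource` also has no `triggers` block, so each instance's provisioner runs once at creation and is not re-run when exec.sh changes (a newly enabled region simply gains a fresh for_each instance). What exec.sh does with the region argument is outside the hunk.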


@ -80,16 +80,10 @@ resource "aws_config_configuration_recorder_status" "main" {
module config-bucket { module config-bucket {
source = "../../storage/infra-s3-bucket" source = "../../storage/infra-s3-bucket"
bucket-name = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
application = var.application
aws-region-short = var.aws-region-short
bucket-name = "${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"
add-random-suffix = false add-random-suffix = false
bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json bucket-policy-json = data.aws_iam_policy_document.config_bucket_policy.json
customer-name = var.customer-name
default-tags = var.default-tags default-tags = var.default-tags
environment = var.environment
project = var.project
} }
data "aws_iam_policy_document" "config_bucket_policy" { data "aws_iam_policy_document" "config_bucket_policy" {
@ -107,7 +101,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
] ]
resources = [ resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}", "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
] ]
} }
@ -124,7 +118,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
] ]
resources = [ resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}", "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}",
] ]
} }
@ -141,7 +135,7 @@ data "aws_iam_policy_document" "config_bucket_policy" {
] ]
resources = [ resources = [
"arn:aws:s3:::${local.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*", "arn:aws:s3:::${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}/*",
] ]
condition { condition {
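Review bot: The bucket name in the `config-bucket` call and the three ARNs in the policy statements now depend on the caller-supplied `var.resource-prefix`, so the S3 naming constraints the old `local.resource-prefix` satisfied by construction (lowercase, hyphens only, bounded length) are no longer guaranteed, and a value that differs from the previous local forces replacement of the config bucket (`add-random-suffix = false` makes the name exact) and, in the later sections, of the CloudTrail IAM role, the trail `…-trail-001` and the KMS alias — a replaced trail is a gap in log delivery. The same name expression is also spelled out four times across the module call and the policy document; a single `config-bucket-name = "${var.resource-prefix}-configbucket-${data.aws_caller_identity.this.account_id}"` in `locals` (or the module's bucket-name output, if it exposes one) would keep the policy resources in step with the bucket they protect. The policy document continues past the hunk.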


@ -1,13 +1,5 @@
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {} variable "default-tags" {}
variable resource-prefix {}
locals {
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}
variable config-retention-days { variable config-retention-days {
type = number type = number
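Review bot: `variable resource-prefix {}` declares an input that ends up in S3 bucket names and IAM policy ARNs with no type, description or validation, so a malformed prefix is caught only by AWS at apply time, after the plan has already shown replacements. Suggest `type = string`, `description = "Prefix for all resource names (replaces the former environment-region-customer-project local)"` and `validation { condition = can(regex("^[a-z0-9][a-z0-9-]*$", var.resource-prefix)) error_message = "resource-prefix must be lowercase alphanumeric with hyphens so it is valid in S3 bucket names." }`. The `config-retention-days` declaration continues past the hunk.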


@ -1,12 +1,12 @@
resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" { resource "aws_iam_role" "iam_cloudtrial_cloudwatch_role" {
name = "${local.resource-prefix}-cwl-role" name = "${var.resource-prefix}-cwl-role"
assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json assume_role_policy = data.aws_iam_policy_document.ct-role-assumerole-policy.json
description = "Enables AWS CloudTrail to deliver log to CloudWatch log" description = "Enables AWS CloudTrail to deliver log to CloudWatch log"
tags = var.default-tags tags = var.default-tags
} }
resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" { resource "aws_iam_role_policy" "iam_cloudtrial_cloudwatach_role_policy" {
name = "${local.resource-prefix}-cwl-role-policy" name = "${var.resource-prefix}-cwl-role-policy"
role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id role = aws_iam_role.iam_cloudtrial_cloudwatch_role.id
policy = data.aws_iam_policy_document.ct-role-pdoc.json policy = data.aws_iam_policy_document.ct-role-pdoc.json
} }
@ -46,7 +46,7 @@ data "aws_iam_policy_document" "ct-role-pdoc" {
resource "aws_cloudtrail" "default" { resource "aws_cloudtrail" "default" {
name = "${local.resource-prefix}-trail-001" name = "${var.resource-prefix}-trail-001"
enable_logging = true enable_logging = true
s3_bucket_name = local.ct-bucket-name s3_bucket_name = local.ct-bucket-name
enable_log_file_validation = true enable_log_file_validation = true


@ -6,7 +6,7 @@ resource "aws_kms_key" "ctbucket-key" {
} }
resource "aws_kms_alias" ctbucket-key-aliaas { resource "aws_kms_alias" ctbucket-key-aliaas {
name = "alias/${local.resource-prefix}-kmskey-default" name = "alias/${var.resource-prefix}-kmskey-default"
target_key_id = aws_kms_key.ctbucket-key.key_id target_key_id = aws_kms_key.ctbucket-key.key_id
} }


@ -55,54 +55,10 @@ data "aws_iam_policy_document" "cloudtrail_bucket_policy" {
} }
module ct-bucket {
source = "../../storage/infra-s3-bucket"
resource "aws_s3_bucket" "ct-bucket" { bucket-name = local.ct-bucket-name
bucket = local.ct-bucket-name bucket-policy-json = data.aws_iam_policy_document.cloudtrail_bucket_policy.json
policy = data.aws_iam_policy_document.cloudtrail_bucket_policy.json default-tags = var.default-tags
versioning {
enabled = false
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.ctbucket-key.arn
sse_algorithm = "aws:kms"
}
}
}
tags = var.default-tags
lifecycle_rule {
id = "${local.resource-prefix}-ctbucket-lifecycle-rule"
enabled = true
transition {
days = 30
storage_class = "INTELLIGENT_TIERING"
}
expiration {
days = var.cloudtrail-retain-days
}
}
} }
resource "aws_s3_bucket_public_access_block" "s3-public-access-settings" {
bucket = aws_s3_bucket.ct-bucket.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_ownership_controls" "ctbucket-ownership-setting" {
bucket = aws_s3_bucket.ct-bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
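Review bot: The removed inline `aws_s3_bucket.ct-bucket` carried SSE-KMS with `aws_kms_key.ctbucket-key`, a public access block, `BucketOwnerPreferred` ownership controls and a lifecycle rule expiring objects after `var.cloudtrail-retain-days`, while the `module ct-bucket` call that replaces it passes only the name, policy and tags, and whether `../../storage/infra-s3-bucket` reproduces those settings is not visible here. The module interface seen in this commit's config-bucket call has no KMS-key or retention input, so unless the module encrypts with a key of its own and applies an expiry, trail objects would presumably no longer be encrypted under the CloudTrail CMK and would never expire — please confirm the module's defaults or add those inputs. Because the bucket moves to a new resource address, the plan is likely to destroy the old bucket and create a new one with the same name unless a `moved` block or a state move is done first, which for a non-empty trail bucket either fails or discards existing logs; `local.ct-bucket-name` is defined outside the hunk. A comment on the module call such as `# SSE-KMS with ctbucket-key, public access block and lifecycle expiry are expected from the module — verify` would at least record the assumption.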


@ -1,13 +1,13 @@
resource "aws_cloudwatch_log_group" "ct-cwl" { resource "aws_cloudwatch_log_group" "ct-cwl" {
name_prefix = "cloudtrail/" name_prefix = "cloudtrail/"
retention_in_days = var.cloudtrail-retain-days retention_in_days = var.cloudtrail-retain-days
kms_key_id = aws_kms_key.ctbucket-key.arn kms_key_id = aws_kms_key.ctbucket-key.arn
tags = var.default-tags tags = var.default-tags
} }
resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" { resource "aws_cloudwatch_log_metric_filter" "cwl-metric-filter-cis11" {
name = "cis11-rootaccess-filter" name = "cis11-rootaccess-filter"
pattern = <<EOT pattern = <<EOT
{$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"} {$.userIdentity.type="Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType !="AwsServiceEvent"}
EOT EOT
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
@ -20,16 +20,16 @@ EOT
} }
resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" { resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
alarm_name = "cis11-rootaccess-alarm" alarm_name = "cis11-rootaccess-alarm"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = "1" evaluation_periods = "1"
metric_name = "cis11-rootaccess-metric" metric_name = "cis11-rootaccess-metric"
namespace = "LogMetrics" namespace = "LogMetrics"
period = "300" period = "300"
statistic = "Average" statistic = "Average"
threshold = "1" threshold = "1"
alarm_description = "Root access is detected from cloudtrail" alarm_description = "Root access is detected from cloudtrail"
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
// alarm_actions = [] // alarm_actions = []
} }
@ -37,14 +37,14 @@ resource "aws_cloudwatch_metric_alarm" "cis11-rootaccess-alarm" {
// CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/ // CIS 3.x benchmark from asecure.cloud https://asecure.cloud/p/monitoring_cis_benchmark/
resource "aws_cloudwatch_metric_alarm" "CwAlarm2" { resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
alarm_name = "cis-unauthorized_api_calls" alarm_name = "cis-unauthorized_api_calls"
alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted." alarm_description = "A CloudWatch Alarm that triggers if Multiple unauthorized actions or logins attempted."
metric_name = "UnauthorizedAttemptCount" metric_name = "UnauthorizedAttemptCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "60" period = "60"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -52,25 +52,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm2" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter2" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
name = "UnauthorizedAttemptCount" name = "UnauthorizedAttemptCount"
metric_transformation { metric_transformation {
name = "UnauthorizedAttemptCount" name = "UnauthorizedAttemptCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm3" { resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
alarm_name = "cis-no_mfa_console_logins" alarm_name = "cis-no_mfa_console_logins"
alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA." alarm_description = "A CloudWatch Alarm that triggers if there is a Management Console sign-in without MFA."
metric_name = "ConsoleSigninWithoutMFA" metric_name = "ConsoleSigninWithoutMFA"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "60" period = "60"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -78,26 +78,26 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm3" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter3" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }" pattern = "{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"
name = "ConsoleSigninWithoutMFA" name = "ConsoleSigninWithoutMFA"
metric_transformation { metric_transformation {
name = "ConsoleSigninWithoutMFA" name = "ConsoleSigninWithoutMFA"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm4" { resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
alarm_name = "cis-iam_policy_changes" alarm_name = "cis-iam_policy_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups." alarm_description = "A CloudWatch Alarm that triggers when changes are made to IAM policies. Events include IAM policy creation/deletion/update operations as well as attaching/detaching policies from IAM users, roles or groups."
metric_name = "IAMPolicyEventCount" metric_name = "IAMPolicyEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -105,25 +105,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm4" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter4" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}" pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
name = "IAMPolicyEventCount" name = "IAMPolicyEventCount"
metric_transformation { metric_transformation {
name = "IAMPolicyEventCount" name = "IAMPolicyEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm5" { resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
alarm_name = "cis-cloudtrail_changes" alarm_name = "cis-cloudtrail_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail." alarm_description = "A CloudWatch Alarm that triggers when changes are made to CloudTrail."
metric_name = "CloudTrailEventCount" metric_name = "CloudTrailEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -131,25 +131,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm5" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter5" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
name = "CloudTrailEventCount" name = "CloudTrailEventCount"
metric_transformation { metric_transformation {
name = "CloudTrailEventCount" name = "CloudTrailEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm6" { resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
alarm_name = "cis-failed_console_logins" alarm_name = "cis-failed_console_logins"
alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures." alarm_description = "A CloudWatch Alarm that triggers if there are AWS Management Console authentication failures."
metric_name = "ConsoleLoginFailures" metric_name = "ConsoleLoginFailures"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -157,25 +157,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm6" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter6" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }" pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
name = "ConsoleLoginFailures" name = "ConsoleLoginFailures"
metric_transformation { metric_transformation {
name = "ConsoleLoginFailures" name = "ConsoleLoginFailures"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm7" { resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
alarm_name = "cis-disabled_deleted_cmks" alarm_name = "cis-disabled_deleted_cmks"
alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion." alarm_description = "A CloudWatch Alarm that triggers if customer created CMKs get disabled or scheduled for deletion."
metric_name = "KMSCustomerKeyDeletion" metric_name = "KMSCustomerKeyDeletion"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "60" period = "60"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -183,26 +183,26 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm7" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter7" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }" pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey) || ($.eventName=ScheduleKeyDeletion)) }"
name = "KMSCustomerKeyDeletion" name = "KMSCustomerKeyDeletion"
metric_transformation { metric_transformation {
name = "KMSCustomerKeyDeletion" name = "KMSCustomerKeyDeletion"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm8" { resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
alarm_name = "cis-s3_changes" alarm_name = "cis-s3_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket." alarm_description = "A CloudWatch Alarm that triggers when changes are made to an S3 Bucket."
metric_name = "S3BucketActivityEventCount" metric_name = "S3BucketActivityEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -210,25 +210,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm8" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter8" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
name = "S3BucketActivityEventCount" name = "S3BucketActivityEventCount"
metric_transformation { metric_transformation {
name = "S3BucketActivityEventCount" name = "S3BucketActivityEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm9" { resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
alarm_name = "cis-config_changes" alarm_name = "cis-config_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config." alarm_description = "A CloudWatch Alarm that triggers when changes are made to AWS Config."
metric_name = "CloudTrailEventCount" metric_name = "CloudTrailEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -236,25 +236,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm9" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter9" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }" pattern = "{ ($.eventName = PutConfigurationRecorder) || ($.eventName = StopConfigurationRecorder) || ($.eventName = DeleteDeliveryChannel) || ($.eventName = PutDeliveryChannel) }"
name = "CloudTrailEventCount" name = "CloudTrailEventCount"
metric_transformation { metric_transformation {
name = "CloudTrailEventCount" name = "CloudTrailEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm10" { resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
alarm_name = "cis-securitygroup_changes" alarm_name = "cis-securitygroup_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups." alarm_description = "A CloudWatch Alarm that triggers when changes are made to Security Groups."
metric_name = "SecurityGroupEventCount" metric_name = "SecurityGroupEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -262,51 +262,51 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm10" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter10" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }" pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
name = "SecurityGroupEventCount" name = "SecurityGroupEventCount"
metric_transformation { metric_transformation {
name = "SecurityGroupEventCount" name = "SecurityGroupEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm11" { resource "aws_cloudwatch_metric_alarm" "CwAlarm11" {
alarm_name = "cis-nacl_changes" alarm_name = "cis-nacl_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs." alarm_description = "A CloudWatch Alarm that triggers when changes are made to Network ACLs."
metric_name = "NetworkAclEventCount" metric_name = "NetworkAclEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
} }
resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter11" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
name = "NetworkAclEventCount" name = "NetworkAclEventCount"
metric_transformation { metric_transformation {
name = "NetworkAclEventCount" name = "NetworkAclEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm12" { resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
alarm_name = "cis-igw_changes" alarm_name = "cis-igw_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC." alarm_description = "A CloudWatch Alarm that triggers when changes are made to an Internet Gateway in a VPC."
metric_name = "GatewayEventCount" metric_name = "GatewayEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -314,25 +314,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm12" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter12" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
name = "GatewayEventCount" name = "GatewayEventCount"
metric_transformation { metric_transformation {
name = "GatewayEventCount" name = "GatewayEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm13" { resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
alarm_name = "cis-vpc_routetable_changes" alarm_name = "cis-vpc_routetable_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table." alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC's Route Table."
metric_name = "VpcRouteTableEventCount" metric_name = "VpcRouteTableEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -340,25 +340,25 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm13" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter13" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }" pattern = "{ ($.eventName = AssociateRouteTable) || ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DeleteRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DisassociateRouteTable) }"
name = "VpcRouteTableEventCount" name = "VpcRouteTableEventCount"
metric_transformation { metric_transformation {
name = "VpcRouteTableEventCount" name = "VpcRouteTableEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }
resource "aws_cloudwatch_metric_alarm" "CwAlarm14" { resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
alarm_name = "cis-vpc_changes" alarm_name = "cis-vpc_changes"
alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC." alarm_description = "A CloudWatch Alarm that triggers when changes are made to a VPC."
metric_name = "VpcEventCount" metric_name = "VpcEventCount"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
statistic = "Sum" statistic = "Sum"
period = "300" period = "300"
threshold = "1" threshold = "1"
evaluation_periods = "1" evaluation_periods = "1"
comparison_operator = "GreaterThanOrEqualToThreshold" comparison_operator = "GreaterThanOrEqualToThreshold"
// alarm_actions = [""] // alarm_actions = [""]
treat_missing_data = "notBreaching" treat_missing_data = "notBreaching"
@ -366,12 +366,12 @@ resource "aws_cloudwatch_metric_alarm" "CwAlarm14" {
resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" { resource "aws_cloudwatch_log_metric_filter" "MetricFilter14" {
log_group_name = aws_cloudwatch_log_group.ct-cwl.name log_group_name = aws_cloudwatch_log_group.ct-cwl.name
pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }" pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
name = "VpcEventCount" name = "VpcEventCount"
metric_transformation { metric_transformation {
name = "VpcEventCount" name = "VpcEventCount"
value = "1" value = "1"
namespace = "CloudTrailMetrics" namespace = "CloudTrailMetrics"
} }
} }


@ -1,16 +1,19 @@
/*
variable "customer-name" {} variable "customer-name" {}
variable "environment" {} variable "environment" {}
variable "project" {} variable "project" {}
variable "application" {} variable "application" {}
variable "aws-region-short" {} */
variable resource-prefix {}
variable "default-tags" {} variable "default-tags" {}
variable "cloudtrail-retain-days" { variable "cloudtrail-retain-days" {
type = number type = number
default = 90 default = 90
} }
data aws_region this-region {}
locals { locals {
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}" ct-bucket-name = "${var.resource-prefix}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
} }
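Review bot: `variable resource-prefix {}` near the top of the hunk is now the single input that forms `ct-bucket-name` in `locals`, yet it declares no type, description or validation, so a prefix containing uppercase or other characters that are illegal in an S3 bucket name is only rejected at apply time by the API rather than at plan time. I would give it a type, a description and a validation that pins it to lowercase bucket-safe characters, as below. Quoting the label also matches every other declaration in this file (`variable "default-tags" {}` and friends) and is the form `terraform fmt` produces. The old declarations kept inside the `/* ... */` block above it are dead text once callers pass `resource-prefix`; deleting them is clearer than commenting them out, since the previous shape is preserved in history.
```hcl
variable "resource-prefix" {
  type        = string
  description = "Lowercase prefix (environment-region-customer-project) used to name resources and the CloudTrail bucket."

  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9-]*$", var.resource-prefix))
    error_message = "resource-prefix must contain only lowercase letters, digits and hyphens so it is valid inside an S3 bucket name."
  }
}
# … unchanged: default-tags, cloudtrail-retain-days, locals …
```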


@ -1,12 +1 @@
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {} variable "default-tags" {}
locals {
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}"
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}


@ -1,8 +1,4 @@
variable "customer-name" {} variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {} variable "default-tags" {}
variable "cloudtrail-retain-days" { variable "cloudtrail-retain-days" {
type = number type = number
@ -14,11 +10,11 @@ variable "create-cloudhealth-resources" {
default = false default = false
} }
variable "cloudheath-ext-id1" {} variable "cloudheath-ext-id1" {
variable "cloudheath-ext-id2" {} type = string
default = ""
locals { }
ct-bucket-name = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}-ctbucket-${data.aws_caller_identity.this.account_id}" variable "cloudheath-ext-id2" {
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}" type = string
default = ""
} }
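Review bot: `cloudheath-ext-id1` and `cloudheath-ext-id2` in the second hunk now default to `""`, so a caller that sets `create-cloudhealth-resources = true` but omits the IDs gets no plan-time error; if those values feed an `sts:ExternalId` condition on the CloudHealth role (the consuming resource is outside this hunk), an empty external ID weakens the cross-account trust instead of failing safe. I would make them `default = null` and reject the empty string explicitly, e.g. for id1: `default = null` / `validation { condition = var.cloudheath-ext-id1 != ""` / `error_message = "cloudheath-ext-id1 must be omitted or set to a non-empty external ID." }`, with the same for id2 and a `description` stating what the ID authenticates. The misspelled `cloudheath` label predates this commit and renaming it would break existing callers, so it only merits a `# TODO: rename to cloudhealth-ext-id* in the next breaking release` comment. Note that `variable "customer-name" {}` is retained here while the sibling modules in this commit drop it; if nothing in this module still reads `var.customer-name` after the `locals` removal, it is now an unused input.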


@ -1,8 +1,3 @@
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "aws-region-short" {}
variable "default-tags" {} variable "default-tags" {}
variable "bucket-retain-days" { variable "bucket-retain-days" {
type = number type = number
@ -19,12 +14,6 @@ variable "add-random-suffix" {
default = false default = false
} }
data aws_region this-region {}
locals {
resource-prefix = "${var.environment}-substr(${data.aws_region.this-region.name}, 0, 2)-${var.customer-name}-${var.project}"
}
variable bucket-acl { variable bucket-acl {
type = string type = string
default = "private" default = "private"