Merge branch 'final-build-pr' of ssh://github.com/Coalfire-CF/Coalfir…

…e-AWS-RAMPpak into final-build-pr
Coalfire-CF · Oct 3, 2023 · c23bcf5 · c23bcf5
2 parents fe6a349 + 8018719
commit c23bcf5
Show file tree

Hide file tree

Showing 37 changed files with 1,243 additions and 99 deletions.
diff --git a/aws/terraform/us-gov-west-1/global-vars.tf b/aws/terraform/us-gov-west-1/global-vars.tf
@@ -0,0 +1,25 @@
+data "aws_caller_identity" "mgmt_account" {
+  # Get the management account ID
+  provider = aws.mgmt
+}
+
+variable "resource_prefix" {
+  type        = string
+  default     = "pak"
+  description = "A prefix that should be attached to the names of resources"
+}
+
+variable "default_aws_region" {
+  description = "The AWS region to create resources in"
+  type        = string
+  default     = "us-gov-west-1"
+}
+
+variable "global_tags" {
+  type = map(string)
+  default = {
+    managed_by    = "terraform"
+    backup_policy = "aws-backup-minimum-compliance"
+  }
+  description = "Tags to apply globally to all appropriate AWS resources (that have tagging functionality)"
+}
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf b/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf
@@ -0,0 +1,57 @@
+data "aws_ami" "ami" {
+  most_recent = true
+  owners      = ["077303321853"]
+  provider    = aws.mgmt
+
+  filter {
+    name   = "name"
+    values = ["Windows_Server-2019-English-STIG-Full-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+
+module "win_bastion" {
+  source = "github.com/Coalfire-CF/terraform-aws-ec2"
+
+  name = var.instance_name
+
+  ami               = data.aws_ami.ami.id
+  ec2_instance_type = var.instance_size
+  instance_count    = var.instance_count
+  associate_eip = var.associate_eip
+
+  vpc_id = data.terraform_remote_state.networking.outputs.mgmt_vpc_id
+  subnet_ids = [ data.terraform_remote_state.networking.outputs.public_subnets[0]]
+  ec2_key_pair    = var.key_name
+  ebs_kms_key_arn = data.terraform_remote_state.day0.outputs.ebs_kms_key_arn
+
+  # Storage
+  root_volume_size = var.instance_volume_size
+
+  # Security Group Rules
+  ingress_rules = [
+    {
+      protocol    = "tcp"
+      from_port   = "3389"
+      to_port     = "3389"
+      cidr_blocks = [data.terraform_remote_state.networking.outputs.mgmt_vpc_cidr]
+  }
+  ]
+
+  egress_rules = [{
+    protocol    = "-1"
+    from_port   = "0"
+    to_port     = "0"
+    cidr_blocks = ["0.0.0.0/0"]
+  }]
+
+  # Tagging
+  global_tags = {}
+
+}
+
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/outputs.tf b/aws/terraform/us-gov-west-1/management-account/bastion/outputs.tf
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf b/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf
@@ -0,0 +1,7 @@
+provider "aws" {
+  region                 = var.aws_region
+  skip_region_validation = "true"
+  profile = "pak-mgmt"
+  alias = "mgmt"
+  use_fips_endpoint = true
+}
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/remote-data.tf b/aws/terraform/us-gov-west-1/management-account/bastion/remote-data.tf
@@ -0,0 +1,21 @@
+data "terraform_remote_state" "day0" {
+  backend = "s3"
+
+  config = {
+    bucket  = "${var.resource_prefix}-${var.aws_region}-tf-state"
+    region  = var.aws_region
+    key     = "${var.resource_prefix}-${var.aws_region}-tfsetup.tfstate"
+    profile = "pak-mgmt"
+  }
+}
+
+data "terraform_remote_state" "networking" {
+  backend = "s3"
+
+  config = {
+    bucket  = "${var.resource_prefix}-${var.aws_region}-tf-state"
+    region  = var.aws_region
+    key     = "${var.resource_prefix}-${var.aws_region}-networking.tfstate"
+    profile = "pak-mgmt"
+  }
+}
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/tstate.tf b/aws/terraform/us-gov-west-1/management-account/bastion/tstate.tf
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/variables.tf b/aws/terraform/us-gov-west-1/management-account/bastion/variables.tf
@@ -0,0 +1,185 @@
+variable "instance_count" {
+  description = "Number of instances to launch"
+  type        = number
+  default     = 1
+}
+
+variable "resource_prefix" {
+  description = "Resource prefix for resources"
+}
+
+variable "aws_region" {
+  description = "AWS Region"
+}
+
+variable "instance_name" {
+  description = "The name of the ec2 instance"
+  type        = string
+}
+
+variable "instance_size" {
+  description = "The type of instance to start"
+  type        = string
+}
+
+variable "key_name" {
+  description = "The key name to use for the instance"
+  type        = string
+}
+
+variable "root_volume_type" {
+  description = "The type of the root ebs volume on the ec2 instances created"
+  type        = string
+  default     = "gp3"
+}
+
+variable "instance_volume_size" {
+  description = "The size of the root ebs volume on the ec2 instances created"
+  type        = string
+}
+
+variable "ebs_volumes" {
+  description = "A list of maps that must contain device_name (ex. '/dev/sdb') and size (in GB). Optional args include type, throughput, iops, multi_attach_enabled, final_snapshot, snapshot_id, outpost_arn, force_detach, skip_destroy, stop_instance_before_detaching, and tags"
+  type = list(object({
+    device_name                    = string
+    size                           = number
+    type                           = string
+    throughput                     = optional(number)
+    iops                           = optional(number)
+    multi_attach_enabled           = optional(bool, false)
+    final_snapshot                 = optional(string)
+    snapshot_id                    = optional(string)
+    outpost_arn                    = optional(string)
+    force_detach                   = optional(bool, false)
+    skip_destroy                   = optional(bool, false)
+    stop_instance_before_detaching = optional(bool, false)
+    tags                           = optional(map(string), {})
+  }))
+  default = []
+}
+
+variable "ebs_optimized" {
+  description = "Whether or not the instance is ebs optimized"
+  type        = bool
+  default     = false
+}
+
+variable "target_group_arns" {
+  description = "A list of aws_alb_target_group ARNs, for use with Application Load Balancing"
+  default     = []
+  type        = list(string)
+}
+
+
+variable "private_ip" {
+  description = "The private ip for the instance"
+  type        = string
+  default     = null
+}
+
+variable "additional_security_groups" {
+  description = "A list of additional security groups to attach to the network interfaces"
+  type        = list(string)
+  default     = []
+}
+
+variable "associate_public_ip" {
+  description = "Whether or not to associate a public IP (not EIP)"
+  type        = bool
+  default     = false
+}
+
+variable "associate_eip" {
+  description = "Whether or not to associate an Elastic IP"
+  type        = bool
+  default     = false
+}
+
+variable "sg_description" {
+  description = "This overwrites the default generated description for the security group"
+  type        = string
+  default     = "Managed by Terraform"
+}
+
+variable "ingress_rules" {
+  description = "The list of rules for ingress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list"
+  type = list(object({
+    protocol         = string
+    from_port        = string
+    to_port          = string
+    cidr_blocks      = optional(list(string), [])
+    ipv6_cidr_blocks = optional(list(string), [])
+    prefix_list_ids  = optional(list(string), [])
+    security_groups  = optional(list(string), [])
+    self             = optional(bool)
+    description      = optional(string, "Managed by Terraform")
+  }))
+  default = []
+}
+
+variable "egress_rules" {
+  description = "The list of rules for egress traffic. Required fields for each rule are 'protocol', 'from_port', 'to_port', and at least one of 'cidr_blocks', 'ipv6_cidr_blocks', 'security_groups', 'self', or 'prefix_list_sg'. Optional fields are 'description' and those not used from the previous list"
+  type = list(object({
+    protocol         = string
+    from_port        = string
+    to_port          = string
+    cidr_blocks      = optional(list(string), [])
+    ipv6_cidr_blocks = optional(list(string), [])
+    prefix_list_ids  = optional(list(string), [])
+    security_groups  = optional(list(string), [])
+    self             = optional(bool)
+    description      = optional(string, "Managed by Terraform")
+  }))
+  default = []
+}
+
+variable "tags" {
+  description = "A mapping of tags to assign to the resource"
+  type        = map(string)
+  default     = {}
+}
+
+
+variable "keys_to_grant" {
+  description = "A list of kms keys to grant permissions to for the role created."
+  type        = list(string)
+  default     = []
+}
+
+variable "additional_eni_ids" {
+  description = "This variable allows for an ec2 instance to have multiple ENIs.  Instance count must be set to 1"
+  type        = list(string)
+  default     = []
+}
+
+variable "source_dest_check" {
+  description = "Whether or not source/destination check should be enabled for the primary network interface"
+  type        = bool
+  default     = true
+}
+
+variable "assume_role_policy" {
+  description = "Policy document allowing Principals to assume this role (e.g. Trust Relationship)"
+  type        = string
+  default     = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Action": "sts:AssumeRole",
+     "Principal": {
+       "Service": "ec2.amazonaws.com"
+     },
+     "Effect": "Allow",
+     "Sid": ""
+   }
+ ]
+}
+EOF
+}
+
+variable "module_depends_on" {
+  description = "A variable to simulate the depends on feature that resources have"
+  type        = any
+  default     = null
+}
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/README.md b/aws/terraform/us-gov-west-1/management-account/day0/README.md
@@ -34,10 +34,10 @@ terraform {
     }
 }
   backend "s3" {
-    bucket         = "ooc-<aws-region>-tf-state"
-    region         = "<aws-region>"
-    key            = "ooc-<aws-region>-tfsetup.tfstate"
-    dynamodb_table = "ooc-<aws-region>-state-lock"
+    bucket         = "pak-us-gov-west-1-tf-state"
+    region         = "us-gov-west-1"
+    key            = "pak-us-gov-west-1-tfsetup.tfstate"
+    dynamodb_table = "pak-us-gov-west-1-state-lock"
     encrypt        = true
   }
 }
@@ -62,10 +62,10 @@ data "terraform_remote_state" "day0" {
   backend = "s3"
 
   config = {
-    bucket  = "ooc-<aws-region>-tf-state"
+    bucket  = "pak-us-gov-west-1-tf-state"
     region  = var.aws_region
-    key     = "ooc-<aws-region>-tfsetup.tfstate"
-    profile = "ooc-mgmt"
+    key     = "pak-us-gov-west-1-tfsetup.tfstate"
+    profile = "pak-mgmt"
   }
 }
 ```
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/data.tf b/aws/terraform/us-gov-west-1/management-account/day0/data.tf
@@ -0,0 +1,18 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+data "aws_iam_policy_document" "eks_key" {
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = [
+        "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
+      ]
+    }
+  }
+}
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/main.tf b/aws/terraform/us-gov-west-1/management-account/day0/main.tf
@@ -0,0 +1,19 @@
+module "account-setup" {
+  source = "github.com/Coalfire-CF/terraform-aws-account-setup"
+  providers = {
+    aws = aws.mgmt
+  }
+
+  resource_prefix = var.resource_prefix
+  account_number = "${data.aws_caller_identity.current.account_id}"
+  aws_region = var.aws_region
+  default_aws_region = var.aws_region
+  application_account_numbers = ["${data.aws_caller_identity.current.account_id}"]
+  additional_kms_keys = [
+  {
+    name = "eks"
+    policy = "${data.aws_iam_policy_document.eks_key.json}"
+  },
+
+]
+}