diff --git a/.gitignore b/.gitignore index 2694c1d..9182f58 100644 --- a/.gitignore +++ b/.gitignore @@ -28,6 +28,4 @@ override.tf.json .DS_Store -# Ansible -*.pub -*.ppk + diff --git a/Coalfire-AWS-RAMPpak.png b/Coalfire-AWS-RAMPpak.png index 918b2b2..226466d 100644 Binary files a/Coalfire-AWS-RAMPpak.png and b/Coalfire-AWS-RAMPpak.png differ diff --git a/README.md b/README.md index 08967c1..6b1d62e 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ ## Description Coalfire created reference architecture for FedRAMP AWS builds. This repository is used as a parent directory to deploy Coalfire-CF/`terraform-aws-` modules. + Learn more at [Coalfire OpenSource](https://coalfire.com/opensource). ## Architecture @@ -20,7 +21,6 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource). | Directory | Purpose | | --------- | ------- | -| `ansible` | Ansible playbooks | | `aws/terraform/us-gov-west-1/management-account/day0` | Account Setup Terraform files | | `aws/terraform/us-gov-west-1/management-account/rds` | RDS Database Terraform files | | `aws/terraform/us-gov-west-1/global-vars.tf` | Global variables | @@ -31,7 +31,7 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource). ## Code Updates 1. Update `global-vars.tf` in `aws/terraform/us-gov-west-1/global-vars.tf` -2. Update `tstate.tf` in each directory (when applicable). +2. Update `tstate.tf` in each directory (when applicable). Example below: ``` hcl terraform { required_version = ">=1.5.0" @@ -44,14 +44,14 @@ terraform { backend "s3" { bucket = "pak-us-gov-west-1-tf-state" region = "us-gov-west-1" - key = "pak-us-gov-west-1-networking.tfstate" + key = "pak-us-gov-west-1-tfsetup.tfstate" dynamodb_table = "pak-us-gov-west-1-state-lock" encrypt = true } } ``` -3. Update `remote-data.tf`in each directory (when applicable). +3. Update `remote-data.tf`in each directory (when applicable). Example below: ``` hcl data "terraform_remote_state" "day0" { backend = "s3" 
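Review bot: Removing the `*.pub` and `*.ppk` patterns from .gitignore drops the only guard this page shows against SSH key material being committed; `.ppk` files are PuTTY private keys, so the exposure is not limited to public keys. If the Ansible directory these patterns served is gone (the root README hunk on this line drops its table row), the `# Ansible` comment can go, but the private-key pattern should stay, e.g. `# SSH key material` followed by `*.ppk`. A repository-wide secret scan would also mitigate this, but nothing on this page shows one configured.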
@@ -107,7 +107,7 @@ No outputs. ## Contributing -[Relative or absolute link to contributing.md](CONTRIBUTING.md) +If you're interested in contributing to our projects, please review the [Contributing Guidelines](CONTRIBUTING.md). And send an email to [our team](contributing@coalfire.com) to receive a copy of our CLA and start the onboarding process. ## License @@ -115,10 +115,6 @@ No outputs. [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/license/mit/) -## Coalfire Pages - -[Absolute link to any relevant Coalfire Pages](https://coalfire.com/) - ### Copyright Copyright © 2023 Coalfire Systems Inc. \ No newline at end of file diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/README.md b/aws/terraform/us-gov-west-1/management-account/bastion/README.md index e3aa9f6..83845b5 100644 --- a/aws/terraform/us-gov-west-1/management-account/bastion/README.md +++ b/aws/terraform/us-gov-west-1/management-account/bastion/README.md @@ -81,14 +81,15 @@ associate_eip = true ## Deployment Steps 1. Change directory to the `bastion` folder +2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` + - From in front of `backend "s3"` to the bracket associated with the end of the code block +3. Run `terraform init` to download modules and create initial local state file. -2. Run `terraform init` to download modules and create initial local state file. +4. Populate `vars.tfvars` -3. Populate `vars.tfvars` +5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources. -4. Run `terraform plan` to ensure no errors and validate plan is deploying expected resources. - -5. Run `terraform apply` to deploy infrastructure. +6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure. ## Example Deployment 
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/README.md b/aws/terraform/us-gov-west-1/management-account/day0/README.md index ad355a0..4644829 100644 --- a/aws/terraform/us-gov-west-1/management-account/day0/README.md +++ b/aws/terraform/us-gov-west-1/management-account/day0/README.md @@ -50,12 +50,16 @@ aws_region = "" ``` ## Deployment Steps -- Change the working directory to the `management-account` directory -- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` - - From in front of `backend "s3"` to the bracket associated with the end of the code block -- Run `terraform init` -- Run `terraform plan` to review the resources being created -- If everything looks correct in the plan output, run `terraform apply -var-file ./tfvars/vars.tfvars` +1. Change the working directory the `management-account/day0` folder +2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` + - From in front of `backend "s3"` to the bracket associated with the end of the code block +3. Run `terraform init` to download modules and create initial local state file. + +4. Populate `vars.tfvars` + +5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources. + +6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure. ``` hcl data "terraform_remote_state" "day0" { diff --git a/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars b/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars new file mode 100644 index 0000000..b5a8d7c --- /dev/null +++ b/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars @@ -0,0 +1,2 @@ +resource_prefix = "pak" +aws_region = "us-gov-west-1" diff --git a/aws/terraform/us-gov-west-1/networking/README.md b/aws/terraform/us-gov-west-1/networking/README.md index 55eea93..75c05c5 100644 --- a/aws/terraform/us-gov-west-1/networking/README.md 
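Review bot: `vars.tfvars` is committed with concrete values (`resource_prefix = "pak"`, `aws_region = "us-gov-west-1"`) while the README hunk on this line tells users to "Populate `vars.tfvars`" in place, so environment-specific edits become tracked changes that tend to get committed; the same applies to the org-creation `vars.tfvars` added later in this diff, which also carries account IDs. Consider committing a `vars.tfvars.example` with placeholders and ignoring `*.tfvars`, or at least stating in the README that the committed file is a template to copy. The remote-state lookups in this repo derive the backend bucket from `resource_prefix` (`"${var.resource_prefix}-${var.default_aws_region}-tf-state"` in the org-creation README), so a stale value here silently points at the wrong state.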
+++ b/aws/terraform/us-gov-west-1/networking/README.md @@ -62,12 +62,16 @@ profile = "-mgmt" ``` ## Deployment Steps -- Change the working directory the `networking` folder -- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` - - From in front of `backend "s3"` to the bracket associated with the end of the code block -- Run `terraform init` -- Run `terraform plan` to review the resources being created -- If everything looks correct in the plan output, run `terraform apply` +1. Change the working directory the `networking` folder +2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` + - From in front of `backend "s3"` to the bracket associated with the end of the code block +3. Run `terraform init` to download modules and create initial local state file. + +4. Populate `vars.tfvars` + +5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources. + +6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure. ``` hcl data "terraform_remote_state" "day0" { @@ -83,7 +87,7 @@ data "terraform_remote_state" "day0" { ``` ## Example Deployments -The below are example deployements of the networking module, it consists of 2 examples, one with AWS Network Firewall and one without. +The below are example deployments of the networking module, it consists of 2 examples, one with AWS Network Firewall and one without. ### AWS Networking deployment with AWS Network Firewall ```hcl diff --git a/aws/terraform/us-gov-west-1/org-creation/README.md b/aws/terraform/us-gov-west-1/org-creation/README.md index 627fc3e..01a96a3 100644 --- a/aws/terraform/us-gov-west-1/org-creation/README.md +++ b/aws/terraform/us-gov-west-1/org-creation/README.md 
@@ -30,6 +30,48 @@ terraform {
 }
 }
 ```
+
+## Deployment Steps
+1. Change the working directory the `org-creation` folder
+2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
+ - From in front of `backend "s3"` to the bracket associated with the end of the code block
+3. Run `terraform init` to download modules and create initial local state file.
+
+4. Populate `vars.tfvars`
+
+5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources.
+
+6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure.
+
+``` hcl
+data "terraform_remote_state" "day0" {
+ backend = "s3"
+
+ config = {
+ bucket = "${var.resource_prefix}-${var.default_aws_region}-tf-state"
+ region = var.default_aws_region
+ key = "${var.resource_prefix}-${var.default_aws_region}-tfsetup.tfstate"
+ profile = "pak-mgmt"
+ }
+}
+```
+
+## tfvars Example
+``` hcl
+resource_prefix = ""
+aws_region = ""
+service_access_principals = [
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com"]
+enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
+feature_set = "ALL"
+org_member_account_numbers = ["1111111111111"]
+delegated_admin_account_id = "1111111111111"
+```
+
 ## Module Example
 ``` hcl
 module "org" {
@@ -40,19 +82,15 @@ module "org" { } feature_set = "ALL" - aws_region = var.default_aws_region - aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"] + aws_region = var.aws_region + aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"] resource_prefix = var.resource_prefix s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn - org_member_account_numbers = ["111111111111"] - delegated_admin_account_id = "111111111111" - delegated_service_principal = "principal" - enabled_policy_types = ["SERVICE_CONTROL_POLICY"] - service_access_principals = ["cloudtrail.amazonaws.com", - "config.amazonaws.com", - "securityhub.amazonaws.com", - "guardduty.amazonaws.com", - "config-multiaccountsetup.amazonaws.com"] + org_member_account_numbers = var.org_member_account_numbers + delegated_admin_account_id = var.delegated_admin_account_id + delegated_service_principal = var.delegated_service_principal + enabled_policy_types = var.enabled_policy_types + service_access_principals = var.service_access_principals } 
@@ -106,25 +144,4 @@ resource "aws_organizations_resource_policy" "org_resource_policy" { } EOF } -``` - -## Deployment Steps -- Change the working directory the `org-creation` folder -- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` - - From in front of `backend "s3"` to the bracket associated with the end of the code block -- Run `terraform init` -- Run `terraform plan` to review the resources being created -- If everything looks correct in the plan output, run `terraform apply` - -``` hcl -data "terraform_remote_state" "day0" { - backend = "s3" - - config = { - bucket = "${var.resource_prefix}-${var.default_aws_region}-tf-state" - region = var.default_aws_region - key = "${var.resource_prefix}-${var.default_aws_region}-tfsetup.tfstate" - profile = "pak-mgmt" - } -} ``` \ No newline at end of file diff --git a/aws/terraform/us-gov-west-1/org-creation/data.tf b/aws/terraform/us-gov-west-1/org-creation/data.tf new file mode 100644 index 0000000..677ed73 --- /dev/null +++ b/aws/terraform/us-gov-west-1/org-creation/data.tf @@ -0,0 +1,3 @@ +data "aws_partition" "current" { + provider = aws.mgmt +} \ No newline at end of file diff --git a/aws/terraform/us-gov-west-1/org-creation/org.tf b/aws/terraform/us-gov-west-1/org-creation/org.tf index 46fb2f7..d1c9294 100644 --- a/aws/terraform/us-gov-west-1/org-creation/org.tf +++ b/aws/terraform/us-gov-west-1/org-creation/org.tf 
@@ -6,19 +6,15 @@ module "org" { } feature_set = "ALL" - aws_region = var.default_aws_region - aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"] + aws_region = var.aws_region + aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"] resource_prefix = var.resource_prefix s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn - org_member_account_numbers = ["358745275192"] - delegated_admin_account_id = "358745275192" - delegated_service_principal = "principal" - enabled_policy_types = ["SERVICE_CONTROL_POLICY"] - service_access_principals = ["cloudtrail.amazonaws.com", - "config.amazonaws.com", - "securityhub.amazonaws.com", - "guardduty.amazonaws.com", - "config-multiaccountsetup.amazonaws.com"] + org_member_account_numbers = var.org_member_account_numbers + delegated_admin_account_id = var.delegated_admin_account_id + delegated_service_principal = var.delegated_service_principal + enabled_policy_types = var.enabled_policy_types + service_access_principals = var.service_access_principals } diff --git a/aws/terraform/us-gov-west-1/org-creation/variables.tf b/aws/terraform/us-gov-west-1/org-creation/variables.tf new file mode 100644 index 0000000..c6b69c7 --- /dev/null +++ b/aws/terraform/us-gov-west-1/org-creation/variables.tf 
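Review bot: `aws_region = var.aws_region` is consistent with the new variables.tf, but nothing in this diff declares `default_aws_region`, while the remote-state example added to the org-creation README earlier in this diff still builds the bucket, region and key from `var.default_aws_region`. If the directory's actual `remote-data.tf` matches that example, `terraform validate` will fail on an undeclared variable; either add `variable "default_aws_region"` or switch that block to `var.aws_region` so the module and its state lookup agree on the region. The `module "org"` block starts before this hunk, and the same substitution is mirrored in the org-creation README hunk on the line above.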
@@ -0,0 +1,105 @@
+variable "service_access_principals" {
+ description = "List of AWS Service Access Principals that you want to enable for organization integration"
+ type = list(string)
+ default = [
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com"
+ ]
+}
+
+variable "enabled_policy_types" {
+ description = "List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL."
+}
+
+variable "feature_set" {
+ description = "Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED_BILLING."
+ default = "ALL"
+}
+
+variable "delegated_admin_account_id" {
+ description = "The account ID number of the member account in the organization to register as a delegated administrator."v
+}
+
+variable "delegated_service_principal" {
+ description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
+ default = "principal"
+}
+
+variable "aws_new_member_account_name" {
+ description = "The Friendly name for the member account."
+ default = null
+}
+
+variable "aws_new_member_account_email" {
+ description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
+ default = null
+}
+
+variable "ou_creation_info" {
+ description = "list of names of OU to create and their corresponding delegated admins"
+ default = null
+}
+
+variable "aws_region" {
+ type = string
+}
+
+
+variable "resource_prefix" {
+ type = string
+}
+
+variable "finding_publishing_frequency" {
+ type = string
+ default = "ONE_HOUR"
+}
+
+variable "aws_sec_hub_standards_arn" {
+ type = list(string)
+}
+
+variable "aws_guardduty_datasources_enable_S3" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "aws_guardduty_datasources_enable_k8_audit_logs" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "aws_guardduty_datasources_enable_malware_protection_ebs" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "s3_kms_key_arn" {
+ type = string
+}
+
+variable "create_org_config" {
+ description = "True/False statement whether to enable AWS Config in the Organization"
+ default = true
+}
+
+variable "create_org_guardduty" {
+ description = "True/False statement whether to enable AWS GuardDuty in the Organization"
+ default = true
+}
+
+variable "create_org_cloudtrail" {
+ description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
+ default = true
+}
+
+variable "create_org_securityhub" {
+ description = "True/False statement whether to enable AWS Security Hub in the Organization"
+ default = true
+}
+
+variable "org_member_account_numbers" {
+ default = null
+}
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/org-creation/vars.tfvars b/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
new file mode 100644
index 0000000..e4a29cb
--- /dev/null
+++ b/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
@@ -0,0 +1,12 @@
+service_access_principals = [
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com"]
+enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
+feature_set = "ALL"
+resource_prefix = "pak"
+org_member_account_numbers = ["1111111111111"]
+delegated_admin_account_id = "1111111111111"
+aws_region = "us-gov-west-1"
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/org-onboarding/README.md b/aws/terraform/us-gov-west-1/org-onboarding/README.md
index f8da609..da2110d 100644
--- a/aws/terraform/us-gov-west-1/org-onboarding/README.md
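Review bot: `variable "delegated_admin_account_id"` has a stray `v` after the closing quote of its description (`...delegated administrator."v`), which is not valid HCL and will make `terraform init` and `terraform validate` fail for this directory; drop the `v`. Separately, `delegated_service_principal` defaults to the placeholder string `"principal"`, which is not an AWS service principal, and the committed vars.tfvars does not override it, so the module receives that placeholder unless a caller notices; remove the default so Terraform requires a value, or document the expected form in the description. The account-scoped inputs (`delegated_admin_account_id`, `org_member_account_numbers`, `enabled_policy_types`) also lack a `type`, so `type = string` / `type = list(string)` plus a `validation` block on the account IDs would catch malformed values before they reach the Organizations API.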
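Review bot: `org_member_account_numbers = ["1111111111111"]` and `delegated_admin_account_id = "1111111111111"` are 13 digits, but AWS account IDs are 12 digits (the value this diff removes from org.tf is 12), so anyone copying the shape of this placeholder gets an API error; the tfvars example added to the org-creation README carries the same 13-digit value. Use a clearly marked 12-digit placeholder, matching the one the removed README module-example lines used, in both files, and say in the README that these must be replaced. Since this file sits directly in the documented deploy path (`terraform apply -var-file vars.tfvars`), leaving placeholders in it means an apply with the committed values attempts to register a non-existent delegated administrator against the organization.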
+++ b/aws/terraform/us-gov-west-1/org-onboarding/README.md @@ -42,13 +42,17 @@ terraform { ``` ## Deployment Steps -- Update the `mgmt_*` and `org_*` variables (role ARN and external ID) prior to running -- Change the working directory to the `management-account` directory -- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` - - From in front of `backend "s3"` to the bracket associated with the end of the code block -- Run `terraform init` -- Run `terraform plan` to review the resources being created -- If everything looks correct in the plan output, run `terraform apply -var-file ./tfvars/vars.tfvars` +1. Update the `mgmt_*` and `org_*` variables (role ARN and external ID) prior to running +2. Change the working directory the `org-onboarding` folder + - If you are running this directory for the first time, comment out the S3 backend in `tstate.tf` from in front of `backend "s3"` to the bracket associated with the end of the code block +3. Run `terraform init` to download modules and create initial local state file. + +4. Populate `vars.tfvars` + +5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources. + +6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure. + ``` hcl terraform {