pushed changes of final comments

.gitignore

@@ -28,6 +28,4 @@ override.tf.json
 .DS_Store
 
 
-# Ansible
-*.pub
-*.ppk
+

README.md

@@ -5,6 +5,7 @@
 ## Description
 Coalfire created reference architecture for FedRAMP AWS builds. This repository is used as a parent directory to deploy Coalfire-CF/`terraform-aws-<service>` modules.
 
+
 Learn more at [Coalfire OpenSource](https://coalfire.com/opensource).
 
 ## Architecture
@@ -20,7 +21,6 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource).
 
 | Directory | Purpose |
 | --------- | ------- |
-| `ansible` | Ansible playbooks |
 | `aws/terraform/us-gov-west-1/management-account/day0` | Account Setup Terraform files |
 | `aws/terraform/us-gov-west-1/management-account/rds` | RDS Database Terraform files |
 | `aws/terraform/us-gov-west-1/global-vars.tf` | Global variables |
@@ -31,7 +31,7 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource).
 ## Code Updates
 
 1. Update `global-vars.tf` in `aws/terraform/us-gov-west-1/global-vars.tf`
-2. Update `tstate.tf` in each directory (when applicable).
+2. Update `tstate.tf` in each directory (when applicable). Example below:
 ``` hcl
 terraform {
  required_version = ">=1.5.0"
@@ -44,14 +44,14 @@ terraform {
  backend "s3" {
  bucket = "pak-us-gov-west-1-tf-state"
  region = "us-gov-west-1"
- key = "pak-us-gov-west-1-networking.tfstate"
+ key = "pak-us-gov-west-1-tfsetup.tfstate"
  dynamodb_table = "pak-us-gov-west-1-state-lock"
  encrypt = true
  }
 }
 ```
 
-3. Update `remote-data.tf`in each directory (when applicable).
+3. Update `remote-data.tf`in each directory (when applicable). Example below:
 ``` hcl
 data "terraform_remote_state" "day0" {
  backend = "s3"
@@ -107,18 +107,14 @@ No outputs.
 
 ## Contributing
 
-[Relative or absolute link to contributing.md](CONTRIBUTING.md)
+If you're interested in contributing to our projects, please review the [Contributing Guidelines](CONTRIBUTING.md). And send an email to [our team](contributing@coalfire.com) to receive a copy of our CLA and start the onboarding process.
 
 
 ## License
 
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/license/mit/)
 
 
-## Coalfire Pages
-
-[Absolute link to any relevant Coalfire Pages](https://coalfire.com/)
-
 ### Copyright
 
 Copyright © 2023 Coalfire Systems Inc.

aws/terraform/us-gov-west-1/management-account/bastion/README.md

@@ -81,14 +81,15 @@ associate_eip = true
 ## Deployment Steps
 
 1. Change directory to the `bastion` folder
+2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
+ - From in front of `backend "s3"` to the bracket associated with the end of the code block
+3. Run `terraform init` to download modules and create initial local state file.
 
-2. Run `terraform init` to download modules and create initial local state file.
+4. Populate `vars.tfvars` 
 
-3. Populate `vars.tfvars` 
+5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources.
 
-4. Run `terraform plan` to ensure no errors and validate plan is deploying expected resources.
-
-5. Run `terraform apply` to deploy infrastructure.
+6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure.
 
 ## Example Deployment
 

aws/terraform/us-gov-west-1/management-account/day0/README.md

@@ -50,12 +50,16 @@ aws_region = "<aws-region>"
 ```
 
 ## Deployment Steps
-- Change the working directory to the `management-account` directory
-- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
- - From in front of `backend "s3"` to the bracket associated with the end of the code block
-- Run `terraform init`
-- Run `terraform plan` to review the resources being created
-- If everything looks correct in the plan output, run `terraform apply -var-file ./tfvars/vars.tfvars`
+1. Change the working directory the `management-account/day0` folder
+2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
+ - From in front of `backend "s3"` to the bracket associated with the end of the code block
+3. Run `terraform init` to download modules and create initial local state file.
+
+4. Populate `vars.tfvars` 
+
+5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources.
+
+6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure.
 
 ``` hcl
 data "terraform_remote_state" "day0" {

aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars

@@ -0,0 +1,2 @@
+resource_prefix = "pak"
+aws_region = "us-gov-west-1"

aws/terraform/us-gov-west-1/networking/README.md

@@ -62,12 +62,16 @@ profile = "<customer-prefix>-mgmt"
 ```
 
 ## Deployment Steps
-- Change the working directory the `networking` folder
-- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
- - From in front of `backend "s3"` to the bracket associated with the end of the code block
-- Run `terraform init`
-- Run `terraform plan` to review the resources being created
-- If everything looks correct in the plan output, run `terraform apply`
+1. Change the working directory the `networking` folder
+2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
+ - From in front of `backend "s3"` to the bracket associated with the end of the code block
+3. Run `terraform init` to download modules and create initial local state file.
+
+4. Populate `vars.tfvars` 
+
+5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources.
+
+6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure.
 
 ``` hcl
 data "terraform_remote_state" "day0" {
@@ -83,7 +87,7 @@ data "terraform_remote_state" "day0" {
 ```
 
 ## Example Deployments
-The below are example deployements of the networking module, it consists of 2 examples, one with AWS Network Firewall and one without.
+The below are example deployments of the networking module, it consists of 2 examples, one with AWS Network Firewall and one without.
 
 ### AWS Networking deployment with AWS Network Firewall
 ```hcl

aws/terraform/us-gov-west-1/org-creation/README.md

@@ -30,6 +30,48 @@ terraform {
  }
 }
 ```
+
+## Deployment Steps
+1. Change the working directory the `org-creation` folder
+2. If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
+ - From in front of `backend "s3"` to the bracket associated with the end of the code block
+3. Run `terraform init` to download modules and create initial local state file.
+
+4. Populate `vars.tfvars` 
+
+5. Run `terraform plan -var-file vars.tfvars` to ensure no errors and validate plan is deploying expected resources.
+
+6. Run `terraform apply -var-file vars.tfvars` to deploy infrastructure.
+
+``` hcl
+data "terraform_remote_state" "day0" {
+ backend = "s3"
+
+ config = {
+ bucket = "${var.resource_prefix}-${var.default_aws_region}-tf-state"
+ region = var.default_aws_region
+ key = "${var.resource_prefix}-${var.default_aws_region}-tfsetup.tfstate"
+ profile = "pak-mgmt"
+ }
+}
+```
+
+## tfvars Example
+``` hcl
+resource_prefix = "<customer-prefix>"
+aws_region = "<aws-region>"
+service_access_principals = [
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com"]
+enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
+feature_set = "ALL"
+org_member_account_numbers = ["1111111111111"]
+delegated_admin_account_id = "1111111111111"
+```
+
 ## Module Example
 ``` hcl
 module "org" {
@@ -40,19 +82,15 @@ module "org" {
  }
 
  feature_set = "ALL"
- aws_region = var.default_aws_region
- aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
+ aws_region = var.aws_region
+ aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
  resource_prefix = var.resource_prefix
  s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
- org_member_account_numbers = ["111111111111"]
- delegated_admin_account_id = "111111111111"
- delegated_service_principal = "principal"
- enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
- service_access_principals = ["cloudtrail.amazonaws.com",
- "config.amazonaws.com",
- "securityhub.amazonaws.com",
- "guardduty.amazonaws.com",
- "config-multiaccountsetup.amazonaws.com"]
+ org_member_account_numbers = var.org_member_account_numbers
+ delegated_admin_account_id = var.delegated_admin_account_id
+ delegated_service_principal = var.delegated_service_principal
+ enabled_policy_types = var.enabled_policy_types
+ service_access_principals = var.service_access_principals
 }
 
 
@@ -106,25 +144,4 @@ resource "aws_organizations_resource_policy" "org_resource_policy" {
 }
 EOF
 }
-```
-
-## Deployment Steps
-- Change the working directory the `org-creation` folder
-- If you are running this directory for the first time, comment out the S3 backend in `tstate.tf`
- - From in front of `backend "s3"` to the bracket associated with the end of the code block
-- Run `terraform init`
-- Run `terraform plan` to review the resources being created
-- If everything looks correct in the plan output, run `terraform apply`
-
-``` hcl
-data "terraform_remote_state" "day0" {
- backend = "s3"
-
- config = {
- bucket = "${var.resource_prefix}-${var.default_aws_region}-tf-state"
- region = var.default_aws_region
- key = "${var.resource_prefix}-${var.default_aws_region}-tfsetup.tfstate"
- profile = "pak-mgmt"
- }
-}
 ```

aws/terraform/us-gov-west-1/org-creation/data.tf

@@ -0,0 +1,3 @@
+data "aws_partition" "current" {
+ provider = aws.mgmt
+}

aws/terraform/us-gov-west-1/org-creation/org.tf

@@ -6,19 +6,15 @@ module "org" {
  }
 
  feature_set = "ALL"
- aws_region = var.default_aws_region
- aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.default_aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
+ aws_region = var.aws_region
+ aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
  resource_prefix = var.resource_prefix
  s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
- org_member_account_numbers = ["358745275192"]
- delegated_admin_account_id = "358745275192"
- delegated_service_principal = "principal"
- enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
- service_access_principals = ["cloudtrail.amazonaws.com",
- "config.amazonaws.com",
- "securityhub.amazonaws.com",
- "guardduty.amazonaws.com",
- "config-multiaccountsetup.amazonaws.com"]
+ org_member_account_numbers = var.org_member_account_numbers
+ delegated_admin_account_id = var.delegated_admin_account_id
+ delegated_service_principal = var.delegated_service_principal
+ enabled_policy_types = var.enabled_policy_types
+ service_access_principals = var.service_access_principals
 }
 
 

aws/terraform/us-gov-west-1/org-creation/variables.tf

@@ -0,0 +1,105 @@
+variable "service_access_principals" {
+ description = "List of AWS Service Access Principals that you want to enable for organization integration"
+ type = list(string)
+ default = [
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+ "config-multiaccountsetup.amazonaws.com"
+ ]
+}
+
+variable "enabled_policy_types" {
+ description = "List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL."
+}
+
+variable "feature_set" {
+ description = "Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED_BILLING."
+ default = "ALL"
+}
+
+variable "delegated_admin_account_id" {
+ description = "The account ID number of the member account in the organization to register as a delegated administrator."v
+}
+
+variable "delegated_service_principal" {
+ description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
+ default = "principal"
+}
+
+variable "aws_new_member_account_name" {
+ description = "The Friendly name for the member account."
+ default = null
+}
+
+variable "aws_new_member_account_email" {
+ description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
+ default = null
+}
+
+variable "ou_creation_info" {
+ description = "list of names of OU to create and their corresponding delegated admins"
+ default = null
+}
+
+variable "aws_region" {
+ type = string
+}
+
+
+variable "resource_prefix" {
+ type = string
+}
+
+variable "finding_publishing_frequency" {
+ type = string
+ default = "ONE_HOUR"
+}
+
+variable "aws_sec_hub_standards_arn" {
+ type = list(string)
+}
+
+variable "aws_guardduty_datasources_enable_S3" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "aws_guardduty_datasources_enable_k8_audit_logs" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "aws_guardduty_datasources_enable_malware_protection_ebs" {
+ description = "Configuration for the collected datasources."
+ default = true
+}
+
+variable "s3_kms_key_arn" {
+ type = string
+}
+
+variable "create_org_config" {
+ description = "True/False statement whether to enable AWS Config in the Organization"
+ default = true
+}
+
+variable "create_org_guardduty" {
+ description = "True/False statement whether to enable AWS GuardDuty in the Organization"
+ default = true
+}
+
+variable "create_org_cloudtrail" {
+ description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
+ default = true
+}
+
+variable "create_org_securityhub" {
+ description = "True/False statement whether to enable AWS Security Hub in the Organization"
+ default = true
+}
+
+variable "org_member_account_numbers" {
+ default = null
+}