diff --git a/README.md b/README.md
index 6b1d62e..7bf9a26 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,6 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource).
 | Directory | Purpose |
 | --------- | ------- |
 | `aws/terraform/us-gov-west-1/management-account/day0` | Account Setup Terraform files |
-| `aws/terraform/us-gov-west-1/management-account/rds` | RDS Database Terraform files |
 | `aws/terraform/us-gov-west-1/global-vars.tf` | Global variables |
 | `aws/terraform/us-gov-west-1/networking` | Networking deployment Terraform files |
 | `aws/terraform/us-gov-west-1/org-creation` | AWS Organization Terraform files |
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf b/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf
index 5b4c77f..b03c8e4 100644
--- a/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf
+++ b/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf
@@ -23,10 +23,10 @@ module "win_bastion" {
   ami = data.aws_ami.ami.id
   ec2_instance_type = var.instance_size
   instance_count = var.instance_count
-  associate_eip = var.associate_eip
+  associate_eip = var.associate_eip
-  vpc_id = data.terraform_remote_state.networking.outputs.mgmt_vpc_id
-  subnet_ids = [ data.terraform_remote_state.networking.outputs.public_subnets[0]]
+  vpc_id = data.terraform_remote_state.networking.outputs.mgmt_vpc_id
+  subnet_ids = [data.terraform_remote_state.networking.outputs.public_subnets[0]]
   ec2_key_pair = var.key_name
   ebs_kms_key_arn = data.terraform_remote_state.day0.outputs.ebs_kms_key_arn
@@ -40,7 +40,7 @@ module "win_bastion" {
     from_port = "3389"
     to_port = "3389"
     cidr_blocks = [data.terraform_remote_state.networking.outputs.mgmt_vpc_cidr]
-  }
+  }
   ]
   egress_rules = [{
diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf b/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf
index f15d275..00ccc2f 100644
--- a/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf
+++ b/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
   region = var.aws_region
   skip_region_validation = "true"
-  profile = "pak-mgmt"
-  alias = "mgmt"
-  use_fips_endpoint = true
+  profile = "pak-mgmt"
+  alias = "mgmt"
+  use_fips_endpoint = true
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/README.md b/aws/terraform/us-gov-west-1/management-account/day0/README.md
index 4644829..8f26e6f 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/README.md
+++ b/aws/terraform/us-gov-west-1/management-account/day0/README.md
@@ -46,7 +46,7 @@ terraform {
 ## tfvars Example
 ``` hcl
 resource_prefix = ""
-aws_region = ""
+aws_region = ""
 ```
 ## Deployment Steps
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/data.tf b/aws/terraform/us-gov-west-1/management-account/day0/data.tf
index ecb82af..f1bb0ef 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/data.tf
+++ b/aws/terraform/us-gov-west-1/management-account/day0/data.tf
@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "eks_key" {
     actions = ["kms:*"]
     resources = ["*"]
     principals {
-      type = "AWS"
+      type = "AWS"
       identifiers = [
         "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
       ]
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/main.tf b/aws/terraform/us-gov-west-1/management-account/day0/main.tf
index bd64cb5..c01b7fb 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/main.tf
+++ b/aws/terraform/us-gov-west-1/management-account/day0/main.tf
@@ -4,16 +4,16 @@ module "account-setup" {
     aws = aws.mgmt
   }
-  resource_prefix = var.resource_prefix
-  account_number = "${data.aws_caller_identity.current.account_id}"
-  aws_region = var.aws_region
-  default_aws_region = var.aws_region
+  resource_prefix = var.resource_prefix
+  account_number = data.aws_caller_identity.current.account_id
+  aws_region = var.aws_region
+  default_aws_region = var.aws_region
   application_account_numbers = ["${data.aws_caller_identity.current.account_id}"]
   additional_kms_keys = [
-    {
-      name = "eks"
-      policy = "${data.aws_iam_policy_document.eks_key.json}"
-    },
+    {
+      name = "eks"
+      policy = "${data.aws_iam_policy_document.eks_key.json}"
+    },
-]
+  ]
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/provider.tf b/aws/terraform/us-gov-west-1/management-account/day0/provider.tf
index 128b209..a382820 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/provider.tf
+++ b/aws/terraform/us-gov-west-1/management-account/day0/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
   region = var.aws_region
   skip_region_validation = "true"
-  profile = "mgmt"
-  alias = "mgmt"
-  use_fips_endpoint = true
+  profile = "mgmt"
+  alias = "mgmt"
+  use_fips_endpoint = true
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf b/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf
index 2b14adc..28bd408 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf
+++ b/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf
@@ -5,7 +5,7 @@ terraform {
       source = "hashicorp/aws"
       version = "~> 5.0"
     }
-}
+  }
   backend "s3" {
     bucket = "pak-us-gov-west-1-tf-state"
     region = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars b/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars
index b5a8d7c..2353da6 100644
--- a/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars
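Review bot: The new `account_number = data.aws_caller_identity.current.account_id` drops the legacy `"${…}"` wrapping, but the same hunk keeps it on two neighbouring lines, so the block now mixes both forms. The plain references `application_account_numbers = [data.aws_caller_identity.current.account_id]` and `policy = data.aws_iam_policy_document.eks_key.json` are equivalent on the provider `~> 5.0` pinned elsewhere in this diff and are what `terraform fmt` on a current release would normally emit. The `module "account-setup"` block starts before this hunk.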
+++ b/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars
@@ -1,2 +1,2 @@
 resource_prefix = "pak"
-aws_region = "us-gov-west-1"
+aws_region = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/networking/outputs.tf b/aws/terraform/us-gov-west-1/networking/outputs.tf
index efd5d0a..5b14869 100644
--- a/aws/terraform/us-gov-west-1/networking/outputs.tf
+++ b/aws/terraform/us-gov-west-1/networking/outputs.tf
@@ -1,39 +1,39 @@
 output "mgmt_vpc_id" {
   description = "VPC id of deployed mgmt VPC"
-  value = module.mgmt_vpc.vpc_id
+  value = module.mgmt_vpc.vpc_id
 }
 output "firewall_subnets" {
   description = "subnet ids of deployed firewall subnets"
-  value = module.mgmt_vpc.firewall_subnets
+  value = module.mgmt_vpc.firewall_subnets
 }
 output "public_subnets" {
   description = "subnet ids of deployed public subnets"
-  value = module.mgmt_vpc.public_subnets
+  value = module.mgmt_vpc.public_subnets
 }
 output "private_subnets" {
   description = "subnet ids of deployed private subnets"
-  value = module.mgmt_vpc.private_subnets
+  value = module.mgmt_vpc.private_subnets
 }
 output "database_subnets" {
   description = "subnet ids of deployed firewall subnets"
-  value = module.mgmt_vpc.database_subnets
+  value = module.mgmt_vpc.database_subnets
 }
 output "redshift_subnets" {
   description = "subnet ids of deployed public subnets"
-  value = module.mgmt_vpc.redshift_subnets
+  value = module.mgmt_vpc.redshift_subnets
 }
 output "elasticache_subnets" {
   description = "subnet ids of deployed private subnets"
-  value = module.mgmt_vpc.elasticache_subnets
+  value = module.mgmt_vpc.elasticache_subnets
 }
-output "mgmt_vpc_cidr"{
+output "mgmt_vpc_cidr" {
   description = "mgmt vpc cidr block"
-  value = module.mgmt_vpc.vpc_cidr_block
+  value = module.mgmt_vpc.vpc_cidr_block
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/networking/provider.tf b/aws/terraform/us-gov-west-1/networking/provider.tf
index dbf9095..95ff0a9 100644
--- a/aws/terraform/us-gov-west-1/networking/provider.tf
+++ b/aws/terraform/us-gov-west-1/networking/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
   region = var.aws_region
   skip_region_validation = "true"
-  profile = "pak-mgmt"
-  alias = "mgmt"
-  use_fips_endpoint = true # FIPs endpoints for govcloud
+  profile = "pak-mgmt"
+  alias = "mgmt"
+  use_fips_endpoint = true # FIPs endpoints for govcloud
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/networking/tstate.tf b/aws/terraform/us-gov-west-1/networking/tstate.tf
index ccd3ea9..5e2627d 100644
--- a/aws/terraform/us-gov-west-1/networking/tstate.tf
+++ b/aws/terraform/us-gov-west-1/networking/tstate.tf
@@ -5,7 +5,7 @@ terraform {
       source = "hashicorp/aws"
       version = "~> 5.0"
     }
-}
+  }
   backend "s3" {
     bucket = "pak-us-gov-west-1-tf-state"
     region = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/networking/vars.tfvars b/aws/terraform/us-gov-west-1/networking/vars.tfvars
index 73c66bd..30b3599 100644
--- a/aws/terraform/us-gov-west-1/networking/vars.tfvars
+++ b/aws/terraform/us-gov-west-1/networking/vars.tfvars
@@ -1,6 +1,6 @@
-resource_prefix = "pak"
-deploy_aws_nfw = false
-aws_region = "us-gov-west-1"
+resource_prefix = "pak"
+deploy_aws_nfw = false
+aws_region = "us-gov-west-1"
 cidrs_for_remote_access = [""]
-mgmt_vpc_cidr = "10.0.0.0/16"
-profile = "pak-mgmt"
\ No newline at end of file
+mgmt_vpc_cidr = "10.0.0.0/16"
+profile = "pak-mgmt"
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/org-creation/org.tf b/aws/terraform/us-gov-west-1/org-creation/org.tf
index d1c9294..641890b 100644
--- a/aws/terraform/us-gov-west-1/org-creation/org.tf
+++ b/aws/terraform/us-gov-west-1/org-creation/org.tf
@@ -5,23 +5,23 @@ module "org" {
     aws = aws.mgmt
   }
-  feature_set = "ALL"
-  aws_region = var.aws_region
-  aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
-  resource_prefix = var.resource_prefix
-  s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
-  org_member_account_numbers = var.org_member_account_numbers
-  delegated_admin_account_id = var.delegated_admin_account_id
+  feature_set = "ALL"
+  aws_region = var.aws_region
+  aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
+  resource_prefix = var.resource_prefix
+  s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
+  org_member_account_numbers = var.org_member_account_numbers
+  delegated_admin_account_id = var.delegated_admin_account_id
   delegated_service_principal = var.delegated_service_principal
-  enabled_policy_types = var.enabled_policy_types
-  service_access_principals = var.service_access_principals
+  enabled_policy_types = var.enabled_policy_types
+  service_access_principals = var.service_access_principals
 }
 resource "aws_organizations_organizational_unit" "ou" {
   depends_on = [module.org]
-  name = "app_ou"
-  parent_id = module.org.org_roots[0]["id"]
+  name = "app_ou"
+  parent_id = module.org.org_roots[0]["id"]
 }
diff --git a/aws/terraform/us-gov-west-1/org-creation/outputs.tf b/aws/terraform/us-gov-west-1/org-creation/outputs.tf
index cf075a8..4e0c54f 100644
--- a/aws/terraform/us-gov-west-1/org-creation/outputs.tf
+++ b/aws/terraform/us-gov-west-1/org-creation/outputs.tf
@@ -1,5 +1,5 @@
 output "accounts" {
-  value = module.org.accounts
+  value = module.org.accounts
   description = "List of org accounts including master"
 }
diff --git a/aws/terraform/us-gov-west-1/org-creation/provider.tf b/aws/terraform/us-gov-west-1/org-creation/provider.tf
index 13c98b6..abe9ab7 100644
--- a/aws/terraform/us-gov-west-1/org-creation/provider.tf
+++ b/aws/terraform/us-gov-west-1/org-creation/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
   region = var.default_aws_region
   skip_region_validation = "true"
-  profile = "pak-mgmt"
-  alias = "mgmt"
-  use_fips_endpoint = true # FIPs endpoints for govcloud
+  profile = "pak-mgmt"
+  alias = "mgmt"
+  use_fips_endpoint = true # FIPs endpoints for govcloud
 }
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/org-creation/tstate.tf b/aws/terraform/us-gov-west-1/org-creation/tstate.tf
index f49316b..50cfbc0 100644
--- a/aws/terraform/us-gov-west-1/org-creation/tstate.tf
+++ b/aws/terraform/us-gov-west-1/org-creation/tstate.tf
@@ -5,7 +5,7 @@ terraform {
       source = "hashicorp/aws"
       version = "~> 5.0"
     }
-}
+  }
   backend "s3" {
     bucket = "pak-us-gov-west-1-tf-state"
     region = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/org-creation/variables.tf b/aws/terraform/us-gov-west-1/org-creation/variables.tf
index c6b69c7..74c39eb 100644
--- a/aws/terraform/us-gov-west-1/org-creation/variables.tf
+++ b/aws/terraform/us-gov-west-1/org-creation/variables.tf
@@ -1,6 +1,6 @@
 variable "service_access_principals" {
   description = "List of AWS Service Access Principals that you want to enable for organization integration"
-  type = list(string)
+  type = list(string)
   default = [
     "cloudtrail.amazonaws.com",
     "config.amazonaws.com",
@@ -16,31 +16,31 @@ variable "enabled_policy_types" {
 variable "feature_set" {
   description = "Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED_BILLING."
-  default = "ALL"
+  default = "ALL"
 }
 variable "delegated_admin_account_id" {
-  description = "The account ID number of the member account in the organization to register as a delegated administrator."v
+  description = "The account ID number of the member account in the organization to register as a delegated administrator."
 }
 variable "delegated_service_principal" {
   description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
-  default = "principal"
+  default = "principal"
 }
 variable "aws_new_member_account_name" {
   description = "The Friendly name for the member account."
-  default = null
+  default = null
 }
 variable "aws_new_member_account_email" {
   description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
-  default = null
+  default = null
 }
 variable "ou_creation_info" {
   description = "list of names of OU to create and their corresponding delegated admins"
-  default = null
+  default = null
 }
 variable "aws_region" {
@@ -53,7 +53,7 @@ variable "resource_prefix" {
 }
 variable "finding_publishing_frequency" {
-  type = string
+  type = string
   default = "ONE_HOUR"
 }
@@ -63,17 +63,17 @@ variable "aws_sec_hub_standards_arn" {
 variable "aws_guardduty_datasources_enable_S3" {
   description = "Configuration for the collected datasources."
-  default = true
+  default = true
 }
 variable "aws_guardduty_datasources_enable_k8_audit_logs" {
   description = "Configuration for the collected datasources."
-  default = true
+  default = true
 }
 variable "aws_guardduty_datasources_enable_malware_protection_ebs" {
   description = "Configuration for the collected datasources."
-  default = true
+  default = true
 }
 variable "s3_kms_key_arn" {
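Review bot: With the stray `v` gone, `variable "delegated_admin_account_id"` parses again, but it still declares no `type` while its sibling `finding_publishing_frequency` in the same file does; add `type = string` so a numeric literal in a tfvars file is not silently coerced and a leading-zero account ID is not mangled. The neighbouring `delegated_service_principal` keeps `default = "principal"`, which looks like a placeholder rather than an AWS service principal, and org.tf (elsewhere in this diff) passes it straight to the org module; consider dropping that default so callers must supply a real value. A `validation` block on `delegated_admin_account_id` checking `can(regex("^[0-9]{12}$", var.delegated_admin_account_id))` would catch the 13-digit sample values this diff's vars.tfvars ships.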
@@ -82,22 +82,22 @@ variable "s3_kms_key_arn" {
 variable "create_org_config" {
   description = "True/False statement whether to enable AWS Config in the Organization"
-  default = true
+  default = true
 }
 variable "create_org_guardduty" {
   description = "True/False statement whether to enable AWS GuardDuty in the Organization"
-  default = true
+  default = true
 }
 variable "create_org_cloudtrail" {
   description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
-  default = true
+  default = true
 }
 variable "create_org_securityhub" {
   description = "True/False statement whether to enable AWS Security Hub in the Organization"
-  default = true
+  default = true
 }
 variable "org_member_account_numbers" {
diff --git a/aws/terraform/us-gov-west-1/org-creation/vars.tfvars b/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
index e4a29cb..a18b205 100644
--- a/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
+++ b/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
@@ -1,12 +1,12 @@
 service_access_principals = [
-  "cloudtrail.amazonaws.com",
-  "config.amazonaws.com",
-  "securityhub.amazonaws.com",
-  "guardduty.amazonaws.com",
-  "config-multiaccountsetup.amazonaws.com"]
-enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
-feature_set = "ALL"
-resource_prefix = "pak"
+  "cloudtrail.amazonaws.com",
+  "config.amazonaws.com",
+  "securityhub.amazonaws.com",
+  "guardduty.amazonaws.com",
+"config-multiaccountsetup.amazonaws.com"]
+enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
+feature_set = "ALL"
+resource_prefix = "pak"
 org_member_account_numbers = ["1111111111111"]
 delegated_admin_account_id = "1111111111111"
-aws_region = "us-gov-west-1"
\ No newline at end of file
+aws_region = "us-gov-west-1"
\ No newline at end of file
diff --git a/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf b/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf
index b8e0e13..2562716 100644
--- a/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf
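Review bot: The reindented `service_access_principals` list in vars.tfvars leaves its last element out of line: `"config-multiaccountsetup.amazonaws.com"]` now sits at column 0 with the closing bracket glued to the string while the four entries above it are indented, which is what a formatting-only commit is supposed to remove. Indent it like its siblings, add a trailing comma, and put `]` on its own line so later additions diff cleanly. Separately, the sample values `org_member_account_numbers = ["1111111111111"]` and `delegated_admin_account_id = "1111111111111"` are 13 digits, whereas AWS account IDs are 12; anyone copying this tfvars verbatim gets an apply-time error rather than an obvious placeholder, so a 12-digit dummy such as `"111111111111"` or a comment marking them as placeholders would be clearer.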
+++ b/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf
@@ -5,7 +5,7 @@ terraform {
       source = "hashicorp/aws"
       version = "~> 5.0"
     }
-}
+  }
   backend "s3" {
     bucket = "pak-us-gov-west-1-tf-state"
     region = "us-gov-west-1"