Coalfire-CF · douglas-f · Jan 25, 2024 · Jan 2, 2024
diff --git a/README.md b/README.md
@@ -22,7 +22,6 @@ Learn more at [Coalfire OpenSource](https://coalfire.com/opensource).
 | Directory | Purpose |
 | --------- | ------- |
 | `aws/terraform/us-gov-west-1/management-account/day0` | Account Setup Terraform files |
-| `aws/terraform/us-gov-west-1/management-account/rds` | RDS Database Terraform files |
 | `aws/terraform/us-gov-west-1/global-vars.tf` | Global variables |
 | `aws/terraform/us-gov-west-1/networking` | Networking deployment Terraform files |
 | `aws/terraform/us-gov-west-1/org-creation` | AWS Organization Terraform files |

diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf b/aws/terraform/us-gov-west-1/management-account/bastion/bastion.tf
@@ -23,10 +23,10 @@ module "win_bastion" {
  ami = data.aws_ami.ami.id
  ec2_instance_type = var.instance_size
  instance_count = var.instance_count
- associate_eip = var.associate_eip
+ associate_eip  = var.associate_eip
 
- vpc_id = data.terraform_remote_state.networking.outputs.mgmt_vpc_id
- subnet_ids = [ data.terraform_remote_state.networking.outputs.public_subnets[0]]
+ vpc_id  = data.terraform_remote_state.networking.outputs.mgmt_vpc_id
+ subnet_ids  = [data.terraform_remote_state.networking.outputs.public_subnets[0]]
  ec2_key_pair = var.key_name
  ebs_kms_key_arn = data.terraform_remote_state.day0.outputs.ebs_kms_key_arn
 
@@ -40,7 +40,7 @@ module "win_bastion" {
  from_port = "3389"
  to_port = "3389"
  cidr_blocks = [data.terraform_remote_state.networking.outputs.mgmt_vpc_cidr]
- }
+  }
  ]
 
  egress_rules = [{

diff --git a/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf b/aws/terraform/us-gov-west-1/management-account/bastion/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
  region = var.aws_region
  skip_region_validation = "true"
- profile = "pak-mgmt"
- alias = "mgmt"
- use_fips_endpoint = true
+ profile  = "pak-mgmt"
+ alias  = "mgmt"
+ use_fips_endpoint  = true
 }
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/README.md b/aws/terraform/us-gov-west-1/management-account/day0/README.md
@@ -46,7 +46,7 @@ terraform {
 ## tfvars Example
 ``` hcl
 resource_prefix = "<customer-prefix>"
-aws_region = "<aws-region>"
+aws_region  = "<aws-region>"
 ```
 
 ## Deployment Steps

diff --git a/aws/terraform/us-gov-west-1/management-account/day0/data.tf b/aws/terraform/us-gov-west-1/management-account/day0/data.tf
@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "eks_key" {
  actions = ["kms:*"]
  resources = ["*"]
  principals {
- type  = "AWS"
+ type = "AWS"
  identifiers = [
  "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"
  ]

diff --git a/aws/terraform/us-gov-west-1/management-account/day0/main.tf b/aws/terraform/us-gov-west-1/management-account/day0/main.tf
@@ -4,16 +4,16 @@ module "account-setup" {
  aws = aws.mgmt
  }
 
- resource_prefix = var.resource_prefix
- account_number = "${data.aws_caller_identity.current.account_id}"
- aws_region = var.aws_region
- default_aws_region = var.aws_region
+ resource_prefix  = var.resource_prefix
+ account_number  = data.aws_caller_identity.current.account_id
+ aws_region  = var.aws_region
+ default_aws_region  = var.aws_region
  application_account_numbers = ["${data.aws_caller_identity.current.account_id}"]
  additional_kms_keys = [
- {
- name = "eks"
- policy = "${data.aws_iam_policy_document.eks_key.json}"
- },
+  {
+  name  = "eks"
+  policy = "${data.aws_iam_policy_document.eks_key.json}"
+  },
 
-]
+ ]
 }
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/provider.tf b/aws/terraform/us-gov-west-1/management-account/day0/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
  region = var.aws_region
  skip_region_validation = "true"
- profile = "mgmt"
- alias = "mgmt"
- use_fips_endpoint = true
+ profile  = "mgmt"
+ alias  = "mgmt"
+ use_fips_endpoint  = true
 }
diff --git a/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf b/aws/terraform/us-gov-west-1/management-account/day0/tstate.tf
@@ -5,7 +5,7 @@ terraform {
  source = "hashicorp/aws"
  version = "~> 5.0"
  }
-}
+ }
  backend "s3" {
  bucket = "pak-us-gov-west-1-tf-state"
  region = "us-gov-west-1"

diff --git a/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars b/aws/terraform/us-gov-west-1/management-account/day0/vars.tfvars
@@ -1,2 +1,2 @@
 resource_prefix = "pak"
-aws_region = "us-gov-west-1"
+aws_region  = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/networking/outputs.tf b/aws/terraform/us-gov-west-1/networking/outputs.tf
@@ -1,39 +1,39 @@
 output "mgmt_vpc_id" {
  description = "VPC id of deployed mgmt VPC"
- value = module.mgmt_vpc.vpc_id
+ value  = module.mgmt_vpc.vpc_id
 }
 
 output "firewall_subnets" {
  description = "subnet ids of deployed firewall subnets"
- value = module.mgmt_vpc.firewall_subnets
+ value  = module.mgmt_vpc.firewall_subnets
 }
 
 output "public_subnets" {
  description = "subnet ids of deployed public subnets"
- value = module.mgmt_vpc.public_subnets
+ value  = module.mgmt_vpc.public_subnets
 }
 
 output "private_subnets" {
  description = "subnet ids of deployed private subnets"
- value = module.mgmt_vpc.private_subnets
+ value  = module.mgmt_vpc.private_subnets
 }
 
 output "database_subnets" {
  description = "subnet ids of deployed firewall subnets"
- value = module.mgmt_vpc.database_subnets
+ value  = module.mgmt_vpc.database_subnets
 }
 
 output "redshift_subnets" {
  description = "subnet ids of deployed public subnets"
- value = module.mgmt_vpc.redshift_subnets
+ value  = module.mgmt_vpc.redshift_subnets
 }
 
 output "elasticache_subnets" {
  description = "subnet ids of deployed private subnets"
- value = module.mgmt_vpc.elasticache_subnets
+ value  = module.mgmt_vpc.elasticache_subnets
 }
 
-output "mgmt_vpc_cidr"{
+output "mgmt_vpc_cidr" {
  description = "mgmt vpc cidr block"
- value = module.mgmt_vpc.vpc_cidr_block
+ value  = module.mgmt_vpc.vpc_cidr_block
 }
diff --git a/aws/terraform/us-gov-west-1/networking/provider.tf b/aws/terraform/us-gov-west-1/networking/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
  region = var.aws_region
  skip_region_validation = "true"
- profile = "pak-mgmt"
- alias = "mgmt"
- use_fips_endpoint = true  # FIPs endpoints for govcloud
+ profile  = "pak-mgmt"
+ alias  = "mgmt"
+ use_fips_endpoint  = true # FIPs endpoints for govcloud
 }
diff --git a/aws/terraform/us-gov-west-1/networking/tstate.tf b/aws/terraform/us-gov-west-1/networking/tstate.tf
@@ -5,7 +5,7 @@ terraform {
  source = "hashicorp/aws"
  version = "~> 5.0"
  }
-}
+ }
  backend "s3" {
  bucket = "pak-us-gov-west-1-tf-state"
  region = "us-gov-west-1"

diff --git a/aws/terraform/us-gov-west-1/networking/vars.tfvars b/aws/terraform/us-gov-west-1/networking/vars.tfvars
@@ -1,6 +1,6 @@
-resource_prefix = "pak"
-deploy_aws_nfw = false
-aws_region = "us-gov-west-1"
+resource_prefix  = "pak"
+deploy_aws_nfw  = false
+aws_region  = "us-gov-west-1"
 cidrs_for_remote_access = [""]
-mgmt_vpc_cidr = "10.0.0.0/16"
-profile = "pak-mgmt"
+mgmt_vpc_cidr  = "10.0.0.0/16"
+profile  = "pak-mgmt"
diff --git a/aws/terraform/us-gov-west-1/org-creation/org.tf b/aws/terraform/us-gov-west-1/org-creation/org.tf
@@ -5,23 +5,23 @@ module "org" {
  aws = aws.mgmt
  }
 
- feature_set = "ALL"
- aws_region = var.aws_region
- aws_sec_hub_standards_arn = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
- resource_prefix = var.resource_prefix
- s3_kms_key_arn = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
- org_member_account_numbers = var.org_member_account_numbers
- delegated_admin_account_id = var.delegated_admin_account_id
+ feature_set  = "ALL"
+ aws_region  = var.aws_region
+ aws_sec_hub_standards_arn  = ["arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/cis-aws-foundations-benchmark/v/1.4.0", "arn:${data.aws_partition.current.partition}:securityhub:${var.aws_region}::standards/aws-foundational-security-best-practices/v/1.0.0"]
+ resource_prefix  = var.resource_prefix
+ s3_kms_key_arn  = data.terraform_remote_state.day0.outputs.s3_kms_key_arn
+ org_member_account_numbers  = var.org_member_account_numbers
+ delegated_admin_account_id  = var.delegated_admin_account_id
  delegated_service_principal = var.delegated_service_principal
- enabled_policy_types = var.enabled_policy_types
- service_access_principals = var.service_access_principals
+ enabled_policy_types  = var.enabled_policy_types
+ service_access_principals  = var.service_access_principals
 }
 
 
 resource "aws_organizations_organizational_unit" "ou" {
  depends_on = [module.org]
- name = "app_ou"
- parent_id = module.org.org_roots[0]["id"]
+ name  = "app_ou"
+ parent_id  = module.org.org_roots[0]["id"]
 }
 
 

diff --git a/aws/terraform/us-gov-west-1/org-creation/outputs.tf b/aws/terraform/us-gov-west-1/org-creation/outputs.tf
@@ -1,5 +1,5 @@
 output "accounts" {
- value = module.org.accounts
+ value  = module.org.accounts
  description = "List of org accounts including master"
 }
 

diff --git a/aws/terraform/us-gov-west-1/org-creation/provider.tf b/aws/terraform/us-gov-west-1/org-creation/provider.tf
@@ -1,7 +1,7 @@
 provider "aws" {
  region = var.default_aws_region
  skip_region_validation = "true"
- profile = "pak-mgmt"
- alias = "mgmt"
- use_fips_endpoint = true  # FIPs endpoints for govcloud
+ profile  = "pak-mgmt"
+ alias  = "mgmt"
+ use_fips_endpoint  = true # FIPs endpoints for govcloud
 }
diff --git a/aws/terraform/us-gov-west-1/org-creation/tstate.tf b/aws/terraform/us-gov-west-1/org-creation/tstate.tf
@@ -5,7 +5,7 @@ terraform {
  source = "hashicorp/aws"
  version = "~> 5.0"
  }
-}
+ }
  backend "s3" {
  bucket = "pak-us-gov-west-1-tf-state"
  region = "us-gov-west-1"

diff --git a/aws/terraform/us-gov-west-1/org-creation/variables.tf b/aws/terraform/us-gov-west-1/org-creation/variables.tf
@@ -1,6 +1,6 @@
 variable "service_access_principals" {
  description = "List of AWS Service Access Principals that you want to enable for organization integration"
- type = list(string)
+ type  = list(string)
  default = [
  "cloudtrail.amazonaws.com",
  "config.amazonaws.com",
@@ -16,31 +16,31 @@ variable "enabled_policy_types" {
 
 variable "feature_set" {
  description = "Feature set to be used with Org and member accounts Specify ALL(default) or CONSOLIDATED_BILLING."
- default = "ALL"
+ default  = "ALL"
 }
 
 variable "delegated_admin_account_id" {
- description = "The account ID number of the member account in the organization to register as a delegated administrator."v
+ description = "The account ID number of the member account in the organization to register as a delegated administrator."
 }
 
 variable "delegated_service_principal" {
  description = "The service principal of the AWS service for which you want to make the member account a delegated administrator."
- default = "principal"
+ default  = "principal"
 }
 
 variable "aws_new_member_account_name" {
  description = "The Friendly name for the member account."
- default = null
+ default  = null
 }
 
 variable "aws_new_member_account_email" {
  description = "The Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
- default = null
+ default  = null
 }
 
 variable "ou_creation_info" {
  description = "list of names of OU to create and their corresponding delegated admins"
- default = null
+ default  = null
 }
 
 variable "aws_region" {
@@ -53,7 +53,7 @@ variable "resource_prefix" {
 }
 
 variable "finding_publishing_frequency" {
- type = string
+ type  = string
  default = "ONE_HOUR"
 }
 
@@ -63,17 +63,17 @@ variable "aws_sec_hub_standards_arn" {
 
 variable "aws_guardduty_datasources_enable_S3" {
  description = "Configuration for the collected datasources."
- default = true
+ default  = true
 }
 
 variable "aws_guardduty_datasources_enable_k8_audit_logs" {
  description = "Configuration for the collected datasources."
- default = true
+ default  = true
 }
 
 variable "aws_guardduty_datasources_enable_malware_protection_ebs" {
  description = "Configuration for the collected datasources."
- default = true
+ default  = true
 }
 
 variable "s3_kms_key_arn" {
@@ -82,22 +82,22 @@ variable "s3_kms_key_arn" {
 
 variable "create_org_config" {
  description = "True/False statement whether to enable AWS Config in the Organization"
- default = true
+ default  = true
 }
 
 variable "create_org_guardduty" {
  description = "True/False statement whether to enable AWS GuardDuty in the Organization"
- default = true
+ default  = true
 }
 
 variable "create_org_cloudtrail" {
  description = "True/False statement whether to enable AWS Cloudtrail in the Organization"
- default = true
+ default  = true
 }
 
 variable "create_org_securityhub" {
  description = "True/False statement whether to enable AWS Security Hub in the Organization"
- default = true
+ default  = true
 }
 
 variable "org_member_account_numbers" {

diff --git a/aws/terraform/us-gov-west-1/org-creation/vars.tfvars b/aws/terraform/us-gov-west-1/org-creation/vars.tfvars
@@ -1,12 +1,12 @@
 service_access_principals = [
-  "cloudtrail.amazonaws.com",
-  "config.amazonaws.com",
-  "securityhub.amazonaws.com",
-  "guardduty.amazonaws.com",
- "config-multiaccountsetup.amazonaws.com"]
-enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
-feature_set = "ALL"
-resource_prefix = "pak"
+ "cloudtrail.amazonaws.com",
+ "config.amazonaws.com",
+ "securityhub.amazonaws.com",
+ "guardduty.amazonaws.com",
+"config-multiaccountsetup.amazonaws.com"]
+enabled_policy_types  = ["SERVICE_CONTROL_POLICY"]
+feature_set  = "ALL"
+resource_prefix  = "pak"
 org_member_account_numbers = ["1111111111111"]
 delegated_admin_account_id = "1111111111111"
-aws_region = "us-gov-west-1"
+aws_region  = "us-gov-west-1"
diff --git a/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf b/aws/terraform/us-gov-west-1/org-onboarding/tstate.tf
@@ -5,7 +5,7 @@ terraform {
  source = "hashicorp/aws"
  version = "~> 5.0"
  }
-}
+ }
  backend "s3" {
  bucket = "pak-us-gov-west-1-tf-state"
  region = "us-gov-west-1"