The purpose of this module is to provision the baseline requirements for a landing zone environment, and to provide a pattern moving forward for pipeline access.
Add example usage here
## Provision the Landing Zone Access permissions
module "landing_zone" {
source = "appvia/cloudaccess-lza/aws"
version = "0.0.1"
aws_accounts = {
network = var.aws_accounts["network"]
management = var.aws_accounts["management"]
}
repositories = {
accelerator_repository_url = var.landing_zone_repositories.accelerator_repository_url
connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
firewall_repository_url = var.landing_zone_repositories.firewall_repository_url
identity_repository_url = var.landing_zone_repositories.identity_repository_url
}
tags = var.tags
providers = {
management = aws.management
network = aws.network
}
}This module can configure CIS alarms and notifications. To enable this functionality, set the enable_cis_alarms variable to true. These will use a CloudWatch log group, defaulting to the AWS Control Tower organizational trail. In order to receive notifications on this events
- Use the
notifications_emailsvariable to specify a list of email addresses to send notifications to.
enable_cis_alarms = true
enable_email_notifications = true
notifications = {
email = {
addresses = ["security@example.com"]
}
}For notifications to slack
- Configuration the notifications block accordingly
enable_email_notifications = true
notifications = {
slack = {
webhook_url = "https://hooks.slack.com/services/..."
channel = "cloud-notifications"
}
}
accounts_id_to_name = {
"1234567890" = "mgmt"
}
cloudwatch_log_group_retention = 3
identity_center_start_url = "<your identity center start url - if relevant>"
identity_center_role = "<your your identity center role - consistent across accounts typically read only - if relevant>"The tagging enforcement feature updates the default IAM boundaries deployed by this module to include additional policy blocking the creation of resources without the required tags; defined in the var.enforcable_tags variable. The restrictions will be applied to all actions found in the var.enforcable_tagging_actions. These are the same IAM boundaries which are intended to be used by machine roles (i.e. CI/CD).
Switching on the feature will also deploy a stackset across the entire organization implementing the tagging policy deny logic. This should be referenced by roles within the account.
The IAM policy which is used to enforce the tagging policy follows the below template
- Sid: EnforceTaggingPolicy
Effect: Deny
Action:
%{ for action in actions ~}
- "${action}"
%{ endfor ~}
Resource: [
%{ for resource in resources ~}
- "${resource}"
%{ endfor ~}
Condition:
Null:
%{ for tag in tags ~}
"aws:RequestTag/${tag}": "true"
%{ endfor ~}An example supplying the following tags - Environment, Product, Owner, GitRepo and using the default actions defined in the variables would render to.
- Sid: EnforceTaggingPolicy
Effect: Deny
Action:
- ec2:CreateInternetGateway
- ec2:CreateVolume
- ec2:CreateVpcPeeringConnection
- ec2:RunInstances
- ecs:CreateCluster
- ecs:CreateService
- ecs:CreateTaskSet
- eks:CreateCluster
- elasticfilesystem:CreateAccessPoint
- elasticfilesystem:CreateFileSystem
- elasticloadbalancing:CreateListener
- elasticloadbalancing:CreateLoadBalancer
- elasticloadbalancing:CreateRule
- elasticloadbalancing:CreateTargetGroup
- elasticloadbalancing:CreateTrustStore
- network-firewall:CreateFirewall
- network-firewall:CreateFirewallPolicy
- network-firewall:CreateRuleGroup
- ram:CreatePermission
- ram:CreateResourceShare
- redshift:CreateCluster
- redshift:CreateClusterParameterGroup
- redshift:CreateClusterSecurityGroup
- redshift:CreateClusterSubnetGroup
- route53:CreateHostedZone
- secretsmanager:CreateSecret
Resource: ["*"]
Condition:
Null:
"aws:RequestTag/Environment": "true"
"aws:RequestTag/Product": "true"
"aws:RequestTag/Owner": "true"
"aws:RequestTag/GitRepo": "true"The terraform-docs utility is used to generate this README. Follow the below steps to update:
- Make changes to the
.terraform-docs.ymlfile - Fetch the
terraform-docsbinary (https://terraform-docs.io/user-guide/installation/) - Run
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| archive | ~> 2.0 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| archive | 2.6.0 |
| aws | 5.67.0 |
| aws.audit | 5.67.0 |
| aws.management | 5.67.0 |
| aws.network | 5.67.0 |
| Name | Source | Version |
|---|---|---|
| alarm_baseline | appvia/alarm-baseline/aws | 0.2.5 |
| cost_management | appvia/oidc/aws//modules/role | 1.3.2 |
| default_boundary | appvia/boundary-stack/aws | 0.1.7 |
| management_landing_zone | appvia/oidc/aws//modules/role | 1.3.2 |
| management_sso_identity | appvia/oidc/aws//modules/role | 1.3.2 |
| network_inspection_vpc_admin | appvia/oidc/aws//modules/role | 1.3.2 |
| network_transit_gateway_admin | appvia/oidc/aws//modules/role | 1.3.2 |
| permissive_boundary | appvia/boundary-stack/aws | 0.1.7 |
| securityhub_notifications | appvia/notifications/aws | 1.0.4 |
| tagging_boundary | appvia/boundary-stack/aws | 0.1.7 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| accounts_id_to_name | A mapping of account id and account name - used by notification lamdba to map an account ID to a human readable name | map(string) |
{} |
no |
| aws_accounts | Map of AWS account names to their account IDs | object({ |
n/a | yes |
| aws_support_role_name | Name of the AWS Support role | string |
"AWSSupportAccessRole" |
no |
| breakglass_users | The number of breakglass users to create | number |
2 |
no |
| cloudaccess_terraform_state_ro_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role | string |
"lza-cloudaccess-tfstate-ro" |
no |
| cloudaccess_terraform_state_rw_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role | string |
"lza-cloudaccess-tfstate-rw" |
no |
| cloudwatch_identity_center_role | The name of the role to use when redirecting through Identity Center for cloudwatch events | string |
null |
no |
| costs_boundary_name | Name of the IAM policy to use as a permissions boundary for cost-related roles | string |
"lza-costs-boundary" |
no |
| default_permissions_boundary_name | Name of the default IAM policy to use as a permissions boundary | string |
"lza-default-boundary" |
no |
| enable_aws_support | Indicates if we should enable AWS Support role | bool |
true |
no |
| enable_breakglass | Indicates if we should enable breakglass users and group | bool |
false |
no |
| enable_cis_alarms | Indicates if we should enable CIS alerts | bool |
true |
no |
| enable_securityhub_alarms | Indicates if we should enable SecurityHub alarms | bool |
true |
no |
| enforcable_tagging_actions | List of enforceable tagging actions | list(string) |
[ |
no |
| enforcable_tagging_policy_name | Name of the IAM policy to use as a permissions boundary for enforceable tags | string |
"lza-enforceable-tags-boundary" |
no |
| enforcable_tagging_resources | List of enforceable tagging resources | list(string) |
[ |
no |
| enforcable_tags | List of enforceable tags | list(string) |
[] |
no |
| identity_center_start_url | The start URL of your Identity Center instance | string |
null |
no |
| notifications | Configuration for the notifications | object({ |
{ |
no |
| permissive_permissions_boundary_name | Name of the permissive IAM policy to use as a permissions boundary | string |
"lza-permissive-boundary" |
no |
| repositories | List of repository locations for the pipelines | object({ |
{} |
no |
| scm_name | Name of the source control management system (github or gitlab) | string |
"github" |
no |
| security_hub_identity_center_role | The name of the role to use when redirecting through Identity Center for security hub events | string |
null |
no |
| securityhub_event_bridge_rule_name | Display name of the EventBridge rule for Security Hub findings | string |
"lza-securityhub-alerts" |
no |
| securityhub_lambda_function_name | Name of the Security Hub Lambda function | string |
"lza-securityhub-lambda-forwarder" |
no |
| securityhub_lambda_log_group_kms_alias | Name of the KMS alias for the CloudWatch log group | string |
"alias/accelerator/kms/cloudwatch/key" |
no |
| securityhub_lambda_role_name | Name of the IAM role for the Security Hub Lambda function | string |
"lza-securityhub-lambda-role" |
no |
| securityhub_lambda_runtime | Runtime for the Security Hub Lambda function | string |
"python3.12" |
no |
| securityhub_severity_filter | Indicates if we should enable SecurityHub | list(string) |
[ |
no |
| securityhub_sns_topic_name | Name of the SNS topic to send Security Hub findings to | string |
"lza-securityhub-alerts" |
no |
| tags | Tags to apply to all resources | map(string) |
n/a | yes |
| Name | Description |
|---|---|
| cloudaccess_terraform_state_ro_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role |
| cloudaccess_terraform_state_rw_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role |
| default_permission_boundary_name | The name of the default permissions iam boundary |
| default_permissive_boundary_name | The name of the default permissive iam boundary |
| identity_role_ro_name | The name of the IAM readonly role which can be assumed by the identity stack in all accounts |
| identity_role_rw_name | The name of the IAM readwrite role which can be assumed by the identity stack in all accounts |
| identity_stack_name | The name of the identity stack |