Terraform code to deploy a Cyber Hygiene (CyHy) environment in AWS
cisagov/cyhy-tf-root
cyhy-tf-root
This is a Terraform root module that can be used to create a Cyber Hygiene (CyHy) environment in AWS.

Pre-requisites

  • Terraform installed on your system.

  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).

  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).

  • To configure a CyHy account within a COOL environment, we strongly recommend using cisagov/cool-accounts-cyhy.

  • A cyhy-cvesync Lambda deployment package stored in an S3 bucket (see the cvesync_lambda_s3_bucket and cvesync_lambda_s3_key variables).

  • A cyhy-kevsync Lambda deployment package stored in an S3 bucket (see the kevsync_lambda_s3_bucket and kevsync_lambda_s3_key variables).

  • Valid CyHy configurations stored in the Systems Manager (SSM) Parameter Store of the Cyber Hygiene account for:

    • The cyhy-cvesync Lambda (see the cvesync_lambda_config_ssm_key variable)
    • The cyhy-kevsync Lambda (see the kevsync_lambda_config_ssm_key variable)

  • A Terraform variables file customized for your use case, for example:

    cvesync_lambda_s3_bucket = "my-lambda-deployment-artifacts"
    kevsync_lambda_s3_bucket = "my-lambda-deployment-artifacts"
    ssh_public_key_path      = "/home/.ssh"
    
    tags = {
      Team        = "DevSecOps"
      Application = "Cyber Hygiene"
    }

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.1 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws.provisionaccount | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_key_pair | cloudposse/key-pair/aws | 0.18.3 |
| cvesync_eventbridge | terraform-aws-modules/eventbridge/aws | 3.11.0 |
| cvesync_lambda | terraform-aws-modules/lambda/aws | 7.9.0 |
| documentdb-cluster | cloudposse/documentdb-cluster/aws | 0.27.0 |
| ec2 | cloudposse/ec2-instance/aws | 1.6.0 |
| kevsync_eventbridge | terraform-aws-modules/eventbridge/aws | 3.11.0 |
| kevsync_lambda | terraform-aws-modules/lambda/aws | 7.9.0 |
| subnets | cloudposse/dynamic-subnets/aws | 2.4.2 |
| vpc | cloudposse/vpc/aws | 2.1.1 |

Resources

| Name | Type |
|------|------|
| aws_lambda_invocation.cvesync | resource |
| aws_lambda_invocation.kevsync | resource |
| aws_security_group_rule.egress_from_ec2_to_documentdb | resource |
| aws_security_group_rule.ingress_from_ec2_to_documentdb | resource |
| aws_caller_identity.cyhy | data source |
| aws_s3_object.cvesync_lambda | data source |
| aws_s3_object.kevsync_lambda | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_availability_zones | The list of AWS availability zones to deploy into (e.g. ["us-east-1a", "us-east-1b", "us-east-1c"]). | list(string) | [ "us-east-1a", "us-east-1b", "us-east-1c" ] | no |
| aws_region | The AWS region to deploy into (e.g. "us-east-1"). | string | "us-east-1" | no |
| cvesync_lambda_cloudwatch_logs_retention_in_days | The number of days to retain CloudWatch logs for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | number | 90 | no |
| cvesync_lambda_config_ssm_key | The SSM key that contains the configuration to use for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | string | "/cyhy-cvesync/config" | no |
| cvesync_lambda_description | The description to associate with the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | string | "Syncs CVE data to the database in the Cyber Hygiene account." | no |
| cvesync_lambda_env_variables | The environment variables to set for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | map(string) | {} | no |
| cvesync_lambda_handler | The handler to use for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | string | "lambda_handler.handler" | no |
| cvesync_lambda_memory | The amount of memory (in MB) to allocate to the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | number | 2048 | no |
| cvesync_lambda_name | The name to assign the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | string | "cyhy-cvesync" | no |
| cvesync_lambda_runtime | The runtime to use for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | string | "python3.12" | no |
| cvesync_lambda_s3_bucket | The name of the S3 bucket where the cyhy-cvesync Lambda deployment package is stored. | string | n/a | yes |
| cvesync_lambda_s3_key | The key of the cyhy-cvesync Lambda deployment package in the S3 bucket. | string | "cyhy-cvesync-lambda.zip" | no |
| cvesync_lambda_schedule | The EventBridge expression that represents when to run the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. The default value indicates that the Lambda will run every day at 5:00 AM UTC. See https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html for details on EventBridge expression syntax. | string | "cron(0 5 * * ? *)" | no |
| cvesync_lambda_timeout | The timeout (in seconds) to use for the Lambda function that syncs CVE data to the database in the Cyber Hygiene account. | number | 900 | no |
| db_cluster_size | The number of instances to use for the DocumentDB cluster. | number | 3 | no |
| db_instance_class | The instance class to use for the DocumentDB cluster. | string | "db.r5.large" | no |
| db_name | The name of the database to create. | string | "cyhy" | no |
| db_password | The master password for the database user. | string | n/a | yes |
| db_port | The port to use for the DocumentDB cluster. | number | 27017 | no |
| db_username | The master username for the database user. | string | n/a | yes |
| ec2_trusted_ingress_cidr_blocks | The CIDR blocks to allow access to the EC2 instance. | list(string) | [] | no |
| kevsync_lambda_cloudwatch_logs_retention_in_days | The number of days to retain CloudWatch logs for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | number | 90 | no |
| kevsync_lambda_config_ssm_key | The SSM key that contains the configuration to use for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | string | "/cyhy-kevsync/config" | no |
| kevsync_lambda_description | The description to associate with the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | string | "Syncs KEV data to the database in the Cyber Hygiene account." | no |
| kevsync_lambda_env_variables | The environment variables to set for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | map(string) | {} | no |
| kevsync_lambda_handler | The handler to use for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | string | "lambda_handler.handler" | no |
| kevsync_lambda_name | The name to assign the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | string | "cyhy-kevsync" | no |
| kevsync_lambda_runtime | The runtime to use for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | string | "python3.12" | no |
| kevsync_lambda_s3_bucket | The name of the S3 bucket where the cyhy-kevsync Lambda deployment package is stored. | string | n/a | yes |
| kevsync_lambda_s3_key | The key of the cyhy-kevsync Lambda deployment package in the S3 bucket. | string | "cyhy-kevsync-lambda.zip" | no |
| kevsync_lambda_schedule | The EventBridge expression that represents when to run the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. The default value indicates that the Lambda will run every day at 6:00 AM UTC. See https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-scheduled-rule-pattern.html for details on EventBridge expression syntax. | string | "cron(0 6 * * ? *)" | no |
| kevsync_lambda_timeout | The timeout (in seconds) to use for the Lambda function that syncs KEV data to the database in the Cyber Hygiene account. | number | 300 | no |
| ssh_public_key_path | The local path to store the SSH public key used to access the EC2 instance. | string | n/a | yes |
| tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
| vpc_cidr_block | The CIDR block to use for the VPC (e.g. "10.0.0.0/16"). | string | "10.0.0.0/16" | no |
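
Before running terraform apply, it is worth linting the variables file described in the pre-requisites against the inputs above: the ec2_trusted_ingress_cidr_blocks list should not contain an open CIDR, db_password should not be committed, and the two Lambda schedules must be valid EventBridge cron expressions. The following checker is an added example, not part of cyhy-tf-root; the tfvars content it parses is constructed (the README's sample plus three deliberately weak settings), and the mini HCL parser only handles the flat name = value subset a tfvars file uses.

```python
import ipaddress
import re

# Constructed sample: the README's variables file plus an open CIDR, a committed db_password and a bad kevsync cron.
SAMPLE_TFVARS = '''
cvesync_lambda_s3_bucket = "my-lambda-deployment-artifacts"
ec2_trusted_ingress_cidr_blocks = ["0.0.0.0/0"]
cvesync_lambda_schedule = "cron(0 5 * * ? *)"
kevsync_lambda_schedule = "cron(0 6 * * * *)"
db_password = "hunter2"
tags = {
  Team        = "DevSecOps"
  Application = "Cyber Hygiene"
}
'''

def parse_tfvars(text):
    """Parse the flat name = value subset of HCL used in tfvars: strings and string lists; map bodies are skipped."""
    result, in_map = {}, False
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].strip()        # drop comments (values here contain no '#')
        if in_map:                                      # inside tags = { ... }: wait for the closing brace
            in_map = stripped != '}'
        elif m := re.match(r'(\w+)\s*=\s*(.+)$', stripped):
            name, raw = m.groups()
            if raw.startswith('{'):
                result[name], in_map = {}, not raw.endswith('}')
            else:
                result[name] = re.findall(r'"([^"]*)"', raw) if raw.startswith('[') else raw.strip('"')
    return result

def valid_eventbridge_cron(expr):
    """EventBridge cron() takes six fields, and exactly one of day-of-month and day-of-week must be '?'."""
    m = re.fullmatch(r'cron\(([^)]*)\)', expr)
    fields = m.group(1).split() if m else []
    return len(fields) == 6 and (fields[2] == '?') != (fields[4] == '?')

def check_tfvars(tfvars):
    """Return the findings for a parsed variables file; an empty list means it passed."""
    findings = []
    for cidr in tfvars.get('ec2_trusted_ingress_cidr_blocks', []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:   # 0.0.0.0/0 or ::/0
            findings.append(f'ec2_trusted_ingress_cidr_blocks: {cidr} lets the whole internet reach the EC2 instance')
    if 'db_password' in tfvars:
        findings.append('db_password: supply it via TF_VAR_db_password, not a committed tfvars file')
    for name in ('cvesync_lambda_schedule', 'kevsync_lambda_schedule'):
        if name in tfvars and not valid_eventbridge_cron(tfvars[name]):
            findings.append(f'{name}: {tfvars[name]} is not a valid EventBridge cron expression')
    return findings
```

Run it as `python -c 'import lint; print(*lint.check_tfvars(lint.parse_tfvars(open("terraform.tfvars").read())), sep="\n")'` against your own file; the sample above produces three findings.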

Outputs

| Name | Description |
|------|-------------|
| documentdb_arn | The ARN of the DocumentDB cluster. |
| documentdb_endpoint | The endpoint of the DocumentDB cluster. |
| documentdb_sg_arn | The ARN of the DocumentDB cluster security group. |
| ec2 | The EC2 instance that is allowed to access the DocumentDB cluster. |
| subnets | The subnets within the CyHy VPC. |
| vpc | The CyHy VPC. |

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.