├── .deepsource.toml ├── .github ├── CODEOWNERS ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── auto_assignee.yml │ ├── automerge.yml │ ├── changelog.yml │ ├── readme.yml │ ├── tf-checks.yml │ ├── tflint.yml │ └── tfsec.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── LICENSE ├── Makefile ├── README.md ├── README.yaml ├── docs └── io.md ├── examples ├── alarm │ └── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── analyzer │ ├── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ └── organisation_account │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── cloudtrail │ ├── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ └── organisation_account │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── config │ └── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── ebs │ └── complete │ │ ├── README.md │ │ └── main.tf ├── guardduty │ ├── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ └── organisation_account │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── iam │ └── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── inspector │ └── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf ├── security-hub │ ├── complete │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ ├── managed_security_hub │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf │ └── organisation_account │ │ ├── README.md │ │ ├── main.tf │ │ └── outputs.tf └── shield │ └── complete │ ├── README.md │ ├── main.tf │ └── outputs.tf └── modules ├── alarm ├── README.md ├── _json │ └── delivery_policy.json ├── data.tf ├── main.tf ├── outputs.tf ├── slack │ ├── build.sh │ ├── slack │ │ ├── build_layer.sh │ │ └── requirements.txt │ └── src │ │ └── index.py ├── variables.tf └── versions.tf ├── analyzer ├── README.md ├── main.tf ├── outputs.tf ├── slack │ ├── build.sh │ ├── slack │ │ ├── build_layer.sh │ │ └── requirements.txt │ └── src │ │ └── index.py ├── 
variables.tf └── versions.tf ├── cloudtrail ├── README.md ├── data.tf ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf ├── config ├── README.md ├── _json │ └── delivery_policy.json ├── data.tf ├── main.tf ├── outputs.tf ├── policies │ ├── acm-certificate-expiration.tpl │ └── password.tpl ├── slack │ ├── build.sh │ ├── slack │ │ ├── build_layer.sh │ │ └── requirements.txt │ └── src │ │ └── index.py ├── variables.tf └── versions.tf ├── ebs ├── README.md ├── main.tf ├── variable.tf └── versions.tf ├── guardduty ├── README.md ├── main.tf ├── outputs.tf ├── slack │ └── index.js ├── templates │ ├── ipset.txt.tpl │ └── threatintelset.txt.tpl ├── variables.tf └── versions.tf ├── iam ├── README.md ├── data.tf ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf ├── inspector ├── README.md ├── assessment │ └── index.js ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf ├── security_hub ├── README.md ├── main.tf ├── outputs.tf ├── variable.tf └── versions.tf └── shield ├── README.md ├── main.tf ├── output.tf ├── variable.tf └── versions.tf /.deepsource.toml: -------------------------------------------------------------------------------- 1 | version = 1 2 | 3 | [[analyzers]] 4 | name = "terraform" 5 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # These owners will be the default owners for everything in the repo. 2 | * @anmolnagpal @clouddrove/approvers @clouddrove-ci 3 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## what 2 | * Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?) 3 | * Use bullet points to be concise and to the point. 
4 | 5 | ## why 6 | * Provide the justifications for the changes (e.g. business case). 7 | * Describe why these changes were made (e.g. why do these commits fix the problem?) 8 | * Use bullet points to be concise and to the point. 9 | 10 | ## references 11 | * Link to any supporting jira issues or helpful documentation to add some context (e.g. stackoverflow). 12 | * Use `closes #123`, if this PR closes a Jira issue `#123` 13 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates 5 | version: 2 6 | updates: 7 | - package-ecosystem: "terraform" # See documentation for possible values 8 | directory: "/" # Location of package manifests 9 | schedule: 10 | interval: "weekly" 11 | # Add assignees 12 | assignees: 13 | - "clouddrove-ci" 14 | # Add reviewer 15 | reviewers: 16 | - "approvers" 17 | - package-ecosystem: "terraform" # See documentation for possible values 18 | directory: "examples/" # Location of package manifests 19 | schedule: 20 | interval: "weekly" 21 | # Add assignees 22 | assignees: 23 | - "clouddrove-ci" 24 | # Add reviewer 25 | reviewers: 26 | - "approvers" 27 | -------------------------------------------------------------------------------- /.github/workflows/auto_assignee.yml: -------------------------------------------------------------------------------- 1 | name: Auto Assign PRs 2 | 3 | on: 4 | pull_request: 5 | types: [opened, reopened] 6 | 7 | workflow_dispatch: 8 | jobs: 9 | assignee: 10 | uses: clouddrove/github-shared-workflows/.github/workflows/auto_assignee.yml@master 11 | 
secrets: 12 | GITHUB: ${{ secrets.GITHUB }} 13 | with: 14 | assignees: 'clouddrove-ci' 15 | -------------------------------------------------------------------------------- /.github/workflows/automerge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Auto merge 3 | on: 4 | pull_request: 5 | jobs: 6 | auto-merge: 7 | uses: clouddrove/github-shared-workflows/.github/workflows/auto_merge.yml@master 8 | secrets: 9 | GITHUB: ${{ secrets.GITHUB }} 10 | with: 11 | tfcheck: 'alarm / Check code format' 12 | ... 13 | -------------------------------------------------------------------------------- /.github/workflows/changelog.yml: -------------------------------------------------------------------------------- 1 | name: changelog 2 | permissions: write-all 3 | on: 4 | push: 5 | tags: 6 | - "*" 7 | workflow_dispatch: 8 | jobs: 9 | changelog: 10 | uses: clouddrove/github-shared-workflows/.github/workflows/changelog.yml@master 11 | secrets: inherit 12 | with: 13 | branch: 'master' 14 | -------------------------------------------------------------------------------- /.github/workflows/readme.yml: -------------------------------------------------------------------------------- 1 | name: Readme Workflow 2 | on: 3 | push: 4 | branches: 5 | - master 6 | paths-ignore: 7 | - 'README.md' 8 | - 'docs/**' 9 | workflow_dispatch: 10 | jobs: 11 | README: 12 | uses: clouddrove/github-shared-workflows/.github/workflows/readme.yml@master 13 | secrets: 14 | TOKEN : ${{ secrets.GITHUB }} 15 | SLACK_WEBHOOK_TERRAFORM: ${{ secrets.SLACK_WEBHOOK_TERRAFORM }} -------------------------------------------------------------------------------- /.github/workflows/tf-checks.yml: -------------------------------------------------------------------------------- 1 | name: tf-checks 2 | on: 3 | push: 4 | branches: [ master ] 5 | pull_request: 6 | workflow_dispatch: 7 | jobs: 8 | alarm: 9 | uses: 
clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 10 | with: 11 | working_directory: './examples/alarm/complete/' 12 | analyzer-complete: 13 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 14 | with: 15 | working_directory: './examples/analyzer/complete/' 16 | analyzer-organisation_account: 17 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 18 | with: 19 | working_directory: './examples/analyzer/organisation_account/' 20 | cloudtrail-complete: 21 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 22 | with: 23 | working_directory: './examples/cloudtrail/complete/' 24 | cloudtrail-organisation_account: 25 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 26 | with: 27 | working_directory: './examples/cloudtrail/organisation_account/' 28 | config: 29 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 30 | with: 31 | working_directory: './examples/config/complete/' 32 | ebs: 33 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 34 | with: 35 | working_directory: './examples/ebs/complete/' 36 | guardduty-complete: 37 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 38 | with: 39 | working_directory: './examples/guardduty/complete/' 40 | guardduty-organisation_account: 41 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 42 | with: 43 | working_directory: './examples/guardduty/organisation_account/' 44 | iam: 45 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 46 | with: 47 | working_directory: './examples/iam/complete/' 48 | inspector: 49 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 50 | with: 51 | working_directory: './examples/inspector/complete/' 52 | security-hub-complete: 53 | uses: 
clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master # NOTE(review): every job in this directory pulls a reusable workflow by the mutable @master ref, so the checks that gate merges (automerge.yml keys on the 'alarm / Check code format' job) can change without any commit here; pin to a release tag or a full commit SHA 54 | with: 55 | working_directory: './examples/security-hub/complete/' 56 | security-hub-managed_security_hub: 57 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 58 | with: 59 | working_directory: './examples/security-hub/managed_security_hub/' 60 | security-hub-organisation_account: 61 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 62 | with: 63 | working_directory: './examples/security-hub/organisation_account/' 64 | shield: 65 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-checks.yml@master 66 | with: 67 | working_directory: './examples/shield/complete/' 68 | -------------------------------------------------------------------------------- /.github/workflows/tflint.yml: -------------------------------------------------------------------------------- 1 | name: tf-lint 2 | on: 3 | push: 4 | branches: [ master ] 5 | pull_request: 6 | workflow_dispatch: 7 | jobs: 8 | tf-lint: 9 | uses: clouddrove/github-shared-workflows/.github/workflows/tf-lint.yml@master 10 | secrets: 11 | GITHUB: ${{ secrets.GITHUB }} 12 | -------------------------------------------------------------------------------- /.github/workflows/tfsec.yml: -------------------------------------------------------------------------------- 1 | name: tfsec 2 | permissions: write-all # NOTE(review): write-all hands the job token every scope on a pull_request-triggered run; grant only the scopes the called tfsec workflow needs (changelog.yml uses write-all as well) 3 | on: 4 | pull_request: 5 | workflow_dispatch: 6 | jobs: 7 | tfsec: 8 | uses: clouddrove/github-shared-workflows/.github/workflows/tfsec.yml@master 9 | secrets: inherit # NOTE(review): inherit forwards every repository and organisation secret to the shared workflow, which is a further reason to pin its ref rather than track @master 10 | with: 11 | working_directory: '.' 
12 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ignored files 2 | *.tfstate 3 | *.tfstate.backup 4 | *.terraform* 5 | .idea 6 | *.iml 7 | *.terraform.tfstate.lock.info* 8 | *.zip 9 | # NOTE(review): .terraform.lock.hcl is kept out of version control (line 4's *.terraform* already matches it and line 10 repeats it); that file holds the provider version and checksum pins, so ignoring it weakens the module's supply-chain guarantees — consider committing it 10 | *.terraform.lock.hcl* -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | 3 | - repo: https://github.com/gruntwork-io/pre-commit 4 | rev: v0.1.12 # Get the latest from: https://github.com/gruntwork-io/pre-commit/releases 5 | hooks: 6 | - id: terraform-fmt 7 | - id: shellcheck 8 | - id: tflint 9 | 10 | - repo: git://github.com/pre-commit/pre-commit-hooks # NOTE(review): git:// is an unauthenticated, unencrypted transport that GitHub no longer serves, so this hook source can be neither fetched nor verified; use https://github.com/pre-commit/pre-commit-hooks 11 | rev: v4.0.1 # Use the ref you want to point at 12 | hooks: 13 | - id: end-of-file-fixer 14 | - id: trailing-whitespace 15 | - id: mixed-line-ending 16 | - id: check-byte-order-marker 17 | - id: check-executables-have-shebangs 18 | - id: check-merge-conflict 19 | - id: debug-statements 20 | - id: check-yaml 21 | - id: check-added-large-files 22 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | All notable changes to this project will be documented in this file. 3 | 4 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 5 | and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
6 | 7 | ## [1.3.0] - 2023-02-20 8 | 9 | ## [1.0.1] - 2022-05-19 10 | ### :bug: Bug Fixes 11 | - [`8ed5297`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/8ed52975e3bc5c7b2e266c7a222294965743e66f) - use terraform letast version 12 | - [`7cd4a77`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/7cd4a77d9c30049dc17f0aaf03e2d7a43c0b7a70) - update workflows 13 | 14 | ## [0.15.3] - 2022-03-11 15 | ### :bug: Bug Fixes 16 | - [`365201c`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/365201c280986bd3240070a5f1aeacf27ef2b7d1) - update version 17 | - [`b7df797`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/b7df79768c64ea3c1e72e04b555c33ade3693c48) - update github-action 18 | 19 | ## [0.12.5.5] - 2022-01-26 20 | 21 | ## [0.12.5.4] - 2021-11-10 22 | 23 | ## [0.15.2] - 2022-09-08 24 | 25 | ## [0.12.5.3] - 2021-09-06 26 | 27 | ## [0.12.5.2] - 2021-08-24 28 | 29 | ## [0.15.1] - 2021-07-19 30 | ### :bug: Bug Fixes 31 | - [`ff99f75`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/ff99f75c7436412dc5b86fb05c3b0cdf55400248) - fix s3 issue 32 | 33 | ### :sparkles: New Features 34 | - [`ddf5bda`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/ddf5bdae3657f2e6c32ba5a2e410fa51ca0a337a) - added bool for slack alerts 35 | - [`e396d71`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/e396d71751cbf57ea12297e4bd3a78306a3775ab) - fix the issue and added iam baseline 36 | 37 | ## [0.12.5.1] - 2021-09-03 38 | ### :bug: Bug Fixes 39 | - [`4e382e9`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/4e382e90b7160fac53811eddb7564c322f021ea8) - fix the issue and added iam baseline 40 | 41 | ## [0.12.6] - 2021-03-22 42 | ### :bug: Bug Fixes 43 | - [`0b771c6`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/0b771c63c913d2c8e511c1132312545a72d1046b) - updated example 44 | - 
[`63fcb4d`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/63fcb4db0180de51494564b6c7a8e567be9a4343) - pushed new improvement with added module support 45 | - [`2b12693`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/2b1269310af36d661921d65b0c89e669fc79fe7b) - improvmnets 46 | - [`95b3bf2`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/95b3bf22ee49c23b8d99ad5c5ecb506f372fc406) - upgrade module in 0.15 47 | 48 | ## [0.12.5] - 2020-08-14 49 | ### :bug: Bug Fixes 50 | - [`904c627`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/904c627a40acb82449417685665fea57254dc8f1) - add variables 51 | 52 | ## [0.12.4] - 2020-05-30 53 | ### :bug: Bug Fixes 54 | - [`9b6e50d`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/9b6e50d8bc8e34f250805f286a378bfcd6115904) - update s3 module version 55 | - [`2f43ef4`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/2f43ef4d9aea0abb71474894ce581714fa37ad74) - update 56 | 57 | ## [0.12.3] - 2020-05-15 58 | ### :bug: Bug Fixes 59 | - [`d5e0bcb`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/d5e0bcb8fd81786374bb1968e5dd2dadc201d84d) - fix submodule URL 60 | - [`785f142`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/785f14271bd5932b952e95fe905e10551657425d) - Added inspector and analyzer module 61 | 62 | ## [0.12.2] - 2020-04-25 63 | ### :bug: Bug Fixes 64 | - [`3ab6283`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/3ab6283411070e1f1e86ed8a9160110f4a3c1bb7) - update 65 | 66 | ## [0.12.1] - 2020-04-24 67 | ### :bug: Bug Fixes 68 | - [`b8a7998`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/b8a7998eafeecd0de66854968abcdc648f37b3ef) - update 69 | 70 | ## [0.12.0] - 2019-11-27 71 | ### :bug: Bug Fixes 72 | - [`6dcf156`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/6dcf15614d1b93d49d0a2743da429f4b9c519f33) - guardduty_enable 
73 | - [`931b173`](https://github.com/clouddrove/terraform-aws-secure-baseline/commit/931b173d1d351941dfec1fd3f9697cda44a95b90) - change internal module versions 74 | 75 | 76 | [0.12.0]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.0...master 77 | [0.12.1]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.1...master 78 | [0.12.2]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.2...master 79 | [0.12.3]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.3...master 80 | [0.12.4]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.4...master 81 | [0.12.5]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.5...master 82 | [0.12.6]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.6...master 83 | [0.12.5.1]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.12.5.1...master 84 | [0.15.1]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.15.1 85 | [0.12.5.2]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.12.5.2 86 | [0.12.5.3]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.12.5.3 87 | [0.15.2]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.15.2 88 | [0.12.5.4]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.12.5.4 89 | [0.12.5.5]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/0.12.5.5 90 | [0.15.3]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/0.15.3...master 91 | [1.0.1]: https://github.com/clouddrove/terraform-aws-secure-baseline/compare/1.0.1...master 92 | [1.3.0]: https://github.com/clouddrove/terraform-aws-secure-baseline/releases/tag/1.3.0 93 | 94 | -------------------------------------------------------------------------------- /Makefile: 
-------------------------------------------------------------------------------- 1 | export GENIE_PATH ?= $(shell 'pwd')/../../../genie 2 | include $(GENIE_PATH)/Makefile 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | [][website] 3 |
8 | With our comprehensive DevOps toolkit - streamline operations, automate workflows, enhance collaboration and, most importantly, deploy with confidence. 9 |
We are The Cloud Experts!
61 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
63 | 64 | [website]: https://clouddrove.com 65 | [github]: https://github.com/clouddrove 66 | [linkedin]: https://cpco.io/linkedin 67 | [twitter]: https://twitter.com/clouddrove/ 68 | [email]: https://clouddrove.com/contact-us.html 69 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 70 | -------------------------------------------------------------------------------- /examples/alarm/complete/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | provider "aws" { 4 | region = "us-east-1" 5 | } 6 | 7 | #Module : ALARM 8 | #Description : Provides a CloudWatch Metric Alarm resource. 9 | module "alarm" { 10 | source = "../../../modules/alarm" 11 | name = "alarm" 12 | environment = "test" 13 | label_order = ["name", "environment"] 14 | 15 | enabled = true 16 | unauthorized_api_calls = true 17 | no_mfa_console_signin = true 18 | root_usage = true 19 | iam_changes = true 20 | cloudtrail_cfg_changes = true 21 | console_signin_failures = true 22 | disable_or_delete_cmk = true 23 | s3_bucket_policy_changes = true 24 | security_group_changes = true 25 | nacl_changes = true 26 | network_gw_changes = true 27 | route_table_changes = true 28 | vpc_changes = true 29 | alarm_namespace = "Alert_Alarm" 30 | aws_config_changes_enabled = true 31 | 32 | variables = { 33 | SLACK_WEBHOOK = "" # Webhook for the slack notification 34 | SLACK_CHANNEL = "" # Channel of the Slack where the notification will receive 35 | } 36 | } -------------------------------------------------------------------------------- /examples/alarm/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | output "alarm_sns_id" { 5 | description = "The SNS topic to which CloudWatch Alarms will be sent." 
6 | value = module.alarm.alarm_sns_id 7 | } 8 | 9 | output "alarm_sns_arn" { 10 | description = "The SNS topic to which CloudWatch Alarms will be sent." 11 | value = module.alarm.alarm_sns_arn 12 | } -------------------------------------------------------------------------------- /examples/analyzer/complete/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # AWS Analyzer Terraform Module Example 4 | 5 | This Terraform module is designed to facilitate the creation of AWS Analyzer resources. It provides a generic way of creating analyzers, archive rules, and findings. 6 | 7 | ## Usage 8 | 9 | To run this example you need to execute: 10 | 11 | ``` 12 | $ terraform init 13 | $ terraform plan 14 | $ terraform apply 15 | ``` 16 | 17 | Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources. 18 | 19 | 20 | 21 | 22 | 23 | 24 | ## Feedback 25 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 26 | 27 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 28 | 29 | ## About us 30 | 31 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 32 | 33 |We are The Cloud Experts!
34 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
36 | 37 | [website]: https://clouddrove.com 38 | [github]: https://github.com/clouddrove 39 | [linkedin]: https://cpco.io/linkedin 40 | [twitter]: https://twitter.com/clouddrove/ 41 | [email]: https://clouddrove.com/contact-us.html 42 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 43 | -------------------------------------------------------------------------------- /examples/analyzer/complete/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | provider "aws" { 5 | region = "us-east-1" 6 | } 7 | 8 | #Module : Analyzer 9 | #Description : This module helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. 10 | module "analyzer" { 11 | source = "../../../modules/analyzer" 12 | 13 | name = "analyzer" 14 | environment = "test" 15 | label_order = ["name", "environment"] 16 | enabled = true 17 | 18 | ## IAM Access Analyzer 19 | type = "ACCOUNT" 20 | 21 | variables = { 22 | slack_webhook = "" # Webhook for the slack notification 23 | slack_channel = "" # Channel of the Slack where the notification will receive 24 | } 25 | } -------------------------------------------------------------------------------- /examples/analyzer/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | output "analyzer_name" { 5 | value = module.analyzer.analyzer_name 6 | description = "IAM Access Analyzer name of." 
7 | } -------------------------------------------------------------------------------- /examples/analyzer/organisation_account/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # AWS Analyzer Terraform Module for Organization Account Example 4 | 5 | This module creates an AWS Access Analyzer Analyzer for an organization account. AWS Access Analyzer is a service that helps you identify resource-based policies that allow access to your resources from outside your AWS account. 6 | 7 | 8 | ## Usage 9 | 10 | To run this example you need to execute: 11 | 12 | ``` 13 | $ terraform init 14 | $ terraform plan 15 | $ terraform apply 16 | ``` 17 | 18 | Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources. 19 | 20 | 21 | 22 | 23 | 24 | 25 | ## Feedback 26 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 27 | 28 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 29 | 30 | ## About us 31 | 32 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
37 | 38 | [website]: https://clouddrove.com 39 | [github]: https://github.com/clouddrove 40 | [linkedin]: https://cpco.io/linkedin 41 | [twitter]: https://twitter.com/clouddrove/ 42 | [email]: https://clouddrove.com/contact-us.html 43 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 44 | -------------------------------------------------------------------------------- /examples/analyzer/organisation_account/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | provider "aws" { 5 | region = "us-east-1" 6 | } 7 | 8 | #Module : Analyzer 9 | #Description : This module helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. 10 | module "analyzer" { 11 | source = "../../../modules/analyzer" 12 | 13 | name = "analyzer" 14 | environment = "test" 15 | label_order = ["name", "environment"] 16 | enabled = true 17 | 18 | ## IAM Access Analyzer 19 | type = "ORGANIZATION" 20 | 21 | variables = { 22 | slack_webhook = "" # Webhook for the slack notification 23 | slack_channel = "" # Channel of the Slack where the notification will receive 24 | } 25 | } -------------------------------------------------------------------------------- /examples/analyzer/organisation_account/outputs.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | output "analyzer_name" { 5 | value = module.analyzer.analyzer_name 6 | description = "IAM Access Analyzer name of." 
7 | } -------------------------------------------------------------------------------- /examples/cloudtrail/complete/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # AWS CloudTrail Terraform Module Example 4 | 5 | This Terraform module is designed to facilitate the creation of AWS CloudTrail resources. It provides a generic way of creating CloudTrail trails and configuring them to send logs to CloudWatch. 6 | 7 | ## Usage 8 | 9 | To run this example you need to execute: 10 | 11 | ``` 12 | $ terraform init 13 | $ terraform plan 14 | $ terraform apply 15 | ``` 16 | 17 | Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources. 18 | 19 | 20 | 21 | 22 | 23 | 24 | ## Feedback 25 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 26 | 27 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 28 | 29 | ## About us 30 | 31 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 32 | 33 |We are The Cloud Experts!
34 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
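[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/cloudtrail/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

locals {
  name = "cloudtrail-testing"
}

#Module      : CLOUDTRAIL
#Description : Enables auditing, security monitoring, and operational troubleshooting by
#              tracking user activity and API usage. This example creates a multi-region,
#              KMS-encrypted trail with its own log bucket and Slack alerting.
module "cloudtrail" {
  source = "../../../modules/cloudtrail"

  name        = local.name
  environment = "security"
  label_order = ["name", "environment"]

  # CloudTrail S3 bucket configuration
  create_bucket     = true
  bucket_versioning = true
  logging           = true
  # force_destroy lets `terraform destroy` remove the bucket together with every
  # trail log it holds. Acceptable for this throw-away example; for a real audit
  # trail set it to false so the evidence cannot be wiped by a single destroy.
  force_destroy = true
  # Public access block: trail logs must never be reachable anonymously.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # CloudTrail configuration
  enabled_cloudtrail    = true
  enable_cloudwatch     = true
  bucket_policy         = true
  is_multi_region_trail = true
  kms_enabled           = true
  enable_logging        = true

  # The four lists below are regular expressions, presumably evaluated by the
  # module's Slack alerting Lambda (not visible in this example). They decide
  # which recorded events are *alerted on*; they do not change what CloudTrail
  # records. Patterns use the `^prefix.*` form so they behave the same whether
  # the Lambda uses match, search or fullmatch semantics — the earlier
  # `^prefix*` spelling only made the final character optional (a glob habit,
  # not a regex).
  #
  # NOTE(review): muting Assume*, Get* (GetSecretValue, GetSessionToken),
  # Decrypt and Lookup* removes high-signal events from alerting. Review that
  # trade-off before copying this list into a production baseline.
  event_ignore_list = jsonencode([
    "^Describe.*",
    "^Assume.*",
    "^List.*",
    "^Get.*",
    "^Decrypt.*",
    "^Lookup.*",
    "^BatchGet.*",
    "^CreateLogStream$",
    "^RenewRole$",
    "^REST.GET.OBJECT_LOCK_CONFIGURATION$",
    "TestEventPattern",
    "TestScheduleExpression",
    "CreateNetworkInterface",
    "ValidateTemplate"
  ])
  # Events that always raise an alert. Trail-tampering calls are included so
  # that switching off or re-pointing the trail is noticed.
  event_alert_list = jsonencode([
    "DetachRolePolicy",
    "ConsoleLogin",
    "StopLogging",
    "DeleteTrail",
    "UpdateTrail"
  ])
  # Principals whose activity is not alerted on (service-linked and automation
  # identities). `^[0-9]+$` replaces `^[0-9]*$`, which also matched an empty
  # user name.
  user_ignore_list = jsonencode([
    "^awslambda_.*",
    "^aws-batch$",
    "^bamboo.*",
    "^i-.*",
    "^[0-9]+$",
    "^ecs-service-scheduler$",
    "^AutoScaling$",
    "^AWSCloudFormation$",
    "^CloudTrailBot$",
    "^SLRManagement$"
  ])
  source_list = jsonencode([
    "aws-sdk-go"
  ])

  # Slack alerts. The webhook URL is a bearer credential: anyone holding it can
  # post to the channel. Never commit a real value here — pass it in through a
  # variable, SSM Parameter Store or Secrets Manager instead.
  slack_webhook = "" # Webhook for the Slack notification
  slack_channel = "" # Slack channel that will receive the notification
}
--------------------------------------------------------------------------------
/examples/cloudtrail/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "cloudtrail_arn" {
  # The module has no count/for_each, so the legacy `.*.` splat used before was
  # unnecessary and yields a list rather than the single ARN described here.
  value       = module.cloudtrail.cloudtrail_arn
  description = "The Amazon Resource Name of the trail."
}

output "cloudtrail_s3_id" {
  value       = try(module.cloudtrail.s3_id, "")
  description = "The Name of S3 bucket for logging of Cloudtrail."
}
--------------------------------------------------------------------------------
/examples/cloudtrail/organisation_account/README.md:
--------------------------------------------------------------------------------


# AWS CloudTrail Terraform Module for Organization Account Example

This module creates an AWS CloudTrail for an organization account. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.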
## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!
34 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
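[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/cloudtrail/organisation_account/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# Organization trail: AWS only lets the organization's management account (or a
# delegated CloudTrail administrator) create one, and it records events from
# every member account into this account's log bucket.
module "cloudtrail" {
  source = "../../../modules/cloudtrail"

  name        = "cloudtrail-testing"
  environment = "security"
  label_order = ["name", "environment"]

  enabled_cloudtrail    = true
  bucket_policy         = true
  is_multi_region_trail = true
  kms_enabled           = true
  bucket_versioning     = true
  logging               = true
  # Public access block on the log bucket, set explicitly instead of relying on
  # the module default (the `complete` example sets the same four flags).
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  is_organization_trail = true

  # The four lists below are regular expressions, presumably evaluated by the
  # module's Slack alerting Lambda (not visible here). They decide which recorded
  # events are *alerted on*, not what CloudTrail records. Patterns use the
  # `^prefix.*` form so they behave the same under match, search or fullmatch
  # semantics; the earlier `^prefix*` spelling only made the final character
  # optional.
  #
  # NOTE(review): muting Assume*, Get*, Decrypt and Lookup* removes high-signal
  # events from alerting — review before copying into a production baseline.
  event_ignore_list = jsonencode([
    "^Describe.*",
    "^Assume.*",
    "^List.*",
    "^Get.*",
    "^Decrypt.*",
    "^Lookup.*",
    "^BatchGet.*",
    "^CreateLogStream$",
    "^RenewRole$",
    "^REST.GET.OBJECT_LOCK_CONFIGURATION$",
    "TestEventPattern",
    "TestScheduleExpression",
    "CreateNetworkInterface",
    "ValidateTemplate"
  ])
  # Events that always raise an alert, including trail-tampering calls.
  event_alert_list = jsonencode([
    "DetachRolePolicy",
    "ConsoleLogin",
    "StopLogging",
    "DeleteTrail",
    "UpdateTrail"
  ])
  # Principals whose activity is not alerted on. `^[0-9]+$` replaces
  # `^[0-9]*$`, which also matched an empty user name.
  user_ignore_list = jsonencode([
    "^awslambda_.*",
    "^aws-batch$",
    "^bamboo.*",
    "^i-.*",
    "^[0-9]+$",
    "^ecs-service-scheduler$",
    "^AutoScaling$",
    "^AWSCloudFormation$",
    "^CloudTrailBot$",
    "^SLRManagement$"
  ])
  source_list = jsonencode([
    "aws-sdk-go"
  ])

  # Slack alerts. The webhook URL is a credential — never commit a real value;
  # supply it from a variable, SSM Parameter Store or Secrets Manager.
  slack_webhook = "" # Webhook for the Slack notification
  slack_channel = "" # Slack channel that will receive the notification
}
--------------------------------------------------------------------------------
/examples/cloudtrail/organisation_account/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "cloudtrail_arn" {
  # The module has no count/for_each, so the legacy `.*.` splat used before was
  # unnecessary and yields a list rather than the single ARN described here.
  value       = module.cloudtrail.cloudtrail_arn
  description = "The Amazon Resource Name of the trail."
}

output "cloudtrail_s3_id" {
  value       = try(module.cloudtrail.s3_id, "")
  description = "The Name of S3 bucket for logging of Cloudtrail."
}
--------------------------------------------------------------------------------
/examples/config/complete/README.md:
--------------------------------------------------------------------------------



# AWS Config Terraform Module Example

This example enables AWS Config in an AWS account. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!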
29 | 30 | ## About us 31 | 32 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
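[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/config/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# AWS Config recorder, delivery bucket and a set of managed rules. Each
# rule flag below enables one managed Config rule.
module "config" {
  source = "../../../modules/config"

  name        = "config"
  environment = "security"
  label_order = ["name", "environment"]
  # S3 bucket names are global: this placeholder will collide with any existing
  # bucket of the same name, so use a unique, account-qualified name.
  config_s3_bucket_name = "config-bucketssss"
  enabled               = true

  # S3 configuration for the delivery bucket (never publicly reachable).
  versioning              = true
  logging                 = true
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Managed rules. The flags left at false in this example
  # (eip_attached, vpc_default_security_group_closed, s3_bucket_ssl_requests_only,
  # cloudwatch_log_group_encrypted, iam_password_policy) are part of the
  # CIS / AWS Foundational baselines and should be enabled in a real account.
  restricted_ports                   = true
  restricted_ports_list              = "{\"blockedPort1\": \"22\", \"blockedPort2\": \"3306\",\"blockedPort3\": \"6379\", \"blockedPort4\": \"5432\"}"
  iam_mfa                            = true
  unused_credentials                 = true
  user_no_policies                   = true
  no_policies_with_full_admin_access = true
  acm_certificate_expiration_check   = true
  ec2_volume_inuse_check             = true
  ebs_snapshot_public_restorable     = true
  rds_instance_public_access_check   = true
  rds_snapshots_public_prohibited    = true
  guardduty_enabled_centralized      = true
  s3_bucket_public_write_prohibited  = true
  eip_attached                       = false
  ec2_encrypted_volumes              = true
  iam_root_access_key                = true
  vpc_default_security_group_closed  = false
  s3_bucket_ssl_requests_only        = false
  multi_region_cloudtrail_enabled    = true
  instances_in_vpc                   = true
  cloudwatch_log_group_encrypted     = false
  rds_storage_encrypted              = true

  # NOTE(review): the password_* values presumably only take effect when
  # iam_password_policy is true, so they are inert as written — confirm in
  # modules/config.
  iam_password_policy        = false
  password_require_uppercase = true
  password_require_lowercase = true
  password_require_symbols   = true
  password_require_numbers   = true
  password_max_age           = 90
  slack_enabled              = false

  # Environment variables for the Slack notifier Lambda. The webhook URL is a
  # credential — supply it from a variable, SSM Parameter Store or Secrets
  # Manager; never commit a real value.
  variables = {
    SLACK_WEBHOOK = "" # Webhook for the Slack notification
    SLACK_CHANNEL = "" # Slack channel that will receive the notification
  }
}
--------------------------------------------------------------------------------
/examples/config/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "configuration_recorder_id" {
  value       = module.config.configuration_recorder_id
  description = "The ID of configuration recorder."
}

output "configuration_recorder_arn" {
  value       = module.config.configuration_recorder_arn
  description = "The ARN of configuration recorder."
}

output "config_sns_id" {
  value       = module.config.config_sns_id
  description = "The SNS topic to which CloudWatch Alarms will be sent."
}
--------------------------------------------------------------------------------
/examples/ebs/complete/README.md:
--------------------------------------------------------------------------------



# AWS EBS Default Encryption Terraform Module Example

This module enables default encryption for all new EBS volumes in an AWS account. When default encryption is enabled, all new EBS volumes are encrypted by default using the specified KMS key.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money.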
Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
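[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/ebs/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# EBS encryption-by-default is a per-account, per-region setting: this example
# only changes us-east-1, so repeat it per region you use. No KMS key is passed,
# so unless the module sets one new volumes use the AWS-managed aws/ebs key;
# pass a customer managed key if you need key-policy control or cross-account
# snapshot sharing. Existing unencrypted volumes are not touched.
module "ebs" {
  source = "../../../modules/ebs"

  enabled                       = true
  enable_default_ebs_encryption = true
}
--------------------------------------------------------------------------------
/examples/guardduty/complete/README.md:
--------------------------------------------------------------------------------



# AWS GuardDuty Terraform Module Example

This module enables AWS GuardDuty in an AWS account. AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).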
If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
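[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/guardduty/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# Standalone (single-account) GuardDuty detector with a findings bucket.
module "guardduty" {
  source = "../../../modules/guardduty"

  name        = "test-guardduty"
  label_order = ["name"]
  enabled     = true
  # Trusted IP list: GuardDuty does not raise findings for traffic involving the
  # addresses on it, so list only ranges you control and deliberately want muted.
  # 10.10.0.0/16 is a placeholder.
  ipset_iplist = ["10.10.0.0/16"]

  # How often updated findings are published to EventBridge
  # (FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS).
  finding_publishing_frequency = "ONE_HOUR"

  # S3 findings bucket: block all public access.
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true

  # Single account — do not auto-enrol organization members.
  organization_auto_enable = false

  # Slack Alerts
  slack_enabled = false # Pass true to enable lambda
}
--------------------------------------------------------------------------------
/examples/guardduty/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "detector_id" {
  value       = module.guardduty.detector_id
  description = "The ID of the GuardDuty detector"
}

output "account_id" {
  value       = module.guardduty.account_id
  description = "The AWS account ID of the GuardDuty detector"
}

output "s3_bucket_id" {
  value       = module.guardduty.bucket_id
  description = "The bucket id of S3 for guardduty logs."
}
--------------------------------------------------------------------------------
/examples/guardduty/organisation_account/README.md:
--------------------------------------------------------------------------------



# AWS GuardDuty Terraform Module for Organization Account Example

This module enables AWS GuardDuty for an organization account. AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!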
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
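[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/guardduty/organisation_account/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# GuardDuty delegated-administrator account: enables the detector here, registers
# this account as the organization's GuardDuty administrator and enrols members.
# Run from the organization management account or the delegated administrator.
module "guardduty" {
  source = "../../../modules/guardduty"

  name        = "test-guardduty"
  label_order = ["name"]
  enabled     = true
  # Trusted IP list: no findings are raised for traffic involving these
  # addresses, so list only ranges you control. 10.10.0.0/16 is a placeholder.
  ipset_iplist = ["10.10.0.0/16"]

  # How often updated findings are published to EventBridge
  # (FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS).
  finding_publishing_frequency = "ONE_HOUR"

  # This account is the administrator, not a member; new organization accounts
  # are enrolled automatically.
  is_guardduty_member      = false
  organization_auto_enable = true
  guardduty_admin_id       = "112233445566" # Placeholder: delegated account id that will be the centralised GuardDuty administrator for all accounts

  # Protection plans. s3_logs = false leaves S3 Protection off, i.e. no findings
  # for anomalous S3 data access — enable it unless cost is the constraint.
  datasources = {
    s3_logs                = false,
    kubernetes_audit_logs  = true,
    malware_protection_ebs = true
  }

  # Organization member accounts (placeholders — replace before applying).
  member_list = [
    {
      account_id = "333333333333", # Member account id of the organization member account
      invite     = true,
      email      = "email@example.com"
    },
    # {
    #   account_id = "222222222222" # Member account id of the organization member account
    #   invite     = true,
    #   email      = "email@example.com"
    # }
  ]

  # Slack Alerts
  slack_enabled = false # Pass true to enable lambda
}
--------------------------------------------------------------------------------
/examples/guardduty/organisation_account/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "detector_id" {
  value       = module.guardduty.detector_id
  description = "The ID of the GuardDuty detector"
}

output "account_id" {
  value       = module.guardduty.account_id
  description = "The AWS account ID of the GuardDuty detector"
}

output "s3_bucket_id" {
  value       = module.guardduty.bucket_id
  description = "The bucket id of S3 for guardduty logs."
}
--------------------------------------------------------------------------------
/examples/iam/complete/README.md:
--------------------------------------------------------------------------------



# AWS IAM Terraform Module Example

This module manages AWS Identity and Access Management (IAM) resources. AWS IAM enables you to manage access to AWS services and resources securely. With IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud.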
Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
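[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/iam/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

# Identity running this apply; used below as the support-role principal.
data "aws_caller_identity" "current" {}

provider "aws" {
  region = "us-east-1"
}

# Separated IAM administration roles (master / manager / support).
module "iam-baseline" {
  source = "../../../modules/iam"

  name        = "iam-baseline"
  environment = "test"
  label_order = ["name", "environment"]
  enabled     = true

  master_iam_role_name         = "IAM-Master"
  master_iam_role_policy_name  = "IAM-master-Policy"
  manager_iam_role_name        = "IAM-manager"
  manager_iam_role_policy_name = "IAM-Manager-Policy"
  # Was "IAM-Policy", a copy-paste slip next to the other role names.
  support_iam_role_name = "IAM-Support"
  # Principal allowed to assume the support role. This resolves to whatever
  # identity runs terraform; when that is an assumed role (CI, SSO) the value is
  # an sts assumed-role *session* ARN, so the trust relationship is tied to that
  # session. Pin an explicit IAM role or user ARN for anything beyond a demo.
  support_iam_role_principal_arn = data.aws_caller_identity.current.arn
}
--------------------------------------------------------------------------------
/examples/iam/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "master_iam_role" {
  description = "The IAM role used for the master user."
  value       = module.iam-baseline.master_iam_role
}

output "manager_iam_role" {
  description = "The IAM role used for the manager user."
  value       = module.iam-baseline.manager_iam_role
}

output "support_iam_role" {
  description = "The IAM role used for the support user."
  value       = module.iam-baseline.support_iam_role
}

--------------------------------------------------------------------------------
/examples/inspector/complete/README.md:
--------------------------------------------------------------------------------



# AWS Inspector Terraform Module Example

This module enables AWS Inspector in an AWS account. AWS Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. This module enables Inspector in one region of one account and optionally enables various rules packages provided by AWS.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!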
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
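[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/inspector/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# Inspector assessment target + template for instances tagged Inspector=true,
# plus a Lambda that starts an assessment run on a schedule.
# NOTE(review): assessment targets/templates are Inspector Classic constructs,
# which AWS has been retiring in favour of Inspector v2 — confirm the target
# region still accepts new assessment templates before relying on this.
module "inspector" {
  source = "../../../modules/inspector"

  ## Tags
  name        = "inspector"
  environment = "security"
  label_order = ["name", "environment"]
  enabled     = true

  # Only instances carrying this tag are assessed.
  instance_tags = {
    "Inspector" = true
  }

  # Assessment run length in seconds. The schedule below starts a run every
  # 10 minutes, so with a 300 s duration runs are near back-to-back: fine for a
  # demo, expensive and noisy in a real account (daily or weekly is typical).
  duration            = 300
  lambda_enabled      = true
  schedule_expression = "cron(0/10 * ? * * *)"
  handler             = "index.handler"
  # Lambda resource policy letting EventBridge invoke the function.
  # NOTE(review): if modules/inspector does not also set a source_arn condition,
  # other accounts could potentially configure EventBridge rules that invoke this
  # function (confused deputy) — verify before using outside a sandbox.
  statement_ids = ["AllowExecutionFromEvents"]
  actions       = ["lambda:InvokeFunction"]
  principals    = ["events.amazonaws.com"]

  # Execution-role permissions: start runs and write the function's own logs only.
  iam_actions = [
    "inspector:StartAssessmentRun",
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ]
}
--------------------------------------------------------------------------------
/examples/inspector/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

output "resource_group" {
  value       = module.inspector.resource_group
  description = "The resource group ARN."
}

output "assessment_target" {
  value       = module.inspector.assessment_target
  description = "The target assessment ARN."
}

output "assessment_template" {
  value       = module.inspector.assessment_template
  description = "The template assessment ARN."
}

output "lambda_arn" {
  value       = module.inspector.lambda_arn
  description = "The Amazon Resource Name (ARN) identifying your Lambda Function."
}
--------------------------------------------------------------------------------
/examples/security-hub/complete/README.md:
--------------------------------------------------------------------------------



# AWS Security Hub Terraform Module Complete Example

This module enables AWS Security Hub in an AWS account. AWS Security Hub is a security service that provides a comprehensive view of your security alerts and compliance status across your AWS accounts. This module enables Security Hub in one region of one account and optionally sets up an SNS topic to receive notifications of its findings.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud.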
Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
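[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
--------------------------------------------------------------------------------
/examples/security-hub/complete/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

provider "aws" {
  region = "us-east-1"
}

# Security Hub in a single account/region with two standards and two product
# integrations subscribed.
module "security-hub" {
  source = "../../../modules/security_hub"

  security_hub_enabled = true

  # Standards to subscribe to. Standard ARNs are region-scoped, so these must
  # exist in the provider region. CIS 1.2.0 is the oldest CIS revision Security
  # Hub offers; newer revisions (e.g. v/1.4.0) add controls and are the better
  # choice for a new deployment.
  enabled_standards = [
    "standards/aws-foundational-security-best-practices/v/1.0.0",
    "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  ]

  # Product integrations whose findings are imported. They only deliver
  # findings if GuardDuty / Inspector are themselves enabled in this account
  # and region (see the sibling examples).
  enabled_products = [
    "product/aws/guardduty",
    "product/aws/inspector"
  ]
}
--------------------------------------------------------------------------------
/examples/security-hub/complete/outputs.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

#Module      : Security-hub
#Description : Terraform module Security Hub outputs.
output "id" {
  value       = module.security-hub.id
  description = "The ID of the Security Hub."
}

output "arn" {
  value       = module.security-hub.arn
  description = "The ARN of the Security Hub."
}
--------------------------------------------------------------------------------
/examples/security-hub/managed_security_hub/README.md:
--------------------------------------------------------------------------------



# AWS Nested Security Hub Terraform Module Example

This module enables AWS Security Hub in an AWS account as a nested module. AWS Security Hub is a security service that provides a comprehensive view of your security alerts and compliance status across your AWS accounts. This module enables Security Hub in one region of one account and optionally sets up an SNS topic to receive notifications of its findings.

## Usage

To run this example you need to execute:

```
$ terraform init
$ terraform plan
$ terraform apply
```

Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources.






## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!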
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
37 | 38 | [website]: https://clouddrove.com 39 | [github]: https://github.com/clouddrove 40 | [linkedin]: https://cpco.io/linkedin 41 | [twitter]: https://twitter.com/clouddrove/ 42 | [email]: https://clouddrove.com/contact-us.html 43 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 44 | -------------------------------------------------------------------------------- /examples/security-hub/managed_security_hub/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | provider "aws" { 5 | region = "us-east-1" 6 | } 7 | 8 | module "security-hub" { 9 | source = "../../../modules/security_hub" 10 | 11 | security_hub_enabled = false 12 | master_account_id = "112233445566" # Master ID of the account id of the Account where the security hub is available. 13 | 14 | # Id of the security hub in master account. 15 | security_hub_id = "123456789012" 16 | # Optional: ARN of the security hub in master account. 17 | security_hub_arn = "arn:aws:securityhub:us-east-1:112233445566:hub/default" 18 | # Note: 19 | # To find the ARN for security hub you can run AWS command to get the details. e.g. aws securityhub describe-hub --query 'HubArn' 20 | 21 | } -------------------------------------------------------------------------------- /examples/security-hub/managed_security_hub/outputs.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | #Module : Security-hub 5 | #Description : Terraform module to securitry hub outputs. 6 | output "id" { 7 | value = module.security-hub.id 8 | description = "The ID of the secuirty hub." 9 | } 10 | 11 | output "arn" { 12 | value = module.security-hub.arn 13 | description = "The ID of the secuirty hub." 
14 | } -------------------------------------------------------------------------------- /examples/security-hub/organisation_account/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # AWS Security Hub Terraform Module for Organization Accounts Example 5 | 6 | This module enables AWS Security Hub for an organization account. This module enables Security Hub for all AWS accounts that are current members of the target organization in AWS Organizations, turns on the Auto-Enable feature in Security Hub, which automatically enables Security Hub for any accounts that are added to the target organization in the future, and allows you to select the Regions where you want to enable Security Hub. 7 | 8 | ## Usage 9 | 10 | To run this example you need to execute: 11 | 12 | ``` 13 | $ terraform init 14 | $ terraform plan 15 | $ terraform apply 16 | ``` 17 | 18 | Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources. 19 | 20 | 21 | 22 | 23 | 24 | 25 | ## Feedback 26 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 27 | 28 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 29 | 30 | ## About us 31 | 32 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
37 | 38 | [website]: https://clouddrove.com 39 | [github]: https://github.com/clouddrove 40 | [linkedin]: https://cpco.io/linkedin 41 | [twitter]: https://twitter.com/clouddrove/ 42 | [email]: https://clouddrove.com/contact-us.html 43 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 44 | -------------------------------------------------------------------------------- /examples/security-hub/organisation_account/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | provider "aws" { 5 | region = "us-east-1" 6 | } 7 | 8 | module "security-hub" { 9 | source = "../../../modules/security_hub" 10 | 11 | security_hub_enabled = true 12 | 13 | #standards 14 | enabled_standards = [ 15 | "standards/aws-foundational-security-best-practices/v/1.0.0", 16 | "ruleset/cis-aws-foundations-benchmark/v/1.2.0" 17 | ] 18 | 19 | #products 20 | enabled_products = [ 21 | "product/aws/guardduty", 22 | "product/aws/inspector" 23 | ] 24 | 25 | # member account details 26 | member_details = [ 27 | { 28 | account_id = "111222333444" # Account id of the organisation member 29 | email_id = "test@example.com" # The email of the member AWS Account 30 | invite = true # Whether to invite the account to Security Hub as a member 31 | }, 32 | { 33 | account_id = "555666777888" 34 | email_id = "test@example.com" 35 | invite = true 36 | } 37 | ] 38 | } -------------------------------------------------------------------------------- /examples/security-hub/organisation_account/outputs.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | #Module : Security-hub 5 | #Description : Terraform module to securitry hub outputs. 6 | output "id" { 7 | value = module.security-hub.id 8 | description = "The ID of the secuirty hub." 
9 | } 10 | 11 | output "arn" { 12 | value = module.security-hub.arn 13 | description = "The ID of the secuirty hub." 14 | } -------------------------------------------------------------------------------- /examples/shield/complete/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # AWS Shield Terraform Module Complete Example 5 | 6 | This module enables AWS Shield in an AWS account. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. This module enables Shield for all resources in the specified region of the account. 7 | 8 | ## Usage 9 | 10 | To run this example you need to execute: 11 | 12 | ``` 13 | $ terraform init 14 | $ terraform plan 15 | $ terraform apply 16 | ``` 17 | 18 | Note that this example may create resources which cost money. Run terraform destroy when you don't need these resources. 19 | 20 | 21 | 22 | 23 | 24 | 25 | ## Feedback 26 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 27 | 28 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 29 | 30 | ## About us 31 | 32 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 33 | 34 |We are The Cloud Experts!
35 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
37 | 38 | [website]: https://clouddrove.com 39 | [github]: https://github.com/clouddrove 40 | [linkedin]: https://cpco.io/linkedin 41 | [twitter]: https://twitter.com/clouddrove/ 42 | [email]: https://clouddrove.com/contact-us.html 43 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 44 | -------------------------------------------------------------------------------- /examples/shield/complete/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = "us-east-1" 3 | } 4 | 5 | module "aws_shield" { 6 | source = "../../../modules/shield" 7 | 8 | name = "shield" 9 | environment = "security" 10 | label_order = ["name", "environment"] 11 | enabled = false 12 | 13 | ## AWS SHIELD 14 | resource_arn = [] # ARN of the Resource that needs to be protect with Shield. e.g. cloudfront, ALB, EIP, Route53 etc. 15 | 16 | } -------------------------------------------------------------------------------- /examples/shield/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | output "id" { 2 | value = module.aws_shield.*.id 3 | description = "The unique identifier (ID) for the Protection object that is created." 4 | } 5 | 6 | output "arn" { 7 | value = module.aws_shield.*.arn 8 | description = "The unique identifier (ID) for the Protection object that is created." 
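}

-------------------------------------------------------------------------------- /modules/alarm/_json/delivery_policy.json: --------------------------------------------------------------------------------
{
  "http": {
    "defaultHealthyRetryPolicy": {
      "minDelayTarget": 20,
      "maxDelayTarget": 20,
      "numRetries": 3,
      "numMaxDelayRetries": 0,
      "numNoDelayRetries": 0,
      "numMinDelayRetries": 0,
      "backoffFunction": "linear"
    },
    "disableSubscriptionOverrides": false,
    "defaultThrottlePolicy": {
      "maxReceivesPerSecond": 1
    }
  }
}
-------------------------------------------------------------------------------- /modules/alarm/data.tf: --------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}

#Data : KMS
#Description : Terraform Data block to read an AWS IAM policy document for kms.
#              Key policy for the alarm module's CMK. Administration and alias
#              creation are limited to the account that owns the key; decryption
#              is limited to callers of that same account.
data "aws_iam_policy_document" "kms" {
  version = "2012-10-17"

  # Full key administration is delegated to the owning account's root principal,
  # which in turn lets that account's IAM policies govern access. A wildcard
  # principal on "kms:*" would grant every AWS account use and administration of
  # the key, because a key policy is evaluated on its own for cross-account access.
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Decrypt/re-encrypt for any principal, but only when the calling account is
  # the one that owns the key (kms:CallerAccount condition).
  statement {
    sid    = "Allow principals in the account to decrypt log files"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = [
      "kms:Decrypt",
      "kms:ReEncryptFrom"
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  # Alias creation during setup, restricted to the owning account the same way
  # as the decrypt statement; without the condition any account could attach
  # aliases to this key.
  statement {
    sid    = "Allow alias creation during setup"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["kms:CreateAlias"]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
-------------------------------------------------------------------------------- /modules/alarm/outputs.tf: 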
-------------------------------------------------------------------------------- 1 | 2 | output "alarm_sns_id" { 3 | description = "The SNS topic to which CloudWatch Alarms will be sent." 4 | value = var.enabled ? module.sns.topic-id : null 5 | } 6 | 7 | output "alarm_sns_arn" { 8 | description = "The SNS topic to which CloudWatch Alarms will be sent." 9 | value = var.enabled ? module.sns.topic-arn : null 10 | } 11 | output "tags" { 12 | value = module.labels.tags 13 | description = "A mapping of tags to assign to the resource." 14 | } 15 | -------------------------------------------------------------------------------- /modules/alarm/slack/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | export WRKDIR=$(pwd) 3 | export LYR_PDS_DIR="slack" 4 | 5 | #Init Packages Directory 6 | mkdir -p packages/ 7 | 8 | # Building Python-pandas layer 9 | cd ${WRKDIR}/${LYR_PDS_DIR}/ 10 | ${WRKDIR}/${LYR_PDS_DIR}/build_layer.sh 11 | zip -r ${WRKDIR}/packages/Python3-slack.zip . 
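rm -rf ${WRKDIR}/${LYR_PDS_DIR}/python/

-------------------------------------------------------------------------------- /modules/alarm/slack/slack/build_layer.sh: --------------------------------------------------------------------------------
#!/bin/bash
export PKG_DIR="python"
# The container-cleanup flag is spelled --rm; "-rm" is not accepted by docker run.
rm -rf ${PKG_DIR} && mkdir -p ${PKG_DIR} && docker run --rm -v $(pwd):/foo lambci/lambda:build-python3.8
# NOTE(review): this pip invocation runs on the host, not inside the container
# started on the previous line — confirm that is intended, otherwise the layer is
# built against the host interpreter rather than the Lambda build image.
pip install -r requirements.txt --no-deps -t ${PKG_DIR}

-------------------------------------------------------------------------------- /modules/alarm/slack/slack/requirements.txt: --------------------------------------------------------------------------------
# NOTE(review): build_layer.sh installs with --no-deps, so every transitive
# dependency of requests must be pinned here by hand. requests 2.31.0 imports
# urllib3 and charset_normalizer, neither of which is listed, while "urllib5" is
# not a name requests depends on; typo-like names in a pin file are exactly what
# dependency-confusion attacks target. Confirm these pins against a resolved
# dependency tree before building the layer.
urllib5==5.0.0
certifi==2024.7.4
chardet==3.0.4
idna==3.7
requests==2.31.0

-------------------------------------------------------------------------------- /modules/alarm/slack/src/index.py: --------------------------------------------------------------------------------
import boto3
import os
import logging
import json
import requests
import collections
import datetime
import sys
import pprint

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Slack destination comes from the function environment. A missing variable
# raises KeyError at import time so the misconfiguration is visible on the very
# first invocation rather than on the first alarm.
SLACK_CHANNEL = os.environ['SLACK_CHANNEL']
SLACK_WEBHOOK = os.environ['SLACK_WEBHOOK']
ICON_EMOJI = ':cloudtrail:'
USERNAME = 'CloudTrail Bot'


def fatal(message, code=1):
    """Log ``message`` at ERROR level and abort the invocation with ``code``.

    post_to_slack() called this helper without it being defined anywhere in
    the module, so every error path previously ended in NameError instead of
    reporting the real failure.

    Args:
        message: text to log.
        code: process exit status passed to SystemExit.
    """
    logger.error(message)
    sys.exit(code)


def lambda_handler(event, context):
    """SNS-triggered entry point: forward the alarm message to Slack.

    Only ``Records[0]`` is read; SNS delivers one record per invocation.

    Args:
        event: Lambda event envelope with ``Records[0].Sns.Message`` holding a
            JSON-encoded alarm message.
        context: Lambda context (unused).
    """
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    payload = create_slack_payload({
        'Message': message
    })
    post_to_slack(payload)


def create_slack_payload(json_dict, color='#FF0000', reason='Alarm Event.'):
    """Build the Slack webhook body for an alarm notification.

    Args:
        json_dict: dict with a ``'Message'`` key holding the decoded SNS message.
        color: colour bar of the attachment.
        reason: attachment title and fallback text.

    Returns:
        dict ready to be serialised as the webhook JSON body.
    """
    logger.info('Creating slack payload from the following json: {}'.format(json_dict))
    payload = {
        "attachments": [
            {
                "fallback": reason,
                "color": color,
                "title": reason,
                "fields": [
                    {
                        "title": "Action",
                        "value": "Alarm Rules Notification",
                        "short": True
                    },
                    {
                        "title": "Message",
                        "value": '```\n{}\n```'.format(json.dumps(json_dict['Message'], indent=4)),
                        "short": False
                    }
                ],
                "footer": "CloudDrove",
                "footer_icon": "https://clouddrove.com/media/images/favicon.ico",
            }
        ],
        'channel': SLACK_CHANNEL,
        'username': USERNAME,
        'icon_emoji': ICON_EMOJI
    }

    return payload


def post_to_slack(payload):
    """POST ``payload`` to the configured Slack webhook.

    Aborts via fatal() on timeouts, other request errors, and any non-200
    response.

    Args:
        payload: dict produced by create_slack_payload().
    """
    logger.info('POST-ing payload: {}'.format(json.dumps(payload, indent=4)))

    try:
        # The body must be JSON. str(payload) produced a Python repr (single
        # quotes, True/False) that is not valid JSON for the webhook.
        req = requests.post(
            SLACK_WEBHOOK,
            data=json.dumps(payload),
            headers={'Content-Type': 'application/json'},
            timeout=3,
        )
    except requests.exceptions.Timeout as e:
        fatal("Server connection failed: {}".format(e))
    except requests.exceptions.RequestException as e:
        fatal("Request failed: {}".format(e))

    # The webhook URL is a bearer secret: anyone holding it can post to the
    # channel, so it must never be written to the log stream.
    logger.info("Message posted to {}".format(payload['channel']))

    if req.status_code != 200:
        fatal(
            "Non 200 status code: {}\nResponse Headers: {}\nResponse Text: {}".format(
                req.status_code,
                req.headers,
                json.dumps(req.text, indent=4)
            ),
            code=255
        )

-------------------------------------------------------------------------------- /modules/alarm/variables.tf: --------------------------------------------------------------------------------
#Module : LABEL
#Description : Terraform label module variables.
variable "name" {
  type        = string
  default     = ""
  description = "Name (e.g. `app` or `cluster`)."
}

variable "managedby" {
  type        = string
  default     = "hello@clouddrove.com"
  description = "ManagedBy, eg 'CloudDrove'"
}

variable "environment" {
  type        = string
  default     = ""
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
}

variable "label_order" {
  type        = list(any)
  default     = []
  description = "Label order, e.g. `name`,`application`."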
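}

variable "enabled" {
  type        = bool
  default     = true
  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
}

# Each flag below toggles one CloudWatch metric filter + alarm pair; the
# descriptions name the event the alarm watches for.
variable "unauthorized_api_calls" {
  type        = bool
  default     = true
  description = "If you want to create alarm for unauthorized api calls."
}

variable "no_mfa_console_signin" {
  type        = bool
  default     = true
  description = "If you want to create alarm when MFA not enabled on root user."
}

variable "root_usage" {
  type        = bool
  default     = true
  description = "If you want to create alarm when sign in with root user."
}

variable "iam_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in IAM."
}

variable "cloudtrail_cfg_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in cloudtrail cfg."
}

variable "console_signin_failures" {
  type        = bool
  default     = true
  description = "If you want to create alarm when console sign-in failures occur."
}

variable "security_group_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes on security groups."
}

variable "disable_or_delete_cmk" {
  type        = bool
  default     = true
  description = "If you want to create alarm when disable or delete in cmk."
}

variable "nacl_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in nacl."
}

variable "s3_bucket_policy_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in S3 policy."
}

variable "network_gw_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in network gateway."
}

variable "route_table_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in route tables."
}

variable "vpc_changes" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in vpc."
}

variable "aws_config_changes_enabled" {
  type        = bool
  default     = true
  description = "If you want to create alarm when any changes in aws config."
}

variable "alarm_namespace" {
  type        = string
  default     = ""
  description = "The namespace in which all alarms are set up."
}

# Untyped on purpose: callers pass an arbitrary map of environment variables
# through to the Lambda function.
variable "variables" {
  default     = {}
  description = "The environment variables for lambda function."
}

# The default here is 10, not 30; the description now matches the value so the
# generated README does not advertise a longer recovery window than exists.
variable "key_deletion_window_in_days" {
  type        = number
  default     = 10
  description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 10 days."
}

variable "log_retention_days" {
  description = "Number of days to keep AWS logs around in specific log group."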
136 | default = 90 137 | type = string 138 | } -------------------------------------------------------------------------------- /modules/alarm/versions.tf: -------------------------------------------------------------------------------- 1 | # Terraform version 2 | terraform { 3 | required_version = ">= 1.3.6" 4 | 5 | required_providers { 6 | aws = { 7 | source = "hashicorp/aws" 8 | version = ">= 5.10.0" 9 | } 10 | } 11 | } -------------------------------------------------------------------------------- /modules/analyzer/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | # AWS Analyzer Terraform Module 4 | 5 | This Terraform module is designed to facilitate the creation of AWS Analyzer resources. It provides a generic way of creating analyzers, archive rules, and findings. 6 | 7 | ## Usage 8 | ```hcl 9 | module "analyzer" { 10 | source = "clouddrove/secure-baseline/aws//modules/analyzer" 11 | version = "1.4.0" 12 | 13 | name = "analyzer" 14 | environment = "test" 15 | label_order = ["name", "environment"] 16 | enabled = true 17 | 18 | ## IAM Access Analyzer 19 | type = "ACCOUNT" 20 | 21 | variables = { 22 | slack_webhook = "" # Webhook for the slack notification 23 | slack_channel = "" # Channel of the Slack where the notification will receive 24 | } 25 | } 26 | ``` 27 | 28 | 29 | 30 | ## Requirements 31 | 32 | | Name | Version | 33 | |------|---------| 34 | | [terraform](#requirement\_terraform) | >= 1.3.6 | 35 | | [aws](#requirement\_aws) | >= 5.10.0 | 36 | 37 | ## Providers 38 | 39 | | Name | Version | 40 | |------|---------| 41 | | [aws](#provider\_aws) | >= 5.10.0 | 42 | | [null](#provider\_null) | n/a | 43 | 44 | ## Modules 45 | 46 | | Name | Source | Version | 47 | |------|--------|---------| 48 | | [labels](#module\_labels) | clouddrove/labels/aws | 1.3.0 | 49 | | [slack-lambda](#module\_slack-lambda) | clouddrove/lambda/aws | 1.3.0 | 50 | 51 | ## Resources 52 | 53 | | Name | Type | 54 | |------|------| 55 
| | [aws_accessanalyzer_analyzer.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer) | resource | 56 | | [aws_cloudwatch_event_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | 57 | | [aws_cloudwatch_event_target.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | 58 | | [null_resource.cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 59 | | [null_resource.default](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | 60 | 61 | ## Inputs 62 | 63 | | Name | Description | Type | Default | Required | 64 | |------|-------------|------|---------|:--------:| 65 | | [enabled](#input\_enabled) | Flag to control the module creation. | `bool` | `false` | no | 66 | | [environment](#input\_environment) | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | 67 | | [label\_order](#input\_label\_order) | Label order, e.g. `name`,`application`. | `list(any)` | `[]` | no | 68 | | [managedby](#input\_managedby) | ManagedBy, eg 'CloudDrove' | `string` | `"hello@clouddrove.com"` | no | 69 | | [name](#input\_name) | Name (e.g. `app` or `cluster`). | `string` | `""` | no | 70 | | [rule\_iam\_role\_arn](#input\_rule\_iam\_role\_arn) | The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no | 71 | | [target\_iam\_role\_arn](#input\_target\_iam\_role\_arn) | The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no | 72 | | [type](#input\_type) | Type of Analyzer. Valid value is currently only ACCOUNT. Defaults to ACCOUNT. | `string` | `""` | no | 73 | | [variables](#input\_variables) | The environment variables for lambda function. 
| `map` | `{}` | no | 74 | 75 | ## Outputs 76 | 77 | | Name | Description | 78 | |------|-------------| 79 | | [analyzer\_name](#output\_analyzer\_name) | Analyzer name. | 80 | | [tags](#output\_tags) | The tags of the iam access analyzer. | 81 | 82 | 83 | 84 | ## Feedback 85 | If you come accross a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 86 | 87 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 88 | 89 | ## About us 90 | 91 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 92 | 93 |We are The Cloud Experts!
94 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
96 | 97 | [website]: https://clouddrove.com 98 | [github]: https://github.com/clouddrove 99 | [linkedin]: https://cpco.io/linkedin 100 | [twitter]: https://twitter.com/clouddrove/ 101 | [email]: https://clouddrove.com/contact-us.html 102 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 103 | -------------------------------------------------------------------------------- /modules/analyzer/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | #Module : labels 5 | #Description : Terraform module to create consistent naming for multiple names. 6 | module "labels" { 7 | source = "clouddrove/labels/aws" 8 | version = "1.3.0" 9 | 10 | name = var.name 11 | environment = var.environment 12 | enabled = var.enabled 13 | managedby = var.managedby 14 | label_order = var.label_order 15 | } 16 | 17 | #Module : CLOUD WATCH EVENT RULE 18 | #Description : Event rule for cloud watch events. 19 | resource "aws_cloudwatch_event_rule" "default" { 20 | count = var.enabled ? 1 : 0 21 | name = format("%s-er", module.labels.id) 22 | description = "Event rule for AWS IAM Access Analyzer." 23 | role_arn = var.rule_iam_role_arn 24 | is_enabled = var.enabled 25 | tags = module.labels.tags 26 | 27 | event_pattern = <We are The Cloud Experts!
65 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
67 | 68 | [website]: https://clouddrove.com 69 | [github]: https://github.com/clouddrove 70 | [linkedin]: https://cpco.io/linkedin 71 | [twitter]: https://twitter.com/clouddrove/ 72 | [email]: https://clouddrove.com/contact-us.html 73 | [terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language= 74 | -------------------------------------------------------------------------------- /modules/ebs/main.tf: -------------------------------------------------------------------------------- 1 | ## Managed By : CloudDrove 2 | ## Copyright @ CloudDrove. All Right Reserved. 3 | 4 | 5 | resource "aws_ebs_encryption_by_default" "default" { 6 | count = var.enabled ? 1 : 0 7 | 8 | enabled = var.enable_default_ebs_encryption 9 | } 10 | -------------------------------------------------------------------------------- /modules/ebs/variable.tf: -------------------------------------------------------------------------------- 1 | variable "enabled" { 2 | type = bool 3 | default = false 4 | description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." 5 | } 6 | 7 | variable "enable_default_ebs_encryption" { 8 | type = bool 9 | default = true 10 | description = "The boolean flag whether default EBS Encryption is enabled or not." 
}
-------------------------------------------------------------------------------- /modules/ebs/versions.tf: --------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.3.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.10.0"
    }
  }
}
-------------------------------------------------------------------------------- /modules/guardduty/main.tf: --------------------------------------------------------------------------------
# Object keys of the two list files uploaded to S3, and the bucket they go to.
# bucket_name prefers var.bucket_name and falls back to the module-created bucket;
# NOTE(review): if var.bucket_name is unset AND var.create_bucket is false, both
# coalesce() arguments are empty and Terraform reports an error at plan time — confirm.
locals {
  ipset_key          = "ipset.txt"
  threatintelset_key = "threatintelset.txt"
  bucket_name        = coalesce(var.bucket_name, try(aws_s3_bucket.bucket[0].id, ""))
}

data "aws_caller_identity" "current" {}

module "labels" {
  source  = "clouddrove/labels/aws"
  version = "1.3.0"

  name        = var.name
  environment = var.environment
  label_order = var.label_order
  managedby   = var.managedby
}

# Bucket that stores the trusted-IP and threat-intel list objects.
# NOTE(review): the four tfsec suppressions below silence the public-ACL, public-policy
# and encryption findings for this bucket. Public access is handled separately by
# aws_s3_bucket_public_access_block.this (driven by the var.block_public_* inputs), but
# no server-side-encryption configuration is declared in the visible part of this file,
# so the bucket relies on the S3 default (SSE-S3) — confirm that is acceptable.
# NOTE(review): the fallback name "secure-baseline-guardduty" is a fixed, globally unique
# S3 bucket name; creation fails if any other account already owns it, so callers should
# normally pass var.bucket_name.
# force_destroy = true lets `terraform destroy` remove the bucket together with its objects.
#tfsec:ignore:aws-s3-block-public-acls
#tfsec:ignore:aws-s3-block-public-policy
#tfsec:ignore:aws-s3-enable-bucket-encryption
#tfsec:ignore:aws-s3-encryption-customer-key
resource "aws_s3_bucket" "bucket" {
  count         = var.enabled && var.create_bucket ? 1 : 0
  bucket        = coalesce(var.bucket_name, "secure-baseline-guardduty")
  force_destroy = true
}

# GuardDuty detector for this account/region. var.enabled controls whether the resource
# exists; var.guardduty_enable separately controls whether the detector is switched on.
resource "aws_guardduty_detector" "detector" {
  count                        = var.enabled ? 1 : 0
  enable                       = var.guardduty_enable
  finding_publishing_frequency = var.finding_publishing_frequency
  datasources {
    s3_logs {
      enable = var.enable_s3_protection
    }
    kubernetes {
      audit_logs {
        enable = var.enable_kubernetes_protection
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = var.enable_malware_protection
        }
      }
    }
  }
}

# Accepts a GuardDuty invitation in a member account.
# NOTE(review): master_account_id is set to the *calling* account's own ID, whereas an
# invite accepter needs the ID of the inviting (administrator) account; as written this
# appears to accept an invitation from itself. It is also gated on the same
# var.is_guardduty_member flag as aws_guardduty_member.member below, which invites members
# *from* this account — the two roles look mutually exclusive. Confirm the intended model.
resource "aws_guardduty_invite_accepter" "member_accepter" {
  count             = var.enabled && var.is_guardduty_member ? 1 : 0
  detector_id       = join("", aws_guardduty_detector.detector.*.id)
  master_account_id = data.aws_caller_identity.current.account_id
}

# Uploads the rendered trusted-IP list to the bucket.
# NOTE(review): aws_s3_bucket_object is deprecated in AWS provider >= 4.0 in favour of
# aws_s3_object (the pinned provider is >= 5.10.0).
# NOTE(review): acl = "private" may be rejected on buckets whose object ownership is
# BucketOwnerEnforced (ACLs disabled — the default for newly created buckets); nothing in
# this file sets ownership controls, so confirm against the target bucket.
resource "aws_s3_bucket_object" "ipset" {
  count   = var.enabled ? 1 : 0
  acl     = "private"
  content = templatefile("${path.module}/templates/ipset.txt.tpl",
  { ipset_iplist = var.ipset_iplist })
  bucket        = local.bucket_name
  key           = local.ipset_key
  force_destroy = true
  tags          = module.labels.tags
}

# Public-access block for the module-created bucket. All four settings are taken from
# inputs rather than forced to true, so a caller can still open the bucket up.
resource "aws_s3_bucket_public_access_block" "this" {
  count = var.enabled && var.create_bucket ? 1 : 0

  bucket = aws_s3_bucket.bucket[0].id

  block_public_acls       = var.block_public_acls
  block_public_policy     = var.block_public_policy
  ignore_public_acls      = var.ignore_public_acls
  restrict_public_buckets = var.restrict_public_buckets
}


# Registers the uploaded IP list with the detector as a trusted IP set (findings are not
# generated for these addresses). The location is built from the uploaded object's
# bucket and key.
resource "aws_guardduty_ipset" "ipset" {
  count       = var.enabled ? 1 : 0
  activate    = var.ipset_activate
  detector_id = join("", aws_guardduty_detector.detector.*.id)
  format      = var.ipset_format
  location    = "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.ipset.*.bucket)}/${join("", aws_s3_bucket_object.ipset.*.key)}"
  name        = format("%s-ipset", module.labels.id)
}

# Uploads the rendered threat-intel list; same deprecation and ACL caveats as the
# ipset object above.
resource "aws_s3_bucket_object" "threatintelset" {
  count   = var.enabled ? 1 : 0
  acl     = "private"
  content = templatefile("${path.module}/templates/threatintelset.txt.tpl",
  { threatintelset_iplist = var.threatintelset_iplist })
  bucket        = local.bucket_name
  key           = local.threatintelset_key
  force_destroy = true
  tags          = module.labels.tags
}

# ORGANISATION ACCOUNT ENABLED FOR GUARDDUTY

# Delegates GuardDuty administration for the organisation; defaults to the calling account
# when var.guardduty_admin_id is not given.
resource "aws_guardduty_organization_admin_account" "default" {
  count            = var.enabled && var.organization_auto_enable ? 1 : 0
  admin_account_id = coalesce(var.guardduty_admin_id, data.aws_caller_identity.current.account_id)

  depends_on = [
    aws_guardduty_detector.detector
  ]
}

# Organisation-wide auto-enable settings for new member accounts.
# NOTE(review): the kubernetes audit_logs sub-block uses `enable` while the sibling
# s3_logs / ebs_volumes sub-blocks use `auto_enable` — confirm against the provider schema.
resource "aws_guardduty_organization_configuration" "default" {
  count       = var.enabled && var.organization_auto_enable ? 1 : 0
  auto_enable = var.organization_auto_enable
  detector_id = aws_guardduty_detector.detector[0].id

  datasources {
    s3_logs {
      auto_enable = var.datasources.s3_logs
    }
    kubernetes {
      audit_logs {
        enable = var.datasources.kubernetes_audit_logs
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = var.datasources.malware_protection_ebs
        }
      }
    }
  }

  depends_on = [
    aws_guardduty_detector.detector
  ]
}

# Registers the uploaded threat-intel list with the detector.
resource "aws_guardduty_threatintelset" "threatintelset" {
  count       = var.enabled ? 1 : 0
  activate    = var.threatintelset_activate
  detector_id = join("", aws_guardduty_detector.detector.*.id)
  format      = var.threatintelset_format
  location    = "https://s3.amazonaws.com/${join("", aws_s3_bucket_object.threatintelset.*.bucket)}/${join("", aws_s3_bucket_object.threatintelset.*.key)}"
  name        = format("%s-threat", module.labels.id)
}

# Invites each entry of var.member_list (objects with account_id, email and invite keys)
# as a member of this account's detector.
resource "aws_guardduty_member" "member" {
  count                      = var.enabled && var.is_guardduty_member ? length(var.member_list) : 0
  account_id                 = var.member_list[count.index]["account_id"]
  detector_id                = join("", aws_guardduty_detector.detector.*.id)
  email                      = var.member_list[count.index]["email"]
  invite                     = var.member_list[count.index]["invite"]
  invitation_message         = "Please accept guardduty invitation"
  disable_email_notification = var.disable_email_notification
}

#Module : CLOUD WATCH EVENT RULE
#Description : Event rule for cloud watch events.
# NOTE(review): `is_enabled` is reported deprecated in favour of `state` in recent AWS
# provider 5.x releases — confirm for the pinned provider. It is also tied to var.enabled
# here rather than to a dedicated input.
# The event_pattern heredoc that follows is truncated in this copy of the file.
resource "aws_cloudwatch_event_rule" "default" {
  count       = var.enabled ? 1 : 0
  name        = format("%s-er", module.labels.id)
  description = "Event rule for AWS Guarddduty."
  role_arn    = var.rule_iam_role_arn
  is_enabled  = var.enabled
  tags        = module.labels.tags

  event_pattern = <We are The Cloud Experts!
111 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
-------------------------------------------------------------------------------- /modules/iam/data.tf: --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------------------------
# Manager & Master Role Separation
# --------------------------------------------------------------------------------------------------
data "aws_caller_identity" "current" {}

# Trust policy for the Master role: the current account's root principal, i.e. any
# principal in this account that its own IAM policies allow to call sts:AssumeRole.
data "aws_iam_policy_document" "master_assume_policy" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = ["sts:AssumeRole"]
  }
}

# Master role permissions: create/delete/read IAM users, groups, roles and policies, with
# an explicit Deny on binding them to principals (the Manager role's job). Every Allow is
# conditioned on aws:MultiFactorAuthPresent = "true".
# NOTE(review): iam:CreatePolicyVersion and iam:PutRolePolicy on resources "*" let this
# role change what any existing role or customer managed policy grants, including the
# Manager role defined alongside it — by design for a "master" role, so who may assume it
# should be tightly controlled.
data "aws_iam_policy_document" "master_policy" {
  statement {
    actions = [
      "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
      "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
      "iam:PutRolePolicy",
      "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
      "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
      "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
      "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
      "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
    ]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Explicit Deny so that no other policy attached to this role can re-grant the
  # Manager's binding actions.
  statement {
    effect = "Deny"
    actions = [
      "iam:AddUserToGroup",
      "iam:AttachGroupPolicy",
      "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
      "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
      "iam:PutGroupPolicy", "iam:PutUserPolicy",
      "iam:RemoveUserFromGroup",
      "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser"
    ]
    resources = ["*"]
  }
}

# Trust policy for the Manager role (same account-root principal as the Master role).
data "aws_iam_policy_document" "manager_assume_policy" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions = ["sts:AssumeRole"]
  }
}

# Manager role permissions: bind existing policies to principals, manage group membership
# and update users/groups/trust policies (MFA required), with an explicit Deny on creating
# or deleting principals and policies (the Master role's job).
# NOTE(review): iam:UpdateAssumeRolePolicy on resources "*" includes the Master role's
# trust policy, so the two-role separation is not enforced by these documents alone;
# scoping that action's resources, or denying it for the Master/Manager role ARNs, would
# close that gap. Also note that neither role is allowed iam:AttachRolePolicy or
# iam:AttachUserPolicy (only the group variant is granted) — confirm this is intentional.
data "aws_iam_policy_document" "manager_policy" {
  statement {
    actions = [
      "iam:AddUserToGroup",
      "iam:AttachGroupPolicy",
      "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy",
      "iam:DetachGroupPolicy", "iam:DetachRolePolicy", "iam:DetachUserPolicy",
      "iam:PutGroupPolicy", "iam:PutUserPolicy",
      "iam:RemoveUserFromGroup",
      "iam:UpdateGroup", "iam:UpdateAssumeRolePolicy", "iam:UpdateUser",
      "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:GetUser", "iam:GetUserPolicy",
      "iam:ListEntitiesForPolicy", "iam:ListGroupPolicies", "iam:ListGroups", "iam:ListGroupsForUser",
      "iam:ListPolicies", "iam:ListPoliciesGrantingServiceAccess", "iam:ListPolicyVersions",
      "iam:ListRolePolicies", "iam:ListAttachedGroupPolicies", "iam:ListAttachedRolePolicies",
      "iam:ListAttachedUserPolicies", "iam:ListRoles", "iam:ListUsers"
    ]
    resources = ["*"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Mirror of the Master role's Allow set, denied here.
  statement {
    effect = "Deny"
    actions = [
      "iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:CreateUser",
      "iam:DeleteGroup", "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DeleteUser",
      "iam:PutRolePolicy"
    ]
    resources = ["*"]
  }
}

# --------------------------------------------------------------------------------------------------
# Support Role
# --------------------------------------------------------------------------------------------------
# Trust policy for the Support role. The trusted principal is supplied by the caller via
# var.support_iam_role_principal_arn; unlike the Master/Manager documents there is no MFA
# condition here, so any MFA requirement must come from the trusted principal's own policies.
data "aws_iam_policy_document" "support_assume_policy" {
  statement {
    principals {
      type        = "AWS"
      identifiers = [var.support_iam_role_principal_arn]
    }
    actions = ["sts:AssumeRole"]
  }
}
-------------------------------------------------------------------------------- /modules/iam/main.tf: --------------------------------------------------------------------------------
# Managed By : CloudDrove
# Description : Creates the account password policy and the Master, Manager and Support
#               IAM roles with their policies (policy documents live in data.tf).
# Copyright @ CloudDrove. All Right Reserved.

#Module : Label
#Description : This terraform module is designed to generate consistent label names and
# tags for resources. You can use terraform-labels to implement a strict
# naming convention.
module "labels" {
  source  = "clouddrove/labels/aws"
  version = "1.3.0"

  name        = var.name
  repository  = var.repository
  environment = var.environment
  label_order = var.label_order
}

# Account-wide password policy; every setting comes from a variable (defaults in
# variables.tf: 14 characters minimum, 24-password reuse history, 90-day maximum age,
# all character classes required). Created whenever var.aws_iam_account_password_policy
# is true — independently of var.enabled, which only gates the roles below.
resource "aws_iam_account_password_policy" "default" {
  count                          = var.aws_iam_account_password_policy ? 1 : 0
  minimum_password_length        = var.minimum_password_length
  password_reuse_prevention      = var.password_reuse_prevention
  require_lowercase_characters   = var.require_lowercase_characters
  require_numbers                = var.require_numbers
  require_uppercase_characters   = var.require_uppercase_characters
  require_symbols                = var.require_symbols
  allow_users_to_change_password = var.allow_users_to_change_password
  max_password_age               = var.max_password_age
}

# --------------------------------------------------------------------------------------------------
# Manager & Master Role Separation
# --------------------------------------------------------------------------------------------------

resource "aws_iam_role" "master" {
  count              = var.enabled ? 1 : 0
  name               = var.master_iam_role_name
  assume_role_policy = data.aws_iam_policy_document.master_assume_policy.json
  tags               = module.labels.tags
}

# Inline role policy (not a managed policy), so it cannot be attached to any other principal.
resource "aws_iam_role_policy" "master_policy" {
  count  = var.enabled ? 1 : 0
  name   = var.master_iam_role_policy_name
  role   = join("", aws_iam_role.master.*.id)
  policy = data.aws_iam_policy_document.master_policy.json
}

resource "aws_iam_role" "manager" {
  count              = var.enabled ? 1 : 0
  name               = var.manager_iam_role_name
  assume_role_policy = data.aws_iam_policy_document.manager_assume_policy.json
  tags               = module.labels.tags
}

# Inline role policy, as for the Master role.
resource "aws_iam_role_policy" "manager_policy" {
  count  = var.enabled ? 1 : 0
  name   = var.manager_iam_role_policy_name
  role   = join("", aws_iam_role.manager.*.id)
  policy = data.aws_iam_policy_document.manager_policy.json
}

# --------------------------------------------------------------------------------------------------
# Support Role
# --------------------------------------------------------------------------------------------------

# Role for AWS Support access; trusted principal comes from var.support_iam_role_principal_arn.
resource "aws_iam_role" "support" {
  count              = var.enabled ? 1 : 0
  name               = var.support_iam_role_name
  assume_role_policy = data.aws_iam_policy_document.support_assume_policy.json

  tags = module.labels.tags
}

# Attaches the AWS managed AWSSupportAccess policy to the Support role.
resource "aws_iam_role_policy_attachment" "support_policy" {
  count      = var.enabled ? 1 : 0
  role       = join("", aws_iam_role.support.*.id)
  policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
}

-------------------------------------------------------------------------------- /modules/iam/outputs.tf: --------------------------------------------------------------------------------
# Each output exposes the whole role resource. Because the roles use `count`, each value
# is a list (empty when var.enabled is false), not a single object.
output "master_iam_role" {
  description = "The IAM role used for the master user."
  value       = aws_iam_role.master
}

output "manager_iam_role" {
  description = "The IAM role used for the manager user."
  value       = aws_iam_role.manager
}

output "support_iam_role" {
  description = "The IAM role used for the support user."
  value       = aws_iam_role.support
}

-------------------------------------------------------------------------------- /modules/iam/variables.tf: --------------------------------------------------------------------------------
#Module : LABEL
#Description : Terraform label module variables.
variable "name" {
  type        = string
  default     = ""
  description = "Name (e.g. `app` or `cluster`)."
}


variable "repository" {
  type        = string
  default     = "https://github.com/clouddrove/terraform-aws-iam-baseline"
  description = "Terraform current module repo"

  validation {
    # regex(...) fails if it cannot find a match
    condition     = can(regex("^https://", var.repository))
    error_message = "The module-repo value must be a valid Git repo link."
  }
}


variable "environment" {
  type        = string
  default     = ""
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
}

variable "label_order" {
  type        = list(any)
  default     = []
  description = "Label order, e.g. `name`,`application`."
}

# NOTE(review): the role/policy name variables below declare no `type`, so any value
# Terraform can convert to a string is accepted.
variable "master_iam_role_name" {
  description = "The name of the IAM Master role."
  default     = "IAM-Master"
}

variable "master_iam_role_policy_name" {
  description = "The name of the IAM Master role policy."
  default     = "IAM-Master-Policy"
}

variable "manager_iam_role_name" {
  description = "The name of the IAM Manager role."
  default     = "IAM-Manager"
}

variable "manager_iam_role_policy_name" {
  description = "The name of the IAM Manager role policy."
  default     = "IAM-Manager-Policy"
}

variable "support_iam_role_name" {
  description = "The name of the the support role."
  default     = "IAM-Support"
}

# Required input (no default): the only principal trusted by the Support role.
variable "support_iam_role_principal_arn" {
  description = "The ARN of the IAM principal element by which the support role could be assumed."
}

# Password-policy inputs; see aws_iam_account_password_policy.default in main.tf.
variable "max_password_age" {
  description = "The number of days that an user password is valid."
  default     = 90
}

variable "minimum_password_length" {
  description = "Minimum length to require for user passwords."
  default     = 14
}

variable "password_reuse_prevention" {
  description = "The number of previous passwords that users are prevented from reusing."
  default     = 24
}

variable "require_lowercase_characters" {
  description = "Whether to require lowercase characters for user passwords."
  default     = true
}

variable "require_numbers" {
  description = "Whether to require numbers for user passwords."
  default     = true
}

variable "require_uppercase_characters" {
  description = "Whether to require uppercase characters for user passwords."
  default     = true
}

variable "require_symbols" {
  description = "Whether to require symbols for user passwords."
  default     = true
}

variable "allow_users_to_change_password" {
  description = "Whether to allow users to change their own password."
  default     = true
}

# Gates the Master/Manager/Support roles (not the password policy).
variable "enabled" {
  type    = bool
  default = true
}

# Gates aws_iam_account_password_policy.default only.
variable "aws_iam_account_password_policy" {
  type    = bool
  default = true
}

-------------------------------------------------------------------------------- /modules/iam/versions.tf: --------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.3.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.10.0"
    }
  }
}
-------------------------------------------------------------------------------- /modules/inspector/README.md: --------------------------------------------------------------------------------


# AWS Inspector Terraform Module

This Terraform module is designed to facilitate the creation of AWS Inspector resources. It provides a generic way of creating Inspector assessments, rules packages, and targets.
6 | 7 | ## Usage 8 | ```hcl 9 | module "inspector" { 10 | source = "clouddrove/secure-baseline/aws//modules/inspector" 11 | version = "1.4.0" 12 | 13 | name = "inspector" 14 | environment = "security" 15 | label_order = ["name", "environment"] 16 | enabled = true 17 | 18 | instance_tags = { 19 | "Inspector" = true 20 | } 21 | 22 | duration = 300 23 | lambda_enabled = true 24 | schedule_expression = "cron(0/10 * ? * * *)" 25 | handler = "index.handler" 26 | runtime = "nodejs18.x" 27 | statement_ids = ["AllowExecutionFromEvents"] 28 | actions = ["lambda:InvokeFunction"] 29 | principals = ["events.amazonaws.com"] 30 | 31 | iam_actions = [ 32 | "inspector:StartAssessmentRun", 33 | "logs:CreateLogGroup", 34 | "logs:CreateLogStream", 35 | "logs:PutLogEvents" 36 | ] 37 | } 38 | ``` 39 | 40 | 41 | ## Requirements 42 | 43 | | Name | Version | 44 | |------|---------| 45 | | [terraform](#requirement\_terraform) | >= 1.3.6 | 46 | | [aws](#requirement\_aws) | >= 5.10.0 | 47 | 48 | ## Providers 49 | 50 | | Name | Version | 51 | |------|---------| 52 | | [aws](#provider\_aws) | >= 5.10.0 | 53 | 54 | ## Modules 55 | 56 | | Name | Source | Version | 57 | |------|--------|---------| 58 | | [labels](#module\_labels) | clouddrove/labels/aws | 1.3.0 | 59 | | [lambda](#module\_lambda) | clouddrove/lambda/aws | 1.3.0 | 60 | 61 | ## Resources 62 | 63 | | Name | Type | 64 | |------|------| 65 | | [aws_cloudwatch_event_rule.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | 66 | | [aws_cloudwatch_event_target.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | 67 | | [aws_inspector_assessment_target.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector_assessment_target) | resource | 68 | | 
[aws_inspector_assessment_template.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector_assessment_template) | resource | 69 | | [aws_inspector_resource_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector_resource_group) | resource | 70 | | [aws_inspector_rules_packages.rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/inspector_rules_packages) | data source | 71 | 72 | ## Inputs 73 | 74 | | Name | Description | Type | Default | Required | 75 | |------|-------------|------|---------|:--------:| 76 | | [actions](#input\_actions) | The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction). | `list(string)` | `[]` | no | 77 | | [duration](#input\_duration) | The duration of the inspector run. | `number` | `3600` | no | 78 | | [enabled](#input\_enabled) | Flag to control the module creation. | `bool` | `false` | no | 79 | | [environment](#input\_environment) | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | 80 | | [handler](#input\_handler) | The function entrypoint in your code. | `string` | `""` | no | 81 | | [iam\_actions](#input\_iam\_actions) | The actions for Iam Role Policy. | `list(any)` | `[]` | no | 82 | | [instance\_tags](#input\_instance\_tags) | Instance tags. | `map(any)` | `{}` | no | 83 | | [is\_enabled](#input\_is\_enabled) | Whether the rule should be enabled (defaults to true). | `bool` | `true` | no | 84 | | [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. When specifying kms\_key\_id, encrypted needs to be set to true. | `string` | `""` | no | 85 | | [label\_order](#input\_label\_order) | Label order, e.g. `name`,`application`. | `list(any)` | `[]` | no | 86 | | [lambda\_enabled](#input\_lambda\_enabled) | Whether to create the resources. Set to `false` to prevent the module from creating any resources. 
| `bool` | `true` | no | 87 | | [managedby](#input\_managedby) | ManagedBy, eg 'CloudDrove' | `string` | `"hello@clouddrove.com"` | no | 88 | | [name](#input\_name) | Name (e.g. `app` or `cluster`). | `string` | `""` | no | 89 | | [principals](#input\_principals) | The principal who is getting this permission. e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com. | `list(string)` | `[]` | no | 90 | | [rule\_iam\_role\_arn](#input\_rule\_iam\_role\_arn) | The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no | 91 | | [runtime](#input\_runtime) | Runtimes. | `string` | `""` | no | 92 | | [schedule\_expression](#input\_schedule\_expression) | AWS Schedule Expression: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html | `string` | `"cron(0 14 ? * THU *)"` | no | 93 | | [statement\_ids](#input\_statement\_ids) | A unique statement identifier. By default generated by Terraform. | `list(string)` | `[]` | no | 94 | | [target\_iam\_role\_arn](#input\_target\_iam\_role\_arn) | The Amazon Resource Name (ARN) associated with the role that is used for target invocation. | `any` | `null` | no | 95 | | [timeout](#input\_timeout) | The amount of time your Lambda Function has to run in seconds. Defaults to 3. | `number` | `120` | no | 96 | 97 | ## Outputs 98 | 99 | | Name | Description | 100 | |------|-------------| 101 | | [assessment\_target](#output\_assessment\_target) | The target assessment ARN. | 102 | | [assessment\_template](#output\_assessment\_template) | The template assessment ARN. | 103 | | [lambda\_arn](#output\_lambda\_arn) | The Amazon Resource Name (ARN) identifying your Lambda Function. | 104 | | [resource\_group](#output\_resource\_group) | The resource group ARN. | 105 | | [tags](#output\_tags) | The tags of aws inspector. 
| 106 | 107 | 108 | 109 | ## Feedback 110 | If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com). 111 | 112 | If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)! 113 | 114 | ## About us 115 | 116 | At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering. 117 | 118 |We are The Cloud Experts!
119 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=
-------------------------------------------------------------------------------- /modules/inspector/assessment/index.js: --------------------------------------------------------------------------------
'use strict';

/**
 * A blueprint to schedule a recurring assessment run for an Amazon Inspector assessment template.
 *
 * This blueprint assumes that you've already done the following:
 * 1. onboarded with the Amazon Inspector service https://aws.amazon.com/inspector
 * 2. created an assessment target - what hosts you want to assess
 * 3. created an assessment template - how you want to assess your target
 *
 * Then, all you need to do to use this blueprint is to define an environment variable in the Lambda console called
 * `assessmentTemplateArn` and provide the template arn you want to run on a schedule.
 *
 * In this module the variable is set by module.lambda in ../main.tf from the
 * aws_inspector_assessment_template resource.
 */

// NOTE(review): this is the AWS SDK for JavaScript v2 package. The nodejs18.x managed
// runtime (the default in ../variables.tf) bundles only SDK v3, so unless the deployment
// package under modules/inspector/assessment ships its own node_modules this require()
// fails when the function is loaded — confirm how the package is built.
// NOTE(review): AWS.Inspector is the Inspector Classic (v1 API) client, which AWS has
// deprecated; confirm the service is still available in the target region.
const AWS = require('aws-sdk');

const inspector = new AWS.Inspector();

// Read once at module load; an unset environment variable yields `undefined` here and
// the API call below is then expected to fail validation rather than this code.
const params = {
  assessmentTemplateArn: process.env.assessmentTemplateArn,
};

/**
 * Lambda entry point (callback style): starts one assessment run for the configured
 * template and returns the StartAssessmentRun response through the callback.
 * The try/catch only covers synchronous throws; errors from the API call itself are
 * delivered through the callback in the (error, data) handler below.
 */
exports.handler = (event, context, callback) => {
  try {
    // Inspector.StartAssessmentRun response will look something like:
    // {"assessmentRunArn":"arn:aws:inspector:us-west-2:123456789012:target/0-wJ0KWygn/template/0-jRPJqnQh/run/0-Ga1lDjhP"
    inspector.startAssessmentRun(params, (error, data) => {
      if (error) {
        console.log(error, error.stack);
        return callback(error);
      }

      console.log(data);
      return callback(null, data);
    });
  } catch (error) {
    console.log('Caught Error: ', error);
    callback(error);
  }
};

-------------------------------------------------------------------------------- /modules/inspector/main.tf: --------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

# No filter arguments: the data source appears to return every Inspector Classic rules
# package available in the region, and all of them are applied to the template below.
data "aws_inspector_rules_packages" "rules" {}

#Module : labels
#Description : Terraform module to create consistent naming for multiple names.
module "labels" {
  source  = "clouddrove/labels/aws"
  version = "1.3.0"

  name        = var.name
  environment = var.environment
  enabled     = var.enabled
  managedby   = var.managedby
  label_order = var.label_order
}

#Module : INSPECTOR RESOURCE GROUP
#Description : Match the instances with the below tags to attach to resource group.
resource "aws_inspector_resource_group" "default" {
  count = var.enabled ? 1 : 0
  tags  = var.instance_tags
}

#Module : INSPECTOR ASSESSMENT TARGET
#Description : Attach the resource group to targets.
resource "aws_inspector_assessment_target" "default" {
  count              = var.enabled ? 1 : 0
  name               = format("%s-assessment-target", module.labels.id)
  resource_group_arn = join("", aws_inspector_resource_group.default.*.arn)
}

#Module : INSPECTOR ASSESSMENT TEMPLATE
#Description : Creation of template and applying rule packages.
# duration (seconds, var.duration) is how long each assessment run is allowed to take.
resource "aws_inspector_assessment_template" "default" {
  count              = var.enabled ? 1 : 0
  name               = format("%s-assessment-template", module.labels.id)
  target_arn         = join("", aws_inspector_assessment_target.default.*.arn)
  duration           = var.duration
  rules_package_arns = data.aws_inspector_rules_packages.rules.arns
  tags               = module.labels.tags
}

#Module : CLOUD WATCH EVENT RULE
#Description : Event rule for cloud watch events.
# Scheduled rule that triggers the Lambda below. NOTE(review): `is_enabled` is reported
# deprecated in favour of `state` in recent AWS provider 5.x releases — confirm for the
# pinned provider (>= 5.10.0).
resource "aws_cloudwatch_event_rule" "default" {
  count               = var.enabled ? 1 : 0
  name                = format("%s-assessment-er", module.labels.id)
  schedule_expression = var.schedule_expression
  description         = "Event rule for AWS Inspector assessment run."
  role_arn            = var.rule_iam_role_arn
  is_enabled          = var.is_enabled
  tags                = module.labels.tags
}

#Module : CLOUD WATCH EVENT TARGET
#Description : Attaching event rule and lambda function to targets.
# NOTE(review): var.lambda_enabled only gates this target; module.lambda itself is gated
# on var.enabled (see below), so the function is still created when lambda_enabled is false.
resource "aws_cloudwatch_event_target" "default" {
  count     = var.enabled && var.lambda_enabled ? 1 : 0
  rule      = join("", aws_cloudwatch_event_rule.default.*.name)
  target_id = "AssessmentRun"
  arn       = module.lambda.arn
  role_arn  = var.target_iam_role_arn

  depends_on = [
    module.lambda
  ]
}
#Module : LAMBDA
#Description : Creating a lambda function for assessment run.
# Packages ./assessment (index.js) as the function. source_arns restricts the invoke
# permission to the event rule above; the template ARN is handed to the code through
# the assessmentTemplateArn environment variable it reads.
# NOTE(review): var.kms_key_id is passed as kms_key_arn — the input name and its
# description (in variables.tf) do not match what it is used for.
module "lambda" {
  source  = "clouddrove/lambda/aws"
  version = "1.3.0"

  name          = var.name
  environment   = var.environment
  label_order   = var.label_order
  enabled       = var.enabled
  iam_actions   = var.iam_actions
  filename      = format("%s/assessment", path.module)
  handler       = var.handler
  runtime       = var.runtime
  timeout       = var.timeout
  kms_key_arn   = var.kms_key_id
  statement_ids = var.statement_ids
  actions       = var.actions
  principals    = var.principals
  source_arns   = [join("", aws_cloudwatch_event_rule.default.*.arn)]

  variables = {
    assessmentTemplateArn = join("", aws_inspector_assessment_template.default.*.arn)
  }
}

-------------------------------------------------------------------------------- /modules/inspector/outputs.tf: --------------------------------------------------------------------------------
# ARNs are flattened with join("", ...) because the resources use `count`; each output is
# an empty string when var.enabled is false.
output "resource_group" {
  value       = join("", aws_inspector_resource_group.default.*.arn)
  description = "The resource group ARN."
}

output "assessment_target" {
  value       = join("", aws_inspector_assessment_target.default.*.arn)
  description = "The target assessment ARN."
}

output "assessment_template" {
  value       = join("", aws_inspector_assessment_template.default.*.arn)
  description = "The template assessment ARN."
}

output "lambda_arn" {
  value       = module.lambda.arn
  description = "The Amazon Resource Name (ARN) identifying your Lambda Function."
}

output "tags" {
  value       = module.labels.tags
  description = "The tags of aws inspector."
}

-------------------------------------------------------------------------------- /modules/inspector/variables.tf: --------------------------------------------------------------------------------
#Module : LABEL
#Description : Terraform label module variables.
variable "name" {
  type        = string
  default     = ""
  description = "Name (e.g. `app` or `cluster`)."
}


variable "environment" {
  type        = string
  default     = ""
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
}


# Gates every resource in main.tf and module.lambda; defaults to off.
variable "enabled" {
  type        = bool
  default     = false
  description = "Flag to control the module creation."
}

variable "managedby" {
  type        = string
  default     = "hello@clouddrove.com"
  description = "ManagedBy, eg 'CloudDrove'"
}

variable "label_order" {
  type        = list(any)
  default     = []
  description = "Label order, e.g. `name`,`application`."
}

# NOTE(review): this value is passed to module.lambda as kms_key_arn in main.tf; the
# "encrypted needs to be set to true" wording appears to be inherited from another
# module and does not apply to anything in this one.
variable "kms_key_id" {
  type        = string
  default     = ""
  description = "The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true."
}

# Tag filter used by aws_inspector_resource_group.default to select the instances to assess.
variable "instance_tags" {
  type        = map(any)
  default     = {}
  description = "Instance tags."
}

## Inspector

# Seconds each assessment run may take (aws_inspector_assessment_template.duration).
variable "duration" {
  type        = number
  default     = 3600
  description = "The duration of the inspector run."
}

## Lambda

# NOTE(review): despite the description, main.tf only uses this to gate the
# aws_cloudwatch_event_target; the Lambda function itself is gated on var.enabled.
variable "lambda_enabled" {
  type        = bool
  default     = true
  description = "Whether to create the resources. Set to `false` to prevent the module from creating any resources."
}

variable "schedule_expression" {
  type        = string
  default     = "cron(0 14 ? * THU *)" # Run every Thursday at 2PM UTC/9AM EST/10AM EDT
  description = "AWS Schedule Expression: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html"
}

# No `type` declared; null means the event rule is created without a role_arn.
variable "rule_iam_role_arn" {
  default     = null
  description = "The Amazon Resource Name (ARN) associated with the role that is used for target invocation."
}

variable "is_enabled" {
  type        = bool
  default     = true
  description = "Whether the rule should be enabled (defaults to true)."
}

# No `type` declared; null means the event target is created without a role_arn.
variable "target_iam_role_arn" {
  default     = null
  description = "The Amazon Resource Name (ARN) associated with the role that is used for target invocation."
}

# Actions granted to the Lambda execution role by module.lambda; the README usage shows
# inspector:StartAssessmentRun plus the CloudWatch Logs actions as the expected set.
variable "iam_actions" {
  type        = list(any)
  default     = []
  description = "The actions for Iam Role Policy."
}

variable "handler" {
  type        = string
  default     = ""
  description = "The function entrypoint in your code."
}

# NOTE(review): assessment/index.js uses the `aws-sdk` v2 package, which the nodejs18.x
# managed runtime does not bundle — see the note in that file. README.md still lists this
# default as "" and looks stale.
variable "runtime" {
  type        = string
  default     = "nodejs18.x"
  description = "Runtimes."
}

# NOTE(review): the description's "Defaults to 3." does not match the declared default of 120.
variable "timeout" {
  type        = number
  default     = 120
  description = "The amount of time your Lambda Function has to run in seconds. Defaults to 3."
}

variable "statement_ids" {
  type        = list(string)
  default     = []
  description = "A unique statement identifier. By default generated by Terraform. "
}

variable "actions" {
  type        = list(string)
  default     = []
  description = "The AWS Lambda action you want to allow in this statement. (e.g. lambda:InvokeFunction)."
}

variable "principals" {
  type        = list(string)
  default     = []
  description = "The principal who is getting this permission. e.g. s3.amazonaws.com, an AWS account ID, or any valid AWS service principal such as events.amazonaws.com or sns.amazonaws.com."
}

-------------------------------------------------------------------------------- /modules/inspector/versions.tf: --------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.3.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.10.0"
    }
  }
}
-------------------------------------------------------------------------------- /modules/security_hub/README.md: --------------------------------------------------------------------------------


# AWS Security Hub Terraform Module

This Terraform module is designed to facilitate the creation of AWS Security Hub resources. It provides a generic way of creating Security Hub detectors, publishing findings to SNS topics, and managing threat intelligence feeds.

## Usage
```hcl
module "security-hub" {
  source = "clouddrove/secure-baseline/aws//modules/security-hub"
  version = "1.4.0"

  security_hub_enabled = true

  #standards
  enabled_standards = [
    "standards/aws-foundational-security-best-practices/v/1.0.0",
    "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  ]

  #products
  enabled_products = [
    "product/aws/guardduty",
    "product/aws/inspector"
  ]
}
```


## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.6 |
| [aws](#requirement\_aws) | >= 5.10.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.10.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_securityhub_account.security_hub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
| [aws_securityhub_invite_accepter.invitee](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_invite_accepter) | resource |
| [aws_securityhub_member.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_member) | resource |
| [aws_securityhub_product_subscription.products](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource |
| [aws_securityhub_standards_subscription.standards](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
| [aws_partition.security_hub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.security_hub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to true, and new controls are enabled automatically. To not automatically enable new controls, set this to false. | `bool` | `true` | no |
| [control\_finding\_generator](#input\_control\_finding\_generator) | Updates whether the calling account has consolidated control findings turned on. If set to SECURITY_CONTROL, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If set to STANDARD_CONTROL, Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. For accounts that are part of an organization, this value can only be updated in the administrator account. | `string` | `null` | no |
| [enable\_default\_standards](#input\_enable\_default\_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no |
| [enabled\_products](#input\_enabled\_products) | The possible values are: `product/aws/guardduty`, `product/aws/inspector`, `product/aws/macie` | `list(any)` | `["product/aws/guardduty", "product/aws/inspector", "product/aws/macie"]` | no |
| [enabled\_standards](#input\_enabled\_standards) | The possible values are: `standards/aws-foundational-security-best-practices/v/1.0.0`, `ruleset/cis-aws-foundations-benchmark/v/1.2.0`, `standards/pci-dss/v/3.2.1` | `list(any)` | `["standards/aws-foundational-security-best-practices/v/1.0.0", "ruleset/cis-aws-foundations-benchmark/v/1.2.0"]` | no |
| [master\_account\_id](#input\_master\_account\_id) | The account ID of the master Security Hub account whose invitation you're accepting. | `string` | `""` | no |
| [member\_details](#input\_member\_details) | n/a | `list(object({ account_id = string, mail_id = optional(string, null), invite = optional(bool, null) }))` | `[]` | no |
| [security\_hub\_arn](#input\_security\_hub\_arn) | Security Hub id of the master account. | `string` | `""` | no |
| [security\_hub\_enabled](#input\_security\_hub\_enabled) | To enable Security Hub in the AWS account | `bool` | `false` | no |
| [security\_hub\_id](#input\_security\_hub\_id) | Security Hub id of the master account. | `string` | `""` | no |

## Outputs

| Name | Description |
|------|-------------|
| [arn](#output\_arn) | The ARN of the Security Hub deployed in the master account. |
| [id](#output\_id) | The ID of the Security Hub deployed in the master account. |



## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!
We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
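
[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=

--------------------------------------------------------------------------------
/modules/security_hub/main.tf:
--------------------------------------------------------------------------------
#Module : Security-hub
#Description : Enables Security Hub in the current account/region, subscribes standards and
#              product integrations, and optionally manages member accounts or accepts an
#              invitation from an administrator account.
data "aws_partition" "security_hub" {}
data "aws_region" "security_hub" {}

locals {
  # Standards ARNs. "ruleset/..." entries (CIS 1.2.0) are global and carry no region in
  # their ARN; "standards/..." entries are regional.
  enabled_standards_arns = var.security_hub_enabled ? toset([
    for standard in var.enabled_standards :
    format("arn:%s:securityhub:%s::%s", data.aws_partition.security_hub.partition, length(regexall("ruleset", standard)) == 0 ? data.aws_region.security_hub.name : "", standard)
  ]) : toset([])

  # Product integration ARNs are always regional (no product name contains "ruleset",
  # so the former copy of the standards check above never changed the result).
  enabled_products_arns = var.security_hub_enabled ? toset([
    for product in var.enabled_products :
    format("arn:%s:securityhub:%s::%s", data.aws_partition.security_hub.partition, data.aws_region.security_hub.name, product)
  ]) : toset([])

  # Member accounts are only managed when the hub itself is enabled; previously they
  # were created even with `security_hub_enabled = false`.
  members = var.security_hub_enabled ? { for member in var.member_details : member.account_id => member } : {}
}

resource "aws_securityhub_account" "security_hub" {
  count                     = var.security_hub_enabled ? 1 : 0
  enable_default_standards  = var.enable_default_standards
  control_finding_generator = var.control_finding_generator
  auto_enable_controls      = var.auto_enable_controls
}

resource "aws_securityhub_standards_subscription" "standards" {
  for_each      = local.enabled_standards_arns
  depends_on    = [aws_securityhub_account.security_hub]
  standards_arn = each.key
}

resource "aws_securityhub_product_subscription" "products" {
  for_each    = local.enabled_products_arns
  depends_on  = [aws_securityhub_account.security_hub]
  product_arn = each.key
}

# Adds member accounts to this (administrator) Security Hub account.
# The resource label "example" is kept: renaming it would change state addresses and
# force every member to be re-created.
resource "aws_securityhub_member" "example" {
  for_each   = local.members
  account_id = each.value.account_id
  email      = each.value.mail_id
  invite     = each.value.invite

  depends_on = [
    aws_securityhub_account.security_hub
  ]
}

# Accepts an invitation from another (administrator) Security Hub account into this account.
# Created only when the hub is enabled AND an administrator account id was supplied; the
# previous condition evaluated to 1 whenever the module was disabled, which attempted to
# accept an invitation from an empty master_id.
resource "aws_securityhub_invite_accepter" "invitee" {
  count     = var.security_hub_enabled && var.master_account_id != "" ? 1 : 0
  master_id = var.master_account_id # Account id of the administrator account, e.g. aws_securityhub_account.security_hub[0].master_id

  depends_on = [
    aws_securityhub_account.security_hub
  ]
}

--------------------------------------------------------------------------------
/modules/security_hub/outputs.tf:
--------------------------------------------------------------------------------
#Module : Security-hub
#Description : Terraform module Security Hub outputs.
# When the hub is not created by this module (member / invitee use), the outputs fall back
# to the administrator values passed in via `security_hub_id` / `security_hub_arn`.
output "id" {
  value       = try(aws_securityhub_account.security_hub[0].id, var.security_hub_id)
  description = "The ID of the Security Hub deployed in the master account."
}

output "arn" {
  value       = try(aws_securityhub_account.security_hub[0].arn, var.security_hub_arn)
  description = "The ARN of the Security Hub deployed in the master account."
}
--------------------------------------------------------------------------------
/modules/security_hub/variable.tf:
--------------------------------------------------------------------------------
variable "enable_default_standards" {
  description = "Flag to indicate whether default standards should be enabled"
  type        = bool
  default     = true
}

variable "control_finding_generator" {
  description = <<-DOC
    Updates whether the calling account has consolidated control findings turned on.
    If the value for this field is set to SECURITY_CONTROL,
    Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.
    If the value for this field is set to STANDARD_CONTROL,
    Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.
    For accounts that are part of an organization,
    this value can only be updated in the administrator account.
  DOC
  type        = string
  default     = null

  # Reject typos at plan time; `null` keeps the provider/API default.
  validation {
    condition     = var.control_finding_generator == null ? true : contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.control_finding_generator)
    error_message = "control_finding_generator must be null, \"SECURITY_CONTROL\" or \"STANDARD_CONTROL\"."
  }
}

variable "auto_enable_controls" {
  description = <<-DOC
    Whether to automatically enable new controls when they are added to standards that are enabled.
    By default, this is set to true, and new controls are enabled automatically.
    To not automatically enable new controls, set this to false.
  DOC
  type        = bool
  default     = true
}

variable "enabled_standards" {
  description = <<-DOC
    The possible values are:
    - standards/aws-foundational-security-best-practices/v/1.0.0
    - ruleset/cis-aws-foundations-benchmark/v/1.2.0
    - standards/pci-dss/v/3.2.1
  DOC
  type        = list(string)
  default = [
    "standards/aws-foundational-security-best-practices/v/1.0.0",
    "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
  ]
}

variable "enabled_products" {
  description = <<-DOC
    The possible values are:
    - product/aws/guardduty
    - product/aws/inspector
    - product/aws/macie
  DOC
  type        = list(string)
  default = [
    "product/aws/guardduty",
    "product/aws/inspector",
    "product/aws/macie"
  ]
}

variable "security_hub_enabled" {
  type        = bool
  default     = false
  description = "To enable Security Hub in the AWS account"
}

variable "member_details" {
  type = list(object({
    account_id = string
    mail_id    = optional(string, null)
    invite     = optional(bool, null)
  }))
  default     = []
  description = "Member accounts to add to this Security Hub account: `account_id` (12-digit AWS account id), optional `mail_id` (contact email) and optional `invite` (send an invitation)."

  validation {
    condition     = alltrue([for member in var.member_details : can(regex("^[0-9]{12}$", member.account_id))])
    error_message = "Every member_details.account_id must be a 12-digit AWS account id."
  }
}

# Managed Security Hub account variables

variable "master_account_id" {
  type        = string
  default     = ""
  description = "The account ID of the master Security Hub account whose invitation you're accepting."

  # Empty string means "do not accept an invitation" (see aws_securityhub_invite_accepter).
  validation {
    condition     = var.master_account_id == "" || can(regex("^[0-9]{12}$", var.master_account_id))
    error_message = "master_account_id must be empty or a 12-digit AWS account id."
  }
}

variable "security_hub_id" {
  type        = string
  default     = ""
  description = "Security Hub id of the master account."
}

variable "security_hub_arn" {
  type        = string
  default     = ""
  description = "Security Hub ARN of the master account."
}
--------------------------------------------------------------------------------
/modules/security_hub/versions.tf:
--------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.3.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.10.0"
    }
  }
}
--------------------------------------------------------------------------------
/modules/shield/README.md:
--------------------------------------------------------------------------------


# AWS Shield Terraform Module

This Terraform module is designed to facilitate the creation of AWS Shield resources. It provides a generic way of creating Shield Standard and Shield Advanced protections for your Amazon EC2 instances, Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Amazon Route 53 hosted zones.

## Usage
```hcl
module "shield" {
  source  = "clouddrove/secure-baseline/aws//modules/shield"
  version = "1.4.0"

  name        = "shield"
  environment = "security"
  label_order = ["name", "environment"]
  enabled     = false

  ## AWS SHIELD
  resource_arn = [] # ARN of the Resource that needs to be protect with Shield. e.g. cloudfront, ALB, EIP, Route53 etc.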
20 | 21 | } 22 | ``` 23 | 24 | 25 | ## Requirements 26 | 27 | | Name | Version | 28 | |------|---------| 29 | | [terraform](#requirement\_terraform) | >= 1.3.6 | 30 | | [aws](#requirement\_aws) | >= 5.10.0 | 31 | 32 | ## Providers 33 | 34 | | Name | Version | 35 | |------|---------| 36 | | [aws](#provider\_aws) | >= 5.10.0 | 37 | 38 | ## Modules 39 | 40 | | Name | Source | Version | 41 | |------|--------|---------| 42 | | [labels](#module\_labels) | clouddrove/labels/aws | 1.3.0 | 43 | 44 | ## Resources 45 | 46 | | Name | Type | 47 | |------|------| 48 | | [aws_shield_protection.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection) | resource | 49 | 50 | ## Inputs 51 | 52 | | Name | Description | Type | Default | Required | 53 | |------|-------------|------|---------|:--------:| 54 | | [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `false` | no | 55 | | [environment](#input\_environment) | Environment (e.g. `prod`, `dev`, `staging`). | `string` | `""` | no | 56 | | [label\_order](#input\_label\_order) | Label order, e.g. `name`,`application`. | `list(any)` | `[]` | no | 57 | | [managedby](#input\_managedby) | ManagedBy, eg 'CloudDrove' | `string` | `"hello@clouddrove.com"` | no | 58 | | [name](#input\_name) | Name (e.g. `app` or `cluster`). | `string` | `""` | no | 59 | | [resource\_arn](#input\_resource\_arn) | The ARN (Amazon Resource Name) of the resource to be protected. | `list(any)` | `[]` | no | 60 | 61 | ## Outputs 62 | 63 | | Name | Description | 64 | |------|-------------| 65 | | [arn](#output\_arn) | The unique identifier (ID) for the Protection object that is created. | 66 | | [id](#output\_id) | The unique identifier (ID) for the Protection object that is created. 
|



## Feedback
If you come across a bug or have any feedback, please log it in our [issue tracker](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm/issues), or feel free to drop us an email at [hello@clouddrove.com](mailto:hello@clouddrove.com).

If you have found it worth your time, go ahead and give us a ★ on [our GitHub](https://github.com/clouddrove/terraform-aws-secure-baseline/modules/alarm)!

## About us

At [CloudDrove][website], we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.

We are The Cloud Experts!
80 |We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.
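
[website]: https://clouddrove.com
[github]: https://github.com/clouddrove
[linkedin]: https://cpco.io/linkedin
[twitter]: https://twitter.com/clouddrove/
[email]: https://clouddrove.com/contact-us.html
[terraform_modules]: https://github.com/clouddrove?utf8=%E2%9C%93&q=terraform-&type=&language=

--------------------------------------------------------------------------------
/modules/shield/main.tf:
--------------------------------------------------------------------------------
## Managed By : CloudDrove
## Copyright @ CloudDrove. All Right Reserved.

#Module      : Label
#Description : This terraform module is designed to generate consistent label names and
#              tags for resources. You can use terraform-labels to implement a strict
#              naming convention
module "labels" {
  source  = "clouddrove/labels/aws"
  version = "1.3.0"

  name        = var.name
  environment = var.environment
  label_order = var.label_order
  managedby   = var.managedby
}

#Module      : Shield
#Description : One Shield protection per entry of `resource_arn`, named "<label>-shield-<index>".
#              `count` is kept (not `for_each` keyed by ARN) so existing state addresses stay
#              valid; note that removing an entry from the middle of `resource_arn` shifts the
#              indexes and re-creates the protections after it.
resource "aws_shield_protection" "default" {
  count        = var.enabled ? length(var.resource_arn) : 0
  name         = format("%s-shield-%s", module.labels.id, count.index)
  resource_arn = var.resource_arn[count.index]
  tags         = module.labels.tags
}

--------------------------------------------------------------------------------
/modules/shield/output.tf:
--------------------------------------------------------------------------------
# `id` / `arn` are kept string-typed for backward compatibility: with more than one
# protected resource they are the values concatenated without a separator. Use the
# list outputs `ids` / `arns` when several resources are protected.
output "id" {
  value       = join("", aws_shield_protection.default[*].id)
  description = "The unique identifier (ID) for the Protection object that is created (IDs concatenated when several resources are protected)."
}

output "arn" {
  value       = join("", aws_shield_protection.default[*].arn)
  description = "The ARN of the Protection object that is created (ARNs concatenated when several resources are protected)."
}

output "ids" {
  value       = aws_shield_protection.default[*].id
  description = "List of Protection IDs, one per entry of `resource_arn` (empty when the module is disabled)."
}

output "arns" {
  value       = aws_shield_protection.default[*].arn
  description = "List of Protection ARNs, one per entry of `resource_arn` (empty when the module is disabled)."
}

--------------------------------------------------------------------------------
/modules/shield/variable.tf:
--------------------------------------------------------------------------------
#Module      : LABEL
#Description : Terraform label module variables.
variable "name" {
  type        = string
  default     = ""
  description = "Name (e.g. `app` or `cluster`)."
}

variable "environment" {
  type        = string
  default     = ""
  description = "Environment (e.g. `prod`, `dev`, `staging`)."
}

variable "label_order" {
  type        = list(any)
  default     = []
  description = "Label order, e.g. `name`,`application`."
}

variable "managedby" {
  type        = string
  default     = "hello@clouddrove.com"
  description = "ManagedBy, eg 'CloudDrove'"
}

variable "enabled" {
  type        = bool
  default     = false
  description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
}

variable "resource_arn" {
  type        = list(string)
  default     = []
  description = "The ARNs (Amazon Resource Names) of the resources to be protected, one Shield protection is created per entry."

  # Catch non-ARN values at plan time instead of at the Shield API call.
  validation {
    condition     = alltrue([for arn in var.resource_arn : can(regex("^arn:", arn))])
    error_message = "Every entry of resource_arn must be an ARN (starting with \"arn:\")."
  }
}

--------------------------------------------------------------------------------
/modules/shield/versions.tf:
--------------------------------------------------------------------------------
# Terraform version
terraform {
  required_version = ">= 1.3.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.10.0"
    }
  }
}
--------------------------------------------------------------------------------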