├── .editorconfig
├── .github
├── CODEOWNERS
├── ISSUE_TEMPLATE
│ ├── bug_report.md
│ ├── bug_report.yml
│ ├── config.yml
│ ├── feature_request.md
│ ├── feature_request.yml
│ └── question.md
├── PULL_REQUEST_TEMPLATE.md
├── banner.png
├── mergify.yml
├── renovate.json
├── settings.yml
└── workflows
│ ├── branch.yml
│ ├── chatops.yml
│ ├── release.yml
│ └── scheduled.yml
├── .gitignore
├── LICENSE
├── README.md
├── README.yaml
├── atmos.yaml
├── catalog
├── account.yaml
├── acm.yaml
├── alb.yaml
├── ami.yaml
├── apigw.yaml
├── asg.yaml
├── cloudformation.yaml
├── cloudfront.yaml
├── cloudtrail.yaml
├── cloudwatch.yaml
├── cmk.yaml
├── codebuild.yaml
├── codepipeline.yaml
├── dms.yaml
├── dynamodb.yaml
├── ec2.yaml
├── efs.yaml
├── eip.yaml
├── eks.yaml
├── elasticache.yaml
├── elasticsearch.yaml
├── elb.yaml
├── emr.yaml
├── fms.yaml
├── guardduty.yaml
├── iam.yaml
├── kms.yaml
├── lambda.yaml
├── mfa.yaml
├── network.yaml
├── rds.yaml
├── redshift.yaml
└── vpc.yaml
├── context.tf
├── examples
├── cis
│ ├── context.tf
│ ├── fixtures.us-east-2.tfvars
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
│ └── versions.tf
├── complete
│ ├── context.tf
│ ├── fixtures.us-east-2.tfvars
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
│ └── versions.tf
└── hipaa
│ ├── context.tf
│ ├── fixtures.us-east-2.tfvars
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
│ └── versions.tf
├── main.tf
├── modules
├── cis-1-2-rules
│ ├── README.md
│ ├── context.tf
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
│ └── versions.tf
└── conformance-pack
│ ├── README.md
│ ├── context.tf
│ ├── main.tf
│ ├── outputs.tf
│ ├── variables.tf
│ └── versions.tf
├── outputs.tf
├── test
├── .gitignore
├── Makefile
├── Makefile.alpine
└── src
│ ├── .gitignore
│ ├── Makefile
│ ├── examples_cis_test.go
│ ├── examples_complete_test.go
│ ├── examples_hipaa_test.go
│ ├── go.mod
│ └── go.sum
├── variables.tf
└── versions.tf
/.editorconfig:
--------------------------------------------------------------------------------
1 | # Unix-style newlines with a newline ending every file
2 | [*]
3 | charset = utf-8
4 | end_of_line = lf
5 | indent_size = 2
6 | indent_style = space
7 | insert_final_newline = true
8 | trim_trailing_whitespace = true
9 |
10 | [*.{tf,tfvars}]
11 | indent_size = 2
12 | indent_style = space
13 |
14 | [*.md]
15 | max_line_length = 0
16 | trim_trailing_whitespace = false
17 |
18 | # Override for Makefile
19 | [{Makefile, makefile, GNUmakefile, Makefile.*}]
20 | tab_width = 2
21 | indent_style = tab
22 | indent_size = 4
23 |
24 | [COMMIT_EDITMSG]
25 | max_line_length = 0
26 |
--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # Use this file to define individuals or teams that are responsible for code in a repository.
2 | # Read more:
3 | #
4 | # Order is important: the last matching pattern has the highest precedence
5 |
6 | # These owners will be the default owners for everything
7 | * @cloudposse/engineering @cloudposse/contributors
8 |
9 | # Cloud Posse must review any changes to Makefiles
10 | **/Makefile @cloudposse/engineering
11 | **/Makefile.* @cloudposse/engineering
12 |
13 | # Cloud Posse must review any changes to GitHub actions
14 | .github/* @cloudposse/engineering
15 |
16 | # Cloud Posse must review any changes to standard context definition,
17 | # but some changes can be rubber-stamped.
18 | **/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
19 | README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
20 | README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
21 | docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
22 |
23 | # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration
24 | .github/mergify.yml @cloudposse/admins
25 | .github/CODEOWNERS @cloudposse/admins
26 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | about: Create a report to help us improve
4 | title: ''
5 | labels: 'bug'
6 | assignees: ''
7 |
8 | ---
9 |
10 | Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help.
11 |
12 | [](https://slack.cloudposse.com)
13 |
14 | ## Describe the Bug
15 | A clear and concise description of what the bug is.
16 |
17 | ## Expected Behavior
18 | A clear and concise description of what you expected to happen.
19 |
20 | ## Steps to Reproduce
21 | Steps to reproduce the behavior:
22 | 1. Go to '...'
23 | 2. Run '....'
24 | 3. Enter '....'
25 | 4. See error
26 |
27 | ## Screenshots
28 | If applicable, add screenshots or logs to help explain your problem.
29 |
30 | ## Environment (please complete the following information):
31 |
32 | Anything that will help us triage the bug will help. Here are some ideas:
33 | - OS: [e.g. Linux, OSX, WSL, etc]
34 | - Version [e.g. 10.15]
35 |
36 | ## Additional Context
37 | Add any other context about the problem here.
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Bug report
3 | description: Create a report to help us improve
4 | labels: ["bug"]
5 | assignees: [""]
6 | body:
7 | - type: markdown
8 | attributes:
9 | value: |
10 | Found a bug?
11 |
12 | Please checkout our [Slack Community](https://slack.cloudposse.com)
13 | or visit our [Slack Archive](https://archive.sweetops.com/).
14 |
15 | [](https://slack.cloudposse.com)
16 |
17 | - type: textarea
18 | id: concise-description
19 | attributes:
20 | label: Describe the Bug
21 | description: A clear and concise description of what the bug is.
22 | placeholder: What is the bug about?
23 | validations:
24 | required: true
25 |
26 | - type: textarea
27 | id: expected
28 | attributes:
29 | label: Expected Behavior
30 | description: A clear and concise description of what you expected.
31 | placeholder: What happened?
32 | validations:
33 | required: true
34 |
35 | - type: textarea
36 | id: reproduction-steps
37 | attributes:
38 | label: Steps to Reproduce
39 | description: Steps to reproduce the behavior.
40 | placeholder: How do we reproduce it?
41 | validations:
42 | required: true
43 |
44 | - type: textarea
45 | id: screenshots
46 | attributes:
47 | label: Screenshots
48 | description: If applicable, add screenshots or logs to help explain.
49 | validations:
50 | required: false
51 |
52 | - type: textarea
53 | id: environment
54 | attributes:
55 | label: Environment
56 | description: Anything that will help us triage the bug.
57 | placeholder: |
58 | - OS: [e.g. Linux, OSX, WSL, etc]
59 | - Version [e.g. 10.15]
60 | - Module version
61 | - Terraform version
62 | validations:
63 | required: false
64 |
65 | - type: textarea
66 | id: additional
67 | attributes:
68 | label: Additional Context
69 | description: |
70 | Add any other context about the problem here.
71 | validations:
72 | required: false
73 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
1 | blank_issues_enabled: false
2 |
3 | contact_links:
4 |
5 | - name: Community Slack Team
6 | url: https://cloudposse.com/slack/
7 | about: |-
8 | Please ask and answer questions here.
9 |
10 | - name: Office Hours
11 | url: https://cloudposse.com/office-hours/
12 | about: |-
13 | Join us every Wednesday for FREE Office Hours (lunch & learn).
14 |
15 | - name: DevOps Accelerator Program
16 | url: https://cloudposse.com/accelerate/
17 | about: |-
18 | Own your infrastructure in record time. We build it. You drive it.
19 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Request
3 | about: Suggest an idea for this project
4 | title: ''
5 | labels: 'feature request'
6 | assignees: ''
7 |
8 | ---
9 |
10 | Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/).
11 |
12 | [](https://slack.cloudposse.com)
13 |
14 | ## Describe the Feature
15 |
16 | A clear and concise description of what the bug is.
17 |
18 | ## Expected Behavior
19 |
20 | A clear and concise description of what you expected to happen.
21 |
22 | ## Use Case
23 |
24 | Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context of why this feature or capability will be valuable.
25 |
26 | ## Describe Ideal Solution
27 |
28 | A clear and concise description of what you want to happen. If you don't know, that's okay.
29 |
30 | ## Alternatives Considered
31 |
32 | Explain what alternative solutions or features you've considered.
33 |
34 | ## Additional Context
35 |
36 | Add any other context or screenshots about the feature request here.
37 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Feature Request
3 | description: Suggest an idea for this project
4 | labels: ["feature request"]
5 | assignees: [""]
6 | body:
7 | - type: markdown
8 | attributes:
9 | value: |
10 | Have a question?
11 |
12 | Please checkout our [Slack Community](https://slack.cloudposse.com)
13 | or visit our [Slack Archive](https://archive.sweetops.com/).
14 |
15 | [](https://slack.cloudposse.com)
16 |
17 | - type: textarea
18 | id: concise-description
19 | attributes:
20 | label: Describe the Feature
21 | description: A clear and concise description of what the feature is.
22 | placeholder: What is the feature about?
23 | validations:
24 | required: true
25 |
26 | - type: textarea
27 | id: expected
28 | attributes:
29 | label: Expected Behavior
30 | description: A clear and concise description of what you expected.
31 | placeholder: What happened?
32 | validations:
33 | required: true
34 |
35 | - type: textarea
36 | id: use-case
37 | attributes:
38 | label: Use Case
39 | description: |
40 | Is your feature request related to a problem/challenge you are trying
41 | to solve?
42 |
43 | Please provide some additional context of why this feature or
44 | capability will be valuable.
45 | validations:
46 | required: true
47 |
48 | - type: textarea
49 | id: ideal-solution
50 | attributes:
51 | label: Describe Ideal Solution
52 | description: A clear and concise description of what you want to happen.
53 | validations:
54 | required: true
55 |
56 | - type: textarea
57 | id: alternatives-considered
58 | attributes:
59 | label: Alternatives Considered
60 | description: Explain alternative solutions or features considered.
61 | validations:
62 | required: false
63 |
64 | - type: textarea
65 | id: additional
66 | attributes:
67 | label: Additional Context
68 | description: |
69 | Add any other context about the problem here.
70 | validations:
71 | required: false
72 |
--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cloudposse/terraform-aws-config/3c48c8cd43a06ad6c77058ba0aaab0628504040d/.github/ISSUE_TEMPLATE/question.md
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | ## what
2 |
3 |
7 |
8 | ## why
9 |
10 |
15 |
16 | ## references
17 |
18 |
22 |
--------------------------------------------------------------------------------
/.github/banner.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cloudposse/terraform-aws-config/3c48c8cd43a06ad6c77058ba0aaab0628504040d/.github/banner.png
--------------------------------------------------------------------------------
/.github/mergify.yml:
--------------------------------------------------------------------------------
1 | extends: .github
2 |
--------------------------------------------------------------------------------
/.github/renovate.json:
--------------------------------------------------------------------------------
1 | {
2 | "extends": [
3 | "config:base",
4 | ":preserveSemverRanges",
5 | ":rebaseStalePrs"
6 | ],
7 | "baseBranches": ["main"],
8 | "labels": ["auto-update"],
9 | "dependencyDashboardAutoclose": true,
10 | "enabledManagers": ["terraform"],
11 | "terraform": {
12 | "ignorePaths": ["**/context.tf"]
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/.github/settings.yml:
--------------------------------------------------------------------------------
1 | # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
2 | _extends: .github
3 | repository:
4 | name: terraform-aws-config
5 | description: This module configures AWS Config, a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
6 | homepage: https://cloudposse.com/accelerate
7 | topics: compliance, terraform, terraform-modules, terraform-module
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/.github/workflows/branch.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Branch
3 | on:
4 | pull_request:
5 | branches:
6 | - main
7 | - release/**
8 | types: [opened, synchronize, reopened, labeled, unlabeled]
9 | push:
10 | branches:
11 | - main
12 | - release/v*
13 | paths-ignore:
14 | - '.github/**'
15 | - 'docs/**'
16 | - 'examples/**'
17 | - 'test/**'
18 | - 'README.md'
19 |
20 | permissions: {}
21 |
22 | jobs:
23 | terraform-module:
24 | uses: cloudposse/.github/.github/workflows/shared-terraform-module.yml@main
25 | secrets: inherit
26 |
--------------------------------------------------------------------------------
/.github/workflows/chatops.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: chatops
3 | on:
4 | issue_comment:
5 | types: [created]
6 |
7 | permissions:
8 | pull-requests: write
9 | id-token: write
10 | contents: write
11 | statuses: write
12 |
13 | jobs:
14 | test:
15 | uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main
16 | if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }}
17 | secrets: inherit
18 |
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: release
3 | on:
4 | release:
5 | types:
6 | - published
7 |
8 | permissions:
9 | id-token: write
10 | contents: write
11 | pull-requests: write
12 |
13 | jobs:
14 | terraform-module:
15 | uses: cloudposse/.github/.github/workflows/shared-release-branches.yml@main
16 | secrets: inherit
17 |
--------------------------------------------------------------------------------
/.github/workflows/scheduled.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: scheduled
3 | on:
4 | workflow_dispatch: { } # Allows manually trigger this workflow
5 | schedule:
6 | - cron: "0 3 * * *"
7 |
8 | permissions:
9 | pull-requests: write
10 | id-token: write
11 | contents: write
12 |
13 | jobs:
14 | scheduled:
15 | uses: cloudposse/.github/.github/workflows/shared-terraform-scheduled.yml@main
16 | secrets: inherit
17 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Local .terraform directories
2 | **/.terraform/*
3 |
4 | # .tfstate files
5 | *.tfstate
6 | *.tfstate.*
7 | .terraform
8 | .terraform.tfstate.lock.info
9 | .terraform.lock.hcl
10 |
11 | **/.idea
12 | **/*.iml
13 |
14 | # Cloud Posse Build Harness https://github.com/cloudposse/build-harness
15 | **/.build-harness
16 | **/build-harness
17 |
18 | # Crash log files
19 | crash.log
20 | test.log
21 |
22 | # MacOS service files
23 | .DS_Store
24 |
25 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright 2020 Cloud Posse, LLC
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-config
8 |
9 | # Logo for this project
10 | #logo: docs/logo.png
11 |
12 | # License of this project
13 | license: "APACHE2"
14 |
15 | # Copyrights
16 | copyrights:
17 | - name: "Cloud Posse, LLC"
18 | url: "https://cloudposse.com"
19 | year: "2021"
20 |
21 | # Canonical GitHub repo
22 | github_repo: cloudposse/terraform-aws-config
23 |
24 | # Badges to display
25 | badges:
26 | - name: Latest Release
27 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-config.svg?style=for-the-badge
28 | url: https://github.com/cloudposse/terraform-aws-config/releases/latest
29 | - name: Last Updated
30 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-config.svg?style=for-the-badge
31 | url: https://github.com/cloudposse/terraform-aws-config/commits
32 | - name: Slack Community
33 | image: https://slack.cloudposse.com/for-the-badge.svg
34 | url: https://cloudposse.com/slack
35 |
36 | # List any related terraform modules that this module may be used with or that this module depends on.
37 | related:
38 | - name: "terraform-null-label"
39 | description: "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention."
40 | url: "https://github.com/cloudposse/terraform-null-label"
41 | - name: "terraform-aws-config-storage"
42 | description: "Terraform module that creates an S3 bucket suitable for storing AWS Config data."
43 | url: "https://github.com/cloudposse/terraform-aws-config-storage"
44 | - name: "terraform-aws-guardduty"
45 | description: "Terraform module that enables and configures AWS GuardDuty."
46 | url: "https://github.com/cloudposse/terraform-aws-guardduty"
47 | - name: "terraform-aws-security-hub"
48 | description: "Terraform module that enables and configures AWS Security Hub."
49 | url: "https://github.com/cloudposse/terraform-aws-security-hub"
50 |
51 | # List any resources helpful for someone to get started. For example, link to the hashicorp documentation or AWS documentation.
52 | references:
53 | - name: "List of AWS Config Managed Rules"
54 | description: "A list of rules AWS Config currently supports in the analytics; compute; cryptography and PKI; database; machine learning; management and governance; migration and transfer; network and content delivery; security; identity and compliance; and storage categories."
55 | url: "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"
56 |
57 | # Short description of this project
58 | description: |-
59 | This module enables [AWS Config](https://aws.amazon.com/config/) and optionally sets up an SNS topic to receive notifications of its findings.
60 |
61 | # Introduction to the project
62 | #introduction: |-
63 | # This is an introduction.
64 |
65 | # How to use this module. Should be an easy example to copy and paste.
66 | usage: |-
67 | For a complete example, see [examples/complete](examples/complete).
68 |
69 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
70 | (which tests and deploys the example on AWS), see [test](test).
71 |
72 | ```hcl
73 | module "example" {
74 | source = "cloudposse/config/aws"
75 | # Cloud Posse recommends pinning every module to a specific version
76 | # version = "x.x.x"
77 |
78 | create_sns_topic = true
79 | create_iam_role = true
80 |
81 | managed_rules = {
82 | account-part-of-organizations = {
83 | description = "Checks whether AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId.",
84 | identifier = "ACCOUNT_PART_OF_ORGANIZATIONS",
85 | trigger_type = "PERIODIC"
86 | enabled = true
87 | }
88 | }
89 | }
90 | ```
91 |
92 | # Example usage
93 | examples: |-
94 | Here is an example of using this module:
95 | - [`examples/complete`](https://github.com/cloudposse/terraform-aws-config/) - complete example of using this module
96 |
97 | # How to get started quickly
98 | #quickstart: |-
99 | # Here's how to get started...
100 |
101 | # Other files to include in this README from the project folder
102 | include: []
103 | contributors: []
104 |
--------------------------------------------------------------------------------
/atmos.yaml:
--------------------------------------------------------------------------------
1 | # Atmos Configuration — powered by https://atmos.tools
2 | #
3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos.
4 | #
5 | # Included features:
6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands
7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate
8 | #
9 |
10 | # Import shared configuration used by all modules
11 | import:
12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml
13 |
--------------------------------------------------------------------------------
/catalog/account.yaml:
--------------------------------------------------------------------------------
1 | account-part-of-organizations:
2 | identifier: ACCOUNT_PART_OF_ORGANIZATIONS
3 | description: >-
4 | Checks whether AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of
5 | AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # MasterAccountId
10 | {}
11 | enabled: true
12 | tags:
13 | catalog/account: true
14 |
15 | root-account-hardware-mfa-enabled:
16 | identifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
17 | description: >-
18 | Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with
19 | root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root
20 | credentials.
21 | inputParameters: {}
22 | enabled: true
23 | tags:
24 | catalog/account: true
25 |
26 | root-account-mfa-enabled:
27 | identifier: ROOT_ACCOUNT_MFA_ENABLED
28 | description: >-
29 | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root
30 | credentials.
31 | inputParameters: {}
32 | enabled: true
33 | tags:
34 | catalog/account: true
35 |
--------------------------------------------------------------------------------
/catalog/acm.yaml:
--------------------------------------------------------------------------------
1 | acm-certificate-expiration-check:
2 | identifier: ACM_CERTIFICATE_EXPIRATION_CHECK
3 | description: >-
4 | Checks whether ACM Certificates in your account are marked for expiration within the specified number of days.
5 | Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you
6 | import.
7 | inputParameters:
8 | daysToExpiration: "30"
9 | enabled: true
10 | tags:
11 | catalog/acm: true
12 |
--------------------------------------------------------------------------------
/catalog/alb.yaml:
--------------------------------------------------------------------------------
1 | alb-http-drop-invalid-header-enabled:
2 | identifier: ALB_HTTP_DROP_INVALID_HEADER_ENABLED
3 | description: >-
4 | Checks if rule evaluates Application Load Balancers (ALBs) to ensure they are configured to drop http headers. The
5 | rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/alb: true
10 |
11 | alb-http-to-https-redirection-check:
12 | identifier: ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK
13 | description: >-
14 | Checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancer. The rule
15 | is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection
16 | configured.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/alb: true
21 |
22 | alb-waf-enabled:
23 | identifier: ALB_WAF_ENABLED
24 | description: >-
25 | Checks if Web Application Firewall (WAF) is enabled on Application Load Balancers (ALBs). This rule is NON_COMPLIANT
26 | if key waf.enabled is set to false.
27 | inputParameters:
28 | # The following parameters are optional:
29 | #
30 | # wafWebAclIds: Comma separated list of web ACL ID (for WAF) or web ACL ARN (for WAFV2) checking for ALB association
31 | {}
32 | enabled: true
33 | tags:
34 | catalog/alb: true
35 |
--------------------------------------------------------------------------------
/catalog/ami.yaml:
--------------------------------------------------------------------------------
1 | approved-amis-by-id:
2 | identifier: APPROVED_AMIS_BY_ID
3 | description: >-
4 | Checks whether running instances are using specified AMIs. Specify a list of approved AMI IDs. Running instances
5 | with AMIs that are not on this list are NON_COMPLIANT.
6 | inputParameters:
7 | # The following parameters are required:
8 | #
9 | # The AMI IDs (comma-separated list of up to 10).
10 | amiIds: ""
11 | enabled: true
12 | tags:
13 | catalog/ami: true
14 |
15 | approved-amis-by-tag:
16 | identifier: APPROVED_AMIS_BY_TAG
17 | description: >-
18 | Checks whether running instances are using specified AMIs. Specify the tags that identify the AMIs. Running
19 | instances with AMIs that don't have at least one of the specified tags are NON_COMPLIANT.
20 | inputParameters:
21 | amisByTagKeyAndValue: {}
22 | enabled: true
23 | tags:
24 | catalog/ami: true
25 |
--------------------------------------------------------------------------------
/catalog/apigw.yaml:
--------------------------------------------------------------------------------
1 | api-gw-cache-enabled-and-encrypted:
2 | identifier: API_GW_CACHE_ENABLED_AND_ENCRYPTED
3 | description: >-
4 | Checks that all methods in Amazon API Gateway stages have caching enabled and encrypted. The rule is NON_COMPLIANT
5 | if any method in an API Gateway stage is not configured for caching or the cache is not encrypted.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/apigw: true
10 |
11 | api-gw-endpoint-type-check:
12 | identifier: API_GW_ENDPOINT_TYPE_CHECK
13 | description: >-
14 | Checks that Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType. The
15 | rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter.
16 | inputParameters:
17 | # The following parameters are required:
18 | #
19 | # endpointConfigurationTypes: Comma-separated list of allowed endpoint types. Allowed values are REGIONAL, PRIVATE and EDGE
20 | endpointConfigurationTypes: ""
21 | enabled: true
22 | tags:
23 | catalog/apigw: true
24 |
25 | api-gw-execution-logging-enabled:
26 | identifier: API_GW_EXECUTION_LOGGING_ENABLED
27 | description: >-
28 | Checks that all methods in Amazon API Gateway stage has logging enabled. The rule is NON_COMPLIANT if logging is not
29 | enabled. The rule is NON_COMPLIANT if loggingLevel is neither ERROR nor INFO.
30 | inputParameters:
31 | # The following parameters are optional:
32 | #
33 | # loggingLevel: Comma-separated list of specific logging levels (for example, ERROR, INFO or ERROR,INFO)
34 | {}
35 | enabled: true
36 | tags:
37 | catalog/apigw: true
38 |
--------------------------------------------------------------------------------
/catalog/asg.yaml:
--------------------------------------------------------------------------------
1 | autoscaling-group-elb-healthcheck-required:
2 | identifier: AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED
3 | description: >-
4 | Checks whether your Auto Scaling groups that are associated with a load balancer areusing Elastic Load Balancing
5 | health checks.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/asg: true
10 |
--------------------------------------------------------------------------------
/catalog/cloudformation.yaml:
--------------------------------------------------------------------------------
1 | cloudformation-stack-drift-detection-check:
2 | identifier: CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK
3 | description: >-
4 | Checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from it's expected
5 | configuration. A stack is considered to have drifted if one or more of its resources differ from their expected
6 | configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack
7 | are NON_COMPLIANT when the stack drift status is DRIFTED.
8 | inputParameters:
9 | # The following parameters are required:
10 | #
11 | # The AWS CloudFormation role ARN with IAM policy permissions to detect drift for AWS CloudFormation stacks.
12 | cloudformationRoleArn
13 | enabled: true
14 | tags:
15 | catalog/cloudformation: true
16 |
17 | cloudformation-stack-notification-check:
18 | identifier: CLOUDFORMATION_STACK_NOTIFICATION_CHECK
19 | description: >-
20 | Checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether
21 | specified SNS topics are used.
22 | inputParameters:
23 | # The following parameters are optional:
24 | #
25 | # snsTopic1
26 | # snsTopic2
27 | # snsTopic3
28 | # snsTopic4
29 | # snsTopic5
30 | {}
31 | enabled: true
32 | tags:
33 | catalog/cloudformation: true
34 |
--------------------------------------------------------------------------------
/catalog/cloudfront.yaml:
--------------------------------------------------------------------------------
1 | cloudfront-default-root-object-configured:
2 | identifier: CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED
3 | description: >-
4 | Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root
5 | object. The rule is NON_COMPLIANT if CloudFront distribution does not have a default root object configured.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/cloudfront: true
10 |
11 | cloudfront-origin-access-identity-enabled:
12 | identifier: CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED
13 | description: >-
14 | Checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured.
15 | This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any of Amazon S3 Origin type is
16 | not OAI configured.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/cloudfront: true
21 |
22 | cloudfront-origin-failover-enabled:
23 | identifier: CLOUDFRONT_ORIGIN_FAILOVER_ENABLED
24 | description: >-
25 | Checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for
26 | Amazon CloudFront. This rule is NON_COMPLIANT if there are no origin groups for the distribution.
27 | inputParameters: {}
28 | enabled: true
29 | tags:
30 | catalog/cloudfront: true
31 |
32 | cloudfront-sni-enabled:
33 | identifier: CLOUDFRONT_SNI_ENABLED
34 | description: >-
35 | Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve
36 | HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is
37 | using a dedicated IP address.
38 | inputParameters: {}
39 | enabled: true
40 | tags:
41 | catalog/cloudfront: true
42 |
43 | cloudfront-viewer-policy-https:
44 | identifier: CLOUDFRONT_VIEWER_POLICY_HTTPS
45 | description: >-
46 | Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is
47 | NON_COMPLIANT if the value of ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for
48 | cacheBehaviors. This means that the rule is non compliant when viewers can use HTTP or HTTPS.
49 | inputParameters: {}
50 | enabled: true
51 | tags:
52 | catalog/cloudfront: true
53 |
--------------------------------------------------------------------------------
/catalog/cloudtrail.yaml:
--------------------------------------------------------------------------------
1 | cloud-trail-cloud-watch-logs-enabled:
2 | identifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
3 | description: >-
4 | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is
5 | NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/cloudtrail: true
10 | compliance/cis-aws-foundations/1.2: true
11 | compliance/cis-aws-foundations/1.2/controls: 2.4
12 |
13 | cloud-trail-encryption-enabled:
14 | identifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
15 | description: >-
16 | Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS
17 | KMS) customer master key (CMK) encryption. The rule is COMPLIANT if the KmsKeyId is defined.
18 | inputParameters: {}
19 | enabled: true
20 | tags:
21 | catalog/cloudtrail: true
22 | compliance/cis-aws-foundations/1.2: true
23 | compliance/cis-aws-foundations/filters/logging-account-only: true
24 | compliance/cis-aws-foundations/1.2/controls: 2.7
25 |
26 | cloud-trail-log-file-validation-enabled:
27 | identifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
28 | description: >-
29 | Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must
30 | be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled.
31 | inputParameters: {}
32 | enabled: true
33 | tags:
34 | catalog/cloudtrail: true
35 | compliance/cis-aws-foundations/1.2: true
36 | compliance/cis-aws-foundations/1.2/controls: 2.2
37 |
38 | multi-region-cloudtrail-enabled:
39 | identifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
40 | description: >-
41 | Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match
42 | inputs parameters.
43 | inputParameters:
44 | # The following parameters are optional:
45 | #
46 | # s3BucketName: Name of Amazon S3 bucket for AWS CloudTrail to deliver log files to.
47 | # snsTopicArn: Amazon SNS topic ARN for AWS CloudTrail to use for notifications.
48 | # cloudWatchLogsLogGroupArn: Amazon CloudWatch log group ARN for AWS CloudTrail to send data to.
49 | # includeManagementEvents: Event selector to include management events for the AWS CloudTrail.
50 | # readWriteType: ReadOnly, WriteOnly or ALL
51 | {}
52 | enabled: true
53 | tags:
54 | catalog/cloudtrail: true
55 | compliance/cis-aws-foundations/1.2: true
56 | compliance/cis-aws-foundations/1.2/controls: 2.1
57 |
58 | s3-bucket-public-read-prohibited:
59 | identifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
60 | description: >-
61 | Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access
62 | settings, the bucket policy, and the bucket access control list (ACL).
63 | inputParameters: {}
64 | enabled: true
65 | tags:
66 | catalog/cloudtrail: true
67 | compliance/cis-aws-foundations/1.2: true
68 | compliance/cis-aws-foundations/1.2/controls: 2.3
69 |
70 | s3-bucket-public-write-prohibited:
71 | identifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
72 | description: >-
73 | Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access
74 | settings, the bucket policy, and the bucket access control list (ACL).
75 | inputParameters: {}
76 | enabled: true
77 | tags:
78 | catalog/cloudtrail: true
79 | compliance/cis-aws-foundations/1.2: true
80 | compliance/cis-aws-foundations/1.2/controls: 2.3
81 |
82 | cloudtrail-enabled:
83 | identifier: CLOUD_TRAIL_ENABLED
84 | description: >-
85 | Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS
86 | topic, and Amazon CloudWatch Logs ARN to use.
87 | inputParameters:
88 | # The following parameters are optional:
89 | #
90 | # s3BucketName: The name of the S3 bucket for AWS CloudTrail to deliver log files to.
91 | # snsTopicArn: The ARN of the SNS topic for AWS CloudTrail to use for notifications.
92 | # cloudWatchLogsLogGroupArn: The ARN of the Amazon CloudWatch log group for AWS CloudTrail to send data to.
93 | enabled: true
94 | tags:
95 | catalog/cloudtrail: true
96 |
97 | cloudtrail-s3-dataevents-enabled:
98 | identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
99 | description: >-
100 | Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.The rule is
101 | NON_COMPLIANT if trails that log data events for S3 buckets are not configured.
102 | inputParameters:
103 | # The following parameters are optional:
104 | #
105 | # S3BucketNames: Comma-separated list of S3 bucket names for which data events logging should be enabled. Default
106 | # behavior checks for all S3 buckets.
107 | enabled: true
108 | tags:
109 | catalog/cloudtrail: true
110 |
111 | cloudtrail-security-trail-enabled:
112 | identifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
113 | description: >-
114 | Checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT
115 | if there is at least one trail that meets all of the following
116 | inputParameters: {}
117 | enabled: true
118 | tags:
119 | catalog/cloudtrail: true
120 |
--------------------------------------------------------------------------------
/catalog/cloudwatch.yaml:
--------------------------------------------------------------------------------
1 | cloudwatch-alarm-action-check:
2 | identifier: CLOUDWATCH_ALARM_ACTION_CHECK
3 | description: >-
4 | Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action
5 | enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # action1: The action to execute, specified as an ARN.
10 | # action2: The action to execute, specified as an ARN.
11 | # action3: The action to execute, specified as an ARN.
12 | # action4: The action to execute, specified as an ARN.
13 | # action5: The action to execute, specified as an ARN.
14 | alarmActionRequired: "true"
15 | insufficientDataActionRequired: "true"
16 | okActionRequired: "false"
17 | enabled: true
18 | tags:
19 | catalog/cloudwatch: true
20 |
21 | cloudwatch-alarm-resource-check:
22 | identifier: CLOUDWATCH_ALARM_RESOURCE_CHECK
23 | description: >-
24 | Checks whether the specified resource type has a CloudWatch alarm for the specified metric. For resource type, you
25 | can specify EBS volumes, EC2 instances, RDS clusters, or S3 buckets.
26 | inputParameters:
27 | # The following parameters are required:
28 | #
29 | # resourceType:AWS resource type. The value can be one of the following:AWS::EC2::Volume, AWS::EC2::Instance,
30 | # AWS::EC2::Bucket
31 | # metricName: The name of the metric associated with the alarm (for example, "CPUUtilization" for EC2 instances).
32 | resourceType: ""
33 | metricName: ""
34 | enabled: true
35 | tags:
36 | catalog/cloudwatch: true
37 |
38 | cloudwatch-alarm-settings-check:
39 | identifier: CLOUDWATCH_ALARM_SETTINGS_CHECK
40 | description: >-
41 | Checks whether CloudWatch alarms with the given metric name have the specified settings.
42 | inputParameters:
43 | # The following parameters are required:
44 | #
45 | # metricName: The name for the metric associated with the alarm.
46 | # threshold: The value against which the specified statistic is compared.
47 | # evaluationPeriod: The number of periods in which data is compared to the specified threshold.
48 | # period: The period, in seconds, during which the specified statistic is applied.
49 | # comparisonOperator: The operation for comparing the specified statistic and threshold. For example,
50 | # "GreaterThanThreshold".
51 | # statistic: The statistic for the metric associated with the alarm (for example, "Average" or "Sum").
52 | {}
53 | enabled: true
54 | tags:
55 | catalog/cloudwatch: true
56 |
57 | cloudwatch-log-group-encrypted:
58 | identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
59 | description: >-
60 | Checks whether a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed
61 | Customer Master Keys (CMK). The rule is NON_COMPLIANT if no AWS KMS CMK is configured on the log groups.
62 | inputParameters:
63 | # The following parameters are optional:
64 | #
65 | # KmsKeyId: Amazon Resource Name (ARN) of an AWS Key Management Service (KMS) key that is used to encrypt the
66 | # CloudWatch Logs log group.
67 | {}
68 | enabled: true
69 | tags:
70 | catalog/cloudwatch: true
71 |
72 | cw-loggroup-retention-period-check:
73 | identifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
74 | description: >-
75 | Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. The rule is
76 | NON_COMPLIANT if the retention period is not set or is less than the configured retention period.
77 | inputParameters:
78 | # The following parameters are optional:
79 | #
80 | # LogGroupNames: A comma-separated list of Log Group names to check the retention period.
81 | # MinRetentionTime: Specify the retention time. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365,
82 | # 400, 545, 731, 1827, and 3653. The default retention period is 365 days.
83 | {}
84 | enabled: true
85 | tags:
86 | catalog/cloudwatch: true
87 |
--------------------------------------------------------------------------------
/catalog/cmk.yaml:
--------------------------------------------------------------------------------
1 | cmk-backing-key-rotation-enabled:
2 | identifier: CMK_BACKING_KEY_ROTATION_ENABLED
3 | description: >-
4 | Checks that key rotation is enabled for each key and matches to the key ID of the customer master key (CMK). Rule is
5 | COMPLIANT, if key rotation enabled for specific key object. Rule is not applicable to CMKs that have imported key
6 | material.
7 | inputParameters: {}
8 | enabled: true
9 | tags:
10 | catalog/cmk: true
11 | compliance/cis-aws-foundations/1.2: true
12 | compliance/cis-aws-foundations/1.2/controls: 2.8
13 |
--------------------------------------------------------------------------------
/catalog/codebuild.yaml:
--------------------------------------------------------------------------------
1 | codebuild-project-envvar-awscred-check:
2 | identifier: CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK
3 | description: >-
4 | Checks whether the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is
5 | NON_COMPLIANT when the project environment variables contains plaintext credentials.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/codebuild: true
10 |
11 | codebuild-project-source-repo-url-check:
12 | identifier: CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK
13 | description: >-
14 | Checks whether the GitHub or Bitbucket source repository URL contains either personal access tokens or user name and
15 | password. The rule is COMPLIANT with the usage of OAuth to grant authorization for accessing GitHub or Bitbucket
16 | repositories.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/codebuild: true
21 |
--------------------------------------------------------------------------------
/catalog/codepipeline.yaml:
--------------------------------------------------------------------------------
1 | codepipeline-deployment-count-check:
2 | identifier: CODEPIPELINE_DEPLOYMENT_COUNT_CHECK
3 | description: >-
4 | Checks whether the first deployment stage of the AWS CodePipeline performs more than one deployment. Optionally,
5 | checks if each of the subsequent remaining stages deploy to more than the specified number of deployments
6 | (deploymentLimit). The rule is NON_COMPLIANT if the first stage in the AWS CodePipeline deploys to more than one
7 | region and the AWS CodePipeline deploys to more than the number specified in the deploymentLimit.
8 | inputParameters:
9 | # The following parameters are required:
10 | #
11 | # deploymentLimit: The maximum number of deployments each stage can perform.
12 | {}
13 | enabled: true
14 | tags:
15 | catalog/codepipeline: true
16 |
17 | codepipeline-region-fanout-check:
18 | identifier: CODEPIPELINE_REGION_FANOUT_CHECK
19 | description: >-
20 | ? Checks whether each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS
21 | CodePipeline has deployed in all the previous combined stages, where N is the region fanout number. The first
22 | deployment stage can deploy to a maximum of one region and the second deployment stage can deploy to a maximum
23 | number specified in the regionFanoutFactor. If you do not provide a regionFanoutFactor, by default the value is
24 | three. For example
25 | : If 1st deployment stage deploys to one region and 2nd deployment stage deploys to three regions, 3rd deployment
26 | stage can deploy to 12 regions, that is, sum of previous stages multiplied by the region fanout (three) number.
27 | The rule is NON_COMPLIANT if the deployment is in more than one region in 1st stage or three regions in 2nd stage
28 | or 12 regions in 3rd stage.
29 | inputParameters:
30 | # The following parameters are required:
31 | #
32 | # regionFanoutFactor: The number of regions the AWS CodePipeline has deployed to in all previous stages is the
33 | # acceptable number of regions any stage can deploy to.
34 | enabled: true
35 | tags:
36 | catalog/codepipeline: true
37 |
--------------------------------------------------------------------------------
/catalog/dms.yaml:
--------------------------------------------------------------------------------
1 | dms-replication-not-public:
2 | identifier: DMS_REPLICATION_NOT_PUBLIC
3 | description: >-
4 | Checks whether AWS Database Migration Service replication instances are public. The rule is NON_COMPLIANT if
5 | PubliclyAccessible field is true.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/dms: true
10 |
--------------------------------------------------------------------------------
/catalog/dynamodb.yaml:
--------------------------------------------------------------------------------
1 | dynamodb-autoscaling-enabled:
2 | identifier: DYNAMODB_AUTOSCALING_ENABLED
3 | description: >-
4 | Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
5 | Optionally you can set the read and write capacity units for the table or global secondary index.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # minProvisionedReadCapacity: The minimum number of units that should be provisioned with read capacity in the
10 | # Auto Scaling group.
11 | # minProvisionedWriteCapacity: The minimum number of units that should be provisioned with write capacity in the
12 | # Auto Scaling group.
13 | # maxProvisionedReadCapacity: The maximum number of units that should be provisioned with read capacity in the
14 | # Auto Scaling group.
15 | # maxProvisionedWriteCapacity: The maximum number of units that should be provisioned with write capacity in the
16 | # Auto Scaling group.
17 | # targetReadUtilization: The target utilization percentage for read capacity. Target utilization is expressed
18 | # in terms of the ratio of consumed capacity to provisioned capacity.
19 | # targetWriteUtilization: The target utilization percentage for write capacity. Target utilization is
20 | # expressed in terms of the ratio of consumed capacity to provisioned capacity.
21 | {}
22 | enabled: true
23 | tags:
24 | catalog/dynamodb: true
25 |
26 | dynamodb-in-backup-plan:
27 | identifier: DYNAMODB_IN_BACKUP_PLAN
28 | description: >-
29 | Checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables
30 | are not present in any AWS Backup plan.
31 | inputParameters: {}
32 | enabled: true
33 | tags:
34 | catalog/dynamodb: true
35 |
36 | dynamodb-pitr-enabled:
37 | identifier: DYNAMODB_PITR_ENABLED
38 | description: >-
39 | Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point
40 | in time recovery is not enabled for Amazon DynamoDB tables.
41 | inputParameters: {}
42 | enabled: true
43 | tags:
44 | catalog/dynamodb: true
45 |
46 | dynamodb-table-encrypted-kms:
47 | identifier: DYNAMODB_TABLE_ENCRYPTED_KMS
48 | description: >-
49 | Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT
50 | if DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypted AWS KMS key is not
51 | present in kmsKeyArns input parameter.
52 | inputParameters:
53 | # The following parameters are optional:
54 | #
55 | # kmsKeyArns: Comma separated list of AWS KMS Key ARN list.
56 | enabled: true
57 | tags:
58 | catalog/dynamodb: true
59 |
60 | dynamodb-table-encryption-enabled:
61 | identifier: DYNAMODB_TABLE_ENCRYPTION_ENABLED
62 | description: >-
63 | Checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status
64 | is enabled or enabling.
65 | inputParameters: {}
66 | enabled: true
67 | tags:
68 | catalog/dynamodb: true
69 |
70 | dynamodb-throughput-limit-check:
71 | identifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
72 | description: >-
73 | Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the
74 | rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.
75 | inputParameters:
76 | # The following parameters are optional:
77 | #
78 | # accountRCUThresholdPercentage: Percentage of provisioned read capacity units for your account. When this value is
79 | # reached, the rule is marked as NON_COMPLIANT.
80 | # accountWCUThresholdPercentage: Percentage of provisioned write capacity units for your account. When this value is
81 | # reached, the rule is marked as NON_COMPLIANT.
82 | {}
83 | enabled: true
84 | tags:
85 | catalog/dynamodb: true
86 |
87 | dax-encryption-enabled:
88 | identifier: DAX_ENCRYPTION_ENABLED
89 | description: >-
90 | Checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not
91 | encrypted.
92 | inputParameters: {}
93 | enabled: true
94 | tags:
95 | catalog/dynamodb: true
96 |
--------------------------------------------------------------------------------
/catalog/ec2.yaml:
--------------------------------------------------------------------------------
1 | ec2-ebs-encryption-by-default:
2 | identifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
3 | description: >-
4 | Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the
5 | encryption is not enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/ec2: true
10 |
11 | ec2-imdsv2-check:
12 | identifier: EC2_IMDSV2_CHECK
13 | description: >-
14 | Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance
15 | Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if the HttpTokens is set to required and is NON_COMPLIANT
16 | if the HttpTokens is set to optional.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/ec2: true
21 |
22 | ec2-instance-detailed-monitoring-enabled:
23 | identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
24 | description: >-
25 | Checks whether detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is
26 | not enabled.
27 | inputParameters: {}
28 | enabled: true
29 | tags:
30 | catalog/ec2: true
31 |
32 | ec2-instance-managed-by-systems-manager:
33 | identifier: EC2_INSTANCE_MANAGED_BY_SSM
34 | description: >-
35 | Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
36 | inputParameters: {}
37 | enabled: true
38 | tags:
39 | catalog/ec2: true
40 |
41 | ec2-instance-no-public-ip:
42 | identifier: EC2_INSTANCE_NO_PUBLIC_IP
43 | description: >-
44 | Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is
45 | NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only
46 | to IPv4.
47 | inputParameters: {}
48 | enabled: true
49 | tags:
50 | catalog/ec2: true
51 |
52 | ec2-instances-in-vpc:
53 | identifier: INSTANCES_IN_VPC
54 | description: >-
55 | Checks whether your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to
56 | associate with your instances.
57 | inputParameters:
58 | # The following parameters are optional:
59 | #
60 | # vpcId: The ID of the VPC that contains these instances.
61 | enabled: true
62 | tags:
63 | catalog/ec2: true
64 |
65 | ec2-managedinstance-applications-blacklisted:
66 | identifier: EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED
67 | description: >-
68 | Checks that none of the specified applications are installed on the instance. Optionally, specify the application
69 | version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the
70 | rule only to instances running that platform.
71 | inputParameters:
72 | # The following parameters are required:
73 | #
74 | # applicationNames: Comma-separated list of application names. Optionally, specify versions appended with ":", for
75 | # example, "Chrome:0.5.3, FireFox"). Note The application names must be an exact match. For
76 | # example, use firefox on Linux or firefox-compat on Amazon Linux. In addition, AWS Config does
77 | # not currently support wildcards for the applicationNames parameter (for example, firefox*).
78 | #
79 | # The following parameters are optional:
80 | #
81 | # platformType: The platform type (for example, "Linux" or "Windows").
82 | {}
83 | enabled: true
84 | tags:
85 | catalog/ec2: true
86 |
87 | ec2-managedinstance-applications-required:
88 | identifier: EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED
89 | description: >-
90 | Checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum
91 | acceptable version. You can also specify the platform to apply the rule only to instances running that platform.
92 | inputParameters:
93 | # The following parameters are required:
94 | #
95 | # applicationNames: Comma-separated list of application names. Optionally, specify versions appended with ":", for
96 | # example, "Chrome:0.5.3, FireFox"). Note The application names must be an exact match. For
97 | # example, use firefox on Linux or firefox-compat on Amazon Linux. In addition, AWS Config does
98 | # not currently support wildcards for the applicationNames parameter (for example, firefox*).
99 | #
100 | # The following parameters are optional:
101 | #
102 | # platformType: The platform type (for example, "Linux" or "Windows").
103 | {}
104 | enabled: true
105 | tags:
106 | catalog/ec2: true
107 |
108 | ec2-managedinstance-association-compliance-status-check:
109 | identifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
110 | description: >-
111 | Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT
112 | after the association execution on the instance. The rule is COMPLIANT if the field status is COMPLIANT.
113 | inputParameters: {}
114 | enabled: true
115 | tags:
116 | catalog/ec2: true
117 |
118 | ec2-managedinstance-inventory-blacklisted:
119 | identifier: EC2_MANAGEDINSTANCE_INVENTORY_BLACKLISTED
120 | description: >-
121 | Checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.
122 | inputParameters: inventoryNames
123 | enabled: true
124 | tags:
125 | catalog/ec2: true
126 |
127 | ec2-managedinstance-patch-compliance-status-check:
128 | identifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
129 | description: >-
130 | Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or
131 | NON_COMPLIANT after the patch installation on the instance. The rule is COMPLIANT if the field status is COMPLIANT.
132 | inputParameters: {}
133 | enabled: true
134 | tags:
135 | catalog/ec2: true
136 |
137 | ec2-managedinstance-platform-check:
138 | identifier: EC2_MANAGEDINSTANCE_PLATFORM_CHECK
139 | description: >-
140 | Checks whether EC2 managed instances have the desired configurations.
141 | inputParameters: agentVersion
142 | enabled: true
143 | tags:
144 | catalog/ec2: true
145 |
146 | ec2-security-group-attached-to-eni:
147 | identifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI
148 | description: >-
149 | Checks that Amazon Elastic Compute Cloud (Amazon EC2) instances use security groups that are attached to an elastic
150 | network interface. The rule returns NON_COMPLIANT if a security group is not associated with an elastic network
151 | interface.
152 | inputParameters: {}
153 | enabled: true
154 | tags:
155 | catalog/ec2: true
156 |
157 | ec2-stopped-instance:
158 | identifier: EC2_STOPPED_INSTANCE
159 | description: >-
160 | Checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT
161 | if the state of the ec2 instance has been stopped for longer than the allowed number of days.
162 | inputParameters:
163 | # The following parameters are optional:
164 | #
165 | # AllowedDays: The number of days an ec2 instance can be stopped before it is NON_COMPLIANT. The default number of
166 | # days is 30.
167 | {}
168 | enabled: true
169 | tags:
170 | catalog/ec2: true
171 |
172 | ec2-volume-inuse-check:
173 | identifier: EC2_VOLUME_INUSE_CHECK
174 | description: >-
175 | Checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion
176 | when an instance is terminated.
177 | inputParameters:
178 | # The following parameters are optional:
179 | #
180 | # deleteOnTermination: EBS volumes are marked for deletion when an instance is terminated.
181 | {}
182 | enabled: true
183 | tags:
184 | catalog/ec2: true
185 |
186 | desired-instance-tenancy:
187 | identifier: DESIRED_INSTANCE_TENANCY
188 | description: >-
189 | Checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or
190 | specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with
191 | commas.
192 | inputParameters:
193 | # The following parameters are required:
194 | #
195 | # tenancy: The desired tenancy of the instances. Valid values are DEDICATED, HOST, and DEFAULT.
196 | #
197 | # The following parameters are optional:
198 | #
199 | # imageId: The rule evaluates instances launched only from the AMI with the specified ID. Separate multiple AMI IDs
200 | # with commas.
201 | # hostId: The ID of the Amazon EC2 Dedicated Host on which the instances are meant to be launched. Separate
202 | # multiple host IDs with commas.
203 | tenancy; "DEFAULT"
204 | enabled: true
205 | tags:
206 | catalog/ec2: true
207 |
208 | desired-instance-type:
209 | identifier: DESIRED_INSTANCE_TYPE
210 | description: >-
211 | Checks whether your EC2 instances are of the specified instance types.
212 | inputParameters:
213 | # The following parameters are optional:
214 | #
215 | # instanceType: Comma-separated list of EC2 instance types (for example, "t2.small, m4.large, i2.xlarge").
216 | enabled: true
217 | tags:
218 | catalog/ec2: true
219 |
220 | encrypted-volumes:
221 | identifier: ENCRYPTED_VOLUMES
222 | description: >-
223 | Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for
224 | encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with
225 | that KMS key.
226 | inputParameters:
227 | # The following parameters are required:
228 | #
229 | # kmsId: ID or ARN of the KMS key that is used to encrypt the volume.
230 | kmsId: ""
231 | enabled: true
232 | tags:
233 | catalog/ec2: true
234 |
--------------------------------------------------------------------------------
/catalog/efs.yaml:
--------------------------------------------------------------------------------
1 | efs-encrypted-check:
2 | identifier: EFS_ENCRYPTED_CHECK
3 | description: >-
4 | Checks whether Amazon Elastic File System (Amazon EFS) is configured to encrypt the file data using AWS Key
5 | Management Service (AWS KMS). The rule is NON_COMPLIANT if the encrypted key is set to false on DescribeFileSystems
6 | or if the KmsKeyId key on DescribeFileSystems does not match the KmsKeyId parameter.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # KmsKeyId: Amazon Resource Name (ARN) of the AWS KMS key that is used to encrypt the Amazon EFS file system.
11 | enabled: true
12 | tags:
13 | catalog/efs: true
14 |
15 | efs-in-backup-plan:
16 | identifier: EFS_IN_BACKUP_PLAN
17 | description: >-
18 | Checks whether Amazon Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup. The
19 | rule is NON_COMPLIANT if EFS file systems are not included in the backup plans.
20 | inputParameters: {}
21 | enabled: true
22 | tags:
23 | catalog/efs: true
24 |
--------------------------------------------------------------------------------
/catalog/eip.yaml:
--------------------------------------------------------------------------------
1 | eip-attached:
2 | identifier: EIP_ATTACHED
3 | description: >-
4 | Checks whether all Elastic IP addresses that are allocated to an AWS account are attached to EC2 instances or in-use
5 | elastic network interfaces (ENIs).
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/eip: true
10 |
--------------------------------------------------------------------------------
/catalog/eks.yaml:
--------------------------------------------------------------------------------
1 | eks-endpoint-no-public-access:
2 | identifier: EKS_ENDPOINT_NO_PUBLIC_ACCESS
3 | description: >-
4 | Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is
5 | NON_COMPLIANT if the endpoint is publicly accessible.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/eks: true
10 |
11 | eks-secrets-encrypted:
12 | identifier: EKS_SECRETS_ENCRYPTED
13 | description: >-
14 | Checks whether Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using
15 | AWS Key Management Service (KMS) keys. This rule is COMPLIANT if an EKS cluster has an encryptionConfig with secrets
16 | as one of the resources. This rule is also COMPLIANT if the key used to encrypt EKS secrets matches with the
17 | parameter. This rule is NON_COMPLIANT if an EKS cluster does not have an encryptionConfig or if the encryptionConfig
18 | resources do not include secrets. This rule is also NON_COMPLIANT if the key used to encrypt EKS secrets does not
19 | match with the parameter.
20 | inputParameters:
21 | # The following parameters are optional:
22 | #
23 | # kmsKeyArns: Comma separated list of Amazon Resource Name (ARN) of the KMS key that should be used for encrypted
24 | # secrets in an EKS cluster.
25 | enabled: true
26 | tags:
27 | catalog/eks: true
28 |
--------------------------------------------------------------------------------
/catalog/elasticache.yaml:
--------------------------------------------------------------------------------
1 | elasticache-redis-cluster-automatic-backup-check:
2 | identifier: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
3 | description: >-
4 | ? Check if the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the
5 | SnapshotRetentionLimit for Redis cluster is less than the SnapshotRetentionPeriod parameter. For example
6 | : If the parameter is 15 then the rule is non-compliant if the snapshotRetentionPeriod is between 0-15.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # snapshotRetentionPeriod: Minimum snapshot retention period in days for Redis cluster. The default is 15 days.
11 | {}
12 | enabled: true
13 | tags:
14 | catalog/elastocache: true
15 |
--------------------------------------------------------------------------------
/catalog/elasticsearch.yaml:
--------------------------------------------------------------------------------
1 | elasticsearch-encrypted-at-rest:
2 | identifier: ELASTICSEARCH_ENCRYPTED_AT_REST
3 | description: >-
4 | Checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The
5 | rule is NON_COMPLIANT if the EncryptionAtRestOptions field is not enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/elasticsearch: true
10 |
11 | elasticsearch-in-vpc-only:
12 | identifier: ELASTICSEARCH_IN_VPC_ONLY
13 | description: >-
14 | Checks whether Amazon Elasticsearch Service (Amazon ES) domains are in Amazon Virtual Private Cloud (Amazon VPC).
15 | The rule is NON_COMPLIANT if the Amazon ES domain endpoint is public.
16 | inputParameters: {}
17 | enabled: true
18 | tags:
19 | catalog/elasticsearch: true
20 |
21 | elasticsearch-node-to-node-encryption-check:
22 | identifier: ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK
23 | description: >-
24 | Check that Amazon ElasticSearch Service nodes are encrypted end to end. The rule is NON_COMPLIANT if the
25 | node-to-node encryption is disabled on the domain.
26 | inputParameters: {}
27 | enabled: true
28 | tags:
29 | catalog/elasticsearch: true
30 |
--------------------------------------------------------------------------------
/catalog/elb.yaml:
--------------------------------------------------------------------------------
1 | elb-acm-certificate-required:
2 | identifier: ELB_ACM_CERTIFICATE_REQUIRED
3 | description: >-
4 | Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this
5 | rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load
6 | Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
7 | inputParameters: {}
8 | enabled: true
9 | tags:
10 | catalog/elb: true
11 |
12 | elb-cross-zone-load-balancing-enabled:
13 | identifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
14 | description: >-
15 | Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if
16 | cross-zone load balancing is not enabled for a CLB.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/elb: true
21 |
22 | elb-custom-security-policy-ssl-check:
23 | identifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
24 | description: >-
25 | Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if
26 | there are SSL listeners for the Classic Load Balancer.
27 | inputParameters: sslProtocolsAndCiphers
28 | enabled: true
29 | tags:
30 | catalog/elb: true
31 |
32 | elb-deletion-protection-enabled:
33 | identifier: ELB_DELETION_PROTECTION_ENABLED
34 | description: >-
35 | Checks whether Elastic Load Balancing has deletion protection enabled. The rule is NON_COMPLIANT if
36 | deletion_protection.enabled is false.
37 | inputParameters: {}
38 | enabled: true
39 | tags:
40 | catalog/elb: true
41 |
42 | elb-logging-enabled:
43 | identifier: ELB_LOGGING_ENABLED
44 | description: >-
45 | Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The rule is
46 | NON_COMPLIANT if the access_logs.s3.enabled is false or access_logs.S3.bucket is not equal to the s3BucketName that
47 | you provided.
48 | inputParameters:
49 | # The following parameters are optional:
50 | #
51 | # s3BucketNames: Comma-separated list of Amazon S3 bucket names for Elastic Load Balancing to deliver the log files.
52 | {}
53 | enabled: true
54 | tags:
55 | catalog/elb: true
56 |
57 | elb-predefined-security-policy-ssl-check:
58 | identifier: ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK
59 | description: >-
60 | Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable
61 | if there are SSL listeners for the Classic Load Balancer.
62 | inputParameters:
63 | # The following parameters are required:
64 | #
65 | # predefinedPolicyName: Name of the predefined policy.
66 | predefinedPolicyName: ""
67 | enabled: true
68 | tags:
69 | catalog/elb: true
70 |
71 | elb-tls-https-listeners-only:
72 | identifier: ELB_TLS_HTTPS_LISTENERS_ONLY
73 | description: >-
74 | Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is applicable if a
75 | Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the
76 | rule returns NOT_APPLICABLE. The rule is COMPLIANT if the Classic Load Balancer listeners is configured with SSL or
77 | HTTPS. The rule is NON_COMPLIANT if the listener is not configured with SSL or HTTPS.
78 | inputParameters: {}
79 | enabled: true
80 | tags:
81 | catalog/elb: true
82 |
--------------------------------------------------------------------------------
/catalog/emr.yaml:
--------------------------------------------------------------------------------
1 | emr-kerberos-enabled:
2 | identifier: EMR_KERBEROS_ENABLED
3 | description: >-
4 | Checks that Amazon EMR clusters have Kerberos enabled. The rule is NON_COMPLIANT if a security configuration is not
5 | attached to the cluster or the security configuration does not satisfy the specified rule parameters.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # ticketLifetimeInHours: Period for which Kerberos ticket issued by cluster's KDC is valid.
10 | # realm: Kereberos realm name of the other realm in the trust relationship.
11 | # domain: Domain name of the other realm in the trust relationship.
12 | # adminServer: Fully qualified domain of the admin server in the other realm of the trust relationship.
13 | # kdcServer: Fully qualified domain of the KDC server in the other realm of the trust relationship.
14 | {}
15 | enabled: true
16 | tags:
17 | catalog/emr: true
18 |
19 | emr-master-no-public-ip:
20 | identifier: EMR_MASTER_NO_PUBLIC_IP
21 | description: >-
22 | Checks whether Amazon Elastic MapReduce (EMR) clusters' master nodes have public IPs. The rule is NON_COMPLIANT if
23 | the master node has a public IP.
24 | inputParameters: {}
25 | enabled: true
26 | tags:
27 | catalog/emr: true
28 |
--------------------------------------------------------------------------------
/catalog/fms.yaml:
--------------------------------------------------------------------------------
1 | fms-shield-resource-policy-check:
2 | identifier: FMS_SHIELD_RESOURCE_POLICY_CHECK
3 | description: >-
4 | Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP
5 | has AWS Shield protection. This rule also checks if they have web ACL associated for Application Load Balancer and
6 | Amazon CloudFront distributions.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # webACLId: The WebACLId of the web ACL.
11 | # resourceTags: The resource tags associated with the rule. For example, { "tagKey1" : ["tagValue1"],
12 | # "tagKey2" : ["tagValue2", "tagValue3"] }").
13 | # excludeResourceTags: If true, exclude the resources that match the resourceTags. If false, include all the
14 | # resources that match the resourceTags.
15 | # fmsManagedToken: A token generated by AWS Firewall Manager when creating the rule in your account. AWS
16 | # Config ignores this parameter when you create this rule.
17 | # fmsRemediationEnabled: If true, AWS Firewall Manager will update NON_COMPLIANT resources according to FMS policy.
18 | # AWS Config ignores this parameter when you create this rule.
19 | webACLId: ""
20 | resourceTags: ""
21 | excludeResourceTags: ""
22 | fmsManagedToken: ""
23 | fmsRemediationEnabled: ""
24 | enabled: true
25 | tags:
26 | catalog/fms: true
27 |
28 | fms-webacl-resource-policy-check:
29 | identifier: FMS_WEBACL_RESOURCE_POLICY_CHECK
30 | description: >-
31 | Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront
32 | distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS
33 | policy and can optionally enable remediation.
34 | inputParameters: webACLId
35 | enabled: true
36 | tags:
37 | catalog/fms: true
38 |
39 | fms-webacl-rulegroup-association-check:
40 | identifier: FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK
41 | description: >-
42 | Checks that the rule groups associate with the web ACL at the correct priority. The correct priority is decided by
43 | the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the
44 | highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy
45 | and can optionally enable remediation.
46 | inputParameters: ruleGroups
47 | enabled: true
48 | tags:
49 | catalog/fms: true
50 |
--------------------------------------------------------------------------------
/catalog/guardduty.yaml:
--------------------------------------------------------------------------------
1 | guardduty-enabled-centralized:
2 | identifier: GUARDDUTY_ENABLED_CENTRALIZED
3 | description: >-
4 | Checks whether Amazon GuardDuty is enabled in your AWS account and region. If you provide an AWS account for
5 | centralization, the rule evaluates the Amazon GuardDuty results in the centralized account. The rule is COMPLIANT
6 | when Amazon GuardDuty is enabled.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # CentralMonitoringAccount: Specify 12-digit AWS Account for centralization of Amazon GuardDuty results.
11 | {}
12 | enabled: true
13 | tags:
14 | catalog/guardduty: true
15 |
16 | guardduty-non-archived-findings:
17 | identifier: GUARDDUTY_NON_ARCHIVED_FINDINGS
18 | description: >-
19 | Checks whether the Amazon GuardDuty has findings that are non archived. The rule is NON_COMPLIANT if Amazon
20 | GuardDuty has non archived low/medium/high severity findings older than the specified number in the
21 | daysLowSev/daysMediumSev/daysHighSev parameter.
22 | inputParameters:
23 | # The following parameters are optional:
24 | #
25 | # daysLowSev: The number of days Amazon GuardDuty low severity findings are allowed to stay non archived. The
26 | # default is 30 days.
27 | # daysMediumSev: The number of days the Amazon GuardDuty medium severity findings are allowed to stay non archived.
28 | # The default is 7 days.
29 | # daysHighSev: The number of days Amazon GuardDuty high severity findings are allowed to stay non archived. The
30 | # default is 1 day.
31 | enabled: true
32 | tags:
33 | catalog/guardduty: true
34 |
--------------------------------------------------------------------------------
/catalog/iam.yaml:
--------------------------------------------------------------------------------
1 | access-keys-rotated:
2 | identifier: ACCESS_KEYS_ROTATED
3 | description: >-
4 | Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule
5 | is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.
6 | inputParameters:
7 | maxAccessKeyAge: "90"
8 | enabled: true
9 | tags:
10 | catalog/iam: true
11 | compliance/cis-aws-foundations/1.2: true
12 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
13 | compliance/cis-aws-foundations/1.2/controls: 1.4
14 |
15 | iam-password-policy:
16 | identifier: IAM_PASSWORD_POLICY
17 | description: >-
18 | Checks whether the account password policy for IAM users meets the specified requirements indicated in the
19 | parameters. This rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.
20 | inputParameters:
21 | RequireUppercaseCharacters: "true"
22 | RequireLowercaseCharacters: "true"
23 | RequireSymbols: "true"
24 | RequireNumbers: "true"
25 | MinimumPasswordLength: "14"
26 | PasswordReusePrevention: "24"
27 | MaxPasswordAge: "90"
28 | enabled: true
29 | tags:
30 | catalog/iam: true
31 | compliance/cis-aws-foundations/1.2: true
32 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
33 | compliance/cis-aws-foundations/1.2/controls: 1.5 1.6 1.7 1.8 1.9 1.10 1.11
34 |
35 | iam-policy-in-use:
36 | identifier: IAM_POLICY_IN_USE
37 | description: >-
38 | Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM
39 | role with one or more trusted entity.
40 | inputParameters:
41 | policyARN: "MANDATORY"
42 | policyUsageType: "ANY"
43 | enabled: true
44 | tags:
45 | catalog/iam: true
46 | compliance/cis-aws-foundations/1.2: true
47 | compliance/cis-aws-foundations/1.2/controls: 1.20
48 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
49 |
50 | iam-policy-no-statements-with-admin-access:
51 | identifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
52 | description: >-
53 | Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
54 | The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource":
55 | "*".
56 | inputParameters: {}
57 | enabled: true
58 | tags:
59 | catalog/iam: true
60 | compliance/cis-aws-foundations/1.2: true
61 | compliance/cis-aws-foundations/1.2/controls: 1.22
62 |
63 | iam-root-access-key-check:
64 | identifier: IAM_ROOT_ACCESS_KEY_CHECK
65 | description: >-
66 | Checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.
67 | inputParameters: {}
68 | enabled: true
69 | tags:
70 | catalog/iam: true
71 | compliance/cis-aws-foundations/1.2: true
72 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
73 | compliance/cis-aws-foundations/1.2/controls: 1.12
74 |
75 | iam-user-no-policies-check:
76 | identifier: IAM_USER_NO_POLICIES_CHECK
77 | description: >-
78 | Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or
79 | roles.
80 | inputParameters: {}
81 | enabled: true
82 | tags:
83 | catalog/iam: true
84 | compliance/cis-aws-foundations/1.2: true
85 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
86 | compliance/cis-aws-foundations/1.2/controls: 1.16
87 |
88 | iam-user-unused-credentials-check:
89 | identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
90 | description: >-
91 | Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have
92 | not been used within the specified number of days you provided.
93 | inputParameters:
94 | maxCredentialUsageAge: "90"
95 | enabled: true
96 | tags:
97 | catalog/iam: true
98 | compliance/cis-aws-foundations/1.2: true
99 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
100 | compliance/cis-aws-foundations/1.2/controls: 1.3
101 |
102 | mfa-enabled-for-iam-console-access:
103 | identifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
104 | description: >-
105 | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM)
106 | users that use a console password. The rule is COMPLIANT if MFA is enabled.
107 | inputParameters: {}
108 | enabled: true
109 | tags:
110 | catalog/iam: true
111 | compliance/cis-aws-foundations/1.2: true
112 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
113 | compliance/cis-aws-foundations/1.2/controls: 1.2
114 |
115 | root-account-hardware-mfa-enabled:
116 | identifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
117 | description: >-
118 | Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with
119 | root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root
120 | credentials.
121 | inputParameters: {}
122 | enabled: true
123 | tags:
124 | catalog/iam: true
125 | compliance/cis-aws-foundations/1.2: true
126 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
127 | compliance/cis-aws-foundations/1.2/controls: 1.14
128 |
129 | root-account-mfa-enabled:
130 | identifier: ROOT_ACCOUNT_MFA_ENABLED
131 | description: >-
132 | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root
133 | credentials.
134 | inputParameters: {}
135 | enabled: true
136 | tags:
137 | catalog/iam: true
138 | compliance/cis-aws-foundations/1.2: true
139 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
140 | compliance/cis-aws-foundations/1.2/controls: 1.13
141 |
142 | iam-customer-policy-blocked-kms-actions:
143 | identifier: IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS
144 | description: >-
145 | Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on
146 | all AWS AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS AWS KMS keys by the
147 | managed IAM policy.
148 | inputParameters:
149 | # The following parameters are required:
150 | #
151 | # blockedActionsPatterns: Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt,
152 | # kms:ReEncrypt*.
153 | blockedActionsPatterns: "kms:*"
154 | enabled: true
155 | tags:
156 | catalog/iam: true
157 |
158 | iam-group-has-users-check:
159 | identifier: IAM_GROUP_HAS_USERS_CHECK
160 | description: >-
161 | Checks whether IAM groups have at least one IAM user.
162 | inputParameters: {}
163 | enabled: true
164 | tags:
165 | catalog/iam: true
166 |
167 | iam-inline-policy-blocked-kms-actions:
168 | identifier: IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS
169 | description: >-
170 | Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not
171 | allow blocked actions on all AWS Key Management Service keys. The rule is NON_COMPLIANT if any blocked action is
172 | allowed on all AWS KMS keys in an inline policy.
173 | inputParameters:
174 | # The following parameters are required:
175 | #
176 | # blockedActionsPatterns: Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt,
177 | # kms:ReEncrypt*.
178 | blockedActionsPatterns: "kms:*"
179 | enabled: true
180 | tags:
181 | catalog/iam: true
182 |
183 | iam-no-inline-policy-check:
184 | identifier: IAM_NO_INLINE_POLICY_CHECK
185 | description: >-
186 | Checks that inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management
187 | (IAM) user, IAM role or IAM group has any inline policy.
188 | inputParameters: {}
189 | enabled: true
190 | tags:
191 | catalog/iam: true
192 |
193 | iam-policy-blacklisted-check:
194 | identifier: IAM_POLICY_BLACKLISTED_CHECK
195 | description: >-
196 | Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource. The rule
197 | is NON_COMPLIANT if the policy ARN is attached to the IAM resource. AWS Config marks the resource as COMPLIANT if
198 | the IAM resource is part of the exceptionList parameter irrespective of the presence of the policy ARN.
199 | inputParameters:
200 | # The following parameters are required:
201 | #
202 | # policyArns: Comma-separated list of policy ARNs.
203 | # exceptionList: Comma-separated list IAM users, groups, or roles that are exempt from this rule. For example,
204 | # users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3].
205 | policyArns: ""
206 | exceptionList: ""
207 | enabled: true
208 | tags:
209 | catalog/iam: true
210 |
211 | iam-role-managed-policy-check:
212 | identifier: IAM_ROLE_MANAGED_POLICY_CHECK
213 | description: >-
214 | Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.
215 | The rule is NON_COMPLIANT if the IAM managed policy is not attached to the IAM role.
216 | inputParameters:
217 | # The following parameters are required:
218 | #
219 | # managedPolicyNames: Comma-separated list of AWS managed policy ARNs.
220 | managedPolicyNames: ""
221 | enabled: true
222 | tags:
223 | catalog/iam: true
224 |
225 | iam-user-mfa-enabled:
226 | identifier: IAM_USER_MFA_ENABLED
227 | description: >-
228 | Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
229 | inputParameters: {}
230 | enabled: true
231 | tags:
232 | catalog/iam: true
233 |
--------------------------------------------------------------------------------
/catalog/kms.yaml:
--------------------------------------------------------------------------------
1 | kms-cmk-not-scheduled-for-deletion:
2 | identifier: KMS_CMK_NOT_SCHEDULED_FOR_DELETION
3 | description: >-
4 | Checks whether customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (KMS). The
5 | rule is NON_COMPLIANT if CMKs are scheduled for deletion.
6 | inputParameters: kmsKeyIds
7 | enabled: true
8 | tags:
9 | catalog/kms: true
10 |
--------------------------------------------------------------------------------
/catalog/lambda.yaml:
--------------------------------------------------------------------------------
1 | lambda-concurrency-check:
2 | identifier: LAMBDA_CONCURRENCY_CHECK
3 | description: >-
4 | Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The rule is
5 | NON_COMPLIANT if the Lambda function is not configured with function-level concurrent execution limit.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # ConcurrencyLimitLow: Minimum concurrency execution limit
10 | # ConcurrencyLimitHigh: Maximum concurrency execution limit
11 | enabled: true
12 | tags:
13 | catalog/lambda: true
14 |
15 | lambda-dlq-check:
16 | identifier: LAMBDA_DLQ_CHECK
17 | description: >-
18 | Checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the
19 | Lambda function is not configured with a dead-letter queue.
20 | inputParameters:
21 | # The following parameters are optional:
22 | #
23 | # dlqArns: Comma-separated list of Amazon SQS and Amazon SNS ARNs that must be configured as the Lambda function dead-letter queue target.
24 | enabled: true
25 | tags:
26 | catalog/lambda: true
27 |
28 | lambda-function-public-access-prohibited:
29 | identifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
30 | description: >-
31 | Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda
32 | function policy allows public access it is NON_COMPLIANT.
33 | inputParameters: {}
34 | enabled: true
35 | tags:
36 | catalog/lambda: true
37 |
38 | lambda-function-settings-check:
39 | identifier: LAMBDA_FUNCTION_SETTINGS_CHECK
40 | description: >-
41 | Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.
42 | inputParameters:
43 | # The following parameters are required:
44 | #
45 | # runtime: Comma-separated list of runtime values.
46 | # role: IAM role.
47 | # timeout: Timeout in seconds.
48 | # memorySize: Memory size in MB.
49 | runtime: ""
50 | role: ""
51 | timeout: "30"
52 | memorySize: "1024"
53 | enabled: true
54 | tags:
55 | catalog/lambda: true
56 |
57 | lambda-inside-vpc:
58 | identifier: LAMBDA_INSIDE_VPC
59 | description: >-
60 | Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. The rule is NON_COMPLIANT if the Lambda
61 | function is not in a VPC.
62 | inputParameters:
63 | # The following parameters are optional:
64 | #
65 | # subnetIds: Comma-separated list of subnet IDs that Lambda functions must be associated with.
66 | {}
67 | enabled: true
68 | tags:
69 | catalog/lambda: true
70 |
--------------------------------------------------------------------------------
/catalog/mfa.yaml:
--------------------------------------------------------------------------------
1 | mfa-enabled-for-iam-console-access:
2 | identifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
3 | description: >-
4 | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM)
5 | users that use a console password. The rule is COMPLIANT if MFA is enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/mfa: true
10 |
--------------------------------------------------------------------------------
/catalog/network.yaml:
--------------------------------------------------------------------------------
1 | restricted-common-ports:
2 | identifier: RESTRICTED_INCOMING_TRAFFIC
3 | description: >-
4 | Checks whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. The
5 | rule is COMPLIANT when the IP addresses for inbound TCP connections are restricted to the specified ports. This rule
6 | applies only to IPv4.
7 | inputParameters:
8 | blockedPort1: "3389"
9 | enabled: true
10 | tags:
11 | catalog/network: true
12 | compliance/cis-aws-foundations/1.2: true
13 | compliance/cis-aws-foundations/1.2/controls: 4.2
14 | region/excluded/an3: true
15 |
16 | restricted-ssh:
17 | identifier: INCOMING_SSH_DISABLED
18 | description: >-
19 | Checks whether the incoming SSH traffic for the security groups is accessible. The rule is COMPLIANT when IP
20 | addresses of the incoming SSH traffic in the security groups are restricted. This rule applies only to IPv4.
21 | inputParameters: {}
22 | enabled: true
23 | tags:
24 | catalog/network: true
25 | compliance/cis-aws-foundations/1.2: true
26 | compliance/cis-aws-foundations/1.2/controls: 4.1
27 | region/excluded/an3: true
28 |
29 | vpc-default-security-group-closed:
30 | identifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
31 | description: >-
32 | Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound
33 | traffic. The rule is NON_COMPLIANT if the default security group has one or more inbound or outbound traffic.
34 | inputParameters: {}
35 | enabled: true
36 | tags:
37 | catalog/network: true
38 | compliance/cis-aws-foundations/1.2: true
39 | compliance/cis-aws-foundations/1.2/controls: 4.3
40 |
--------------------------------------------------------------------------------
/catalog/rds.yaml:
--------------------------------------------------------------------------------
1 | rds-cluster-deletion-protection-enabled:
2 | identifier: RDS_CLUSTER_DELETION_PROTECTION_ENABLED
3 | description: >-
4 | Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is
5 | NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/rds: true
10 |
11 | rds-enhanced-monitoring-enabled:
12 | identifier: RDS_ENHANCED_MONITORING_ENABLED
13 | description: >-
14 | Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.
15 | inputParameters:
16 | # The following parameters are optional:
17 | #
18 | # monitoringInterval: An integer value in seconds between points when enhanced monitoring metrics are collected for
19 | # the database instance. The valid values are 1, 5, 10, 15, 30, and 60.
20 | enabled: true
21 | tags:
22 | catalog/rds: true
23 |
24 | rds-in-backup-plan:
25 | identifier: RDS_IN_BACKUP_PLAN
26 | description: >-
27 | Checks whether Amazon RDS database is present in back plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS
28 | databases are not included in any AWS Backup plan.
29 | inputParameters: {}
30 | enabled: true
31 | tags:
32 | catalog/rds: true
33 |
34 | rds-instance-deletion-protection-enabled:
35 | identifier: RDS_INSTANCE_DELETION_PROTECTION_ENABLED
36 | description: >-
37 | Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is
38 | NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled i.e deletionProtection is set to
39 | false.
40 | inputParameters: {}
41 | enabled: true
42 | tags:
43 | catalog/rds: true
44 |
45 | rds-instance-iam-authentication-enabled:
46 | identifier: RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED
47 | description: >-
48 | Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM)
49 | authentication enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication
50 | enabled i.e configuration.iAMDatabaseAuthenticationEnabled is set to false.
51 | inputParameters: {}
52 | enabled: true
53 | tags:
54 | catalog/rds: true
55 |
56 | rds-instance-public-access-check:
57 | identifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
58 | description: >-
59 | Check whether the Amazon Relational Database Service instances are not publicly accessible. The rule is
60 | NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.
61 | inputParameters: {}
62 | enabled: true
63 | tags:
64 | catalog/rds: true
65 |
66 | rds-logging-enabled:
67 | identifier: RDS_LOGGING_ENABLED
68 | description: >-
69 | Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is
70 | NON_COMPLIANT if any log types are not enabled.
71 | inputParameters: additionalLogs (Optional)
72 | enabled: true
73 | tags:
74 | catalog/rds: true
75 |
76 | rds-multi-az-support:
77 | identifier: RDS_MULTI_AZ_SUPPORT
78 | description: >-
79 | Checks whether high availability is enabled for your RDS DB instances.
80 | inputParameters: {}
81 | enabled: true
82 | tags:
83 | catalog/rds: true
84 |
85 | rds-snapshot-encrypted:
86 | identifier: RDS_SNAPSHOT_ENCRYPTED
87 | description: >-
88 | Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is
89 | NON_COMPLIANT, if Amazon RDS DB snapshots are not encrypted.
90 | inputParameters: {}
91 | enabled: true
92 | tags:
93 | catalog/rds: true
94 |
95 | rds-snapshots-public-prohibited:
96 | identifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
97 | description: >-
98 | Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is NON_COMPLIANT if any
99 | existing and new Amazon RDS snapshots are public.
100 | inputParameters: {}
101 | enabled: true
102 | tags:
103 | catalog/rds: true
104 |
105 | rds-storage-encrypted:
106 | identifier: RDS_STORAGE_ENCRYPTED
107 | description: >-
108 | Checks whether storage encryption is enabled for your RDS DB instances.
109 | inputParameters:
110 | # The following parameters are required:
111 | #
112 | # kmsKeyId: KMS key ID or ARN used to encrypt the storage.
113 | kmsKeyId: ""
114 | enabled: true
115 | tags:
116 | catalog/rds: true
117 |
118 | db-instance-backup-enabled:
119 | identifier: DB_INSTANCE_BACKUP_ENABLED
120 | description: >-
121 | Checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and
122 | the backup window.
123 | inputParameters:
124 | # The following parameters are optional:
125 | #
126 | # backupRetentionPeriod: Retention period for backups.
127 | # preferredBackupWindow: Time range in which backups are created.
128 | # checkReadReplicas: Checks whether RDS DB instances have backups enabled for read replicas.
129 | enabled: true
130 | tags:
131 | catalog/rds: true
132 |
--------------------------------------------------------------------------------
/catalog/redshift.yaml:
--------------------------------------------------------------------------------
1 | redshift-backup-enabled:
2 | identifier: REDSHIFT_BACKUP_ENABLED
3 | description: >-
4 | Checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for
5 | automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is
6 | 0.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # MinRetentionPeriod: Minimum value for the retention period. Minimum value is 1.
11 | # MaxRetentionPeriod: Maximum value for the retention period. Maximum value is 35.
12 | enabled: true
13 | tags:
14 | catalog/redshift: true
15 |
16 | redshift-cluster-configuration-check:
17 | identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
18 | description: >-
19 | Checks whether Amazon Redshift clusters have the specified settings.
20 | inputParameters:
21 | # The following parameters are optional:
22 | #
23 | # clusterDbEncrypted: Database encryption is enabled.
24 | # nodeTypes: Specify node type.
25 | # loggingEnabled: Audit logging is enabled.
26 | enabled: true
27 | tags:
28 | catalog/redshift: true
29 |
30 | redshift-cluster-maintenancesettings-check:
31 | identifier: REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK
32 | description: >-
33 | Checks whether Amazon Redshift clusters have the specified maintenance settings.
34 | inputParameters:
35 | # The following parameters are optional:
36 | #
37 | # allowVersionUpgrade: Allow version upgrade is enabled.
38 | # preferredMaintenanceWindow: Scheduled maintenance window for clusters (for example, Mon:09:30-Mon:10:00).
39 | # automatedSnapshotRetentionPeriod: Number of days to retain automated snapshots.
40 | allowVersionUpgrade: "true"
41 | preferredMaintenanceWindow: ""
42 | automatedSnapshotRetentionPeriod: "30"
43 | enabled: true
44 | tags:
45 | catalog/redshift: true
46 |
47 | redshift-cluster-public-access-check:
48 | identifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
49 | description: >-
50 | Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the
51 | publiclyAccessible field is true in the cluster configuration item.
52 | inputParameters: {}
53 | enabled: true
54 | tags:
55 | catalog/redshift: true
56 |
57 | redshift-require-tls-ssl:
58 | identifier: REDSHIFT_REQUIRE_TLS_SSL
59 | description: >-
60 | Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is
61 | NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.
62 | inputParameters: {}
63 | enabled: true
64 | tags:
65 | catalog/redshift: true
66 |
--------------------------------------------------------------------------------
/catalog/vpc.yaml:
--------------------------------------------------------------------------------
1 | vpc-flow-logs-enabled:
2 | identifier: VPC_FLOW_LOGS_ENABLED
3 | description: >-
4 | Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC.
5 | inputParameters:
6 | trafficType: ALL
7 | enabled: true
8 | tags:
9 | compliance/cis-aws-foundations/1.2: true
10 | compliance/cis-aws-foundations/1.2/controls: 2.9
11 |
--------------------------------------------------------------------------------
/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/cis/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/cis/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | region = "us-east-2"
2 | namespace = "eg"
3 | environment = "ue2"
4 | stage = "test"
5 |
6 | create_sns_topic = true
7 | create_iam_role = true
8 | global_resource_collector_region = "us-east-2"
9 | force_destroy = true
10 |
11 | is_logging_account = true
12 | cloudtrail_bucket_name = "some-valid-bucket-name"
13 |
--------------------------------------------------------------------------------
/examples/cis/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
5 | module "test_label" {
6 | source = "cloudposse/label/null"
7 | version = "0.22.1"
8 |
9 | attributes = ["test", "policy"]
10 | context = module.this.context
11 | }
12 |
13 | resource "aws_iam_role" "support_role" {
14 | name = module.test_label.id
15 |
16 | assume_role_policy = <`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | region = "us-east-2"
2 | namespace = "eg"
3 | environment = "ue2"
4 | stage = "test"
5 |
6 | create_sns_topic = true
7 | create_iam_role = true
8 | global_resource_collector_region = "us-east-2"
9 | force_destroy = true
10 |
11 | managed_rules = {
12 | access-keys-rotated = {
13 | identifier = "ACCESS_KEYS_ROTATED"
14 | description = "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days."
15 | input_parameters = {
16 | maxAccessKeyAge : "90"
17 | }
18 | enabled = true
19 | tags = {
20 | "compliance/cis-aws-foundations/1.2" = true
21 | "compliance/cis-aws-foundations/filters/global-resource-region-only" = true
22 | "compliance/cis-aws-foundations/1.2/controls" = 1.4
23 | }
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
5 | locals {
6 | subscribers = {
7 | email = {
8 | protocol = "email"
9 | endpoint = "test@example.com"
10 | endpoint_auto_confirms = true
11 | }
12 | }
13 | }
14 |
15 | module "aws_config_storage" {
16 | source = "cloudposse/config-storage/aws"
17 | version = "1.0.0"
18 |
19 | force_destroy = var.force_destroy
20 | tags = module.this.tags
21 |
22 | context = module.this.context
23 | }
24 |
25 | module "aws_config" {
26 | source = "../.."
27 |
28 | create_sns_topic = var.create_sns_topic
29 | create_iam_role = var.create_iam_role
30 | managed_rules = var.managed_rules
31 | force_destroy = var.force_destroy
32 | s3_bucket_id = module.aws_config_storage.bucket_id
33 | s3_bucket_arn = module.aws_config_storage.bucket_arn
34 | global_resource_collector_region = var.global_resource_collector_region
35 | subscribers = local.subscribers
36 |
37 | context = module.this.context
38 | }
39 |
--------------------------------------------------------------------------------
/examples/complete/outputs.tf:
--------------------------------------------------------------------------------
1 | output "config_recorder_id" {
2 | value = module.aws_config.aws_config_configuration_recorder_id
3 | description = "The id of the AWS Config Recorder that was created"
4 | }
5 |
6 | output "iam_role" {
7 | description = <<-DOC
8 | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with
9 | the account.
10 | DOC
11 | value = module.aws_config.iam_role
12 | }
13 |
14 | output "storage_bucket_id" {
15 | value = module.aws_config_storage.bucket_id
16 | description = "Bucket Name (aka ID)"
17 | }
18 |
19 | output "storage_bucket_arn" {
20 | value = module.aws_config_storage.bucket_arn
21 | description = "Bucket ARN"
22 | }
23 |
--------------------------------------------------------------------------------
/examples/complete/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | type = string
3 | description = "AWS Region"
4 | }
5 | variable "create_iam_role" {
6 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
7 | type = bool
8 | default = false
9 | }
10 |
11 | variable "create_sns_topic" {
12 | description = <<-DOC
13 | Flag to indicate whether an SNS topic should be created for notifications
14 | If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers
15 | DOC
16 |
17 | type = bool
18 | default = false
19 | }
20 |
21 | variable "force_destroy" {
22 | type = bool
23 | description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
24 | default = false
25 | }
26 |
27 | variable "managed_rules" {
28 | description = <<-DOC
29 | A list of AWS Managed Rules that should be enabled on the account.
30 |
31 | See the following for a list of possible rules to enable:
32 | https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
33 | DOC
34 | type = map(object({
35 | description = string
36 | identifier = string
37 | input_parameters = any
38 | tags = map(string)
39 | enabled = bool
40 | }))
41 | default = {}
42 | }
43 |
44 | variable "parameter_overrides" {
45 | type = map(map(string))
46 | description = <<-DOC
47 | Map of parameters for interpolation within the YAML config templates
48 |
49 | For example, to override the maxCredentialUsageAge parameter in the access-keys-rotated.yaml rule, you would specify
50 | the following:
51 |
52 | parameter_overrides = {
53 | "access-keys-rotated" : { maxCredentialUsageAge : "120" }
54 | }
55 | DOC
56 | default = {}
57 | }
58 |
59 | variable "global_resource_collector_region" {
60 | description = "The region that collects AWS Config data for global resources such as IAM"
61 | type = string
62 | }
63 |
--------------------------------------------------------------------------------
/examples/complete/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 |
4 | required_providers {
5 | local = {
6 | source = "hashicorp/local"
7 | version = ">= 1.2"
8 | }
9 | aws = {
10 | source = "hashicorp/aws"
11 | version = ">= 5.0"
12 | }
13 | }
14 | }
15 |
--------------------------------------------------------------------------------
/examples/hipaa/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/hipaa/fixtures.us-east-2.tfvars:
--------------------------------------------------------------------------------
1 | region = "us-east-2"
2 | namespace = "eg"
3 | environment = "ue2"
4 | stage = "test"
5 |
6 | create_sns_topic = true
7 | create_iam_role = true
8 | force_destroy = true
9 |
--------------------------------------------------------------------------------
/examples/hipaa/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 | }
4 |
5 | module "aws_config_storage" {
6 | source = "cloudposse/config-storage/aws"
7 | version = "1.0.0"
8 |
9 | force_destroy = var.force_destroy
10 | tags = module.this.tags
11 |
12 | context = module.this.context
13 | }
14 |
15 | module "aws_config" {
16 | source = "../.."
17 |
18 | create_sns_topic = var.create_sns_topic
19 | create_iam_role = var.create_iam_role
20 | force_destroy = var.force_destroy
21 | s3_bucket_id = module.aws_config_storage.bucket_id
22 | s3_bucket_arn = module.aws_config_storage.bucket_arn
23 | global_resource_collector_region = data.aws_region.current.name
24 |
25 | context = module.this.context
26 | }
27 |
28 | module "hipaa_conformance_pack" {
29 | source = "../../modules/conformance-pack"
30 | context = module.this.context
31 | name = "operational-best-practices-for-HIPAA-Security"
32 |
33 | conformance_pack = "https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
34 | parameter_overrides = {
35 | AccessKeysRotatedParamMaxAccessKeyAge = "45"
36 | }
37 |
38 | depends_on = [
39 | module.aws_config
40 | ]
41 | }
42 |
43 | data "aws_caller_identity" "current" {}
44 | data "aws_region" "current" {}
45 |
--------------------------------------------------------------------------------
/examples/hipaa/outputs.tf:
--------------------------------------------------------------------------------
1 | output "config_recorder_id" {
2 | value = module.aws_config.aws_config_configuration_recorder_id
3 | description = "The id of the AWS Config Recorder that was created"
4 | }
5 |
6 | output "storage_bucket_id" {
7 | value = module.aws_config_storage.bucket_id
8 | description = "Bucket Name (aka ID)"
9 | }
10 |
11 | output "storage_bucket_arn" {
12 | value = module.aws_config_storage.bucket_arn
13 | description = "Bucket ARN"
14 | }
15 |
16 | output "conformance_pack_arn" {
17 | value = module.hipaa_conformance_pack.arn
18 | description = "Conformance Pack ARN"
19 | }
20 |
--------------------------------------------------------------------------------
/examples/hipaa/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | type = string
3 | description = "AWS Region"
4 | }
5 | variable "create_iam_role" {
6 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
7 | type = bool
8 | default = false
9 | }
10 |
11 | variable "create_sns_topic" {
12 | description = <<-DOC
13 | Flag to indicate whether an SNS topic should be created for notifications
14 | If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers
15 | DOC
16 |
17 | type = bool
18 | default = false
19 | }
20 |
21 | variable "force_destroy" {
22 | type = bool
23 | description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
24 | default = false
25 | }
26 |
--------------------------------------------------------------------------------
/examples/hipaa/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.0"
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/README.md:
--------------------------------------------------------------------------------
1 | # AWS Config Rules for CIS AWS Foundations Benchmark Compliance
2 |
3 | This module outputs a map of [AWS Config](https://aws.amazon.com/config) Rules that should be in place as part of acheiving compliance with the [CIS AWS Foundation Benchmak 1.2](https://www.cisecurity.org/cis-benchmarks/#amazon_web_services) standard. These rules are meant to be used as an input to the [Cloud Posse AWS Config Module](../../) and are defined in the rules [catalog](../../catalog).
4 |
5 | ## Usage
6 |
7 | ### Which Account(s) Should Rules Be Applied In
8 |
9 | In general, these rules are meant to be enabled in every region of each of your accounts, with some exceptions noted below.
10 |
11 | ### Controls You May Want to Disable
12 |
13 | There are some controls that are part of the standard that should be disabled in certain scenarios.
14 |
15 | #### CIS AWS Foundations Benchmark Control 2.7: Ensure CloudTrail logs are encrypted at rest using AWS KMS CMKs
16 |
17 | When you are using a centralized CloudTrail account, you should only run this rule in the centralized account. The rule can be enabled in the centralized account by setting the `is_logging_account` variable to true and disabled in all other accounts by setting `is_logging_account` to false or omitting it as false is the default value.
18 |
19 | #### CIS AWS Foundations Benchmark Controls 1.2-1.14, 1.16, 1.20, 1.22, and 2.5: Global Resources
20 |
21 | These controls deal with ensuring various global resources, such as IAM Users, are configured in a way that aligns with the Benchmark. Since these resources are global, there is no reason to have AWS Config check them in each region. One region should be designated as the _Global Region_ for AWS Config and checks for these controls should only be run in that region. This set of checks can be enabled in the _Global Region_ by setting the `is_global_resource_region` to true and disabled in all other regions by setting `is_global_resource_region` to false or omitting it as false is the default value.
22 |
23 | ### Parameter Overrides
24 |
25 | You may also override the values any of the AWS Config Parameters set by the rules from our [catalog](../../catalog) by providing a map of maps to the `parameter_overrides` variable. The example below shows overriding the `MaxPasswordAge` of the `iam-password-policy` rule. The rule defaults to 90 days, while in this example we want to set it to 45 days.
26 |
27 | **IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
28 | Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-config/releases).
29 |
30 | For a complete example, see [examples/cis](../../examples/cis).
31 |
32 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
33 | (which tests and deploys the example on AWS), see [test](test).
34 |
35 | ```hcl
36 | module "cis_1_2_rules" {
37 | source = "cloudposse/config/aws//modules/cis-1-2-rules"
38 | # Cloud Posse recommends pinning every module to a specific version
39 | # version = "x.x.x"
40 |
41 |
42 | is_global_resource_region = true
43 | is_logging_account = true
44 |
45 | parameter_overrides = {
46 | "iam-password-policy": {
47 | "MaxPasswordAge": "45"
48 | }
49 | }
50 | }
51 |
52 | module "config" {
53 | source = "cloudposse/config/aws"
54 | # Cloud Posse recommends pinning every module to a specific version
55 | # version = "x.x.x"
56 |
57 | create_sns_topic = true
58 | create_iam_role = true
59 |
60 | managed_rules = module.cis_1_2_rules.rules
61 | }
62 | }
63 | ```
64 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | current_region = module.utils.region_az_alt_code_maps.to_fixed[data.aws_region.current.name]
3 |
4 | file_rules = module.aws_config_rules_yaml_config.map_configs
5 | rules_with_tags = { for k, rule in local.file_rules : k => rule if rule.tags != null }
6 |
7 | compliance_standard_tag = "compliance/cis-aws-foundations/1.2"
8 | logging_only_tag = "compliance/cis-aws-foundations/filters/logging-account-only"
9 | global_only_tag = "compliance/cis-aws-foundations/filters/global-resource-region-only"
10 | region_exclusion_tag = "region/excluded/${local.current_region}"
11 |
12 | tagged_rules = { for key, rule in local.rules_with_tags : key => rule if lookup(rule.tags, local.compliance_standard_tag, false) == true }
13 | logging_account_rules = { for key, rule in local.tagged_rules : key => rule if var.is_logging_account && lookup(rule.tags, local.logging_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false) }
14 | global_resource_rules = { for key, rule in local.tagged_rules : key => rule if var.is_global_resource_region && lookup(rule.tags, local.global_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false) }
15 | base_rules = { for key, rule in local.tagged_rules : key => rule if(!lookup(rule.tags, local.logging_only_tag, false) && !lookup(rule.tags, local.global_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false)) }
16 | all_rules = merge(local.base_rules, local.logging_account_rules, local.global_resource_rules)
17 |
18 | base_params = {
19 |
20 | "s3-bucket-logging-enabled" : {
21 | "targetBucket" : var.cloudtrail_bucket_name
22 | }
23 | "multi-region-cloudtrail-enabled" : {
24 | "s3BucketName" : var.cloudtrail_bucket_name
25 | }
26 | }
27 |
28 | global_resource_params = {
29 | "iam-policy-in-use" : {
30 | "policyARN" : var.support_policy_arn
31 | }
32 | }
33 |
34 | params = var.is_global_resource_region ? merge(local.base_params, local.global_resource_params) : local.base_params
35 |
36 | enabled_rules = { for key, rule in local.all_rules : key => {
37 | description = rule.description,
38 | identifier = rule.identifier,
39 | input_parameters = merge(rule.inputParameters, lookup(local.params, key, {}), lookup(var.parameter_overrides, key, {})),
40 | tags = rule.tags,
41 | enabled = rule.enabled,
42 | } if module.this.enabled }
43 | }
44 |
45 | module "aws_config_rules_yaml_config" {
46 | source = "cloudposse/config/yaml"
47 | version = "1.0.2"
48 |
49 | map_config_local_base_path = path.module
50 | map_config_paths = var.config_rules_paths
51 |
52 | context = module.this.context
53 | }
54 |
55 | data "aws_region" "current" {}
56 |
57 | module "utils" {
58 | source = "cloudposse/utils/aws"
59 | version = "1.0.0"
60 | }
61 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/outputs.tf:
--------------------------------------------------------------------------------
1 | output "rules" {
2 | value = local.enabled_rules
3 | description = "Enabled rules"
4 | }
5 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/variables.tf:
--------------------------------------------------------------------------------
1 | variable "support_policy_arn" {
2 | description = <<-DOC
3 | The ARN of the IAM Policy required for compliance with 1.20 of the Benchmark, which states:
4 |
5 | Ensure a support role has been created to manage incidents with AWS Support
6 |
7 | AWS provides a support center that can be used for incident notification and response, as well as technical support
8 | and customer services.
9 |
10 | Create an IAM role to allow authorized users to manage incidents with AWS Support. By implementing least privilege
11 | for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to
12 | manage incidents with AWS Support.
13 | DOC
14 | type = string
15 | }
16 |
17 | variable "cloudtrail_bucket_name" {
18 | description = <<-DOC
19 | The name of the S3 bucket where CloudTrail logs are being sent. This is needed to comply with 2.6 of the Benchmark
20 | which states:
21 |
22 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
23 | DOC
24 | type = string
25 | }
26 |
27 | variable "config_rules_paths" {
28 | description = "Set of PATH'es to files with config rules"
29 | type = set(string)
30 | default = [
31 | "../../catalog/cloudtrail.yaml",
32 | "../../catalog/cmk.yaml",
33 | "../../catalog/iam.yaml",
34 | "../../catalog/network.yaml",
35 | "../../catalog/vpc.yaml",
36 | ]
37 | }
38 |
39 | variable "parameter_overrides" {
40 | type = map(map(string))
41 | description = <<-DOC
42 | Map of parameters for interpolation within the YAML config templates
43 |
44 | For example, to override the maxCredentialUsageAge parameter in the access-keys-rotated.yaml rule, you would specify
45 | the following:
46 |
47 | parameter_overrides = {
48 | "access-keys-rotated" : { maxCredentialUsageAge : "120" }
49 | }
50 | DOC
51 | default = {}
52 | }
53 |
54 | variable "is_logging_account" {
55 | description = <<-DOC
56 | Flag to indicate if this instance of AWS Config is being installed into a centralized logging account. If this flag
57 | is set to true, then the config rules associated with logging in the catalog (loggingAccountOnly: true) will be
58 | installed. If false, they will not be installed.
59 | installed.
60 | DOC
61 | type = bool
62 | default = false
63 | }
64 |
65 | variable "is_global_resource_region" {
66 | description = <<-DOC
67 | Flag to indicate if this instance of AWS Config is being installed to monitor global resources (such as IAM). In
68 | order to save money, you can disable the monitoring of global resources in all but region. If this flag is set to
69 | true, then the config rules associated with global resources in the catalog (globalResource: true) will be
70 | installed. If false, they will not be installed.
71 | DOC
72 | type = bool
73 | default = false
74 | }
75 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.0"
8 | }
9 |
10 | http = {
11 | source = "hashicorp/http"
12 | version = ">= 3.4.1"
13 | }
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/modules/conformance-pack/README.md:
--------------------------------------------------------------------------------
1 | # AWS Config Conformance Pack
2 |
3 | This module deploys a [Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html). A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions.
4 |
5 | The Conformance Pack cannot be deployed until AWS Config is deployed, which can be deployed using the [root module](../../) of this repository.
6 |
7 | ## Usage
8 |
9 | **IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
10 | Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-config/releases).
11 |
12 | For a complete example, see [examples/hipaa](../../examples/hipaa).
13 |
14 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)(which tests and deploys the example on AWS), see [test](test).
15 |
16 | ```hcl
17 | module "hipaa_conformance_pack" {
18 | source = "cloudposse/config/aws//modules/conformance-pack"
19 | # Cloud Posse recommends pinning every module to a specific version
20 | # version = "x.x.x"
21 |
22 | name = "Operational-Best-Practices-for-HIPAA-Security"
23 |
24 | conformance_pack="https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
25 | parameter_overrides = {
26 | AccessKeysRotatedParamMaxAccessKeyAge = "45"
27 | }
28 |
29 | depends_on = [
30 | module.config
31 | ]
32 | }
33 |
34 | module "config" {
35 | source = "cloudposse/config/aws"
36 | # Cloud Posse recommends pinning every module to a specific version
37 | # version = "x.x.x"
38 |
39 | create_sns_topic = true
40 | create_iam_role = true
41 | }
42 | ```
43 |
--------------------------------------------------------------------------------
/modules/conformance-pack/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/modules/conformance-pack/main.tf:
--------------------------------------------------------------------------------
1 | resource "aws_config_conformance_pack" "default" {
2 | name = module.this.name
3 |
4 | dynamic "input_parameter" {
5 | for_each = var.parameter_overrides
6 | content {
7 | parameter_name = input_parameter.key
8 | parameter_value = input_parameter.value
9 | }
10 | }
11 |
12 | template_body = data.http.conformance_pack.response_body
13 | }
14 |
15 | data "http" "conformance_pack" {
16 |
17 | url = var.conformance_pack
18 | request_headers = var.access_token == "" ? {} : { Authorization = "token ${var.access_token}" }
19 | }
20 |
--------------------------------------------------------------------------------
/modules/conformance-pack/outputs.tf:
--------------------------------------------------------------------------------
1 | output "arn" {
2 | value = aws_config_conformance_pack.default.arn
3 | description = "ARN of the conformance pack"
4 | }
5 |
--------------------------------------------------------------------------------
/modules/conformance-pack/variables.tf:
--------------------------------------------------------------------------------
1 | variable "conformance_pack" {
2 | type = string
3 | description = "The URL to a Conformance Pack"
4 | }
5 |
6 | variable "access_token" {
7 | type = string
8 | description = "Optional: access token required to access private GitHub repos, where custom conformance packs could be stored"
9 | default = ""
10 | }
11 |
12 | variable "parameter_overrides" {
13 | type = map(any)
14 | description = "A map of parameters names to values to override from the template"
15 | default = {}
16 | }
17 |
--------------------------------------------------------------------------------
/modules/conformance-pack/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.0"
8 | }
9 |
10 | http = {
11 | source = "hashicorp/http"
12 | version = ">= 3.4.1"
13 | }
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | output "aws_config_configuration_recorder_id" {
2 | value = join("", aws_config_configuration_recorder.recorder[*].id)
3 | description = "The ID of the AWS Config Recorder"
4 | }
5 |
6 | output "storage_bucket_id" {
7 | value = var.s3_bucket_id
8 | description = "Bucket Name (aka ID)"
9 | }
10 |
11 | output "storage_bucket_arn" {
12 | value = var.s3_bucket_arn
13 | description = "Bucket ARN"
14 | }
15 |
16 | output "iam_role" {
17 | description = <<-DOC
18 | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with
19 | the account.
20 | DOC
21 | value = local.create_iam_role ? module.iam_role[0].arn : var.iam_role_arn
22 | }
23 |
24 | output "iam_role_organization_aggregator" {
25 | description = <<-DOC
26 | IAM Role used to make read or write requests to the delivery channel and to describe the AWS resources associated with
27 | the account.
28 | DOC
29 | value = local.create_organization_aggregator_iam_role ? module.iam_role_organization_aggregator[0].arn : var.iam_role_organization_aggregator_arn
30 | }
31 |
32 | output "sns_topic" {
33 | description = "SNS topic"
34 | value = local.create_sns_topic ? module.sns_topic[0].sns_topic : null
35 | }
36 |
37 | output "sns_topic_subscriptions" {
38 | description = "SNS topic subscriptions"
39 | value = local.create_sns_topic ? module.sns_topic[0].aws_sns_topic_subscriptions : null
40 | }
41 |
--------------------------------------------------------------------------------
/test/.gitignore:
--------------------------------------------------------------------------------
1 | .test-harness
2 |
--------------------------------------------------------------------------------
/test/Makefile:
--------------------------------------------------------------------------------
1 | TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git
2 | TEST_HARNESS_BRANCH ?= master
3 | TEST_HARNESS_PATH = $(realpath .test-harness)
4 | BATS_ARGS ?= --tap
5 | BATS_LOG ?= test.log
6 |
7 | # Define a macro to run the tests
8 | define RUN_TESTS
9 | @echo "Running tests in $(1)"
10 | @cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS)))
11 | endef
12 |
13 | default: all
14 |
15 | -include Makefile.*
16 |
17 | ## Provision the test-harnesss
18 | .test-harness:
19 | [ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@
20 |
21 | ## Initialize the tests
22 | init: .test-harness
23 |
24 | ## Install all dependencies (OS specific)
25 | deps::
26 | @exit 0
27 |
28 | ## Clean up the test harness
29 | clean:
30 | [ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH)
31 |
32 | ## Run all tests
33 | all: module examples/complete
34 |
35 | ## Run basic sanity checks against the module itself
36 | module: export TESTS ?= installed lint get-modules get-plugins module-pinning provider-pinning validate terraform-docs input-descriptions output-descriptions
37 | module: deps
38 | $(call RUN_TESTS, ../)
39 |
40 | ## Run tests against example
41 | examples/complete: export TESTS ?= installed lint get-modules get-plugins validate
42 | examples/complete: deps
43 | $(call RUN_TESTS, ../$@)
44 |
45 | examples/cis: export TESTS ?= installed lint get-modules get-plugins validate
46 | examples/cis: deps
47 | $(call RUN_TESTS, ../$@)
48 |
--------------------------------------------------------------------------------
/test/Makefile.alpine:
--------------------------------------------------------------------------------
1 | ifneq (,$(wildcard /sbin/apk))
2 | ## Install all dependencies for alpine
3 | deps:: init
4 | @apk add --update terraform-docs@cloudposse json2hcl@cloudposse
5 | endif
6 |
--------------------------------------------------------------------------------
/test/src/.gitignore:
--------------------------------------------------------------------------------
1 | .gopath
2 | vendor/
3 |
--------------------------------------------------------------------------------
/test/src/Makefile:
--------------------------------------------------------------------------------
1 | export TF_CLI_ARGS_init ?= -get-plugins=true
2 | export TERRAFORM_VERSION ?= $(shell curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version' | cut -d. -f1-2)
3 |
4 | .DEFAULT_GOAL : all
5 | .PHONY: all
6 |
7 | ## Default target
8 | all: test
9 |
10 | .PHONY : init
11 | ## Initialize tests
12 | init:
13 | @exit 0
14 |
15 | .PHONY : test
16 | ## Run tests
17 | test/complete: init
18 | go mod download
19 | go test -v -timeout 60m -run TestExamplesComplete
20 | test/cis: init
21 | go mod download
22 | go test -v -timeout 60m -run TestExamplesCIS
23 | test: test/complete test/cis
24 |
25 |
26 | ## Run tests in docker container
27 | docker/test:
28 | docker run --name terratest --rm -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e GITHUB_TOKEN \
29 | -e PATH="/usr/local/terraform/$(TERRAFORM_VERSION)/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
30 | -v $(CURDIR)/../../:/module/ cloudposse/test-harness:latest -C /module/test/src test
31 |
32 | .PHONY : clean
33 | ## Clean up files
34 | clean:
35 | rm -rf ../../examples/complete/*.tfstate*
36 |
--------------------------------------------------------------------------------
/test/src/examples_cis_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "math/rand"
5 | "strconv"
6 | "testing"
7 | "time"
8 | "fmt"
9 |
10 | "github.com/gruntwork-io/terratest/modules/terraform"
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | // Test the Terraform module in examples/complete using Terratest.
15 | func TestExamplesCIS(t *testing.T) {
16 | t.Parallel()
17 |
18 | rand.Seed(time.Now().UnixNano())
19 | randID := strconv.Itoa(rand.Intn(100000))
20 | attributes := []string{randID}
21 |
22 | terraformOptions := &terraform.Options{
23 | // The path to where our Terraform code is located
24 | TerraformDir: "../../examples/cis",
25 | Upgrade: true,
26 | // Variables to pass to our Terraform code using -var-file options
27 | VarFiles: []string{"fixtures.us-east-2.tfvars"},
28 | // We always include a random attribute so that parallel tests
29 | // and AWS resources do not interfere with each other
30 | Vars: map[string]interface{}{
31 | "attributes": attributes,
32 | },
33 | }
34 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
35 | defer terraform.Destroy(t, terraformOptions)
36 |
37 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
38 | terraform.InitAndApply(t, terraformOptions)
39 |
40 | // Run `terraform output` to get the value of an output variable
41 | configRecorderID := terraform.Output(t, terraformOptions, "config_recorder_id")
42 | bucketID := terraform.Output(t, terraformOptions, "storage_bucket_id")
43 |
44 | // Ensure we get the attribute included in the IDs
45 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-config", randID), configRecorderID)
46 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-aws-config",randID), bucketID)
47 | }
48 |
--------------------------------------------------------------------------------
/test/src/examples_complete_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "math/rand"
5 | "strconv"
6 | "testing"
7 | "time"
8 | "fmt"
9 |
10 | "github.com/gruntwork-io/terratest/modules/terraform"
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | // Test the Terraform module in examples/complete using Terratest.
15 | func TestExamplesComplete(t *testing.T) {
16 | t.Parallel()
17 |
18 | rand.Seed(time.Now().UnixNano())
19 | randID := strconv.Itoa(rand.Intn(100000))
20 | attributes := []string{randID}
21 |
22 | terraformOptions := &terraform.Options{
23 | // The path to where our Terraform code is located
24 | TerraformDir: "../../examples/complete",
25 | Upgrade: true,
26 | // Variables to pass to our Terraform code using -var-file options
27 | VarFiles: []string{"fixtures.us-east-2.tfvars"},
28 | // We always include a random attribute so that parallel tests
29 | // and AWS resources do not interfere with each other
30 | Vars: map[string]interface{}{
31 | "attributes": attributes,
32 | },
33 | }
34 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
35 | defer terraform.Destroy(t, terraformOptions)
36 |
37 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
38 | terraform.InitAndApply(t, terraformOptions)
39 |
40 | // Run `terraform output` to get the value of an output variable
41 | configRecorderID := terraform.Output(t, terraformOptions, "config_recorder_id")
42 | bucketID := terraform.Output(t, terraformOptions, "storage_bucket_id")
43 | iamRoleArn := terraform.Output(t, terraformOptions, "iam_role")
44 |
45 | // Ensure we get the attribute included in the IDs
46 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-config", randID), configRecorderID)
47 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-aws-config",randID), bucketID)
48 | assert.NotEqual(t, nil, iamRoleArn)
49 | }
50 |
--------------------------------------------------------------------------------
/test/src/examples_hipaa_test.go:
--------------------------------------------------------------------------------
1 | package test
2 |
3 | import (
4 | "fmt"
5 | "math/rand"
6 | "strconv"
7 | "testing"
8 | "time"
9 |
10 | "github.com/gruntwork-io/terratest/modules/terraform"
11 | "github.com/stretchr/testify/assert"
12 | )
13 |
14 | // Test the Terraform module in examples/complete using Terratest.
15 | func TestExamplesHipaa(t *testing.T) {
16 | t.Parallel()
17 |
18 | rand.Seed(time.Now().UnixNano())
19 | randID := strconv.Itoa(rand.Intn(100000))
20 | attributes := []string{randID}
21 |
22 | terraformOptions := &terraform.Options{
23 | // The path to where our Terraform code is located
24 | TerraformDir: "../../examples/hipaa",
25 | Upgrade: true,
26 | // Variables to pass to our Terraform code using -var-file options
27 | VarFiles: []string{"fixtures.us-east-2.tfvars"},
28 | // We always include a random attribute so that parallel tests
29 | // and AWS resources do not interfere with each other
30 | Vars: map[string]interface{}{
31 | "attributes": attributes,
32 | },
33 | }
34 | // At the end of the test, run `terraform destroy` to clean up any resources that were created
35 | defer terraform.Destroy(t, terraformOptions)
36 |
37 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
38 | terraform.InitAndApply(t, terraformOptions)
39 |
40 | // Run `terraform output` to get the value of an output variable
41 | configRecorderID := terraform.Output(t, terraformOptions, "config_recorder_id")
42 | bucketID := terraform.Output(t, terraformOptions, "storage_bucket_id")
43 | conformancePackArn := terraform.Output(t, terraformOptions, "conformance_pack_arn")
44 |
45 | // Ensure we get the attribute included in the IDs
46 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-config", randID), configRecorderID)
47 | assert.Equal(t, fmt.Sprintf("eg-ue2-test-%s-aws-config", randID), bucketID)
48 | assert.NotEqual(t, nil, conformancePackArn)
49 | }
50 |
--------------------------------------------------------------------------------
/test/src/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/cloudposse/terraform-aws-config
2 |
3 | go 1.13
4 |
5 | require (
6 | github.com/gruntwork-io/terratest v0.32.14
7 | github.com/stretchr/testify v1.7.0
8 | golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
9 | golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
10 | golang.org/x/sys v0.0.0-20200828194041-157a740278f4 // indirect
11 | gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
12 | )
13 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "s3_bucket_id" {
2 | description = "The id (name) of the S3 bucket used to store the configuration history"
3 | type = string
4 | }
5 |
6 | variable "s3_bucket_arn" {
7 | description = "The ARN of the S3 bucket used to store the configuration history"
8 | type = string
9 | }
10 |
11 | variable "create_sns_topic" {
12 | description = <<-DOC
13 | Flag to indicate whether an SNS topic should be created for notifications
14 | If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers
15 | DOC
16 |
17 | type = bool
18 | default = false
19 | }
20 |
21 | variable "sns_encryption_key_id" {
22 | description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK."
23 | type = string
24 | default = "" # Use "alias/aws/sns" for AWS Managed Key
25 | }
26 |
27 | variable "sqs_queue_kms_master_key_id" {
28 | type = string
29 | description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS Queue or a custom CMK"
30 | default = "" # Use "alias/aws/sqs" for AWS Managed Key
31 | }
32 |
33 | variable "subscribers" {
34 | type = map(any)
35 | description = <<-DOC
36 | A map of subscription configurations for SNS topics
37 |
38 | For more information, see:
39 | https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference
40 |
41 | protocol:
42 | The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially
43 | supported, see link) (email is an option but is unsupported in terraform, see link).
44 | endpoint:
45 | The endpoint to send data to, the contents will vary with the protocol. (see link for more information)
46 | endpoint_auto_confirms (Optional):
47 | Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is
48 | false
49 | raw_message_delivery (Optional):
50 | Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false.
51 | DOC
52 | default = {}
53 | }
54 |
55 | variable "findings_notification_arn" {
56 | description = <<-DOC
57 | The ARN for an SNS topic to send findings notifications to. This is only used if create_sns_topic is false.
58 | If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set
59 | create_sns_topic to false.
60 | DOC
61 | default = null
62 | type = string
63 | }
64 |
65 | variable "create_iam_role" {
66 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
67 | type = bool
68 | default = false
69 | }
70 |
71 | variable "create_organization_aggregator_iam_role" {
72 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config to send logs from organization accounts"
73 | type = bool
74 | default = false
75 | }
76 |
77 | variable "iam_role_arn" {
78 | description = <<-DOC
79 | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
80 | AWS resources associated with the account. This is only used if create_iam_role is false.
81 |
82 | If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set
83 | create_iam_role to false.
84 |
85 | See the AWS Docs for further information:
86 | http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
87 | DOC
88 | default = null
89 | type = string
90 | }
91 |
92 | variable "iam_role_organization_aggregator_arn" {
93 | description = <<-DOC
94 | The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts.
95 | This is only used if create_organization_aggregator_iam_role is false.
96 |
97 | If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set
98 | create_organization_aggregator_iam_role to false.
99 |
100 | See the AWS docs for further information:
101 | http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
102 | DOC
103 | default = null
104 | type = string
105 | }
106 |
107 | variable "global_resource_collector_region" {
108 | description = "The region that collects AWS Config data for global resources such as IAM"
109 | type = string
110 | }
111 |
112 | variable "central_resource_collector_account" {
113 | description = "The account ID of a central account that will aggregate AWS Config from other accounts"
114 | type = string
115 | default = null
116 | }
117 |
118 | variable "child_resource_collector_accounts" {
119 | description = "The account IDs of other accounts that will send their AWS Configuration to this account"
120 | type = set(string)
121 | default = null
122 | }
123 |
124 | variable "force_destroy" {
125 | type = bool
126 | description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
127 | default = false
128 | }
129 |
130 | variable "managed_rules" {
131 | description = <<-DOC
132 | A list of AWS Managed Rules that should be enabled on the account.
133 |
134 | See the following for a list of possible rules to enable:
135 | https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
136 | DOC
137 | type = map(object({
138 | description = string
139 | identifier = string
140 | input_parameters = any
141 | tags = map(string)
142 | enabled = bool
143 | }))
144 | default = {}
145 | }
146 |
147 | variable "recording_mode" {
148 | description = <<-DOC
149 | The mode for AWS Config to record configuration changes.
150 |
151 | recording_frequency:
152 | The frequency with which AWS Config records configuration changes (service defaults to CONTINUOUS).
153 | - CONTINUOUS
154 | - DAILY
155 |
156 | You can also override the recording frequency for specific resource types.
157 | recording_mode_override:
158 | description:
159 | A description for the override.
160 | recording_frequency:
161 | The frequency with which AWS Config records configuration changes for the specified resource types.
162 | - CONTINUOUS
163 | - DAILY
164 | resource_types:
165 | A list of resource types for which AWS Config records configuration changes. For example, AWS::EC2::Instance.
166 |
167 | See the following for more information:
168 | https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html
169 |
170 | /*
171 | recording_mode = {
172 | recording_frequency = "DAILY"
173 | recording_mode_override = {
174 | description = "Override for specific resource types"
175 | recording_frequency = "CONTINUOUS"
176 | resource_types = ["AWS::EC2::Instance"]
177 | }
178 | }
179 | */
180 | DOC
181 | type = object({
182 | recording_frequency = string
183 | recording_mode_override = optional(object({
184 | description = string
185 | recording_frequency = string
186 | resource_types = list(string)
187 | }))
188 | })
189 | default = null
190 | }
191 |
192 | variable "s3_key_prefix" {
193 | type = string
194 | description = <<-DOC
195 | The prefix for AWS Config objects stored in the the S3 bucket. If this variable is set to null, the default, no
196 | prefix will be used.
197 |
198 | Examples:
199 |
200 | with prefix: {S3_BUCKET NAME}:/{S3_KEY_PREFIX}/AWSLogs/{ACCOUNT_ID}/Config/*.
201 | without prefix: {S3_BUCKET NAME}:/AWSLogs/{ACCOUNT_ID}/Config/*.
202 | DOC
203 | default = null
204 | }
205 |
206 | // Config aggregation isn't enabled for ap-northeast-3, maybe others in the future
207 | // https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
208 | variable "disabled_aggregation_regions" {
209 | type = list(string)
210 | description = "A list of regions where config aggregation is disabled"
211 | default = ["ap-northeast-3"]
212 | }
213 |
214 | variable "is_organization_aggregator" {
215 | type = bool
216 | default = false
217 | description = "The aggregator is an AWS Organizations aggregator"
218 | }
219 |
220 | variable "allowed_aws_services_for_sns_published" {
221 | type = list(string)
222 | description = "AWS services that will have permission to publish to SNS topic. Used when no external JSON policy is used"
223 | default = []
224 | }
225 |
226 | variable "allowed_iam_arns_for_sns_publish" {
227 | type = list(string)
228 | description = "IAM role/user ARNs that will have permission to publish to SNS topic. Used when no external json policy is used."
229 | default = []
230 | }
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.0"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.38.0"
8 | }
9 |
10 | http = {
11 | source = "hashicorp/http"
12 | version = ">= 3.4.1"
13 | }
14 | }
15 | }
16 |
--------------------------------------------------------------------------------