├── .gitignore
├── .kitchen.yml
├── Gemfile
├── LICENSE.md
├── README.md
├── TESTING_AGAINST_AWS.md
├── pre-kitchen.rb
└── test
    └── integration
        ├── cis
            ├── build
            │   ├── account_settings.tf
            │   ├── aws.tf
            │   ├── cloudtrail.tf
            │   ├── cloudwatch.tf
            │   ├── configservice.tf
            │   ├── configservice_us_east_1.tf
            │   ├── configservice_us_east_2.tf
            │   ├── configservice_us_west_1.tf
            │   ├── configservice_us_west_2.tf
            │   ├── ec2.tf
            │   ├── iam_manager.tf
            │   ├── iam_master.tf
            │   ├── outputs.tf
            │   ├── variables.tf
            │   ├── vpc.tf
            │   └── vpc_ssh_security_group.tf
            └── inspec.yml
        └── minimal
            ├── build
                ├── aws.tf
                └── variables.tf
            ├── inspec.yml
            └── verify
                ├── controls
                    └── aws_iam_root_user.rb
                └── inspec.yml


/.gitignore:
--------------------------------------------------------------------------------
  1 | *.lock
  2 | *.gem
  3 | *.rbc
  4 | 
  5 | !Gemfile.lock
  6 | .attribute.yml
  7 | 
  8 | /.config
  9 | /coverage/
 10 | /InstalledFiles
 11 | /pkg/
 12 | /spec/reports/
 13 | /spec/examples.txt
 14 | inspec-azure.plan
 15 | inspec-aws-*.plan
 16 | 
 17 | 
 18 | *.tfstate
 19 | *.tfstate.*
 20 | .terraform/
 21 | terraform.tfvars
 22 | 
 23 | .kitchen/
 24 | .kitchen.local.yml
 25 | kitchen.local.yml
 26 | 
 27 | .vagrant
 28 | 
 29 | inspec-deprecations-in-cfg.txt
 30 | inspec-deprecations-in-lib.txt
 31 | 
 32 | # Docker
 33 | *.retry
 34 | .backup
 35 | 
 36 | 
 37 | # OSX
 38 | # General
 39 | .DS_Store
 40 | .AppleDouble
 41 | .LSOverride
 42 | 
 43 | # Icon must end with two \r
 44 | Icon
 45 | 
 46 | # Thumbnails
 47 | ._*
 48 | 
 49 | # Files that might appear in the root of a volume
 50 | .DocumentRevisions-V100
 51 | .fseventsd
 52 | .Spotlight-V100
 53 | .TemporaryItems
 54 | .Trashes
 55 | .VolumeIcon.icns
 56 | .com.apple.timemachine.donotpresent
 57 | 
 58 | # Directories potentially created on remote AFP share
 59 | .AppleDB
 60 | .AppleDesktop
 61 | Network Trash Folder
 62 | Temporary Items
 63 | .apdisk
 64 | 
 65 | # Logs
 66 | *.log
 67 | 
 68 | 
 69 | ## Documentation cache and generated files:
 70 | /.yardoc/
 71 | /_yardoc/
 72 | /doc/
 73 | /rdoc/
 74 | 
 75 | # Ignore bundler config
 76 | /.bundle/
 77 | /vendor/
 78 | /vendor/bundle
 79 | vendor/cookbooks
 80 | 
 81 | # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 82 | .rvmrc
 83 | .packer
 84 | 
 85 | # for a library or gem, you might want to ignore these files since the code is
 86 | # intended to run in multiple environments; otherwise, check them in:
 87 | .ruby-version
 88 | .ruby-gemset
 89 | 
 90 | 
 91 | ## JetBrain
 92 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
 93 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 94 | .idea/
 95 | 
 96 | ## Specific to RubyMotion:
 97 | .dat*
 98 | .repl_history
 99 | *.bridgesupport
100 | 
101 | # File-based project format
102 | *.iws
103 | 
104 | # IntelliJ
105 | out/
106 | 
107 | # mpeltonen/sbt-idea plugin
108 | .idea_modules/
109 | 
110 | # Crashlytics plugin (for Android Studio and IntelliJ)
111 | com_crashlytics_export_strings.xml
112 | crashlytics.properties
113 | crashlytics-build.properties
114 | fabric.properties
115 | 
116 | # JIRA plugin
117 | atlassian-ide-plugin.xml
118 | 
119 | 
120 | # Build Folder
121 | /build/
122 | /build-iPhoneOS/
123 | /build-iPhoneSimulator/
124 | 
125 | 
126 | # Ignore rendered files from docs/
127 | source/docs/reference/
128 | examples/meta-profile/vendor/
129 | habitat/VERSION
130 | habitat/results
131 | /lib/bundler/man/
132 | 
133 | 
134 | # USER
135 | /.gitignoredir/
136 | /tmp/
137 | /test/tmp/
138 | /test/version_tmp/
139 | /.emacs.desktop
140 | .gitter
141 | *.elc
142 | nbproject
143 | auto-save-list
144 | tramp
145 | /.direnv
146 | /.envrc
147 | results/
148 | contrib/*
149 | 
150 | 


--------------------------------------------------------------------------------
/.kitchen.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | driver:
 3 |   name: terraform
 4 |   variables:
 5 |     region: "<%= ENV['AWS_DEFAULT_REGION'] %>"
 6 |     instance_type: "<%= ENV['AWS_DEFAULT_INSTANCE_TYPE'] %>"
 7 |     ssh_security_group_cidr: "<%= ENV['SSH_SG_CIDR'] %>"
 8 | 
 9 | provisioner:
10 |   name: terraform
11 | 
12 | platforms:
13 |   - name: setup
14 | 
15 | verifier:
16 |   name: terraform
17 |   format: json  
18 |   output: aws_results.json
19 |   groups:
20 |     - name: default
21 | 
22 | suites:
23 |   - name: minimal
24 |     driver:
25 |       root_module_directory: "./test/integration/minimal/build/"
26 |     verifier:
27 |       inspec_tests:
28 |         - path: "./test/integration/minimal/verify"
29 | 
30 |   - name: cis
31 |     driver:
32 |       variables:
33 |         prefix: "cis"
34 |       root_module_directory: "./test/integration/cis/build/"
35 | 
36 |     verifier:
37 |       inspec_tests:
38 |         - git: https://github.com/mitre/cis-aws-foundations-baseline.git
39 | 


--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
 1 | # encoding: utf-8
 2 | 
 3 | source 'https://rubygems.org'
 4 | 
 5 | gem 'test-kitchen'
 6 | gem 'kitchen-terraform'
 7 | gem 'inspec', '~> 1.51.0' #remove version pinning after json output bug is fixed
 8 | gem 'kitchen-inspec'
 9 | 
10 | gem 'aws-sdk', '~> 2'
11 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
 1 | Licensed under the Apache 2.0 license, except as noted below.   
 2 | 
 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:  
 4 | 
 5 | - Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.  
 6 | 
 7 | - Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.  
 8 | 
 9 | - Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.  
10 | 
11 | MITRE’s licensed products include third-party materials that are subject to open source or free software licenses (“Open Source Materials”). The Open Source Materials are as follows:   
12 | 
13 | * CIS Benchmarks. Please visit www.cisecurity.org for full terms of use.  
14 | 
15 | The Open Source Materials are licensed under the terms of the applicable third-party licenses that accompany the Open Source Materials. MITTRE’s license does not limit a licensee’s rights under the terms of the Open Source Materials license. MITRE’s license also does not grant licensee rights to the Open Source Materials that supersede the terms and conditions of the Open Source Materials license.  
16 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # cis-aws-foundations-hardening - v1.1.0
  2 | 
  3 | A terraform / kitchen-terraform hardening baseline the CIS AWS Foundations Benchmark v1.1.0.
  4 | 
  5 | ## Overview
  6 | 
  7 | This will help you setup and validate an AWS Environment as per CIS AWS Benchmark. This build will not modify existing resources.
  8 | It will modify default `default vpc` and each `default security group` as per CIS guidance.
  9 | 
 10 | ## Versioning and State of Development
 11 | This project uses the [Semantic Versioning Policy](https://semver.org/). 
 12 | 
 13 | ### Branches
 14 | The master branch contains the latest version of the software leading up to a new release. 
 15 | 
 16 | Other branches contain feature-specific updates. 
 17 | 
 18 | ### Tags
 19 | Tags indicate official releases of the project.
 20 | 
 21 | Please note 0.x releases are works in progress (WIP) and may change at any time.   
 22 | 
 23 | ### Tech Used
 24 | - kitchen-terraform (>=v3.0.0)
 25 | - test-kitchen (v.1.60.0)
 26 | - inspec.io
 27 | - terraform ( > v0.10.2)
 28 | - tfenv
 29 | - awscli (v1.1)
 30 | 
 31 | ## Pre-Checks
 32 | 
 33 | A. Use `tfenv` to switch to your `tf v0.11.0` environment  
 34 | B. Install any needed gems via `bundle install`  
 35 | C. Use the `pre-kitchen.rb` script to ensure you have all the env_vars setup as needed.  
 36 | ```
 37 | ruby pre-kitchen.rb
 38 | ```
 39 | 
 40 | ## Usage
 41 | 
 42 | ### Setup your Environment  
 43 | 
 44 | Please see TESTING_AGAINST_AWS.md for details on how to setup the needed AWS accounts to perform testing.
 45 | 
 46 | Follow these instructions carefully.
 47 | 
 48 | 1. Create an AWS account.  Make a note of the account email and root password in a secure secret storage system.
 49 | 2. Create an IAM user named `test-fixture-maker`.
 50 |   * Enable programmatic access (to generate an access key)
 51 |   * Note the access key and secret key ID that are generated.
 52 | 3. Create an IAM Group named `test-fixture-maker-group`.
 53 |   * Direct-attach the policy AdministratorAccess
 54 |   * Add user `test-fixture-maker` to the group
 55 | 
 56 | 4. Set the required env variables.
 57 | 
 58 | - AWS Credentials
 59 | ```
 60 | AWS_ACCESS_KEY_ID         - The AWS Access Key that is to be used (default: none)
 61 | AWS_SECRET_ACCESS_KEY     - The AWS Secret Access Key that is to be used (default: none)
 62 | ```
 63 | - TF_VAR_ prevents credentials from being populated on terrafrom logs
 64 | ```
 65 | TF_VAR_aws_ssh_key_id     - The value is the name of the AWS key pair you want to use (default: none) (hide from logs)
 66 | TF_VAR_aws_access_key     - The AWS Access Key that is to be used (default: none) (hide from logs)
 67 | TF_VAR_aws_secret_key     - The AWS Secret Access Key that is to be used (default: none) (hide from logs)
 68 | ```
 69 | - Infrastructure Data
 70 | ```
 71 | AWS_DEFAULT_REGION        - The AWS Region you would like to use (default: us-east-1)
 72 | AWS_DEFAULT_INSTANCE_TYPE - The EC2 instance type (also known as size) to use. (default: none)
 73 | SSH_SG_CIDR               - Specify an IP address in CIDR notation, a CIDR block for ssh ingress rule. (default: none)
 74 | ```
 75 | 
 76 | ### Build/Verify
 77 | 
 78 | Run Test kitchen
 79 | 
 80 |   a. `bundle exec kitchen list`  
 81 |   b. `bundle exec kitchen create cis-setup`  
 82 |   c. `bundle exec kitchen converge cis-setup`  
 83 |   d. `bundle exec kitchen verify cis-setup`  
 84 |   e. `bundle exec kitchen destroy cis-setup`  
 85 | 
 86 | 
 87 | ### Known Issues
 88 | 
 89 | 1) AWS Simple Queue Service takes a few minutes to build, so please wait a few minutes before running `kitchen verify`.
 90 | 
 91 | 2) Known Terrafrom bug that affects Managed policy attachment shows up on a second `kitchen converge` or `kitchen destroy`. 
 92 | https://github.com/hashicorp/terraform/issues/5979 .
 93 | Please converge or destroy again to get past the error.
 94 | 
 95 | ## Questions
 96 | 
 97 | - see: https://newcontext-oss.github.io/kitchen-terraform/tutorials/amazon_provider_ec2.html
 98 | - see: https://github.com/chef/inspec-aws
 99 | 
100 | ## Developing
101 | 
102 | We use a feature-branch model for development. Plese create a fork and push a PR as a feature-branch.
103 | 
104 | ## NOTICE 
105 | 
106 | © 2018 The MITRE Corporation.  
107 | 
108 | Approved for Public Release; Distribution Unlimited. Case Number 18-3678.    
109 | 
110 | ## NOTICE
111 | MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
112 | 
113 | ## NOTICE  
114 | 
115 | This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.   
116 | 
117 | No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.   
118 | 
119 | For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA  22102-7539, (703) 983-6000.  
120 | 
121 | ## NOTICE
122 | 
123 | CIS Benchmarks are published by the Center for Internet Security (CIS), see: https://www.cisecurity.org/.
124 | 


--------------------------------------------------------------------------------
/TESTING_AGAINST_AWS.md:
--------------------------------------------------------------------------------
 1 | # Testing Against AWS - Integration Testing
 2 | 
 3 | ## Problem Statement
 4 | 
 5 | We want to be able to test AWS-related InSpec resources against AWS itself.  This means we need to create constructs ("test fixtures") in AWS to examine using InSpec.  For cost management, we also want to be able to destroy 
 6 | 
 7 | ## General Approach
 8 | 
 9 | We use Terraform to setup test fixtures in AWS, then run a CIS AWS Foundations Inspec Profile against these (which should all pass), and finally tear down the test fixtures with Terraform.  For fixtures that cannot be managed by Terraform, we manually setup fixtures using instructions below.
10 | 
11 | We use the AWS CLI credentials system to manage credentials.
12 | 
13 | 
14 | ### Installing Terraform
15 | 
16 | Download [Terraform](https://www.terraform.io/downloads.html).  We require at least v0.10 . To install and choose from multiple Terraform versions, consider using [tfenv](https://github.com/kamatama41/tfenv).
17 | 
18 | ### Installing AWS CLI
19 | 
20 | Install the [AWS CLI](http://docs.aws.amazon.com/cli/latest/userguide/installing.html). We will store profiles for testing in the `~/.aws/credentials` file.
21 | 
22 | ## Limitations
23 | 
24 | There are some things that we can't (or very much shouldn't) do via Terraform - like manipulating the root account MFA settings.
25 | 
26 | Also, there are some singleton resources (such as the default VPC, or Config status) that we should not manipulate without consequences.
27 | 
28 | ## Current Solution
29 | 
30 | Our solution is to create two AWS accounts, each dedicated to the task of integration testing inspec-aws.
31 | 
32 | In the "default" account, we setup all fixtures that can be handled by Terraform.  For any remaining fixtures,
33 | such as enabling MFA on the root account, we manually set one value in the "default" account, and manually set the opposing value in the "minimal" account.  This allows use to perform testing on any reachable resource or property, regardless of whether or not Terraform can manage it.
34 | 
35 | All tests (and test fixtures) that do not require special handling are placed in the "default" set.  That includes both positive and negative checks.
36 | 
37 | Note that some tests will fail for the first day or two after you set up the accounts, due to the tests checking properties such as the last usage time of an access key, for example.  
38 | 
39 | Additionally, the first time you run the tests, you will need to accept the user agreement in the AWS marketplace for the linux AMIs we use.  You'll need to do it 4 times, once for each of debian and centos on the two accounts.
40 | 
41 | ### Creating the build/verify account
42 | 
43 | Follow these instructions carefully.  Do not perform any action not specified.
44 | 
45 | 1. Create an AWS account.  Make a note of the account email and root password in a secure secret storage system.
46 | 2. Create an IAM user named `test-fixture-maker`.
47 |   * Enable programmatic access (to generate an access key)
48 |   * Note the access key and secret key ID that are generated.
49 | 3. Create an IAM Group named `test-fixture-maker-group`.
50 |   * Direct-attach the policy AdministratorAccess
51 |   * Add user `test-fixture-maker` to the group
52 | 
53 | 
54 | 
55 | 


--------------------------------------------------------------------------------
/pre-kitchen.rb:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/ruby
 2 | require 'yaml'
 3 | 
 4 | @run_kitchen = true
 5 | my_vars =
 6 |   [
 7 |     'AWS_ACCESS_KEY_ID',
 8 |     'AWS_SECRET_ACCESS_KEY',
 9 |     'TF_VAR_aws_ssh_key_id',
10 |     'TF_VAR_aws_access_key',
11 |     'TF_VAR_aws_secret_key',
12 |     'AWS_DEFAULT_REGION',
13 |     'AWS_DEFAULT_INSTANCE_TYPE',
14 |     'SSH_SG_CIDR',
15 |   ]
16 | 
17 | my_vars.each do |value|
18 |   if ENV.fetch(value,nil).to_s != ''
19 |     puts "#{value} is: " + ENV.fetch(value,nil).to_s
20 |   else
21 |     @run_kitchen=false
22 |     puts "Please set #{value}"
23 |   end
24 | end
25 | 
26 | puts "If you want to get JSON output, please set the USE_JSON = 'true'"
27 | 
28 | puts ''
29 | puts '----------'
30 | puts 'You are OK to run Test Kitchen' if @run_kitchen == true
31 | puts 'Please SET the above Envrioment variables before running kitchen' if @run_kitchen == false
32 | 
33 | require 'rubygems'; require 'json';
34 | 
35 | 
36 | my_vpcs =  JSON.parse(%x[aws ec2 describe-vpcs]);
37 | 
38 | 
39 | re = Regexp.union('false')
40 | if my_vpcs['Vpcs'][0]['IsDefault'].to_s.match(re)
41 | 	puts 'Default VPC does NOT exist'
42 |         puts ' --- '
43 | 	puts '  - please use an account/region with default VPC'
44 | 	puts '  - alternativelly,  consider hard-coding default vpc with terraform by setting Environment Variable to your VPC (below)'
45 | 	puts '  export TF_VAR_vpc_id=' + my_vpcs['Vpcs'][0]['VpcId']
46 | else
47 | 	puts 'Default VPC Exists'
48 | end


--------------------------------------------------------------------------------
/test/integration/cis/build/account_settings.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_iam_account_password_policy" "CISBenchmark" {
 2 |   minimum_password_length      = 14
 3 |   password_reuse_prevention    = 24
 4 |   max_password_age             = 90
 5 |   require_uppercase_characters = true
 6 |   require_lowercase_characters = true
 7 |   require_symbols              = true
 8 |   require_numbers              = true
 9 | }
10 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/aws.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = "> 0.10.0"
 3 | }
 4 | 
 5 | provider "aws" {
 6 |   access_key = "${var.aws_access_key}"
 7 |   secret_key = "${var.aws_secret_key}"
 8 |   region     = "${var.region}"
 9 |   version    = "~> 1.4"
10 | }
11 | 
12 | data "aws_caller_identity" "creds" {}
13 | 
14 | data "aws_region" "region" {}
15 | 
16 | provider "aws" {
17 |   alias  = "east1"
18 |   region = "us-east-1"
19 | }
20 | 
21 | provider "aws" {
22 |   alias  = "east2"
23 |   region = "us-east-2"
24 | }
25 | 
26 | provider "aws" {
27 |   alias  = "west1"
28 |   region = "us-west-1"
29 | }
30 | 
31 | provider "aws" {
32 |   alias  = "west2"
33 |   region = "us-west-2"
34 | }
35 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/cloudtrail.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_s3_bucket" "cloudtrail_bucket_access_log_bucket" {
  2 |   bucket_prefix = "${var.prefix}-cloudtrail-access-log-bucket-"
  3 |   force_destroy = true
  4 |   acl           = "log-delivery-write"
  5 | }
  6 | 
  7 | resource "aws_s3_bucket" "cloudtrail_bucket" {
  8 |   bucket_prefix = "${var.prefix}-cloudtrail-bucket-"
  9 |   force_destroy = true
 10 | 
 11 |   logging {
 12 |     target_bucket = "${aws_s3_bucket.cloudtrail_bucket_access_log_bucket.id}"
 13 |     target_prefix = "log/"
 14 |   }
 15 | }
 16 | 
 17 | resource "aws_s3_bucket_policy" "cloudtrail_bucket_policy" {
 18 |   bucket = "${aws_s3_bucket.cloudtrail_bucket.id}"
 19 | 
 20 |   policy = <<POLICY
 21 | {
 22 |     "Version": "2012-10-17",
 23 |     "Statement": [
 24 |         {
 25 |             "Sid": "AWSCloudTrailAclCheck",
 26 |             "Effect": "Allow",
 27 |             "Principal": {
 28 |               "Service": "cloudtrail.amazonaws.com"
 29 |             },
 30 |             "Action": "s3:GetBucketAcl",
 31 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail_bucket.id}"
 32 |         },
 33 |         {
 34 |             "Sid": "AWSCloudTrailWrite",
 35 |             "Effect": "Allow",
 36 |             "Principal": {
 37 |               "Service": "cloudtrail.amazonaws.com"
 38 |             },
 39 |             "Action": "s3:PutObject",
 40 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.cloudtrail_bucket.id}/*",
 41 |             "Condition": {
 42 |                 "StringEquals": {
 43 |                     "s3:x-amz-acl": "bucket-owner-full-control"
 44 |                 }
 45 |             }
 46 |         }
 47 |     ]
 48 | }
 49 | POLICY
 50 | }
 51 | 
 52 | resource "aws_iam_role" "cloud_watch_logs_role" {
 53 |   name = "${var.prefix}-cloud-watch-logs-role"
 54 | 
 55 |   assume_role_policy = <<POLICY
 56 | {
 57 |     "Version": "2012-10-17",
 58 |     "Statement": [
 59 |         {
 60 |           "Sid": "",
 61 |           "Effect": "Allow",
 62 |           "Principal": {
 63 |             "Service": "cloudtrail.amazonaws.com"
 64 |           },
 65 |           "Action": "sts:AssumeRole"
 66 |         }
 67 |     ]
 68 | }
 69 | POLICY
 70 | }
 71 | 
 72 | resource "aws_iam_role_policy" "cloud_watch_logs_role_policy" {
 73 |   depends_on = ["aws_iam_role.cloud_watch_logs_role"]
 74 | 
 75 |   name = "${var.prefix}-cloud-watch-logs-role-policy"
 76 |   role = "${var.prefix}-cloud-watch-logs-role"
 77 | 
 78 |   policy = <<POLICY
 79 | {
 80 |     "Version": "2012-10-17",
 81 |     "Statement": [
 82 |         {
 83 |             "Sid": "AWSCloudTrailCreateLogStream",
 84 |             "Effect": "Allow",
 85 |             "Action": [
 86 |                 "logs:CreateLogStream"
 87 |             ],
 88 |             "Resource": [
 89 |                 "arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.cloudwatch_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
 90 |             ]
 91 |         },
 92 |         {
 93 |             "Sid": "AWSCloudTrailPutLogEvents",
 94 |             "Effect": "Allow",
 95 |             "Action": [
 96 |                 "logs:PutLogEvents"
 97 |             ],
 98 |             "Resource": [
 99 |                 "arn:aws:logs:${data.aws_region.region.name}:${data.aws_caller_identity.creds.account_id}:log-group:${aws_cloudwatch_log_group.cloudwatch_log_group.name}:log-stream:${data.aws_caller_identity.creds.account_id}_CloudTrail_${data.aws_region.region.name}*"
100 |             ]
101 |         }
102 |     ]
103 | }
104 | POLICY
105 | }
106 | 
107 | resource "aws_kms_key" "cloudtrail_key" {
108 |   description             = "${var.prefix}-cloudtrail-key"
109 |   deletion_window_in_days = 7
110 |   enable_key_rotation     = true
111 | 
112 |   policy = <<POLICY
113 | {
114 |   "Version": "2012-10-17",
115 |   "Id": "Key policy created by CloudTrail",
116 |   "Statement": [
117 |     {
118 |       "Sid": "Enable IAM User Permissions",
119 |       "Effect": "Allow",
120 |       "Principal": {
121 |         "AWS": "arn:aws:iam::${data.aws_caller_identity.creds.account_id}:root"
122 |       },
123 |       "Action": "kms:*",
124 |       "Resource": "*"
125 |     },
126 |     {
127 |       "Sid": "Allow CloudTrail to encrypt logs",
128 |       "Effect": "Allow",
129 |       "Principal": {
130 |         "Service": "cloudtrail.amazonaws.com"
131 |       },
132 |       "Action": "kms:GenerateDataKey*",
133 |       "Resource": "*",
134 |       "Condition": {
135 |         "StringLike": {
136 |           "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.creds.account_id}:trail/*"
137 |         }
138 |       }
139 |     },
140 |     {
141 |       "Sid": "Allow CloudTrail to describe key",
142 |       "Effect": "Allow",
143 |       "Principal": {
144 |         "Service": "cloudtrail.amazonaws.com"
145 |       },
146 |       "Action": "kms:DescribeKey",
147 |       "Resource": "*"
148 |     },
149 |     {
150 |       "Sid": "Allow principals in the account to decrypt log files",
151 |       "Effect": "Allow",
152 |       "Principal": {
153 |         "AWS": "*"
154 |       },
155 |       "Action": [
156 |         "kms:Decrypt",
157 |         "kms:ReEncryptFrom"
158 |       ],
159 |       "Resource": "*",
160 |       "Condition": {
161 |         "StringEquals": {
162 |           "kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
163 |         },
164 |         "StringLike": {
165 |           "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:${data.aws_caller_identity.creds.account_id}:trail/*"
166 |         }
167 |       }
168 |     },
169 |     {
170 |       "Sid": "Allow alias creation during setup",
171 |       "Effect": "Allow",
172 |       "Principal": {
173 |         "AWS": "*"
174 |       },
175 |       "Action": "kms:CreateAlias",
176 |       "Resource": "*",
177 |       "Condition": {
178 |         "StringEquals": {
179 |           "kms:ViaService": "ec2.${data.aws_region.region.name}.amazonaws.com",
180 |           "kms:CallerAccount": "${data.aws_caller_identity.creds.account_id}"
181 |         }
182 |       }
183 |     }
184 |   ]
185 | }
186 | POLICY
187 | }
188 | 
189 | resource "aws_cloudtrail" "trail_1" {
190 |   depends_on = [
191 |     "aws_iam_role.cloud_watch_logs_role",
192 |     "aws_iam_role_policy.cloud_watch_logs_role_policy",
193 |     "aws_s3_bucket.cloudtrail_bucket",
194 |     "aws_s3_bucket_policy.cloudtrail_bucket_policy",
195 |     "aws_kms_key.cloudtrail_key",
196 |   ]
197 | 
198 |   name                          = "${var.prefix}-trail-01"
199 |   s3_bucket_name                = "${aws_s3_bucket.cloudtrail_bucket.id}"
200 |   include_global_service_events = true
201 |   enable_logging                = true
202 |   is_multi_region_trail         = true
203 |   enable_log_file_validation    = true
204 | 
205 |   cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudwatch_log_group.arn}"
206 |   cloud_watch_logs_role_arn  = "${aws_iam_role.cloud_watch_logs_role.arn}"
207 |   kms_key_id                 = "${aws_kms_key.cloudtrail_key.arn}"
208 | }
209 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/cloudwatch.tf:
--------------------------------------------------------------------------------
  1 | #===========================================================================#
  2 | #                  Cloudwatch Log Group For Cloudwatch Alarm
  3 | #===========================================================================#
  4 | 
  5 | resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
  6 |   name = "${var.prefix}-cloudwatch-log-group"
  7 | }
  8 | 
  9 | #===========================================================================#
 10 | #                      SNS Topic For Cloudwatch Alarm
 11 | #===========================================================================#
 12 | 
 13 | resource "aws_sns_topic" "metric_sns" {
 14 |   name = "${var.prefix}-metric-sns"
 15 | }
 16 | 
 17 | resource "aws_sqs_queue" "sqs_metric_sns" {
 18 |   name = "${var.prefix}-sqs-metric-sns"
 19 | }
 20 | 
 21 | resource "aws_sns_topic_subscription" "metric_sns_subscription" {
 22 |   topic_arn = "${aws_sns_topic.metric_sns.arn}"
 23 |   protocol  = "sqs"
 24 |   endpoint  = "${aws_sqs_queue.sqs_metric_sns.arn}"
 25 | }
 26 | 
 27 | # Contains resources and outputs related to testing the aws_cloudwatch_* resources.
 28 | 
 29 | #======================================================#
 30 | #                    Log Metric Filters
 31 | #======================================================#
 32 | 
 33 | # pattern = '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
 34 | 
 35 | resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls_metric" {
 36 |   name = "unauthorized_api_calls_metric"
 37 | 
 38 |   pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
 39 | 
 40 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
 41 | 
 42 |   metric_transformation {
 43 |     name      = "unauthorized_api_calls_metric"
 44 |     namespace = "CISBenchmark"
 45 |     value     = "1"
 46 |   }
 47 | }
 48 | 
 49 | resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls_alarm" {
 50 |   alarm_name          = "unauthorized_api_calls_alarm"
 51 |   comparison_operator = "GreaterThanOrEqualToThreshold"
 52 |   evaluation_periods  = "1"
 53 |   metric_name         = "unauthorized_api_calls_metric"
 54 |   namespace           = "CISBenchmark"
 55 |   period              = "300"
 56 |   statistic           = "Sum"
 57 |   threshold           = "1"
 58 | 
 59 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
 60 | }
 61 | 
 62 | # pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
 63 | 
 64 | resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_metric" {
 65 |   name = "no_mfa_console_signin_metric"
 66 | 
 67 |   pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
 68 | 
 69 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
 70 | 
 71 |   metric_transformation {
 72 |     name      = "no_mfa_console_signin_metric"
 73 |     namespace = "CISBenchmark"
 74 |     value     = "1"
 75 |   }
 76 | }
 77 | 
 78 | resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin_alarm" {
 79 |   alarm_name          = "no_mfa_console_signin_alarm"
 80 |   comparison_operator = "GreaterThanOrEqualToThreshold"
 81 |   evaluation_periods  = "1"
 82 |   metric_name         = "no_mfa_console_signin_metric"
 83 |   namespace           = "CISBenchmark"
 84 |   period              = "300"
 85 |   statistic           = "Sum"
 86 |   threshold           = "1"
 87 | 
 88 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
 89 | }
 90 | 
 91 | # pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
 92 | 
 93 | resource "aws_cloudwatch_log_metric_filter" "root_usage_metric" {
 94 |   name = "root_usage_metric"
 95 | 
 96 |   pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
 97 | 
 98 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
 99 | 
100 |   metric_transformation {
101 |     name      = "root_usage_metric"
102 |     namespace = "CISBenchmark"
103 |     value     = "1"
104 |   }
105 | }
106 | 
107 | resource "aws_cloudwatch_metric_alarm" "root_usage_alarm" {
108 |   alarm_name          = "root_usage_alarm"
109 |   comparison_operator = "GreaterThanOrEqualToThreshold"
110 |   evaluation_periods  = "1"
111 |   metric_name         = "root_usage_metric"
112 |   namespace           = "CISBenchmark"
113 |   period              = "300"
114 |   statistic           = "Sum"
115 |   threshold           = "1"
116 | 
117 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
118 | }
119 | 
120 | # pattern = "{ ($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
121 | 
122 | resource "aws_cloudwatch_log_metric_filter" "iam_changes_metric" {
123 |   name = "iam_changes_metric"
124 | 
125 |   pattern = "{ ($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy) }"
126 | 
127 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
128 | 
129 |   metric_transformation {
130 |     name      = "iam_changes_metric"
131 |     namespace = "CISBenchmark"
132 |     value     = "1"
133 |   }
134 | }
135 | 
136 | resource "aws_cloudwatch_metric_alarm" "iam_changes_alarm" {
137 |   alarm_name          = "iam_changes_alarm"
138 |   comparison_operator = "GreaterThanOrEqualToThreshold"
139 |   evaluation_periods  = "1"
140 |   metric_name         = "iam_changes_metric"
141 |   namespace           = "CISBenchmark"
142 |   period              = "300"
143 |   statistic           = "Sum"
144 |   threshold           = "1"
145 | 
146 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
147 | }
148 | 
149 | # pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
150 | 
151 | resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes_metric" {
152 |   name = "cloudtrail_cfg_changes_metric"
153 | 
154 |   pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
155 | 
156 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
157 | 
158 |   metric_transformation {
159 |     name      = "cloudtrail_cfg_changes_metric"
160 |     namespace = "CISBenchmark"
161 |     value     = "1"
162 |   }
163 | }
164 | 
165 | resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes_alarm" {
166 |   alarm_name          = "cloudtrail_cfg_changes_alarm"
167 |   comparison_operator = "GreaterThanOrEqualToThreshold"
168 |   evaluation_periods  = "1"
169 |   metric_name         = "cloudtrail_cfg_changes_metric"
170 |   namespace           = "CISBenchmark"
171 |   period              = "300"
172 |   statistic           = "Sum"
173 |   threshold           = "1"
174 | 
175 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
176 | }
177 | 
178 | # pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
179 | 
180 | resource "aws_cloudwatch_log_metric_filter" "console_signin_failure_metric" {
181 |   name = "console_signin_failure_metric"
182 | 
183 |   pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
184 | 
185 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
186 | 
187 |   metric_transformation {
188 |     name      = "console_signin_failure_metric"
189 |     namespace = "CISBenchmark"
190 |     value     = "1"
191 |   }
192 | }
193 | 
194 | resource "aws_cloudwatch_metric_alarm" "console_signin_failure_alarm" {
195 |   alarm_name          = "console_signin_failure_alarm"
196 |   comparison_operator = "GreaterThanOrEqualToThreshold"
197 |   evaluation_periods  = "1"
198 |   metric_name         = "console_signin_failure_metric"
199 |   namespace           = "CISBenchmark"
200 |   period              = "300"
201 |   statistic           = "Sum"
202 |   threshold           = "1"
203 | 
204 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
205 | }
206 | 
207 | # pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName=DisableKey)||($.eventName=ScheduleKeyDeletion))}"
208 | 
209 | resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk_metric" {
210 |   name = "disable_or_delete_cmk_metric"
211 | 
212 |   pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
213 | 
214 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
215 | 
216 |   metric_transformation {
217 |     name      = "disable_or_delete_cmk_metric"
218 |     namespace = "CISBenchmark"
219 |     value     = "1"
220 |   }
221 | }
222 | 
223 | resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk_alarm" {
224 |   alarm_name          = "disable_or_delete_cmk_alarm"
225 |   comparison_operator = "GreaterThanOrEqualToThreshold"
226 |   evaluation_periods  = "1"
227 |   metric_name         = "disable_or_delete_cmk_metric"
228 |   namespace           = "CISBenchmark"
229 |   period              = "300"
230 |   statistic           = "Sum"
231 |   threshold           = "1"
232 | 
233 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
234 | }
235 | 
236 | # pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
237 | 
238 | resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes_metric" {
239 |   name = "s3_bucket_policy_changes_metric"
240 | 
241 |   pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
242 | 
243 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
244 | 
245 |   metric_transformation {
246 |     name      = "s3_bucket_policy_changes_metric"
247 |     namespace = "CISBenchmark"
248 |     value     = "1"
249 |   }
250 | }
251 | 
252 | resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes_alarm" {
253 |   alarm_name          = "s3_bucket_policy_changes_alarm"
254 |   comparison_operator = "GreaterThanOrEqualToThreshold"
255 |   evaluation_periods  = "1"
256 |   metric_name         = "s3_bucket_policy_changes_metric"
257 |   namespace           = "CISBenchmark"
258 |   period              = "300"
259 |   statistic           = "Sum"
260 |   threshold           = "1"
261 | 
262 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
263 | }
264 | 
265 | # pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
266 | 
267 | resource "aws_cloudwatch_log_metric_filter" "aws_config_changes_metric" {
268 |   name = "aws_config_changes_metric"
269 | 
270 |   pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder))}"
271 | 
272 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
273 | 
274 |   metric_transformation {
275 |     name      = "aws_config_changes_metric"
276 |     namespace = "CISBenchmark"
277 |     value     = "1"
278 |   }
279 | }
280 | 
281 | resource "aws_cloudwatch_metric_alarm" "aws_config_changes_alarm" {
282 |   alarm_name          = "aws_config_changes_alarm"
283 |   comparison_operator = "GreaterThanOrEqualToThreshold"
284 |   evaluation_periods  = "1"
285 |   metric_name         = "aws_config_changes_metric"
286 |   namespace           = "CISBenchmark"
287 |   period              = "300"
288 |   statistic           = "Sum"
289 |   threshold           = "1"
290 | 
291 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
292 | }
293 | 
294 | # pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
295 | 
296 | resource "aws_cloudwatch_log_metric_filter" "security_group_changes_metric" {
297 |   name = "security_group_changes_metric"
298 | 
299 |   pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }"
300 | 
301 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
302 | 
303 |   metric_transformation {
304 |     name      = "security_group_changes_metric"
305 |     namespace = "CISBenchmark"
306 |     value     = "1"
307 |   }
308 | }
309 | 
310 | resource "aws_cloudwatch_metric_alarm" "security_group_changes_alarm" {
311 |   alarm_name          = "security_group_changes_alarm"
312 |   comparison_operator = "GreaterThanOrEqualToThreshold"
313 |   evaluation_periods  = "1"
314 |   metric_name         = "security_group_changes_metric"
315 |   namespace           = "CISBenchmark"
316 |   period              = "300"
317 |   statistic           = "Sum"
318 |   threshold           = "1"
319 | 
320 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
321 | }
322 | 
323 | # pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
324 | 
325 | resource "aws_cloudwatch_log_metric_filter" "nacl_changes_metric" {
326 |   name = "nacl_changes_metric"
327 | 
328 |   pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
329 | 
330 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
331 | 
332 |   metric_transformation {
333 |     name      = "nacl_changes_metric"
334 |     namespace = "CISBenchmark"
335 |     value     = "1"
336 |   }
337 | }
338 | 
339 | resource "aws_cloudwatch_metric_alarm" "nacl_changes_alarm" {
340 |   alarm_name          = "nacl_changes_alarm"
341 |   comparison_operator = "GreaterThanOrEqualToThreshold"
342 |   evaluation_periods  = "1"
343 |   metric_name         = "nacl_changes_metric"
344 |   namespace           = "CISBenchmark"
345 |   period              = "300"
346 |   statistic           = "Sum"
347 |   threshold           = "1"
348 | 
349 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
350 | }
351 | 
352 | # pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
353 | 
354 | resource "aws_cloudwatch_log_metric_filter" "network_gw_changes_metric" {
355 |   name = "network_gw_changes_metric"
356 | 
357 |   pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
358 | 
359 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
360 | 
361 |   metric_transformation {
362 |     name      = "network_gw_changes_metric"
363 |     namespace = "CISBenchmark"
364 |     value     = "1"
365 |   }
366 | }
367 | 
368 | resource "aws_cloudwatch_metric_alarm" "network_gw_changes_alarm" {
369 |   alarm_name          = "network_gw_changes_alarm"
370 |   comparison_operator = "GreaterThanOrEqualToThreshold"
371 |   evaluation_periods  = "1"
372 |   metric_name         = "network_gw_changes_metric"
373 |   namespace           = "CISBenchmark"
374 |   period              = "300"
375 |   statistic           = "Sum"
376 |   threshold           = "1"
377 | 
378 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
379 | }
380 | 
381 | # pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
382 | 
383 | resource "aws_cloudwatch_log_metric_filter" "route_table_changes_metric" {
384 |   name = "route_table_changes_metric"
385 | 
386 |   pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
387 | 
388 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
389 | 
390 |   metric_transformation {
391 |     name      = "route_table_changes_metric"
392 |     namespace = "CISBenchmark"
393 |     value     = "1"
394 |   }
395 | }
396 | 
397 | resource "aws_cloudwatch_metric_alarm" "route_table_changes_alarm" {
398 |   alarm_name          = "route_table_changes_alarm"
399 |   comparison_operator = "GreaterThanOrEqualToThreshold"
400 |   evaluation_periods  = "1"
401 |   metric_name         = "route_table_changes_metric"
402 |   namespace           = "CISBenchmark"
403 |   period              = "300"
404 |   statistic           = "Sum"
405 |   threshold           = "1"
406 | 
407 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
408 | }
409 | 
410 | # pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
411 | 
412 | resource "aws_cloudwatch_log_metric_filter" "vpc_changes_metric" {
413 |   name = "vpc_changes_metric"
414 | 
415 |   pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
416 | 
417 |   log_group_name = "${aws_cloudwatch_log_group.cloudwatch_log_group.name}"
418 | 
419 |   metric_transformation {
420 |     name      = "vpc_changes_metric"
421 |     namespace = "CISBenchmark"
422 |     value     = "1"
423 |   }
424 | }
425 | 
426 | resource "aws_cloudwatch_metric_alarm" "vpc_changes_alarm" {
427 |   alarm_name          = "vpc_changes_alarm"
428 |   comparison_operator = "GreaterThanOrEqualToThreshold"
429 |   evaluation_periods  = "1"
430 |   metric_name         = "vpc_changes_metric"
431 |   namespace           = "CISBenchmark"
432 |   period              = "300"
433 |   statistic           = "Sum"
434 |   threshold           = "1"
435 | 
436 |   alarm_actions = ["${aws_sns_topic.metric_sns.arn}"]
437 | }
438 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/configservice.tf:
--------------------------------------------------------------------------------
 1 | #======================================================#
 2 | #              Bucket for ConfigService
 3 | #======================================================#
 4 | 
 5 | resource "aws_s3_bucket" "config_delivery_bucket" {
 6 |   bucket_prefix = "${var.prefix}-config-delivery-bucket-"
 7 |   force_destroy = true
 8 | }
 9 | 
10 | #======================================================#
11 | #              ConfigServiceRole Policy 
12 | #======================================================#
13 | 
14 | data "aws_iam_policy" "AWSConfigRole" {
15 |   arn = "arn:aws:iam::aws:policy/service-role/AWSConfigRole"
16 | }
17 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/configservice_us_east_1.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #                 Recorder us-east-1
  3 | #======================================================#
  4 | 
  5 | resource "aws_iam_role" "config_recorder_role_east1" {
  6 |   name = "${var.prefix}-config-recorder-role-east1"
  7 | 
  8 |   assume_role_policy = <<POLICY
  9 | {
 10 |   "Version": "2012-10-17",
 11 |   "Statement": [
 12 |     {
 13 |       "Sid": "",
 14 |       "Effect": "Allow",
 15 |       "Principal": {
 16 |         "Service": "config.amazonaws.com"
 17 |       },
 18 |       "Action": "sts:AssumeRole"
 19 |     }
 20 |   ]
 21 | }
 22 | POLICY
 23 | }
 24 | 
 25 | resource "aws_iam_policy_attachment" "attach_east1" {
 26 |   name       = "config-role-attachment"
 27 |   roles      = ["${aws_iam_role.config_recorder_role_east1.id}"]
 28 |   policy_arn = "${data.aws_iam_policy.AWSConfigRole.arn}"
 29 | 
 30 |   depends_on = [
 31 |     "aws_iam_role.config_recorder_role_east1",
 32 |     "data.aws_iam_policy.AWSConfigRole",
 33 |   ]
 34 | }
 35 | 
 36 | resource "aws_sns_topic" "config_sns_east1" {
 37 |   provider = "aws.east1"
 38 |   name     = "${var.prefix}-config-sns"
 39 | }
 40 | 
 41 | resource "aws_sqs_queue" "config_sqs_east1" {
 42 |   provider = "aws.east1"
 43 |   name     = "${var.prefix}-config-sqs"
 44 | }
 45 | 
 46 | resource "aws_sns_topic_subscription" "config_sns_subscription_east1" {
 47 |   provider  = "aws.east1"
 48 |   topic_arn = "${aws_sns_topic.config_sns_east1.arn}"
 49 |   protocol  = "sqs"
 50 |   endpoint  = "${aws_sqs_queue.config_sqs_east1.arn}"
 51 | }
 52 | 
 53 | resource "aws_iam_role_policy" "config_recorder_role_policy_east1" {
 54 |   provider   = "aws.east1"
 55 |   name       = "config-recorder-role-policy_east1"
 56 |   role       = "${aws_iam_role.config_recorder_role_east1.id}"
 57 |   depends_on = ["aws_iam_role.config_recorder_role_east1"]
 58 | 
 59 |   policy = <<POLICY
 60 | {
 61 |     "Version": "2012-10-17",
 62 |     "Statement": [
 63 |         {
 64 |             "Effect": "Allow",
 65 |             "Action": [
 66 |                 "s3:PutObject*"
 67 |             ],
 68 |             "Resource": [
 69 |                 "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}/us-east-1/AWSLogs/${data.aws_caller_identity.creds.account_id}/*"
 70 |             ],
 71 |             "Condition": {
 72 |                 "StringLike": {
 73 |                     "s3:x-amz-acl": "bucket-owner-full-control"
 74 |                 }
 75 |             }
 76 |         },
 77 |         {
 78 |             "Effect": "Allow",
 79 |             "Action": [
 80 |                 "s3:GetBucketAcl"
 81 |             ],
 82 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": "sns:Publish",
 87 |             "Resource": "${aws_sns_topic.config_sns_east1.arn}"
 88 |         }
 89 |     ]
 90 | }
 91 | POLICY
 92 | }
 93 | 
 94 | resource "aws_config_configuration_recorder_status" "config_recorder_status_east1" {
 95 |   provider   = "aws.east1"
 96 |   name       = "${aws_config_configuration_recorder.config_recorder_east1.name}"
 97 |   is_enabled = true
 98 |   depends_on = ["aws_config_delivery_channel.config_delivery_channel_east1"]
 99 | }
100 | 
101 | resource "aws_config_delivery_channel" "config_delivery_channel_east1" {
102 |   provider       = "aws.east1"
103 |   name           = "default"
104 |   s3_bucket_name = "${aws_s3_bucket.config_delivery_bucket.bucket}"
105 | 
106 |   s3_key_prefix = "us-east-1"
107 |   sns_topic_arn = "${aws_sns_topic.config_sns_east1.arn}"
108 |   depends_on    = ["aws_config_configuration_recorder.config_recorder_east1"]
109 | }
110 | 
111 | resource "aws_config_configuration_recorder" "config_recorder_east1" {
112 |   provider = "aws.east1"
113 |   name     = "default"
114 |   role_arn = "${aws_iam_role.config_recorder_role_east1.arn}"
115 | 
116 |   recording_group = {
117 |     all_supported                 = true
118 |     include_global_resource_types = true
119 |   }
120 | }
121 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/configservice_us_east_2.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #                 Recorder us-east-2
  3 | #======================================================#
  4 | 
  5 | resource "aws_iam_role" "config_recorder_role_east2" {
  6 |   name = "${var.prefix}-config-recorder-role-east2"
  7 | 
  8 |   assume_role_policy = <<POLICY
  9 | {
 10 |   "Version": "2012-10-17",
 11 |   "Statement": [
 12 |     {
 13 |       "Sid": "",
 14 |       "Effect": "Allow",
 15 |       "Principal": {
 16 |         "Service": "config.amazonaws.com"
 17 |       },
 18 |       "Action": "sts:AssumeRole"
 19 |     }
 20 |   ]
 21 | }
 22 | POLICY
 23 | }
 24 | 
 25 | resource "aws_iam_policy_attachment" "attach_east2" {
 26 |   name       = "config-role-attachment"
 27 |   roles      = ["${aws_iam_role.config_recorder_role_east2.id}"]
 28 |   policy_arn = "${data.aws_iam_policy.AWSConfigRole.arn}"
 29 | 
 30 |   depends_on = [
 31 |     "aws_iam_role.config_recorder_role_east2",
 32 |     "data.aws_iam_policy.AWSConfigRole",
 33 |   ]
 34 | }
 35 | 
 36 | resource "aws_sns_topic" "config_sns_east2" {
 37 |   provider = "aws.east2"
 38 |   name     = "${var.prefix}-config-sns"
 39 | }
 40 | 
 41 | resource "aws_sqs_queue" "config_sqs_east2" {
 42 |   provider = "aws.east2"
 43 |   name     = "${var.prefix}-config-sqs"
 44 | }
 45 | 
 46 | resource "aws_sns_topic_subscription" "config_sns_subscription_east2" {
 47 |   provider  = "aws.east2"
 48 |   topic_arn = "${aws_sns_topic.config_sns_east2.arn}"
 49 |   protocol  = "sqs"
 50 |   endpoint  = "${aws_sqs_queue.config_sqs_east2.arn}"
 51 | }
 52 | 
 53 | resource "aws_iam_role_policy" "config_recorder_role_policy_east2" {
 54 |   provider   = "aws.east2"
 55 |   name       = "config-recorder-role-policy_east2"
 56 |   role       = "${aws_iam_role.config_recorder_role_east2.id}"
 57 |   depends_on = ["aws_iam_role.config_recorder_role_east2"]
 58 | 
 59 |   policy = <<POLICY
 60 | {
 61 |     "Version": "2012-10-17",
 62 |     "Statement": [
 63 |         {
 64 |             "Effect": "Allow",
 65 |             "Action": [
 66 |                 "s3:PutObject*"
 67 |             ],
 68 |             "Resource": [
 69 |                 "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}/us-east-2/AWSLogs/${data.aws_caller_identity.creds.account_id}/*"
 70 |             ],
 71 |             "Condition": {
 72 |                 "StringLike": {
 73 |                     "s3:x-amz-acl": "bucket-owner-full-control"
 74 |                 }
 75 |             }
 76 |         },
 77 |         {
 78 |             "Effect": "Allow",
 79 |             "Action": [
 80 |                 "s3:GetBucketAcl"
 81 |             ],
 82 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": "sns:Publish",
 87 |             "Resource": "${aws_sns_topic.config_sns_east2.arn}"
 88 |         }
 89 |     ]
 90 | }
 91 | POLICY
 92 | }
 93 | 
 94 | resource "aws_config_configuration_recorder_status" "config_recorder_status_east2" {
 95 |   provider   = "aws.east2"
 96 |   name       = "${aws_config_configuration_recorder.config_recorder_east2.name}"
 97 |   is_enabled = true
 98 |   depends_on = ["aws_config_delivery_channel.config_delivery_channel_east2"]
 99 | }
100 | 
101 | resource "aws_config_delivery_channel" "config_delivery_channel_east2" {
102 |   provider       = "aws.east2"
103 |   name           = "default"
104 |   s3_bucket_name = "${aws_s3_bucket.config_delivery_bucket.bucket}"
105 | 
106 |   s3_key_prefix = "us-east-2"
107 |   sns_topic_arn = "${aws_sns_topic.config_sns_east2.arn}"
108 |   depends_on    = ["aws_config_configuration_recorder.config_recorder_east2"]
109 | }
110 | 
111 | resource "aws_config_configuration_recorder" "config_recorder_east2" {
112 |   provider = "aws.east2"
113 |   name     = "default"
114 |   role_arn = "${aws_iam_role.config_recorder_role_east2.arn}"
115 | 
116 |   recording_group = {
117 |     all_supported                 = true
118 |     include_global_resource_types = true
119 |   }
120 | }
121 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/configservice_us_west_1.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #                 Recorder us-west-1
  3 | #======================================================#
  4 | 
  5 | resource "aws_iam_role" "config_recorder_role_west1" {
  6 |   name = "${var.prefix}-config-recorder-role-west1"
  7 | 
  8 |   assume_role_policy = <<POLICY
  9 | {
 10 |   "Version": "2012-10-17",
 11 |   "Statement": [
 12 |     {
 13 |       "Sid": "",
 14 |       "Effect": "Allow",
 15 |       "Principal": {
 16 |         "Service": "config.amazonaws.com"
 17 |       },
 18 |       "Action": "sts:AssumeRole"
 19 |     }
 20 |   ]
 21 | }
 22 | POLICY
 23 | }
 24 | 
 25 | resource "aws_iam_policy_attachment" "attach_west1" {
 26 |   name       = "config-role-attachment"
 27 |   roles      = ["${aws_iam_role.config_recorder_role_west1.id}"]
 28 |   policy_arn = "${data.aws_iam_policy.AWSConfigRole.arn}"
 29 | 
 30 |   depends_on = [
 31 |     "aws_iam_role.config_recorder_role_west1",
 32 |     "data.aws_iam_policy.AWSConfigRole",
 33 |   ]
 34 | }
 35 | 
 36 | resource "aws_sns_topic" "config_sns_west1" {
 37 |   provider = "aws.west1"
 38 |   name     = "${var.prefix}-config-sns"
 39 | }
 40 | 
 41 | resource "aws_sqs_queue" "config_sqs_west1" {
 42 |   provider = "aws.west1"
 43 |   name     = "${var.prefix}-config-sqs"
 44 | }
 45 | 
 46 | resource "aws_sns_topic_subscription" "config_sns_subscription_west1" {
 47 |   provider  = "aws.west1"
 48 |   topic_arn = "${aws_sns_topic.config_sns_west1.arn}"
 49 |   protocol  = "sqs"
 50 |   endpoint  = "${aws_sqs_queue.config_sqs_west1.arn}"
 51 | }
 52 | 
 53 | resource "aws_iam_role_policy" "config_recorder_role_policy_west1" {
 54 |   provider   = "aws.west1"
 55 |   name       = "config-recorder-role-policy_west1"
 56 |   role       = "${aws_iam_role.config_recorder_role_west1.id}"
 57 |   depends_on = ["aws_iam_role.config_recorder_role_west1"]
 58 | 
 59 |   policy = <<POLICY
 60 | {
 61 |     "Version": "2012-10-17",
 62 |     "Statement": [
 63 |         {
 64 |             "Effect": "Allow",
 65 |             "Action": [
 66 |                 "s3:PutObject*"
 67 |             ],
 68 |             "Resource": [
 69 |                 "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}/us-west-1/AWSLogs/${data.aws_caller_identity.creds.account_id}/*"
 70 |             ],
 71 |             "Condition": {
 72 |                 "StringLike": {
 73 |                     "s3:x-amz-acl": "bucket-owner-full-control"
 74 |                 }
 75 |             }
 76 |         },
 77 |         {
 78 |             "Effect": "Allow",
 79 |             "Action": [
 80 |                 "s3:GetBucketAcl"
 81 |             ],
 82 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": "sns:Publish",
 87 |             "Resource": "${aws_sns_topic.config_sns_west1.arn}"
 88 |         }
 89 |     ]
 90 | }
 91 | POLICY
 92 | }
 93 | 
 94 | resource "aws_config_configuration_recorder_status" "config_recorder_status_west1" {
 95 |   provider   = "aws.west1"
 96 |   name       = "${aws_config_configuration_recorder.config_recorder_west1.name}"
 97 |   is_enabled = true
 98 |   depends_on = ["aws_config_delivery_channel.config_delivery_channel_west1"]
 99 | }
100 | 
101 | resource "aws_config_delivery_channel" "config_delivery_channel_west1" {
102 |   provider       = "aws.west1"
103 |   name           = "default"
104 |   s3_bucket_name = "${aws_s3_bucket.config_delivery_bucket.bucket}"
105 | 
106 |   s3_key_prefix = "us-west-1"
107 |   sns_topic_arn = "${aws_sns_topic.config_sns_west1.arn}"
108 |   depends_on    = ["aws_config_configuration_recorder.config_recorder_west1"]
109 | }
110 | 
111 | resource "aws_config_configuration_recorder" "config_recorder_west1" {
112 |   provider = "aws.west1"
113 |   name     = "default"
114 |   role_arn = "${aws_iam_role.config_recorder_role_west1.arn}"
115 | 
116 |   recording_group = {
117 |     all_supported                 = true
118 |     include_global_resource_types = true
119 |   }
120 | }
121 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/configservice_us_west_2.tf:
--------------------------------------------------------------------------------
  1 | # ======================================================#
  2 | #                 Recorder us-west-2
  3 | # ======================================================#
  4 | 
  5 | resource "aws_iam_role" "config_recorder_role_west2" {
  6 |   name = "${var.prefix}-config-recorder-role-west2"
  7 | 
  8 |   assume_role_policy = <<POLICY
  9 | {
 10 |   "Version": "2012-10-17",
 11 |   "Statement": [
 12 |     {
 13 |       "Sid": "",
 14 |       "Effect": "Allow",
 15 |       "Principal": {
 16 |         "Service": "config.amazonaws.com"
 17 |       },
 18 |       "Action": "sts:AssumeRole"
 19 |     }
 20 |   ]
 21 | }
 22 | POLICY
 23 | }
 24 | 
 25 | resource "aws_iam_policy_attachment" "attach_west2" {
 26 |   name       = "config-role-attachment"
 27 |   roles      = ["${aws_iam_role.config_recorder_role_west2.id}"]
 28 |   policy_arn = "${data.aws_iam_policy.AWSConfigRole.arn}"
 29 | 
 30 |   depends_on = [
 31 |     "aws_iam_role.config_recorder_role_west2",
 32 |     "data.aws_iam_policy.AWSConfigRole",
 33 |   ]
 34 | }
 35 | 
 36 | resource "aws_sns_topic" "config_sns_west2" {
 37 |   provider = "aws.west2"
 38 |   name     = "${var.prefix}-config-sns"
 39 | }
 40 | 
 41 | resource "aws_sqs_queue" "config_sqs_west2" {
 42 |   provider = "aws.west2"
 43 |   name     = "${var.prefix}-config-sqs"
 44 | }
 45 | 
 46 | resource "aws_sns_topic_subscription" "config_sns_subscription_west2" {
 47 |   provider  = "aws.west2"
 48 |   topic_arn = "${aws_sns_topic.config_sns_west2.arn}"
 49 |   protocol  = "sqs"
 50 |   endpoint  = "${aws_sqs_queue.config_sqs_west2.arn}"
 51 | }
 52 | 
 53 | resource "aws_iam_role_policy" "config_recorder_role_policy_west2" {
 54 |   provider   = "aws.west2"
 55 |   name       = "config-recorder-role-policy_west2"
 56 |   role       = "${aws_iam_role.config_recorder_role_west2.id}"
 57 |   depends_on = ["aws_iam_role.config_recorder_role_west2"]
 58 | 
 59 |   policy = <<POLICY
 60 | {
 61 |     "Version": "2012-10-17",
 62 |     "Statement": [
 63 |         {
 64 |             "Effect": "Allow",
 65 |             "Action": [
 66 |                 "s3:PutObject*"
 67 |             ],
 68 |             "Resource": [
 69 |                 "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}/us-west-2/AWSLogs/${data.aws_caller_identity.creds.account_id}/*"
 70 |             ],
 71 |             "Condition": {
 72 |                 "StringLike": {
 73 |                     "s3:x-amz-acl": "bucket-owner-full-control"
 74 |                 }
 75 |             }
 76 |         },
 77 |         {
 78 |             "Effect": "Allow",
 79 |             "Action": [
 80 |                 "s3:GetBucketAcl"
 81 |             ],
 82 |             "Resource": "arn:aws:s3:::${aws_s3_bucket.config_delivery_bucket.bucket}"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": "sns:Publish",
 87 |             "Resource": "${aws_sns_topic.config_sns_west2.arn}"
 88 |         }
 89 |     ]
 90 | }
 91 | POLICY
 92 | }
 93 | 
 94 | resource "aws_config_configuration_recorder_status" "config_recorder_status_west2" {
 95 |   provider   = "aws.west2"
 96 |   name       = "${aws_config_configuration_recorder.config_recorder_west2.name}"
 97 |   is_enabled = true
 98 |   depends_on = ["aws_config_delivery_channel.config_delivery_channel_west2"]
 99 | }
100 | 
101 | resource "aws_config_delivery_channel" "config_delivery_channel_west2" {
102 |   provider       = "aws.west2"
103 |   name           = "default"
104 |   s3_bucket_name = "${aws_s3_bucket.config_delivery_bucket.bucket}"
105 | 
106 |   s3_key_prefix = "us-west-2"
107 |   sns_topic_arn = "${aws_sns_topic.config_sns_west2.arn}"
108 |   depends_on    = ["aws_config_configuration_recorder.config_recorder_west2"]
109 | }
110 | 
111 | resource "aws_config_configuration_recorder" "config_recorder_west2" {
112 |   provider = "aws.west2"
113 |   name     = "default"
114 |   role_arn = "${aws_iam_role.config_recorder_role_west2.arn}"
115 | 
116 |   recording_group = {
117 |     all_supported                 = true
118 |     include_global_resource_types = true
119 |   }
120 | }
121 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/ec2.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #                    EC2 Instances
  3 | #======================================================#
  4 | 
  5 | resource "aws_instance" "aws_support_access_instance" {
  6 |   ami                    = "${data.aws_ami.centos.id}"
  7 |   instance_type          = "${var.instance_type}"
  8 |   vpc_security_group_ids = ["${aws_security_group.ssh.id}"]
  9 |   iam_instance_profile   = "${aws_iam_instance_profile.aws_support_access_instance_profile.name}"
 10 |   key_name               = "${var.aws_ssh_key_id}"
 11 | 
 12 |   tags {
 13 |     Name = "${var.prefix}.aws_support_access_instance"
 14 |   }
 15 | }
 16 | 
 17 | #----------------- has_role property ------------------#
 18 | 
 19 | # Has a role
 20 | resource "aws_iam_role" "aws_support_access_role" {
 21 |   name = "${var.prefix}.aws_support_access_role"
 22 | 
 23 |   assume_role_policy = <<EOF
 24 | {
 25 |   "Version": "2012-10-17",
 26 |   "Statement": [
 27 |     {
 28 |       "Action": "sts:AssumeRole",
 29 |       "Principal": {
 30 |         "Service": "ec2.amazonaws.com"
 31 |       },
 32 |       "Effect": "Allow",
 33 |       "Sid": ""
 34 |     }
 35 |   ]
 36 | }
 37 | EOF
 38 | }
 39 | 
 40 | data "aws_iam_policy" "AWSSupportAccess" {
 41 |   arn = "arn:aws:iam::aws:policy/AWSSupportAccess"
 42 | }
 43 | 
 44 | resource "aws_iam_role_policy_attachment" "aws_support_access_role_attach" {
 45 |   role       = "${aws_iam_role.aws_support_access_role.name}"
 46 |   policy_arn = "${data.aws_iam_policy.AWSSupportAccess.arn}"
 47 | 
 48 |   depends_on = [
 49 |     "aws_iam_role.aws_support_access_role",
 50 |     "data.aws_iam_policy.AWSSupportAccess",
 51 |   ]
 52 | }
 53 | 
 54 | resource "aws_iam_instance_profile" "aws_support_access_instance_profile" {
 55 |   name = "${var.prefix}.aws_support_access_instance_profile"
 56 |   role = "${aws_iam_role.aws_support_access_role.name}"
 57 | 
 58 |   depends_on = [
 59 |     "aws_iam_role.aws_support_access_role",
 60 |   ]
 61 | }
 62 | 
 63 | #---------------------- image_id property --------------------------#
 64 | 
 65 | # Debian
 66 | data "aws_ami" "debian" {
 67 |   most_recent = true
 68 | 
 69 |   filter {
 70 |     name   = "name"
 71 |     values = ["debian-jessie-amd64-hvm-*"]
 72 |   }
 73 | 
 74 |   filter {
 75 |     name   = "architecture"
 76 |     values = ["x86_64"]
 77 |   }
 78 | 
 79 |   filter {
 80 |     name   = "root-device-type"
 81 |     values = ["ebs"]
 82 |   }
 83 | }
 84 | 
 85 | # Centos
 86 | data "aws_ami" "centos" {
 87 |   most_recent = true
 88 | 
 89 |   filter {
 90 |     name   = "name"
 91 |     values = ["CentOS Linux 7 x86_64 HVM EBS*"]
 92 |   }
 93 | 
 94 |   filter {
 95 |     name   = "architecture"
 96 |     values = ["x86_64"]
 97 |   }
 98 | 
 99 |   filter {
100 |     name   = "root-device-type"
101 |     values = ["ebs"]
102 |   }
103 | }
104 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/iam_manager.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #               IAM Manager User
  3 | #======================================================#
  4 | resource "aws_iam_user" "iam_manager_user" {
  5 |   name = "${var.prefix}-iam-manager"
  6 | }
  7 | 
  8 | #======================================================#
  9 | #               IAM Manager Role
 10 | #======================================================#
 11 | resource "aws_iam_role" "iam_manager_role" {
 12 |   name = "${var.prefix}-iam-manager-role"
 13 | 
 14 |   assume_role_policy = <<EOF
 15 | {
 16 |   "Version": "2012-10-17",
 17 |   "Statement": [
 18 |     {
 19 |       "Effect": "Allow",
 20 |       "Principal": {
 21 |         "AWS": "${aws_iam_user.iam_manager_user.arn}"
 22 |       },
 23 |       "Action": "sts:AssumeRole"
 24 |     }
 25 |   ]
 26 | }
 27 | EOF
 28 | }
 29 | 
 30 | resource "aws_iam_role_policy_attachment" "iam_manager_role_attach" {
 31 |   role       = "${aws_iam_role.iam_manager_role.name}"
 32 |   policy_arn = "${aws_iam_policy.iam_manager_policy.arn}"
 33 | 
 34 |   depends_on = [
 35 |     "aws_iam_role.iam_manager_role",
 36 |     "aws_iam_policy.iam_manager_policy",
 37 |   ]
 38 | }
 39 | 
 40 | #======================================================#
 41 | #               IAM Manager Policy
 42 | #======================================================#
 43 | data "aws_iam_policy_document" "iam_manager_permissions_policy" {
 44 |   statement {
 45 |     effect = "Allow"
 46 | 
 47 |     actions = [
 48 |       "iam:AddUserToGroup",
 49 |       "iam:AttachGroupPolicy",
 50 |       "iam:DeleteGroupPolicy",
 51 |       "iam:DeleteUserPolicy",
 52 |       "iam:DetachGroupPolicy",
 53 |       "iam:DetachRolePolicy",
 54 |       "iam:DetachUserPolicy",
 55 |       "iam:PutGroupPolicy",
 56 |       "iam:PutUserPolicy",
 57 |       "iam:RemoveUserFromGroup",
 58 |       "iam:UpdateGroup",
 59 |       "iam:UpdateAssumeRolePolicy",
 60 |       "iam:UpdateUser",
 61 |       "iam:GetPolicy",
 62 |       "iam:GetPolicyVersion",
 63 |       "iam:GetRole",
 64 |       "iam:GetRolePolicy",
 65 |       "iam:GetUser",
 66 |       "iam:GetUserPolicy",
 67 |       "iam:ListEntitiesForPolicy",
 68 |       "iam:ListGroupPolicies",
 69 |       "iam:ListGroups",
 70 |       "iam:ListGroupsForUser",
 71 |       "iam:ListPolicies",
 72 |       "iam:ListPoliciesGrantingServiceAccess",
 73 |       "iam:ListPolicyVersions",
 74 |       "iam:ListRolePolicies",
 75 |       "iam:ListAttachedGroupPolicies",
 76 |       "iam:ListAttachedRolePolicies",
 77 |       "iam:ListAttachedUserPolicies",
 78 |       "iam:ListRoles",
 79 |       "iam:ListUsers",
 80 |     ]
 81 | 
 82 |     resources = [
 83 |       "*",
 84 |     ]
 85 | 
 86 |     condition {
 87 |       test     = "Bool"
 88 |       variable = "aws:MultiFactorAuthPresent"
 89 |       values   = ["true"]
 90 |     }
 91 |   }
 92 | 
 93 |   statement {
 94 |     effect = "Deny"
 95 | 
 96 |     actions = [
 97 |       "iam:AttachRolePolicy",
 98 |       "iam:CreateGroup",
 99 |       "iam:CreatePolicy",
100 |       "iam:CreatePolicyVersion",
101 |       "iam:CreateRole",
102 |       "iam:CreateUser",
103 |       "iam:DeleteGroup",
104 |       "iam:DeletePolicy",
105 |       "iam:DeletePolicyVersion",
106 |       "iam:DeleteRole",
107 |       "iam:DeleteRolePolicy",
108 |       "iam:DeleteUser",
109 |       "iam:PutRolePolicy",
110 |     ]
111 | 
112 |     resources = [
113 |       "*",
114 |     ]
115 |   }
116 | }
117 | 
118 | resource "aws_iam_policy" "iam_manager_policy" {
119 |   name   = "IAM-MANAGER-POLICY"
120 |   path   = "/"
121 |   policy = "${data.aws_iam_policy_document.iam_manager_permissions_policy.json}"
122 | }
123 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/iam_master.tf:
--------------------------------------------------------------------------------
  1 | #======================================================#
  2 | #               IAM Master User
  3 | #======================================================#
  4 | resource "aws_iam_user" "iam_master_user" {
  5 |   name = "${var.prefix}-iam-master"
  6 | }
  7 | 
  8 | #======================================================#
  9 | #               IAM Master Role
 10 | #======================================================#
 11 | resource "aws_iam_role" "iam_master_role" {
 12 |   name = "${var.prefix}-iam-master-role"
 13 | 
 14 |   assume_role_policy = <<EOF
 15 | {
 16 |   "Version": "2012-10-17",
 17 |   "Statement": [
 18 |     {
 19 |       "Effect": "Allow",
 20 |       "Principal": {
 21 |         "AWS": "${aws_iam_user.iam_master_user.arn}"
 22 |       },
 23 |       "Action": "sts:AssumeRole"
 24 |     }
 25 |   ]
 26 | }
 27 | EOF
 28 | }
 29 | 
 30 | resource "aws_iam_role_policy_attachment" "iam_master_role_attach" {
 31 |   role       = "${aws_iam_role.iam_master_role.name}"
 32 |   policy_arn = "${aws_iam_policy.iam_master_policy.arn}"
 33 | 
 34 |   depends_on = [
 35 |     "aws_iam_role.iam_master_role",
 36 |     "aws_iam_policy.iam_master_policy",
 37 |   ]
 38 | }
 39 | 
 40 | #======================================================#
 41 | #               IAM Master Policy
 42 | #======================================================#
 43 | data "aws_iam_policy_document" "iam_master_permissions_policy" {
 44 |   statement {
 45 |     effect = "Allow"
 46 | 
 47 |     actions = [
 48 |       "iam:AttachRolePolicy",
 49 |       "iam:CreateGroup",
 50 |       "iam:CreatePolicy",
 51 |       "iam:CreatePolicyVersion",
 52 |       "iam:CreateRole",
 53 |       "iam:CreateUser",
 54 |       "iam:DeleteGroup",
 55 |       "iam:DeletePolicy",
 56 |       "iam:DeletePolicyVersion",
 57 |       "iam:DeleteRole",
 58 |       "iam:DeleteRolePolicy",
 59 |       "iam:DeleteUser",
 60 |       "iam:PutRolePolicy",
 61 |       "iam:GetPolicy",
 62 |       "iam:GetPolicyVersion",
 63 |       "iam:GetRole",
 64 |       "iam:GetRolePolicy",
 65 |       "iam:GetUser",
 66 |       "iam:GetUserPolicy",
 67 |       "iam:ListEntitiesForPolicy",
 68 |       "iam:ListGroupPolicies",
 69 |       "iam:ListGroups",
 70 |       "iam:ListGroupsForUser",
 71 |       "iam:ListPolicies",
 72 |       "iam:ListPoliciesGrantingServiceAccess",
 73 |       "iam:ListPolicyVersions",
 74 |       "iam:ListRolePolicies",
 75 |       "iam:ListAttachedGroupPolicies",
 76 |       "iam:ListAttachedRolePolicies",
 77 |       "iam:ListAttachedUserPolicies",
 78 |       "iam:ListRoles",
 79 |       "iam:ListUsers",
 80 |     ]
 81 | 
 82 |     resources = [
 83 |       "*",
 84 |     ]
 85 | 
 86 |     condition {
 87 |       test     = "Bool"
 88 |       variable = "aws:MultiFactorAuthPresent"
 89 |       values   = ["true"]
 90 |     }
 91 |   }
 92 | 
 93 |   statement {
 94 |     effect = "Deny"
 95 | 
 96 |     actions = [
 97 |       "iam:AddUserToGroup",
 98 |       "iam:AttachGroupPolicy",
 99 |       "iam:DeleteGroupPolicy",
100 |       "iam:DeleteUserPolicy",
101 |       "iam:DetachGroupPolicy",
102 |       "iam:DetachRolePolicy",
103 |       "iam:DetachUserPolicy",
104 |       "iam:PutGroupPolicy",
105 |       "iam:PutUserPolicy",
106 |       "iam:RemoveUserFromGroup",
107 |       "iam:UpdateGroup",
108 |       "iam:UpdateAssumeRolePolicy",
109 |       "iam:UpdateUser",
110 |     ]
111 | 
112 |     resources = [
113 |       "*",
114 |     ]
115 |   }
116 | }
117 | 
118 | resource "aws_iam_policy" "iam_master_policy" {
119 |   name   = "IAM-MASTER-POLICY"
120 |   path   = "/"
121 |   policy = "${data.aws_iam_policy_document.iam_master_permissions_policy.json}"
122 | }
123 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/outputs.tf:
--------------------------------------------------------------------------------
  1 | output "aws_account_id" {
  2 |   value = "${data.aws_caller_identity.creds.account_id}"
  3 | }
  4 | 
  5 | output "aws_region" {
  6 |   value = "${var.region}"
  7 | }
  8 | 
  9 | output "config_service" {
 10 |   value = "${
 11 |     map(
 12 |       "us-east-1" ,  map(
 13 |         "s3_bucket_name" , "${aws_s3_bucket.config_delivery_bucket.id}",
 14 |         "sns_topic_arn" , "${aws_sns_topic.config_sns_east1.arn}"
 15 |       ),
 16 |       "us-east-2" ,  map(
 17 |         "s3_bucket_name" , "${aws_s3_bucket.config_delivery_bucket.id}",
 18 |         "sns_topic_arn" , "${aws_sns_topic.config_sns_east2.arn}"
 19 | 
 20 |       ),
 21 |       "us-west-1" ,  map(
 22 |         "s3_bucket_name" , "${aws_s3_bucket.config_delivery_bucket.id}",
 23 |         "sns_topic_arn" , "${aws_sns_topic.config_sns_west1.arn}"
 24 | 
 25 |       ),
 26 |       "us-west-2" , map(
 27 |         "s3_bucket_name" , "${aws_s3_bucket.config_delivery_bucket.id}",
 28 |         "sns_topic_arn" , "${aws_sns_topic.config_sns_west2.arn}"
 29 | 
 30 |       )
 31 |     )
 32 |   }"
 33 | }
 34 | 
 35 | output "sns_topics" {
 36 |   value = "${
 37 |         map(
 38 |             "${aws_sns_topic.config_sns_east1.arn}" , "${map(
 39 |               "owner" , "${data.aws_caller_identity.creds.account_id}",
 40 |               "region" , "us-east-1",
 41 |             )}",
 42 |             "${aws_sns_topic.config_sns_east2.arn}" , "${map(
 43 |               "owner" , "${data.aws_caller_identity.creds.account_id}",
 44 |               "region" , "us-east-2",
 45 |             )}",
 46 |             "${aws_sns_topic.config_sns_west1.arn}" , "${map(
 47 |               "owner" , "${data.aws_caller_identity.creds.account_id}",
 48 |               "region" , "us-west-1",
 49 |             )}",
 50 |             "${aws_sns_topic.config_sns_west2.arn}" , "${map(
 51 |               "owner" , "${data.aws_caller_identity.creds.account_id}",
 52 |               "region" , "us-west-2",
 53 |             )}",
 54 |             "${aws_sns_topic.metric_sns.arn}" , "${map(
 55 |               "owner" , "${data.aws_caller_identity.creds.account_id}",
 56 |               "region" , "us-east-1",
 57 |             )}"
 58 |           )
 59 |         }"
 60 | }
 61 | 
 62 | output "sns_subscriptions" {
 63 |   value = "${
 64 |         map(
 65 |                 "${aws_sns_topic_subscription.config_sns_subscription_east1.arn}" , "${map(
 66 |                   "endpoint" , "${aws_sns_topic_subscription.config_sns_subscription_east1.endpoint}",
 67 |                   "protocol" , "${aws_sns_topic_subscription.config_sns_subscription_east1.protocol}",
 68 |                   "owner" , "${data.aws_caller_identity.creds.account_id}",
 69 |                 )}",
 70 |                 "${aws_sns_topic_subscription.config_sns_subscription_east2.arn}" , "${map(
 71 |                   "endpoint" , "${aws_sns_topic_subscription.config_sns_subscription_east2.endpoint}",
 72 |                   "protocol" , "${aws_sns_topic_subscription.config_sns_subscription_east2.protocol}",
 73 |                   "owner" , "${data.aws_caller_identity.creds.account_id}",
 74 |                 )}",
 75 |                 "${aws_sns_topic_subscription.config_sns_subscription_west1.arn}" , "${map(
 76 |                   "endpoint" , "${aws_sns_topic_subscription.config_sns_subscription_west1.endpoint}",
 77 |                   "protocol" , "${aws_sns_topic_subscription.config_sns_subscription_west1.protocol}",
 78 |                   "owner" , "${data.aws_caller_identity.creds.account_id}",
 79 |                 )}",
 80 |                 "${aws_sns_topic_subscription.config_sns_subscription_west2.arn}" , "${map(
 81 |                   "endpoint" , "${aws_sns_topic_subscription.config_sns_subscription_west2.endpoint}",
 82 |                   "protocol" , "${aws_sns_topic_subscription.config_sns_subscription_west2.protocol}",
 83 |                   "owner" , "${data.aws_caller_identity.creds.account_id}",
 84 |                 )}",
 85 |                 "${aws_sns_topic_subscription.metric_sns_subscription.arn}" , "${map(
 86 |                   "endpoint" , "${aws_sns_topic_subscription.metric_sns_subscription.endpoint}",
 87 |                   "protocol" , "${aws_sns_topic_subscription.metric_sns_subscription.protocol}",
 88 |                   "owner" , "${data.aws_caller_identity.creds.account_id}",
 89 |                 )}",
 90 |               )
 91 | 
 92 |         }"
 93 | }
 94 | 
 95 | output "aws_actions_performing_instance_ids" {
 96 |   value = [
 97 |     "${aws_instance.aws_support_access_instance.id}",
 98 |   ]
 99 | }
100 | 
101 | output "iam_manager_user_name" {
102 |   value = "${aws_iam_user.iam_manager_user.name}"
103 | }
104 | 
105 | output "iam_manager_role_name" {
106 |   value = "${aws_iam_role.iam_manager_role.name}"
107 | }
108 | 
109 | output "iam_manager_policy_name" {
110 |   value = "${aws_iam_policy.iam_manager_policy.name}"
111 | }
112 | 
113 | output "iam_master_user_name" {
114 |   value = "${aws_iam_user.iam_master_user.name}"
115 | }
116 | 
117 | output "iam_master_role_name" {
118 |   value = "${aws_iam_role.iam_master_role.name}"
119 | }
120 | 
121 | output "iam_master_policy_name" {
122 |   value = "${aws_iam_policy.iam_master_policy.name}"
123 | }
124 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/variables.tf:
--------------------------------------------------------------------------------
1 | variable "aws_access_key" {}
2 | variable "aws_secret_key" {}
3 | variable "region" {}
4 | variable "prefix" {}
5 | variable "instance_type" {}
6 | variable "aws_ssh_key_id" {}
7 | variable "ssh_security_group_cidr" {}
8 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/vpc.tf:
--------------------------------------------------------------------------------
 1 | #=================================================================#
 2 | #                         Default VPC
 3 | #=================================================================#
 4 | 
 5 | resource "aws_default_vpc" "default" {
 6 |   tags {
 7 |     Name = "default"
 8 |   }
 9 | }
10 | 
11 | #=================================================================#
12 | #                    Default Security Group
13 | #=================================================================#
14 | 
15 | resource "aws_default_security_group" "default" {
16 |   vpc_id = "${aws_default_vpc.default.id}"
17 | }
18 | 
19 | #=================================================================#
20 | #                  Flow Logs for Default VPC
21 | #=================================================================#
22 | 
23 | resource "aws_flow_log" "vpc_flow_log" {
24 |   log_group_name = "${aws_cloudwatch_log_group.vpc_flow_log_group.name}"
25 |   iam_role_arn   = "${aws_iam_role.vpc_flow_log_role.arn}"
26 |   vpc_id         = "${aws_default_vpc.default.id}"
27 |   traffic_type   = "REJECT"
28 | }
29 | 
30 | resource "aws_cloudwatch_log_group" "vpc_flow_log_group" {
31 |   name = "${var.prefix}-vpc-flow-log-group"
32 | }
33 | 
34 | resource "aws_iam_role" "vpc_flow_log_role" {
35 |   name = "${var.prefix}-vpc_flow_log_role"
36 | 
37 |   assume_role_policy = <<EOF
38 | {
39 |   "Version": "2012-10-17",
40 |   "Statement": [
41 |     {
42 |       "Sid": "",
43 |       "Effect": "Allow",
44 |       "Principal": {
45 |         "Service": "vpc-flow-logs.amazonaws.com"
46 |       },
47 |       "Action": "sts:AssumeRole"
48 |     }
49 |   ]
50 | }
51 | EOF
52 | }
53 | 
54 | resource "aws_iam_role_policy" "vpc_flow_log_role_policy" {
55 |   name = "${var.prefix}-vpc_flow_log_role_policy"
56 |   role = "${aws_iam_role.vpc_flow_log_role.id}"
57 | 
58 |   policy = <<EOF
59 | {
60 |   "Version": "2012-10-17",
61 |   "Statement": [
62 |     {
63 |       "Action": [
64 |         "logs:CreateLogGroup",
65 |         "logs:CreateLogStream",
66 |         "logs:PutLogEvents",
67 |         "logs:DescribeLogGroups",
68 |         "logs:DescribeLogStreams"
69 |       ],
70 |       "Effect": "Allow",
71 |       "Resource": "*"
72 |     }
73 |   ]
74 | }
75 | EOF
76 | }
77 | 


--------------------------------------------------------------------------------
/test/integration/cis/build/vpc_ssh_security_group.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_security_group" "ssh" {
 2 |   name   = "ssh"
 3 |   vpc_id = "${aws_default_vpc.default.id}"
 4 | 
 5 |   ingress {
 6 |     from_port = 22
 7 |     to_port   = 22
 8 |     protocol  = "tcp"
 9 | 
10 |     cidr_blocks = [
11 |       "${var.ssh_security_group_cidr}",
12 |     ]
13 |   }
14 | }
15 | 


--------------------------------------------------------------------------------
/test/integration/cis/inspec.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: default
3 | 


--------------------------------------------------------------------------------
/test/integration/minimal/build/aws.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_version = "> 0.10.0"
 3 | }
 4 | 
 5 | provider "aws" {
 6 |   access_key = "${var.aws_access_key}"
 7 |   secret_key = "${var.aws_secret_key}"
 8 |   region     = "${var.region}"
 9 |   version    = "= 1.1"
10 | }
11 | 
12 | data "aws_caller_identity" "creds" {}
13 | 
14 | output "aws_account_id" {
15 |   value = "${data.aws_caller_identity.creds.account_id}"
16 | }
17 | 


--------------------------------------------------------------------------------
/test/integration/minimal/build/variables.tf:
--------------------------------------------------------------------------------
1 | variable "aws_access_key" {}
2 | variable "aws_secret_key" {}
3 | variable "region" {}
4 | 


--------------------------------------------------------------------------------
/test/integration/minimal/inspec.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: default
3 | 


--------------------------------------------------------------------------------
/test/integration/minimal/verify/controls/aws_iam_root_user.rb:
--------------------------------------------------------------------------------
 1 | 
 2 | fixtures = {}
 3 | [
 4 |   'aws_account_id',
 5 | ].each do |fixture_name|
 6 |   fixtures[fixture_name] = attribute(
 7 |     fixture_name,
 8 |     default: "default.#{fixture_name}",
 9 |     description: 'See ../build/iam.tf',
10 |   )
11 | end
12 | 
13 | #------------- Property - has_mfa_enabled -------------#
14 | # Positive test in 'default' test set
15 | control "aws_iam_root_user has_mfa_enabled property" do
16 |   describe aws_iam_root_user do
17 |     it { should_not have_mfa_enabled }
18 |   end
19 | end
20 | 
21 | #------------- Property - has_access_key -------------#
22 | # Negative test in 'default' test set
23 | control "aws_iam_root_user has_access_key property" do
24 |   describe aws_iam_root_user do
25 |     it { should have_access_key }
26 |   end
27 | end
28 | 


--------------------------------------------------------------------------------
/test/integration/minimal/verify/inspec.yml:
--------------------------------------------------------------------------------
1 | name: inspec-aws-minimal-tests
2 | depends:
3 |   - name: aws-resource-pack
4 |     git: https://github.com/chef/inspec-aws.git
5 | 


--------------------------------------------------------------------------------