An open API service indexing awesome lists of open source software.

https://github.com/cisagov/bod-18-01-cloudwatch-users

Create AWS users that only have permission to view CloudWatch logs related to BOD 18-01 scanning
https://github.com/cisagov/bod-18-01-cloudwatch-users

aws cloudwatch iam users

Last synced: 4 months ago
JSON representation

Create AWS users that only have permission to view CloudWatch logs related to BOD 18-01 scanning

Awesome Lists containing this project

README

          

# bod-18-01-cloudwatch-users #

[![GitHub Build Status](https://github.com/cisagov/bod-18-01-cloudwatch-users/workflows/build/badge.svg)](https://github.com/cisagov/bod-18-01-cloudwatch-users/actions)
[![License](https://img.shields.io/github/license/cisagov/bod-18-01-cloudwatch-users)](https://spdx.org/licenses/)
[![CodeQL](https://github.com/cisagov/bod-18-01-cloudwatch-users/workflows/CodeQL/badge.svg)](https://github.com/cisagov/bod-18-01-cloudwatch-users/actions/workflows/codeql-analysis.yml)

This is a Terraform project for creating AWS users that only have
permission to view CloudWatch logs related to BOD 18-01 scanning.

## Pre-requisites ##

- [Terraform](https://www.terraform.io/) installed on your system.
- AWS CLI access
[configured](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
for the appropriate account on your system.
- An accessible AWS S3 bucket to store Terraform state
(specified in [`backend.tf`](backend.tf)).
- An accessible AWS DynamoDB database to store the Terraform state lock
(specified in [`backend.tf`](backend.tf)).
- User accounts for all users must have been created previously. We recommend
using the
[`cisagov/cyhy-users-non-admin`](https://github.com/cisagov/cyhy-users-non-admin)
repository to create users.

## Customizing Your Environment ##

Create a terraform variables file to be used for your environment (e.g.
`production.tfvars`), based on the variables listed in [Inputs](#inputs)
below. Here is a sample of what that file might look like:

```hcl
aws_region = "us-east-2"

usernames = ["firstname1.lastname1", "firstname2.lastname2"]

scan_types = ["pshtt", "trustymail"]
lambda_function_names = {
"pshtt" = "task_pshtt",
"trustymail" = "task_trustymail"
}

tags = {
Team = "CISA Development Team"
Application = "BOD 18-01 Scanning"
Workspace = "production"
}
```

## Building the Terraform-based infrastructure ##

1. Create a Terraform workspace (if you haven't already done so) by running:

```console
terraform workspace new `
```

1. Create a `.tfvars` file with all of the required
variables and any optional variables desired (see [Inputs](#inputs) below
for details).
1. Run the command `terraform init`.
1. Create the Terraform infrastructure by running the command:

```console
terraform apply -var-file=.tfvars
```

## Tearing down the Terraform-based infrastructure ##

1. Select the appropriate Terraform workspace by running
`terraform workspace select `.
1. Destroy the Terraform infrastructure in that workspace by running
`terraform destroy -var-file=.tfvars`.

## Requirements ##

| Name | Version |
|------|---------|
| terraform | ~> 1.1 |
| aws | ~> 4.9 |

## Providers ##

| Name | Version |
|------|---------|
| aws | ~> 4.9 |

## Modules ##

No modules.

## Resources ##

| Name | Type |
|------|------|
| [aws_iam_group.bod_log_watchers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
| [aws_iam_group_policy_attachment.bodlambdalogreadaccess_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_policy.bodlambdalogreadaccess_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_user_group_membership.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_cloudwatch_log_group.bod_lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudwatch_log_group) | data source |
| [aws_iam_policy_document.bodlambdalogreadaccess_policy_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_user) | data source |

## Inputs ##

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws\_availability\_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | `string` | `"a"` | no |
| aws\_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
| bod\_lambdas | A map whose keys are the names of the BOD scan types and whose values are the names of the corresponding AWS Lambdas. Example: { "pshtt" = "task\_pshtt" } | `map(string)` | n/a | yes |
| bod\_log\_watchers\_group\_name | The base name of the group to be created for BOD 18-01 Lambda log access users. Note that in production workspaces, '-production' is automatically appended this group name. In non-production workspaces, '-' is automatically appended to this group name. | `string` | `"bod_log_watchers"` | no |
| bodlambdalogreadaccess\_policy\_description | The description to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs. | `string` | `"Allows read access to the BOD 18-01 Lambda logs."` | no |
| bodlambdalogreadaccess\_policy\_name | The base name to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs. Note that in production workspaces, '-production' is automatically appended this policy name. In non-production workspaces, '-' is automatically appended to this policy name. | `string` | `"BODLambdaLogReadAccess"` | no |
| tags | Tags to apply to all AWS resources created. | `map(string)` | `{}` | no |
| users | A list of the usernames for the users that should be given access to the BOD 18-01 CloudWatch logs. Example: ["firstname1.lastname1", "firstname2.lastname2"] | `list(string)` | n/a | yes |

## Outputs ##

No outputs.

## Notes ##

Running `pre-commit` requires running `terraform init` in every directory that
contains Terraform code. In this repository, this is only the main directory.

## Contributing ##

We welcome contributions! Please see [`CONTRIBUTING.md`](CONTRIBUTING.md) for
details.

## License ##

This project is in the worldwide [public domain](LICENSE).

This project is in the public domain within the United States, and
copyright and related rights in the work worldwide are waived through
the [CC0 1.0 Universal public domain
dedication](https://creativecommons.org/publicdomain/zero/1.0/).

All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.