Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/moritzheiber/terraform-aws-core-modules

A collection of Terraform "core" modules I would consider to be building blocks of any reasonable AWS account setup
https://github.com/moritzheiber/terraform-aws-core-modules

aws aws-config aws-iam aws-vpc iam terraform terraform-module terraform-modules

Last synced: 3 months ago
JSON representation

A collection of Terraform "core" modules I would consider to be building blocks of any reasonable AWS account setup

Awesome Lists containing this project

README

        

# AWS Core Modules

This is a collection of Terraform "core" modules I would consider to be building blocks of every reasonable AWS account setup.
Please refer to to the [AWS Kickstarter](https://github.com/moritzheiber/aws-kickstarter) to see their application.

Contributions are more than welcome and encouraged!

## Available modules
- [config](#config)
- [iam-resources](#iam-resources)
- [iam-users](#iam-users)
- [vpc](#vpc)

## Config

The module configures AWS Config to monitor your account for non-compliant resources.
You can freely choose which checks to use or discard by modifying the `enable_config_rules`, `disable_config_rules` and `complex_config_rules` variables.

As an example, if you'd wish to enable `AUTOSCALING_CAPACITY_REBALANCING` and disable the `INSTANCES_IN_VPC` check, which is enabled by default, you could use the following code:

```hcl
module "aws_config" {
source = "git::https://github.com/moritzheiber/terraform-aws-core-modules//config"

enable_simple_rules = ["AUTOSCALING_CAPACITY_REBALANCING"]
disable_simple_rules = ["INSTANCE_IN_VPC"]
}
```

If you wanted to change parameters on the `CLOUDWATCH_ALARM_ACTION_CHECK` complex rule you could pass it to the `complex_config_rules` variable:

```hcl
module "aws_config" {
source = "git::https://github.com/moritzheiber/terraform-aws-core-modules//config"

complex_config_rules = {
CLOUDWATCH_ALARM_ACTION_CHECK = {
alarmActionRequired = "false"
insufficientDataActionRequired = "true"
okActionRequired = "true"
}
}
}
```

For a list of available managed rules you can refer [to the AWS Config documentation](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html).
As a rule of thumb:
- **if they require no parameters** you can use either `enable_config_rules` or `disable_config_rules` to manage them.
- **if they require parameters** you can use the `complex_config_rules` map to add them and their input parameters as a `identifier = { parameter = value }` map.

For both cases you need to use their _uppercase, snake case identifier_ (e.g. `autoscaling-capacity-rebalancing` becomes `AUTOSCALING_CAPACITY_REBALANCING`)

### Special cases

For a few rules there is special treatment using variables:

- `IAM_PASSWORD_POLICY`: See the `password_policy` variable
- `IAM_USER_GROUP_MEMBERSHIP_CHECK`: See the `iam_user_groups` variable
- `APPROVED_AMIS_BY_TAG`: See the `amis_by_tag_key_and_value_list` variable
- `ACCESS_KEYS_ROTATED`: See the `max_access_key_age` variable
- `DESIRED_INSTANCE_TYPE`: See the `desired_instance_types` variable (\_Note: the identifier says `type` but this is **a list**\_)

You can disable any of these complex rules by simply unsetting the corresponding variable.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1 |
| [aws](#requirement\_aws) | ~> 4 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [amis\_by\_tag\_key\_and\_value\_list](#input\_amis\_by\_tag\_key\_and\_value\_list) | Required AMI tags for EC2 instances | `list(string)` | `[]` | no |
| [bucket\_account\_id](#input\_bucket\_account\_id) | The AWS account ID the S3 bucket lives in that AWS Config is writing its records to. Defaults to the ID of the current account | `string` | `""` | no |
| [bucket\_key\_prefix](#input\_bucket\_key\_prefix) | The prefix of the keys AWS Config writes to | `string` | `"aws_config"` | no |
| [bucket\_prefix](#input\_bucket\_prefix) | The prefix for the S3 bucket AWS Config Recorder writes to | `string` | `"aws-config"` | no |
| [complex\_config\_rules](#input\_complex\_config\_rules) | A range of more complex Config rules you wish to have applied. They usually carry input parameters. | `map(map(string))` |

{
"CLOUDWATCH_ALARM_ACTION_CHECK": {
"alarmActionRequired": "true",
"insufficientDataActionRequired": "false",
"okActionRequired": "false"
}
}
| no |
| [config\_delivery\_channel\_name](#input\_config\_delivery\_channel\_name) | The name of the delivery channel for AWS Config | `string` | `"config"` | no |
| [config\_recorder\_name](#input\_config\_recorder\_name) | The name of the recorder for AWS Config | `string` | `"config"` | no |
| [delivery\_frequency](#input\_delivery\_frequency) | The frequency at which AWS Config delivers its recorded findings to S3 | `string` | `"Three_Hours"` | no |
| [desired\_instance\_types](#input\_desired\_instance\_types) | A string of comma-delimited instance types | `set(string)` | `[]` | no |
| [disable\_config\_rules](#input\_disable\_config\_rules) | A set with simple rules you wish to disable. Otherwise all the rules are applied by default. | `set(string)` | `[]` | no |
| [enable\_config\_rules](#input\_enable\_config\_rules) | A set with simple rules you wish to enable. The defaults are pretty solid. If you wish to only disable a few rules take a look at the 'disable\_config\_rules' variable. | `set(string)` |
[
"INSTANCES_IN_VPC",
"EC2_VOLUME_INUSE_CHECK",
"EIP_ATTACHED",
"ENCRYPTED_VOLUMES",
"INCOMING_SSH_DISABLED",
"CLOUD_TRAIL_ENABLED",
"IAM_GROUP_HAS_USERS_CHECK",
"IAM_USER_NO_POLICIES_CHECK",
"ROOT_ACCOUNT_MFA_ENABLED",
"S3_BUCKET_PUBLIC_READ_PROHIBITED",
"S3_BUCKET_PUBLIC_WRITE_PROHIBITED",
"S3_BUCKET_SSL_REQUESTS_ONLY",
"S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED",
"S3_BUCKET_VERSIONING_ENABLED",
"EBS_OPTIMIZED_INSTANCE",
"AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED",
"RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
"RDS_SNAPSHOTS_PUBLIC_PROHIBITED",
"IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS",
"IAM_ROOT_ACCESS_KEY_CHECK"
]
| no |
| [enable\_lifecycle\_management\_for\_s3](#input\_enable\_lifecycle\_management\_for\_s3) | Whether or not to enable lifecycle management for the S3 bucket AWS Config writes to | `bool` | `false` | no |
| [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM role created for delegating permissions to AWS Config | `string` | `"config"` | no |
| [iam\_user\_groups](#input\_iam\_user\_groups) | A list of mandatory groups for IAM users | `list(string)` | `[]` | no |
| [lifecycle\_bucket\_expiration](#input\_lifecycle\_bucket\_expiration) | The number of days after which artifacts in the Config S3 bucket are expiring | `number` | `365` | no |
| [max\_access\_key\_age](#input\_max\_access\_key\_age) | The maximum amount of days an access key can live without being rotated | `string` | `"90"` | no |
| [password\_policy](#input\_password\_policy) | A map of values describing the password policy parameters AWS Config is looking for | `map(string)` |
{
"max_password_age": "90",
"minimum_password_length": "32",
"password_reuse_prevention": "5",
"require_lowercase_chars": "true",
"require_numbers": "true",
"require_symbols": "true",
"require_uppercase_chars": "true"
}
| no |
| [s3\_kms\_sse\_encryption\_key\_arn](#input\_s3\_kms\_sse\_encryption\_key\_arn) | The ARN for the KMS key to use for S3 server-side bucket encryption. If none if specified the module creates a KMS key for customer managed encryption. | `string` | `""` | no |

## Outputs

| Name | Description |
|------|-------------|
| [config\_s3\_bucket\_arn](#output\_config\_s3\_bucket\_arn) | The ARN of the S3 bucket AWS Config writes its findings into |

## iam-users

A module to configure the "users" account modeled after a common security principle of separating users from resource accounts through a MFA-enabled role-assumption bridge:

![AWS IAM setup illustration](https://raw.githubusercontent.com/moritzheiber/terraform-aws-core-modules/main/files/aws_iam_setup.png)

These strict separation of privileges follow [an article I wrote a while ago](https://www.thoughtworks.com/insights/blog/using-aws-security-first-class-citizen).
You can also create IAM users and IAM groups with this module and assign the users to specific groups. The module will create two default groups, one for admins and users, which you can disable by setting the `admin_group_name` and `user_group_name` to an empty string.

Creating additional users is done by passing a map called `users` to the module, with a group mapping attached to them (the best practice is to never have users live "outside" of groups).

```hcl
variable "iam_users" {
type = map(map(set(string)))
default = {
my_user = {
groups = ["admins"]
}
}
}

module "iam_users" {
source = "git::https://github.com/moritzheiber/terraform-aws-core-modules.git//iam-users"

iam_users = var.iam_users
}
```

This will run the module and create all the necessary permissions along with a user belonging to the `admins` groups.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1 |
| [aws](#requirement\_aws) | ~> 4 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_admin\_groups](#input\_additional\_admin\_groups) | A list of additional groups to create associated with administrative privileges | `list(string)` | `[]` | no |
| [additional\_user\_groups](#input\_additional\_user\_groups) | A list of additional groups to create associated with regular users | `list(string)` | `[]` | no |
| [admin\_group\_name](#input\_admin\_group\_name) | The name of the initial group created for administrators | `string` | `"admins"` | no |
| [admin\_multi\_factor\_auth\_age](#input\_admin\_multi\_factor\_auth\_age) | The amount of time (in minutes) for a admin session to be valid | `number` | `60` | no |
| [iam\_account\_alias](#input\_iam\_account\_alias) | A globally unique, human-readable identifier for your AWS account | `string` | `null` | no |
| [iam\_users](#input\_iam\_users) | A list of maps of users and their groups. Default is to create no users. | `map(map(list(string)))` | `{}` | no |
| [password\_policy](#input\_password\_policy) | A map of password policy parameters you want to set differently from the defaults | `map(string)` |

{
"max_password_age": "90",
"minimum_password_length": "32",
"password_reuse_prevention": "5",
"require_lowercase_chars": "true",
"require_numbers": "true",
"require_symbols": "true",
"require_uppercase_chars": "true"
}
| no |
| [resource\_admin\_role\_name](#input\_resource\_admin\_role\_name) | The name of the administrator role one is supposed to assume in the resource account | `string` | `"resource-admin"` | no |
| [resource\_user\_role\_name](#input\_resource\_user\_role\_name) | The name of the user role one is supposed to assume in the resource account | `string` | `"resource-user"` | no |
| [resources\_account\_id](#input\_resources\_account\_id) | The account ID of the AWS account you want to start resources in | `string` | `""` | no |
| [user\_group\_name](#input\_user\_group\_name) | The name of the initial group created for users | `string` | `"users"` | no |
| [user\_multi\_factor\_auth\_age](#input\_user\_multi\_factor\_auth\_age) | The amount of time (in minutes) for a user session to be valid | `number` | `240` | no |

## Outputs

| Name | Description |
|------|-------------|
| [admin\_group\_names](#output\_admin\_group\_names) | The names of the admin groups |
| [user\_group\_names](#output\_user\_group\_names) | The name of the user groups |

## iam-resources

A module to configure the "resources" account modelled after the common security principle of separating users from resource accounts through a MFA-enabled role-assumption bridge.
Please see the [iam-users](https://github.com/moritzheiber/terraform-aws-core-modules/tree/main/iam-users) module for further explanation. It is generally assumed that this module isn't deployed on its own.

### Usage example
```hcl
module "iam_resources" {
source = "git::https://github.com/moritzheiber/terraform-aws-core-modules.git//iam-resources"
```

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1 |
| [aws](#requirement\_aws) | ~> 4 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [admin\_access\_role\_name](#input\_admin\_access\_role\_name) | Name of the admin role | `string` | `"resource-admin"` | no |
| [admin\_multi\_factor\_auth\_age](#input\_admin\_multi\_factor\_auth\_age) | The amount of time (in minutes) for a admin session to be valid | `number` | `60` | no |
| [iam\_account\_alias](#input\_iam\_account\_alias) | A globally unique identifier, human-readable for your AWS account | `string` | `null` | no |
| [user\_access\_role\_name](#input\_user\_access\_role\_name) | Name of the user role | `string` | `"resource-user"` | no |
| [user\_multi\_factor\_auth\_age](#input\_user\_multi\_factor\_auth\_age) | The amount of time (in minutes) for a user session to be valid | `number` | `240` | no |
| [users\_account\_id](#input\_users\_account\_id) | The account ID of where the users are living in | `string` | `null` | no |

## Outputs

| Name | Description |
|------|-------------|
| [resource\_admin\_role\_arn](#output\_resource\_admin\_role\_arn) | The ARN of the role users are able to assume to attain admin privileges |
| [resource\_admin\_role\_name](#output\_resource\_admin\_role\_name) | The name of the role users are able to assume to attain admin privileges |
| [resource\_user\_role\_arn](#output\_resource\_user\_role\_arn) | The ARN of the role users are able to assume to attain user privileges |
| [resource\_user\_role\_name](#output\_resource\_user\_role\_name) | The name of the role users are able to assume to attain user privileges |

## vpc

This module builds a VPC with the default CIDR range of `10.0.0.0/16`, three subnets in a "public" configuration (attached to and routed through an AWS Internet Gateway) and three subnets in a "private" configuration (attached to and routed through three separate AWS NAT Gateways):

![AWS VPC illustration](https://raw.githubusercontent.com/moritzheiber/terraform-aws-core-modules/main/files/aws_vpc.png)

### Usage example

Add the following statement to your `variables.tf` to use the `vpc` module:

```hcl
module "core_vpc" {
source = "git::https://github.com/moritzheiber/terraform-aws-core-modules.git//vpc"

tags = {
Resource = "my_team_name"
Cost_Center = "my_billing_tag"
}
}
```

and run `terraform init` to download the required module files.

**All created subnets will have a tag attached to them which specifies their scope** (i.e. "public" for public subnets and "private" for private subnets) which you can use to filter for the right networks using Terraform data sources:

```hcl
data "aws_vpc" "core" {
tags = {
# `core_vpc` is the default, the variable is `vpc_name`
Name = "core_vpc"
}
}

data "aws_subnets" "public" {
filter {
name = "vpc-id"
values = [data.aws_vpc.core.id]
}

tags = {
Scope = "Public"
}
}

data "aws_subnets" "public" {
filter {
name = "vpc-id"
values = [data.aws_vpc.core.id]
}

tags = {
Scope = "Private"
}
}
```

The result is a list of subnet IDs, either in the public or private VPC zone, you can use to create other resources such as Load Balancers or AutoScalingGroups.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1 |
| [aws](#requirement\_aws) | ~> 4 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Whether or not to enable VPC DNS hostname support | `bool` | `true` | no |
| [enable\_dns\_support](#input\_enable\_dns\_support) | Whether or not to enable VPC DNS support | `bool` | `true` | no |
| [private\_subnet\_offset](#input\_private\_subnet\_offset) | The amount of IP space between the public and the private subnet | `number` | `2` | no |
| [private\_subnet\_prefix](#input\_private\_subnet\_prefix) | The prefix to attach to the name of the private subnets | `string` | `""` | no |
| [private\_subnet\_size](#input\_private\_subnet\_size) | The size of the private subnet (default: 1022 usable addresses) | `number` | `6` | no |
| [public\_subnet\_prefix](#input\_public\_subnet\_prefix) | The prefix to attach to the name of the public subnets | `string` | `""` | no |
| [public\_subnet\_size](#input\_public\_subnet\_size) | The size of the public subnet (default: 1022 usable addresses) | `number` | `6` | no |
| [tags](#input\_tags) | A map of tags to apply to all VPC resources | `map(string)` | `{}` | no |
| [vpc\_cidr\_range](#input\_vpc\_cidr\_range) | The IP address space to use for the VPC | `string` | `"10.0.0.0/16"` | no |
| [vpc\_name](#input\_vpc\_name) | The name of the VPC | `string` | `"core_vpc"` | no |

## Outputs

| Name | Description |
|------|-------------|
| [private\_subnet\_ids](#output\_private\_subnet\_ids) | A list of private subnet IDs |
| [public\_subnet\_ids](#output\_public\_subnet\_ids) | A list of public subnet IDs |
| [vpc\_id](#output\_vpc\_id) | The ID of the created VPC |