Coalfire

AWS Account Setup Terraform Module

Description

The AWS account setup module creates the initial account configuration for your project, including IAM roles, KMS keys, an S3 installs bucket, and more.

FedRAMP Compliance: High

Resource List

Resources that are created as a part of this module include:

  • IAM roles
  • IAM policies
  • IAM instance profiles
  • KMS keys
  • S3 buckets
  • Security core module resources

Assumptions

  • application_account_numbers has no default, so it must always be set. If the account has no application accounts yet, pass application_account_numbers = [""] rather than omitting the variable.

Usage

```hcl
module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup"

  aws_region         = "us-east-1"
  default_aws_region = "us-east-1"

  application_account_numbers = ["account-number1", "account-number2", "account-number3"]
  account_number              = "your-account-number"

  resource_prefix         = "pre"
  create_cloudtrail       = true
  partition               = "aws"
  ad_secrets_manager_path = "your/ad/path"
  enable_aws_config       = true
  delete_after            = 90
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| additional_kms_keys | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| backup_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| cloudwatch_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| ebs_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| lambda_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| rds_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| s3-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-backups | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-elb-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-installs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| security-core | github.com/Coalfire-CF/terraform-aws-securitycore | v0.0.17 |
| sm_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |

Resources

| Name | Type |
|------|------|
| aws_iam_instance_profile.packer_profile | resource |
| aws_iam_policy.packer_policy | resource |
| aws_iam_policy_attachment.packer_access_attach_policy | resource |
| aws_iam_role.packer_role | resource |
| aws_kms_grant.packer_ebs | resource |
| aws_kms_grant.packer_s3 | resource |
| aws_elb_service_account.main | data source |
| aws_iam_policy_document.cloudwatch_key | data source |
| aws_iam_policy_document.ebs_key | data source |
| aws_iam_policy_document.elb_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.packer_assume_role_policy_document | data source |
| aws_iam_policy_document.packer_policy_document | data source |
| aws_iam_policy_document.s3_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.secrets_manager_key | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_number | The AWS account number resources are being deployed into | string | n/a | yes |
| additional_kms_keys | A list of maps of any additional KMS keys that need to be created | list(map(string)) | [] | no |
| application_account_numbers | AWS account numbers for all application accounts | list(string) | n/a | yes |
| aws_backup_plan_name | AWS Backup plan name | string | "fedramp-aws-backup-plan" | no |
| aws_lb_account_ids | Per-region AWS Elastic Load Balancing service account IDs used for access-log delivery; see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html | map(string) | {"us-east-1": "127311923021", "us-east-2": "033677994240", "us-gov-east-1": "190560391635", "us-gov-west-1": "048591011584", "us-west-2": "797873946194"} | no |
| aws_region | The AWS region to create resources in | string | n/a | yes |
| backup_rule_name | AWS Backup rule name | string | "fedramp-aws-backup-default-rule" | no |
| backup_selection_tag_value | AWS Backup tag value used to select resources | string | "fedramp-daily-aws-backups" | no |
| backup_vault_name | AWS Backup vault name | string | "fedramp-aws-backup-vault" | no |
| config_delivery_frequency | AWS Config delivery frequency | string | "One_Hour" | no |
| create_backup_kms_key | Create a KMS key for AWS Backup | bool | true | no |
| create_cloudtrail | Whether or not to create CloudTrail resources | bool | false | no |
| create_cloudwatch_kms_key | Create a KMS key for AWS CloudWatch | bool | true | no |
| create_dynamo_kms_key | Create a KMS key for DynamoDB | bool | true | no |
| create_ebs_kms_key | Create a KMS key for EBS | bool | true | no |
| create_lambda_kms_key | Create a KMS key for Lambda | bool | true | no |
| create_rds_kms_key | Create a KMS key for RDS | bool | true | no |
| create_s3_kms_key | Create a KMS key for S3 | bool | true | no |
| create_sm_kms_key | Create a KMS key for Secrets Manager | bool | true | no |
| default_aws_region | The default AWS region to create resources in | string | n/a | yes |
| delete_after | Number of days after which a recovery point should be deleted | number | 35 | no |
| enable_aws_config | Enable AWS Config for this account | bool | false | no |
| lambda_time_zone | The time zone for Lambda functions | string | "US/Eastern" | no |
| resource_prefix | The prefix for the S3 bucket names | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| additional_kms_key_arns | n/a |
| additional_kms_key_ids | n/a |
| backup_kms_key_arn | n/a |
| backup_kms_key_id | n/a |
| cloudwatch_kms_key_arn | n/a |
| cloudwatch_kms_key_id | n/a |
| dynamo_kms_key_arn | n/a |
| dynamo_kms_key_id | n/a |
| dynamodb_table_name | n/a |
| ebs_kms_key_arn | n/a |
| ebs_kms_key_id | n/a |
| lambda_kms_key_arn | n/a |
| lambda_kms_key_id | n/a |
| rds_kms_key_arn | n/a |
| rds_kms_key_id | n/a |
| s3_access_logs_arn | n/a |
| s3_access_logs_id | n/a |
| s3_backups_arn | n/a |
| s3_backups_id | n/a |
| s3_elb_access_logs_arn | n/a |
| s3_elb_access_logs_id | n/a |
| s3_installs_arn | n/a |
| s3_installs_id | n/a |
| s3_kms_key_arn | n/a |
| s3_kms_key_id | n/a |
| s3_tstate_bucket_name | n/a |
| sm_kms_key_arn | n/a |
| sm_kms_key_id | n/a |
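The following is an added example, not code from this module or its README, that ties the Usage section and the Outputs table together: it calls the module with a fallback for an empty application-account list (per the Assumptions section) and then feeds the module's KMS key outputs into downstream resources so that EBS, S3, Secrets Manager and CloudWatch Logs all encrypt with the customer-managed keys the module created. The variable name, the account ID, the bucket/secret/log-group names and the `?ref=v1.0.0` tag are placeholders chosen for illustration; v1.0.0 is not a known release of the module, but pinning the source to a reviewed tag or commit is what you want in practice, since an unpinned GitHub source tracks the default branch.

```hcl
# Added example; not part of the Coalfire module. Names and IDs are placeholders.

variable "application_account_numbers" {
  description = "Application account IDs; may be empty when none exist yet"
  type        = list(string)
  default     = []
}

module "account-setup" {
  # Pin to a tag or commit you have reviewed (v1.0.0 is a placeholder).
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v1.0.0"

  aws_region         = "us-east-1"
  default_aws_region = "us-east-1"
  partition          = "aws"

  account_number = "111111111111" # placeholder 12-digit account ID

  # The input has no default, so it must be set; pass [""] when there are
  # no application accounts, as the README's Assumptions section describes.
  application_account_numbers = (
    length(var.application_account_numbers) > 0 ? var.application_account_numbers : [""]
  )

  resource_prefix         = "pre"
  create_cloudtrail       = true
  enable_aws_config       = true
  ad_secrets_manager_path = "your/ad/path"
  delete_after            = 90
}

# EBS: make encryption the regional default and point it at the module's EBS
# CMK, so a volume created without explicit settings cannot be unencrypted.
resource "aws_ebs_encryption_by_default" "this" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "this" {
  key_arn = module.account-setup.ebs_kms_key_arn
}

# S3: an application bucket whose default encryption uses the module's S3 CMK.
resource "aws_s3_bucket" "app_data" {
  bucket = "pre-app-data-example"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "app_data" {
  bucket = aws_s3_bucket.app_data.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = module.account-setup.s3_kms_key_arn
    }
    bucket_key_enabled = true
  }
}

# Secrets Manager: a secret encrypted with the module's Secrets Manager CMK.
resource "aws_secretsmanager_secret" "app_db" {
  name       = "pre/app/db-credentials"
  kms_key_id = module.account-setup.sm_kms_key_id
}

# CloudWatch Logs: a log group encrypted with the module's CloudWatch CMK.
# The log group's kms_key_id argument expects the key ARN, so use the _arn output.
resource "aws_cloudwatch_log_group" "app" {
  name              = "/pre/app"
  retention_in_days = 365
  kms_key_id        = module.account-setup.cloudwatch_kms_key_arn
}
```

Run `terraform plan` from a directory containing this file and the provider configuration; every downstream resource should show the module's key ARN or ID in its encryption attribute, which is a quick way to confirm that nothing falls back to an AWS-managed key.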

Contributing

If you're interested in contributing to our projects, please review the Contributing Guidelines, and send an email to our team to receive a copy of our CLA and start the onboarding process.

License


Copyright

Copyright © 2023 Coalfire Systems Inc.
