modified files

Author: Helenaden

ec2.tf

@@ -18,8 +18,8 @@ data "aws_ami" "amazon_linux_2" {
   }
 }
 
-resource "aws_key_pair" "terraform_key" {
-  key_name   = "ec2-new-key"
+resource "aws_key_pair" "terraform_key_3" {
+  key_name   = "ec2-new3-key"
   public_key = tls_private_key.rsa.public_key_openssh
 }
 
@@ -28,13 +28,14 @@ resource "tls_private_key" "rsa" {
   rsa_bits  = 4096
 }
 
-resource "aws_secretsmanager_secret" "ec2_private_key" {
-  name        = "ec2-private-key"
+resource "aws_secretsmanager_secret" "ec2_private_key_new" {
+  name        = "ec2-private-key-new"
   description = "EC2 private key for SSH access"
+  kms_key_id  = aws_kms_key.secrets_key.arn
 }
 
 resource "aws_secretsmanager_secret_version" "ec2_private_key_version" {
-  secret_id     = aws_secretsmanager_secret.ec2_private_key.id
+  secret_id     = aws_secretsmanager_secret.ec2_private_key_new.id
   secret_string = tls_private_key.rsa.private_key_pem
 }
 
@@ -53,7 +54,7 @@ resource "aws_launch_template" "web_tier_template" {
   name_prefix     = "web-tier-"
   image_id        = data.aws_ami.amazon_linux_2.id
   instance_type   = "t2.micro"
-  key_name        = aws_key_pair.terraform_key.key_name
+  key_name        = aws_key_pair.terraform_key_3.key_name
   user_data       = base64encode(data.template_file.web_user_data.rendered)
 
   block_device_mappings {
@@ -83,7 +84,7 @@ resource "aws_launch_template" "app_tier_template" {
   name_prefix     = "app-tier-"
   image_id        = data.aws_ami.amazon_linux_2.id
   instance_type   = "t2.micro"
-  key_name        = aws_key_pair.terraform_key.key_name
+  key_name        = aws_key_pair.terraform_key_3.key_name
   user_data       = base64encode(data.template_file.app_user_data.rendered)
 
   block_device_mappings {

iam.tf

@@ -57,7 +57,7 @@ data "aws_iam_policy_document" "web_tier_policy_doc" {
       # The ARN of the secret we'll create later in kms_secrets.tf
       "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:db-credentials*",
       # New: Permission to retrieve the EC2 private key
-      aws_secretsmanager_secret.ec2_private_key.arn,
+      aws_secretsmanager_secret.ec2_private_key_new.arn,
     ]
   }
 }
@@ -82,7 +82,7 @@ data "aws_iam_policy_document" "app_tier_policy_doc" {
     resources = [
       "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:db-credentials*",
       # New: Permission to retrieve the EC2 private key
-      aws_secretsmanager_secret.ec2_private_key.arn,
+      aws_secretsmanager_secret.ec2_private_key_new.arn,
     ]
   }
 
@@ -111,10 +111,10 @@ resource "aws_iam_role_policy" "app_tier_policy" {
 #Add an IAM policy for the Inspector agent.
 resource "aws_iam_role_policy_attachment" "inspector_agent_web_policy_attach" {
   role       = aws_iam_role.web_tier_role.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2RoleforSSM"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
 resource "aws_iam_role_policy_attachment" "inspector_agent_app_policy_attach" {
   role       = aws_iam_role.app_tier_role.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2RoleforSSM"
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }

kms-secrets.tf

@@ -44,16 +44,16 @@ resource "aws_kms_key" "secrets_key" {
 }
 
 # Create an RDS MySQL database secret
-resource "aws_secretsmanager_secret" "db_credentials" {
-  name                     = "db-credentials"
+resource "aws_secretsmanager_secret" "db_credentials_new" {
+  name                     = "db-credentials-new"
   description              = "RDS MySQL database credentials"
   kms_key_id               = aws_kms_key.secrets_key.arn
 }
 
 # Store the actual secret value. 
 # This should be a securely generated value, not hardcoded.
 resource "aws_secretsmanager_secret_version" "db_credentials_version" {
-  secret_id = aws_secretsmanager_secret.db_credentials.id
+  secret_id = aws_secretsmanager_secret.db_credentials_new.id
   secret_string = jsonencode({
     username = var.db_username
     password = random_password.db_password.result
@@ -63,6 +63,7 @@ resource "aws_secretsmanager_secret_version" "db_credentials_version" {
 resource "random_password" "db_password" {
   length  = 16
   special = true
+  override_special = "!#$%&*()_+-=[]{}<>:;?|~" # Customize as needed
   keepers = {
     version = "1"
   }

security.tf

@@ -1,13 +1,28 @@
 # Description: This file implements CloudTrail and WAF.
 # -------------------------------------------------------------
 
+# -------------------------------------------------------------
+# CloudTrail and CloudWatch Resources
+# -------------------------------------------------------------
+
 # CloudTrail S3 Bucket for log storage
 resource "aws_s3_bucket" "cloudtrail_logs" {
   # The bucket name must be globally unique across all of AWS
   # We use the account ID to ensure uniqueness
   bucket = "cloudtrail-logs-${data.aws_caller_identity.current.account_id}"
 }
 
+# S3 Bucket Public Access Block
+# This is a best practice to prevent the bucket from being publicly accessible.
+resource "aws_s3_bucket_public_access_block" "cloudtrail_logs" {
+  bucket = aws_s3_bucket.cloudtrail_logs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 # S3 Bucket Policy for CloudTrail logs
 resource "aws_s3_bucket_policy" "cloudtrail_logs_policy" {
   bucket = aws_s3_bucket.cloudtrail_logs.id
@@ -17,30 +32,49 @@ resource "aws_s3_bucket_policy" "cloudtrail_logs_policy" {
     Version = "2012-10-17"
     Statement = [
       {
-        Effect    = "Allow"
+        Effect = "Allow"
         Principal = {
           Service = "cloudtrail.amazonaws.com"
         }
-        Action    = "s3:PutObject"
-        Resource  = "${aws_s3_bucket.cloudtrail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
+        Action = "s3:PutObject"
+        Resource = "${aws_s3_bucket.cloudtrail_logs.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
       },
       {
-        Effect    = "Allow"
+        Effect = "Allow"
         Principal = {
           Service = "cloudtrail.amazonaws.com"
         }
-        Action    = "s3:GetBucketAcl"
-        Resource  = aws_s3_bucket.cloudtrail_logs.arn
+        Action = "s3:GetBucketAcl"
+        Resource = aws_s3_bucket.cloudtrail_logs.arn
       },
     ]
   })
 }
 
+# S3 Bucket Versioning
+resource "aws_s3_bucket_versioning" "cloudtrail_logs_versioning" {
+  bucket = aws_s3_bucket.cloudtrail_logs.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+# S3 Bucket Server-Side Encryption
+resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_s3_bucket_sse" {
+  bucket = aws_s3_bucket.cloudtrail_logs.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+      # Use the ARN of the KMS key data source
+      kms_master_key_id = aws_kms_key.secrets_key.arn
+    }
+  }
+}
+
 # CloudTrail CloudWatch Log Group
 resource "aws_cloudwatch_log_group" "cloudtrail_log_group" {
   name              = "CloudTrail-Log-Group"
   retention_in_days = 90
-  kms_key_id        = aws_kms_key.secrets_key.arn
 }
 
 # IAM Role for CloudTrail to publish logs to CloudWatch
@@ -50,11 +84,11 @@ resource "aws_iam_role" "cloudtrail_role" {
     Version = "2012-10-17"
     Statement = [
       {
-        Effect    = "Allow"
+        Effect = "Allow"
         Principal = {
           Service = "cloudtrail.amazonaws.com"
         }
-        Action    = "sts:AssumeRole"
+        Action = "sts:AssumeRole"
       },
     ]
   })
@@ -68,49 +102,32 @@ resource "aws_iam_role_policy" "cloudtrail_policy" {
     Version = "2012-10-17"
     Statement = [
       {
-        Effect   = "Allow"
-        Action   = [
+        Effect = "Allow"
+        # ADDED `logs:DescribeLogGroups` to fix the validation error
+        Action = [
           "logs:CreateLogStream",
-          "logs:PutLogEvents"
+          "logs:PutLogEvents",
+          "logs:DescribeLogGroups"
         ]
-        Resource = aws_cloudwatch_log_group.cloudtrail_log_group.arn
+        Resource = "${aws_cloudwatch_log_group.cloudtrail_log_group.arn}:*"
       },
     ]
   })
 }
 
 # AWS CloudTrail Trail
 resource "aws_cloudtrail" "trail" {
-  name                       = "management-events-trail"
-  s3_bucket_name             = aws_s3_bucket.cloudtrail_logs.id
-  is_multi_region_trail      = true
-  enable_log_file_validation = true # Ensures log integrity
-  # Corrected ARN - removed the trailing :*
-  cloud_watch_logs_group_arn = aws_cloudwatch_log_group.cloudtrail_log_group.arn
-  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_role.arn
-}
-
-# S3 Bucket Versioning
-# This enables versioning on the bucket, which helps protect against accidental
-# deletion or modification of log files.
-resource "aws_s3_bucket_versioning" "cloudtrail_logs_versioning" {
-  bucket = aws_s3_bucket.cloudtrail_logs.id
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-# S3 Bucket Server-Side Encryption
-# This enforces server-side encryption for all objects in the bucket,
-# ensuring your logs are encrypted at rest.
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail_s3_bucket_sse" {
-  bucket = aws_s3_bucket.cloudtrail_logs.id
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm     = "aws:kms"
-      kms_master_key_id = aws_kms_key.secrets_key.arn
-    }
-  }
+  depends_on = [
+    aws_cloudwatch_log_group.cloudtrail_log_group,
+    aws_iam_role.cloudtrail_role,
+    aws_iam_role_policy.cloudtrail_policy
+  ]
+  name                          = "management-events-trail"
+  s3_bucket_name                = aws_s3_bucket.cloudtrail_logs.id
+  is_multi_region_trail         = true
+  enable_log_file_validation    = true
+  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.cloudtrail_log_group.arn}:*"
+  cloud_watch_logs_role_arn     = aws_iam_role.cloudtrail_role.arn
 }
 
 # Web Application Firewall (WAF)
@@ -126,18 +143,16 @@ resource "aws_wafv2_web_acl" "web_acl" {
   # that protects against common exploits like SQLi and XSS.
   rule {
     # Use a unique name for this rule
-    name     = "CommonRuleSet"
-    priority = 1
+    name       = "CommonRuleSet"
+    priority   = 1
     statement {
       managed_rule_group_statement {
-        vendor_name = "AWS"
-        # This is the correct managed rule group name from AWS
         name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
       }
     }
-    action {
-      # This action should be 'block' to protect against common exploits
-      block {}
+    override_action {
+      none {}
     }
     visibility_config {
       cloudwatch_metrics_enabled = true
@@ -146,20 +161,19 @@ resource "aws_wafv2_web_acl" "web_acl" {
     }
   }
 
-  # Rule to protect against Log4j2 vulnerabilities and other bad inputs
+  # Rule to protect against known bad inputs and scanners
   rule {
     # Use a unique name for this rule
-    name     = "KnownBadInputs"
-    priority = 2
+    name       = "KnownBadInputs"
+    priority   = 2
     statement {
       managed_rule_group_statement {
+        name        = "AWSManagedRulesAmazonIpReputationList"
         vendor_name = "AWS"
-        # This is the correct managed rule group name from AWS
-        name        = "AWSManagedRulesKnownBadInputsRuleSet"
       }
     }
-    action {
-      block {}
+    override_action {
+      none {}
     }
     visibility_config {
       cloudwatch_metrics_enabled = true