From dd6423244e1153eff7fdb1040c8d044b2042eacc Mon Sep 17 00:00:00 2001 
From: janvt
Date: Fri, 26 May 2023 13:50:25 +0200
Subject: [PATCH] initial commit
---
 .editorconfig | 19 ++
 .github/.templatesyncignore | 5 +
 .github/pull_request-template.md | 21 ++
 .github/workflows/linter.yaml | 122 +++++++++++
 .github/workflows/release.yaml | 96 +++++++++
 .github/workflows/semantic-pr.yaml | 73 +++++++
 .github/workflows/sync-templates.yaml | 63 ++++++
 .github/workflows/validate.yaml | 46 ++++
 .gitignore | 32 +++
 .pre-commit-config.yaml | 16 ++
 .terraform-docs.yml | 46 ++++
 .tflint.hcl | 10 +
 LICENSE | 201 ++++++++++++++++++
 Makefile | 43 ++++
 README.md | 78 +++++++
 docs/10-header.md | 1 +
 docs/20-badges.md | 31 +++
 examples/full/main.tf | 7 +
 examples/minimum/main.tf | 3 +
 main.tf | 20 ++
 modules/cloudwatch/.terraform-docs.yml | 13 ++
 modules/cloudwatch/README.md | 33 +++
 modules/cloudwatch/main.tf | 17 ++
 modules/cloudwatch/variables.tf | 5 +
 modules/cloudwatch/versions.tf | 10 +
 .../iam_password_policy/.terraform-docs.yml | 13 ++
 modules/iam_password_policy/README.md | 34 +++
 modules/iam_password_policy/main.tf | 19 ++
 modules/iam_password_policy/variables.tf | 53 +++++
 modules/iam_password_policy/versions.tf | 10 +
 modules/s3/.terraform-docs.yml | 13 ++
 modules/s3/README.md | 30 +++
 modules/s3/main.tf | 13 ++
 modules/s3/variables.tf | 23 ++
 modules/s3/versions.tf | 10 +
 outputs.tf | 0
 test/.gitignore | 0
 variables.tf | 20 ++
 versions.tf | 3 +
 39 files changed, 1252 insertions(+)
 create mode 100644 .editorconfig
 create mode 100644 .github/.templatesyncignore
 create mode 100644 .github/pull_request-template.md
 create mode 100644 .github/workflows/linter.yaml
 create mode 100644 .github/workflows/release.yaml
 create mode 100644 .github/workflows/semantic-pr.yaml
 create mode 100644 .github/workflows/sync-templates.yaml
 create mode 100644 .github/workflows/validate.yaml
 create mode 100644 .gitignore
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 .terraform-docs.yml
 create mode 100644 .tflint.hcl
 create mode 100644 LICENSE
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 docs/10-header.md
 create mode 100644 docs/20-badges.md
 create mode 100644 examples/full/main.tf
 create mode 100644 examples/minimum/main.tf
 create mode 100644 main.tf
 create mode 100644 modules/cloudwatch/.terraform-docs.yml
 create mode 100644 modules/cloudwatch/README.md
 create mode 100644 modules/cloudwatch/main.tf
 create mode 100644 modules/cloudwatch/variables.tf
 create mode 100644 modules/cloudwatch/versions.tf
 create mode 100644 modules/iam_password_policy/.terraform-docs.yml
 create mode 100644 modules/iam_password_policy/README.md
 create mode 100644 modules/iam_password_policy/main.tf
 create mode 100644 modules/iam_password_policy/variables.tf
 create mode 100644 modules/iam_password_policy/versions.tf
 create mode 100644 modules/s3/.terraform-docs.yml
 create mode 100644 modules/s3/README.md
 create mode 100644 modules/s3/main.tf
 create mode 100644 modules/s3/variables.tf
 create mode 100644 modules/s3/versions.tf
 create mode 100644 outputs.tf
 create mode 100644 test/.gitignore
 create mode 100644 variables.tf
 create mode 100644 versions.tf
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..2705490
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,19 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[{Makefile,**.mk}]
+indent_style = tab
diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
new file mode 100644
index 0000000..e988577
--- /dev/null
+++ b/.github/.templatesyncignore
@@ -0,0 +1,5 @@
+README.md
+.github/workflows/*
+.terraform-docs.yml
+docs/20-badges.md
+*.tf
diff --git a/.github/pull_request-template.md b/.github/pull_request-template.md new file mode 100644 index 0000000..60761ad --- /dev/null +++ b/.github/pull_request-template.md @@ -0,0 +1,21 @@ + + + +## What it solves + +... + +## How this PR fixes it + +... + +## Readiness Checklist + +### Author/Contributor +- [ ] If documentation is needed for this change, has that been included in this pull request +- [ ] Pull request title is brief and descriptive (for a changelog entry) + +### Reviewing Maintainer +- [ ] Label as `breaking` if this is a large fundamental change +- [ ] Label as either `automation`, `bug`, `documentation`, or `enhancement` +- [ ] Label as `bump:patch`, `bump:minor`, or `bump:major` if this PR should create a new release diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml new file mode 100644 index 0000000..79f6699 --- /dev/null +++ b/.github/workflows/linter.yaml 
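Review bot: The template is added as `.github/pull_request-template.md`, but GitHub auto-applies a pull request template only under the name `pull_request_template.md` (underscore, case-insensitive) in the repository root, `docs/` or `.github/`; as far as I know the hyphenated name is not recognised, so new PRs would open with an empty description and the readiness checklist would never be shown. Rename the file to `.github/pull_request_template.md`.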
@@ -0,0 +1,122 @@ +--- +################ +## Run linter ## +################ + +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +name: Lint +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +########################## +# Prevent duplicate jobs # +########################## +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +permissions: + contents: read + pull-requests: write + +############### +# Run the job # +############### +jobs: + ########## + # TF fmt # + ########## + tf-fmt: + name: FMT + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ##################### + # Run Terraform fmt # + ##################### + - name: Terraform fmt + uses: dflook/terraform-fmt-check@v1.29.1 + + ########## + # TFLint # + ########## + tf-lint: + name: TFLint + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ################# + # Cache plugins # + ################# + - name: Cache plugin dir + uses: actions/cache@v3.0.11 + with: + path: ~/.tflint.d/plugins + key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }} + + ################ + # Setup TFLint # + ################ + - name: Setup TFLint + uses: terraform-linters/setup-tflint@v2 + with: + tflint_version: v0.42.2 + + ############### + # Init TFLint # + ############### + - name: Init TFLint + run: tflint --init + + ############## + # Run TFLint # + ############## + - name: Run TFLint + run: tflint -f compact + + ########### + # TF docs # + ########### + tf-docs: + name: Docs + if: ${{ github.event_name == 'pull_request' }} + permissions: + contents: write + pull-requests: write + + runs-on: ubuntu-latest + steps: + 
############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + with: + ref: ${{ github.event.pull_request.head.ref }} + + #################### + # Update README.md # + #################### + - name: Terraform docs + uses: terraform-docs/gh-actions@v1.0.0 + with: + ref: ${{ github.event.pull_request.head.ref }} + config-file: .terraform-docs.yml + git-push: true diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..a66b5c7 --- /dev/null +++ b/.github/workflows/release.yaml 
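Review bot: The TFLint cache key `key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` references `matrix.os`, but the `tf-lint` job declares no `strategy.matrix`, so the expression evaluates to an empty string and the key degrades to `-tflint-<hash>`; the intended form is `key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}`. Separately, the `tf-docs` job checks out `github.event.pull_request.head.ref` and pushes generated README changes back with `git-push: true` under `contents: write`; since the trigger is `pull_request` rather than `pull_request_target`, the token is read-only for fork PRs and that branch ref does not exist in the base repository, so the job is likely to fail at checkout or push for external contributors and only works for same-repo branches — a comment above the job stating that limitation would save confusion. All actions in this file are referenced by mutable tags (`actions/checkout@v3.1.0`, `dflook/terraform-fmt-check@v1.29.1`, `terraform-docs/gh-actions@v1.0.0`); for a workflow that pushes commits, pinning to a full commit SHA with the tag kept in a trailing comment is the safer convention.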
@@ -0,0 +1,96 @@ +--- +##################### +## Create releases ## +##################### + +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +name: Release +on: + push: + branches: [ main ] + tags: [ 'v*.*.*' ] + pull_request: + types: [ labeled ] + +################# +# Start the job # +################# +jobs: + ############### + # Steps below # + ############### + create-release: + name: Create Release + if: github.event.action != 'labeled' + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ################################### + # Bump version depending on label # + ################################### + - name: Bump version + if: "!startsWith(github.ref, 'refs/tags/')" + id: bumpr + uses: haya14busa/action-bumpr@v1 + + ################### + # Update the tags # + ################### + - name: Update tag + if: "!steps.bumpr.outputs.skip" + uses: haya14busa/action-update-semver@v1 + with: + tag: ${{ steps.bumpr.outputs.next_version }} + + ################ + # Get tag name # + ################ + - name: Get tag name + id: tag + uses: haya14busa/action-cond@v1 + with: + cond: "${{ startsWith(github.ref, 'refs/tags/') }}" + if_true: ${{ github.ref }} + if_false: ${{ steps.bumpr.outputs.next_version }} + + ################## + # Create release # + ################## + - name: Create release + uses: softprops/action-gh-release@v1 + if: "steps.tag.outputs.value != ''" + with: + name: Release ${{ steps.tag.outputs.value }} + body: ${{ steps.bumpr.outputs.message }} + tag_name: ${{ steps.tag.outputs.value }} + draft: false + prerelease: false + + ########################### + # Release preview comment # + ########################### + release-check: + if: github.event.action == 'labeled' + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the 
source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ####################### + # Post status comment # + ####################### + - name: Post bumpr status comment + uses: haya14busa/action-bumpr@v1 diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml new file mode 100644 index 0000000..528ee15 --- /dev/null +++ b/.github/workflows/semantic-pr.yaml 
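Review bot: This workflow declares no `permissions:` block, unlike linter.yaml and semantic-pr.yaml, so the GITHUB_TOKEN handed to `action-bumpr`, `action-update-semver` and `action-gh-release` carries whatever the repository's default token scope is rather than the minimum these steps need; add `permissions: { contents: write, pull-requests: write }` on `create-release` and `permissions: { pull-requests: write }` on `release-check`. The same omission applies to sync-templates.yaml and validate.yaml in this commit (the latter only needs `contents: read`). The release-creating actions are also referenced by floating major tags (`haya14busa/action-bumpr@v1`, `haya14busa/action-update-semver@v1`, `haya14busa/action-cond@v1`, `softprops/action-gh-release@v1`); because this job runs on every push to main with a token that can create tags and releases, pinning them to a full commit SHA removes the possibility of a retargeted tag silently changing what gets published.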
@@ -0,0 +1,73 @@ +--- +##################### +## Run Semantic PR ## +##################### + +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +name: Semantic PR +on: + pull_request: + types: [ opened, edited, synchronize ] + +########################## +# Prevent duplicate jobs # +########################## +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +permissions: + contents: read + pull-requests: write + +############### +# Run the job # +############### +jobs: + ############### + # Semantic PR # + ############### + semantic-pr: + name: Validate PR + runs-on: ubuntu-latest + timeout-minutes: 5 + steps: + ############ + # Check PR # + ############ + - name: Check PR + id: lint-pr-title + uses: amannn/action-semantic-pull-request@v5.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + ############################# + # Add PR comment with error # + ############################# + - name: Add PR error comment + uses: marocchino/sticky-pull-request-comment@v2.3.0 + if: always() && (steps.lint-pr-title.outputs.error_message != null) + with: + header: pr-title-lint-error + message: | + We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted. + + Details: + + ``` + ${{ steps.lint-pr-title.outputs.error_message }} + ``` + + ################################ + # Delete PR comment with error # + ################################ + - name: Delete PR error comment + uses: marocchino/sticky-pull-request-comment@v2.3.0 + if: ${{ steps.lint_pr_title.outputs.error_message == null }} + with: + header: pr-title-lint-error + delete: true diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml new file mode 100644 index 0000000..dfa10ab --- /dev/null +++ b/.github/workflows/sync-templates.yaml 
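Review bot: The delete step's condition `if: ${{ steps.lint_pr_title.outputs.error_message == null }}` references step id `lint_pr_title`, but the step is declared as `id: lint-pr-title`; an unknown step id evaluates to null, so the condition is always true and the sticky comment is deleted on every run, including right after the preceding step posted it. Change the line to `if: ${{ steps.lint-pr-title.outputs.error_message == null }}` so the comment survives while the title is still non-conforming. A tag-pinned `amannn/action-semantic-pull-request@v5.0.2` and `marocchino/sticky-pull-request-comment@v2.3.0` run here with `pull-requests: write`; the same SHA-pinning remark as for the other workflows applies.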
@@ -0,0 +1,63 @@ +--- +######################### +## Sync template files ## +######################### + +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +name: Sync templates +on: + workflow_dispatch: # Trigger manually + schedule: + - cron: "0 0 1 * *" # Run at 00:00 on the first day of every month + +########################## +# Prevent duplicate jobs # +########################## +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +############### +# Run the job # +############### +jobs: + ############### + # Sync labels # + ############### + sync-labels: + name: Sync labels + runs-on: ubuntu-latest + steps: + ################################## + # Sync labels with template Repo # + ################################## + - name: Sync labels + uses: EndBug/label-sync@v2.3.1 + with: + config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml + + ####################### + # Sync template files # + ####################### + sync-template-files: + name: Sync template files + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ####################### + # Sync template files # + ####################### + - name: actions-template-sync + uses: AndreasAugustin/actions-template-sync@v0.7.3 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + source_repo_path: geekcell/terraform-aws-module-template diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml new file mode 100644 index 0000000..1d0cd87 --- /dev/null +++ b/.github/workflows/validate.yaml 
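Review bot: Both jobs authenticate with `secrets.GITHUB_TOKEN`; pull requests opened with that token do not trigger other `pull_request` workflows, so a sync PR created by `AndreasAugustin/actions-template-sync` would sit in the queue without the Lint and Validate checks ever running on it. If that is acceptable, a comment on the `github_token:` line saying so would spare the next reader a debugging session; otherwise a fine-grained PAT or GitHub App token stored as a secret is the usual workaround. Note also that `source_repo_path: geekcell/terraform-aws-module-template` disagrees with `TEMPLATE_REPO` in the Makefile of this same commit, which points at `geekcell/template-terraform-module.git`; one of the two is probably stale.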
@@ -0,0 +1,46 @@ +--- +################## +## Run validate ## +################## + +# +# Documentation: +# https://help.github.com/en/articles/workflow-syntax-for-github-actions +# + +name: Validate +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +########################## +# Prevent duplicate jobs # +########################## +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +############### +# Run the job # +############### +jobs: + ############### + # TF validate # + ############### + tf-validate: + name: Validate + runs-on: ubuntu-latest + steps: + ############################ + # Checkout the source code # + ############################ + - name: Checkout Code + uses: actions/checkout@v3.1.0 + + ########################## + # Run Terraform validate # + ########################## + - name: Terraform validate + uses: dflook/terraform-validate@v1.29.1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2485c8f --- /dev/null +++ b/.gitignore @@ -0,0 +1,32 @@ +# Local .terraform directories +**/.terraform + +# Terraform lockfile +.terraform.lock.hcl + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Exclude all .tfvars files, which are likely to contain sentitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Ignore CLI configuration files +.terraformrc +terraform.rc + +# IDE +.idea diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..e7c9291 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,16 @@ +repos: + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.76.0 + hooks: + - id: terraform_docs + - id: terraform_fmt + - id: terraform_validate + exclude: '^[^/]+$' + - id: terraform_tflint + exclude: ^examples/ + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..ba774e5 --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,46 @@ +formatter: "md table" +header-from: main.tf + +recursive: + # Enable this if your module has submodules + enabled: true + +content: |- + {{ include "docs/10-header.md" }} + + {{ include "docs/20-badges.md" }} + + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} + + {{ .Providers }} + + ## Resources + {{ range .Module.Resources }} + - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }}) + {{- end }} + + # Examples + ### Full + ```hcl + {{ include "examples/full/main.tf" }} + ``` + + ### Minimum + ```hcl + {{ include "examples/minimum/main.tf" }} + ``` + +output: + file: "README.md" + mode: inject + template: |- + + {{ .Content }} + + +settings: + lockfile: false diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..db94b46 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,10 @@ +plugin "terraform" { + enabled = true + preset = "all" +} + +plugin "aws" { + enabled = true + version = "0.18.0" + source = "github.com/terraform-linters/tflint-ruleset-aws" +} diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c844c70 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2017-2020 Cloud Posse, LLC + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..8567b26 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,43 @@ +.DEFAULT_GOAL = help + +TEMPLATE_REPO := https://github.com/geekcell/template-terraform-module.git +UPDATABLE_TEMPLATE_FILES := .github/ docs/logo.md .editorconfig .gitignore .pref-commit-config.yaml .terraform-docs.yml .tflint.hcl LICENSE Makefile + +######### +# SETUP # +######### +.PHONY: setup/run +setup/run: setup/install-tools pre-commit/install-hooks ## Install and setup necessary tools + +.PHONY: setup/install-tools +setup/install-tools: # Install required tools +ifeq (, $(shell which brew)) + @echo "No brew in $$PATH. Currently only brew is supported for installing tools." +else + @brew install pre-commit terraform terraform-docs tflint +endif + +.PHONY: setup/update-template +setup/update-template: ## Pull the latest template files from the main repo + @git config remote.terraform-module-template.url >&- || git remote add terraform-module-template $(TEMPLATE_REPO) + @git fetch terraform-module-template main + @git checkout -p terraform-module-template/main $(UPDATABLE_TEMPLATE_FILES) + +############## +# PRE-COMMIT # +############## +.PHONY: pre-commit/install-hooks +pre-commit/install-hooks: ## Install pre-commit git hooks script + @git init + @pre-commit install + +.PHONY: pre-commit/run-all +pre-commit/run-all: ## Run pre-commit against all files + @pre-commit run -a + +######## +# HELP # +######## +.PHONY: help +help: ## Shows this help + @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_\-\.\/]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST) diff --git a/README.md b/README.md new file mode 100644 index 0000000..11bb43a --- /dev/null +++ b/README.md 
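Review bot: `UPDATABLE_TEMPLATE_FILES` lists `.pref-commit-config.yaml`, a typo for `.pre-commit-config.yaml`, and `docs/logo.md`, which does not exist in this commit (the docs added are `docs/10-header.md` and `docs/20-badges.md`); `git checkout -p` in `setup/update-template` will most likely abort on the unknown pathspecs and, even if it did not, the real pre-commit config would never be updated. Fix the typo to `.pre-commit-config.yaml` and either drop `docs/logo.md` or add that file. Since this target pulls `.github/` — the CI workflow definitions — from a remote branch, a short comment above `setup/update-template` noting that the fetched hunks are meant to be reviewed in the `-p` prompt before committing would make that trust boundary explicit.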
@@ -0,0 +1,78 @@ + +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) + +### Code Quality +[![License](https://img.shields.io/github/license/geekcell/terraform-aws-account-defaults)](https://github.com/geekcell/terraform-aws-account-defaults/blob/master/LICENSE) +[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-account-defaults?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-account-defaults/releases) +[![Release](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml) +[![Validate](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml) +[![Lint](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml) + +### Security +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=INFRASTRUCTURE+SECURITY) + +#### Cloud +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.3) +[![Infrastructure 
Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.3) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GCP+V1.1) + +##### Container +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes_16)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.6) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_eks_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+EKS+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gke_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GKE+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.5) + +#### Data protection +[![Infrastructure 
Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=SOC2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=ISO27001) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=NIST-800-53) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=HIPAA) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=FEDRAMP+%28MODERATE%29) + +# Terraform AWS Account Defaults + +This module takes care of some general account-wide settings in the running AWS account. See the documentation for +each module for more information. All modules are enabled by default. 
+ +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [enable\_cloudwatch\_defaults](#input\_enable\_cloudwatch\_defaults) | Enable the Cloudwatch submodule. | `bool` | `true` | no | +| [enable\_iam\_account\_password\_policy](#input\_enable\_iam\_account\_password\_policy) | Enable the IAM Account Password Policy submodule. | `bool` | `true` | no | +| [enable\_s3\_defaults](#input\_enable\_s3\_defaults) | Enable the S3 submodule. | `bool` | `true` | no | + +## Outputs + +No outputs. + +## Providers + +No providers. + +## Resources + + +# Examples +### Full +```hcl +module "full" { + source = "../../" + + enable_s3_defaults = true + enable_cloudwatch_defaults = true + enable_iam_account_password_policy = true +} +``` + +### Minimum +```hcl +module "minimum" { + source = "../../" +} +``` + diff --git a/docs/10-header.md b/docs/10-header.md new file mode 100644 index 0000000..3843bbf --- /dev/null +++ b/docs/10-header.md @@ -0,0 +1 @@ +[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/) diff --git a/docs/20-badges.md b/docs/20-badges.md new file mode 100644 index 0000000..69732ca --- /dev/null +++ b/docs/20-badges.md 
@@ -0,0 +1,31 @@ +### Code Quality +[![License](https://img.shields.io/github/license/geekcell/terraform-aws-account-defaults)](https://github.com/geekcell/terraform-aws-account-defaults/blob/master/LICENSE) +[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-account-defaults?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-account-defaults/releases) +[![Release](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml) +[![Validate](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml) +[![Lint](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml) + +### Security +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=INFRASTRUCTURE+SECURITY) + +#### Cloud +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.3) +[![Infrastructure 
Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.3) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GCP+V1.1) + +##### Container +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes_16)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.6) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_eks_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+EKS+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gke_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GKE+V1.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.5) + +#### Data protection +[![Infrastructure 
Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=SOC2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2.1) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=ISO27001) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=NIST-800-53) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=HIPAA) +[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=FEDRAMP+%28MODERATE%29) diff --git a/examples/full/main.tf b/examples/full/main.tf new file mode 100644 index 0000000..3ebba4e --- /dev/null +++ b/examples/full/main.tf @@ -0,0 +1,7 @@ +module "full" { + source = "../../" + + enable_s3_defaults = true + enable_cloudwatch_defaults = true + enable_iam_account_password_policy = true +} 
diff --git a/examples/minimum/main.tf b/examples/minimum/main.tf
new file mode 100644
index 0000000..ca6431f
--- /dev/null
+++ b/examples/minimum/main.tf
@@ -0,0 +1,3 @@
+module "minimum" {
+ source = "../../"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..63c2caa
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,20 @@
+/**
+ * # Terraform AWS Account Defaults
+ *
+ * This module takes care of some general account-wide settings in the running AWS account. See the documentation for
+ * each module for more information. All modules are enabled by default.
+ */
+module "s3" {
+ count = var.enable_s3_defaults ? 1 : 0
+ source = "./modules/s3"
+}
+
+module "cloudwatch" {
+ count = var.enable_cloudwatch_defaults ? 1 : 0
+ source = "./modules/cloudwatch"
+}
+
+module "iam_account_password_policy" {
+ count = var.enable_iam_account_password_policy ? 1 : 0
+ source = "./modules/iam_password_policy"
+}
diff --git a/modules/cloudwatch/.terraform-docs.yml b/modules/cloudwatch/.terraform-docs.yml
new file mode 100644
index 0000000..ba5f612
--- /dev/null
+++ b/modules/cloudwatch/.terraform-docs.yml
@@ -0,0 +1,13 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
+
+ {{ .Providers }}
+
+ ## Resources
+ {{ range .Module.Resources }}
+ - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+ {{- end }}
diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md
new file mode 100644
index 0000000..baf4eb4
--- /dev/null
+++ b/modules/cloudwatch/README.md
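Review bot: `count = 0` on a submodule that owns an account-wide singleton does not merely stop managing it, it destroys it: flipping `enable_s3_defaults` to `false` after an apply removes the account-level S3 Block Public Access configuration, and `enable_iam_account_password_policy = false` deletes the account password policy, which presumably leaves the account on the weak AWS default. The `enable_*` descriptions in variables.tf ("Enable the S3 submodule.") give no hint of that, so add a warning above each module block, e.g. `# NOTE: setting the enable_* flag to false after an apply destroys the account-level setting, it does not leave it in place.` None of the submodule inputs (log retention, the password-policy knobs) are forwarded here, so callers cannot tune them without forking the module; pass them through as root variables, e.g. `cloudwatch_log_group_rdsosmetrics_retention_in_days = var.cloudwatch_log_group_rdsosmetrics_retention_in_days` inside `module "cloudwatch"`, with matching declarations in variables.tf. Because the modules use `count`, any import address is `module.<name>[0].<resource>`, which the import hint in the cloudwatch submodule does not reflect.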
@@ -0,0 +1,33 @@ + +# Terraform AWS Account Defaults Cloudwatch + +Each RDS instance writes its OS metrics to the same Cloudwatch Log Group. This is automatically created by AWS and +is therefore not under control with Terraform. Since the data in it gets very large very quickly, we want to at least +configure retention of the data. + +It is not possible to encrypt this Cloudwatch Log Group, otherwise AWS RDS will not be able to write to it because +they do not have access to the AWS KMS. But we want to set the retention\_in\_days in Terraform. + +How to import when already exists +terraform import 'aws\_cloudwatch\_log\_group.rds\_log\_group' 'RDSOSMetrics' + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days](#input\_cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days) | The number of days log events are kept in CloudWatch Logs for the default RDSOSMetrics group. | `number` | `365` | no | + +## Outputs + +No outputs. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4.0 | + +## Resources + +- resource.aws_cloudwatch_log_group.rdsosmetrics (modules/cloudwatch/main.tf#14) + diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf new file mode 100644 index 0000000..77ebd0b --- /dev/null +++ b/modules/cloudwatch/main.tf 
@@ -0,0 +1,17 @@
+/**
+* # Terraform AWS Account Defaults Cloudwatch
+*
+* Each RDS instance writes its OS metrics to the same Cloudwatch Log Group. This is automatically created by AWS and
+* is therefore not under control with Terraform. Since the data in it gets very large very quickly, we want to at least
+* configure retention of the data.
+*
+* It is not possible to encrypt this Cloudwatch Log Group, otherwise AWS RDS will not be able to write to it because
+* they do not have access to the AWS KMS. But we want to set the retention_in_days in Terraform.
+*
+* How to import when already exists
+* terraform import 'aws_cloudwatch_log_group.rds_log_group' 'RDSOSMetrics'
+*/
+resource "aws_cloudwatch_log_group" "rdsosmetrics" {
+ name = "RDSOSMetrics"
+ retention_in_days = var.cloudwatch_log_group_rdsosmetrics_retention_in_days
+}
diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf
new file mode 100644
index 0000000..9fe135a
--- /dev/null
+++ b/modules/cloudwatch/variables.tf
@@ -0,0 +1,5 @@
+variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
+ description = "The number of days log events are kept in CloudWatch Logs for the default RDSOSMetrics group."
+ default = 365
+ type = number
+}
diff --git a/modules/cloudwatch/versions.tf b/modules/cloudwatch/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
+++ b/modules/cloudwatch/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/modules/iam_password_policy/.terraform-docs.yml b/modules/iam_password_policy/.terraform-docs.yml
new file mode 100644
index 0000000..ba5f612
--- /dev/null
+++ b/modules/iam_password_policy/.terraform-docs.yml
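Review bot: The import hint in the header comment points at the wrong address: the resource is named `rdsosmetrics`, not `rds_log_group`, and when the module is consumed through the root module (`count = 1`) the address is `module.cloudwatch[0].aws_cloudwatch_log_group.rdsosmetrics`, so the line should read `* terraform import 'module.cloudwatch[0].aws_cloudwatch_log_group.rdsosmetrics' 'RDSOSMetrics'`. Without that import, I would expect the apply to fail with an already-exists error in any account where RDS Enhanced Monitoring has already created the group, which is exactly the case the comment was written for. The claim that the group cannot be encrypted is stated as fact without detail; if it reflects a tested failure say so and under which condition, otherwise hedge it, because the missing `kms_key_id` will be flagged by the checkov/Bridgecrew log-group encryption check the README badges advertise and a reviewer needs to know whether this is a justified exception. A one-line note that `RDSOSMetrics` only receives data once Enhanced Monitoring is enabled on an instance would also explain why the group is pre-created here.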
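Review bot: `cloudwatch_log_group_rdsosmetrics_retention_in_days` accepts any number, but CloudWatch Logs only accepts a fixed set of retention values, and `0` means "never expire" — which silently defeats the purpose of this module (bounded retention) while still applying cleanly. A `validation` block rejects bad values at plan time instead of at the API call and can exclude `0` deliberately; the list below is the set I understand the provider documents for `retention_in_days`, so re-check it against the current provider docs before merging.
```hcl
variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
  description = "The number of days log events are kept in CloudWatch Logs for the default RDSOSMetrics group."
  default     = 365
  type        = number

  # 0 (never expire) is intentionally not allowed: the point of this module is bounded retention.
  validation {
    condition = contains(
      [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653],
      var.cloudwatch_log_group_rdsosmetrics_retention_in_days
    )
    error_message = "retention_in_days must be one of the retention periods accepted by CloudWatch Logs (1 .. 3653 days, see provider docs)."
  }
}
```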
@@ -0,0 +1,13 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} + + {{ .Providers }} + + ## Resources + {{ range .Module.Resources }} + - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }}) + {{- end }} diff --git a/modules/iam_password_policy/README.md b/modules/iam_password_policy/README.md new file mode 100644 index 0000000..1392f28 --- /dev/null +++ b/modules/iam_password_policy/README.md 
@@ -0,0 +1,34 @@ + +# Terraform AWS Account Defaults IAM Account Password Policy + +Sets a strong default password policy for the AWS account. Should be compliant with most cloud security monitoring +tools. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [iam\_account\_password\_policy\_allow\_users\_to\_change\_password](#input\_iam\_account\_password\_policy\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | `true` | no | +| [iam\_account\_password\_policy\_hard\_expiry](#input\_iam\_account\_password\_policy\_hard\_expiry) | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset). | `bool` | `false` | no | +| [iam\_account\_password\_policy\_max\_password\_age](#input\_iam\_account\_password\_policy\_max\_password\_age) | The number of days that an user password is valid. | `number` | `90` | no | +| [iam\_account\_password\_policy\_minimum\_password\_length](#input\_iam\_account\_password\_policy\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | `14` | no | +| [iam\_account\_password\_policy\_password\_reuse\_prevention](#input\_iam\_account\_password\_policy\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | `24` | no | +| [iam\_account\_password\_policy\_require\_lowercase\_characters](#input\_iam\_account\_password\_policy\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | `true` | no | +| [iam\_account\_password\_policy\_require\_numbers](#input\_iam\_account\_password\_policy\_require\_numbers) | Whether to require numbers for user passwords. 
| `bool` | `true` | no |
+| [iam\_account\_password\_policy\_require\_symbols](#input\_iam\_account\_password\_policy\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | `true` | no |
+| [iam\_account\_password\_policy\_require\_uppercase\_characters](#input\_iam\_account\_password\_policy\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+- resource.aws_iam_account_password_policy.main (modules/iam_password_policy/main.tf#7)
+
diff --git a/modules/iam_password_policy/main.tf b/modules/iam_password_policy/main.tf
new file mode 100644
index 0000000..bee6f72
--- /dev/null
+++ b/modules/iam_password_policy/main.tf
@@ -0,0 +1,19 @@
+/**
+* # Terraform AWS Account Defaults IAM Account Password Policy
+*
+* Sets a strong default password policy for the AWS account. Should be compliant with most cloud security monitoring
+* tools.
+*/
+resource "aws_iam_account_password_policy" "main" {
+ allow_users_to_change_password = var.iam_account_password_policy_allow_users_to_change_password
+ hard_expiry = var.iam_account_password_policy_hard_expiry
+
+ max_password_age = var.iam_account_password_policy_max_password_age
+ password_reuse_prevention = var.iam_account_password_policy_password_reuse_prevention
+
+ minimum_password_length = var.iam_account_password_policy_minimum_password_length
+ require_lowercase_characters = var.iam_account_password_policy_require_lowercase_characters
+ require_uppercase_characters = var.iam_account_password_policy_require_uppercase_characters
+ require_numbers = var.iam_account_password_policy_require_numbers
+ require_symbols = var.iam_account_password_policy_require_symbols
+}
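Review bot: The header says the defaults "should be compliant with most cloud security monitoring tools", which nobody can verify; name the benchmark instead, since the defaults in variables.tf (length 14, reuse history 24, 90-day maximum age, all four character classes, self-service change, no hard expiry) match the IAM password-policy controls of the CIS AWS Foundations Benchmark v1.2/v1.3 as far as I can tell — e.g. `* Defaults follow the CIS AWS Foundations Benchmark (v1.2/v1.3) password-policy controls; later benchmark versions dropped the expiry and complexity checks, so max_password_age can be raised where forced rotation is unwanted.` It is also worth documenting on the resource that, as I understand the provider, creation is an update call, so an existing account policy is overwritten on the first apply without any import, while `terraform destroy` (or toggling the root `enable_iam_account_password_policy` flag) deletes the policy and reverts the account to the AWS default rather than leaving the current policy alone. `hard_expiry = false` is a sensible default but deserves its why on the line: with `true`, users whose password has expired are locked out until an administrator resets it.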
diff --git a/modules/iam_password_policy/variables.tf b/modules/iam_password_policy/variables.tf
new file mode 100644
index 0000000..53806c6
--- /dev/null
+++ b/modules/iam_password_policy/variables.tf
@@ -0,0 +1,53 @@
+variable "iam_account_password_policy_allow_users_to_change_password" {
+ description = "Whether to allow users to change their own password."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_hard_expiry" {
+ description = "Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)."
+ default = false
+ type = bool
+}
+
+variable "iam_account_password_policy_max_password_age" {
+ description = "The number of days that an user password is valid."
+ default = 90
+ type = number
+}
+
+variable "iam_account_password_policy_password_reuse_prevention" {
+ description = "The number of previous passwords that users are prevented from reusing."
+ default = 24
+ type = number
+}
+
+variable "iam_account_password_policy_minimum_password_length" {
+ description = "Minimum length to require for user passwords."
+ default = 14
+ type = number
+}
+
+variable "iam_account_password_policy_require_lowercase_characters" {
+ description = "Whether to require lowercase characters for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_uppercase_characters" {
+ description = "Whether to require uppercase characters for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_numbers" {
+ description = "Whether to require numbers for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_symbols" {
+ description = "Whether to require symbols for user passwords."
+ default = true
+ type = bool
+}
diff --git a/modules/iam_password_policy/versions.tf b/modules/iam_password_policy/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
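Review bot: None of the three numeric inputs are validated, so an out-of-range value such as `minimum_password_length = 4` or `password_reuse_prevention = 0` is only rejected by the IAM API at apply time, with an opaque error, and a value that is merely weak (say length 8) is accepted without comment. Add `validation` blocks with the bounds of the IAM UpdateAccountPasswordPolicy API — minimum length 6–128, reuse prevention 1–24, maximum age 1–1095 days, to be verified against the current API reference; if the module is meant to guarantee the CIS threshold it advertises, a floor of 14 for the length would keep a caller from silently dropping below it. The boolean variables need no change.
```hcl
variable "iam_account_password_policy_max_password_age" {
  description = "The number of days that an user password is valid."
  default     = 90
  type        = number

  validation {
    condition     = var.iam_account_password_policy_max_password_age >= 1 && var.iam_account_password_policy_max_password_age <= 1095
    error_message = "max_password_age must be between 1 and 1095 days."
  }
}

variable "iam_account_password_policy_password_reuse_prevention" {
  description = "The number of previous passwords that users are prevented from reusing."
  default     = 24
  type        = number

  validation {
    condition     = var.iam_account_password_policy_password_reuse_prevention >= 1 && var.iam_account_password_policy_password_reuse_prevention <= 24
    error_message = "password_reuse_prevention must be between 1 and 24."
  }
}

variable "iam_account_password_policy_minimum_password_length" {
  description = "Minimum length to require for user passwords."
  default     = 14
  type        = number

  validation {
    condition     = var.iam_account_password_policy_minimum_password_length >= 6 && var.iam_account_password_policy_minimum_password_length <= 128
    error_message = "minimum_password_length must be between 6 and 128."
  }
}

# … unchanged: allow_users_to_change_password, hard_expiry and the four require_* variables …
```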
+++ b/modules/iam_password_policy/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} diff --git a/modules/s3/.terraform-docs.yml b/modules/s3/.terraform-docs.yml new file mode 100644 index 0000000..ba5f612 --- /dev/null +++ b/modules/s3/.terraform-docs.yml @@ -0,0 +1,13 @@ +content: |- + {{ .Header }} + + {{ .Inputs }} + + {{ .Outputs }} + + {{ .Providers }} + + ## Resources + {{ range .Module.Resources }} + - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }}) + {{- end }} diff --git a/modules/s3/README.md b/modules/s3/README.md new file mode 100644 index 0000000..e678fdd --- /dev/null +++ b/modules/s3/README.md 
@@ -0,0 +1,30 @@ + +# Terraform AWS Account Defaults S3 + +With AWS S3 it was standard that every bucket is public, we would of course like to prevent this +directly and configure it directly in the account. Sets the default S3 bucket ACLs and policies for the account +to block any public access. A security best practice. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [s3\_account\_public\_access\_block\_public\_acls](#input\_s3\_account\_public\_access\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this account. | `bool` | `true` | no | +| [s3\_account\_public\_access\_block\_public\_policy](#input\_s3\_account\_public\_access\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this account. | `bool` | `true` | no | +| [s3\_account\_public\_access\_ignore\_public\_acls](#input\_s3\_account\_public\_access\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this account. | `bool` | `true` | no | +| [s3\_account\_public\_access\_restrict\_public\_buckets](#input\_s3\_account\_public\_access\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this account. | `bool` | `true` | no | + +## Outputs + +No outputs. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4.0 | + +## Resources + +- resource.aws_s3_account_public_access_block.main (modules/s3/main.tf#8) + diff --git a/modules/s3/main.tf b/modules/s3/main.tf new file mode 100644 index 0000000..a77ba42 --- /dev/null +++ b/modules/s3/main.tf 
@@ -0,0 +1,13 @@
+/**
+* # Terraform AWS Account Defaults S3
+*
+* With AWS S3 it was standard that every bucket is public, we would of course like to prevent this
+* directly and configure it directly in the account. Sets the default S3 bucket ACLs and policies for the account
+* to block any public access. A security best practice.
+*/
+resource "aws_s3_account_public_access_block" "main" {
+ block_public_acls = var.s3_account_public_access_block_public_acls
+ block_public_policy = var.s3_account_public_access_block_public_policy
+ ignore_public_acls = var.s3_account_public_access_ignore_public_acls
+ restrict_public_buckets = var.s3_account_public_access_restrict_public_buckets
+}
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
new file mode 100644
index 0000000..63169c4
--- /dev/null
+++ b/modules/s3/variables.tf
@@ -0,0 +1,23 @@
+variable "s3_account_public_access_block_public_acls" {
+ description = "Whether Amazon S3 should block public ACLs for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_block_public_policy" {
+ description = "Whether Amazon S3 should block public bucket policies for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_ignore_public_acls" {
+ description = "Whether Amazon S3 should ignore public ACLs for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_restrict_public_buckets" {
+ description = "Whether Amazon S3 should restrict public bucket policies for this account."
+ default = true
+ type = bool
+}
diff --git a/modules/s3/versions.tf b/modules/s3/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
+++ b/modules/s3/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
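Review bot: The header comment misdescribes what the resource does: `aws_s3_account_public_access_block` does not set "default S3 bucket ACLs and policies"; it sets the account-level Block Public Access flags, which AWS evaluates together with each bucket's own settings (the more restrictive wins), so public ACLs and policies can still exist on buckets and are merely blocked or ignored. The opening sentence also overstates history — buckets were never public by default, they could be made public through ACLs or bucket policies. Suggest replacing the paragraph with `* Turns on the four account-level S3 Block Public Access settings so that public ACLs and public bucket policies are blocked or ignored for every bucket in the account, regardless of per-bucket configuration.` Since the account-level settings also apply to existing buckets, applying this in an account that intentionally serves a public bucket (static website hosting, for instance) will break it; that caveat belongs in the README, together with an import hint for accounts where the block is already configured (`terraform import 'module.s3[0].aws_s3_account_public_access_block.main' <account-id>`, if I read the provider docs right) to match what the cloudwatch module offers.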
diff --git a/test/.gitignore b/test/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..f3203ad
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,20 @@
+## S3 PUBLIC ACCESS
+variable "enable_s3_defaults" {
+ description = "Enable the S3 submodule."
+ default = true
+ type = bool
+}
+
+## CLOUDWATCH
+variable "enable_cloudwatch_defaults" {
+ description = "Enable the Cloudwatch submodule."
+ default = true
+ type = bool
+}
+
+## IAM ACCOUNT PASSWORD POLICY
+variable "enable_iam_account_password_policy" {
+ description = "Enable the IAM Account Password Policy submodule."
+ default = true
+ type = bool
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..e6b4cbd
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = "~> 1.3"
+}