Skip to content

appzen-oss/terraform-aws-secure-base

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

95 Commits
.github/workflows
.github/workflows
 
 
examples
examples
 
 
modules
modules
 
 
.gitignore
.gitignore
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
.shellcheckrc
.shellcheckrc
 
 
.terraform-docs.yml
.terraform-docs.yml
 
 
.tflint.hcl
.tflint.hcl
 
 
README.md
README.md
 
 
baselines-ecr.tf
baselines-ecr.tf
 
 
baselines.tf
baselines.tf
 
 
baselines_ebs.tf
baselines_ebs.tf
 
 
cloudtrail.tf
cloudtrail.tf
 
 
config.tf
config.tf
 
 
data.tf
data.tf
 
 
detective.tf
detective.tf
 
 
firewall_manager.tf
firewall_manager.tf
 
 
guardduty.tf
guardduty.tf
 
 
iam_access_analyzer.tf
iam_access_analyzer.tf
 
 
inspector.tf
inspector.tf
 
 
kms.tf
kms.tf
 
 
main.tf
main.tf
 
 
organization.tf
organization.tf
 
 
outputs.tf
outputs.tf
 
 
s3_buckets.tf
s3_buckets.tf
 
 
scp_polices.tf
scp_polices.tf
 
 
securityhub.tf
securityhub.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

terraform-aws-secure-base

Releases

Terraform Module Registry

A terraform module to set up an AWS multi-account, multi-region organization with account/region security setting and security services.

Module is still a Work in Progress

Features

  • Designed to delegate management of all security services to dedicated administrator account
  • Designed to send all logs to a dedicated log account

Usage

Submodules

This module is composed of several submodules, all of which can be used independently.

Examples

Requirements

Name Version
terraform >= 1.1.4
aws >= 4.1.0
time >= 0.7.2

Providers

Name Version
aws 4.2.0

Modules

Name Source Version
baseline_ebs_eu-west-1 ./modules/baseline_ebs n/a
baseline_ebs_us-east-1 ./modules/baseline_ebs n/a
baseline_ebs_us-east-2 ./modules/baseline_ebs n/a
baseline_ecr_eu-west-1 ./modules/baseline_ecr n/a
baseline_ecr_us-east-1 ./modules/baseline_ecr n/a
baseline_ecr_us-east-2 ./modules/baseline_ecr n/a
baseline_iam ./modules/baseline_iam n/a
baseline_s3 ./modules/baseline_s3 n/a
cloudtrail ./modules/cloudtrail n/a
firewall_manager_us-east-1 ./modules/firewall_manager n/a
guardduty-eu-west-1 ./modules/guardduty n/a
guardduty-us-east-1 ./modules/guardduty n/a
guardduty-us-east-2 ./modules/guardduty n/a
iam_access_analyzer-eu-west-1 ./modules/iam_access_analyzer n/a
iam_access_analyzer-us-east-1 ./modules/iam_access_analyzer n/a
iam_access_analyzer-us-east-2 ./modules/iam_access_analyzer n/a
s3_bucket-eu-west-1 ./modules/s3_bucket n/a
s3_bucket-us-east-1 ./modules/s3_bucket n/a
s3_bucket-us-east-2 ./modules/s3_bucket n/a
scp ./modules/scp n/a
securityhub_eu-west-1 ./modules/securityhub n/a
securityhub_us-east-1 ./modules/securityhub n/a
securityhub_us-east-2 ./modules/securityhub n/a

Resources

Name Type
aws_organizations_organization.self resource
aws_organizations_organization.self data source

Inputs

Name Description Type Default Required
account_type AWS account type (master, administrator, log, member) string n/a yes
bucket_custom_policy_json Custom S3 bucket policy override JSON string "" no
cloudtrail_enable_log_file_validation Specifies whether log file integrity validation is enabled. Creates signed digest for validated contents of logs bool true no
cloudtrail_enable_logging Enable logging for the trail bool true no
cloudtrail_include_global_service_events Specifies whether the trail is publishing events from global services such as IAM to the log files bool true no
cloudtrail_insight_selector Specifies an insight selector for identifying unusual operational activity. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#insight_type details for this variable 
list(object({
    insight_type = string
  }))
 
[
  {
    "insight_type": "ApiCallRateInsight"
  },
  {
    "insight_type": "ApiErrorRateInsight"
  }
]
 no
cloudtrail_is_multi_region_trail Specifies whether the trail is created in the current region or in all regions bool true no
cloudtrail_is_organization_trail The trail is an AWS Organizations trail bool true no
cloudtrail_name CloudTrail trail name string "org" no
cloudtrail_s3_bucket CloudTrail S3 bucket string null no
cloudtrail_s3_key_prefix S3 key prefix for CloudTrail string "cloudtrail" no
config_s3_bucket_key_prefix S3 key prefix for Config string "config" no
ecr_scan_type ECR scanning type (BASIC or ENHANCED) string "BASIC" no
ecr_scanning_rules List of ECR scanning rules list(map(string)) 
[
  {
    "filter": "*",
    "frequency": "SCAN_ON_PUSH"
  }
]
 no
enable_cloudtrail Enable AWS CloudTrail service bool true no
enable_config Enable AWS Config service bool true no
enable_ebs_baseline Boolean whether ebs-baseline is enabled. bool true no
enable_ecr_baseline Enable ECR image scanning bool true no
enable_firewall_manager Enable AWS Firewall Manager service bool true no
enable_guardduty Enable AWS GuardDuty service bool true no
enable_iam_access_analyzer Enable AWS IAM Access Analyzer bool true no
enable_iam_baseline Boolean whether iam-baseline is enabled. bool true no
enable_s3_baseline Enable S3 baseline? bool true no
enable_s3_buckets Enable S3 buckets? bool false no
enable_scp Manage organization SCP policies bool true no
enable_securityhub Enable AWS Security Hub service bool true no
force_destroy Allow destroy of S3 bucket with objects bool false no
iam_allow_users_to_change_password Whether to allow users to change their own password. bool true no
iam_create_password_policy Define if the password policy should be created. bool true no
iam_max_password_age The number of days that an user password is valid. number 0 no
iam_minimum_password_length Minimum length to require for user passwords. number 14 no
iam_password_reuse_prevention The number of previous passwords that users are prevented from reusing. number 24 no
iam_require_lowercase_characters Whether to require lowercase characters for user passwords. bool true no
iam_require_numbers Whether to require numbers for user passwords. bool true no
iam_require_symbols Whether to require symbols for user passwords. bool true no
iam_require_uppercase_characters Whether to require uppercase characters for user passwords. bool true no
s3_block_public_acls Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. bool true no
s3_block_public_policy Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. bool true no
s3_ignore_public_acls Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. bool true no
s3_restrict_public_buckets Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. bool true no
security_administrator_account_id AWS Security Administrator Account ID number n/a yes
securityhub_enable_products Subscribe Security Hub to Products list(string) [] no
tags Specifies object tags key and value. This applies to all resources created by this module. map(any) 
{
  "Environment": "infra",
  "Product": "security",
  "Team": "devops",
  "Terraform": true
}
 no
target_regions A list of regions to set up with this module. list(string) 
[
  "eu-west-1",
  "us-east-1",
  "us-east-2"
]
 no
vpc_flow_logs_s3_key_prefix S3 key prefix for VPC Flow Logs string "flow-logs" no

Outputs

Name Description
s3_bucket_arns S3 Bucket ARNs
s3_bucket_names S3 Bucket Names
s3_bucket_region_arn_map Map of regions and S3 ARNs
s3_bucket_region_name_map Map of regions and S3 names

About

AWS multi-account, multi-region organization secure base

registry.terraform.io/modules/appzen-oss/secure-base/aws

Topics

aws security devops terraform s3 iam ebs security-hardening detective terraform-modules ecr devsecops guardduty

Resources

Readme
Activity
Custom properties

Stars

5 stars

Watchers

5 watching

Forks

5 forks
Report repository

Releases 2

v0.0.2 Latest
Mar 12, 2022
+ 1 release

Packages

No packages published

Contributors 2

  •  
  •  

Languages