README.md

File metadata and controls

200 lines (149 loc) · 22.3 KB

<

Terraform AWS Cloudtrail


Prerequisites

This module has a few dependencies:

Examples

For detailed examples on how to use this module, please refer to the Examples directory within this repository.

License

This Terraform module is provided under the '[License Name]' License. Please see the LICENSE file for more details.

Examples

IMPORTANT: Since the master branch referenced in source changes as new modifications land, we suggest that you pin to the release versions instead.

Simple Example

Here is an example of how you can use this module in your inventory structure:

module "cloudtrail" {
  source = "git@github.com:slovink/slovink-terraform-aws-cloudtrail.git?ref=v1.0.0"

  name                          = "cloudtrail"
  environment                   = "security"
  label_order                   = ["name", "environment"]
  s3_bucket_name                = module.s3_logs.id
  enable_logging                = true
  enable_log_file_validation    = true
  include_global_service_events = true
  is_organization_trail         = false
  log_retention_days            = 90
}

Feedback

If you come across a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at devops@slovink.com.

If you have found it worth your time, go ahead and give us a ★ on our GitHub!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.4, < 1.7.0 |
| aws | >= 5.32.1 |
| tls | >= 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.32.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| labels | git::git@github.com:slovink/terraform-aws-labels.git | 1.0.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_group_policy_attachment.assign_force_mfa_policy_to_groups | resource |
| aws_iam_policy.enable_mfa | resource |
| aws_iam_user_policy_attachment.assign_force_mfa_policy_to_users | resource |
| aws_iam_policy_document.enable_mfa | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bgp_asn | The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). | number | 65000 | no |
| certificate_arn | certificate_arn (e.g. ''). | string | "" | no |
| create_virtual_private_gateway | Set this to false to use an existing Virtual Private Gateway (VGW) and prevent creation of a VGW. | bool | true | no |
| customer_ip_address | The IP of the Customer Gateway. | string | n/a | yes |
| enable_vpn_connection | Set to false to prevent the creation of a VPN Connection. | bool | true | no |
| enable_vpn_gateway_attachment | Set to false to prevent attachment of the VGW to the VPC. | bool | true | no |
| environment | Environment (e.g. prod, dev, staging). | string | "" | no |
| label_order | Label order, e.g. name,application. | list(any) | ["environment", "name"] | no |
| local_ipv4_network_cidr | n/a | string | "0.0.0.0/0" | no |
| local_ipv6_network_cidr | (Optional) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection. | string | null | no |
| managedby | ManagedBy, e.g. 'slovink'. | string | "" | no |
| name | Name (e.g. app or cluster). | string | "" | no |
| remote_ipv4_network_cidr | n/a | string | "0.0.0.0/0" | no |
| remote_ipv6_network_cidr | (Optional) The IPv6 CIDR on the AWS side of the VPN connection. | string | null | no |
| transit_gateway_id | The ID of the Transit Gateway. | string | null | no |
| tunnel1_dpd_timeout_action | (Optional, Default clear) The action to take after a DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart. | string | "none" | no |
| tunnel1_dpd_timeout_seconds | (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal to or higher than 30. | number | null | no |
| tunnel1_enable_tunnel_lifecycle_control | (Optional) Turn on or off the tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true \| false. | bool | null | no |
| tunnel1_ike_versions | (Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 \| ikev2. | list(string) | null | no |
| tunnel1_inside_cidr | The CIDR block of the inside IP addresses for the first VPN tunnel. | string | "169.254.33.88/30" | no |
| tunnel1_log_options | (Optional) Options for sending VPN tunnel logs to CloudWatch. | any | {} | no |
| tunnel1_phase1_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(number) | null | no |
| tunnel1_phase1_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | null | no |
| tunnel1_phase1_integrity_algorithms | (Optional) One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | ["SHA1"] | no |
| tunnel1_phase1_lifetime_seconds | (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800. | number | null | no |
| tunnel1_phase2_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(number) | null | no |
| tunnel1_phase2_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | null | no |
| tunnel1_phase2_integrity_algorithms | (Optional) One or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | ["SHA1"] | no |
| tunnel1_phase2_lifetime_seconds | (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600. | number | null | no |
| tunnel1_preshared_key | The preshared key of the first VPN tunnel. | string | "123456789" | no |
| tunnel1_rekey_fuzz_percentage | (Optional, Default 100) The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100. | number | null | no |
| tunnel1_rekey_margin_time_seconds | (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds. | number | null | no |
| tunnel1_replay_window_size | (Optional, Default 1024) The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048. | number | null | no |
| tunnel1_startup_action | (Optional, Default add) The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start. | string | "add" | no |
| tunnel2_dpd_timeout_action | (Optional, Default clear) The action to take after a DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart. | string | null | no |
| tunnel2_enable_tunnel_lifecycle_control | (Optional) Turn on or off the tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true \| false. | bool | null | no |
| tunnel2_ike_versions | (Optional) The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 \| ikev2. | list(string) | null | no |
| tunnel2_inside_cidr | The CIDR block of the inside IP addresses for the second VPN tunnel. | string | "" | no |
| tunnel2_log_options | (Optional) Options for sending VPN tunnel logs to CloudWatch. | any | {} | no |
| tunnel2_phase1_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(number) | null | no |
| tunnel2_phase1_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | null | no |
| tunnel2_phase1_integrity_algorithms | (Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | ["SHA1"] | no |
| tunnel2_phase2_dh_group_numbers | (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24. | list(number) | null | no |
| tunnel2_phase2_encryption_algorithms | (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16. | list(string) | null | no |
| tunnel2_phase2_integrity_algorithms | (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512. | list(string) | null | no |
| tunnel2_phase2_lifetime_seconds | (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600. | number | null | no |
| tunnel2_preshared_key | The preshared key of the second VPN tunnel. | string | "" | no |
| tunnel2_rekey_fuzz_percentage | (Optional, Default 100) The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100. | number | null | no |
| tunnel2_rekey_margin_time_seconds | (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds. | number | null | no |
| tunnel2_replay_window_size | (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048. | number | null | no |
| tunnel2_startup_action | (Optional, Default add) The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start. | string | null | no |
| tunnel_inside_ip_version | (Optional) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 \| ipv6. ipv6 is supported only with EC2 Transit Gateway. | string | "ipv4" | no |
| virtual_private_gateway_id | Provide the ID of an existing Virtual Private Gateway. | string | null | no |
| vpc_id | The ID of the VPC where the VPN Gateway lives. | string | n/a | yes |
| vpc_subnet_route_table_count | The number of subnet route table IDs being passed in via vpc_subnet_route_table_ids. | string | 0 | no |
| vpc_subnet_route_table_ids | The IDs of the VPC subnets for which routes from the VPN Gateway will be propagated. | list(string) | [] | no |
| vpn_connection_static_routes_destinations | List of CIDRs to be used as destinations for static routes (used with vpn_connection_static_routes_only = true). Routes to destinations set here will be propagated to the routing tables of the subnets defined in vpc_subnet_route_table_ids. | list(string) | [] | no |
| vpn_connection_static_routes_only | Set to true for the enabled VPN connection to use static routes exclusively (only if enable_vpn_connection = true). Static routes must be used for devices that don't support BGP. | bool | true | no |
| vpn_connection_type | The type of VPN connection. The only type AWS supports at this time is 'ipsec.1'. | string | "ipsec.1" | no |
| vpn_gateway_amazon_side_asn | The Autonomous System Number (ASN) for the Amazon side of the VPN gateway. If you don't specify an ASN, the Virtual Private Gateway is created with the default ASN. | number | 64512 | no |
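A pre-apply check for the tunnel settings documented in the table, added here as an example (not part of the slovink module): it encodes the table's numeric ranges and flags the documented defaults a practitioner would not want to keep, namely the static preshared key "123456789" and SHA1-only integrity. The configuration dicts and the placeholder key value are constructed for illustration.

```python
# Added example (not code from the slovink module): a pre-apply lint that checks one
# tunnel's variables against the constraints in the Inputs table. Names, ranges and
# defaults come from that table; the sample configurations below are constructed.
DOCUMENTED_DEFAULT_PSK = "123456789"  # tunnel1_preshared_key default in the table


def check_tunnel(cfg: dict, prefix: str = "tunnel1") -> list:
    """Return findings for one tunnel's settings; an empty list means it passes."""
    findings = []
    key = lambda name: f"{prefix}_{name}"  # builds the module's variable name

    psk = cfg.get(key("preshared_key"), "")
    if not psk or psk == DOCUMENTED_DEFAULT_PSK:
        findings.append(f"{key('preshared_key')}: empty or left at the documented default")

    for phase in ("phase1", "phase2"):
        # The table's default permits SHA1 only, so an unset list is a finding too.
        if "SHA1" in (cfg.get(key(f"{phase}_integrity_algorithms")) or ["SHA1"]):
            findings.append(f"{key(f'{phase}_integrity_algorithms')}: SHA1 permitted")
        weak = [g for g in (cfg.get(key(f"{phase}_dh_group_numbers")) or []) if g in (2, 5)]
        if weak:  # 1024-bit and 1536-bit MODP groups
            findings.append(f"{key(f'{phase}_dh_group_numbers')}: weak groups {weak}")

    if "ikev1" in (cfg.get(key("ike_versions")) or []):
        findings.append(f"{key('ike_versions')}: ikev1 permitted")

    # Numeric ranges exactly as documented in the Inputs table (None = no upper bound).
    p2_life = cfg.get(key("phase2_lifetime_seconds"), 3600)
    ranges = {
        "phase1_lifetime_seconds": (900, 28800),
        "phase2_lifetime_seconds": (900, 3600),
        "rekey_margin_time_seconds": (60, p2_life // 2),
        "rekey_fuzz_percentage": (0, 100),
        "replay_window_size": (64, 2048),
        "dpd_timeout_seconds": (30, None),
    }
    for name, (lo, hi) in ranges.items():
        value = cfg.get(key(name))
        if value is not None and (value < lo or (hi is not None and value > hi)):
            findings.append(f"{key(name)}: {value} outside documented range {lo}..{hi}")
    return findings


# Constructed samples: one that leaves the documented defaults in place, one hardened call.
DEFAULT_LIKE = {"tunnel1_preshared_key": DOCUMENTED_DEFAULT_PSK}
HARDENED = {
    "tunnel1_preshared_key": "REPLACE-WITH-SECRET-FROM-A-SECRETS-MANAGER",  # placeholder
    "tunnel1_ike_versions": ["ikev2"],
    "tunnel1_phase1_dh_group_numbers": [19, 20], "tunnel1_phase2_dh_group_numbers": [19, 20],
    "tunnel1_phase1_integrity_algorithms": ["SHA2-256"], "tunnel1_phase2_integrity_algorithms": ["SHA2-256"],
    "tunnel1_phase1_lifetime_seconds": 28800, "tunnel1_phase2_lifetime_seconds": 3600,
    "tunnel1_rekey_margin_time_seconds": 540, "tunnel1_replay_window_size": 1024,
}
```

Run `check_tunnel(cfg, "tunnel2")` over the same dict to cover the second tunnel, whose inputs follow the same naming and ranges.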

Outputs

| Name | Description |
|------|-------------|
| customer_gateway_id | The ID of the VPN Connection Route. |
| gateway_attachment_id | The ID of the Gateway Attachment. |
| tags | A mapping of tags to assign to the resource. |
| vpn_connection_id | The ID of the VPN Connection. |
| vpn_connection_tunnel1_address | A list with the public IP address of the first VPN tunnel if create_vpn_connection = true, or empty otherwise. |
| vpn_connection_tunnel1_cgw_inside_address | A list with the RFC 6890 link-local address of the first VPN tunnel (Customer Gateway side) if create_vpn_connection = true, or empty otherwise. |
| vpn_gateway_id | The ID of the VPN gateway. |