appvia/terraform-aws-cloudaccess-lza

Terraform AWS Landing Zone Baseline

Description

The purpose of this module is to provision the baseline requirements for a landing zone environment (permissions boundaries, pipeline roles, break-glass access, support role, and CIS and Security Hub alerting), and to provide a pattern for how pipelines are granted access to the landing zone accounts going forward.

Usage

Minimal root-module invocation. The variable shapes follow the Inputs table below: `aws_accounts` takes the account IDs directly, and each entry of `repositories` is an object with a `url` and an optional `role_name` (defaults listed under Inputs). Keys of the `providers` map must be the aliased provider names the child module declares (`aws.<alias>`), and the Providers table lists `aws.audit` alongside `aws.management` and `aws.network`, so the calling configuration has to define all three aliased `aws` providers.

```hcl
# Provision the Landing Zone Access permissions
module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network_account_id      = var.aws_accounts["network"]
    remoteaccess_account_id = var.aws_accounts["remoteaccess"]
  }
  repositories = {
    accelerator  = { url = var.landing_zone_repositories.accelerator_repository_url }
    connectivity = { url = var.landing_zone_repositories.connectivity_repository_url }
    firewall     = { url = var.landing_zone_repositories.firewall_repository_url }
    identity     = { url = var.landing_zone_repositories.identity_repository_url }
  }
  tags = var.tags

  providers = {
    aws.audit      = aws.audit
    aws.management = aws.management
    aws.network    = aws.network
  }
}
```

CIS Alarms & Notifications

This module can configure the CIS benchmark CloudWatch alarms and their notifications. To enable them, set the `enable_cis_alarms` variable to `true` (the default, see Inputs). The alarms are driven by metric filters on a CloudWatch log group, which defaults to the log group of the AWS Control Tower organizational CloudTrail trail. Where the alarm notifications are delivered is controlled by the `notifications` input; there is no separate per-channel enable flag among the module's inputs.

For notifications by email:

  1. Use the `notifications.email.addresses` list to specify the email addresses to send notifications to. Each address has to confirm the SNS subscription before it receives anything.

```hcl
enable_cis_alarms = true
notifications = {
  email = {
    addresses = ["security@example.com"]
  }
}
```

For notifications to Slack:

  1. Configure the `notifications.slack` block with the incoming-webhook URL and the channel to post to. The webhook URL is a credential (anyone holding it can post to the channel), so pass it in from a variable marked `sensitive` or from a secrets store rather than committing it to the repository.

```hcl
enable_cis_alarms = true
notifications = {
  slack = {
    webhook_url = "https://hooks.slack.com/services/..."
    channel     = "cloud-notifications"
  }
}
```
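To make concrete what the CIS alarms above actually match, here is an added example (not the module's code, and not taken from the `alarm_baseline` module it wraps) that implements three of the CIS AWS Foundations Benchmark monitoring filters, unauthorized API calls, console sign-in without MFA, and root account usage, as Python predicates and runs them over constructed CloudTrail-style records. The page does not state which benchmark controls the module alarms on, so treat the selection as an assumption; the predicates themselves follow the published CIS metric-filter patterns.

```python
"""Evaluate CloudTrail records against three CIS AWS Foundations Benchmark
monitoring filters. Added example, not the module's code; the sample
records in SAMPLE_LOG are constructed."""
import json


def is_unauthorized_api_call(rec: dict) -> bool:
    # CIS filter: errorCode = "*UnauthorizedOperation" or "AccessDenied*"
    code = rec.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def is_console_login_without_mfa(rec: dict) -> bool:
    # CIS filter: successful IAM-user ConsoleLogin where MFAUsed != "Yes"
    return (
        rec.get("eventName") == "ConsoleLogin"
        and rec.get("userIdentity", {}).get("type") == "IAMUser"
        and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    )


def is_root_usage(rec: dict) -> bool:
    # CIS filter: userIdentity.type = "Root", invokedBy NOT EXISTS,
    # eventType != "AwsServiceEvent" (service-initiated root calls are excluded)
    ident = rec.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and rec.get("eventType") != "AwsServiceEvent"
    )


# Metric name -> predicate, mirroring one metric filter per CIS control
FILTERS = {
    "UnauthorizedAPICalls": is_unauthorized_api_call,
    "ConsoleSigninWithoutMFA": is_console_login_without_mfa,
    "RootAccountUsage": is_root_usage,
}


def load_records(text: str) -> list:
    """Parse one JSON CloudTrail record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(records: list) -> dict:
    """Return metric name -> number of matching records, i.e. the datapoints
    the metric filters would emit for this batch of log events."""
    counts = {name: 0 for name in FILTERS}
    for rec in records:
        for name, predicate in FILTERS.items():
            if predicate(rec):
                counts[name] += 1
    return counts


# Constructed records: two unauthorized calls, one console login without MFA,
# one with MFA, one direct root call, one root call made by a service, one benign call.
SAMPLE_LOG = """
{"eventName": "ListBuckets", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "eventType": "AwsApiCall"}
{"eventName": "RunInstances", "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "AssumedRole"}, "eventType": "AwsApiCall"}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}, "eventType": "AwsConsoleSignIn"}
{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}, "eventType": "AwsConsoleSignIn"}
{"eventName": "CreateUser", "userIdentity": {"type": "Root"}, "eventType": "AwsApiCall"}
{"eventName": "PutEvaluations", "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}, "eventType": "AwsApiCall"}
{"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole"}, "eventType": "AwsApiCall"}
"""


if __name__ == "__main__":
    print(json.dumps(evaluate(load_records(SAMPLE_LOG)), indent=2))
```

Each predicate is the Python equivalent of a CloudWatch Logs metric-filter pattern; in the real deployment the filter emits a metric datapoint per match and the alarm fires when the datapoint count exceeds its threshold, so the `evaluate` counts are what the alarm would see for this batch.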

Update Documentation

The terraform-docs utility is used to generate the tables in this README. Follow the steps below to update them:

  1. Make changes to the `.terraform-docs.yml` file
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
  3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.4 |
| archive | ~> 2.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| archive | 2.4.2 |
| aws | 5.50.0 |
| aws.audit | 5.50.0 |
| aws.management | 5.50.0 |
| aws.network | 5.50.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| alarm_baseline | appvia/alarm-baseline/aws | 0.2.0 |
| cost_management | appvia/oidc/aws//modules/role | 1.3.0 |
| default_boundary | appvia/boundary-stack/aws | 0.1.6 |
| management_landing_zone | appvia/oidc/aws//modules/role | 1.3.0 |
| management_sso_identity | appvia/oidc/aws//modules/role | 1.3.0 |
| network_inspection_vpc_admin | appvia/oidc/aws//modules/role | 1.3.0 |
| network_transit_gateway_admin | appvia/oidc/aws//modules/role | 1.3.0 |
| permissive_boundary | appvia/boundary-stack/aws | 0.1.6 |
| securityhub_notifications | appvia/notifications/aws | 0.1.6 |

Resources

| Name | Type |
|------|------|
| aws_cloudformation_stack.aws_support_stack_instance_management_account | resource |
| aws_cloudformation_stack_set.aws_support_stack | resource |
| aws_cloudformation_stack_set.identity_stackset | resource |
| aws_cloudformation_stack_set_instance.aws_support_stack_instance | resource |
| aws_cloudformation_stack_set_instance.identity_stack | resource |
| aws_cloudwatch_event_rule.securityhub_findings | resource |
| aws_cloudwatch_event_target.security_hub_findings_target | resource |
| aws_cloudwatch_log_group.securityhub_lambda_log_group | resource |
| aws_iam_group.breakglass | resource |
| aws_iam_group_policy_attachment.breakglass | resource |
| aws_iam_group_policy_attachment.test-attach | resource |
| aws_iam_policy.breakglass | resource |
| aws_iam_policy.code_contributor | resource |
| aws_iam_policy.code_release | resource |
| aws_iam_policy.cost_iam_boundary | resource |
| aws_iam_policy.costs_admin | resource |
| aws_iam_policy.costs_viewer | resource |
| aws_iam_policy.ipam_admin | resource |
| aws_iam_policy.user_management | resource |
| aws_iam_role.securityhub_lambda_role | resource |
| aws_iam_user.breakglass | resource |
| aws_iam_user_group_membership.breakglass | resource |
| aws_lambda_function.securityhub_lambda_function | resource |
| aws_lambda_permission.securityhub_event_bridge | resource |
| archive_file.securityhub_lambda_package | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.breakglass | data source |
| aws_iam_policy_document.lambda_assume_role_policy | data source |
| aws_iam_policy_document.securityhub_lambda_cloudwatch_logs_policy | data source |
| aws_iam_policy_document.securityhub_notifications_policy | data source |
| aws_kms_alias.securityhub_kms_key | data source |
| aws_organizations_organization.current | data source |
| aws_region.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_accounts | Account IDs of the landing zone accounts the module needs to reference | <pre>object({<br>  network_account_id      = optional(string, "")<br>  remoteaccess_account_id = optional(string, "")<br>})</pre> | n/a | yes |
| aws_support_role_name | Name of the AWS Support role | `string` | `"AWSSupportAccess"` | no |
| breakglass_users | The number of breakglass users to create | `number` | `2` | no |
| cloudaccess_terraform_state_ro_policy_name | Name of the read-only IAM policy to attach to the CloudAccess Terraform state role | `string` | `"lza-cloudaccess-tfstate-ro"` | no |
| cloudaccess_terraform_state_rw_policy_name | Name of the read-write IAM policy to attach to the CloudAccess Terraform state role | `string` | `"lza-cloudaccess-tfstate-rw"` | no |
| costs_boundary_name | Name of the IAM policy to use as a permissions boundary for cost-related roles | `string` | `"lza-costs-boundary"` | no |
| default_permissions_boundary_name | Name of the default IAM policy to use as a permissions boundary | `string` | `"lza-default-boundary"` | no |
| enable_aws_support | Indicates if we should enable the AWS Support role | `bool` | `true` | no |
| enable_breakglass | Indicates if we should create the breakglass users and group | `bool` | `false` | no |
| enable_cis_alarms | Indicates if we should enable the CIS alarms | `bool` | `true` | no |
| enable_securityhub_alarms | Indicates if we should enable Security Hub alarms | `bool` | `true` | no |
| notifications | Configuration for the notification channels (email, Slack, Teams) | <pre>object({<br>  email = optional(object({<br>    addresses = list(string)<br>  }), null)<br>  slack = optional(object({<br>    webhook_url = string<br>    channel     = string<br>  }), null)<br>  teams = optional(object({<br>    webhook_url = string<br>  }), null)<br>})</pre> | <pre>{<br>  "email": {<br>    "addresses": []<br>  },<br>  "slack": null,<br>  "teams": null<br>}</pre> | no |
| permissive_permissions_boundary_name | Name of the permissive IAM policy to use as a permissions boundary | `string` | `"lza-permissive-boundary"` | no |
| repositories | Repository locations for the pipelines, and the name of the role each pipeline assumes | <pre>object({<br>  accelerator = optional(object({<br>    url       = string<br>    role_name = optional(string, "lza-accelerator")<br>  }), null)<br>  connectivity = optional(object({<br>    url       = string<br>    role_name = optional(string, "lza-connectivity")<br>  }), null)<br>  cost_management = optional(object({<br>    url       = string<br>    role_name = optional(string, "lza-cost-management")<br>  }), null)<br>  firewall = optional(object({<br>    url       = string<br>    role_name = optional(string, "lza-firewall")<br>  }), null)<br>  identity = optional(object({<br>    url       = string<br>    role_name = optional(string, "lza-identity")<br>  }), null)<br>})</pre> | `{}` | no |
| scm_name | Name of the source control management system (github or gitlab) | `string` | `"github"` | no |
| securityhub_event_bridge_rule_name | Display name of the EventBridge rule for Security Hub findings | `string` | `"lza-securityhub-alerts"` | no |
| securityhub_lambda_function_name | Name of the Security Hub Lambda function | `string` | `"lza-securityhub-lambda-forwarder"` | no |
| securityhub_lambda_log_group_kms_alias | Name of the KMS alias for the CloudWatch log group | `string` | `"alias/accelerator/kms/cloudwatch/key"` | no |
| securityhub_lambda_role_name | Name of the IAM role for the Security Hub Lambda function | `string` | `"lza-securityhub-lambda-role"` | no |
| securityhub_lambda_runtime | Runtime for the Security Hub Lambda function | `string` | `"python3.12"` | no |
| securityhub_severity_filter | Severity labels of Security Hub findings to forward; findings with other labels are ignored | `list(string)` | <pre>[<br>  "CRITICAL",<br>  "HIGH"<br>]</pre> | no |
| securityhub_sns_topic_name | Name of the SNS topic to send Security Hub findings to | `string` | `"lza-securityhub-alerts"` | no |
| tags | Tags to apply to all resources | `map(string)` | n/a | yes |
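The Security Hub inputs above (the EventBridge rule, the `python3.12` forwarder Lambda, the SNS topic and `securityhub_severity_filter`) describe a findings pipeline whose Lambda source is not on this page. The following is an added example, not the module's Lambda: it takes a constructed EventBridge `Security Hub Findings - Imported` event, applies the severity filter the way the default `["CRITICAL", "HIGH"]` implies, drops findings that are no longer active or have been suppressed or resolved, and builds the message body an SNS subscriber would receive. The environment variable names `SEVERITY_FILTER` and `SNS_TOPIC_ARN` are assumptions; publishing only happens when a topic ARN is set, so the code runs offline.

```python
"""Filter Security Hub findings delivered via EventBridge and build the SNS
notification a forwarder Lambda would publish. Added example, not the
module's Lambda; SAMPLE_EVENT is constructed."""
import json
import os

# Mirrors the securityhub_severity_filter default in the Inputs table
DEFAULT_SEVERITY_FILTER = ["CRITICAL", "HIGH"]


def select_findings(event: dict, severity_filter=DEFAULT_SEVERITY_FILTER) -> list:
    """Keep ASFF findings whose Severity.Label is in the filter and that are
    still ACTIVE and not SUPPRESSED/RESOLVED, so closed findings do not page."""
    wanted = {label.upper() for label in severity_filter}
    selected = []
    for finding in event.get("detail", {}).get("findings", []):
        label = finding.get("Severity", {}).get("Label", "INFORMATIONAL").upper()
        if label not in wanted:
            continue
        if finding.get("RecordState", "ACTIVE") != "ACTIVE":
            continue
        if finding.get("Workflow", {}).get("Status") in ("SUPPRESSED", "RESOLVED"):
            continue
        selected.append(finding)
    return selected


def format_message(finding: dict) -> dict:
    """Flatten an ASFF finding into the fields an on-call reader needs."""
    subject = f"[{finding['Severity']['Label']}] {finding.get('Title', 'Security Hub finding')}"
    return {
        "subject": subject[:100],  # SNS caps Subject at 100 characters
        "finding_id": finding.get("Id"),
        "account": finding.get("AwsAccountId"),
        "region": finding.get("Region"),
        "resources": [r.get("Id", "unknown") for r in finding.get("Resources", [])],
        "compliance": finding.get("Compliance", {}).get("Status"),
        "description": finding.get("Description", ""),
    }


def build_notifications(event: dict, severity_filter=DEFAULT_SEVERITY_FILTER) -> list:
    return [format_message(f) for f in select_findings(event, severity_filter)]


def handler(event, context):
    """Lambda entry point. SEVERITY_FILTER and SNS_TOPIC_ARN are assumed
    environment variable names; with no topic ARN set nothing is published."""
    raw_filter = os.environ.get("SEVERITY_FILTER", ",".join(DEFAULT_SEVERITY_FILTER))
    messages = build_notifications(event, raw_filter.split(","))
    topic_arn = os.environ.get("SNS_TOPIC_ARN")
    if topic_arn and messages:
        import boto3  # available in the Lambda runtime; imported lazily so tests run offline

        sns = boto3.client("sns")
        for message in messages:
            sns.publish(TopicArn=topic_arn, Subject=message["subject"],
                        Message=json.dumps(message, indent=2))
    return {"forwarded": len(messages)}


def _finding(fid, label, title, workflow="NEW", record_state="ACTIVE"):
    # Helper for building constructed ASFF findings
    return {
        "Id": fid, "Title": title, "Description": f"Constructed finding {fid}",
        "AwsAccountId": "111111111111", "Region": "eu-west-2",
        "Severity": {"Label": label}, "Workflow": {"Status": workflow},
        "RecordState": record_state, "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": f"arn:aws:s3:::bucket-{fid}"}],
    }


# Constructed EventBridge event: one HIGH finding that should be forwarded,
# one CRITICAL finding already resolved, one LOW finding, one HIGH but archived.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("finding-high", "HIGH", "S3 bucket allows public read access"),
        _finding("finding-critical", "CRITICAL", "Root account has access keys", workflow="RESOLVED"),
        _finding("finding-low", "LOW", "Bucket lacks lifecycle policy"),
        _finding("finding-archived", "HIGH", "Old finding", record_state="ARCHIVED"),
    ]},
}


if __name__ == "__main__":
    print(json.dumps(build_notifications(SAMPLE_EVENT), indent=2))
```

The EventBridge rule can already narrow on `Severity.Label` in its event pattern, but keeping the check in the forwarder as well means a relaxed rule does not silently widen what reaches the on-call channel; the workflow and record-state checks are what stop resolved findings from re-alerting when Security Hub re-imports them.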

Outputs

| Name | Description |
|------|-------------|
| cloudaccess_terraform_state_ro_policy_name | Name of the read-only IAM policy to attach to the CloudAccess Terraform state role |
| cloudaccess_terraform_state_rw_policy_name | Name of the read-write IAM policy to attach to the CloudAccess Terraform state role |
| default_permission_boundary_name | The name of the default IAM permissions boundary |
| default_permissive_boundary_name | The name of the default permissive IAM permissions boundary |
| identity_role_ro_name | The name of the IAM read-only role which can be assumed by the identity stack in all accounts |
| identity_role_rw_name | The name of the IAM read-write role which can be assumed by the identity stack in all accounts |
| identity_stack_name | The name of the identity stack |