# dave-dotnet-overall/terraform-aws-krrv-sra-application-stack

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.4.4 |
| aws | >= 4.61.0 |

## Providers

| Name | Version |
|------|---------|
| aws.me_south_1 | >= 4.61.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| cloudtrail | ../krrv-sra-cloudtrail | n/a |
| cross_account_iam_roles | ../krrv-sra-iam-roles | n/a |
| iam_groups | ../krrv-sra-iam-groups | n/a |
| iam_user_password_policy | ../krrv-sra-iam-password-policy | n/a |
| multiregion_ebs_encryption | ../krrv-sra-ebs-encryption-multi-region | n/a |
| multiregion_iam_access_analyzer | ../krrv-sra-iam-accessanalyzer-multi-region | n/a |

## Resources

| Name | Type |
|------|------|
| aws_caller_identity.current | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_config_rules | Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details. | <pre>map(object({<br>  # Description of the rule<br>  description : string<br>  # Identifier of an available AWS Config Managed Rule to call.<br>  identifier : string<br>  # Trigger type of the rule, must be one of ´CONFIG_CHANGE´ or ´PERIODIC´.<br>  trigger_type : string<br>  # A map of input parameters for the rule. If you don't have parameters, pass in an empty map ´{}´.<br>  input_parameters : map(string)<br>  # Whether or not this applies to global (non-regional) resources like IAM roles. When true, these rules are disabled<br>  # if var.enable_global_resource_rules is false.<br>  applies_to_global_resources = bool<br>}))</pre> | `{}` | no |
| allow_billing_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. | `list(string)` | `[]` | no |
| allow_billing_access_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| allow_cloudtrail_access_with_iam | If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in kms_key_user_iam_arns will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) | `bool` | `true` | no |
| allow_dev_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in dev_permitted_services. | `list(string)` | `[]` | no |
| allow_dev_access_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| allow_full_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. | `list(string)` | `[]` | no |
| allow_full_access_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| allow_logs_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If cloudtrail_kms_key_arn is specified, they will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. | `list(string)` | `[]` | no |
| allow_read_only_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. | `list(string)` | `[]` | no |
| allow_read_only_access_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| allow_support_access_from_other_account_arns | A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account. | `list(string)` | `[]` | no |
| allow_support_access_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| aws_account_id | The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. | `string` | n/a | yes |
| aws_region | The AWS Region to use as the global config recorder and seed region for GuardDuty. | `string` | n/a | yes |
| cloudtrail_allow_kms_describe_key_to_external_aws_accounts | Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. | `bool` | `false` | no |
| cloudtrail_cloudwatch_logs_group_name | Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to null to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account, and (b) to also store 14 days' worth of logs in CloudWatch in the child account itself for local debugging. | `string` | `"cloudtrail-logs"` | no |
| cloudtrail_data_logging_enabled | If true, logging of data events will be enabled. | `bool` | `false` | no |
| cloudtrail_data_logging_include_management_events | Specify if you want your event selector to include management events for your trail. | `bool` | `true` | no |
| cloudtrail_data_logging_read_write_type | Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. | `string` | `"All"` | no |
| cloudtrail_data_logging_resources | Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource' block within the 'event_selector' block of the 'aws_cloudtrail' resource for context: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource. | `map(list(string))` | `{}` | no |
| cloudtrail_external_aws_account_ids_with_write_access | Provide a list of AWS account IDs that will be allowed to send CloudTrail logs to this account. This is only required if you are aggregating CloudTrail logs in this account (e.g., this is the logs account) from other accounts. | `list(string)` | `[]` | no |
| cloudtrail_force_destroy | If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable, so only use this if you're absolutely sure you want to permanently delete everything! | `bool` | `false` | no |
| cloudtrail_iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the IAM role. | `string` | `null` | no |
| cloudtrail_kms_key_administrator_iam_arns | All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., if this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given administrator permissions for the CMK, including the ability to change who can access this CMK and the extended log data it protects. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists (e.g., if this is the stage or prod account), set this parameter to an empty list. | `list(string)` | `[]` | no |
| cloudtrail_kms_key_arn | All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists (e.g., if this is the stage or prod account and you want to use a CMK that already exists in the logs account), set this to the ARN of that CMK. Otherwise (e.g., if this is the logs account), set this to null, and a new CMK will be created. | `string` | `null` | no |
| cloudtrail_kms_key_arn_is_alias | If the kms_key_arn provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be true for multi-account scenarios. | `bool` | `false` | no |
| cloudtrail_kms_key_service_principals | Additional service principals beyond CloudTrail that should have access to the KMS key used to encrypt the logs. This is useful for granting access to the logs for the purposes of constructing metric filters. | <pre>list(object({<br>  # The name of the service principal (e.g.: s3.amazonaws.com).<br>  name = string<br><br>  # The list of actions that the given service principal is allowed to perform (e.g. ["kms:DescribeKey",<br>  # "kms:GenerateDataKey"]).<br>  actions = list(string)<br><br>  # List of conditions to apply to the permissions for the service principal. Use this to apply conditions on the<br>  # permissions for accessing the KMS key (e.g., only allow access for certain encryption contexts).<br>  conditions = list(object({<br>    # Name of the IAM condition operator to evaluate.<br>    test = string<br><br>    # Name of a Context Variable to apply the condition to. Context variables may either be standard AWS variables<br>    # starting with aws: or service-specific variables prefixed with the service name.<br>    variable = string<br><br>    # Values to evaluate the condition against. If multiple values are provided, the condition matches if at least one<br>    # of them applies. That is, AWS evaluates multiple values as though using an "OR" boolean operation.<br>    values = list(string)<br>  }))<br>}))</pre> | `[]` | no |
| cloudtrail_kms_key_user_iam_arns | All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given user access to this CMK, which will allow this user to read CloudTrail Logs. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists (e.g., if this is the stage or prod account), set this parameter to an empty list. | `list(string)` | `[]` | no |
| cloudtrail_num_days_after_which_archive_log_data | After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. | `number` | `30` | no |
| cloudtrail_num_days_after_which_delete_log_data | After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. | `number` | `365` | no |
| cloudtrail_num_days_to_retain_cloudwatch_logs | After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. | `number` | `0` | no |
| cloudtrail_s3_bucket_already_exists | Set to false to create an S3 bucket of name cloudtrail_s3_bucket_name in this account for storing CloudTrail logs (e.g., if this is the logs account). Set to true to assume the bucket specified in cloudtrail_s3_bucket_name already exists in another AWS account (e.g., if this is the stage or prod account and cloudtrail_s3_bucket_name is the name of a bucket in the logs account). | `bool` | `true` | no |
| cloudtrail_s3_bucket_key_enabled | Optional: whether or not to use Amazon S3 Bucket Keys for SSE-KMS. | `bool` | `false` | no |
| cloudtrail_s3_bucket_name | The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account (e.g., if this is the logs account) or the name of a bucket in another AWS account where logs should be sent (e.g., if this is the stage or prod account and you're specifying the name of a bucket in the logs account). | `string` | `null` | no |
| cloudtrail_s3_mfa_delete | Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store CloudTrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. | `bool` | `false` | no |
| cloudtrail_tags | Tags to apply to the CloudTrail resources. | `map(string)` | `{}` | no |
| config_aggregate_config_data_in_external_account | Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the config_central_account_id variable. This redundant variable has to exist because Terraform does not allow computed data in count and for_each parameters, and config_central_account_id may be computed if it's the ID of a newly-created AWS account. | `bool` | `false` | no |
| config_central_account_id | If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account (e.g., if this is the stage or prod account, set this to the ID of the logs account). If the S3 bucket and SNS topics live in this account (e.g., this is the logs account), set this variable to null. Only used if config_aggregate_config_data_in_external_account is true. | `string` | `null` | no |
| config_create_account_rules | Set to true to create AWS Config rules directly in this account. Set to false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules, because org-level rules create a chicken-and-egg problem with creating new accounts. | `bool` | `true` | no |
| config_delivery_channel_kms_key_arn | Optional KMS key to use for encrypting S3 objects on the AWS Config delivery channel for an externally managed S3 bucket. This must belong to the same region as the destination S3 bucket. If null, AWS Config will default to encrypting the delivered data with AES-256 encryption. Only used if should_create_s3_bucket is false; otherwise, config_s3_bucket_kms_key_arn is used. | `string` | `null` | no |
| config_delivery_channel_kms_key_by_name | Same as config_delivery_channel_kms_key_arn, except the value is the name of a KMS key configured with kms_customer_master_keys. The module-created KMS key for the delivery region (indexed by the name) will be used. Note that if both config_delivery_channel_kms_key_arn and config_delivery_channel_kms_key_by_name are configured, the key in config_delivery_channel_kms_key_arn will always be used. | <pre>object({<br>  name = string<br>  region = string<br>})</pre> | `null` | no |
| config_force_destroy | If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable, so only use this if you're absolutely sure you want to permanently delete everything! | `bool` | `false` | no |
| config_linked_accounts | Provide a list of AWS account IDs that will be allowed to send AWS Config data to this account. This is only required if you are aggregating config data in this account (e.g., this is the logs account) from other accounts. | `list(string)` | `[]` | no |
| config_num_days_after_which_archive_log_data | After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. | `number` | `365` | no |
| config_num_days_after_which_delete_log_data | After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. | `number` | `730` | no |
| config_opt_in_regionslist | Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. | `list(string)` | n/a | yes |
| config_s3_bucket_kms_key_arn | Optional KMS key to use for encrypting S3 objects on the AWS Config bucket, when the S3 bucket is created within this module (config_should_create_s3_bucket is true). For encrypting S3 objects on delivery for an externally managed S3 bucket, refer to the config_delivery_channel_kms_key_arn input variable. If null, data in S3 will be encrypted using the default aws/s3 key. If provided, the key policy of the provided key must permit the IAM role used by AWS Config. See https://docs.aws.amazon.com/sns/latest/dg/sns-key-management.html. Note that the KMS key must reside in the global recorder region (as configured by aws_region). | `string` | `null` | no |
| config_s3_bucket_kms_key_by_name | Same as config_s3_bucket_kms_key_arn, except the value is the name of a KMS key configured with kms_customer_master_keys. The module-created KMS key for the global recorder region (indexed by the name) will be used. Note that if both config_s3_bucket_kms_key_arn and config_s3_bucket_kms_key_by_name are configured, the key in config_s3_bucket_kms_key_arn will always be used. | `string` | `null` | no |
| config_s3_bucket_name | The name of the S3 Bucket where Config items will be stored. Can be in the same account or in another account. | `string` | `null` | no |
| config_s3_mfa_delete | Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to store AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. | `bool` | `false` | no |
| config_should_create_s3_bucket | Set to true to create an S3 bucket of name config_s3_bucket_name in this account for storing AWS Config data (e.g., if this is the logs account). Set to false to assume the bucket specified in config_s3_bucket_name already exists in another AWS account (e.g., if this is the stage or prod account and config_s3_bucket_name is the name of a bucket in the logs account). | `bool` | `false` | no |
| config_should_create_sns_topic | Set to true to create an SNS topic in this account for sending AWS Config notifications (e.g., if this is the logs account). Set to false to assume the topic specified in config_sns_topic_name already exists in another AWS account (e.g., if this is the stage or prod account and config_sns_topic_name is the name of an SNS topic in the logs account). | `bool` | `false` | no |
| config_sns_topic_kms_key_by_name_region_map | Same as config_sns_topic_kms_key_region_map, except the value is the name of a KMS key configured with kms_customer_master_keys. The module-created KMS key for each region (indexed by the name) will be used. Note that if an entry exists for a region in both config_sns_topic_kms_key_region_map and config_sns_topic_kms_key_by_name_region_map, then the key in config_sns_topic_kms_key_region_map will always be used. | `map(string)` | `null` | no |
| config_sns_topic_kms_key_region_map | Optional KMS key to use for each region for configuring default encryption for the SNS topic (encoded as a map from region, e.g. us-east-1, to ARN of KMS key). If null or the region key is missing, encryption will not be configured for the SNS topic in that region. | `map(string)` | `null` | no |
| config_sns_topic_name | The name of the SNS topic where AWS Config notifications will be sent. Can be in the same account or in another account. | `string` | `"ConfigTopic"` | no |
| config_tags | A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. | `map(string)` | `{}` | no |
| configrules_maximum_execution_frequency | The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency | `string` | `"TwentyFour_Hours"` | no |
| custom_cloudtrail_trail_name | A custom name to use for the CloudTrail Trail. If null, defaults to the name_prefix input variable. | `string` | `null` | no |
| dev_permitted_services | A list of AWS services for which the developers from the accounts in allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ['ec2','machinelearning']. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. | `list(string)` | `[]` | no |
| ebs_enable_encryption | If set to true (default), all new EBS volumes will have encryption enabled by default. | `bool` | `true` | no |
| ebs_kms_key_name | Optional map of region names to KMS keys to use by default for encrypting EBS volumes, if ebs_enable_encryption and ebs_use_existing_kms_keys are enabled. The name must match the name given in the kms_customer_master_keys variable. | `map(string)` | `{}` | no |
| ebs_opt_in_regions | Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. | `list(string)` | n/a | yes |
| ebs_use_existing_kms_keys | If set to true, the KMS Customer Managed Keys (CMK) with the name in ebs_kms_key_name will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. | `bool` | `false` | no |
| enable_cloudtrail | Set to true (default) to enable CloudTrail in this app account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled an organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default. | `bool` | `true` | no |
| enable_config | Set to true to enable AWS Config in this app account. Set to false to disable AWS Config (note: all other AWS Config variables will be ignored). | `bool` | `true` | no |
| enable_encrypted_volumes | Checks whether the EBS volumes that are in an attached state are encrypted. | `bool` | `true` | no |
| enable_guardduty | Set to true (default) to enable GuardDuty in this app account. Set to false to disable GuardDuty (note: all other GuardDuty variables will be ignored). Note that if you have enabled organization-level GuardDuty in the root (parent) account, you should set this to false; the organization GuardDuty will enable GuardDuty on child accounts by default. | `bool` | `true` | no |
| enable_iam_access_analyzer | A feature flag to enable or disable this module. | `bool` | `false` | no |
| enable_iam_cross_account_roles | A feature flag to enable or disable this module. | `bool` | `true` | no |
| enable_iam_password_policy | Checks whether the account password policy for IAM users meets the specified requirements. | `bool` | `true` | no |
| enable_iam_user_password_policy | Set to true (default) to enable the IAM User Password Policies in this app account. Set to false to disable the policies. (Note: all other IAM User Password Policy variables will be ignored.) | `bool` | `true` | no |
| enable_insecure_sg_rules | Checks whether any security group with 0.0.0.0/0 in any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. | `bool` | `true` | no |
| enable_rds_storage_encrypted | Checks whether storage encryption is enabled for your RDS DB instances. | `bool` | `true` | no |
| enable_root_account_mfa | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. | `bool` | `true` | no |
| enable_s3_bucket_public_read_prohibited | Checks that your Amazon S3 buckets do not allow public read access. | `bool` | `true` | no |
| enable_s3_bucket_public_write_prohibited | Checks that your Amazon S3 buckets do not allow public write access. | `bool` | `true` | no |
| encrypted_volumes_kms_id | ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. | `string` | `null` | no |
| guardduty_cloudwatch_event_rule_name | Name of the CloudWatch event rules. | `string` | `"guardduty-finding-events"` | no |
| guardduty_finding_publishing_frequency | Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified; otherwise it defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. | `string` | `null` | no |
| guardduty_findings_sns_topic_name | Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true. | `string` | `"guardduty-findings"` | no |
| guardduty_opt_in_regionslist | Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. | `list(string)` | n/a | yes |
| guardduty_publish_findings_to_sns | Send GuardDuty findings to the SNS topics specified by findings_sns_topic_name. | `bool` | `false` | no |
| iam_access_analyzer_name | The name of the IAM Access Analyzer module. | `string` | `"baseline_app-iam_access_analyzer"` | no |
| iam_access_analyzer_opt_in_regions | Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. | `list(string)` | n/a | yes |
| iam_access_analyzer_type | If set to ORGANIZATION, the analyzer will scan the current organization and any policies that refer to linked resources such as S3, IAM, Lambda and SQS policies. | `string` | `"ORGANIZATION"` | no |
| iam_password_policy_allow_users_to_change_password | Allow users to change their own password. | `bool` | `true` | no |
| iam_password_policy_hard_expiry | Password expiration requires administrator reset. | `bool` | `true` | no |
| iam_password_policy_max_password_age | Number of days before password expiration. | `number` | `30` | no |
| iam_password_policy_minimum_password_length | Password minimum length. | `number` | `16` | no |
| iam_password_policy_password_reuse_prevention | Number of passwords before allowing reuse. | `number` | `5` | no |
| iam_password_policy_require_lowercase_characters | Require at least one lowercase character in password. | `bool` | `true` | no |
| iam_password_policy_require_numbers | Require at least one number in password. | `bool` | `true` | no |
| iam_password_policy_require_symbols | Require at least one symbol in password. | `bool` | `true` | no |
| iam_password_policy_require_uppercase_characters | Require at least one uppercase character in password. | `bool` | `true` | no |
| iam_role_tags | The tags to apply to all the IAM role resources. | `map(string)` | `{}` | no |
| insecure_sg_rules_authorized_tcp_ports | Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. | `string` | `"443"` | no |
| insecure_sg_rules_authorized_udp_ports | Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. | `string` | `null` | no |
| kms_cmk_global_tag | A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value. | `map(string)` | `{}` | no |
| kms_cmk_opt_in_regions | Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. | `list(string)` | n/a | yes |
| kms_customer_master_keys | You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key. | `map(any)` | `{}` | no |
| kms_grant_region | The map of names of KMS grants to the region where the key resides. There should be a one-to-one mapping between entries in this map and the entries of the kms_grants map. This is used to work around a Terraform limitation where the for_each value cannot depend on resources. | `map(string)` | `{}` | no |
| kms_grants | Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs to encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account. | <pre>map(object({<br>  # ARN of the KMS CMK that the grant applies to. Note that the region is introspected based on the ARN.<br>  kms_cmk_arn = string<br><br>  # The principal that is given permission to perform the operations that the grant permits. This must be in ARN<br>  # format. For example, the grantee principal for ASG is:<br>  # arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling<br>  grantee_principal = string<br><br>  # A list of operations that the grant permits. The permitted values are:<br>  # Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, CreateGrant,<br>  # RetireGrant, DescribeKey<br>  granted_operations = list(string)<br>}))</pre> | `{}` | no |
| max_session_duration_human_users | The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see max_session_duration_machine_users. | `number` | `43200` | no |
| name_prefix | The name used to prefix AWS Config and CloudTrail resources, including the S3 bucket names and SNS topics used for each. | `string` | n/a | yes |
| rds_storage_encrypted_kms_id | KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. | `string` | `null` | no |
| service_linked_roles | Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles. | `set(string)` | `[]` | no |
| should_require_mfa | Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) | `bool` | `true` | no |
| use_managed_iam_policies | When true, all IAM policies will be managed as dedicated policies rather than inline policies attached to the IAM roles. Dedicated managed policies are friendlier to automated policy checkers, which may scan a single resource for findings. As such, it is important to avoid inline policies when targeting compliance with various security standards. | `bool` | `true` | no |
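As an added example (not code from this repository), the module call below wires a member account in the multi-account layout the input descriptions assume: CloudTrail and AWS Config data are delivered to buckets and a CMK that already exist in a separate logs account, an extra managed Config rule is registered through `additional_config_rules`, and only read-only and logs roles are opened to a central security account. The module source path, account IDs, bucket names, key ARN and region list are placeholders.

```hcl
# Added example for this README, not part of the module. Every ID, ARN, bucket
# name and path below is a placeholder to be replaced with real values.

provider "aws" {
  region = "us-east-1"
}

# The module declares an aliased provider for me-south-1, so it must be passed in.
provider "aws" {
  alias  = "me_south_1"
  region = "me-south-1"
}

locals {
  logs_account_id     = "111111111111"                        # placeholder: logs account
  security_account_id = "333333333333"                        # placeholder: security account
  enabled_regions     = ["us-east-1", "us-west-2", "eu-west-1"] # placeholder: from `aws ec2 describe-regions`
}

module "sra_application_stack" {
  source = "../terraform-aws-krrv-sra-application-stack" # placeholder path

  providers = {
    aws.me_south_1 = aws.me_south_1
  }

  aws_account_id = "222222222222" # placeholder: this member account
  aws_region     = "us-east-1"    # global Config recorder and GuardDuty seed region
  name_prefix    = "app-prod"

  # Region lists are required and must not be null or empty; each per-region
  # module derives its provider set from them, so pass the same explicit list.
  config_opt_in_regionslist          = local.enabled_regions
  guardduty_opt_in_regionslist       = local.enabled_regions
  ebs_opt_in_regions                 = local.enabled_regions
  iam_access_analyzer_opt_in_regions = local.enabled_regions
  kms_cmk_opt_in_regions             = local.enabled_regions

  # CloudTrail: the bucket and CMK live in the logs account, so nothing is
  # created here and both CMK ARN lists stay empty (per the input docs).
  cloudtrail_s3_bucket_already_exists       = true
  cloudtrail_s3_bucket_name                 = "example-cloudtrail-logs" # placeholder
  cloudtrail_kms_key_arn                    = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000" # placeholder
  cloudtrail_kms_key_administrator_iam_arns = []
  cloudtrail_kms_key_user_iam_arns          = []
  # Keep a short local copy in CloudWatch for debugging; long-term retention is central.
  cloudtrail_num_days_to_retain_cloudwatch_logs = 14

  # AWS Config: deliver to the logs account's existing bucket and SNS topic.
  config_aggregate_config_data_in_external_account = true
  config_central_account_id                        = local.logs_account_id
  config_should_create_s3_bucket                   = false
  config_s3_bucket_name                            = "example-config-logs" # placeholder
  config_should_create_sns_topic                   = false
  config_sns_topic_name                            = "ConfigTopic"

  # One managed rule beyond the built-in ones. The identifier and the
  # daysToExpiration parameter are those of the AWS-managed rule.
  additional_config_rules = {
    "acm-certificate-expiration-check" = {
      description                 = "Flag ACM certificates expiring within 30 days"
      identifier                  = "ACM_CERTIFICATE_EXPIRATION_CHECK"
      trigger_type                = "PERIODIC"
      input_parameters            = { daysToExpiration = "30" }
      applies_to_global_resources = false
    }
  }

  # Cross-account human access: least privilege, so no full-access or dev roles
  # are granted from other accounts; only read-only and log reading.
  allow_read_only_access_from_other_account_arns = ["arn:aws:iam::${local.security_account_id}:root"]
  allow_logs_access_from_other_account_arns      = ["arn:aws:iam::${local.security_account_id}:root"]
  max_session_duration_human_users               = 28800 # 8 hours instead of the 12-hour default
}
```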

## Outputs

| Name | Description |
|------|-------------|
| allow_billing_access_from_other_accounts_iam_role_arn | n/a |
| allow_billing_access_from_other_accounts_iam_role_id | n/a |
| allow_billing_access_sign_in_url | n/a |
| allow_dev_access_from_other_accounts_iam_role_arn | n/a |
| allow_dev_access_from_other_accounts_iam_role_id | n/a |
| allow_dev_access_sign_in_url | n/a |
| allow_full_access_from_other_accounts_iam_role_arn | n/a |
| allow_full_access_from_other_accounts_iam_role_id | n/a |
| allow_full_access_sign_in_url | n/a |
| allow_iam_admin_access_from_other_accounts_iam_role_arn | n/a |
| allow_iam_admin_access_from_other_accounts_iam_role_id | n/a |
| allow_iam_admin_access_sign_in_url | n/a |
| allow_logs_access_from_other_accounts_iam_role_arn | n/a |
| allow_logs_access_from_other_accounts_iam_role_id | n/a |
| allow_logs_access_sign_in_url | n/a |
| allow_read_only_access_from_other_accounts_iam_role_arn | n/a |
| allow_read_only_access_from_other_accounts_iam_role_id | n/a |
| allow_read_only_access_sign_in_url | n/a |
| allow_support_access_from_other_accounts_iam_role_arn | n/a |
| allow_support_access_from_other_accounts_iam_role_id | n/a |
| allow_support_access_sign_in_url | n/a |
| aws_ebs_encryption_by_default_enabled | A map from region to a boolean indicating whether or not EBS encryption is enabled by default for each region. |
| aws_ebs_encryption_default_kms_key | A map from region to the ARN of the KMS key used for default EBS encryption for each region. |
| cloudtrail_cloudwatch_group_arn | The ARN of the CloudWatch log group. |
| cloudtrail_cloudwatch_group_name | The name of the CloudWatch log group. |
| cloudtrail_iam_role_arn | The ARN of the IAM role used by the CloudWatch log group. |
| cloudtrail_iam_role_name | The name of the IAM role used by the CloudWatch log group. |
| cloudtrail_kms_key_alias_name | The alias of the KMS key used by the S3 bucket to encrypt CloudTrail logs. |
| cloudtrail_kms_key_arn | The ARN of the KMS key used by the S3 bucket to encrypt CloudTrail logs. |
| cloudtrail_s3_access_logging_bucket_name | The name of the S3 bucket where server access logs are delivered. |
| cloudtrail_s3_bucket_name | The name of the S3 bucket where CloudTrail logs are delivered. |
| cloudtrail_trail_arn | The ARN of the CloudTrail trail. |
| invalid_cmk_inputs | Map of CMKs from the input customer_master_keys that had an invalid region, and thus were not created. The structure of the map is the same as the input. This will only include KMS key inputs that were not created because the region attribute was invalid (either not a valid region identifier, the region is not enabled on the account, or the region is not included in the opt_in_regions input). |
| kms_key_aliases | A map from region to aliases of the KMS CMKs that were created. The value will also be a map mapping the keys from the customer_master_keys input variable to the corresponding alias. |
| kms_key_arns | A map from region to ARNs of the KMS CMKs that were created. The value will also be a map mapping the keys from the kms_customer_master_keys input variable to the corresponding ARN. |
| kms_key_ids | A map from region to IDs of the KMS CMKs that were created. The value will also be a map mapping the keys from the kms_customer_master_keys input variable to the corresponding ID. |
| service_linked_role_arns | A map of ARNs of the service-linked roles created from service_linked_roles. |

## About

SRA baseline to be applied to member AWS accounts