Updated the module versions (#13) (#14)

* AD-183: Updated Module versions and added comments

* AD-183: Updated Module versions and added comments

* Set billing mode in dynamoDB to On-demand

Co-authored-by: ankush-sqops <[email protected]>

Author: vinayakgautamops

IAM.md

@@ -49,6 +49,16 @@ The Policy required is:
         {
             "Sid": "VisualEditor2",
             "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeAccountAttributes"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
             "Action": [
                 "iam:AttachRolePolicy",
                 "iam:CreatePolicy",
@@ -73,14 +83,21 @@ The Policy required is:
             ]
         },
         {
-            "Sid": "VisualEditor3",
+            "Sid": "VisualEditor4",
             "Effect": "Allow",
             "Action": [
+                "kms:CreateAlias",
                 "kms:CreateKey",
+                "kms:DeleteAlias",
                 "kms:DescribeKey",
+                "kms:DisableKey",
+                "kms:EnableKey",
+                "kms:EnableKeyRotation",
                 "kms:GetKeyPolicy",
                 "kms:GetKeyRotationStatus",
+                "kms:ListAliases",
                 "kms:ListResourceTags",
+                "kms:PutKeyPolicy",
                 "kms:ScheduleKeyDeletion",
                 "kms:TagResource",
                 "kms:UntagResource"
@@ -90,21 +107,76 @@ The Policy required is:
             ]
         },
         {
-            "Sid": "VisualEditor4",
+            "Sid": "VisualEditor5",
             "Effect": "Allow",
             "Action": [
                 "logs:AssociateKmsKey",
                 "logs:CreateLogGroup",
                 "logs:DeleteLogGroup",
+                "logs:DeleteRetentionPolicy",
                 "logs:DescribeLogGroups",
                 "logs:DisassociateKmsKey",
                 "logs:ListTagsLogGroup",
+                "logs:PutRetentionPolicy",
                 "logs:TagLogGroup",
                 "logs:UntagLogGroup"
             ],
             "Resource": [
                 "*"
             ]
+        },
+        {
+            "Sid": "VisualEditor6",
+            "Effect": "Allow",
+            "Action": [
+                "s3:CreateBucket",
+                "s3:DeleteBucket",
+                "s3:DeleteBucketWebsite",
+                "s3:GetAccelerateConfiguration",
+                "s3:GetBucketAcl",
+                "s3:GetBucketCORS",
+                "s3:GetBucketLocation",
+                "s3:GetBucketLogging",
+                "s3:GetBucketObjectLockConfiguration",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketPublicAccessBlock",
+                "s3:GetBucketRequestPayment",
+                "s3:GetBucketTagging",
+                "s3:GetBucketVersioning",
+                "s3:GetBucketWebsite",
+                "s3:GetEncryptionConfiguration",
+                "s3:GetIntelligentTieringConfiguration",
+                "s3:GetInventoryConfiguration",
+                "s3:GetLifecycleConfiguration",
+                "s3:GetMetricsConfiguration",
+                "s3:GetObject",
+                "s3:GetObjectAcl",
+                "s3:GetReplicationConfiguration",
+                "s3:ListAllMyBuckets",
+                "s3:ListBucket",
+                "s3:PutAccelerateConfiguration",
+                "s3:PutBucketAcl",
+                "s3:PutBucketCORS",
+                "s3:PutBucketLogging",
+                "s3:PutBucketObjectLockConfiguration",
+                "s3:PutBucketPolicy",
+                "s3:PutBucketPublicAccessBlock",
+                "s3:PutBucketRequestPayment",
+                "s3:PutBucketVersioning",
+                "s3:PutBucketWebsite",
+                "s3:PutEncryptionConfiguration",
+                "s3:PutIntelligentTieringConfiguration",
+                "s3:PutInventoryConfiguration",
+                "s3:PutLifecycleConfiguration",
+                "s3:PutMetricsConfiguration",
+                "s3:PutObject",
+                "s3:PutObjectLegalHold",
+                "s3:PutObjectRetention",
+                "s3:PutReplicationConfiguration"
+            ],
+            "Resource": [
+                "*"
+            ]
         }
     ]
 }

README.md

@@ -66,9 +66,9 @@ In this module, we have implemented the following CIS Compliance checks for S3:
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | clouddrove/kms/aws | 0.15.0 |
-| <a name="module_log_bucket"></a> [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.10.0 |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.10.0 |
+| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | clouddrove/kms/aws | 1.3.1 |
+| <a name="module_log_bucket"></a> [log\_bucket](#module\_log\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.2 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.2 |
 
 ## Resources
 

examples/state-storage-backend/README.md

@@ -14,7 +14,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_backend"></a> [backend](#module\_backend) | squareops/tfstate/aws | n/a |
+| <a name="module_backend"></a> [backend](#module\_backend) | ../../ | n/a |
 
 ## Resources
 

examples/state-storage-backend/main.tf

@@ -9,7 +9,7 @@ locals {
 }
 
 module "backend" {
-  source                       = "squareops/tfstate/aws"
+  source                       = "../../"
   logging                      = true
   bucket_name                  = "production-tfstate-bucket" #unique global s3 bucket name
   environment                  = local.environment

logging.tf

@@ -1,3 +1,4 @@
+# Create a cloudtrail trail to track all management events data events ( only for S3 bucket and lambda function) and  store them in log_bucket.
 resource "aws_cloudtrail" "s3_cloudtrail" {
   count                         = var.logging ? 1 : 0
   depends_on                    = [aws_iam_role_policy_attachment.s3_cloudtrail_policy_attachment]
@@ -28,6 +29,7 @@ resource "aws_cloudtrail" "s3_cloudtrail" {
   )
 }
 
+#Create a log_group in cloudwatch for storing logs generated by cloudtrail Trail.
 resource "aws_cloudwatch_log_group" "s3_cloudwatch" {
   count             = var.logging && var.cloudwatch_logging_enabled ? 1 : 0
   name              = format("%s-%s-S3", var.bucket_name, data.aws_caller_identity.current.account_id)
@@ -39,6 +41,7 @@ resource "aws_cloudwatch_log_group" "s3_cloudwatch" {
   )
 }
 
+# Create an IAM role to be attached with cloudtrail trail
 resource "aws_iam_role" "s3_cloudtrail_cloudwatch_role" {
   count              = var.logging && var.cloudwatch_logging_enabled ? 1 : 0
   name               = format("%s-cloudtrail-cloudwatch-S3", var.bucket_name)
@@ -49,6 +52,7 @@ resource "aws_iam_role" "s3_cloudtrail_cloudwatch_role" {
   )
 }
 
+#  AWS IAM policy document that allows AWS CloudTrail to assume roles for accessing AWS services.
 data "aws_iam_policy_document" "cloudtrail_assume_role" {
   count = var.logging ? 1 : 0
   statement {
@@ -62,6 +66,7 @@ data "aws_iam_policy_document" "cloudtrail_assume_role" {
   }
 }
 
+#  AWS IAM policy defining permissions for AWS CloudTrail to interact with CloudWatch Logs for S3 logging.
 resource "aws_iam_policy" "s3_cloudtrail_cloudwatch_policy" {
   count  = var.logging && var.cloudwatch_logging_enabled ? 1 : 0
   name   = format("%s-cloudtrail-cloudwatch-S3", var.bucket_name)
@@ -99,17 +104,18 @@ EOF
 }
 
 
-
+#Attach the IAM policy to the IAM role created above.
 resource "aws_iam_role_policy_attachment" "s3_cloudtrail_policy_attachment" {
   count      = var.logging && var.cloudwatch_logging_enabled ? 1 : 0
   role       = aws_iam_role.s3_cloudtrail_cloudwatch_role[0].name
   policy_arn = aws_iam_policy.s3_cloudtrail_cloudwatch_policy[0].arn
 }
 
+# Create a S3 logger bucket to add bucket access logs and cloudtrial logs
 module "log_bucket" {
   count                                 = var.logging ? 1 : 0
   source                                = "terraform-aws-modules/s3-bucket/aws"
-  version                               = "3.10.0"
+  version                               = "4.1.2"
   bucket                                = format("%s-%s-log-bucket", var.bucket_name, data.aws_caller_identity.current.account_id)
   force_destroy                         = true
   attach_elb_log_delivery_policy        = true
@@ -168,11 +174,12 @@ module "log_bucket" {
 POLICY
 }
 
+# Create KMS key used to encrypt cloudwatch log group and CloudTrail trail.
 module "kms_key" {
   count      = var.logging ? 1 : 0
   depends_on = [data.aws_iam_policy_document.default]
   source     = "clouddrove/kms/aws"
-  version    = "0.15.0"
+  version    = "1.3.1"
 
   name                    = format("%s-%s-kms-03", var.bucket_name, data.aws_caller_identity.current.account_id)
   enabled                 = true
@@ -182,6 +189,8 @@ module "kms_key" {
   enable_key_rotation     = true
 }
 
+
+#  IAM policy document defining permissions for AWS KMS related to AWS CloudTrail encryption and decryption.
 data "aws_iam_policy_document" "default" {
   count   = var.logging ? 1 : 0
   version = "2012-10-17"
@@ -238,7 +247,7 @@ data "aws_iam_policy_document" "default" {
       test     = "StringEquals"
       variable = "kms:CallerAccount"
       values = [
-      "${data.aws_caller_identity.current.account_id}"]
+      data.aws_caller_identity.current.account_id]
     }
     condition {
       test     = "StringLike"

main.tf

@@ -7,6 +7,7 @@ locals {
 data "aws_region" "region" {}
 data "aws_caller_identity" "current" {}
 
+#Create a KMS KeyValue pair for encrypting S3 buckets created for storing terrafrom state
 resource "aws_kms_key" "mykey" {
   description             = "This key is used to encrypt bucket objects"
   deletion_window_in_days = 10
@@ -15,6 +16,7 @@ resource "aws_kms_key" "mykey" {
     local.tags,
   )
 }
+#IAM role created for EC2 instance to call AWS services on its behalf
 resource "aws_iam_role" "this" {
   assume_role_policy = <<EOF
 {
@@ -37,6 +39,7 @@ EOF
   )
 }
 
+#Generates an Bucket policy in JSON format so as to attach it with S3 bucket
 data "aws_iam_policy_document" "bucket_policy" {
   statement {
     principals {
@@ -54,9 +57,10 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
+# Create an S3 bucket for storing terraform state
 module "s3_bucket" {
   source                                = "terraform-aws-modules/s3-bucket/aws"
-  version                               = "3.10.0"
+  version                               = "4.1.2"
   bucket                                = format("%s-%s", var.bucket_name, data.aws_caller_identity.current.account_id)
   force_destroy                         = var.force_destroy
   attach_policy                         = true
@@ -91,19 +95,21 @@ module "s3_bucket" {
   object_ownership         = "BucketOwnerPreferred"
 }
 
+# Create a DynampDB table for locking terraform state
 resource "aws_dynamodb_table" "dynamodb_table" {
-  name           = format("%s-%s-%s", var.bucket_name, "lock-dynamodb", data.aws_caller_identity.current.account_id)
-  hash_key       = "LockID"
-  read_capacity  = 20
-  write_capacity = 20
-
+  name         = format("%s-%s-%s", var.bucket_name, "lock-dynamodb", data.aws_caller_identity.current.account_id)
+  hash_key     = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
   attribute {
     name = "LockID"
     type = "S"
   }
 
   tags = merge(
-    { "Name" = format("%s-%s-%s", var.bucket_name, "lock-dynamodb", data.aws_caller_identity.current.account_id) },
+    {
+      "Name" = format("%s-%s-%s", var.bucket_name, "lock-dynamodb", data.aws_caller_identity.current.account_id),
+      "Cost" = format("%s-%s-%s", var.bucket_name, "lock-dynamodb", data.aws_caller_identity.current.account_id)
+    },
     local.tags,
   )
 }