From a3f7b3344e4015f108580193c7563f5df7cc3677 Mon Sep 17 00:00:00 2001
From: Moty Michaely
Date: Wed, 26 Feb 2025 13:24:27 +0200
Subject: [PATCH 1/2] Adds IL and ME regions
---
 analyzer_baselines.tf | 28 ++++++++++++++++++++
 ebs_baselines.tf | 18 +++++++++++++
 examples/organization/master/main.tf | 2 ++
 examples/organization/member/main.tf | 2 ++
 examples/select-region/main.tf | 2 ++
 examples/simple/main.tf | 17 ++++++++++++-
 examples/simple/regions.tf | 10 ++++++++
 main.tf | 2 ++
 securityhub_baselines.tf | 34 +++++++++++++++++++++++++
 variables.tf | 2 ++
 vpc_baselines.tf | 38 ++++++++++++++++++++++++++++
 11 files changed, 154 insertions(+), 1 deletion(-)
diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf
index 1af69a50..10c0d6ea 100644
--- a/analyzer_baselines.tf
+++ b/analyzer_baselines.tf
@@ -243,3 +243,31 @@ module "analyzer_baseline_us-west-2" {
 tags = var.tags
 }
 
+
+module "analyzer_baseline_il-central-1" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "il-central-1") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.il-central-1
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
+
+module "analyzer_baseline_me-central-1" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "me-central-1") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.me-central-1
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
diff --git a/ebs_baselines.tf b/ebs_baselines.tf
index 3da9c5ea..41136389 100644
--- a/ebs_baselines.tf
+++ b/ebs_baselines.tf
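Review bot: il-central-1 and me-central-1 are AWS opt-in regions, and the new `providers = { aws = aws.il-central-1 }` / `aws.me-central-1` references here (and in the ebs_baselines.tf, securityhub_baselines.tf and vpc_baselines.tf hunks) are unconditional, while the variables.tf hunk puts both regions into the default of `var.target_regions`, so every consumer on the default list gets `count = 1` for these modules on their next plan. In an account that has not enabled the region I would expect the provider to fail during plan or apply rather than skip the region, which turns a routine module upgrade into a broken pipeline. Either keep the two regions out of the default and document them as opt-in, or add to the `target_regions` description something like `# il-central-1 and me-central-1 are opt-in regions: include them only after enabling them in the account`.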
@@ -154,3 +154,21 @@ module "ebs_baseline_us-west-2" {
 aws = aws.us-west-2
 }
 }
+
+module "ebs_baseline_il-central-1" {
+ count = contains(var.target_regions, "il-central-1") ? 1 : 0
+ source = "./modules/ebs-baseline"
+
+ providers = {
+ aws = aws.il-central-1
+ }
+}
+
+module "ebs_baseline_me-central-1" {
+ count = contains(var.target_regions, "me-central-1") ? 1 : 0
+ source = "./modules/ebs-baseline"
+
+ providers = {
+ aws = aws.me-central-1
+ }
+}
diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf
index f74dfcf4..02ef6729 100644
--- a/examples/organization/master/main.tf
+++ b/examples/organization/master/main.tf
@@ -59,6 +59,8 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.il-central-1 = aws.il-central-1
+ aws.me-central-1 = aws.me-central-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf
index 8c20c3d9..290323c1 100644
--- a/examples/organization/member/main.tf
+++ b/examples/organization/member/main.tf
@@ -52,6 +52,8 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.il-central-1 = aws.il-central-1
+ aws.me-central-1 = aws.me-central-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf
index 391872ec..5d451035 100644
--- a/examples/select-region/main.tf
+++ b/examples/select-region/main.tf
@@ -50,6 +50,8 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.il-central-1 = aws.il-central-1
+ aws.me-central-1 = aws.me-central-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
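Review bot: The examples/organization/master hunk (and the examples/organization/member and examples/select-region hunks below it) passes `aws.il-central-1 = aws.il-central-1` and `aws.me-central-1 = aws.me-central-1` to the module, but the diffstat shows only examples/simple/regions.tf gaining `provider "aws"` blocks for these aliases. Unless those three examples declare the aliases in a file this patch does not touch, they now refer to undeclared provider configurations and `terraform validate` on them should fail. Each of them needs the same two aliased `provider "aws"` blocks that the regions.tf hunk adds for examples/simple.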
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index 5e672c8e..635edfb2 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -21,7 +21,20 @@ resource "aws_iam_user" "admin" {
 }
 
 module "secure_baseline" {
- source = "../../"
+ # Option 1: Using HTTPS
+ source = "git::https://github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git"
+
+ # Option 2: Using SSH
+ # source = "git::ssh://git@github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git"
+
+ # Option 3: Using a specific branch
+ # source = "git::https://github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git?ref=feature-branch"
+
+ # Option 4: Using a specific tag
+ # source = "git::https://github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git?ref=v1.0.0"
+
+ # Option 5: Using a specific commit
+ # source = "git::https://github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git?ref=abcd1234"
 
 audit_log_bucket_name = var.audit_s3_bucket_name
 aws_account_id = data.aws_caller_identity.current.account_id
@@ -47,6 +60,8 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.il-central-1 = aws.il-central-1
+ aws.me-central-1 = aws.me-central-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf
index 6937e512..8d1f7a58 100644
--- a/examples/simple/regions.tf
+++ b/examples/simple/regions.tf
@@ -88,3 +88,13 @@ provider "aws" {
 alias = "us-west-2"
 }
 
+provider "aws" {
+ region = "il-central-1"
+ alias = "il-central-1"
+}
+
+provider "aws" {
+ region = "me-central-1"
+ alias = "me-central-1"
+}
+
diff --git a/main.tf b/main.tf
index 1b807f35..cd5bac4a 100644
--- a/main.tf
+++ b/main.tf
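Review bot: Replacing `source = "../../"` with `source = "git::https://github.com/YOUR_USERNAME/terraform-aws-secure-baseline.git"` leaves the example broken as shipped: `YOUR_USERNAME` is a placeholder, so `terraform init` in examples/simple fails until it is edited, and the example no longer exercises the module code in this repository, which any CI that inits the examples silently loses. The change is also unrelated to the commit subject. For a security baseline the commented alternatives should steer users toward an immutable ref; option 3 (`?ref=feature-branch`) pins to a mutable branch, so whatever is pushed there is what gets applied. I would keep `source = "../../"` in the example, move the git-source options to the README, and annotate the branch option `# branches are mutable; pin to a tag or commit for anything beyond experiments`.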
@@ -16,6 +16,8 @@ terraform { aws.eu-central-1, aws.eu-north-1, aws.eu-west-1, aws.eu-west-2, aws.eu-west-3, + aws.il-central-1, + aws.me-central-1, aws.sa-east-1, aws.us-east-1, aws.us-east-2, aws.us-west-1, aws.us-west-2,
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index a8324d6e..98292d60 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -294,3 +294,37 @@ module "securityhub_baseline_us-west-2" {
 master_account_id = local.securityhub_master_account_id
 member_accounts = local.securityhub_member_accounts
 }
+
+module "securityhub_baseline_il-central-1" {
+ count = contains(var.target_regions, "il-central-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.il-central-1
+ }
+
+ aggregate_findings = var.region == "il-central-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
+module "securityhub_baseline_me-central-1" {
+ count = contains(var.target_regions, "me-central-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.me-central-1
+ }
+
+ aggregate_findings = var.region == "me-central-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
diff --git a/variables.tf b/variables.tf
index a942f3c9..dcc0c617 100644
--- a/variables.tf
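Review bot: Adding `aws.il-central-1,` and `aws.me-central-1,` to this alias list, which appears to be the module's `configuration_aliases` (the enclosing `terraform` block starts outside the hunk), makes both provider aliases mandatory for every caller of the module, not only for callers that target those regions, because as far as I know Terraform rejects a module call that omits a declared configuration alias. That is a breaking interface change for existing users — each has to add two `provider "aws"` aliases before the next plan succeeds — and neither the commit message nor a changelog entry in this patch says so. Please state it in the commit message and changelog, and treat it as a major version bump if the project follows semver. The securityhub_baselines.tf hunk itself matches the existing per-region modules.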
+++ b/variables.tf
@@ -55,6 +55,8 @@ variable "target_regions" {
 "eu-west-1",
 "eu-west-2",
 "eu-west-3",
+ "il-central-1",
+ "me-central-1",
 "sa-east-1",
 "us-east-1",
 "us-east-2",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed472..b5ed8ae9 100644
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -385,3 +385,41 @@ module "vpc_baseline_us-west-2" {
 tags = var.tags
 }
 
+
+module "vpc_baseline_il-central-1" {
+ count = var.vpc_enable && contains(var.target_regions, "il-central-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.il-central-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
+module "vpc_baseline_me-central-1" {
+ count = var.vpc_enable && contains(var.target_regions, "me-central-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.me-central-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
From 30f0d5d4b82cffcd41c4add81e3ca1cea4bc2b1f Mon Sep 17 00:00:00 2001
From: Moty Michaely
Date: Thu, 6 Mar 2025 18:54:21 +0200
Subject: [PATCH 2/2] Change aws_s3_bucket_ownership_controls to allow ACLs to be applied
---
 examples/organization/master/main.tf | 1 +
 examples/organization/master/variables.tf | 1 +
 modules/secure-bucket/main.tf | 23 +++++++++++++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf
index 02ef6729..809fe623 100644
--- a/examples/organization/master/main.tf
+++ b/examples/organization/master/main.tf
@@ -25,6 +25,7 @@ resource "aws_organizations_organization" "org" {
 "access-analyzer.amazonaws.com",
 "cloudtrail.amazonaws.com",
 "config.amazonaws.com",
+ "securityhub.amazonaws.com"
 ]
 feature_set = "ALL"
 }
diff --git a/examples/organization/master/variables.tf b/examples/organization/master/variables.tf
index 91abcd10..2b97a7ea 100644
--- a/examples/organization/master/variables.tf
+++ b/examples/organization/master/variables.tf
@@ -17,3 +17,4 @@ variable "region" {
 default = "us-east-1"
 }
 
+
diff --git a/modules/secure-bucket/main.tf b/modules/secure-bucket/main.tf
index 44c9425d..b12e1d56 100644
--- a/modules/secure-bucket/main.tf
+++ b/modules/secure-bucket/main.tf
@@ -18,6 +18,14 @@ data "aws_iam_policy_document" "access_log_policy" {
 }
 }
 
+resource "aws_s3_bucket_ownership_controls" "access_log" {
+ bucket = aws_s3_bucket.access_log.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket" "access_log" {
 bucket = var.log_bucket_name
 force_destroy = var.force_destroy
@@ -28,6 +36,9 @@ resource "aws_s3_bucket" "access_log" {
 resource "aws_s3_bucket_acl" "access_log" {
 bucket = aws_s3_bucket.access_log.id
 acl = "log-delivery-write"
+ depends_on = [
+ aws_s3_bucket_ownership_controls.access_log,
+ ]
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" {
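Review bot: The `"securityhub.amazonaws.com"` principal added to `aws_service_access_principals` is unrelated to the commit subject about bucket ownership controls, so nobody tracing why Security Hub trusted access was enabled in the organization will find it from the log. It also drops the trailing comma the neighbouring entries keep (`"config.amazonaws.com",`), so the next addition has to modify this line again. I would move it to its own commit that says why trusted access is needed and write it as `"securityhub.amazonaws.com",`.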
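Review bot: `object_ownership = "BucketOwnerPreferred"` turns ACLs back on for the access-log bucket (and, in the two modules/secure-bucket/main.tf hunks that follow, for the content bucket), whereas `BucketOwnerEnforced`, the AWS default for new buckets, keeps ACLs disabled and still covers both needs here: server access logging can be granted to the `logging.s3.amazonaws.com` service principal in the bucket policy (the `access_log_policy` document whose tail is visible at the top of this hunk looks like the place) instead of the `log-delivery-write` ACL, and objects written by other accounts become bucket-owner owned without any `bucket-owner-full-control` ACL on the PUT. A bucket with ACLs enabled is the kind of configuration the Security Hub baseline shipped by this same module is likely to flag under the AWS Foundational standard, so the change works against the module's own purpose. If some consumer really depends on ACLs, make it opt-in with a variable such as `variable "object_ownership" { default = "BucketOwnerEnforced" }` and skip the `aws_s3_bucket_acl` resources when enforced, since S3 rejects non-default ACLs on an enforced bucket. The `depends_on` in the second hunk is the right ordering for the ACL-enabled case.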
@@ -75,6 +86,14 @@ resource "aws_s3_bucket_public_access_block" "access_log" {
 restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_ownership_controls" "content" {
+ bucket = aws_s3_bucket.content.id
+
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 resource "aws_s3_bucket" "content" {
 bucket = var.bucket_name
 force_destroy = var.force_destroy
@@ -89,6 +108,10 @@ resource "aws_s3_bucket" "content" {
 resource "aws_s3_bucket_acl" "content" {
 bucket = aws_s3_bucket.content.id
 acl = "private"
+
+ depends_on = [
+ aws_s3_bucket_ownership_controls.content,
+ ]
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "content" {