terraform-aws-secure-baseline's Issues

Move the modules to separate repositories

Hi! Excellent work putting all of this together!

Currently, the structure of the repository means that if someone wants to use anything they need to use everything or copy-paste the code into a separate module. Maybe you could create an organization and put the modules into different repositories? This would allow using only what the person needs, and if they want to use it all there can still be a repo that holds all of the modules.

BadRequestException for log groups and GuardDuty

We have tried enabling this module using the below configuration:

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

module "secure-baseline" {
  source  = "nozaq/secure-baseline/aws"
  version = "0.9.0"

  # insert the 4 required variables here
  audit_log_bucket_name          = "${var.client}.${var.stage}-cloudwatch-logs"
  aws_account_id                 = "${data.aws_caller_identity.current.account_id}"
  region                         = "${data.aws_region.current.name}"
  support_iam_role_principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/SomethingSomethingAdministrator"
}

Running terraform apply was unsuccessful.

Below is the error messages:

* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39236d11-5b8d-11e9-b912-db18f0fda047:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_ap-south-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 394c2a9a-5b8d-11e9-82f0-079f92f291ce:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_us-east-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 3927d9c8-5b8d-11e9-82f0-079f92f291ce:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_us-east-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 388cd2a0-5b8d-11e9-bcba-f9c17b376a5f
* module.secure-baseline.module.guardduty_baseline_ap-southeast-2.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 39326183-5b8d-11e9-8260-13e36b5f3390
* module.secure-baseline.module.guardduty_baseline_ap-northeast-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 3948a815-5b8d-11e9-9ecc-ddb290e7f0c2
* module.secure-baseline.module.vpc_baseline_ap-northeast-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 393fa81a-5b8d-11e9-a0f1-b3dd1ae35edf:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_us-east-2.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 38e26bff-5b8d-11e9-a515-737af496302a
* module.secure-baseline.module.vpc_baseline_us-east-2.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 392282d6-5b8d-11e9-b852-5ff5b1767983:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.audit_log_bucket.aws_s3_bucket.access_log: 1 error(s) occurred:
* aws_s3_bucket.access_log: Error creating S3 bucket: BucketAlreadyOwnedByYou: Your previous request to create the named bucket succeeded and you already own it.
    status code: 409, request id: 8665EC6287ABDA3E, host id: 64W3mdLPTgyjx0YjOcV7yUM1JgZzciz3+QGRMSDRynHJ/KFEB+oDdkWZtHcVxda88ACjs7sJMHY=
* module.secure-baseline.module.guardduty_baseline_us-west-2.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 38f2e738-5b8d-11e9-85e3-dbb00e6dba04
* module.secure-baseline.module.guardduty_baseline_ap-southeast-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 38d06a98-5b8d-11e9-962a-f7841804025e
* module.secure-baseline.module.guardduty_baseline_ap-northeast-2.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 3922aa05-5b8d-11e9-93fe-af52707faa87
* module.secure-baseline.module.guardduty_baseline_eu-central-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 39376a98-5b8d-11e9-af5f-b36cc1cb7a95
* module.secure-baseline.module.guardduty_baseline_ap-south-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 394d3ca8-5b8d-11e9-b7b0-8d305d83bc6b
* module.secure-baseline.module.guardduty_baseline_eu-west-3.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 3943ed87-5b8d-11e9-bb7c-f1886c601912
* module.secure-baseline.module.vpc_baseline_ap-southeast-2.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 393287eb-5b8d-11e9-90e6-bd28cc14ba49:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.aws_iam_role.recorder: 1 error(s) occurred:
* aws_iam_role.recorder: Error creating IAM Role Config-Recorder: EntityAlreadyExists: Role with name Config-Recorder already exists.
    status code: 409, request id: 38b716a2-5b8d-11e9-85bf-f1422f566699
* module.secure-baseline.module.vpc_baseline_sa-east-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39245743-5b8d-11e9-95f3-a7b2d1ae7ec7:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_eu-west-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 39426730-5b8d-11e9-93fe-af52707faa87
* module.secure-baseline.module.vpc_baseline_us-west-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 3931c51e-5b8d-11e9-ac40-a1deac0117ba:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_us-west-2.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 3925ddf4-5b8d-11e9-96f5-e7fe73a60eee:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_eu-west-2.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 3931501b-5b8d-11e9-b912-db18f0fda047:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_eu-north-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39231f1b-5b8d-11e9-b852-5ff5b1767983:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_eu-west-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 393fa81b-5b8d-11e9-a0f1-b3dd1ae35edf:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_us-west-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 388e5915-5b8d-11e9-a3cd-274b24e3c410
* module.secure-baseline.module.vpc_baseline_eu-west-3.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39465e13-5b8d-11e9-82f0-079f92f291ce:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.vpc_baseline_ap-northeast-2.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39236d23-5b8d-11e9-a00b-3721a4259847:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_ca-central-1.aws_guardduty_detector.default: 1 error(s) occurred:
* aws_guardduty_detector.default: Creating GuardDuty Detector failed: BadRequestException: The request is rejected because a detector already exists for the current account.
    status code: 400, request id: 391b7d57-5b8d-11e9-8f4d-4f105a9996e8
* module.secure-baseline.module.vpc_baseline_eu-central-1.aws_cloudwatch_log_group.default_vpc_flow_logs: 1 error(s) occurred:
* aws_cloudwatch_log_group.default_vpc_flow_logs: Creating CloudWatch Log Group failed: ResourceAlreadyExistsException: The specified log group already exists
    status code: 400, request id: 39376a86-5b8d-11e9-a0f1-b3dd1ae35edf:  The CloudWatch Log Group 'default-vpc-flow-logs' already exists.
* module.secure-baseline.module.guardduty_baseline_eu-west-2.aws_guardduty_detector.default: 1 error(s) occurred:

We couldn't figure out what happened here. We seek your assistance.

Terraform 0.12

The new stable version is released and a few things need to be upgraded!

member_accounts is a list, which causes aws_guardduty_member replacements

The member_accounts variable is a list(object), see https://github.com/nozaq/terraform-aws-secure-baseline/blob/master/variables.tf#L23-L30

When the list of member accounts changes, it results in churning of the aws_guardduty_member resources as they are force replaced due to the fact that the order of the items changes.

The way to fix this in tf >= 12 is to use a for_each with a map(object), the keys of the map could be the account_id.

This should be possible to support without breaking changes by preferring member_accounts if it is defined, else using the new map(object), perhaps named member_accounts_map.

Suggestions: Make support_iam_role_principal_arn = optional

Thank you! Great work.
While trying it out, I have another module that manages my users/groups/IAM policies etc., and in that case forcing the creation of a user for support_iam_role_principal_arn doesn't fit really well, as I will end up with 2 different modules managing users.

So it will be great if support_iam_role_principal_arn could be an optional feature.
What do you think? If so, I could open a PR for it.

Thanks 👍

Region Issue

I have been trying to integrate the module within my project and I keep running into a problem with the regions. I am getting an error for each of the different regions flow logs that read: "aws_flow_log.default_vpc_flow_logs: Error creating Flow Log for (vpc-e5602182), error: InvalidParameter: LogDestination must be in the same region as the API caller."

Any help would be very appreciated!

How to get member accounts object?

What is the recommended way to get the member_accounts input value?

I ask because the below would be really simple to get; however, your variable doesn't allow name and arn in.

data "aws_organizations_organization" "main" {}
output "member_accounts" {
  value = data.aws_organizations_organization.main.non_master_accounts
}
/*
Outputs:
member_accounts = [
  {
    "arn" = "arn:aws:organizations::******:account/o-********/**********"
    "email" = "[email protected]"
    "id" = "*********"
    "name" = "testing"
  }
]
*/

AWS Organization Support

CloudTrail, AWS Config and GuardDuty support aggregating reports/logs from multiple accounts into one central account.
This module should support the configuration both for master accounts and member accounts.

Reference

terraform-provider-aws v3.0.0 breaks aws_cloudwatch_log_group output

Just thought I'd open an issue, as I'm not sure the best way to implement a fix, while remaining backwards compatible with terraform-provider-aws 2.x.

Please see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-3-upgrade#removal-of-arn-wildcard-suffix

Ultimately, the fix is to update this line:
https://github.com/nozaq/terraform-aws-secure-baseline/blob/master/modules/cloudtrail-baseline/main.tf#L243

To:

cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail_events[0].arn}:*"

If you wish to remain compatible with 2.x, I guess you could do something like

cloud_watch_logs_group_arn = replace("${aws_cloudwatch_log_group.cloudtrail_events[0].arn}:*", ":*:*", ":*")

Disabling VPC flow log fails the plan when target_regions is set

When target_regions = ["us-east-1", "us-west-2"] is set together with vpc_enable_flow_logs = false TF apply fails for all other regions:

Error: Invalid index

  on .terraform/modules/secure-baseline/vpc_baselines.tf line 134, in module "vpc_baseline_ap-southeast-1":
 134:   flow_logs_iam_role_arn      = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
    |----------------
    | aws_iam_role.flow_logs_publisher is empty tuple

The given key does not identify an element in this collection value.

Is this a setting I am missing, or is it a bug?

Error: Creating Delivery Channel failed: InsufficientDeliveryPolicyException: Insufficient delivery policy to s3 bucket

I got the following error when I ran the secure baseline module as master defined in the account type attribute.

Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: audit-logs-XXXX3454-us-west-2

  on .terraform/modules/secure_baseline/terraform-aws-secure-baseline-0.17.0/modules/cloudtrail-baseline/main.tf line 223, in resource "aws_cloudtrail" "global":
 223: resource "aws_cloudtrail" "global" {

What I see in the output is that it is trying to create the CloudTrail resource before creating the S3 bucket policy.

1 - Creating cloudtrail resource 
module.secure_baseline.module.cloudtrail_baseline.aws_cloudtrail.global[0]: Creating...
2 - Creating s3 bucket policy

module.secure_baseline.aws_s3_bucket_policy.audit_log[0]: Creating...

3 - Complete policy bucket

module.secure_baseline.aws_s3_bucket_policy.audit_log[0]: Creation comple

Case when bucket is not in master account

Given:

  • a root/master aws account
  • a "logs" account
  • a bunch of other accounts

I'd like to maintain the audit logs bucket in the "logs" account, and have the master and other accounts ship logs there. This seems to be a combination of "external-bucket" and "organization" examples.

Which account should have account_type = master? The actual master/root account or the logs account?

Add in option to enable PCI DSS support

As fate would have it, the ARN is in a different format than CIS and requires the region. Here is a possible implementation:

resource "aws_securityhub_standards_subscription" "cis" {
  count         = contains(var.subscriptions, "cis") ? 1 : 0
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}

resource "aws_securityhub_standards_subscription" "pci-dss" {
  count         = contains(var.subscriptions, "pci-dss") ? 1 : 0
  depends_on    = [aws_securityhub_account.main]
  # Unlike the CIS ruleset ARN, the PCI DSS standard ARN includes the region.
  standards_arn = "arn:aws:securityhub:${local.region}::standards/pci-dss/v/3.2.1"
}

Inconsistent file structure and naming

Maybe this issue is a bit nit-picky. The standard module structure states:
main.tf, variables.tf, outputs.tf. These are the recommended filenames for a minimal module, even if they're empty. main.tf should be the primary entrypoint. For a simple module, this may be where all the resources are created. For a complex module, resource creation may be split into multiple files but any nested module calls should be in the main file.

This repo is calling some modules in the main.tf file, whereas others have specific .tf files (which are not consistently named, i.e. analyzer.tf vs config_baselines.tf). IMO it should either have everything in main, or everything in resource-specific files.

Problems managing ACL on default VPC

These lines prevent any rules from being defined on the default ACL.

At the same time, by reattaching the ACL with the default subnets, they prevent you from defining custom ACLs on those subnets.

Any ideas how we can work around this?

I think a better solution is to remove the subnet_ids line and add

  lifecycle {
    ignore_changes = ["subnet_ids"]
  }

Encrypt SNS

Probably a good idea to encrypt the sns using kms_master_key_id = "alias/aws/sns" or the KMS key used for CloudTrail.

S3 bucket Authorization Header Malformed

Hi @nozaq

I had commented on closed issue #48; however, I now realize that I should have made it a new issue in the first place.

This issue may (or may not) be related to the "force destroy" option that you put in place for the audit bucket.

Now when I run the secure-baseline module, everything works except for the bucket-related tasks. I get the following error after running terragrunt apply:

Error: Error creating S3 bucket: AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'us-west-2'
        status code: 400, request id: EF33E2B670A47024, host id: QV0D2p0NuiJ8cuELIyKcJVyu7d19WLO1SNe+IbEBCa8VcVTB1Yxbb9yDGwlj6jEHwljzA6onKmc=

I'm passing in region = "us-east-1" as one of the inputs in my terragrunt.hcl file. These inputs seem to work fine when used as part of the sub-modules like vpc-baseline; for example, the Default VPC gets changed correctly in each region. However, it appears that any sub-module that depends on creating an S3 bucket (i.e., secure-bucket) - about 45 of the 251 actions - does not work. Any ideas?

Suggestions: Make all iam roles/policies to be optional

I was trying it out and a few things on our account are already managed by other modules, so it would be great not to have more roles and policies than we already have.
For that, I've put a few more variables on the iam-baseline sub-module so we could disable the roles/policies creation.
This doesn't affect the people that are already using the module since the default value is set to create all roles but could help others that will try to use it on an account already in use.

I'll open a PR with the changes to review!

Thanks for the work on that, it's a pretty good module and will help us a lot!

Add aws_securityhub_account in Organization - master account

You can add SecurityHub members in the master account when you pass down the list of members accounts:

  • This could be a quick PR
  • You can use for_each with a variable of type map instead of count in Terraform version 0.12 and later

resource "aws_securityhub_account" "this" {}

resource "aws_securityhub_member" "this" {
  depends_on = [aws_securityhub_account.this]
  count      = var.enable_securityhub_member ? length(var.securityhub_member) : 0
  account_id = lookup(var.securityhub_member[count.index], "account_id")
  email      = lookup(var.securityhub_member[count.index], "email")
  invite     = lookup(var.securityhub_member[count.index], "invite")
}

variable "securityhub_member" {
  description = "Provides a Security Hub member resource."
  type        = list(map(string))
  default = [
    {
      account_id = ""
      email      = ""
      invite     = false
    }
  ]
}
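As an added example (not code from the module), the for_each pattern proposed both in the member_accounts issue above and in this one, applied to GuardDuty and Security Hub members at once: the existing list(object) input is turned into a map keyed by account_id in a local, so reordering the list no longer changes resource addresses and forces replacements. The variable, local and resource names are assumptions.

```hcl
# Added example: key member resources by account_id so that list reordering
# does not replace them. Names are assumptions, not the module's own.

variable "member_accounts" {
  description = "Member accounts to invite (existing list form)."
  type = list(object({
    account_id = string
    email      = string
  }))
  default = []
}

variable "member_accounts_map" {
  description = "Optional map form keyed by account_id; preferred when non-empty."
  type = map(object({
    email = string
  }))
  default = {}
}

locals {
  # Prefer the map input when given; otherwise build one from the list using
  # account_id as the key, which gives every resource a stable address such as
  # aws_guardduty_member.members["123456789012"] regardless of list order.
  members = length(var.member_accounts_map) > 0 ? var.member_accounts_map : {
    for m in var.member_accounts : m.account_id => { email = m.email }
  }
}

resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_guardduty_member" "members" {
  for_each = local.members

  detector_id = aws_guardduty_detector.main.id
  account_id  = each.key
  email       = each.value.email
  invite      = true
}

resource "aws_securityhub_account" "main" {}

resource "aws_securityhub_member" "members" {
  for_each   = local.members
  depends_on = [aws_securityhub_account.main]

  account_id = each.key
  email      = each.value.email
  invite     = true
}
```

Moving existing count-indexed members to this form needs a one-time terraform state mv from the [N] address to the ["account_id"] address, otherwise the first apply after the change still replaces them.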

vpc-baseline module tags error.

Hi.

Looking at the modules separately. Came across this when trying to use the vpc-baseline module.

Error: Unsupported block type

  on .terraform/modules/secure-baseline_vpc-baseline/nozaq-terraform-aws-secure-baseline-b6a76d9/modules/vpc-baseline/main.tf line 4, in resource "aws_default_vpc" "default":
   4:   tags {

Blocks of type "tags" are not expected here. Did you mean to define argument
"tags"? If so, use the equals sign to assign it a value.

Regards.
Jarrett

Individual account Security Hub enabled?

Does Security Hub get enabled after running terraform apply?
I just looked at all my regions and looks like I still have to manually enable it, or am I missing something?

Feature suggestion: disable unused Regions

Hi @nozaq

Thanks again for putting me on the right track with my S3 bucket issue.

This TF module really does a nice job at securing an AWS account. It just occurred to me that it might be nice if your users could specify a list of AWS Regions to disable (or, alternatively, a shorter list of AWS Regions that they want to use).

I think you could add such a feature to your IAM submodule, ala the following:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-enable-disable-regions.html

So, rather than having to enable all the protective measures herein for EVERY region, you could start by disabling any unused Regions, and simplify the process. Just a thought. Thanks again for all your hard work!
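An added example (not part of the module) of the region-disabling policy the AWS documentation linked above describes, written as Terraform: an explicit Deny on every action outside an allow-list of regions, with global services exempted so IAM, STS, Organizations and billing calls keep working. The variable name, policy name and the exact set of exempted global services are assumptions; trim or extend the not_actions list to what your account uses.

```hcl
# Added example: deny API calls outside an allow-list of regions.
# Names and the exempted global-service list are assumptions.

variable "allowed_regions" {
  description = "Regions in which regional AWS API calls are permitted."
  type        = list(string)
  default     = ["us-east-1", "us-west-2"]
}

data "aws_iam_policy_document" "deny_unused_regions" {
  statement {
    sid    = "DenyAllOutsideAllowedRegions"
    effect = "Deny"

    # Global services carry no meaningful region in aws:RequestedRegion, so they
    # are excluded from the Deny; without this the policy would lock out IAM,
    # STS, Organizations, billing and the S3 bucket-listing calls as well.
    not_actions = [
      "iam:*",
      "organizations:*",
      "sts:*",
      "support:*",
      "aws-portal:*",
      "budgets:*",
      "route53:*",
      "cloudfront:*",
      "health:*",
      "s3:ListAllMyBuckets",
      "s3:GetBucketLocation",
    ]
    resources = ["*"]

    # Deny when the region of the request is not one of the allowed ones.
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = var.allowed_regions
    }
  }
}

resource "aws_iam_policy" "deny_unused_regions" {
  name        = "deny-unused-regions"
  description = "Blocks API calls in regions not listed in var.allowed_regions"
  policy      = data.aws_iam_policy_document.deny_unused_regions.json
}
```

Because an explicit Deny wins over any Allow, attach it to a test role first and confirm the global-service calls your tooling relies on still succeed; the same document can be used as a service control policy to apply the restriction organization-wide.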

New SecurityHub standards support

There are two new standards in SecurityHub - "PCI DSS" and "AWS Foundational Security Best Practices". It would be nice to add their support to this module.

It would also be good to allow each standard to be enabled / disabled independently using module variables.

Deprecation Warnings on terraform 0.13

Warning: Interpolation-only expressions are deprecated

  on .terraform/modules/security/bucket.tf line 119, in data "aws_iam_policy_document" "audit_log":
 119:       "${module.audit_log_bucket.this_bucket.arn}",

Terraform 0.11 and earlier required all non-constant expressions to be
provided via interpolation syntax, but this pattern is now deprecated. To
silence this warning, remove the "${ sequence from the start and the }"
sequence from the end of this expression, leaving just the inner expression.

Template interpolation syntax is still used to construct strings from
expressions when the template includes multiple interpolation sequences or a
mixture of literal strings and interpolations. This deprecation applies only
to templates that consist entirely of a single interpolation sequence.

(and 4 more similar warnings elsewhere)


Bucket.tf code is dependent on aws_organization

The creation of an audit log bucket is currently dependent on an AWS organization.

Right now, if an account is not the start of the OU, it is impossible to create a master account and add members to it, since said master account needs access to the aws_organization, which is impossible if it's not at the top of the OU.

This is an issue for accounts already created, and in an already established OU. In addition, the master account would be the one that collects the logs instead of a dedicated 'logs' account, separating it with other access restrictions and permissions such as how AWS Landing Zone does things.

A better set-up would be for the bucket module not to make use of the aws_organizations_organization data source, and to use the member_accounts input instead, leaving free choice as to which accounts to grant access.

Or make this optional, since this is the only part of the code that makes use of reading out all the account IDs related to the organization.

Allow for non-creation of IAM user-roles

The system I am working on does not need IAM policies as it's managed in other ways. Is there any way you would consider adding a variable to disable the non-service IAM at the top module level?

Error deleting S3 Bucket

When running terraform destroy using this very cool module, I get the following error:

Error: error deleting S3 Bucket (clienta-us-east-1-audit-logs): BucketNotEmpty: The bucket you tried to delete is not empty. You must delete all versions in the bucket.

Given you've updated to Terraform 0.12, I think (TF newbie here) you could add the force_destroy = true option to all the places you use the aws_s3_bucket resource.

See hashicorp/terraform-provider-aws#208

Security Hub throws ResourceConflictException for "master" accounts

Hi there,

Upgrading to 0.18.0, I had an issue with my account set up in the following way (some variables redacted, let me know if they are important):

module "secure_baseline" {
  source  = "nozaq/secure-baseline/aws"
  version = "0.18.0"

  aws_account_id                         = "..."
  region                                 = "..."
  account_type                           = "master"
  audit_log_bucket_name                  = "..."
  config_sns_topic_name                  = "..."
  cloudwatch_logs_retention_in_days      = "7"
  cloudtrail_name                        = "multi-region"
  cloudtrail_iam_role_name               = "..."
  cloudtrail_iam_role_policy_name        = "..."
  cloudtrail_key_deletion_window_in_days = "7"
  support_iam_role_principal_arns        = [...]

  target_regions = ["us-west-2"]
}

I received an exception like the following for each region even though I only had a single region in target_regions:

Error: Error enabling Security Hub for account: ResourceConflictException: Account is already subscribed to Security Hub
{
  Code_: "ResourceConflictException",
  Message_: "Account is already subscribed to Security Hub"
}

  on .terraform/modules/secure_baseline/terraform-aws-secure-baseline-0.18.0/modules/securityhub-baseline/main.tf line 4, in resource "aws_securityhub_account" "main":
   4: resource "aws_securityhub_account" "main" {



Error: Error enabling Security Hub for account: ResourceConflictException: Account is already subscribed to Security Hub
{
  Code_: "ResourceConflictException",
  Message_: "Account is already subscribed to Security Hub"
}

  on .terraform/modules/secure_baseline/terraform-aws-secure-baseline-0.18.0/modules/securityhub-baseline/main.tf line 4, in resource "aws_securityhub_account" "main":
   4: resource "aws_securityhub_account" "main" {

...

It appears to be related to #105.

Question about Cloudwatch Alarm

Thx for this great project.
One question regarding Cloudwatch alarms. For example: S3BucketPolicyChanges.

What is the best and fastest way to see WHY an alarm was triggered? In the cloudwatch alarm history I only see the post to the sns topic, but there is no log or something with Cloudtrail in it. Any tips?
Keep up the good work!
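An added example (not part of the module) of one way to answer the question above: a saved CloudWatch Logs Insights query over the CloudTrail log group that returns the events behind an S3BucketPolicyChanges alarm, filtered to the same S3 event names the CIS benchmark's bucket-policy-change metric filter matches. The log group name and query name are assumptions.

```hcl
# Added example: saved Logs Insights query for investigating why the
# S3BucketPolicyChanges alarm fired. Log group name is an assumption.

variable "cloudtrail_log_group_name" {
  description = "CloudWatch Logs group that receives CloudTrail events."
  type        = string
  default     = "cloudtrail-events" # assumption; use the group the trail writes to
}

resource "aws_cloudwatch_query_definition" "s3_bucket_policy_changes" {
  name            = "secure-baseline/why-S3BucketPolicyChanges"
  log_group_names = [var.cloudtrail_log_group_name]

  # Each returned row is one CloudTrail event that would have incremented the
  # alarm's metric: who made the call, from where, on which bucket, and whether
  # it succeeded (errorCode is empty on success).
  query_string = <<-EOT
    fields @timestamp, eventName, userIdentity.arn, sourceIPAddress,
           requestParameters.bucketName, errorCode
    | filter eventSource = "s3.amazonaws.com"
    | filter eventName in ["PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
                           "PutBucketLifecycle", "PutBucketReplication",
                           "DeleteBucketPolicy", "DeleteBucketCors",
                           "DeleteBucketLifecycle", "DeleteBucketReplication"]
    | sort @timestamp desc
    | limit 50
  EOT
}
```

Run the saved query with the time range set around the alarm's state-change timestamp from the alarm history; the same approach works for the other CIS alarms by swapping in that filter's eventSource and eventName set.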

Error: Invalid index in module guardduty-baseline

After successfully applying the module, I'm now getting this error on future plans / applies:

Error: Invalid index

  on .terraform/modules/global.secure_baseline/nozaq-terraform-aws-secure-baseline-46c9702/modules/guardduty-baseline/outputs.tf line 3, in output "guardduty_detector":
   3: value = var.enabled ? aws_guardduty_detector.default[0] : null
    |----------------
    | aws_guardduty_detector.default is empty tuple

The given key does not identify an element in this collection value.

make: *** [apply] Error 1

Error: missing provider provider.aws.ap-northeast-1

Error: missing provider provider.aws.ap-northeast-1
terraform 12.20

provider "aws" {
  version = "=2.47.0"
}

data "aws_caller_identity" "current" {
}

data "aws_region" "current" {
}

module "secure-baseline" {
  source  = "nozaq/secure-baseline/aws"
  version = "0.17.0"

  audit_log_bucket_name           = "audit-log-pipelines-cloud-${var.environment}"
  aws_account_id                  = data.aws_caller_identity.current.account_id
  region                          = data.aws_region.current.name
  support_iam_role_principal_arns = ["[email protected]"]
  # target_regions is a list(string); a bare string is not accepted
  target_regions                  = [data.aws_region.current.name]

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}

ResourceConflictException: Account is already subscribed to Security Hub

Hi,

I just set up your module (0.21.0), which is quite awesome 👍

I however get these errors (1 for each region) in my master organization account:

Error: Error enabling Security Hub for account: ResourceConflictException: Account is already subscribed to Security Hub
{
  RespMetadata: {
    StatusCode: 409,
    RequestID: "xxx"
  },
  Code_: "ResourceConflictException",
  Message_: "Account is already subscribed to Security Hub"
}

Config is:

module "secure-baseline" {
  source  = "nozaq/secure-baseline/aws"
  version = "0.21.0"

  account_type    = "master"
  member_accounts = local.member_accounts

  audit_log_bucket_name = local.audit_log_bucket_name

  aws_account_id                  = data.aws_caller_identity.current.account_id
  region                          = local.main_region
  support_iam_role_principal_arns = [data.aws_caller_identity.current.arn]

  tags = {
    terraform   = "true"
    customer    = "xxx"
    environment = "prod"
  }

  providers = {
    aws                = aws
    aws.ap-northeast-1 = aws.ap-northeast-1
    aws.ap-northeast-2 = aws.ap-northeast-2
    aws.ap-northeast-3 = aws.ap-northeast-3
    aws.ap-south-1     = aws.ap-south-1
    aws.ap-southeast-1 = aws.ap-southeast-1
    aws.ap-southeast-2 = aws.ap-southeast-2
    aws.ca-central-1   = aws.ca-central-1
    aws.eu-central-1   = aws.eu-central-1
    aws.eu-north-1     = aws.eu-north-1
    aws.eu-west-1      = aws.eu-west-1
    aws.eu-west-2      = aws.eu-west-2
    aws.eu-west-3      = aws.eu-west-3
    aws.sa-east-1      = aws.sa-east-1
    aws.us-east-1      = aws.us-east-1
    aws.us-east-2      = aws.us-east-2
    aws.us-west-1      = aws.us-west-1
    aws.us-west-2      = aws.us-west-2
  }
}

TF error on S3 policy

Any clue?

module.secure_baseline.module.config_baseline_ap-southeast-2.aws_config_config_rule.restricted_ports: Creation complete after 4s [id=RestrictedIncomingTraffic]

Error: configuration for module.secure_baseline.data.aws_iam_policy_document.recoder_publish_policy still contains unknown values during apply (this is a bug in Terraform; please report it!)



Error: Error putting S3 policy: InvalidParameter: 1 validation error(s) found.
- minimum field size of 1, PutBucketPolicyInput.Bucket.


  on ../../bucket.tf line 37, in resource "aws_s3_bucket_policy" "audit_log":
  37: resource "aws_s3_bucket_policy" "audit_log" {



Error: InvalidS3BucketNameException: Bucket name should be between 3 and 63 characters long: 
	status code: 400, request id: f7a4bae2-1a88-4948-98f5-0c0e28d93b4a

  on ../../modules/cloudtrail-baseline/main.tf line 158, in resource "aws_cloudtrail" "global":
 158: resource "aws_cloudtrail" "global" {



Error: Creating Delivery Channel failed: NoSuchBucketException: Cannot find a s3 bucket with an empty bucket name.
	status code: 400, request id: 62a2dbac-f351-43ec-b279-e265e0c41f16

  on ../../modules/config-baseline/main.tf line 20, in resource "aws_config_delivery_channel" "bucket":
  20: resource "aws_config_delivery_channel" "bucket" {

...

Simple example fails.

Hi,

Good day.

I get the following error for the simple example:

Error: Error describing organization: AWSOrganizationsNotInUseException: Your account is not a member of an organization.
	status code: 400, request id: 3e449e5a-082f-4c16-99a4-65ef6cdb07d8

  on .terraform/modules/secure-baseline_example_simple/nozaq-terraform-aws-secure-baseline-bb9cc79/bucket.tf line 40, in data "aws_organizations_organization" "org":
  40: data "aws_organizations_organization" "org" {}

In my main.tf:

module "secure-baseline_example_simple" {
  source  = "nozaq/secure-baseline/aws//examples/simple"
  version = "0.16.0"

  access_key           = "qwer"
  audit_s3_bucket_name = "zxcv"
  secret_key           = "asdf"
}

Regards.
