
Merge pull request #326 from binbashar/feature/security-layers
Feature/security layers
lgallard authored Nov 3, 2021
2 parents 5890beb + ec63f0d commit ff6c684
Showing 26 changed files with 101 additions and 86 deletions.
8 changes: 2 additions & 6 deletions .circleci/config.yml
Expand Up @@ -35,8 +35,8 @@ jobs:
# Install terraform
sudo apt-get install unzip curl
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VER}/terraform_${TERRAFORM_VER}_linux_amd64.zip
unzip terraform_${TERRAFORM_VER}_linux_amd64.zip
wget https://releases.hashicorp.com/terraform/${TERRAFORM_VER_REF_ARCH}/terraform_${TERRAFORM_VER_REF_ARCH}_linux_amd64.zip
unzip terraform_${TERRAFORM_VER_REF_ARCH}_linux_amd64.zip
sudo mv terraform /usr/local/bin/
terraform --version
#
Expand Down Expand Up @@ -75,10 +75,6 @@ jobs:
cp /home/circleci/.aws/credentials /home/circleci/.aws/bb/credentials
cp /home/circleci/.aws/config /home/circleci/.aws/bb/config
- run:
name: test-terraform-linting
command: make tflint-deep

- slack/notify:
event: fail
mentions: '@leverage-support'
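Review bot: The terraform archive fetched on the rewritten `wget` line is unzipped and moved into `/usr/local/bin` with no integrity check; the only trust anchor in this step is the apt repository key imported above it, and that key does not cover a direct download from releases.hashicorp.com. HashiCorp publishes a `terraform_${VER}_SHA256SUMS` file (and a detached `.sig` for it) next to every release, so the job should fetch it and run `sha256sum --check --ignore-missing terraform_${TERRAFORM_VER_REF_ARCH}_SHA256SUMS` before `unzip`, ideally after verifying the sums file's signature against HashiCorp's release signing key. The `test-terraform-linting` step is removed with nothing replacing it in this hunk; if `make tflint-deep` now runs elsewhere, a one-line comment saying where would keep the next reader from assuming linting was dropped.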
3 changes: 2 additions & 1 deletion .pre-commit-config.yaml
Expand Up @@ -17,6 +17,7 @@ repos:
- --markdown-linebreak-ext=md

- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.43.0
rev: v1.55.0
hooks:
- id: terraform_fmt
# - id: terraform_validate
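--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
 SHELL := /bin/bash
 MAKEFILE_PATH := ./Makefile
 MAKEFILES_DIR := ./@bin/makefiles
-MAKEFILES_VER := v0.1.23
+MAKEFILES_VER := v0.1.37
 
 help:
 @echo 'Available Commands:'
@@ -19,4 +19,4 @@ init-makefiles: ## initialize makefiles
 
 -include ${MAKEFILES_DIR}/circleci/circleci.mk
 -include ${MAKEFILES_DIR}/release-mgmt/release.mk
--include ${MAKEFILES_DIR}/terraform14/terraform14-root-context.mk
+-include ${MAKEFILES_DIR}/terraform1/terraform1-root-context.mk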
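--- a/apps-devstg/config/account.tfvars
+++ b/apps-devstg/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "apps-devstg"
+environment = "apps-devstg"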
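--- a/apps-devstg/config/backend.tfvars
+++ b/apps-devstg/config/backend.tfvars
@@ -3,16 +3,16 @@
 #
 
 # AWS Profile (required by the backend but also used for other resources)
-profile = "bb-apps-devstg-devops"
+profile = "bb-apps-devstg-devops"
 
 # S3 bucket
-bucket = "bb-apps-devstg-terraform-backend"
+bucket = "bb-apps-devstg-terraform-backend"
 
 # AWS Region (required by the backend but also used for other resources)
-region = "us-east-1"
+region = "us-east-1"
 
 # Enable DynamoDB server-side encryption?
-encrypt = true
+encrypt = true
 
 # DynamoDB Table Name
-dynamodb_table = "bb-apps-devstg-terraform-backend"
+dynamodb_table = "bb-apps-devstg-terraform-backend"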
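--- a/apps-devstg/us-east-1/cdn-s3-frontend --/config.tf
+++ b/apps-devstg/us-east-1/cdn-s3-frontend --/config.tf
@@ -13,9 +13,9 @@ provider "aws" {
 # binbash-shared route53 cross-account ACM dns validation update
 #
 provider "aws" {
-region = var.region
-profile = "${var.project}-shared-devops"
-// profile = var.profile_shared
+region = var.region
+profile = "${var.project}-shared-devops"
+// profile = var.profile_shared
 shared_credentials_file = "~/.aws/${var.project}/config"
 alias = "shared-route53"
 }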
Expand Up @@ -11,7 +11,7 @@ locals {
# RDS Export To S3
# -----------------------------------------------------------------------------
module "rds_export_to_s3" {
source = "github.com/binbashar/terraform-aws-rds-export-to-s3.git?ref=master"
source = "github.com/binbashar/terraform-aws-rds-export-to-s3.git?ref=v0.3.0"

# Set a prefix for naming resources
prefix = "aurora-mysql"
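--- a/apps-devstg/us-east-1/security-audit/awscloudtrail.tf
+++ b/apps-devstg/us-east-1/security-audit/awscloudtrail.tf
@@ -1,20 +1,20 @@
 module "cloudtrail" {
-source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
 namespace = var.project
 stage = var.environment
 name = "cloudtrail-org"
-enable_logging = "true"
-enable_log_file_validation = "true"
-include_global_service_events = "true"
-is_multi_region_trail = "true"
+enable_logging = true
+enable_log_file_validation = true
+include_global_service_events = true
+is_multi_region_trail = true
 s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
 cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
 cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
 kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
 }
 
 module "cloudtrail_api_alarms" {
-source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.13.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
 log_group_region = var.region
 log_group_name = aws_cloudwatch_log_group.cloudtrail.name
 metric_namespace = var.metric_namespace
@@ -23,6 +23,9 @@ module "cloudtrail_api_alarms" {
 # Uncomment if /notifications SNS is configured and you want to send notifications via slack
 sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
 metrics = local.metrics
+
+# KMS key use for encrypting the Amazon SNS topic.
+kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
 }
 
 #==================================================================#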
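Review bot: The added `kms_master_key_id` line reads its key from `data.terraform_remote_state.keys`, while the `cloudtrail` module earlier in the same hunk reads its key from `data.terraform_remote_state.security_keys`; unless both data sources are declared in this layer, `terraform plan` fails on the undefined one, and if both exist, a short comment should say why the trail and the SNS topic use different key lookups. It is also worth confirming that module version 0.14.3 applies `kms_master_key_id` to a topic passed in via `sns_topic_arn` at all; if this fork keeps the upstream behaviour where that variable only configures a topic the module creates itself, the new line is a no-op here. If the key and the `monitoring_sec` topic live in another account, that account's key policy must allow `cloudwatch.amazonaws.com` to call `kms:Decrypt` and `kms:GenerateDataKey*`, or alarm notifications will be dropped silently. Minor wording on the new comment: `# KMS key used for encrypting the Amazon SNS topic.`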
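--- a/apps-prd/config/account.tfvars
+++ b/apps-prd/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "apps-prd"
+environment = "apps-prd"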
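--- a/apps-prd/config/backend.tfvars
+++ b/apps-prd/config/backend.tfvars
@@ -3,16 +3,16 @@
 #
 
 # AWS Profile (required by the backend but also used for other resources)
-profile = "bb-apps-prd-devops"
+profile = "bb-apps-prd-devops"
 
 # S3 bucket
-bucket = "bb-apps-prd-terraform-backend"
+bucket = "bb-apps-prd-terraform-backend"
 
 # AWS Region (required by the backend but also used for other resources)
-region = "us-east-1"
+region = "us-east-1"
 
 # Enable DynamoDB server-side encryption?
-encrypt = true
+encrypt = true
 
 # DynamoDB Table Name
-dynamodb_table = "bb-apps-prd-terraform-backend"
+dynamodb_table = "bb-apps-prd-terraform-backend"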
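--- a/apps-prd/us-east-1/cdn-s3-frontend --/config.tf
+++ b/apps-prd/us-east-1/cdn-s3-frontend --/config.tf
@@ -13,9 +13,9 @@ provider "aws" {
 # binbash-shared route53 cross-account ACM dns validation update
 #
 provider "aws" {
-region = var.region
-profile = "${var.project}-shared-devops"
-// profile = var.profile_shared
+region = var.region
+profile = "${var.project}-shared-devops"
+// profile = var.profile_shared
 shared_credentials_file = "~/.aws/${var.project}/config"
 alias = "shared-route53"
 }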
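--- a/network/config/account.tfvars
+++ b/network/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "network"
+environment = "network"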
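--- a/network/config/backend.tfvars
+++ b/network/config/backend.tfvars
@@ -3,16 +3,16 @@
 #
 
 # AWS Profile (required by the backend but also used for other resources)
-profile = "bb-network-devops"
+profile = "bb-network-devops"
 
 # S3 bucket
-bucket = "bb-network-terraform-backend"
+bucket = "bb-network-terraform-backend"
 
 # AWS Region (required by the backend but also used for other resources)
-region = "us-east-1"
+region = "us-east-1"
 
 # Enable DynamoDB server-side encryption?
-encrypt = true
+encrypt = true
 
 # DynamoDB Table Name
-dynamodb_table = "bb-network-terraform-backend"
+dynamodb_table = "bb-network-terraform-backend"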
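--- a/network/us-east-1/security-audit/awscloudtrail.tf
+++ b/network/us-east-1/security-audit/awscloudtrail.tf
@@ -1,21 +1,20 @@
 module "cloudtrail" {
-source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
 namespace = var.project
 stage = var.environment
 name = "cloudtrail-org"
-enable_logging = "true"
-enable_log_file_validation = "true"
-include_global_service_events = "true"
-is_multi_region_trail = "true"
+enable_logging = true
+enable_log_file_validation = true
+include_global_service_events = true
+is_multi_region_trail = true
 s3_bucket_name = data.terraform_remote_state.security_audit.outputs.bucket_id
 cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
 cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
 kms_key_arn = data.terraform_remote_state.security_keys.outputs.aws_kms_key_arn
 }
 
 module "cloudtrail_api_alarms" {
-source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.13.0"
-
+source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
 log_group_region = var.region
 log_group_name = aws_cloudwatch_log_group.cloudtrail.name
 metric_namespace = var.metric_namespace
@@ -24,6 +23,9 @@ module "cloudtrail_api_alarms" {
 # Uncomment if /notifications SNS is configured and you want to send notifications via slack
 sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
 metrics = local.metrics
+
+# KMS key use for encrypting the Amazon SNS topic.
+kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
 }
 
 #==================================================================#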
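Review bot: The new `kms_master_key_id` argument takes its key from `data.terraform_remote_state.keys`, but the `cloudtrail` block in the first hunk takes `kms_key_arn` from `data.terraform_remote_state.security_keys`, so either one name is a typo or this layer must declare both remote-state data sources; neither declaration is visible in the hunk, so this needs checking before apply. Whether the alarms module at 0.14.3 applies the key to an externally supplied `sns_topic_arn`, rather than only to a topic it creates, should be verified against the module source, otherwise the topic stays unencrypted despite this line. The comment above it should read `# KMS key used for encrypting the Amazon SNS topic.`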
1 change: 0 additions & 1 deletion network/us-east-1/security-audit/build.env

This file was deleted.

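--- a/root/config/account.tfvars
+++ b/root/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "root"
+environment = "root"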
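--- a/root/config/backend.tfvars
+++ b/root/config/backend.tfvars
@@ -3,16 +3,16 @@
 #
 
 # AWS Profile (required by the backend but also used for other resources)
-profile = "bb-root-oaar"
+profile = "bb-root-oaar"
 
 # S3 bucket
-bucket = "bb-root-terraform-backend"
+bucket = "bb-root-terraform-backend"
 
 # AWS Region (required by the backend but also used for other resources)
-region = "us-east-1"
+region = "us-east-1"
 
 # Enable DynamoDB server-side encryption?
-encrypt = true
+encrypt = true
 
 # DynamoDB Table Name
-dynamodb_table = "bb-root-terraform-backend"
+dynamodb_table = "bb-root-terraform-backend"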
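--- a/root/us-east-1/security-audit/awscloudtrail.tf
+++ b/root/us-east-1/security-audit/awscloudtrail.tf
@@ -1,5 +1,5 @@
 module "cloudtrail" {
-source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
 namespace = var.project
 stage = var.environment
 name = "cloudtrail-org"
@@ -14,7 +14,7 @@ module "cloudtrail" {
 }
 
 module "cloudtrail_api_alarms" {
-source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.13.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
 log_group_region = var.region
 log_group_name = aws_cloudwatch_log_group.cloudtrail.name
 metric_namespace = var.metric_namespace
@@ -23,6 +23,9 @@ module "cloudtrail_api_alarms" {
 # Uncomment if /notifications SNS is configured and you want to send notifications via slack
 sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
 metrics = local.metrics
+
+# KMS key use for encrypting the Amazon SNS topic.
+kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
 }
 
 #==================================================================#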
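Review bot: The added `kms_master_key_id` references `data.terraform_remote_state.keys`, whose declaration and the key the `cloudtrail` module uses are both outside these hunks; confirm the data source exists in root/us-east-1/security-audit and that it resolves to the key the `monitoring_sec` topic is actually encrypted with, since a key CloudWatch cannot use in this account means alarms publish nothing and nobody is paged. If the topic already exists (it is imported via `sns_topic_arn`), also check that this module version applies the key to a supplied topic rather than only to one it creates. The comment wording should be `# KMS key used for encrypting the Amazon SNS topic.`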
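--- a/security/config/account.tfvars
+++ b/security/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "security"
+environment = "security"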
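--- a/security/config/backend.tfvars
+++ b/security/config/backend.tfvars
@@ -3,16 +3,16 @@
 #
 
 # AWS Profile (required by the backend but also used for other resources)
-profile = "bb-security-secops"
+profile = "bb-security-secops"
 
 # S3 bucket
-bucket = "bb-security-terraform-backend"
+bucket = "bb-security-terraform-backend"
 
 # AWS Region (required by the backend but also used for other resources)
-region = "us-east-1"
+region = "us-east-1"
 
 # Enable DynamoDB server-side encryption?
-encrypt = true
+encrypt = true
 
 # DynamoDB Table Name
-dynamodb_table = "bb-security-terraform-backend"
+dynamodb_table = "bb-security-terraform-backend"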
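--- a/security/us-east-1/security-audit/awscloudtrail.tf
+++ b/security/us-east-1/security-audit/awscloudtrail.tf
@@ -1,20 +1,21 @@
 module "cloudtrail" {
-source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail.git?ref=0.20.1"
 namespace = var.project
 stage = var.environment
 name = "cloudtrail-org"
-enable_logging = "true"
-enable_log_file_validation = "true"
-include_global_service_events = "true"
-is_multi_region_trail = "true"
+enable_logging = true
+enable_log_file_validation = true
+include_global_service_events = true
+is_multi_region_trail = true
 s3_bucket_name = module.cloudtrail_s3_bucket.bucket_id
 cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail.arn}:*"
 cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events.arn
 kms_key_arn = data.terraform_remote_state.keys.outputs.aws_kms_key_arn
+#is_organization_trail = true
 }
 
 module "cloudtrail_s3_bucket" {
-source = "github.com/binbashar/terraform-aws-cloudtrail-s3-bucket.git?ref=0.18.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail-s3-bucket.git?ref=0.23.1"
 namespace = var.project
 stage = var.environment
 name = "cloudtrail-org"
@@ -35,7 +36,7 @@ module "cloudtrail_s3_bucket" {
 }
 
 module "cloudtrail_api_alarms" {
-source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.13.0"
+source = "github.com/binbashar/terraform-aws-cloudtrail-cloudwatch-alarms.git?ref=0.14.3"
 log_group_region = var.region
 log_group_name = aws_cloudwatch_log_group.cloudtrail.name
 metric_namespace = var.metric_namespace
@@ -44,6 +45,10 @@ module "cloudtrail_api_alarms" {
 # Uncomment if /notifications SNS is configured and you want to send notifications via slack
 sns_topic_arn = data.terraform_remote_state.notifications.outputs.sns_topic_arn_monitoring_sec
 metrics = local.metrics
+
+# KMS key use for encrypting the Amazon SNS topic.
+kms_master_key_id = data.terraform_remote_state.keys.outputs.aws_kms_key_id
+
 }
 
 #==================================================================#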
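Review bot: The newly added `#is_organization_trail = true` leaves a trail named `cloudtrail-org` running as a plain single-account trail, and the line gives no hint of why the organization trail is deferred; an organization trail can only be created from the management account or a CloudTrail delegated administrator, which is presumably the blocker here, but a reader of this file cannot tell. Replace the bare commented-out attribute with a comment that records the reason and the unblocking step, e.g. `# TODO: set is_organization_trail = true once this account is registered as the CloudTrail delegated administrator (requires the org trail to be created from the management account).` The trailing `kms_master_key_id` line also works only if the bucket module's 0.23.1 key and the topic's key policy let `cloudwatch.amazonaws.com` use the key; the comment above it should read `# KMS key used for encrypting the Amazon SNS topic.`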
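--- a/security/us-east-1/security-keys/kms.tf
+++ b/security/us-east-1/security-keys/kms.tf
@@ -1,5 +1,5 @@
 module "kms_key" {
-source = "github.com/binbashar/terraform-aws-kms-key.git?ref=0.10.0"
+source = "github.com/binbashar/terraform-aws-kms-key.git?ref=0.11.0"
 
 enabled = true
 namespace = var.project
@@ -37,8 +37,11 @@ data "aws_iam_policy_document" "kms" {
 resources = ["*"]
 
 principals {
-type = "Service"
-identifiers = ["cloudtrail.amazonaws.com"]
+type = "Service"
+identifiers = [
+"cloudtrail.amazonaws.com",
+"cloudwatch.amazonaws.com"
+]
 }
 condition {
 test = "StringLike"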
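Review bot: `cloudwatch.amazonaws.com` is added to the same statement as `cloudtrail.amazonaws.com`, whose `StringLike` condition begins on the last line of the hunk and is cut off here; if that condition is CloudTrail-specific, for example keyed on `kms:EncryptionContext:aws:cloudtrail:arn`, CloudWatch's KMS requests will never satisfy it and alarms will still fail to publish to the CMK-encrypted SNS topic. The actions of this statement are also outside the hunk, so it is not visible whether CloudWatch is being granted more than the `kms:Decrypt` and `kms:GenerateDataKey*` it needs. A dedicated statement keeps the CloudTrail grant scoped as it was and makes the CloudWatch grant explicit and minimal; it belongs inside the same `data "aws_iam_policy_document" "kms"` block, whose start and end lie outside this hunk.
```hcl
  # … unchanged: CloudTrail statement with its encryption-context condition …

  # Let CloudWatch Alarms publish to the KMS-encrypted SNS topic (no CloudTrail
  # encryption context is sent on these calls, so this needs its own statement).
  statement {
    sid    = "Allow CloudWatch Alarms to use the key for SNS"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey*"
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
  }
```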
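--- a/shared/config/account.tfvars
+++ b/shared/config/account.tfvars
@@ -3,4 +3,4 @@
 #
 
 # Environment Name
-environment = "shared"
+environment = "shared"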
