trussworks / Terraform Aws Config
Licence: bsd-3-clause
Enables AWS Config and adds managed config rules with good defaults.
Stars: ✭ 107
Projects that are alternatives of or similar to Terraform Aws Config
Ecs Pipeline
☁️ 🐳 ⚡️ 🚀 Create environment and deployment pipelines to ECS Fargate with CodePipeline, CodeBuild and Github using Terraform
Stars: ✭ 85 (-20.56%)
Mutual labels: aws, terraform, hcl
Gitops Terraform Jenkins
GitOps Workflow with Jenkins and Terraform
Stars: ✭ 73 (-31.78%)
Mutual labels: aws, terraform, hcl
Terraform Aws Wireguard
Terraform module to deploy WireGuard on AWS
Stars: ✭ 72 (-32.71%)
Mutual labels: aws, terraform, hcl
Mikado
🤖💨Mikado helps managing your AWS infrastructure for WordPress sites by defining an out-of-box, highly available, easy-to-deploy setup
Stars: ✭ 80 (-25.23%)
Mutual labels: aws, terraform, hcl
Terraform Aws Dynamic Subnets
Terraform module for public and private subnets provisioning in existing VPC
Stars: ✭ 106 (-0.93%)
Mutual labels: aws, terraform, hcl
Terraform Aws Rabbitmq
Terraform configuration for creating RabbitMQ cluster on AWS.
Stars: ✭ 86 (-19.63%)
Mutual labels: aws, terraform, hcl
Terraform Aws S3 Log Storage
This module creates an S3 bucket suitable for receiving logs from other AWS services such as S3, CloudFront, and CloudTrail
Stars: ✭ 65 (-39.25%)
Mutual labels: aws, terraform, hcl
Tf aws elasticsearch
Terraform module which creates AWS Elasticsearch resources
Stars: ✭ 73 (-31.78%)
Mutual labels: aws, terraform, hcl
Terraform Aws Elasticache Redis
Terraform module to provision an ElastiCache Redis Cluster
Stars: ✭ 73 (-31.78%)
Mutual labels: aws, terraform, hcl
Terraform Aws Vpc Peering
Terraform module to create a peering connection between two VPCs in the same AWS account.
Stars: ✭ 70 (-34.58%)
Mutual labels: aws, terraform, hcl
Typhoon
Minimal and free Kubernetes distribution with Terraform
Stars: ✭ 1,397 (+1205.61%)
Mutual labels: aws, terraform, hcl
Terraform Aws Airflow
Terraform module to deploy an Apache Airflow cluster on AWS, backed by RDS PostgreSQL for metadata, S3 for logs and SQS as message broker with CeleryExecutor
Stars: ✭ 69 (-35.51%)
Mutual labels: aws, terraform, hcl
Terraform Aws Ecs Codepipeline
Terraform Module for CI/CD with AWS Code Pipeline and Code Build for ECS https://cloudposse.com/
Stars: ✭ 85 (-20.56%)
Mutual labels: aws, terraform, hcl
Elastic Beanstalk Terraform Setup
🎬 Playbook for setting up & deploying AWS Beanstalk Applications on Docker with 1 command
Stars: ✭ 69 (-35.51%)
Mutual labels: aws, terraform, hcl
Curso Aws Com Terraform
🎦 🇧🇷 Arquivos do curso "DevOps: AWS com Terraform Automatizando sua infraestrutura" publicado na Udemy. Você pode me ajudar comprando o curso utilizando o link abaixo.
Stars: ✭ 62 (-42.06%)
Mutual labels: aws, terraform, hcl
Terraform Aws Couchbase
Reusable infrastructure modules for running Couchbase on AWS
Stars: ✭ 73 (-31.78%)
Mutual labels: aws, terraform, hcl
Aws Minikube
Single node Kubernetes instance implemented using Terraform and kubeadm
Stars: ✭ 101 (-5.61%)
Mutual labels: aws, terraform, hcl
AWS Config Terraform module
Enables AWS Config and adds managed config rules with good defaults.
Supported AWS Config Rules
ACM
- acm-certificate-expiration-check: Ensure ACM Certificates in your account are marked for expiration within the specified number of days.
AMI
- approved-amis-by-tag: Checks whether running instances are using specified AMIs.
CloudTrail
- cloudtrail-enabled: Ensure CloudTrail is enabled.
- cloud-trail-encryption-enabled: Ensure CloudTrail is configured to use server side encryption (SSE) with AWS KMS or CMK encryption.
- cloud-trail-log-file-validation-enabled: Checks whether AWS CloudTrail creates a signed digest file with logs.
- multi-region-cloud-trail-enabled: Ensure that there is at least one multi-region AWS CloudTrail enabled.
CloudWatch Logs
- cloudwatch-log-group-encryption: Ensure that CloudWatch Logs are encrypted.
EC2
- ec2-encrypted-volumes: Evaluates whether EBS volumes that are in an attached state are encrypted.
- ec2-volume-inuse-check: Checks whether EBS volumes are attached to EC2 instances.
- ebs-snapshot-public-restorable-check: Checks whether Amazon Elastic Block Store snapshots are not publicly restorable.
VPC
- eip-attached: Checks whether all EIP addresses that are allocated to a VPC are attached to EC2 or in-use ENIs.
- instances-in-vpc: Ensure all EC2 instances run in a VPC.
- vpc-default-security-group-closed: Checks that the default security group of any Amazon Virtual Private Cloud (VPC) does not allow inbound or outbound traffic.
GuardDuty
- guardduty-enabled-centralized: Checks whether Amazon GuardDuty is enabled in your AWS account and region.
IAM
- iam-password-policy: Ensure the account password policy for IAM users meets the specified requirements.
- iam-user-no-policies-check: Ensure that none of your IAM users have policies attached; IAM users must inherit permissions from IAM groups or roles.
- iam-group-has-users-check: Checks whether IAM groups have at least one IAM user.
- root-account-mfa-enabled: Ensure root AWS account has MFA enabled.
- iam-root-access-key: Ensure root AWS account does not have Access Keys.
Tagging
- required-tags: Checks if resources are deployed with configured tags.
RDS
- rds-instance-public-access-check: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible.
- rds-snapshots-public-prohibited: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public.
- rds-storage-encrypted: Checks whether storage encryption is enabled for your RDS DB instances.
S3
- s3-bucket-public-write-prohibited: Checks that your S3 buckets do not allow public write access.
- s3-bucket-ssl-requests-only: Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
Terraform Versions
Terraform 0.13 and newer. Pin module version to ~> 4.x. Submit pull-requests to master branch.
Terraform 0.12. Pin module version to ~> 3.0. Submit pull-requests to terraform012 branch.
Usage
Note: This module sets up AWS IAM Roles and Policies, which are globally namespaced. If you plan to have multiple instances of AWS Config, make sure they have unique values for config_name.
Note: If you use this module in multiple regions, be sure to disable duplicative checks and global resource types.
module "aws_config" {
source = "trussworks/config/aws"
config_name = "my-aws-config"
config_logs_bucket = "my-aws-logs"
}
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.12.7 |
| aws | >= 2.70 |
| template | >= 2.0 |
Providers
| Name | Version |
|---|---|
| aws | >= 2.70 |
| template | >= 2.0 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| acm_days_to_expiration | Specify the number of days before the rule flags the ACM Certificate as noncompliant. | number |
14 |
no |
| aggregate_organization | Aggregate compliance data by organization | bool |
false |
no |
| ami_required_tag_key_value | Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2 | string |
"" |
no |
| check_acm_certificate_expiration_check | Enable acm-certificate-expiration-check rule | bool |
true |
no |
| check_approved_amis_by_tag | Enable approved-amis-by-tag rule | bool |
false |
no |
| check_cloud_trail_encryption | Enable cloud-trail-encryption-enabled rule | bool |
false |
no |
| check_cloud_trail_log_file_validation | Enable cloud-trail-log-file-validation-enabled rule | bool |
false |
no |
| check_cloudtrail_enabled | Enable cloudtrail-enabled rule | bool |
true |
no |
| check_cloudwatch_log_group_encrypted | Enable cloudwatch-log-group-encryption rule | bool |
true |
no |
| check_ebs_snapshot_public_restorable | Enable ebs-snapshot-public-restorable rule | bool |
true |
no |
| check_ec2_encrypted_volumes | Enable ec2-encrypted-volumes rule | bool |
true |
no |
| check_ec2_volume_inuse_check | Enable ec2-volume-inuse-check rule | bool |
true |
no |
| check_eip_attached | Enable eip-attached rule | bool |
false |
no |
| check_guard_duty | Enable guardduty-enabled-centralized rule | bool |
false |
no |
| check_iam_group_has_users_check | Enable iam-group-has-users-check rule | bool |
true |
no |
| check_iam_password_policy | Enable iam-password-policy rule | bool |
true |
no |
| check_iam_root_access_key | Enable iam-root-access-key rule | bool |
true |
no |
| check_iam_user_no_policies_check | Enable iam-user-no-policies-check rule | bool |
true |
no |
| check_instances_in_vpc | Enable instances-in-vpc rule | bool |
true |
no |
| check_mfa_enabled_for_iam_console_access | Enable mfa-enabled-for-iam-console-access rule | bool |
false |
no |
| check_multi_region_cloud_trail | Enable multi-region-cloud-trail-enabled rule | bool |
false |
no |
| check_rds_public_access | Enable rds-instance-public-access-check rule | bool |
false |
no |
| check_rds_snapshots_public_prohibited | Enable rds-snapshots-public-prohibited rule | bool |
true |
no |
| check_rds_storage_encrypted | Enable rds-storage-encrypted rule | bool |
true |
no |
| check_required_tags | Enable required-tags rule | bool |
false |
no |
| check_restricted_ssh | Enable restricted-ssh rule | bool |
false |
no |
| check_root_account_mfa_enabled | Enable root-account-mfa-enabled rule | bool |
false |
no |
| check_s3_bucket_public_write_prohibited | Enable s3-bucket-public-write-prohibited rule | bool |
true |
no |
| check_s3_bucket_ssl_requests_only | Enable s3-bucket-ssl-requests-only rule | bool |
true |
no |
| check_vpc_default_security_group_closed | Enable vpc-default-security-group-closed rule | bool |
true |
no |
| config_aggregator_name | The name of the aggregator. | string |
"organization" |
no |
| config_delivery_frequency | The frequency with which AWS Config delivers configuration snapshots. | string |
"Six_Hours" |
no |
| config_logs_bucket | The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string. | string |
n/a | yes |
| config_logs_prefix | The S3 prefix for AWS Config logs. | string |
"config" |
no |
| config_max_execution_frequency | The maximum frequency with which AWS Config runs evaluations for a rule. | string |
"TwentyFour_Hours" |
no |
| config_name | The name of the AWS Config instance. | string |
"aws-config" |
no |
| config_sns_topic_arn | An SNS topic to stream configuration changes and notifications to. | string |
null |
no |
| enable_config_recorder | Enables configuring the AWS Config recorder resources in this module. | bool |
true |
no |
| include_global_resource_types | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | bool |
true |
no |
| password_max_age | Number of days before password expiration. | number |
90 |
no |
| password_min_length | Password minimum length. | number |
14 |
no |
| password_require_lowercase | Require at least one lowercase character in password. | bool |
true |
no |
| password_require_numbers | Require at least one number in password. | bool |
true |
no |
| password_require_symbols | Require at least one symbol in password. | bool |
true |
no |
| password_require_uppercase | Require at least one uppercase character in password. | bool |
true |
no |
| password_reuse_prevention | Number of passwords before allowing reuse. | number |
24 |
no |
| required_tags | A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional. | map(string) |
{} |
no |
| required_tags_resource_types | Resource types to check for tags. | list(string) |
[] |
no |
| tags | Tags to apply to AWS Config resources | map(string) |
{} |
no |
Outputs
| Name | Description |
|---|---|
| aws_config_role_arn | The ARN of the AWS config role. |
| aws_config_role_name | The name of the IAM role used by AWS config |
| required_tags_rule_arn | The ARN of the required-tags config rule. |
Upgrade Paths
Upgrading from 2.3.0 to 2.4.x
Version 2.4.0 changed how AWS Config IAM polcies would be attached to IAM roles. When applying the upgrade, you will likely see a race condition resulting in the following error
Error: Provider produced inconsistent result after apply
A second terraform apply should resolve the issue.
Developer Setup
Install dependencies (macOS)
brew install pre-commit go terraform terraform-docs
Testing
Terratest is being used for
automated testing with this module. Tests in the test folder can be run
locally by running the following command:
make test
Or with aws-vault:
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].