Merge pull request #27 from mdr-engineering/feature/ftd_MSOCI-1314_CIS_Hardening_CloudTrail_and_Config

Enabled cloudtrail and config across the aws-us-gov test accounts

bin/terragrunt-apply-all

@@ -95,8 +95,23 @@ for i in `seq -f "%g*" 0 9 | sort -n`; do
     echo "====================================================================================="
     pushd . > /dev/null
     cd $MODULE
-    [[ $TESTING ]] && ${TERRAGRUNT_BIN} plan  # Run a plan if testing
-    [[ $TESTING ]] || ${TERRAGRUNT_BIN} apply # Run an apply otherwise
+    if [[ $(basename $(pwd)) =~ regional ]]; then
+      echo "=========== We are in a regional directory, recursing..."
+      for i in *; do
+        if [[ -d $i ]]; then
+          echo "========== Region: $i"
+          pushd . > /dev/null
+          cd $i
+          [[ $TESTING ]] && ${TERRAGRUNT_BIN} plan  # Run a plan if testing
+          [[ $TESTING ]] || ${TERRAGRUNT_BIN} apply # Run an apply otherwise
+          popd > /dev/null
+          echo "========== Region completed: $i"
+        fi
+      done
+    else
+      [[ $TESTING ]] && ${TERRAGRUNT_BIN} plan  # Run a plan if testing
+      [[ $TESTING ]] || ${TERRAGRUNT_BIN} apply # Run an apply otherwise
+    fi
     popd > /dev/null
     echo "=======================================DONE=========================================="
     echo ""

bin/terragrunt-local

@@ -13,7 +13,14 @@ if [ "$GITSOURCE" == "" ]; then
 fi
 
 # Remove the git URL and the reference
-NEWPATH=$( echo $GITSOURCE | sed 's#^.*//#../../../../../xdr-terraform-modules//#' | sed 's/\?.*$//' )
+if [[ $(pwd) =~ regional ]]; then
+  # Regional directories need an extra layer
+  echo "Regional module detected."
+  NEWPATH=$( echo $GITSOURCE | sed 's#^.*//#../../../../../../xdr-terraform-modules//#' | sed 's/\?.*$//' )
+else
+  NEWPATH=$( echo $GITSOURCE | sed 's#^.*//#../../../../../xdr-terraform-modules//#' | sed 's/\?.*$//' )
+fi
+
 echo Substituting \'$GITSOURCE\' with \'$NEWPATH\'
 
 # Test locally

common/aws-us-gov/partition.hcl

@@ -42,6 +42,12 @@ locals {
   account_list = flatten([
     for env, accounts in local.account_map: accounts
   ])
+  # This is similar to the account_map, but used for "what accounts am I responsible for"?
+  responsible_accounts = {
+    "prod"   = concat(local.account_map["prod"], local.account_map["common"]),
+    "test"   = local.account_map["test"],
+    "common" = concat(local.account_map["prod"], local.account_map["common"], local.account_map["test"]),
+  }
 
   aws_marketplace_ubuntu_owner_id = "874634375141"
 

common/env.hcl

@@ -18,7 +18,10 @@ locals {
   }
 
   legacy_account = "477548533976"
-
+  c2_accounts = {
+    "aws-us-gov" = "721817724804" # mdr-prod-c2-gov
+    "aws"        = "045312110490" # mdr-prod-c2
+  }
   environment_tags = {
     Environment = local.environment
   }

prod/env.hcl

@@ -19,6 +19,10 @@ locals {
   }
 
   legacy_account = "477548533976"
+  c2_accounts = {
+    "aws-us-gov" = "721817724804" # mdr-prod-c2-gov
+    "aws"        = "045312110490" # mdr-prod-c2
+  }
 
   environment_tags = {
     Environment = local.environment

test/aws-us-gov/mdr-test-c2/005-account-standards-c2/README.md

@@ -0,0 +1,3 @@
+# Account Standards
+
+Creates elements that are standard in all accounts, such as access keys, kms keys, etc.

test/aws-us-gov/mdr-test-c2/005-account-standards-c2/terragrunt.hcl

@@ -0,0 +1,34 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_c2?ref=v0.5.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-c2/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-c2/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.0"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,4 +34,5 @@ inputs = {
   tags = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

test/aws-us-gov/mdr-test-c2/account.hcl

@@ -7,6 +7,7 @@ locals {
   instance_termination_protection = false # set to true for production!
   
   account_tags = { } 
+  c2_account_standards_path = "../../mdr-test-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.20.0.0/22"

test/aws-us-gov/mdr-test-malware/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-malware/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.0"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,4 +34,5 @@ inputs = {
   tags = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

test/aws-us-gov/mdr-test-malware/account.hcl

@@ -6,7 +6,8 @@ locals {
   aws_account_id = "876942499057"
   instance_termination_protection = false # set to true for production!
   
-  account_tags = { } 
+  account_tags = { }
+  c2_account_standards_path = "../../mdr-test-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.20.4.0/22"

test/aws-us-gov/mdr-test-modelclient/006-account-standards-regional/us-gov-west-1/terragrunt.hcl

@@ -0,0 +1,61 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+
+  aws_partition  = local.partition_vars.locals.aws_partition
+  account_id     = local.account_vars.locals.aws_account_id
+  common_profile = local.partition_vars.locals.common_profile
+
+  target_aws_region = "us-gov-west-1"
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards_regional?ref=v0.5.0"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+############# Custom provider for the region
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  version = "~> 2.66"
+  region = "${local.target_aws_region}"
+
+  assume_role {
+    role_arn = "arn:${local.aws_partition}:iam::${local.account_id}:role/user/mdr_terraformer"
+    session_name = "terraform"
+  }
+
+  profile = "${local.common_profile}"
+
+  # Only these AWS Account IDs may be operated on by this template
+  allowed_account_ids = ["${local.account_id}"]
+}
+EOF
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}

test/aws-us-gov/mdr-test-modelclient/006-account-standards/terragrunt.hcl

@@ -3,22 +3,22 @@ locals {
   # However, they will all be available as inputs to the module loaded in terraform.source
   # below.
 
-  # e.g. inherited variables:
-  #environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
-  #partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
-  #region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
-  #global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
-
-  # Extract out common variables for reuse
-  #env = local.environment_vars.locals.environment
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
 }
 
 # Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
 # working directory, into a temporary folder, and execute your Terraform commands in that folder.
 terraform {
   # Double slash is intentional and required to show root of modules
-  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.4.0"
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/account_standards?ref=v0.5.0"
+}
+
+dependency "c2_account_standards" {
+  config_path = local.account_vars.locals.c2_account_standards_path
 }
 
 # Include all settings from the root terragrunt.hcl file
@@ -34,4 +34,5 @@ inputs = {
   tags = {
     Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
   }
+  cloudtrail_key_arn = dependency.c2_account_standards.outputs.cloudtrail_logging_bucket.kms_key_id
 }

test/aws-us-gov/mdr-test-modelclient/account.hcl

@@ -6,7 +6,8 @@ locals {
   aws_account_id = "701341250728"
   instance_termination_protection = false # set to true for production!
   
-  account_tags = { } 
+  account_tags = { }
+  c2_account_standards_path = "../../mdr-test-c2/005-account-standards-c2"
 
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   standard_vpc_cidr = "10.20.8.0/22"

test/env.hcl

@@ -18,6 +18,10 @@ locals {
   }
 
   legacy_account = "527700175026"
+  c2_accounts = {
+    "aws-us-gov" = "738800754746" # mdr-test-c2-gov
+    "aws"        = "816914342178" # mdr-test-c2
+  }
 
   environment_tags = {
     Environment = local.environment