5 years ago · 10a1de5308
--- a/base/account_standards/default-vpc.tf
+++ b/base/account_standards/default-vpc.tf
@@ -0,0 +1,21 @@
 
				+# Make the default VPC compliant
			
 
				+resource "aws_default_vpc" "default" {
			
 
				+  tags = merge(var.standard_tags, var.tags, { "Notes" = "Not connected. For testing only. VPC not for production use." })
			
 
				+}
			
 
				+
			
 
				+resource "aws_flow_log" "default-flowlogs" {
			
 
				+  iam_role_arn = aws_iam_role.flowlogs.arn
			
 
				+  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
			
 
				+
			
 
				+  traffic_type = "REJECT" # CIS only requires reject, and "ALL" is expensive
			
 
				+  vpc_id = aws_default_vpc.default.id
			
 
				+}
			
 
				+
			
 
				+# CIS 4.3 - Default security group should restrict all traffic
			
 
				+#
			
 
				+# This resource is special, and clears out existing rules. See:
			
 
				+# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
			
 
				+resource "aws_default_security_group" "default" {
			
 
				+  vpc_id = aws_default_vpc.default.id
			
 
				+  tags = merge(var.standard_tags, var.tags)
			
 
				+}
			
--- a/base/account_standards/standard-vpc.tf
+++ b/base/account_standards/standard-vpc.tf
@@ -1,19 +0,0 @@
 
				-# For now, we've left the standard VPC, but we still need it compliant.
			
 
				-# If we change our minds, this would be a good place to delete the standard vpc.
			
 
				-data "aws_vpcs" "foo" {
			
 
				-  filter {
			
 
				-    name = "isDefault"
			
 
				-    values = [ true ]
			
 
				-  }
			
 
				-}
			
 
				-
			
 
				-resource "aws_flow_log" "flowlogs" {
			
 
				-  # Note: Flow log configuration is "special" here. For a generic version you can copy to your own module,
			
 
				-  # see the example in standard_vpc
			
 
				-  for_each = data.aws_vpcs.foo.ids
			
 
				-  iam_role_arn = aws_iam_role.flowlogs.arn
			
 
				-  log_destination = aws_cloudwatch_log_group.vpc_flow_logs.arn
			
 
				-
			
 
				-  traffic_type = "REJECT" # CIS only requires reject, and "ALL" is expensive
			
 
				-  vpc_id = each.value
			
 
				-}
			
--- a/base/account_standards_c2/iam.moose-hf.tf
+++ b/base/account_standards_c2/iam.moose-hf.tf
@@ -95,6 +95,9 @@ resource "aws_iam_role_policy_attachment" "moose-hf" {
 
				 
			
 
				 ######################
			
 
				 # the user
			
 
				+#
			
 
				+# Note: CIS requires that policies _NOT_ be directly attached to a user. Users must
			
 
				+# be members of groups, and those groups can have policies.
			
 
				 resource "aws_iam_user" "moose-hf" {
			
 
				   name = "moose-hf"
			
 
				   path = "/instance/"
			
@@ -102,7 +105,18 @@ resource "aws_iam_user" "moose-hf" {
 
				   tags = merge(var.standard_tags, var.tags)
			
 
				 }
			
 
				 
			
 
				-resource "aws_iam_user_policy_attachment" "moose-hf-user" {
			
 
				-  user       = aws_iam_user.moose-hf.name
			
 
				+resource "aws_iam_group" "moose-hf" {
			
 
				+  name = "moose-hf"
			
 
				+  path = "/instance/"
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_user_group_membership" "moose-hf" {
			
 
				+  user = aws_iam_user.moose-hf.name
			
 
				+
			
 
				+  groups = [ aws_iam_group.moose-hf.name ]
			
 
				+}
			
 
				+
			
 
				+resource "aws_iam_group_policy_attachment" "moose-hf-group" {
			
 
				+  group      = aws_iam_group.moose-hf.name
			
 
				   policy_arn = aws_iam_policy.moose-hf.arn
			
 
				 }
			
--- a/base/qualys_scanners/main.tf
+++ b/base/qualys_scanners/main.tf
@@ -54,3 +54,12 @@ resource "aws_flow_log" "flowlogs" {
 
				   vpc_id          = module.vpc.vpc_id
			
 
				   tags            = merge(var.standard_tags, var.tags)
			
 
				 }
			
 
				+
			
 
				+# CIS 4.3 - Default security group should restrict all traffic
			
 
				+#
			
 
				+# This resource is special, and clears out existing rules. See:
			
 
				+# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
			
 
				+resource "aws_default_security_group" "default" {
			
 
				+  vpc_id = module.vpc.vpc_id
			
 
				+  tags = merge(var.standard_tags, var.tags)
			
 
				+}
			
--- a/base/qualys_scanners/vars.tf
+++ b/base/qualys_scanners/vars.tf
@@ -36,7 +36,7 @@ variable "personalization_codes" {
 
				 # Below this line are variables inherited from higher levels, so they
			
 
				 # do not need to be explicitly passed to this module.
			
 
				 variable "standard_tags" { type = map }
			
 
				-variable "vpn_info" { type = map }
			
 
				+variable "dns_info" { type = map }
			
 
				 variable "aws_region" { type = string }
			
 
				 variable "aws_partition" { type = string }
			
 
				 variable "aws_account_id" { type = string }
			
--- a/base/security_vpc/security-groups.tf
+++ b/base/security_vpc/security-groups.tf
@@ -71,3 +71,12 @@ module "allow_all_intravpc" {
 
				   ingress_rules = [ "all-all" ]
			
 
				   ingress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
			
 
				 }
			
 
				+
			
 
				+# CIS 4.3 - Default security group should restrict all traffic
			
 
				+#
			
 
				+# This resource is special, and clears out existing rules. See:
			
 
				+# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
			
 
				+resource "aws_default_security_group" "default" {
			
 
				+  vpc_id = module.vpc.vpc_id
			
 
				+  tags = merge(var.standard_tags, var.tags)
			
 
				+}
			
--- a/base/standard_vpc/outputs.tf
+++ b/base/standard_vpc/outputs.tf
@@ -10,8 +10,8 @@ output private_subnets {
 
				   value = module.vpc.private_subnets
			
 
				 }
			
 
				 
			
 
				-output allow_all_sg_id {
			
 
				-  value = module.allow_all_sg.this_security_group_id
			
 
				+output allow_all_from_trusted_sg_id {
			
 
				+  value = module.allow_all_from_trusted_sg.this_security_group_id
			
 
				 }
			
 
				 
			
 
				 output allow_all_outbound_sg_id {
			
--- a/base/standard_vpc/security-groups.tf
+++ b/base/standard_vpc/security-groups.tf
@@ -46,16 +46,16 @@ module "aws_endpoints_sg" {
 
				 #  vuln_scanner_sgs      = [ "${module.vuln_scanners_sg.this_security_group_id}" ]
			
 
				 #}
			
 
				 
			
 
				-
			
 
				-module "allow_all_sg" {
			
 
				+# "Allow
			
 
				+module "allow_all_from_trusted_sg" {
			
 
				   use_name_prefix = false
			
 
				   source = "terraform-aws-modules/security-group/aws"
			
 
				   version = "~> 3"
			
 
				-  name        = "allow-all"
			
 
				+  name        = "allow-all-from-trusted"
			
 
				   tags        = merge(var.standard_tags, var.tags)
			
 
				   vpc_id      = module.vpc.vpc_id
			
 
				 
			
 
				-  ingress_cidr_blocks = [ "0.0.0.0/0" ]
			
 
				+  ingress_cidr_blocks = concat(var.trusted_ips, [ "10.0.0.0/8" ])
			
 
				   egress_cidr_blocks = [ "0.0.0.0/0" ]
			
 
				   ingress_rules = [ "all-all" ]
			
 
				   egress_rules = [ "all-all" ]
			
@@ -97,3 +97,12 @@ module "typical_host_security_group" {
 
				   aws_region = var.aws_region
			
 
				   aws_partition = var.aws_partition
			
 
				 }
			
 
				+
			
 
				+# CIS 4.3 - Default security group should restrict all traffic
			
 
				+# 
			
 
				+# This resource is special, and clears out existing rules. See:
			
 
				+# See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
			
 
				+resource "aws_default_security_group" "default" {
			
 
				+  vpc_id = module.vpc.vpc_id
			
 
				+  tags = merge(var.standard_tags, var.tags)
			
 
				+}
			
--- a/base/standard_vpc/vars.tf
+++ b/base/standard_vpc/vars.tf
@@ -15,6 +15,7 @@ variable "tags" {
 
				 }
			
 
				 
			
 
				 # Inherited
			
 
				+variable "trusted_ips" { type = list(string) }
			
 
				 variable "dns_servers" { type = list(string) }
			
 
				 variable "dns_info" { type = map }
			
 
				 variable "cidr_map" { type = map }