
Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules

Variables that affect configuration and are subject to change exist with the modules. There are a few important things to know:

1. If the variable only affects the module itself, just put it in the module directory.
2. If the variable is used by more than one module, put it in the `variables/` directory and create symbolic links into the modules that need it.
3. If a variable is added to `xdr-terraform-live`, it should be one that is set once and never changes. These variables can be found in the `constants.tf` file under `variables/`, and is linked into all modules.
4. When creating a new module, be sure to use `cp -a` instead of `cp -r`. `cp -a` will preserve symbolic links.

Since we still want different settings base on things like environment or account, there are a few "tropes" used to provide this differentiation.

From easiest to most complex, the 3 methods most often employed are as follows. Note that in these examples, all 3 produce the same result:

This is straightforward:

e.g.:
```
  instance_type = var.environment == "prod" ? "m5a.xlarge" : "t3a.micro"
```

This method creates a map of values, and selects the appropriate one immediately. This is good for things that will always have a value.

e.g.:
```
locals {
  instance_type = {
    prod = "m5a.xlarge",
    test = "t3a.micro",
  }[var.environment]
}
```

This method sets a default value, creates a map of exceptions, and then does a `lookup` to determine the final value. This is useful when the same value will be used most of the time, but it can be overridden in certain cases.

e.g.
```
locals {
  instance_type_default = "m5a.xlarge"
  instance_type_exceptions = {
    afs-mdr-test-c2-gov = "t3a.micro"
    afs-mdr-test-malware-gov = "t3a.micro"
  }
  instance_type = lookup(local.instance_type_exceptions, var.account_name, local.instance_type_default)
}
```

To be tagged v5.0.0
Fred Damstra [afs macbook] 3 anni fa
parent
commit
7a08ba10cf
100 ha cambiato i file con 197 aggiunte e 229 eliminazioni
  1. 53 1
      README.md
  2. 1 0
      base/CA_Infrastructure/constants.tf
  3. 1 0
      base/CA_Infrastructure/globals.tf
  4. 2 2
      base/CA_Infrastructure/root_CA/audit_bucket.tf
  5. 1 1
      base/CA_Infrastructure/root_CA/ca.tf
  6. 2 2
      base/CA_Infrastructure/root_CA/crl.tf
  7. 1 1
      base/CA_Infrastructure/root_CA/iam_splunk_sh.tf
  8. 0 9
      base/CA_Infrastructure/root_CA/vars.tf
  9. 1 1
      base/CA_Infrastructure/subordinate_CAs/ca_identity.tf
  10. 1 1
      base/CA_Infrastructure/subordinate_CAs/ca_www.tf
  11. 2 2
      base/CA_Infrastructure/subordinate_CAs/crl.tf
  12. 1 1
      base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf
  13. 0 9
      base/CA_Infrastructure/subordinate_CAs/vars.tf
  14. 1 1
      base/account_standards/CIS_conformance_pack.tf
  15. 1 1
      base/account_standards/config.tf
  16. 1 0
      base/account_standards/constants.tf
  17. 2 2
      base/account_standards/default-vpc.tf
  18. 2 2
      base/account_standards/ebs-kms-key.tf
  19. 5 5
      base/account_standards/flowlogs.tf
  20. 1 0
      base/account_standards/globals.tf
  21. 1 0
      base/account_standards/hec_moose.tf
  22. 1 1
      base/account_standards/iam.tf
  23. 14 0
      base/account_standards/locals.tf
  24. 1 1
      base/account_standards/main.tf
  25. 1 0
      base/account_standards/s3_binaries.tf
  26. 0 14
      base/account_standards/vars.tf
  27. 5 5
      base/account_standards_c2/account_alerts.tf
  28. 1 0
      base/account_standards_c2/accounts.tf
  29. 5 5
      base/account_standards_c2/config_aggregator.tf
  30. 3 3
      base/account_standards_c2/config_bucket.tf
  31. 1 0
      base/account_standards_c2/constants.tf
  32. 6 6
      base/account_standards_c2/elb_bucket.tf
  33. 1 0
      base/account_standards_c2/globals.tf
  34. 1 1
      base/account_standards_c2/iam.moose-hf.tf
  35. 5 5
      base/account_standards_c2/main.tf
  36. 1 1
      base/account_standards_c2/secrets.tf
  37. 0 8
      base/account_standards_c2/vars.tf
  38. 1 1
      base/account_standards_regional/backup_ami_key.tf
  39. 1 0
      base/account_standards_regional/constants.tf
  40. 1 0
      base/account_standards_regional/globals.tf
  41. 1 1
      base/account_standards_regional/main.tf
  42. 0 8
      base/account_standards_regional/vars.tf
  43. 1 1
      base/aws_client_vpn/certificate.tf
  44. 1 1
      base/aws_client_vpn/cloudwatch.tf
  45. 1 0
      base/aws_client_vpn/constants.tf
  46. 1 0
      base/aws_client_vpn/dns_info.tf
  47. 1 0
      base/aws_client_vpn/globals.tf
  48. 2 2
      base/aws_client_vpn/lambda.tf
  49. 2 2
      base/aws_client_vpn/saml.tf
  50. 1 1
      base/aws_client_vpn/security-groups.tf
  51. 0 10
      base/aws_client_vpn/vars.tf
  52. 1 1
      base/aws_client_vpn/vpn.tf
  53. 1 0
      base/aws_scheduler/constants.tf
  54. 1 0
      base/aws_scheduler/globals.tf
  55. 0 6
      base/aws_scheduler/vars.tf
  56. 1 0
      base/backups/constants.tf
  57. 1 0
      base/backups/globals.tf
  58. 0 14
      base/backups/vars.tf
  59. 1 0
      base/bastion/constants.tf
  60. 1 0
      base/bastion/employee_ips.tf
  61. 1 0
      base/bastion/globals.tf
  62. 9 9
      base/bastion/main.tf
  63. 1 13
      base/bastion/vars.tf
  64. 1 0
      base/codebuild_artifact/constants.tf
  65. 1 0
      base/codebuild_artifact/globals.tf
  66. 1 1
      base/codebuild_artifact/main.tf
  67. 0 5
      base/codebuild_artifact/vars.tf
  68. 1 0
      base/codebuild_ecr_base/accounts.tf
  69. 1 0
      base/codebuild_ecr_base/constants.tf
  70. 1 0
      base/codebuild_ecr_base/globals.tf
  71. 3 3
      base/codebuild_ecr_base/repos.tf
  72. 1 1
      base/codebuild_ecr_base/s3.tf
  73. 0 8
      base/codebuild_ecr_base/vars.tf
  74. 1 0
      base/codebuild_ecr_customer_portal/accounts.tf
  75. 1 0
      base/codebuild_ecr_customer_portal/constants.tf
  76. 1 0
      base/codebuild_ecr_customer_portal/globals.tf
  77. 2 2
      base/codebuild_ecr_customer_portal/main.tf
  78. 1 9
      base/codebuild_ecr_customer_portal/vars.tf
  79. 1 0
      base/codebuild_ecr_project/accounts.tf
  80. 1 0
      base/codebuild_ecr_project/constants.tf
  81. 1 0
      base/codebuild_ecr_project/globals.tf
  82. 2 2
      base/codebuild_ecr_project/main.tf
  83. 0 6
      base/codebuild_ecr_project/vars.tf
  84. 1 0
      base/codebuild_lcp_magic_machine/constants.tf
  85. 1 0
      base/codebuild_lcp_magic_machine/globals.tf
  86. 1 1
      base/codebuild_lcp_magic_machine/iam.tf
  87. 1 1
      base/codebuild_lcp_magic_machine/main.tf
  88. 1 0
      base/codebuild_lcp_magic_machine/s3_binaries.tf
  89. 2 2
      base/codebuild_lcp_magic_machine/security-group.tf
  90. 1 9
      base/codebuild_lcp_magic_machine/vars.tf
  91. 1 0
      base/codebuild_portal_lambda/constants.tf
  92. 1 0
      base/codebuild_portal_lambda/globals.tf
  93. 1 1
      base/codebuild_portal_lambda/main.tf
  94. 1 1
      base/codebuild_portal_lambda/s3.tf
  95. 2 7
      base/codebuild_portal_lambda/vars.tf
  96. 1 1
      base/codebuild_project_no_artifact/codebuild.tf
  97. 1 0
      base/codebuild_project_no_artifact/constants.tf
  98. 1 0
      base/codebuild_project_no_artifact/globals.tf
  99. 0 8
      base/codebuild_project_no_artifact/vars.tf
  100. 1 0
      base/codebuild_splunk_apps/constants.tf

+ 53 - 1
README.md

@@ -2,4 +2,56 @@
 
 This directory contains modules that are included from the environment directories.
 
-Modules called from other modules should be placed under the `z_Shared_Modules` subdirectory.
+Modules called from other modules should be placed under the `submodules` subdirectory.
+Modules called from other modules should be placed under the `thirdparty` subdirectory.
+
+## Variables
+Added 2022-06-10
+
+Variables that affect configuration and are subject to change exist with the modules. There are a few important things to know:
+
+1. If the variable only affects the module itself, just put it in the module directory.
+2. If the variable is used by more than one module, put it in the `variables/` directory and create symbolic links into the modules that need it.
+3. If a variable is added to `xdr-terraform-live`, it should be one that is set once and never changes. These variables can be found in the `constants.tf` file under `variables/`, and is linked into all modules.
+4. When creating a new module, be sure to use `cp -a` instead of `cp -r`. `cp -a` will preserve symbolic links.
+
+## Variable Differentiation
+Since we still want different settings base on things like environment or account, there are a few "tropes" used to provide this differentiation.
+
+From easiest to most complex, the 3 methods most often employed are as follows. Note that in these examples, all 3 produce the same result:
+
+### 1. Directly during assignment
+This is straightforward:
+
+e.g.:
+```
+  instance_type = var.environment == "prod" ? "m5a.xlarge" : "t3a.micro"
+```
+
+### 2. Map with differentiator
+This method creates a map of values, and selects the appropriate one immediately. This is good for things that will always have a value.
+
+e.g.:
+```
+locals {
+  instance_type = {
+    prod = "m5a.xlarge",
+    test = "t3a.micro",
+  }[var.environment]
+}
+```
+
+### 3. Default with Exceptions
+This method sets a default value, creates a map of exceptions, and then does a `lookup` to determine the final value. This is useful when the same value will be used most of the time, but it can be overridden in certain cases.
+
+e.g.
+```
+locals {
+  instance_type_default = "m5a.xlarge"
+  instance_type_exceptions = {
+    afs-mdr-test-c2-gov = "t3a.micro"
+    afs-mdr-test-malware-gov = "t3a.micro"
+  }
+  instance_type = lookup(local.instance_type_exceptions, var.account_name, local.instance_type_default
+}
+```

+ 1 - 0
base/CA_Infrastructure/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/CA_Infrastructure/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 2 - 2
base/CA_Infrastructure/root_CA/audit_bucket.tf

@@ -2,7 +2,7 @@ resource "aws_s3_bucket" "audit_reports" {
   provider = aws.c2 # The reports go in the c2 bucket
   bucket   = "xdr-ca-audit-reports"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
 }
 
@@ -135,6 +135,6 @@ resource "aws_s3_bucket_public_access_block" "audit_reports_bucket_block_public_
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 */

+ 1 - 1
base/CA_Infrastructure/root_CA/ca.tf

@@ -21,7 +21,7 @@ resource "aws_acmpca_certificate_authority" "root_CA" {
     }
   }
 
-  tags       = merge(var.standard_tags, var.tags)
+  tags       = merge(local.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }
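Review bot: `local.standard_tags` is now referenced from `root_CA/ca.tf`, and `root_CA/vars.tf` in this same commit drops `aws_region`, `aws_partition`, `environment` and the other inherited variables, yet the file list adds `constants.tf`/`globals.tf` symlinks only under `base/CA_Infrastructure/`, not under `base/CA_Infrastructure/root_CA/` (or `subordinate_CAs/`). Terraform loads `.tf` files only from the module directory itself, so unless those symlinks already exist in the subdirectories, `terraform validate` on the CA modules will fail on unresolved `local.`/`var.` references — worth confirming with `ls -la base/CA_Infrastructure/root_CA/` before tagging v5.0.0. Note also that the README's `cp -a` advice only protects local copies; if these modules are ever fetched as an archive rather than a git checkout, the symlinks may not survive. The `aws_acmpca_certificate_authority "root_CA"` resource starts outside the hunk.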
 

+ 2 - 2
base/CA_Infrastructure/root_CA/crl.tf

@@ -3,7 +3,7 @@
 resource "aws_s3_bucket" "crl" {
   bucket = "xdr-root-crl"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
 }
 
@@ -128,6 +128,6 @@ resource "aws_s3_bucket_policy" "crl" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 */

+ 1 - 1
base/CA_Infrastructure/root_CA/iam_splunk_sh.tf

@@ -17,7 +17,7 @@ resource "aws_iam_role" "run_audit_report_role" {
       ]
   })
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {

+ 0 - 9
base/CA_Infrastructure/root_CA/vars.tf

@@ -1,10 +1 @@
-variable "c2_accounts" { type = map(any) }
 variable "tags" { type = map(any) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }

+ 1 - 1
base/CA_Infrastructure/subordinate_CAs/ca_identity.tf

@@ -44,6 +44,6 @@ resource "aws_acmpca_certificate_authority" "subordinate" {
     }
   }
 
-  tags       = merge(var.standard_tags, var.tags)
+  tags       = merge(local.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }

+ 1 - 1
base/CA_Infrastructure/subordinate_CAs/ca_www.tf

@@ -44,6 +44,6 @@ resource "aws_acmpca_certificate_authority" "www_subordinate" {
     }
   }
 
-  tags       = merge(var.standard_tags, var.tags)
+  tags       = merge(local.standard_tags, var.tags)
   depends_on = [aws_s3_bucket_policy.crl]
 }

+ 2 - 2
base/CA_Infrastructure/subordinate_CAs/crl.tf

@@ -4,7 +4,7 @@ resource "aws_s3_bucket" "crl" {
   provider = aws.common # COMMON SERVICES
   bucket   = "xdr-subordinate-crl"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
 }
 
@@ -126,6 +126,6 @@ resource "aws_s3_bucket_policy" "crl" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 */

+ 1 - 1
base/CA_Infrastructure/subordinate_CAs/iam_splunk_sh.tf

@@ -18,7 +18,7 @@ resource "aws_iam_role" "run_audit_report_role" {
       ]
   })
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 data "aws_iam_policy_document" "run_audit_report_policy_doc" {

+ 0 - 9
base/CA_Infrastructure/subordinate_CAs/vars.tf

@@ -1,12 +1,3 @@
-variable "c2_accounts" { type = map(any) }
 variable "root_authority_arn" { type = string }
 
 variable "tags" { type = map(any) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }

+ 1 - 1
base/account_standards/CIS_conformance_pack.tf

@@ -12,5 +12,5 @@ resource "aws_cloudformation_stack" "CIS-Conformance-Pack" {
 
   template_body = file("files/CIS_conformance_pack.${var.aws_partition}.cft")
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }

+ 1 - 1
base/account_standards/config.tf

@@ -2,7 +2,7 @@
 resource "aws_config_aggregate_authorization" "authorization" {
   account_id = local.c2_account
   region     = var.aws_region
-  tags       = merge(var.standard_tags, var.tags)
+  tags       = merge(local.standard_tags, var.tags)
 }
 
 output "authorizations" {

+ 1 - 0
base/account_standards/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 2 - 2
base/account_standards/default-vpc.tf

@@ -1,7 +1,7 @@
 # Make the default VPC compliant
 # tfsec:ignore:aws-vpc-no-default-vpc - tfsec says "Don't use the default VPC". We're just making a note not to.
 resource "aws_default_vpc" "default" {
-  tags = merge(var.standard_tags, var.tags, { "Notes" = "Not connected. For testing only. VPC not for production use." })
+  tags = merge(local.standard_tags, var.tags, { "Notes" = "Not connected. For testing only. VPC not for production use." })
 }
 
 resource "aws_kms_key" "default-flowlogs" {
@@ -23,5 +23,5 @@ resource "aws_flow_log" "default-flowlogs" {
 # See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
 resource "aws_default_security_group" "default" {
   vpc_id = aws_default_vpc.default.id
-  tags   = merge(var.standard_tags, var.tags)
+  tags   = merge(local.standard_tags, var.tags)
 }

+ 2 - 2
base/account_standards/ebs-kms-key.tf

@@ -9,11 +9,11 @@ module "ebs_root_encrypt_decrypt" {
   name              = "ebs_root_encrypt_decrypt"
   alias             = "alias/ebs_root_encrypt_decrypt"
   description       = "encrypt and decrypt root volume" # updated to match legacy
-  tags              = merge(var.standard_tags, var.tags)
+  tags              = merge(local.standard_tags, var.tags)
   key_admin_arns    = var.extra_ebs_key_admins
   key_user_arns     = concat([local.root_arn], var.extra_ebs_key_users)
   key_attacher_arns = concat([local.root_arn], var.extra_ebs_key_attachers)
-  standard_tags     = var.standard_tags
+  standard_tags     = local.standard_tags
   aws_account_id    = var.aws_account_id
   aws_partition     = var.aws_partition
   is_legacy         = var.is_legacy

+ 5 - 5
base/account_standards/flowlogs.tf

@@ -3,13 +3,13 @@ resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
   name              = "vpc_flow_logs"
   retention_in_days = 7
   kms_key_id        = var.cloudtrail_key_arn
-  tags              = merge(var.standard_tags, var.tags)
+  tags              = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_iam_role" "flowlogs" {
   name = "flowlogs"
   path = "/aws_services/"
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   assume_role_policy = <<EOF
 {
@@ -58,10 +58,10 @@ module "kinesis_firehose" {
   region                                = var.aws_region
   arn_cloudwatch_logs_to_ship           = "arn:${var.aws_partition}:logs:${var.aws_region}::log-group:/vpc_flow_logs/*"
   name_cloudwatch_logs_to_ship          = "vpc_flow_logs"
-  hec_token                             = var.aws_flowlogs_hec_token
-  hec_url                               = "https://${var.hec_pub_ack}:8088"
+  hec_token                             = local.aws_flowlogs_hec_token
+  hec_url                               = "https://${local.hec_pub_ack}:8088"
   firehose_name                         = "vpc_flow_logs_to_splunk"
-  tags                                  = merge(var.standard_tags, var.tags)
+  tags                                  = merge(local.standard_tags, var.tags)
   cloudwatch_log_retention              = 30 # keep kinesis logs this long
   log_stream_name                       = "SplunkDelivery_VPCFlowLogs"
   s3_bucket_name                        = "kinesis-flowlogs-${var.aws_account_id}-${var.aws_region}"

+ 1 - 0
base/account_standards/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 0
base/account_standards/hec_moose.tf

@@ -0,0 +1 @@
+../../variables/hec_moose.tf

+ 1 - 1
base/account_standards/iam.tf

@@ -79,7 +79,7 @@ data "aws_iam_policy_document" "default_instance_policy_s3_binaries_doc" {
     sid    = "UseTheKey"
     effect = "Allow"
     resources = [
-      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${var.binaries_key}"
+      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${local.binaries_key}"
     ]
     actions = [
       "kms:Decrypt",

+ 14 - 0
base/account_standards/locals.tf

@@ -0,0 +1,14 @@
+locals {
+  key_pairs = {
+    # Should be your username -> key pair
+    "msoc-build" = "ssh-rsa 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 MSOC Build Key",
+    "fdamstra"   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF3pGU9+HufgfEhPP7P0Lt7kqfGWLTGd6sfJgSypcSo3FP1XhwFOWkaNvZIpoIeQXhux5vTm+RoqYZ/3Gj7hcGMLdoHWArvLHD2AGjxbFnsmiCioQgsC/rYLBjiWNsDdVF5Arofby/RwzivMAi7yivhY4nGzXPsHZoucB0Wi34/9AmxbvXWv6ckuWkMjrXVe+uwFje3U7jQHRW9jQRpCRRfUjVA4FmH0PWqWFBlt/zqsDPOzbxNNhAvyrJho7jVBNjCLsq0++lT8BDKrYbaZiT0F2c9uIDRpHJSdjpqVCf9bghmeJWYMoNHAkGR7WCFjPCJ7QM57a2oRBtm1A/EWcr",
+  }
+
+  # yes, they're identical. But I want to leave the option open.
+  aws_flowlogs_hec_token = {
+    prod   = "4a2cacb2-fea1-4328-8f25-9bef26333e91",
+    test   = "4a2cacb2-fea1-4328-8f25-9bef26333e91",
+    common = "4a2cacb2-fea1-4328-8f25-9bef26333e91"
+  }[var.environment]
+}
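Review bot: The Splunk HEC token assigned to `aws_flowlogs_hec_token` (the `4a2cacb2-…` literal) is a credential committed in plaintext to the modules repository, and the same value is used for `prod`, `test` and `common`, so a leak from any one environment grants ingest access to all of them; before this commit it was at least supplied by the caller as `var.aws_flowlogs_hec_token`. Since it is now in git history it should be treated as disclosed and rotated, and the replacement fetched at plan time — a `data "aws_ssm_parameter"` or Secrets Manager lookup keyed on `var.environment`, assigned as `aws_flowlogs_hec_token = data.aws_ssm_parameter.flowlogs_hec_token.value` — with a distinct token per environment so the `# yes, they're identical` comment stops being true. If it has to stay in code for now, at least mark the receiving input sensitive so it is redacted from `terraform plan` output. The `key_pairs` entries are public keys and are fine here, though rotating a user's key now requires a module release rather than a change in xdr-terraform-live.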

+ 1 - 1
base/account_standards/main.tf

@@ -1,6 +1,6 @@
 # Generates everybody's ssh key pairs
 resource "aws_key_pair" "key_pair" {
-  for_each = var.key_pairs
+  for_each = local.key_pairs
 
   key_name   = each.key
   public_key = each.value

+ 1 - 0
base/account_standards/s3_binaries.tf

@@ -0,0 +1 @@
+../../variables/s3_binaries.tf

+ 0 - 14
base/account_standards/vars.tf

@@ -36,22 +36,8 @@ variable "log_group_name" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "account_name" { type = string }
-variable "binaries_bucket" { type = string }
-variable "binaries_key" { type = string }
 variable "is_legacy" { type = bool }
 variable "legacy_account" { type = string }
-variable "common_services_account" { type = string }
-variable "standard_tags" { type = map(any) }
-variable "account_list" { type = list(any) }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "key_pairs" { type = map(any) }
-variable "c2_accounts" { type = map(any) }
-variable "aws_flowlogs_hec_token" { type = string }
-variable "hec_pub_ack" { type = string }
 
 # Calculate some local variables
 locals {

+ 5 - 5
base/account_standards_c2/account_alerts.tf

@@ -1,7 +1,7 @@
 # An SNS queue for email alerts
 resource "aws_sns_topic" "account-alerts" {
   name = "account-alerts"
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_sns_topic_policy" "account-alerts" {
@@ -17,7 +17,7 @@ data "aws_iam_policy_document" "account-alerts" {
     resources = [aws_sns_topic.account-alerts.arn]
     principals {
       type        = "AWS"
-      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
+      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
   }
   statement {
@@ -41,7 +41,7 @@ resource "aws_sqs_queue" "account-alerts" {
   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.account-alerts-dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.account-alerts-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -72,7 +72,7 @@ resource "aws_sqs_queue" "account-alerts-dlq" {
   name                              = "account-alerts-dlq"
   message_retention_seconds         = 300
   receive_wait_time_seconds         = 0
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.account-alerts-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -113,7 +113,7 @@ data "aws_iam_policy_document" "account-alerts-kms-policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
+      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
     actions = [
       "kms:GenerateDataKey",
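Review bot: The `:root` principals on the SNS topic policy and the KMS key policy are now driven by `local.responsible_accounts`, which comes from the `variables/accounts.tf` symlink rather than a value passed in from xdr-terraform-live, so an edit to that one shared file silently widens who can publish to `account-alerts` and use `account-alerts-key` in every module that links it, with no corresponding change visible in the environment repo. That file is not part of this diff, so I cannot confirm its contents. I would at least make the boundary explicit at the `identifiers` lines: `# Trust boundary: every principal in these accounts may publish/encrypt. Source: variables/accounts.tf (symlink) — treat edits there as policy changes.` The `aws_iam_policy_document` blocks themselves start outside the hunks shown.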

+ 1 - 0
base/account_standards_c2/accounts.tf

@@ -0,0 +1 @@
+../../variables/accounts.tf

+ 5 - 5
base/account_standards_c2/config_aggregator.tf

@@ -2,7 +2,7 @@ resource "aws_config_configuration_aggregator" "account" {
   name = "xdr-aggregator-${var.environment}"
 
   account_aggregation_source {
-    account_ids = var.responsible_accounts[var.environment]
+    account_ids = local.responsible_accounts[var.environment]
     all_regions = true
   }
 }
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "config-sns" {
     resources = [aws_sns_topic.config-notifications.arn]
     principals {
       type        = "AWS"
-      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
+      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
   }
 }
@@ -36,7 +36,7 @@ resource "aws_sqs_queue" "config-notifications" {
   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.config-notifications-dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.config-notifications-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -67,7 +67,7 @@ resource "aws_sqs_queue" "config-notifications-dlq" {
   name                              = "config-notifications-dlq"
   message_retention_seconds         = 300
   receive_wait_time_seconds         = 0
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.config-notifications-key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -108,7 +108,7 @@ data "aws_iam_policy_document" "config-notifications-kms-policy" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
+      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
     }
     actions = [
       "kms:GenerateDataKey",

+ 3 - 3
base/account_standards_c2/config_bucket.tf

@@ -13,13 +13,13 @@ module "xdr_config_logging_bucket" {
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags               = merge(var.standard_tags, var.tags)
+  tags               = merge(local.standard_tags, var.tags)
   versioning_enabled = true
 }
 
 resource "aws_s3_bucket" "xdr_config_bucket" {
   bucket = "xdr-config-${var.environment}"
-  tags   = merge(var.standard_tags, var.tags)
+  tags   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "xdr_config_bucket" {
@@ -110,7 +110,7 @@ resource "aws_kms_key" "config_encryption" {
   deletion_window_in_days = 30
   policy                  = data.aws_iam_policy_document.config_encryption_key_policy.json
   enable_key_rotation     = true
-  tags                    = merge(var.standard_tags, var.tags)
+  tags                    = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_kms_alias" "config_encryption" {

+ 1 - 0
base/account_standards_c2/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 6 - 6
base/account_standards_c2/elb_bucket.tf

@@ -15,14 +15,14 @@ module "elb_logging_logging_bucket" {
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags               = merge(var.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." })
+  tags               = merge(local.standard_tags, var.tags, { "Note" = "ELB Logging Does Not Support SSE-KMS. Only SSE-S3 is supported." })
   versioning_enabled = true
 }
 
 resource "aws_s3_bucket" "elb_logging_bucket" {
   bucket = "xdr-elb-${var.environment}"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_elb_logging_bucket" {
@@ -68,7 +68,7 @@ data "aws_iam_policy_document" "aws_elb_bucket_policy" {
 
     #    principals {
     #      type        = "AWS"
-    #  identifiers = [ for a in var.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
+    #  identifiers = [ for a in local.responsible_accounts[var.environment]: "arn:${var.aws_partition}:iam::${a}:root" ]
     #}
     principals {
       type        = "AWS"
@@ -199,7 +199,7 @@ resource "aws_sqs_queue" "new_elblog" {
   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.elblog-dlg.arn}\",\"maxReceiveCount\":4}"
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -241,7 +241,7 @@ resource "aws_sqs_queue" "elblog-dlg" {
   name                              = "new-objects-for-${aws_s3_bucket.elb_logging_bucket.bucket}-dlq"
   message_retention_seconds         = 300
   receive_wait_time_seconds         = 0
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -261,7 +261,7 @@ resource "aws_sns_topic_subscription" "elblog_bucket_change_notification_to_queu
 /*resource "aws_s3_bucket" "elb_logging_bucket" {
   bucket = "xdr-elb-${var.environment}"
   acl    = "private"
-  tags   = merge(var.standard_tags, var.tags)
+  tags   = merge(local.standard_tags, var.tags)
 
   versioning {
     enabled = true

+ 1 - 0
base/account_standards_c2/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 1
base/account_standards_c2/iam.moose-hf.tf

@@ -108,7 +108,7 @@ resource "aws_iam_user" "moose-hf" {
   name = "moose-hf"
   path = "/instance/"
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_iam_group" "moose-hf" {

+ 5 - 5
base/account_standards_c2/main.tf

@@ -13,18 +13,18 @@ module "s3_logging_bucket" {
       abort_incomplete_multipart_upload_days = 7
     }
   ]
-  tags               = merge(var.standard_tags, var.tags)
+  tags               = merge(local.standard_tags, var.tags)
   versioning_enabled = true
 }
 
 module "cloudtrail_logging_bucket" {
   source = "../../thirdparty/terraform-aws-cloudtrail-bucket"
 
-  allowed_account_ids = var.account_list
+  allowed_account_ids = local.account_list
   bucket_name         = "xdr-cloudtrail-logs-${var.environment}"
   logging_bucket      = module.s3_logging_bucket.s3_bucket_name
   region              = var.aws_region
-  tags                = merge(var.standard_tags, var.tags)
+  tags                = merge(local.standard_tags, var.tags)
   lifecycle_rules = [
     {
       id                                     = "expire-old-logs"
@@ -124,7 +124,7 @@ resource "aws_sqs_queue" "new_s3_object" {
   message_retention_seconds         = 604800 # Keep a message in the queue for 7 days
   receive_wait_time_seconds         = 0      # how long to wait for a message before returning
   redrive_policy                    = "{\"deadLetterTargetArn\":\"${aws_sqs_queue.dlq.arn}\",\"maxReceiveCount\":4}"
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
@@ -166,7 +166,7 @@ resource "aws_sqs_queue" "dlq" {
   name                              = "new-objects-for-${module.cloudtrail_logging_bucket.s3_bucket_name}-dlq"
   message_retention_seconds         = 300
   receive_wait_time_seconds         = 0
-  tags                              = merge(var.standard_tags, var.tags)
+  tags                              = merge(local.standard_tags, var.tags)
   kms_master_key_id                 = aws_kms_key.new_object_key.id
   kms_data_key_reuse_period_seconds = 3600
 }
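Review bot: `allowed_account_ids = local.account_list` on the CloudTrail bucket is not keyed by environment, while the same commit uses `local.responsible_accounts[var.environment]` for the SNS/KMS principals in account_alerts.tf and config_aggregator.tf. If `account_list` in `variables/accounts.tf` (not in this diff) is the flat list across environments, `xdr-cloudtrail-logs-test` would accept writes from prod account IDs and vice versa, which is broader than the bucket needs. If the sets line up, `allowed_account_ids = local.responsible_accounts[var.environment]` keeps the bucket policy scoped; otherwise a comment stating why cross-environment write access is intended would save the next reviewer the same question. The `module "cloudtrail_logging_bucket"` block continues past the hunk.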

+ 1 - 1
base/account_standards_c2/secrets.tf

@@ -7,7 +7,7 @@ resource "aws_secretsmanager_secret" "codebuild_ghe_key" {
   name                    = "GHE/mdr-aws-codebuild/key"
   description             = "GitHub Personal Access Key for the mdr-aws-codebuild account"
   recovery_window_in_days = 30
-  tags                    = merge(var.standard_tags, var.tags)
+  tags                    = merge(local.standard_tags, var.tags)
 }
 
 # This just seeds an initial value. It will not be overwritten each update.

+ 0 - 8
base/account_standards_c2/vars.tf

@@ -6,11 +6,3 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map(any) }
-variable "account_list" { type = list(any) }
-variable "responsible_accounts" { type = map(list(string)) }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "key_pairs" { type = map(any) }

+ 1 - 1
base/account_standards_regional/backup_ami_key.tf

@@ -3,7 +3,7 @@ resource "aws_kms_key" "key" {
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.kms_policy.json
   tags = merge(
-    var.standard_tags,
+    local.standard_tags,
     { "Name" = "ami_backup_key" },
     var.tags
   )

+ 1 - 0
base/account_standards_regional/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/account_standards_regional/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 1
base/account_standards_regional/main.tf

@@ -1,7 +1,7 @@
 resource "aws_config_aggregate_authorization" "authorization" {
   account_id = local.c2_account
   region     = var.aws_region
-  tags       = merge(var.standard_tags, var.tags)
+  tags       = merge(local.standard_tags, var.tags)
 }
 
 output "authorizations" {

+ 0 - 8
base/account_standards_regional/vars.tf

@@ -6,14 +6,6 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map(any) }
-variable "account_list" { type = list(any) }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "key_pairs" { type = map(any) }
-variable "c2_accounts" { type = map(any) }
 
 locals {
   logging_environment = var.environment == "common" ? "prod" : var.environment # common logs to prod

+ 1 - 1
base/aws_client_vpn/certificate.tf

@@ -13,7 +13,7 @@ resource "aws_acm_certificate" "cert" {
     command = "sleep 10"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_acm_certificate_validation" "cert" {

+ 1 - 1
base/aws_client_vpn/cloudwatch.tf

@@ -5,7 +5,7 @@ resource "aws_cloudwatch_log_group" "vpn" {
   # TODO: Encrypt
   # kms_key_id = <arn>
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_cloudwatch_log_stream" "vpn" {

+ 1 - 0
base/aws_client_vpn/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/aws_client_vpn/dns_info.tf

@@ -0,0 +1 @@
+../../variables/dns_info.tf

+ 1 - 0
base/aws_client_vpn/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 2 - 2
base/aws_client_vpn/lambda.tf

@@ -75,7 +75,7 @@ resource "aws_lambda_function" "lambda_connection_authorization" {
     }
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 }
 
 
@@ -111,5 +111,5 @@ resource "aws_lambda_function" "lambda_connection_authorization" {
 ##                 "logs:CreateLogStream",
 ##                 "logs:CreateLogGroup",
 ##                 "logs:PutLogEvents",
-#  tags = merge(var.standard_tags, var.tags)
+#  tags = merge(local.standard_tags, var.tags)
 #}

+ 2 - 2
base/aws_client_vpn/saml.tf

@@ -1,11 +1,11 @@
 resource "aws_iam_saml_provider" "okta" {
   name                   = "okta_aws_vpn${var.suffix}"
   saml_metadata_document = file("files/saml-metadata-okta-${var.environment}.xml")
-  tags                   = merge(var.standard_tags, var.tags)
+  tags                   = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_iam_saml_provider" "okta-self-service" {
   name                   = "okta_aws_vpn_self_service${var.suffix}"
   saml_metadata_document = file("files/saml-metadata-okta-self-service-${var.environment}.xml")
-  tags                   = merge(var.standard_tags, var.tags)
+  tags                   = merge(local.standard_tags, var.tags)
 }

+ 1 - 1
base/aws_client_vpn/security-groups.tf

@@ -2,7 +2,7 @@ resource "aws_security_group" "vpn_access" {
   name_prefix = "${var.dns_name}${var.suffix}_vpn_access"
   description = "Security Group for the AWS VPN"
   vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
+  tags        = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_security_group_rule" "vpn-in-443-tcp" {

+ 0 - 10
base/aws_client_vpn/vars.tf

@@ -42,13 +42,3 @@ variable "azs" { type = list(string) }
 variable "private_subnets" { type = list(string) }
 variable "public_subnets" { type = list(string) }
 variable "vpc_id" { type = string }
-variable "cidr_map" { type = map(any) }
-variable "dns_info" { type = map(any) }
-variable "dns_servers" { type = list(string) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }

+ 1 - 1
base/aws_client_vpn/vpn.tf

@@ -16,7 +16,7 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
 
   security_group_ids = [aws_security_group.vpn_access.id]
 
-  dns_servers = var.dns_servers
+  dns_servers = local.dns_servers
 
   # Certificate based authenticaiton requires the certificate be in the same account
   #authentication_options {

+ 1 - 0
base/aws_scheduler/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/aws_scheduler/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 0 - 6
base/aws_scheduler/vars.tf

@@ -6,9 +6,3 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "standard_tags" { type = map(any) }
-variable "account_list" { type = list(any) }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }

+ 1 - 0
base/backups/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/backups/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf
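Review bot: base/backups only receives the constants.tf and globals.tf links in this commit, yet its vars.tf (the "+ 0 - 14" section below) drops `binaries_bucket`, `binaries_key`, `aws_flowlogs_hec_token` and `hec_pub_ack`; codebuild_lcp_magic_machine, which drops `binaries_key` the same way, additionally gets an `s3_binaries.tf` link. If any backups .tf file still references those names, as `var.` or `local.`, validation fails, so either the module needs the matching links or the references should be removed in the same change. The two HEC names also look like credentials; if their values now live in a shared, committed `variables/*.tf` file rather than being passed in from xdr-terraform-live, that is worth confirming before tagging v5.0.0, since the tropes in the commit message cover sizing and account overrides but not secret handling. The rest of the backups module is not visible here.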

+ 0 - 14
base/backups/vars.tf

@@ -7,19 +7,5 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
-variable "account_name" { type = string }
-variable "binaries_bucket" { type = string }
-variable "binaries_key" { type = string }
 variable "is_legacy" { type = bool }
 variable "legacy_account" { type = string }
-variable "common_services_account" { type = string }
-variable "standard_tags" { type = map(any) }
-variable "account_list" { type = list(any) }
-variable "aws_account_id" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "environment" { type = string }
-variable "key_pairs" { type = map(any) }
-variable "c2_accounts" { type = map(any) }
-variable "aws_flowlogs_hec_token" { type = string }
-variable "hec_pub_ack" { type = string }

+ 1 - 0
base/bastion/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/bastion/employee_ips.tf

@@ -0,0 +1 @@
+../../variables/employee_ips.tf

+ 1 - 0
base/bastion/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 9 - 9
base/bastion/main.tf

@@ -19,12 +19,12 @@ resource "aws_network_interface" "instance" {
   subnet_id       = var.subnets[0]
   security_groups = [data.aws_security_group.typical-host.id, aws_security_group.bastion_security_group.id]
   description     = var.instance_name
-  tags            = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  tags            = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip" "instance" {
   vpc  = true
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 resource "aws_eip_association" "instance" {
@@ -38,7 +38,7 @@ resource "aws_instance" "instance" {
   ebs_optimized                        = true
   disable_api_termination              = var.instance_termination_protection
   instance_initiated_shutdown_behavior = "stop"
-  instance_type                        = var.instance_type
+  instance_type                        = "t3a.medium"
   key_name                             = "msoc-build"
   monitoring                           = false
   iam_instance_profile                 = "msoc-default-instance-profile"
@@ -134,8 +134,8 @@ resource "aws_instance" "instance" {
   }
 
   user_data   = data.template_cloudinit_config.cloud-init.rendered
-  tags        = merge(var.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
-  volume_tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  tags        = merge(local.standard_tags, var.tags, var.instance_tags, { Name = var.instance_name })
+  volume_tags = merge(local.standard_tags, var.tags, { Name = var.instance_name })
 }
 
 module "private_dns_record" {
@@ -178,8 +178,8 @@ data "template_cloudinit_config" "cloud-init" {
         hostname            = var.instance_name
         fqdn                = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
         environment         = var.environment
-        salt_master         = var.salt_master
-        proxy               = var.proxy
+        salt_master         = local.salt_master
+        proxy               = local.proxy
         aws_partition       = var.aws_partition
         aws_partition_alias = var.aws_partition_alias
         aws_region          = var.aws_region
@@ -198,7 +198,7 @@ resource "aws_security_group" "bastion_security_group" {
   name        = "bastion_security_group"
   description = "Security Group for Bastion Server(s)"
   vpc_id      = var.vpc_id
-  tags        = merge(var.standard_tags, var.tags)
+  tags        = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_security_group_rule" "ssh-in" {
@@ -206,7 +206,7 @@ resource "aws_security_group_rule" "ssh-in" {
   from_port         = 22
   to_port           = 22
   protocol          = "tcp"
-  cidr_blocks       = var.trusted_ips
+  cidr_blocks       = local.trusted_ips
   security_group_id = aws_security_group.bastion_security_group.id
 }
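Review bot: The SSH ingress allow-list on `bastion_security_group` (the `ssh-in` hunk, main.tf line 206) now reads `local.trusted_ips`, which this commit sources from the shared `variables/employee_ips.tf` link instead of a per-deployment `trusted_ips` input, so a single edit to that file changes port-22 exposure on every bastion that links it. A comment at the point of use, `# cidr_blocks come from the shared variables/employee_ips.tf link; treat edits there as a security-group change`, would make that coupling visible to the next reviewer. Separately, the aws_instance hunk replaces `var.instance_type` with the literal `"t3a.medium"`; if the `instance_type` variable is still declared above line 38 of vars.tf (not visible in this diff), values passed by callers are now silently ignored, so either remove the declaration or keep the input with `default = "t3a.medium"`, which also matches the override tropes described in the commit message.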
 

+ 1 - 13
base/bastion/vars.tf

@@ -38,16 +38,4 @@ variable "reverse_enabled" {
   default     = true
 }
 
-variable "trusted_ips" { type = list(string) }
-variable "proxy" { type = string }
-variable "salt_master" { type = string }
-
-variable "cidr_map" { type = map(any) }
-variable "dns_info" { type = map(any) }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "common_services_account" { type = string }
-variable "instance_termination_protection" { type = bool }
+

+ 1 - 0
base/codebuild_artifact/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_artifact/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 1
base/codebuild_artifact/main.tf

@@ -33,7 +33,7 @@ resource "aws_codebuild_project" "this" {
     packaging              = "NONE"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035

+ 0 - 5
base/codebuild_artifact/vars.tf

@@ -3,11 +3,6 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
 variable "name" { type = string }
 variable "service_role" { type = string }
 variable "artifact_s3_bucket" { type = string }

+ 1 - 0
base/codebuild_ecr_base/accounts.tf

@@ -0,0 +1 @@
+../../variables/accounts.tf

+ 1 - 0
base/codebuild_ecr_base/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_ecr_base/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 3 - 3
base/codebuild_ecr_base/repos.tf

@@ -5,7 +5,7 @@ module "codebuild-rhel7" {
   name             = "codebuild-rhel7"
   github_clone_url = "https://github.xdr.accenturefederalcyber.com/mdr-engineering/mdr-codebuild-images.git"
   source_version   = "master"
-  standard_tags    = var.standard_tags
+  standard_tags    = local.standard_tags
   tags             = var.tags
 
   codebuild_assume_role_arn = aws_iam_role.codebuild_role.arn
@@ -33,7 +33,7 @@ module "codebuild-rhel8" {
   name             = "codebuild-rhel8"
   github_clone_url = "https://github.xdr.accenturefederalcyber.com/mdr-engineering/mdr-codebuild-images.git"
   source_version   = "master"
-  standard_tags    = var.standard_tags
+  standard_tags    = local.standard_tags
   tags             = var.tags
 
   codebuild_assume_role_arn = aws_iam_role.codebuild_role.arn
@@ -61,7 +61,7 @@ module "codebuild-rhel9beta" {
   name             = "codebuild-rhel9beta"
   github_clone_url = "https://github.xdr.accenturefederalcyber.com/mdr-engineering/mdr-codebuild-images.git"
   source_version   = "master"
-  standard_tags    = var.standard_tags
+  standard_tags    = local.standard_tags
   tags             = var.tags
 
   codebuild_assume_role_arn = aws_iam_role.codebuild_role.arn

+ 1 - 1
base/codebuild_ecr_base/s3.tf

@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "artifacts" {
     resources = ["${aws_s3_bucket.artifacts.arn}/*"]
     principals {
       type        = "AWS"
-      identifiers = sort([for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
+      identifiers = sort([for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
     }
   }
 }

+ 0 - 8
base/codebuild_ecr_base/vars.tf

@@ -3,11 +3,3 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
-variable "common_services_account" { type = string }
-variable "responsible_accounts" { type = map(list(string)) }

+ 1 - 0
base/codebuild_ecr_customer_portal/accounts.tf

@@ -0,0 +1 @@
+../../variables/accounts.tf

+ 1 - 0
base/codebuild_ecr_customer_portal/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_ecr_customer_portal/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 2 - 2
base/codebuild_ecr_customer_portal/main.tf

@@ -32,7 +32,7 @@ resource "aws_codebuild_project" "this_no_artifact" {
     type = "NO_ARTIFACTS"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
@@ -73,7 +73,7 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
       "ecr:DescribeImages",
     ]
     principals {
-      identifiers = [for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
+      identifiers = [for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"]
       type        = "AWS"
     }
   }
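Review bot: The principal list in `ecr_cross_account_policy` is built without `sort()`, while the same expression rewritten in this commit in codebuild_ecr_base/s3.tf and codebuild_ecr_project/main.tf wraps it in `sort([...])`. Since the line is being touched anyway, `identifiers = sort([for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])` keeps the three modules consistent and avoids policy diffs that only reorder principals when the shared accounts map changes. The policy document continues outside the hunk.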

+ 1 - 9
base/codebuild_ecr_customer_portal/vars.tf

@@ -3,14 +3,6 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_region" { type = string }
-variable "aws_account_id" { type = string }
-variable "common_services_account" { type = string }
-variable "responsible_accounts" { type = map(list(string)) }
 variable "name" { type = string }
 variable "service_role" { type = string }
 variable "artifact_s3_bucket" { type = string }
@@ -29,4 +21,4 @@ variable "badge_enabled" {
 variable "webhook_branch_filter" {
   type    = string
   default = "^(master|develop)$"
-}
+}

+ 1 - 0
base/codebuild_ecr_project/accounts.tf

@@ -0,0 +1 @@
+../../variables/accounts.tf

+ 1 - 0
base/codebuild_ecr_project/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_ecr_project/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 2 - 2
base/codebuild_ecr_project/main.tf

@@ -34,7 +34,7 @@ resource "aws_codebuild_project" "this_no_artifact" {
     type = "NO_ARTIFACTS"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035
@@ -68,7 +68,7 @@ data "aws_iam_policy_document" "ecr_cross_account_policy" {
     ]
     principals {
       type        = "AWS"
-      identifiers = sort([for a in var.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
+      identifiers = sort([for a in local.responsible_accounts[var.environment] : "arn:${var.aws_partition}:iam::${a}:root"])
     }
   }
   # Allow codebuild access

+ 0 - 6
base/codebuild_ecr_project/vars.tf

@@ -22,14 +22,8 @@ variable "enable_webhooks" {
   default     = true
 }
 
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
 variable "name" { type = string }
 variable "service_role" { type = string }
-variable "responsible_accounts" { type = map(list(string)) }
 variable "artifact_s3_bucket" { type = string }
 variable "codebuild_image" { type = string }
 

+ 1 - 0
base/codebuild_lcp_magic_machine/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_lcp_magic_machine/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 1
base/codebuild_lcp_magic_machine/iam.tf

@@ -180,7 +180,7 @@ data "aws_iam_policy_document" "magic_machine_instance_policy_s3_binaries_doc" {
     sid    = "UseTheKey"
     effect = "Allow"
     resources = [
-      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${var.binaries_key}"
+      "arn:${var.aws_partition}:kms:${var.aws_region}:${var.common_services_account}:${local.binaries_key}"
     ]
     actions = [
       "kms:Decrypt",

+ 1 - 1
base/codebuild_lcp_magic_machine/main.tf

@@ -67,7 +67,7 @@ resource "aws_codebuild_project" "this" {
     type = "NO_ARTIFACTS"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # The security group must be created before the codebuild project for the 
   # environmental variables. 

+ 1 - 0
base/codebuild_lcp_magic_machine/s3_binaries.tf

@@ -0,0 +1 @@
+../../variables/s3_binaries.tf

+ 2 - 2
base/codebuild_lcp_magic_machine/security-group.tf

@@ -11,7 +11,7 @@ data "aws_subnet" "this" {
 resource "aws_security_group" "this" {
   name        = "${var.name}_magic_machine_security_group"
   description = "Security Group for magic machine ${var.name}"
-  tags        = merge(var.standard_tags, var.tags)
+  tags        = merge(local.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }
 
@@ -39,7 +39,7 @@ resource "aws_security_group_rule" "allow_outbound_mm" {
 resource "aws_security_group" "codebuild" {
   name        = "${var.name}_codebuild_security_group"
   description = "Security Group for codebuild ${var.name}"
-  tags        = merge(var.standard_tags, var.tags)
+  tags        = merge(local.standard_tags, var.tags)
   vpc_id      = data.aws_vpc.this.id
 }
 

+ 1 - 9
base/codebuild_lcp_magic_machine/vars.tf

@@ -3,12 +3,6 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
 variable "name" { type = string }
 variable "repository_name" { type = string }
 variable "github_clone_url" { type = string }
@@ -16,8 +10,6 @@ variable "vpc_id" { type = string }
 variable "private_subnets" { type = list(any) }
 variable "public_subnets" { type = list(any) }
 variable "service_role" { type = string }
-variable "common_services_account" { type = string }
-variable "binaries_key" { type = string }
 variable "xdr-s3-binaries-policy" { type = string }
 
 variable "kms_key" {
@@ -69,4 +61,4 @@ variable "env_vars" {
 variable "webhook_filter_pattern" {
   type    = string
   default = "^refs/heads/main$"
-}
+}

+ 1 - 0
base/codebuild_portal_lambda/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_portal_lambda/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 1 - 1
base/codebuild_portal_lambda/main.tf

@@ -45,7 +45,7 @@ resource "aws_codebuild_project" "this" {
     packaging      = "NONE"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035

+ 1 - 1
base/codebuild_portal_lambda/s3.tf

@@ -8,7 +8,7 @@ locals {
 resource "aws_s3_bucket" "bucket" {
   bucket        = local.bucket_name
   force_destroy = true
-  tags          = merge(var.standard_tags, var.tags)
+  tags          = merge(local.standard_tags, var.tags)
 }
 
 resource "aws_s3_bucket_acl" "s3_acl_bucket" {

+ 2 - 7
base/codebuild_portal_lambda/vars.tf

@@ -3,12 +3,7 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
-variable "environment" { type = string }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
+
 variable "name" { type = string }
 
 variable "kms_key" {
@@ -30,4 +25,4 @@ variable "badge_enabled" {
 variable "webhook_filter_pattern" {
   type    = string
   default = "^refs/heads/develop$"
-}
+}

+ 1 - 1
base/codebuild_project_no_artifact/codebuild.tf

@@ -57,7 +57,7 @@ resource "aws_codebuild_project" "this" {
     type = "NO_ARTIFACTS"
   }
 
-  tags = merge(var.standard_tags, var.tags)
+  tags = merge(local.standard_tags, var.tags)
 
   # Govcloud incompatible with "project visibility"
   # See https://github.com/hashicorp/terraform-provider-aws/issues/22473#issuecomment-1081187035

+ 1 - 0
base/codebuild_project_no_artifact/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf

+ 1 - 0
base/codebuild_project_no_artifact/globals.tf

@@ -0,0 +1 @@
+../../variables/globals.tf

+ 0 - 8
base/codebuild_project_no_artifact/vars.tf

@@ -3,7 +3,6 @@ variable "tags" {
   type        = map(any)
   default     = {}
 }
-variable "standard_tags" { type = map(any) }
 
 variable "name" { type = string }
 variable "service_role" { type = string }
@@ -55,10 +54,3 @@ variable "secondary_sources" {
 }
 
 
-#variable "environment" { type = string }
-#variable "aws_partition" { type = string }
-#variable "aws_region" { type = string }
-#variable "aws_partition_alias" { type = string }
-#variable "aws_account_id" { type = string }
-#variable "common_services_account" { type = string }
-#variable "responsible_accounts" { type = map(list(string)) }

+ 1 - 0
base/codebuild_splunk_apps/constants.tf

@@ -0,0 +1 @@
+../../variables/constants.tf
