Moves security vpc out of palo alto directory

Adds legacy account support to account standards (requires importing of tf11 resources)

base/account_standards/ebs-kms-key.tf

@@ -3,14 +3,15 @@ module "ebs_root_encrypt_decrypt" {
 
   name = "ebs_root_encrypt_decrypt"
   alias = "alias/ebs_root_encrypt_decrypt"
-  description = "Default key for encrypting and decryption EBS volumes."
+  description = "encrypt and decrypt root volume" # updated to match legacy
   tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
+  key_admin_arns = var.extra_ebs_key_admins
+  key_user_arns = var.extra_ebs_key_users
+  key_attacher_arns = var.extra_ebs_key_attachers
   standard_tags = var.standard_tags
   aws_account_id = var.aws_account_id
   aws_partition = var.aws_partition
+  is_legacy = var.is_legacy
 }
 
 # Note: The following wasn't configured in tf11

base/account_standards/vars.tf

@@ -8,9 +8,29 @@ variable "cloudtrail_key_arn" {
   type = string
 }
 
+variable extra_ebs_key_admins {
+  description = "Extra EBS encryption key admins."
+  type = list
+  default = [ ]
+}
+
+variable extra_ebs_key_users {
+  description = "Extra EBS encryption key users."
+  type = list
+  default = [ ]
+}
+
+variable extra_ebs_key_attachers {
+  description = "Extra EBS encryption key attachers."
+  type = list
+  default = [ ]
+}
+
+
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
+variable "is_legacy" { type = bool }
 variable "standard_tags" { type = map }
 variable "account_list" { type = list }
 variable "aws_account_id" { type = string }

base/account_standards_c2/config_bucket.tf

@@ -89,6 +89,9 @@ data "aws_iam_policy_document" "awsconfig_bucket_policy" {
 resource "aws_s3_bucket_policy" "awsconfig_bucket_policy" {
   bucket = aws_s3_bucket.xdr_config_bucket.id
   policy = data.aws_iam_policy_document.awsconfig_bucket_policy.json
+
+  # Ordering bug, see https://github.com/terraform-providers/terraform-provider-aws/issues/7628
+  depends_on = [ aws_s3_bucket_public_access_block.awsconfig_bucket_block_public_access ]
 }
 
 resource "aws_kms_key" "config_encryption" {

base/palo_alto/security_vpc/ebs-kms-key.tf

@@ -1,29 +0,0 @@
-module "kms_security" {
-  source = "../../../submodules/kms/ebs-key"
-
-  name = "kms_security"
-  alias = "alias/kms_security"
-  description = "Used for encrypting security things such as the interconnects ebs drives."
-  tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
-  standard_tags = var.standard_tags
-  aws_account_id = var.aws_account_id
-  aws_partition = var.aws_partition
-}
-
-module "kms_palo" {
-  source = "../../../submodules/kms/ebs-key"
-
-  name = "palo_alto_ebs"
-  alias = "alias/palo_alto_ebs"
-  description = "Used for encrypting palo alto and panorama images."
-  tags = merge(var.standard_tags, var.tags)
-  key_admin_arns = [ ]
-  key_user_arns = [ ]
-  key_attacher_arns =  [ ]
-  standard_tags = var.standard_tags
-  aws_account_id = var.aws_account_id
-  aws_partition = var.aws_partition
-}

base/security_vpc/ebs-kms-key.tf

@@ -0,0 +1,30 @@
+module "kms_security" {
+  source = "../../submodules/kms/ebs-key"
+
+  name = "kms_security"
+  alias = "alias/kms_security"
+  description = "Used for encrypting security things such as the interconnects ebs drives."
+  tags = merge(var.standard_tags, var.tags)
+  key_admin_arns = [ ]
+  key_user_arns = [ ]
+  key_attacher_arns =  [ ]
+  standard_tags = var.standard_tags
+  aws_account_id = var.aws_account_id
+  aws_partition = var.aws_partition
+  is_legacy = var.is_legacy
+}
+
+#module "kms_palo" {
+#  source = "../../../submodules/kms/ebs-key"
+#
+#  name = "palo_alto_ebs"
+#  alias = "alias/palo_alto_ebs"
+#  description = "Used for encrypting palo alto and panorama images."
+#  tags = merge(var.standard_tags, var.tags)
+#  key_admin_arns = [ ]
+#  key_user_arns = [ ]
+#  key_attacher_arns =  [ ]
+#  standard_tags = var.standard_tags
+#  aws_account_id = var.aws_account_id
+#  aws_partition = var.aws_partition
+#}

base/palo_alto/security_vpc/outputs.tf → base/security_vpc/outputs.tf

@@ -59,6 +59,6 @@ output kms_security_arn {
   value = module.kms_security.key_arn
 }
 
-output kms_palo_key_arn {
-  value = module.kms_palo.key_arn
-}
+#output kms_palo_key_arn {
+#  value = module.kms_palo.key_arn
+#}

base/palo_alto/security_vpc/vars.tf → base/security_vpc/vars.tf

@@ -15,6 +15,7 @@ variable "tags" {
 # ----------------------------------
 # Below this line are variables inherited from higher levels, so they
 # do not need to be explicitly passed to this module.
+variable "is_legacy" { type = bool }
 variable "standard_tags" { type = map }
 variable "inside_domain" { type = string }
 variable "aws_account_id" { type = string }

submodules/kms/ebs-key/main.tf

@@ -19,6 +19,14 @@ resource "aws_kms_alias" "alias" {
   target_key_id = aws_kms_key.key.key_id
 }
 
+locals {
+  iam_admins_legacy = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
+  iam_admins_tf12   = [ 
+    "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
+    "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
+  ]
+}
+
 data "aws_iam_policy_document" "kms_policy" {
   policy_id = "${var.name}-policy"
 
@@ -27,12 +35,7 @@ data "aws_iam_policy_document" "kms_policy" {
       effect = "Allow"
       principals {
         type = "AWS"
-        identifiers = [ 
-          # The 'root' account is the entire account, we don't want that
-          #"arn:${var.aws_partition}:iam::${var.aws_account_id}:root" 
-          "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin", # MDRAdmin as a break glass
-          "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer" # Terraformer always gets full access
-        ]
+        identifiers = var.is_legacy ? local.iam_admins_legacy : local.iam_admins_tf12
       }
       actions = [ "kms:*" ]
       resources = [ "*" ]

submodules/kms/ebs-key/vars.tf

@@ -9,3 +9,4 @@ variable "key_attacher_arns" { type = list }
 variable "standard_tags" { type = map }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
+variable "is_legacy" { type = bool }