AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
							variable "key_pairs" {
  description = "Public SSH keys"
  type = map
}

variable "tags" {
  description = "Extra tags for the module."
  type = map
  default = { } 
}

# ----------------------------------
# Below this line are variables inherited from higher levels, so they
# do not need to be explicitly passed to this module.
variable "standard_tags" { type = map }
variable "aws_account_id" { type = string }
variable "aws_partition" { type = string }
variable "environment" { type = string }

# ----------------------------------
# Below this line are variables from the CIS standards
locals {
  workspace-cis-hardening-policy = {
    "default"     = "cis_hardening_iam_role_policy.json.tpl"
    "prod"        = "cis_hardening_iam_role_policy_prod.json.tpl"
    "common"      = "cis_hardening_iam_role_policy_prod.json.tpl"
    "test"        = "cis_hardening_iam_role_policy_test.json.tpl"
  }
  workspace-dps-s3-cloudtrail-bucket = {
    "default"     = "dps-mdr-cloudtrail"
    "prod"        = "dps-mdr-cloudtrail-prod"
    "common"      = "dps-mdr-cloudtrail-prod"
    "test"        = "dps-mdr-cloudtrail-test"
    "description" = "S3 bucket name for CloudTrail Logs"
  }
  workspace-dps-s3-cloudtrail-bucket-policy = { 
    "default"     = "cloudtrail_s3_policy.json.tpl"
    "prod"        = "cloudtrail_s3_policy_prod.json.tpl"
    "common"      = "cloudtrail_s3_policy_prod.json.tpl"
    "test"        = "cloudtrail_s3_policy_test.json.tpl"
    "description" = "S3 IAM Policy for Cloudtrail Bucket" 
  }

  workspace-dps-cloudtrail-cloudwatch-logs-role = {
    "default"     = "cloudtrail_cloudwatch_logs_role_policy.json.tpl"
    "prod"        = "cloudtrail_cloudwatch_logs_role_policy_prod.json.tpl"
    "common"      = "cloudtrail_cloudwatch_logs_role_policy_prod.json.tpl"
    "test"        = "cloudtrail_cloudwatch_logs_role_policy_test.json.tpl"
    "description" = "IAM Role for Cloudtrails Cloudwatch Logs" 
  }

  workspace-dps-cloudtrail-cloudwatch-logs-policy = {
    "default"     = "cloudtrail_cloudwatch_logs_inline_policy.json.tpl"
    "prod"        = "cloudtrail_cloudwatch_logs_inline_policy_prod.json.tpl"
    "common"      = "cloudtrail_cloudwatch_logs_inline_policy_prod.json.tpl"
    "test"        = "cloudtrail_cloudwatch_logs_inline_policy_test.json.tpl"
    "description" = "IAM Role for Cloudtrails Cloudwatch Logs" 
  }

  workspace-billing-s3-bucket-name = {
    "default"     = "dps-mdr-billing"
    "prod"        = "dps-mdr-billing-prod"
    "common"      = "dps-mdr-billing-prod"
    "test"        = "dps-mdr-billing-test"
    "description" = "S3 bucket name for Billing Logs"
  }
 
  workspace-ebs-kms-key-encryption-policy = {
    "prod"        = "ebs_root_encrypt_decrypt_policy_prod.json.tpl"
    "common"      = "ebs_root_encrypt_decrypt_policy_prod.json.tpl"
    "test"        = "ebs_root_encrypt_decrypt_policy_test.json.tpl"
  }
}

variable "alarm_namespace" {
  description = "The namespace in which all alarms are set up."
  default     = "dps-alarm-benchmark"
}

variable "cloudtrail_log_group_name" {
  description = "The name of the CloudWatch Logs group to which CloudTrail events are delivered."
  default     = "aws-cis-logs"
}

variable "sns_topic_name" {
  description = "The name of the SNS Topic which will be notified when any alarm is performed."
  default     = "dps-alarm"
}

variable "sqs_queue_name" {
  description = "The name of the SQS queue to receive alerts from cloudwatch"
  default     = "dps-alarm-sqs"
}

variable "resource_name_prefix" {
  description = "All the resources will be prefixed with this varible"
  default     = "aws-cis"
}

variable "lambda_timeout" {
  description = "Default timeout of lambda fucntions"
  default     = 180
}

variable "lambda_dry_run" {
  description = "Sets DRY_RUN environment variable for all lambda functions"
  default     = false
}

variable "lambda_aggressive" {
  description = "Sets AGGRESSIVE mode as true for lambda fucntions"
  default     = true
}

variable "lambda_mfa_checker_user_prefix" {
  description = "Comma separated list of prefixes that mfa checker lambda helper will ignore"
  default     = ""
}

variable "lambda_mfa_checker_user_suffix" {
  description = "Comma separated list of suffixes that mfa checker lambda helper will ignore"
  default     = ""
}

variable "lambda_user_inactivity_limit" {
  description = "Disable inactive users more than N days"
  default     = 90
}

variable "lambda_access_key_age_max" {
  description = "Expire access keys after N days"
  default     = 90
}

variable "lambda_access_key_age_notify" {
  description = "Start to send notifications for expiring keys N before"
  default     = 7
}

variable "lambda_cron_schedule" {
  description = "Default Cron schedule for lambda helpers"
  default     = "cron(0 6 * * ? *)"
}

variable "temp_artifacts_dir" {
  description = "The path for creating the zip file"
  default     = "/tmp/terraform-aws-cis-fundatentals/artifacts"
}

variable "iam_require_uppercase_characters" {
  description = "Require at least one uppercase letter in passwords"
  default     = true
}

variable "iam_require_lowercase_characters" {
  description = "Require at least one lowercase letter in passwords"
  default     = true
}

variable "iam_require_symbols" {
  description = "Require at least one symbol in passwords"
  default     = true
}

variable "iam_require_numbers" {
  description = "Require at least one number in passwords"
  default     = true
}

variable "iam_minimum_password_length" {
  description = "Require minimum lenght of password"
  default     = 14
}

variable "iam_password_reuse_prevention" {
  description = "Prevent password reuse N times"
  default     = 24
}

variable "iam_max_password_age" {
  description = "Passwords expire in N days"
  default     = 90
}

variable "iam_allow_users_to_change_password" {
  description = "Can users change their own password"
  default     = true
}

variable "iam_hard_expiry" {
  description = "Everyone needs hard reset for expired passwords"
  default     = true
}

variable "billing_s3_bucket_policy" {
  description = "Custom S3 bucket policy for billing logs. The default policy will be used if not defined"
  default     = ""
}

# The default policy will be used if this left empty
variable "cloudtrail_kms_policy" {
  description = "KMS policy for Cloudtrail logs."
  default     = ""
}

# "ReadOnly", "WriteOnly", "All".
variable "clodtrail_event_selector_type" {
  description = "Log type for event selectors"
  default     = "All"
}