
Nonfunctional. Submodules.

Gogs 5 jaren geleden
bovenliggende
commit
88fc9139ff

+ 1 - 0
sample/caller.tf

@@ -1 +1,2 @@
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

+ 34 - 0
sample/child_accounts.all_regions.tf

@@ -0,0 +1,34 @@
+# Run the child account module for each additional profile
+module "child-monkeybox-test1-us-east-2" {
+  source = "./child_accounts.all_regions"
+
+  providers = {
+    aws = "aws.monkeybox-test1-us-east-2"
+    aws.fcm-security-account = "aws"
+  }
+
+  security_account = "${data.aws_caller_identity.current.account_id}"
+}
+
+module "child-monkeybox-test1-us-east-1" {
+  source = "./child_accounts.all_regions"
+
+  providers = {
+    aws = "aws.monkeybox-test1-us-east-1"
+    aws.fcm-security-account = "aws"
+  }
+
+  security_account = "${data.aws_caller_identity.current.account_id}"
+}
+
+module "child-monkeybox-test1-us-west-1" {
+  source = "./child_accounts.all_regions"
+
+  providers = {
+    aws = "aws.monkeybox-test1-us-west-1"
+    aws.fcm-security-account = "aws"
+  }
+
+  security_account = "${data.aws_caller_identity.current.account_id}"
+}
+
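Review bot: Every instance here maps `aws.fcm-security-account = "aws"`, which in the root is the security-account provider pinned to us-east-2 (L274-L279), while the instance's default provider is a different region per module call. The module's `aws_cloudwatch_event_permission` (L110-L114) is therefore always granted on the security account's us-east-2 bus, yet the event targets it is meant to authorize point at the bus in `data.aws_region.current.name` (L91, L101), so the us-east-1 and us-west-1 rules deliver to a bus that has no permission for this account. The root already declares per-region security-account aliases (L284-L298); each instance should pass the matching one, e.g. `aws.fcm-security-account = aws.fcm-security-account-us-east-1` for the us-east-1 instance. Whether the security account also has consuming rules on its non-default-region buses is not visible on this page.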

+ 3 - 0
sample/child_accounts.all_regions/README.md

@@ -0,0 +1,3 @@
+# Contains files and resources necessary for all child accounts.
+
+`all_regions` subdirectory contains resources needed in all regions, as well.

+ 0 - 0
sample/security_account/all_regions/backend.tf → sample/child_accounts.all_regions/backend.tf


+ 1 - 0
sample/security_account/all_regions/caller.tf → sample/child_accounts.all_regions/caller.tf

@@ -1 +1,2 @@
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

+ 5 - 3
sample/child_accounts/cloudwatch.tf → sample/child_accounts.all_regions/cloudwatch.tf

@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_event_rule" "fcm-event-DisableEbsEncryptionByDefault" {
   name        = "fcm-event-DisableEbsEncryptionByDefault"
-  description = "FCM Compliance for EbsEncryptionByDefault Event - ${var.eventbusid}"
+  description = "FCM Compliance for EbsEncryptionByDefault Event"
 
   event_pattern = <<PATTERN
 {
@@ -25,7 +25,8 @@ PATTERN
 resource "aws_cloudwatch_event_target" "fcm-event-DisableEbsEncryptionByDefault" {
   rule      = "${aws_cloudwatch_event_rule.fcm-event-DisableEbsEncryptionByDefault.name}"
   target_id = "fcm-security-account-eventbus"
-  arn       = "arn:aws:events:us-east-2:${var.security_account}:event-bus/default"
+  arn       = "arn:aws:events:${data.aws_region.current.name}:${var.security_account}:event-bus/default"
+  depends_on = [ "aws_cloudwatch_event_permission.CrossAccount" ]
 }
 
 resource "aws_cloudwatch_event_rule" "fcm-event-EnableEbsEncryptionByDefault" {
@@ -55,5 +56,6 @@ PATTERN
 resource "aws_cloudwatch_event_target" "fcm-event-EnableEbsEncryptionByDefault" {
   rule      = "${aws_cloudwatch_event_rule.fcm-event-EnableEbsEncryptionByDefault.name}"
   target_id = "fcm-security-account-eventbus"
-  arn       = "arn:aws:events:us-east-2:${var.security_account}:event-bus/default"
+  arn       = "arn:aws:events:${data.aws_region.current.name}:${var.security_account}:event-bus/default"
+  depends_on = [ "aws_cloudwatch_event_permission.CrossAccount" ]
 }
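Review bot: The added `depends_on = [ "aws_cloudwatch_event_permission.CrossAccount" ]` lines (L92, L102) use quoted string references, which Terraform 0.12 (the version implied by `list(string)` at L141) accepts only with a deprecation warning and later releases reject; write them as `depends_on = [aws_cloudwatch_event_permission.CrossAccount]`. The same quoting appears in the `providers` maps at L26-L27, L37-L38, L48-L49, L165-L166, L330-L331, L345-L346, L360-L361 and L421, where the neighbouring L420 and L422 already use the unquoted form, so the file set is currently mixed. The first hunk's `resource` block at L79 continues past the hunk end.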

+ 6 - 0
sample/child_accounts.all_regions/eventbus.tf

@@ -0,0 +1,6 @@
+# Allow this account to publish to the master account event bus
+resource "aws_cloudwatch_event_permission" "CrossAccount" {
+  principal    = "${data.aws_caller_identity.current.account_id}"
+  statement_id = "monkeybox-test-1"
+  provider = aws.fcm-security-account
+}
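Review bot: `statement_id = "monkeybox-test-1"` is a constant, but this resource is instantiated once per region by the three module calls at L22-L53, all of which currently route `aws.fcm-security-account` to the same root provider, so the second and third instances attempt to add a second statement with the same ID to the same event bus. Deriving the ID from the caller, e.g. `statement_id = "fcm-child-${data.aws_caller_identity.current.account_id}-${data.aws_region.current.name}"` (constructed), keeps it unique per child account and region and also survives onboarding a second child account through this module. Granting `principal` to the whole child account is the intended scope here; a short comment stating that the two data sources resolve under the child's default provider while the resource itself is created in the security account would save the next reader the provider-map lookup.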

+ 14 - 0
sample/child_accounts.all_regions/provider.tf

@@ -0,0 +1,14 @@
+#provider "aws" {
+#  profile = "${var.account_profile}"
+#  # Specify keys if not provided by shared crednentials file
+#  #  access_key = "${var.access_key}"
+#  #  secret_key = "${var.secret_key}"
+#  region     = "us-east-2"
+#}
+
+provider "aws" {
+}
+
+provider "aws" {
+  alias = "fcm-security-account"
+}
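Review bot: The new file carries the previous provider block commented out at L120-L126, including the `access_key`/`secret_key` placeholder lines; now that the module receives both providers from the caller this is dead text that only invites someone to re-enable static credentials inside a module, and the same block is kept commented at L229-L235. Delete it and explain the two empty blocks instead, e.g. `# Proxy configuration blocks: both providers are supplied by the calling module's providers map.` The typo `crednentials` would go with it.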

+ 5 - 0
sample/child_accounts.all_regions/supported_regions.tf

@@ -0,0 +1,5 @@
+variable "supported_regions" {
+  description = "The list of regions to monitor. Each additional region will increase costs slightly."
+  type = list(string)
+  default = [ "us-east-1", "us-east-2", "us-west-1" ]
+}
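Review bot: `supported_regions` is declared with a default of three regions but is not referenced by any file of this module shown on the page; the region coverage is instead fixed by the three explicit per-region module instances at L22-L53. An unused input whose description promises cost control is misleading; either drop it, or document in the `description` that it is informational only, since a Terraform 0.12 module call cannot iterate providers and the instances have to stay explicit.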

+ 4 - 0
sample/child_accounts.all_regions/vars.tf

@@ -0,0 +1,4 @@
+variable "security_account" {
+  description = "The Account ID of the Security Account"
+  type = string
+}

+ 7 - 3
sample/child_accounts.tf

@@ -1,8 +1,12 @@
 # Run the child account module for each additional profile
-module "child1" {
+module "child-monkeybox-test1" {
   source = "./child_accounts"
-  account_profile = "monkeybox-test1"
+
+  providers = {
+    aws = "aws.monkeybox-test1-us-east-2"
+    aws.fcm-security-account = "aws"
+  }
+
   security_account = "${data.aws_caller_identity.current.account_id}"
-  eventbusid = "${module.security_account.event_bus_dependency}" # Workaround for no depends_on
 }
 

+ 1 - 0
sample/child_accounts/caller.tf

@@ -1 +1,2 @@
 data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

+ 0 - 39
sample/child_accounts/iam.shared.tf

@@ -1,39 +0,0 @@
-resource "aws_iam_policy" "fcm-lambda-base" {
-  name        = "fcm-lambda-base"
-  path        = "/fcm/"
-  description = "FCM policy for EbsEncryptionByDefault Enforcement Analysis"
-
-  policy = <<LAMBDABASE
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "logs:CreateLogGroup",
-            "Resource": "arn:aws:logs:us-east-2:${data.aws_caller_identity.current.account_id}:log-group:*"
-        },
-        {
-            "Effect": "Allow",
-            "Action": [
-                "logs:CreateLogStream",
-                "logs:PutLogEvents"
-            ],
-            "Resource": "arn:aws:logs:us-east-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"
-        },
-        {
-            "Sid": "FCMRequiredAccess",
-            "Effect": "Allow",
-            "Action": [
-                "kms:Decrypt",
-                "kms:GenerateDataKey*",
-                "sqs:ReceiveMessage",
-                "sqs:DeleteMessage",
-                "sqs:GetQueueAttributes"
-            ],
-            "Resource": "*"
-         }
-     ]
-}
-LAMBDABASE
-}
-

+ 12 - 5
sample/child_accounts/provider.tf

@@ -1,7 +1,14 @@
+#provider "aws" {
+#  profile = "${var.account_profile}"
+#  # Specify keys if not provided by shared crednentials file
+#  #  access_key = "${var.access_key}"
+#  #  secret_key = "${var.secret_key}"
+#  region     = "us-east-2"
+#}
+
 provider "aws" {
-  profile = "${var.account_profile}"
-  # Specify keys if not provided by shared crednentials file
-  #  access_key = "${var.access_key}"
-  #  secret_key = "${var.secret_key}"
-  region     = "us-east-2"
+}
+
+provider "aws" {
+  alias = "fcm-security-account"
 }

+ 0 - 10
sample/child_accounts/vars.tf

@@ -1,14 +1,4 @@
-variable "account_profile" {
-  description = "The name of the account profile to use, passed in from the module call."
-  type = string
-}
-
 variable "security_account" {
   description = "The Account ID of the Security Account"
   type = string
 }
-
-variable "eventbusid" {
-  description = "Just a dependency."
-  type = string
-}

+ 42 - 0
sample/provider.tf

@@ -1,7 +1,49 @@
+# The default AWS provider is used when the provider is not specified, and defaults
+# to the security account in the default region.
 provider "aws" {
   profile = "fcm-security-account"
   # Specify keys if not provided by shared crednentials file
   #  access_key = "${var.access_key}"
   #  secret_key = "${var.secret_key}"
   region     = "us-east-2"
+  version = "~> 2.29" # Probably only need this one
+}
+
+### Security Account - Other Regions
+provider "aws" {
+  profile = "fcm-security-account"
+  region     = "us-east-1"
+  alias = "fcm-security-account-us-east-1"
+}
+provider "aws" {
+  profile = "fcm-security-account"
+  region     = "us-east-2"
+  alias = "fcm-security-account-us-east-2"
+}
+provider "aws" {
+  profile = "fcm-security-account"
+  region     = "us-west-1"
+  alias = "fcm-security-account-us-west-1"
+}
+
+### Child Accounts
+provider "aws" {
+  profile = "monkeybox-test1"
+  region     = "us-east-1"
+  alias = "monkeybox-test1-us-east-1"
+}
+provider "aws" {
+  profile = "monkeybox-test1"
+  region     = "us-east-2"
+  alias = "monkeybox-test1-us-east-2"
+}
+provider "aws" {
+  profile = "monkeybox-test1"
+  region     = "us-west-1"
+  alias = "monkeybox-test1-us-west-1"
+}
+
+### Generic Providers
+provider "archive" {
+  version = "~> 1.2"
 }

+ 20 - 6
sample/security_account/all_regions.tf → sample/security_account.all_regions.tf

@@ -1,24 +1,38 @@
 module "all_regions-us-east-2" {
-  source = "./all_regions"
+  source = "./security_account.all_regions"
+  providers = {
+    aws = "aws.fcm-security-account-us-east-2"
+    aws.fcm-security-account = "aws"
+  }
+
   security_account = "${data.aws_caller_identity.current.account_id}"
   security_region = "${data.aws_region.current.name}"
-
   dest_region = "us-east-2"
 }
 
 module "all_regions-us-east-1" {
-  source = "./all_regions"
+  source = "./security_account.all_regions"
+
+  providers = {
+    aws = "aws.fcm-security-account-us-east-1"
+    aws.fcm-security-account = "aws"
+  }
+
   security_account = "${data.aws_caller_identity.current.account_id}"
   security_region = "${data.aws_region.current.name}"
-
   dest_region = "us-east-1"
 }
 
 module "all_regions_us-west-1" {
-  source = "./all_regions"
+  source = "./security_account.all_regions"
+
+  providers = {
+    aws = "aws.fcm-security-account-us-west-1"
+    aws.fcm-security-account = "aws"
+  }
+
   security_account = "${data.aws_caller_identity.current.account_id}"
   security_region = "${data.aws_region.current.name}"
-
   dest_region = "us-west-1"
 }
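Review bot: The module instances still pass `dest_region` (L337, L352, L367), but the only consumer visible on this page was the module's own provider block `region = "${var.dest_region}"`, deleted at L445-L448; the region is now selected by the `providers` map instead. Unless a file not shown here reads `var.dest_region`, the input is redundant and can silently disagree with the alias it sits next to (e.g. `dest_region = "us-east-2"` alongside `aws.fcm-security-account-us-east-1`); drop it, or have the module derive the region from `data.aws_region.current` as cloudwatch.tf already does. The renamed vars.tf at L407 presumably still declares it.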
 

+ 10 - 0
sample/security_account.all_regions/backend.tf

@@ -0,0 +1,10 @@
+terraform {
+  backend "s3" {
+    bucket = "fcm-terraform-state"
+    key    = "global/s3/terraform.tfstate"
+    region = "us-east-2"
+    encrypt = true
+    kms_key_id = "alias/terraform"
+    profile = "fcm-security-account"
+  }
+}
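Review bot: This `terraform { backend "s3" {...} }` block lives in a child module directory (the path is referenced as `source = "./security_account.all_regions"` at L328); backend configuration is only honoured in the root module, so this block does not decide where state is stored and, depending on the Terraform version, is ignored or reported by `terraform init`. If it was copied from the root for reference it should be removed, and the same likely applies to the renamed `child_accounts.all_regions/backend.tf` at L65, whose content is not shown. The `encrypt = true` and `kms_key_id` settings only take effect in the root's backend block.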

+ 2 - 0
sample/security_account.all_regions/caller.tf

@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}

+ 0 - 0
sample/security_account/all_regions/cloudwatch.tf → sample/security_account.all_regions/cloudwatch.tf


+ 4 - 0
sample/security_account.all_regions/provider.tf

@@ -0,0 +1,4 @@
+provider "aws" { }
+provider "aws" {
+  alias = "fcm-security-account"
+}
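Review bot: `provider "aws" { }` on one line differs from the multi-line empty block used for the same proxy configuration in the sibling modules (L128-L129, L237 and L243, L463-L466); pick one form across the provider.tf files. An empty provider block is unusual enough to deserve a comment, e.g. `# Proxy configuration blocks: both providers are supplied by the caller's providers map.`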

+ 0 - 0
sample/security_account/all_regions/vars.tf → sample/security_account.all_regions/vars.tf


+ 7 - 1
sample/security_account.tf

@@ -1,4 +1,10 @@
-# Run the child account module for each additional profile
+# Run the security account modules
 module "security_account" {
   source = "./security_account"
+
+  providers = {
+    aws = aws
+    aws.fcm-security-account = "aws"
+    archive = archive
+  }
 }

+ 0 - 10
sample/security_account/all_regions/eventbus.tf

@@ -1,10 +0,0 @@
-# Allow other accounts to publish to the master account event bus
-resource "aws_cloudwatch_event_permission" "CrossAccount030704852046" {
-  principal    = "030704852046"
-  statement_id = "monkeybox-test-1"
-}
-
-output "event_bus_dependency" {
-  value = "${aws_cloudwatch_event_permission.CrossAccount030704852046.id}"
-  depends_on = [aws_cloudwatch_event_permission.CrossAccount030704852046]
-}

+ 0 - 4
sample/security_account/all_regions/provider.tf

@@ -1,4 +0,0 @@
-provider "aws" {
-  profile = "fcm-security-account"
-  region     = "${var.dest_region}"
-}

+ 0 - 4
sample/security_account/outputs.tf

@@ -1,4 +0,0 @@
-output "event_bus_dependency" {
-  value = "${module.all_regions-us-east-2.event_bus_dependency}"
-  depends_on = [ module.all_regions-us-east-2 ]
-}

+ 5 - 2
sample/security_account/provider.tf

@@ -1,4 +1,7 @@
 provider "aws" {
-  profile = "fcm-security-account"
-  region  = "us-east-2"
 }
+
+provider "aws" {
+  alias = "fcm-security-account"
+}
+