Terraform AWS CloudAccess LZA

Description

The purpose of this module is to provision the baseline requirements for a landing zone environment, and to provide a pattern moving forward for pipeline access.

Usage

Add example usage here

## Provision the Landing Zone Access permissions
module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network    = var.aws_accounts["network"]
    management = var.aws_accounts["management"]
  }
  repositories = {
    accelerator_repository_url  = var.landing_zone_repositories.accelerator_repository_url
    connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
    firewall_repository_url     = var.landing_zone_repositories.firewall_repository_url
    identity_repository_url     = var.landing_zone_repositories.identity_repository_url
  }
  tags = var.tags

  providers = {
    management = aws.management
    network    = aws.network
  }
}

CIS Alarms & Notifications

This module can configure CIS alarms and notifications. To enable this functionality, set the enable_cis_alarms variable to true. These will use a CloudWatch log group, defaulting to the AWS Control Tower organizational trail. In order to receive notifications on this events

1. Use the notifications_emails variable to specify a list of email addresses to send notifications to.

enable_cis_alarms = true
notifications_emails = ["security@example.com"]

For notifications to slack

1. Create a JSON secret lza/cloudaccess/alarms in AWS Secrets Manager with the following format:

{
  "webhook_url": "https://hooks.slack.com/services/..."
  "channel": "cloud-notifications"
}

2. Use the slack_notification_secret_name variable to specify the name of the secret in AWS Secrets Manager that contains the Slack webhook URL.

enable_cis_alarms = true
notification_secret_name = "lza/cloudaccess/alarms"

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

1. Make changes to the .terraform-docs.yml file
2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Requirements

Name	Version
terraform	>= 1.1.4
aws	~> 5.0

Providers

Name	Version
aws	5.47.0
aws.management	5.47.0
aws.network	5.47.0

Modules

Name	Source	Version
alarm_baseline	appvia/alarm-baseline/aws	0.1.6
cost_management	appvia/oidc/aws//modules/role	1.2.1
default_boundary	appvia/boundary-stack/aws	0.1.5
management_landing_zone	appvia/oidc/aws//modules/role	1.2.1
management_sso_identity	appvia/oidc/aws//modules/role	1.2.1
network_inspection_vpc_admin	appvia/oidc/aws//modules/role	1.2.1
network_transit_gateway_admin	appvia/oidc/aws//modules/role	1.2.1
permissive_boundary	appvia/boundary-stack/aws	0.1.5

Resources

Name	Type
aws_cloudformation_stack.aws_support_stack_instance_management_account	resource
aws_cloudformation_stack_set.aws_support_stack	resource
aws_cloudformation_stack_set.identity_stackset	resource
aws_cloudformation_stack_set_instance.aws_support_stack_instance	resource
aws_cloudformation_stack_set_instance.identity_stack	resource
aws_iam_group.breakglass	resource
aws_iam_group_policy_attachment.breakglass	resource
aws_iam_group_policy_attachment.test-attach	resource
aws_iam_policy.breakglass	resource
aws_iam_policy.code_contributor	resource
aws_iam_policy.code_release	resource
aws_iam_policy.cost_iam_boundary	resource
aws_iam_policy.costs_admin	resource
aws_iam_policy.costs_viewer	resource
aws_iam_policy.ipam_admin	resource
aws_iam_policy.user_management	resource
aws_iam_user.breakglass	resource
aws_iam_user_group_membership.breakglass	resource
aws_caller_identity.current	data source
aws_iam_policy_document.breakglass	data source
aws_organizations_organization.current	data source
aws_region.current	data source
aws_secretsmanager_secret.notification	data source
aws_secretsmanager_secret_version.notification	data source

Inputs

Name	Description	Type	Default	Required
aws_accounts	Map of AWS account names to their account IDs	object({ network_account_id = optional(string, "") remoteaccess_account_id = optional(string, "") })	n/a	yes
aws_support_role_name	Name of the AWS Support role	string	"AWSSupportAccess"	no
breakglass_users	The number of breakglass users to create	number	2	no
cloudaccess_terraform_state_ro_policy_name	Name of the IAM policy to attach to the CloudAccess Terraform state role	string	"lza-cloudaccess-tfstate-ro"	no
cloudaccess_terraform_state_rw_policy_name	Name of the IAM policy to attach to the CloudAccess Terraform state role	string	"lza-cloudaccess-tfstate-rw"	no
costs_boundary_name	Name of the IAM policy to use as a permissions boundary for cost-related roles	string	"lza-costs-boundary"	no
default_permissions_boundary_name	Name of the default IAM policy to use as a permissions boundary	string	"lza-default-boundary"	no
enable_aws_support	Indicates if we should enable AWS Support role	bool	true	no
enable_breakglass	Indicates if we should enable breakglass users and group	bool	false	no
enable_cis_alarms	Indicates if we should enable CIS alerts	bool	true	no
enable_slack_notifications	Indicates if we should enable Slack notifications	bool	false	no
enable_teams_notifications	Indicates if we should enable Teams notifications	bool	false	no
notification_emails	List of email addresses to send notifications to	list(string)	[]	no
notification_secret_name	Name of the secret in AWS Secrets Manager that contains the secrets for notifications	string	""	no
permissive_permissions_boundary_name	Name of the permissive IAM policy to use as a permissions boundary	string	"lza-permissive-boundary"	no
repositories	List of repository locations for the pipelines	object({ accelerator = optional(object({ url = string role_name = optional(string, "lza-accelerator") }), null) connectivity = optional(object({ url = string role_name = optional(string, "lza-connectivity") }), null) cost_management = optional(object({ url = string role_name = optional(string, "lza-cost-management") }), null) firewall = optional(object({ url = string role_name = optional(string, "lza-firewall") }), null) identity = optional(object({ url = string role_name = optional(string, "lza-identity") }), null) })	{}	no
scm_name	Name of the source control management system (github or gitlab)	string	"github"	no
tags	Tags to apply to all resources	map(string)	n/a	yes

Outputs

Name	Description
cloudaccess_terraform_state_ro_policy_name	Name of the IAM policy to attach to the CloudAccess Terraform state role
cloudaccess_terraform_state_rw_policy_name	Name of the IAM policy to attach to the CloudAccess Terraform state role
default_permission_boundary_name	The name of the default permissions iam boundary
default_permissive_boundary_name	The name of the default permissive iam boundary
identity_role_ro_name	The name of the IAM readonly role which can be assumed by the identity stack in all accounts
identity_role_rw_name	The name of the IAM readwrite role which can be assumed by the identity stack in all accounts
identity_stack_name	The name of the identity stack