Coalfire-CF/terraform-aws-account-setup

AWS Account Setup Terraform Module

Description

The AWS account setup module creates the initial account configuration for your project, including IAM roles, KMS keys, an S3 installs bucket, and more.

FedRAMP Compliance: High

Resource List

Resources that are created as a part of this module include:

  • IAM role, policies, and instance profile for Packer to assume during AMI creation (optional; one account can build and store AMIs and share them with other accounts)
  • KMS keys, with the IAM permissions typically required by commonly used services (S3, DynamoDB, ELB, RDS, EBS, etc.)
  • S3 buckets. The ELB Access Logs bucket is optional: with multiple accounts, you can designate one as a centralized logging account and have the other accounts send their ELB logs to that account's bucket. This is not possible for S3 access logs, whose bucket must be in the same account and region as the source bucket.
    • Set "create_s3_elb_accesslogs_bucket" to "true" when running this module in the account where the logs should be sent.
  • Security core module resources (optional; Terraform state resources don't have to be in every account)

Cross-Account Permissions

There are 3 supported configurations for IAM cross-account permissions. Sharing principally concerns S3 buckets (where applicable) and KMS key permissions.

Sharing based on an AWS Organization (recommended; easier to maintain, since permissions are granted by AWS Organization ID instead of by individual account IDs):

### Sharing ###
  is_organization                        = true # Should be "false" if setting "application_account_numbers"
  organization_id                        = "your-organization-id"

No cross-account sharing at all (standalone account):

### Sharing ###
  is_organization                        = false # Should be "false" if setting "application_account_numbers"

Set "is_organization" to "false" (the default is "true"); "application_account_numbers" and "organization_id" can then be omitted.

Sharing based on a list of AWS account IDs:

### Sharing ###
  application_account_numbers            = ["account-number1", "account-number2", "account-number3"]
  is_organization                        = false # Should be "false" if setting "application_account_numbers"
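To show why the three modes differ in maintenance effort, here is an added illustration of how each mode lands in a KMS key policy. This is not the module's own kms_base_and_sharing_permissions document; it assumes the module's inputs var.is_organization, var.organization_id, var.application_account_numbers and var.account_number are declared in the calling configuration, and in standalone mode neither dynamic block is emitted, so only the owner statement remains.

```hcl
# Added illustration, not the module's own policy document (assumptions in the lead-in).
data "aws_partition" "current" {}
locals {
  # Organization mode: one condition value; new member accounts need no policy change.
  share_by_org = var.is_organization && var.organization_id != null
  # Account-list mode: one principal ARN per account, maintained by hand in a list.
  share_by_account = !var.is_organization && length(var.application_account_numbers) > 0
  app_account_root_arns = [
    for acct in var.application_account_numbers :
    "arn:${data.aws_partition.current.partition}:iam::${acct}:root"
  ]
}
data "aws_iam_policy_document" "kms_sharing_example" {
  # Always present: the owning account administers the key.
  statement {
    sid       = "EnableRootAccountPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_number}:root"]
    }
  }
  # Organization mode: any principal in the organization may use (not administer) the key.
  dynamic "statement" {
    for_each = local.share_by_org ? [1] : []
    content {
      sid       = "AllowUseFromOrganization"
      actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = ["*"]
      }
      condition {
        test     = "StringEquals"
        variable = "aws:PrincipalOrgID"
        values   = [var.organization_id]
      }
    }
  }
  # Account-list mode: only the listed accounts may use the key.
  dynamic "statement" {
    for_each = local.share_by_account ? [1] : []
    content {
      sid       = "AllowUseFromListedAccounts"
      actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = local.app_account_root_arns
      }
    }
  }
}
```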

AWS Backups

AWS Backup selection is based on the presence of a tag and can be applied to the S3 buckets this module creates.

The configuration depends on "s3_backup_settings" and "s3_backup_policy".

Example:

### AWS Backup ###
  s3_backup_policy = "aws-backup-${var.resource_prefix}-default-policy"
  s3_backup_settings = {
    accesslogs = {
      enable_backup = true # Normally "false" because we're assuming that a SIEM will ingest and store these logs
    }
    elb-accesslogs = {
      enable_backup = true # Normally "false" because we're assuming that a SIEM will ingest and store these logs
    }
    backups = {
      enable_backup = true
    }
    installs = {
      enable_backup = true
    }
    fedrampdoc = {
      enable_backup = true
    }
    cloudtrail = {
      enable_backup = true # Normally "false" because we're assuming that a SIEM will ingest and store these logs
    }
    config = {
      enable_backup = true
    }
  }

At a minimum, "s3_backup_policy" must be defined in order for the S3 buckets to be tagged. "s3_backup_settings" is a map variable that lets you enable or disable AWS Backup on each individual S3 bucket this module creates. The default value will NOT tag the S3 Access Logs, ELB Access Logs, or CloudTrail buckets for AWS Backup. This is an opinionated default that assumes a SIEM solution will ingest and store these logs, so backing them up again would be a waste of money. If that is not true for your environment, you can override each bucket individually as shown in the example above.
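The module only tags the buckets with the value of "s3_backup_policy"; for a backup to actually run, a backup plan of that name and a tag-based selection must exist in the account. The following is an added example of that other half, not code from this module; it assumes the tag key is "backup_policy" (a placeholder, check the tag the module applies to its buckets) and that var.resource_prefix and var.backup_kms_key_arn are declared by the caller.

```hcl
# Added example, not part of this module (assumptions in the lead-in).
data "aws_partition" "current" {}

resource "aws_backup_vault" "s3" {
  name        = "${var.resource_prefix}-s3-backup-vault"
  kms_key_arn = var.backup_kms_key_arn # e.g. module.account-setup.backup_kms_key_arn
}

resource "aws_backup_plan" "s3_default" {
  # Must equal the value passed as s3_backup_policy to the module.
  name = "aws-backup-${var.resource_prefix}-default-policy"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.s3.name
    schedule          = "cron(0 5 * * ? *)"
    lifecycle {
      delete_after = 35
    }
  }
}

# Service role that AWS Backup assumes to read and copy the buckets.
resource "aws_iam_role" "backup" {
  name = "${var.resource_prefix}-aws-backup-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "backup.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "backup_s3" {
  role       = aws_iam_role.backup.name
  policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup"
}

resource "aws_backup_selection" "tagged_s3" {
  name         = "${var.resource_prefix}-tagged-s3-buckets"
  plan_id      = aws_backup_plan.s3_default.id
  iam_role_arn = aws_iam_role.backup.arn
  # Only tagged buckets are protected; buckets the module leaves untagged by
  # default (S3 access logs, ELB access logs, CloudTrail) are skipped.
  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup_policy" # placeholder tag key, see the assumption above
    value = aws_backup_plan.s3_default.name
  }
}
```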

Usage

"Management Core" account: Terraform state is stored here, Packer AMIs are built here, and it is also the Management Account for AWS Organizations:

module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"
  account_number     = "your-account-number"

  resource_prefix = "pak"

  ### Cloudtrail ###
  create_cloudtrail                      = true
  cloudwatch_log_group_retention_in_days = 30

  ### KMS ###
  additional_kms_keys = [
    {
      name   = "elasticache"
      policy = data.aws_iam_policy_document.elasticache_key_policy.json # key policy document defined by the calling configuration
    }
  ]

  ### Packer ###
  create_packer_iam = true # Packer AMIs will be built and kept in this account and shared with other accounts (the share accounts are provided to Packer as a variable at build time)

  ### Terraform ###
  create_security_core = true # Terraform state will be kept in this account

  ### Sharing ###
  is_organization                        = true # Should be "false" if setting "application_account_numbers"
  organization_id                        = "your-organization-id"

  ### AWS Backup ###
  s3_backup_policy = "aws-backup-${var.resource_prefix}-default-policy"
}

Member account: does not need Terraform state resources (S3 bucket to store state, DynamoDB table for state locking), Packer AMIs will not be built in this account, it is not the Management Account for AWS Organizations, and it does not need to share IAM permissions (S3 buckets, KMS keys) with any other account. The default configuration still creates individually owned customer managed KMS keys.

module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"
  account_number     = "your-account-number"

  resource_prefix = "pak"

  ### KMS ###
  additional_kms_keys = [
    {
      name   = "elasticache"
      policy = data.aws_iam_policy_document.elasticache_key_policy.json # key policy document defined by the calling configuration
    }
  ]

  ### Sharing ###
  is_organization = false # No cross-account sharing from this account

  ### AWS Backup ###
  s3_backup_policy = "aws-backup-${var.resource_prefix}-default-policy"
}

Requirements

Name Version
terraform >=1.10.0
aws ~> 5.0

Providers

Name Version
aws ~> 5.0

Modules

Name Source Version
additional_kms_keys github.com/Coalfire-CF/terraform-aws-kms v1.0.1
backup_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
cloudwatch_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
config_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
dynamo_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
ebs_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
ecr_kms_key github.com/Coalfire-CF/ACE-AWS-KMS v1.0.1
lambda_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
nfw_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
rds_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
s3-accesslogs github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-backups github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-cloudtrail github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-config github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-elb-accesslogs github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-fedrampdoc github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3-installs github.com/Coalfire-CF/terraform-aws-s3 v1.0.4
s3_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
security-core github.com/Coalfire-CF/terraform-aws-securitycore v0.0.22
sm_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
sns_kms_key github.com/Coalfire-CF/terraform-aws-kms v1.0.1
sqs_kms_key github.com/Coalfire-CF/ACE-AWS-KMS v1.0.1

Resources

Name Type
aws_cloudtrail.all_cloudtrail resource
aws_cloudwatch_log_group.cloudtrail_log_group resource
aws_iam_instance_profile.packer_profile resource
aws_iam_policy.cloudtrail-to-cloudwatch resource
aws_iam_policy.packer_policy resource
aws_iam_policy_attachment.cloudtrail-to-cloudwatch resource
aws_iam_policy_attachment.packer_access_attach_policy resource
aws_iam_role.cloudtrail-role resource
aws_iam_role.eks_node_role resource
aws_iam_role.packer_role resource
aws_iam_role_policy_attachment.ecr_pull_attach resource
aws_iam_role_policy_attachment.eks_cni_policy resource
aws_iam_role_policy_attachment.eks_worker_attach resource
aws_iam_service_linked_role.autoscale resource
aws_kms_grant.packer_ebs resource
aws_kms_grant.packer_s3 resource
aws_s3_bucket_policy.cloudtrail_bucket_policy resource
aws_s3_bucket_policy.config_bucket_policy resource
aws_caller_identity.current data source
aws_elb_service_account.main data source
aws_iam_policy.ecr_pull_policy data source
aws_iam_policy.eks_cni_policy data source
aws_iam_policy.eks_worker_policy data source
aws_iam_policy_document.additional_kms_keys data source
aws_iam_policy_document.cloudtrail_assume_role_policy_document data source
aws_iam_policy_document.cloudtrail_to_cloudwatch_policy_document data source
aws_iam_policy_document.cloudwatch_key data source
aws_iam_policy_document.config_key data source
aws_iam_policy_document.dynamo_key data source
aws_iam_policy_document.ebs_key data source
aws_iam_policy_document.ecr_kms_policy data source
aws_iam_policy_document.eks_assume_role_policy data source
aws_iam_policy_document.elb_accesslogs_bucket_policy data source
aws_iam_policy_document.kms_base_and_sharing_permissions data source
aws_iam_policy_document.log_bucket_policy data source
aws_iam_policy_document.packer_assume_role_policy_document data source
aws_iam_policy_document.packer_policy_document data source
aws_iam_policy_document.s3_accesslogs_bucket_policy data source
aws_iam_policy_document.s3_config_bucket_policy_doc data source
aws_iam_policy_document.s3_key data source
aws_iam_policy_document.secrets_manager_key data source
aws_iam_policy_document.sns_key data source
aws_iam_policy_document.sqs_key data source
aws_partition.current data source

Inputs

Name Description Type Default Required
account_number The AWS account number resources are being deployed into string n/a yes
additional_kms_keys a list of maps of any additional KMS keys that need to be created list(map(string)) [] no
application_account_numbers AWS account numbers for all application accounts that might need shared access to resources like KMS keys list(string) [] no
aws_region The AWS region to create resources in string n/a yes
cloudwatch_log_group_retention_in_days The number of days to retain Cloudwatch logs number 30 no
create_backup_kms_key create KMS key for AWS Backups bool true no
create_cloudtrail Whether or not to create cloudtrail resources bool false no
create_cloudwatch_kms_key create KMS key for AWS Cloudwatch bool true no
create_config_kms_key create KMS key for AWS Config bool true no
create_dynamo_kms_key create KMS key for dynamodb bool true no
create_ebs_kms_key create KMS key for ebs bool true no
create_ecr_kms_key create KMS key for ECR bool true no
create_eks_service_role Boolean to create an EKS Node Group service role bool false no
create_lambda_kms_key create KMS key for lambda bool true no
create_nfw_kms_key create KMS key for NFW bool true no
create_packer_iam Whether or not to create Packer IAM resources bool false no
create_rds_kms_key create KMS key for rds bool true no
create_s3_accesslogs_bucket Create S3 Access Logs Bucket bool true no
create_s3_backups_bucket Create S3 Backups Bucket bool true no
create_s3_config_bucket Create S3 AWS Config Bucket for conformance pack storage bool true no
create_s3_elb_accesslogs_bucket Create S3 ELB Access Logs Bucket bool true no
create_s3_fedrampdoc_bucket Create S3 FedRAMP Documents Bucket bool true no
create_s3_installs_bucket Create S3 Installs Bucket bool true no
create_s3_kms_key create KMS key for S3 bool true no
create_security_core Whether or not to create Security Core resources bool false no
create_sm_kms_key create KMS key for secrets manager bool true no
create_sns_kms_key create KMS key for SNS bool true no
create_sqs_kms_key create KMS key for SQS bool true no
default_aws_region The default AWS region to create resources in string n/a yes
is_organization Whether or not to enable certain settings for AWS Organization bool true no
kms_multi_region Indicates whether the KMS key is a multi-Region (true) or regional (false) key. bool false no
organization_id AWS Organization ID string null no
packer_additional_iam_principal_arns List of IAM Principal ARNs allowed to assume the Packer IAM Role list(string) [] no
resource_prefix The prefix for resources string n/a yes
s3_backup_policy S3 backup policy to use for S3 buckets in conjunction with AWS Backups, should match an existing policy string "" no
s3_backup_settings Map of S3 bucket types to their backup settings map(object({ enable_backup = bool })) {"accesslogs": {"enable_backup": false}, "backups": {"enable_backup": true}, "cloudtrail": {"enable_backup": false}, "config": {"enable_backup": true}, "elb-accesslogs": {"enable_backup": false}, "fedrampdoc": {"enable_backup": true}, "installs": {"enable_backup": true}} no
s3_tags Tags to be applied to S3 buckets map(any) {} no

Outputs

Name Description
additional_kms_key_arns n/a
additional_kms_key_ids n/a
backup_kms_key_arn n/a
backup_kms_key_id n/a
cloudwatch_kms_key_arn n/a
cloudwatch_kms_key_id n/a
config_kms_key_arn n/a
config_kms_key_id n/a
dynamo_kms_key_arn n/a
dynamo_kms_key_id n/a
dynamodb_table_name n/a
ebs_kms_key_arn n/a
ebs_kms_key_id n/a
ecr_kms_key_arn n/a
ecr_kms_key_id n/a
eks_node_role_arn n/a
eks_node_role_name n/a
lambda_kms_key_arn n/a
lambda_kms_key_id n/a
nfw_kms_key_arn n/a
nfw_kms_key_id n/a
packer_iam_role_arn n/a
packer_iam_role_name n/a
rds_kms_key_arn n/a
rds_kms_key_id n/a
s3_access_logs_arn n/a
s3_access_logs_id n/a
s3_backups_arn n/a
s3_backups_id n/a
s3_cloudtrail_arn n/a
s3_cloudtrail_id n/a
s3_config_arn n/a
s3_config_id n/a
s3_elb_access_logs_arn n/a
s3_elb_access_logs_id n/a
s3_fedrampdoc_arn n/a
s3_fedrampdoc_id n/a
s3_installs_arn n/a
s3_installs_id n/a
s3_kms_key_arn n/a
s3_kms_key_id n/a
s3_tstate_bucket_name n/a
sm_kms_key_arn n/a
sm_kms_key_id n/a
sns_kms_key_arn n/a
sns_kms_key_id n/a
sqs_kms_key_arn n/a
sqs_kms_key_id n/a

Contributing

If you're interested in contributing to our projects, please review the Contributing Guidelines and email our team to receive a copy of our CLA and start the onboarding process.

License

Copyright

Copyright © 2023 Coalfire Systems Inc.
