Merge pull request #1 from 3scale-ops/initial-release

Initial release of tf-aws-config

.github/ISSUE_TEMPLATE/bug.md

@@ -0,0 +1,25 @@
+---
+name: Bug Report
+about: Report a bug encountered while using the module
+title: 'bug: '
+labels: kind/bug
+
+---
+
+<!--
+Please use this template while reporting a bug and provide as much info as possible.
+Thanks!
+-->
+
+#### What happened:
+
+#### What you expected to happen:
+
+#### How to reproduce it (as minimally and precisely as possible):
+
+#### Anything else we need to know?:
+
+#### Environment:
+- Terraform version:
+- Module version:
+- Others:

.github/ISSUE_TEMPLATE/feature.md

@@ -0,0 +1,36 @@
+---
+name: Feature
+about: Default feature template
+title: 'feature: '
+labels: needs-priority, kind/feature
+assignees: ''
+
+---
+
+## Why?
+
+> A clear and concise description of what the feature tries to achieve and its context. Consider coming back to a feature request months later and being able to understand where it came for just reading this.
+
+## How?
+
+> If this has been somehow defined in the grooming, specify here. Not always required.
+
+## Requirements
+
+> The list of requirements agreed on the grooming. This list should never change in the middle of a sprint, unless approved by all team members, and only exceptionally in that case.
+
+ - [ ] requirement1
+ - [ ] requirement2
+ - [ ] ...
+
+## Acceptance Criteria
+
+> Describe how to check if some of the requirements are met, when not obvious.
+
+ - [ ] check1
+ - [ ] check2
+ - [ ] ...
+
+## Notes
+
+> Optional seccion for notes related to the feature, links, ...

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,51 @@
+<!--  Thanks for sending a pull request! -->
+
+#### What type of PR is this?
+
+<!--
+Add one of the following kinds:
+/kind bug
+/kind cleanup
+/kind documentation
+/kind feature
+/kind design
+-->
+
+#### What this PR does / why we need it:
+
+#### Which issue(s) this PR fixes:
+<!--
+*Automatically closes linked issue when PR is merged.
+Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`.
+-->
+
+Fixes #
+
+#### Special notes for your reviewer:
+
+#### Does this PR introduce a user-facing change?
+
+<!--
+If no, just write "NONE" in the release-note block below.
+If yes, a release note is required:
+Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".
+-->
+
+```release-note
+
+```
+
+#### Additional documentation e.g., usage docs, etc.:
+
+<!--
+
+This section can be blank if this pull request does not require a release note.
+
+Please use the following format for linking documentation:
+- [Usage]: <link>
+- [Other doc]: <link>
+-->
+
+```docs
+
+```

.github/workflows/format-tests.yaml

@@ -0,0 +1,19 @@
+name: format-tests
+
+on:
+  pull_request:
+
+jobs:
+
+  test:
+    runs-on: ubuntu-latest
+    container: quay.io/3scale/soyuz:v0.3.0-ci
+    steps:
+
+    - uses: actions/checkout@v2
+
+    - name: Run docs tests
+      run: make test-docs
+
+    - name: Run terraform tests
+      run: make test-terraform

.gitignore

@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Lock file
+.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*

Makefile

@@ -0,0 +1,39 @@
+TEST_DOCKER_IMAGE = quay.io/3scale/soyuz:v0.3.0-ci
+TEST_DOCKER_RUN = docker run -ti --rm -w /src -v $(PWD):/src $(TEST_DOCKER_IMAGE)
+
+help: ## Print this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+install-test-tools: ## Install test dependencies
+	GO111MODULE=on go get github.com/raviqqe/liche
+
+update-test-tools: ## Update test dependencies
+	GO111MODULE=on go get -u github.com/raviqqe/liche
+
+test: test-docs test-terraform ## Run all tests
+
+docker-test: docker-test-docs docker-test-terraform ## Run all tests with docker
+
+test-terraform: test-terraform-fmt ## Run all terraform tests
+
+docker-test-terraform: docker-test-terraform-fmt ## Run all terraform tests with docker
+
+TF_FMT_CHECK_CMD = terraform fmt -check -diff -recursive .
+
+test-terraform-fmt: ## Run terraform format test
+	$(TF_FMT_CHECK_CMD)
+
+docker-test-terraform-fmt: ## Run terraform format test with docker
+	$(TEST_DOCKER_RUN) $(TF_FMT_CHECK_CMD)
+
+test-docs: test-docs-relative-links ## Run all documentation tests
+
+docker-test-docs: docker-test-docs-relative-links ## Run all documentation tests with docker
+
+DOCS_LICHE_CMD = liche -r . --exclude http.*
+
+test-docs-relative-links: ## Run documentation relative links tests
+	$(DOCS_LICHE_CMD)
+
+docker-test-docs-relative-links: ## Run documentation relative links tests with docker
+	$(TEST_DOCKER_RUN) $(DOCS_LICHE_CMD)

OWNERS

@@ -0,0 +1,8 @@
+approvers:
+  - raelga
+  - roivaz
+  - slopezz
+reviewers:
+  - raelga
+  - roivaz
+  - slopezz

README.md

@@ -1,2 +1,24 @@
 # tf-aws-config
-Terraform module to configure aws config 
+
+[![format-tests](https://github.com/3scale-ops/tf-aws-config/workflows/format-tests/badge.svg)](https://github.com/3scale-ops/tf-aws-config/actions/workflows/format-tests.yaml?query=workflow%3Aformat-tests)
+[![license](https://badgen.net/github/license/3scale-ops/tf-aws-config)](https://github.com/3scale-ops/tf-aws-config/blob/main/LICENSE)
+
+This module tries to standarize the way we configure AWS Config in aws accounts
+
+## Outputs
+
+| Output | Description                               |
+| ------ | ----------------------------------------- |
+| config_bucket_name | Config S3 bucket name |
+
+## Contributing
+
+You can contribute by:
+
+* Raising any issues you find using the module
+* Fixing issues by opening [Pull Requests](https://github.com/3scale-ops/tf-aws-config/pulls)
+* Submitting a patch or opening a PR
+* Improving documentation
+* Talking about the module
+
+All bugs, tasks or enhancements are tracked as [GitHub issues](https://github.com/3scale-ops/tf-aws-config/issues).

main.tf

@@ -0,0 +1,143 @@
+## Label
+module "config_label" {
+  source      = "[email protected]:3scale-ops/tf-aws-label.git?ref=tags/0.1.2"
+  project     = var.project
+  environment = var.environment
+  workload    = var.workload
+  type        = "config"
+  tf_config   = var.tf_config
+}
+
+## Config bucket
+module "config_bucket" {
+  source                  = "terraform-aws-modules/s3-bucket/aws"
+  bucket                  = module.config_label.id
+  acl                     = "private"
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+  force_destroy           = true
+  attach_policy           = true
+  policy                  = data.aws_iam_policy_document.config_bucket_policy.json
+  tags                    = module.config_label.tags
+  versioning = {
+    enabled = true
+  }
+}
+
+data "aws_iam_policy_document" "config_bucket_policy" {
+  statement {
+    sid = "AWSConfigBucketPermissionsCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:GetBucketAcl",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${module.config_label.id}",
+    ]
+  }
+
+  statement {
+    sid = "AWSConfigBucketExistenceCheck"
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:ListBucket",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${module.config_label.id}",
+    ]
+  }
+
+  statement {
+    sid = "AWSConfigBucketDelivery"
+
+    principals {
+      type        = "Service"
+      identifiers = ["config.amazonaws.com"]
+    }
+
+    actions = [
+      "s3:PutObject",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${module.config_label.id}/*",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "s3:x-amz-acl"
+
+      values = [
+        "bucket-owner-full-control",
+      ]
+    }
+  }
+}
+
+## SNS
+#resource "aws_sns_topic" "config" {
+#  name = module.config_label.id
+#}
+#
+#data "aws_iam_policy_document" "config_sns_policy" {
+#  statement {
+#    effect = "Allow"
+#    principals {
+#      type        = "AWS"
+#      identifiers = [module.config.aws_config_role_arn]
+#    }
+#    actions   = ["SNS:Publish"]
+#    resources = [aws_sns_topic.config.arn]
+#  }
+#}
+#
+#resource "aws_sns_topic_policy" "config" {
+#  arn    = aws_sns_topic.config.arn
+#  policy = data.aws_iam_policy_document.config_sns_policy.json
+#}
+#
+#resource "aws_sns_topic_subscription" "email" {
+#  topic_arn = aws_sns_topic.config.arn
+#  protocol  = "email"
+#  endpoint  = "var.email"
+#}
+
+## Config
+module "config" {
+  source             = "trussworks/config/aws"
+  version            = "4.3.0"
+  config_name        = module.config_label.id
+  config_logs_bucket = module.config_bucket.this_s3_bucket_id
+  #config_sns_topic_arn                     = aws_sns_topic.config.arn
+  check_cloud_trail_encryption             = true
+  check_cloud_trail_log_file_validation    = true
+  check_multi_region_cloud_trail           = true
+  check_guard_duty                         = true
+  check_mfa_enabled_for_iam_console_access = true
+  check_root_account_mfa_enabled           = true
+  check_rds_public_access                  = true
+  check_s3_bucket_ssl_requests_only        = false
+  tags                                     = module.config_label.tags
+}
+
+# Delete all default rules from default SG of default VPC
+resource "aws_default_vpc" "default" {
+}
+
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_default_vpc.default.id
+}

outputs.tf

@@ -0,0 +1,3 @@
+output "config_bucket_name" {
+  value = module.config_bucket.this_s3_bucket_id
+}