Merge pull request #14 from confusdcodr/kms-integration

kms integration & managed rules on default security groups

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.0.1
+current_version = 0.0.2
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,9 +4,21 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 0.0.2
+
+**Commit Delta**: [Change from 0.0.1 release](https://github.com/plus3it/tardigrade/compare/0.0.1...0.0.2)
+
+**Released**: 2020.01.02
+
+**Summary**:
+
+*   Update cloudtrail version which integrates kms
+*   Remove rules from default vpc's default security group
+*   Remove 0.0.0.0/0 rule from the created vpc's default security group
+
 ### 0.0.1
 
-**Commit Delta**: 
+**Commit Delta**: [Change from 0.0.0 release](https://github.com/plus3it/tardigrade/compare/0.0.0...0.0.1)
 
 **Released**: 2019.10.28
 

Makefile

@@ -106,7 +106,7 @@ json/format: | guard/program/jq
 	@ echo "[$@]: Successfully formatted JSON files!"
 
 tfdocs-awk/install: $(BIN_DIR)
-tfdocs-awk/install: ARCHIVE := https://github.com/plus3it/tfdocs-awk/archive/0.0.1.tar.gz
+tfdocs-awk/install: ARCHIVE := https://github.com/plus3it/tfdocs-awk/archive/0.0.2.tar.gz
 tfdocs-awk/install:
 	$(CURL) $(ARCHIVE) | tar -C $(BIN_DIR) --strip-components=1 --wildcards '*.sh' --wildcards '*.awk' -xzvf -
 

tardigrade/aws/tenant-global.tfvars.yaml

@@ -4,3 +4,14 @@ keystore_bucket: tardigrade-keystore
 vpcflowlog_bucket: tardigrade-vpc-flow-log
 cloudtrail_bucket: tardigrade-cloudtrail
 config_bucket: tardigrade-config
+vpc_module_sg_ingress_rules:
+  - from_port: 0
+    to_port: 0
+    protocol: -1
+    self: true
+
+vpc_module_sg_egress_rules:
+  - from_port: 0
+    to_port: 0
+    protocol: -1
+    self: true

tardigrade/roots/aws/baseline/main.tf

@@ -199,7 +199,7 @@ locals {
   # setup users to be created
   users = [{
     name = "alpha",
-  },{
+    }, {
     name = "beta",
   }]
 }
@@ -334,7 +334,7 @@ module "cloudtrail_bucket" {
 }
 
 module "cloudtrail" {
-  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail.git?ref=1.0.1"
+  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-cloudtrail.git?ref=2.2.2"
 
   providers = {
     aws = aws
@@ -417,3 +417,83 @@ module "inspector" {
   schedule         = "rate(7 days)"
   tags             = local.tags
 }
+
+##### MANAGING DEFAULT RESOURCES #####
+### DEFAULT VPC ###
+data "aws_vpc" "default" {
+  default = true
+}
+
+### DEFAULT SECURITY GROUPS ###
+#default vpc security group
+resource "aws_default_security_group" "default" {
+  vpc_id = data.aws_vpc.default.id
+
+  dynamic "ingress" {
+    for_each = var.default_vpc_sg_ingress_rules
+    content {
+      cidr_blocks      = lookup(ingress.value, "cidr_blocks", null)
+      description      = lookup(ingress.value, "description", null)
+      from_port        = lookup(ingress.value, "from_port", null)
+      ipv6_cidr_blocks = lookup(ingress.value, "ipv6_cidr_blocks", null)
+      prefix_list_ids  = lookup(ingress.value, "prefix_list_ids", null)
+      protocol         = lookup(ingress.value, "protocol", null)
+      security_groups  = lookup(ingress.value, "security_groups", null)
+      self             = lookup(ingress.value, "self", null)
+      to_port          = lookup(ingress.value, "to_port", null)
+    }
+  }
+
+  dynamic "egress" {
+    for_each = var.default_vpc_sg_egress_rules
+    content {
+      cidr_blocks      = lookup(egress.value, "cidr_blocks", null)
+      description      = lookup(egress.value, "description", null)
+      from_port        = lookup(egress.value, "from_port", null)
+      ipv6_cidr_blocks = lookup(egress.value, "ipv6_cidr_blocks", null)
+      prefix_list_ids  = lookup(egress.value, "prefix_list_ids", null)
+      protocol         = lookup(egress.value, "protocol", null)
+      security_groups  = lookup(egress.value, "security_groups", null)
+      self             = lookup(egress.value, "self", null)
+      to_port          = lookup(egress.value, "to_port", null)
+    }
+  }
+  revoke_rules_on_delete = var.default_vpc_revoke_rules_on_delete
+  tags                   = var.tags
+}
+
+resource "aws_default_security_group" "this" {
+  vpc_id = module.vpc.vpc_id
+
+  dynamic "ingress" {
+    for_each = var.vpc_module_sg_ingress_rules
+    content {
+      cidr_blocks      = lookup(ingress.value, "cidr_blocks", null)
+      description      = lookup(ingress.value, "description", null)
+      from_port        = lookup(ingress.value, "from_port", null)
+      ipv6_cidr_blocks = lookup(ingress.value, "ipv6_cidr_blocks", null)
+      prefix_list_ids  = lookup(ingress.value, "prefix_list_ids", null)
+      protocol         = lookup(ingress.value, "protocol", null)
+      security_groups  = lookup(ingress.value, "security_groups", null)
+      self             = lookup(ingress.value, "self", null)
+      to_port          = lookup(ingress.value, "to_port", null)
+    }
+  }
+
+  dynamic "egress" {
+    for_each = var.vpc_module_sg_egress_rules
+    content {
+      cidr_blocks      = lookup(egress.value, "cidr_blocks", null)
+      description      = lookup(egress.value, "description", null)
+      from_port        = lookup(egress.value, "from_port", null)
+      ipv6_cidr_blocks = lookup(egress.value, "ipv6_cidr_blocks", null)
+      prefix_list_ids  = lookup(egress.value, "prefix_list_ids", null)
+      protocol         = lookup(egress.value, "protocol", null)
+      security_groups  = lookup(egress.value, "security_groups", null)
+      self             = lookup(egress.value, "self", null)
+      to_port          = lookup(egress.value, "to_port", null)
+    }
+  }
+  revoke_rules_on_delete = var.vpc_module_revoke_rules_on_delete
+  tags                   = var.tags
+}

tardigrade/roots/aws/baseline/variables.tf

@@ -113,3 +113,40 @@ variable "config_bucket_versioning" {
   description = "Whether versioning is enabled on parent config bucket"
   default     = false
 }
+
+##### SECURITY GROUP VARIABLES #####
+variable "default_vpc_sg_ingress_rules" {
+  description = "A schema list of ingress rules for the default vpc's default security group, see https://www.terraform.io/docs/providers/aws/r/security_group.html#ingress"
+  type        = list
+  default     = []
+}
+
+variable "default_vpc_sg_egress_rules" {
+  description = "A schema list of egress rules for the default vpc's default security group, see https://www.terraform.io/docs/providers/aws/r/security_group.html#egress"
+  type        = list
+  default     = []
+}
+
+variable "default_vpc_revoke_rules_on_delete" {
+  description = "Determines whether to forcibly remove rules when destroying the default vpc's default security group"
+  type        = string
+  default     = false
+}
+
+variable "vpc_module_sg_ingress_rules" {
+  description = "A schema list of ingress rules for the vpc module's default security group, see https://www.terraform.io/docs/providers/aws/r/security_group.html#ingress"
+  type        = list
+  default     = []
+}
+
+variable "vpc_module_sg_egress_rules" {
+  description = "A schema list of egress rules for the vpc module's default security group, see https://www.terraform.io/docs/providers/aws/r/security_group.html#egress"
+  type        = list
+  default     = []
+}
+
+variable "vpc_module_revoke_rules_on_delete" {
+  description = "Determines whether to forcibly remove rules when destroying the vpc module's default security group"
+  type        = string
+  default     = false
+}

tests/example_testcase/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version  = "~> 0.11.0"
+  required_version = "~> 0.11.0"
 }
 
 module "example" {