schubergphilis/terraform-aws-mcaf-landing-zone

terraform-aws-mcaf-landing-zone

Terraform module to set up and manage various components of the SBP AWS Landing Zone.

Overview of Landing Zone tools & services:

The SBP AWS Landing Zone consists of 3 repositories:

Pre-Requisites

Important

Before deploying this module, ensure the following pre-requisites are met:

  • AWS Control Tower is deployed in the core-management account.
  • AWS Control Tower governed regions include at least us-east-1 (and your designated home region).

Basic configuration

Refer to examples/basic for an example of minimal setup.

Specifying the correct regions

Home Region

The mandatory regions.home_region variable specifies the AWS Control Tower home region. This must match the region defined in your AWS provider that deploys this module.

To find your home region:

  1. Log in to the core-management account.
  2. Navigate to AWS Control Tower → Landing Zone Settings.
  3. The home region is listed under Home Region.

Linked Regions

The optional regions.linked_regions variable defines the AWS Control Tower governed regions. This module ensures proper configuration of AWS Security Hub and AWS Config for all specified linked regions to collect data from them.

To find your linked regions:

  1. Log in to the core-management account.
  2. Navigate to AWS Control Tower → Landing Zone Settings.
  3. Linked regions are listed under Landing Zone Regions.

Note: By default, us-east-1 is included as a linked region to ensure data collection from global services. To restrict deployment of non-global resources in this region, use the allowed_regions functionality described in the section below.

Important

All specified linked regions need to be an AWS Control Tower governed region. This ensures that an AWS Config recorder is enabled by AWS Control Tower in all governed regions. AWS Security Hub will only function correctly if an AWS Config recorder exists in all linked regions.

Allowed Regions

The optional regions.allowed_regions variable defines the allowed regions within your AWS Organization. This triggers the deployment of a Service Control Policy (SCP), which is attached to the root of your AWS Organization.

Configuration Scenarios

Scenario 1: Home region only (no deployment in other regions)

  • Home region: eu-central-1
  • Requirement: Prevent deployment in all other regions.

You need to configure the regions variable as follows:

regions = {
  allowed_regions = ["eu-central-1"]
  home_region     = "eu-central-1"
}

Note: Ensure that us-east-1 is included as a governed region in AWS Control Tower, since the linked_regions attribute defaults to this value.

Scenario 2: Home region with additional governed regions

  • Home region: eu-central-1
  • Requirement: Also allow deploying resources in eu-west-1.

You need to configure the regions variable as follows:

regions = {
  allowed_regions = ["eu-central-1", "eu-west-1"]
  home_region     = "eu-central-1"
  linked_regions  = ["eu-west-1", "us-east-1"]
}
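The two scenarios above silently misbehave when the regions value is inconsistent with the provider or with itself, and the module itself cannot verify that. The following is an added example (not part of the module or its README) of a root-module `check` block that fails `terraform plan` early for the three mistakes this section warns about. It assumes the module is called as `module "landing_zone"` with the registry source `schubergphilis/mcaf-landing-zone/aws`, that the regions value is kept in `local.regions`, and that the default `aws` provider is the one that deploys the module; the account IDs are placeholders.

```hcl
# Added example, not part of the module: pre-deployment sanity checks for the
# regions configuration. Assumes module "landing_zone" is called from this root
# module and that the default aws provider deploys it.

locals {
  regions = {
    allowed_regions = ["eu-central-1", "eu-west-1"]
    home_region     = "eu-central-1"
    linked_regions  = ["eu-west-1", "us-east-1"]
  }
}

# Region of the provider that deploys the module.
data "aws_region" "current" {}

check "landing_zone_regions" {
  # regions.home_region must match the AWS Control Tower home region, which is
  # also the region of the provider deploying this module.
  assert {
    condition     = data.aws_region.current.name == local.regions.home_region
    error_message = "regions.home_region must equal the region of the aws provider that deploys the landing zone module."
  }

  # The home region has to be allowed, otherwise the region SCP attached to the
  # organization root would deny deployments in the very region you deploy from.
  assert {
    condition     = contains(local.regions.allowed_regions, local.regions.home_region)
    error_message = "regions.home_region must be included in regions.allowed_regions."
  }

  # Global services report to us-east-1; the module defaults linked_regions to
  # it, so an explicit override should keep it for Security Hub/Config coverage.
  assert {
    condition     = contains(local.regions.linked_regions, "us-east-1")
    error_message = "regions.linked_regions must include us-east-1 so data from global services is collected."
  }
}

module "landing_zone" {
  source = "schubergphilis/mcaf-landing-zone/aws" # assumed registry source

  # placeholder account IDs
  control_tower_account_ids = {
    audit   = "111111111111"
    logging = "222222222222"
  }

  regions = local.regions
}
```

Check blocks only warn by default when they are evaluated after apply, but during `terraform plan` a failed assertion is reported before any resource is created, which is where a wrong region setting is cheapest to catch. Whether every linked region is actually governed by AWS Control Tower still has to be confirmed in the console, as described above.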

Detailed configuration

AWS SES Root Accounts mail forwarder

Setting the ses_root_accounts_mail_forward variable creates the necessary AWS Simple Email Service (SES) resources to accept mail sent to an AWS hosted domain and forward it to an external recipient or recipients. This can be used to enable secure mailboxes/IT service catalog aliases for all root accounts. Emails are received via AWS SES and forwarded to an email forwarder lambda which sends the email to the destination email server as specified in the recipient_mapping variable of ses_root_accounts_mail_forward.

Before setting the ses_root_accounts_mail_forward variable, make sure that an AWS Route53 hosted zone is created. For example aws.yourcompany.com. Pass this domain using the domain variable of ses_root_accounts_mail_forward.

Example:

ses_root_accounts_mail_forward = {
  domain     = "aws.yourcompany.com"
  from_email = "[email protected]"

  recipient_mapping = {
    "[email protected]" = [
      "[email protected]"
    ]
  }
}

By default, you have to create the email addresses for the accounts created with the MCAF Account Vending Machine (AVM) module yourself. With this functionality you can instead use aliases of the mailbox created here, e.g. root+<account-name>@aws.yourcompany.com.

AWS CloudTrail

By default, all CloudTrail logs are stored in an S3 bucket in the logging account of your AWS Organization. However, this module also supports creating an additional CloudTrail configuration that publishes logs to an S3 bucket of your choice. This trail is created at the Organization level, meaning that logs from all accounts are published to the provided bucket.

NOTE: Before enabling this feature, make sure that the bucket policy authorizing CloudTrail to deliver logs is in place and that you have enabled trusted access between AWS Organizations and CloudTrail. If these two steps are not in place, Terraform will fail to create the trail.

Example:

additional_auditing_trail = {
  name   = "additional_auditing_trail"
  bucket = "bucket_name"
}
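The NOTE above lists two prerequisites without showing them. The following is an added example (not part of the module or its README) of both: a bucket policy that lets CloudTrail deliver an organization trail, and enabling trusted access between AWS Organizations and CloudTrail. It assumes the bucket is created in the logging account through the `aws.logging` provider alias listed under Providers; the bucket name is a placeholder and the policy follows the standard AWS organization-trail bucket policy pattern (ACL check plus write under both the management-account and the organization-id prefixes).

```hcl
# Added example, not part of the module: prerequisites for additional_auditing_trail.
# Assumes an aws.logging provider alias pointing at the log archive account.

data "aws_organizations_organization" "default" {}

resource "aws_s3_bucket" "additional_trail" {
  provider = aws.logging
  bucket   = "example-additional-auditing-trail" # placeholder name
}

data "aws_iam_policy_document" "cloudtrail_delivery" {
  # CloudTrail verifies it can read the bucket ACL before delivering logs.
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.additional_trail.arn]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  # An organization trail writes under the management account ID and under the
  # organization ID; restricting the prefixes keeps other accounts' trails out.
  statement {
    sid     = "AWSCloudTrailWrite"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.additional_trail.arn}/AWSLogs/${data.aws_organizations_organization.default.master_account_id}/*",
      "${aws_s3_bucket.additional_trail.arn}/AWSLogs/${data.aws_organizations_organization.default.id}/*",
    ]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    # Objects must be owned by the bucket owner, not by the CloudTrail service.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "additional_trail" {
  provider = aws.logging
  bucket   = aws_s3_bucket.additional_trail.id
  policy   = data.aws_iam_policy_document.cloudtrail_delivery.json
}

# Trusted access between Organizations and CloudTrail. When the organization is
# managed by Terraform, add the principal to aws_service_access_principals on the
# aws_organizations_organization resource; when it is not (for example because
# AWS Control Tower created it), enable it once from the management account:
#   aws organizations enable-aws-service-access --service-principal cloudtrail.amazonaws.com
```

Create the bucket policy before the module (a `depends_on` on `aws_s3_bucket_policy.additional_trail` in the module call works), otherwise the trail creation fails exactly as the NOTE describes.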

AWS Config Rules

By default, this module provisions a set of basic AWS Config Rules. To add extra rules, a list of rule identifiers can be passed via the variable aws_config.rule_identifiers.

If you would like to authorize other accounts to aggregate AWS Config data, the account IDs can also be passed via the variable aws_config.aggregator_account_ids.

NOTE: This module already authorizes the audit account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit account ID in the aggregator_account_ids list.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  rule_identifiers       = ["ACCESS_KEYS_ROTATED", "ALB_WAF_ENABLED"]
}

AWS GuardDuty

This module supports enabling GuardDuty at the organization level which means that all new accounts that are created in, or added to, the organization are added as member accounts to the audit account GuardDuty detector.

The feature can be controlled via the aws_guardduty variable and is enabled by default.

Note: In case you are migrating an existing AWS organization to this module, all existing accounts except for the management and logging accounts have to be enabled as explained here.

AWS KMS

The module creates 3 AWS KMS keys: one for the management account, one for the audit account, and one for the log archive account. We recommend further scoping down the AWS KMS key policy in the management account by providing a secure policy via kms_key_policy. The default "Base Permissions" statement can be overwritten and should be limited to the account root only, for example by using the statement below:

  statement {
    sid       = "Base Permissions"
    actions   = ["kms:*"]
    effect    = "Allow"
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalType"
      values   = ["Account"]
    }

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"
      ]
    }
  }

Note that you have to add additional statements granting access to, for example, the pipeline user or role that applies this module. Applying only the statement above results in the error "The new key policy will not allow you to update the key policy in the future".
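As an added example (not part of the module or its README) of a complete policy that avoids that error, the document below keeps the scoped-down "Base Permissions" statement and adds a key-administration statement for the role that runs Terraform. It assumes a `data "aws_caller_identity" "management"` source in the root module and a role named `PipelineRole`, both placeholders; the action list is the standard AWS key-administrator set.

```hcl
# Added example, not part of the module: management-account KMS key policy with
# a pipeline-role statement next to the root-only base statement.

data "aws_caller_identity" "management" {}

data "aws_iam_policy_document" "kms_key_management" {
  # Only the account principal itself (aws:PrincipalType = Account) keeps kms:*.
  statement {
    sid       = "Base Permissions"
    actions   = ["kms:*"]
    effect    = "Allow"
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalType"
      values   = ["Account"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"]
    }
  }

  # The role that applies Terraform must be able to read and update the key
  # policy, otherwise KMS rejects the policy as unmanageable.
  statement {
    sid    = "Allow pipeline role to administer the key"
    effect = "Allow"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.management.account_id}:role/PipelineRole"] # placeholder role
    }
  }
}

module "landing_zone" {
  # ... other inputs

  # kms_key_policy takes a list of JSON policy documents.
  kms_key_policy = [data.aws_iam_policy_document.kms_key_management.json]
}
```

Key usage (kms:Encrypt, kms:Decrypt, kms:GenerateDataKey*) for the services that actually encrypt with the key is a separate concern and belongs in its own statement, scoped to those service principals, rather than being folded into the administrator statement.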

AWS Security Hub

This module supports enabling Security Hub at an organization level, meaning all accounts that are created in or enrolled to the organization will be added as member accounts to the audit account Security Hub delegated administrator.

The feature can be controlled via the aws_security_hub variable and is enabled by default.

Note: by default, auto-enable default standards is turned off, since the default standards are not updated regularly enough. At the time of writing only the AWS Foundational Security Best Practices v1.0.0 standard and the CIS AWS Foundations Benchmark v1.2.0 standard are enabled by default, while this module enables the following standards:

  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v1.4.0
  • PCI DSS v3.2.1

Enabling the standards in all member accounts is controlled via mcaf-account-baseline.

AWS SSO

This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.

This feature can be controlled via the aws_sso_permission_sets variable by passing a map (key-value pair) where every key corresponds to an AWS SSO Permission Set name and the value follows the structure below:

  • assignments: list of maps (key-value pairs) with AWS account IDs as keys and, as values, a list of AWS SSO group names that should have access to that account via this permission set
  • inline_policy: a valid IAM policy in JSON format (maximum length 10240 characters)
  • managed_policy_arns: list of ARNs of the managed policies that should be attached to the permission set
  • session_duration: session length as an ISO-8601 duration (for example PT2H)

Example:

  aws_sso_permission_sets = {
    PlatformAdmin = {
      inline_policy    = file("${path.module}/template_files/sso/platform_admin.json")
      session_duration = "PT2H"

      managed_policy_arns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
      ]

      assignments = [
        {
          for account in ["123456789012", "012456789012"] : account => [
            okta_group.aws["AWSPlatformAdmins"].name
          ]
        },
        {
          for account in ["925556789012"] : account => [
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]
    }
    PlatformUser = {
      session_duration = "PT12H"

      managed_policy_arns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::aws:policy/AWSSupportAccess"
      ]

      assignments = [
        {
          for account in ["123456789012", "012456789012"] : account => [
            okta_group.aws["AWSPlatformAdmins"].name,
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]

      inline_policy = jsonencode(
        {
          Version = "2012-10-17",
          Statement = concat(
            [
              {
                Effect   = "Allow",
                Action   = "support:*",
                Resource = "*"
              }
            ],
            jsondecode(data.aws_iam_policy.lambda_readonly.policy).Statement
          )
        }
      )
    }
  }

Datadog Integration

This module supports an optional Datadog-AWS integration. This integration makes it easier for you to forward metrics and logs from your AWS account to Datadog.

In order to enable the integration, pass an object to the variable datadog containing the attributes listed for the datadog input in the Inputs section below (at minimum api_key, enable_integration and site_url).

In case you don't want to use the integration, you can configure the Datadog provider like in the example below:

provider "datadog" {
  validate = false
}

This should prevent the provider from asking you for a Datadog API Key and allow the module to be provisioned without the integration resources.

Monitoring IAM Activity

By default, this module monitors activity performed by the root user of all core accounts and by AWS SSO roles, and sends notifications for it. All notifications are sent to the SNS topic LandingZone-IAMActivity in the audit account.

These are the type of events that will be monitored:

  • Any activity made by the root user of the account.
  • Any manual changes made by AWS SSO roles (read-only operations and console logins are not taken into account).

In case you would like to disable this functionality, you can set the variable monitor_iam_activity to false.

Organizations Policies: Service Control Policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. See this page for an introduction to SCPs and the value they add.

This module allows using various SCPs as described below. We try to adhere to best practices of not attaching SCPs to the root of the organization when possible; in the event you need to pass a list of OU names, be sure to have the exact name as the matching is case sensitive.

SCP: Deny ability to disable Security Hub

Enabling this SCP removes a member account's ability to disable Security Hub.

This SCP is enabled by default, but can be disabled by setting the aws_deny_disabling_security_hub attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_deny_disabling_security_hub = false
}

SCP: Deny ability to leave Organization

Enabling this SCP removes a member account's ability to leave the AWS organization.

This SCP is enabled by default, but can be disabled by setting the aws_deny_leaving_org attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_deny_leaving_org = false
}

SCP: Require the use of Instance Metadata Service Version 2

By default, all EC2 instances still allow access to the original metadata service (IMDSv1), which means that if an attacker finds an EC2 instance running a proxy or WAF, or finds an SSRF vulnerability, they can likely steal the IAM role credentials of the instance. Enforcing IMDSv2 mitigates that risk. Be aware that this could break applications that have not yet been updated to work with IMDSv2.

This SCP is enabled by default, but can be disabled by setting the aws_require_imdsv2 attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_require_imdsv2 = false
}

SCP: Restricting AWS Regions

See the section Specifying the correct regions.

SCP: Restricting Root User Access

If you would like to restrict the root user's ability to log into accounts in an OU, you can pass a list of OU names to the aws_deny_root_user_ous attribute in aws_service_control_policies.

Example showing SCP applied to all OUs except the Root OU:

data "aws_organizations_organization" "default" {}

data "aws_organizations_organizational_units" "default" {
  parent_id = data.aws_organizations_organization.default.roots[0].id
}

module "landing_zone" {
  ...
  aws_service_control_policies = {
    aws_deny_root_user_ous = [
      for ou in data.aws_organizations_organizational_units.default.children : ou.name if ou.name != "Root"
    ]
  }
}

AWS Principal exceptions

To exempt specific IAM entities from the region-restriction, deny-leaving-organization and deny-disabling-Security-Hub SCPs, pass a list of ARN patterns using the principal_exceptions attribute in aws_service_control_policies. This can be useful for roles used by AWS Control Tower, for example. Example:

aws_service_control_policies = {
  principal_exceptions = ["arn:aws:iam::*:role/RoleAllowedToBypassRestrictions"]
}

Organizations Policies: Tag Policies

Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. See this page for an introduction to tag policies and the value they add.

To create a tag policy, set the aws_required_tags variable using a map of OU names and their tag policies. To enforce a tag for all services and resource types that support enforcement, set enforced_for to ["all"].

Please note the OU path key is case sensitive and tag policies will be created per tag key.

Example:

module "landing_zone" {
  ...

  aws_required_tags = {
    "Root/Environments/Production" = [
      {
        name         = "Tag1"
        values       = ["A", "B"]
        enforced_for = ["all"]
      }
    ]
    "Root/Environments/Non-Production" = [
      {
        name         = "Tag2"
        enforced_for = ["secretsmanager:*"]
      }
    ]
  }
}

SNS topic subscription

Topic Name | Variable | Content
--- | --- | ---
aws-controltower-AggregateSecurityNotifications | aws_config_sns_subscription | Aggregated AWS Config notifications
LandingZone-SecurityHubFindings | aws_security_hub_sns_subscription | Aggregated Security Hub findings
LandingZone-IAMActivity | monitor_iam_activity_sns_subscription | IAM activity findings

Example for https protocol and specified webhook endpoint:

module "landing_zone" {
  ...

  aws_config_sns_subscription = {
    endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
    protocol = "https"
  }
}
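The endpoint above carries the Datadog API key inside the URL, so the key ends up in version control when written as a literal. As an added example (not part of the module or its README), the same subscription can take the key from a sensitive variable. It assumes a root-module variable `datadog_api_key`; the map key `datadog` follows the map(object({...})) type declared for aws_config_sns_subscription under Inputs.

```hcl
# Added example, not part of the module: the https subscription with the API
# key injected from a sensitive variable instead of a literal in the config.

variable "datadog_api_key" {
  description = "Datadog API key used in the SNS webhook endpoint"
  type        = string
  sensitive   = true # redacted in plan and apply output
}

module "landing_zone" {
  # ... other inputs

  aws_config_sns_subscription = {
    datadog = {
      endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=${var.datadog_api_key}"
      protocol = "https"
    }
  }
}
```

Supply the value through `TF_VAR_datadog_api_key` or a secrets manager in the pipeline, never through a committed tfvars file. The full endpoint URL is still recorded in Terraform state, so the state backend needs the same access controls and encryption you would give the key itself.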

Requirements

Name | Version
--- | ---
terraform | >= 1.6
aws | >= 5.54.0
datadog | > 3.0.0
mcaf | >= 0.4.2

Providers

Name | Version
--- | ---
aws | >= 5.54.0
aws.audit | >= 5.54.0
aws.logging | >= 5.54.0
mcaf | >= 0.4.2

Modules

Name | Source | Version
--- | --- | ---
audit_manager_reports | schubergphilis/mcaf-s3/aws | ~> 0.14.1
aws_config_s3 | schubergphilis/mcaf-s3/aws | ~> 0.14.1
aws_sso_permission_sets | ./modules/permission-set | n/a
datadog_audit | schubergphilis/mcaf-datadog/aws | ~> 0.8.5
datadog_logging | schubergphilis/mcaf-datadog/aws | ~> 0.8.5
datadog_master | schubergphilis/mcaf-datadog/aws | ~> 0.8.5
kms_key | schubergphilis/mcaf-kms/aws | ~> 0.3.0
kms_key_audit | schubergphilis/mcaf-kms/aws | ~> 0.3.0
kms_key_logging | schubergphilis/mcaf-kms/aws | ~> 0.3.0
ses-root-accounts-mail-alias | schubergphilis/mcaf-ses/aws | ~> 0.1.4
ses-root-accounts-mail-forward | schubergphilis/mcaf-ses-forwarder/aws | ~> 0.3.0
tag_policy_assignment | ./modules/tag-policy-assignment | n/a

Resources

Name Type
aws_auditmanager_account_registration.default resource
aws_cloudtrail.additional_auditing_trail resource
aws_cloudwatch_event_rule.security_hub_findings resource
aws_cloudwatch_event_target.security_hub_findings resource
aws_cloudwatch_log_metric_filter.iam_activity_master resource
aws_cloudwatch_metric_alarm.iam_activity_master resource
aws_config_aggregate_authorization.audit resource
aws_config_aggregate_authorization.logging resource
aws_config_aggregate_authorization.master resource
aws_config_aggregate_authorization.master_to_audit resource
aws_config_configuration_aggregator.audit resource
aws_config_configuration_recorder.default resource
aws_config_configuration_recorder_status.default resource
aws_config_delivery_channel.default resource
aws_config_organization_managed_rule.default resource
aws_ebs_encryption_by_default.audit resource
aws_ebs_encryption_by_default.logging resource
aws_ebs_encryption_by_default.master resource
aws_guardduty_detector.audit resource
aws_guardduty_organization_admin_account.audit resource
aws_guardduty_organization_configuration.default resource
aws_guardduty_organization_configuration_feature.ebs_malware_protection resource
aws_guardduty_organization_configuration_feature.eks_audit_logs resource
aws_guardduty_organization_configuration_feature.lambda_network_logs resource
aws_guardduty_organization_configuration_feature.rds_login_events resource
aws_guardduty_organization_configuration_feature.runtime_monitoring resource
aws_guardduty_organization_configuration_feature.s3_data_events resource
aws_iam_account_password_policy.audit resource
aws_iam_account_password_policy.logging resource
aws_iam_account_password_policy.master resource
aws_iam_role.sns_feedback resource
aws_iam_role_policy.sns_feedback_policy resource
aws_iam_service_linked_role.config resource
aws_inspector2_delegated_admin_account.default resource
aws_inspector2_enabler.audit_account resource
aws_inspector2_enabler.member_accounts resource
aws_inspector2_member_association.default resource
aws_inspector2_organization_configuration.default resource
aws_organizations_policy.deny_root_user resource
aws_organizations_policy.lz_root_policies resource
aws_organizations_policy_attachment.deny_root_user resource
aws_organizations_policy_attachment.lz_root_policies resource
aws_s3_account_public_access_block.audit resource
aws_s3_account_public_access_block.logging resource
aws_s3_account_public_access_block.master resource
aws_securityhub_account.default resource
aws_securityhub_account.management resource
aws_securityhub_configuration_policy.default resource
aws_securityhub_configuration_policy_association.root resource
aws_securityhub_finding_aggregator.default resource
aws_securityhub_member.logging resource
aws_securityhub_member.management resource
aws_securityhub_organization_admin_account.default resource
aws_securityhub_organization_configuration.default resource
aws_sns_topic.iam_activity resource
aws_sns_topic.security_hub_findings resource
aws_sns_topic_policy.iam_activity resource
aws_sns_topic_policy.security_hub_findings resource
aws_sns_topic_subscription.aws_config resource
aws_sns_topic_subscription.iam_activity resource
aws_sns_topic_subscription.security_hub_findings resource
aws_caller_identity.audit data source
aws_caller_identity.logging data source
aws_caller_identity.management data source
aws_cloudwatch_log_group.cloudtrail_master data source
aws_iam_policy_document.aws_config_s3 data source
aws_iam_policy_document.kms_key data source
aws_iam_policy_document.kms_key_audit data source
aws_iam_policy_document.kms_key_logging data source
aws_iam_policy_document.sns_feedback data source
aws_organizations_organization.default data source
aws_organizations_organizational_units.default data source
aws_region.current data source
aws_sns_topic.all_config_notifications data source
mcaf_aws_all_organizational_units.default data source

Inputs

Name Description Type Default Required
control_tower_account_ids Control Tower core account IDs
object({
audit = string
logging = string
})
n/a yes
regions Region configuration. See the README for more information on the configuration options.
object({
allowed_regions = list(string)
home_region = string
linked_regions = optional(list(string), ["us-east-1"])
})
n/a yes
additional_auditing_trail CloudTrail configuration for additional auditing trail
object({
name = string
bucket = string
kms_key_id = string

event_selector = optional(object({
data_resource = optional(object({
type = string
values = list(string)
}))
exclude_management_event_sources = optional(set(string), null)
include_management_events = optional(bool, true)
read_write_type = optional(string, "All")
}))
})
null no
aws_account_password_policy AWS account password policy parameters for the audit, logging and master account
object({
allow_users_to_change = bool
max_age = number
minimum_length = number
require_lowercase_characters = bool
require_numbers = bool
require_symbols = bool
require_uppercase_characters = bool
reuse_prevention_history = number
})
{
"allow_users_to_change": true,
"max_age": 90,
"minimum_length": 14,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true,
"reuse_prevention_history": 24
}
no
aws_auditmanager AWS Audit Manager config settings
object({
enabled = bool
reports_bucket_prefix = string
})
{
"enabled": true,
"reports_bucket_prefix": "audit-manager-reports"
}
no
aws_config AWS Config settings
object({
aggregator_account_ids = optional(list(string), [])
delivery_channel_s3_bucket_name = optional(string, null)
delivery_channel_s3_key_prefix = optional(string, null)
delivery_frequency = optional(string, "TwentyFour_Hours")
rule_identifiers = optional(list(string), [])
})
{
"aggregator_account_ids": [],
"delivery_channel_s3_bucket_name": null,
"delivery_channel_s3_key_prefix": null,
"delivery_frequency": "TwentyFour_Hours",
"rule_identifiers": []
}
no
aws_config_sns_subscription Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
aws_ebs_encryption_by_default Set to true to enable AWS Elastic Block Store encryption by default bool true no
aws_guardduty AWS GuardDuty settings
object({
enabled = optional(bool, true)
finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES")
ebs_malware_protection_status = optional(bool, true)
eks_audit_logs_status = optional(bool, true)
lambda_network_logs_status = optional(bool, true)
rds_login_events_status = optional(bool, true)
s3_data_events_status = optional(bool, true)
runtime_monitoring_status = optional(object({
enabled = optional(bool, true)
eks_addon_management_status = optional(bool, true)
ecs_fargate_agent_management_status = optional(bool, true)
ec2_agent_management_status = optional(bool, true)
}), {})
})
{} no
aws_inspector AWS Inspector settings, at least one of the scan options must be enabled
object({
enabled = optional(bool, false)
enable_scan_ec2 = optional(bool, true)
enable_scan_ecr = optional(bool, true)
enable_scan_lambda = optional(bool, true)
enable_scan_lambda_code = optional(bool, true)
resource_create_timeout = optional(string, "15m")
})
{
"enable_scan_ec2": true,
"enable_scan_ecr": true,
"enable_scan_lambda": true,
"enable_scan_lambda_code": true,
"enabled": false,
"resource_create_timeout": "15m"
}
no
aws_required_tags AWS Required tags settings
map(list(object({
name = string
values = optional(list(string))
enforced_for = optional(list(string))
})))
null no
aws_security_hub AWS Security Hub settings
object({
aggregator_linking_mode = optional(string, "SPECIFIED_REGIONS")
auto_enable_controls = optional(bool, true)
control_finding_generator = optional(string, "SECURITY_CONTROL")
create_cis_metric_filters = optional(bool, true)
disabled_control_identifiers = optional(list(string), null)
enabled_control_identifiers = optional(list(string), null)
product_arns = optional(list(string), [])
standards_arns = optional(list(string), null)
})
{} no
aws_security_hub_sns_subscription Subscription options for the LandingZone-SecurityHubFindings SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
aws_service_control_policies AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction
object({
aws_deny_disabling_security_hub = optional(bool, true)
aws_deny_leaving_org = optional(bool, true)
aws_deny_root_user_ous = optional(list(string), [])
aws_require_imdsv2 = optional(bool, true)
principal_exceptions = optional(list(string), [])
})
{} no
aws_sso_permission_sets Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account
map(object({
assignments = list(map(list(string)))
inline_policy = optional(string, null)
managed_policy_arns = optional(list(string), [])
session_duration = optional(string, "PT4H")
}))
{} no
datadog Datadog integration options for the core accounts
object({
api_key = string
cspm_resource_collection_enabled = optional(bool, false)
enable_integration = bool
extended_resource_collection_enabled = optional(bool, false)
install_log_forwarder = optional(bool, false)
log_collection_services = optional(list(string), [])
log_forwarder_version = optional(string)
metric_tag_filters = optional(map(string), {})
namespace_rules = optional(list(string), [])
site_url = string
})
null no
datadog_excluded_regions List of regions where metrics collection will be disabled. list(string) [] no
kms_key_policy A list of valid KMS key policy JSON documents list(string) [] no
kms_key_policy_audit A list of valid KMS key policy JSON document for use with audit KMS key list(string) [] no
kms_key_policy_logging A list of valid KMS key policy JSON document for use with logging KMS key list(string) [] no
monitor_iam_activity Whether IAM activity should be monitored bool true no
monitor_iam_activity_sns_subscription Subscription options for the LandingZone-IAMActivity SNS topic
map(object({
endpoint = string
protocol = string
}))
{} no
path Optional path for all IAM users, user groups, roles, and customer managed policies created by this module string "/" no
ses_root_accounts_mail_forward SES config to receive and forward root account emails
object({
domain = string
from_email = string
recipient_mapping = map(any)

dmarc = object({
policy = optional(string)
rua = optional(string)
ruf = optional(string)
})
})
null no
tags Map of tags map(string) {} no

Outputs

Name Description
aws_config_s3_bucket_arn ARN of the AWS Config S3 bucket
kms_key_arn ARN of KMS key for master account
kms_key_audit_arn ARN of KMS key for audit account
kms_key_audit_id ID of KMS key for audit account
kms_key_id ID of KMS key for master account
kms_key_logging_arn ARN of KMS key for logging account
kms_key_logging_id ID of KMS key for logging account
monitor_iam_activity_sns_topic_arn ARN of the SNS Topic in the Audit account for IAM activity monitoring notifications

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Using Pre-commit

To make local development easier, we have added a pre-commit configuration to the repo. To use it, follow these steps:

Install the following tools:

brew install tflint

Install pre-commit:

pip3 install pre-commit --upgrade

To run the pre-commit hooks and check that everything is working as expected (the first run might take a few minutes):

pre-commit run -a

To install the pre-commit hooks to run before each commit:

pre-commit install