Merge pull request #1 from zoitech/add_variables

Add variables
zoitech · Dec 9, 2019 · b338804 · b338804
2 parents a179d0b + cac49fc
commit b338804
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -0,0 +1,42 @@
+# terraform-aws-config
+
+This is a terraform module for enabling and configuring AWS Config.
+
+## Description
+
+AWS Config rules will be set up in the account to check on the following things:
+
+* Resource Tagging
+   * Checks if the resources in your account are tagged properly
+* Access Key Rotation
+* RDS Instances without backups enabled
+* EC2 Instances with Public IP addresses enabled
+* ElasticSearch outside a VPC
+* Logging enabled for all LoadBalancers
+* Root User with access and secret key
+* RDS Instances with Public access
+* S3 Buckets configured as a static WebServer
+* IAM Users with Console Login enabled
+
+## Usage
+
+The following default values are set:
+
+* accessKeyRotate_maxAccessKeyAge               = 30
+* dbInstanceBackupEnabled_RetentionPeriod       = 30
+* dbInstanceBackupEnabled_PreferredBackupWindow = "22:00-24:00"
+* dbInstanceBackupEnabled_CheckReadReplicas     = true
+* elbLoggingEnabled_s3BucketNames               = "backup"
+* lambda_timeout                                = 30
+
+```hcl
+module "aws-config" {
+  source = "git::https://github.com/zoitech/terraform-aws-config.git?ref=v1.0.0"
+  accessKeyRotate_maxAccessKeyAge               = 180
+  dbInstanceBackupEnabled_RetentionPeriod       = 90
+  dbInstanceBackupEnabled_PreferredBackupWindow = "23:00-01:00"
+  dbInstanceBackupEnabled_CheckReadReplicas     = true
+  elbLoggingEnabled_s3BucketNames               = "backup"
+  lambda_timeout                                = 60
+}
+```
diff --git a/config.tf b/config.tf
@@ -7,17 +7,14 @@
 #}
 
 resource "aws_config_organization_managed_rule" "resourcesTagged" {
-  name = "instanceTagged"
-  input_parameters = <<EOF
-  {
-    "tag1Key" : "owner"
-  }
-EOF
+  name             = "instanceTagged"
+  input_parameters = var.required_tags
+
   rule_identifier = "REQUIRED_TAGS"
 }
 
 resource "aws_config_organization_managed_rule" "accessKeyRotated" {
-  name = "access_key_rotated"
+  name             = "access_key_rotated"
   input_parameters = <<EOF
   {
     "maxAccessKeyAge" : "${var.accessKeyRotated_maxAccessKeyAge}"
@@ -28,7 +25,7 @@ EOF
 }
 
 resource "aws_config_organization_managed_rule" "dbInstanceBackupEnabled" {
-  name = "db_instance_backup_enabled"
+  name             = "db_instance_backup_enabled"
   input_parameters = <<EOF
   {
     "backupRetentionPeriod" : "${var.dbInstanceBackupEnabled_RetentionPeriod}",
@@ -53,7 +50,7 @@ resource "aws_config_organization_managed_rule" "elasticsearchInVpcOnly" {
 }
 
 resource "aws_config_organization_managed_rule" "elbLoggingEnabled" {
-  name = "elb_logging_enabled"
+  name             = "elb_logging_enabled"
   input_parameters = <<EOF
   {
     "s3BucketNames" : "${var.elbLoggingEnabled_s3BucketNames}"
@@ -81,13 +78,13 @@ resource "aws_config_organization_custom_rule" "s3WebserverBuckets" {
 
   #depends_on = ["aws_config_configuration_recorder.config-recorder", "aws_lambda_permission.s3_webserver_buckets_config_permissions"]
   lambda_function_arn = "${aws_lambda_function.s3_webserver_buckets.arn}"
-  trigger_types = ["ScheduledNotification"]
+  trigger_types       = ["ScheduledNotification"]
 }
 
 resource "aws_config_organization_custom_rule" "iam_console_login" {
   name = "iam_console_login"
 
   lambda_function_arn = "${aws_lambda_function.iam_console_login.arn}"
-  trigger_types = ["ScheduledNotification"]
+  trigger_types       = ["ScheduledNotification"]
 }
 
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,43 @@
+# aws_config_organization_managed_rule - resourcesTagged
+variable required_tags {
+  # https://docs.aws.amazon.com/config/latest/developerguide/required-tags.html
+  description = "A map of the required tag keys and/or values to evaluate"
+  type        = map(string)
+  default = {
+    "tag1Key" : "owner"
+  }
+}
+
+# aws_config_organization_managed_rule - accessKeyRotated
+variable accessKeyRotated_maxAccessKeyAge {
+  description = "Every Access Key will be defined as Non-Compliant after exceeding the number of days defined in this variable"
+  default     = 30
+}
+
+# aws_config_organization_managed_rule - dbInstanceBackupEnabled
+variable dbInstanceBackupEnabled_RetentionPeriod {
+  description = "The retention period in days for the RDS Databases to check"
+  default     = 30
+}
+
+variable dbInstanceBackupEnabled_PreferredBackupWindow {
+  description = "The format is hh24:min-hh24:min. Example: 23:00-02:00"
+  default     = "22:00-24:00"
+}
+
+variable dbInstanceBackupEnabled_CheckReadReplicas {
+  description = "Defines if AWS Config should Check if the RDS instance has backups enabled for the ReadReplicas"
+  default     = true
+}
+
+# aws_config_organization_managed_rule - elbLoggingEnabled
+variable elbLoggingEnabled_s3BucketNames {
+  description = "Comma separated list of S3 bucket names for ELB to deliver the log files"
+  default     = "backup"
+}
+
+# aws_lambda_function - s3_webserver_buckets
+variable lambda_timeout {
+  description = "The timeout for the custom lambda scripts which define more custom AWS Config rules"
+  default     = 30
+}