
feat: AWS Terraform Modules #31

Merged
merged 5 commits into from
Jun 17, 2020

Conversation

@afiune afiune commented Jun 16, 2020

AWS Terraform Modules

Introducing our AWS Terraform Modules to configure AWS Config and CloudTrail integrations.

This change adds three main Terraform modules:

  • AWS IAM Role (aws/modules/iam_role)
  • AWS Config (aws/modules/config)
  • AWS CloudTrail (aws/modules/cloudtrail)

AWS IAM Role Module

Both of our integrations (Config and CloudTrail) require an IAM Role
with an assume role policy; this module abstracts the management of this role,
which is used by both the AWS Config and AWS CloudTrail Modules.

AWS Config Module

This module creates the Lacework IAM Role and a Lacework AWS_CFG external integration.

provider "aws" {}

provider "lacework" {}

module "aws_config" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/config"
}

AWS CloudTrail Module

Use this module to create and configure CloudTrail in your AWS account, such
configuration will be used to create an AWS CloudTrail external integration in
your Lacework account.

This module will:

  • Enable a CloudTrail
  • Create a CloudTrail S3 bucket
  • Create an SNS topic
  • Create and subscribe an SQS queue to the CT SNS topic
  • Create a Lacework IAM Role
  • Create a cross-account policy and attach it to the Lacework IAM Role
  • Create an AWS_CT_SQS Lacework external integration

provider "aws" {}

provider "lacework" {}

module "aws_cloudtrail" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/cloudtrail"
}

Both Modules

Using both modules will allow users to have both Lacework external integrations,
AWS Config and CloudTrail. The modules are designed to work together like the
following example:

provider "aws" {}

provider "lacework" {}

module "aws_config" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/config"
}

module "aws_cloudtrail" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/cloudtrail"
	bucket_force_destroy  = true
	use_existing_iam_role = true
	iam_role_name         = module.aws_config.iam_role_name
	iam_role_external_id  = module.aws_config.external_id
}

Signed-off-by: Salim Afiune Maya [email protected]
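The description above says the iam_role module provides a role with an assume role policy that both integrations share, and the "Both Modules" example passes the role name and an external ID from the config module into the cloudtrail module. As an added illustration, not code from this PR or from the lacework/terraform-provisioning modules, the following Terraform shows the shape of such a cross-account role and why the external ID matters: the trust policy only allows the external account to assume the role when it presents the agreed `sts:ExternalId`, which is AWS's mitigation for the confused-deputy problem. Variable names, resource names, the account ID, the bucket name and the queue ARN are placeholders I chose for the example, not values from the modules.

```hcl
# Added example, not the iam_role module's source. All names and IDs are
# placeholders; replace them with the values for your own deployment.

variable "external_account_id" {
  description = "AWS account ID of the third party allowed to assume the role (placeholder)"
  type        = string
  default     = "000000000000"
}

variable "external_id" {
  description = "Value the third party must present as sts:ExternalId when assuming the role"
  type        = string
  default     = "REPLACE_WITH_A_RANDOM_EXTERNAL_ID"
}

# Trust policy: who may assume the role, and under which condition.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.external_account_id}:root"]
    }

    # Without this condition any tenant of the same third party could ask it
    # to assume this role; the external ID binds the role to one tenant.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "integration" {
  name               = "example-cross-account-integration"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions policy: the minimum the CloudTrail integration described in the
# PR needs, i.e. read the trail's S3 objects and consume the SQS queue.
# The bucket name and queue ARN are placeholders.
data "aws_iam_policy_document" "cross_account" {
  statement {
    sid     = "ReadCloudTrailObjects"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
    resources = [
      "arn:aws:s3:::example-cloudtrail-bucket",
      "arn:aws:s3:::example-cloudtrail-bucket/*",
    ]
  }

  statement {
    sid       = "ConsumeCloudTrailQueue"
    effect    = "Allow"
    actions   = ["sqs:GetQueueAttributes", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    resources = ["arn:aws:sqs:us-east-1:111111111111:example-cloudtrail-queue"]
  }
}

resource "aws_iam_role_policy" "cross_account" {
  name   = "example-cross-account-access"
  role   = aws_iam_role.integration.id
  policy = data.aws_iam_policy_document.cross_account.json
}

# Exposed so a second module can reuse the same role and external ID, the way
# the cloudtrail module consumes module.aws_config.iam_role_name and
# module.aws_config.external_id in the example above.
output "iam_role_name" {
  value = aws_iam_role.integration.name
}

output "external_id" {
  value     = var.external_id
  sensitive = true
}
```

A quick check after `terraform apply`: from the external account, `aws sts assume-role` against the role ARN without `--external-id` should be refused with AccessDenied, and succeed only when the matching `--external-id` is supplied. If the call succeeds without it, the condition block is missing from the trust policy. Treat the external ID as a secret shared with exactly one third party: keep it out of version control and generate a fresh random value per integration rather than reusing one across accounts.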

@afiune afiune requested a review from scottford-lw June 16, 2020 14:44
@afiune afiune force-pushed the afiune/modules branch 2 times, most recently from 332c7c7 to d41b191 Compare June 16, 2020 16:21
Signed-off-by: Salim Afiune Maya <[email protected]>
@afiune afiune changed the title feat: create aws config tf module feat: new AWS terraform modules Jun 16, 2020
@afiune afiune changed the title feat: new AWS terraform modules feat: AWS terraform modules Jun 16, 2020
@smford22

@afiune I still think we need to be more verbose with our naming conventions for the folder. "simple1-from-scratch" means something to you and me, but maybe not to our users. Thoughts?

afiune commented Jun 16, 2020

@scottford-lw I could not agree more with you; we also need a ton of documentation
that I would really appreciate help with. 💯

@afiune afiune self-assigned this Jun 16, 2020
@afiune afiune added the enhancement New feature or request label Jun 16, 2020

provider "aws" { }

module "aws_cloudtrial" {

@afiune spelling ;)

@scottford-lw

@afiune thinking further I am not sure that we really need examples for the config and iam_role that don't pass any attributes. I think we can just show the examples customizing the vars, but if we want to keep both examples, what do you think about this...?

modules
├── cloudtrail
│   └── examples
│       ├── complete-cloudtrail
│       ├── existing-cloudtrail
│       └── existing-cloudtrail-iam-role
├── config
│   └── examples
│       ├── custom-config
│       └── default-config
└── iam_role
    └── examples
        ├── custom-config
        └── default-config

@scottford-lw

Once we merge this we will dive into the README files for the project and make it super clear how to get these working.

@afiune afiune requested a review from scottford-lw June 17, 2020 14:00

@scottford-lw scottford-lw left a comment


@afiune afiune merged commit e307836 into master Jun 17, 2020
@afiune afiune changed the title feat: AWS terraform modules feat: AWS Terraform Modules Jun 17, 2020
@afiune afiune deleted the afiune/modules branch July 29, 2020 13:19
@afiune afiune mentioned this pull request Aug 31, 2020