diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8b1a7ba --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.terraform/ \ No newline at end of file diff --git a/LICENSE b/LICENSE index 083e1f2..67bc678 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright 2017 Threat Stack, Inc. +Copyright 2017-2019 Threat Stack, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 9e4261c..f26672f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,9 @@ -# tf_threatstack_aws_integration -Setup Threat Stack <-> AWS integration module +# tf_threatstack_control_plane_monitoring_integration +Setup Threat Stack <-> Control Plane Monitoring integration module -This module provides the ability to setup Threat Stack integration via Terraform. This module will setup the following: +This module provides the ability to define the Threat Stack integration infrastructure via Terraform. Currently only AWS Cloudtrail is supported, and it automates the [AWS Manual Integration Setup](https://threatstack.zendesk.com/hc/en-us/articles/206512364-AWS-Manual-Integration-Setup) + +This module will create and manage the following: * AWS CloudTrail * multi-region trail 
@@ -13,61 +15,177 @@ This module provides the ability to setup Threat Stack integration via Terraform * AWS SQS queue Threat Stack will check for events * Cross account IAM role for Threat Stack +## Dependencies + +This Terraform module currently depends on the following providers as dependencies: + +* `template` ~> 2.1 +* `aws` ~> 2.0 ## Usage -To use this module you need to create a Terraform configuration that utilizes this module. A basic example configuration would look as follows (Be sure to adjust the git ref in the source value appropriately): +> **This version of the module is compatible with Terraform 0.12+.** Terraform 0.11 and earlier are not supported, and this module will not work. For a pre-0.12-compatible version of this module, see [v1.0.0 of this module](https://github.com/threatstack/threatstack-terraform/tree/v1.0.0). + +To use, a user-created module should be defined that _imports_ this module (via the `source` parameter on the `module` setting. Terraform will download and use the source module with the `terraform init` command, so there is no need to download it separately for use. 
The minimum configuration for the user would look as follows (Be sure to adjust the git ref in the source value appropriately): ```hcl -module "threatstack_aws_integration" { - source = "github.com/threatstack/tf_threatstack_aws_integration?ref=v1.0.0" - aws_account = "" - aws_account_id = "" - aws_region = "us-east-1" - threatstack_account_id = "" - threatstack_external_id = "" +module "threatstack_aws_integration" { # THe name of the module here is arbitrary and can be whatever makes it easily identifiable to the end-user + source = "github.com/threatstack/threatstack-terraform?ref=" + + threatstack = { + account_id = "" + external_id = "" + } + + aws_account_info = { + account_id = "" + region = "us-east-1" + } } ``` ## Threat Stack Setup -In Threat Stack click `Add Profile` under _AWS Profiles_ fill in the relevant output values on the _Integrations_ page under _Settings_ and get the Threat Stack _Account ID_ and _External ID_. Use these values for the `threatstack_account_id` and `threatstack_external_id`. Run Terraform and get the outputs from it. -![Terraform output](https://github.com/threatstack/tf_threatstack_aws_integration/raw/master/doc/terraform_output.png "Terraform output") +In Threat Stack click `Add Account` under _AWS Accounts_ fill in the relevant output values on the _Integrations_ page under _Settings_ and get the Threat Stack _Account ID_ and _External ID_. Use these values for the `threatstack.account_id` and `threatstack.external_id` input variables (see below). Run Terraform and get the outputs from it. -With the output values, fill in the Threat Stack profile screen. 
+![Terraform output](https://github.com/threatstack/threatstack-terraform/raw/master/doc/terraform_output.png "Terraform output") -![Threat Stack setup](https://github.com/threatstack/tf_threatstack_aws_integration/raw/master/doc/threat_stack_setup.png "Threat Stack setup screen") +Record the Terraform output values, and use them to complete the configuration of the Threat Stack platform's side integration. See sections 3 & 6 of the [AWS Manual Integration Setup](https://threatstack.zendesk.com/hc/en-us/articles/206512364-AWS-Manual-Integration-Setup) page for details. ## Variables -* ___aws_account:___ Name of AWS account. Used to find remote state information and is prepended to bucket names. -* ___aws_account_id:___ Account ID, used for CloudTrail integration. +The module's input variables are defined in their own Terraform variable objects. They are as follows: + +* ___threatstack:___ **(REQUIRED)** Threat Stack-specific settings to deploy the integration. The defaults are null, so the integration will fail if not set. + +* ___aws_account_info:___ **(REQUIRED)** AWS account specifics to deploy the integration. The defaults are null, so the integration will fail if not set. + +* ___aws_flags:___ **(Optional)** The flags have defaults, so the module can work without these explicitly set. + +* ___aws_optional_conf:___ **(Optional)** The settings have defaults, so the module can work without these explicitly set. + + +#### Threat Stack configuration + +All of the Threat Stack configuration is required. Not explicitly defining these values when using this module will cause the integration to not work as expected. + +The Threat Stack configuration is defined as follows: + +```hcl +module "threatstack_aws_integration" { + source = "github.com/threatstack/threatstack-terraform?ref=" + + # Strings generated from the Threat Stack Add Account page + threatstack = { + + account_id = string + external_id = string + + } +} +``` -* ___aws_region:___ AWS region. 
Used to find remote state. +* ___threatstack.account_id:___ Threat Stack account ID associated with the Threat Stack org. Used to find remote state information and is prepended to bucket names. -* ___aws_cloudtrail_name (optional):___ Name of CloudTrail trail. +* ___threatstack.external_id:___ Account ID, used for CloudTrail integration. -* ___aws_iam_role_name (optional):___ Name of cross account IAM role grating access for Threat Stack to AWS environment. -* ___aws_sns_topic_name (optional):___ Name of SNS topic used by CloudTrail. +#### AWS configuration -* ___aws_sns_topic_display_name (optional):___ SNS topic display name. +This Terraform input variable is split into 3 sections: required settings, flag settings, and optional settings -* ___aws_sqs_queue_name (optional):___ Name of SQS queue to forward events to. +##### Required settings -* ___s3_bucket_name (optional):___ Name of bucket to create to store logs. Pay attention to the fact that domain name and account name will be prepended to thebucket to help prevent name collisions. +```hcl +module "threatstack_aws_integration" { + source = "github.com/threatstack/threatstack-terraform?ref=" + + aws_account_info = { + + # ... + + account_id = string + region = string + + #... + + } +} +``` + +* ___aws_account_info.account_id:___ Account ID, used for CloudTrail integration. + +* ___aws_account_info.region:___ AWS region. Used to find remote state. + +##### Flag settings + +```hcl +module "threatstack_aws_integration" { + source = "github.com/threatstack/threatstack-terraform?ref=" + + aws_flags = { + + # ... + + enable_logging = bool # Defaults to `true` + enable_log_file_validation = bool # Defaults to `true` + include_global_service_events = bool # Defaults to `true` + is_multi_region_trail = bool # Defaults to `true` + s3_force_destroy = bool # Defaults to `false` + + #... + + } +} + +``` +* ___aws_flags.enable_logging (optional):___ Enable logging, set to 'false' to pause logging. 
+ +* ___aws_flags.enable_log_file_validation (optional):___ Create signed digest file to validated contents of logs. + +* ___aws_flags.include_global_service_events (optional):___ Include evnets from global services such as IAM. + +* ___aws_flags.is_multi_region_trail (optional):___ Whether the trail is created in all regions or just the current region. + +* ___aws_flags.s3_force_destroy (optional):___ Bucket destroy will fail if the bucket is not empty. Set to `"true"` if you REALLY want to destroy logs on teardown. + + +##### Optional settings + +```hcl +module "threatstack_aws_integration" { + source = "github.com/threatstack/threatstack-terraform?ref=" + + aws_optional_conf = { + + # ... + + cloudtrail_name = string # Defaults to "ThreatStackIntegration" + iam_role_name = string # Defaults to "ThreatStackIntegration" + sns_topic_name = string # Defaults to "ThreatStackIntegration" + sns_topic_display_name = string # Defaults to "Threat Stack integration topic." + sqs_queue_name = string # Defaults to "ThreatStackIntegration" + s3_bucket_name = string # Defaults to "threatstack-integration" + s3_force_destroy = string # Defaults to "/" + + #... + + } +} +``` -* ___s3_bucket_prefix (optional):___ S3 prefix path for logs. Useful is using a bucket used by other services. (Not recommended) +* ___aws_optional_conf.cloudtrail_name (optional):___ Name of CloudTrail trail. -* ___s3_force_destroy (optional):___ Bucket destroy will fail if the bucket is not empty. Set to `"true"` if you REALLY want to destroy logs on teardown. +* ___aws_optional_conf.iam_role_name (optional):___ Name of cross account IAM role gating access for Threat Stack to AWS environment. -* ___enable_logging (optional):___ Enable logging, set to 'false' to pause logging. +* ___aws_optional_conf.sns_topic_name (optional):___ Name of SNS topic used by CloudTrail. -* ___enable_log_file_validation (optional):___ Create signed digest file to validated contents of logs. 
+* ___aws_optional_conf.sns_topic_display_name (optional):___ SNS topic display name. -* ___include_global_service_events (optional):___ Include evnets from global services such as IAM. +* ___aws_optional_conf.sqs_queue_name (optional):___ Name of SQS queue to forward events to. -* ___is_multi_region_trail (optional):___ Whether the trail is created in all regions or just the current region. +* ___aws_optional_conf.s3_bucket_name (optional):___ Name of bucket to create to store logs. Pay attention to the fact that account name will be prepended to the provided bucket name to help prevent name collisions. +* ___aws_optional_conf.s3_bucket_prefix (optional):___ S3 prefix path for logs. Useful is using a bucket used by other services. (Not recommended) ## Outputs * ___cloudtrail_arn:___ ARN of CloudTrail. @@ -78,7 +196,7 @@ With the output values, fill in the Threat Stack profile screen. * ___cloudwatch_log_group_arn:___ ARN of CloudWatch log group for cloudTrail events. -* ___iam_role_arn:___ ARN of cross account IAM role granting Threat Stack access to environment. (Enter this value into Threat Stack when setting up.) +* ___iam_role_arn:___ ARN of cross account IAM role granting Threat Stack access to environment. **(Enter this value into Threat Stack when setting up.)** * ___iam_role_name:___ Name of cross account IAM role granting Threat Stack access to environment. @@ -88,7 +206,7 @@ With the output values, fill in the Threat Stack profile screen. * ___s3_bucket_arn:___ ARN of bucket for CloudTrail events. -* ___s3_bucket_id:___ Name of bucket for CloudTrail events. (Enter this value into Threat Stack when setting up.) +* ___s3_bucket_id:___ Name of bucket for CloudTrail events. **(Enter this value into Threat Stack when setting up.)** * ___sns_topic_arn:___ ARN of SNS topic where CloudTrail events are forwarded to. 
@@ -96,4 +214,4 @@ With the output values, fill in the Threat Stack profile screen. * ___sqs_queue_id:___ SQS queue ID / endpoint. -* ___sqs_queue_source:___ Name of SQS queue Threat Stack reads events from. (Enter this value into Threat Stack when setting up.) +* ___sqs_queue_source:___ Name of SQS queue Threat Stack reads events from. **(Enter this value into Threat Stack when setting up.)** diff --git a/aws_cloudtrail.tf b/aws_cloudtrail.tf index 5691a32..48d0324 100644 --- a/aws_cloudtrail.tf +++ b/aws_cloudtrail.tf 
@@ -1,48 +1,51 @@ // AWS Cloudtrail data "template_file" "aws_iam_cloudtrail_to_cloudwatch_assume_role_policy" { - template = "${file("${path.module}/aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.tpl")}" + template = file( + "${path.module}/aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.tpl", + ) } data "template_file" "aws_iam_cloudtrail_to_cloudwatch_policy" { - template = "${file("${path.module}/aws_iam_cloudtrail_to_cloudwatch_policy.tpl")}" - vars { - aws_account_id = "${var.aws_account_id}" - aws_cloudtrail_name = "${var.aws_cloudtrail_name}" - aws_region = "${var.aws_region}" + template = file("${path.module}/aws_iam_cloudtrail_to_cloudwatch_policy.tpl") + vars = { + aws_account_id = var.aws_account_info.account_id + aws_cloudtrail_name = var.aws_optional_conf.cloudtrail_name + aws_region = var.aws_account_info.region } } - resource "aws_cloudwatch_log_group" "ct" { - name = "/aws/cloudtrail/${var.aws_cloudtrail_name}" - tags { + name = "/aws/cloudtrail/${var.aws_optional_conf.cloudtrail_name}" + tags = { terraform = "true" } - depends_on = ["aws_iam_role_policy.ct", "aws_s3_bucket_policy.bucket"] + depends_on = [ + aws_iam_role_policy.ct, + aws_s3_bucket_policy.bucket, + ] } resource "aws_iam_role" "ct" { - name = "${var.aws_cloudtrail_name}-CloudTrailToCloudWatch" - assume_role_policy = "${data.template_file.aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.rendered}" + name = "${var.aws_optional_conf.cloudtrail_name}-CloudTrailToCloudWatch" + assume_role_policy = data.template_file.aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.rendered } resource "aws_iam_role_policy" "ct" { - name = "CloudTrailToCloudWatch" - role = "${aws_iam_role.ct.id}" - policy = "${data.template_file.aws_iam_cloudtrail_to_cloudwatch_policy.rendered}" - + name = "CloudTrailToCloudWatch" + role = aws_iam_role.ct.id + policy = data.template_file.aws_iam_cloudtrail_to_cloudwatch_policy.rendered } resource "aws_cloudtrail" "ct" { - name = "${var.aws_cloudtrail_name}" - 
s3_bucket_name = "${aws_s3_bucket.bucket.id}" - enable_logging = "${var.enable_logging}" - enable_log_file_validation = "${var.enable_log_file_validation}" - include_global_service_events = "${var.include_global_service_events}" - is_multi_region_trail = "${var.is_multi_region_trail}" - cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.ct.arn}" - cloud_watch_logs_role_arn = "${aws_iam_role.ct.arn}" - sns_topic_name = "${aws_sns_topic.sns.arn}" - depends_on = ["aws_s3_bucket_policy.bucket"] + name = var.aws_optional_conf.cloudtrail_name + s3_bucket_name = aws_s3_bucket.bucket.id + enable_logging = var.aws_flags.enable_logging + enable_log_file_validation = var.aws_flags.enable_log_file_validation + include_global_service_events = var.aws_flags.include_global_service_events + is_multi_region_trail = var.aws_flags.is_multi_region_trail + cloud_watch_logs_group_arn = aws_cloudwatch_log_group.ct.arn + cloud_watch_logs_role_arn = aws_iam_role.ct.arn + sns_topic_name = aws_sns_topic.sns.arn + depends_on = [aws_s3_bucket_policy.bucket] } diff --git a/aws_iam_role.tf b/aws_iam_role.tf index 0cb6874..67fbba9 100644 --- a/aws_iam_role.tf +++ b/aws_iam_role.tf 
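Review bot: The two `data "template_file"` blocks at the top of this hunk are what drag in the separate `template` provider the README now lists as a dependency, yet the module already requires Terraform 0.12, whose built-in `templatefile()` renders the same `.tpl` files with the same `${...}` placeholder syntax and no extra provider to pin, download and trust. For example `policy = templatefile("${path.module}/aws_iam_cloudtrail_to_cloudwatch_policy.tpl", { aws_account_id = var.aws_account_info.account_id, aws_cloudtrail_name = var.aws_optional_conf.cloudtrail_name, aws_region = var.aws_account_info.region })` replaces the second data source and its `.rendered` reference; the same applies to the other `.tf` files in this commit. Separately, `aws_cloudwatch_log_group.ct` sets no `retention_in_days`, so the mirrored trail events are retained indefinitely; if that is intentional for audit purposes a comment such as `# no retention_in_days: the CloudWatch copy of the trail is kept indefinitely on purpose` would keep a later reader from changing it, otherwise expose it as an `aws_flags`-style setting.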
@@ -1,32 +1,31 @@ // AWS Iam role for cross account access data "template_file" "aws_iam_assume_role_policy" { - template = "${file("${path.module}/aws_iam_assume_role_policy.tpl")}" - vars { - threatstack_account_id = "${var.threatstack_account_id}" - threatstack_external_id = "${var.threatstack_external_id}" + template = file("${path.module}/aws_iam_assume_role_policy.tpl") + vars = { + threatstack_account_id = var.threatstack.account_id + threatstack_external_id = var.threatstack.external_id } } data "template_file" "aws_iam_role_policy" { - template = "${file("${path.module}/aws_iam_role_policy.tpl")}" - vars { - sqs_queue_arn = "${aws_sqs_queue.sqs.arn}" - s3_resource = "${aws_s3_bucket.bucket.arn}/*" + template = file("${path.module}/aws_iam_role_policy.tpl") + vars = { + sqs_queue_arn = aws_sqs_queue.sqs.arn + s3_resource = "${aws_s3_bucket.bucket.arn}/*" } } - resource "aws_iam_role" "role" { - name = "${var.aws_iam_role_name}" - assume_role_policy = "${data.template_file.aws_iam_assume_role_policy.rendered}" - depends_on = ["aws_iam_role_policy.ct"] + name = var.aws_optional_conf.iam_role_name + assume_role_policy = data.template_file.aws_iam_assume_role_policy.rendered + depends_on = [aws_iam_role_policy.ct] } resource "aws_iam_role_policy" "role" { - name = "${var.aws_iam_role_name}" - role = "${aws_iam_role.role.id}" + name = var.aws_optional_conf.iam_role_name + role = aws_iam_role.role.id - policy = "${data.template_file.aws_iam_role_policy.rendered}" + policy = data.template_file.aws_iam_role_policy.rendered } diff --git a/aws_s3_bucket.tf b/aws_s3_bucket.tf index b428c82..e6ff3f3 100644 --- a/aws_s3_bucket.tf +++ b/aws_s3_bucket.tf 
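Review bot: `aws_iam_role.role` keeps `depends_on = [aws_iam_role_policy.ct]`, but the cross-account role references nothing from the CloudTrail-to-CloudWatch role or its policy, so the explicit edge only serializes the apply and obscures the real graph; unless it exists for a reason not visible here, drop it and let the `aws_sqs_queue.sqs.arn` / `aws_s3_bucket.bucket.arn` references in `data.template_file.aws_iam_role_policy` drive ordering. The trust-policy data source also deserves a comment on what `threatstack_external_id` is for, since it is the value that keeps another Threat Stack tenant from assuming this role (assuming the `.tpl`, which is not in the diff, uses it in an `sts:ExternalId` condition): `# external_id is the per-org value from the Threat Stack Add Account page; with account_id it scopes who may assume this role`.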
@@ -1,31 +1,31 @@ // AWS CloudTrail S3 Bucket data "template_file" "aws_s3_bucket_policy" { - template = "${file("${path.module}/aws_s3_bucket_policy.tpl")}" + template = file("${path.module}/aws_s3_bucket_policy.tpl") - vars { - aws_account_id = "${var.aws_account_id}" - s3_bucket_arn = "${aws_s3_bucket.bucket.arn}" + vars = { + aws_account_id = var.aws_account_info.account_id + s3_bucket_arn = aws_s3_bucket.bucket.arn } } resource "aws_s3_bucket" "bucket" { - # This is to keep things consistrent and prevent conflicts across + # This is to keep things consistent and prevent conflicts across # environments. - bucket = "${var.aws_account}-${var.s3_bucket_name}" + bucket = var.aws_optional_conf.s3_bucket_name acl = "private" - versioning = { + versioning { enabled = "false" } - force_destroy = "${var.s3_force_destroy}" + force_destroy = var.aws_flags.s3_force_destroy tags = { terraform = "true" } - depends_on = ["aws_sns_topic_subscription.sqs"] + depends_on = [aws_sns_topic_subscription.sqs] } resource "aws_s3_bucket_policy" "bucket" { - bucket = "${aws_s3_bucket.bucket.id}" - policy = "${data.template_file.aws_s3_bucket_policy.rendered}" + bucket = aws_s3_bucket.bucket.id + policy = data.template_file.aws_s3_bucket_policy.rendered } diff --git a/aws_sns_topic.tf b/aws_sns_topic.tf index 15b22ab..721be44 100644 --- a/aws_sns_topic.tf +++ b/aws_sns_topic.tf 
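Review bot: `bucket = var.aws_optional_conf.s3_bucket_name` drops the account prefix the removed `"${var.aws_account}-${var.s3_bucket_name}"` carried, so the default `"threatstack-integration"` is now a fixed name in S3's global namespace and the second account to apply this module fails on the collision; the comment kept above it ("prevent conflicts across environments") and the README's "account name will be prepended" no longer describe the code. Prefixing with the account id restores the guarantee: `bucket = "${var.aws_account_info.account_id}-${var.aws_optional_conf.s3_bucket_name}"`. Since this bucket holds the CloudTrail audit log, it is also worth adding an `aws_s3_bucket_public_access_block` next to the `acl = "private"`, so a later bucket-policy or ACL edit cannot expose the logs; versioning stays disabled here, which makes a deletion of log objects unrecoverable, so if that is acceptable say so in a comment.
```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = "${var.aws_account_info.account_id}-${var.aws_optional_conf.s3_bucket_name}"
  # … unchanged: acl, versioning, force_destroy, tags, depends_on …
}

resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```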
@@ -1,18 +1,17 @@ // SNS topic data "template_file" "aws_sns_topic_policy" { - template = "${file("${path.module}/aws_sns_topic_policy.tpl")}" + template = file("${path.module}/aws_sns_topic_policy.tpl") } - resource "aws_sns_topic" "sns" { - name = "${var.aws_sns_topic_name}" - display_name = "${var.aws_sns_topic_display_name}" - depends_on = ["aws_iam_role.role"] + name = var.aws_optional_conf.sns_topic_name + display_name = var.aws_optional_conf.sns_topic_display_name + depends_on = [aws_iam_role.role] } resource "aws_sns_topic_policy" "sns" { - arn = "${aws_sns_topic.sns.arn}" - policy = "${data.template_file.aws_sns_topic_policy.rendered}" + arn = aws_sns_topic.sns.arn + policy = data.template_file.aws_sns_topic_policy.rendered } diff --git a/aws_sqs_queue.tf b/aws_sqs_queue.tf index d129b99..e3309e3 100644 --- a/aws_sqs_queue.tf +++ b/aws_sqs_queue.tf @@ -1,27 +1,26 @@ // Setup SQS data "template_file" "aws_sqs_queue_policy" { - template = "${file("${path.module}/aws_sqs_queue_policy.tpl")}" - vars { - sns_arn = "${aws_sns_topic.sns.arn}" + template = file("${path.module}/aws_sqs_queue_policy.tpl") + vars = { + sns_arn = aws_sns_topic.sns.arn } } - resource "aws_sqs_queue" "sqs" { - name = "${var.aws_sqs_queue_name}" - depends_on = ["aws_sns_topic_policy.sns"] + name = var.aws_optional_conf.sqs_queue_name + depends_on = [aws_sns_topic_policy.sns] } resource "aws_sqs_queue_policy" "sqs" { - queue_url = "${aws_sqs_queue.sqs.id}" - policy = "${data.template_file.aws_sqs_queue_policy.rendered}" + queue_url = aws_sqs_queue.sqs.id + policy = data.template_file.aws_sqs_queue_policy.rendered } resource "aws_sns_topic_subscription" "sqs" { - topic_arn = "${aws_sns_topic.sns.arn}" - protocol = "sqs" - endpoint = "${aws_sqs_queue.sqs.arn}" - depends_on = ["aws_sqs_queue_policy.sqs"] + topic_arn = aws_sns_topic.sns.arn + protocol = "sqs" + endpoint = aws_sqs_queue.sqs.arn + depends_on = [aws_sqs_queue_policy.sqs] } 
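Review bot: `data.template_file.aws_sns_topic_policy` is rendered with no `vars`, so the topic policy it produces cannot be scoped to this topic or this account; if the `.tpl` (not in the diff) grants `SNS:Publish` to `cloudtrail.amazonaws.com` with no `aws:SourceArn`/`aws:SourceAccount` condition, a trail in any AWS account can publish into this topic and from there into the SQS queue Threat Stack consumes. Pass the values a condition needs, `vars = { sns_topic_arn = aws_sns_topic.sns.arn, aws_account_id = var.aws_account_info.account_id }`, and use them in the template's `Resource` and a `StringEquals` on `aws:SourceAccount`; reading the topic ARN in the data source does not change the graph, since `aws_sns_topic_policy.sns` already depends on the topic. Referencing `aws_cloudtrail.ct.arn` for an `aws:SourceArn` condition would cycle through the existing `depends_on` chain (queue → topic policy, bucket → subscription, trail → bucket), so if the trail ARN is wanted it has to be assembled from the region, account id and trail name variables instead.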
diff --git a/doc/threat_stack_setup.png b/doc/threat_stack_setup.png deleted file mode 100644 index fe0c5d8..0000000 Binary files a/doc/threat_stack_setup.png and /dev/null differ diff --git a/main.tf b/main.tf deleted file mode 100644 index 0ff0d6f..0000000 --- a/main.tf +++ /dev/null @@ -1,2 +0,0 @@ -// Setup Threat Stack integration - diff --git a/outputs.tf b/outputs.tf index 560598b..7dfafce 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,57 +1,57 @@ // Outputs output "cloudtrail_id" { - value = "${aws_cloudtrail.ct.id}" + value = aws_cloudtrail.ct.id } output "cloudtrail_home_region" { - value = "${aws_cloudtrail.ct.home_region}" + value = aws_cloudtrail.ct.home_region } output "cloudtrail_arn" { - value = "${aws_cloudtrail.ct.arn}" + value = aws_cloudtrail.ct.arn } output "iam_role_cloudtrail_name" { - value = "${aws_iam_role.ct.name}" + value = aws_iam_role.ct.name } output "iam_role_cloudtrail_arn" { - value = "${aws_iam_role.ct.arn}" + value = aws_iam_role.ct.arn } output "cloudwatch_log_group_arn" { - value = "${aws_cloudwatch_log_group.ct.arn}" + value = aws_cloudwatch_log_group.ct.arn } output "iam_role_name" { - value = "${aws_iam_role.role.name}" + value = aws_iam_role.role.name } output "iam_role_arn" { - value = "${aws_iam_role.role.arn}" + value = aws_iam_role.role.arn } output "s3_bucket_id" { - value = "${aws_s3_bucket.bucket.id}" + value = aws_s3_bucket.bucket.id } output "s3_bucket_arn" { - value = "${aws_s3_bucket.bucket.arn}" + value = aws_s3_bucket.bucket.arn } output "sns_topic_arn" { - value = "${aws_sns_topic.sns.arn}" + value = aws_sns_topic.sns.arn } output "sqs_queue_id" { - value = "${aws_sqs_queue.sqs.id}" + value = aws_sqs_queue.sqs.id } output "sqs_queue_arn" { - value = "${aws_sqs_queue.sqs.arn}" + value = aws_sqs_queue.sqs.arn } output "sqs_queue_source" { - value = "${element(split(":", aws_sqs_queue.sqs.arn), 5)}" + value = element(split(":", aws_sqs_queue.sqs.arn), 5) } 
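Review bot: None of the outputs has a `description`, yet the README relies on the reader knowing that exactly three of them (`iam_role_arn`, `s3_bucket_id`, `sqs_queue_source`) are pasted into Threat Stack; putting that on the outputs themselves keeps it visible to `terraform output` consumers and generated module docs, e.g. `description = "Enter this value into Threat Stack when setting up the integration."` on those three. `sqs_queue_source` would also read better with a comment on why the ARN is split, `# element 5 of the SQS ARN is the queue name, which is the value Threat Stack asks for`.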
diff --git a/variables.tf b/variables.tf index c54fb10..1cf6edf 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,96 +1,83 @@ -// Setup a default CloudTrail trail. - -//Variables -variable "threatstack_account_id" { - type = "string" - description = "Threat Stack AWS account ID." -} - -variable "threatstack_external_id" { - type = "string" - description = "Threat Stack AWS external ID." -} - -variable "aws_account" { - type = "string" - description = "Used for naming S3 bucket in tf_example_aws_s3" -} - -variable "aws_account_id" { - type = "string" - description = "AWS account ID" -} - -variable "aws_region" { - type = "string" - description = "Used for finding root state in tf_example_aws_s3" -} - -variable "aws_cloudtrail_name" { - type = "string" - description = "Name of CloudTrail trail." - default = "ThreatStackIntegration" -} - -variable "aws_iam_role_name" { - type = "string" - description = "Threat Stack IAM role Name" - default = "ThreatStackIntegration" -} - -variable "aws_sns_topic_name" { - type = "string" - description = "Name of SNS topic." - default = "ThreatStackIntegration" -} - -variable "aws_sns_topic_display_name" { - type = "string" - description = "SNS topic display name" - default = "Threat Stack integration topic." +# Set up default Control Plane Monitoring. +# +# Currently only AWS Cloudtrail is supported + +# Variables + +# Threat Stack platform integration (REQUIRED) +# +# Threat Stack-specific settings to deploy the integration +# The defaults are null, so the integration will fail if not set +variable "threatstack" { + description = "(REQUIRED) Threat Stack-related Configuration" + type = object({ + # Required parameters + account_id = string + external_id = string + }) +} + +# AWS account information (REQUIRED) +# +# AWS account specifics to deploy the integration. 
+# The defaults are null, so the integration will fail if not set +variable "aws_account_info" { + description = "(REQUIRED) AWS account settings" + type = object({ + account_id = string + region = string + }) + + default = { + account_id = null + region = null + } +} + +# AWS-related configuration flags (Optional) +# +# The flags have defaults, so the module can work without these explicitly set +variable "aws_flags" { + description = "(Optional) AWS-related Configuration flags" + type = object({ + s3_force_destroy = bool + enable_logging = bool + enable_log_file_validation = bool + include_global_service_events = bool + is_multi_region_trail = bool + }) + + default = { + s3_force_destroy = false + enable_logging = true + enable_log_file_validation = true + include_global_service_events = true + is_multi_region_trail = true + } +} + +# AWS-related configuration settings (Optional) +# +# The settings have defaults, so the module can work without these explicitly set +variable "aws_optional_conf" { + description = "(Optional) AWS-related Configuration settings" + type = object({ + cloudtrail_name = string + iam_role_name = string + sns_topic_name = string + sns_topic_display_name = string + sqs_queue_name = string + s3_bucket_name = string + s3_bucket_prefix = string + }) + + default = { + cloudtrail_name = "ThreatStackIntegration" + iam_role_name = "ThreatStackIntegration" + sns_topic_name = "ThreatStackIntegration" + sns_topic_display_name = "Threat Stack integration topic." + sqs_queue_name = "ThreatStackIntegration" + s3_bucket_name = "threatstack-integration" + s3_bucket_prefix = "/" + } } - -variable "aws_sqs_queue_name" { - type = "string" - description = "Name of SNS topic." 
- default = "ThreatStackIntegration" -} - -variable "s3_bucket_name" { - type = "string" - description = "S3 Bucket for logs" - default = "threatstack-integration" -} - -variable "s3_bucket_prefix" { - type = "string" - description = "S3 prefix path for logs" - default = "/" -} - -variable "s3_force_destroy" { - type = "string" - description = "Destroy S3 bucket even if not empty." - default = "false" -} - -variable "enable_logging" { - description = "Enable logging, set to 'false' to pause logging." - default = true -} - -variable "enable_log_file_validation" { - description = "Create signed digest file to validated contents of logs." - default = true -} - -variable "include_global_service_events" { - description = "include evnets from global services such as IAM." - default = true -} - -variable "is_multi_region_trail" { - description = "Whether the trail is created in all regions or just the current region." - default = true -} - diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..ac97c6a --- /dev/null +++ b/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +}
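Review bot: `aws_account_info` is documented as required ("The defaults are null, so the integration will fail if not set") but it is given `default = { account_id = null, region = null }`, which makes it optional to Terraform: a caller that omits it gets no error at input time, and the nulls flow into the `template_file` vars and the S3/CloudWatch policy templates, failing later and less clearly than a missing required variable would. Remove the `default` block so it behaves like `threatstack`, which has none, and rewrite the comment on both variables to `# No default: Terraform will refuse to plan until this is set`. Two further caveats deserve a comment or README line: Terraform 0.12 object types require every attribute, so a caller overriding a single `aws_flags` or `aws_optional_conf` value must restate all of them (the README's `# ...` examples suggest otherwise); and `s3_bucket_prefix` is not referenced by any `.tf` in this commit (`aws_cloudtrail.ct` sets no `s3_key_prefix`), so it should be wired up or dropped rather than documented as an option.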
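Review bot: `versions.tf` pins only `required_version = ">= 0.12"`, while the README states the module depends on `aws ~> 2.0` and `template ~> 2.1`; nothing in the module enforces those, so `terraform init` in a fresh workspace pulls whatever latest provider major is published, and a provider major bump with breaking resource changes is discovered only at plan or apply. Declare them in a `required_providers` block here so the README claim is enforced in code, and drop the stray blank first line of the file.
```hcl
terraform {
  required_version = ">= 0.12"

  required_providers {
    aws      = "~> 2.0"
    template = "~> 2.1"
  }
}
```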