Merge pull request #282 from nationalarchives/remove-guardduty-ipsets

CLOP-10: Remove GuardDuty IPSets and update to templatefile
nationalarchives · Jun 24, 2024 · bf0345e · bf0345e
2 parents 2e6401e + b630bf1
commit bf0345e
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 54 deletions.
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
@@ -1,19 +1,11 @@
-data "template_file" "cloudtrail_assume_role_policy" {
-  template = file("./tdr-terraform-modules/cloudtrail/templates/assume_role_policy.json.tpl")
-}
-
 resource "aws_iam_role" "cloudtrail_role" {
   name               = "${upper(var.project)}CloudTrail${title(local.environment)}"
-  assume_role_policy = data.template_file.cloudtrail_assume_role_policy.rendered
-}
-
-data "template_file" "cloudwatch_policy" {
-  template = file("./tdr-terraform-modules/cloudtrail/templates/cloudwatch_logs_policy.json.tpl")
+  assume_role_policy = templatefile("./tdr-terraform-modules/cloudtrail/templates/assume_role_policy.json.tpl", {})
 }
 
 resource "aws_iam_policy" "cloudwatch_policy" {
   name   = "${upper(var.project)}Cloudwatch${title(local.environment)}"
-  policy = data.template_file.cloudwatch_policy.rendered
+  policy = templatefile("./tdr-terraform-modules/cloudtrail/templates/cloudwatch_logs_policy.json.tpl", {})
 }
 
 resource "aws_iam_role_policy_attachment" "cloudtrail_policy_attach" {

diff --git a/config/main.tf b/config/main.tf
@@ -19,28 +19,17 @@ resource "aws_sns_topic" "config_topic" {
 
 }
 
-data "template_file" "config_assume_role_policy" {
-  template = file("./tdr-terraform-modules/config/templates/config_assume_role_policy.json.tpl")
-}
-
 resource "aws_iam_role" "config_role" {
   count              = local.region == var.primary_region ? 1 : 0
   name               = "${upper(var.project)}Config${title(local.environment)}"
-  assume_role_policy = data.template_file.config_assume_role_policy.rendered
-}
-
-data "template_file" "s3_access_policy" {
-  template = file("./tdr-terraform-modules/config/templates/s3_access_policy.json.tpl")
-  vars = {
-    bucket_name = var.bucket_id
-  }
+  assume_role_policy = templatefile("./tdr-terraform-modules/config/templates/config_assume_role_policy.json.tpl", {})
 }
 
 resource "aws_iam_policy" "s3_access_policy" {
   count       = local.region == var.primary_region ? 1 : 0
   name        = "${upper(var.project)}Config${title(local.environment)}"
   description = "Allows access to AWS Config S3 bucket"
-  policy      = data.template_file.s3_access_policy.rendered
+  policy      = templatefile("./tdr-terraform-modules/config/templates/s3_access_policy.json.tpl", { bucket_name = var.bucket_id })
 }
 
 resource "aws_iam_role_policy_attachment" "s3_policy_attach" {
@@ -49,15 +38,11 @@ resource "aws_iam_role_policy_attachment" "s3_policy_attach" {
   policy_arn = aws_iam_policy.s3_access_policy.*.arn[0]
 }
 
-data "template_file" "sns_topic_access_policy" {
-  template = file("./tdr-terraform-modules/config/templates/sns_topic_access_policy.json.tpl")
-}
-
 resource "aws_iam_policy" "sns_topic_access_policy" {
   count       = local.region == var.primary_region ? 1 : 0
   name        = "${upper(var.project)}SNSPublish${title(local.environment)}"
   description = "Allows pusblishing to SNS topic"
-  policy      = data.template_file.sns_topic_access_policy.rendered
+  policy      = templatefile("./tdr-terraform-modules/config/templates/sns_topic_access_policy.json.tpl", {})
 }
 
 resource "aws_iam_role_policy_attachment" "sns_topic_policy_attach" {

diff --git a/config/providers.tf b/config/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = ">= 5.0.0"
+  }
+}
diff --git a/guardduty/locals.tf b/guardduty/locals.tf
diff --git a/guardduty/main.tf b/guardduty/main.tf
@@ -1,20 +1,3 @@
-# Create IP Set for GuardDuty in S3 bucket
-resource "aws_s3_bucket_object" "trusted_ip_list" {
-  count   = local.region == var.region ? 1 : 0
-  acl     = "private"
-  content = local.ip_set
-  bucket  = var.bucket_id
-  key     = var.bucket_object_key
-}
-
 resource "aws_guardduty_detector" "master" {
   enable = true
 }
-
-resource "aws_guardduty_ipset" "trusted_ip_list" {
-  activate    = true
-  detector_id = aws_guardduty_detector.master.id
-  format      = "TXT"
-  location    = "https://s3.amazonaws.com/${var.bucket_id}/${var.bucket_object_key}"
-  name        = "trusted-ip-list-${data.aws_region.current.name}"
-}
diff --git a/guardduty/providers.tf b/guardduty/providers.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = ">= 1.5.0"
+
+  required_providers {
+    aws = ">= 5.0.0"
+  }
+}
diff --git a/kms/main.tf b/kms/main.tf
@@ -1,11 +1,11 @@
-data "template_file" "key_policy" {
-  template = templatefile("${path.module}/templates/${var.key_policy}.json.tpl", merge(var.policy_variables, { account_id = data.aws_caller_identity.current.account_id, environment = var.environment }))
-}
-
 resource "aws_kms_key" "encryption" {
   description         = "KMS key for encryption within ${var.environment} environment"
   enable_key_rotation = true
-  policy              = data.template_file.key_policy.rendered
+
+  policy = templatefile("${path.module}/templates/${var.key_policy}.json.tpl", merge(var.policy_variables, {
+    account_id  = data.aws_caller_identity.current.account_id,
+    environment = var.environment
+  }))
   tags = merge(
     var.common_tags,
     tomap(