demo project

Author: cdaniluk

.gitignore

@@ -28,3 +28,5 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+*.zip

account/Makefile

@@ -0,0 +1 @@
+../Makefile

account/backend-setup.tf

@@ -1,5 +1,5 @@
 module "backend" {
-  source = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend?ref=v1.2.0"
+  source = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend?ref=v2.0.0"
   bucket = var.bucket
   table  = var.dynamodb_table
   region = var.region

account/backend.auto.tfvars

@@ -1,4 +1,4 @@
-bucket         = "012345678912-us-east-1-tf-state"
+bucket         = "028266382041-us-east-1-tf-state"
 key            = "account.tfstate"
 dynamodb_table = "tf-locktable"
 region         = "us-east-1"

account/default.tfvars

@@ -0,0 +1,9 @@
+env                = "default"
+iam_master_account = "092882053733"
+iam_role_prefix    = "RhythmicOps-"
+
+# Storing these in external env vars.
+#alert_webhook = "https://hooks.slack.com/services/"
+#notify_webhook = "https://hooks.slack.com/services/"
+#ticket_webhook = "https://hooks.slack.com/services/"
+slack_channel = "alerts"

account/main.tf

@@ -1,47 +1,45 @@
 module "tags" {
-  source = "git::https://github.com/rhythmictech/terraform-terraform-tags.git?ref=v0.0.2"
+  source = "git::https://github.com/rhythmictech/terraform-terraform-tags.git?ref=v1.0.0"
 
   names = [
     "account",
     var.env,
     var.namespace
   ]
 
-  tags = {
+  tags = merge(var.tags, {
     "Env"       = var.env,
     "Namespace" = var.namespace,
     "Owner"     = var.owner
-  }
+  })
 }
 
-module "rhythmic-iam-roles" {
-  source         = "git::https://github.com/rhythmictech/terraform-aws-rhythmic-iam-roles.git?ref=v1.0.0"
-  role_prefix    = var.iam_role_prefix
-  master_account = var.iam_master_account
+locals {
+  tags = module.tags.tags_no_name
 }
 
 module "s3logging-bucket" {
-  source        = "git::https://github.com/rhythmictech/terraform-aws-s3logging-bucket?ref=v1.0.0"
+  source        = "git::https://github.com/rhythmictech/terraform-aws-s3logging-bucket?ref=v1.0.1"
   bucket_suffix = "account"
   region        = var.region
-  tags          = module.tags.tags_no_name
+  tags          = local.tags
 }
 
 module "cloudtrail-bucket" {
-  source         = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket?ref=v1.0.0"
+  source         = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-bucket?ref=v1.2.0"
   logging_bucket = module.s3logging-bucket.s3logging_bucket_name
   region         = var.region
-  tags           = module.tags.tags_no_name
+  tags           = local.tags
 
 }
 
 module "cloudtrail-logging" {
-  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging?ref=v1.0.0"
-  region            = var.region
-  cloudtrail_bucket = module.cloudtrail-bucket.bucket_name
+  source            = "git::https://github.com/rhythmictech/terraform-aws-cloudtrail-logging?ref=v1.1.0"
+  cloudtrail_bucket = module.cloudtrail-bucket.s3_bucket_name
   kms_key_id        = module.cloudtrail-bucket.kms_key_id
+  region            = var.region
 }
 
 module "iam-password-policy" {
-  source = "git::ssh://git@github.com/rhythmictech/terraform-aws-iam-password-policy?ref=v1.0.0"
+  source = "git::https://github.com/rhythmictech/terraform-aws-iam-password-policy?ref=v1.0.0"
 }

account/monitoring.tf

@@ -0,0 +1,10 @@
+
+module "monitoring" {
+  source = "git::https://github.com/rhythmictech/terraform-aws-rhythmic-monitoring?ref=demo"
+
+  name           = "SecurityAutomationDemo-Monitoring"
+  alert_webhook  = var.alert_webhook
+  notify_webhook = var.notify_webhook
+  slack_channel  = var.slack_channel
+  tags           = local.tags
+}

account/outputs.tf

@@ -0,0 +1,31 @@
+########################################
+# Monitoring Outputs
+########################################
+output "sns_topic_alert_arn" {
+  description = "Alert Topic ARN"
+  value = module.monitoring.sns_topic_alert_arn
+}
+
+output "sns_topic_notify_arn" {
+  description = "Notification Topic ARN"
+  value = module.monitoring.sns_topic_notify_arn
+}
+
+output "sns_topic_ticket_arn" {
+  description = "Ticketing Topic ARN"
+  value = module.monitoring.sns_topic_ticket_arn
+}
+
+########################################
+# Security Outputs
+########################################
+
+output "cloudtrail_log_group" {
+  description = "CloudTrail CloudWatch log group"
+  value       = module.cloudtrail-logging.cloudwatch_loggroup_name
+}
+
+output "s3_bucket_access_logging" {
+  description = "S3 bucket to receive S3 bucket access logs"
+  value       = module.s3logging-bucket.s3logging_bucket_name
+}

account/setup/main.tf

@@ -3,7 +3,7 @@ provider "aws" {
 }
 
 module "backend" {
-  source = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend?ref=v1.2.0"
+  source = "git::ssh://[email protected]/rhythmictech/terraform-aws-backend?ref=v2.0.0"
   bucket = var.bucket
   table  = var.dynamodb_table
   region = var.region

account/terraform.tfvars

@@ -1,3 +1,7 @@
+########################################
+# General Vars
+########################################
+
 variable "iam_master_account" {
   type = string
 }
@@ -6,17 +10,31 @@ variable "iam_role_prefix" {
   type = string
 }
 
-variable "namespace" {
-  description = "Project name"
-  type        = string
+variable "tags" {
+  type    = map(string)
+  default = {}
 }
 
-variable "owner" {
-  description = "Owner of this infrastructure"
-  type        = string
+########################################
+# Monitoring Vars
+########################################
+
+variable "alert_webhook" {
+  description = "Webhook to send alerts to"
+  type = string
 }
 
-variable "tags" {
-  type    = map(string)
-  default = {}
+variable "notify_webhook" {
+  description = "Webhook to send notifications to"
+  type = string
 }
+
+variable "slack_channel" {
+  description = "Channel to send notifications to"
+  type = string
+}
+
+variable "ticket_webhook" {
+  description = "Webhook to send tickets to"
+  type = string
+}

account/variables.tf

@@ -48,3 +48,13 @@ variable "key" {
   description = "Key that tfstate is stored in"
   type        = string
 }
+
+variable "namespace" {
+  description = "Namespace to associate resources in this account with"
+  type        = string
+}
+
+variable "owner" {
+  description = "Team/person responsible for this account"
+  type        = string
+}

common/common.tf

@@ -0,0 +1 @@
+include ../Makefile

demo/Makefile

@@ -0,0 +1,14 @@
+# demo
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

demo/README.md

@@ -0,0 +1,4 @@
+bucket         = "028266382041-us-east-1-tf-state"
+key            = "demo.tfstate"
+dynamodb_table = "tf-locktable"
+region         = "us-east-1"

demo/backend.auto.tfvars

@@ -0,0 +1 @@
+../common/common.tf

demo/common.tf

@@ -0,0 +1 @@
+env = "default"

demo/default.tfvars

@@ -0,0 +1 @@
+../common/global.auto.tfvars

demo/global.auto.tfvars

@@ -0,0 +1,20 @@
+from __future__ import print_function
+
+import random
+import os
+
+print('Loading function')
+
+thingsToSay = [
+    "INVALID AUTHENTICATION ATTEMPT",
+    "SUCCESSFUL AUTHENTICATION ATTEMPT",
+    "USER LOGGED OUT",
+    "USER WANTS A HAIRCUT"
+]
+
+def handler(event, context):
+    
+    print("Received request.")
+    print(random.choice(thingsToSay))
+    
+    

demo/logSadThings.py

@@ -0,0 +1,66 @@
+resource "aws_iam_group" "billing_group" {
+    name = "BillingUsers"
+
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach" {
+  group      = aws_iam_group.billing_group.name
+  policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
+}
+
+resource "aws_iam_user" "simple_user" {
+    name = "TheAccountant"
+}
+
+resource "aws_iam_group_membership" "team" {
+  name = aws_iam_group.billing_group.name
+  group = aws_iam_group.billing_group.name
+  users = [aws_iam_user.simple_user.name]
+}
+
+# A Lambda to log random strings
+data "archive_file" "lambda" {
+  type        = "zip"
+  source_file = "logSadThings.py"
+  output_path = "${path.module}/tmp/logSadThing.zip"
+}
+
+data "aws_iam_policy_document" "assume" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "role" {
+  assume_role_policy = data.aws_iam_policy_document.assume.json
+}
+
+resource "aws_iam_role_policy_attachment" "role" {
+  role       = aws_iam_role.role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_lambda_function" "log_sad_things" {
+  filename      = data.archive_file.lambda.output_path
+  function_name = "logSadThings"
+  role          = aws_iam_role.role.arn
+  handler       = "logSadThings.handler"
+  runtime       = "python3.6"
+
+  lifecycle {
+    ignore_changes = [
+      filename,
+      last_modified,
+    ]
+  }
+
+  source_code_hash = data.archive_file.lambda.output_base64sha256
+}
+

demo/main.tf

@@ -0,0 +1 @@
+include ../Makefile

demo/outputs.tf

@@ -0,0 +1,14 @@
+# security
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

demo/variables.tf

@@ -0,0 +1,6 @@
+module "awsconfig" {
+  source         = "git::https://github.com/rhythmictech/terraform-aws-config.git?ref=v0.0.2"
+  logging_bucket = data.terraform_remote_state.account.outputs.s3_bucket_access_logging
+  region         = var.region
+  sns_topic_arn = data.terraform_remote_state.account.outputs.sns_topic_ticket_arn
+}

security/Makefile

@@ -0,0 +1,4 @@
+bucket         = "028266382041-us-east-1-tf-state"
+key            = "security.tfstate"
+dynamodb_table = "tf-locktable"
+region         = "us-east-1"

security/README.md

@@ -0,0 +1 @@
+../common/common.tf

security/awsconfig.tf

@@ -0,0 +1 @@
+env = "default"

security/backend.auto.tfvars

@@ -0,0 +1 @@
+../common/global.auto.tfvars