⚠️ These instructions are outdated; certain features might have been removed or added.
This Terraform module configures the following in IAM:
- Creates a policy to enforce MFA;
- Sets a strict password policy;
- Creates a group with admin privileges, with MFA (`enable_admin_group`);
- Creates a group with a read-only policy (disabled by default);
- Creates a global CloudTrail (disabled by default);
- Creates a user, including access keys, for monitoring purposes (disabled by default).
All features can be enabled or disabled; the default is enabled.
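As an added illustration of the two IAM controls listed above (this is not the module's own code; the policy name and the split into an "allow self-enrolment" and a "deny everything else without MFA" statement are my assumptions, following the common AWS pattern), the following Terraform builds an MFA-enforcing policy and a password policy that uses the defaults from this module's Inputs table:

```hcl
# Added illustration, not the module's own code. The deny statement uses
# BoolIfExists so that sessions which carry no aws:MultiFactorAuthPresent key
# at all (plain access-key calls) are also denied.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "enforce_mfa" {
  # Listing virtual MFA devices only works on resource "*".
  statement {
    sid       = "AllowListVirtualMFADevices"
    effect    = "Allow"
    actions   = ["iam:ListVirtualMFADevices"]
    resources = ["*"]
  }

  # A user may only manage their own user record and their own MFA device.
  # "$${aws:username}" escapes the policy variable so Terraform leaves it intact.
  statement {
    sid    = "AllowManageOwnMFA"
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFADevices",
      "iam:ResyncMFADevice",
      "iam:GetUser",
    ]
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/$${aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/$${aws:username}",
    ]
  }

  # Everything not needed for MFA enrolment is denied until MFA is present.
  statement {
    sid    = "DenyAllExceptEnrolmentWithoutMFA"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "iam:GetUser",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "enforce_mfa" {
  name   = "enforce-mfa" # hypothetical name
  policy = data.aws_iam_policy_document.enforce_mfa.json
}

# Strict account password policy with the same values as the module's defaults
# (minimum_password_length = 32, max_password_age = 33, password_reuse_prevention = 1).
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 32
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 33
  password_reuse_prevention      = 1
  hard_expiry                    = false
}
```

Attach `aws_iam_policy.enforce_mfa` to the admin and read-only groups; with the deny statement in place, a user whose credentials leak can do nothing beyond enrolling an MFA device until a second factor is presented, which is the point of the "enforce MFA" feature.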
The following AWS Config rules can be enabled (AWS Config is disabled by default; each rule can be enabled individually):
- Require a specific tag on the resources [1];
- Require root account MFA enabled;
- CloudTrail enabled;
- IAM password policy compliance.
In addition, this module is able to create the necessary resources to enable CloudWatch cross-account observability (OAM); this feature is disabled by default. Make sure you have an AWS account configured as the monitoring account before enabling it. More details can be found here.
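The module only creates the source-account side of OAM; the monitoring account must already expose a sink whose policy trusts the source account. The following is an added example of that monitoring-account side (not part of this module; the sink name, the `source_account_ids` variable and the placeholder account ID are assumptions). Its `sink_identifier` output is the value you would pass to the module's `sink_identifier` input:

```hcl
# Added example, not part of the module. Apply this in the MONITORING account.
variable "source_account_ids" {
  description = "Account IDs allowed to link into this sink (placeholder value)."
  type        = list(string)
  default     = ["111111111111"] # placeholder account ID
}

resource "aws_oam_sink" "central" {
  name = "central-monitoring-sink" # hypothetical name
}

# Only the listed source accounts may create or update a link, and only for the
# named telemetry types. Tightening the principal list and the resource types is
# what keeps an arbitrary account from pushing data into your monitoring account.
data "aws_iam_policy_document" "sink" {
  statement {
    effect    = "Allow"
    actions   = ["oam:CreateLink", "oam:UpdateLink"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = var.source_account_ids
    }

    condition {
      test     = "ForAllValues:StringEquals"
      variable = "oam:ResourceTypes"
      values   = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"]
    }
  }
}

resource "aws_oam_sink_policy" "central" {
  sink_identifier = aws_oam_sink.central.arn
  policy          = data.aws_iam_policy_document.sink.json
}

# Pass this ARN to the module's sink_identifier input in each source account.
output "sink_identifier" {
  value = aws_oam_sink.central.arn
}
```

As the example configuration below notes, do not enable `enable_oam` in the monitoring account itself; the sink and the link live in different accounts.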
[1] Terraform does not allow passing an unset value similar to `!Ref "AWS::NoValue"`. Due to this limitation only a single tag, `tag1Key`, can be passed as a parameter to this module. If you require additional key-value pairs in your AWS Config REQUIRED_TAGS rule, the module must be extended manually.
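One way to extend the rule manually is to declare a separate `REQUIRED_TAGS` rule next to the module call instead of modifying the module. The following is an added example (not the module's own code; the rule name, the tag keys and values, and the `depends_on` on the module instance are assumptions). It goes beyond the module's single `tag1Key` by checking three keys and an allowed value list for one of them:

```hcl
# Added example, not part of the module. AWS Config must already be recording in
# the account (enable_aws_config = true in the module) because a managed rule
# needs a configuration recorder.
resource "aws_config_config_rule" "required_tags_extended" {
  name = "required-tags-extended" # hypothetical name

  source {
    owner             = "AWS"
    source_identifier = "REQUIRED_TAGS"
  }

  # The managed rule accepts tag1Key .. tag6Key plus optional tagNValue
  # parameters. A tagNValue is a comma-separated allow-list of values;
  # omit it to accept any value for that key.
  input_parameters = jsonencode({
    tag1Key   = "Owner"
    tag2Key   = "Environment"
    tag2Value = "dev,test,prod"
    tag3Key   = "CostCenter"
  })

  # Limit evaluation to resource types the rule supports and that you care
  # about; an unscoped rule evaluates every supported recorded resource.
  scope {
    compliance_resource_types = [
      "AWS::EC2::Instance",
      "AWS::S3::Bucket",
      "AWS::RDS::DBInstance",
    ]
  }

  # Ensure the recorder created by the module exists first (assumed wiring).
  depends_on = [module.account_setup]
}
```

Keep the module's own `enable_rule_require_tag` set to `false` when you add this rule, otherwise the same resources are evaluated twice with different tag expectations.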
⚠️ This is an example; it might be that certain settings are not best practice.

```hcl
module "account_setup" {
  source = "git@github.com:dovetailworld/terraform-aws-account-setup.git?ref=<version>"

  # iam
  enable_account_password_policy = false
  enable_read_only_group         = false
  enable_admin_group             = false

  # cloudtrail
  enable_cloudtrail = true
  cloudtrail_bucket = ""
  kms_key_id        = ""
  trail_name        = local.account-name

  # cloudwatch
  enable_cloudwatch_logs = true

  # oam
  # Note: Do not enable this on the monitoring account itself!
  enable_oam         = true
  sink_identifier    = ""
  monitoring_account = ""

  # config
  enable_aws_config                    = false
  enable_rule_require_tag              = false
  enable_rule_require_root_account_MFA = false
  enable_rule_iam_password_policy      = false
  enable_rule_require_cloud_trail      = false

  # ssm session manager
  enable_ssm_session_manager = true
  s3_bucket_name             = ""
  s3_key_prefix              = "${local.account-id}-${local.account-name}"
}
```
Requirements:

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | ~> 5.0 |
| null | ~> 3.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |
| null | ~> 3.0 |

Modules: no modules.
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_group_name | Name of the admin group. | `string` | `"admins"` | no |
| allow_users_to_change_password | Whether to allow users to change their own password. | `bool` | `true` | no |
| aws_config_notification_emails | A list of email addresses that will receive AWS Config change notifications. | `list(string)` | `[]` | no |
| cloudtrail_bucket | The name of the CloudTrail bucket. | `string` | n/a | yes |
| cloudwatch_encryption_enabled | Encrypt log data. | `bool` | `false` | no |
| cloudwatch_iam_policy_name | The name of the policy attached to the CloudTrail CloudWatch role. | `string` | `"terraform-cloudwatch-policy"` | no |
| cloudwatch_iam_role_name | The name of the CloudTrail CloudWatch role. | `string` | `"terraform-cloudwatch-role"` | no |
| cloudwatch_log_group_name | The name of the CloudWatch log group. | `string` | `"CloudTrail/DefaultLogGroup"` | no |
| dynamodb_tables_creation | Whether to create DynamoDB tables for the Terraform state file. | `bool` | `false` | no |
| dynamodb_tables_name | The DynamoDB table name. | `string` | `""` | no |
| enable_account_password_policy | Enable custom (strict) password policy. | `bool` | `true` | no |
| enable_admin_group | Create an admin group. | `bool` | `true` | no |
| enable_aws_config | Specifies whether AWS Config should be enabled. | `bool` | `false` | no |
| enable_cloudtrail | Create a default CloudTrail for the account. | `bool` | `false` | no |
| enable_cloudwatch_logs | Enable CloudWatch Logs for CloudTrail. | `bool` | `false` | no |
| enable_log_file_validation | Specifies whether log file integrity validation is enabled. | `bool` | `true` | no |
| enable_mfa | Enable to force MFA usage. | `bool` | `true` | no |
| enable_monitor_readonly_user | Create a user that can read monitoring metrics (e.g. for Grafana). | `bool` | `false` | no |
| enable_oam | Whether to create the resources used for OAM. | `bool` | `false` | no |
| enable_read_only_group | Creates a group with a read-only IAM policy assigned to it. | `bool` | `false` | no |
| enable_rule_iam_password_policy | Specifies whether the 'IAM password policy' rule should be enabled. | `bool` | `false` | no |
| enable_rule_require_cloud_trail | Specifies whether the 'Cloud Trail enabled' rule should be enabled. | `bool` | `false` | no |
| enable_rule_require_root_account_MFA | Specifies whether the 'Require root account MFA enabled' rule should be enabled. | `bool` | `false` | no |
| enable_rule_require_tag | Specifies whether the 'Require Tag' rule should be enabled. | `bool` | `false` | no |
| enable_ssm_session_manager | Specifies whether SSM Session Manager should be enabled. | `bool` | `false` | no |
| event_selector | Specifies an event selector for enabling data event logging. It needs to be a list of map values; see https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this map variable. | `list(string)` | `[]` | no |
| hard_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset). | `bool` | `false` | no |
| include_global_service_events | Specifies whether the trail publishes events from global services such as IAM to the log files. | `bool` | `true` | no |
| is_multi_region_trail | Specifies whether the trail is created in the current region or in all regions. | `bool` | `true` | no |
| kms_key_id | The ARN of the KMS CMK used for encrypting CloudTrail logs. | `string` | n/a | yes |
| max_password_age | The number of days that a user password is valid. | `number` | `33` | no |
| minimum_password_length | Minimum length to require for user passwords. | `number` | `32` | no |
| monitor_readonly_user_name | The user name for the monitor read-only user. | `string` | `"monitor_readonly"` | no |
| monitoring_account | AWS monitoring account ID. | `string` | n/a | yes |
| password_reuse_prevention | The number of previous passwords that users are prevented from reusing. | `number` | `1` | no |
| read_only_group_name | Name for the read-only group. | `string` | `"read-only"` | no |
| require_lowercase_characters | Whether to require lowercase characters for user passwords. | `bool` | `true` | no |
| require_numbers | Whether to require numbers for user passwords. | `bool` | `true` | no |
| require_symbols | Whether to require symbols for user passwords. | `bool` | `true` | no |
| require_uppercase_characters | Whether to require uppercase characters for user passwords. | `bool` | `true` | no |
| s3_bucket_name | (Optional) The name of the bucket to store session logs. Specifying this enables writing session output to an Amazon S3 bucket. | `string` | `""` | no |
| s3_bucket_state_file_creation | Whether to create an S3 bucket in the AWS account to store the Terraform state file. | `bool` | `false` | no |
| s3_bucket_state_file_name | The name of the S3 bucket that stores the Terraform state file. | `string` | `""` | no |
| s3_encryption_enabled | Encrypt log data. | `bool` | `false` | no |
| s3_key_prefix | (Optional) To write output to a sub-folder, enter a sub-folder name. | `string` | `""` | no |
| sink_identifier | Sink ID. | `string` | n/a | yes |
| tag1Key | Specifies the key for Tag1. | `string` | `""` | no |
| tags | Map of tags to apply on the resources. | `map(string)` | `{}` | no |
| trail_name | Name of the CloudTrail. Required if CloudTrail is enabled. | `string` | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| cloudwatch_log_group_arn | CloudTrail ARN. |
| mfa_policy_arn | MFA policy ARN. |
| monitor_readonly_user_access_key_id | Access key ID for the monitor read-only user. |
| monitor_readonly_user_arn | ARN for the monitor read-only user. |
| monitor_readonly_user_secret_access_key | Secret access key for the monitor read-only user. |
| trail_arn | CloudTrail ARN. |