From a462d02ab48fdb510dfe98382622985356807c51 Mon Sep 17 00:00:00 2001 From: Benjamin Smith Date: Mon, 28 Jun 2021 10:46:15 -0700 Subject: [PATCH] features/firehose support (#4) * feat: initial implementation * upd * Auto Format * upd * Auto Format * upd * Auto Format * upd * Auto Format * last one for today * Auto Format * upd * minor updates * Auto Format * Aws firewall manager allow destroy (dynamic Provider) (#3) * init * add firehose prefix * updates from pr review * comments * make init make github/init make readme * Auto Format * update bucket module * Auto Format * use iam policy document * Auto Format Co-authored-by: SweetOps Co-authored-by: cloudpossebot <11232728+cloudpossebot@users.noreply.github.com> --- .github/CODEOWNERS | 4 +- .github/auto-release.yml | 2 +- .github/mergify.yml | 7 +++ .github/workflows/auto-format.yml | 4 +- .github/workflows/auto-release.yml | 26 ++++++---- .github/workflows/validate-codeowners.yml | 2 + README.md | 29 ++++++++---- docs/terraform.md | 29 ++++++++---- firehose.tf | 58 +++++++++++++++++++++++ main.tf | 8 +++- variables.tf | 18 +++++++ waf_v2.tf | 2 +- 12 files changed, 154 insertions(+), 35 deletions(-) create mode 100644 firehose.tf
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 2537f2f..6f64b5a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -15,8 +15,8 @@
 # Cloud Posse must review any changes to standard context definition,
 # but some changes can be rubber-stamped.
-**/*.tf @cloudposse/engineering @cloudposse/approvers
-README.yaml @cloudposse/engineering @cloudposse/approvers
+**/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
+README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
 docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers
diff --git a/.github/auto-release.yml b/.github/auto-release.yml
index c78a4d8..39a7f1e 100644
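Review bot: The rewritten `**/*.tf` and `README.yaml` entries add `@cloudposse/contributors` as a code owner of every Terraform file in the module, so a single approval from that team can satisfy a "require review from code owners" branch rule that previously needed engineering or approvers; whether that is intended depends on branch-protection settings not visible here. The comment kept just above the entries still says Cloud Posse must review changes to the standard context definition, which now reads as contradicting the ownership lines beneath it. Updating it to something like `# contributors may also approve .tf and README.yaml changes; engineering/approvers remain owners` keeps the file self-describing for the next reviewer.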
--- a/.github/auto-release.yml
+++ b/.github/auto-release.yml
@@ -46,7 +46,7 @@ template: |
 replacers:
 # Remove irrelevant information from Renovate bot
-- search: '/---\s+^#.*Renovate configuration(?:.|\n)*?This PR has been generated .*/gm'
+- search: '/(?<=---\s+)+^#.*(Renovate configuration|Configuration)(?:.|\n)*?This PR has been generated .*/gm'
 replace: ''
 # Remove Renovate bot banner image
 - search: '/\[!\[[^\]]*Renovate\][^\]]*\](\([^)]*\))?\s*\n+/gm'
diff --git a/.github/mergify.yml b/.github/mergify.yml
index b010656..ef15545 100644
--- a/.github/mergify.yml
+++ b/.github/mergify.yml
@@ -56,3 +56,10 @@ pull_request_rules:
 changes_requested: true
 approved: true
 message: "This Pull Request has been updated, so we're dismissing all reviews."
+
+- name: "close Pull Requests without files changed"
+ conditions:
+ - "#files=0"
+ actions:
+ close:
+ message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
diff --git a/.github/workflows/auto-format.yml b/.github/workflows/auto-format.yml
index 990abed..375d0fd 100644
--- a/.github/workflows/auto-format.yml
+++ b/.github/workflows/auto-format.yml
@@ -6,7 +6,7 @@ on:
 jobs:
 auto-format:
 runs-on: ubuntu-latest
- container: cloudposse/build-harness:slim-latest
+ container: cloudposse/build-harness:latest
 steps:
 # Checkout the pull request branch
 # "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
@@ -29,6 +29,8 @@ jobs:
 - name: Auto Format
 if: github.event.pull_request.state == 'open'
 shell: bash
+ env:
+ GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
 run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host
 # Commit changes (if any) to the PR branch
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 3f48017..1d06d9b 100644
--- a/.github/workflows/auto-release.yml
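Review bot: The changed `container:` line in the first auto-format.yml hunk moves from `slim-latest` to `latest`, which is still a mutable tag, so the job runs whatever image is published under that name at execution time rather than a reviewed build. Because this job appears to commit back to the PR branch (the "Commit changes (if any) to the PR branch" step follows the second hunk), the toolchain that edits repository content should be pinned by digest, `container: cloudposse/build-harness@sha256:<digest>`, or at least to an immutable version tag, so the image that touched the repo is reproducible and auditable.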
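Review bot: The added `env:` block in the second auto-format.yml hunk hands what looks like a long-lived personal access token (`secrets.PUBLIC_REPO_ACCESS_TOKEN`) to the Auto Format step itself, which runs build-harness make targets over the checked-out pull-request branch, so the token is now in scope for everything those targets execute on PR content. The workflow's `on:` trigger and `permissions:` are outside this hunk; if the job can run for pull requests with secrets available, this widens what a PR's changes can reach, and a PAT cannot be narrowed per-job the way the ephemeral workflow token can. If the PAT is only needed so the later commit/push step re-triggers CI checks, keep it on that step and let this one use `${{ secrets.GITHUB_TOKEN }}`; otherwise record the requirement next to it, e.g. `# PAT required here because: <reason>`.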
+++ b/.github/workflows/auto-release.yml
@@ -3,17 +3,25 @@ name: auto-release
 on:
 push:
 branches:
- - master
+ - main
+ - master
+ - production
 jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
- # Drafts your next Release notes as Pull Requests are merged into "master"
- - uses: release-drafter/release-drafter@v5
- with:
- publish: true
- prerelease: false
- config-name: auto-release.yml
- env:
- GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Get PR from merged commit to master
+ - uses: actions-ecosystem/action-get-merged-pull-request@v1
+ id: get-merged-pull-request
+ with:
+ github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+ # Drafts your next Release notes as Pull Requests are merged into "main"
+ - uses: release-drafter/release-drafter@v5
+ if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
+ with:
+ publish: true
+ prerelease: false
+ config-name: auto-release.yml
+ env:
+ GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
diff --git a/.github/workflows/validate-codeowners.yml b/.github/workflows/validate-codeowners.yml
index 386eb28..c5193b6 100644
--- a/.github/workflows/validate-codeowners.yml
+++ b/.github/workflows/validate-codeowners.yml
@@ -1,5 +1,7 @@
 name: Validate Codeowners
 on:
+ workflow_dispatch: + pull_request:
 jobs:
diff --git a/README.md b/README.md
index f1ed4cd..beeea98 100644
--- a/README.md
+++ b/README.md
@@ -223,7 +223,7 @@ Available targets:
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.0 |
+| [terraform](#requirement\_terraform) | >= 0.15.0 |
 | [aws](#requirement\_aws) | >= 2.0 |
 ## Providers
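Review bot: The new `actions-ecosystem/action-get-merged-pull-request@v1` step receives `secrets.PUBLIC_REPO_ACCESS_TOKEN` while being pinned only to a floating major tag, so any later release published under `v1` runs with that token; pinning to a full commit SHA, `uses: actions-ecosystem/action-get-merged-pull-request@<commit-sha> # v1`, bounds which code the secret is exposed to, and the same applies to `release-drafter/release-drafter@v5` on the line below it. The added comment `# Get PR from merged commit to master` is already stale given the `main` and `production` branches added in the same hunk; `# Look up the pull request that produced the pushed merge commit` would age better. The `if:` expression also lets the publish step run when `outputs.labels` is empty, which presumably covers direct pushes with no associated PR — worth confirming that is the intended default.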
@@ -231,12 +231,15 @@ Available targets: | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 2.0 | +| [aws.admin](#provider\_aws.admin) | >= 2.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [dns\_firewall\_label](#module\_dns\_firewall\_label) | cloudposse/label/null | 0.24.1 | +| [firehose\_label](#module\_firehose\_label) | cloudposse/label/null | 0.24.1 | +| [firehose\_s3\_bucket](#module\_firehose\_s3\_bucket) | cloudposse/s3-bucket/aws | 0.38.0 | | [network\_firewall\_label](#module\_network\_firewall\_label) | cloudposse/label/null | 0.24.1 | | [security\_groups\_common\_label](#module\_security\_groups\_common\_label) | cloudposse/label/null | 0.24.1 | | [security\_groups\_content\_audit\_label](#module\_security\_groups\_content\_audit\_label) | cloudposse/label/null | 0.24.1 | 
@@ -259,41 +262,47 @@ Available targets: | [aws_fms_policy.shiled_advanced](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource | | [aws_fms_policy.waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource | | [aws_fms_policy.waf_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource | +| [aws_iam_role.firehose_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_kinesis_firehose_delivery_stream.firehose_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | +| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [admin\_account\_enabled](#input\_admin\_account\_enabled) | Resource for aws\_fms\_admin\_account is enabled and will be created or destroyed | `bool` | `true` | no | | [admin\_account\_id](#input\_admin\_account\_id) | The AWS account ID to associate to associate with AWS Firewall Manager as the AWS Firewall Manager administrator account. This can be an AWS Organizations master account or a member account. Defaults to the current account. | `string` | `null` | no | | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [dns\_firewall\_policies](#input\_dns\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
pre\_process\_rule\_groups:
A list of maps of pre-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`.
post\_process\_rule\_groups:
A list of maps post-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`. | `list(any)` | `[]` | no | +| [dns\_firewall\_policies](#input\_dns\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
pre\_process\_rule\_groups:
A list of maps of pre-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`.
post\_process\_rule\_groups:
A list of maps post-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`. | `list(any)` | `[]` | no | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [firehose\_arn](#input\_firehose\_arn) | Kinesis Firehose ARN used to create a Kinesis Firehose destination for WAF\_V2 Rules. Conflicts with `firehose_enabled` | `string` | `null` | no | +| [firehose\_enabled](#input\_firehose\_enabled) | Create a Kinesis Firehose destination for WAF\_V2 Rules. Conflicts with `firehose_arn` | `bool` | `false` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [network\_firewall\_policies](#input\_network\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
stateless\_rule\_group\_references:
A list of maps of configuration blocks containing references to the stateful rule groups that are used in the policy.
Format: `{ "resourceARN": "arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2", "priority": 10 }`
stateless\_default\_actions:
A list of actions to take on a packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_fragment\_default\_actions:
A list of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_custom\_actions:
A list of maps describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions`.
Format: `{ "actionName": "custom1", "actionDefinition": { "publishMetricAction": { "dimensions": [ { "value": "dimension1" } ] } } }`
stateful\_rule\_group\_references\_arns:
A list of ARNs of the stateful rule groups.
orchestration\_config:
single\_firewall\_endpoint\_per\_vpc:
Whether to use single Firewall Endpoint per VPC.
Defaults to `false`.
allowed\_ipv4\_cidrs:
A list of allowed ipv4 cidrs. | `list(any)` | `[]` | no | +| [network\_firewall\_policies](#input\_network\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
stateless\_rule\_group\_references:
A list of maps of configuration blocks containing references to the stateful rule groups that are used in the policy.
Format: `{ "resourceARN": "arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2", "priority": 10 }`
stateless\_default\_actions:
A list of actions to take on a packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_fragment\_default\_actions:
A list of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_custom\_actions:
A list of maps describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions`.
Format: `{ "actionName": "custom1", "actionDefinition": { "publishMetricAction": { "dimensions": [ { "value": "dimension1" } ] } } }`
stateful\_rule\_group\_references\_arns:
A list of ARNs of the stateful rule groups.
orchestration\_config:
single\_firewall\_endpoint\_per\_vpc:
Whether to use single Firewall Endpoint per VPC.
Defaults to `false`.
allowed\_ipv4\_cidrs:
A list of allowed ipv4 cidrs. | `list(any)` | `[]` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
revert\_manual\_security\_group\_changes:
Whether to revert manual Security Group changes.
Defaults to `false`.
exclusive\_resource\_security\_group\_management:
Wheter to exclusive resource Security Group management.
Defaults to `false`.
apply\_to\_all\_ec2\_instance\_enis:
Whether to apply to all EC2 instance ENIs.
Defaults to `false`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no | -| [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
security\_group\_action:
For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.
For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Possible values: `ALLOW`, `DENY`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no | -| [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
delete\_unused\_security\_groups:
Whether to delete unused Security Groups.
Defaults to `false`.
coalesce\_redundant\_security\_groups:
Whether to coalesce redundant Security Groups.
Defaults to `false`. | `list(any)` | n/a | yes | -| [shiled\_advanced\_policies](#input\_shiled\_advanced\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no | +| [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
revert\_manual\_security\_group\_changes:
Whether to revert manual Security Group changes.
Defaults to `false`.
exclusive\_resource\_security\_group\_management:
Wheter to exclusive resource Security Group management.
Defaults to `false`.
apply\_to\_all\_ec2\_instance\_enis:
Whether to apply to all EC2 instance ENIs.
Defaults to `false`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no | +| [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
security\_group\_action:
For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.
For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Possible values: `ALLOW`, `DENY`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no | +| [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
delete\_unused\_security\_groups:
Whether to delete unused Security Groups.
Defaults to `false`.
coalesce\_redundant\_security\_groups:
Whether to coalesce redundant Security Groups.
Defaults to `false`. | `list(any)` | n/a | yes | +| [shiled\_advanced\_policies](#input\_shiled\_advanced\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [waf\_policies](#input\_waf\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
rule\_groups:
A list of rule groups. | `list(any)` | `[]` | no |
-| [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
override\_customer\_web\_acl\_association:
Wheter to override customer Web ACL association
logging\_configuration:
The WAFv2 Web ACL logging configuration.
pre\_process\_rule\_groups:
A list of pre-proccess rule groups.
post\_process\_rule\_groups:
A list of post-proccess rule groups. | `list(any)` | `[]` | no |
+| [waf\_policies](#input\_waf\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
rule\_groups:
A list of rule groups. | `list(any)` | `[]` | no |
+| [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
override\_customer\_web\_acl\_association:
Wheter to override customer Web ACL association
logging\_configuration:
The WAFv2 Web ACL logging configuration.
pre\_process\_rule\_groups:
A list of pre-proccess rule groups.
post\_process\_rule\_groups:
A list of post-proccess rule groups. | `list(any)` | `[]` | no |
 ## Outputs
 | Name | Description |
 |------|-------------|
-| [admin\_account\_id](#output\_admin\_account\_id) | The AWS account ID of the AWS Firewall Manager administrator account. |
+| [admin\_account](#output\_admin\_account) | n/a |
diff --git a/docs/terraform.md b/docs/terraform.md
index a7db72e..7e4354f 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -3,7 +3,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13.0 |
+| [terraform](#requirement\_terraform) | >= 0.15.0 |
 | [aws](#requirement\_aws) | >= 2.0 |
 ## Providers
@@ -11,12 +11,15 @@
 | Name | Version |
 |------|---------|
 | [aws](#provider\_aws) | >= 2.0 |
+| [aws.admin](#provider\_aws.admin) | >= 2.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | [dns\_firewall\_label](#module\_dns\_firewall\_label) | cloudposse/label/null | 0.24.1 |
+| [firehose\_label](#module\_firehose\_label) | cloudposse/label/null | 0.24.1 |
+| [firehose\_s3\_bucket](#module\_firehose\_s3\_bucket) | cloudposse/s3-bucket/aws | 0.38.0 |
 | [network\_firewall\_label](#module\_network\_firewall\_label) | cloudposse/label/null | 0.24.1 |
 | [security\_groups\_common\_label](#module\_security\_groups\_common\_label) | cloudposse/label/null | 0.24.1 |
 | [security\_groups\_content\_audit\_label](#module\_security\_groups\_content\_audit\_label) | cloudposse/label/null | 0.24.1 |
@@ -39,39 +42,45 @@
 | [aws_fms_policy.shiled_advanced](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource |
 | [aws_fms_policy.waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource |
 | [aws_fms_policy.waf_v2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_policy) | resource |
+| [aws_iam_role.firehose_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kinesis_firehose_delivery_stream.firehose_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no |
+| [admin\_account\_enabled](#input\_admin\_account\_enabled) | Resource for aws\_fms\_admin\_account is enabled and will be created or destroyed | `bool` | `true` | no |
 | [admin\_account\_id](#input\_admin\_account\_id) | The AWS account ID to associate to associate with AWS Firewall Manager as the AWS Firewall Manager administrator account. This can be an AWS Organizations master account or a member account. Defaults to the current account. | `string` | `null` | no |
 | [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no |
 | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no |
 | [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
-| [dns\_firewall\_policies](#input\_dns\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
pre\_process\_rule\_groups:
A list of maps of pre-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`.
post\_process\_rule\_groups:
A list of maps post-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`. | `list(any)` | `[]` | no |
+| [dns\_firewall\_policies](#input\_dns\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
pre\_process\_rule\_groups:
A list of maps of pre-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`.
post\_process\_rule\_groups:
A list of maps post-proccess rule groups in the format `{ "ruleGroupId": "rslvr-frg-1", "priority": 10 }`. | `list(any)` | `[]` | no |
 | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| [firehose\_arn](#input\_firehose\_arn) | Kinesis Firehose ARN used to create a Kinesis Firehose destination for WAF\_V2 Rules. Conflicts with `firehose_enabled` | `string` | `null` | no |
+| [firehose\_enabled](#input\_firehose\_enabled) | Create a Kinesis Firehose destination for WAF\_V2 Rules. Conflicts with `firehose_arn` | `bool` | `false` | no |
 | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no |
 | [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
 | [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no |
 | [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no |
 | [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no |
 | [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no |
-| [network\_firewall\_policies](#input\_network\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
stateless\_rule\_group\_references:
A list of maps of configuration blocks containing references to the stateful rule groups that are used in the policy.
Format: `{ "resourceARN": "arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2", "priority": 10 }`
stateless\_default\_actions:
A list of actions to take on a packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_fragment\_default\_actions:
A list of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_custom\_actions:
A list of maps describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions`.
Format: `{ "actionName": "custom1", "actionDefinition": { "publishMetricAction": { "dimensions": [ { "value": "dimension1" } ] } } }`
stateful\_rule\_group\_references\_arns:
A list of ARNs of the stateful rule groups.
orchestration\_config:
single\_firewall\_endpoint\_per\_vpc:
Whether to use single Firewall Endpoint per VPC.
Defaults to `false`.
allowed\_ipv4\_cidrs:
A list of allowed ipv4 cidrs. | `list(any)` | `[]` | no |
+| [network\_firewall\_policies](#input\_network\_firewall\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
stateless\_rule\_group\_references:
A list of maps of configuration blocks containing references to the stateful rule groups that are used in the policy.
Format: `{ "resourceARN": "arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2", "priority": 10 }`
stateless\_default\_actions:
A list of actions to take on a packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_fragment\_default\_actions:
A list of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy.
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`.
In addition, you can specify custom actions that are compatible with your standard action choice.
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward\_to\_sfe.
stateless\_custom\_actions:
A list of maps describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions`.
Format: `{ "actionName": "custom1", "actionDefinition": { "publishMetricAction": { "dimensions": [ { "value": "dimension1" } ] } } }`
stateful\_rule\_group\_references\_arns:
A list of ARNs of the stateful rule groups.
orchestration\_config:
single\_firewall\_endpoint\_per\_vpc:
Whether to use single Firewall Endpoint per VPC.
Defaults to `false`.
allowed\_ipv4\_cidrs:
A list of allowed ipv4 cidrs. | `list(any)` | `[]` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
-| [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
revert\_manual\_security\_group\_changes:
Whether to revert manual Security Group changes.
Defaults to `false`.
exclusive\_resource\_security\_group\_management:
Wheter to exclusive resource Security Group management.
Defaults to `false`.
apply\_to\_all\_ec2\_instance\_enis:
Whether to apply to all EC2 instance ENIs.
Defaults to `false`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no |
-| [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
security\_group\_action:
For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.
For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Possible values: `ALLOW`, `DENY`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no |
-| [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
delete\_unused\_security\_groups:
Whether to delete unused Security Groups.
Defaults to `false`.
coalesce\_redundant\_security\_groups:
Whether to coalesce redundant Security Groups.
Defaults to `false`. | `list(any)` | n/a | yes |
-| [shiled\_advanced\_policies](#input\_shiled\_advanced\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no |
+| [security\_groups\_common\_policies](#input\_security\_groups\_common\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
revert\_manual\_security\_group\_changes:
Whether to revert manual Security Group changes.
Defaults to `false`.
exclusive\_resource\_security\_group\_management:
Wheter to exclusive resource Security Group management.
Defaults to `false`.
apply\_to\_all\_ec2\_instance\_enis:
Whether to apply to all EC2 instance ENIs.
Defaults to `false`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no |
+| [security\_groups\_content\_audit\_policies](#input\_security\_groups\_content\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
security\_group\_action:
For `ALLOW`, all in-scope security group rules must be within the allowed range of the policy's security group rules.
For `DENY`, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
Possible values: `ALLOW`, `DENY`.
security\_groups:
A list of Security Group IDs. | `list(any)` | `[]` | no |
+| [security\_groups\_usage\_audit\_policies](#input\_security\_groups\_usage\_audit\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
delete\_unused\_security\_groups:
Whether to delete unused Security Groups.
Defaults to `false`.
coalesce\_redundant\_security\_groups:
Whether to coalesce redundant Security Groups.
Defaults to `false`. | `list(any)` | n/a | yes |
+| [shiled\_advanced\_policies](#input\_shiled\_advanced\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy. | `list(any)` | `[]` | no | | [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [waf\_policies](#input\_waf\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
rule\_groups:
A list of rule groups. | `list(any)` | `[]` | no | -| [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
override\_customer\_web\_acl\_association:
Wheter to override customer Web ACL association
logging\_configuration:
The WAFv2 Web ACL logging configuration.
pre\_process\_rule\_groups:
A list of pre-proccess rule groups.
post\_process\_rule\_groups:
A list of post-proccess rule groups. | `list(any)` | `[]` | no | +| [waf\_policies](#input\_waf\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
rule\_groups:
A list of rule groups. | `list(any)` | `[]` | no | +| [waf\_v2\_policies](#input\_waf\_v2\_policies) | name:
The friendly name of the AWS Firewall Manager Policy.
delete\_all\_policy\_resources:
Whether to perform a clean-up process.
Defaults to `true`.
exclude\_resource\_tags:
A boolean value, if `true` the tags that are specified in the `resource_tags` are not protected by this policy.
If set to `false` and `resource_tags` are populated, resources that contain tags will be protected by this policy.
Defaults to `false`.
remediation\_enabled:
A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
Defaults to `false`.
resource\_type\_list:
A list of resource types to protect. Conflicts with `resource_type`.
resource\_type:
A resource type to protect. Conflicts with `resource_type_list`.
resource\_tags:
A map of resource tags, that if present will filter protections on resources based on the `exclude_resource_tags`.
exclude\_account\_ids:
A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
include\_account\_ids:
A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
policy\_data:
default\_action:
The action that you want AWS WAF to take.
Possible values: `ALLOW`, `BLOCK` or `COUNT`.
override\_customer\_web\_acl\_association:
Wheter to override customer Web ACL association
logging\_configuration:
The WAFv2 Web ACL logging configuration.
pre\_process\_rule\_groups:
A list of pre-proccess rule groups.
post\_process\_rule\_groups:
A list of post-proccess rule groups. | `list(any)` | `[]` | no | ## Outputs | Name | Description | |------|-------------| -| [admin\_account\_id](#output\_admin\_account\_id) | The AWS account ID of the AWS Firewall Manager administrator account. | +| [admin\_account](#output\_admin\_account) | n/a | diff --git a/firehose.tf b/firehose.tf new file mode 100644 index 0000000..4aebad5 --- /dev/null +++ b/firehose.tf 
@@ -0,0 +1,58 @@
+module "firehose_label" {
+ source = "cloudposse/label/null"
+ version = "0.24.1"
+
+ attributes = ["firehose"]
+
+ context = module.this.context
+}
+
+module "firehose_s3_bucket" {
+ count = local.enabled && var.firehose_enabled ? 1 : 0
+ source = "cloudposse/s3-bucket/aws"
+ version = "0.38.0"
+ acl = "private"
+ enabled = true
+ user_enabled = true
+ versioning_enabled = false
+ allowed_bucket_actions = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
+ name = module.firehose_label.id
+ stage = module.this.stage
+ namespace = module.this.namespace
+ bucket_name = module.firehose_label.id
+
+ context = module.this.context
+}
+
+data "aws_iam_policy_document" "assume_role" {
+ count = local.enabled ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["firehose.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "firehose_role" {
+ count = local.enabled && var.firehose_enabled ? 1 : 0
+ name = module.firehose_label.id
+
+ assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "firehose_stream" {
+ count = local.enabled && var.firehose_enabled ? 1 : 0
+ // `aws-waf-logs-` required by AWS - https://aws.amazon.com/premiumsupport/knowledge-center/waf-configure-comprehensive-logging/
+ name = format("%s%s", "aws-waf-logs-", module.this.id)
+ destination = "s3"
+
+ s3_configuration {
+ role_arn = join("", aws_iam_role.firehose_role.*.arn)
+ bucket_arn = join("", module.firehose_s3_bucket.*.bucket_arn)
+ }
+}
diff --git a/main.tf b/main.tf
index 3bac502..b55ff72 100644
--- a/main.tf
+++ b/main.tf
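Review bot: `aws_iam_role.firehose_role` is created with only a trust policy (`assume_role_policy`) and nothing in this file attaches a permissions policy to it, so the role the delivery stream assumes in `s3_configuration` has no right to write into `module.firehose_s3_bucket` and delivery will fail unless a policy is attached elsewhere. The trust statement also accepts `firehose.amazonaws.com` from any account; an `sts:ExternalId` condition equal to the current account id, as the Firehose documentation shows, scopes it to streams in this account. Separately, `user_enabled = true` on the bucket module appears to create an IAM user with static credentials for a bucket whose only intended writer is the Firehose role; consider `user_enabled = false` unless that user is actually needed. The sketch below adds the trust condition and an `aws_iam_role_policy` granting the role the bucket actions Firehose needs, and aligns the `assume_role` count with the role's.
```hcl
# … unchanged: module.firehose_label, module.firehose_s3_bucket …

data "aws_caller_identity" "current" {
  count = local.enabled && var.firehose_enabled ? 1 : 0
}

data "aws_iam_policy_document" "assume_role" {
  count = local.enabled && var.firehose_enabled ? 1 : 0

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["firehose.amazonaws.com"]
    }

    # Only Firehose streams in this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [join("", data.aws_caller_identity.current.*.account_id)]
    }
  }
}

# … unchanged: aws_iam_role.firehose_role …

# Permissions the stream needs to deliver into the bucket; the role otherwise carries only a trust policy.
data "aws_iam_policy_document" "firehose_s3" {
  count = local.enabled && var.firehose_enabled ? 1 : 0

  statement {
    effect = "Allow"
    actions = [
      "s3:AbortMultipartUpload",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:ListBucketMultipartUploads",
      "s3:PutObject",
    ]
    resources = [
      join("", module.firehose_s3_bucket.*.bucket_arn),
      format("%s/*", join("", module.firehose_s3_bucket.*.bucket_arn)),
    ]
  }
}

resource "aws_iam_role_policy" "firehose_s3" {
  count  = local.enabled && var.firehose_enabled ? 1 : 0
  name   = module.firehose_label.id
  role   = join("", aws_iam_role.firehose_role.*.id)
  policy = join("", data.aws_iam_policy_document.firehose_s3.*.json)
}

# … unchanged: aws_kinesis_firehose_delivery_stream.firehose_stream …
```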
@@ -8,10 +8,16 @@ locals {
 waf_v2_policies = local.enabled && length(var.waf_v2_policies) > 0 ? { for policy in flatten(var.waf_v2_policies) : policy.name => policy } : {}
 dns_firewall_policies = local.enabled && length(var.dns_firewall_policies) > 0 ? { for policy in flatten(var.dns_firewall_policies) : policy.name => policy } : {}
 network_firewall_policies = local.enabled && length(var.network_firewall_policies) > 0 ? { for policy in flatten(var.network_firewall_policies) : policy.name => policy } : {}
+
+
+ logging_config_firehose_arn = { logDestinationConfigs : [var.firehose_arn], redactedFields : [{ redactedFieldType : "SingleHeader", redactedFieldValue : "Cookies" }, { redactedFieldType : "Method" }] }
+ logging_config_firehose_enabled = { logDestinationConfigs : [join("", aws_kinesis_firehose_delivery_stream.firehose_stream.*.id)], redactedFields : [{ redactedFieldType : "SingleHeader", redactedFieldValue : "Cookies" }, { redactedFieldType : "Method" }] }
+
+ logging_configuration = local.enabled && var.firehose_enabled ? local.logging_config_firehose_enabled : local.enabled && var.firehose_arn != null ? local.logging_config_firehose_arn : {}
 }
 resource "aws_fms_admin_account" "default" {
- count = local.enabled ? 1 : 0
+ count = local.enabled && var.admin_account_enabled ? 1 : 0
 provider = aws.admin
 account_id = var.admin_account_id
diff --git a/variables.tf b/variables.tf
index e5969c6..12780d1 100644
--- a/variables.tf
+++ b/variables.tf
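Review bot: `logging_config_firehose_enabled` puts `aws_kinesis_firehose_delivery_stream.firehose_stream.*.id` into `logDestinationConfigs`, which expects the stream ARN; the provider appears to use the ARN as that resource's id, but `.arn` states the requirement explicitly and does not depend on it. Both `redactedFields` lists drop the `Cookies` header and the method yet leave `Authorization`, so bearer tokens and basic-auth credentials in logged requests reach the bucket in clear text; add `{ redactedFieldType : "SingleHeader", redactedFieldValue : "Authorization" }` to each list. The mutual exclusion that the `firehose_enabled` and `firehose_arn` descriptions in variables.tf promise is not enforced anywhere, and `logging_configuration` silently prefers `firehose_enabled` when both are set, which deserves a comment on the ternary, e.g. `# firehose_enabled takes precedence over firehose_arn; the two are documented as mutually exclusive but not validated`. The `locals` block begins outside the hunk.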
@@ -4,6 +4,24 @@ variable "admin_account_id" {
 default = null
 }
+variable "admin_account_enabled" {
+ type = bool
+ description = "Resource for aws_fms_admin_account is enabled and will be created or destroyed"
+ default = true
+}
+
+variable "firehose_enabled" {
+ type = bool
+ description = "Create a Kinesis Firehose destination for WAF_V2 Rules. Conflicts with `firehose_arn`"
+ default = false
+}
+
+variable "firehose_arn" {
+ type = string
+ description = "Kinesis Firehose ARN used to create a Kinesis Firehose destination for WAF_V2 Rules. Conflicts with `firehose_enabled`"
+ default = null
+}
+
 variable "security_groups_common_policies" {
 type = list(any)
 default = []
diff --git a/waf_v2.tf b/waf_v2.tf
index cc2fada..5f83e6c 100644
--- a/waf_v2.tf
+++ b/waf_v2.tf
@@ -48,7 +48,7 @@ resource "aws_fms_policy" "waf_v2" {
 }
 overrideCustomerWebACLAssociation = lookup(each.value.policy_data, "override_customer_web_acl_association", false)
- loggingConfiguration = lookup(each.value.policy_data, "logging_configuration", {})
+ loggingConfiguration = lookup(each.value.policy_data, "logging_configuration", local.logging_configuration)
 })
 }
 }
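Review bot: The description of `admin_account_enabled`, `Resource for aws_fms_admin_account is enabled and will be created or destroyed`, does not tell a caller what the flag decides; `description = "Whether this module creates the aws_fms_admin_account resource"` says it plainly. The two firehose descriptions call the destination one for "WAF_V2 Rules", while the hunk in waf_v2.tf feeds it into a policy's `loggingConfiguration`; "WAFv2 policy logging" would describe the actual use. The "Conflicts with" wording in both implies a plan-time error that neither variable has a `validation` block for, so it is worth stating which one wins instead.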