Coalfire-CF/terraform-aws-account-setup

AWS Account Setup Terraform Module

Description

The AWS account setup module creates the initial account configuration for your project, including IAM roles, KMS keys, an S3 installs bucket, and more.

FedRAMP Compliance: High

Resource List

Resources that are created as a part of this module include:

  • IAM role, policies, and instance profile for Packer to assume during AMI creation (optional; one account can build and store AMIs and share them with the other accounts)
  • KMS keys and the IAM permissions typically required by commonly used services (S3, DynamoDB, ELB, RDS, EBS, etc.)
  • S3 buckets. The ELB access logs bucket is optional: with multiple accounts you can designate one as a centralized logging account and have the other accounts send their ELB logs to that account's bucket. This is not possible for S3 server access logs, whose target bucket must be in the same account as the source bucket.
    • Set "create_s3_elb_accesslogs_bucket" to "true" when running the module in the account where the logs should be sent.
  • Security core module resources (optional; Terraform state resources do not have to exist in every account)
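The centralized ELB logging pattern described above, written out as two separate root modules (one per account) in a single listing, as an added example that is not part of this module's code. It uses the module's own `create_s3_elb_accesslogs_bucket` and `create_s3_accesslogs_bucket` inputs and its `s3_elb_access_logs_id` output; the `central_elb_accesslogs_bucket`, `private_subnet_ids` and `alb_security_group_id` variables, the `aws_lb` resource and the account-number placeholders are assumptions for the example.

```hcl
# ---- logging-account/main.tf : the account that owns the ELB access-logs bucket ----

module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"

  # Member accounts that will deliver ELB logs into this account's bucket (placeholder values).
  application_account_numbers = ["member-account-number"]
  account_number              = "logging-account-number"
  resource_prefix             = "pak"

  # This is the account the logs are sent to, so the ELB log bucket is created here.
  create_s3_elb_accesslogs_bucket = true
}

# Exported so the member account can reference the bucket by name.
output "elb_accesslogs_bucket" {
  value = module.account-setup.s3_elb_access_logs_id
}

# ---- member-account/main.tf : an account whose load balancers log centrally ----

# Assumed inputs: the bucket name exported above, plus network details for the ALB.
variable "central_elb_accesslogs_bucket" {
  type        = string
  description = "Name of the ELB access-logs bucket in the logging account"
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "alb_security_group_id" {
  type = string
}

module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"

  # No application accounts need shared access from this account (see Assumptions).
  application_account_numbers = [""]
  account_number              = "member-account-number"
  resource_prefix             = "pak"

  # No local ELB log bucket: logs go to the logging account instead.
  create_s3_elb_accesslogs_bucket = false

  # S3 server access logs cannot be delivered across accounts, so that bucket stays local.
  create_s3_accesslogs_bucket = true
}

# An internal application load balancer that writes its access logs to the
# logging account's bucket under its own prefix.
resource "aws_lb" "app" {
  name               = "pak-app-alb"
  load_balancer_type = "application"
  internal           = true
  subnets            = var.private_subnet_ids
  security_groups    = [var.alb_security_group_id]

  access_logs {
    bucket  = var.central_elb_accesslogs_bucket
    prefix  = "pak-app-alb"
    enabled = true
  }
}
```

Two constraints worth checking before relying on this: ELB access logs can only be delivered to a bucket in the same region as the load balancer, and the bucket policy in the logging account must allow the region's Elastic Load Balancing service account (what the module's `aws_elb_service_account.main` data source resolves) to put objects under `AWSLogs/<member-account-number>/` for every member account listed. If the first log delivery does not appear within a few minutes, those two points are the first place to look.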

Assumptions

  • application_account_numbers does not need real values: if no application accounts need shared access, pass application_account_numbers = [""]

Usage

"Management Core" account: Terraform state is stored here, Packer AMIs are built here, and this is also the management account for AWS Organizations:

```hcl
module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"

  application_account_numbers = ["account-number1", "account-number2", "account-number3"]
  account_number              = "your-account-number"

  resource_prefix = "pak"

  ### Cloudtrail ###
  create_cloudtrail                      = true
  is_organization                        = true
  organization_id                        = "your-organization-id"
  cloudwatch_log_group_retention_in_days = 30

  ### KMS ###
  additional_kms_keys = [
    {
      name = "nfw"
      # Key policy document defined elsewhere in the root module that calls this module.
      policy = data.aws_iam_policy_document.default_key_policy.json
    }
  ]

  ### Packer ###
  # Packer AMIs are built and kept in this account and shared with the other accounts
  # (the accounts to share with are passed to Packer as a variable at build time).
  create_packer_iam = true

  ### Terraform ###
  create_security_core = true # Terraform state is kept in this account
}
```

Member account: does not need Terraform state resources (S3 bucket to store state, DynamoDB table for state locking), Packer AMIs are not built here, and this is not the management account for AWS Organizations.

```hcl
module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region         = "us-gov-west-1"
  default_aws_region = "us-gov-west-1"

  application_account_numbers = ["account-number1", "account-number2", "account-number3"]
  account_number              = "your-account-number"

  resource_prefix = "pak"

  ### KMS ###
  additional_kms_keys = [
    {
      name = "nfw"
      # Key policy document defined elsewhere in the root module that calls this module.
      policy = data.aws_iam_policy_document.default_key_policy.json
    }
  ]
}
```
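Both Usage examples pass `data.aws_iam_policy_document.default_key_policy.json` as the policy of an additional KMS key without showing that document. The following is an added example of such a key policy for the calling root module; it is not the module's own code. It assumes the caller declares `account_number` and `application_account_numbers` variables with the same meaning as the module inputs of those names, and it handles the `[""]` convention from the Assumptions section.

```hcl
# Assumed caller variables; they mirror the module inputs of the same names.
variable "account_number" {
  type = string
}

variable "application_account_numbers" {
  type = list(string)
}

# Resolves to "aws" or "aws-us-gov" so the ARNs below are correct in GovCloud.
data "aws_partition" "current" {}

locals {
  # The README allows application_account_numbers = [""]. compact() drops the
  # empty strings so no malformed "arn:...:iam:::root" principal is generated.
  app_accounts = compact(var.application_account_numbers)
}

data "aws_iam_policy_document" "default_key_policy" {
  # Key administration stays with this account. A KMS key policy is the only
  # thing that grants access to a key; without this statement the key could
  # not be managed or have IAM policies applied to it in this account.
  statement {
    sid       = "EnableKeyAdministrationByThisAccount"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${var.account_number}:root"]
    }
  }

  # Application accounts get data-plane use of the key only, never key
  # administration. The statement is emitted only when at least one real
  # account number was supplied, so [""] yields a single-statement policy.
  dynamic "statement" {
    for_each = length(local.app_accounts) > 0 ? [1] : []

    content {
      sid    = "AllowApplicationAccountsToUseTheKey"
      effect = "Allow"
      actions = [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
      ]
      resources = ["*"]

      principals {
        type = "AWS"
        identifiers = [
          for acct in local.app_accounts :
          "arn:${data.aws_partition.current.partition}:iam::${acct}:root"
        ]
      }
    }
  }
}
```

Granting an account's `:root` principal in a key policy delegates the decision to that account's own IAM: a principal in an application account can only use the key if it also carries an IAM policy allowing those `kms:` actions on this key's ARN. That two-sided check is the property you want from cross-account sharing, and it is why the statement lists the specific use actions rather than `kms:*`.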

Requirements

| Name | Version |
|------|---------|
| terraform | >=1.5.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| additional_kms_keys | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| backup_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| cloudwatch_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| config_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| dynamo_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| ebs_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| lambda_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| rds_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| s3-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-backups | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-cloudtrail | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-config | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-elb-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-fedrampdoc | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-installs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| security-core | github.com/Coalfire-CF/terraform-aws-securitycore | v0.0.19 |
| sm_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| sns_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |

Resources

| Name | Type |
|------|------|
| aws_cloudtrail.all_cloudtrail | resource |
| aws_cloudwatch_log_group.cloudtrail_log_group | resource |
| aws_iam_instance_profile.packer_profile | resource |
| aws_iam_policy.cloudtrail-to-cloudwatch | resource |
| aws_iam_policy.packer_policy | resource |
| aws_iam_policy_attachment.cloudtrail-to-cloudwatch | resource |
| aws_iam_policy_attachment.packer_access_attach_policy | resource |
| aws_iam_role.cloudtrail-role | resource |
| aws_iam_role.packer_role | resource |
| aws_kms_grant.packer_ebs | resource |
| aws_kms_grant.packer_s3 | resource |
| aws_s3_bucket_policy.cloudtrail_bucket_policy | resource |
| aws_s3_bucket_policy.config_bucket_policy | resource |
| aws_caller_identity.current | data source |
| aws_elb_service_account.main | data source |
| aws_iam_policy_document.cloudtrail_assume_role_policy_document | data source |
| aws_iam_policy_document.cloudtrail_to_cloudwatch_policy_document | data source |
| aws_iam_policy_document.cloudwatch_key | data source |
| aws_iam_policy_document.config_key | data source |
| aws_iam_policy_document.dynamo_key | data source |
| aws_iam_policy_document.ebs_key | data source |
| aws_iam_policy_document.elb_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.log_bucket_policy | data source |
| aws_iam_policy_document.packer_assume_role_policy_document | data source |
| aws_iam_policy_document.packer_policy_document | data source |
| aws_iam_policy_document.s3_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.s3_config_bucket_policy_doc | data source |
| aws_iam_policy_document.s3_key | data source |
| aws_iam_policy_document.secrets_manager_key | data source |
| aws_iam_policy_document.sns_key | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_number | The AWS account number resources are being deployed into | string | n/a | yes |
| additional_kms_keys | A list of maps of any additional KMS keys that need to be created | list(map(string)) | [] | no |
| application_account_numbers | AWS account numbers for all application accounts that might need shared access to resources like KMS keys | list(string) | n/a | yes |
| aws_region | The AWS region to create resources in | string | n/a | yes |
| cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs | number | 30 | no |
| create_backup_kms_key | Create KMS key for AWS Backup | bool | true | no |
| create_cloudtrail | Whether or not to create CloudTrail resources | bool | false | no |
| create_cloudwatch_kms_key | Create KMS key for AWS CloudWatch | bool | true | no |
| create_config_kms_key | Create KMS key for AWS Config | bool | true | no |
| create_dynamo_kms_key | Create KMS key for DynamoDB | bool | true | no |
| create_ebs_kms_key | Create KMS key for EBS | bool | true | no |
| create_lambda_kms_key | Create KMS key for Lambda | bool | true | no |
| create_packer_iam | Whether or not to create Packer IAM resources | bool | false | no |
| create_rds_kms_key | Create KMS key for RDS | bool | true | no |
| create_s3_accesslogs_bucket | Create S3 Access Logs Bucket | bool | true | no |
| create_s3_backups_bucket | Create S3 Backups Bucket | bool | true | no |
| create_s3_config_bucket | Create S3 AWS Config Bucket for conformance pack storage | bool | true | no |
| create_s3_elb_accesslogs_bucket | Create S3 ELB Access Logs Bucket | bool | true | no |
| create_s3_fedrampdoc_bucket | Create S3 FedRAMP Documents Bucket | bool | true | no |
| create_s3_installs_bucket | Create S3 Installs Bucket | bool | true | no |
| create_s3_kms_key | Create KMS key for S3 | bool | true | no |
| create_security_core | Whether or not to create Security Core resources | bool | false | no |
| create_sm_kms_key | Create KMS key for Secrets Manager | bool | true | no |
| create_sns_kms_key | Create KMS key for SNS | bool | true | no |
| default_aws_region | The default AWS region to create resources in | string | n/a | yes |
| is_organization | Whether or not to enable certain settings for AWS Organizations | bool | true | no |
| organization_id | AWS Organization ID | string | null | no |
| resource_prefix | The prefix for resources | string | n/a | yes |
| root_org_account_number | The AWS account number for the Root Org Account | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| additional_kms_key_arns | n/a |
| additional_kms_key_ids | n/a |
| backup_kms_key_arn | n/a |
| backup_kms_key_id | n/a |
| cloudwatch_kms_key_arn | n/a |
| cloudwatch_kms_key_id | n/a |
| config_kms_key_arn | n/a |
| config_kms_key_id | n/a |
| dynamo_kms_key_arn | n/a |
| dynamo_kms_key_id | n/a |
| dynamodb_table_name | n/a |
| ebs_kms_key_arn | n/a |
| ebs_kms_key_id | n/a |
| lambda_kms_key_arn | n/a |
| lambda_kms_key_id | n/a |
| rds_kms_key_arn | n/a |
| rds_kms_key_id | n/a |
| s3_access_logs_arn | n/a |
| s3_access_logs_id | n/a |
| s3_backups_arn | n/a |
| s3_backups_id | n/a |
| s3_cloudtrail_arn | n/a |
| s3_cloudtrail_id | n/a |
| s3_config_arn | n/a |
| s3_config_id | n/a |
| s3_elb_access_logs_arn | n/a |
| s3_elb_access_logs_id | n/a |
| s3_fedrampdoc_arn | n/a |
| s3_fedrampdoc_id | n/a |
| s3_installs_arn | n/a |
| s3_installs_id | n/a |
| s3_kms_key_arn | n/a |
| s3_kms_key_id | n/a |
| s3_tstate_bucket_name | n/a |
| sm_kms_key_arn | n/a |
| sm_kms_key_id | n/a |
| sns_kms_key_arn | n/a |
| sns_kms_key_id | n/a |

Contributing

If you're interested in contributing to our projects, please review the Contributing Guidelines, and send an email to our team to receive a copy of our CLA and start the onboarding process.

License


Copyright

Copyright © 2023 Coalfire Systems Inc.

Requirements

| Name | Version |
|------|---------|
| terraform | >=1.5.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| additional_kms_keys | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| backup_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| cloudwatch_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| dynamo_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| ebs_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| lambda_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| rds_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| s3-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-backups | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-cloudtrail | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-elb-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-fedrampdoc | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3-installs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
| s3_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| security-core | github.com/Coalfire-CF/terraform-aws-securitycore | 02087ae72394cd06431efc5dbbc4bf1f7f88ad14 |
| sm_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
| sns_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |

Resources

| Name | Type |
|------|------|
| aws_cloudtrail.all_cloudtrail | resource |
| aws_cloudwatch_log_group.cloudtrail_log_group | resource |
| aws_iam_instance_profile.packer_profile | resource |
| aws_iam_policy.cloudtrail-to-cloudwatch | resource |
| aws_iam_policy.packer_policy | resource |
| aws_iam_policy_attachment.cloudtrail-to-cloudwatch | resource |
| aws_iam_policy_attachment.packer_access_attach_policy | resource |
| aws_iam_role.cloudtrail-role | resource |
| aws_iam_role.packer_role | resource |
| aws_kms_grant.packer_ebs | resource |
| aws_kms_grant.packer_s3 | resource |
| aws_s3_bucket_policy.cloudtrail_bucket_policy | resource |
| aws_elb_service_account.main | data source |
| aws_iam_policy_document.cloudtrail_assume_role_policy_document | data source |
| aws_iam_policy_document.cloudtrail_to_cloudwatch_policy_document | data source |
| aws_iam_policy_document.cloudwatch_key | data source |
| aws_iam_policy_document.dynamo_key | data source |
| aws_iam_policy_document.ebs_key | data source |
| aws_iam_policy_document.elb_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.log_bucket_policy | data source |
| aws_iam_policy_document.packer_assume_role_policy_document | data source |
| aws_iam_policy_document.packer_policy_document | data source |
| aws_iam_policy_document.s3_accesslogs_bucket_policy | data source |
| aws_iam_policy_document.s3_key | data source |
| aws_iam_policy_document.secrets_manager_key | data source |
| aws_iam_policy_document.sns_key | data source |
| aws_partition.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_number | The AWS account number resources are being deployed into | string | n/a | yes |
| additional_kms_keys | A list of maps of any additional KMS keys that need to be created | list(map(string)) | [] | no |
| application_account_numbers | AWS account numbers for all application accounts that might need shared access to resources like KMS keys | list(string) | n/a | yes |
| aws_region | The AWS region to create resources in | string | n/a | yes |
| cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs | number | 30 | no |
| create_backup_kms_key | Create KMS key for AWS Backup | bool | true | no |
| create_cloudtrail | Whether or not to create CloudTrail resources | bool | false | no |
| create_cloudwatch_kms_key | Create KMS key for AWS CloudWatch | bool | true | no |
| create_dynamo_kms_key | Create KMS key for DynamoDB | bool | true | no |
| create_ebs_kms_key | Create KMS key for EBS | bool | true | no |
| create_lambda_kms_key | Create KMS key for Lambda | bool | true | no |
| create_packer_iam | Whether or not to create Packer IAM resources | bool | false | no |
| create_rds_kms_key | Create KMS key for RDS | bool | true | no |
| create_s3_accesslogs_bucket | Create S3 Access Logs Bucket | bool | false | no |
| create_s3_backups_bucket | Create S3 Backups Bucket | bool | true | no |
| create_s3_elb_accesslogs_bucket | Create S3 ELB Access Logs Bucket | bool | false | no |
| create_s3_fedrampdoc_bucket | Create S3 FedRAMP Documents Bucket | bool | true | no |
| create_s3_installs_bucket | Create S3 Installs Bucket | bool | true | no |
| create_s3_kms_key | Create KMS key for S3 | bool | true | no |
| create_security_core | Whether or not to create Security Core resources | bool | false | no |
| create_sm_kms_key | Create KMS key for Secrets Manager | bool | true | no |
| create_sns_kms_key | Create KMS key for SNS | bool | true | no |
| default_aws_region | The default AWS region to create resources in | string | n/a | yes |
| is_organization | Whether or not to enable certain settings for AWS Organizations | bool | true | no |
| organization_id | AWS Organization ID | string | null | no |
| resource_prefix | The prefix for resources | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| additional_kms_key_arns | n/a |
| additional_kms_key_ids | n/a |
| backup_kms_key_arn | n/a |
| backup_kms_key_id | n/a |
| cloudtrail_sns_kms_key_arn | n/a |
| cloudtrail_sns_kms_key_id | n/a |
| cloudwatch_kms_key_arn | n/a |
| cloudwatch_kms_key_id | n/a |
| dynamo_kms_key_arn | n/a |
| dynamo_kms_key_id | n/a |
| dynamodb_table_name | n/a |
| ebs_kms_key_arn | n/a |
| ebs_kms_key_id | n/a |
| lambda_kms_key_arn | n/a |
| lambda_kms_key_id | n/a |
| rds_kms_key_arn | n/a |
| rds_kms_key_id | n/a |
| s3_access_logs_arn | n/a |
| s3_access_logs_id | n/a |
| s3_backups_arn | n/a |
| s3_backups_id | n/a |
| s3_cloudtrail_arn | n/a |
| s3_cloudtrail_id | n/a |
| s3_elb_access_logs_arn | n/a |
| s3_elb_access_logs_id | n/a |
| s3_fedrampdoc_arn | n/a |
| s3_fedrampdoc_id | n/a |
| s3_installs_arn | n/a |
| s3_installs_id | n/a |
| s3_kms_key_arn | n/a |
| s3_kms_key_id | n/a |
| s3_tstate_bucket_name | n/a |
| sm_kms_key_arn | n/a |
| sm_kms_key_id | n/a |