The AWS account set up module creates the initial account configuration for your project, including IAM roles, KMS keys, S3 installs bucket, and more.
FedRAMP Compliance: High
Resources that are created as a part of this module include:
- IAM role, policies, and instance profiles for Packer to assume during AMI creation (optional; one account can build and store AMIs and share them with other accounts)
- KMS keys and the IAM permissions typically required for commonly used services (S3, DynamoDB, ELB, RDS, EBS, etc.)
- S3 buckets. The ELB access logs bucket is optional: with multiple accounts, you can designate one as a centralized logging account and have the other accounts send their ELB logs to that account's bucket. This is not possible with S3 access logs, where the bucket must be in the same account.
  - Set `create_s3_elb_accesslogs_bucket` to `true` when this is run in the account that should receive the logs.
- Security core module resources (optional; Terraform state resources don't have to be in every account)
`application_account_numbers` isn't required - you can feed it `application_account_numbers = [""]`.
"Management Core" account. Terraform state is stored here, Packer AMIs are built here, and it is also the management account for AWS Organizations:

```hcl
module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region                  = "us-gov-west-1"
  default_aws_region          = "us-gov-west-1"
  application_account_numbers = ["account-number1", "account-number2", "account-number3"]
  account_number              = "your-account-number"
  resource_prefix             = "pak"

  ### Cloudtrail ###
  create_cloudtrail                      = true
  is_organization                        = true
  organization_id                        = "your-organization-id"
  cloudwatch_log_group_retention_in_days = 30

  ### KMS ###
  additional_kms_keys = [
    {
      name   = "nfw"
      policy = data.aws_iam_policy_document.default_key_policy.json
    }
  ]

  ### Packer ###
  create_packer_iam = true # Packer AMIs will be built and kept in this account and shared with other accounts (the accounts to share with are provided to Packer as a variable at build time)

  ### Terraform ###
  create_security_core = true # Terraform state will be kept in this account
}
```
Member account. It does not need Terraform resources (S3 bucket to store state, DynamoDB table for state lock), Packer AMIs will not be built in this account, and it is not a management account for AWS Organizations:

```hcl
module "account-setup" {
  source = "github.com/Coalfire-CF/terraform-aws-account-setup?ref=v0.0.20"

  aws_region                  = "us-gov-west-1"
  default_aws_region          = "us-gov-west-1"
  application_account_numbers = ["account-number1", "account-number2", "account-number3"]
  account_number              = "your-account-number"
  resource_prefix             = "pak"

  ### KMS ###
  additional_kms_keys = [
    {
      name   = "nfw"
      policy = data.aws_iam_policy_document.default_key_policy.json
    }
  ]
}
```
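Both examples above pass `data.aws_iam_policy_document.default_key_policy.json` to `additional_kms_keys` without showing that data source. The following is an added illustration, not code from this module or its README, of a key policy that fits the cross-account sharing the module is built for: the owning account keeps key administration, the listed application accounts get only the data-plane permissions needed to use the key, and the empty-string placeholder that the note above allows in `application_account_numbers` is filtered out rather than turned into a malformed principal ARN. The root-module variables `account_number` and `application_account_numbers` are assumed to mirror the module inputs of the same names.

```hcl
# Added example (not part of the module): key policy for keys passed via additional_kms_keys.
# Assumes root-module variables named like the module inputs.
variable "account_number" { type = string }
variable "application_account_numbers" { type = list(string) }

# Partition lookup keeps the ARNs correct in GovCloud (aws-us-gov) as well as commercial regions.
data "aws_partition" "current" {}

locals {
  # Drop the "" placeholder so no broken principal ARN reaches the key policy.
  shared_accounts = [for a in var.application_account_numbers : a if a != ""]
  arn_prefix      = "arn:${data.aws_partition.current.partition}:iam::"
}

data "aws_iam_policy_document" "default_key_policy" {
  # Full key administration stays with the account that owns the key.
  statement {
    sid       = "EnableKeyAdministrationByOwningAccount"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["${local.arn_prefix}${var.account_number}:root"]
    }
  }

  # Application accounts get usage only: no PutKeyPolicy, ScheduleKeyDeletion or grant management.
  # Emitted only when at least one real account is listed, since principals cannot be empty.
  # Service-integrated use (EBS, RDS) additionally needs kms:CreateGrant, conditioned on
  # kms:GrantIsForAWSResource = true, which this example deliberately leaves out.
  dynamic "statement" {
    for_each = length(local.shared_accounts) > 0 ? [1] : []
    content {
      sid       = "AllowApplicationAccountsUseOfTheKey"
      effect    = "Allow"
      actions   = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = [for a in local.shared_accounts : "${local.arn_prefix}${a}:root"]
      }
    }
  }
}
```

Because the principals are account roots, each application account still has to grant its own IAM roles the matching `kms:` actions; the key policy alone does not make the key usable there.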
Name | Version |
---|---|
terraform | >=1.5.0 |
aws | ~> 5.0 |
Name | Version |
---|---|
aws | ~> 5.0 |
Name | Source | Version |
---|---|---|
additional_kms_keys | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
backup_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
cloudwatch_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
config_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
dynamo_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
ebs_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
lambda_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
rds_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
s3-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-backups | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-cloudtrail | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-config | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-elb-accesslogs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-fedrampdoc | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3-installs | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |
s3_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
security-core | github.com/Coalfire-CF/terraform-aws-securitycore | v0.0.19 |
sm_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
sns_kms_key | github.com/Coalfire-CF/terraform-aws-kms | v0.0.6 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_number | The AWS account number resources are being deployed into | string | n/a | yes |
additional_kms_keys | A list of maps of any additional KMS keys that need to be created | list(map(string)) | [] | no |
application_account_numbers | AWS account numbers for all application accounts that might need shared access to resources like KMS keys | list(string) | n/a | yes |
aws_region | The AWS region to create resources in | string | n/a | yes |
cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs | number | 30 | no |
create_backup_kms_key | Create KMS key for AWS Backup | bool | true | no |
create_cloudtrail | Whether or not to create CloudTrail resources | bool | false | no |
create_cloudwatch_kms_key | Create KMS key for AWS CloudWatch | bool | true | no |
create_config_kms_key | Create KMS key for AWS Config | bool | true | no |
create_dynamo_kms_key | Create KMS key for DynamoDB | bool | true | no |
create_ebs_kms_key | Create KMS key for EBS | bool | true | no |
create_lambda_kms_key | Create KMS key for Lambda | bool | true | no |
create_packer_iam | Whether or not to create Packer IAM resources | bool | false | no |
create_rds_kms_key | Create KMS key for RDS | bool | true | no |
create_s3_accesslogs_bucket | Create S3 Access Logs Bucket | bool | true | no |
create_s3_backups_bucket | Create S3 Backups Bucket | bool | true | no |
create_s3_config_bucket | Create S3 AWS Config Bucket for conformance pack storage | bool | true | no |
create_s3_elb_accesslogs_bucket | Create S3 ELB Access Logs Bucket | bool | true | no |
create_s3_fedrampdoc_bucket | Create S3 FedRAMP Documents Bucket | bool | true | no |
create_s3_installs_bucket | Create S3 Installs Bucket | bool | true | no |
create_s3_kms_key | Create KMS key for S3 | bool | true | no |
create_security_core | Whether or not to create Security Core resources | bool | false | no |
create_sm_kms_key | Create KMS key for Secrets Manager | bool | true | no |
create_sns_kms_key | Create KMS key for SNS | bool | true | no |
default_aws_region | The default AWS region to create resources in | string | n/a | yes |
is_organization | Whether or not to enable certain settings for AWS Organizations | bool | true | no |
organization_id | AWS Organization ID | string | null | no |
resource_prefix | The prefix for resources | string | n/a | yes |
root_org_account_number | The AWS account number for the Root Org Account | string | n/a | yes |
Name | Description |
---|---|
additional_kms_key_arns | n/a |
additional_kms_key_ids | n/a |
backup_kms_key_arn | n/a |
backup_kms_key_id | n/a |
cloudwatch_kms_key_arn | n/a |
cloudwatch_kms_key_id | n/a |
config_kms_key_arn | n/a |
config_kms_key_id | n/a |
dynamo_kms_key_arn | n/a |
dynamo_kms_key_id | n/a |
dynamodb_table_name | n/a |
ebs_kms_key_arn | n/a |
ebs_kms_key_id | n/a |
lambda_kms_key_arn | n/a |
lambda_kms_key_id | n/a |
rds_kms_key_arn | n/a |
rds_kms_key_id | n/a |
s3_access_logs_arn | n/a |
s3_access_logs_id | n/a |
s3_backups_arn | n/a |
s3_backups_id | n/a |
s3_cloudtrail_arn | n/a |
s3_cloudtrail_id | n/a |
s3_config_arn | n/a |
s3_config_id | n/a |
s3_elb_access_logs_arn | n/a |
s3_elb_access_logs_id | n/a |
s3_fedrampdoc_arn | n/a |
s3_fedrampdoc_id | n/a |
s3_installs_arn | n/a |
s3_installs_id | n/a |
s3_kms_key_arn | n/a |
s3_kms_key_id | n/a |
s3_tstate_bucket_name | n/a |
sm_kms_key_arn | n/a |
sm_kms_key_id | n/a |
sns_kms_key_arn | n/a |
sns_kms_key_id | n/a |
If you're interested in contributing to our projects, please review the Contributing Guidelines. And send an email to our team to receive a copy of our CLA and start the onboarding process.
Copyright © 2023 Coalfire Systems Inc.