Fixed SubModule Reference

.config/.terraform-docs.yml

@@ -9,7 +9,7 @@ content: |-
 
   GitHub: [StratusGrid/terraform-account-starter](https://github.com/StratusGrid/terraform-account-starter)
 
-  This is to showcase the use of many of the StratusGrid modules working together using terraform version 0.12.
+  This is to showcase the use of many of the StratusGrid modules working together using terraform.
 
   It will initiate a fully configured AWS account with config and logging set up in all 4 US regions, with terraform state and cloudtrail in us-east-1
 
@@ -19,8 +19,10 @@ content: |-
   - Delete the default VPCs in all regions you will be using (at least all regions with config rules...)
   - Tag the default RDS DB Security Groups in all regions with your required tags (cli to do so is below)
   - Determine if you're enabling centralized logging
+  - Block S3 Public Access Account Wide - See [here](https://s3.console.aws.amazon.com/s3/settings?region=us-east-1)
 
   ```bash
+  # If multiple environments share an account don't do this, or pick a single env
   aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-1:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-east-1
   aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-2:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-east-2
   aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-west-1:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-west-1
@@ -38,7 +40,7 @@ content: |-
 
   ## Centralized Logging
 
-  This repo is fully configured to allow for centralized logging with S3 and it's controlled via a few variables. To enable centralized logging set the following variables `log_archive_retention`, `aws_org_id`, `s3_destination_bucket_name`, `logging_account_id` to their required values and uncomment this block in `s3-bucket-logging.tf`.
+  This repo is fully configured to allow for centralized logging with S3 and it's controlled via a few variables. To enable centralized logging set the following variables `log_archive_retention`, `aws_org_id`, `s3_destination_bucket_name`, `logging_account_id` to the required values and uncomment this block in `s3-bucket-logging.tf`.
   If the apply file you're doing is for the log archive account these vars should be modified `enable_centralized_logging`, `log_archive_account` in addition to the prior variables with the proper values set.
 
   # SNS Topics
@@ -66,7 +68,7 @@ content: |-
   - This repo is based upon the AWS `~> 4.9.0` provider
   - The following packages are installed via brew: `tflint`, `terrascan`, `terraform-docs`, `gitleaks`, `tfsec`, `pre-commit', 'sops`, `go`
   - This assumes SOPs v3.7.2
-  - Install `bash` through Brew for Bash 5.0, otherwise it will fail with the error that looks like `declare: -g: invalid option`
+  - If you encounter an error like `declare: -g: invalid option` reference [this](https://github.com/antonbabenko/pre-commit-terraform/issues/337) and install Bash 5
   - If you need more tflint plugins, please edit the `.tflint.hcl` file with the instructions from [here](https://github.com/terraform-linters/tflint)
   - It's highly recommend that you follow the Git Pre-Commit Instructions below, these will run in GitHub though they should be ran locally to reduce issues
   - By default Terraform docs will always run so our auto generated docs are always up to date
@@ -102,7 +104,7 @@ content: |-
   Each file is generally self contained except where it can't be. All variables are in `variables.tf`, all data is in `data.tf`, and etc.
 
   ### `billing-alerts.tf`
-  This file contains the SG module for billing alert anomalies
+  This file contains the SG module for billing alert anomalies. If you wish to enable Slack Alerts please edit this file for the Slack SSM Parameters.
 
   ### `config-recorder.tf1
   This file contains the SG module for configuring AWS Config Recorder, this is only enabled if `control_tower_enabled == false`.

.gitignore

@@ -39,4 +39,4 @@ override.tf.json
 
 # IntelliJ
 .idea/workspace.xml
-.idea
+.idea

.prettierignore

@@ -1,3 +1,3 @@
 README.md
 .terraform
-/.config
+/.config

.tflint.hcl

@@ -2,4 +2,4 @@ plugin "aws" {
     enabled = true
     version = "0.13.2"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
-}
+}

LICENSE

@@ -199,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

README.md

@@ -3,7 +3,7 @@
 
 GitHub: [StratusGrid/terraform-account-starter](https://github.com/StratusGrid/terraform-account-starter)
 
-This is to showcase the use of many of the StratusGrid modules working together using terraform version 0.12.
+This is to showcase the use of many of the StratusGrid modules working together using terraform.
 
 It will initiate a fully configured AWS account with config and logging set up in all 4 US regions, with terraform state and cloudtrail in us-east-1
 
@@ -13,8 +13,10 @@ It will initiate a fully configured AWS account with config and logging set up i
 - Delete the default VPCs in all regions you will be using (at least all regions with config rules...)
 - Tag the default RDS DB Security Groups in all regions with your required tags (cli to do so is below)
 - Determine if you're enabling centralized logging
+- Block S3 Public Access Account Wide - See [here](https://s3.console.aws.amazon.com/s3/settings?region=us-east-1)
 
 ```bash
+# If multiple environments share an account don't do this, or pick a single env
 aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-1:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-east-1
 aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-east-2:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-east-2
 aws rds add-tags-to-resource --resource-name "arn:aws:rds:us-west-1:<account_number>:secgrp:default" --tags "[{\"Key\": \"Environment\",\"Value\": \"<env>\"},{\"Key\": \"Customer\",\"Value\": \"Shared\"}]" --region us-west-1
@@ -32,7 +34,7 @@ aws ecs put-account-setting-default --name containerInsights --value enabled --r
 
 ## Centralized Logging
 
-This repo is fully configured to allow for centralized logging with S3 and it's controlled via a few variables. To enable centralized logging set the following variables `log_archive_retention`, `aws_org_id`, `s3_destination_bucket_name`, `logging_account_id` to their required values and uncomment this block in `s3-bucket-logging.tf`.
+This repo is fully configured to allow for centralized logging with S3 and it's controlled via a few variables. To enable centralized logging set the following variables `log_archive_retention`, `aws_org_id`, `s3_destination_bucket_name`, `logging_account_id` to the required values and uncomment this block in `s3-bucket-logging.tf`.
 If the apply file you're doing is for the log archive account these vars should be modified `enable_centralized_logging`, `log_archive_account` in addition to the prior variables with the proper values set.
 
 # SNS Topics
@@ -60,7 +62,7 @@ This repo has several base requirements
 - This repo is based upon the AWS `~> 4.9.0` provider
 - The following packages are installed via brew: `tflint`, `terrascan`, `terraform-docs`, `gitleaks`, `tfsec`, `pre-commit', 'sops`, `go`
 - This assumes SOPs v3.7.2
-- Install `bash` through Brew for Bash 5.0, otherwise it will fail with the error that looks like `declare: -g: invalid option`
+- If you encounter an error like `declare: -g: invalid option` reference [this](https://github.com/antonbabenko/pre-commit-terraform/issues/337) and install Bash 5
 - If you need more tflint plugins, please edit the `.tflint.hcl` file with the instructions from [here](https://github.com/terraform-linters/tflint)
 - It's highly recommend that you follow the Git Pre-Commit Instructions below, these will run in GitHub though they should be ran locally to reduce issues
 - By default Terraform docs will always run so our auto generated docs are always up to date
@@ -96,7 +98,7 @@ The way that this repo is structured is supposed to be an infrastructure starter
 Each file is generally self contained except where it can't be. All variables are in `variables.tf`, all data is in `data.tf`, and etc.
 
 ### `billing-alerts.tf`
-This file contains the SG module for billing alert anomalies
+This file contains the SG module for billing alert anomalies. If you wish to enable Slack Alerts please edit this file for the Slack SSM Parameters.
 
 ### `config-recorder.tf1
 This file contains the SG module for configuring AWS Config Recorder, this is only enabled if `control_tower_enabled == false`.

config-recorder.tf

@@ -41,4 +41,4 @@ module "aws_config_recorder_us_west_2" {
   providers = {
     aws = aws.us-west-2
   }
-}
+}

eventbridge.tf

@@ -37,4 +37,4 @@ resource "aws_cloudwatch_event_target" "aws_backup_to_sns" {
   event_bus_name = "default"
   rule           = aws_cloudwatch_event_rule.required_tags[0].name
   target_id      = "${var.name_prefix}-backup-notifications${local.name_suffix}"
-}
+}

iam-policy-restricted-admin.tf

@@ -38,4 +38,3 @@ resource "aws_iam_policy" "restricted_admin" {
   description = "Policy to grant restricted admin. This admin can't do some functions such as delete the CloudTrail audit trail."
   policy      = data.aws_iam_policy_document.restricted_admin.json
 }
-

iam-policy-restricted-read-only.tf

@@ -46,4 +46,4 @@ resource "aws_iam_policy" "read_only_restrictions" {
   name        = "${var.name_prefix}-read-only-restrictions${local.name_suffix}"
   description = "Policy to restrict read only users from accessing data and secrets."
   policy      = data.aws_iam_policy_document.read_only_restrictions.json
-}
+}

iam-role-restricted-read-only.tf

@@ -10,4 +10,3 @@ module "restricted_read_only" {
   require_mfa    = true
   input_tags     = merge() # This is blank for module compatability, we feed it null tags as our provider level will take over
 }
-

iam-s3-replication.tf

@@ -64,4 +64,4 @@ module "iam_role_s3" {
   tags = {
     "Name" = "${var.name_prefix}-s3-central-replication${local.name_suffix}"
   }
-}
+}

init-tfvars/sgdev.tfvars

@@ -1,4 +1,4 @@
 bucket         = "sgdev-remote-state-backend-dev"
 dynamodb_table = "sgdev-remote-state-backend-dev"
 key            = "sgdev_client_account_starter_demo.tfstate"
-kms_key_id     = "arn:aws:kms:us-east-1:973081273628:key/5fdbd4f9-2686-4e7b-b60c-7f44217cf3ff"
+kms_key_id     = "arn:aws:kms:us-east-1:973081273628:key/5fdbd4f9-2686-4e7b-b60c-7f44217cf3ff"

locals.tf

@@ -2,4 +2,3 @@
 locals {
   name_suffix = coalesce(var.override_name_suffix, "${var.prepend_name_suffix}-${var.env_name}${var.append_name_suffix}")
 }
-

outputs.tf

@@ -71,4 +71,4 @@ output "sops_kms_id" {
 output "ec2_default_instance_arn" {
   description = "The ec2 default instance IAM role that was created ARN"
   value       = module.ec2_default_instance_profile.instance_profile_id
-}
+}

provider.tf

@@ -3,7 +3,7 @@ provider "aws" {
   default_tags {
     tags = merge(
       local.common_tags,
-      { Region_Purpose = "Active" }
+      { Region_Purpose = "Active" } # The purpose of tag is to define the primary region, to more easily allow this template to be replicated to other regions
     )
   }
 }
@@ -14,8 +14,7 @@ provider "aws" {
   region = "us-east-1"
   default_tags {
     tags = merge(
-      local.common_tags,
-      { Region_Purpose = "Active" }
+      local.common_tags
     )
   }
 }
@@ -25,8 +24,7 @@ provider "aws" {
   region = "us-east-2"
   default_tags {
     tags = merge(
-      local.common_tags,
-      { Region_Purpose = "Active" }
+      local.common_tags
     )
   }
 }
@@ -36,8 +34,7 @@ provider "aws" {
   region = "us-west-1"
   default_tags {
     tags = merge(
-      local.common_tags,
-      { Region_Purpose = "Active" }
+      local.common_tags
     )
   }
 }
@@ -47,8 +44,7 @@ provider "aws" {
   region = "us-west-2"
   default_tags {
     tags = merge(
-      local.common_tags,
-      { Region_Purpose = "Active" }
+      local.common_tags
     )
   }
-}
+}

s3-bucket-cloudtrail.tf

@@ -1,9 +1,7 @@
 module "cloudtrail" {
   #ts:skip=AC_AWS_0207 SG_Sub_Module
-  /* source  = "StratusGrid/cloudtrail/aws"
-  version = "~> 3.0" */
-
-  source = "github.com/StratusGrid/terraform-aws-cloudtrail.git?ref=aws4.x"
+  source  = "StratusGrid/cloudtrail/aws"
+  version = "~> 3.0"
 
   name_prefix = var.name_prefix
   name_suffix = local.name_suffix

s3-bucket-logging.tf

@@ -68,4 +68,4 @@ module "s3_bucket_logging_us_west_2" {
   s3_destination_bucket_name = var.s3_destination_bucket_name
   iam_role_s3_replication_arn = module.iam_role_s3[0].iam_role_arn
   logging_account_id = var.logging_account_id */
-}
+}

s3-centralized-logging.tf

@@ -152,4 +152,4 @@ data "aws_iam_policy_document" "central_logging" {
     ]
     sid = "Set permissions on bucket"
   }
-}
+}

service-limits.tf

@@ -20,4 +20,4 @@ module "aws_limits" {
   input_tags = merge() # Module input tags
 
   email = var.service_limit_email
-}
+}

sns-topics.tf

@@ -6,7 +6,7 @@ resource "aws_kms_key" "sns_topics" {
 
 # SNS Topic KMS Key
 resource "aws_kms_alias" "sns_topics" {
-  name          = "alias/${var.name_prefix}-sns_topics-default-key${local.name_suffix}"
+  name          = "alias/${var.name_prefix}-sns-topics-default-key${local.name_suffix}"
   target_key_id = aws_kms_key.sns_topics.key_id
 
   depends_on = [aws_kms_key.sns_topics]
@@ -18,4 +18,4 @@ resource "aws_sns_topic" "infrastructure_alerts" {
   provider = aws.us-east-1
 
   kms_master_key_id = aws_kms_alias.sns_topics.arn
-}
+}

sops.tf

@@ -8,4 +8,4 @@ resource "aws_kms_key" "sops" {
 resource "aws_kms_alias" "sops" {
   name          = "alias/${var.name_prefix}-sops-default-key${local.name_suffix}"
   target_key_id = aws_kms_key.sops.key_id
-}
+}

variables.tf

@@ -109,4 +109,4 @@ variable "s3_destination_bucket_name" {
 variable "logging_account_id" {
   description = "Centralized Logging Account ID, This will only ever be used when enabling centralized logging"
   type        = string
-}
+}

versions.tf

@@ -7,4 +7,4 @@ terraform {
       version = "~> 4.9"
     }
   }
-}
+}