This is a Terraform deployment for creating the site-to-site VPN tunnel between the COOL and the CDM (Continuous Diagnostics and Mitigation) environment in the COOL Shared Services account. It also creates:
- The resources necessary to stream the COOL Shared Services CloudWatch logs into an S3 bucket where they can be imported into the CDM environment
- An IAM user and role that allows access to the CloudTrail logs in the COOL Shared Services account and the S3 bucket where the CloudWatch logs are stored
This deployment should be applied immediately after cisagov/cool-sharedservices-networking, and before cisagov/cool-sharedservices-freeipa or cisagov/cool-sharedservices-openvpn.
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in remote_states.tf.
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 5.0 |
| null | ~> 3.0 |
| Name | Version |
|---|---|
| aws | ~> 5.0 |
| aws.organizationsreadonly | ~> 5.0 |
| aws.sharedservicesprovisionaccount | ~> 5.0 |
| null | ~> 3.0 |
| terraform | n/a |
| Name | Source | Version |
|---|---|---|
| cdm_cloudtrail | github.com/cisagov/cool-cdm-cloudtrail-tf-module | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The AWS region where the Shared Services account resides (e.g. "us-east-1"). | string |
"us-east-1" |
no |
| cdm_cidr | The CIDR block on the CDM end of the site-to-site VPN tunnel (e.g. "10.201.0.0/16"). | string |
n/a | yes |
| cdm_cloudtrail_assume_role_policy_description | The description to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "The IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data in the AccountName account."). | string |
n/a | yes |
| cdm_cloudtrail_assume_role_policy_name | The name to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "ACCTNAME-AssumeCdmCloudTrail"). | string |
n/a | yes |
| cdm_cloudwatch_bucket_name | The name of the S3 bucket that will receive logs from CloudWatch so that they can later be ingested by CDM (e.g. "cdm-cloudwatch-logs"). | string |
n/a | yes |
| cdm_dns_ips | The DNS server IPs for the CDM environment (e.g. ["100.200.75.25", "100.200.100.50"]). | list(string) |
n/a | yes |
| cdm_domains | The domains for the CDM environment (e.g. ["thulsa.example.com", "doom.example.com", "222.111.10.in-addr.arpa"]). The first domain listed should be the main CDM domain, as it will be used as an additional search domain for DNS lookups. | list(string) |
n/a | yes |
| cdm_tunnel_ip | The IP address of the site-to-site VPN tunnel endpoint on the CDM side (e.g. "100.200.75.25"). | string |
n/a | yes |
| cdm_user_name | The user name of the CDM user who will assume the role to access the CloudTrail data. | string |
n/a | yes |
| cdm_vpn_preshared_key | The pre-shared key to use for setting up the site-to-site VPN connection between the COOL and CDM. This must be a string of 36 characters, which can include alphanumerics, periods, and underscores (e.g. "abcdefghijklmnopqrstuvwxyz01234567._"). | string |
n/a | yes |
| cloudwatch_logs_sns_topic_name | The name of the SNS topic that will receive notifications from the CDM S3 bucket when objects are added to it (e.g. "cdm-cloudwatch-logs"). | string |
"cdm-cloudwatch-logs" |
no |
| cloudwatch_logs_sqs_queue_name | The name of the SQS queue that will receive CloudWatch log events when objects are added to the CDM S3 bucket (e.g. "cdm-cloudwatch-logs"). Note that this name will be appended with "-dead-letter" to create the name of the SQS dead-letter queue that receives events that could not be delivered to the main queue. | string |
"cdm-cloudwatch-logs" |
no |
| cloudwatch_policy_description | The description to associate with the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested. | string |
"Allows read access to the specific CloudWatch log streams in which CDM is interested." |
no |
| cloudwatch_policy_instances | Each string corresponds to the name of an instance, which itself corresponds to a CloudWatch log stream to which CDM is to be allowed read access. (The name of the instance should be as it appears in the CloudWatch log stream; in some cases this is the FQDN and in others it is just the hostname.) The selected CloudWatch log groups in which these streams reside are defined by the variable cloudwatch_policy_log_groups. | list(string) |
[] |
no |
| cloudwatch_policy_log_groups | Each string corresponds to the name of a CloudWatch log group for which CDM is to be allowed read access for selected CloudWatch log streams. The selected CloudWatch log streams inside these log groups to which CDM is to be allowed access are defined by the variable cloudwatch_policy_log_streams. | list(string) |
[] |
no |
| cloudwatch_policy_name | The name to assign the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested. | string |
"CdmCloudWatchReadOnly" |
no |
| cloudwatch_to_firehose_role_description | The description to associate with the IAM policy and role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM. | string |
"The IAM policy/role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM." |
no |
| cloudwatch_to_firehose_role_name | The name to assign the IAM policy and role that allow CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM. | string |
"CdmCloudWatchLogsToFirehose" |
no |
| firehose_delivery_stream_name | The name to assign the Firehose delivery stream that will receive the CloudWatch log events and send them to the CDM S3 bucket. | string |
"cdm-cloudwatch-logs" |
no |
| firehose_to_s3_role_description | The description to associate with the IAM policy and role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM. | string |
"The IAM policy/role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM." |
no |
| firehose_to_s3_role_name | The name to assign the IAM policy and role that allow Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM. | string |
"CdmFirehoseToS3" |
no |
| provisionaccount_role_name | The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account. | string |
"ProvisionAccount" |
no |
| provisioncdm_policy_description | The description to associate with the IAM policy that allows provisioning of the CDM layer in the Shared Services account. | string |
"Allows provisioning of the CDM layer in the Shared Services account." |
no |
| provisioncdm_policy_name | The name to assign the IAM policy that allows provisioning of the CDM layer in the Shared Services account. | string |
"ProvisionCdm" |
no |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| Name | Description |
|---|---|
| cdm_cloudtrail_access_policy | The IAM policy with the necessary permissions to access the CDM CloudTrail data. |
| cdm_cloudtrail_access_role | The IAM role that can be assumed to access the CDM CloudTrail data. |
| cdm_cloudtrail_assume_access_role_policy | The IAM policy that allows the CDM user to assume the IAM role that allows access the CDM CloudTrail data. |
| cdm_cloudtrail_bucket | The S3 bucket where CloudTrail logs are stored for CDM. |
| cdm_cloudtrail_deadletter_queue | The SQS deadletter queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket for which processing has failed. |
| cdm_cloudtrail_queue | The SQS queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket. |
| cdm_cloudtrail_topic | The SNS topic for notifications of CloudTrail logs being written to the CDM S3 bucket. |
| cdm_cloudtrail_trail | The CloudTrail trail for CDM. |
| cdm_cloudwatch_access_policy | The IAM policy with the necessary permissions to access the CDM CloudWatch data. |
| cdm_cloudwatch_logs_bucket | The S3 bucket where CloudWatch logs are stored for CDM. |
| cdm_cloudwatch_logs_sns_topic | The SNS topic that receives notifications from the CDM S3 bucket and is subscribed to by the SQS queue. |
| cdm_cloudwatch_logs_sqs_dead_letter_queue | The SQS dead letter queue that receives events that could not be delivered to the main queue. |
| cdm_cloudwatch_logs_sqs_queue | The SQS queue that receives CloudWatch log events when objects are added to the CDM S3 bucket. |
| cdm_customer_gateway | The gateway for the site-to-site VPN connection to CDM. |
| cdm_security_group | A security group that allows for all necessary communications between the CDM agents and the CDM CIDRs. |
| cdm_tgw_route_table | The custom Transit Gateway route table for the CDM VPN connection. |
| cdm_tgw_route_table_association | The association between the CDM VPN connection and its custom Transit Gateway route table. |
| cdm_vpc_dhcp_options | The Shared Services VPC DHCP options. These are identical to the DHCP options created in cisagov/cool-sharedservices-networking, except that we add the main CDM domain (var.cdm_domains[0]) to the DNS search path. |
| cdm_vpc_dhcp_options_association | The association between the Shared Services VPC and the CDM-enhanced DHCP options. |
| cdm_vpn_connection | The site-to-site VPN connection to CDM. |
| dns_from_cdm_security_group | The security group that allows DNS requests from the CDM environment. |
| dns_to_cdm_security_group | The security group that allows DNS requests to the CDM environment. |
| route53_resolver_endpoint_from_cdm | The Route53 resolver that allows the CDM environment to resolve DNS queries in our environment. |
| route53_resolver_endpoint_to_cdm | The Route53 resolver that allows us to resolve DNS queries in the CDM environment. |
| route53_resolver_rules_to_cdm | The Route53 resolver rules that allow us to resolve DNS queries in the CDM environment. |
| route53_resolver_rules_to_cdm_ram_shares | The RAM shares for the Route53 resolver rules that allow us to resolve DNS queries in the CDM environment. |
Running pre-commit requires running terraform init in every
directory that contains Terraform code. In this repository, this is
only the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.