diff --git a/README.md b/README.md
index 612cada..b46d6cf 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | alarm\_namespace | Namespace for generated Cloudwatch alarms | `string` | `"CISBenchmark"` | no |
+| alarm\_prefix | Prefix for the alarm name | `string` | `""` | no |
 | alarm\_sns\_topic\_arn | SNS topic ARN for generated alarms | `string` | n/a | yes |
 | aws\_config\_changes | Toggle AWS Config changes alarm | `bool` | `true` | no |
 | cloudtrail\_cfg\_changes | Toggle Cloudtrail config changes alarm | `bool` | `true` | no |
diff --git a/main.tf b/main.tf
index 70b54f8..5dff2c9 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,6 @@
 locals {
   resource_tags = merge(var.tags, { "Automation" = "Terraform" })
+  alarm_prefix = var.alarm_prefix != "" ? "${var.alarm_prefix}-" : ""
 }
 
 resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
@@ -19,7 +20,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
 
 resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
   count = var.unauthorized_api_calls ? 1 : 0
-  alarm_name = "UnauthorizedAPICalls"
+  alarm_name = "${local.alarm_prefix}UnauthorizedAPICalls"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.unauthorized_api_calls[0].id
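Review bot: Changing `alarm_name` on `aws_cloudwatch_metric_alarm.unauthorized_api_calls` forces the alarm to be replaced (the AWS provider treats the name as immutable), so any existing deployment that later sets `alarm_prefix` will have this alarm destroyed and recreated, with its state reset and a window in which the CIS control is not alerting; the same applies to every other `alarm_name` hunk in this commit (no_mfa_console_signin, root_usage, iam_changes, cloudtrail_cfg_changes, console_signin_failures, disable_or_delete_cmk, s3_bucket_policy_changes, aws_config_changes, security_group_changes, nacl_changes, network_gw_changes, route_table_changes, vpc_changes). Because the new and old names differ there is no name collision, so adding `lifecycle { create_before_destroy = true }` to each alarm resource would let the prefixed alarm exist before the unprefixed one is removed; alternatively, document in the README that changing the prefix recreates all alarms. The alarm resource's body continues outside the hunk, so external references to the old names (dashboards, composite alarms, runbooks) should be checked as well.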
@@ -66,7 +67,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin_no_assumed_ro
 
 resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
   count = var.no_mfa_console_login ? 1 : 0
-  alarm_name = "NoMFAConsoleSignin"
+  alarm_name = "${local.alarm_prefix}NoMFAConsoleSignin"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = var.disable_assumed_role_login_alerts ? aws_cloudwatch_log_metric_filter.no_mfa_console_signin_no_assumed_role[0].id : aws_cloudwatch_log_metric_filter.no_mfa_console_signin_assumed_role[0].id
@@ -99,7 +100,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
 
 resource "aws_cloudwatch_metric_alarm" "root_usage" {
   count = var.root_usage ? 1 : 0
-  alarm_name = "RootUsage"
+  alarm_name = "${local.alarm_prefix}RootUsage"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.root_usage[0].id
@@ -132,7 +133,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "iam_changes" {
   count = var.iam_changes ? 1 : 0
-  alarm_name = "IAMChanges"
+  alarm_name = "${local.alarm_prefix}IAMChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.iam_changes[0].id
@@ -165,7 +166,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" {
   count = var.cloudtrail_cfg_changes ? 1 : 0
-  alarm_name = "CloudTrailCfgChanges"
+  alarm_name = "${local.alarm_prefix}CloudTrailCfgChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes[0].id
@@ -198,7 +199,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
 
 resource "aws_cloudwatch_metric_alarm" "console_signin_failures" {
   count = var.console_signin_failures ? 1 : 0
-  alarm_name = "ConsoleSigninFailures"
+  alarm_name = "${local.alarm_prefix}ConsoleSigninFailures"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.console_signin_failures[0].id
@@ -231,7 +232,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
 
 resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" {
   count = var.disable_or_delete_cmk ? 1 : 0
-  alarm_name = "DisableOrDeleteCMK"
+  alarm_name = "${local.alarm_prefix}DisableOrDeleteCMK"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.disable_or_delete_cmk[0].id
@@ -264,7 +265,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" {
   count = var.s3_bucket_policy_changes ? 1 : 0
-  alarm_name = "S3BucketPolicyChanges"
+  alarm_name = "${local.alarm_prefix}S3BucketPolicyChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes[0].id
@@ -297,7 +298,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
   count = var.aws_config_changes ? 1 : 0
-  alarm_name = "AWSConfigChanges"
+  alarm_name = "${local.alarm_prefix}AWSConfigChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.aws_config_changes[0].id
@@ -330,7 +331,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
   count = var.security_group_changes ? 1 : 0
-  alarm_name = "SecurityGroupChanges"
+  alarm_name = "${local.alarm_prefix}SecurityGroupChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.security_group_changes[0].id
@@ -363,7 +364,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
   count = var.nacl_changes ? 1 : 0
-  alarm_name = "NACLChanges"
+  alarm_name = "${local.alarm_prefix}NACLChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.nacl_changes[0].id
@@ -396,7 +397,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
   count = var.network_gw_changes ? 1 : 0
-  alarm_name = "NetworkGWChanges"
+  alarm_name = "${local.alarm_prefix}NetworkGWChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.network_gw_changes[0].id
@@ -429,7 +430,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
   count = var.route_table_changes ? 1 : 0
-  alarm_name = "RouteTableChanges"
+  alarm_name = "${local.alarm_prefix}RouteTableChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.route_table_changes[0].id
@@ -462,7 +463,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
 
 resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
   count = var.vpc_changes ? 1 : 0
-  alarm_name = "VPCChanges"
+  alarm_name = "${local.alarm_prefix}VPCChanges"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods = "1"
   metric_name = aws_cloudwatch_log_metric_filter.vpc_changes[0].id
diff --git a/variables.tf b/variables.tf
index f4f6d96..a938bb4 100644
--- a/variables.tf
+++ b/variables.tf
@@ -6,6 +6,12 @@ variable "alarm_namespace" {
   default = "CISBenchmark"
 }
 
+variable "alarm_prefix" {
+  description = "Prefix for the alarm name"
+  type = string
+  default = ""
+}
+
 variable "alarm_sns_topic_arn" {
   description = "SNS topic ARN for generated alarms"
   type = string
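Review bot: The new `variable "alarm_prefix"` in variables.tf has no `validation` block and its description does not mention that `local.alarm_prefix` in main.tf appends a `-` separator, so a caller passing `"prod-"` gets `prod--RootUsage` and a long prefix is only rejected by the CloudWatch API at apply time rather than at plan time. If the usual 255-character limit on CloudWatch alarm names applies, capping the prefix at 233 characters keeps the longest generated name (`ConsoleSigninFailures` plus the separator) within it; the README row for `alarm\_prefix` should carry the same wording about the separator. The same separator point applies to the `locals` hunk in main.tf.

```terraform
variable "alarm_prefix" {
  description = "Optional prefix for generated alarm names; a '-' separator is appended automatically when non-empty"
  type        = string
  default     = ""

  validation {
    condition     = length(var.alarm_prefix) <= 233
    error_message = "alarm_prefix must be at most 233 characters so the longest generated alarm name stays within the 255-character CloudWatch limit."
  }
}
```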