This module creates a conformance pack for CDS based on the CCCS conformance pack found here: https://github.com/awslabs/aws-config-rules/blob/master/aws-config-conformance-packs/Operational-Best-Practices-for-CCCS-Medium.yaml
It uses the same default inputs for terraform as specified in the CCCS conformance pack YAML, but can easily be overridden. Because a cloudformation template can only be 50kb in size when it is created over the wire, we need to create a bucket and upload the conformance pack to it. This module creates a bucket and uploads the conformance pack to it. The name of the bucket is based on the pattern cds-conformance-pack-<random-uuid>.
For example to meet the config rule internet-gateway-authorized-vpc-only you can set the authorized vpcs as follows:
module "conformance_pack" {
source = "github.com/cds-snc/terraform-modules//cds_conformance_pack?ref=v5.1.8"
internet_gateway_authorized_vpc_only_param_authorized_vpc_ids = "vpc-00534274da4ade29d"
billing_tag_value = var.billing_code
}To exclude specific rules from the conformance pack, you can use the excluded_rules variable. For example, to exclude the internet-gateway-authorized-vpc-only rule, you can set the variable as follows:
module "conformance_pack" {
source = "github.com/cds-snc/terraform-modules//cds_conformance_pack?ref=v5.1.8"
excluded_rules = ["InternetGatewayAuthorizedVpcOnly"]
billing_tag_value = var.billing_code
}Note: The rules need to be in the CamelCase format as found in the YAML.
If you would like to append or override the default conformance pack, you can use the custom_conformance_pack_path variable. For example, to append a rule to the conformance pack, you can set the variable as follows:
module "conformance_pack" {
source = "github.com/cds-snc/terraform-modules//cds_conformance_pack?ref=v5.1.8"
custom_conformance_pack_path = "./custom_conformance_pack.yaml"
billing_tag_value = var.billing_code
}The custom conformance pack should be in the same format as the CCCS conformance pack YAML, in that you can use a Parameters, Resources, and Conditions section.
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
| random | n/a |
| Name | Source | Version |
|---|---|---|
| s3 | github.com/cds-snc/terraform-modules//S3 | v9.4.5 |
| Name | Type |
|---|---|
| aws_config_conformance_pack.cds_conformance_pack | resource |
| aws_s3_object.conformace_pack_yaml | resource |
| random_uuid.bucket_suffix | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_keys_rotated_param_max_access_key_age | (Optional) The maximum age in days before an access key must be rotated. | string |
"90" |
no |
| billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag | string |
"CostCentre" |
no |
| billing_tag_value | (Required) The value of the billing tag | string |
n/a | yes |
| cloudwatch_alarm_action_check_param_alarm_action_required | (Optional) Indicates whether an action is required when the alarm changes to the ALARM state. | string |
"true" |
no |
| cloudwatch_alarm_action_check_param_insufficient_data_action_required | (Optional) Indicates whether an action is required when the alarm changes to the INSUFFICIENT_DATA state. | string |
"true" |
no |
| cloudwatch_alarm_action_check_param_ok_action_required | (Optional) Indicates whether an action is required when the alarm changes to the OK state. | string |
"false" |
no |
| conformance_pack_name | (Optional) The name of the conformance pack. | string |
"CDS-Conformance-Pack" |
no |
| custom_conformance_pack_path | (Optional) The path to the custom conformance pack YAML file. | string |
"" |
no |
| elb_predefined_security_policy_ssl_check_param_predefined_policy_name | (Optional) The name of the predefined security policy for the ELB SSL negotiation configuration. | string |
"TLS-1-2-2017-01" |
no |
| excluded_rules | (Optional) The list of rules to exclude from the conformance pack. These need to be in the CamelCase format as found in the YAML. | list(string) |
[] |
no |
| iam_customer_policy_blocked_kms_actions_param_blocked_actions_patterns | (Optional) The patterns of KMS actions to be blocked in the customer-managed IAM policy. | string |
"kms:*, kms:Decrypt, kms:ReEncrypt*" |
no |
| iam_inline_policy_blocked_kms_actions_param_blocked_actions_patterns | (Optional) The patterns of KMS actions to be blocked in the inline IAM policy. | string |
"kms:*, kms:Decrypt, kms:ReEncrypt*" |
no |
| iam_password_policy_param_max_password_age | (Optional) The maximum password age in days for IAM users. | string |
"90" |
no |
| iam_password_policy_param_minimum_password_length | (Optional) The minimum length for IAM user passwords. | string |
"14" |
no |
| iam_password_policy_param_password_reuse_prevention | (Optional) The number of previous passwords that IAM users are prevented from reusing. | string |
"24" |
no |
| iam_password_policy_param_require_lowercase_characters | (Optional) Indicates whether IAM user passwords must contain at least one lowercase letter. | string |
"true" |
no |
| iam_password_policy_param_require_numbers | (Optional) Indicates whether IAM user passwords must contain at least one number. | string |
"true" |
no |
| iam_password_policy_param_require_symbols | (Optional) Indicates whether IAM user passwords must contain at least one symbol. | string |
"true" |
no |
| iam_password_policy_param_require_uppercase_characters | (Optional) Indicates whether IAM user passwords must contain at least one uppercase letter. | string |
"true" |
no |
| iam_user_unused_credentials_check_param_max_credential_usage_age | (Optional) The maximum age in days for IAM user credentials that have not been used. | string |
"90" |
no |
| internet_gateway_authorized_vpc_only_param_authorized_vpc_ids | (Optional) Comma-separated list of authorized VPC IDs that are allowed to use the Internet Gateway | string |
"here add Comma-separated list of the authorized VPC IDs" |
no |
| redshift_cluster_configuration_check_param_cluster_db_encrypted | (Optional) Boolean value indicating whether the Redshift cluster's database is encrypted | string |
"true" |
no |
| redshift_cluster_configuration_check_param_logging_enabled | (Optional) Boolean value indicating whether logging is enabled for the Redshift cluster | string |
"true" |
no |
| redshift_cluster_maintenancesettings_check_param_allow_version_upgrade | (Optional) Boolean value indicating whether version upgrades are allowed for the Redshift cluster | string |
"true" |
no |
| restricted_incoming_traffic_param_blocked_port1 | (Optional) Port number to block for incoming traffic - 20 (FTP data transfer) | string |
"20" |
no |
| restricted_incoming_traffic_param_blocked_port2 | (Optional) Port number to block for incoming traffic - 21 (FTP control) | string |
"21" |
no |
| restricted_incoming_traffic_param_blocked_port3 | (Optional) Port number to block for incoming traffic - 3389 (RDP) | string |
"3389" |
no |
| restricted_incoming_traffic_param_blocked_port4 | (Optional) Port number to block for incoming traffic - 3306 (MySQL) | string |
"3306" |
no |
| restricted_incoming_traffic_param_blocked_port5 | (Optional) Port number to block for incoming traffic - 4333 | string |
"4333" |
no |
| vpc_sg_open_only_to_authorized_ports_param_authorized_tcp_ports | (Optional) Comma-separated list of authorized TCP ports for inbound traffic to the VPC security group | string |
"443" |
no |
No outputs.