diff --git a/baselines/CHANGELOG.md b/baselines/CHANGELOG.md
deleted file mode 100644
index 13a36bde8..000000000
--- a/baselines/CHANGELOG.md
+++ /dev/null
@@ -1,49 +0,0 @@
-# CHANGELOG FOR BASELINES
-
-## v0.2.0 (November 25, 2019)
-
-### FEATURES:
-
-- New Baseline: azure_sub_import
-- New Baseline: aws_permission
-- New Baseline: gcp_permission
-
-### ENHANCEMENTS:
-
-- Supports Terraform version 12.
-- Supports Turbot provider version 1.0.0-beta.8 and above
-- Supports Turbot smart folders
-- Updated mod list
-- Updated terraform syntax and style conventions
-- Updated README files
-
-### TECHNICAL
-
-- New implemented file structure.
-- Inclusion of .tfvars files consisting values for each baseline defaults
-
-### BREAKING CHANGES
-
-- resource/turbot_policy_setting - rename policy_type to type
-- resource/turbot_policy_value - rename policy_type to type
-- renamed credentials environment variables TURBOT_ACCESS_KEY and TURBOT_SECRET_KEY
-- resource/turbot_policy_setting - change default precedence to REQUIRED
-
-
-## v0.1.0 (October 30, 2019)
-
-Baselines v0.1.0 work on and follow the syntax of Terraform version 11.
-
-Supports Turbot provider version 1.0.0-beta.5 or below.
-
-### FEATURES:
-
-- New Baseline: s3_baseline
-- New Baseline: mod_install
-- New Baseline: aws_setup
-- New Baseline: aws_account_import
-- New Baseline: aws_services
-- New Baseline: azure_setup
-- New Baseline: azure_provider_registration
-- New Baseline: gcp_setup
-- New Baseline: gcp_services
\ No newline at end of file
diff --git a/baselines/README.md b/baselines/README.md
index 64ffdfd52..759cdb1e2 100644
--- a/baselines/README.md
+++ b/baselines/README.md
@@ -4,120 +4,63 @@ Turbot Guardrails Baselines provide best-practice configurations and examples fo ## Current Baselines -| Baseline | Path | Description | -| --------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- | -| Local Directory | [local_directory](./turbot/local_directory) | Create local directory and users in your workspace | -| AWS Setup | [aws_setup](./aws/aws_setup) | Common quickstart setup for AWS - prepare your environment to import an AWS account | -| AWS Account Import | [aws_account_import](./aws/aws_account_import) | Import an AWS Account into Guardrails | -| AWS Services | [aws_services](./aws/aws_services) | Enable/Disable AWS Services in Guardrails | -| GCP Setup | [gcp_setup](./gcp/gcp_setup) | Common quickstart setup for GCP - prepare your environment to import GCP Projects | -| GCP Services | [gcp_services](./gcp/gcp_services) | Enable/Disable GCP Services in Guardrails & also enforce api enabled policy based on service Enable/Disable | -| Azure Subscription Import | [azure_sub_import](./azure/azure_sub_import) | Import an Azure subscription into Guardrails | -| Azure Subscription Readonly | [azure_sub_import_ro](./azure/azure_sub_create_then_import_ro) | Import an Azure subscription into Guardrails with event handler and readonly mode | -| Azure Services | [azure_services](./azure/azure_services) | Enable/Disable Azure Services in Guardrails | -| Azure Provider Registration | [azure_provider_registration](./azure/azure_provider_registration) | Set the policy for Azure provider registration | - -## Prerequisites - -To run Turbot Guardrails baselines, you must install: +| Baseline | Path | Description | +|-----------------------|--------------------------------------------------------|----------------------------------------------------------------------------------| +| AWS Mods | 
[aws_mods](./aws/aws_mods) | A common list of AWS mods to install | +| AWS Service Enabled | [aws_service_enabled](./aws/aws_service_enabled) | Enable or disable AWS services in Guardrails | +| Azure Mods | [azure_mods](./azure/azure_mods) | A common list of Azure mods to install | +| Azure Service Enabled | [azure_service_enabled](./azure/azure_service_enabled) | Enable or disable Azure services in Guardrails; register or deregister Azure providers | +| GCP Mods | [gcp_mods](./gcp/gcp_mods) | A common list of Google Cloud Platform (GCP) mods to install | +| GCP Service Enabled | [gcp_service_enabled](./gcp/gcp_service_enabled) | Enable or disable GCP services in Guardrails; enable or disable GCP Service APIs | +| Folder Hierarchy | [folder_hierarchy](./guardrails/folder_hierarchy) | Create a folder hierarchy in your workspace | +| Guardrails Mods | [guardrails_mods](./guardrails/guardrails_mods) | A common list of Guardrails mods to install | +| Local Directory | [local_directory](./guardrails/local_directory) | Create a local directory and users in your workspace | +| Turbot Directory | [turbot_directory](./guardrails/turbot_profiles) | Create Turbot directory and profiles in your workspace | +| Workspace Settings | [workspace_settings](./guardrails/workspace_settings) | Apply a common set of policies for better management of your workspace | + +## Getting Started + +### Requirements - [Terraform](https://developer.hashicorp.com/terraform/install) -- [Turbot Guardrails Terraform Provider](https://turbot.com/guardrails/docs/reference/terraform) -Additionally, You must set your `config.tf` or environment variables to connect to your Turbot Guardrails workspace, as detail in the Turbot Guardrails Terraform Provider [Installation Instructions](https://turbot.com/guardrails/docs/reference/terraform/setup) +### Credentials -## Running a Baseline +To create a policy pack through Terraform: -To run a baseline: +- Ensure you have `Turbot/Owner` permissions in Guardrails 
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails -1. Install and configure the [prerequisites](#prerequisites) -1. At the command line, go to the directory for the baseline, for example: `cd mod_install` -1. Run `terraform init` to initialize terraform in the directory -1. Edit any variables in the .tf file that you wish to change, or override with [environment variables](https://www.terraform.io/docs/commands/environment-variables.html) or [variable files](https://www.terraform.io/docs/configuration/variables.html#variable-definitions-tfvars-files) -1. Run `terraform plan -var-file=".tfvars"` and inspect the changes -1. Run `terraform apply -var-file=".tfvars"` to apply the configuration +And then set your credentials: -## Contributing +```sh +export TURBOT_WORKSPACE=myworkspace.acme.com +export TURBOT_ACCESS_KEY=acce6ac5-access-key-here +export TURBOT_SECRET_KEY=a8af61ec-secret-key-here +``` -### Structure +Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods. -Baselines are implemented as independently deployable terraform configurations in a sub-directory of this repository. +## Usage -Commonly changed parameters are implemented using variables. All variables have default values, but they may not be the settings that you want, you may change them as required. +### Install Baseline -The baseline mods contain an individual `README.md` file and follows a specified file structure containing the parameters and configurations. 
Each baseline mod contains: +Clone: -- `Variables.tf` containing the variable definitions +```sh +git clone https://github.com/turbot/guardrails-samples.git +cd guardrails-samples/baselines/guardrails/local_directory +``` -- `main.tf` containing the terraform resources that creates the objects +Run the Terraform to create the policy pack in your workspace: -- `outputs.tf` containing the return values defined. The file should be optionally created when there is an output block included in the configuration +```sh +terraform init +terraform plan +``` -- `default.tfvars` containing the defaults for the variables +Then apply the changes: +```sh +terraform apply ``` -Baseline -. -├── README.md -├── main.tf -├── variables.tf -├── outputs.tf -└── default.tfvar -``` - -### Style Guide - -Our baselines adopts styling conventions provided by [Terraform](https://www.terraform.io/docs/configuration/style.html) like: - -- Align the equal to signs for arguments appearing on consecutive lines with values. -- Variables should use snake case: `this_is_an_example` -- Use empty lines to separate logical groups of arguments within a block. - -To maintain consistency between files and modules, we recommend adopting the below added styling conventions: - -- For each baseline, include the variable definitions in the variables.tf file, the resources in main.tf file, and the output in outputs.tf file. -- For `turbot_policy_setting` and `turbot_policy_value` resources , include the policy type hierarchy in a comment before the resource. 
For example: - - ```terraform - # AWS > Account > Turbot IAM Role > External ID - resource "turbot_policy_setting" "turbotIamRoleExternalId" { - resource = turbot_resource.account_resource.id - type = "tmod:@turbot/aws#/policy/types/turbotIamRoleExternalId" - value = var.turbot_external_id - } - ``` - -- Use a single hash for comments that refer only to a single resource, immediately before the resource, for example: - - ```terraform - # 1.4 Ensure access keys are rotated every 90 days or less (Scored) - # AWS > IAM > Access Key > Active > Age - # Setting value to "Force inactive if age > 90" days to meet remediation - resource "turbot_policy_setting" "AWS_IAM_AccessKey_Active_Age" { - resource = var.target_resource - type = "tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge" - value = "Force inactive if age > 90 days" - } - ``` - -- Use 4 hashes for comments that describe a group of resources, or general behavior: - - ```terraform - #### Set the credentials (Role, external id) for the account via Guardrails policies - ``` - -- All variables should have a description, and as a result should not require individual comments -- Most variables should have a reasonable default -- Where baselines apply policies, they generally should use a variable for the target resource - - - it should be called target_resource - - it should default to "tmod:@turbot/turbot#/" - - it should have a comment that states that it may be changes or overridden - - ```terraform - variable "target_resource" { - type = "string" - description = "Enter the target resource id or aka" - default = "tmod:@turbot/turbot#/" # You may change/override this value to the id of target folder or resource - } - ``` diff --git a/baselines/aws/aws_account_import/README.md b/baselines/aws/aws_account_import/README.md deleted file mode 100644 index e5743e3c4..000000000 --- a/baselines/aws/aws_account_import/README.md +++ /dev/null 
@@ -1,28 +0,0 @@
-# AWS Account Import Baseline
-
-The AWS account import baseline terraform configuration lets you import an AWS Account into turbot with the necessary roles and permissions.
-
- - It is recommended that you import accounts into Turbot Folders, as it provides greater flexibility and ease of management.
- - Give the role a purposeful name such as `turbot-readonly` (read only) or `turbot-superuser` (for full access).
- - By default, Turbot is installed with administrator access to enable full functionality. However, You may change this if required.
-
-
-## Prerequisites
-
-To run the account import baseline, you must have:
-
- - [Terraform](https://www.terraform.io) Version 12
- - [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
- - Terraform [AWS Provider](https://www.terraform.io/docs/providers/aws/index.html)
- - [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account
- - CloudTrail set up in every region of your account.
-
-
-## Running the Baseline
-
-To run the aws account import baseline:
-
- - Go to the aws account import baseline directory in the repository with `cd aws_account_import`
- - Update `default.tfvars` with appropriate values
- - Run `terraform plan -var-file=default.tfvars` and review the plan for import
- - Run `terraform apply -var-file=default.tfvars` to import the account
diff --git a/baselines/aws/aws_account_import/default.tfvars b/baselines/aws/aws_account_import/default.tfvars
deleted file mode 100644
index 8935f479a..000000000
--- a/baselines/aws/aws_account_import/default.tfvars
+++ /dev/null
@@ -1,14 +0,0 @@
-# Variable definitions are defined in variables.tf
-aws_account_id = "<12 digit aws account id to be imported>"
-
-parent_resource = "<15 digit tubot folder id under which the aws account to be imported>"
-
-turbot_account_id = "<12 digit master account id>"
-
-turbot_external_id = "<8 digit sts:ExternalId>"
-
-aws_region = ""
-
-aws_profile = ""
-
-role_name = "turbot_service_role"
diff --git a/baselines/aws/aws_account_import/main.tf b/baselines/aws/aws_account_import/main.tf
deleted file mode 100644
index e5bf5f380..000000000
--- a/baselines/aws/aws_account_import/main.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-#### Configures the provider to use a specific profile, otherwise the provider will use the default profile
-provider "aws" {
- profile = var.aws_profile
- region = var.aws_region
-}
-
-#### Create the AWS IAM role for Turbot
-resource "aws_iam_role" "turbot_service_role" {
- name = var.role_name
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Action" : "sts:AssumeRole",
- "Principal" : {
- "AWS" : "arn:aws:iam::${var.turbot_account_id}:root"
- },
- "Effect" : "Allow",
- "Sid" : "",
- "Condition" : {
- "StringEquals" : {
- "sts:ExternalId" : "${var.turbot_external_id}"
- }
- }
- }
- ]
- })
-}
-
-#### Attach the AdministratorAccess policy to the Turbot Role
-resource "aws_iam_role_policy_attachment" "role_admin_policy" {
- role = aws_iam_role.turbot_service_role.name
- policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
- count = var.read_only_access ? 0 : 1
-}
-
-#### Attach the ReadOnlyAccess policy to the Turbot Role
-resource "aws_iam_role_policy_attachment" "role_readonly_policy" {
- role = aws_iam_role.turbot_service_role.name
- policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
- count = var.read_only_access ? 1 : 0
-}
-
-#### Attach the CloudWatchFullAccess policy to the Turbot Role
-resource "aws_iam_role_policy_attachment" "role_cloudwatch_admin_policy" {
- role = aws_iam_role.turbot_service_role.name
- policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
- count = var.read_only_access ? 1 : 0
-}
-
-#### Attach the CloudWatchEventsFullAccess policy to the Turbot Role
-resource "aws_iam_role_policy_attachment" "role_events_admin_policy" {
- role = aws_iam_role.turbot_service_role.name
- policy_arn = "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess"
- count = var.read_only_access ? 1 : 0
-}
-
-#### Attach the AmazonSNSFullAccess policy to the Turbot Role
-resource "aws_iam_role_policy_attachment" "role_sns_admin_policy" {
- role = aws_iam_role.turbot_service_role.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonSNSFullAccess"
- count = var.read_only_access ? 1 : 0
-}
-
-#### Create the AWS > Account resource in Turbot
-resource "turbot_resource" "account_resource" {
- parent = var.parent_resource
- type = "tmod:@turbot/aws#/resource/types/account"
- metadata = jsonencode({
- "aws" : {
- "accountId" : "${var.aws_account_id}",
- "partition" : "aws"
- }
- })
- data = jsonencode({
- "Id" : "${var.aws_account_id}"
- })
-}
-
-#### Set the credentials (Role, exteranl id) for the account via Turbot policies
-
-# AWS > Account > Turbot IAM Role > External ID
-resource "turbot_policy_setting" "turbotIamRoleExternalId" {
- resource = turbot_resource.account_resource.id
- type = "tmod:@turbot/aws#/policy/types/turbotIamRoleExternalId"
- value = var.turbot_external_id
-}
-
-# AWS > Account > Turbot IAM Role
-resource "turbot_policy_setting" "turbotIamRole" {
- resource = turbot_resource.account_resource.id
- type = "tmod:@turbot/aws#/policy/types/turbotIamRole"
- value = aws_iam_role.turbot_service_role.arn
-}
diff --git a/baselines/aws/aws_account_import/turbot_service_readonly.cf.yaml b/baselines/aws/aws_account_import/turbot_service_readonly.cf.yaml
deleted file mode 100644
index 0ffd8dd76..000000000
--- a/baselines/aws/aws_account_import/turbot_service_readonly.cf.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -AWSTemplateFormatVersion: "2010-09-09" - -Parameters: - RoleName: - Type: String - Default: turbot_service_readonly - Description: The role that Turbot uses to connect to this account - - TurbotAccountId: - Type: String - Default: 287590803701 - Description: | - The AWS Account ID where Turbot is installed. - This will be added to the trust policy of the role to allow access for Turbot - TurbotExternalId: - Type: String - NoEcho: True - MinLength: 1 - Description: | - The AWS External ID to add to the trust policy of the Turbot role - -Resources: - - TurbotReadOnlyRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - - Effect: Allow - Principal: - AWS: !Sub arn:aws:iam::${TurbotAccountId}:root - Action: - - sts:AssumeRole - Condition: - StringEquals: - sts:ExternalId: !Ref TurbotExternalId - Path: /turbot/core/ - ManagedPolicyArns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - - "arn:aws:iam::aws:policy/CloudWatchFullAccess" - - "arn:aws:iam::aws:policy/AmazonSNSFullAccess" - - "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess" - - RoleName: !Ref RoleName - -Outputs: - - RoleARN: - Description: Turbot Role ARN for Import - Value: !GetAtt TurbotReadOnlyRole.Arn diff --git a/baselines/aws/aws_account_import/turbot_service_superuser.cf.yaml b/baselines/aws/aws_account_import/turbot_service_superuser.cf.yaml deleted file mode 100644 index e7eaee38b..000000000 --- a/baselines/aws/aws_account_import/turbot_service_superuser.cf.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -AWSTemplateFormatVersion: "2010-09-09" - -Parameters: - RoleName: - Type: String - Default: turbot_service_superuser - Description: The role that Turbot uses to connect to this account - - TurbotAccountId: - Type: String - Default: 287590803701 - Description: | - The AWS Account ID where Turbot is installed. - This will be added to the trust policy of the role to allow access for Turbot - TurbotExternalId: - Type: String - NoEcho: True - MinLength: 1 - Description: | - The AWS External ID to add to the trust policy of the Turbot role - -Resources: - - TurbotSuperuserRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - - Effect: Allow - Principal: - AWS: !Sub arn:aws:iam::${TurbotAccountId}:root - Action: - - sts:AssumeRole - Condition: - StringEquals: - sts:ExternalId: !Ref TurbotExternalId - Path: /turbot/core/ - ManagedPolicyArns: - - "arn:aws:iam::aws:policy/AdministratorAccess" - RoleName: !Ref RoleName - -Outputs: - - RoleARN: - Description: Turbot Role ARN for Import - Value: !GetAtt TurbotSuperuserRole.Arn diff --git a/baselines/aws/aws_account_import/variables.tf b/baselines/aws/aws_account_import/variables.tf deleted file mode 100644 index 42afd5024..000000000 --- a/baselines/aws/aws_account_import/variables.tf +++ /dev/null 
@@ -1,40 +0,0 @@
-variable "aws_account_id" {
- description = "Enter the Account ID that you wish to import. Note that you must set your AWS credentials for this account either in your environment variables or default profile."
- type = string
-}
-
-variable "parent_resource" {
- description = "Enter the Turbot Resource ID for the folder into which to import the AWS account, or `tmod:@turbot/turbot#/` to import at the Turbot root."
- type = string
- default = "tmod:@turbot/turbot#/"
-}
-
-variable "role_name" {
- description = "Enter the name of the AWS role that will be created. Turbot will use this role to connect to your AWS account."
- type = string
-}
-
-variable "turbot_account_id" {
- description = "Enter the AWS account id from which Turbot will connect - This will be added to the trust policy for the Turbot role. Leave the default of'525041748188' for turbot-dev.com, or enter the account ID where you have installed Turbot if you are running Turbot Enterprise."
- type = string
-}
-
-variable "turbot_external_id" {
- description = "Enter the External ID to be used in the AWS Trust Policy for the Turbot role."
- type = string
-}
-
-variable "aws_region" {
- description = "The region where AWS operations will take place."
- type = string
-}
-
-variable "aws_profile" {
- description = "The AWS profile which will when running the script. Leaving this value blank will use the default profile."
- type = string
-}
-
-# By default, Turbot is installed with administrator access to enable full functionlity. If you wish to install Turbot in readonly mode (plus limited admin access to set up event routing) change this value to `true`
-variable "read_only_access" {
- default = false
-}
diff --git a/baselines/aws/aws_disable_cmdb/README.md b/baselines/aws/aws_disable_cmdb/README.md
deleted file mode 100644
index 927b2ac2f..000000000
--- a/baselines/aws/aws_disable_cmdb/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# AWS Disable CMDB Baseline
-
-Turbot AWS Disable CMDB baseline provides a Terraform configuration to enable or disable resource discovery and CMDB updates for AWS services in Turbot.
-
-## Prerequisites
-
-To run the AWS Disable CMDB baseline, you must have:
-
- - [Terraform](https://www.terraform.io) Version 13
- - [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
- - [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account
-
-## Running the Baseline
-
-To execute the AWS Disable CMDB baseline, run terraform and specify the AWS services you wish to enable or disable.
-
-To run the AWS Disable CMDB baseline:
-
- - Uncomment the Resource Type and related policy mappings in `terraform.tfvars` for the services you would like to disable resource discovery/CMDB updates for
- - Run `terraform plan` to review the changes to be applied
- - Run `terraform apply` to apply the changes
-
-* When prompted for a `var.turbot_profile` value, use the name of your profile specified in your Turbot credentials file.
\ No newline at end of file
diff --git a/baselines/aws/aws_disable_cmdb/aws_cmdb.tf b/baselines/aws/aws_disable_cmdb/aws_cmdb.tf
deleted file mode 100644
index 19122acbc..000000000
--- a/baselines/aws/aws_disable_cmdb/aws_cmdb.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-#Loop through var.service_status and set disable policies
-resource "turbot_policy_setting" "set_resource_cmdb_policies" {
- for_each = var.resource_cmdb
- resource = turbot_smart_folder.aws_cmdb.id
- type = var.policy_map[each.key]
- value = each.value
-}
diff --git a/baselines/aws/aws_disable_cmdb/main.tf b/baselines/aws/aws_disable_cmdb/main.tf
deleted file mode 100644
index 0be93d0d6..000000000
--- a/baselines/aws/aws_disable_cmdb/main.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-# Disable AWS resources from being discovered in the CMDB.
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
-
-
-## Create Smart Folder at the Turbot level
-
-resource "turbot_smart_folder" "aws_cmdb" {
- parent = "tmod:@turbot/turbot#/"
- title = "SF - AWS Disable CMDB Policies"
-}
-
-
-## Vars to Map resources to enable or disable CMDB
-variable "resource_cmdb" {
- description = "Map of the list of resources that need to be set for CMDB. please update in terraform.tfvars:"
- type = map
-}
-
-variable "policy_map" {
- description = "This is a map of Turbot policy types to service names. You probably should not modify this:"
- type = map
-}
\ No newline at end of file
diff --git a/baselines/aws/aws_disable_cmdb/versions.tf b/baselines/aws/aws_disable_cmdb/versions.tf
deleted file mode 100644
index 24d2520c8..000000000
--- a/baselines/aws/aws_disable_cmdb/versions.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/baselines/aws/aws_mods/README.md b/baselines/aws/aws_mods/README.md
new file mode 100644
index 000000000..055d25c67
--- /dev/null
+++ b/baselines/aws/aws_mods/README.md
@@ -0,0 +1,94 @@
+# AWS Mods Installation
+
+Turbot provides numerous AWS mods, covering a wide range of AWS resources with thousands of policies and controls. By default, mods are installed with the top Turbot resource as the parent, meaning administrators must have Turbot/Owner permissions at the Turbot resource level to install, uninstall, or update mods in the environment.
+
+## Documentation
+
+- **[Review Mods Documentation →](https://turbot.com/guardrails/docs/mods)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To install AWS mods using Terraform:
+
+- Ensure you have `Turbot/Owner` permissions in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `aws_mods` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the mods in one of two ways, depending on your needs:
+
+#### 1. Using an Input Variable File
+
+By default, the `default.tfvars` file is configured to install all the mods necessary for CIS (Center for Internet Security) compliance. You can further customize this file to include additional mods as needed. To apply the mods using this specific input variable file, run the following command:
+
+```sh
+terraform apply --var-file=default.tfvars -parallelism=1
+```
+
+#### 2. Without an Input Variable File
+
+If you choose not to use an input variable file, the command will install **all** available AWS mods. To proceed with this option, run:
+
+```sh
+terraform apply -parallelism=1
+```
+
+### Destroy
+
+You can destroy the mods in one of two ways:
+
+#### 1. Using an Input Variable File
+
+Run the following command to destroy the mods using a specific input variable file:
+
+```sh
+terraform destroy --var-file=default.tfvars -parallelism=1
+```
+
+#### 2. Without an Input Variable File
+
+Run the following command to destroy the mods without using an input variable file:
+
+```sh
+terraform destroy -parallelism=1
+```
+
+## Commenting Strategy
+
+All Turbot policies used in the installation include links to the official Turbot Mods documentation.
+
+These links provide further details about:
+
+- The purpose of the policy
+- Policy URI name
+- Parent information
+- Category information
+- Target information
+- All valid values
diff --git a/baselines/aws/aws_mods/default.tfvars b/baselines/aws/aws_mods/default.tfvars
new file mode 100644
index 000000000..6e3a93255
--- /dev/null
+++ b/baselines/aws/aws_mods/default.tfvars
@@ -0,0 +1,175 @@
+mod_list = [
+ "aws",
+ # "aws-acm",
+ # "aws-amplify",
+ # "aws-apigateway",
+ # "aws-appconfig",
+ # "aws-appfabric",
+ # "aws-appflow",
+ # "aws-appmesh",
+ # "aws-appstream",
+ # "aws-appsync",
+ # "aws-artifact",
+ # "aws-athena",
+ # "aws-auditmanager",
+ # "aws-backup",
+ # "aws-batch",
+ # "aws-bedrock",
+ # "aws-billing",
+ # "aws-braket",
+ # "aws-chatbot",
+ # "aws-chime",
+ # "aws-cisv1",
+ # "aws-cisv1-4",
+ # "aws-cisv2-0",
+ "aws-cisv3-0",
+ # "aws-cleanrooms",
+ # "aws-cloud9",
+ # "aws-clouddirectory",
+ # "aws-cloudformation",
+ # "aws-cloudfront",
+ # "aws-cloudhsm",
+ # "aws-cloudmap",
+ # "aws-cloudsearch",
+ # "aws-cloudshell",
+ "aws-cloudtrail",
+ "aws-cloudwatch",
+ # "aws-codebuild",
+ # "aws-codecommit",
+ # "aws-codedeploy",
+ # "aws-codepipeline",
+ # "aws-codestar",
+ # "aws-codewhisperer",
+ # "aws-cognito",
+ # "aws-comprehend",
+ # "aws-computeoptimizer",
+ "aws-config",
+ # "aws-connect",
+ # "aws-datapipeline",
+ # "aws-datasync",
+ # "aws-dax",
+ # "aws-devicefarm",
+ # "aws-directconnect",
+ # "aws-directoryservice",
+ # "aws-dms",
+ # "aws-docdb",
+ # "aws-dynamodb",
+ "aws-ec2",
+ # "aws-ec2imagebuilder",
+ # "aws-ecr",
+ # "aws-ecs",
+ "aws-efs",
+ # "aws-eks",
+ # "aws-elasticache",
+ # "aws-elasticbeanstalk",
+ # "aws-elasticinference",
+ # "aws-elasticsearch",
+ # "aws-elastictranscoder",
+ # "aws-emr",
+ # "aws-eventbridgepipes",
+ # "aws-eventbridgescheduler",
+ "aws-events",
+ # "aws-fms",
+ # "aws-fsx",
+ # "aws-gamelift",
+ # "aws-glacier",
+ # "aws-globalaccelerator",
+ # "aws-glue",
+ # "aws-gluedatabrew",
+ # "aws-greengrass",
+ # "aws-guardduty",
+ # "aws-health",
+ # "aws-hipaa",
+ "aws-iam",
+ # "aws-inspector",
+ # "aws-iot",
+ # "aws-iot1click",
+ # "aws-iotanalytics",
+ # "aws-iotevents",
+ # "aws-iotsitewise",
+ # "aws-iotthingsgraph",
+ # "aws-kendra",
+ # "aws-kinesis",
+ "aws-kms",
+ # "aws-lakeformation",
+ "aws-lambda",
+ # "aws-lex",
+ # "aws-lightsail",
+ # "aws-location",
+ "aws-logs",
+ # "aws-machinelearning",
+ # "aws-macie",
+ # "aws-mediaconnect",
+ # "aws-mediaconvert",
+ # "aws-medialive",
+ # "aws-mediapackage",
+ # "aws-mediastore",
+ # "aws-mediatailor",
+ # "aws-mq",
+ # "aws-msk",
+ # "aws-mwaa",
+ # "aws-neptune",
+ # "aws-nist-800-53",
+ # "aws-omics",
+ # "aws-opensearch",
+ # "aws-organizations",
+ # "aws-os",
+ # "aws-outposts",
+ # "aws-pciv3-2-1",
+ # "aws-pinpoint",
+ # "aws-polly",
+ # "aws-qldb",
+ # "aws-quicksight",
+ # "aws-ram",
+ "aws-rds",
+ # "aws-redshift",
+ # "aws-redshiftserverless",
+ # "aws-rekognition",
+ # "aws-resourcegroups",
+ # "aws-robomaker",
+ # "aws-route53",
+ # "aws-route53domains",
+ # "aws-route53recoverycontrolconfig",
+ # "aws-route53recoveryreadiness",
+ # "aws-route53resolver",
+ "aws-s3",
+ # "aws-s3multiregionaccesspoint",
+ # "aws-sagemaker",
+ # "aws-savingsplans",
+ # "aws-scheduler",
+ # "aws-secretsmanager",
+ "aws-securityhub",
+ # "aws-serverlessapplicationrepository",
+ # "aws-servermigration",
+ # "aws-servicecatalog",
+ # "aws-servicequotas",
+ # "aws-ses",
+ # "aws-shield",
+ # "aws-signer",
+ # "aws-simpledb",
+ # "aws-snowball",
+ "aws-sns",
+ # "aws-sqs",
+ # "aws-ssm",
+ # "aws-stepfunctions",
+ # "aws-storagegateway",
+ # "aws-swf",
+ # "aws-tagging",
+ # "aws-textract",
+ # "aws-transcribe",
+ # "aws-transfer",
+ # "aws-translate",
+ # "aws-trustedadvisor",
+ "aws-vpc-connect",
+ "aws-vpc-core",
+ "aws-vpc-internet",
+ "aws-vpc-security",
+ # "aws-vpclattice",
+ # "aws-waf",
+ # "aws-wafregional",
+ # "aws-wellarchitected",
+ # "aws-wellarchitected-framework",
+ # "aws-workdocs",
+ # "aws-workspaces",
+ # "aws-xray"
+]
diff --git a/baselines/aws/aws_mods/mod_install.tf b/baselines/aws/aws_mods/mod_install.tf
new file mode 100644
index 000000000..4b545069a
--- /dev/null
+++ b/baselines/aws/aws_mods/mod_install.tf
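Review bot: The `mod_list` selection carries no comment saying why these particular entries are enabled while the rest are commented out, so a reader of this file alone cannot tell what the default set represents. The companion README in this commit states that `default.tfvars` installs the mods necessary for CIS compliance, and `aws-cisv3-0` is the only benchmark mod left uncommented, so a header line before `mod_list = [` such as `# Default selection: mods required for CIS compliance (see README); uncomment further entries to install additional mods.` would make the file self-describing. It would also help to note in that comment that each entry appears to do nothing more than flip the matching `count = contains(var.mod_list, ...)` in mod_install.tf, since that coupling is invisible from this file.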
@@ -0,0 +1,1874 @@
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws
+resource "turbot_mod" "aws" {
+ parent = "tmod:@turbot/turbot#/"
+ org = "turbot"
+ mod = "aws"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-acm
+resource "turbot_mod" "aws-acm" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-acm"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-acm") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-amplify
+resource "turbot_mod" "aws-amplify" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-amplify"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-amplify") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-apigateway
+resource "turbot_mod" "aws-apigateway" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-apigateway"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-apigateway") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appconfig
+resource "turbot_mod" "aws-appconfig" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-appconfig"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-appconfig") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appfabric
+resource "turbot_mod" "aws-appfabric" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-appfabric"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-appfabric") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appflow +resource "turbot_mod" "aws-appflow" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-appflow" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-appflow") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appmesh +resource "turbot_mod" "aws-appmesh" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-appmesh" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-appmesh") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appstream +resource "turbot_mod" "aws-appstream" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-appstream" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-appstream") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-appsync +resource "turbot_mod" "aws-appsync" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-appsync" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-appsync") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-artifact +resource "turbot_mod" "aws-artifact" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-artifact" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-artifact") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-athena +resource "turbot_mod" "aws-athena" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-athena" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-athena") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-auditmanager +resource "turbot_mod" "aws-auditmanager" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-auditmanager" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-auditmanager") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-backup +resource "turbot_mod" "aws-backup" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-backup" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-backup") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-batch +resource "turbot_mod" "aws-batch" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-batch" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-batch") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-bedrock +resource "turbot_mod" "aws-bedrock" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-bedrock" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-bedrock") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-billing +resource "turbot_mod" "aws-billing" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-billing" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-billing") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-braket +resource "turbot_mod" "aws-braket" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-braket" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-braket") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-chatbot +resource "turbot_mod" "aws-chatbot" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-chatbot" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-chatbot") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-chime +resource "turbot_mod" "aws-chime" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-chime" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-chime") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cisv1 +resource "turbot_mod" "aws-cisv1" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.aws, + turbot_mod.aws-cloudtrail, + turbot_mod.aws-cloudwatch, + turbot_mod.aws-config, + turbot_mod.aws-ec2, + turbot_mod.aws-iam, + turbot_mod.aws-kms, + turbot_mod.aws-logs, + turbot_mod.aws-sns, + turbot_mod.aws-vpc-core, + turbot_mod.aws-vpc-security + ] + org = "turbot" + mod = "aws-cisv1" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cisv1") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cisv1-4 +resource "turbot_mod" "aws-cisv1-4" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.aws, + turbot_mod.aws-cloudtrail, + turbot_mod.aws-cloudwatch, + turbot_mod.aws-config, + turbot_mod.aws-ec2, + turbot_mod.aws-iam, + turbot_mod.aws-kms, + turbot_mod.aws-logs, + turbot_mod.aws-rds, + turbot_mod.aws-s3, + turbot_mod.aws-sns, + turbot_mod.aws-vpc-core, + turbot_mod.aws-vpc-security + ] + org = "turbot" + mod = "aws-cisv1-4" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cisv1-4") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cisv2-0 +resource "turbot_mod" "aws-cisv2-0" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.aws, + turbot_mod.aws-cloudtrail, + turbot_mod.aws-cloudwatch, + turbot_mod.aws-config, + turbot_mod.aws-ec2, + turbot_mod.aws-efs, + turbot_mod.aws-iam, + turbot_mod.aws-kms, + turbot_mod.aws-logs, + turbot_mod.aws-rds, + turbot_mod.aws-s3, + turbot_mod.aws-securityhub, + turbot_mod.aws-sns, + turbot_mod.aws-vpc-core, + turbot_mod.aws-vpc-security + ] + org = "turbot" + mod = "aws-cisv2-0" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cisv2-0") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cisv3-0 +resource "turbot_mod" "aws-cisv3-0" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.aws, + turbot_mod.aws-cloudtrail, + turbot_mod.aws-cloudwatch, + turbot_mod.aws-config, + turbot_mod.aws-ec2, + turbot_mod.aws-efs, + turbot_mod.aws-iam, + turbot_mod.aws-kms, + turbot_mod.aws-logs, + turbot_mod.aws-rds, + turbot_mod.aws-s3, + turbot_mod.aws-securityhub, + turbot_mod.aws-sns, + turbot_mod.aws-vpc-core, + turbot_mod.aws-vpc-security + ] + org = "turbot" + mod = "aws-cisv3-0" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cisv3-0") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cleanrooms +resource "turbot_mod" "aws-cleanrooms" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cleanrooms" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cleanrooms") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloud9 +resource "turbot_mod" "aws-cloud9" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloud9" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloud9") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-clouddirectory +resource "turbot_mod" "aws-clouddirectory" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-clouddirectory" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-clouddirectory") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudformation +resource "turbot_mod" "aws-cloudformation" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudformation" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudformation") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudfront +resource "turbot_mod" "aws-cloudfront" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudfront" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudfront") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudhsm +resource "turbot_mod" "aws-cloudhsm" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudhsm" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudhsm") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudmap +resource "turbot_mod" "aws-cloudmap" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudmap" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudmap") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudsearch +resource "turbot_mod" "aws-cloudsearch" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] + org = "turbot" + mod = "aws-cloudsearch" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudsearch") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudshell +resource "turbot_mod" "aws-cloudshell" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudshell" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudshell") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudtrail +resource "turbot_mod" "aws-cloudtrail" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudtrail" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudtrail") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cloudwatch +resource "turbot_mod" "aws-cloudwatch" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cloudwatch" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cloudwatch") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codebuild +resource "turbot_mod" "aws-codebuild" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codebuild" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codebuild") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codecommit +resource "turbot_mod" "aws-codecommit" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codecommit" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codecommit") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codedeploy +resource "turbot_mod" "aws-codedeploy" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codedeploy" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codedeploy") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codepipeline +resource "turbot_mod" "aws-codepipeline" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codepipeline" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codepipeline") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codestar +resource "turbot_mod" "aws-codestar" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codestar" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codestar") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-codewhisperer +resource "turbot_mod" "aws-codewhisperer" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-codewhisperer" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-codewhisperer") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-cognito +resource "turbot_mod" "aws-cognito" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-cognito" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-cognito") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-comprehend +resource "turbot_mod" "aws-comprehend" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-comprehend" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-comprehend") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-computeoptimizer +resource "turbot_mod" "aws-computeoptimizer" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-computeoptimizer" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-computeoptimizer") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-config +resource "turbot_mod" "aws-config" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-config" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-config") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-connect +resource "turbot_mod" "aws-connect" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-connect" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-connect") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-datapipeline +resource "turbot_mod" "aws-datapipeline" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-datapipeline" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-datapipeline") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-datasync +resource "turbot_mod" "aws-datasync" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-datasync" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-datasync") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-dax +resource "turbot_mod" "aws-dax" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-dax" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-dax") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-devicefarm +resource "turbot_mod" "aws-devicefarm" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-devicefarm" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-devicefarm") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-directconnect +resource "turbot_mod" "aws-directconnect" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-directconnect" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-directconnect") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-directoryservice +resource "turbot_mod" "aws-directoryservice" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-directoryservice" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-directoryservice") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-dms +resource "turbot_mod" "aws-dms" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-kms] + org = "turbot" + mod = "aws-dms" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-dms") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-docdb +resource "turbot_mod" "aws-docdb" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-rds] + org = "turbot" + mod = "aws-docdb" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-docdb") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-dynamodb +resource "turbot_mod" "aws-dynamodb" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-dynamodb" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-dynamodb") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ec2 +resource "turbot_mod" "aws-ec2" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-kms] + org = "turbot" + mod = "aws-ec2" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-ec2") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ec2imagebuilder +resource "turbot_mod" "aws-ec2imagebuilder" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-ec2imagebuilder" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-ec2imagebuilder") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ecr +resource "turbot_mod" "aws-ecr" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-ecr" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-ecr") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ecs +resource "turbot_mod" "aws-ecs" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-ecs" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-ecs") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-efs +resource "turbot_mod" "aws-efs" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-efs" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-efs") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-eks +resource "turbot_mod" "aws-eks" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-eks" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-eks") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-elasticache +resource "turbot_mod" "aws-elasticache" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-elasticache" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-elasticache") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-elasticbeanstalk +resource "turbot_mod" "aws-elasticbeanstalk" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-elasticbeanstalk" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-elasticbeanstalk") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-elasticinference +resource "turbot_mod" "aws-elasticinference" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-elasticinference" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-elasticinference") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-elasticsearch +resource "turbot_mod" "aws-elasticsearch" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-elasticsearch" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-elasticsearch") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-elastictranscoder +resource "turbot_mod" "aws-elastictranscoder" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-elastictranscoder" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-elastictranscoder") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-emr +resource "turbot_mod" "aws-emr" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-emr" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-emr") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-eventbridgepipes +resource "turbot_mod" "aws-eventbridgepipes" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-eventbridgepipes" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-eventbridgepipes") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-eventbridgescheduler +resource "turbot_mod" "aws-eventbridgescheduler" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-eventbridgescheduler" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-eventbridgescheduler") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-events +resource "turbot_mod" "aws-events" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-events" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-events") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-fms +resource "turbot_mod" "aws-fms" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-fms" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-fms") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-fsx +resource "turbot_mod" "aws-fsx" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-fsx" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-fsx") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-gamelift +resource "turbot_mod" "aws-gamelift" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-gamelift" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-gamelift") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-glacier +resource "turbot_mod" "aws-glacier" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-glacier" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-glacier") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-globalaccelerator +resource "turbot_mod" "aws-globalaccelerator" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-globalaccelerator" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-globalaccelerator") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-glue +resource "turbot_mod" "aws-glue" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-glue" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-glue") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-gluedatabrew +resource "turbot_mod" "aws-gluedatabrew" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-gluedatabrew" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-gluedatabrew") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-greengrass +resource "turbot_mod" "aws-greengrass" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-greengrass" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-greengrass") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-guardduty +resource "turbot_mod" "aws-guardduty" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-guardduty" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-guardduty") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-health +resource "turbot_mod" "aws-health" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-health" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-health") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-hipaa +resource "turbot_mod" "aws-hipaa" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, + turbot_mod.aws-acm, + turbot_mod.aws-apigateway, + turbot_mod.aws-backup, + turbot_mod.aws-cloudfront, + turbot_mod.aws-cloudtrail, + turbot_mod.aws-cloudwatch, + turbot_mod.aws-codebuild, + turbot_mod.aws-dax, + turbot_mod.aws-dms, + turbot_mod.aws-dynamodb, + turbot_mod.aws-ec2, + turbot_mod.aws-efs, + turbot_mod.aws-eks, + turbot_mod.aws-elasticache, + turbot_mod.aws-elasticsearch, + turbot_mod.aws-emr, + turbot_mod.aws-fsx, + turbot_mod.aws-guardduty, + turbot_mod.aws-iam, + turbot_mod.aws-kms, + turbot_mod.aws-lambda, + turbot_mod.aws-logs, + turbot_mod.aws-rds, + turbot_mod.aws-redshift, + turbot_mod.aws-s3, + turbot_mod.aws-sagemaker, + turbot_mod.aws-secretsmanager, + turbot_mod.aws-sns, + turbot_mod.aws-ssm, + turbot_mod.aws-vpc-connect, + turbot_mod.aws-vpc-core, + turbot_mod.aws-vpc-internet, + turbot_mod.aws-vpc-security, + turbot_mod.aws-waf + ] + org = "turbot" + mod = "aws-hipaa" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-hipaa") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iam +resource "turbot_mod" "aws-iam" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws] + org = "turbot" + mod = "aws-iam" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iam") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-inspector +resource "turbot_mod" "aws-inspector" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-inspector" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-inspector") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iot +resource "turbot_mod" "aws-iot" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iot" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iot") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iot1click +resource "turbot_mod" "aws-iot1click" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iot1click" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iot1click") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iotanalytics +resource "turbot_mod" "aws-iotanalytics" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iotanalytics" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iotanalytics") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iotevents +resource "turbot_mod" "aws-iotevents" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iotevents" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iotevents") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iotsitewise +resource "turbot_mod" "aws-iotsitewise" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iotsitewise" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iotsitewise") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-iotthingsgraph +resource "turbot_mod" "aws-iotthingsgraph" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-iotthingsgraph" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-iotthingsgraph") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-kendra +resource "turbot_mod" "aws-kendra" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-kendra" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-kendra") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-kinesis +resource "turbot_mod" "aws-kinesis" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-kinesis" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-kinesis") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-kms +resource "turbot_mod" "aws-kms" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-kms" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-kms") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-lakeformation +resource "turbot_mod" "aws-lakeformation" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-lakeformation" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-lakeformation") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-lambda +resource "turbot_mod" "aws-lambda" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-lambda" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-lambda") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-lex +resource "turbot_mod" "aws-lex" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-lex" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-lex") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-lightsail +resource "turbot_mod" "aws-lightsail" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-lightsail" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-lightsail") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-location +resource "turbot_mod" "aws-location" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-location" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-location") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-logs +resource "turbot_mod" "aws-logs" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-logs" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-logs") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-machinelearning +resource "turbot_mod" "aws-machinelearning" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-machinelearning" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-machinelearning") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/aws/mods/aws-macie +resource "turbot_mod" "aws-macie" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.aws, turbot_mod.aws-iam] + org = "turbot" + mod = "aws-macie" + version = ">=5.0.0" + count = contains(var.mod_list, "aws-macie") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mediaconnect
+resource "turbot_mod" "aws-mediaconnect" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mediaconnect"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mediaconnect") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mediaconvert
+resource "turbot_mod" "aws-mediaconvert" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mediaconvert"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mediaconvert") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-medialive
+resource "turbot_mod" "aws-medialive" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-medialive"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-medialive") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mediapackage
+resource "turbot_mod" "aws-mediapackage" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mediapackage"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mediapackage") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mediastore
+resource "turbot_mod" "aws-mediastore" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mediastore"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mediastore") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mediatailor
+resource "turbot_mod" "aws-mediatailor" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mediatailor"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mediatailor") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mq
+resource "turbot_mod" "aws-mq" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mq"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mq") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-msk
+resource "turbot_mod" "aws-msk" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-msk"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-msk") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-mwaa
+resource "turbot_mod" "aws-mwaa" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-mwaa"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-mwaa") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-neptune
+resource "turbot_mod" "aws-neptune" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-rds]
+ org = "turbot"
+ mod = "aws-neptune"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-neptune") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-nist-800-53
+resource "turbot_mod" "aws-nist-800-53" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws,
+ turbot_mod.aws-acm,
+ turbot_mod.aws-apigateway,
+ turbot_mod.aws-cloudtrail,
+ turbot_mod.aws-cloudwatch,
+ turbot_mod.aws-codebuild,
+ turbot_mod.aws-dms,
+ turbot_mod.aws-dynamodb,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-ecs,
+ turbot_mod.aws-efs,
+ turbot_mod.aws-elasticache,
+ turbot_mod.aws-elasticsearch,
+ turbot_mod.aws-emr,
+ turbot_mod.aws-guardduty,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms,
+ turbot_mod.aws-lambda,
+ turbot_mod.aws-logs,
+ turbot_mod.aws-rds,
+ turbot_mod.aws-redshift,
+ turbot_mod.aws-s3,
+ turbot_mod.aws-sagemaker,
+ turbot_mod.aws-secretsmanager,
+ turbot_mod.aws-securityhub,
+ turbot_mod.aws-sns,
+ turbot_mod.aws-ssm,
+ turbot_mod.aws-vpc-connect,
+ turbot_mod.aws-vpc-core,
+ turbot_mod.aws-vpc-internet,
+ turbot_mod.aws-vpc-security,
+ turbot_mod.aws-waf
+ ]
+ org = "turbot"
+ mod = "aws-nist-800-53"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-nist-800-53") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-omics
+resource "turbot_mod" "aws-omics" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-omics"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-omics") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-opensearch
+resource "turbot_mod" "aws-opensearch" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-opensearch"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-opensearch") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-organizations
+resource "turbot_mod" "aws-organizations" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-organizations"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-organizations") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-outposts
+resource "turbot_mod" "aws-outposts" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-outposts"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-outposts") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-pciv3-2-1
+resource "turbot_mod" "aws-pciv3-2-1" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws,
+ turbot_mod.aws-cloudtrail,
+ turbot_mod.aws-codebuild,
+ turbot_mod.aws-dms,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-elasticsearch,
+ turbot_mod.aws-guardduty,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms,
+ turbot_mod.aws-lambda,
+ turbot_mod.aws-rds,
+ turbot_mod.aws-redshift,
+ turbot_mod.aws-s3,
+ turbot_mod.aws-sagemaker,
+ turbot_mod.aws-ssm,
+ turbot_mod.aws-vpc-core,
+ turbot_mod.aws-vpc-internet,
+ turbot_mod.aws-vpc-security
+ ]
+ org = "turbot"
+ mod = "aws-pciv3-2-1"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-pciv3-2-1") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-polly
+resource "turbot_mod" "aws-polly" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-polly"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-polly") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-qldb
+resource "turbot_mod" "aws-qldb" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-qldb"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-qldb") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-quicksight
+resource "turbot_mod" "aws-quicksight" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-quicksight"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-quicksight") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ram
+resource "turbot_mod" "aws-ram" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-ram"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-ram") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-rds
+resource "turbot_mod" "aws-rds" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-rds"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-rds") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-redshift
+resource "turbot_mod" "aws-redshift" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-redshift"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-redshift") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-redshiftserverless
+resource "turbot_mod" "aws-redshiftserverless" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-redshiftserverless"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-redshiftserverless") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-rekognition
+resource "turbot_mod" "aws-rekognition" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-rekognition"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-rekognition") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-resourcegroups
+resource "turbot_mod" "aws-resourcegroups" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-resourcegroups"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-resourcegroups") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-robomaker
+resource "turbot_mod" "aws-robomaker" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-robomaker"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-robomaker") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-route53
+resource "turbot_mod" "aws-route53" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-route53"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-route53") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-route53domains
+resource "turbot_mod" "aws-route53domains" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-route53domains"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-route53domains") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-route53recoverycontrolconfig
+resource "turbot_mod" "aws-route53recoverycontrolconfig" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-route53recoverycontrolconfig"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-route53recoverycontrolconfig") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-route53recoveryreadiness
+resource "turbot_mod" "aws-route53recoveryreadiness" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-route53recoveryreadiness"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-route53recoveryreadiness") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-route53resolver
+resource "turbot_mod" "aws-route53resolver" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-route53resolver"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-route53resolver") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-s3
+resource "turbot_mod" "aws-s3" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-kms]
+ org = "turbot"
+ mod = "aws-s3"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-s3") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-s3multiregionaccesspoint
+resource "turbot_mod" "aws-s3multiregionaccesspoint" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-s3]
+ org = "turbot"
+ mod = "aws-s3multiregionaccesspoint"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-s3multiregionaccesspoint") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-sagemaker
+resource "turbot_mod" "aws-sagemaker" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-sagemaker"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-sagemaker") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-savingsplans
+resource "turbot_mod" "aws-savingsplans" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-savingsplans"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-savingsplans") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-scheduler
+resource "turbot_mod" "aws-scheduler" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-scheduler"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-scheduler") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-secretsmanager
+resource "turbot_mod" "aws-secretsmanager" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-secretsmanager"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-secretsmanager") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-securityhub
+resource "turbot_mod" "aws-securityhub" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-securityhub"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-securityhub") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-serverlessapplicationrepository
+resource "turbot_mod" "aws-serverlessapplicationrepository" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-serverlessapplicationrepository"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-serverlessapplicationrepository") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-servermigration
+resource "turbot_mod" "aws-servermigration" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-servermigration"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-servermigration") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-servicecatalog
+resource "turbot_mod" "aws-servicecatalog" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-servicecatalog"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-servicecatalog") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-servicequotas
+resource "turbot_mod" "aws-servicequotas" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-servicequotas"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-servicequotas") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ses
+resource "turbot_mod" "aws-ses" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-ses"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-ses") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-shield
+resource "turbot_mod" "aws-shield" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-shield"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-shield") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-signer
+resource "turbot_mod" "aws-signer" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-signer"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-signer") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-simpledb
+resource "turbot_mod" "aws-simpledb" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-simpledb"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-simpledb") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-snowball
+resource "turbot_mod" "aws-snowball" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-snowball"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-snowball") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-sns
+resource "turbot_mod" "aws-sns" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-sns"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-sns") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-sqs
+resource "turbot_mod" "aws-sqs" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-sqs"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-sqs") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-ssm
+resource "turbot_mod" "aws-ssm" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-ssm"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-ssm") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-stepfunctions
+resource "turbot_mod" "aws-stepfunctions" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-stepfunctions"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-stepfunctions") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-storagegateway
+resource "turbot_mod" "aws-storagegateway" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-storagegateway"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-storagegateway") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-swf
+resource "turbot_mod" "aws-swf" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-swf"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-swf") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-tagging
+resource "turbot_mod" "aws-tagging" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-tagging"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-tagging") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-textract
+resource "turbot_mod" "aws-textract" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-textract"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-textract") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-transcribe
+resource "turbot_mod" "aws-transcribe" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-transcribe"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-transcribe") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-transfer
+resource "turbot_mod" "aws-transfer" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-transfer"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-transfer") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-translate
+resource "turbot_mod" "aws-translate" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-translate"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-translate") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-trustedadvisor
+resource "turbot_mod" "aws-trustedadvisor" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-trustedadvisor"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-trustedadvisor") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-vpc-connect
+resource "turbot_mod" "aws-vpc-connect" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [
+ turbot_mod.aws,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms,
+ turbot_mod.aws-vpc-core
+ ]
+ org = "turbot"
+ mod = "aws-vpc-connect"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-vpc-connect") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-vpc-core
+resource "turbot_mod" "aws-vpc-core" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [
+ turbot_mod.aws,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms
+ ]
+ org = "turbot"
+ mod = "aws-vpc-core"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-vpc-core") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-vpc-internet
+resource "turbot_mod" "aws-vpc-internet" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [
+ turbot_mod.aws,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms,
+ turbot_mod.aws-vpc-core
+ ]
+ org = "turbot"
+ mod = "aws-vpc-internet"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-vpc-internet") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-vpc-security
+resource "turbot_mod" "aws-vpc-security" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [
+ turbot_mod.aws,
+ turbot_mod.aws-ec2,
+ turbot_mod.aws-iam,
+ turbot_mod.aws-kms,
+ turbot_mod.aws-vpc-core
+ ]
+ org = "turbot"
+ mod = "aws-vpc-security"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-vpc-security") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-vpclattice
+resource "turbot_mod" "aws-vpclattice" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-vpclattice"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-vpclattice") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-waf
+resource "turbot_mod" "aws-waf" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-waf"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-waf") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-wafregional
+resource "turbot_mod" "aws-wafregional" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-wafregional"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-wafregional") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-wellarchitected
+resource "turbot_mod" "aws-wellarchitected" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-wellarchitected"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-wellarchitected") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-wellarchitected-framework
+resource "turbot_mod" "aws-wellarchitected-framework" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-wellarchitected]
+ org = "turbot"
+ mod = "aws-wellarchitected-framework"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-wellarchitected-framework") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-workdocs
+resource "turbot_mod" "aws-workdocs" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-workdocs"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-workdocs") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-workspaces
+resource "turbot_mod" "aws-workspaces" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-workspaces"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-workspaces") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/aws/mods/aws-xray
+resource "turbot_mod" "aws-xray" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.aws, turbot_mod.aws-iam]
+ org = "turbot"
+ mod = "aws-xray"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "aws-xray") ? 1 : 0
+}
diff --git a/baselines/aws/aws_mods/providers.tf b/baselines/aws/aws_mods/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/aws/aws_mods/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/aws/aws_mods/variables.tf b/baselines/aws/aws_mods/variables.tf
new file mode 100644
index 000000000..309a71665
--- /dev/null
+++ b/baselines/aws/aws_mods/variables.tf
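Review bot: The provider constraint `version = ">= 1.11.0"` in `required_providers` has no upper bound, so a fresh `terraform init` that is not pinned by a committed `.terraform.lock.hcl` resolves to whatever the newest `turbot/turbot` release is, including a future major version with breaking changes or a release that was published by mistake or compromised. For a baseline that is meant to be copied into many workspaces, a pessimistic constraint such as `version = "~> 1.11"` keeps installs on the 1.x line, and the lock file should be committed next to it; I cannot tell from this diff whether one is. The same unbounded pattern (`version = ">=5.0.0"`) is repeated on every `turbot_mod` resource in main.tf, where it additionally means any later apply can silently pull a new mod release into the workspace. The empty `provider "turbot" {}` block is fine as long as credentials stay in the environment as the README describes; it should not be "fixed" by adding `access_key`/`secret_key` attributes, which would end up in state and version control.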
@@ -0,0 +1,4 @@
+variable "mod_list" {
+ type = list(string)
+ description = "The list of AWS Mods to install."
+}
diff --git a/baselines/aws/aws_permission/README.md b/baselines/aws/aws_permission/README.md
deleted file mode 100644
index 8cc013ce4..000000000
--- a/baselines/aws/aws_permission/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# AWS Permission Baseline
-
-AWS Permission baseline provides a [terraform](https://www.terraform.io) configuration to assign AWS level permissions to a Turbot user.
-
-> Make sure you have a [local directory user](https://turbot-dev.com/v5/docs/api/terraform/resources/turbot_local_directory_user) available.
-
-## Prerequisites
-
-To run the AWS Permission baseline, you must have:
-
- - [Terraform](https://www.terraform.io) Version 12
- - [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
- - [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account
-
-## Running the Baseline
-
-To execute the AWS Permission baseline:
-
- - Go to the AWS permissions directory with `cd aws_permission`
- - Update `default.tfvars` with appropriate values
- - Run `terraform plan -var-file=default.tfvars` to review the plan for aws permissions
- - Run `terraform apply -var-file=default.tfvars` to apply the changes
\ No newline at end of file
diff --git a/baselines/aws/aws_permission/default.tfvars b/baselines/aws/aws_permission/default.tfvars
deleted file mode 100644
index f79a362d0..000000000
--- a/baselines/aws/aws_permission/default.tfvars
+++ /dev/null
@@ -1,7 +0,0 @@
-local_directory_name = ""
-
-user_details = {
- "" = "<(1)firstname lastname>"
- "" = "<(2)firstname lastname>"
-}
-grant_scope_id = "tmod:@turbot/turbot#/"
\ No newline at end of file
diff --git a/baselines/aws/aws_permission/main.tf b/baselines/aws/aws_permission/main.tf
deleted file mode 100644
index 79100a8ea..000000000
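Review bot: `mod_list` accepts any string, and because every resource in main.tf gates on `count = contains(var.mod_list, "<mod>") ? 1 : 0`, a misspelt entry installs nothing and reports nothing — for a compliance pack such as `aws-nist-800-53` or `aws-pciv3-2-1` that means an operator can believe the controls are installed when they are not. A `validation` block that rejects entries not shaped like a Guardrails AWS mod name turns the typo into a plan-time error; an explicit `contains([...known names...], m)` check would be stricter still if the maintainers are willing to keep that list in step with main.tf. A `default = []` would also make the "install nothing" path an explicit choice rather than a prompt.

```hcl
variable "mod_list" {
  type        = list(string)
  description = "The list of AWS Mods to install."
  validation {
    condition     = alltrue([for m in var.mod_list : can(regex("^aws(-[a-z0-9]+)*$", m))])
    error_message = "Each mod_list entry must be a Guardrails AWS mod name such as \"aws-iam\" or \"aws-nist-800-53\"."
  }
}
```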
--- a/baselines/aws/aws_permission/main.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-resource "turbot_local_directory" "test_dir" {
- parent = var.grant_scope_id
- title = var.local_directory_name
- description = "Enter the name for the local directory to be created:"
- profile_id_template = "{{profile.email}}"
-}
-
-resource "turbot_local_directory_user" "test_user" {
- count = length(var.user_details)
- title = var.user_details[keys(var.user_details)[count.index]]
- email = keys(var.user_details)[count.index]
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
-}
-
-resource "turbot_profile" "test_user_profile" {
- count = length(var.user_details)
- title = turbot_local_directory_user.test_user[count.index].title
- email = keys(var.user_details)[count.index]
- status = "Active"
- given_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[0]
- family_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[1]
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
- profile_id = keys(var.user_details)[count.index]
-}
-
-resource "turbot_grant" "test" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- type = "tmod:@turbot/aws#/permission/types/aws"
- level = "tmod:@turbot/turbot-iam#/permission/levels/superuser"
- identity = turbot_profile.test_user_profile[count.index].id
-}
-
-resource "turbot_grant_activation" "activate_admin_grant" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- grant = turbot_grant.test[count.index].id
-}
diff --git a/baselines/aws/aws_permission/variables.tf b/baselines/aws/aws_permission/variables.tf
deleted file mode 100644
index ff7a45d8d..000000000
--- a/baselines/aws/aws_permission/variables.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-variable "local_directory_name" {
- description = "Enter the name for the local directory to be created:"
- type = string
-}
-
-variable "user_details" {
- description = "Enter the user details (``=``):"
- type = map(string)
-}
-
-# It is the turbot id of turbot folder or resource.
-# The Admin and Owner grants will be activated at this level
-variable "grant_scope_id" {
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/aws/aws_service_enabled/README.md b/baselines/aws/aws_service_enabled/README.md
new file mode 100644
index 000000000..701d9e475
--- /dev/null
+++ b/baselines/aws/aws_service_enabled/README.md
@@ -0,0 +1,90 @@
+# AWS Service Enabled Policies
+
+The AWS Baseline Policies provide a minimal set of example policies and services to get started with AWS in Turbot Guardrails. These policies focus on enabling essential services and APIs.
+
+## Documentation
+
+- **[Review Policies Documentation →](https://hub.guardrails.turbot.com/mods/aws/policies)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+- [Guardrails AWS mods](../aws_mods/)
+
+### Credentials
+
+To create AWS Service Enabled Baseline policy pack through Terraform:
+
+- Ensure you have `Turbot/Admin` permissions (or higher) in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+And then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `aws_service_enabled` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the Enabled policies in one of two ways, depending on your needs:
+
+#### 1. Using an Input Variable File
+
+By default, the `default.tfvars` file is configured to install all the Enabled policies for the mods necessary for CIS (Center for Internet Security) compliance. You can further customize this file to include additional services as needed provided the mods are installed prior. To apply the Enabled policies using this specific input variable file, run the following command:
+
+```sh
+terraform apply --var-file=default.tfvars
+```
+
+#### 2. 
Without an Input Variable File
+
+If you choose not to use an input variable file, the command will install **all** available Enabled policies. Please ensure, you have installed the necessary mods for this. To proceed with this option, run:
+
+```sh
+terraform apply
+```
+
+### Destroy
+
+You can destroy the mods in one of two ways:
+
+#### 1. Using an Input Variable File
+
+Run the following command to destroy the mods using a specific input variable file:
+
+```sh
+terraform destroy --var-file=default.tfvars
+```
+
+#### 2. Without an Input Variable File
+
+Run the following command to destroy the mods without using an input variable file:
+
+```sh
+terraform destroy
+```
+
+### Apply Policy Pack
+
+By default, this Policy Pack is attached to the Base Folder created as part of [Folder Hierarchy](../../guardrails/folder_hierarchy/). If you wish to attach to a different resource, then log into your Guardrails workspace and [attach the policy pack to a resource](https://turbot.com/guardrails/docs/guides/policy-packs#attach-a-policy-pack-to-a-resource).
+
+If this policy pack is attached to a Guardrails folder, its policies will be applied to all accounts and resources in that folder. The policy pack can also be attached to multiple resources.
+
+For more information, please see [Policy Packs](https://turbot.com/guardrails/docs/concepts/policy-packs).
diff --git a/baselines/getting_started/aws/aws_baseline/demo.tfvars b/baselines/aws/aws_service_enabled/default.tfvars
similarity index 61%
rename from baselines/getting_started/aws/aws_baseline/demo.tfvars
rename to baselines/aws/aws_service_enabled/default.tfvars
index a04e567ae..e46892740 100644
--- a/baselines/getting_started/aws/aws_baseline/demo.tfvars
+++ b/baselines/aws/aws_service_enabled/default.tfvars
@@ -1,141 +1,158 @@ -# List of services to set as Enabled -# Note: there is no aws-neptune enabled policy -# Note: smaller subset to start with, enable more overtime -# See file, aws_service_enable.tf -enabled_policy_map = { - # aws-acm = "acmEnabled" - # aws-amplify = "amplifyEnabled" - # aws-apigateway = "apiGatewayEnabled" - # aws-appflow = "appFlowEnabled" - # aws-appmesh = "appMeshEnabled" - # aws-appstream = "appStreamEnabled" - # aws-appsync = "appSyncEnabled" - # aws-artifact = "artifactEnabled" - # aws-athena = "athenaEnabled" - # aws-backup = "backupEnabled" - # aws-batch = "batchEnabled" - # aws-chime = "chimeEnabled" - # aws-cloud9 = "cloud9Enabled" - # aws-cloudformation = "cloudFormationEnabled" - # aws-cloudfront = "cloudFrontEnabled" - # aws-cloudhsm = "cloudHsmEnabled" - # aws-cloudsearch = "cloudSearchEnabled" - aws-cloudtrail = "cloudTrailEnabled" - aws-cloudwatch = "cloudWatchEnabled" - # aws-codebuild = "codeBuildEnabled" - # aws-codecommit = "codeCommitEnabled" - # aws-codedeploy = "codeDeployEnabled" - # aws-codepipeline = "codePipelineEnabled" - # aws-codestar = "codeStarEnabled" - # aws-comprehend = "comprehendEnabled" - aws-config = "configEnabled" - # aws-datapipeline = "dataPipelineEnabled" - # aws-dax = "daxEnabled" - # aws-directoryservice = "directoryServiceEnabled" - # aws-dms = "dmsEnabled" - # aws-docdb = "docDbEnabled" - # aws-dynamodb = "dynamodbEnabled" - aws-ec2 = "ec2Enabled" - # aws-ecr = "ecrEnabled" - # aws-ecs = "ecsEnabled" - # aws-efs = "efsEnabled" - # aws-eks = "eksEnabled" - # aws-elasticache = "elastiCacheEnabled" - # aws-elasticbeanstalk = "elasticBeanstalkEnabled" - # aws-elasticsearch = "esEnabled" - # aws-elastictranscoder = "elasticTranscoderEnabled" - # aws-emr = "emrEnabled" - aws-events = "eventsEnabled" - # aws-fsx = "fsxEnabled" - # aws-gamelift = "gameLiftEnabled" - # aws-glacier = "glacierEnabled" - # aws-glue = "glueEnabled" - # aws-greengrass = "greengrassEnabled" - # aws-guardduty = "guardDutyEnabled" 
- # aws-health = "healthEnabled" - aws-iam = "iamEnabled" - # aws-inspector = "inspectorEnabled" - # aws-iot = "iotEnabled" - # aws-iot1click = "iot1ClickEnabled" - # aws-iotanalytics = "iotAnalyticsEnabled" - # aws-iotevents = "iotEventsEnabled" - # aws-iotsitewise = "iotSiteWiseEnabled" - # aws-iotthingsgraph = "iotThingsGraphEnabled" - # aws-kinesis = "kinesisEnabled" - aws-kms = "kmsEnabled" - aws-lambda = "lambdaEnabled" - # aws-lex = "lexEnabled" - # aws-lightsail = "lightsailEnabled" - aws-logs = "logsEnabled" - # aws-machinelearning = "machineLearningEnabled" - # aws-macie = "macieEnabled" - # aws-mediaconnect = "mediaConnectEnabled" - # aws-mediaconvert = "mediaConvertEnabled" - # aws-medialive = "mediaLiveEnabled" - # aws-mediapackage = "mediaPackageEnabled" - # aws-mediastore = "mediaStoreEnabled" - # aws-mediatailor = "mediaTailorEnabled" - # aws-mq = "mqEnabled" - # aws-msk = "mskEnabled" - # aws-outposts = "outpostsEnabled" - # aws-qldb = "qldbEnabled" - # aws-ram = "ramEnabled" - # aws-rds = "rdsEnabled" - # aws-redshift = "redshiftEnabled" - # aws-resourcegroups = "resourceGroupsEnabled" - # aws-robomaker = "roboMakerEnabled" - # aws-route53 = "route53Enabled" - # aws-route53domains = "route53DomainsEnabled" - # aws-route53resolver = "route53ResolverEnabled" - aws-s3 = "s3Enabled" - # aws-sagemaker = "sageMakerEnabled" - # aws-secretsmanager = "secretsManagerEnabled" - # aws-securityhub = "securityHubEnabled" - # aws-serverlessapplicationrepository = "serverlessApplicationRepositoryEnabled" - # aws-servermigration = "serverMigrationServiceEnabled" - # aws-servicecatalog = "serviceCatalogEnabled" - # aws-shield = "shieldEnabled" - # aws-simpledb = "simpleDbEnabled" - # aws-snowball = "snowballEnabled" - aws-sns = "snsEnabled" - # aws-sqs = "sqsEnabled" - # aws-ssm = "ssmEnabled" - # aws-stepfunctions = "stepFunctionsEnabled" - # aws-storagegateway = "storageGatewayEnabled" - # aws-swf = "swfEnabled" - # aws-textract = "textractEnabled" - # 
aws-transcribe = "transcribeEnabled" - # aws-transfer = "transferEnabled" - # aws-trustedadvisor = "trustedAdvisorEnabled" - aws-vpc-core = "vpcServiceEnabled" - # aws-waf = "wafEnabled" - # aws-wafregional = "wafRegionalEnabled" - # aws-wellarchitected = "wellarchitectedEnabled" - # aws-workdocs = "workDocsEnabled" - # aws-workspaces = "workSpacesEnabled" - # aws-xray = "xrayEnabled" -} - -# NOTE: For full list of values, which can be enabled for more than the default region. -# Look in variables.tf at the default value. -# This deafult value can be overridden. Uncomment the respective region list to enable Turbot Event Handlers. -# See this file, regions.tf -aws_account_default_regions = [ - "us-east-1", - "us-east-2", - # "us-east-2", - # "us-west-1", - # "us-west-2", - # "ap-northeast-1", - # "ap-northeast-2", - # "ap-south-1", - # "ap-southeast-1", - # "ap-southeast-2", - # "ca-central-1", - # "eu-central-1", - # "eu-north-1", - # "eu-west-1", - # "eu-west-2", - # "eu-west-3", - # "sa-east-1", -] \ No newline at end of file +# List of services to set as Enabled +enabled_policy_map = { + # aws-acm = "acmEnabled" + # aws-amplify = "amplifyEnabled" + # aws-apigateway = "apiGatewayEnabled" + # aws-appconfig = "appConfigEnabled" + # aws-appfabric = "appFabricEnabled" + # aws-appflow = "appFlowEnabled" + # aws-appmesh = "appMeshEnabled" + # aws-appstream = "appStreamEnabled" + # aws-appsync = "appSyncEnabled" + # aws-artifact = "artifactEnabled" + # aws-athena = "athenaEnabled" + # aws-auditmanager = "auditManagerEnabled" + # aws-backup = "backupEnabled" + # aws-batch = "batchEnabled" + # aws-bedrock = "bedrockEnabled" + # aws-billing = "billingEnabled" + # aws-braket = "braketEnabled" + # aws-chatbot = "chatbotEnabled" + # aws-chime = "chimeEnabled" + # aws-cleanrooms = "cleanRoomsEnabled" + # aws-cloud9 = "cloud9Enabled" + # aws-clouddirectory = "cloudDirectoryEnabled" + # aws-cloudformation = "cloudFormationEnabled" + # aws-cloudfront = "cloudFrontEnabled" + # 
aws-cloudhsm = "cloudHsmEnabled" + # aws-cloudmap = "cloudMapEnabled" + # aws-cloudsearch = "cloudSearchEnabled" + # aws-cloudshell = "cloudShellEnabled" + aws-cloudtrail = "cloudTrailEnabled" + aws-cloudwatch = "cloudWatchEnabled" + # aws-codebuild = "codeBuildEnabled" + # aws-codecommit = "codeCommitEnabled" + # aws-codedeploy = "codeDeployEnabled" + # aws-codepipeline = "codePipelineEnabled" + # aws-codestar = "codeStarEnabled" + # aws-codewhisperer = "codeWhispererEnabled" + # aws-cognito = "cognitoEnabled" + # aws-comprehend = "comprehendEnabled" + # aws-computeoptimizer = "computeOptimizerEnabled" + aws-config = "configEnabled" + # aws-connect = "connectEnabled" + # aws-datapipeline = "dataPipelineEnabled" + # aws-datasync = "datasyncEnabled" + # aws-dax = "daxEnabled" + # aws-devicefarm = "deviceFarmEnabled" + # aws-directconnect = "directConnectEnabled" + # aws-directoryservice = "directoryServiceEnabled" + # aws-dms = "dmsEnabled" + # aws-dynamodb = "dynamodbEnabled" + aws-ec2 = "ec2Enabled" + # aws-ec2imagebuilder = "ec2ImageBuilderEnabled" + # aws-ecr = "ecrEnabled" + # aws-ecs = "ecsEnabled" + aws-efs = "efsEnabled" + # aws-eks = "eksEnabled" + # aws-elasticache = "elastiCacheEnabled" + # aws-elasticbeanstalk = "elasticBeanstalkEnabled" + # aws-elasticinference = "elasticInferenceEnabled" + # aws-elasticsearch = "esEnabled" + # aws-elastictranscoder = "elasticTranscoderEnabled" + # aws-emr = "emrEnabled" + # aws-eventbridgepipes = "eventBridgePipesEnabled" + # aws-eventbridgescheduler = "eventBridgeSchedulerEnabled" + aws-events = "eventsEnabled" + # aws-fms = "fmsEnabled" + # aws-fsx = "fsxEnabled" + # aws-gamelift = "gameLiftEnabled" + # aws-glacier = "glacierEnabled" + # aws-globalaccelerator = "globalAcceleratorEnabled" + # aws-glue = "glueEnabled" + # aws-gluedatabrew = "glueDataBrewEnabled" + # aws-greengrass = "greengrassEnabled" + # aws-guardduty = "guardDutyEnabled" + # aws-health = "healthEnabled" + aws-iam = "iamEnabled" + # aws-inspector = 
"inspectorEnabled" + # aws-iot = "iotEnabled" + # aws-iot1click = "iot1ClickEnabled" + # aws-iotanalytics = "iotAnalyticsEnabled" + # aws-iotevents = "iotEventsEnabled" + # aws-iotsitewise = "iotSiteWiseEnabled" + # aws-iotthingsgraph = "iotThingsGraphEnabled" + # aws-kendra = "kendraEnabled" + # aws-kinesis = "kinesisEnabled" + aws-kms = "kmsEnabled" + # aws-lakeformation = "lakeFormationEnabled" + aws-lambda = "lambdaEnabled" + # aws-lex = "lexEnabled" + # aws-lightsail = "lightsailEnabled" + # aws-location = "locationEnabled" + aws-logs = "logsEnabled" + # aws-machinelearning = "machineLearningEnabled" + # aws-macie = "macieEnabled" + # aws-mediaconnect = "mediaConnectEnabled" + # aws-mediaconvert = "mediaConvertEnabled" + # aws-medialive = "mediaLiveEnabled" + # aws-mediapackage = "mediaPackageEnabled" + # aws-mediastore = "mediaStoreEnabled" + # aws-mediatailor = "mediaTailorEnabled" + # aws-mq = "mqEnabled" + # aws-msk = "mskEnabled" + # aws-mwaa = "mwaaEnabled" + # aws-omics = "omicsEnabled" + # aws-opensearch = "openSearchEnabled" + # aws-outposts = "outpostsEnabled" + # aws-polly = "pollyEnabled" + # aws-qldb = "qldbEnabled" + # aws-quicksight = "quickSightEnabled" + # aws-ram = "ramEnabled" + aws-rds = "rdsEnabled" + # aws-redshift = "redshiftEnabled" + # aws-redshiftserverless = "redshiftServerlessEnabled" + # aws-rekognition = "rekognitionEnabled" + # aws-resourcegroups = "resourceGroupsEnabled" + # aws-robomaker = "roboMakerEnabled" + # aws-route53 = "route53Enabled" + # aws-route53domains = "route53DomainsEnabled" + # aws-route53recoverycontrolconfig = "route53RecoveryControlConfigEnabled" + # aws-route53recoveryreadiness = "route53RecoveryReadinessEnabled" + # aws-route53resolver = "route53ResolverEnabled" + aws-s3 = "s3Enabled" + # aws-sagemaker = "sageMakerEnabled" + # aws-savingsplans = "savingsPlansEnabled" + # aws-scheduler = "schedulerEnabled" + # aws-secretsmanager = "secretsManagerEnabled" + aws-securityhub = "securityHubEnabled" + # 
aws-serverlessapplicationrepository = "serverlessApplicationRepositoryEnabled" + # aws-servermigration = "serverMigrationServiceEnabled" + # aws-servicecatalog = "serviceCatalogEnabled" + # aws-servicequotas = "serviceQuotasEnabled" + # aws-ses = "sesEnabled" + # aws-shield = "shieldEnabled" + # aws-signer = "signerEnabled" + # aws-simpledb = "simpleDbEnabled" + # aws-snowball = "snowballEnabled" + aws-sns = "snsEnabled" + # aws-sqs = "sqsEnabled" + # aws-ssm = "ssmEnabled" + # aws-stepfunctions = "stepFunctionsEnabled" + # aws-storagegateway = "storageGatewayEnabled" + # aws-swf = "swfEnabled" + # aws-tagging = "taggingEnabled" + # aws-textract = "textractEnabled" + # aws-transcribe = "transcribeEnabled" + # aws-transfer = "transferEnabled" + # aws-translate = "translateEnabled" + # aws-trustedadvisor = "trustedAdvisorEnabled" + aws-vpc-core = "vpcServiceEnabled" + # aws-vpclattice = "vpcLatticeEnabled" + # aws-waf = "wafEnabled" + # aws-wafregional = "wafRegionalEnabled" + # aws-wellarchitected = "wellarchitectedEnabled" + # aws-workdocs = "workDocsEnabled" + # aws-workspaces = "workSpacesEnabled" + # aws-xray = "xrayEnabled" +} diff --git a/baselines/aws/aws_service_enabled/main.tf b/baselines/aws/aws_service_enabled/main.tf new file mode 100644 index 000000000..f49d92a8f --- /dev/null +++ b/baselines/aws/aws_service_enabled/main.tf 
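Review bot: The rewritten map no longer records where its keys are consumed or that each uncommented key must correspond to an installed mod, which the old header (`# See file, aws_service_enable.tf`) at least hinted at; main.tf expands every entry to `tmod:@turbot/<key>#/policy/types/<value>`, so a key whose mod is not installed presumably fails inside the provider call at apply time rather than at plan time. I would put a header back on the first line of the new side: `# Each key is a Guardrails mod name that must already be installed (see ../aws_mods); main.tf turns it into tmod:@turbot/<key>#/policy/types/<value>.` The README also states that this default selects the set needed for CIS compliance, but nothing in the file itself records that selection criterion, so a one-line comment above the map naming it would keep the two in step. The hunk runs across several physical lines here and the note applies to the whole map.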
@@ -0,0 +1,22 @@
+# Create Baselines Policy Pack
+resource "turbot_policy_pack" "aws_enabled_baseline_pack" {
+ parent = "tmod:@turbot/turbot#/"
+ title = "AWS Enabled Baseline Policies"
+}
+
+# Enable all AWS Services
+# Loop through var.service_status and set enable policies
+resource "turbot_policy_setting" "aws_enable" {
+ for_each = var.enabled_policy_map
+ resource = turbot_policy_pack.aws_enabled_baseline_pack.id
+ type = "tmod:@turbot/${each.key}#/policy/types/${each.value}"
+ value = "Enabled"
+}
+
+# Here the "resource" is the AKA of the [Base Folder](../../guardrails/folder_hierarchy/) to which you want to attached the Policy Pack.
+# The base folder is created as part of script from [Base Folder](../../guardrails/folder_hierarchy/)
+# The resource should be created first.
+resource "turbot_policy_pack_attachment" "aws_enable_attachment" {
+ resource = "base_folder"
+ policy_pack = turbot_policy_pack.aws_enabled_baseline_pack.id
+}
diff --git a/baselines/aws/aws_service_enabled/providers.tf b/baselines/aws/aws_service_enabled/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/aws/aws_service_enabled/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/aws/aws_service_enabled/variables.tf b/baselines/aws/aws_service_enabled/variables.tf
new file mode 100644
index 000000000..3555b7142
--- /dev/null
+++ b/baselines/aws/aws_service_enabled/variables.tf
@@ -0,0 +1,4 @@
+variable "enabled_policy_map" {
+ description = "Enter the list of services that you would like to Enable"
+ type = map(string)
+}
diff --git a/baselines/azure/azure-cis-v1-section5.2/README.md b/baselines/azure/azure-cis-v1-section5.2/README.md
deleted file mode 100644
index 393e01690..000000000
--- a/baselines/azure/azure-cis-v1-section5.2/README.md
+++ /dev/null
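Review bot: The comment `# Loop through var.service_status and set enable policies` names a variable that does not exist in this baseline; the resource iterates `var.enabled_policy_map`, so the line should read `# Loop through var.enabled_policy_map and set each mod's *Enabled policy to Enabled`. The attachment block also hard-codes `resource = "base_folder"`, an AKA this module does not create and that presumably only resolves once the folder_hierarchy baseline has been applied, so anyone attaching the pack elsewhere must edit main.tf rather than pass a value. Exposing the target as a variable with that same default preserves the documented behaviour while making the cross-baseline dependency explicit and overridable; the variable block belongs in variables.tf, whose hunk shares this line.
```hcl
# variables.tf
variable "policy_pack_attach_resource" {
  description = "AKA or id of the resource to attach the policy pack to; defaults to the Base Folder created by ../../guardrails/folder_hierarchy/"
  type        = string
  default     = "base_folder"
}

# main.tf
resource "turbot_policy_pack_attachment" "aws_enable_attachment" {
  resource    = var.policy_pack_attach_resource
  # … unchanged: policy_pack reference and closing brace …
```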
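Review bot: `version = ">= 1.11.0"` has no upper bound, so `terraform init` resolves to whatever the newest turbot/turbot release is at that moment, including a future major version with breaking changes, unless a `.terraform.lock.hcl` is committed alongside (none is visible in this chunk). A pessimistic constraint such as `version = "~> 1.11"` keeps the module on the 1.x line it was written against, and committing the lock file additionally pins the provider checksums that init verifies against the registry.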
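Review bot: The description says "Enter the list of services" but the type is `map(string)` whose keys are mod names and whose values are policy type names, so the prompt misdescribes what a caller has to supply. I would change it to `description = "Map of Guardrails mod name (e.g. aws-s3) to that mod's *Enabled policy type (e.g. s3Enabled); every key must be an installed mod"`. A `validation` block rejecting empty keys or values would additionally surface a malformed entry at plan time instead of inside the provider call, though that part is optional.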
@@ -1,54 +0,0 @@ -# Azure CIS V1 Section 5.2 Baseline - -This baseline applies the Azure CIS v1 section 5.2 recommended settings to Azure subscriptions - -## Prerequisites - -- Setup Turbot [credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) -- Installed [Terraform](https://www.terraform.io/downloads.html) -- Installed [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- resource_group_name -- scopes - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file=default.tfvars` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure-cis-v1-section5.2/default.tfvars b/baselines/azure/azure-cis-v1-section5.2/default.tfvars deleted file mode 100644 index 069c15282..000000000 --- a/baselines/azure/azure-cis-v1-section5.2/default.tfvars +++ /dev/null 
@@ -1,10 +0,0 @@ -# Required - The resource_group_name where resources will be created -resource_group_name = "" -# Examples for resource_group_name: -# resource_group_name = "default_rg" -# resource_group_name = "turbot_rg" - -# Required - A list of scope -scopes = [""] -# Examples for resource_group_name: -# scopes = ["/subscriptions/85d03036-00bf-41c0-a45a-5e4c210d81b5"] diff --git a/baselines/azure/azure-cis-v1-section5.2/main.tf b/baselines/azure/azure-cis-v1-section5.2/main.tf deleted file mode 100644 index 4e2f659f6..000000000 --- a/baselines/azure/azure-cis-v1-section5.2/main.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -provider azurerm { - features {} -} - -# 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_1" { - name = "policy-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all policy attachments" - - criteria { - operation_name = "Microsoft.Authorization/policyassignments/write" - resource_type = "microsoft.authorization/policyassignments" - resource_provider = "microsoft.authorization/policyassignments" - category = "Administrative" - } -} - -# 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_2" { - name = "nsg-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Network/networkSecurityGroups/write" - resource_type = "microsoft.network/networksecuritygroups" - category = "Administrative" - } -} - -# 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_3" { - name = "nsg-delete-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Network/networkSecurityGroups/delete" - resource_type = "microsoft.network/networksecuritygroups" - category = "Administrative" - } -} - -# 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_4" { - name = "nsg-rules-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = 
"Microsoft.Network/networkSecurityGroups/securityRules/write" - resource_type = "microsoft.network/networkSecurityGroups/securityRules" - category = "Administrative" - } -} - -# 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_5" { - name = "nsg-rules-delete-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Network/networkSecurityGroups/securityRules/delete" - resource_type = "microsoft.network/networkSecurityGroups/securityRules" - category = "Administrative" - } -} - -# 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_6" { - name = "security-solutions-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Security/securitySolutions/write" - resource_type = "microsoft.security/securitySolutions" - category = "Administrative" - } -} - -# 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_7" { - name = "security-solutions-delete-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Security/securitySolutions/delete" - resource_type = "microsoft.security/securitySolutions" - category = "Administrative" - } -} - -# 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_8" { - name = "sql-servers-firewall-rules-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This 
alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Sql/servers/firewallRules/write" - resource_type = "microsoft.sql/servers/firewallRules" - category = "Administrative" - } -} - -# 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored) -resource "azurerm_monitor_activity_log_alert" "setting_5_2_9" { - name = "security-policies-alert" - resource_group_name = var.resource_group_name - scopes = var.scopes - description = "This alert will monitor all nsgs" - - criteria { - operation_name = "Microsoft.Security/policies/write" - resource_type = "microsoft.security/policies" - category = "Administrative" - } -} diff --git a/baselines/azure/azure-cis-v1-section5.2/variables.tf b/baselines/azure/azure-cis-v1-section5.2/variables.tf deleted file mode 100644 index bd4289638..000000000 --- a/baselines/azure/azure-cis-v1-section5.2/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "resource_group_name" { - description = "Enter the resource_group_name where resources will be created" - type = string -} - -variable "scopes" { - description = "Enter a list of scope" - type = list(string) -} diff --git a/baselines/azure/azure-cis-v1/README.md b/baselines/azure/azure-cis-v1/README.md deleted file mode 100644 index 2bf12fba1..000000000 --- a/baselines/azure/azure-cis-v1/README.md +++ /dev/null 
@@ -1,56 +0,0 @@ -# Azure CIS V1 Baseline - -Turbot CIS V1 baseline to configure CIS policies centrally. - -## Prerequisites - -- Setup Turbot [credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) -- Installed [Terraform](https://www.terraform.io/downloads.html) -- Installed [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- target_resource -- smart_folder_title -- folder_parent (Optional) -- cis_policy_setting (Optional) - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file=default.tfvars` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure-cis-v1/default.tfvars b/baselines/azure/azure-cis-v1/default.tfvars deleted file mode 100644 index f62a72bc4..000000000 --- a/baselines/azure/azure-cis-v1/default.tfvars +++ /dev/null 
@@ -1,14 +0,0 @@ -target_resource = "" -# Examples for target_resource -# target_resource = "tmod:@turbot/turbot#/" -# target_resource = "187486019045335" - -smart_folder_title = "" - -# Optional - leaving unchanged will default to the Turbot level -# folder_parent = "" - -# Optional - leaving unchanged will use the default map which will set the controls to Skip -# cis_policy_setting = { -# r0104 = "Per AZURE > CIS v1 using attestation" -# } diff --git a/baselines/azure/azure-cis-v1/main.tf b/baselines/azure/azure-cis-v1/main.tf deleted file mode 100644 index 0fa7f7c09..000000000 --- a/baselines/azure/azure-cis-v1/main.tf +++ /dev/null @@ -1,17 +0,0 @@ -resource "turbot_smart_folder" "azure_folder" { - parent = var.folder_parent - title = var.smart_folder_title - description = "Folder to import the Azure Subscription:" -} - -resource "turbot_smart_folder_attachment" "azure_folder" { - resource = var.target_resource - smart_folder = turbot_smart_folder.azure_folder.id -} - -resource "turbot_policy_setting" "cis_policies" { - count = length(var.cis_policy_setting) - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure-cisv1#/policy/types/${element(keys(var.cis_policy_setting), count.index)}" - value = lookup(var.cis_policy_setting, "${element(keys(var.cis_policy_setting), count.index)}") -} diff --git a/baselines/azure/azure-cis-v1/variables.tf b/baselines/azure/azure-cis-v1/variables.tf deleted file mode 100644 index e22a8de1a..000000000 --- a/baselines/azure/azure-cis-v1/variables.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -variable "target_resource" { - description = "Enter a target_resource to set the policies on a specific resource. This can be an AKA or resource id:" - type = string -} - -# The title of the smart folder -variable "smart_folder_title" { - description = "Folder to import the Azure Subscription:" - type = string -} - -# Defaults to the Turbot Resource level using the AKA which identifies the Turbot level. -variable "folder_parent" { - type = string - default = "tmod:@turbot/turbot#/" -} - -# Configure the value for the CIS policy. Depending on the policy there are a varying acceptable values. -variable "cis_policy_setting" { - description = "Choose the subset of CIS policies that should be configured. For possible values, you can use the GraphQL query `list-cis-policy-types-by-cloud-provider.graphql`" - type = map - - default = { - r0104 = "Per AZURE > CIS v1 using attestation" - r0105 = "Per AZURE > CIS v1 using attestation" - r0106 = "Per AZURE > CIS v1 using attestation" - r0107 = "Per AZURE > CIS v1 using attestation" - r0108 = "Per AZURE > CIS v1 using attestation" - r0109 = "Per AZURE > CIS v1 using attestation" - r0110 = "Per AZURE > CIS v1 using attestation" - r0111 = "Per AZURE > CIS v1 using attestation" - r0112 = "Per AZURE > CIS v1 using attestation" - r0113 = "Per AZURE > CIS v1 using attestation" - r0114 = "Per AZURE > CIS v1 using attestation" - r0115 = "Per AZURE > CIS v1 using attestation" - r0116 = "Per AZURE > CIS v1 using attestation" - r0117 = "Per AZURE > CIS v1 using attestation" - r0118 = "Per AZURE > CIS v1 using attestation" - r0119 = "Per AZURE > CIS v1 using attestation" - r0120 = "Per AZURE > CIS v1 using attestation" - r0121 = "Per AZURE > CIS v1 using attestation" - r0122 = "Per AZURE > CIS v1 using attestation" - r0201 = "Per Azure > CIS v1" - r0202 = "Per Azure > CIS v1" - r0203 = "Per Azure > CIS v1" - r0204 = "Per Azure > CIS v1" - r0205 = "Per Azure > CIS v1" - r0206 = "Per Azure > CIS v1" - r0207 = "Per Azure > 
CIS v1" - r0208 = "Per Azure > CIS v1" - r0209 = "Per Azure > CIS v1" - r0210 = "Per Azure > CIS v1" - r0211 = "Per Azure > CIS v1" - r0212 = "Per Azure > CIS v1" - r0213 = "Per Azure > CIS v1" - r0214 = "Per Azure > CIS v1" - r0215 = "Per Azure > CIS v1" - r0216 = "Per Azure > CIS v1" - r0217 = "Per Azure > CIS v1" - r0218 = "Per Azure > CIS v1" - r0219 = "Per Azure > CIS v1" - r0301 = "Per AZURE > CIS v1" - r0302 = "Per AZURE > CIS v1 using attestation" - r0303 = "Per Azure > CIS v1" - r0304 = "Per AZURE > CIS v1 using attestation" - r0305 = "Per AZURE > CIS v1 using attestation" - r0306 = "Per AZURE > CIS v1" - r0307 = "Per AZURE > CIS v1" - r0308 = "Per AZURE > CIS v1" - r0401 = "Per AZURE > CIS v1" - r0402 = "Per Azure > CIS v1" - r0403 = "Per AZURE > CIS v1" - r0404 = "Per AZURE > CIS v1" - r0405 = "Per Azure > CIS v1" - r0406 = "Per Azure > CIS v1" - r0407 = "Per AZURE > CIS v1" - r0408 = "Per Azure > CIS v1" - r0409 = "Per AZURE > CIS v1" - r0410 = "Per AZURE > CIS v1" - r0411 = "Per AZURE > CIS v1" - r0412 = "Per Azure > CIS v1" - r0413 = "Per AZURE > CIS v1" - r0414 = "Per Azure > CIS v1" - r0415 = "Per Azure > CIS v1" - r0416 = "Per Azure > CIS v1" - r0417 = "Per Azure > CIS v1" - r0418 = "Per Azure > CIS v1" - r050101 = "Per Azure > CIS v1" - r050102 = "Per Azure > CIS v1" - r050103 = "Per Azure > CIS v1" - r050104 = "Per Azure > CIS v1" - r050105 = "Per Azure > CIS v1" - r050106 = "Per Azure > CIS v1" - r050107 = "Per Azure > CIS v1" - r050201 = "Per Azure > CIS v1" - r050202 = "Per Azure > CIS v1" - r050203 = "Per Azure > CIS v1" - r050204 = "Per Azure > CIS v1" - r050205 = "Per Azure > CIS v1" - r050206 = "Per Azure > CIS v1" - r050207 = "Per Azure > CIS v1" - r050208 = "Per Azure > CIS v1" - r050209 = "Per Azure > CIS v1" - r0601 = "Per Azure > CIS v1" - r0602 = "Per Azure > CIS v1" - r0603 = "Per Azure > CIS v1" - r0604 = "Per Azure > CIS v1" - r0605 = "Per Azure > CIS v1" - r0701 = "Per Azure > CIS v1" - r0702 = "Per Azure > CIS v1" - r0703 = "Per 
Azure > CIS v1" - r0704 = "Per AZURE > CIS v1 using attestation" - r0705 = "Per AZURE > CIS v1 using attestation" - r0706 = "Per AZURE > CIS v1 using attestation" - r0801 = "Per Azure > CIS v1" - r0802 = "Per Azure > CIS v1" - r0803 = "Per AZURE > CIS v1 using attestation" - r0804 = "Per Azure > CIS v1" - r0805 = "Per AZURE > CIS v1" - r0901 = "Per AZURE > CIS v1" - r0902 = "Per AZURE > CIS v1" - r0903 = "Per AZURE > CIS v1" - r0904 = "Per AZURE > CIS v1" - r0905 = "Per Azure > CIS v1" - r0906 = "Per Azure > CIS v1" - r0907 = "Per Azure > CIS v1" - r0909 = "Per Azure > CIS v1" - r0910 = "Per AZURE > CIS v1" - } -} diff --git a/baselines/azure/azure_active_directory_import/README.md b/baselines/azure/azure_active_directory_import/README.md deleted file mode 100644 index b2a86672c..000000000 --- a/baselines/azure/azure_active_directory_import/README.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Azure Active Directory Import Baseline - -The Azure active directory import baseline terraform configuration lets you import an Azure active directory into your turbot environment, with the necessary roles and permissions. - -## Prerequisites - -To run the Azure active directory import baseline, you must have: - -- [Terraform](https://www.terraform.io) Version 12 -- Terraform [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html) -- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- azure_active_directory_id -- parent_resource -- azure_environment_type -- azure_client_id -- azure_tenant_id -- azure_client_secret - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file="default.tfvars"` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. 
- -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure_active_directory_import/default.tfvars b/baselines/azure/azure_active_directory_import/default.tfvars deleted file mode 100644 index 930ea63a0..000000000 --- a/baselines/azure/azure_active_directory_import/default.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -azure_environment_type = "" - -azure_active_directory_id = "" - -parent_resource = "<15 digit tubot folder id under which the azure active directory to be imported>" - -azure_client_id = "" - -azure_tenant_id = "" - -azure_client_secret = "" \ No newline at end of file diff --git a/baselines/azure/azure_active_directory_import/main.tf b/baselines/azure/azure_active_directory_import/main.tf deleted file mode 100644 index 54d1b2ab3..000000000 --- a/baselines/azure/azure_active_directory_import/main.tf +++ /dev/null 
@@ -1,51 +0,0 @@ -provider azurerm { - version = "=2.0.0" - features {} - active_directory_id = var.azure_active_directory_id - client_id = var.azure_client_id - environment = "public" - tenant_id = var.azure_tenant_id - client_secret = var.azure_client_secret -} - -# Create the Azure > Active Directory resource in Turbot -resource "turbot_resource" "active_directory_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure-activedirectory#/resource/types/directory" - akas = ["azure:///directory/${var.azure_active_directory_id}"] - metadata = jsonencode({ - "azure" : { - "tenantId" : "${var.azure_tenant_id}" - } - }) - data = jsonencode({ - "id" : "${var.azure_active_directory_id}" - "tenantId": "${var.azure_tenant_id}" - }) -} - -# Set the credentials for the Active Directory via Turbot policies - -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.active_directory_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} - -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.active_directory_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_client_secret -} - -resource "turbot_policy_setting" "clientId" { - resource = turbot_resource.active_directory_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = var.azure_client_id -} - -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.active_directory_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = var.azure_tenant_id -} diff --git a/baselines/azure/azure_active_directory_import/variables.tf b/baselines/azure/azure_active_directory_import/variables.tf deleted file mode 100644 index 9ee3085f1..000000000 --- a/baselines/azure/azure_active_directory_import/variables.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -variable "azure_active_directory_id" { - description = "Enter the Azure Active Directory ID that you wish to import: " - type = string -} - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the active directory:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure Active Directory environment type ('Global Cloud' or 'US Government'):" - type = string -} - -variable "azure_client_id" { - description = "Enter the Azure Client ID: " - type = string -} - -variable "azure_tenant_id" { - description = "Enter the Azure Tenant ID: " - type = string -} - -variable "azure_client_secret" { - description = "Enter the Azure Client Secret Key: " - type = string -} diff --git a/baselines/azure/azure_eventing/README.md b/baselines/azure/azure_eventing/README.md deleted file mode 100644 index de56b3074..000000000 --- a/baselines/azure/azure_eventing/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Azure Eventing Baseline - -Terraform script that creates a calculated policy which enables: - -- Event Polling -- Event Handling -- Resource Group creation for Event Handling - -## Prerequisites - -- Setup Turbot [credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) -- Installed [Terraform](https://www.terraform.io/downloads.html) -- Installed [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- An environment with `turbot`, `turbot-iam`, `azure` and `azure-monitor` mods installed as a minimum. - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- target_resource -- smart_folder_title -- folder_parent (Optional) - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file=default.tfvars` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure_eventing/default.tfvars b/baselines/azure/azure_eventing/default.tfvars deleted file mode 100644 index da66cabbd..000000000 
--- a/baselines/azure/azure_eventing/default.tfvars +++ /dev/null @@ -1,19 +0,0 @@ -# Required - Target resource to attach to smart folder -target_resource = "" -# Examples for target_resource -# target_resource = "tmod:@turbot/turbot#/" -# target_resource = "191238958290468" - -# Required - Target resource to attach to smart folder -# Setting to `true` will configure that the Event Poller to handle event routing. -# Setting to `false` will configure that the Event Handler to handle event routing. -enable_poller = true - -# Optional - Default value: "Azure - Event Router" -# smart_folder_title = "Custom Smart Folder Title" - -# Optional - Default value: "Contains the policy settings to configure the Azure Event Router" -# smart_folder_description = "Custom Description" - -# Optional - Default value: tmod:@turbot/turbot#/ -# smart_folder_parent_resource = "" diff --git a/baselines/azure/azure_eventing/main.tf b/baselines/azure/azure_eventing/main.tf deleted file mode 100644 index 217e4b2b1..000000000 --- a/baselines/azure/azure_eventing/main.tf +++ /dev/null 
@@ -1,42 +0,0 @@ -resource "turbot_smart_folder" "azure_folder" { - title = var.smart_folder_title - description = var.smart_folder_description - parent = var.smart_folder_parent_resource -} - -# Create Event through Event Poller -# Azure > Turbot > Event Poller -resource "turbot_policy_setting" "eventPoller" { - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure#/policy/types/eventPoller" - value = var.enable_poller ? "Enabled" : "Disabled" -} - -# Create the resource group for the event handler -# Azure > Turbot > Resource Group Handlers -resource "turbot_policy_setting" "resourceGroupStack" { - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure#/policy/types/resourceGroupStack" - value = var.enable_poller ? "Skip" : "Enforce: Configured" -} - -# Create Event through Event Handler -# Azure > Turbot > Event Handlers -resource "turbot_policy_setting" "eventHandlers" { - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure#/policy/types/eventHandlers" - value = var.enable_poller ? "Skip" : "Enforce: Configured" -} - -# Create the Resource Group and set the policy -# Azure > Turbot > Resource Group -resource "turbot_policy_setting" "turbotResourceGroup" { - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure#/policy/types/turbotResourceGroup" - value = var.enable_poller ? "Skip" : "Enforce: Configured" -} - -resource "turbot_smart_folder_attachment" "azure_folder" { - resource = var.target_resource - smart_folder = turbot_smart_folder.azure_folder.id -} diff --git a/baselines/azure/azure_eventing/variables.tf b/baselines/azure/azure_eventing/variables.tf deleted file mode 100644 index 96cb70633..000000000 --- a/baselines/azure/azure_eventing/variables.tf +++ /dev/null 
@@ -1,31 +0,0 @@ -variable "target_resource" { - description = "Enter the resource ID or AKA for the resource to apply the calculated policy" - type = string -} - -variable "enable_poller" { - description = <.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure_management_group_import/default.tfvars b/baselines/azure/azure_management_group_import/default.tfvars deleted file mode 100644 index 4759f767d..000000000 --- a/baselines/azure/azure_management_group_import/default.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -azure_environment_type = "" - -azure_management_group_id = "" - -parent_resource = "<15 digit tubot folder id under which the azure management group to be imported>" - -azure_client_id = "" - -azure_tenant_id = "" - -azure_client_secret = "" \ No newline at end of file diff --git a/baselines/azure/azure_management_group_import/main.tf b/baselines/azure/azure_management_group_import/main.tf deleted file mode 100644 index 2791d8783..000000000 --- a/baselines/azure/azure_management_group_import/main.tf +++ /dev/null 
@@ -1,52 +0,0 @@ -provider azurerm { - version = "=2.0.0" - features {} - management_group_id = var.azure_management_group_id - client_id = var.azure_client_id - environment = "public" - tenant_id = var.azure_tenant_id - client_secret = var.azure_client_secret -} - -# Create the Azure > Management Group resource in Turbot -resource "turbot_resource" "management_group_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure#/resource/types/managementGroup" - akas = ["azure:///tenants/${var.azure_tenant_id}/microsoft.management/managementgroups/${var.azure_management_group_id}"] - metadata = jsonencode({ - "azure" : { - "tenantId" : "${var.azure_tenant_id}" - "managementGroupId" : "${var.azure_management_group_id}" - } - }) - data = jsonencode({ - "id" : "/providers/Microsoft.Management/managementGroups/${var.azure_management_group_id}" - "name" : "${var.azure_management_group_id}", - }) -} - -# Set the credentials for the Management Group via Turbot policies - -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.management_group_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} - -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.management_group_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_client_secret -} - -resource "turbot_policy_setting" "clientId" { - resource = turbot_resource.management_group_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = var.azure_client_id -} - -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.management_group_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = var.azure_tenant_id -} diff --git a/baselines/azure/azure_management_group_import/variables.tf b/baselines/azure/azure_management_group_import/variables.tf deleted file mode 100644 index 9e156fd20..000000000 
--- a/baselines/azure/azure_management_group_import/variables.tf +++ /dev/null @@ -1,29 +0,0 @@ -variable "azure_management_group_id" { - description = "Enter the Azure Management Group ID that you wish to import: " - type = string -} - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the management group:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure Management Group environment type ('Global Cloud' or 'US Government'):" - type = string -} - -variable "azure_client_id" { - description = "Enter the Azure Client ID: " - type = string -} - -variable "azure_tenant_id" { - description = "Enter the Azure Tenant ID: " - type = string -} - -variable "azure_client_secret" { - description = "Enter the Azure Client Secret Key: " - type = string -} diff --git a/baselines/azure/azure_mods/README.md b/baselines/azure/azure_mods/README.md new file mode 100644 index 000000000..3e409d836 --- /dev/null +++ b/baselines/azure/azure_mods/README.md 
@@ -0,0 +1,94 @@ +# Azure Mods Installation + +Turbot provides numerous Azure mods, covering a wide range of Azure resources with thousands of policies and controls. By default, mods are installed with the top Turbot resource as the parent, meaning administrators must have Turbot/Owner permissions at the Turbot resource level to install, uninstall, or update mods in the environment. + +## Documentation + +- **[Review Mods Documentation →](https://turbot.com/guardrails/docs/mods)** + +## Getting Started + +### Requirements + +- [Terraform](https://developer.hashicorp.com/terraform/install) + +### Credentials + +To install Azure mods using Terraform: + +- Ensure you have `Turbot/Owner` permissions in Guardrails. +- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails. + +Then set your credentials: + +```sh +export TURBOT_WORKSPACE=myworkspace.acme.com +export TURBOT_ACCESS_KEY=acce6ac5-access-key-here +export TURBOT_SECRET_KEY=a8af61ec-secret-key-here +``` + +Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods. + +## Usage + +### Initialize Terraform + +1. Navigate to the `azure_mods` folder. +2. Run the command: + +```sh +terraform init +``` + +### Install + +After initializing Terraform, you can apply the mods in one of two ways, depending on your needs: + +#### 1. Using an Input Variable File + +By default, the `default.tfvars` file is configured to install all the mods necessary for CIS (Center for Internet Security) compliance. You can further customize this file to include additional mods as needed. To apply the mods using this specific input variable file, run the following command: + +```sh +terraform apply --var-file=default.tfvars -parallelism=1 +``` + +#### 2. 
Without an Input Variable File
+
+If you choose not to use an input variable file, the command will install **all** available AWS mods. To proceed with this option, run:
+
+```sh
+terraform apply -parallelism=1
+```
+
+### Destroy
+
+You can destroy the mods in one of two ways:
+
+#### 1. Using an Input Variable File
+
+Run the following command to destroy the mods using a specific input variable file:
+
+```sh
+terraform destroy --var-file=default.tfvars -parallelism=1
+```
+
+#### 2. Without an Input Variable File
+
+Run the following command to destroy the mods without using an input variable file:
+
+```sh
+terraform destroy -parallelism=1
+```
+
+## Commenting Strategy
+
+All Turbot policies used in the installation include links to the official Turbot Mods documentation.
+
+These links provide further details about:
+
+- The purpose of the policy
+- Policy URI name
+- Parent information
+- Category information
+- Target information
+- All valid values
diff --git a/baselines/azure/azure_mods/default.tfvars b/baselines/azure/azure_mods/default.tfvars
new file mode 100644
index 000000000..b13fc2057
--- /dev/null
+++ b/baselines/azure/azure_mods/default.tfvars
@@ -0,0 +1,40 @@
+mod_list = [
+ "azure",
+ "azure-activedirectory",
+ # "azure-aks",
+ # "azure-apimanagement",
+ # "azure-applicationgateway",
+ # "azure-applicationinsights",
+ "azure-appservice",
+ # "azure-automation",
+ # "azure-cisv1",
+ # "azure-cisv1-2",
+ "azure-cisv2-0",
+ "azure-compute",
+ "azure-cosmosdb",
+ # "azure-databricks",
+ # "azure-datafactory",
+ # "azure-dns",
+ # "azure-firewall",
+ # "azure-frontdoorservice",
+ "azure-iam",
+ "azure-keyvault",
+ "azure-loadbalancer",
+ # "azure-loganalytics",
+ "azure-monitor",
+ "azure-mysql",
+ "azure-network",
+ "azure-networkwatcher",
+ "azure-postgresql",
+ "azure-provider",
+ # "azure-recoveryservice",
+ # "azure-relay",
+ # "azure-searchmanagement",
+ "azure-securitycenter",
+ # "azure-servicebus",
+ # "azure-signalr",
+ "azure-sql",
+ # "azure-sqlvirtualmachine",
+ "azure-storage",
+ # "azure-synapseanalytics"
+]
diff --git a/baselines/azure/azure_mods/mod_install.tf b/baselines/azure/azure_mods/mod_install.tf
new file mode 100644
index 000000000..0802bec4e
--- /dev/null
+++ b/baselines/azure/azure_mods/mod_install.tf
@@ -0,0 +1,429 @@ +# https://hub.guardrails.turbot.com/mods/azure/mods/azure +resource "turbot_mod" "azure" { + parent = "tmod:@turbot/turbot#/" + org = "turbot" + mod = "azure" + version = ">=5.0.0" + count = contains(var.mod_list, "azure") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-activedirectory +resource "turbot_mod" "azure-activedirectory" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure] + org = "turbot" + mod = "azure-activedirectory" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-activedirectory") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-aks +resource "turbot_mod" "azure-aks" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-aks" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-aks") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-apimanagement +resource "turbot_mod" "azure-apimanagement" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-apimanagement" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-apimanagement") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-applicationgateway +resource "turbot_mod" "azure-applicationgateway" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-applicationgateway" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-applicationgateway") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-applicationinsights +resource "turbot_mod" "azure-applicationinsights" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-applicationinsights" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-applicationinsights") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-appservice +resource "turbot_mod" "azure-appservice" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-appservice" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-appservice") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-automation +resource "turbot_mod" "azure-automation" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-automation" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-automation") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-cisv1 +resource "turbot_mod" "azure-cisv1" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.azure, + turbot_mod.azure-iam, + turbot_mod.azure-appservice, + turbot_mod.azure-compute, + turbot_mod.azure-keyvault, + turbot_mod.azure-monitor, + turbot_mod.azure-mysql, + turbot_mod.azure-network, + turbot_mod.azure-provider, + turbot_mod.azure-securitycenter, + turbot_mod.azure-sql, + turbot_mod.azure-postgresql, + turbot_mod.azure-storage, + turbot_mod.azure-networkwatcher, + turbot_mod.azure-aks + ] + org = "turbot" + mod = "azure-cisv1" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-cisv1") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-cisv1-2 +resource "turbot_mod" "azure-cisv1-2" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.azure, + turbot_mod.azure-activedirectory, + turbot_mod.azure-aks, + turbot_mod.azure-appservice, + turbot_mod.azure-compute, + turbot_mod.azure-iam, + turbot_mod.azure-keyvault, + turbot_mod.azure-monitor, + turbot_mod.azure-mysql, + turbot_mod.azure-network, + turbot_mod.azure-networkwatcher, + turbot_mod.azure-postgresql, + turbot_mod.azure-provider, + turbot_mod.azure-securitycenter, + turbot_mod.azure-sql, + turbot_mod.azure-storage + ] + org = "turbot" + mod = "azure-cisv1-2" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-cisv1-2") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-cisv2-0 +resource "turbot_mod" "azure-cisv2-0" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.azure, + turbot_mod.azure-activedirectory, + turbot_mod.azure-appservice, + turbot_mod.azure-compute, + turbot_mod.azure-cosmosdb, + turbot_mod.azure-iam, + turbot_mod.azure-keyvault, + turbot_mod.azure-loadbalancer, + turbot_mod.azure-monitor, + turbot_mod.azure-mysql, + turbot_mod.azure-network, + turbot_mod.azure-networkwatcher, + turbot_mod.azure-postgresql, + turbot_mod.azure-provider, + turbot_mod.azure-securitycenter, + turbot_mod.azure-sql, + turbot_mod.azure-storage + ] + org = "turbot" + mod = "azure-cisv2-0" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-cisv2-0") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-compute +resource "turbot_mod" "azure-compute" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-compute" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-compute") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-cosmosdb +resource "turbot_mod" "azure-cosmosdb" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-cosmosdb" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-cosmosdb") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-databricks +resource "turbot_mod" "azure-databricks" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-databricks" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-databricks") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-datafactory +resource "turbot_mod" "azure-datafactory" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-datafactory" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-datafactory") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-dns +resource "turbot_mod" "azure-dns" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-dns" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-dns") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-firewall +resource "turbot_mod" "azure-firewall" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-firewall" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-firewall") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-frontdoorservice +resource "turbot_mod" "azure-frontdoorservice" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam] + org = "turbot" + mod = "azure-frontdoorservice" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-frontdoorservice") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-iam +resource "turbot_mod" "azure-iam" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-iam" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-iam") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-keyvault +resource "turbot_mod" "azure-keyvault" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-keyvault" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-keyvault") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-loadbalancer +resource "turbot_mod" "azure-loadbalancer" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-loadbalancer" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-loadbalancer") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-loganalytics +resource "turbot_mod" "azure-loganalytics" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-loganalytics" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-loganalytics") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-monitor +resource "turbot_mod" "azure-monitor" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-monitor" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-monitor") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-mysql +resource "turbot_mod" "azure-mysql" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-mysql" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-mysql") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-network +resource "turbot_mod" "azure-network" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-network" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-network") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-networkwatcher +resource "turbot_mod" "azure-networkwatcher" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-networkwatcher" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-networkwatcher") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-postgresql +resource "turbot_mod" "azure-postgresql" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-postgresql" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-postgresql") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-provider +resource "turbot_mod" "azure-provider" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure] + org = "turbot" + mod = "azure-provider" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-provider") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-recoveryservice +resource "turbot_mod" "azure-recoveryservice" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-recoveryservice" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-recoveryservice") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-relay +resource "turbot_mod" "azure-relay" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-relay" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-relay") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-searchmanagement +resource "turbot_mod" "azure-searchmanagement" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-searchmanagement" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-searchmanagement") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-securitycenter +resource "turbot_mod" "azure-securitycenter" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-securitycenter" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-securitycenter") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-servicebus +resource "turbot_mod" "azure-servicebus" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-servicebus" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-servicebus") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-signalr +resource "turbot_mod" "azure-signalr" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-signalr" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-signalr") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-sql +resource "turbot_mod" "azure-sql" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-sql" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-sql") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-sqlvirtualmachine +resource "turbot_mod" "azure-sqlvirtualmachine" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-sqlvirtualmachine" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-sqlvirtualmachine") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/azure/mods/azure-storage +resource "turbot_mod" "azure-storage" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider] + org = "turbot" + mod = "azure-storage" + version = ">=5.0.0" + count = contains(var.mod_list, "azure-storage") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/azure/mods/azure-synapseanalytics
+resource "turbot_mod" "azure-synapseanalytics" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.azure, turbot_mod.azure-iam, turbot_mod.azure-provider]
+ org = "turbot"
+ mod = "azure-synapseanalytics"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "azure-synapseanalytics") ? 1 : 0
+}
diff --git a/baselines/azure/azure_mods/providers.tf b/baselines/azure/azure_mods/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/azure/azure_mods/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/azure/azure_mods/variables.tf b/baselines/azure/azure_mods/variables.tf
new file mode 100644
index 000000000..d01cd3f34
--- /dev/null
+++ b/baselines/azure/azure_mods/variables.tf
@@ -0,0 +1,4 @@
+variable "mod_list" {
+ type = list(string)
+ description = "The list of Azure Mods to install."
+}
diff --git a/baselines/azure/azure_provider_registration/README.md b/baselines/azure/azure_provider_registration/README.md
deleted file mode 100644
index 9008fce62..000000000
--- a/baselines/azure/azure_provider_registration/README.md
+++ /dev/null
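Review bot: Every `turbot_mod` resource in mod_install.tf uses the open-ended constraint `version = ">=5.0.0"`, so any later `terraform apply` can silently move a mod to whatever newer major Guardrails publishes; for a baseline that installs compliance mods a bounded constraint such as `version = "~> 5.0"` (or an exact pin recorded alongside the plan) keeps installs reproducible and reviewable, and the same applies to `version = ">= 1.11.0"` in providers.tf. `turbot_mod.azure-frontdoorservice` is the only service mod whose `depends_on` omits `turbot_mod.azure-provider`; if that is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. Note also that `depends_on` only orders creation — a `mod_list` that names, say, `azure-aks` without `azure-iam` is not rejected at plan time — so a header comment stating that callers must list each mod's prerequisites (or a `validation` block on the variable) seems worth adding; I cannot tell from here whether the Guardrails API refuses such an install.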
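Review bot: `variable "mod_list"` in variables.tf has no `default`, so running `terraform apply -parallelism=1` without a var file — the "Without an Input Variable File" path the new README describes as installing all mods — will prompt for `mod_list` (or fail under `-input=false`) rather than install anything. Either give the variable a `default` that lists every mod name referenced in mod_install.tf, or change the README to say a var file is required; that README section also says "AWS mods" where Azure is meant.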
@@ -1,61 +0,0 @@ -# Azure Provider Registration Baseline - -Turbot Azure Services baseline provides a Terraform configuration to registration status or check current registration status for Azure services in Turbot. - -**NOTE:** `provider_status` must match values found in the `provider_registration_map` map. - -**NOTE:** It is advised not to modify the `provider_registration_map` map. - -## Prerequisites - -- Setup Turbot [credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) -- Installed [Terraform](https://www.terraform.io/downloads.html) -- Installed [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- target_resource -- smart_folder_title -- folder_parent (Optional) -- provider_status (Optional) -- provider_registration_map (Optional) - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file=default.tfvars` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` 
diff --git a/baselines/azure/azure_provider_registration/default.tfvars b/baselines/azure/azure_provider_registration/default.tfvars deleted file mode 100644 index 28e7c1d2d..000000000 --- a/baselines/azure/azure_provider_registration/default.tfvars +++ /dev/null @@ -1,24 +0,0 @@ -target_resource = "" -# Examples for target_resource -# target_resource = "tmod:@turbot/turbot#/" -# target_resource = "187486019045335" - -smart_folder_title = "" - -# Optional - leaving unchanged will default to the Turbot level -# folder_parent = "" - -# Optional - leaving unchanged will use the default map which will set the controls to Skip -# provider_status = { -# ApiManagement = "Skip" -# Compute = "Check: Not Registered" -# ContainerService = "Check: Registered" -# Databricks = "Enforce: Not Registered" -# DataFactory = "Enforce: Registered" -# } - -# Optional - leaving unchanged will use the default map -# provider_registration_map = { -# ApiManagement = "apiManagementRegistered" -# Compute = "computeRegistered" -# } diff --git a/baselines/azure/azure_provider_registration/main.tf b/baselines/azure/azure_provider_registration/main.tf deleted file mode 100644 index 098d7640e..000000000 --- a/baselines/azure/azure_provider_registration/main.tf +++ /dev/null 
@@ -1,17 +0,0 @@ -resource "turbot_smart_folder" "azure_folder" { - parent = var.folder_parent - title = var.smart_folder_title - description = "Folder to import the Azure Subscription:" -} - -resource "turbot_smart_folder_attachment" "azure_folder" { - resource = var.target_resource - smart_folder = turbot_smart_folder.azure_folder.id -} - -resource "turbot_policy_setting" "provider_registration_enable" { - count = length(var.provider_status) - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/azure-provider#/policy/types/${lookup(var.provider_registration_map, "${element(keys(var.provider_status), count.index)}")}" - value = lookup(var.provider_status, "${element(keys(var.provider_status), count.index)}") -} diff --git a/baselines/azure/azure_provider_registration/variables.tf b/baselines/azure/azure_provider_registration/variables.tf deleted file mode 100644 index 9c7b1c116..000000000 --- a/baselines/azure/azure_provider_registration/variables.tf +++ /dev/null 
@@ -1,74 +0,0 @@ -variable "target_resource" { - description = "Enter a target_resource to set the policies on a specific resource. This can be an AKA or resource id:" - type = string -} - -variable "smart_folder_title" { - description = "Folder to import the Azure Subscription:" - type = string -} - -# Defaults to the Turbot Resource level using the AKA which identifies the Turbot level. -variable "folder_parent" { - type = string - default = "tmod:@turbot/turbot#/" -} - -# Enter the list of providers that you would like to "Skip", "Check: Not Registered", "Check: Registered", "Enforce: Not Registered" or "Enforce: Registered". -# Service names must match the "policy_map" below. -variable "provider_status" { - description = "Choose the subset of providers that should be configured. Possible values for each service are: [\"Skip\", \"Check: Not Registered\", \"Check: Registered\", \"Enforce: Not Registered\", \"Enforce: Registered\"]" - type = map - - default = { - ApiManagement = "Skip" - Compute = "Skip" - ContainerService = "Skip" - Databricks = "Skip" - DataFactory = "Skip" - DBforMySQL = "Skip" - DBforPostgreSQL = "Skip" - DocumentDB = "Skip" - DomainRegistration = "Skip" - Insights = "Skip" - KeyVault = "Skip" - Network = "Skip" - OperationalInsights = "Skip" - RecoveryServices = "Skip" - Resources = "Skip" - Search = "Skip" - Security = "Skip" - Sql = "Skip" - Storage = "Skip" - Web = "Skip" - } -} - -#This is a map of Turbot policy types to service names which should not be modified -variable "provider_registration_map" { - description = "A map of all the registered policies currently exposed by Turbot" - type = map - - default = { - ApiManagement = "apiManagementRegistered" - Compute = "computeRegistered" - ContainerService = "containerServiceRegistered" - Databricks = "databricksRegistered" - DataFactory = "dataFactoryRegistered" - DBforMySQL = "dbforMySqlRegistered" - DBforPostgreSQL = "dbForPostgreSqlRegistered" - DocumentDB = "documentDbRegistered" - 
DomainRegistration = "domainRegistrationRegistered" - Insights = "insightsRegistered" - KeyVault = "keyVaultRegistered" - Network = "networkRegistered" - OperationalInsights = "operationalInsightsRegistered" - RecoveryServices = "recoveryServicesRegistered" - Resources = "resourcesRegistered" - Search = "searchRegistered" - Security = "securityRegistered" - Sql = "sqlRegistered" - Storage = "storageRegistered" - Web = "webRegistered" - } -} diff --git a/baselines/azure/azure_service_enabled/README.md b/baselines/azure/azure_service_enabled/README.md new file mode 100644 index 000000000..1a9c08196 --- /dev/null +++ b/baselines/azure/azure_service_enabled/README.md 
@@ -0,0 +1,90 @@ +# Azure Service Enabled Policies + +The Azure Baseline Policies provide a minimal set of example policies and services to get started with Microsoft Azure in Turbot Guardrails. These policies focus on enabling essential services and APIs. + +## Documentation + +- **[Review Policies Documentation →](https://hub.guardrails.turbot.com/mods/azure/policies)** + +## Getting Started + +### Requirements + +- [Terraform](https://developer.hashicorp.com/terraform/install) +- [Guardrails Azure mods](../azure_mods/) + +### Credentials + +To create Azure Service Enabled Baseline policy pack through Terraform: + +- Ensure you have `Turbot/Admin` permissions (or higher) in Guardrails. +- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails. + +And then set your credentials: + +```sh +export TURBOT_WORKSPACE=myworkspace.acme.com +export TURBOT_ACCESS_KEY=acce6ac5-access-key-here +export TURBOT_SECRET_KEY=a8af61ec-secret-key-here +``` + +Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods. + +## Usage + +### Initialize Terraform + +1. Navigate to the `azure_service_enabled` folder. +2. Run the command: + +```sh +terraform init +``` + +### Install + +After initializing Terraform, you can apply the Enabled policies in one of two ways, depending on your needs: + +#### 1. Using an Input Variable File + +By default, the `default.tfvars` file is configured to install all the Enabled policies for the mods necessary for CIS (Center for Internet Security) compliance. You can further customize this file to include additional services as needed provided the mods are installed prior. To apply the Enabled policies using this specific input variable file, run the following command: + +```sh +terraform apply --var-file=default.tfvars +``` + +#### 2. 
Without an Input Variable File + +If you choose not to use an input variable file, the command will install **all** available Enabled policies. Please ensure, you have installed the necessary mods for this. To proceed with this option, run: + +```sh +terraform apply +``` + +### Destroy + +You can destroy the mods in one of two ways: + +#### 1. Using an Input Variable File + +Run the following command to destroy the mods using a specific input variable file: + +```sh +terraform destroy --var-file=default.tfvars +``` + +#### 2. Without an Input Variable File + +Run the following command to destroy the mods without using an input variable file: + +```sh +terraform destroy +``` + +### Apply Policy Pack + +By default, this Policy Pack is attached to the Base Folder created as part of [Folder Hierarchy](../../guardrails/folder_hierarchy/). If you wish to attach to a different resource, then log into your Guardrails workspace and [attach the policy pack to a resource](https://turbot.com/guardrails/docs/guides/policy-packs#attach-a-policy-pack-to-a-resource). + +If this policy pack is attached to a Guardrails folder, its policies will be applied to all accounts and resources in that folder. The policy pack can also be attached to multiple resources. + +For more information, please see [Policy Packs](https://turbot.com/guardrails/docs/concepts/policy-packs). diff --git a/baselines/azure/azure_service_enabled/default.tfvars b/baselines/azure/azure_service_enabled/default.tfvars new file mode 100644 index 000000000..74c283e1a --- /dev/null +++ b/baselines/azure/azure_service_enabled/default.tfvars 
@@ -0,0 +1,103 @@
+# Enter the list of providers that you would like to "Skip", "Check: Not Registered", "Check: Registered", "Enforce: Not Registered" or "Enforce: Registered".
+# Service names must match the "policy_map" below.
+
+provider_status = {
+ # ApiManagement = "Enforce: Registered"
+ # Automation = "Enforce: Registered"
+ # Billing = "Enforce: Registered"
+ Compute = "Enforce: Registered"
+ # ContainerService = "Enforce: Registered"
+ # CostManagement = "Enforce: Registered"
+ DBforMySQL = "Enforce: Registered"
+ DBforPostgreSQL = "Enforce: Registered"
+ # DataFactory = "Enforce: Registered"
+ # DataLakeAnalytics = "Enforce: Registered"
+ # Databricks = "Enforce: Registered"
+ # DocumentDB = "Enforce: Registered"
+ # DomainRegistration = "Enforce: Registered"
+ # HDInsight = "Enforce: Registered"
+ # Insights = "Enforce: Registered"
+ KeyVault = "Enforce: Registered"
+ Network = "Enforce: Registered"
+ # OperationalInsights = "Enforce: Registered"
+ # RecoveryServices = "Enforce: Registered"
+ # Relay = "Enforce: Registered"
+ # Resources = "Enforce: Registered"
+ # Search = "Enforce: Registered"
+ Security = "Enforce: Registered"
+ # ServiceBus = "Enforce: Registered"
+ # SignalRService = "Enforce: Registered"
+ Sql = "Enforce: Registered"
+ # SqlVirtualMachine = "Enforce: Registered"
+ Storage = "Enforce: Registered"
+ # Synapse = "Enforce: Registered"
+ # Web = "Enforce: Registered"
+}
+
+provider_registration_map = {
+ # ApiManagement = "apiManagementRegistered"
+ # Automation = "automationRegistered"
+ # Billing = "billingRegistered"
+ Compute = "computeRegistered"
+ # ContainerService = "containerServiceRegistered"
+ # CostManagement = "costManagementRegistered"
+ DBforMySQL = "dbforMySqlRegistered"
+ DBforPostgreSQL = "dbForPostgreSqlRegistered"
+ # DataFactory = "dataFactoryRegistered"
+ # DataLakeAnalytics = "dataLakeAnalyticsRegistered"
+ # Databricks = "databricksRegistered"
+ # DocumentDB = "documentDbRegistered"
+ # DomainRegistration = 
"domainRegistrationRegistered"
+ # HDInsight = "hdInsightRegistered"
+ # Insights = "insightsRegistered"
+ KeyVault = "keyVaultRegistered"
+ Network = "networkRegistered"
+ # OperationalInsights = "operationalInsightsRegistered"
+ # RecoveryServices = "recoveryServicesRegistered"
+ # Relay = "relayRegistered"
+ # Resources = "resourcesRegistered"
+ # Search = "searchRegistered"
+ Security = "securityRegistered"
+ # ServiceBus = "serviceBusRegistered"
+ # SignalRService = "signalRServiceRegistered"
+ Sql = "sqlRegistered"
+ # SqlVirtualMachine = "sqlVirtualMachineRegistered"
+ Storage = "storageRegistered"
+ # Synapse = "synapseRegistered"
+ # Web = "webRegistered"
+}
+
+enabled_policy_map = {
+ # azure-aks = "aksEnabled"
+ # azure-apimanagement = "apiManagementEnabled"
+ # azure-applicationgateway = "applicationGatewayServiceEnabled"
+ # azure-applicationinsights = "applicationInsightsEnabled"
+ azure-appservice = "appServiceEnabled"
+ # azure-automation = "automationEnabled"
+ azure-compute = "computeEnabled"
+ azure-cosmosdb = "cosmosDbEnabled"
+ # azure-databricks = "databricksEnabled"
+ # azure-datafactory = "dataFactoryEnabled"
+ # azure-dns = "dnsEnabled"
+ # azure-firewall = "firewallServiceEnabled"
+ # azure-frontdoorservice = "frontDoorServiceEnabled"
+ azure-iam = "iamEnabled"
+ azure-keyvault = "keyVaultEnabled"
+ azure-loadbalancer = "loadBalancerServiceEnabled"
+ # azure-loganalytics = "logAnalyticsEnabled"
+ azure-monitor = "monitorEnabled"
+ azure-mysql = "mySqlEnabled"
+ azure-network = "networkEnabled"
+ azure-networkwatcher = "networkWatcherServiceEnabled"
+ azure-postgresql = "postgreSqlEnabled"
+ # azure-recoveryservice = "recoveryServiceEnabled"
+ # azure-relay = "relayEnabled"
+ # azure-searchmanagement = "searchManagementEnabled"
+ # azure-securitycenter = "securityCenterServiceEnabled"
+ # azure-servicebus = "serviceBusEnabled"
+ # azure-signalr = "signalRServiceEnabled"
+ azure-sql = "sqlEnabled"
+ # azure-sqlvirtualmachine = 
"sqlVirtualMachineServiceEnabled"
+ azure-storage = "storageEnabled"
+ # azure-synapseanalytics = "synapseAnalyticsEnabled"
+}
diff --git a/baselines/azure/azure_service_enabled/main.tf b/baselines/azure/azure_service_enabled/main.tf
new file mode 100644
index 000000000..42fea1b98
--- /dev/null
+++ b/baselines/azure/azure_service_enabled/main.tf
@@ -0,0 +1,30 @@
+# Create Smart Folder
+resource "turbot_policy_pack" "azure_enabled_baseline_pack" {
+ parent = "tmod:@turbot/turbot#/"
+ title = "Azure Enabled Baseline Policies"
+}
+
+# Enable Provider
+resource "turbot_policy_setting" "provider_registration_enable" {
+ count = length(var.provider_status)
+ resource = turbot_policy_pack.azure_enabled_baseline_pack.id
+ type = "tmod:@turbot/azure-provider#/policy/types/${lookup(var.provider_registration_map, "${element(keys(var.provider_status), count.index)}")}"
+ value = lookup(var.provider_status, "${element(keys(var.provider_status), count.index)}")
+}
+
+# Enable Service
+# Loop through var.service_status and set enable policies
+resource "turbot_policy_setting" "azure_enable" {
+ for_each = var.enabled_policy_map
+ resource = turbot_policy_pack.azure_enabled_baseline_pack.id
+ type = "tmod:@turbot/${each.key}#/policy/types/${each.value}"
+ value = "Enabled"
+}
+
+# Here the "resource" is the AKA of the [Base Folder](../../guardrails/folder_hierarchy/) to which you want to attached the Policy Pack.
+# The base folder is created as part of script from [Base Folder](../../guardrails/folder_hierarchy/)
+# The resource should be created first.
+resource "turbot_policy_pack_attachment" "azure_enable_attachment" {
+ resource = "base_folder"
+ policy_pack = turbot_policy_pack.azure_enabled_baseline_pack.id
+}
diff --git a/baselines/azure/azure_service_enabled/providers.tf b/baselines/azure/azure_service_enabled/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/azure/azure_service_enabled/providers.tf
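Review bot: The header comment of the new default.tfvars says `# Service names must match the "policy_map" below.`, but no map of that name exists in this file; the map the keys have to agree with is `provider_registration_map`, and main.tf resolves each `provider_status` key through it with a `lookup` that has no default, so a provider uncommented in `provider_status` but still commented in `provider_registration_map` fails at plan time. Suggested wording: `# Every key enabled in provider_status must also be uncommented in provider_registration_map below; main.tf looks the policy type up there.`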
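Review bot: `provider_registration_enable` in the new main.tf walks the `provider_status` map with `count` and `element(keys(...), count.index)`, so adding or removing one provider shifts the index of every later entry and Terraform plans to destroy and recreate those policy settings, while the sibling `azure_enable` resource in the same hunk already keys on the map with `for_each`; making the provider resource match it removes the index coupling and the nested `lookup`: `for_each = var.provider_status`, `type = "tmod:@turbot/azure-provider#/policy/types/${var.provider_registration_map[each.key]}"`, `value = each.value`. The attachment at the end hard-codes `resource = "base_folder"` as the target AKA, which presumably only resolves when a folder with exactly that AKA exists; a `variable "base_folder_aka"` (or a data lookup) would make the target explicit and let the README's "attach to a different resource" path be done from Terraform. The comments `# Create Smart Folder` and `# Loop through var.service_status and set enable policies` describe the removed smart-folder implementation; they should read `# Create the policy pack that holds the baseline settings` and `# Loop through var.enabled_policy_map and set the Enabled policies`.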
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/azure/azure_service_enabled/variables.tf b/baselines/azure/azure_service_enabled/variables.tf
new file mode 100644
index 000000000..201636f17
--- /dev/null
+++ b/baselines/azure/azure_service_enabled/variables.tf
@@ -0,0 +1,22 @@
+variable "enabled_policy_map" {
+ description = "Enter the list of services that you would like to Enable"
+ type = map(string)
+}
+
+variable "provider_status" {
+ description = <<-EOF
+ Choose the subset of providers that should be configured.
+ Possible values for each service are:
+ - "Skip"
+ - "Check: Not Registered"
+ - "Check: Registered"
+ - "Enforce: Not Registered"
+ - "Enforce: Registered"
+ EOF
+ type = map(string)
+}
+
+variable "provider_registration_map" {
+ description = "A map of all the registered policies currently exposed by Turbot"
+ type = map(string)
+}
diff --git a/baselines/azure/azure_services/README.md b/baselines/azure/azure_services/README.md
deleted file mode 100644
index 0d9724db1..000000000
--- a/baselines/azure/azure_services/README.md
+++ /dev/null
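Review bot: None of the three variables in the new azure_service_enabled/variables.tf carries a `default`, so `terraform apply` without `-var-file` prompts interactively for `enabled_policy_map`, `provider_status` and `provider_registration_map` instead of installing every Enabled policy as the README added in this commit states under "Without an Input Variable File". Either give each map a `default` holding the full set of entries (the deleted azure_services/variables.tf and azure_provider_registration/variables.tf carried such defaults) or correct the README. The `enabled_policy_map` description also says "Enter the list of services" although the type is `map(string)` keyed by mod name; `description = "Map of Azure mod name to the Enabled policy type to set, for example azure-compute = \"computeEnabled\""` would match how default.tfvars fills it.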
@@ -1,61 +0,0 @@ -# Azure Services Baseline - -Turbot Azure Services baseline provides a Terraform configuration to enable or disable Azure services in Turbot. - -**NOTE:** `service_status` must match values found in the `policy_map` map. - -**NOTE:** It is advised not to modify the `policy_map` map. - -## Prerequisites - -- Setup Turbot [credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) -- Installed [Terraform](https://www.terraform.io/downloads.html) -- Installed [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- target_resource -- smart_folder_title -- folder_parent (Optional) -- service_status (Optional) -- policy_map (Optional) - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file=default.tfvars` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` 
diff --git a/baselines/azure/azure_services/default.tfvars b/baselines/azure/azure_services/default.tfvars deleted file mode 100644 index ed96955a3..000000000 --- a/baselines/azure/azure_services/default.tfvars +++ /dev/null @@ -1,21 +0,0 @@ -target_resource = "" -# Examples for target_resource -# target_resource = "tmod:@turbot/turbot#/" -# target_resource = "187486019045335" - -smart_folder_title = "" - -# Optional - leaving unchanged will default to the Turbot level -# folder_parent = "" - -# Optional - leaving unchanged will use the default map which will set the controls to Enabled -# service_status = { -# azure-aks = "Enabled" -# azure-apimanagement = "Disable" -# } - -# Optional - leaving unchanged will use the default map -# provider_registration_map = { -# azure-aks = "aksEnabled" -# azure-apimanagement = "apiManagementEnabled" -# } diff --git a/baselines/azure/azure_services/main.tf b/baselines/azure/azure_services/main.tf deleted file mode 100644 index 6d61f4b4d..000000000 --- a/baselines/azure/azure_services/main.tf +++ /dev/null @@ -1,17 +0,0 @@ -resource "turbot_smart_folder" "azure_folder" { - parent = var.folder_parent - title = var.smart_folder_title - description = "Folder to import the Azure Subscription:" -} - -resource "turbot_smart_folder_attachment" "azure_folder" { - resource = var.target_resource - smart_folder = turbot_smart_folder.azure_folder.id -} - -resource "turbot_policy_setting" "azure_enable" { - count = length(var.service_status) - resource = turbot_smart_folder.azure_folder.id - type = "tmod:@turbot/${element(keys(var.service_status), count.index)}#/policy/types/${lookup(var.policy_map, "${element(keys(var.service_status), count.index)}")}" - value = lookup(var.service_status, "${element(keys(var.service_status), count.index)}") -} diff --git a/baselines/azure/azure_services/variables.tf b/baselines/azure/azure_services/variables.tf deleted file mode 100644 index ab824f2a4..000000000 
--- a/baselines/azure/azure_services/variables.tf
+++ /dev/null
@@ -1,86 +0,0 @@ -variable "target_resource" { - description = "Enter a target_resource to set the policies on a specific resource. This can be an AKA or resource id:" - type = string -} - -variable "smart_folder_title" { - description = "Folder to import the Azure Subscription:" - type = string -} - -# Defaults to the Turbot Resource level using the AKA which identifies the Turbot level. -variable "folder_parent" { - type = string - default = "tmod:@turbot/turbot#/" -} - -# Enter the list of services that you would like to "Enable" or "Disable" -# Service names must match the key names for the "policy_map" below -variable "service_status" { - description = "Choose the subset of services that should be configured. Possible values for each service are: [\"Enabled\", \"Disabled\"]" - type = map - - default = { - azure-aks = "Enabled" - azure-apimanagement = "Enabled" - azure-applicationgateway = "Enabled" - azure-applicationinsights = "Enabled" - azure-appservice = "Enabled" - azure-compute = "Enabled" - azure-cosmosdb = "Enabled" - azure-databricks = "Enabled" - azure-datafactory = "Enabled" - azure-dns = "Enabled" - azure-firewall = "Enabled" - azure-frontdoorservice = "Enabled" - azure-iam = "Enabled" - azure-keyvault = "Enabled" - azure-loadbalancer = "Enabled" - azure-loganalytics = "Enabled" - azure-monitor = "Enabled" - azure-mysql = "Enabled" - azure-network = "Enabled" - azure-networkwatcher = "Enabled" - azure-postgresql = "Enabled" - azure-recoveryservice = "Enabled" - azure-searchmanagement = "Enabled" - azure-securitycenter = "Enabled" - azure-sql = "Enabled" - azure-storage = "Enabled" - } -} - -# This is a map of Turbot policy types to service names. It is advised not to modify the below list. 
-variable "policy_map" { - description = "A map of all the enabled policies currently exposed by Turbot" - type = map - - default = { - azure-aks = "aksEnabled" - azure-apimanagement = "apiManagementEnabled" - azure-applicationgateway = "applicationGatewayServiceEnabled" - azure-applicationinsights = "applicationInsightsEnabled" - azure-appservice = "appServiceEnabled" - azure-compute = "computeEnabled" - azure-cosmosdb = "cosmosDbEnabled" - azure-databricks = "databricksEnabled" - azure-datafactory = "dataFactoryEnabled" - azure-dns = "dnsEnabled" - azure-firewall = "firewallServiceEnabled" - azure-frontdoorservice = "frontDoorServiceEnabled" - azure-iam = "iamEnabled" - azure-keyvault = "keyVaultEnabled" - azure-loadbalancer = "loadBalancerServiceEnabled" - azure-loganalytics = "logAnalyticsEnabled" - azure-monitor = "monitorEnabled" - azure-mysql = "mySqlEnabled" - azure-network = "networkEnabled" - azure-networkwatcher = "networkWatcherServiceEnabled" - azure-postgresql = "postgreSqlEnabled" - azure-recoveryservice = "recoveryServiceEnabled" - azure-searchmanagement = "searchManagementEnabled" - azure-securitycenter = "securityCenterServiceEnabled" - azure-sql = "sqlEnabled" - azure-storage = "storageEnabled" - } -} diff --git a/baselines/azure/azure_sub_create_then_import/README.md b/baselines/azure/azure_sub_create_then_import/README.md deleted file mode 100644 index 08ed08d5c..000000000 --- a/baselines/azure/azure_sub_create_then_import/README.md +++ /dev/null 
@@ -1,65 +0,0 @@ -# Azure Subscription Import Baseline - -The Azure subscription import baseline terraform configuration lets you import an Azure subscription into your turbot environment, with the necessary roles and permissions. - -- It is recommended that you import accounts into Turbot Folders, as it provides greater flexibility and ease of management. -- Give the role a purposeful name such as `turbot-readonly` (read only) or `turbot-superuser` (for full access). -- By default, Turbot is installed with administrator access to enable full functionality. However, You may change this if required. - -## Prerequisites - -To run the Azure subscription import baseline, you must have: - -- [Terraform](https://www.terraform.io) Version 12 -- Terraform [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html) -- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- azure_app_password_expiration -- azure_app_name -- azure_app_password -- azure_environment_type -- azure_subscription_id -- parent_resource - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file="default.tfvars"` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. 
- -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure_sub_create_then_import/default.tfvars b/baselines/azure/azure_sub_create_then_import/default.tfvars deleted file mode 100644 index c4543ba78..000000000 --- a/baselines/azure/azure_sub_create_then_import/default.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -azure_app_password_expiration = "<'YYYY-MM-DD'T'HH:MM:SS'Z>" - -azure_app_name = "" - -azure_app_password = "" - -azure_environment_type = "" - -azure_subscription_id = "" - -parent_resource = "<15 digit tubot folder id under which the aws account to be imported>" diff --git a/baselines/azure/azure_sub_create_then_import/main.tf b/baselines/azure/azure_sub_create_then_import/main.tf deleted file mode 100644 index c1b29b58e..000000000 --- a/baselines/azure/azure_sub_create_then_import/main.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -provider azuread { - version = "~> 0.7" -} - -# Create the Azure AD App and Service Principal for Turbot to use, and set a password -resource "azuread_application" "turbot_azure_ad_app" { - name = var.azure_app_name -} - -resource "azuread_service_principal" "turbot_azure_ad_app_sp" { - application_id = azuread_application.turbot_azure_ad_app.application_id -} - -resource "azuread_service_principal_password" "turbot_azure_ad_app_sp_password" { - service_principal_id = azuread_service_principal.turbot_azure_ad_app_sp.id - value = var.azure_app_password - end_date = var.azure_app_password_expiration -} - -provider azurerm { - version = "=2.0.0" - features {} - subscription_id = var.azure_subscription_id -} - -# Grant "owner" to the service principal for turbot -resource "azurerm_role_assignment" "turbot_azuread_role_assignment" { - scope = "/subscriptions/${var.azure_subscription_id}" - role_definition_name = "Owner" - principal_id = azuread_service_principal.turbot_azure_ad_app_sp.id -} - -# Create the Azure > Subscription resource in Turbot -resource "turbot_resource" "subscription_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure#/resource/types/subscription" - metadata = jsonencode({ - "azure" : { - "subscriptionId" : "${var.azure_subscription_id}", - "tenantId" : "${data.azurerm_subscription.subscription_to_import.tenant_id}" - } - }) - data = jsonencode({ - "subscriptionId" : "${var.azure_subscription_id}" - }) -} - -# Set the credentials for the subscription via Turbot policies -# Azure > Environment -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} - -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_app_password -} - -resource 
"turbot_policy_setting" "clientId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = azuread_application.turbot_azure_ad_app.application_id -} - -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = data.azurerm_subscription.subscription_to_import.tenant_id -} diff --git a/baselines/azure/azure_sub_create_then_import/outputs.tf b/baselines/azure/azure_sub_create_then_import/outputs.tf deleted file mode 100644 index de348a35f..000000000 --- a/baselines/azure/azure_sub_create_then_import/outputs.tf +++ /dev/null @@ -1,13 +0,0 @@ -#### Get the subscription info - -data "azurerm_subscription" "subscription_to_import" { - subscription_id = "${var.azure_subscription_id}" -} - -output "subscription_display_name" { - value = "${data.azurerm_subscription.subscription_to_import.display_name}" -} - -output "tennant_id" { - value = "${data.azurerm_subscription.subscription_to_import.tenant_id}" -} diff --git a/baselines/azure/azure_sub_create_then_import/variables.tf b/baselines/azure/azure_sub_create_then_import/variables.tf deleted file mode 100644 index ddaba8143..000000000 --- a/baselines/azure/azure_sub_create_then_import/variables.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -variable "azure_subscription_id" { - description = "Enter the Azure Subscription ID that you wish to import: " - type = string -} - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the subscription:" - type = string -} - -variable "azure_app_password" { - description = "Enter an Azure AD app password:" - type = string -} - -variable "azure_app_password_expiration" { - description = "Enter an expiration date for the Azure AD app password:" - type = string -} - -variable "azure_app_name" { - description = "Enter the Azure AD app name:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure subscription environment type ('Global Cloud' or 'US Government'):" - type = string -} diff --git a/baselines/azure/azure_sub_create_then_import_ro/README.md b/baselines/azure/azure_sub_create_then_import_ro/README.md deleted file mode 100644 index ce721fd90..000000000 --- a/baselines/azure/azure_sub_create_then_import_ro/README.md +++ /dev/null 
@@ -1,66 +0,0 @@ -# Azure Subscription ReadOnly Import Baseline - -The Azure subscription read-only import baseline terraform configuration lets you import an Azure subscription into your turbot environment, with the azure event setup and read-only permissions. - -- It is recommended that you import accounts into Turbot Folders, as it provides greater flexibility and ease of management. -- Give the role a purposeful name such as `turbot-readonly` (read only) or `turbot-superuser` (for full access). -- By default, Turbot is installed with administrator access to enable full functionality. However, You may change this if required. - -## Prerequisites - -To run the Azure subscription read-only import baseline, you must have: - -- [Terraform](https://www.terraform.io) Version 12 -- Terraform [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html) -- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and Azure subscription - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- azure_app_password_expiration -- azure_app_name -- azure_app_password -- azure_environment_type -- azure_subscription_id -- parent_resource - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. 
- -Command: `terraform apply -var-file="default.tfvars"` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` - diff --git a/baselines/azure/azure_sub_create_then_import_ro/default.tfvars b/baselines/azure/azure_sub_create_then_import_ro/default.tfvars deleted file mode 100644 index c4543ba78..000000000 --- a/baselines/azure/azure_sub_create_then_import_ro/default.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -azure_app_password_expiration = "<'YYYY-MM-DD'T'HH:MM:SS'Z>" - -azure_app_name = "" - -azure_app_password = "" - -azure_environment_type = "" - -azure_subscription_id = "" - -parent_resource = "<15 digit tubot folder id under which the aws account to be imported>" diff --git a/baselines/azure/azure_sub_create_then_import_ro/main.tf b/baselines/azure/azure_sub_create_then_import_ro/main.tf deleted file mode 100644 index 693783be2..000000000 --- a/baselines/azure/azure_sub_create_then_import_ro/main.tf +++ /dev/null 
@@ -1,117 +0,0 @@ -provider azuread { - version = "~> 0.7" -} - -#### Create the Azure AD App and Service Principal for Turbot to use, and set a password -resource "azuread_application" "turbot_azure_ad_app" { - name = var.azure_app_name -} - -resource "azuread_service_principal" "turbot_azure_ad_app_sp" { - application_id = azuread_application.turbot_azure_ad_app.application_id -} - -resource "azuread_service_principal_password" "turbot_azure_ad_app_sp_password" { - service_principal_id = azuread_service_principal.turbot_azure_ad_app_sp.id - value = var.azure_app_password - end_date = var.azure_app_password_expiration -} - -provider azurerm { - version = "=2.0.0" - features {} - subscription_id = var.azure_subscription_id -} - -resource "azurerm_role_definition" "event_handler_role" { - name = "Turbot/EventHandlerRole" - scope = "/subscriptions/${var.azure_subscription_id}" - description = "This is a custom role required by turbot to setup event handler to import subscription in read only mod." 
- - permissions { - actions = [ - "Microsoft.HDInsight/register/action", - "Microsoft.HDInsight/unregister/action", - "microsoft.insights/actiongroups/delete", - "microsoft.insights/actionGroups/write", - "Microsoft.Insights/ActivityLogAlerts/Activated/action", - "microsoft.insights/activityLogAlerts/delete", - "microsoft.insights/activityLogAlerts/write", - "Microsoft.Kusto/register/action", - "Microsoft.Kusto/unregister/action", - "Microsoft.Maps/register/action", - "Microsoft.Media/register/action", - "Microsoft.Media/unregister/action", - "microsoft.resources/register/action", - "Microsoft.Resources/subscriptions/resourcegroups/delete", - "Microsoft.Resources/subscriptions/resourcegroups/write", - "Microsoft.StreamAnalytics/register/action" - ] - not_actions = [] - data_actions = [] - not_data_actions = [] - } - - assignable_scopes = [ - "/subscriptions/${var.azure_subscription_id}" - ] -} - -#### Grant "owner" to the service principal for turbot -resource "azurerm_role_assignment" "turbot_azuread_role_assignment" { - scope = "/subscriptions/${var.azure_subscription_id}" - role_definition_name = "Reader" - principal_id = azuread_service_principal.turbot_azure_ad_app_sp.id -} - -#### Grant "owner" to the service principal for turbot -resource "azurerm_role_assignment" "turbot_events_role_assignment" { - depends_on = [azurerm_role_definition.event_handler_role] - scope = "/subscriptions/${var.azure_subscription_id}" - role_definition_name = "Turbot/EventHandlerRole" - principal_id = azuread_service_principal.turbot_azure_ad_app_sp.id -} - -#### Create the Azure > Subscription resource in Turbot -resource "turbot_resource" "subscription_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure#/resource/types/subscription" - metadata = jsonencode({ - "azure" : { - "subscriptionId" : "${var.azure_subscription_id}", - "tenantId" : "${data.azurerm_subscription.subscription_to_import.tenant_id}" - } - }) - data = jsonencode({ - "subscriptionId" : 
"${var.azure_subscription_id}" - }) -} - -#### Set the credentials for the subscription via Turbot policies -# Azure > Environment -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} - -# Azure > Client ID -resource "turbot_policy_setting" "clientId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = azuread_application.turbot_azure_ad_app.application_id -} - -# Azure > Client Key -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_app_password -} - -# Azure > Tenant ID -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = data.azurerm_subscription.subscription_to_import.tenant_id -} diff --git a/baselines/azure/azure_sub_create_then_import_ro/outputs.tf b/baselines/azure/azure_sub_create_then_import_ro/outputs.tf deleted file mode 100644 index f31d605e2..000000000 --- a/baselines/azure/azure_sub_create_then_import_ro/outputs.tf +++ /dev/null @@ -1,13 +0,0 @@ -#### Get the subscription info - -data "azurerm_subscription" "subscription_to_import" { - subscription_id = "${var.azure_subscription_id}" -} - -output "subscription_display_name" { - value = "${data.azurerm_subscription.subscription_to_import.display_name}" -} - -output "tenant_id" { - value = "${data.azurerm_subscription.subscription_to_import.tenant_id}" -} diff --git a/baselines/azure/azure_sub_create_then_import_ro/variables.tf b/baselines/azure/azure_sub_create_then_import_ro/variables.tf deleted file mode 100644 index ddaba8143..000000000 --- a/baselines/azure/azure_sub_create_then_import_ro/variables.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -variable "azure_subscription_id" { - description = "Enter the Azure Subscription ID that you wish to import: " - type = string -} - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the subscription:" - type = string -} - -variable "azure_app_password" { - description = "Enter an Azure AD app password:" - type = string -} - -variable "azure_app_password_expiration" { - description = "Enter an expiration date for the Azure AD app password:" - type = string -} - -variable "azure_app_name" { - description = "Enter the Azure AD app name:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure subscription environment type ('Global Cloud' or 'US Government'):" - type = string -} diff --git a/baselines/azure/azure_sub_import/README.md b/baselines/azure/azure_sub_import/README.md deleted file mode 100644 index ad5e407a7..000000000 --- a/baselines/azure/azure_sub_import/README.md +++ /dev/null 
@@ -1,63 +0,0 @@ -# Azure Subscription Import Baseline - -The Azure subscription import baseline terraform configuration lets you import an Azure subscription into your turbot environment, with the necessary roles and permissions. - -- It is recommended that you import subscriptions into Turbot Folders, as it provides greater flexibility and ease of management. - -## Prerequisites - -To run the Azure subscription import baseline, you must have: - -- [Terraform](https://www.terraform.io) Version 12 -- Terraform [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html) -- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- azure_environment_type -- azure_subscription_id -- parent_resource -- azure_client_id -- azure_tenant_id -- azure_client_secret - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file="default.tfvars"` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. 
- -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` diff --git a/baselines/azure/azure_sub_import/default.tfvars b/baselines/azure/azure_sub_import/default.tfvars deleted file mode 100644 index 82925c854..000000000 --- a/baselines/azure/azure_sub_import/default.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -azure_environment_type = "" - -azure_subscription_id = "" - -parent_resource = "<15 digit tubot folder id under which the azure subscription to be imported>" - -azure_client_id = "" - -azure_tenant_id = "" - -azure_client_secret = "" \ No newline at end of file diff --git a/baselines/azure/azure_sub_import/main.tf b/baselines/azure/azure_sub_import/main.tf deleted file mode 100644 index 3545a4cb7..000000000 --- a/baselines/azure/azure_sub_import/main.tf +++ /dev/null 
@@ -1,50 +0,0 @@ -provider azurerm { - version = "=2.0.0" - features {} - subscription_id = var.azure_subscription_id - client_id = var.azure_client_id - environment = "public" - tenant_id = var.azure_tenant_id - client_secret = var.azure_client_secret -} - -# Create the Azure > Subscription resource in Turbot -resource "turbot_resource" "subscription_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure#/resource/types/subscription" - metadata = jsonencode({ - "azure" : { - "subscriptionId" : "${var.azure_subscription_id}", - "tenantId" : "${data.azurerm_subscription.subscription_to_import.tenant_id}" - } - }) - data = jsonencode({ - "subscriptionId" : "${var.azure_subscription_id}" - }) -} - -# Set the credentials for the subscription via Turbot policies -# Azure > Environment -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} -# Azure > Client Key -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_client_secret -} -# Azure > Client ID -resource "turbot_policy_setting" "clientId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = var.azure_client_id -} -# Azure > Tenant ID -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.subscription_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = data.azurerm_subscription.subscription_to_import.tenant_id -} diff --git a/baselines/azure/azure_sub_import/outputs.tf b/baselines/azure/azure_sub_import/outputs.tf deleted file mode 100644 index de348a35f..000000000 --- a/baselines/azure/azure_sub_import/outputs.tf +++ /dev/null 
@@ -1,13 +0,0 @@ -#### Get the subscription info - -data "azurerm_subscription" "subscription_to_import" { - subscription_id = "${var.azure_subscription_id}" -} - -output "subscription_display_name" { - value = "${data.azurerm_subscription.subscription_to_import.display_name}" -} - -output "tennant_id" { - value = "${data.azurerm_subscription.subscription_to_import.tenant_id}" -} diff --git a/baselines/azure/azure_sub_import/variables.tf b/baselines/azure/azure_sub_import/variables.tf deleted file mode 100644 index a73404f7d..000000000 --- a/baselines/azure/azure_sub_import/variables.tf +++ /dev/null @@ -1,29 +0,0 @@ -variable "azure_subscription_id" { - description = "Enter the Azure Subscription ID that you wish to import: " - type = string -} - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the subscription:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure subscription environment type ('Global Cloud' or 'US Government'):" - type = string -} - -variable "azure_client_id" { - description = "Enter the Azure Client ID: " - type = string -} - -variable "azure_tenant_id" { - description = "Enter the Azure Tenant ID: " - type = string -} - -variable "azure_client_secret" { - description = "Enter the Azure Client Secret Key: " - type = string -} diff --git a/baselines/azure/azure_tenant_import/README.md b/baselines/azure/azure_tenant_import/README.md deleted file mode 100644 index 9fa5615d3..000000000 --- a/baselines/azure/azure_tenant_import/README.md +++ /dev/null 
@@ -1,60 +0,0 @@ -# Azure Tenant Import Baseline - -The Azure tenant import baseline terraform configuration lets you import an Azure tenant into your turbot environment, with the necessary roles and permissions. - -## Prerequisites - -To run the Azure tenant import baseline, you must have: - -- [Terraform](https://www.terraform.io) Version 12 -- Terraform [Azure Provider](https://www.terraform.io/docs/providers/azurerm/index.html) -- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) -- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace - -## Running the Baseline - -Scripts can be run in the folder that contains the script. - -### Configure the script - -Update default.tfvars or create a new Terraform configuration file. - -Variables that are exposed by this script are: - -- azure_environment_type -- parent_resource -- azure_client_id -- azure_tenant_id -- azure_client_secret - -Open the file `variables.tf` for further details. - -### Initialize Terraform - -If not previously run then initialize Terraform to get all necessary providers. - -Command: `terraform init` - -### Apply using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform apply -var-file="default.tfvars"` - -### Apply using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform apply -var-file=.tfvars` - -### Destroy using default configuration - -If seeking to apply the configuration using the configuration file `defaults.tfvars`. - -Command: `terraform destroy -var-file=default.tfvars` - -### Destroy using custom configuration - -If seeking to apply the configuration using a custom configuration file `.tfvars`. - -Command: `terraform destroy -var-file=.tfvars` 
diff --git a/baselines/azure/azure_tenant_import/default.tfvars b/baselines/azure/azure_tenant_import/default.tfvars deleted file mode 100644 index 92bab9949..000000000 --- a/baselines/azure/azure_tenant_import/default.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -azure_environment_type = "" - -parent_resource = "<15 digit tubot folder id under which the azure tenant to be imported>" - -azure_client_id = "" - -azure_tenant_id = "" - -azure_client_secret = "" \ No newline at end of file diff --git a/baselines/azure/azure_tenant_import/main.tf b/baselines/azure/azure_tenant_import/main.tf deleted file mode 100644 index 007d4feef..000000000 --- a/baselines/azure/azure_tenant_import/main.tf +++ /dev/null 
@@ -1,49 +0,0 @@ -provider azurerm { - version = "=2.0.0" - features {} - client_id = var.azure_client_id - environment = "public" - tenant_id = var.azure_tenant_id - client_secret = var.azure_client_secret -} - -# Create the Azure > Tenant resource in Turbot -resource "turbot_resource" "tenant_resource" { - parent = var.parent_resource - type = "tmod:@turbot/azure#/resource/types/tenant" - akas = ["azure:///tenants/${var.azure_tenant_id}"] - metadata = jsonencode({ - "azure" : { - "tenantId" : "${var.azure_tenant_id}" - } - }) - data = jsonencode({ - "id" : "${var.azure_tenant_id}" - }) -} - -# Set the credentials for the Tenant via Turbot policies - -resource "turbot_policy_setting" "environment" { - resource = turbot_resource.tenant_resource.id - type = "tmod:@turbot/azure#/policy/types/environment" - value = var.azure_environment_type -} - -resource "turbot_policy_setting" "clientKey" { - resource = turbot_resource.tenant_resource.id - type = "tmod:@turbot/azure#/policy/types/clientKey" - value = var.azure_client_secret -} - -resource "turbot_policy_setting" "clientId" { - resource = turbot_resource.tenant_resource.id - type = "tmod:@turbot/azure#/policy/types/clientId" - value = var.azure_client_id -} - -resource "turbot_policy_setting" "tenantId" { - resource = turbot_resource.tenant_resource.id - type = "tmod:@turbot/azure#/policy/types/tenantId" - value = var.azure_tenant_id -} diff --git a/baselines/azure/azure_tenant_import/variables.tf b/baselines/azure/azure_tenant_import/variables.tf deleted file mode 100644 index 8b1bec3d6..000000000 --- a/baselines/azure/azure_tenant_import/variables.tf +++ /dev/null 
@@ -1,25 +0,0 @@ - -variable "parent_resource" { - description = "Enter the Turbot Resource ID for the folder into which to import the tenant:" - type = string -} - -variable "azure_environment_type" { - description = "Enter the Azure tenant environment type ('Global Cloud' or 'US Government'):" - type = string -} - -variable "azure_client_id" { - description = "Enter the Azure Client ID: " - type = string -} - -variable "azure_tenant_id" { - description = "Enter the Azure Tenant ID: " - type = string -} - -variable "azure_client_secret" { - description = "Enter the Azure Client Secret Key: " - type = string -} diff --git a/baselines/gcp/gcp_mods/README.md b/baselines/gcp/gcp_mods/README.md new file mode 100644 index 000000000..57479a47b --- /dev/null +++ b/baselines/gcp/gcp_mods/README.md 
@@ -0,0 +1,94 @@ +# GCP Mods Installation + +Turbot provides numerous GCP mods, covering a wide range of GCP resources with thousands of policies and controls. By default, mods are installed with the top Turbot resource as the parent, meaning administrators must have Turbot/Owner permissions at the Turbot resource level to install, uninstall, or update mods in the environment. + +## Documentation + +- **[Review Mods Documentation →](https://turbot.com/guardrails/docs/mods)** + +## Getting Started + +### Requirements + +- [Terraform](https://developer.hashicorp.com/terraform/install) + +### Credentials + +To install GCP mods using Terraform: + +- Ensure you have `Turbot/Owner` permissions in Guardrails. +- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails. + +Then set your credentials: + +```sh +export TURBOT_WORKSPACE=myworkspace.acme.com +export TURBOT_ACCESS_KEY=acce6ac5-access-key-here +export TURBOT_SECRET_KEY=a8af61ec-secret-key-here +``` + +Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods. + +## Usage + +### Initialize Terraform + +1. Navigate to the `gcp_mods` folder. +2. Run the command: + +```sh +terraform init +``` + +### Install + +After initializing Terraform, you can apply the mods in one of two ways, depending on your needs: + +#### 1. Using an Input Variable File + +By default, the `default.tfvars` file is configured to install all the mods necessary for CIS (Center for Internet Security) compliance. You can further customize this file to include additional mods as needed. To apply the mods using this specific input variable file, run the following command: + +```sh +terraform apply --var-file=default.tfvars -parallelism=1 +``` + +#### 2. 
Without an Input Variable File + +If you choose not to use an input variable file, the command will install **all** available AWS mods. To proceed with this option, run: + +```sh +terraform apply -parallelism=1 +``` + +### Destroy + +You can destroy the mods in one of two ways: + +#### 1. Using an Input Variable File + +Run the following command to destroy the mods using a specific input variable file: + +```sh +terraform destroy --var-file=default.tfvars -parallelism=1 +``` + +#### 2. Without an Input Variable File + +Run the following command to destroy the mods without using an input variable file: + +```sh +terraform destroy -parallelism=1 +``` + +## Commenting Strategy + +All Turbot policies used in the installation include links to the official Turbot Mods documentation. + +These links provide further details about: + +- The purpose of the policy +- Policy URI name +- Parent information +- Category information +- Target information +- All valid values diff --git a/baselines/gcp/gcp_mods/default.tfvars b/baselines/gcp/gcp_mods/default.tfvars new file mode 100644 index 000000000..eef03d05d --- /dev/null +++ b/baselines/gcp/gcp_mods/default.tfvars @@ -0,0 +1,36 @@ +mod_list = [ + "gcp", + "gcp-appengine", + "gcp-bigquery", + # "gcp-bigquerydatatransfer", + # "gcp-bigtable", + # "gcp-build", + # "gcp-cisv1", + "gcp-cisv2-0", + # "gcp-composer", + "gcp-computeengine", + # "gcp-datacatalog", + # "gcp-dataflow", + # "gcp-datapipeline", + "gcp-dataproc", + "gcp-dns", + # "gcp-firebase", + "gcp-functions", + "gcp-iam", + "gcp-kms", + # "gcp-kubernetesengine", + "gcp-logging", + # "gcp-memorystore", + "gcp-monitoring", + "gcp-network", + # "gcp-notebooks", + # "gcp-oauth", + "gcp-orgpolicy", + "gcp-pubsub", + # "gcp-run", + # "gcp-scheduler", + # "gcp-secretmanager", + # "gcp-spanner", + "gcp-sql", + "gcp-storage" +] diff --git a/baselines/gcp/gcp_mods/mod_install.tf b/baselines/gcp/gcp_mods/mod_install.tf new file mode 100644 index 000000000..59a2b633e --- /dev/null 
+++ b/baselines/gcp/gcp_mods/mod_install.tf 
@@ -0,0 +1,363 @@ +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp +resource "turbot_mod" "gcp" { + parent = "tmod:@turbot/turbot#/" + org = "turbot" + mod = "gcp" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-appengine +resource "turbot_mod" "gcp-appengine" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-appengine" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-appengine") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-bigquery +resource "turbot_mod" "gcp-bigquery" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-bigquery" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-bigquery") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-bigquerydatatransfer +resource "turbot_mod" "gcp-bigquerydatatransfer" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-bigquerydatatransfer" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-bigquerydatatransfer") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-bigtable +resource "turbot_mod" "gcp-bigtable" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-bigtable" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-bigtable") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-build +resource "turbot_mod" "gcp-build" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-build" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-build") ? 
1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-cisv1 +resource "turbot_mod" "gcp-cisv1" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.gcp, + turbot_mod.gcp-iam, + turbot_mod.gcp-computeengine, + turbot_mod.gcp-dns, + turbot_mod.gcp-kms, + turbot_mod.gcp-logging, + turbot_mod.gcp-network, + turbot_mod.gcp-sql, + turbot_mod.gcp-storage + ] + org = "turbot" + mod = "gcp-cisv1" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-cisv1") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-cisv2-0 +resource "turbot_mod" "gcp-cisv2-0" { + parent = "tmod:@turbot/turbot#/" + depends_on = [ + turbot_mod.gcp, + turbot_mod.gcp-appengine, + turbot_mod.gcp-bigquery, + turbot_mod.gcp-computeengine, + turbot_mod.gcp-dataproc, + turbot_mod.gcp-dns, + turbot_mod.gcp-functions, + turbot_mod.gcp-iam, + turbot_mod.gcp-kms, + turbot_mod.gcp-logging, + turbot_mod.gcp-monitoring, + turbot_mod.gcp-network, + turbot_mod.gcp-sql, + turbot_mod.gcp-storage + ] + org = "turbot" + mod = "gcp-cisv2-0" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-cisv2-0") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-composer +resource "turbot_mod" "gcp-composer" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-composer" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-composer") ? 1 : 0 +} + +# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-computeengine +resource "turbot_mod" "gcp-computeengine" { + parent = "tmod:@turbot/turbot#/" + depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam] + org = "turbot" + mod = "gcp-computeengine" + version = ">=5.0.0" + count = contains(var.mod_list, "gcp-computeengine") ? 
1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-datacatalog
+resource "turbot_mod" "gcp-datacatalog" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-datacatalog"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-datacatalog") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-dataflow
+resource "turbot_mod" "gcp-dataflow" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-dataflow"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-dataflow") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-datapipeline
+resource "turbot_mod" "gcp-datapipeline" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-datapipeline"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-datapipeline") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-dataproc
+resource "turbot_mod" "gcp-dataproc" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-dataproc"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-dataproc") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-dns
+resource "turbot_mod" "gcp-dns" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-dns"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-dns") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-firebase
+resource "turbot_mod" "gcp-firebase" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-firebase"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-firebase") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-functions
+resource "turbot_mod" "gcp-functions" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-functions"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-functions") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-iam
+resource "turbot_mod" "gcp-iam" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp]
+ org = "turbot"
+ mod = "gcp-iam"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-iam") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-kms
+resource "turbot_mod" "gcp-kms" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-kms"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-kms") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-kubernetesengine
+resource "turbot_mod" "gcp-kubernetesengine" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-kubernetesengine"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-kubernetesengine") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-logging
+resource "turbot_mod" "gcp-logging" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-logging"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-logging") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-memorystore
+resource "turbot_mod" "gcp-memorystore" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-memorystore"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-memorystore") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-monitoring
+resource "turbot_mod" "gcp-monitoring" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-monitoring"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-monitoring") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-network
+resource "turbot_mod" "gcp-network" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-network"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-network") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-notebooks
+resource "turbot_mod" "gcp-notebooks" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-notebooks"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-notebooks") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-oauth
+resource "turbot_mod" "gcp-oauth" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-oauth"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-oauth") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-orgpolicy
+resource "turbot_mod" "gcp-orgpolicy" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp]
+ org = "turbot"
+ mod = "gcp-orgpolicy"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-orgpolicy") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-pubsub
+resource "turbot_mod" "gcp-pubsub" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-pubsub"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-pubsub") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-run
+resource "turbot_mod" "gcp-run" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-run"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-run") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-scheduler
+resource "turbot_mod" "gcp-scheduler" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-scheduler"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-scheduler") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-secretmanager
+resource "turbot_mod" "gcp-secretmanager" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-secretmanager"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-secretmanager") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-spanner
+resource "turbot_mod" "gcp-spanner" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-spanner"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-spanner") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-sql
+resource "turbot_mod" "gcp-sql" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-sql"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-sql") ? 1 : 0
+}
+
+# https://hub.guardrails.turbot.com/mods/gcp/mods/gcp-storage
+resource "turbot_mod" "gcp-storage" {
+ parent = "tmod:@turbot/turbot#/"
+ depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]
+ org = "turbot"
+ mod = "gcp-storage"
+ version = ">=5.0.0"
+ count = contains(var.mod_list, "gcp-storage") ? 1 : 0
+}
diff --git a/baselines/gcp/gcp_mods/providers.tf b/baselines/gcp/gcp_mods/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/gcp/gcp_mods/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/gcp/gcp_mods/variables.tf b/baselines/gcp/gcp_mods/variables.tf
new file mode 100644
index 000000000..563aa0c3b
--- /dev/null
+++ b/baselines/gcp/gcp_mods/variables.tf
@@ -0,0 +1,4 @@
+variable "mod_list" {
+ type = list(string)
+ description = "The list of GCP Mods to install."
+}
diff --git a/baselines/gcp/gcp_permission/README.md b/baselines/gcp/gcp_permission/README.md
deleted file mode 100644
index 463d7416d..000000000
--- a/baselines/gcp/gcp_permission/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# GCP Permission Baseline
-
-GCP Permission baseline provides a Terraform configuration to assign GCP level permissions to a Turbot user.
-
-> Make sure you have a [local directory user](https://turbot-dev.com/v5/docs/api/terraform/resources/turbot_local_directory_user) available.
-
-## Prerequisites
-
-To run the GCP Permission baseline, you must have:
-
- - [Terraform](https://www.terraform.io) Version 12
- - [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
- - [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and AWS account
-
-## Running the Baseline
-
-To execute the AWS Permission baseline:
-
- - Go to the GCP permission directory with `cd gcp_permission`
- - Update `default.tfvars` with appropriate values
- - Run `terraform plan -var-file=default.tfvars` to review the changes to be applied
- - Run `terraform apply -var-file=default.tfvars` to apply the changes
\ No newline at end of file
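Review bot: The new `required_providers` block constrains the provider only from below, `version = ">= 1.11.0"`, so a future major release of `turbot/turbot` would be fetched by `terraform init` without any change to this baseline and could alter how these resources apply; a pessimistic constraint such as `version = "~> 1.11"` keeps upgrades within the tested major line. The block also sets no `required_version` for Terraform itself, whereas the `providers.tf` this commit deletes under `aws_baseline` carried `required_version = ">= 0.13"`, so the supported Terraform range for the new baseline is left unstated. If a `.terraform.lock.hcl` is meant to pin the exact provider build, it is not part of this change as far as the diff shows.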
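Review bot: `mod_list` has no `validation` block, and every mod resource in `main.tf` is gated by `count = contains(var.mod_list, "<mod-name>") ? 1 : 0`, so a misspelled entry is silently ignored instead of being rejected at plan time; a `validation` whose `condition` checks each entry against the set of names `main.tf` actually handles would surface the typo. Most mods also declare `depends_on = [turbot_mod.gcp, turbot_mod.gcp-iam]`, which presumes those two names are in the list, but nothing enforces or documents that; if the Guardrails side requires them (I cannot tell from the diff), the variable should say so, e.g. `description = "The list of GCP Mods to install; include gcp and gcp-iam, which the other mods depend on."`. The `main.tf` hunk that this variable feeds starts outside this view.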
diff --git a/baselines/gcp/gcp_permission/default.tfvars b/baselines/gcp/gcp_permission/default.tfvars
deleted file mode 100644
index 174a0799a..000000000
--- a/baselines/gcp/gcp_permission/default.tfvars
+++ /dev/null
@@ -1,7 +0,0 @@
-local_directory_name = ""
-
-user_details = {
- "" = "<(1)firstname lastname>"
- "" = "<(2)firstname lastname>"
-}
-grant_scope_id = "tmod:@turbot/turbot#/"
\ No newline at end of file
diff --git a/baselines/gcp/gcp_permission/main.tf b/baselines/gcp/gcp_permission/main.tf
deleted file mode 100644
index 1f33d8d58..000000000
--- a/baselines/gcp/gcp_permission/main.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-resource "turbot_local_directory" "test_dir" {
- parent = var.grant_scope_id
- title = var.local_directory_name
- description = "Enter the name for the local directory to be created:"
- profile_id_template = "{{profile.email}}"
-}
-
-resource "turbot_local_directory_user" "test_user" {
- count = length(var.user_details)
- title = var.user_details[keys(var.user_details)[count.index]]
- email = keys(var.user_details)[count.index]
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
-}
-
-resource "turbot_profile" "test_user_profile" {
- count = length(var.user_details)
- title = turbot_local_directory_user.test_user[count.index].title
- email = keys(var.user_details)[count.index]
- status = "Active"
- given_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[0]
- family_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[1]
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
- profile_id = keys(var.user_details)[count.index]
-}
-
-resource "turbot_grant" "test" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- type = "tmod:@turbot/gcp#/permission/types/gcp"
- level = "tmod:@turbot/turbot-iam#/permission/levels/superuser"
- identity = turbot_profile.test_user_profile[count.index].id
-}
-
-resource "turbot_grant_activation" "activate_admin_grant" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- grant = turbot_grant.test[count.index].id
-}
\ No newline at end of file
diff --git a/baselines/gcp/gcp_permission/variables.tf b/baselines/gcp/gcp_permission/variables.tf
deleted file mode 100644
index 09fa868c0..000000000
--- a/baselines/gcp/gcp_permission/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "local_directory_name" {
- description = "Enter the name for the local directory to be created:"
- type = string
-}
-
-variable "user_details" {
- type = map(string)
-}
-
-# It should be the turbot id of turbot, folder or resource
-# The Admin and Owner grants will be activated at this level
-variable "grant_scope_id" {
- type = string
- default = "tmod:@turbot/turbot#/"
-}
\ No newline at end of file
diff --git a/baselines/gcp/gcp_project_import/README.md b/baselines/gcp/gcp_project_import/README.md
deleted file mode 100644
index 005680574..000000000
--- a/baselines/gcp/gcp_project_import/README.md
+++ /dev/null
@@ -1,29 +0,0 @@ -# GCP Project Import Baseline - -The GCP project import baseline terraform configuration lets you import GCP Project into turbot with the necessary roles and permissions. - - - It is recommended that you import accounts into Turbot Folders, as it provides greater flexibility and ease of management. - - Give the role a purposeful name such as `turbot-readonly` (read only) or `turbot-superuser` (for full access). - - By default, Turbot is installed with administrator access to enable full functionality. However, You may change this if required. - - -## Prerequisites - -To run the account import baseline, you must have: - - - [Terraform](https://www.terraform.io) Version 12 - - [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot) - - Terraform [Google Cloud Platform Provider](https://www.terraform.io/docs/providers/google/index.html) - - [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) Configured to connect to your Turbot workspace and GCP project. - - CloudTrail set up in every region of your account. - - - -## Running the Baseline - -To run the gcp project import baseline: - - - Go to the gcp project import baseline directory in the repository with `cd gcp_project_import` - - Update `default.tfvars` with appropriate values - - Run `terraform plan -var-file=default.tfvars` and review the plan for import - - Run `terraform apply -var-file=default.tfvars` to import the account \ No newline at end of file diff --git a/baselines/gcp/gcp_project_import/default.tfvars b/baselines/gcp/gcp_project_import/default.tfvars deleted file mode 100755 index 9afc41614..000000000 --- a/baselines/gcp/gcp_project_import/default.tfvars +++ /dev/null 
@@ -1,35 +0,0 @@ -gcp_project_id = "" - -client_email = "" - -private_key = < Project resource in Turbot -resource "turbot_resource" "project_resource" { - parent = var.parent_resource - type = "tmod:@turbot/gcp#/resource/types/project" - metadata = jsonencode({ - "gcp" : { - "projectId" : var.gcp_project_id # This is the GCP project id for the account that will be imported, defined in the var file - } - }) - data = jsonencode({ - "projectId" : var.gcp_project_id # This is the GCP project id for the account that will be imported, defined in the var file - }) -} - -# policy to define client email of imported project -resource "turbot_policy_setting" "clientEmail" { - resource = turbot_resource.project_resource.id - type = "tmod:@turbot/gcp#/policy/types/clientEmail" - value = var.client_email -} - -# this is client_id in the pem that GCP gives you in your service account's JSON private key -resource "turbot_policy_setting" "privateKey" { - resource = turbot_resource.project_resource.id - type = "tmod:@turbot/gcp#/policy/types/privateKey" - value = var.private_key -} diff --git a/baselines/gcp/gcp_project_import/variables.tf b/baselines/gcp/gcp_project_import/variables.tf deleted file mode 100644 index d32ebcb85..000000000 --- a/baselines/gcp/gcp_project_import/variables.tf +++ /dev/null 
@@ -1,20 +0,0 @@ -variable "gcp_project_id" { - description = "Enter the GCP Project Id that you wish to import: Note that you must set your GCP credentials for this account either in your environment variables or default profile:" - type = string -} - -variable "client_email" { - description = "Enter the GCP service account email id: " - type = string -} - -variable "private_key" { - # description = "Enter the private key. (Must match pattern ^< Pub/Sub > API Enabled -resource "turbot_policy_setting" "pubsubApiEnabled" { - resource = turbot_smart_folder.gcp_folder.id - type = "tmod:@turbot/gcp-pubsub#/policy/types/pubsubApiEnabled" - value = "Enforce: Enabled" -} - -# Sets the policy Enable for API Enabled in Logging -# GCP > Logging > API Enabled -resource "turbot_policy_setting" "loggingApiEnabled" { - resource = turbot_smart_folder.gcp_folder.id - type = "tmod:@turbot/gcp-logging#/policy/types/loggingApiEnabled" - value = "Enforce: Enabled" -} - -# Sets the policy for Logging -# GCP > Turbot > Event Handlers > Logging -resource "turbot_policy_setting" "eventHandlersLogging" { - resource = turbot_smart_folder.gcp_folder.id - type = "tmod:@turbot/gcp#/policy/types/eventHandlersLogging" - value = "Enforce: Configured" -} - -# Sets the policy for Pub/Sub -# GCP > Turbot > Event Handlers > Pub/Sub -resource "turbot_policy_setting" "eventHandlersPubSub" { - resource = turbot_smart_folder.gcp_folder.id - type = "tmod:@turbot/gcp#/policy/types/eventHandlersPubSub" - value = "Enforce: Configured" -} \ No newline at end of file diff --git a/baselines/gcp/gcp_setup/variables.tf b/baselines/gcp/gcp_setup/variables.tf deleted file mode 100644 index 5dfa8109d..000000000 --- a/baselines/gcp/gcp_setup/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "smart_folder_title" { - description = "Enter Smart folder name for importing the gcp account:" - type = string -} - -variable "folder_parent" { - type = string - default = "tmod:@turbot/turbot#/" -} \ No newline at end of file 
diff --git a/baselines/getting_started/README.md b/baselines/getting_started/README.md
deleted file mode 100644
index 313e57ad8..000000000
--- a/baselines/getting_started/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# Getting started section
-
-This section gives a list of baselines which are suggested policies working together to achieve a larger objective.
-The larger objective of the getting started section is for baselines for a freshly created workspace.
diff --git a/baselines/getting_started/aws/aws_baseline/README.md b/baselines/getting_started/aws/aws_baseline/README.md
deleted file mode 100644
index 14c196e2d..000000000
--- a/baselines/getting_started/aws/aws_baseline/README.md
+++ /dev/null
@@ -1,134 +0,0 @@ -# Baseline - AWS Baseline Policies - -AWS Baseline Policies focuses on base minimum set of example policies & services to start with. - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. 
- Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_baseline/aws_service_enable.tf b/baselines/getting_started/aws/aws_baseline/aws_service_enable.tf deleted file mode 100644 index 8c5d47e2b..000000000 --- a/baselines/getting_started/aws/aws_baseline/aws_service_enable.tf +++ /dev/null @@ -1,10 +0,0 @@ -# Enable all AWS Services within the Variables file -# More Info: https://turbot.com/v5/docs/integrations/aws/services - -#Loop through var.service_status and set enable policies -resource "turbot_policy_setting" "aws_enable" { - for_each = var.enabled_policy_map - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/${each.key}#/policy/types/${each.value}" - value = "Enabled" -} diff --git a/baselines/getting_started/aws/aws_baseline/ec2_attribute_policies.tf b/baselines/getting_started/aws/aws_baseline/ec2_attribute_policies.tf deleted file mode 100644 index c1d989d62..000000000 
--- a/baselines/getting_started/aws/aws_baseline/ec2_attribute_policies.tf +++ /dev/null @@ -1,8 +0,0 @@ -#Restrict Turbot to only describing DisableApiTermination on EC2 Instances. -resource "turbot_policy_setting" "aws_ec2_instance_cmdb_attributes" { - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/aws-ec2#/policy/types/instanceCmdbAttributes" - value = < CIS v1 -# https://turbot.com/v5/mods/turbot/aws-cisv1/inspect#/policy/types/cis -resource "turbot_policy_setting" "enable_cis_checks" { - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/aws-cisv1#/policy/types/cis" - value = "Check: Level 1 & Level 2 (Scored)" - # Skip - # Check: Level 1 (Scored) - # Check: Level 1 (Scored & Not Scored) - # Check: Level 1 & Level 2 (Scored) - # Check: Level 1 & Level 2 (Scored & Not Scored) -} - -# AWS > CIS v1 > Maximum Attestation Duration -# https://turbot.com/v5/mods/turbot/aws-cisv1/inspect#/policy/types/attestation -resource "turbot_policy_setting" "aws_cis_max_attestation_period" { - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/aws-cisv1#/policy/types/attestation" - value = "1 year" - # Skip - # 30 days - # 60 days - # 90 days - # 1 year - # 2 years - # 3 years -} diff --git a/baselines/getting_started/aws/aws_baseline/outputs.tf b/baselines/getting_started/aws/aws_baseline/outputs.tf deleted file mode 100644 index 4fee22792..000000000 --- a/baselines/getting_started/aws/aws_baseline/outputs.tf +++ /dev/null @@ -1,23 +0,0 @@ -output "turbot_profile" { - value = var.turbot_profile -} - -output "smart_folder_name" { - value = var.smart_folder_name -} - -output "smart_folder_description" { - value = var.smart_folder_description -} - -output "smart_folder_parent_resource" { - value = var.smart_folder_parent_resource -} - -output "enabled_policy_map" { - value = var.enabled_policy_map -} - -output "aws_account_default_regions" { - value = var.aws_account_default_regions -} 
diff --git a/baselines/getting_started/aws/aws_baseline/providers.tf b/baselines/getting_started/aws/aws_baseline/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/aws/aws_baseline/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/aws/aws_baseline/real_time_events.tf b/baselines/getting_started/aws/aws_baseline/real_time_events.tf
deleted file mode 100644
index 3038dce29..000000000
--- a/baselines/getting_started/aws/aws_baseline/real_time_events.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Create Event Handlers as per the Region Defaults
-
-# AWS > Turbot > Event Handlers
-# More information: https://turbot.com/v5/docs/integrations/aws/event-handlers
-resource "turbot_policy_setting" "eventHandlers" {
- resource = turbot_smart_folder.aws_baseline.id
- type = "tmod:@turbot/aws#/policy/types/eventHandlers"
- value = "Enforce: Configured"
-}
diff --git a/baselines/getting_started/aws/aws_baseline/regions.tf b/baselines/getting_started/aws/aws_baseline/regions.tf
deleted file mode 100644
index fa839203e..000000000
--- a/baselines/getting_started/aws/aws_baseline/regions.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Limiting Turbot Event Handlers to specific regions. Default to us-east-1 only
-# More Info: https://turbot.com/v5/docs/guides/regions#discovering-regions
-
-# Limit Available Regions
-# "*" allows Turbot to run in all available regions.
-# Other wildcarding is allowed e.g. us*, us-east-*
-# Remove the comment next to the region to include additional regions to the scope
-# Note: us-east-1 is required since it is an AWS global region for specific services
-
-# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/regionsDefault
-resource "turbot_policy_setting" "aws_account_available_regions" {
- count = length(var.aws_account_default_regions) > 0 ? 1 : 0
- resource = turbot_smart_folder.aws_baseline.id
- type = "tmod:@turbot/aws#/policy/types/regionsDefault"
- value = <<-DEFAULTREGIONS
- ${yamlencode([for region in var.aws_account_default_regions : region])}
- DEFAULTREGIONS
-}
diff --git a/baselines/getting_started/aws/aws_baseline/smart_folder.tf b/baselines/getting_started/aws/aws_baseline/smart_folder.tf
deleted file mode 100644
index 3b9f03712..000000000
--- a/baselines/getting_started/aws/aws_baseline/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_baseline" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/aws/aws_baseline/variables.tf b/baselines/getting_started/aws/aws_baseline/variables.tf
deleted file mode 100644
index 9f4e2a31a..000000000
--- a/baselines/getting_started/aws/aws_baseline/variables.tf
+++ /dev/null
@@ -1,176 +0,0 @@ -# Baseline Configuration - -variable "enabled_policy_map" { - description = "List of services to set as Enabled" - type = map(string) - default = { - # aws-acm = "acmEnabled" - # aws-amplify = "amplifyEnabled" - # aws-apigateway = "apiGatewayEnabled" - # aws-appflow = "appFlowEnabled" - # aws-appmesh = "appMeshEnabled" - # aws-appstream = "appStreamEnabled" - # aws-appsync = "appSyncEnabled" - # aws-artifact = "artifactEnabled" - # aws-athena = "athenaEnabled" - # aws-backup = "backupEnabled" - # aws-batch = "batchEnabled" - # aws-chime = "chimeEnabled" - # aws-cloud9 = "cloud9Enabled" - # aws-cloudformation = "cloudFormationEnabled" - # aws-cloudfront = "cloudFrontEnabled" - # aws-cloudhsm = "cloudHsmEnabled" - # aws-cloudsearch = "cloudSearchEnabled" - aws-cloudtrail = "cloudTrailEnabled" - aws-cloudwatch = "cloudWatchEnabled" - # aws-codebuild = "codeBuildEnabled" - # aws-codecommit = "codeCommitEnabled" - # aws-codedeploy = "codeDeployEnabled" - # aws-codepipeline = "codePipelineEnabled" - # aws-codestar = "codeStarEnabled" - # aws-comprehend = "comprehendEnabled" - aws-config = "configEnabled" - # aws-datapipeline = "dataPipelineEnabled" - # aws-dax = "daxEnabled" - # aws-directoryservice = "directoryServiceEnabled" - # aws-dms = "dmsEnabled" - # aws-docdb = "docDbEnabled" - # aws-dynamodb = "dynamodbEnabled" - aws-ec2 = "ec2Enabled" - # aws-ecr = "ecrEnabled" - # aws-ecs = "ecsEnabled" - # aws-efs = "efsEnabled" - # aws-eks = "eksEnabled" - # aws-elasticache = "elastiCacheEnabled" - # aws-elasticbeanstalk = "elasticBeanstalkEnabled" - # aws-elasticsearch = "esEnabled" - # aws-elastictranscoder = "elasticTranscoderEnabled" - # aws-emr = "emrEnabled" - aws-events = "eventsEnabled" - # aws-fsx = "fsxEnabled" - # aws-gamelift = "gameLiftEnabled" - # aws-glacier = "glacierEnabled" - # aws-glue = "glueEnabled" - # aws-greengrass = "greengrassEnabled" - # aws-guardduty = "guardDutyEnabled" - # aws-health = "healthEnabled" - aws-iam = "iamEnabled" 
- # aws-inspector = "inspectorEnabled" - # aws-iot = "iotEnabled" - # aws-iot1click = "iot1ClickEnabled" - # aws-iotanalytics = "iotAnalyticsEnabled" - # aws-iotevents = "iotEventsEnabled" - # aws-iotsitewise = "iotSiteWiseEnabled" - # aws-iotthingsgraph = "iotThingsGraphEnabled" - # aws-kinesis = "kinesisEnabled" - aws-kms = "kmsEnabled" - aws-lambda = "lambdaEnabled" - # aws-lex = "lexEnabled" - # aws-lightsail = "lightsailEnabled" - aws-logs = "logsEnabled" - # aws-machinelearning = "machineLearningEnabled" - # aws-macie = "macieEnabled" - # aws-mediaconnect = "mediaConnectEnabled" - # aws-mediaconvert = "mediaConvertEnabled" - # aws-medialive = "mediaLiveEnabled" - # aws-mediapackage = "mediaPackageEnabled" - # aws-mediastore = "mediaStoreEnabled" - # aws-mediatailor = "mediaTailorEnabled" - # aws-mq = "mqEnabled" - # aws-msk = "mskEnabled" - # aws-outposts = "outpostsEnabled" - # aws-qldb = "qldbEnabled" - # aws-ram = "ramEnabled" - # aws-rds = "rdsEnabled" - # aws-redshift = "redshiftEnabled" - # aws-resourcegroups = "resourceGroupsEnabled" - # aws-robomaker = "roboMakerEnabled" - # aws-route53 = "route53Enabled" - # aws-route53domains = "route53DomainsEnabled" - # aws-route53resolver = "route53ResolverEnabled" - aws-s3 = "s3Enabled" - # aws-sagemaker = "sageMakerEnabled" - # aws-secretsmanager = "secretsManagerEnabled" - # aws-securityhub = "securityHubEnabled" - # aws-serverlessapplicationrepository = "serverlessApplicationRepositoryEnabled" - # aws-servermigration = "serverMigrationServiceEnabled" - # aws-servicecatalog = "serviceCatalogEnabled" - # aws-shield = "shieldEnabled" - # aws-simpledb = "simpleDbEnabled" - # aws-snowball = "snowballEnabled" - aws-sns = "snsEnabled" - # aws-sqs = "sqsEnabled" - # aws-ssm = "ssmEnabled" - # aws-stepfunctions = "stepFunctionsEnabled" - # aws-storagegateway = "storageGatewayEnabled" - # aws-swf = "swfEnabled" - # aws-textract = "textractEnabled" - # aws-transcribe = "transcribeEnabled" - # aws-transfer = 
"transferEnabled" - # aws-trustedadvisor = "trustedAdvisorEnabled" - aws-vpc-core = "vpcServiceEnabled" - # aws-waf = "wafEnabled" - # aws-wafregional = "wafRegionalEnabled" - # aws-wellarchitected = "wellarchitectedEnabled" - # aws-workdocs = "workDocsEnabled" - # aws-workspaces = "workSpacesEnabled" - # aws-xray = "xrayEnabled" - } -} - -# More Info: https://turbot.com/v5/docs/guides/regions#discovering-regions -variable "aws_account_default_regions" { - description = < VPC > Default VPC > Approved -# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/defaultVpcApproved -resource "turbot_policy_setting" "defaultVpcApproved" { - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/aws-vpc-core#/policy/types/defaultVpcApproved" - value = "Check: Approved" -} - -# AWS > VPC > Default VPC > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/defaultVpcApprovedUsage -resource "turbot_policy_setting" "defaultVpcApprovedUsage" { - resource = turbot_smart_folder.aws_baseline.id - type = "tmod:@turbot/aws-vpc-core#/policy/types/defaultVpcApprovedUsage" - value = "Not approved" -} diff --git a/baselines/getting_started/aws/aws_check_cost_controls/README.md b/baselines/getting_started/aws/aws_check_cost_controls/README.md deleted file mode 100644 index 932741d4b..000000000 --- a/baselines/getting_started/aws/aws_check_cost_controls/README.md +++ /dev/null 
@@ -1,133 +0,0 @@ -# Baseline - AWS Check Cost Controls - -This baseline will allow you to check the infrastructure over X days/unattached volumes and to set resource scheduling and make it inactive to reduce the cost. - -Few important links - -- [Budget Guardrails](https://turbot.com/v5/docs/concepts/guardrails/budget) -- [Scheduling in Turbot](https://turbot.com/v5/docs/concepts/guardrails/scheduling) -- [Active Guardrails](https://turbot.com/v5/docs/concepts/guardrails/active) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security & cost control features e.g. encryption standards, public access, cost control etc. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder).The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform init - ``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** - -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_cost_controls/aws_active.tf b/baselines/getting_started/aws/aws_check_cost_controls/aws_active.tf deleted file mode 100644 index 6ebd83c0c..000000000 --- a/baselines/getting_started/aws/aws_check_cost_controls/aws_active.tf +++ /dev/null 
@@ -1,50 +0,0 @@
-# Simple cost control to check for aging infrastructure over X days
-# Defaulting to 60 days as an example.
-# Other use cases can be used for Last Modified, Attached, etc.
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/active
-
-# AWS > EC2 > Instance > Active
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceActive
-# Loop through var.service_status to enable the Age policies
-resource "turbot_policy_setting" "set_resource_active_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.aws_cost_controls.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-# AWS > EC2 > Instance > Active > Age
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceActiveAge
-resource "turbot_policy_setting" "set_resource_age_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.aws_cost_controls.id
- type = local.policy_map_age[each.key]
- value = "Force inactive if age > 60 days"
- # Skip
- # Force inactive if age > 1 day
- # Force inactive if age > 3 days
- # Force inactive if age > 7 days
- # Force inactive if age > 14 days
- # Force inactive if age > 30 days
- # Force inactive if age > 60 days
- # Force inactive if age > 90 days
- # Force inactive if age > 180 days
- # Force inactive if age > 365 days
-}
-
-# AWS > EC2 > Volume > Active
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/volumeActive
-# Specific EC2 Volume Active controls focused on unnatached vs Age
-resource "turbot_policy_setting" "aws_ec2_volume_active" {
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-ec2#/policy/types/volumeActive"
- value = "Check: Active"
-}
-
-# AWS > EC2 > Volume > Active > Attached
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/volumeActiveAttached
-resource "turbot_policy_setting" "aws_ec2_volume_active_attached" {
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-ec2#/policy/types/volumeActiveAttached"
- value = "Force inactive if unattached"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/demo.tfvars b/baselines/getting_started/aws/aws_check_cost_controls/demo.tfvars
deleted file mode 100644
index 8633d0e36..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/demo.tfvars
+++ /dev/null
@@ -1,194 +0,0 @@
-# List of services and resources to be Check: Active.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have the related service mod installed
-
-# Acceptable Values:
- # "Skip"
- # "Check: Active"
- # "Enforce: Delete inactive with 1 day warning"
- # "Enforce: Delete inactive with 3 days warning"
- # "Enforce: Delete inactive with 7 days warning"
- # "Enforce: Delete inactive with 14 days warning"
- # "Enforce: Delete inactive with 30 days warning"
- # "Enforce: Delete inactive with 60 days warning"
- # "Enforce: Delete inactive with 90 days warning"
- # "Enforce: Delete inactive with 180 days warning"
- # "Enforce: Delete inactive with 365 days warning"
-
-
-resource_active = {
- # aws-acm-certificate = "Check: Active"
- # aws-mq-broker = "Check: Active"
- # aws-mq-configuration = "Check: Active"
- # aws-amplify-app = "Check: Active"
- # aws-apigateway-api = "Check: Active"
- # aws-apigateway-apiKey = "Check: Active"
- # aws-apigateway-apiV2 = "Check: Active"
- # aws-apigateway-authorizer = "Check: Active"
- # aws-apigateway-authorizerV2 = "Check: Active"
- # aws-apigateway-domainNameV2 = "Check: Active"
- # aws-apigateway-stage = "Check: Active"
- # aws-apigateway-stageV2 = "Check: Active"
- # aws-apigateway-usagePlan = "Check: Active"
- # aws-appmesh-mesh = "Check: Active"
- # aws-athena-namedQuery = "Check: Active"
- # aws-athena-workgroup = "Check: Active"
- # aws-backup-backupPlan = "Check: Active"
- # aws-backup-backupVault = "Check: Active"
- # aws-batch-jobDefinition = "Check: Active"
- # aws-cloudformation-stack = "Check: Active"
- # aws-cloudformation-stackSet = "Check: Active"
- # aws-cloudfront-cloudFrontOriginAccessIdentity = "Check: Active"
- # aws-cloudfront-distribution = "Check: Active"
- # aws-cloudfront-streamingDistribution = "Check: Active"
- # aws-cloudsearch-domain = "Check: Active"
- # aws-cloudtrail-trail = "Check: Active"
- # aws-cloudwatch-alarm = "Check: Active"
- # aws-codebuild-build = "Check: Active"
- # aws-codebuild-project = "Check: Active"
- # aws-codecommit-repository = "Check: Active"
- # aws-config-configurationRecorder = "Check: Active"
- # aws-config-deliveryChannel = "Check: Active"
- # aws-config-rule = "Check: Active"
- # aws-dax-cluster = "Check: Active"
- # aws-directoryservice-directory = "Check: Active"
- # aws-dms-endpoint = "Check: Active"
- # aws-docdb-dbCluster = "Check: Active"
- # aws-docdb-dbClusterParameterGroup = "Check: Active"
- # aws-docdb-dbInstance = "Check: Active"
- # aws-dynamodb-backup = "Check: Active"
- # aws-dynamodb-globalTable = "Check: Active"
- # aws-dynamodb-table = "Check: Active"
- aws-ec2-ami = "Check: Active"
- # aws-ec2-applicationLoadBalancer = "Check: Active"
- # aws-ec2-autoScalingGroup = "Check: Active"
- # aws-ec2-classicLoadBalancer = "Check: Active"
- aws-ec2-instance = "Check: Active"
- # aws-ec2-keyPair = "Check: Active"
- # aws-ec2-launchConfiguration = "Check: Active"
- # aws-ec2-launchTemplate = "Check: Active"
- # aws-ec2-launchTemplateVersion = "Check: Active"
- # aws-ec2-listenerRule = "Check: Active"
- # aws-ec2-loadBalancerListener = "Check: Active"
- # aws-ec2-networkInterface = "Check: Active"
- # aws-ec2-networkLoadBalancer = "Check: Active"
- aws-ec2-snapshot = "Check: Active"
- # aws-ec2-targetGroup = "Check: Active"
- ##Have Unattached Policy Set instead## aws-ec2-volume = "Check: Active"
- # aws-ecr-repository = "Check: Active"
- # aws-ecs-cluster = "Check: Active"
- # aws-ecs-containerInstance = "Check: Active"
- # aws-ecs-taskDefinition = "Check: Active"
- # aws-efs-fileSystem = "Check: Active"
- # aws-efs-mountTarget = "Check: Active"
- # aws-eks-cluster = "Check: Active"
- # aws-eks-nodeGroup = "Check: Active"
- # aws-elasticbeanstalk-application = "Check: Active"
- # aws-elasticbeanstalk-environment = "Check: Active"
- # aws-elasticache-cacheCluster = "Check: Active"
- # aws-elasticache-cacheParameterGroup = "Check: Active"
- # aws-elasticache-replicationGroup = "Check: Active"
- # aws-elasticache-snapshot = "Check: Active"
- # aws-elasticsearch-domain = "Check: Active"
- # aws-emr-cluster = "Check: Active"
- # aws-emr-securityConfiguration = "Check: Active"
- # aws-events-rule = "Check: Active"
- # aws-events-target = "Check: Active"
- # aws-fsx-backup = "Check: Active"
- # aws-fsx-fileSystem = "Check: Active"
- # aws-glacier-vault = "Check: Active"
- # aws-glue-database = "Check: Active"
- # aws-guardduty-detector = "Check: Active"
- # aws-guardduty-ipSet = "Check: Active"
- # aws-guardduty-threatIntelSet = "Check: Active"
- # aws-iam-accessKey = "Check: Active"
- # aws-iam-group = "Check: Active"
- # aws-iam-iamPolicy = "Check: Active"
- # aws-iam-role = "Check: Active"
- # aws-iam-user = "Check: Active"
- # aws-inspector-assessmentTarget = "Check: Active"
- # aws-inspector-assessmentTemplate = "Check: Active"
- # aws-kinesis-consumer = "Check: Active"
- # aws-kinesis-stream = "Check: Active"
- # aws-kms-key = "Check: Active"
- aws-lambda-function = "Check: Active"
- # aws-logs-logGroup = "Check: Active"
- # aws-logs-logStream = "Check: Active"
- # aws-logs-metricFilter = "Check: Active"
- # aws-msk-cluster = "Check: Active"
- # aws-neptune-dbCluster = "Check: Active"
- # aws-neptune-dbInstance = "Check: Active"
- # aws-qldb-ledger = "Check: Active"
- # aws-rds-dbCluster = "Check: Active"
- # aws-rds-dbClusterParameterGroup = "Check: Active"
- # aws-rds-dbClusterSnapshotManual = "Check: Active"
- # aws-rds-dbInstance = "Check: Active"
- # aws-rds-dbParameterGroup = "Check: Active"
- # aws-rds-dbSnapshotManual = "Check: Active"
- # aws-rds-optionGroup = "Check: Active"
- # aws-rds-subnetGroup = "Check: Active"
- # aws-redshift-cluster = "Check: Active"
- # aws-redshift-clusterParameterGroup = "Check: Active"
- # aws-redshift-clusterSubnetGroup = "Check: Active"
- # aws-redshift-clusterSnapshotManual = "Check: Active"
- # aws-robomaker-fleet = "Check: Active"
- # aws-robomaker-robot = "Check: Active"
- # aws-robomaker-robotApplication = "Check: Active"
- # aws-route53-hostedZone = "Check: Active"
- # aws-route53resolver-resolverEndpoint = "Check: Active"
- # aws-route53resolver-resolverRule = "Check: Active"
- aws-s3-bucket = "Check: Active"
- # aws-secretsmanager-secret = "Check: Active"
- # aws-shield-protection = "Check: Active"
- # aws-sns-subscription = "Check: Active"
- # aws-sns-topic = "Check: Active"
- # aws-sqs-queue = "Check: Active"
- # aws-ssm-association = "Check: Active"
- # aws-ssm-document = "Check: Active"
- # aws-ssm-maintenanceWindow = "Check: Active"
- # aws-ssm-ssmParameter = "Check: Active"
- # aws-stepfunctions-stateMachine = "Check: Active"
- # aws-swf-domain = "Check: Active"
- # aws-vpc-connect-customerGateway = "Check: Active"
- # aws-vpc-core-dhcpOptions = "Check: Active"
- # aws-vpc-internet-egressOnlyInternetGateway = "Check: Active"
- # aws-vpc-internet-elasticIp = "Check: Active"
- # aws-vpc-internet-vpcEndpoint = "Check: Active"
- # aws-vpc-internet-vpcEndpointService = "Check: Active"
- # aws-vpc-security-flowLog = "Check: Active"
- # aws-vpc-internet-internetGateway = "Check: Active"
- # aws-vpc-internet-natGateway = "Check: Active"
- # aws-vpc-security-networkAcl = "Check: Active"
- # aws-vpc-connect-vpcPeeringConnection = "Check: Active"
- # aws-vpc-core-routeTable = "Check: Active"
- # aws-vpc-security-securityGroup = "Check: Active"
- # aws-vpc-core-subnet = "Check: Active"
- # aws-vpc-connect-transitGateway = "Check: Active"
- # aws-vpc-connect-transitGatewayRouteTable = "Check: Active"
- # aws-vpc-core-vpc = "Check: Active"
- # aws-vpc-connect-vpnConnection = "Check: Active"
- # aws-vpc-connect-vpnGateway = "Check: Active"
- # aws-waf-ipSet = "Check: Active"
- # aws-waf-ipSetV2Global = "Check: Active"
- # aws-waf-ipSetV2Regional = "Check: Active"
- # aws-waf-rateBasedRule = "Check: Active"
- # aws-waf-regexPatternSetV2Global = "Check: Active"
- # aws-waf-regexPatternSetV2Regional = "Check: Active"
- # aws-waf-rule = "Check: Active"
- # aws-waf-ruleGroupV2Global = "Check: Active"
- # aws-waf-ruleGroupV2Regional = "Check: Active"
- # aws-waf-webacl = "Check: Active"
- # aws-waf-webAclV2Global = "Check: Active"
- # aws-waf-webAclV2Regional = "Check: Active"
- # aws-wafregional-rule = "Check: Active"
- # aws-wellarchitected-workload = "Check: Active"
-}
-# See file schedules.tf
-enable_rds_db_cluster_schedule_policies = false
-enable_rds_cluster_schedule_tag_policies = false
-enable_rds_db_instance_schedule_policies = false
-enable_rds_db_instance_schedule_tag_policies = false
-enable_redshift_cluster_schedule_policies = false
-enable_redshift_cluster_schedule_tag_policies = false
-enable_workspace_schedule_policies = false
-enable_workspace_schedule_tag_policies = false
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/locals.tf b/baselines/getting_started/aws/aws_check_cost_controls/locals.tf
deleted file mode 100644
index 625bbbaf9..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/locals.tf
+++ /dev/null
@@ -1,339 +0,0 @@
-locals {
-
-policy_map = {
- aws-acm-certificate : "tmod:@turbot/aws-acm#/policy/types/certificateActive"
- aws-mq-broker : "tmod:@turbot/aws-mq#/policy/types/brokerActive"
- aws-mq-configuration : "tmod:@turbot/aws-mq#/policy/types/configurationActive"
- aws-amplify-app : "tmod:@turbot/aws-amplify#/policy/types/appActive"
- aws-apigateway-api : "tmod:@turbot/aws-apigateway#/policy/types/apiActive"
- aws-apigateway-apiKey : "tmod:@turbot/aws-apigateway#/policy/types/apiKeyActive"
- aws-apigateway-apiV2 : "tmod:@turbot/aws-apigateway#/policy/types/apiV2Active"
- aws-apigateway-authorizer : "tmod:@turbot/aws-apigateway#/policy/types/authorizerActive"
- aws-apigateway-authorizerV2 : "tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Active"
- aws-apigateway-domainNameV2 : "tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Active"
- aws-apigateway-stage : "tmod:@turbot/aws-apigateway#/policy/types/stageActive"
- aws-apigateway-stageV2 : "tmod:@turbot/aws-apigateway#/policy/types/stageV2Active"
- aws-apigateway-usagePlan : "tmod:@turbot/aws-apigateway#/policy/types/usagePlanActive"
- aws-appmesh-mesh : "tmod:@turbot/aws-appmesh#/policy/types/meshActive"
- aws-athena-namedQuery : "tmod:@turbot/aws-athena#/policy/types/namedQueryActive"
- aws-athena-workgroup : "tmod:@turbot/aws-athena#/policy/types/workgroupActive"
- aws-backup-backupPlan : "tmod:@turbot/aws-backup#/policy/types/backupPlanActive"
- aws-backup-backupVault : "tmod:@turbot/aws-backup#/policy/types/backupVaultActive"
- aws-batch-jobDefinition : "tmod:@turbot/aws-batch#/policy/types/jobDefinitionActive"
- aws-cloudformation-stack : "tmod:@turbot/aws-cloudformation#/policy/types/stackActive"
- aws-cloudformation-stackSet : "tmod:@turbot/aws-cloudformation#/policy/types/stackSetActive"
- aws-cloudfront-cloudFrontOriginAccessIdentity : "tmod:@turbot/aws-cloudfront#/policy/types/cloudFrontOriginAccessIdentityActive"
- aws-cloudfront-distribution : "tmod:@turbot/aws-cloudfront#/policy/types/distributionActive"
- aws-cloudfront-streamingDistribution : "tmod:@turbot/aws-cloudfront#/policy/types/streamingDistributionActive"
- aws-cloudsearch-domain : "tmod:@turbot/aws-cloudsearch#/policy/types/domainActive"
- aws-cloudtrail-trail : "tmod:@turbot/aws-cloudtrail#/policy/types/trailActive"
- aws-cloudwatch-alarm : "tmod:@turbot/aws-cloudwatch#/policy/types/alarmActive"
- aws-codebuild-build : "tmod:@turbot/aws-codebuild#/policy/types/buildActive"
- aws-codebuild-project : "tmod:@turbot/aws-codebuild#/policy/types/projectActive"
- aws-codecommit-repository : "tmod:@turbot/aws-codecommit#/policy/types/repositoryActive"
- aws-config-configurationRecorder : "tmod:@turbot/aws-config#/policy/types/configurationRecorderActive"
- aws-config-deliveryChannel : "tmod:@turbot/aws-config#/policy/types/deliveryChannelActive"
- aws-config-rule : "tmod:@turbot/aws-config#/policy/types/ruleActive"
- aws-dax-cluster : "tmod:@turbot/aws-dax#/policy/types/clusterActive"
- aws-directoryservice-directory : "tmod:@turbot/aws-directoryservice#/policy/types/directoryActive"
- aws-dms-endpoint : "tmod:@turbot/aws-dms#/policy/types/endpointActive"
- aws-docdb-dbCluster : "tmod:@turbot/aws-docdb#/policy/types/dbClusterActive"
- aws-docdb-dbClusterParameterGroup : "tmod:@turbot/aws-docdb#/policy/types/dbClusterParameterGroupActive"
- aws-docdb-dbInstance : "tmod:@turbot/aws-docdb#/policy/types/dbInstanceActive"
- aws-dynamodb-backup : "tmod:@turbot/aws-dynamodb#/policy/types/backupActive"
- aws-dynamodb-globalTable : "tmod:@turbot/aws-dynamodb#/policy/types/globalTableActive"
- aws-dynamodb-table : "tmod:@turbot/aws-dynamodb#/policy/types/tableActive"
- aws-ec2-ami : "tmod:@turbot/aws-ec2#/policy/types/amiActive"
- aws-ec2-applicationLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActive"
- aws-ec2-autoScalingGroup : "tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActive"
- aws-ec2-classicLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActive"
- aws-ec2-instance : "tmod:@turbot/aws-ec2#/policy/types/instanceActive"
- aws-ec2-keyPair : "tmod:@turbot/aws-ec2#/policy/types/keyPairActive"
- aws-ec2-launchConfiguration : "tmod:@turbot/aws-ec2#/policy/types/launchConfigurationActive"
- aws-ec2-launchTemplate : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateActive"
- aws-ec2-launchTemplateVersion : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionActive"
- aws-ec2-listenerRule : "tmod:@turbot/aws-ec2#/policy/types/listenerRuleActive"
- aws-ec2-loadBalancerListener : "tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerActive"
- aws-ec2-networkInterface : "tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActive"
- aws-ec2-networkLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActive"
- aws-ec2-snapshot : "tmod:@turbot/aws-ec2#/policy/types/snapshotActive"
- aws-ec2-targetGroup : "tmod:@turbot/aws-ec2#/policy/types/targetGroupActive"
- aws-ec2-volume : "tmod:@turbot/aws-ec2#/policy/types/volumeActive"
- aws-ecr-repository : "tmod:@turbot/aws-ecr#/policy/types/repositoryActive"
- aws-ecs-cluster : "tmod:@turbot/aws-ecs#/policy/types/clusterActive"
- aws-ecs-containerInstance : "tmod:@turbot/aws-ecs#/policy/types/containerInstanceActive"
- aws-ecs-taskDefinition : "tmod:@turbot/aws-ecs#/policy/types/taskDefinitionActive"
- aws-efs-fileSystem : "tmod:@turbot/aws-efs#/policy/types/fileSystemActive"
- aws-efs-mountTarget : "tmod:@turbot/aws-efs#/policy/types/mountTargetActive"
- aws-eks-cluster : "tmod:@turbot/aws-eks#/policy/types/clusterActive"
- aws-eks-nodeGroup : "tmod:@turbot/aws-eks#/policy/types/nodeGroupActive"
- aws-elasticbeanstalk-application : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/applicationActive"
- aws-elasticbeanstalk-environment : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/environmentActive"
- aws-elasticache-cacheCluster : "tmod:@turbot/aws-elasticache#/policy/types/cacheClusterActive"
- aws-elasticache-cacheParameterGroup : "tmod:@turbot/aws-elasticache#/policy/types/cacheParameterGroupActive"
- aws-elasticache-replicationGroup : "tmod:@turbot/aws-elasticache#/policy/types/replicationGroupActive"
- aws-elasticache-snapshot : "tmod:@turbot/aws-elasticache#/policy/types/snapshotActive"
- aws-elasticsearch-domain : "tmod:@turbot/aws-elasticsearch#/policy/types/domainActive"
- aws-emr-cluster : "tmod:@turbot/aws-emr#/policy/types/clusterActive"
- aws-emr-securityConfiguration : "tmod:@turbot/aws-emr#/policy/types/securityConfigurationActive"
- aws-events-rule : "tmod:@turbot/aws-events#/policy/types/ruleActive"
- aws-events-target : "tmod:@turbot/aws-events#/policy/types/targetActive"
- aws-fsx-backup : "tmod:@turbot/aws-fsx#/policy/types/backupActive"
- aws-fsx-fileSystem : "tmod:@turbot/aws-fsx#/policy/types/fileSystemActive"
- aws-glacier-vault : "tmod:@turbot/aws-glacier#/policy/types/vaultActive"
- aws-glue-database : "tmod:@turbot/aws-glue#/policy/types/databaseActive"
- aws-guardduty-detector : "tmod:@turbot/aws-guardduty#/policy/types/detectorActive"
- aws-guardduty-ipSet : "tmod:@turbot/aws-guardduty#/policy/types/ipSetActive"
- aws-guardduty-threatIntelSet : "tmod:@turbot/aws-guardduty#/policy/types/threatIntelSetActive"
- aws-iam-accessKey : "tmod:@turbot/aws-iam#/policy/types/accessKeyActive"
- aws-iam-group : "tmod:@turbot/aws-iam#/policy/types/groupActive"
- aws-iam-iamPolicy : "tmod:@turbot/aws-iam#/policy/types/iamPolicyActive"
- aws-iam-role : "tmod:@turbot/aws-iam#/policy/types/roleActive"
- aws-iam-user : "tmod:@turbot/aws-iam#/policy/types/userActive"
- aws-inspector-assessmentTarget : "tmod:@turbot/aws-inspector#/policy/types/assessmentTargetActive"
- aws-inspector-assessmentTemplate : "tmod:@turbot/aws-inspector#/policy/types/assessmentTemplateActive"
- aws-kinesis-consumer : "tmod:@turbot/aws-kinesis#/policy/types/consumerActive"
- aws-kinesis-stream : "tmod:@turbot/aws-kinesis#/policy/types/streamActive"
- aws-kms-key : "tmod:@turbot/aws-kms#/policy/types/keyActive"
- aws-lambda-function : "tmod:@turbot/aws-lambda#/policy/types/functionActive"
- aws-logs-logGroup : "tmod:@turbot/aws-logs#/policy/types/logGroupActive"
- aws-logs-logStream : "tmod:@turbot/aws-logs#/policy/types/logStreamActive"
- aws-logs-metricFilter : "tmod:@turbot/aws-logs#/policy/types/metricFilterActive"
- aws-msk-cluster : "tmod:@turbot/aws-msk#/policy/types/clusterActive"
- aws-neptune-dbCluster : "tmod:@turbot/aws-neptune#/policy/types/dbClusterActive"
- aws-neptune-dbInstance : "tmod:@turbot/aws-neptune#/policy/types/dbInstanceActive"
- aws-qldb-ledger : "tmod:@turbot/aws-qldb#/policy/types/ledgerActive"
- aws-rds-dbCluster : "tmod:@turbot/aws-rds#/policy/types/dbClusterActive"
- aws-rds-dbClusterParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbClusterParameterGroupActive"
- aws-rds-dbClusterSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualActive"
- aws-rds-dbInstance : "tmod:@turbot/aws-rds#/policy/types/dbInstanceActive"
- aws-rds-dbParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbParameterGroupActive"
- aws-rds-dbSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualActive"
- aws-rds-optionGroup : "tmod:@turbot/aws-rds#/policy/types/optionGroupActive"
- aws-rds-subnetGroup : "tmod:@turbot/aws-rds#/policy/types/subnetGroupActive"
- aws-redshift-cluster : "tmod:@turbot/aws-redshift#/policy/types/clusterActive"
- aws-redshift-clusterParameterGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterParameterGroupActive"
- aws-redshift-clusterSubnetGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterSubnetGroupActive"
- aws-redshift-clusterSnapshotManual : "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualActive"
- aws-robomaker-fleet : "tmod:@turbot/aws-robomaker#/policy/types/fleetActive"
- aws-robomaker-robot : "tmod:@turbot/aws-robomaker#/policy/types/robotActive"
- aws-robomaker-robotApplication : "tmod:@turbot/aws-robomaker#/policy/types/robotApplicationActive"
- aws-route53-hostedZone : "tmod:@turbot/aws-route53#/policy/types/hostedZoneActive"
- aws-route53resolver-resolverEndpoint : "tmod:@turbot/aws-route53resolver#/policy/types/resolverEndpointActive"
- aws-route53resolver-resolverRule : "tmod:@turbot/aws-route53resolver#/policy/types/resolverRuleActive"
- aws-s3-bucket : "tmod:@turbot/aws-s3#/policy/types/bucketActive"
- aws-secretsmanager-secret : "tmod:@turbot/aws-secretsmanager#/policy/types/secretActive"
- aws-shield-protection : "tmod:@turbot/aws-shield#/policy/types/protectionActive"
- aws-sns-subscription : "tmod:@turbot/aws-sns#/policy/types/subscriptionActive"
- aws-sns-topic : "tmod:@turbot/aws-sns#/policy/types/topicActive"
- aws-sqs-queue : "tmod:@turbot/aws-sqs#/policy/types/queueActive"
- aws-ssm-association : "tmod:@turbot/aws-ssm#/policy/types/associationActive"
- aws-ssm-document : "tmod:@turbot/aws-ssm#/policy/types/documentActive"
- aws-ssm-maintenanceWindow : "tmod:@turbot/aws-ssm#/policy/types/maintenanceWindowActive"
- aws-ssm-ssmParameter : "tmod:@turbot/aws-ssm#/policy/types/ssmParameterActive"
- aws-stepfunctions-stateMachine : "tmod:@turbot/aws-stepfunctions#/policy/types/stateMachineActive"
- aws-swf-domain : "tmod:@turbot/aws-swf#/policy/types/domainActive"
- aws-vpc-connect-customerGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActive"
- aws-vpc-core-dhcpOptions : "tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsActive"
- aws-vpc-internet-egressOnlyInternetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayActive"
- aws-vpc-internet-elasticIp : "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActive"
- aws-vpc-internet-vpcEndpoint : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointActive"
- aws-vpc-internet-vpcEndpointService : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActive"
- aws-vpc-security-flowLog : "tmod:@turbot/aws-vpc-security#/policy/types/flowLogActive"
- aws-vpc-internet-internetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActive"
- aws-vpc-internet-natGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActive"
- aws-vpc-security-networkAcl : "tmod:@turbot/aws-vpc-security#/policy/types/networkAclActive"
- aws-vpc-connect-vpcPeeringConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActive"
- aws-vpc-core-routeTable : "tmod:@turbot/aws-vpc-core#/policy/types/routeTableActive"
- aws-vpc-security-securityGroup : "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActive"
- aws-vpc-core-subnet : "tmod:@turbot/aws-vpc-core#/policy/types/subnetActive"
- aws-vpc-connect-transitGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActive"
- aws-vpc-connect-transitGatewayRouteTable : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActive"
- aws-vpc-core-vpc : "tmod:@turbot/aws-vpc-core#/policy/types/vpcActive"
- aws-vpc-connect-vpnConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActive"
- aws-vpc-connect-vpnGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActive"
- aws-waf-ipSet : "tmod:@turbot/aws-waf#/policy/types/ipSetActive"
- aws-waf-ipSetV2Global : "tmod:@turbot/aws-waf#/policy/types/ipSetV2GlobalActive"
- aws-waf-ipSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/ipSetV2RegionalActive"
- aws-waf-rateBasedRule : "tmod:@turbot/aws-waf#/policy/types/rateBasedRuleActive"
- aws-waf-regexPatternSetV2Global : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2GlobalActive"
- aws-waf-regexPatternSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2RegionalActive"
- aws-waf-rule : "tmod:@turbot/aws-waf#/policy/types/ruleActive"
- aws-waf-ruleGroupV2Global : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2GlobalActive"
- aws-waf-ruleGroupV2Regional : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2RegionalActive"
- aws-waf-webacl : "tmod:@turbot/aws-waf#/policy/types/webaclActive"
- aws-waf-webAclV2Global : "tmod:@turbot/aws-waf#/policy/types/webAclV2GlobalActive"
- aws-waf-webAclV2Regional : "tmod:@turbot/aws-waf#/policy/types/webAclV2RegionalActive"
- aws-wafregional-rule : "tmod:@turbot/aws-wafregional#/policy/types/ruleActive"
- aws-wellarchitected-workload : "tmod:@turbot/aws-wellarchitected#/policy/types/workloadActive"
- }
-
-# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope
-policy_map_age = {
- aws-acm-certificate : "tmod:@turbot/aws-acm#/policy/types/certificateActiveAge"
- aws-mq-broker : "tmod:@turbot/aws-mq#/policy/types/brokerActiveAge"
- aws-mq-configuration : "tmod:@turbot/aws-mq#/policy/types/configurationActiveAge"
- aws-amplify-app : "tmod:@turbot/aws-amplify#/policy/types/appActiveAge"
- aws-apigateway-api : "tmod:@turbot/aws-apigateway#/policy/types/apiActiveAge"
- aws-apigateway-apiKey : "tmod:@turbot/aws-apigateway#/policy/types/apiKeyActiveAge"
- aws-apigateway-apiV2 : "tmod:@turbot/aws-apigateway#/policy/types/apiV2ActiveAge"
- aws-apigateway-authorizer : "tmod:@turbot/aws-apigateway#/policy/types/authorizerActiveAge"
- aws-apigateway-authorizerV2 : "tmod:@turbot/aws-apigateway#/policy/types/authorizerV2ActiveAge"
- aws-apigateway-domainNameV2 : "tmod:@turbot/aws-apigateway#/policy/types/domainNameV2ActiveAge"
- aws-apigateway-stage : "tmod:@turbot/aws-apigateway#/policy/types/stageActiveAge"
- aws-apigateway-stageV2 : "tmod:@turbot/aws-apigateway#/policy/types/stageV2ActiveAge"
- aws-apigateway-usagePlan : "tmod:@turbot/aws-apigateway#/policy/types/usagePlanActiveAge"
- aws-appmesh-mesh : "tmod:@turbot/aws-appmesh#/policy/types/meshActiveAge"
- aws-athena-namedQuery : "tmod:@turbot/aws-athena#/policy/types/namedQueryActiveAge"
- aws-athena-workgroup : "tmod:@turbot/aws-athena#/policy/types/workgroupActiveAge"
- aws-backup-backupPlan : "tmod:@turbot/aws-backup#/policy/types/backupPlanActiveAge"
- aws-backup-backupVault : "tmod:@turbot/aws-backup#/policy/types/backupVaultActiveAge"
- aws-batch-jobDefinition : "tmod:@turbot/aws-batch#/policy/types/jobDefinitionActiveAge"
- aws-cloudformation-stack : "tmod:@turbot/aws-cloudformation#/policy/types/stackActiveAge"
- aws-cloudformation-stackSet : "tmod:@turbot/aws-cloudformation#/policy/types/stackSetActiveAge"
- aws-cloudfront-cloudFrontOriginAccessIdentity : "tmod:@turbot/aws-cloudfront#/policy/types/cloudFrontOriginAccessIdentityActiveAge"
- aws-cloudfront-distribution : "tmod:@turbot/aws-cloudfront#/policy/types/distributionActiveAge"
- aws-cloudfront-streamingDistribution : "tmod:@turbot/aws-cloudfront#/policy/types/streamingDistributionActiveAge"
- aws-cloudsearch-domain : "tmod:@turbot/aws-cloudsearch#/policy/types/domainActiveAge"
- aws-cloudtrail-trail : "tmod:@turbot/aws-cloudtrail#/policy/types/trailActiveAge"
- aws-cloudwatch-alarm : "tmod:@turbot/aws-cloudwatch#/policy/types/alarmActiveAge"
- aws-codebuild-build : "tmod:@turbot/aws-codebuild#/policy/types/buildActiveAge"
- aws-codebuild-project : "tmod:@turbot/aws-codebuild#/policy/types/projectActiveAge"
- aws-codecommit-repository : "tmod:@turbot/aws-codecommit#/policy/types/repositoryActiveAge"
- aws-config-configurationRecorder : "tmod:@turbot/aws-config#/policy/types/configurationRecorderActiveAge"
- aws-config-deliveryChannel : "tmod:@turbot/aws-config#/policy/types/deliveryChannelActiveAge"
- aws-config-rule : "tmod:@turbot/aws-config#/policy/types/ruleActiveAge"
- aws-dax-cluster : "tmod:@turbot/aws-dax#/policy/types/clusterActiveAge"
- aws-directoryservice-directory : "tmod:@turbot/aws-directoryservice#/policy/types/directoryActiveAge"
- aws-dms-endpoint : "tmod:@turbot/aws-dms#/policy/types/endpointActiveAge"
- aws-docdb-dbCluster : "tmod:@turbot/aws-docdb#/policy/types/dbClusterActiveAge"
- aws-docdb-dbClusterParameterGroup : "tmod:@turbot/aws-docdb#/policy/types/dbClusterParameterGroupActiveAge"
- aws-docdb-dbInstance : "tmod:@turbot/aws-docdb#/policy/types/dbInstanceActiveAge"
- aws-dynamodb-backup : "tmod:@turbot/aws-dynamodb#/policy/types/backupActiveAge"
- aws-dynamodb-globalTable : "tmod:@turbot/aws-dynamodb#/policy/types/globalTableActiveAge"
- aws-dynamodb-table : "tmod:@turbot/aws-dynamodb#/policy/types/tableActiveAge"
- aws-ec2-ami : "tmod:@turbot/aws-ec2#/policy/types/amiActiveAge"
- aws-ec2-applicationLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerActiveAge"
- aws-ec2-autoScalingGroup : "tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupActiveAge"
- aws-ec2-classicLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerActiveAge"
- aws-ec2-instance : "tmod:@turbot/aws-ec2#/policy/types/instanceActiveAge"
- aws-ec2-keyPair : "tmod:@turbot/aws-ec2#/policy/types/keyPairActiveAge"
- aws-ec2-launchConfiguration : "tmod:@turbot/aws-ec2#/policy/types/launchConfigurationActiveAge"
- aws-ec2-launchTemplate : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateActiveAge"
- aws-ec2-launchTemplateVersion : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionActiveAge"
- aws-ec2-listenerRule : "tmod:@turbot/aws-ec2#/policy/types/listenerRuleActiveAge"
- aws-ec2-loadBalancerListener : "tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerActiveAge"
- aws-ec2-networkInterface : "tmod:@turbot/aws-ec2#/policy/types/networkInterfaceActiveAge"
- aws-ec2-networkLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerActiveAge"
- aws-ec2-snapshot : "tmod:@turbot/aws-ec2#/policy/types/snapshotActiveAge"
- aws-ec2-targetGroup : "tmod:@turbot/aws-ec2#/policy/types/targetGroupActiveAge"
- aws-ec2-volume : "tmod:@turbot/aws-ec2#/policy/types/volumeActiveAge"
- aws-ecr-repository : "tmod:@turbot/aws-ecr#/policy/types/repositoryActiveAge"
- aws-ecs-cluster : 
"tmod:@turbot/aws-ecs#/policy/types/clusterActiveAge" - aws-ecs-containerInstance : "tmod:@turbot/aws-ecs#/policy/types/containerInstanceActiveAge" - aws-ecs-taskDefinition : "tmod:@turbot/aws-ecs#/policy/types/taskDefinitionActiveAge" - aws-efs-fileSystem : "tmod:@turbot/aws-efs#/policy/types/fileSystemActiveAge" - aws-efs-mountTarget : "tmod:@turbot/aws-efs#/policy/types/mountTargetActiveAge" - aws-eks-cluster : "tmod:@turbot/aws-eks#/policy/types/clusterActiveAge" - aws-eks-nodeGroup : "tmod:@turbot/aws-eks#/policy/types/nodeGroupActiveAge" - aws-elasticbeanstalk-application : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/applicationActiveAge" - aws-elasticbeanstalk-environment : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/environmentActiveAge" - aws-elasticache-cacheCluster : "tmod:@turbot/aws-elasticache#/policy/types/cacheClusterActiveAge" - aws-elasticache-cacheParameterGroup : "tmod:@turbot/aws-elasticache#/policy/types/cacheParameterGroupActiveAge" - aws-elasticache-replicationGroup : "tmod:@turbot/aws-elasticache#/policy/types/replicationGroupActiveAge" - aws-elasticache-snapshot : "tmod:@turbot/aws-elasticache#/policy/types/snapshotActiveAge" - aws-elasticsearch-domain : "tmod:@turbot/aws-elasticsearch#/policy/types/domainActiveAge" - aws-emr-cluster : "tmod:@turbot/aws-emr#/policy/types/clusterActiveAge" - aws-emr-securityConfiguration : "tmod:@turbot/aws-emr#/policy/types/securityConfigurationActiveAge" - aws-events-rule : "tmod:@turbot/aws-events#/policy/types/ruleActiveAge" - aws-events-target : "tmod:@turbot/aws-events#/policy/types/targetActiveAge" - aws-fsx-backup : "tmod:@turbot/aws-fsx#/policy/types/backupActiveAge" - aws-fsx-fileSystem : "tmod:@turbot/aws-fsx#/policy/types/fileSystemActiveAge" - aws-glacier-vault : "tmod:@turbot/aws-glacier#/policy/types/vaultActiveAge" - aws-glue-database : "tmod:@turbot/aws-glue#/policy/types/databaseActiveAge" - aws-guardduty-detector : "tmod:@turbot/aws-guardduty#/policy/types/detectorActiveAge" - 
aws-guardduty-ipSet : "tmod:@turbot/aws-guardduty#/policy/types/ipSetActiveAge" - aws-guardduty-threatIntelSet : "tmod:@turbot/aws-guardduty#/policy/types/threatIntelSetActiveAge" - aws-iam-accessKey : "tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge" - aws-iam-group : "tmod:@turbot/aws-iam#/policy/types/groupActiveAge" - aws-iam-iamPolicy : "tmod:@turbot/aws-iam#/policy/types/iamPolicyActiveAge" - aws-iam-role : "tmod:@turbot/aws-iam#/policy/types/roleActiveAge" - aws-iam-user : "tmod:@turbot/aws-iam#/policy/types/userActiveAge" - aws-inspector-assessmentTarget : "tmod:@turbot/aws-inspector#/policy/types/assessmentTargetActiveAge" - aws-inspector-assessmentTemplate : "tmod:@turbot/aws-inspector#/policy/types/assessmentTemplateActiveAge" - aws-kinesis-consumer : "tmod:@turbot/aws-kinesis#/policy/types/consumerActiveAge" - aws-kinesis-stream : "tmod:@turbot/aws-kinesis#/policy/types/streamActiveAge" - aws-kms-key : "tmod:@turbot/aws-kms#/policy/types/keyActiveAge" - aws-lambda-function : "tmod:@turbot/aws-lambda#/policy/types/functionActiveAge" - aws-logs-logGroup : "tmod:@turbot/aws-logs#/policy/types/logGroupActiveAge" - aws-logs-logStream : "tmod:@turbot/aws-logs#/policy/types/logStreamActiveAge" - aws-logs-metricFilter : "tmod:@turbot/aws-logs#/policy/types/metricFilterActiveAge" - aws-msk-cluster : "tmod:@turbot/aws-msk#/policy/types/clusterActiveAge" - aws-neptune-dbCluster : "tmod:@turbot/aws-neptune#/policy/types/dbClusterActiveAge" - aws-neptune-dbInstance : "tmod:@turbot/aws-neptune#/policy/types/dbInstanceActiveAge" - aws-qldb-ledger : "tmod:@turbot/aws-qldb#/policy/types/ledgerActiveAge" - aws-rds-dbCluster : "tmod:@turbot/aws-rds#/policy/types/dbClusterActiveAge" - aws-rds-dbClusterParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbClusterParameterGroupActiveAge" - aws-rds-dbClusterSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualActiveAge" - aws-rds-dbInstance : 
"tmod:@turbot/aws-rds#/policy/types/dbInstanceActiveAge" - aws-rds-dbParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbParameterGroupActiveAge" - aws-rds-dbSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualActiveAge" - aws-rds-optionGroup : "tmod:@turbot/aws-rds#/policy/types/optionGroupActiveAge" - aws-rds-subnetGroup : "tmod:@turbot/aws-rds#/policy/types/subnetGroupActiveAge" - aws-redshift-cluster : "tmod:@turbot/aws-redshift#/policy/types/clusterActiveAge" - aws-redshift-clusterParameterGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterParameterGroupActiveAge" - aws-redshift-clusterSubnetGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterSubnetGroupActiveAge" - aws-redshift-clusterSnapshotManual : "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualActiveAge" - aws-robomaker-fleet : "tmod:@turbot/aws-robomaker#/policy/types/fleetActiveAge" - aws-robomaker-robot : "tmod:@turbot/aws-robomaker#/policy/types/robotActiveAge" - aws-robomaker-robotApplication : "tmod:@turbot/aws-robomaker#/policy/types/robotApplicationActiveAge" - aws-route53-hostedZone : "tmod:@turbot/aws-route53#/policy/types/hostedZoneActiveAge" - aws-route53resolver-resolverEndpoint : "tmod:@turbot/aws-route53resolver#/policy/types/resolverEndpointActiveAge" - aws-route53resolver-resolverRule : "tmod:@turbot/aws-route53resolver#/policy/types/resolverRuleActiveAge" - aws-s3-bucket : "tmod:@turbot/aws-s3#/policy/types/bucketActiveAge" - aws-secretsmanager-secret : "tmod:@turbot/aws-secretsmanager#/policy/types/secretActiveAge" - aws-shield-protection : "tmod:@turbot/aws-shield#/policy/types/protectionActiveAge" - aws-sns-subscription : "tmod:@turbot/aws-sns#/policy/types/subscriptionActiveAge" - aws-sns-topic : "tmod:@turbot/aws-sns#/policy/types/topicActiveAge" - aws-sqs-queue : "tmod:@turbot/aws-sqs#/policy/types/queueActiveAge" - aws-ssm-association : "tmod:@turbot/aws-ssm#/policy/types/associationActiveAge" - aws-ssm-document : 
"tmod:@turbot/aws-ssm#/policy/types/documentActiveAge" - aws-ssm-maintenanceWindow : "tmod:@turbot/aws-ssm#/policy/types/maintenanceWindowActiveAge" - aws-ssm-ssmParameter : "tmod:@turbot/aws-ssm#/policy/types/ssmParameterActiveAge" - aws-stepfunctions-stateMachine : "tmod:@turbot/aws-stepfunctions#/policy/types/stateMachineActiveAge" - aws-swf-domain : "tmod:@turbot/aws-swf#/policy/types/domainActiveAge" - aws-vpc-connect-customerGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayActiveAge" - aws-vpc-core-dhcpOptions : "tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsActiveAge" - aws-vpc-internet-egressOnlyInternetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayActiveAge" - aws-vpc-internet-elasticIp : "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpActiveAge" - aws-vpc-internet-vpcEndpoint : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointActiveAge" - aws-vpc-internet-vpcEndpointService : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceActiveAge" - aws-vpc-security-flowLog : "tmod:@turbot/aws-vpc-security#/policy/types/flowLogActiveAge" - aws-vpc-internet-internetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayActiveAge" - aws-vpc-internet-natGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayActiveAge" - aws-vpc-security-networkAcl : "tmod:@turbot/aws-vpc-security#/policy/types/networkAclActiveAge" - aws-vpc-connect-vpcPeeringConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionActiveAge" - aws-vpc-core-routeTable : "tmod:@turbot/aws-vpc-core#/policy/types/routeTableActiveAge" - aws-vpc-security-securityGroup : "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupActiveAge" - aws-vpc-core-subnet : "tmod:@turbot/aws-vpc-core#/policy/types/subnetActiveAge" - aws-vpc-connect-transitGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayActiveAge" - aws-vpc-connect-transitGatewayRouteTable : 
"tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableActiveAge" - aws-vpc-core-vpc : "tmod:@turbot/aws-vpc-core#/policy/types/vpcActiveAge" - aws-vpc-connect-vpnConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionActiveAge" - aws-vpc-connect-vpnGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayActiveAge" - aws-waf-ipSet : "tmod:@turbot/aws-waf#/policy/types/ipSetActiveAge" - aws-waf-ipSetV2Global : "tmod:@turbot/aws-waf#/policy/types/ipSetV2GlobalActiveAge" - aws-waf-ipSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/ipSetV2RegionalActiveAge" - aws-waf-rateBasedRule : "tmod:@turbot/aws-waf#/policy/types/rateBasedRuleActiveAge" - aws-waf-regexPatternSetV2Global : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2GlobalActiveAge" - aws-waf-regexPatternSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2RegionalActiveAge" - aws-waf-rule : "tmod:@turbot/aws-waf#/policy/types/ruleActiveAge" - aws-waf-ruleGroupV2Global : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2GlobalActiveAge" - aws-waf-ruleGroupV2Regional : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2RegionalActiveAge" - aws-waf-webacl : "tmod:@turbot/aws-waf#/policy/types/webaclActiveAge" - aws-waf-webAclV2Global : "tmod:@turbot/aws-waf#/policy/types/webAclV2GlobalActiveAge" - aws-waf-webAclV2Regional : "tmod:@turbot/aws-waf#/policy/types/webAclV2RegionalActiveAge" - aws-wafregional-rule : "tmod:@turbot/aws-wafregional#/policy/types/ruleActiveAge" - aws-wellarchitected-workload : "tmod:@turbot/aws-wellarchitected#/policy/types/workloadActiveAge" - } -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_cost_controls/outputs.tf b/baselines/getting_started/aws/aws_check_cost_controls/outputs.tf deleted file mode 100644 index eac8f0ae6..000000000 --- a/baselines/getting_started/aws/aws_check_cost_controls/outputs.tf +++ /dev/null 
@@ -1,53 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "resource_active" {
- value = var.resource_active
-}
-
-output "enable_rds_db_cluster_schedule_policies" {
- value = var.enable_rds_db_cluster_schedule_policies
-}
-
-output "enable_rds_cluster_schedule_tag_policies" {
- value = var.enable_rds_cluster_schedule_tag_policies
-}
-
-output "enable_rds_db_instance_schedule_policies" {
- value = var.enable_rds_db_instance_schedule_policies
-}
-
-output "enable_rds_db_instance_schedule_tag_policies" {
- value = var.enable_rds_db_instance_schedule_tag_policies
-}
-
-output "enable_redshift_cluster_schedule_policies" {
- value = var.enable_redshift_cluster_schedule_policies
-}
-
-output "enable_redshift_cluster_schedule_tag_policies" {
- value = var.enable_redshift_cluster_schedule_tag_policies
-}
-
-output "enable_workspace_schedule_policies" {
- value = var.enable_redshift_cluster_schedule_policies
-}
-
-output "enable_workspace_schedule_tag_policies" {
- value = var.enable_redshift_cluster_schedule_tag_policies
-}
-
-
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/providers.tf b/baselines/getting_started/aws/aws_check_cost_controls/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/schedules.tf b/baselines/getting_started/aws/aws_check_cost_controls/schedules.tf
deleted file mode 100644
index 64b366f87..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/schedules.tf
+++ /dev/null
@@ -1,101 +0,0 @@
-
-# Scheduling in Turbot - https://turbot.com/v5/docs/concepts/guardrails/scheduling
-
-# Setting Resource Schedules to start/stop based on schedule
-# Set to Skip to avoid accidently Enforcement.
-
-# Policy Setting Options:
-# Skip
-# Enforce: Business hours (8:00am - 6:00pm on weekdays)
-# Enforce: Extended business hours (7:00am - 11:00pm on weekdays)
-# Enforce: Stop for night (stop at 10:00pm every day)
-# Enforce: Stop for weekend (stop at 10:00pm on Friday)
-
-# AWS > EC2 > Instance > Schedule
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceSchedule
-resource "turbot_policy_setting" "ec2_instance_schedule" {
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-ec2#/policy/types/instanceSchedule"
- value = "Skip"
-}
-
-# AWS EC2 Instance Schedule Tag
-# AWS > EC2 > Instance > Schedule
-# https://turbot.com/v5/docs/concepts/guardrails/scheduling#scheduling-with-a-tag
-resource "turbot_policy_setting" "aws_ec2_instance_schedule_tag" {
-resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-ec2#/policy/types/instanceScheduleTag"
- value = "Skip"
-}
-
-# AWS > RDS > DB Cluster > Schedule
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbClusterSchedule
-resource "turbot_policy_setting" "aws_rds_db_cluster_schedule" {
- count = var.enable_rds_db_cluster_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbClusterSchedule"
- value = "Skip"
-}
-
-# AWS > RDS > DB Cluster > Schedule Tag
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbClusterScheduleTag
-resource "turbot_policy_setting" "aws_rds_cluster_schedule_tag" {
-count = var.enable_rds_cluster_schedule_tag_policies ? 1 : 0
-resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbClusterScheduleTag"
- value = "Skip"
-}
-
-# AWS > RDS > DB Instance > Schedule
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/instanceSchedule
-resource "turbot_policy_setting" "aws_rds_db_instance_schedule" {
- count = var.enable_rds_db_instance_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-rds#/policy/types/instanceSchedule"
- value = "Skip"
-}
-
-# AWS > RDS > DB Instance > Schedule Tag
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/instanceScheduleTag
-resource "turbot_policy_setting" "aws_rds_db_instance_schedule_tag" {
-count = var.enable_rds_db_instance_schedule_tag_policies ? 1 : 0
-resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-rds#/policy/types/instanceScheduleTag"
- value = "Skip"
-}
-
-# AWS > Redshift > Cluster > Schedule
-# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterSchedule
-resource "turbot_policy_setting" "aws_redshift_cluster_schedule" {
- count = var.enable_redshift_cluster_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-redshift#/policy/types/clusterSchedule"
- value = "Skip"
-}
-
-# AWS > Redshift > Cluster > Schedule Tag
-# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterScheduleTag
-resource "turbot_policy_setting" "aws_redshift_cluster_schedule_tag" {
- count = var.enable_redshift_cluster_schedule_tag_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-redshift#/policy/types/clusterScheduleTag"
- value = "Skip"
-}
-
-# AWS > WorkSpaces > WorkSpace > Schedule
-# https://turbot.com/v5/mods/turbot/aws-workspaces/inspect#/policy/types/workspaceSchedule
-resource "turbot_policy_setting" "aws_workspace_schedule" {
- count = var.enable_workspace_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-workspaces#/policy/types/workspaceSchedule"
- value = "Skip"
-}
-
-# AWS > WorkSpaces > WorkSpace > Schedule Tag
-# https://turbot.com/v5/mods/turbot/aws-workspaces/inspect#/policy/types/workspaceScheduleTag
-resource "turbot_policy_setting" "aws_workspace_schedule_tag" {
- count = var.enable_workspace_schedule_tag_policies ? 1 : 0
- resource = turbot_smart_folder.aws_cost_controls.id
- type = "tmod:@turbot/aws-workspaces#/policy/types/workspaceScheduleTag"
- value = "Skip"
-}
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/smart_folder.tf b/baselines/getting_started/aws/aws_check_cost_controls/smart_folder.tf
deleted file mode 100644
index 8d9ca60a8..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_cost_controls" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_cost_controls/variables.tf b/baselines/getting_started/aws/aws_check_cost_controls/variables.tf
deleted file mode 100644
index 68f7a4e4a..000000000
--- a/baselines/getting_started/aws/aws_check_cost_controls/variables.tf
+++ /dev/null
@@ -1,263 +0,0 @@ -variable "resource_active" { - description = < -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** - -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_encryption/backup_policies.tf b/baselines/getting_started/aws/aws_check_encryption/backup_policies.tf deleted file mode 100644 index 304349857..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/backup_policies.tf +++ /dev/null 
@@ -1,20 +0,0 @@ -## Ensure encryption on Backup Vault Resources -# Commented out since these services are not associated to the initial mod install list - -# AWS > Backup > Backup Vault > Approved -# https://turbot.com/v5/mods/turbot/aws-backup/inspect#/policy/types/backupVaultApproved -resource "turbot_policy_setting" "aws_backup_vault_approved" { - count = var.enable_backup_vault_approved_policies ? 1 : 0 - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-backup#/policy/types/backupVaultApproved" - value = "Check: Approved" -} - -# AWS > Backup > Backup Vault > Approved > Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-backup/inspect#/policy/types/backupVaultEncryptionAtRest -resource "turbot_policy_setting" "aws_backup_vault_encryption_at_rest" { - count = var.enable_backup_vault_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-backup#/policy/types/backupVaultEncryptionAtRest" - value = "AWS managed key or higher" -} diff --git a/baselines/getting_started/aws/aws_check_encryption/cloudtrail_policies.tf b/baselines/getting_started/aws/aws_check_encryption/cloudtrail_policies.tf deleted file mode 100644 index 5fac19cf8..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/cloudtrail_policies.tf +++ /dev/null @@ -1,10 +0,0 @@ -# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest - -# AWS > CloudTrail > Trail > Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-cloudtrail/inspect#/policy/types/trailEncryptionAtRest -resource "turbot_policy_setting" "aws_cloudtrail_trail_encryption_at_rest" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-cloudtrail#/policy/types/trailEncryptionAtRest" - value = "Check: Customer managed key" - # Note: no Check: AWS managed key or higher available at the moment -} \ No newline at end of file 
diff --git a/baselines/getting_started/aws/aws_check_encryption/demo.tfvars b/baselines/getting_started/aws/aws_check_encryption/demo.tfvars deleted file mode 100644 index 5ed0bbcfd..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/demo.tfvars +++ /dev/null @@ -1,32 +0,0 @@ -# See file, backup_policies.tf -enable_backup_vault_approved_policies = false -enable_backup_vault_encryption_policies = false - -# See file, dynamodb_policies.tf -enable_dynamodb_table_encryption_policies = false - -# See file, efs_policies.tf -enable_efs_filesystem_approved_policies = false -enable_efs_filesystem_encryption_policies = false - -# See file, elasticsearch_policies.tf -enable_elasticsearch_domain_approved_policies = false -enable_elasticsearch_domain_encryption_policies = false - -# See file, redshift_policies.tf -enable_redshift_cluster_encryption_policies = false - -# See file, rds_policies.tf -enable_rds_instance_approved_policies = false -enable_rds_instance_encryption_policies = false -enable_rds_manualsnapshot_approved_policies = false -enable_rds_manualsnapshot_encryption_policies = false - -# See file, ssm_policies.tf -enable_ssm_parameter_encryption_policies = false - -# See file, secretmanager_policies.tf -enable_secretmanager_secret_encryption_policies = false - -# See file, sqs_policies.tf -enable_sqs_queue_encryption_policies = false diff --git a/baselines/getting_started/aws/aws_check_encryption/dynamodb_policies.tf b/baselines/getting_started/aws/aws_check_encryption/dynamodb_policies.tf deleted file mode 100644 index ea9d07ef4..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/dynamodb_policies.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest - -# AWS > DynamoDB > Table > Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-dynamodb/inspect#/policy/types/tableEncryptionAtRest -resource "turbot_policy_setting" "aws_dynamodb_table_encryption_at_rest" { - count = var.enable_dynamodb_table_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-dynamodb#/policy/types/tableEncryptionAtRest" - value = "Check: AWS managed key or higher" -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_encryption/ec2_policies.tf b/baselines/getting_started/aws/aws_check_encryption/ec2_policies.tf deleted file mode 100644 index c76348fd4..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/ec2_policies.tf +++ /dev/null 
@@ -1,70 +0,0 @@ -# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest - -# AWS > EC2 > Instance > Approved -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceApproved -resource "turbot_policy_setting" "ec2_instance_approved" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/instanceApproved" - value = "Check: Approved" -} -# AWS > EC2 > Instance > Approved > Root Volume Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/rootVolumeEncryptionAtRest -resource "turbot_policy_setting" "ec2_instance_root_volume_encryption" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/rootVolumeEncryptionAtRest" - value = "AWS managed key or higher" -} - -# Enable if you want to check for existence of a specific KMS key -# resource "turbot_policy_setting" "ec2_root_volume_encryption_kms_key" { -# resource = turbot_smart_folder.aws_encryption.id -# type = "tmod:@turbot/aws-ec2#/policy/types/rootVolumeEncryptionAtRestCustomerManagedKey" -# value = "arn:aws:kms:us-east-1:000000000000:alias/aws/ebs" ### key id, alias name or full ARN of alias/key -# } - -# AWS > EC2 > Volume > Approved -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/volumeApproved -resource "turbot_policy_setting" "ec2_volume_approved" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/volumeApproved" - value = "Check: Approved" -} - -# AWS > EC2 > Volume > Approved > Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/volumeEncryptionAtRest -resource "turbot_policy_setting" "ec2_volume_encryption" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/volumeEncryptionAtRest" - value = "AWS managed key or higher" -} - -# Enable if you want to check for existence of a specific kms 
key -# resource "turbot_policy_setting" "ec2_volume_encryption_kms_key" { -# resource = turbot_smart_folder.aws_encryption.id -# type = "tmod:@turbot/aws-ec2#/policy/types/volumeEncryptionAtRestCustomerManagedKey" -# value = "arn:aws:kms:us-east-1:000000000000:alias/aws/ebs" ### key id, alias name or full ARN of alias/key -# } - -# AWS > EC2 > Snapshot > Approved -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/snapshotApproved -resource "turbot_policy_setting" "ec2_snapshot_approved" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/snapshotApproved" - value = "Check: Approved" -} - -# AWS > EC2 > Snapshot > Approved > Encryption at Rest -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/snapshotEncryptionAtRest -resource "turbot_policy_setting" "ec2_snapshot_approved_encryption" { - resource = turbot_smart_folder.aws_encryption.id - type = "tmod:@turbot/aws-ec2#/policy/types/snapshotEncryptionAtRest" - value = "AWS managed key or higher" -} - -# Enable if you want to check for existance of a specific kms key - -# resource "turbot_policy_setting" "ec2_snapshot_encryption_kms_key" { -# resource = turbot_smart_folder.aws_encryption.id -# type = "tmod:@turbot/aws-ec2#/policy/types/snapshotEncryptionAtRestCustomerManagedKey" -# value = "arn:aws:kms:us-east-1:000000000000:alias/aws/ebs" ### key id, alias name or full ARN of alias/key -# } diff --git a/baselines/getting_started/aws/aws_check_encryption/efs_policies.tf b/baselines/getting_started/aws/aws_check_encryption/efs_policies.tf deleted file mode 100644 index 23ede10f2..000000000 --- a/baselines/getting_started/aws/aws_check_encryption/efs_policies.tf +++ /dev/null 
@@ -1,19 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > EFS > FileSystem > Approved
-# https://turbot.com/v5/mods/turbot/aws-efs/inspect#/policy/types/fileSystemApproved
-resource "turbot_policy_setting" "aws_efs_file_system_approved" {
- count = var.enable_efs_filesystem_approved_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-efs#/policy/types/fileSystemApproved"
- value = "Check: Approved"
-}
-
-# AWS > EFS > FileSystem > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-efs/inspect#/policy/types/fileSystemEncryptionAtRest
-resource "turbot_policy_setting" "aws_efs_file_system_encryption_at_rest" {
- count = var.enable_efs_filesystem_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-efs#/policy/types/fileSystemEncryptionAtRest"
- value = "AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/elasticsearch_policies.tf b/baselines/getting_started/aws/aws_check_encryption/elasticsearch_policies.tf
deleted file mode 100644
index 5d6a72282..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/elasticsearch_policies.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > Elasticsearch > Domain > Approved
-# https://turbot.com/v5/mods/turbot/aws-elasticsearch/inspect#/policy/types/domainApproved
-resource "turbot_policy_setting" "aws_elasticsearch_approved" {
- count = var.enable_elasticsearch_domain_approved_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-elasticsearch#/policy/types/domainApproved"
- value = "Check: Approved"
-}
-
-# AWS > Elasticsearch > Domain > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-elasticsearch/inspect#/policy/types/domainEncryptionAtRest
-resource "turbot_policy_setting" "aws_elasticsearch_encryption_at_rest" {
- count = var.enable_elasticsearch_domain_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-elasticsearch#/policy/types/domainEncryptionAtRest"
- value = "AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/kinesis_policies.tf b/baselines/getting_started/aws/aws_check_encryption/kinesis_policies.tf
deleted file mode 100644
index 830bba9d5..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/kinesis_policies.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Policies delete unapproved Streams that are unencrypted
-# Commented out since these services are not associated to the initial mod install list
-
-
-# resource "turbot_policy_setting" "aws_kinesis_stream_approved" {
-# resource = turbot_smart_folder.aws_encryption.id
-# type = "tmod:@turbot/aws-kinesis#/policy/types/streamApproved"
-# value = "Check: Approved"
-# }
-
-
-# resource "turbot_policy_setting" "aws_kinesis_approved_usage" {
-# resource = turbot_smart_folder.aws_encryption.id
-# type = "tmod:@turbot/aws-kinesis#/policy/types/streamApprovedUsage"
-# template_input = <<-QUERY
-# {
-# stream {
-# EncryptionType
-# KeyId
-# }
-# }
-# QUERY
-
-# # Nunjucks template evaluate metadata.
-# template = <<-TEMPLATE
-# {%- if $.stream.EncryptionType == "KMS" -%}
-# "Approved"
-# {%- else -%}
-# "Not approved"
-# {%- endif -%}
-# TEMPLATE
-# }
diff --git a/baselines/getting_started/aws/aws_check_encryption/kms_policies.tf b/baselines/getting_started/aws/aws_check_encryption/kms_policies.tf
deleted file mode 100644
index babfa3c67..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/kms_policies.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Related: KMS related to AWS CIS 2.08 Ensure rotation for customer created CMKs is enabled
-
-# AWS > KMS > Key > Rotation
-# https://turbot.com/v5/mods/turbot/aws-kms/inspect#/policy/types/keyRotation
-resource "turbot_policy_setting" "keyRotation" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-kms#/policy/types/keyRotation"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/lambda_policies.tf b/baselines/getting_started/aws/aws_check_encryption/lambda_policies.tf
deleted file mode 100644
index d0f43316f..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/lambda_policies.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > Lambda > Function > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-lambda/inspect#/policy/types/functionEncryptionAtRest
-resource "turbot_policy_setting" "lambda_function_ennvar_encryption_at_rest" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-lambda#/policy/types/functionEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/logs_policies.tf b/baselines/getting_started/aws/aws_check_encryption/logs_policies.tf
deleted file mode 100644
index 17b237e8d..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/logs_policies.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > Logs > Log Group > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-logs/inspect#/policy/types/logGroupEncryptionAtRest
-resource "turbot_policy_setting" "cloudwatch_logs_encryption_at_rest" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-logs#/policy/types/logGroupEncryptionAtRest"
- value = "Check: AWS SSE or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/outputs.tf b/baselines/getting_started/aws/aws_check_encryption/outputs.tf
deleted file mode 100644
index f8dc61af7..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/outputs.tf
+++ /dev/null
@@ -1,75 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "enable_backup_vault_approved_policies" {
- value = var.enable_backup_vault_approved_policies
-}
-
-output "enable_backup_vault_encryption_policies" {
- value = var.enable_backup_vault_encryption_policies
-}
-
-output "enable_dynamodb_table_encryption_policies" {
- value = var.enable_dynamodb_table_encryption_policies
-}
-
-output "enable_efs_filesystem_approved_policies" {
- value = var.enable_efs_filesystem_approved_policies
-}
-
-output "enable_efs_filesystem_encryption_policies" {
- value = var.enable_efs_filesystem_encryption_policies
-}
-
-output "enable_elasticsearch_domain_approved_policies" {
- value = var.enable_elasticsearch_domain_approved_policies
-}
-
-output "enable_elasticsearch_domain_encryption_policies" {
- value = var.enable_elasticsearch_domain_encryption_policies
-}
-
-output "enable_redshift_cluster_encryption_policies" {
- value = var.enable_redshift_cluster_encryption_policies
-}
-
-output "enable_rds_instance_approved_policies" {
- value = var.enable_rds_instance_approved_policies
-}
-
-output "enable_rds_instance_encryption_policies" {
- value = var.enable_rds_instance_encryption_policies
-}
-
-output "enable_rds_manualsnapshot_approved_policies" {
- value = var.enable_rds_manualsnapshot_approved_policies
-}
-
-output "enable_rds_manualsnapshot_encryption_policies" {
- value = var.enable_rds_manualsnapshot_encryption_policies
-}
-
-output "enable_ssm_parameter_encryption_policies" {
- value = var.enable_ssm_parameter_encryption_policies
-}
-
-output "enable_secretmanager_secret_encryption_policies" {
- value = var.enable_secretmanager_secret_encryption_policies
-}
-
-output "enable_sqs_queue_encryption_policies" {
- value = var.enable_sqs_queue_encryption_policies
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/providers.tf b/baselines/getting_started/aws/aws_check_encryption/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/rds_policies.tf b/baselines/getting_started/aws/aws_check_encryption/rds_policies.tf
deleted file mode 100644
index 971cd68ed..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/rds_policies.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > RDS > DB Instance > Approved
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbInstanceApproved
-resource "turbot_policy_setting" "db_instancce_approved" {
- count = var.enable_rds_instance_approved_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbInstanceApproved"
- value = "Check: Approved"
-}
-# AWS > RDS > DB Instance > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbInstanceEncryptionAtRest
-resource "turbot_policy_setting" "db_instance_approved_encryption" {
- count = var.enable_rds_instance_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbInstanceEncryptionAtRest"
- value = "AWS managed key or higher"
-}
-
-# AWS > RDS > DB Snapshot [Manual] > Approved
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbSnapshotManualEncryptionAtRest
-resource "turbot_policy_setting" "db_snapshot_approved" {
- count = var.enable_rds_manualsnapshot_approved_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualApproved"
- value = "Check: Approved"
-}
-
-# AWS > RDS > DB Instance > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbInstanceEncryptionAtRest
-resource "turbot_policy_setting" "db_snapshot_approved_encryption" {
- count = var.enable_rds_manualsnapshot_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualEncryptionAtRest"
- value = "AWS managed key or higher"
-}
-
diff --git a/baselines/getting_started/aws/aws_check_encryption/redshift_policies.tf b/baselines/getting_started/aws/aws_check_encryption/redshift_policies.tf
deleted file mode 100644
index cb89b83c1..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/redshift_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > Redshift > Cluster > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterEncryptionAtRest
-resource "turbot_policy_setting" "redshift_cluster_encryption_at_rest" {
- count = var.enable_redshift_cluster_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-redshift#/policy/types/clusterEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/s3_policies.tf b/baselines/getting_started/aws/aws_check_encryption/s3_policies.tf
deleted file mode 100644
index cdeee1084..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/s3_policies.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-# Encryption in Transit Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-in-transit
-
-# Encryption at Rest and In Transit. Also in the Encryption Baseline
-
-# AWS > S3 > Bucket > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketEncryptionAtRest
-resource "turbot_policy_setting" "s3_encryption_at_rest" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketEncryptionAtRest"
- value = "Check: AWS SSE or higher"
-}
-
-# AWS > S3 > Bucket > Encryption in Transit
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/encryptionInTransit
-resource "turbot_policy_setting" "s3_encryption_in_transit" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-s3#/policy/types/encryptionInTransit"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/secretmanager_policies.tf b/baselines/getting_started/aws/aws_check_encryption/secretmanager_policies.tf
deleted file mode 100644
index e5f06fa53..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/secretmanager_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > SSM > Parameter > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-ssm/inspect#/policy/types/ssmParameterEncryptionAtRest
-resource "turbot_policy_setting" "secrets_manager_encryption_at_rest" {
- count = var.enable_secretmanager_secret_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-secretsmanager#/policy/types/secretEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_encryption/smart_folder.tf b/baselines/getting_started/aws/aws_check_encryption/smart_folder.tf
deleted file mode 100644
index 714197787..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/smart_folder.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-
-resource "turbot_smart_folder" "aws_encryption" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_encryption/sns_policies.tf b/baselines/getting_started/aws/aws_check_encryption/sns_policies.tf
deleted file mode 100644
index 8b266cb80..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/sns_policies.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > SNS > Topic > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-sns/inspect#/policy/types/topicEncryptionAtRest
-resource "turbot_policy_setting" "aws_sns_topic_encrypted" {
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-sns#/policy/types/topicEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/sqs_policies.tf b/baselines/getting_started/aws/aws_check_encryption/sqs_policies.tf
deleted file mode 100644
index 3e2a0be81..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/sqs_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > SQS > Queue > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-sqs/inspect#/policy/types/queueEncryptionAtRest
-resource "turbot_policy_setting" "aws_sqs_queue_encrypted" {
- count = var.enable_sqs_queue_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-sqs#/policy/types/queueEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/ssm_policies.tf b/baselines/getting_started/aws/aws_check_encryption/ssm_policies.tf
deleted file mode 100644
index 42b3be0ca..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/ssm_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# AWS > SSM > Parameter > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-ssm/inspect#/policy/types/ssmParameterEncryptionAtRest
-resource "turbot_policy_setting" "aws_ssm_param_encryption_at_rest" {
- count = var.enable_ssm_parameter_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_encryption.id
- type = "tmod:@turbot/aws-ssm#/policy/types/ssmParameterEncryptionAtRest"
- value = "Check: AWS managed key or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_encryption/variables.tf b/baselines/getting_started/aws/aws_check_encryption/variables.tf
deleted file mode 100644
index b1910b500..000000000
--- a/baselines/getting_started/aws/aws_check_encryption/variables.tf
+++ /dev/null
@@ -1,117 +0,0 @@
-# Baseline Configuration
-
-variable "enable_backup_vault_approved_policies" {
- type = bool
- description = "Enable the Backup Vault approved policies for baseline"
- default = false
-}
-
-variable "enable_backup_vault_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on Backup Vault Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_dynamodb_table_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on DynamoDB Table Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_redshift_cluster_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on Redshift Cluster Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_ssm_parameter_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on SSM Parameter Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_secretmanager_secret_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on Secret Manager Secret Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_rds_instance_approved_policies" {
- type = bool
- description = "Enable the RDS Instance approved policies for baseline"
- default = false
-}
-
-variable "enable_rds_instance_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on RDS Instance Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_rds_manualsnapshot_approved_policies" {
- type = bool
- description = "Enable the RDS Instance approved policies for baseline"
- default = false
-}
-
-variable "enable_rds_manualsnapshot_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on RDS Manual Snapshot, by default this is disabled"
- default = false
-}
-
-variable "enable_efs_filesystem_approved_policies" {
- type = bool
- description = "Enable the EFS Filesystem approved policies for baseline"
- default = false
-}
-
-variable "enable_sqs_queue_encryption_policies" {
- type = bool
- description = "Enable the SQS Queue approved policies for baseline"
- default = false
-}
-
-variable "enable_efs_filesystem_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on EFS Filesystem Resources, by default this is disabled"
- default = false
-}
-
-variable "enable_elasticsearch_domain_approved_policies" {
- type = bool
- description = "Enable the Elasticsearch Domain approved policies for baseline"
- default = false
-}
-
-variable "enable_elasticsearch_domain_encryption_policies" {
- type = bool
- description = "Enabling will ensure encryption on Elasticsearch Domain Resources, by default this is disabled"
- default = false
-}
-
-# None
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "AWS Check Encryption Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the baseline AWS Check Encryption"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/README.md b/baselines/getting_started/aws/aws_check_iam/README.md
deleted file mode 100644
index 30760e6c8..000000000
--- a/baselines/getting_started/aws/aws_check_iam/README.md
+++ /dev/null
@@ -1,131 +0,0 @@
-# Baseline - AWS Check IAM Policies
-
-AWS Check IAM Policies focuses on enabling all IAM resources baseline policies. Some policies are enabled with industry standard best practices and some are enabled with check mode to validate.
-
-## Overview
-
-Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information.
-
-Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts.
-
-This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI.
-
-## Requirements
-
-- Terraform v0.13 or greater installed
-- Valid Turbot configuration credentials
-
-For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials).
-
-## Applying baseline
-
-The baseline is defined by a set of files which together define the configuration of the baseline.
-
-### Initialize baseline
-
-If not previously run, Initialize Terraform to get all necessary providers for the baseline.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform init
- ```
-### Profile name as input
-
-The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default.
-
-```shell
-var.turbot_profile
- Enter profile matching your turbot cli credentials.
- Enter a value:
-```
-
-### Deploying demo example
-
-1. Navigate to the folder of the baseline
-2. Initialize Terraform
-3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars)
-
-On the terminal this will look like:
-
-```shell
-cd
-terraform init
-terraform apply --var-file demo.tfvars
-```
-**Note** Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need.
-
-### Input variable files
-
-Input variable files allow for the user to configure configuration definitions for multiple environments in different files.
-
-This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars).
-
-It will be used to define which parts of the baseline to apply and which to ignore.
-
-The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file.
-
-Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html).
-
-### Apply baseline using input variable files
-
-If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform apply --var-file=demo.tfvars
- ```
-### Apply baseline without input variable file
-
-The baseline can be applied without an input variable file.
-
-1. By this time Terraform initialization is done as mentioned above.
-3. Prefer to check the outcome by running the Terraform plan
-3. Apply the Terraform
-4. Run the command:
-
-```shell
-cd
-terraform plan
-terraform apply
-```
-
-`This may prompt the user applying the baseline to enter values for variables that do not have default values.`
-
-### Destroy baseline without input variable file
-
-If seeking to apply the baseline without using an input variable file.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-### Destroy using input variable files
-
-If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy --var-file=demo.tfvars
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
diff --git a/baselines/getting_started/aws/aws_check_iam/access_key_rotation.tf b/baselines/getting_started/aws/aws_check_iam/access_key_rotation.tf
deleted file mode 100644
index 548f289ca..000000000
--- a/baselines/getting_started/aws/aws_check_iam/access_key_rotation.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-# IAM users must rotate keys every 90 days
-# Relates to AWS CIS 1.04 Ensure access keys are rotated every 90 days or less (Scored)
-
-
-# AWS > IAM > Access Key > Active
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accessKeyActive
-resource "turbot_policy_setting" "iam_user_access_key_active" {
- count = var.enable_iam_user_access_key_active ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accessKeyActive"
- value = "Check: Active"
-}
-
-
-# AWS > IAM > Access Key > Active > Age
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accessKeyActiveAge
-resource "turbot_policy_setting" "iam_user_access_key_active_age" {
- count = var.enable_iam_user_access_key_active_age ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accessKeyActiveAge"
- value = "Force inactive if age > 90 days"
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/account_password_policy.tf b/baselines/getting_started/aws/aws_check_iam/account_password_policy.tf
deleted file mode 100644
index 6da90ca60..000000000
--- a/baselines/getting_started/aws/aws_check_iam/account_password_policy.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-## IAM Account Password Policy CIS Controls
-
-#Enforces CIS 1.05 to 1.10 Account Password Policy Setting Conditions below
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettings
-resource "turbot_policy_setting" "account_Password_PolicySettings" {
- count = var.enable_account_password_policysettings ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettings"
- value = "Check: Configured"
-}
-
-#1.05 Ensure IAM password policy requires at least one uppercase letter (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsRequireUppercaseCharacters
-resource "turbot_policy_setting" "account_Password_PolicySettings_RequireUppercaseCharacters" {
- count = var.enable_account_password_policysettings_require_uppercasecharacters ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireUppercaseCharacters"
- value = "Enabled"
-}
-
-#1.06 Ensure IAM password policy require at least one lowercase letter (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsRequireLowercaseCharacters
-resource "turbot_policy_setting" "account_Password_PolicySettings_RequireLowercaseCharacters" {
- count = var.enable_account_password_policysettings_require_lowercasecharacters ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireLowercaseCharacters"
- value = "Enabled"
-}
-
-#1.07 Ensure IAM password policy require at least one symbol (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsRequireSymbols
-resource "turbot_policy_setting" "account_Password_PolicySettings_RequireSymbols" {
- count = var.enable_account_password_policysettings_requiresymbols ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireSymbols"
- value = "Enabled"
-}
-
-#1.08 Ensure IAM password policy require at least one number (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsRequireNumbers
-resource "turbot_policy_setting" "account_Password_PolicySettings_RequireNumbers" {
- count = var.enable_account_password_policysettings_requireNumbers ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsRequireNumbers"
- value = "Enabled"
-}
-
-#1.09 Ensure IAM password policy requires minimum length of 14 or greater (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsMinimumLength
-resource "turbot_policy_setting" "account_Password_PolicySettings_MinimumLength" {
- count = var.enable_account_password_policysettings_minimumLength ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMinimumLength"
- value = "14"
-}
-
-#1.10 Ensure IAM password policy prevents password reuse (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsReusePrevention
-resource "turbot_policy_setting" "account_Password_PolicySettings_ReusePrevention" {
- count = var.enable_account_password_policysettings_reuseprevention ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsReusePrevention"
- value = "24"
-}
-
-#1.11 Ensure IAM password policy expires passwords within 90 days or less (Scored)
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/accountPasswordPolicySettingsMaxAge
-resource "turbot_policy_setting" "account_Password_PolicySettings_MaxAge" {
- count = var.enable_account_password_policysettings_maxage ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/accountPasswordPolicySettingsMaxAge"
- value = "90"
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/demo.tfvars b/baselines/getting_started/aws/aws_check_iam/demo.tfvars
deleted file mode 100644
index 37a73e340..000000000
--- a/baselines/getting_started/aws/aws_check_iam/demo.tfvars
+++ /dev/null
@@ -1,11 +0,0 @@
-# See file, role_trust_policy.tf
-trusted_accounts = [
- "{{ $.account.Id }}", # Self - current AWS Account
- "287590803701", # Turbot SaaS US Prod
- "255798382450", # Turbot SaaS EU Account
- "525041748188", #Turbot SaaS Dev Account
-]
-
-# See file, role_trust_policy.tf
-enable_iam_role_policy_trusted_access = false
-enable_iam_role_trusted_accounts = false
diff --git a/baselines/getting_started/aws/aws_check_iam/deny_star_policy_stmt.tf b/baselines/getting_started/aws/aws_check_iam/deny_star_policy_stmt.tf
deleted file mode 100644
index 3e7dae4fb..000000000
--- a/baselines/getting_started/aws/aws_check_iam/deny_star_policy_stmt.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-# CHeck for * Access except for List/Get
-
-# AWS > IAM > Policy > Approved
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/iamPolicyApproved
-resource "turbot_policy_setting" "iam_policy_approved" {
- count = var.enable_iam_policy_approved ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/iamPolicyApproved"
- value = "Check: Approved"
- ## "Enforce: Delete unapproved if new"
-}
-
-# AWS > IAM > Policy > Approved > Usage
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/iamPolicyApprovedUsage
-resource "turbot_policy_setting" "iam_policy_approved_statements" {
- count = var.enable_iam_policy_approved_statements ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/iamPolicyApprovedUsage"
- # GraphQL to pull policy Statements
- template_input = <<-QUERY
- {
- policy: resource {
- statements: get(path: "PolicyVersion.Document.Statement")
- }
- }
-QUERY
-
- # Nunjucks template to set usage approval based on policy content
- template = <<-TEMPLATE
- {%- set anyStar = r/\*/g -%}
- {%- set goodStar = r/(Get|List)\*/g -%}
- {%- set approved = true -%}
- {%- for statement in $.policy.statements -%}
- {%- set actions_string = statement.Action | string -%}
- {%- set actions = actions_string.split(",") -%}
- {%- for action in actions -%}
- {%- if anyStar.test(action) -%}
- {%- if not goodStar.test(action) -%}
- {%- set approved = false -%}
- {%- endif -%}
- {%- endif -%}
- {%- endfor -%}
- {%- endfor -%}
- {%- if approved -%}
- "Approved"
- {%- else -%}
- "Not approved"
- {%- endif -%}
-TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/group_inline_star_policy_stmt.tf b/baselines/getting_started/aws/aws_check_iam/group_inline_star_policy_stmt.tf
deleted file mode 100644
index b0ed7170c..000000000
--- a/baselines/getting_started/aws/aws_check_iam/group_inline_star_policy_stmt.tf
+++ /dev/null
@@ -1,23 +0,0 @@ -# Check IAM Group inline policy for AdministratorAccess - -# AWS > IAM > Group > Inline Policy > Statements > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/groupInlinePolicyStatementsApproved -resource "turbot_policy_setting" "iam_group_inline_policy_approved" { - count = var.enable_iam_group_inline_policy_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApproved" - value = "Check: Approved" - ## "Enforce: Delete Unapproved" -} - -# AWS > IAM > Group > Inline Policy > Statements > Approved > Administrator Access -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/groupInlinePolicyStatementsApprovedAdminAccess -resource "turbot_policy_setting" "iam_group_inline_policy_approved_admin_access" { - count = var.enable_iam_group_inline_policy_approved_admin_access ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/groupInlinePolicyStatementsApprovedAdminAccess" - value = < IAM > Group > Policy Attachments > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/groupPolicyAttachmentsApproved -resource "turbot_policy_setting" "aws_iam_group_policy_attachement_approved" { - count = var.enable_aws_iam_group_policy_attachement_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApproved" - value = "Check: Approved" - ## "Enforce: Delete unapproved" -} - -# Identify policy names that are unapproved -# AWS > IAM > Group > Policy Attachments > Approved > Rules -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/groupPolicyAttachmentsApprovedRules -resource "turbot_policy_setting" "aws_iam_group_policy_attachement_rules" { - count = var.enable_aws_iam_group_policy_attachement_rules ? 
1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/groupPolicyAttachmentsApprovedRules"
- value = <<-POLICY
- REJECT $.PolicyName:/^.+FullAccess.*$/
- REJECT $.PolicyName:AdministratorAccess
- APPROVE *
- POLICY
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/output.tf b/baselines/getting_started/aws/aws_check_iam/output.tf
deleted file mode 100644
index 3ae38c74b..000000000
--- a/baselines/getting_started/aws/aws_check_iam/output.tf
+++ /dev/null
@@ -1,130 +0,0 @@
-output "enable_iam_user_access_key_active" {
- value = var.enable_iam_user_access_key_active
-}
-
-output "enable_iam_user_access_key_active_age" {
- value = var.enable_iam_user_access_key_active_age
-}
-
-output "enable_account_password_policysettings" {
- value = var.enable_account_password_policysettings
-}
-
-output "enable_account_password_policysettings_require_uppercasecharacters" {
- value = var.enable_account_password_policysettings_require_uppercasecharacters
-}
-
-output "enable_account_password_policysettings_require_lowercasecharacters" {
- value = var.enable_account_password_policysettings_require_lowercasecharacters
-}
-
-output "enable_account_password_policysettings_requiresymbols" {
- value = var.enable_account_password_policysettings_requiresymbols
-}
-
-output "enable_account_password_policysettings_requireNumbers" {
- value = var.enable_account_password_policysettings_requireNumbers
-}
-
-output "enable_account_password_policysettings_minimumLength" {
- value = var.enable_account_password_policysettings_minimumLength
-}
-
-output "enable_account_password_policysettings_reuseprevention" {
- value = var.enable_account_password_policysettings_reuseprevention
-}
-
-output "enable_account_password_policysettings_maxage" {
- value = var.enable_account_password_policysettings_maxage
-}
-
-output "enable_iam_policy_approved" {
- value = var.enable_iam_policy_approved
-}
-
-output "enable_iam_policy_approved_statements" {
- value = var.enable_iam_policy_approved_statements
-}
-
-output "enable_iam_group_inline_policy_approved" {
- value = var.enable_iam_group_inline_policy_approved
-}
-
-output "enable_iam_group_inline_policy_approved_admin_access" {
- value = var.enable_iam_group_inline_policy_approved_admin_access
-}
-
-output "enable_aws_iam_group_policy_attachement_approved" {
- value = var.enable_aws_iam_group_policy_attachement_approved
-}
-
-output "enable_aws_iam_group_policy_attachement_rules" {
- value =
var.enable_aws_iam_group_policy_attachement_rules
-}
-
-output "enable_iam_role_inline_policy_approved" {
- value = var.enable_iam_role_inline_policy_approved
-}
-
-output "enable_iam_role_inline_policy_approved_admin_access" {
- value = var.enable_iam_role_inline_policy_approved_admin_access
-}
-
-output "enable_iam_role_policy_attachement_approved" {
- value = var.enable_iam_role_policy_attachement_approved
-}
-
-output "enable_iam_role_policy_attachement_rules" {
- value = var.enable_iam_role_policy_attachement_rules
-}
-
-output "enable_iam_role_policy_trusted_access" {
- value = var.enable_iam_role_policy_trusted_access
-}
-
-output "enable_iam_role_trusted_accounts" {
- value = var.enable_iam_role_trusted_accounts
-}
-
-output "enable_iam_user_inline_policy_approved" {
- value = var.enable_iam_user_inline_policy_approved
-}
-
-output "enable_iam_user_inline_policy_approved_admin_access" {
- value = var.enable_iam_user_inline_policy_approved_admin_access
-}
-
-output "enable_iam_user_mfa_approved" {
- value = var.enable_iam_user_mfa_approved
-}
-
-output "enable_iam_user_mfa_approved_usage" {
- value = var.enable_iam_user_mfa_approved_usage
-}
-
-output "enable_aws_iam_user_policy_attachement_approved" {
- value = var.enable_aws_iam_user_policy_attachement_approved
-}
-
-output "enable_aws_iam_user_policy_attachement_rules" {
- value = var.enable_aws_iam_user_policy_attachement_rules
-}
-
-
-# Turbot profile and smart folder
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/provider.tf b/baselines/getting_started/aws/aws_check_iam/provider.tf
deleted file mode 100644
index 6c39803db..000000000
--- a/baselines/getting_started/aws/aws_check_iam/provider.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
-
diff --git a/baselines/getting_started/aws/aws_check_iam/role_inline_star_policy_stmt.tf b/baselines/getting_started/aws/aws_check_iam/role_inline_star_policy_stmt.tf
deleted file mode 100644
index cb1ac1a50..000000000
--- a/baselines/getting_started/aws/aws_check_iam/role_inline_star_policy_stmt.tf
+++ /dev/null
@@ -1,23 +0,0 @@ -# Check IAM Role inline policy for AdministratorAccess - -# AWS > IAM > Role > Inline Policy > Statements > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/roleInlinePolicyStatementsApproved -resource "turbot_policy_setting" "iam_role_inline_policy_approved" { - count = var.enable_iam_role_inline_policy_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApproved" - value = "Check: Approved" - ## "Enforce: Delete Unapproved" -} - -# AWS > IAM > Role > Inline Policy > Statements > Approved > Administrator Access -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/roleInlinePolicyStatementsApprovedAdminAccess -resource "turbot_policy_setting" "iam_role_inline_policy_approved_admin_access" { - count = var.enable_iam_role_inline_policy_approved_admin_access ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/roleInlinePolicyStatementsApprovedAdminAccess" - value = < IAM > Role > Policy Attachments > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/rolePolicyAttachmentsApproved -resource "turbot_policy_setting" "iam_role_policy_attachement_approved" { - count = var.enable_iam_role_policy_attachement_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentsApproved" - value = "Check: Approved" - ## "Enforce: Delete unapproved" -} - -# Identify policy names that are unapproved -# AWS > IAM > Role > Policy Attachments > Approved > Rules -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/rolePolicyAttachmentsApprovedRules -resource "turbot_policy_setting" "iam_role_policy_attachement_rules" { - count = var.enable_iam_role_policy_attachement_rules ? 
1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/rolePolicyAttachmentsApprovedRules"
- value = <<-POLICY
- REJECT $.PolicyName:/^.+FullAccess.*$/
- REJECT $.PolicyName:AdministratorAccess
- APPROVE *
- POLICY
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/role_trust_policy.tf b/baselines/getting_started/aws/aws_check_iam/role_trust_policy.tf
deleted file mode 100644
index 1b49a0f6b..000000000
--- a/baselines/getting_started/aws/aws_check_iam/role_trust_policy.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-# IAM Roles trusted only to Trusted Accounts defined in Public Access Baseline
-# AWS > IAM > Role > Policy > Trusted Access
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/rolePolicyTrustedAccess
-resource "turbot_policy_setting" "iam_role_policy_trusted_access" {
- count = var.enable_iam_role_policy_trusted_access ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedAccess"
- value = "Check: Trusted Access"
- ## "Enforce: Revoke untrusted access"
-}
-
-# ## Already Set globally in the Public Access Smart Folder Baseline, commenting out incase needed to enable here
-# #List of Trusted Accounts for cross-account roles
-# AWS > IAM > Role > Policy > Trusted Access > Accounts
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/rolePolicyTrustedAccounts
-resource "turbot_policy_setting" "iam_role_trusted_accounts" {
- count = var.enable_iam_role_trusted_accounts ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/rolePolicyTrustedAccounts"
- # GraphQL to pull current account info and list other accounts
- template_input = <<-QUERY
- {
- account{
- Id
- }
- }
-QUERY
-
- # set trustedAccounts from terraform.tfvars
- template = <<-TEMPLATE
- ${yamlencode([for account in var.trusted_accounts : account])}
- TEMPLATE
-}
-
-# AWS > IAM > Role > Trust Relationship Statements [Deprecated] > Approved [Deprecated] > Rules [Deprecated]
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/trustRelationshipStatementsApprovedRules
-# resource "turbot_policy_setting" "iam_role_trusted_accounts_rules" {
-# count = var.enable_iam_role_trusted_accounts_rules ?
1 : 0
-# resource = turbot_smart_folder.aws_iam.id
-# type = "tmod:@turbot/aws-iam#/policy/types/trustRelationshipStatementsApprovedRules"
-# value = <<-VALUE
-# APPROVE $.AssumeRolePolicyDocument.Statement.*.Action:null
-# APPROVE !$.AssumeRolePolicyDocument.Statement.*.Condition.StringEquals.'sts:ExternalId':null
-# REJECT *
-# VALUE
-# }
-
-
-# Removing from standard baseline to simplify just for trusted access
-# OCL Rules for approval
-# List of Trusted Accounts for cross-account roles
-# Stmt 1: APPROVE Trust Relationships without STS Assume Role
-# Stmt 2: APPROVE Trust Relationships with STS AND External ID
-# Stmt 3: REJECT all others
-
-
-
diff --git a/baselines/getting_started/aws/aws_check_iam/smart_folder.tf b/baselines/getting_started/aws/aws_check_iam/smart_folder.tf
deleted file mode 100644
index a1cc4074c..000000000
--- a/baselines/getting_started/aws/aws_check_iam/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_iam" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/user_inline_star_policy_stmt.tf b/baselines/getting_started/aws/aws_check_iam/user_inline_star_policy_stmt.tf
deleted file mode 100644
index 91fa7b114..000000000
--- a/baselines/getting_started/aws/aws_check_iam/user_inline_star_policy_stmt.tf
+++ /dev/null
@@ -1,23 +0,0 @@ -# Check IAM User inline policy for AdministratorAccess -# AWS > IAM > User > Inline Policy > Statements > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userInlinePolicyStatementsApproved - -resource "turbot_policy_setting" "iam_user_inline_policy_approved" { - count = var.enable_iam_user_inline_policy_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApproved" - value = "Check: Approved" - ## "Enforce: Delete Unapproved" -} - -# AWS > IAM > Role > Policy Attachments > Approved > Administrator Access -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userInlinePolicyStatementsApprovedAdminAccess -resource "turbot_policy_setting" "iam_user_inline_policy_approved_admin_access" { - count = var.enable_iam_user_inline_policy_approved_admin_access ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/userInlinePolicyStatementsApprovedAdminAccess" - value = < IAM > User > Approved -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userApproved -resource "turbot_policy_setting" "iam_user_mfa_approved" { - count = var.enable_iam_user_mfa_approved ? 1 : 0 - resource = turbot_smart_folder.aws_iam.id - type = "tmod:@turbot/aws-iam#/policy/types/userApproved" - value = "Check: Approved" -} - -# AWS > IAM > User > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userApprovedUsage -resource "turbot_policy_setting" "iam_user_mfa_approved_usage" { - count = var.enable_iam_user_mfa_approved_usage ? 
1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/userApprovedUsage"
- # GraphQL to pull info from IAM User and MFA virtual keys
- template_input = <<-QUERY
- {
- user{
- Arn
- UserName
- }
- resources(filter:"resourceType:'tmod:@turbot/aws-iam#/resource/types/mfaVirtual'") {
- items {
- usertest: get(path:"User.UserName")
- trunk {
- title
- }
- }
- }
- }
-QUERY
- # Nunjucks template to set usage approval based on user and MFA key matching
- template = <<-TEMPLATE
- {%- set matches = false -%}
- {%- for v in $.resources.items -%}
- {%- if v.usertest == $.user.UserName -%}
- {%- set matches = true -%}
- {%- endif -%}
- {%- endfor -%}
- {%- if matches -%}
- "Approved"
- {%- else -%}
- "Not approved"
- {%- endif -%}
-TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/user_policy_attachment.tf b/baselines/getting_started/aws/aws_check_iam/user_policy_attachment.tf
deleted file mode 100644
index a97338da5..000000000
--- a/baselines/getting_started/aws/aws_check_iam/user_policy_attachment.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Check unapproved IAM User policy attachments based on name (e.g. FullAccess)
-
-## Set policy to check unapproved policy attachments
-# AWS > IAM > User > Policy Attachments > Approved
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userPolicyAttachmentsApproved
-resource "turbot_policy_setting" "aws_iam_user_policy_attachement_approved" {
- count = var.enable_aws_iam_user_policy_attachement_approved ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentsApproved"
- value = "Check: Approved"
- ## "Enforce: Delete unapproved"
-}
-
-# Identify policy names that are unapproved
-# AWS > IAM > User > Policy Attachments > Approved > Rules
-# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/userPolicyAttachmentsApprovedRules
-resource "turbot_policy_setting" "aws_iam_user_policy_attachement_rules" {
- count = var.enable_aws_iam_user_policy_attachement_rules ? 1 : 0
- resource = turbot_smart_folder.aws_iam.id
- type = "tmod:@turbot/aws-iam#/policy/types/userPolicyAttachmentsApprovedRules"
- value = <<-POLICY
- REJECT $.PolicyName:/^.+FullAccess.*$/
- REJECT $.PolicyName:AdministratorAccess
- APPROVE *
- POLICY
-}
diff --git a/baselines/getting_started/aws/aws_check_iam/variable.tf b/baselines/getting_started/aws/aws_check_iam/variable.tf
deleted file mode 100644
index 8fb43d46c..000000000
--- a/baselines/getting_started/aws/aws_check_iam/variable.tf
+++ /dev/null
@@ -1,198 +0,0 @@
-
-# Baseline Configuration
-variable "trusted_accounts" {
- type = list(string)
- default = []
-}
-
-variable "enable_iam_user_access_key_active" {
- type = bool
- description = "Enable the IAM user access key policies for baseline"
- default = true
-}
-
-variable "enable_iam_user_access_key_active_age" {
- type = bool
- description = "Enable the IAM user access key age policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings" {
- type = bool
- description = "Enable the IAM user account password policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_require_uppercasecharacters" {
- type = bool
- description = "Enable the IAM user account password uppercase character policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_require_lowercasecharacters" {
- type = bool
- description = "Enable the IAM user account password lowercase character policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_requiresymbols" {
- type = bool
- description = "Enable the IAM user account password symbol setting policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_requireNumbers" {
- type = bool
- description = "Enable the IAM user account password number setting policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_minimumLength" {
- type = bool
- description = "Enable the IAM user account password number setting policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_reuseprevention" {
- type = bool
- description = "Enable the IAM user account password reuse setting policies for baseline"
- default = true
-}
-
-variable "enable_account_password_policysettings_maxage" {
- type = bool
- description = "Enable the IAM user account password maximum age setting policies for baseline"
- default =
true
-}
-
-variable "enable_iam_policy_approved" {
- type = bool
- description = "Enable the IAM approved policies for baseline"
- default = true
-}
-
-variable "enable_iam_policy_approved_statements" {
- type = bool
- description = "Enable the IAM approved statement policies for baseline"
- default = true
-}
-
-variable "enable_iam_group_inline_policy_approved" {
- type = bool
- description = "Enable the IAM group inline policies for baseline"
- default = true
-}
-
-variable "enable_iam_group_inline_policy_approved_admin_access" {
- type = bool
- description = "Enable the IAM group inline admin access policies for baseline"
- default = true
-}
-
-variable "enable_aws_iam_group_policy_attachement_approved" {
- type = bool
- description = "Enable the IAM group attachment policies for baseline"
- default = true
-}
-
-variable "enable_aws_iam_group_policy_attachement_rules" {
- type = bool
- description = "Enable the IAM group attachment rules policies for baseline"
- default = true
-}
-
-variable "enable_iam_role_inline_policy_approved" {
- type = bool
- description = "Enable the IAM role inline policies for baseline"
- default = true
-}
-
-variable "enable_iam_role_inline_policy_approved_admin_access" {
- type = bool
- description = "Enable the IAM approved statement policies for baseline"
- default = true
-}
-
-variable "enable_iam_role_policy_attachement_approved" {
- type = bool
- description = "Enable the IAM role policy attachment for baseline"
- default = true
-}
-
-variable "enable_iam_role_policy_attachement_rules" {
- type = bool
- description = "Enable the IAM role policy attachment rules for baseline"
- default = true
-}
-
-variable "enable_iam_role_policy_trusted_access" {
- type = bool
- description = "Enable the IAM role policy trusted access for baseline"
- default = false
-}
-
-variable "enable_iam_role_trusted_accounts" {
- type = bool
- description = "Enable the IAM role policy trusted account for baseline"
- default = false
-}
-
-variable
"enable_iam_user_inline_policy_approved" {
- type = bool
- description = "Enable the IAM user inline policy for baseline"
- default = true
-}
-
-variable "enable_iam_user_inline_policy_approved_admin_access" {
- type = bool
- description = "Enable the IAM user inline policy admin access for baseline"
- default = true
-}
-
-variable "enable_iam_user_mfa_approved" {
- type = bool
- description = "Enable the IAM user mfa approved policy for baseline"
- default = true
-}
-
-variable "enable_iam_user_mfa_approved_usage" {
- type = bool
- description = "Enable the IAM user mfa approved usage policy for baseline"
- default = true
-}
-
-variable "enable_aws_iam_user_policy_attachement_approved" {
- type = bool
- description = "Enable the IAM user approved policy attachment for baseline"
- default = true
-}
-
-variable "enable_aws_iam_user_policy_attachement_rules" {
- type = bool
- description = "Enable the IAM user policy attachment for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "AWS Check IAM Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the AWS check S3 baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/aws/aws_check_logging/README.md b/baselines/getting_started/aws/aws_check_logging/README.md
deleted file mode 100644
index 6595d3af5..000000000
--- a/baselines/getting_started/aws/aws_check_logging/README.md
+++ /dev/null
@@ -1,137 +0,0 @@ -# Baseline - AWS Check Logging Policies - -AWS Check Logging Policies focuses on setting various logging policies in some most used services. - -Turbot AWS Logging Configurations to automatically setup Flow Logs, Config Recording, Global Trail. Optional if you are using Turbot to enforce the configuration - -More info - -- [Audit Logging Guardrails](https://turbot.com/v5/docs/concepts/guardrails/audit-logging) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. 
Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_logging/cloudtrail_policies.tf b/baselines/getting_started/aws/aws_check_logging/cloudtrail_policies.tf deleted file mode 100644 index fcf1bbd31..000000000 --- a/baselines/getting_started/aws/aws_check_logging/cloudtrail_policies.tf +++ /dev/null 
@@ -1,54 +0,0 @@
-# AWS CloudTrail Global Trail can be setup by Turbot
-# more info: https://turbot.com/v5/docs/integrations/aws/event-handlers#configuring-cloudtrail
-
-# You are not required to use the Turbot Audit Trail to configure CloudTrail in order to configure Turbot real time events
-# But there must be a CloudTrail configured in each region.
-# AWS > Turbot > Audit Trail
-
-# resource "turbot_policy_setting" "auditTrail" {
-# resource = turbot_smart_folder.aws_logging.id
-# type = "tmod:@turbot/aws#/policy/types/auditTrail"
-# value = "Check: Configured"
-# Skip
-# Check: Configured
-# Check: Not configured
-# Enforce: Configured
-# Enforce: Not configured
-# }
-
-# CloudTrail Best Practices
-
-# Related to AWS CIS 2.02 Ensure CloudTrail log file validation is enabled (Scored)
-# https://turbot.com/v5/mods/turbot/aws-cloudtrail/inspect#/policy/types/trailLogFileValidation
-resource "turbot_policy_setting" "aws_cloudtrail_trail_log_validation" {
- count = var.enable_cloudtrail_trail_log_validation ? 1 : 0
- resource = turbot_smart_folder.aws_logging.id
- type = "tmod:@turbot/aws-cloudtrail#/policy/types/trailLogFileValidation"
- value = "Check: Enabled"
-}
-
-# Trail Status Check
-# https://turbot.com/v5/mods/turbot/aws-cloudtrail/inspect#/policy/types/trailStatus
-resource "turbot_policy_setting" "aws_cloudtrail_trail_status" {
- count = var.enable_cloudtrail_trail_status ? 1 : 0
- resource = turbot_smart_folder.aws_logging.id
- type = "tmod:@turbot/aws-cloudtrail#/policy/types/trailStatus"
- value = "Check: No delivery errors"
-}
-
-# Trail Encryption
-# https://turbot.com/v5/mods/turbot/aws-cloudtrail/inspect#/policy/types/trailEncryptionAtRest
-resource "turbot_policy_setting" "aws_cloudtrail_trail_encryption_at_rest" {
- count = var.enable_cloudtrail_trail_encryption ?
1 : 0
- resource = turbot_smart_folder.aws_logging.id
- type = "tmod:@turbot/aws-cloudtrail#/policy/types/trailEncryptionAtRest"
- value = "Check: Customer managed key"
- # "Skip"
- # "Check: None"
- # "Check: None or higher"
- # "Check: Customer managed key"
- # "Check: Encryption at Rest > Customer Managed Key"
- # "Enforce: None"
- # "Enforce: Customer managed key"
- # "Enforce: Encryption at Rest > Customer Managed Key"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_check_logging/config_policies.tf b/baselines/getting_started/aws/aws_check_logging/config_policies.tf
deleted file mode 100644
index 5a1b8f0ae..000000000
--- a/baselines/getting_started/aws/aws_check_logging/config_policies.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-# AWS Config Recording setup by Turbot
-# Commented out since it will always error without Turbot Enforcing its own configs
-# 2.05 Ensure AWS Config is enabled in all regions (Scored)
-
-# AWS > Config > Configuration Recording
-# https://turbot.com/v5/mods/turbot/aws-config/inspect#/policy/types/configurationRecording
-resource "turbot_policy_setting" "configurationRecording" {
- count = var.enable_configuration_recording ? 1 : 0
- resource = turbot_smart_folder.aws_logging.id
- type = "tmod:@turbot/aws-config#/policy/types/configurationRecording"
- value = "Check: Configured"
- # Skip
- # Check: Configured
- # Check: Not Configured
- # Enforce: Configured
- # Enforce: Not Configured
-}
-
diff --git a/baselines/getting_started/aws/aws_check_logging/demo.tfvars b/baselines/getting_started/aws/aws_check_logging/demo.tfvars
deleted file mode 100644
index f878aef70..000000000
--- a/baselines/getting_started/aws/aws_check_logging/demo.tfvars
+++ /dev/null
@@ -1,10 +0,0 @@ -# See file, redshift_cluster.tf -enable_redshift_cluster_access_logging = false -enable_redshift_cluster_user_logging = false -enable_aws_s3_bucket_access_logging = true - -# See file, config_policies.tf -enable_configuration_recording = false - -# See file, vpc_policies.tf -enable_aws_vpc_flowlogging = false \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_logging/loadbalancer_policies.tf b/baselines/getting_started/aws/aws_check_logging/loadbalancer_policies.tf deleted file mode 100644 index 6271ff468..000000000 --- a/baselines/getting_started/aws/aws_check_logging/loadbalancer_policies.tf +++ /dev/null @@ -1,26 +0,0 @@ -# Application Load Balancer (ALB) Access Logging Check -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/applicationLoadBalancerAccessLogging -resource "turbot_policy_setting" "aws_alb_access_logging" { - count = var.enable_alb_access_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerAccessLogging" - value = "Check: Enabled" -} - -# Classic Load Balancer (ELB) Access Logging Check -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/classicLoadBalancerAccessLogging -resource "turbot_policy_setting" "aws_elb_access_logging" { - count = var.enable_elb_access_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerAccessLogging" - value = "Check: Enabled" -} - -# Network Load Balancer (NLB) Access Logging Check -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/networkLoadBalancerAccessLogging -resource "turbot_policy_setting" "aws_nlb_access_logging" { - count = var.enable_nlb_access_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerAccessLogging" - value = "Check: Enabled" -} 
diff --git a/baselines/getting_started/aws/aws_check_logging/output.tf b/baselines/getting_started/aws/aws_check_logging/output.tf deleted file mode 100644 index 67b510a33..000000000 --- a/baselines/getting_started/aws/aws_check_logging/output.tf +++ /dev/null @@ -1,61 +0,0 @@ -output "enable_cloudtrail_trail_log_validation" { - value = var.enable_cloudtrail_trail_log_validation -} - -output "enable_cloudtrail_trail_status" { - value = var.enable_cloudtrail_trail_status -} - -output "enable_cloudtrail_trail_encryption" { - value = var.enable_cloudtrail_trail_encryption -} - -output "enable_alb_access_logging" { - value = var.enable_alb_access_logging -} - -output "enable_elb_access_logging" { - value = var.enable_elb_access_logging -} - -output "enable_nlb_access_logging" { - value = var.enable_elb_access_logging -} - -output "enable_redshift_cluster_access_logging" { - value = var.enable_redshift_cluster_access_logging -} - -output "enable_redshift_cluster_user_logging" { - value = var.enable_redshift_cluster_user_logging -} - -output "enable_aws_s3_bucket_access_logging" { - value = var.enable_aws_s3_bucket_access_logging -} - -output "enable_configuration_recording" { - value = var.enable_configuration_recording -} - -output "enable_aws_vpc_flowlogging" { - value = var.enable_aws_vpc_flowlogging -} - -# Turbot profile and smart folder - -output "turbot_profile" { - value = var.turbot_profile -} - -output "smart_folder_name" { - value = var.smart_folder_name -} - -output "smart_folder_description" { - value = var.smart_folder_description -} - -output "smart_folder_parent_resource" { - value = var.smart_folder_parent_resource -} diff --git a/baselines/getting_started/aws/aws_check_logging/provider.tf b/baselines/getting_started/aws/aws_check_logging/provider.tf deleted file mode 100644 index 715fb0f92..000000000 --- a/baselines/getting_started/aws/aws_check_logging/provider.tf +++ /dev/null 
@@ -1,12 +0,0 @@ -terraform { - required_providers { - turbot = { - source = "turbot/turbot" - } - } - required_version = ">= 0.13" -} - -provider "turbot" { - profile = var.turbot_profile -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_logging/redshift_policies.tf b/baselines/getting_started/aws/aws_check_logging/redshift_policies.tf deleted file mode 100644 index bdfd27f4b..000000000 --- a/baselines/getting_started/aws/aws_check_logging/redshift_policies.tf +++ /dev/null @@ -1,29 +0,0 @@ -# AWS Logging Policies for various services -# More Info: https://turbot.com/v5/docs/concepts/guardrails/audit-logging - -# Policy Settings: -# Skip -# Check: Disabled -# Check: Enabled -# Check: Enabled to Audit Logging > Bucket -# Enforce: Disabled -# Enforce: Enabled to Audit Logging > Bucket - - -# AWS > Redshift > Cluster > Audit Logging -# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterAuditLogging -resource "turbot_policy_setting" "aws_redshift_cluster_access_logging" { - count = var.enable_redshift_cluster_access_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-redshift#/policy/types/clusterAuditLogging" - value = "Check: Enabled" -} - -# AWS > Redshift > Cluster > Audit Logging > User Activity Logging -# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterAuditLoggingUserActivityLogging -resource "turbot_policy_setting" "aws_redshift_cluster_user_activity_logging" { - count = var.enable_redshift_cluster_user_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-redshift#/policy/types/clusterAuditLoggingUserActivityLogging" - value = "Enabled" -} diff --git a/baselines/getting_started/aws/aws_check_logging/s3_policies.tf b/baselines/getting_started/aws/aws_check_logging/s3_policies.tf deleted file mode 100644 index 38543ca90..000000000 
--- a/baselines/getting_started/aws/aws_check_logging/s3_policies.tf +++ /dev/null @@ -1,9 +0,0 @@ -# S3 Bucket Access Logging Check -# AWS > S3 > Bucket > Access Logging -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketAccessLogging -resource "turbot_policy_setting" "aws_s3_bucket_access_logging" { - count = var.enable_aws_s3_bucket_access_logging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketAccessLogging" - value = "Check: Enabled" -} diff --git a/baselines/getting_started/aws/aws_check_logging/smart_folder.tf b/baselines/getting_started/aws/aws_check_logging/smart_folder.tf deleted file mode 100644 index 851f85f27..000000000 --- a/baselines/getting_started/aws/aws_check_logging/smart_folder.tf +++ /dev/null @@ -1,6 +0,0 @@ - -resource "turbot_smart_folder" "aws_logging" { - parent = var.smart_folder_parent_resource - title = var.smart_folder_name - description = var.smart_folder_description -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_logging/variable.tf b/baselines/getting_started/aws/aws_check_logging/variable.tf deleted file mode 100644 index 4d09ce329..000000000 --- a/baselines/getting_started/aws/aws_check_logging/variable.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -variable "enable_configuration_recording" { - type = bool - description = "Enable the Configuration Recording policies for baseline" - default = false -} - -variable "enable_aws_vpc_flowlogging" { - type = bool - description = "Enable the Configuration Recording policies for baseline" - default = false -} - -variable "enable_cloudtrail_trail_log_validation" { - type = bool - description = "Enable the Cloudtrail logfile validation policies for baseline" - default = true -} - -variable "enable_cloudtrail_trail_status" { - type = bool - description = "Enable the Cloudtrail status policies for baseline" - default = true -} - -variable "enable_cloudtrail_trail_encryption" { - type = bool - description = "Enable the Cloudtrail trail encryption policies for baseline" - default = true -} - -variable "enable_alb_access_logging" { - type = bool - description = "Enable the Application loadbalancer access logging policies for baseline" - default = true -} - -variable "enable_elb_access_logging" { - type = bool - description = "Enable the Classic loadbalancer access logging policies for baseline" - default = true -} - -variable "enable_nlb_access_logging" { - type = bool - description = "Enable the Network loadbalancer access logging policies for baseline" - default = true -} - -variable "enable_redshift_cluster_access_logging" { - type = bool - description = "Enable the Redshift cluster access logging policies for baseline" - default = false -} - -variable "enable_redshift_cluster_user_logging" { - type = bool - description = "Enable the Redshift cluster access logging policies for baseline" - default = false -} - -variable "enable_aws_s3_bucket_access_logging" { - type = bool - description = "Enable the Redshift cluster access logging policies for baseline" - default = false -} - -# Optional Common Baseline Configuration - -variable "turbot_profile" { - description = "Enter profile matching your turbot cli credentials." 
-} - -variable "smart_folder_name" { - description = "Smart folder name for the baseline" - type = string - default = "AWS Check Logging Policies" -} - -variable "smart_folder_description" { - description = "Enter a description for the smart folder" - type = string - default = "Defines sets of policies for the AWS check logging baseline" -} - -variable "smart_folder_parent_resource" { - description = "Enter the resource ID or AKA for the parent of the smart folder" - type = string - default = "tmod:@turbot/turbot#/" -} diff --git a/baselines/getting_started/aws/aws_check_logging/vpc_policies.tf b/baselines/getting_started/aws/aws_check_logging/vpc_policies.tf deleted file mode 100644 index 169f05490..000000000 --- a/baselines/getting_started/aws/aws_check_logging/vpc_policies.tf +++ /dev/null @@ -1,17 +0,0 @@ -# AWS VPC Flow Logs Setup by Turbot -# Commented out since it will always error without Turbot Enforcing its own configs -# 2.09 Ensure VPC flow logging is enabled in all VPCs (Scored) - -# AWS > VPC > VPC > Flow Logging -# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/vpcFlowLogging -resource "turbot_policy_setting" "vpcFlowLogging" { - count = var.enable_aws_vpc_flowlogging ? 1 : 0 - resource = turbot_smart_folder.aws_logging.id - type = "tmod:@turbot/aws-vpc-core#/policy/types/vpcFlowLogging" - value = "Check: Configured per `Flow Logging > *`" - # Skip - # Check: Configured per `Flow Logging > *` - # Check: Not configured - # Enforce: Configured per `Flow Logging > *` - # Enforce: Not configured` - } diff --git a/baselines/getting_started/aws/aws_check_public_access/README.md b/baselines/getting_started/aws/aws_check_public_access/README.md deleted file mode 100644 index ece47a261..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/README.md +++ /dev/null 
@@ -1,132 +0,0 @@ -# Baseline - AWS Check Public Access Policies - -AWS Check Public Access Policies focuses enabling some commonly used AWS resource public access status. - -More details on -- [Public Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/public-access) - -- [Trusted Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/trusted-access) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features e.g. various encryption, public access standards etc. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. 
Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** - -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_public_access/apigateway_policies.tf b/baselines/getting_started/aws/aws_check_public_access/apigateway_policies.tf deleted file mode 100644 index 4991295b8..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/apigateway_policies.tf +++ /dev/null 
@@ -1,30 +0,0 @@ -# Public Access Guardrails - https://turbot.com/v5/docs/concepts/guardrails/public-access - -# AWS > API Gateway > API > Approved -# https://turbot.com/v5/mods/turbot/aws-apigateway/inspect#/policy/types/apiApproved -resource "turbot_policy_setting" "aws_apigateway_api_approved" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-apigateway#/policy/types/apiApproved" - value = "Check: Approved" -} - -# AWS > API Gateway > API > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-apigateway/inspect#/policy/types/apiApprovedUsage -resource "turbot_policy_setting" "aws_apigateway_api_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-apigateway#/policy/types/apiApprovedUsage" - template_input = < EC2 > Application Load Balancer > Approved -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/applicationLoadBalancerApproved -resource "turbot_policy_setting" "aws_ec2_alb_approved" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApproved" - value = "Check: Approved" - #value = "Enforce: Delete unapproved if new" -} - -# AWS > EC2 > Application Load Balancer > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/applicationLoadBalancerApprovedUsage -resource "turbot_policy_setting" "aws_ec2_alb_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApprovedUsage" - # GraphQL to pull public scheme - template_input = <<-QUERY - { - resource { - scheme: get(path: "Scheme") - } - } - QUERY - - # Nunjucks template - template = <<-TEMPLATE - {%- if $.resource.scheme == "internal" -%} - Approved - {%- else -%} - Not approved - {%- endif -%} - TEMPLATE -} - -# Public Classic Load Balancer (ELB) -# AWS > EC2 > Classic Load Balancer > Approved -# 
https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/classicLoadBalancerApproved -resource "turbot_policy_setting" "aws_ec2_elb_approved" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApproved" - value = "Check: Approved" - #value = "Enforce: Delete unapproved if new" -} - -# AWS > EC2 > Classic Load Balancer > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/classicLoadBalancerApprovedUsage -resource "turbot_policy_setting" "aws_ec2_elb_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApprovedUsage" - # GraphQL to pull public scheme - template_input = <<-QUERY - { - resource { - scheme: get(path: "Scheme") - } - } - QUERY - # Nunjucks template - template = <<-TEMPLATE - {%- if $.resource.scheme == "internal" -%} - Approved - {%- else -%} - Not approved - {%- endif -%} - TEMPLATE -} - -# Public Network Load Balancer (NLB) -# AWS > EC2 > Network Load Balancer > Approved -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/networkLoadBalancerApproved -resource "turbot_policy_setting" "aws_ec2_nlb_approved" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApproved" - value = "Check: Approved" - #value = "Enforce: Delete unapproved if new" -} - -# AWS > EC2 > Network Load Balancer > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/networkLoadBalancerApprovedUsage -resource "turbot_policy_setting" "aws_ec2_nlb_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApprovedUsage" - # GraphQL to pull public scheme - template_input = <<-QUERY - { - resource { - scheme: get(path: "Scheme") - } - } - QUERY - # Nunjucks template - template = <<-TEMPLATE - {%- if 
$.resource.scheme == "internal" -%} - Approved - {%- else -%} - Not approved - {%- endif -%} - TEMPLATE -} diff --git a/baselines/getting_started/aws/aws_check_public_access/ec2_policies.tf b/baselines/getting_started/aws/aws_check_public_access/ec2_policies.tf deleted file mode 100644 index a11dd7589..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/ec2_policies.tf +++ /dev/null 
@@ -1,115 +0,0 @@ -# Public Access Guardrails - https://turbot.com/v5/docs/concepts/guardrails/public-access - - -# AWS > EC2 > Instance > Approved > Public IP -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceApprovedPublicIp -resource "turbot_policy_setting" "aws_ec2_instance_approved_public_ip" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/instanceApprovedPublicIp" - value = "Approved if not assigned" -} - -# EC2 Metadata security best practices is to enable v2 for session based authentication -# AWS > EC2 > Instance > Metadata Service -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceMetadataService -resource "turbot_policy_setting" "aws_ec2_instance_metadata_service" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/instanceMetadataService" - value = "Check: Enabled for V2 only" -} - -# EC2 Metadata security best practices. -# 1 Hop limit ensures the packet is dropped leaving the EC2 instance -# AWS > EC2 > Instance > Metadata Service > HTTP Token Hop Limit -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceMetadataServiceTokenHopLimit -resource "turbot_policy_setting" "aws_ec2_instance_metadata_service_token_hop_limit" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/instanceMetadataServiceTokenHopLimit" - value = "1" -} - -# Restrict Public and Cross Account AMI Sharing - -# Check on shared AMI to untrusted AWS Account; Account Trust set in variables -# AWS > EC2 > AMI > Trusted Access -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/amiTrustedAccess -resource "turbot_policy_setting" "aws_ec2_ami_trusted_access" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/amiTrustedAccess" - value = "Check: Trusted Access > Accounts" - #value = "Enforce: Trusted Access > 
Accounts" -} - -# Original Calc Policy on LaunchPermissions and Public -# resource "turbot_policy_setting" "aws_ec2_ami_approved_usage" { -# resource = turbot_smart_folder.aws_public_access.id -# type = "tmod:@turbot/aws-ec2#/policy/types/amiApprovedUsage" -# # GraphQL to pull policy Statements -# template_input = <<-QUERY -# { -# ami: resource { -# permissions: get(path: "LaunchPermissions") -# public: get(path: "Public") -# } -# } -# QUERY -# -# # Nunjucks template to set usage approval based on if the resource is shared to approved accounts. -# # set trustedAccounts in terraform.tfvars -# template = <<-TEMPLATE -# {%- set trustedAccounts = ${jsonencode([for account in var.trusted_accounts : account])} -%} -# {%- set approved = "Approved" -%} -# {%- for permission in $.ami.permissions -%} -# {%- if permission.UserId not in trustedAccounts -%} -# {%- set approved = "Not approved" -%} -# {%- endif -%} -# {%- endfor -%} -# {%- if $.resource.public -%} -# {%- set approved = "Not approved" -%} -# {%- endif -%} -# {{approved}} -# TEMPLATE -# } - -# Check for Cross Account EC2 Snapshot Sharing - -# AWS > EC2 > Snapshot > Trusted Access -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/snapshotTrustedAccess -resource "turbot_policy_setting" "ec2_snapshot_trusted_access" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/snapshotTrustedAccess" - value = "Check: Trusted Access > Accounts" - #value = "Enforce: Trusted Access > Accounts" -} - -# Original Calc Policy on LaunchPermissions and Public -# AWS > EC2 > Snapshot > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/snapshotApprovedUsage -resource "turbot_policy_setting" "ec2_snapshot_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-ec2#/policy/types/snapshotApprovedUsage" - # GraphQL to pull metadata - template_input = <<-QUERY - { - snapshot: resource { - permissions: 
get(path: "snapshotAttributes.CreateVolumePermissions") - public: get(path: "Public") - } - } - QUERY - # Nunjucks template to set usage approval based on if the resource is shared to approved accounts. - # set trustedAccounts in demo.tfvars - template = <<-TEMPLATE - {%- set trustedAccounts = ${jsonencode([for account in var.trusted_accounts : account])} -%} - {%- set approved = "Approved" -%} - {%- for permission in $.snapshot.permissions -%} - {%- if permission.UserId not in trustedAccounts -%} - {%- set approved = "Not approved" -%} - {%- endif -%} - {%- endfor -%} - {%- if $.snapshot.public -%} - {%- set approved = "Not approved" -%} - {%- endif -%} - {{approved}} - TEMPLATE -} diff --git a/baselines/getting_started/aws/aws_check_public_access/lambda_policies.tf b/baselines/getting_started/aws/aws_check_public_access/lambda_policies.tf deleted file mode 100644 index 5549e8c06..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/lambda_policies.tf +++ /dev/null 
@@ -1,35 +0,0 @@ -# Check if Lambda Functions are not in VPC -# Set policy to check unapproved Functions - -# AWS > Lambda > Function > Approved -# https://turbot.com/v5/mods/turbot/aws-lambda/inspect#/policy/types/functionApproved -resource "turbot_policy_setting" "aws_lambda_function_approved" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-lambda#/policy/types/functionApproved" - value = "Check: Approved" -} - -# Calculated policy to check if VpcConfig details are defined on the Function -# If there are no VpcConfig details, the Function is not within a VPC -# AWS > Lambda > Function > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-lambda/inspect#/policy/types/functionApprovedUsage -resource "turbot_policy_setting" "aws_lambda_function_approved_usage" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-lambda#/policy/types/functionApprovedUsage" - template_input = <<-QUERY - { - resource{ - object - } - } - QUERY - - # Nunjucks template evaluate metadata. - template = <<-TEMPLATE - {% if 'VpcConfig' in $.resource.object %} - Approved - {% else %} - Not approved - {% endif %} - TEMPLATE -} diff --git a/baselines/getting_started/aws/aws_check_public_access/output.tf b/baselines/getting_started/aws/aws_check_public_access/output.tf deleted file mode 100644 index 14638172c..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/output.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -output "trusted_accounts" { - value = var.trusted_accounts -} - -output "enable_aws_redshift_cluster_public" { - value = var.enable_aws_redshift_cluster_public -} - -output "enable_aws_rds_db_instance_public" { - value = var.enable_aws_rds_db_instance_public -} - -output "enable_aws_redshift_cluster_snapshot_manual_trusted_access" { - value = var.enable_aws_redshift_cluster_snapshot_manual_trusted_access -} - -output "enable_aws_rds_db_snapshot_manual_trusted_access" { - value = var.enable_aws_rds_db_snapshot_manual_trusted_access -} - -output "enable_aws_rds_db_cluster_snapshot_manual_trusted_access" { - value = var.enable_aws_rds_db_cluster_snapshot_manual_trusted_access -} - -output "enable_aws_route53_hostedzone_approved" { - value = var.enable_aws_route53_hostedzone_approved -} - -output "enable_aws_route53_hostedzone_approved_usage" { - value = var.enable_aws_route53_hostedzone_approved_usage -} - -output "enable_aws_sqs_queue_trusted_access" { - value = var.enable_aws_sqs_queue_trusted_access -} - -output "enable_aws_trusted_accounts_template" { - value = var.enable_aws_trusted_accounts_template -} diff --git a/baselines/getting_started/aws/aws_check_public_access/provider.tf b/baselines/getting_started/aws/aws_check_public_access/provider.tf deleted file mode 100644 index 0353d61cb..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/provider.tf +++ /dev/null @@ -1,12 +0,0 @@ -terraform { - required_providers { - turbot = { - source = "turbot/turbot" - } - } - required_version = ">= 0.13" -} - -provider "turbot" { - profile = var.turbot_profile -} diff --git a/baselines/getting_started/aws/aws_check_public_access/rds_policies.tf b/baselines/getting_started/aws/aws_check_public_access/rds_policies.tf deleted file mode 100644 index ccb2f7009..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/rds_policies.tf +++ /dev/null 
@@ -1,78 +0,0 @@ -# Public Access Guardrails - https://turbot.com/v5/docs/concepts/guardrails/public-access -# Check for RDS Instance, Redshift Cluster Public Access, and Cross Account DB Snapshot Sharing - -# AWS > Redshift > Cluster > Cluster Publicly Accessible -# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterPubliclyAccessible -resource "turbot_policy_setting" "aws_redshift_cluster_public" { - count = var.enable_aws_redshift_cluster_public ? 1 : 0 - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-redshift#/policy/types/clusterPubliclyAccessible" - value = "Check: Cluster is not publicly accessible" -} - -# AWS > RDS > DB Instance > DB Instance Publicly Accessible -# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbInstancePubliclyAccessible -resource "turbot_policy_setting" "aws_rds_db_instance_public" { - count = var.enable_aws_rds_db_instance_public ? 1 : 0 - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-rds#/policy/types/dbInstancePubliclyAccessible" - value = "Check: DB Instance is not publicly accessible" -} - -# AWS > Redshift > Manual Cluster Snapshot > Trusted Access -# https://turbot.com/v5/mods/turbot/aws-redshift/inspect#/policy/types/clusterSnapshotManualTrustedAccess -resource "turbot_policy_setting" "aws_redshift_cluster_snapshot_manual_trusted_access" { - count = var.enable_aws_redshift_cluster_snapshot_manual_trusted_access ? 1 : 0 - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualTrustedAccess" - value = "Check: Trusted Access > Accounts" -} - -# AWS > RDS > DB Snapshot [Manual] > Trusted Access -# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbSnapshotManualTrustedAccess -resource "turbot_policy_setting" "aws_rds_db_snapshot_manual_trusted_access" { - count = var.enable_aws_rds_db_snapshot_manual_trusted_access ? 
1 : 0 - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualTrustedAccess" - value = "Check: Trusted Access > Accounts" -} - -# AWS > RDS > DB Cluster Snapshot [Manual] > Trusted Access -# https://turbot.com/v5/mods/turbot/aws-rds/inspect#/policy/types/dbClusterSnapshotManualTrustedAccess -resource "turbot_policy_setting" "aws_rds_db_cluster_snapshot_manual_trusted_access" { - count = var.enable_aws_rds_db_cluster_snapshot_manual_trusted_access ? 1 : 0 - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualTrustedAccess" - value = "Check: Trusted Access > Accounts" -} - -## Older Calc policy example for RDS DB Snapshot Public - -# Check public RDS DB Snapshot accessibility -# resource "turbot_policy_setting" "aws_rds_snapshot_approved" { -# resource = turbot_smart_folder.aws_public_access.id -# type = "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualApproved" -# value = "Check: Approved" -# } - -# Check public RDS DB Snapshot accessibility usage conditions -# resource "turbot_policy_setting" "aws_rds_snapshot_approved_usage" { -# resource = turbot_smart_folder.aws_public_access.id -# type = "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualApprovedUsage" -# # GraphQL to get metadata -# template_input = <<-QUERY -# { -# resource { -# public: get(path: "Public") -# } -# } -# QUERY -# # Nunjucks template evaluate metadata. -# template = <<-TEMPLATE -# {%- if $.resource.public -%} -# Not approved -# {%- else -%} -# Approved -# {%- endif -%} -# TEMPLATE -# } diff --git a/baselines/getting_started/aws/aws_check_public_access/route53_policies.tf b/baselines/getting_started/aws/aws_check_public_access/route53_policies.tf deleted file mode 100644 index 830005049..000000000 --- a/baselines/getting_started/aws/aws_check_public_access/route53_policies.tf +++ /dev/null 
@@ -1,40 +0,0 @@
-# Check Public Route53 Hosted Zone. Check for VPC Configurations
-# Commented out since these services are not associated to the initial mod install list
-
-# Check on Route53 Hosted Zone that is not internal by evaluating VPC Configurations
-
-# AWS > Route 53 > Hosted Zone > Approved
-# https://turbot.com/v5/mods/turbot/aws-route53/inspect#/policy/types/hostedZoneApproved
-resource "turbot_policy_setting" "aws_route53_hostedzone_approved" {
- count = var.enable_aws_route53_hostedzone_approved ? 1 : 0
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-route53#/policy/types/hostedZoneApproved"
- value = "Check: Approved"
- #value = "Enforce: Delete unapproved if new"
-}
-
-# AWS > Route 53 > Hosted Zone > Approved > Usage
-# https://turbot.com/v5/mods/turbot/aws-route53/inspect#/policy/types/hostedZoneApprovedUsage
-resource "turbot_policy_setting" "aws_route53_hostedzone_approved_usage" {
- count = var.enable_aws_route53_hostedzone_approved_usage ? 1 : 0
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-route53#/policy/types/hostedZoneApprovedUsage"
- # GraphQL to pull VPC info on the hosted zone
- template_input = <<-QUERY
- {
- hostedZone {
- VPCs {
- VPCId
- }
- }
- }
- QUERY
- # Nunjucks template
- template = <<-TEMPLATE
- {%- if $.hostedZone.VPCs.VPCId == null -%}
- "Approved"
- {%- else -%}
- "Not approved"
- {%- endif -%}
- TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/s3_policies.tf b/baselines/getting_started/aws/aws_check_public_access/s3_policies.tf
deleted file mode 100644
index e09809c78..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/s3_policies.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-# S3 Bucket level shouldn't be public or shared with unauthorized accounts
-# Also set in the S3 Baseline as well.
-# Note: this is for the Bucket level; another setting is for the Account level
-
-# Set policy to check public access block settings
-# AWS > S3 > Bucket > Public Access Block
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3BucketPublicAccessBlock
-resource "turbot_policy_setting" "aws_s3_public_access_block" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlock"
- value = "Check: Per `Public Access Block > Settings`"
-}
-
-## Set policy to apply public access block settings
-# AWS > S3 > Bucket > Public Access Block > Settings
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3BucketPublicAccessBlockSettings
-resource "turbot_policy_setting" "aws_s3_public_access_block_settings" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlockSettings"
- value = <<-VALUE
- - Block Public ACLs
- - Block Public Bucket Policies
- - Ignore Public ACLs
- - Restrict Public Bucket Policies
- VALUE
-}
-
-# S3 Account level shouldn't be public or shared with unauthorized accounts
-# Also set in the S3 Baseline as well.
-# Note: this is for the Account level; another setting is for the Bucket level
-
-# AWS > S3 > Account > Public Access Block
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3AccountPublicAccessBlock
-resource "turbot_policy_setting" "aws_s3_account_public_access_block" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlock"
- value = "Check: Per `Public Access Block > Settings`"
-}
-
-# AWS > S3 > Account > Public Access Block > Settings
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3AccountPublicAccessBlockSettings
-resource "turbot_policy_setting" "aws_s3_account_public_access_block_settings" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlockSettings"
- value = <<-VALUE
- - Block Public ACLs
- - Block Public Bucket Policies
- - Ignore Public ACLs
- - Restrict Public Bucket Policies
- VALUE
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/smart_folder.tf b/baselines/getting_started/aws/aws_check_public_access/smart_folder.tf
deleted file mode 100644
index 91c4ea730..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_public_access" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/sns_policies.tf b/baselines/getting_started/aws/aws_check_public_access/sns_policies.tf
deleted file mode 100644
index 2bb21018c..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/sns_policies.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Trusted Access Guardrails - https://turbot.com/v5/docs/concepts/guardrails/trusted-access
-
-# Restrict Public and Cross Account SNS Topics
-# Assumes the default set of Trusted Accounts already set in this baseline.
-
-# AWS > SNS > Topic > Policy > Trusted Access
-# https://turbot.com/v5/mods/turbot/aws-sns/inspect#/policy/types/topicPolicyTrustedAccess
-resource "turbot_policy_setting" "aws_sns_topic_trusted_access" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-sns#/policy/types/topicPolicyTrustedAccess"
- value = "Check: Trusted Access"
- #value = "Enforce: Revoke untrusted access"
-}
-
-## tmod:@turbot/aws-sns#/policy/types/topicPolicyTrustedAccounts already inherits from:
-## tmod:@turbot/aws-sns#/policy/types/snsPolicyTrustedAccounts already inherits from:
-## tmod:@turbot/aws#/policy/types/trustedAccounts is the global list set in this baseline
-
-## Note: SNS Trusted Access also accepts default Organization Restrictions, Identity Providers, and Services
diff --git a/baselines/getting_started/aws/aws_check_public_access/sqs_policies.tf b/baselines/getting_started/aws/aws_check_public_access/sqs_policies.tf
deleted file mode 100644
index 5f18fc607..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/sqs_policies.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Restrict Public and Cross Account SQS Queues
-# Assumes the default set of Trusted Accounts already set in this baseline.
-
-# AWS > SQS > Queue > Policy > Trusted Access
-# https://turbot.com/v5/mods/turbot/aws-sqs/inspect#/policy/types/queuePolicyTrustedAccess
-resource "turbot_policy_setting" "aws_sqs_queue_trusted_access" {
- count = var.enable_aws_sqs_queue_trusted_access ? 1 : 0
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-sqs#/policy/types/queuePolicyTrustedAccess"
- value = "Check: Trusted Access"
- #value = "Enforce: Revoke untrusted access"
-}
-
-## tmod:@turbot/aws-sqs#/policy/types/queuePolicyTrustedAccounts already inherits from:
-## tmod:@turbot/aws-sqs#/policy/types/sqsPolicyTrustedAccounts already inherits from:
-## tmod:@turbot/aws#/policy/types/trustedAccounts is the global list set in this baseline
-
-## Note: SQS Trusted Access also accepts default Organization Restrictions, Identity Providers and Services
diff --git a/baselines/getting_started/aws/aws_check_public_access/trusted_account_template.tf b/baselines/getting_started/aws/aws_check_public_access/trusted_account_template.tf
deleted file mode 100644
index ddfba8b40..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/trusted_account_template.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-# Trusted Access Guardrails - https://turbot.com/v5/docs/concepts/guardrails/trusted-access
-
-# Trusted Account Template - sets the global template for all services, pulls trusted list from tfvars file
-# Individual services can have their own set of trusted accounts as well
-
-# AWS > Account > Trusted Accounts [Default]
-# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/trustedAccounts
-resource "turbot_policy_setting" "aws_trusted_accounts_template" {
- count = var.enable_aws_trusted_accounts_template ? 1 : 0
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws#/policy/types/trustedAccounts"
- template_input = <<-QUERY
- {
- account{
- Id
- }
- }
- QUERY
-
- # set trustedAccounts from demo.tfvars
- template = <<-TEMPLATE
- ${yamlencode([for account in var.trusted_accounts : account])}
- TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/variable.tf b/baselines/getting_started/aws/aws_check_public_access/variable.tf
deleted file mode 100644
index 54d6ff31f..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/variable.tf
+++ /dev/null
@@ -1,83 +0,0 @@
-# Baseline Configuration
-variable "trusted_accounts" {
- type = list(string)
- default = []
-}
-
-variable "enable_aws_redshift_cluster_public" {
- type = bool
- description = "Enable the Redshift cluster public access policies for baseline"
- default = false
-}
-
-variable "enable_aws_rds_db_instance_public" {
- type = bool
- description = "Enable the RDS DB instance public access policies for baseline"
- default = false
-}
-
-variable "enable_aws_redshift_cluster_snapshot_manual_trusted_access" {
- type = bool
- description = "Enable the Redshift cluster manual snapshot trusted access policies for baseline"
- default = false
-}
-
-variable "enable_aws_rds_db_snapshot_manual_trusted_access" {
- type = bool
- description = "Enable the RDS DB manual snapshot trusted access policies for baseline"
- default = false
-}
-
-variable "enable_aws_rds_db_cluster_snapshot_manual_trusted_access" {
- type = bool
- description = "Enable the RDS DB cluster manual snapshot trusted access policies for baseline"
- default = false
-}
-
-variable "enable_aws_route53_hostedzone_approved" {
- type = bool
- description = "Enable the Route53 hostedzone approved policies for baseline"
- default = false
-}
-
-variable "enable_aws_route53_hostedzone_approved_usage" {
- type = bool
- description = "Enable the Route53 hostedzone approved usage policies for baseline"
- default = false
-}
-
-variable "enable_aws_sqs_queue_trusted_access" {
- type = bool
- description = "Enable the SQS queue trusted access policies for baseline"
- default = false
-}
-
-variable "enable_aws_trusted_accounts_template" {
- type = bool
- description = "Enable the AWS trusted account policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "AWS Check Public Access Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the AWS check S3 baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/vpc_core_policies.tf b/baselines/getting_started/aws/aws_check_public_access/vpc_core_policies.tf
deleted file mode 100644
index 91230f1ce..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/vpc_core_policies.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Subnets should not allow automatic public IP assignment
-
-# AWS > VPC > Subnet > Approved
-# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/subnetApproved
-resource "turbot_policy_setting" "aws_vpc_subnet_approved" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-core#/policy/types/subnetApproved"
- value = "Check: Approved"
-}
-
-
-# AWS > VPC > Subnet > Approved > Usage
-# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/subnetApprovedUsage
-resource "turbot_policy_setting" "aws_vpc_subnet_approved_usage" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-core#/policy/types/subnetApprovedUsage"
- # GraphQL to pull resource metadata
- template_input = <<-QUERY
- {
- resource {
- publicIp: get(path: "MapPublicIpOnLaunch")
- }
- }
- QUERY
-
- # Nunjucks template evaluate metadata.
- template = <<-TEMPLATE
- {%- if $.resource.publicIp -%}
- Not approved
- {%- else -%}
- Approved
- {%- endif -%}
- TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/vpc_internet_policies.tf b/baselines/getting_started/aws/aws_check_public_access/vpc_internet_policies.tf
deleted file mode 100644
index 504755de0..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/vpc_internet_policies.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-# No Elastic IPs (EIPs) should exist in the account, unless approved for use
-
-# AWS > VPC > Elastic IP > Approved
-# https://turbot.com/v5/mods/turbot/aws-vpc-internet/inspect#/policy/types/elasticIpApproved
-resource "turbot_policy_setting" "aws_vpc_elastic_ip_approved" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApproved"
- value = "Check: Approved"
-}
-
-# AWS > VPC > Elastic IP > Approved > Usage
-# https://turbot.com/v5/mods/turbot/aws-vpc-internet/inspect#/policy/types/elasticIpApprovedUsage
-resource "turbot_policy_setting" "aws_vpc_elastic_ip_approved_usage" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApprovedUsage"
- value = "Not approved"
-}
-
-# No IGWs should exist in the account, unless approved for use
-
-# AWS > VPC > Internet Gateway > Approved
-# https://turbot.com/v5/mods/turbot/aws-vpc-internet/inspect#/policy/types/internetGatewayApproved
-resource "turbot_policy_setting" "aws_vpc_igw_approved" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApproved"
- value = "Check: Approved"
- # value = "Enforce: Detach and delete unapproved if new"
-}
-
-# AWS > VPC > Internet Gateway > Approved > Usage
-# https://turbot.com/v5/mods/turbot/aws-vpc-internet/inspect#/policy/types/internetGatewayApprovedUsage
-resource "turbot_policy_setting" "aws_vpc_igw_approved_usage" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApprovedUsage"
- value = "Not approved"
-}
diff --git a/baselines/getting_started/aws/aws_check_public_access/vpc_security_policies.tf b/baselines/getting_started/aws/aws_check_public_access/vpc_security_policies.tf
deleted file mode 100644
index 3ba6b07ff..000000000
--- a/baselines/getting_started/aws/aws_check_public_access/vpc_security_policies.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-# AWS > VPC > Security Group > Ingress Rules > Approved > Rules - https://turbot.com/v5/docs/guides/managing-policies/OCL#aws--vpc--security-group--ingress-rules--approved--rules
-# OCL - https://turbot.com/v5/docs/reference/ocl
-
-# Approve / Reject Security Group Ingress/Egress Rules
-
-# AWS > VPC > Security Group > Ingress Rules > Approved
-# https://turbot.com/v5/mods/turbot/aws-vpc-security/inspect#/policy/types/securityGroupIngressRulesApproved
-resource "turbot_policy_setting" "aws_vpc_security_group_ingress_rule_approved" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApproved"
- value = "Check: Approved"
- # "Skip"
- # "Check: Approved"
- # "Enforce: Delete unapproved"
-}
-
-# Example of a friendly Security Group Ingress policy to set approved CIDR Ranges
-# Example is of internal IP ranges, RFC 1918
-
-# AWS > VPC > Security Group > Ingress Rules > Approved > CIDR Ranges
-# https://turbot.com/v5/mods/turbot/aws-vpc-security/inspect#/policy/types/securityGroupIngressRulesApprovedCidrRanges
-resource "turbot_policy_setting" "aws_vpc_security_group_ingress_rule_approved_cidr_ranges" {
- resource = turbot_smart_folder.aws_public_access.id
- type = "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedCidrRanges"
- value = <<-VALUE
- # RFC 1918
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- VALUE
-}
-
-# Mostly used are the Rules. This provides an APPROVE REJECT syntax for granular policies
-# Below REJECTS Port 22 and 3389 from IPv4 & V6 0.0.0.0/0 and ::/0.
APPROVES everything else -# Example below aligns to AWS CIS 4.01 and 4.02 - -# AWS > VPC > Security Group > Ingress Rules > Approved > Rules -# https://turbot.com/v5/mods/turbot/aws-vpc-security/inspect#/policy/types/securityGroupIngressRulesApprovedRules -resource "turbot_policy_setting" "security_Group_IngressRules_ApprovedRules" { - resource = turbot_smart_folder.aws_public_access.id - type = "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules" - value = < Account > Approved Regions [Default]` policy contains a list of AWS regions in which -cloud resources are approved for use. - -The policy `AWS > Account > Regions` contains a list of AWS region where a resource can be recorded (discovered). - -If the [AWS Baseline](../aws_baseline/) has only one region enabled then the approving regions policy will not be -effective as Turbot will only discovers resources for that one region. - -This baseline needs to be considered carefully in conjunction with the `AWS > Account > Regions` policy set in -the [AWS Baseline](../aws_baseline/). - -Turbot also supports AWS Lockdown / Boundary policies to limit access to regions which are not part of this baseline. - -The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings -created by other baselines. - -This baseline will not attach to a resource and will need to be done manually using the Turbot UI. - -## Important - -Running the baseline without an input variable file assumes that you have **ALL** AWS mods installed. -To limit the baseline, look at the example input variable file [demo.tfvars](demo.tfvars). - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). 
- -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Deploying demo example - -The demo baseline expects that the following mods are installed: - -- aws_lambda -- aws_ec2 -- aws_s3 -- aws-vpc-core -- aws-vpc-connect -- aws-vpc-internet -- aws-vpc-security - -To run the baseline: - -1. Navigate to the folder of the baseline -2. Initialise Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -TODO: Omero clean up -From the workspace root folder using the the terminal, to apply the install the demo run the following commands: - -```shell -cd ./baselines/getting_started/aws/aws_check_encryption -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** - -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files are defined in the [variables.tf](variables.tf) file. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Initialise baseline - -If not previously run, initialise Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform init - ``` - -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply - ``` - -This may prompt the user applying the baseline to enter values for variables that do not have default values. - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_regions/approved_regions_policies.tf b/baselines/getting_started/aws/aws_check_regions/approved_regions_policies.tf deleted file mode 100644 index bfdb3746a..000000000 --- a/baselines/getting_started/aws/aws_check_regions/approved_regions_policies.tf +++ /dev/null 
@@ -1,25 +0,0 @@
-# Approved Regions is a list of AWS regions in which cloud resources are approved for use.
-# Only effective when the AWS > Account > Regions policies has multiple regions.
-# The regions policy contains a list of AWS regions in which resources can are recorded,
-
-# AWS > Account > Approved Regions [Default]
-# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/approvedRegionsDefault
-resource "turbot_policy_setting" "aws_account_approved_regions" {
- count = length(var.resource_approved_regions) > 0 ? 1 : 0
- resource = turbot_smart_folder.aws_regions.id
- type = "tmod:@turbot/aws#/policy/types/approvedRegionsDefault"
- value = <<-ALLOWEDREGIONS
- ${yamlencode([for region in var.resource_approved_regions_region_list : region])}
- ALLOWEDREGIONS
-}
-
-## Sets approved region policy for each resource type in the resource_approved_regions map.
-
-# AWS > **Service** > **Resource** > Approved
-# Example policy: https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceApproved
-resource "turbot_policy_setting" "set_resource_approved_regions_policies" {
- for_each = var.resource_approved_regions
- resource = turbot_smart_folder.aws_regions.id
- type = local.policy_map[each.key]
- value = each.value
-}
diff --git a/baselines/getting_started/aws/aws_check_regions/demo.tfvars b/baselines/getting_started/aws/aws_check_regions/demo.tfvars
deleted file mode 100644
index 8d9f11f3a..000000000
--- a/baselines/getting_started/aws/aws_check_regions/demo.tfvars
+++ /dev/null
@@ -1,25 +0,0 @@
-# List of services and resources to be Check: Approved.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have the related service mod installed
-
-# NOTE: For full list of values, look in variables.tf at the default value
-resource_approved_regions = {
- aws-ec2-ami = "Check: Approved"
- aws-ec2-applicationLoadBalancer = "Check: Approved"
- aws-ec2-classicLoadBalancer = "Check: Approved"
- aws-ec2-instance = "Check: Approved"
- aws-ec2-keyPair = "Check: Approved"
- aws-ec2-networkLoadBalancer = "Check: Approved"
- aws-ec2-snapshot = "Check: Approved"
- aws-ec2-volume = "Check: Approved"
- aws-lambda-function = "Check: Approved"
- aws-s3-bucket = "Check: Approved"
- aws-vpc-security-securityGroup = "Check: Approved"
- aws-vpc-core-vpc = "Check: Approved"
-}
-
-# NOTE: For full list of values, look in variables.tf at the default value
-resource_approved_regions_region_list = [
- "us-east-1",
- "us-east-2",
-]
diff --git a/baselines/getting_started/aws/aws_check_regions/locals.tf b/baselines/getting_started/aws/aws_check_regions/locals.tf
deleted file mode 100644
index 964076294..000000000
--- a/baselines/getting_started/aws/aws_check_regions/locals.tf
+++ /dev/null
@@ -1,151 +0,0 @@
-locals {
- policy_map = {
- aws-acm-certificate : "tmod:@turbot/aws-acm#/policy/types/certificateApproved"
- aws-mq-broker : "tmod:@turbot/aws-mq#/policy/types/brokerApproved"
- aws-mq-configuration : "tmod:@turbot/aws-mq#/policy/types/configurationApproved"
- aws-amplify-app : "tmod:@turbot/aws-amplify#/policy/types/appApproved"
- aws-apigateway-api : "tmod:@turbot/aws-apigateway#/policy/types/apiApproved"
- aws-apigateway-apiKey : "tmod:@turbot/aws-apigateway#/policy/types/apiKeyApproved"
- aws-apigateway-apiV2 : "tmod:@turbot/aws-apigateway#/policy/types/apiV2Approved"
- aws-apigateway-authorizer : "tmod:@turbot/aws-apigateway#/policy/types/authorizerApproved"
- aws-apigateway-authorizerV2 : "tmod:@turbot/aws-apigateway#/policy/types/authorizerV2Approved"
- aws-apigateway-domainNameV2 : "tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Approved"
- aws-apigateway-stage : "tmod:@turbot/aws-apigateway#/policy/types/stageApproved"
- aws-apigateway-stageV2 : "tmod:@turbot/aws-apigateway#/policy/types/stageV2Approved"
- aws-apigateway-usagePlan : "tmod:@turbot/aws-apigateway#/policy/types/usagePlanApproved"
- aws-appmesh-mesh : "tmod:@turbot/aws-appmesh#/policy/types/meshApproved"
- aws-athena-namedQuery : "tmod:@turbot/aws-athena#/policy/types/namedQueryApproved"
- aws-athena-workgroup : "tmod:@turbot/aws-athena#/policy/types/workgroupApproved"
- aws-backup-backupPlan : "tmod:@turbot/aws-backup#/policy/types/backupPlanApproved"
- aws-backup-backupVault : "tmod:@turbot/aws-backup#/policy/types/backupVaultApproved"
- aws-batch-jobDefinition : "tmod:@turbot/aws-batch#/policy/types/jobDefinitionApproved"
- aws-cloudformation-stack : "tmod:@turbot/aws-cloudformation#/policy/types/stackApproved"
- aws-cloudformation-stackSet : "tmod:@turbot/aws-cloudformation#/policy/types/stackSetApproved"
- aws-cloudsearch-domain : "tmod:@turbot/aws-cloudsearch#/policy/types/domainApproved"
- aws-cloudtrail-trail : "tmod:@turbot/aws-cloudtrail#/policy/types/trailApproved"
- aws-cloudwatch-alarm : "tmod:@turbot/aws-cloudwatch#/policy/types/alarmApproved"
- aws-codebuild-build : "tmod:@turbot/aws-codebuild#/policy/types/buildApproved"
- aws-codebuild-project : "tmod:@turbot/aws-codebuild#/policy/types/projectApproved"
- aws-codecommit-repository : "tmod:@turbot/aws-codecommit#/policy/types/repositoryApproved"
- aws-config-configurationRecorder : "tmod:@turbot/aws-config#/policy/types/configurationRecorderApproved"
- aws-config-deliveryChannel : "tmod:@turbot/aws-config#/policy/types/deliveryChannelApproved"
- aws-config-rule : "tmod:@turbot/aws-config#/policy/types/ruleApproved"
- aws-dax-cluster : "tmod:@turbot/aws-dax#/policy/types/clusterApproved"
- aws-directoryservice-directory : "tmod:@turbot/aws-directoryservice#/policy/types/directoryApproved"
- aws-dms-endpoint : "tmod:@turbot/aws-dms#/policy/types/endpointApproved"
- aws-docdb-dbCluster : "tmod:@turbot/aws-docdb#/policy/types/dbClusterApproved"
- aws-docdb-dbClusterParameterGroup : "tmod:@turbot/aws-docdb#/policy/types/dbClusterParameterGroupApproved"
- aws-docdb-dbInstance : "tmod:@turbot/aws-docdb#/policy/types/dbInstanceApproved"
- aws-dynamodb-backup : "tmod:@turbot/aws-dynamodb#/policy/types/backupApproved"
- aws-dynamodb-table : "tmod:@turbot/aws-dynamodb#/policy/types/tableApproved"
- aws-ec2-ami : "tmod:@turbot/aws-ec2#/policy/types/amiApproved"
- aws-ec2-applicationLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerApproved"
- aws-ec2-autoScalingGroup : "tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupApproved"
- aws-ec2-classicLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerApproved"
- aws-ec2-instance : "tmod:@turbot/aws-ec2#/policy/types/instanceApproved"
- aws-ec2-keyPair : "tmod:@turbot/aws-ec2#/policy/types/keyPairApproved"
- aws-ec2-launchConfiguration : "tmod:@turbot/aws-ec2#/policy/types/launchConfigurationApproved"
- aws-ec2-launchTemplate : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateApproved"
- aws-ec2-launchTemplateVersion : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateVersionApproved"
- aws-ec2-listenerRule : "tmod:@turbot/aws-ec2#/policy/types/listenerRuleApproved"
- aws-ec2-loadBalancerListener : "tmod:@turbot/aws-ec2#/policy/types/loadBalancerListenerApproved"
- aws-ec2-networkInterface : "tmod:@turbot/aws-ec2#/policy/types/networkInterfaceApproved"
- aws-ec2-networkLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerApproved"
- aws-ec2-snapshot : "tmod:@turbot/aws-ec2#/policy/types/snapshotApproved"
- aws-ec2-targetGroup : "tmod:@turbot/aws-ec2#/policy/types/targetGroupApproved"
- aws-ec2-volume : "tmod:@turbot/aws-ec2#/policy/types/volumeApproved"
- aws-ecr-repository : "tmod:@turbot/aws-ecr#/policy/types/repositoryApproved"
- aws-ecs-cluster : "tmod:@turbot/aws-ecs#/policy/types/clusterApproved"
- aws-ecs-containerInstance : "tmod:@turbot/aws-ecs#/policy/types/containerInstanceApproved"
- aws-ecs-taskDefinition : "tmod:@turbot/aws-ecs#/policy/types/taskDefinitionApproved"
- aws-efs-fileSystem : "tmod:@turbot/aws-efs#/policy/types/fileSystemApproved"
- aws-efs-mountTarget : "tmod:@turbot/aws-efs#/policy/types/mountTargetApproved"
- aws-eks-cluster : "tmod:@turbot/aws-eks#/policy/types/clusterApproved"
- aws-eks-nodeGroup : "tmod:@turbot/aws-eks#/policy/types/nodeGroupApproved"
- aws-elasticbeanstalk-application : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/applicationApproved"
- aws-elasticbeanstalk-environment : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/environmentApproved"
- aws-elasticache-cacheCluster : "tmod:@turbot/aws-elasticache#/policy/types/cacheClusterApproved"
- aws-elasticache-cacheParameterGroup : "tmod:@turbot/aws-elasticache#/policy/types/cacheParameterGroupApproved"
- aws-elasticache-replicationGroup : "tmod:@turbot/aws-elasticache#/policy/types/replicationGroupApproved"
- aws-elasticache-snapshot : "tmod:@turbot/aws-elasticache#/policy/types/snapshotApproved"
- aws-elasticsearch-domain : "tmod:@turbot/aws-elasticsearch#/policy/types/domainApproved"
- aws-emr-cluster : "tmod:@turbot/aws-emr#/policy/types/clusterApproved"
- aws-emr-securityConfiguration : "tmod:@turbot/aws-emr#/policy/types/securityConfigurationApproved"
- aws-events-rule : "tmod:@turbot/aws-events#/policy/types/ruleApproved"
- aws-events-target : "tmod:@turbot/aws-events#/policy/types/targetApproved"
- aws-fsx-backup : "tmod:@turbot/aws-fsx#/policy/types/backupApproved"
- aws-fsx-fileSystem : "tmod:@turbot/aws-fsx#/policy/types/fileSystemApproved"
- aws-glacier-vault : "tmod:@turbot/aws-glacier#/policy/types/vaultApproved"
- aws-glue-database : "tmod:@turbot/aws-glue#/policy/types/databaseApproved"
- aws-guardduty-detector : "tmod:@turbot/aws-guardduty#/policy/types/detectorApproved"
- aws-guardduty-ipSet : "tmod:@turbot/aws-guardduty#/policy/types/ipSetApproved"
- aws-guardduty-threatIntelSet : "tmod:@turbot/aws-guardduty#/policy/types/threatIntelSetApproved"
- aws-inspector-assessmentTarget : "tmod:@turbot/aws-inspector#/policy/types/assessmentTargetApproved"
- aws-inspector-assessmentTemplate : "tmod:@turbot/aws-inspector#/policy/types/assessmentTemplateApproved"
- aws-kinesis-consumer : "tmod:@turbot/aws-kinesis#/policy/types/consumerApproved"
- aws-kinesis-stream : "tmod:@turbot/aws-kinesis#/policy/types/streamApproved"
- aws-kms-key : "tmod:@turbot/aws-kms#/policy/types/keyApproved"
- aws-lambda-function : "tmod:@turbot/aws-lambda#/policy/types/functionApproved"
- aws-logs-logGroup : "tmod:@turbot/aws-logs#/policy/types/logGroupApproved"
- aws-logs-logStream : "tmod:@turbot/aws-logs#/policy/types/logStreamApproved"
- aws-logs-metricFilter : "tmod:@turbot/aws-logs#/policy/types/metricFilterApproved"
- aws-msk-cluster : "tmod:@turbot/aws-msk#/policy/types/clusterApproved"
- aws-neptune-dbCluster : "tmod:@turbot/aws-neptune#/policy/types/dbClusterApproved"
- aws-neptune-dbInstance : "tmod:@turbot/aws-neptune#/policy/types/dbInstanceApproved"
- aws-qldb-ledger : "tmod:@turbot/aws-qldb#/policy/types/ledgerApproved"
- aws-rds-dbCluster : "tmod:@turbot/aws-rds#/policy/types/dbClusterApproved"
- aws-rds-dbClusterParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbClusterParameterGroupApproved"
- aws-rds-dbClusterSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualApproved"
- aws-rds-dbInstance : "tmod:@turbot/aws-rds#/policy/types/dbInstanceApproved"
- aws-rds-dbParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbParameterGroupApproved"
- aws-rds-dbSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualApproved"
- aws-rds-optionGroup : "tmod:@turbot/aws-rds#/policy/types/optionGroupApproved"
- aws-rds-subnetGroup : "tmod:@turbot/aws-rds#/policy/types/subnetGroupApproved"
- aws-redshift-cluster : "tmod:@turbot/aws-redshift#/policy/types/clusterApproved"
- aws-redshift-clusterParameterGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterParameterGroupApproved"
- aws-redshift-clusterSubnetGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterSubnetGroupApproved"
- aws-redshift-clusterSnapshotManual : "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualApproved"
- aws-robomaker-fleet : "tmod:@turbot/aws-robomaker#/policy/types/fleetApproved"
- aws-robomaker-robot : "tmod:@turbot/aws-robomaker#/policy/types/robotApproved"
- aws-robomaker-robotApplication : "tmod:@turbot/aws-robomaker#/policy/types/robotApplicationApproved"
- aws-route53resolver-resolverEndpoint : "tmod:@turbot/aws-route53resolver#/policy/types/resolverEndpointApproved"
- aws-route53resolver-resolverRule : "tmod:@turbot/aws-route53resolver#/policy/types/resolverRuleApproved"
- aws-s3-bucket : "tmod:@turbot/aws-s3#/policy/types/bucketApproved"
- aws-secretsmanager-secret : "tmod:@turbot/aws-secretsmanager#/policy/types/secretApproved"
- aws-securityhub-hub : "tmod:@turbot/aws-securityhub#/policy/types/hubApproved"
- aws-sns-subscription : "tmod:@turbot/aws-sns#/policy/types/subscriptionApproved"
- aws-sns-topic : "tmod:@turbot/aws-sns#/policy/types/topicApproved"
- aws-sqs-queue : "tmod:@turbot/aws-sqs#/policy/types/queueApproved"
- aws-ssm-association : "tmod:@turbot/aws-ssm#/policy/types/associationApproved"
- aws-ssm-document : "tmod:@turbot/aws-ssm#/policy/types/documentApproved"
- aws-ssm-maintenanceWindow : "tmod:@turbot/aws-ssm#/policy/types/maintenanceWindowApproved"
- aws-ssm-ssmParameter : "tmod:@turbot/aws-ssm#/policy/types/ssmParameterApproved"
- aws-stepfunctions-stateMachine : "tmod:@turbot/aws-stepfunctions#/policy/types/stateMachineApproved"
- aws-swf-domain : "tmod:@turbot/aws-swf#/policy/types/domainApproved"
- aws-vpc-connect-customerGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayApproved"
- aws-vpc-core-dhcpOptions : "tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsApproved"
- aws-vpc-internet-egressOnlyInternetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayApproved"
- aws-vpc-internet-elasticIp : "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpApproved"
- aws-vpc-internet-vpcEndpoint : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointApproved"
- aws-vpc-internet-vpcEndpointService : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceApproved"
- aws-vpc-security-flowLog : "tmod:@turbot/aws-vpc-security#/policy/types/flowLogApproved"
- aws-vpc-internet-internetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayApproved"
- aws-vpc-internet-natGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayApproved"
- aws-vpc-security-networkAcl : "tmod:@turbot/aws-vpc-security#/policy/types/networkAclApproved"
- aws-vpc-connect-vpcPeeringConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionApproved"
- aws-vpc-core-routeTable : "tmod:@turbot/aws-vpc-core#/policy/types/routeTableApproved"
- aws-vpc-security-securityGroup :
"tmod:@turbot/aws-vpc-security#/policy/types/securityGroupApproved" - aws-vpc-core-subnet : "tmod:@turbot/aws-vpc-core#/policy/types/subnetApproved" - aws-vpc-connect-transitGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayApproved" - aws-vpc-connect-transitGatewayRouteTable : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableApproved" - aws-vpc-core-vpc : "tmod:@turbot/aws-vpc-core#/policy/types/vpcApproved" - aws-vpc-connect-vpnConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionApproved" - aws-vpc-connect-vpnGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayApproved" - aws-waf-ipSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/ipSetV2RegionalApproved" - aws-waf-regexPatternSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2RegionalApproved" - aws-waf-ruleGroupV2Regional : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2RegionalApproved" - aws-waf-webAclV2Regional : "tmod:@turbot/aws-waf#/policy/types/webAclV2RegionalApproved" - aws-wafregional-rule : "tmod:@turbot/aws-wafregional#/policy/types/ruleApproved" - aws-wellarchitected-workload : "tmod:@turbot/aws-wellarchitected#/policy/types/workloadApproved" - } -} diff --git a/baselines/getting_started/aws/aws_check_regions/outputs.tf b/baselines/getting_started/aws/aws_check_regions/outputs.tf deleted file mode 100644 index 98b1c4e85..000000000 --- a/baselines/getting_started/aws/aws_check_regions/outputs.tf +++ /dev/null @@ -1,23 +0,0 @@ -output "resource_approved_regions" { - value = var.resource_approved_regions -} - -output "resource_approved_regions_region_list" { - value = var.resource_approved_regions_region_list -} - -output "turbot_profile" { - value = var.turbot_profile -} - -output "smart_folder_name" { - value = var.smart_folder_name -} - -output "smart_folder_description" { - value = var.smart_folder_description -} - -output "smart_folder_parent_resource" { - value = var.smart_folder_parent_resource -} 
diff --git a/baselines/getting_started/aws/aws_check_regions/providers.tf b/baselines/getting_started/aws/aws_check_regions/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/aws/aws_check_regions/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/aws/aws_check_regions/smart_folder.tf b/baselines/getting_started/aws/aws_check_regions/smart_folder.tf
deleted file mode 100644
index 2359e6547..000000000
--- a/baselines/getting_started/aws/aws_check_regions/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_regions" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/aws/aws_check_regions/variables.tf b/baselines/getting_started/aws/aws_check_regions/variables.tf
deleted file mode 100644
index 850c0d7cc..000000000
--- a/baselines/getting_started/aws/aws_check_regions/variables.tf
+++ /dev/null
@@ -1,224 +0,0 @@ -# Baseline Configuration - -variable "resource_approved_regions" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command:
-
-```shell
-cd
-terraform plan
-terraform apply
-```
-
-`This may prompt the user applying the baseline to enter values for variables that do not have default values.`
-
-### Destroy baseline without input variable file
-
-If seeking to apply the baseline without using an input variable file.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-### Destroy using input variable files
-
-If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy --var-file=demo.tfvars
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
diff --git a/baselines/getting_started/aws/aws_check_s3/demo.tfvars b/baselines/getting_started/aws/aws_check_s3/demo.tfvars
deleted file mode 100644
index a45c205c2..000000000
--- a/baselines/getting_started/aws/aws_check_s3/demo.tfvars
+++ /dev/null
@@ -1,11 +0,0 @@
-# List of trusted accounts for cross account access
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/trusted-access
-trusted_accounts = [
- "{{ $.account.Id }}", # Self - current AWS Account
- "287590803701", # Turbot SaaS US Prod
- "255798382450", # Turbot SaaS EU Account
-]
-
-# Uses the more complex calculated policy for the version control.
-# See file, s3_versioning_policies.tf
-use_simple_s3_bucket_versioning = false
diff --git a/baselines/getting_started/aws/aws_check_s3/outputs.tf b/baselines/getting_started/aws/aws_check_s3/outputs.tf
deleted file mode 100644
index cd437fe7f..000000000
--- a/baselines/getting_started/aws/aws_check_s3/outputs.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-output "trusted_accounts" {
- value = var.trusted_accounts
-}
-
-output "enable_s3_access_logging_policies" {
- value = var.enable_s3_access_logging_policies
-}
-
-output "enable_s3_active_policies" {
- value = var.enable_s3_active_policies
-}
-
-output "enable_s3_approved_policies" {
- value = var.enable_s3_approved_policies
-}
-
-output "enable_s3_enabled_policies" {
- value = var.enable_s3_enabled_policies
-}
-
-output "enable_s3_encryption_policies" {
- value = var.enable_s3_encryption_policies
-}
-
-output "enable_s3_permission_policies" {
- value = var.enable_s3_permission_policies
-}
-
-output "enable_s3_public_access_policies" {
- value = var.enable_s3_public_access_policies
-}
-
-output "enable_s3_tag_policies" {
- value = var.enable_s3_tag_policies
-}
-
-output "enable_s3_trusted_access_policies" {
- value = var.enable_s3_trusted_access_policies
-}
-
-output "use_simple_s3_bucket_versioning" {
- value = var.use_simple_s3_bucket_versioning
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/providers.tf b/baselines/getting_started/aws/aws_check_s3/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/aws/aws_check_s3/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_access_logging_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_access_logging_policies.tf
deleted file mode 100644
index 887c8b4bf..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_access_logging_policies.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-# AWS > S3 > Bucket > Access Logging
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketAccessLogging
-resource "turbot_policy_setting" "aws_s3_bucket_access_logging" {
- count = var.enable_s3_access_logging_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketAccessLogging"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_active_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_active_policies.tf
deleted file mode 100644
index fbfe22018..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_active_policies.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Active Guardrails - https://turbot.com/v5/docs/concepts/guardrails/active
-
-# AWS > S3 > Bucket > Active
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketActive
-resource "turbot_policy_setting" "aws_s3_bucket_active" {
- count = var.enable_s3_active_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketActive"
- value = "Check: Active"
-}
-
-# AWS > S3 > Bucket > Active > Age
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketActiveAge
-resource "turbot_policy_setting" "aws_s3_bucket_active_age" {
- count = var.enable_s3_active_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketActiveAge"
- value = "Force inactive if age > 60 days"
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_approved_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_approved_policies.tf
deleted file mode 100644
index fd9c31db0..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_approved_policies.tf
+++ /dev/null
@@ -1,34 +0,0 @@ -# Approved Guardrails -# https://turbot.com/v5/docs/concepts/guardrails/approved - -# Simple policy to check if S3 is Approved for Usage -- can adjust for testing per bucket -# Will inherit the Approved Regions list if using the Approved Regions baseline or can keep the Regions setting below. - -# AWS > S3 > Bucket > Approved -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketApproved -resource "turbot_policy_setting" "aws_s3_bucket_approved" { - count = var.enable_s3_approved_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketApproved" - value = "Check: Approved" -} - -# AWS > S3 > Bucket > Approved > Usage -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketApprovedUsage -resource "turbot_policy_setting" "aws_s3_bucket_approved_usage" { - count = var.enable_s3_approved_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketApprovedUsage" - value = "Approved" -} - -# AWS > S3 > Bucket > Approved > Regions -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketApprovedRegions -resource "turbot_policy_setting" "aws_s3_bucket_approved_regions" { - count = var.enable_s3_approved_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketApprovedRegions" - value = < S3 > Enabled -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3Enabled -resource "turbot_policy_setting" "aws_s3_s3_enabled" { - count = var.enable_s3_enabled_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3Enabled" - value = "Enabled" -} - -# AWS > S3 > API Enabled -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3ApiEnabled -resource "turbot_policy_setting" "aws_s3_s3_api_enabled" { - count = var.enable_s3_enabled_policies ? 
1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3ApiEnabled"
- value = "Enabled"
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_encryption_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_encryption_policies.tf
deleted file mode 100644
index 0800444fb..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_encryption_policies.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Encryption at Rest Guardrails
-# https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# Encryption in Transit Guardrails
-# https://turbot.com/v5/docs/concepts/guardrails/encryption-in-transit
-
-# Encryption at Rest and In Transit. Also in the Encryption Baseline
-
-# AWS > S3 > Bucket > Encryption in Transit
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/encryptionInTransit
-resource "turbot_policy_setting" "aws_s3_encryption_in_transit" {
- count = var.enable_s3_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/encryptionInTransit"
- value = "Check: Enabled"
-}
-
-# AWS > S3 > Bucket > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketEncryptionAtRest
-resource "turbot_policy_setting" "aws_s3_bucket_encryption_at_rest" {
- count = var.enable_s3_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketEncryptionAtRest"
- value = "Check: AWS SSE or higher"
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_permission_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_permission_policies.tf
deleted file mode 100644
index 1601727d6..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_permission_policies.tf
+++ /dev/null
@@ -1,54 +0,0 @@ -# This is an example of IAM Lockdown Permissions and Turbot AWS RBAC that can be set -# Assumes your use of Turbot AWS RBAC; setting these policies will only set conditions, nothing will action or check. -# If you are not using Turbot AWS RBAC controls you can ignore this part of the baseline - -# AWS > S3 > Permissions > Levels -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3PermissionsLevels -resource "turbot_policy_setting" "aws_s3_s3_permissions_levels" { - count = var.enable_s3_permission_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevels" - value = < S3 > Permissions > Levels > Cross Replication Administration -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3PermissionsLevelsCrossReplicationAdministration -resource "turbot_policy_setting" "aws_s3_s3_permissions_levels_cross_replication_administration" { - count = var.enable_s3_permission_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsCrossReplicationAdministration" - value = "None" -} - -# AWS > S3 > Permissions > Levels > CORS Administration -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3PermissionsLevelsCorsAdministration -resource "turbot_policy_setting" "aws_s3_s3_permissions_levels_cors_administration" { - count = var.enable_s3_permission_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsCorsAdministration" - value = "None" -} - -# AWS > S3 > Permissions > Levels > ACL Administration -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3PermissionsLevelsAclAdministration -resource "turbot_policy_setting" "aws_s3_s3_permissions_levels_acl_administration" { - count = var.enable_s3_permission_policies ? 
1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsAclAdministration"
- value = "None"
-}
-
-# AWS > S3 > Permissions > Levels > Access Logging Administration
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3PermissionsLevelsAccessLoggingAdministration
-resource "turbot_policy_setting" "aws_s3_s3_permissions_levels_access_logging_administration" {
- count = var.enable_s3_permission_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/s3PermissionsLevelsAccessLoggingAdministration"
- value = "None"
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_public_access_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_public_access_policies.tf
deleted file mode 100644
index 1ee5b1a22..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_public_access_policies.tf
+++ /dev/null
@@ -1,52 +0,0 @@ -# Public Access Guardrails -# https://turbot.com/v5/docs/concepts/guardrails/public-access - -### S3 Account Level Public Access Block Policies ### - -# AWS > S3 > Account > Public Access Block -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3AccountPublicAccessBlock -resource "turbot_policy_setting" "aws_s3_s3_account_public_access_block" { - count = var.enable_s3_public_access_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlock" - value = "Check: Per `Public Access Block > Settings`" -} - -# AWS > S3 > Account > Public Access Block > Settings -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3AccountPublicAccessBlockSettings -resource "turbot_policy_setting" "aws_s3_s3_account_public_access_block_settings" { - count = var.enable_s3_public_access_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3AccountPublicAccessBlockSettings" - value = < S3 > Bucket > Public Access Block -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3BucketPublicAccessBlock -resource "turbot_policy_setting" "aws_s3_s3_bucket_public_access_block" { - count = var.enable_s3_public_access_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlock" - value = "Check: Per `Public Access Block > Settings`" -} - -# AWS > S3 > Bucket > Public Access Block > Settings -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/s3BucketPublicAccessBlockSettings -resource "turbot_policy_setting" "aws_s3_s3_bucket_public_access_block_settings" { - count = var.enable_s3_public_access_policies ? 
1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/s3BucketPublicAccessBlockSettings" - value = < S3 > Bucket > Tags -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketTags -resource "turbot_policy_setting" "aws_s3_bucket_tags" { - count = var.enable_s3_tag_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketTags" - value = "Check: Tags are correct" -} - -# AWS > S3 > Bucket > Tags > Template -# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketTagsTemplate -resource "turbot_policy_setting" "aws_s3_bucket_tags_template" { - count = var.enable_s3_tag_policies ? 1 : 0 - resource = turbot_smart_folder.aws_all_s3.id - type = "tmod:@turbot/aws-s3#/policy/types/bucketTagsTemplate" - template_input = <<-QUERY - { - resource { - turbot { - title - tags - } - creator: notifications(filter: "sort:version_id limit:1") { - items { - actor { - alternatePersona - identity { - turbot { - title - } - } - } - turbot { - createTimestamp - } - } - } - } - } - QUERY - # Nunjucks template to set tags and check for tag validity. - template = <<-TEMPLATE - # Bring in environment metadata / attributes - Name: "{{ $.resource.turbot.title }}" - # Enforce selection of values, set to "Non-Compliant" if out of bounds - Environment: "{% if $.resource.turbot.tags['Environment'] in ['Dev', 'QA', 'Prod', 'Temp'] %}{{ $.resource.turbot.tags['Environment'] }}{% else %}Non-Compliant Tag{% endif %}" - # Actor who created the resource - CreatedByActor: "{% if $.resource.creator.items[0].actor.identity.turbot.title == 'Unidentified Identity' %}{{ $.resource.creator.items[0].actor.alternatePersona }}{% else %}{{ $.resource.creator.items[0].actor.identity.turbot.title }}{% endif %}" - # Creation Timestamp - CreatedByTime: "{{ $.resource.creator.items[0].turbot.createTimestamp }}" - TEMPLATE -} 
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_trusted_access_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_trusted_access_policies.tf
deleted file mode 100644
index 9a88b2ba9..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_trusted_access_policies.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-# Trusted Access Guardrails
-# https://turbot.com/v5/docs/concepts/guardrails/trusted-access
-
-# Trusted Accounts Access controls
-# Will inherit the trusted accounts from Public Access baseline or from what is set in this baseline
-
-# AWS > S3 > Bucket > Policy > Trusted Access
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketPolicyTrustedAccess
-resource "turbot_policy_setting" "aws_s3_bucket_policy_trusted_access" {
- count = var.enable_s3_trusted_access_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedAccess"
- value = "Check: Trusted Access"
-}
-
-# Trusted account calculated policy sets the global template for S3 Buckets specifically.
-# It will add trusted accounts which are provided externally by the user of the Terraform script.
-# The global template from the Public Access baseline can be used as well.
-
-# AWS > S3 > Bucket > Policy > Trusted Access > Accounts
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketPolicyTrustedAccounts
-resource "turbot_policy_setting" "aws_s3_trusted_accounts_template" {
- count = var.enable_s3_trusted_access_policies ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketPolicyTrustedAccounts"
- template_input = <<-QUERY
- {
- account {
- Id
- }
- }
- QUERY
-
- # set trustedAccounts from terraform.tfvars
- template = <<-TEMPLATE
- ${yamlencode([for account in var.trusted_accounts : account])}
- TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/s3_versioning_policies.tf b/baselines/getting_started/aws/aws_check_s3/s3_versioning_policies.tf
deleted file mode 100644
index 5f1f1dbf8..000000000
--- a/baselines/getting_started/aws/aws_check_s3/s3_versioning_policies.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Simple Policy setting for bucket versioning.
-
-# This is the default version policy that will be created when applying the Terraform configuration as
-# use_simple_s3_bucket_versioning defaults to true.
-
-# AWS > S3 > Bucket > Versioning
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketVersioning
-resource "turbot_policy_setting" "aws_s3_bucket_versioning_simple" {
- count = var.use_simple_s3_bucket_versioning ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketVersioning"
- value = "Check: Enabled"
-}
-
-# Using a calculated policy here as an example for getting started with calculated policies
-# Shows an example of setting different checks based on naming syntax and tag key:value pair
-
-# To enable this policy set the variable use_simple_s3_bucket_versioning to false which will not apply the simple
-# versioning version.
-
-# AWS > S3 > Bucket > Versioning
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketVersioning
-resource "turbot_policy_setting" "aws_s3_bucket_versioning" {
- count = var.use_simple_s3_bucket_versioning ? 1 : 0
- resource = turbot_smart_folder.aws_all_s3.id
- type = "tmod:@turbot/aws-s3#/policy/types/bucketVersioning"
- template_input = <<-QUERY
- {
- bucket {
- Name
- turbot {
- tags
- }
- }
- }
- QUERY
-
- # Nunjucks template evaluate metadata.
- template = <<-TEMPLATE
- {%- set result = "Check: Enabled" -%}
- {%- set regExp = r/turbot-demo.*/g -%}
-
- {%- if regExp.test($.bucket.Name) or $.bucket.turbot.tags.Test == "Temp"-%}
- {%- set result = "Check: Disabled" -%}
- {%- endif -%}
-
- {{ result }}
- TEMPLATE
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/smart_folder.tf b/baselines/getting_started/aws/aws_check_s3/smart_folder.tf
deleted file mode 100644
index 9c0609692..000000000
--- a/baselines/getting_started/aws/aws_check_s3/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "aws_all_s3" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/aws/aws_check_s3/variables.tf b/baselines/getting_started/aws/aws_check_s3/variables.tf
deleted file mode 100644
index bd4151427..000000000
--- a/baselines/getting_started/aws/aws_check_s3/variables.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-# Baseline Configuration
-variable "trusted_accounts" {
- type = list(string)
- default = []
-}
-
-variable "enable_s3_access_logging_policies" {
- type = bool
- description = "Enable the S3 access logging policies for baseline"
- default = true
-}
-
-variable "enable_s3_active_policies" {
- type = bool
- description = "Enable the S3 active policies for baseline"
- default = true
-}
-
-variable "enable_s3_approved_policies" {
- type = bool
- description = "Enable the S3 approved policies for baseline"
- default = true
-}
-
-variable "enable_s3_enabled_policies" {
- type = bool
- description = "Enable the S3 enabled policies for baseline"
- default = true
-}
-
-variable "enable_s3_encryption_policies" {
- type = bool
- description = "Enable the S3 encryption policies for baseline"
- default = true
-}
-
-variable "enable_s3_permission_policies" {
- type = bool
- description = "Enable the S3 permission policies for baseline"
- default = true
-}
-
-variable "enable_s3_public_access_policies" {
- type = bool
- description = "Enable the S3 public access policies for baseline"
- default = true
-}
-
-variable "enable_s3_tag_policies" {
- type = bool
- description = "Enable the S3 tag policies for baseline"
- default = true
-}
-
-variable "enable_s3_trusted_access_policies" {
- type = bool
- description = "Enable the S3 trusted access policies for baseline"
- default = true
-}
-
-variable "use_simple_s3_bucket_versioning" {
- type = bool
- description = "Enable the S3 versioning policies for baseline"
- default = true
-}
-
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "AWS Check S3 Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the AWS check S3 baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/aws/aws_check_stack/README.md b/baselines/getting_started/aws/aws_check_stack/README.md
deleted file mode 100644
index dc918d5ec..000000000
--- a/baselines/getting_started/aws/aws_check_stack/README.md
+++ /dev/null
@@ -1,137 +0,0 @@ -# Baseline - AWS Check Stack - -AWS Check Stack will allow you to set policy to deploy AWS Account IAM Stack , Terraform version for you source and also to apply the Stack Source policy. - -More info - -- [Stacks and the Configured Guardrails](https://turbot.com/v5/docs/concepts/guardrails/configured) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. 
This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_stack/aws_account_iam_stack_policies.tf b/baselines/getting_started/aws/aws_check_stack/aws_account_iam_stack_policies.tf deleted file mode 100644 index 0a24e4f7c..000000000 --- a/baselines/getting_started/aws/aws_check_stack/aws_account_iam_stack_policies.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -# AWS > Account > Stack -# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/accountStack -resource "turbot_policy_setting" "aws_account_iam_stack" { - count = var.aws_account_iam_stack ? 1 : 0 - resource = turbot_smart_folder.aws_stack.id - type = "tmod:@turbot/aws#/policy/types/accountStack" - value = "Check: Configured" - #value = "Enforce: Configured" -} - -# AWS > Account > Stack > Terraform Version -# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/accountStackTerraformVersion -resource "turbot_policy_setting" "aws_account_iam_stack_tfversion" { - count = var.aws_account_iam_stack_tfversion ? 1 : 0 - resource = turbot_smart_folder.aws_stack.id - type = "tmod:@turbot/aws#/policy/types/accountStackTerraformVersion" - value = "0.13.*" -} - -# AWS > Account > Stack > Source -# https://turbot.com/v5/mods/turbot/aws/inspect#/policy/types/accountStackSource -resource "turbot_policy_setting" "aws_account_iam_stack_source" { - count = var.aws_account_iam_stack_source ? 1 : 0 - resource = turbot_smart_folder.aws_stack.id - type = "tmod:@turbot/aws#/policy/types/accountStackSource" - value = <<-SOURCE - ${file("./tf_includes/sourcestack_policies.tf")} - SOURCE -} - -# AWS > Turbot > Permissions > Custom Levels [Account] -# https://turbot.com/v5/mods/turbot/aws-iam/inspect#/policy/types/permissionsCustomLevelsAccount -resource "turbot_policy_setting" "aws_iam_permissions_custom_levels_account" { - count = var.aws_iam_permissions_custom_levels_account ? 1 : 0 - resource = turbot_smart_folder.aws_stack.id - type = "tmod:@turbot/aws-iam#/policy/types/permissionsCustomLevelsAccount" - value = < -terraform init -terraform apply --var-file demo.tfvars -``` - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). 
- -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. 
- -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_check_tagging/aws_tagging.tf b/baselines/getting_started/aws/aws_check_tagging/aws_tagging.tf deleted file mode 100644 index e48b51f92..000000000 --- a/baselines/getting_started/aws/aws_check_tagging/aws_tagging.tf +++ /dev/null 
@@ -1,81 +0,0 @@
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/tagging
-
-# AWS > EC2 > Instance > Tags
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/instanceTags
-# AWS > EC2 > Snapshot > Tags
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/snapshotTags
-# AWS > EC2 > Volume > Tags
-# https://turbot.com/v5/mods/turbot/aws-ec2/inspect#/policy/types/volumeTags
-# AWS > Lambda > Function > Tags
-# https://turbot.com/v5/mods/turbot/aws-lambda/inspect#/policy/types/functionTags
-# AWS > S3 > Bucket > Tags
-# https://turbot.com/v5/mods/turbot/aws-s3/inspect#/policy/types/bucketTags
-# AWS > VPC > Security Group > Tags
-# https://turbot.com/v5/mods/turbot/aws-vpc-security/inspect#/policy/types/securityGroupTags
-# AWS > VPC > VPC > Tags
-# https://turbot.com/v5/mods/turbot/aws-vpc-core/inspect#/policy/types/vpcTags
-
-resource "turbot_policy_setting" "set_resource_tag_policies" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.aws_tagging.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-## Sets the default tag template for all resources.
-resource "turbot_policy_setting" "default_tag_template" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.aws_tagging.id
- type = local.policy_map_template[each.key]
- # GraphQL to pull metadata
- template_input = <<-QUERY
- {
- resource {
- turbot {
- title
- tags
- }
- creator: notifications(filter: "sort:version_id limit:1") {
- items {
- actor {
- alternatePersona
- identity {
- turbot {
- title
- }
- }
- }
- turbot {
- createTimestamp
- }
- }
- }
- }
- }
- QUERY
- # Nunjucks template to set tags and check for tag validity.
- template = <<-TEMPLATE
- # Bring in environment metadata / attributes
- Name: "{{ $.resource.turbot.title }}"
- # Enforce selection of values, set to "Non-Compliant" if out of bounds
- Environment: "{% if $.resource.turbot.tags['Environment'] in ['Dev', 'QA', 'Prod', 'Temp'] %}{{ $.resource.turbot.tags['Environment'] }}{% else %}Non-Compliant Tag{% endif %}"
- # Actor who created the resource
- CreatedByActor: "{% if $.resource.creator.items[0].actor.identity.turbot.title == 'Unidentified Identity' %}{{ $.resource.creator.items[0].actor.alternatePersona }}{% else %}{{ $.resource.creator.items[0].actor.identity.turbot.title }}{% endif %}"
- # Creation Timestamp
- CreatedByTime: "{{ $.resource.creator.items[0].turbot.createTimestamp }}"
- TEMPLATE
-}
-
-# Missing Tag on folder use case:
-## {%- set missingTag = "__MissingTag__" -%}
-## {%- set required_tags = ${jsonencode([for tag_name in var.required_tags : tag_name])} -%}
-## # If Resource has a required tag, will accept the resource tag, else will tag with Folder tag value.
-## {%- for tag_name in required_tags %}
-## {%- if tag_name in $.resource.turbot.tags %}
-## {{tag_name}}: "{{ $.resource.turbot.tags[tag_name] }}"
-## {%- elif tag_name in $.folder.turbot.tags %}
-## {{tag_name}}: "{{ $.folder.turbot.tags[tag_name] }}"
-## {%- else %}
-## {{tag_name}}: {{missingTag}}
-## {%- endif %}
-## {%- endfor %}
diff --git a/baselines/getting_started/aws/aws_check_tagging/demo.tfvars b/baselines/getting_started/aws/aws_check_tagging/demo.tfvars
deleted file mode 100644
index 4dc869ea4..000000000
--- a/baselines/getting_started/aws/aws_check_tagging/demo.tfvars
+++ /dev/null
@@ -1,9 +0,0 @@
-resource_tags = {
- aws-ec2-instance = "Check: Tags are correct"
- aws-ec2-snapshot = "Check: Tags are correct"
- aws-ec2-volume = "Check: Tags are correct"
- aws-lambda-function = "Check: Tags are correct"
- aws-s3-bucket = "Check: Tags are correct"
- aws-vpc-security-securityGroup = "Check: Tags are correct"
- aws-vpc-core-vpc = "Check: Tags are correct"
-}
diff --git a/baselines/getting_started/aws/aws_check_tagging/locals.tf b/baselines/getting_started/aws/aws_check_tagging/locals.tf
deleted file mode 100644
index 48d246565..000000000
--- a/baselines/getting_started/aws/aws_check_tagging/locals.tf
+++ /dev/null
@@ -1,268 +0,0 @@ -locals { - # Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope - policy_map = { - aws-acm-certificate : "tmod:@turbot/aws-acm#/policy/types/certificateTags" - aws-mq-broker : "tmod:@turbot/aws-mq#/policy/types/brokerTags" - aws-mq-configuration : "tmod:@turbot/aws-mq#/policy/types/configurationTags" - aws-amplify-app : "tmod:@turbot/aws-amplify#/policy/types/appTags" - aws-apigateway-api : "tmod:@turbot/aws-apigateway#/policy/types/apiTags" - aws-apigateway-apiKey : "tmod:@turbot/aws-apigateway#/policy/types/apiKeyTags" - aws-apigateway-apiV2 : "tmod:@turbot/aws-apigateway#/policy/types/apiV2Tags" - aws-apigateway-domainNameV2 : "tmod:@turbot/aws-apigateway#/policy/types/domainNameV2Tags" - aws-apigateway-stage : "tmod:@turbot/aws-apigateway#/policy/types/stageTags" - aws-apigateway-stageV2 : "tmod:@turbot/aws-apigateway#/policy/types/stageV2Tags" - aws-apigateway-usagePlan : "tmod:@turbot/aws-apigateway#/policy/types/usagePlanTags" - aws-appmesh-mesh : "tmod:@turbot/aws-appmesh#/policy/types/meshTags" - aws-athena-namedQuery : "tmod:@turbot/aws-athena#/policy/types/namedQueryTags" - aws-athena-workgroup : "tmod:@turbot/aws-athena#/policy/types/workgroupTags" - aws-backup-backupPlan : "tmod:@turbot/aws-backup#/policy/types/backupPlanTags" - aws-backup-backupVault : "tmod:@turbot/aws-backup#/policy/types/backupVaultTags" - aws-cloudformation-stack : "tmod:@turbot/aws-cloudformation#/policy/types/stackTags" - aws-cloudformation-stackSet : "tmod:@turbot/aws-cloudformation#/policy/types/stackSetTags" - aws-cloudfront-distribution : "tmod:@turbot/aws-cloudfront#/policy/types/distributionTags" - aws-cloudfront-streamingDistribution : "tmod:@turbot/aws-cloudfront#/policy/types/streamingDistributionTags" - aws-cloudtrail-trail : "tmod:@turbot/aws-cloudtrail#/policy/types/trailTags" - aws-cloudwatch-alarm : "tmod:@turbot/aws-cloudwatch#/policy/types/alarmTags" - 
aws-codebuild-project : "tmod:@turbot/aws-codebuild#/policy/types/projectTags" - aws-codecommit-repository : "tmod:@turbot/aws-codecommit#/policy/types/repositoryTags" - aws-config-rule : "tmod:@turbot/aws-config#/policy/types/ruleTags" - aws-dax-cluster : "tmod:@turbot/aws-dax#/policy/types/clusterTags" - aws-directoryservice-directory : "tmod:@turbot/aws-directoryservice#/policy/types/directoryTags" - aws-dms-endpoint : "tmod:@turbot/aws-dms#/policy/types/endpointTags" - aws-docdb-dbCluster : "tmod:@turbot/aws-docdb#/policy/types/dbClusterTags" - aws-docdb-dbClusterParameterGroup : "tmod:@turbot/aws-docdb#/policy/types/dbClusterParameterGroupTags" - aws-docdb-dbInstance : "tmod:@turbot/aws-docdb#/policy/types/dbInstanceTags" - aws-dynamodb-table : "tmod:@turbot/aws-dynamodb#/policy/types/tableTags" - aws-ec2-ami : "tmod:@turbot/aws-ec2#/policy/types/amiTags" - aws-ec2-applicationLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTags" - aws-ec2-autoScalingGroup : "tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTags" - aws-ec2-classicLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTags" - aws-ec2-instance : "tmod:@turbot/aws-ec2#/policy/types/instanceTags" - aws-ec2-keyPair : "tmod:@turbot/aws-ec2#/policy/types/keyPairTags" - aws-ec2-launchTemplate : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateTags" - aws-ec2-networkInterface : "tmod:@turbot/aws-ec2#/policy/types/networkInterfaceTags" - aws-ec2-networkLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerTags" - aws-ec2-snapshot : "tmod:@turbot/aws-ec2#/policy/types/snapshotTags" - aws-ec2-targetGroup : "tmod:@turbot/aws-ec2#/policy/types/targetGroupTags" - aws-ec2-volume : "tmod:@turbot/aws-ec2#/policy/types/volumeTags" - aws-ecr-repository : "tmod:@turbot/aws-ecr#/policy/types/repositoryTags" - aws-ecs-cluster : "tmod:@turbot/aws-ecs#/policy/types/clusterTags" - aws-ecs-taskDefinition : "tmod:@turbot/aws-ecs#/policy/types/taskDefinitionTags" 
- aws-efs-fileSystem : "tmod:@turbot/aws-efs#/policy/types/fileSystemTags" - aws-eks-cluster : "tmod:@turbot/aws-eks#/policy/types/clusterTags" - aws-eks-nodeGroup : "tmod:@turbot/aws-eks#/policy/types/nodeGroupTags" - aws-elasticbeanstalk-application : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/applicationTags" - aws-elasticbeanstalk-environment : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/environmentTags" - aws-elasticache-cacheCluster : "tmod:@turbot/aws-elasticache#/policy/types/cacheClusterTags" - aws-elasticache-snapshot : "tmod:@turbot/aws-elasticache#/policy/types/snapshotTags" - aws-elasticsearch-domain : "tmod:@turbot/aws-elasticsearch#/policy/types/domainTags" - aws-emr-cluster : "tmod:@turbot/aws-emr#/policy/types/clusterTags" - aws-fsx-backup : "tmod:@turbot/aws-fsx#/policy/types/backupTags" - aws-fsx-fileSystem : "tmod:@turbot/aws-fsx#/policy/types/fileSystemTags" - aws-glacier-vault : "tmod:@turbot/aws-glacier#/policy/types/vaultTags" - aws-guardduty-detector : "tmod:@turbot/aws-guardduty#/policy/types/detectorTags" - aws-guardduty-ipSet : "tmod:@turbot/aws-guardduty#/policy/types/ipSetTags" - aws-guardduty-threatIntelSet : "tmod:@turbot/aws-guardduty#/policy/types/threatIntelSetTags" - aws-iam-role : "tmod:@turbot/aws-iam#/policy/types/roleTags" - aws-iam-user : "tmod:@turbot/aws-iam#/policy/types/userTags" - aws-inspector-assessmentTemplate : "tmod:@turbot/aws-inspector#/policy/types/assessmentTemplateTags" - aws-kinesis-stream : "tmod:@turbot/aws-kinesis#/policy/types/streamTags" - aws-kms-key : "tmod:@turbot/aws-kms#/policy/types/keyTags" - aws-lambda-function : "tmod:@turbot/aws-lambda#/policy/types/functionTags" - aws-logs-logGroup : "tmod:@turbot/aws-logs#/policy/types/logGroupTags" - aws-msk-cluster : "tmod:@turbot/aws-msk#/policy/types/clusterTags" - aws-neptune-dbCluster : "tmod:@turbot/aws-neptune#/policy/types/dbClusterTags" - aws-neptune-dbInstance : "tmod:@turbot/aws-neptune#/policy/types/dbInstanceTags" - aws-qldb-ledger : 
"tmod:@turbot/aws-qldb#/policy/types/ledgerTags" - aws-rds-dbCluster : "tmod:@turbot/aws-rds#/policy/types/dbClusterTags" - aws-rds-dbClusterParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbClusterParameterGroupTags" - aws-rds-dbClusterSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualTags" - aws-rds-dbInstance : "tmod:@turbot/aws-rds#/policy/types/dbInstanceTags" - aws-rds-dbParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbParameterGroupTags" - aws-rds-dbSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualTags" - aws-rds-optionGroup : "tmod:@turbot/aws-rds#/policy/types/optionGroupTags" - aws-rds-subnetGroup : "tmod:@turbot/aws-rds#/policy/types/subnetGroupTags" - aws-redshift-cluster : "tmod:@turbot/aws-redshift#/policy/types/clusterTags" - aws-redshift-clusterParameterGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterParameterGroupTags" - aws-redshift-clusterSubnetGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterSubnetGroupTags" - aws-redshift-clusterSnapshotManual : "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualTags" - aws-robomaker-fleet : "tmod:@turbot/aws-robomaker#/policy/types/fleetTags" - aws-robomaker-robot : "tmod:@turbot/aws-robomaker#/policy/types/robotTags" - aws-robomaker-robotApplication : "tmod:@turbot/aws-robomaker#/policy/types/robotApplicationTags" - aws-route53-hostedZone : "tmod:@turbot/aws-route53#/policy/types/hostedZoneTags" - aws-route53resolver-resolverEndpoint : "tmod:@turbot/aws-route53resolver#/policy/types/resolverEndpointTags" - aws-route53resolver-resolverRule : "tmod:@turbot/aws-route53resolver#/policy/types/resolverRuleTags" - aws-s3-bucket : "tmod:@turbot/aws-s3#/policy/types/bucketTags" - aws-secretsmanager-secret : "tmod:@turbot/aws-secretsmanager#/policy/types/secretTags" - aws-securityhub-hub : "tmod:@turbot/aws-securityhub#/policy/types/hubTags" - aws-sns-topic : "tmod:@turbot/aws-sns#/policy/types/topicTags" - aws-sqs-queue : 
"tmod:@turbot/aws-sqs#/policy/types/queueTags" - aws-ssm-document : "tmod:@turbot/aws-ssm#/policy/types/documentTags" - aws-ssm-maintenanceWindow : "tmod:@turbot/aws-ssm#/policy/types/maintenanceWindowTags" - aws-ssm-ssmParameter : "tmod:@turbot/aws-ssm#/policy/types/ssmParameterTags" - aws-stepfunctions-stateMachine : "tmod:@turbot/aws-stepfunctions#/policy/types/stateMachineTags" - aws-swf-domain : "tmod:@turbot/aws-swf#/policy/types/domainTags" - aws-vpc-connect-customerGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTags" - aws-vpc-core-dhcpOptions : "tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsTags" - aws-vpc-internet-egressOnlyInternetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayTags" - aws-vpc-internet-elasticIp : "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpTags" - aws-vpc-internet-vpcEndpoint : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointTags" - aws-vpc-internet-vpcEndpointService : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceTags" - aws-vpc-security-flowLog : "tmod:@turbot/aws-vpc-security#/policy/types/flowLogTags" - aws-vpc-internet-internetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayTags" - aws-vpc-internet-natGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayTags" - aws-vpc-security-networkAcl : "tmod:@turbot/aws-vpc-security#/policy/types/networkAclTags" - aws-vpc-connect-vpcPeeringConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTags" - aws-vpc-core-routeTable : "tmod:@turbot/aws-vpc-core#/policy/types/routeTableTags" - aws-vpc-security-securityGroup : "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTags" - aws-vpc-core-subnet : "tmod:@turbot/aws-vpc-core#/policy/types/subnetTags" - aws-vpc-connect-transitGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTags" - aws-vpc-connect-transitGatewayRouteTable : 
"tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTags" - aws-vpc-core-vpc : "tmod:@turbot/aws-vpc-core#/policy/types/vpcTags" - aws-vpc-connect-vpnConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTags" - aws-vpc-connect-vpnGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayTags" - aws-waf-ipSetV2Global : "tmod:@turbot/aws-waf#/policy/types/ipSetV2GlobalTags" - aws-waf-ipSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/ipSetV2RegionalTags" - aws-waf-regexPatternSetV2Global : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2GlobalTags" - aws-waf-regexPatternSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2RegionalTags" - aws-waf-ruleGroupV2Global : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2GlobalTags" - aws-waf-ruleGroupV2Regional : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2RegionalTags" - aws-waf-webacl : "tmod:@turbot/aws-waf#/policy/types/webaclTags" - aws-waf-webAclV2Global : "tmod:@turbot/aws-waf#/policy/types/webAclV2GlobalTags" - aws-waf-webAclV2Regional : "tmod:@turbot/aws-waf#/policy/types/webAclV2RegionalTags" - } - - # Mapping of resource name to resource tag map policy - # Note: the resource map above dictates the applicable use of each line item below. 
You do not need to comment out these items to reduce scope - policy_map_template = { - aws-acm-certificate : "tmod:@turbot/aws-acm#/policy/types/certificateTagsTemplate" - aws-mq-broker : "tmod:@turbot/aws-mq#/policy/types/brokerTagsTemplate" - aws-mq-configuration : "tmod:@turbot/aws-mq#/policy/types/configurationTagsTemplate" - aws-amplify-app : "tmod:@turbot/aws-amplify#/policy/types/appTagsTemplate" - aws-apigateway-api : "tmod:@turbot/aws-apigateway#/policy/types/apiTagsTemplate" - aws-apigateway-apiKey : "tmod:@turbot/aws-apigateway#/policy/types/apiKeyTagsTemplate" - aws-apigateway-apiV2 : "tmod:@turbot/aws-apigateway#/policy/types/apiV2TagsTemplate" - aws-apigateway-domainNameV2 : "tmod:@turbot/aws-apigateway#/policy/types/domainNameV2TagsTemplate" - aws-apigateway-stage : "tmod:@turbot/aws-apigateway#/policy/types/stageTagsTemplate" - aws-apigateway-stageV2 : "tmod:@turbot/aws-apigateway#/policy/types/stageV2TagsTemplate" - aws-apigateway-usagePlan : "tmod:@turbot/aws-apigateway#/policy/types/usagePlanTagsTemplate" - aws-appmesh-mesh : "tmod:@turbot/aws-appmesh#/policy/types/meshTagsTemplate" - aws-athena-namedQuery : "tmod:@turbot/aws-athena#/policy/types/namedQueryTagsTemplate" - aws-athena-workgroup : "tmod:@turbot/aws-athena#/policy/types/workgroupTagsTemplate" - aws-backup-backupPlan : "tmod:@turbot/aws-backup#/policy/types/backupPlanTagsTemplate" - aws-backup-backupVault : "tmod:@turbot/aws-backup#/policy/types/backupVaultTagsTemplate" - aws-cloudformation-stack : "tmod:@turbot/aws-cloudformation#/policy/types/stackTagsTemplate" - aws-cloudformation-stackSet : "tmod:@turbot/aws-cloudformation#/policy/types/stackSetTagsTemplate" - aws-cloudfront-distribution : "tmod:@turbot/aws-cloudfront#/policy/types/distributionTagsTemplate" - aws-cloudfront-streamingDistribution : "tmod:@turbot/aws-cloudfront#/policy/types/streamingDistributionTagsTemplate" - aws-cloudtrail-trail : "tmod:@turbot/aws-cloudtrail#/policy/types/trailTagsTemplate" - 
aws-cloudwatch-alarm : "tmod:@turbot/aws-cloudwatch#/policy/types/alarmTagsTemplate" - aws-codebuild-project : "tmod:@turbot/aws-codebuild#/policy/types/projectTagsTemplate" - aws-codecommit-repository : "tmod:@turbot/aws-codecommit#/policy/types/repositoryTagsTemplate" - aws-config-rule : "tmod:@turbot/aws-config#/policy/types/ruleTagsTemplate" - aws-dax-cluster : "tmod:@turbot/aws-dax#/policy/types/clusterTagsTemplate" - aws-directoryservice-directory : "tmod:@turbot/aws-directoryservice#/policy/types/directoryTagsTemplate" - aws-dms-endpoint : "tmod:@turbot/aws-dms#/policy/types/endpointTagsTemplate" - aws-docdb-dbCluster : "tmod:@turbot/aws-docdb#/policy/types/dbClusterTagsTemplate" - aws-docdb-dbClusterParameterGroup : "tmod:@turbot/aws-docdb#/policy/types/dbClusterParameterGroupTagsTemplate" - aws-docdb-dbInstance : "tmod:@turbot/aws-docdb#/policy/types/dbInstanceTagsTemplate" - aws-dynamodb-table : "tmod:@turbot/aws-dynamodb#/policy/types/tableTagsTemplate" - aws-ec2-ami : "tmod:@turbot/aws-ec2#/policy/types/amiTagsTemplate" - aws-ec2-applicationLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/applicationLoadBalancerTagsTemplate" - aws-ec2-autoScalingGroup : "tmod:@turbot/aws-ec2#/policy/types/autoScalingGroupTagsTemplate" - aws-ec2-classicLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/classicLoadBalancerTagsTemplate" - aws-ec2-instance : "tmod:@turbot/aws-ec2#/policy/types/instanceTagsTemplate" - aws-ec2-keyPair : "tmod:@turbot/aws-ec2#/policy/types/keyPairTagsTemplate" - aws-ec2-launchTemplate : "tmod:@turbot/aws-ec2#/policy/types/launchTemplateTagsTemplate" - aws-ec2-networkInterface : "tmod:@turbot/aws-ec2#/policy/types/networkInterfaceTagsTemplate" - aws-ec2-networkLoadBalancer : "tmod:@turbot/aws-ec2#/policy/types/networkLoadBalancerTagsTemplate" - aws-ec2-snapshot : "tmod:@turbot/aws-ec2#/policy/types/snapshotTagsTemplate" - aws-ec2-targetGroup : "tmod:@turbot/aws-ec2#/policy/types/targetGroupTagsTemplate" - aws-ec2-volume : 
"tmod:@turbot/aws-ec2#/policy/types/volumeTagsTemplate" - aws-ecr-repository : "tmod:@turbot/aws-ecr#/policy/types/repositoryTagsTemplate" - aws-ecs-cluster : "tmod:@turbot/aws-ecs#/policy/types/clusterTagsTemplate" - aws-ecs-taskDefinition : "tmod:@turbot/aws-ecs#/policy/types/taskDefinitionTagsTemplate" - aws-efs-fileSystem : "tmod:@turbot/aws-efs#/policy/types/fileSystemTagsTemplate" - aws-eks-cluster : "tmod:@turbot/aws-eks#/policy/types/clusterTagsTemplate" - aws-eks-nodeGroup : "tmod:@turbot/aws-eks#/policy/types/nodeGroupTagsTemplate" - aws-elasticbeanstalk-application : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/applicationTagsTemplate" - aws-elasticbeanstalk-environment : "tmod:@turbot/aws-elasticbeanstalk#/policy/types/environmentTagsTemplate" - aws-elasticache-cacheCluster : "tmod:@turbot/aws-elasticache#/policy/types/cacheClusterTagsTemplate" - aws-elasticache-snapshot : "tmod:@turbot/aws-elasticache#/policy/types/snapshotTagsTemplate" - aws-elasticsearch-domain : "tmod:@turbot/aws-elasticsearch#/policy/types/domainTagsTemplate" - aws-emr-cluster : "tmod:@turbot/aws-emr#/policy/types/clusterTagsTemplate" - aws-fsx-backup : "tmod:@turbot/aws-fsx#/policy/types/backupTagsTemplate" - aws-fsx-fileSystem : "tmod:@turbot/aws-fsx#/policy/types/fileSystemTagsTemplate" - aws-glacier-vault : "tmod:@turbot/aws-glacier#/policy/types/vaultTagsTemplate" - aws-guardduty-detector : "tmod:@turbot/aws-guardduty#/policy/types/detectorTagsTemplate" - aws-guardduty-ipSet : "tmod:@turbot/aws-guardduty#/policy/types/ipSetTagsTemplate" - aws-guardduty-threatIntelSet : "tmod:@turbot/aws-guardduty#/policy/types/threatIntelSetTagsTemplate" - aws-iam-role : "tmod:@turbot/aws-iam#/policy/types/roleTagsTemplate" - aws-iam-user : "tmod:@turbot/aws-iam#/policy/types/userTagsTemplate" - aws-inspector-assessmentTemplate : "tmod:@turbot/aws-inspector#/policy/types/assessmentTemplateTagsTemplate" - aws-kinesis-stream : "tmod:@turbot/aws-kinesis#/policy/types/streamTagsTemplate" - 
aws-kms-key : "tmod:@turbot/aws-kms#/policy/types/keyTagsTemplate" - aws-lambda-function : "tmod:@turbot/aws-lambda#/policy/types/functionTagsTemplate" - aws-logs-logGroup : "tmod:@turbot/aws-logs#/policy/types/logGroupTagsTemplate" - aws-msk-cluster : "tmod:@turbot/aws-msk#/policy/types/clusterTagsTemplate" - aws-neptune-dbCluster : "tmod:@turbot/aws-neptune#/policy/types/dbClusterTagsTemplate" - aws-neptune-dbInstance : "tmod:@turbot/aws-neptune#/policy/types/dbInstanceTagsTemplate" - aws-qldb-ledger : "tmod:@turbot/aws-qldb#/policy/types/ledgerTagsTemplate" - aws-rds-dbCluster : "tmod:@turbot/aws-rds#/policy/types/dbClusterTagsTemplate" - aws-rds-dbClusterParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbClusterParameterGroupTagsTemplate" - aws-rds-dbClusterSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbClusterSnapshotManualTagsTemplate" - aws-rds-dbInstance : "tmod:@turbot/aws-rds#/policy/types/dbInstanceTagsTemplate" - aws-rds-dbParameterGroup : "tmod:@turbot/aws-rds#/policy/types/dbParameterGroupTagsTemplate" - aws-rds-dbSnapshotManual : "tmod:@turbot/aws-rds#/policy/types/dbSnapshotManualTagsTemplate" - aws-rds-optionGroup : "tmod:@turbot/aws-rds#/policy/types/optionGroupTagsTemplate" - aws-rds-subnetGroup : "tmod:@turbot/aws-rds#/policy/types/subnetGroupTagsTemplate" - aws-redshift-cluster : "tmod:@turbot/aws-redshift#/policy/types/clusterTagsTemplate" - aws-redshift-clusterParameterGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterParameterGroupTagsTemplate" - aws-redshift-clusterSubnetGroup : "tmod:@turbot/aws-redshift#/policy/types/clusterSubnetGroupTagsTemplate" - aws-redshift-clusterSnapshotManual : "tmod:@turbot/aws-redshift#/policy/types/clusterSnapshotManualTagsTemplate" - aws-robomaker-fleet : "tmod:@turbot/aws-robomaker#/policy/types/fleetTagsTemplate" - aws-robomaker-robot : "tmod:@turbot/aws-robomaker#/policy/types/robotTagsTemplate" - aws-robomaker-robotApplication : 
"tmod:@turbot/aws-robomaker#/policy/types/robotApplicationTagsTemplate" - aws-route53-hostedZone : "tmod:@turbot/aws-route53#/policy/types/hostedZoneTagsTemplate" - aws-route53resolver-resolverEndpoint : "tmod:@turbot/aws-route53resolver#/policy/types/resolverEndpointTagsTemplate" - aws-route53resolver-resolverRule : "tmod:@turbot/aws-route53resolver#/policy/types/resolverRuleTagsTemplate" - aws-s3-bucket : "tmod:@turbot/aws-s3#/policy/types/bucketTagsTemplate" - aws-secretsmanager-secret : "tmod:@turbot/aws-secretsmanager#/policy/types/secretTagsTemplate" - aws-securityhub-hub : "tmod:@turbot/aws-securityhub#/policy/types/hubTagsTemplate" - aws-sns-topic : "tmod:@turbot/aws-sns#/policy/types/topicTagsTemplate" - aws-sqs-queue : "tmod:@turbot/aws-sqs#/policy/types/queueTagsTemplate" - aws-ssm-document : "tmod:@turbot/aws-ssm#/policy/types/documentTagsTemplate" - aws-ssm-maintenanceWindow : "tmod:@turbot/aws-ssm#/policy/types/maintenanceWindowTagsTemplate" - aws-ssm-ssmParameter : "tmod:@turbot/aws-ssm#/policy/types/ssmParameterTagsTemplate" - aws-stepfunctions-stateMachine : "tmod:@turbot/aws-stepfunctions#/policy/types/stateMachineTagsTemplate" - aws-swf-domain : "tmod:@turbot/aws-swf#/policy/types/domainTagsTemplate" - aws-vpc-connect-customerGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/customerGatewayTagsTemplate" - aws-vpc-core-dhcpOptions : "tmod:@turbot/aws-vpc-core#/policy/types/dhcpOptionsTagsTemplate" - aws-vpc-internet-egressOnlyInternetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/egressOnlyInternetGatewayTagsTemplate" - aws-vpc-internet-elasticIp : "tmod:@turbot/aws-vpc-internet#/policy/types/elasticIpTagsTemplate" - aws-vpc-internet-vpcEndpoint : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointTagsTemplate" - aws-vpc-internet-vpcEndpointService : "tmod:@turbot/aws-vpc-internet#/policy/types/vpcEndpointServiceTagsTemplate" - aws-vpc-security-flowLog : "tmod:@turbot/aws-vpc-security#/policy/types/flowLogTagsTemplate" - 
aws-vpc-internet-internetGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/internetGatewayTagsTemplate" - aws-vpc-internet-natGateway : "tmod:@turbot/aws-vpc-internet#/policy/types/natGatewayTagsTemplate" - aws-vpc-security-networkAcl : "tmod:@turbot/aws-vpc-security#/policy/types/networkAclTagsTemplate" - aws-vpc-connect-vpcPeeringConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpcPeeringConnectionTagsTemplate" - aws-vpc-core-routeTable : "tmod:@turbot/aws-vpc-core#/policy/types/routeTableTagsTemplate" - aws-vpc-security-securityGroup : "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupTagsTemplate" - aws-vpc-core-subnet : "tmod:@turbot/aws-vpc-core#/policy/types/subnetTagsTemplate" - aws-vpc-connect-transitGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayTagsTemplate" - aws-vpc-connect-transitGatewayRouteTable : "tmod:@turbot/aws-vpc-connect#/policy/types/transitGatewayRouteTableTagsTemplate" - aws-vpc-core-vpc : "tmod:@turbot/aws-vpc-core#/policy/types/vpcTagsTemplate" - aws-vpc-connect-vpnConnection : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnConnectionTagsTemplate" - aws-vpc-connect-vpnGateway : "tmod:@turbot/aws-vpc-connect#/policy/types/vpnGatewayTagsTemplate" - aws-waf-ipSetV2Global : "tmod:@turbot/aws-waf#/policy/types/ipSetV2GlobalTagsTemplate" - aws-waf-ipSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/ipSetV2RegionalTagsTemplate" - aws-waf-regexPatternSetV2Global : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2GlobalTagsTemplate" - aws-waf-regexPatternSetV2Regional : "tmod:@turbot/aws-waf#/policy/types/regexPatternSetV2RegionalTagsTemplate" - aws-waf-ruleGroupV2Global : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2GlobalTagsTemplate" - aws-waf-ruleGroupV2Regional : "tmod:@turbot/aws-waf#/policy/types/ruleGroupV2RegionalTagsTemplate" - aws-waf-webacl : "tmod:@turbot/aws-waf#/policy/types/webaclTagsTemplate" - aws-waf-webAclV2Global : "tmod:@turbot/aws-waf#/policy/types/webAclV2GlobalTagsTemplate" 
- aws-waf-webAclV2Regional : "tmod:@turbot/aws-waf#/policy/types/webAclV2RegionalTagsTemplate" - } -} diff --git a/baselines/getting_started/aws/aws_check_tagging/outputs.tf b/baselines/getting_started/aws/aws_check_tagging/outputs.tf deleted file mode 100644 index 57c5d3e66..000000000 --- a/baselines/getting_started/aws/aws_check_tagging/outputs.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "turbot_profile" { - value = var.turbot_profile -} - -output "smart_folder_name" { - value = var.smart_folder_name -} - -output "smart_folder_description" { - value = var.smart_folder_description -} - -output "smart_folder_parent_resource" { - value = var.smart_folder_parent_resource -} - -output "resource_tags" { - value = var.resource_tags -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_tagging/providers.tf b/baselines/getting_started/aws/aws_check_tagging/providers.tf deleted file mode 100644 index 715fb0f92..000000000 --- a/baselines/getting_started/aws/aws_check_tagging/providers.tf +++ /dev/null @@ -1,12 +0,0 @@ -terraform { - required_providers { - turbot = { - source = "turbot/turbot" - } - } - required_version = ">= 0.13" -} - -provider "turbot" { - profile = var.turbot_profile -} \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_check_tagging/smart_folder.tf b/baselines/getting_started/aws/aws_check_tagging/smart_folder.tf deleted file mode 100644 index d8fd5b3a3..000000000 --- a/baselines/getting_started/aws/aws_check_tagging/smart_folder.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "turbot_smart_folder" "aws_tagging" { - parent = var.smart_folder_parent_resource - title = var.smart_folder_name - description = var.smart_folder_description -} diff --git a/baselines/getting_started/aws/aws_check_tagging/variables.tf b/baselines/getting_started/aws/aws_check_tagging/variables.tf deleted file mode 100644 index 53e22684c..000000000 --- a/baselines/getting_started/aws/aws_check_tagging/variables.tf +++ /dev/null 
@@ -1,182 +0,0 @@ -# Baseline Configuration - -variable "resource_tags" { -description = < -``` - -### Deploying demo example - -1. Navigate to the aws_mods folder. -2. Initialize Terraform -3. Apply the installation using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This script comes with an example input variable file called [demo.tfvars](demo.tfvars). - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply installation using input variable files - -If seeking to apply the installation using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the installation configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply installation without input variable file - -The installation can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -### Destroy installation without input variable file - -If seeking to apply the installation without using an input variable file. - -1. Navigate to the folder containing the installation configuration. -2. 
Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the installation configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the installation configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the installation will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/aws/aws_mods/demo.tfvars b/baselines/getting_started/aws/aws_mods/demo.tfvars deleted file mode 100644 index d34cad7cc..000000000 --- a/baselines/getting_started/aws/aws_mods/demo.tfvars +++ /dev/null @@ -1,19 +0,0 @@ -mod_list = [ - "aws", - "aws-cisv1", - "aws-cloudtrail", - "aws-cloudwatch", - "aws-config", - "aws-ec2", - "aws-events", - "aws-iam", - "aws-kms", - "aws-lambda", - "aws-logs", - "aws-s3", - "aws-sns", - "aws-vpc-core", - "aws-vpc-connect", - "aws-vpc-internet", - "aws-vpc-security" -] \ No newline at end of file diff --git a/baselines/getting_started/aws/aws_mods/mod_install.tf b/baselines/getting_started/aws/aws_mods/mod_install.tf deleted file mode 100644 index 3c9654b5d..000000000 --- a/baselines/getting_started/aws/aws_mods/mod_install.tf +++ /dev/null 
@@ -1,1222 +0,0 @@ -# https://turbot.com/v5/mods/turbot/aws -resource "turbot_mod" "aws" { - parent = "tmod:@turbot/turbot#/" - org = "turbot" - mod = "aws" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-acm -resource "turbot_mod" "aws-acm" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-acm" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-acm") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-amplify -resource "turbot_mod" "aws-amplify" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-amplify" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-amplify") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-apigateway -resource "turbot_mod" "aws-apigateway" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-apigateway" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-apigateway") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-appflow -resource "turbot_mod" "aws-appflow" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-appflow" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-appflow") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-appmesh -resource "turbot_mod" "aws-appmesh" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-appmesh" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-appmesh") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-appstream -resource "turbot_mod" "aws-appstream" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-appstream" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-appstream") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-appsync -resource "turbot_mod" "aws-appsync" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-appsync" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-appsync") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-artifact -resource "turbot_mod" "aws-artifact" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-artifact" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-artifact") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-athena -resource "turbot_mod" "aws-athena" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-athena" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-athena") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-backup -resource "turbot_mod" "aws-backup" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-backup" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-backup") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-batch -resource "turbot_mod" "aws-batch" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-batch" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-batch") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-chime -resource "turbot_mod" "aws-chime" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-chime" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-chime") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cisv1 -resource "turbot_mod" "aws-cisv1" { - parent = "tmod:@turbot/turbot#/" - depends_on = [ - turbot_mod.aws, - turbot_mod.aws-cloudtrail, - turbot_mod.aws-cloudwatch, - turbot_mod.aws-config, - turbot_mod.aws-ec2, - turbot_mod.aws-iam, - turbot_mod.aws-kms, - turbot_mod.aws-logs, - turbot_mod.aws-sns, - turbot_mod.aws-vpc-core, - turbot_mod.aws-vpc-security - ] - org = "turbot" - mod = "aws-cisv1" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cisv1") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloud9 -resource "turbot_mod" "aws-cloud9" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-cloud9" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloud9") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudformation -resource "turbot_mod" "aws-cloudformation" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-cloudformation" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudformation") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudfront -resource "turbot_mod" "aws-cloudfront" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-cloudfront" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudfront") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudhsm -resource "turbot_mod" "aws-cloudhsm" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-cloudhsm" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudhsm") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudsearch -resource "turbot_mod" "aws-cloudsearch" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-cloudsearch" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudsearch") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudtrail -resource "turbot_mod" "aws-cloudtrail" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-cloudtrail" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudtrail") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-cloudwatch -resource "turbot_mod" "aws-cloudwatch" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-cloudwatch" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-cloudwatch") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-codebuild -resource "turbot_mod" "aws-codebuild" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-codebuild" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-codebuild") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-codecommit -resource "turbot_mod" "aws-codecommit" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-codecommit" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-codecommit") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-codedeploy -resource "turbot_mod" "aws-codedeploy" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-codedeploy" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-codedeploy") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-codepipeline -resource "turbot_mod" "aws-codepipeline" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-codepipeline" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-codepipeline") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-codestar -resource "turbot_mod" "aws-codestar" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-codestar" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-codestar") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-comprehend -resource "turbot_mod" "aws-comprehend" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-comprehend" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-comprehend") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-config -resource "turbot_mod" "aws-config" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-config" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-config") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-datapipeline -resource "turbot_mod" "aws-datapipeline" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-datapipeline" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-datapipeline") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-dax -resource "turbot_mod" "aws-dax" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-dax" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-dax") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-directoryservice -resource "turbot_mod" "aws-directoryservice" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-directoryservice" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-directoryservice") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-dms -resource "turbot_mod" "aws-dms" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-dms" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-dms") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-docdb -resource "turbot_mod" "aws-docdb" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-rds] - org = "turbot" - mod = "aws-docdb" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-docdb") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-dynamodb -resource "turbot_mod" "aws-dynamodb" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-dynamodb" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-dynamodb") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ec2 -resource "turbot_mod" "aws-ec2" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-kms] - org = "turbot" - mod = "aws-ec2" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ec2") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ecr -resource "turbot_mod" "aws-ecr" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-ecr" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ecr") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ecs -resource "turbot_mod" "aws-ecs" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-ecs" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ecs") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-efs -resource "turbot_mod" "aws-efs" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-efs" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-efs") ? 1 : 0 -} -# https://turbot.com/v5/mods/turbot/aws-eks -resource "turbot_mod" "aws-eks" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-eks" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-eks") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-elasticache -resource "turbot_mod" "aws-elasticache" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-elasticache" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-elasticache") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-elasticbeanstalk -resource "turbot_mod" "aws-elasticbeanstalk" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-elasticbeanstalk" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-elasticbeanstalk") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-elasticsearch -resource "turbot_mod" "aws-elasticsearch" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-elasticsearch" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-elasticsearch") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-elastictranscoder -resource "turbot_mod" "aws-elastictranscoder" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-elastictranscoder" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-elastictranscoder") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-emr -resource "turbot_mod" "aws-emr" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-emr" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-emr") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-events -resource "turbot_mod" "aws-events" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-events" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-events") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-fsx -resource "turbot_mod" "aws-fsx" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-fsx" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-fsx") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-gamelift -resource "turbot_mod" "aws-gamelift" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-gamelift" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-gamelift") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-glacier -resource "turbot_mod" "aws-glacier" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-glacier" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-glacier") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-glue -resource "turbot_mod" "aws-glue" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-glue" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-glue") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-greengrass -resource "turbot_mod" "aws-greengrass" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-greengrass" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-greengrass") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-guardduty -resource "turbot_mod" "aws-guardduty" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-guardduty" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-guardduty") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-health -resource "turbot_mod" "aws-health" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-health" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-health") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iam -resource "turbot_mod" "aws-iam" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws] - org = "turbot" - mod = "aws-iam" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iam") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-inspector -resource "turbot_mod" "aws-inspector" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-inspector" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-inspector") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iot -resource "turbot_mod" "aws-iot" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iot" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iot") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iot1click -resource "turbot_mod" "aws-iot1click" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iot1click" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iot1click") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iotanalytics -resource "turbot_mod" "aws-iotanalytics" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iotanalytics" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iotanalytics") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iotevents -resource "turbot_mod" "aws-iotevents" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iotevents" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iotevents") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iotsitewise -resource "turbot_mod" "aws-iotsitewise" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iotsitewise" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iotsitewise") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-iotthingsgraph -resource "turbot_mod" "aws-iotthingsgraph" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-iotthingsgraph" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-iotthingsgraph") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-kinesis -resource "turbot_mod" "aws-kinesis" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-kinesis" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-kinesis") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-kms -resource "turbot_mod" "aws-kms" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-kms" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-kms") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-lambda -resource "turbot_mod" "aws-lambda" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-lambda" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-lambda") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-lex -resource "turbot_mod" "aws-lex" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-lex" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-lex") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-lightsail -resource "turbot_mod" "aws-lightsail" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-lightsail" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-lightsail") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-logs -resource "turbot_mod" "aws-logs" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-logs" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-logs") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-machinelearning -resource "turbot_mod" "aws-machinelearning" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-machinelearning" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-machinelearning") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-macie -resource "turbot_mod" "aws-macie" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-macie" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-macie") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mediaconnect -resource "turbot_mod" "aws-mediaconnect" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mediaconnect" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mediaconnect") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mediaconvert -resource "turbot_mod" "aws-mediaconvert" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mediaconvert" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mediaconvert") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-medialive -resource "turbot_mod" "aws-medialive" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-medialive" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-medialive") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mediapackage -resource "turbot_mod" "aws-mediapackage" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mediapackage" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mediapackage") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mediastore -resource "turbot_mod" "aws-mediastore" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mediastore" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mediastore") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mediatailor -resource "turbot_mod" "aws-mediatailor" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mediatailor" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mediatailor") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-mq -resource "turbot_mod" "aws-mq" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-mq" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-mq") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-msk -resource "turbot_mod" "aws-msk" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-msk" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-msk") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-neptune -resource "turbot_mod" "aws-neptune" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-rds] - org = "turbot" - mod = "aws-neptune" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-neptune") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-outposts -resource "turbot_mod" "aws-outposts" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-rds] - org = "turbot" - mod = "aws-outposts" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-outposts") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-qldb -resource "turbot_mod" "aws-qldb" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-qldb" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-qldb") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-quicksight -resource "turbot_mod" "aws-quicksight" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-quicksight" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-quicksight") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ram -resource "turbot_mod" "aws-ram" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-ram" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ram") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-rds -resource "turbot_mod" "aws-rds" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-rds" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-rds") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-redshift -resource "turbot_mod" "aws-redshift" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-ec2] - org = "turbot" - mod = "aws-redshift" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-redshift") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-resourcegroups -resource "turbot_mod" "aws-resourcegroups" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-ec2] - org = "turbot" - mod = "aws-resourcegroups" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-resourcegroups") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-robomaker -resource "turbot_mod" "aws-robomaker" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-robomaker" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-robomaker") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-route53 -resource "turbot_mod" "aws-route53" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-route53" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-route53") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-route53domains -resource "turbot_mod" "aws-route53domains" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-route53domains" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-route53domains") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-route53resolver -resource "turbot_mod" "aws-route53resolver" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-route53resolver" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-route53resolver") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-s3 -resource "turbot_mod" "aws-s3" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-kms] - org = "turbot" - mod = "aws-s3" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-s3") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-sagemaker -resource "turbot_mod" "aws-sagemaker" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-sagemaker" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-sagemaker") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-secretsmanager -resource "turbot_mod" "aws-secretsmanager" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-secretsmanager" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-secretsmanager") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-securityhub -resource "turbot_mod" "aws-securityhub" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-securityhub" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-securityhub") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-serverlessapplicationrepository -resource "turbot_mod" "aws-serverlessapplicationrepository" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-serverlessapplicationrepository" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-serverlessapplicationrepository") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-servermigration -resource "turbot_mod" "aws-servermigration" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-servermigration" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-servermigration") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-servicecatalog -resource "turbot_mod" "aws-servicecatalog" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-servicecatalog" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-servicecatalog") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ses -resource "turbot_mod" "aws-ses" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-ses" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ses") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-shield -resource "turbot_mod" "aws-shield" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-shield" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-shield") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-simpledb -resource "turbot_mod" "aws-simpledb" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-simpledb" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-simpledb") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-snowball -resource "turbot_mod" "aws-snowball" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-snowball" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-snowball") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-sns -resource "turbot_mod" "aws-sns" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam] - org = "turbot" - mod = "aws-sns" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-sns") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-sqs -resource "turbot_mod" "aws-sqs" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-sqs" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-sqs") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-ssm -resource "turbot_mod" "aws-ssm" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-ssm" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-ssm") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-stepfunctions -resource "turbot_mod" "aws-stepfunctions" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-stepfunctions" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-stepfunctions") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-storagegateway -resource "turbot_mod" "aws-storagegateway" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-storagegateway" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-storagegateway") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-swf -resource "turbot_mod" "aws-swf" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-swf" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-swf") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-textract -resource "turbot_mod" "aws-textract" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-textract" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-textract") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-transcribe -resource "turbot_mod" "aws-transcribe" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-transcribe" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-transcribe") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-transfer -resource "turbot_mod" "aws-transfer" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-transfer" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-transfer") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-trustedadvisor -resource "turbot_mod" "aws-trustedadvisor" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-trustedadvisor" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-trustedadvisor") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-vpc-connect -resource "turbot_mod" "aws-vpc-connect" { - parent = "tmod:@turbot/turbot#/" - depends_on = [ - turbot_mod.aws, - turbot_mod.aws-ec2, - turbot_mod.aws-iam, - turbot_mod.aws-kms, - turbot_mod.aws-vpc-core - ] - org = "turbot" - mod = "aws-vpc-connect" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-vpc-connect") ? 
1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-vpc-core -resource "turbot_mod" "aws-vpc-core" { - parent = "tmod:@turbot/turbot#/" - depends_on = [ - turbot_mod.aws, - turbot_mod.aws-ec2, - turbot_mod.aws-iam, - turbot_mod.aws-kms - ] - org = "turbot" - mod = "aws-vpc-core" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-vpc-core") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-vpc-internet -resource "turbot_mod" "aws-vpc-internet" { - parent = "tmod:@turbot/turbot#/" - depends_on = [ - turbot_mod.aws, - turbot_mod.aws-ec2, - turbot_mod.aws-iam, - turbot_mod.aws-kms, - turbot_mod.aws-vpc-core - ] - org = "turbot" - mod = "aws-vpc-internet" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-vpc-internet") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-vpc-security -resource "turbot_mod" "aws-vpc-security" { - parent = "tmod:@turbot/turbot#/" - depends_on = [ - turbot_mod.aws, - turbot_mod.aws-ec2, - turbot_mod.aws-iam, - turbot_mod.aws-kms, - turbot_mod.aws-vpc-core - ] - org = "turbot" - mod = "aws-vpc-security" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-vpc-security") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-waf -resource "turbot_mod" "aws-waf" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-cisv1] - org = "turbot" - mod = "aws-waf" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-waf") ? 1 : 0 -} - -# https://turbot.com/v5/mods/turbot/aws-wafregional -resource "turbot_mod" "aws-wafregional" { - parent = "tmod:@turbot/turbot#/" - depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf] - org = "turbot" - mod = "aws-wafregional" - version = ">=5.0.0-beta.1" - count = contains(var.mod_list, "aws-wafregional") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/aws-wellarchitected
-resource "turbot_mod" "aws-wellarchitected" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf]
- org = "turbot"
- mod = "aws-wellarchitected"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "aws-wellarchitected") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/aws-workspaces
-resource "turbot_mod" "aws-workspaces" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf]
- org = "turbot"
- mod = "aws-workspaces"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "aws-workspaces") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/aws-workdocs
-resource "turbot_mod" "aws-workdocs" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf]
- org = "turbot"
- mod = "aws-workdocs"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "aws-workdocs") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/aws-xray
-resource "turbot_mod" "aws-xray" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = [turbot_mod.aws, turbot_mod.aws-iam, turbot_mod.aws-waf]
- org = "turbot"
- mod = "aws-xray"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "aws-xray") ? 1 : 0
-}
diff --git a/baselines/getting_started/aws/aws_mods/outputs.tf b/baselines/getting_started/aws/aws_mods/outputs.tf
deleted file mode 100644
index 276afe05a..000000000
--- a/baselines/getting_started/aws/aws_mods/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "mod_list" {
- value = var.mod_list
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_mods/providers.tf b/baselines/getting_started/aws/aws_mods/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/aws/aws_mods/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/aws/aws_mods/variables.tf b/baselines/getting_started/aws/aws_mods/variables.tf
deleted file mode 100644
index 90607f168..000000000
--- a/baselines/getting_started/aws/aws_mods/variables.tf
+++ /dev/null
@@ -1,144 +0,0 @@ -variable "mod_list" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -`Prefer this baseline script to run with demo.tfvar file to avoid providing provider_status, provider_registration_map, enabled_policy_map` - -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/azure/azure_baseline/azure_provider_enable.tf b/baselines/getting_started/azure/azure_baseline/azure_provider_enable.tf deleted file mode 100644 index 49ef5085d..000000000 --- a/baselines/getting_started/azure/azure_baseline/azure_provider_enable.tf +++ /dev/null @@ -1,9 +0,0 @@ -# Enable all Azure Services Providers within the Variables file -# More Info: https://turbot.com/v5/docs/integrations/azure/services#registering-service-providers - -resource "turbot_policy_setting" "provider_registration_enable" { - for_each = var.provider_status - resource = turbot_smart_folder.azure_baseline.id - type = var.provider_registration_map[each.key] - value = each.value -} \ No newline at end of file 
diff --git a/baselines/getting_started/azure/azure_baseline/azure_service_enable.tf b/baselines/getting_started/azure/azure_baseline/azure_service_enable.tf
deleted file mode 100644
index 1cdf9c415..000000000
--- a/baselines/getting_started/azure/azure_baseline/azure_service_enable.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Enable all Azure Services within the Variables file
-# More Info: https://turbot.com/v5/docs/integrations/azure/services#enabling-services
-
-#Loop through var.service_status and set enable policies
-resource "turbot_policy_setting" "azure_enable" {
- for_each = var.enabled_policy_map
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/${each.key}#/policy/types/${each.value}"
- value = "Enabled"
-}
diff --git a/baselines/getting_started/azure/azure_baseline/demo.tfvars b/baselines/getting_started/azure/azure_baseline/demo.tfvars
deleted file mode 100644
index 12c59bfdf..000000000
--- a/baselines/getting_started/azure/azure_baseline/demo.tfvars
+++ /dev/null
@@ -1,90 +0,0 @@
-# List of services and providers to set as Enabled
-# Enabling all by default, can comment out the providers and services to reduce scope
-# Make sure you have the mods installed if enabling / registering. The default mod install baseline assumes all
-
-# For Providers, change the options per service; assuming enforce to ensure API access is possible:
- # "Skip"
- # "Check: Not Registered"
- # "Check: Registered"
- # "Enforce: Not Registered"
- # "Enforce: Registered"
-
-provider_status = {
- ApiManagement = "Enforce: Registered"
- Compute = "Enforce: Registered"
- ContainerService = "Enforce: Registered"
- Databricks = "Enforce: Registered"
- DataFactory = "Enforce: Registered"
- DBforMySQL = "Enforce: Registered"
- DBforPostgreSQL = "Enforce: Registered"
- DocumentDB = "Enforce: Registered"
- DomainRegistration = "Enforce: Registered"
- Insights = "Enforce: Registered"
- KeyVault = "Enforce: Registered"
- Network = "Enforce: Registered"
- OperationalInsights = "Enforce: Registered"
- RecoveryServices = "Enforce: Registered"
- Resources = "Enforce: Registered"
- Search = "Enforce: Registered"
- Security = "Enforce: Registered"
- ServiceBus = "Enforce: Registered"
- Sql = "Enforce: Registered"
- Storage = "Enforce: Registered"
- Synapse = "Enforce: Registered"
- Web = "Enforce: Registered"
-}
-
-provider_registration_map = {
- ApiManagement = "tmod:@turbot/azure-provider#/policy/types/apiManagementRegistered"
- Compute = "tmod:@turbot/azure-provider#/policy/types/computeRegistered"
- ContainerService = "tmod:@turbot/azure-provider#/policy/types/containerServiceRegistered"
- Databricks = "tmod:@turbot/azure-provider#/policy/types/databricksRegistered"
- DataFactory = "tmod:@turbot/azure-provider#/policy/types/dataFactoryRegistered"
- DBforMySQL = "tmod:@turbot/azure-provider#/policy/types/dbforMySqlRegistered"
- DBforPostgreSQL = "tmod:@turbot/azure-provider#/policy/types/dbForPostgreSqlRegistered"
- DocumentDB = 
"tmod:@turbot/azure-provider#/policy/types/documentDbRegistered"
- DomainRegistration = "tmod:@turbot/azure-provider#/policy/types/domainRegistrationRegistered"
- Insights = "tmod:@turbot/azure-provider#/policy/types/insightsRegistered"
- KeyVault = "tmod:@turbot/azure-provider#/policy/types/keyVaultRegistered"
- Network = "tmod:@turbot/azure-provider#/policy/types/networkRegistered"
- OperationalInsights = "tmod:@turbot/azure-provider#/policy/types/operationalInsightsRegistered"
- RecoveryServices = "tmod:@turbot/azure-provider#/policy/types/recoveryServicesRegistered"
- Resources = "tmod:@turbot/azure-provider#/policy/types/resourcesRegistered"
- Search = "tmod:@turbot/azure-provider#/policy/types/searchRegistered"
- Security = "tmod:@turbot/azure-provider#/policy/types/securityRegistered"
- Sql = "tmod:@turbot/azure-provider#/policy/types/sqlRegistered"
- ServiceBus = "tmod:@turbot/azure-provider#/policy/types/serviceBusRegistered"
- Storage = "tmod:@turbot/azure-provider#/policy/types/storageRegistered"
- Synapse = "tmod:@turbot/azure-provider#/policy/types/synapseRegistered"
- Web = "tmod:@turbot/azure-provider#/policy/types/webRegistered"
-}
-
-enabled_policy_map = {
- azure-aks = "aksEnabled"
- azure-apimanagement = "apiManagementEnabled"
- azure-applicationgateway = "applicationGatewayServiceEnabled"
- azure-applicationinsights = "applicationInsightsEnabled"
- azure-appservice = "appServiceEnabled"
- azure-compute = "computeEnabled"
- azure-cosmosdb = "cosmosDbEnabled"
- azure-databricks = "databricksEnabled"
- azure-datafactory = "dataFactoryEnabled"
- azure-dns = "dnsEnabled"
- azure-firewall = "firewallServiceEnabled"
- azure-frontdoorservice = "frontDoorServiceEnabled"
- azure-iam = "iamEnabled"
- azure-keyvault = "keyVaultEnabled"
- azure-loadbalancer = "loadBalancerServiceEnabled"
- azure-loganalytics = "logAnalyticsEnabled"
- azure-monitor = "monitorEnabled"
- azure-mysql = "mySqlEnabled"
- azure-network = "networkEnabled"
- azure-networkwatcher = 
"networkWatcherServiceEnabled"
- azure-postgresql = "postgreSqlEnabled"
- azure-recoveryservice = "recoveryServiceEnabled"
- azure-searchmanagement = "searchManagementEnabled"
- azure-securitycenter = "securityCenterServiceEnabled"
- azure-sql = "sqlEnabled"
- azure-storage = "storageEnabled"
- azure-synapseanalytics = "synapseAnalyticsEnabled"
-}
diff --git a/baselines/getting_started/azure/azure_baseline/enable_cis.tf b/baselines/getting_started/azure/azure_baseline/enable_cis.tf
deleted file mode 100644
index 40b51cecd..000000000
--- a/baselines/getting_started/azure/azure_baseline/enable_cis.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Enabled CIS Checks and setting the default attestation to 1 year
-
-# Azure > CIS v1
-# https://turbot.com/v5/mods/turbot/azure-cisv1/inspect#/policy/types/cis
-resource "turbot_policy_setting" "enable_cis_checks" {
- count = var.enable_cis_checks_policies ? 1 : 0
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/azure-cisv1#/policy/types/cis"
- value = "Check: Level 1 & Level 2 (Scored)"
- # Skip
- # Check: Level 1 (Scored)
- # Check: Level 1 (Scored & Not Scored)
- # Check: Level 1 & Level 2 (Scored)
- # Check: Level 1 & Level 2 (Scored & Not Scored)
-}
-
-# Azure > CIS v1 > Maximum Attestation Duration
-# https://turbot.com/v5/mods/turbot/azure-cisv1/inspect#/policy/types/attestation
-resource "turbot_policy_setting" "azure_cis_max_attestation_period" {
- count = var.enable_azure_cis_max_attestation_period_policies ? 1 : 0
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/azure-cisv1#/policy/types/attestation"
- value = "1 year"
- # Skip
- # 30 days
- # 60 days
- # 90 days
- # 1 year
- # 2 years
- # 3 years
-}
diff --git a/baselines/getting_started/azure/azure_baseline/event_polling.tf b/baselines/getting_started/azure/azure_baseline/event_polling.tf
deleted file mode 100644
index e5aa820e1..000000000
--- a/baselines/getting_started/azure/azure_baseline/event_polling.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Create Event Pollers per subscription
-# Note: You can consider event handlers, however for getting started, event pollers are the simplest setup
-# More Info: https://turbot.com/v5/docs/integrations/azure/real-time-events/event-pollers
-
-# Azure > Turbot > Event Poller
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/eventPoller
-resource "turbot_policy_setting" "azure_event_polling" {
- count = var.enable_azure_event_polling ? 1 : 0
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/azure#/policy/types/eventPoller"
- value = "Enabled"
-}
-
-# Azure > Turbot > Event Poller > Interval
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/eventPollerInterval
-resource "turbot_policy_setting" "azure_event_polling_interval" {
- count = var.enable_azure_event_polling_interval ? 1 : 0
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/azure#/policy/types/eventPollerInterval"
- value = "Every 1 minute"
-}
-
-# Azure > Turbot > Event Poller > Window
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/eventPollerWindow
-resource "turbot_policy_setting" "azure_event_polling_window" {
- count = var.enable_azure_event_polling_window ? 1 : 0
- resource = turbot_smart_folder.azure_baseline.id
- type = "tmod:@turbot/azure#/policy/types/eventPollerWindow"
- value = "10 minutes"
-}
diff --git a/baselines/getting_started/azure/azure_baseline/outputs.tf b/baselines/getting_started/azure/azure_baseline/outputs.tf
deleted file mode 100644
index 0fd12c7eb..000000000
--- a/baselines/getting_started/azure/azure_baseline/outputs.tf
+++ /dev/null
@@ -1,47 +0,0 @@
-output "provider_status" {
- value = var.provider_status
-}
-
-output "provider_registration_map" {
- value = var.provider_registration_map
-}
-
-output "enabled_policy_map" {
- value = var.enabled_policy_map
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "enable_cis_checks_policies" {
- value = var.enable_cis_checks_policies
-}
-
-output "enable_azure_cis_max_attestation_period_policies" {
- value = var.enable_azure_cis_max_attestation_period_policies
-}
-
-output "enable_azure_event_polling" {
- value = var.enable_azure_event_polling
-}
-
-output "enable_azure_event_polling_interval" {
- value = var.enable_azure_event_polling_interval
-}
-
-output "enable_azure_event_polling_window" {
- value = var.enable_azure_event_polling_window
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_baseline/providers.tf b/baselines/getting_started/azure/azure_baseline/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/azure/azure_baseline/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/azure/azure_baseline/smart_folder.tf b/baselines/getting_started/azure/azure_baseline/smart_folder.tf
deleted file mode 100644
index c77ad691c..000000000
--- a/baselines/getting_started/azure/azure_baseline/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_baseline" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/azure/azure_baseline/variables.tf b/baselines/getting_started/azure/azure_baseline/variables.tf
deleted file mode 100644
index f94fdc89b..000000000
--- a/baselines/getting_started/azure/azure_baseline/variables.tf
+++ /dev/null
@@ -1,70 +0,0 @@
-# Baseline Configuration
-
-variable "provider_status" {
- description = "Choose the subset of providers that should be configured. Possible values for each service are: [\"Skip\", \"Check: Not Registered\", \"Check: Registered\", \"Enforce: Not Registered\", \"Enforce: Registered\"]"
- type = map
-}
-
-variable "provider_registration_map" {
- description = "A map of all the registered policies currently exposed by Turbot"
- type = map
-}
-
-variable "enabled_policy_map" {
- description = "Enter the list of services that you would like to Enable"
- type = map
-}
-
-variable "enable_cis_checks_policies" {
- type = bool
- description = "Enable the Azure CIS check policies for baseline"
- default = true
-}
-
-variable "enable_azure_cis_max_attestation_period_policies" {
- type = bool
- description = "Enable the Azure CIS Max Attestation policies for baseline"
- default = true
-}
-
-variable "enable_azure_event_polling" {
- type = bool
- description = "Enable the Azure Event polling policies for baseline"
- default = true
-}
-
-variable "enable_azure_event_polling_interval" {
- type = bool
- description = "Enable the Azure Event polling interval policies for baseline"
- default = true
-}
-
-variable "enable_azure_event_polling_window" {
- type = bool
- description = "Enable the Azure Event polling windows policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "Azure Baseline Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the Azure baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/README.md b/baselines/getting_started/azure/azure_check_cost_controls/README.md
deleted file mode 100644
index cdb023823..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/README.md
+++ /dev/null
@@ -1,141 +0,0 @@ -# Baseline - Azure Check Cost Control Policies - -This baseline will allow you to check the infrastructure over X days/unattached volumes and to set resource scheduling and make it inactive to reduce the cost. - -Few important links - -- [Budget Guardrails](https://turbot.com/v5/docs/concepts/guardrails/budget) -- [Scheduling in Turbot](https://turbot.com/v5/docs/concepts/guardrails/scheduling) -- [Active Guardrails](https://turbot.com/v5/docs/concepts/guardrails/active) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** - -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default variable file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destroy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/azure/azure_check_cost_controls/active_policies.tf b/baselines/getting_started/azure/azure_check_cost_controls/active_policies.tf deleted file mode 100644 index 18405714e..000000000 --- a/baselines/getting_started/azure/azure_check_cost_controls/active_policies.tf +++ /dev/null 
@@ -1,48 +0,0 @@
-# Simple cost control to check for aging infrastructure over X days
-# Defaulting to 60 days as an example.
-# Other use cases can be used for Last Modified, Attached, etc.
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/active
-
-# Azure > Compute > Virtual Machine > Active
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/virtualMachineActive
-resource "turbot_policy_setting" "set_resource_active_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.azure_cost_controls.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-# Azure > Compute > Virtual Machine > Active > Age
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/virtualMachineActiveAge
-resource "turbot_policy_setting" "set_resource_age_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.azure_cost_controls.id
- type = local.policy_map_age[each.key]
- value = "Force inactive if age > 60 days"
- # Skip
- # Force inactive if age > 1 day
- # Force inactive if age > 3 days
- # Force inactive if age > 7 days
- # Force inactive if age > 14 days
- # Force inactive if age > 30 days
- # Force inactive if age > 60 days
- # Force inactive if age > 90 days
- # Force inactive if age > 180 days
- # Force inactive if age > 365 days
-}
-
-# Azure > Compute > Disk > Active
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/diskActive
-resource "turbot_policy_setting" "azure_disk_active" {
- resource = turbot_smart_folder.azure_cost_controls.id
- type = "tmod:@turbot/azure-compute#/policy/types/diskActive"
- value = "Check: Active"
-}
-
-# Azure > Compute > Disk > Active > Attached
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/diskActiveAttached
-resource "turbot_policy_setting" "azure_disk_active_attached" {
- resource = turbot_smart_folder.azure_cost_controls.id
- type = "tmod:@turbot/azure-compute#/policy/types/diskActiveAttached"
- 
value = "Force inactive if unattached"
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/demo.tfvars b/baselines/getting_started/azure/azure_check_cost_controls/demo.tfvars
deleted file mode 100644
index e8d2d99eb..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/demo.tfvars
+++ /dev/null
@@ -1,81 +0,0 @@
-# List of services and resources to be Check: Approved.
-# You can remove the comment per row to include the resource type. Make sure you have the related service mod installed
-
-# Acceptable Values:
- # "Skip"
- # "Check: Active"
- # "Enforce: Delete inactive with 1 day warning"
- # "Enforce: Delete inactive with 3 days warning"
- # "Enforce: Delete inactive with 7 days warning"
- # "Enforce: Delete inactive with 14 days warning"
- # "Enforce: Delete inactive with 30 days warning"
- # "Enforce: Delete inactive with 60 days warning"
- # "Enforce: Delete inactive with 90 days warning"
- # "Enforce: Delete inactive with 180 days warning"
- # "Enforce: Delete inactive with 365 days warning"
-
-resource_active = {
- azure-aks-managedCluster = "Check: Active"
- # azure-applicationgateway-applicationGateway = "Check: Active"
- # azure-applicationinsights-applicationInsight = "Check: Active"
- # azure-apimanagement-apiManagementService = "Check: Active"
- # azure-appservice-appServicePlan = "Check: Active"
- # azure-appservice-functionApp = "Check: Active"
- # azure-appservice-webApp = "Check: Active"
- # azure-compute-availabilitySet = "Check: Active"
- ##Have Unattached Policy Set instead##azure-compute-disk = "Check: Active"
- # azure-compute-diskEncryptionSet = "Check: Active"
- azure-compute-image = "Check: Active"
- azure-compute-snapshot = "Check: Active"
- azure-compute-virtualMachine = "Check: Active"
- azure-cosmosdb-databaseAccount = "Check: Active"
- # azure-cosmosdb-mongoDbCollection = "Check: Active"
- azure-cosmosdb-mongoDbDatabase = "Check: Active"
- azure-cosmosdb-sqlContainer = "Check: Active"
- azure-cosmosdb-sqlDatabase = "Check: Active"
- azure-databricks-databricksWorkspace = "Check: Active"
- # azure-datafactory-dataset = "Check: Active"
- # azure-datafactory-factory = "Check: Active"
- # azure-datafactory-pipeline = "Check: Active"
- # azure-dns-recordSet = "Check: Active"
- # azure-dns-zone = "Check: Active"
- # 
azure-firewall-firewall = "Check: Active"
- # azure-frontdoorservice-frontDoor = "Check: Active"
- # azure-iam-roleAssignment = "Check: Active"
- # azure-iam-roleDefinition = "Check: Active"
- # azure-keyvault-key = "Check: Active"
- # azure-keyvault-secret = "Check: Active"
- # azure-keyvault-vault = "Check: Active"
- # azure-loadbalancer-loadBalancer = "Check: Active"
- # azure-loganalytics-logAnalyticsWorkspace = "Check: Active"
- # azure-monitor-actionGroup = "Check: Active"
- # azure-monitor-alerts = "Check: Active"
- # azure-monitor-logProfile = "Check: Active"
- azure-mysql-server = "Check: Active"
- # azure-network-applicationSecurityGroup = "Check: Active"
- # azure-network-networkInterface = "Check: Active"
- # azure-network-networkSecurityGroup = "Check: Active"
- # azure-network-publicIpAddress = "Check: Active"
- # azure-network-routeTable = "Check: Active"
- # azure-network-subnet = "Check: Active"
- # azure-network-virtualNetwork = "Check: Active"
- # azure-networkwatcher-flowLog = "Check: Active"
- # azure-networkwatcher-networkWatcher = "Check: Active"
- azure-postgresql-database = "Check: Active"
- azure-postgresql-server = "Check: Active"
- # azure-recoveryservice-vault = "Check: Active"
- # azure-searchmanagement-searchService = "Check: Active"
- azure-sql-database = "Check: Active"
- # azure-sql-elasticPool = "Check: Active"
- azure-sql-server = "Check: Active"
- azure-storage-container = "Check: Active"
- azure-storage-fileShare = "Check: Active"
- azure-storage-storageAccount = "Check: Active"
- # azure-synapseanalytics-sqlPool = "Check: Active"
- azure-synapseanalytics-synapseWorkspace = "Check: Active"
-}
-
-# See file schedules_policies.tf
-# The variable with value false, as this is not part of initial recommended policy.
-# You can enable it by changing the value to true.
-azure_vm_instance_schedule_tag_policies = false
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/locals.tf b/baselines/getting_started/azure/azure_check_cost_controls/locals.tf
deleted file mode 100644
index 7fa38de06..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/locals.tf
+++ /dev/null
@@ -1,124 +0,0 @@
-locals {
-
- policy_map = {
- azure-aks-managedCluster : "tmod:@turbot/azure-aks#/policy/types/managedClusterActive"
- azure-apimanagement-apiManagementService : "tmod:@turbot/azure-apimanagement#/policy/types/apiManagementServiceActive"
- azure-applicationgateway-applicationGateway : "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayActive"
- azure-applicationinsights-applicationInsight : "tmod:@turbot/azure-applicationinsights#/policy/types/applicationInsightActive"
- azure-appservice-appServicePlan : "tmod:@turbot/azure-appservice#/policy/types/appServicePlanActive"
- azure-appservice-functionApp : "tmod:@turbot/azure-appservice#/policy/types/functionAppActive"
- azure-appservice-webApp : "tmod:@turbot/azure-appservice#/policy/types/webAppActive"
- azure-compute-availabilitySet : "tmod:@turbot/azure-compute#/policy/types/availabilitySetActive"
- azure-compute-disk : "tmod:@turbot/azure-compute#/policy/types/diskActive"
- azure-compute-diskEncryptionSet : "tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetActive"
- azure-compute-image : "tmod:@turbot/azure-compute#/policy/types/imageActive"
- azure-compute-snapshot : "tmod:@turbot/azure-compute#/policy/types/snapshotActive"
- azure-compute-virtualMachine : "tmod:@turbot/azure-compute#/policy/types/virtualMachineActive"
- azure-cosmosdb-databaseAccount : "tmod:@turbot/azure-cosmosdb#/policy/types/databaseAccountActive"
- azure-cosmosdb-mongoDbCollection : "tmod:@turbot/azure-cosmosdb#/policy/types/mongoDbCollectionActive"
- azure-cosmosdb-mongoDbDatabase : "tmod:@turbot/azure-cosmosdb#/policy/types/mongoDbDatabaseActive"
- azure-cosmosdb-sqlContainer : "tmod:@turbot/azure-cosmosdb#/policy/types/sqlContainerActive"
- azure-cosmosdb-sqlDatabase : "tmod:@turbot/azure-cosmosdb#/policy/types/sqlDatabaseActive"
- azure-databricks-databricksWorkspace : "tmod:@turbot/azure-databricks#/policy/types/databricksWorkspaceActive"
- azure-datafactory-dataset : 
"tmod:@turbot/azure-datafactory#/policy/types/datasetActive"
- azure-datafactory-factory : "tmod:@turbot/azure-datafactory#/policy/types/factoryActive"
- azure-datafactory-pipeline : "tmod:@turbot/azure-datafactory#/policy/types/pipelineActive"
- azure-dns-recordSet : "tmod:@turbot/azure-dns#/policy/types/recordSetActive"
- azure-dns-zone : "tmod:@turbot/azure-dns#/policy/types/zoneActive"
- azure-firewall-firewall : "tmod:@turbot/azure-firewall#/policy/types/firewallActive"
- azure-frontdoorservice-frontDoor : "tmod:@turbot/azure-frontdoorservice#/policy/types/frontDoorActive"
- azure-iam-roleAssignment : "tmod:@turbot/azure-iam#/policy/types/roleAssignmentActive"
- azure-iam-roleDefinition : "tmod:@turbot/azure-iam#/policy/types/roleDefinitionActive"
- azure-keyvault-key : "tmod:@turbot/azure-keyvault#/policy/types/keyActive"
- azure-keyvault-secret : "tmod:@turbot/azure-keyvault#/policy/types/secretActive"
- azure-keyvault-vault : "tmod:@turbot/azure-keyvault#/policy/types/vaultActive"
- azure-loadbalancer-loadBalancer : "tmod:@turbot/azure-loadbalancer#/policy/types/loadBalancerActive"
- azure-loganalytics-logAnalyticsWorkspace : "tmod:@turbot/azure-loganalytics#/policy/types/logAnalyticsWorkspaceActive"
- azure-monitor-actionGroup : "tmod:@turbot/azure-monitor#/policy/types/actionGroupActive"
- azure-monitor-alerts : "tmod:@turbot/azure-monitor#/policy/types/alertsActive"
- azure-monitor-logProfile : "tmod:@turbot/azure-monitor#/policy/types/logProfileActive"
- azure-mysql-server : "tmod:@turbot/azure-mysql#/policy/types/serverActive"
- azure-network-applicationSecurityGroup : "tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupActive"
- azure-network-networkInterface : "tmod:@turbot/azure-network#/policy/types/networkInterfaceActive"
- azure-network-networkSecurityGroup : "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupActive"
- azure-network-publicIpAddress : "tmod:@turbot/azure-network#/policy/types/publicIpAddressActive"
- 
azure-network-routeTable : "tmod:@turbot/azure-network#/policy/types/routeTableActive"
- azure-network-subnet : "tmod:@turbot/azure-network#/policy/types/subnetActive"
- azure-network-virtualNetwork : "tmod:@turbot/azure-network#/policy/types/virtualNetworkActive"
- azure-networkwatcher-flowLog : "tmod:@turbot/azure-networkwatcher#/policy/types/flowLogActive"
- azure-networkwatcher-networkWatcher : "tmod:@turbot/azure-networkwatcher#/policy/types/networkWatcherActive"
- azure-postgresql-database : "tmod:@turbot/azure-postgresql#/policy/types/databaseActive"
- azure-postgresql-server : "tmod:@turbot/azure-postgresql#/policy/types/serverActive"
- azure-recoveryservice-vault : "tmod:@turbot/azure-recoveryservice#/policy/types/vaultActive"
- azure-searchmanagement-searchService : "tmod:@turbot/azure-searchmanagement#/policy/types/searchServiceActive"
- azure-sql-database : "tmod:@turbot/azure-sql#/policy/types/databaseActive"
- azure-sql-elasticPool : "tmod:@turbot/azure-sql#/policy/types/elasticPoolActive"
- azure-sql-server : "tmod:@turbot/azure-sql#/policy/types/serverActive"
- azure-storage-container : "tmod:@turbot/azure-storage#/policy/types/containerActive"
- azure-storage-fileShare : "tmod:@turbot/azure-storage#/policy/types/fileShareActive"
- azure-storage-storageAccount : "tmod:@turbot/azure-storage#/policy/types/storageAccountActive"
- azure-synapseanalytics-sqlPool : "tmod:@turbot/azure-synapseanalytics#/policy/types/sqlPoolActive"
- azure-synapseanalytics-synapseWorkspace : "tmod:@turbot/azure-synapseanalytics#/policy/types/synapseWorkspaceActive"
- }
-
- policy_map_age = {
- azure-aks-managedCluster : "tmod:@turbot/azure-aks#/policy/types/managedClusterActiveAge"
- azure-apimanagement-apiManagementService : "tmod:@turbot/azure-apimanagement#/policy/types/apiManagementServiceActiveAge"
- azure-applicationgateway-applicationGateway : "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayActiveAge"
- 
azure-applicationinsights-applicationInsight : "tmod:@turbot/azure-applicationinsights#/policy/types/applicationInsightActiveAge"
- azure-appservice-appServicePlan : "tmod:@turbot/azure-appservice#/policy/types/appServicePlanActiveAge"
- azure-appservice-functionApp : "tmod:@turbot/azure-appservice#/policy/types/functionAppActiveAge"
- azure-appservice-webApp : "tmod:@turbot/azure-appservice#/policy/types/webAppActiveAge"
- azure-compute-availabilitySet : "tmod:@turbot/azure-compute#/policy/types/availabilitySetActiveAge"
- azure-compute-disk : "tmod:@turbot/azure-compute#/policy/types/diskActiveAge"
- azure-compute-diskEncryptionSet : "tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetActiveAge"
- azure-compute-image : "tmod:@turbot/azure-compute#/policy/types/imageActiveAge"
- azure-compute-snapshot : "tmod:@turbot/azure-compute#/policy/types/snapshotActiveAge"
- azure-compute-virtualMachine : "tmod:@turbot/azure-compute#/policy/types/virtualMachineActiveAge"
- azure-cosmosdb-databaseAccount : "tmod:@turbot/azure-cosmosdb#/policy/types/databaseAccountActiveAge"
- azure-cosmosdb-mongoDbCollection : "tmod:@turbot/azure-cosmosdb#/policy/types/mongoDbCollectionActiveAge"
- azure-cosmosdb-mongoDbDatabase : "tmod:@turbot/azure-cosmosdb#/policy/types/mongoDbDatabaseActiveAge"
- azure-cosmosdb-sqlContainer : "tmod:@turbot/azure-cosmosdb#/policy/types/sqlContainerActiveAge"
- azure-cosmosdb-sqlDatabase : "tmod:@turbot/azure-cosmosdb#/policy/types/sqlDatabaseActiveAge"
- azure-databricks-databricksWorkspace : "tmod:@turbot/azure-databricks#/policy/types/databricksWorkspaceActiveAge"
- azure-datafactory-dataset : "tmod:@turbot/azure-datafactory#/policy/types/datasetActiveAge"
- azure-datafactory-factory : "tmod:@turbot/azure-datafactory#/policy/types/factoryActiveAge"
- azure-datafactory-pipeline : "tmod:@turbot/azure-datafactory#/policy/types/pipelineActiveAge"
- azure-dns-recordSet : "tmod:@turbot/azure-dns#/policy/types/recordSetActiveAge"
- azure-dns-zone : 
"tmod:@turbot/azure-dns#/policy/types/zoneActiveAge"
- azure-firewall-firewall : "tmod:@turbot/azure-firewall#/policy/types/firewallActiveAge"
- azure-frontdoorservice-frontDoor : "tmod:@turbot/azure-frontdoorservice#/policy/types/frontDoorActiveAge"
- azure-iam-roleAssignment : "tmod:@turbot/azure-iam#/policy/types/roleAssignmentActiveAge"
- azure-iam-roleDefinition : "tmod:@turbot/azure-iam#/policy/types/roleDefinitionActiveAge"
- azure-keyvault-key : "tmod:@turbot/azure-keyvault#/policy/types/keyActiveAge"
- azure-keyvault-secret : "tmod:@turbot/azure-keyvault#/policy/types/secretActiveAge"
- azure-keyvault-vault : "tmod:@turbot/azure-keyvault#/policy/types/vaultActiveAge"
- azure-loadbalancer-loadBalancer : "tmod:@turbot/azure-loadbalancer#/policy/types/loadBalancerActiveAge"
- azure-loganalytics-logAnalyticsWorkspace : "tmod:@turbot/azure-loganalytics#/policy/types/logAnalyticsWorkspaceActiveAge"
- azure-monitor-actionGroup : "tmod:@turbot/azure-monitor#/policy/types/actionGroupActiveAge"
- azure-monitor-alerts : "tmod:@turbot/azure-monitor#/policy/types/alertsActiveAge"
- azure-monitor-logProfile : "tmod:@turbot/azure-monitor#/policy/types/logProfileActiveAge"
- azure-mysql-server : "tmod:@turbot/azure-mysql#/policy/types/serverActiveAge"
- azure-network-applicationSecurityGroup : "tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupActiveAge"
- azure-network-networkInterface : "tmod:@turbot/azure-network#/policy/types/networkInterfaceActiveAge"
- azure-network-networkSecurityGroup : "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupActiveAge"
- azure-network-publicIpAddress : "tmod:@turbot/azure-network#/policy/types/publicIpAddressActiveAge"
- azure-network-routeTable : "tmod:@turbot/azure-network#/policy/types/routeTableActiveAge"
- azure-network-subnet : "tmod:@turbot/azure-network#/policy/types/subnetActiveAge"
- azure-network-virtualNetwork : "tmod:@turbot/azure-network#/policy/types/virtualNetworkActiveAge"
- 
azure-networkwatcher-flowLog : "tmod:@turbot/azure-networkwatcher#/policy/types/flowLogActiveAge"
- azure-networkwatcher-networkWatcher : "tmod:@turbot/azure-networkwatcher#/policy/types/networkWatcherActiveAge"
- azure-postgresql-database : "tmod:@turbot/azure-postgresql#/policy/types/databaseActiveAge"
- azure-postgresql-server : "tmod:@turbot/azure-postgresql#/policy/types/serverActiveAge"
- azure-recoveryservice-vault : "tmod:@turbot/azure-recoveryservice#/policy/types/vaultActiveAge"
- azure-searchmanagement-searchService : "tmod:@turbot/azure-searchmanagement#/policy/types/searchServiceActiveAge"
- azure-sql-database : "tmod:@turbot/azure-sql#/policy/types/databaseActiveAge"
- azure-sql-elasticPool : "tmod:@turbot/azure-sql#/policy/types/elasticPoolActiveAge"
- azure-sql-server : "tmod:@turbot/azure-sql#/policy/types/serverActiveAge"
- azure-storage-container : "tmod:@turbot/azure-storage#/policy/types/containerActiveAge"
- azure-storage-fileShare : "tmod:@turbot/azure-storage#/policy/types/fileShareActiveAge"
- azure-storage-storageAccount : "tmod:@turbot/azure-storage#/policy/types/storageAccountActiveAge"
- azure-synapseanalytics-sqlPool : "tmod:@turbot/azure-synapseanalytics#/policy/types/sqlPoolActiveAge"
- azure-synapseanalytics-synapseWorkspace : "tmod:@turbot/azure-synapseanalytics#/policy/types/synapseWorkspaceActiveAge"
- }
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/outputs.tf b/baselines/getting_started/azure/azure_check_cost_controls/outputs.tf
deleted file mode 100644
index d26172796..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/outputs.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "resource_active" {
- value = var.resource_active
-}
-
-output "azure_vm_instance_schedule_policies" {
- value = var.azure_vm_instance_schedule_policies
-}
-
-output "azure_vm_instance_schedule_tag_policies" {
- value = var.azure_vm_instance_schedule_tag_policies
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/providers.tf b/baselines/getting_started/azure/azure_check_cost_controls/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/schedules_policies.tf b/baselines/getting_started/azure/azure_check_cost_controls/schedules_policies.tf
deleted file mode 100644
index e3529e561..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/schedules_policies.tf
+++ /dev/null
@@ -1,30 +0,0 @@
-# Setting Resource Schedules to start/stop based on schedule
-# Set to Skip to avoid accidently Enforcement.
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/scheduling
-
-
-# Policy Setting Options:
-# Skip
-# Enforce: Business hours (8:00am - 6:00pm on weekdays)
-# Enforce: Extended business hours (7:00am - 11:00pm on weekdays)
-# Enforce: Stop for night (stop at 10:00pm every day)
-# Enforce: Stop for weekend (stop at 10:00pm on Friday)
-
-# Azure > Compute > Virtual Machine > Schedule
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/virtualMachineSchedule
-resource "turbot_policy_setting" "vm_instance_schedule" {
- count = var.azure_vm_instance_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.azure_cost_controls.id
- type = "tmod:@turbot/azure-compute#/policy/types/virtualMachineSchedule"
- value = "Skip"
-}
-
-# Azure > Compute > Virtual Machine > Schedule Tag
-# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/virtualMachineScheduleTag
-resource "turbot_policy_setting" "vm_instance_schedule_tag" {
- count = var.azure_vm_instance_schedule_tag_policies ? 1 : 0
- resource = turbot_smart_folder.azure_cost_controls.id
- type = "tmod:@turbot/azure-compute#/policy/types/virtualMachineScheduleTag"
- value = "Skip"
- # "Enforce: Schedule per turbot_custom_schedule tag"
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/smartfolder.tf b/baselines/getting_started/azure/azure_check_cost_controls/smartfolder.tf
deleted file mode 100644
index ff1e80219..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_cost_controls" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/storage_tier_policies.tf b/baselines/getting_started/azure/azure_check_cost_controls/storage_tier_policies.tf
deleted file mode 100644
index 58df97745..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/storage_tier_policies.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-# Check for Storage access tier to be cool for a cost savings
-
-resource "turbot_policy_setting" "azure_storage_access_tier" {
- resource = turbot_smart_folder.azure_cost_controls.id
- type = "tmod:@turbot/azure-storage#/policy/types/storageAccountAccessTier"
- value = "Check: Cool"
-}
diff --git a/baselines/getting_started/azure/azure_check_cost_controls/variables.tf b/baselines/getting_started/azure/azure_check_cost_controls/variables.tf
deleted file mode 100644
index 6a4643f1c..000000000
--- a/baselines/getting_started/azure/azure_check_cost_controls/variables.tf
+++ /dev/null
@@ -1,116 +0,0 @@ -variable "resource_active" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/azure/azure_check_encryption/appservice_policies.tf b/baselines/getting_started/azure/azure_check_encryption/appservice_policies.tf deleted file mode 100644 index 0e5bd8ba6..000000000 --- a/baselines/getting_started/azure/azure_check_encryption/appservice_policies.tf +++ /dev/null 
@@ -1,45 +0,0 @@ -# Note: App Service Approved > Usage is validated for httpsOnly for securing the custom domain. - -# Azure > App Service > Function App > Approved > Usage -# https://turbot.com/v5/mods/turbot/azure-appservice/inspect#/policy/types/functionAppApprovedUsage -resource "turbot_policy_setting" "azure_appservice_function_app_approved_usage" { - count = var.appservice_function_app_approved_usage_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-appservice#/policy/types/functionAppApprovedUsage" - template_input = < App Service > Web App > Approved > Usage -# https://turbot.com/v5/mods/turbot/azure-appservice/inspect#/policy/types/webAppApprovedUsage -resource "turbot_policy_setting" "azure_appservice_web_app_approved_usage" { - count = var.azure_appservice_web_app_approved_usage_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-appservice#/policy/types/webAppApprovedUsage" - template_input = < Compute > Disk > Approved > Usage -# https://turbot.com/v5/mods/turbot/azure-compute/inspect#/policy/types/diskApprovedUsage -resource "turbot_policy_setting" "azure_compute_disk_approved_usage" { - count = var.azure_compute_disk_approved_usage_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-compute#/policy/types/diskApprovedUsage" - template_input = < MySQL > Server > Encryption in Transit -# https://turbot.com/v5/mods/turbot/azure-mysql/inspect#/policy/types/serverEncryptionInTransit -resource "turbot_policy_setting" "azure_mysql_server_encryption_in_transit" { - count = var.azure_mysql_server_encryption_in_transit_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-mysql#/policy/types/serverEncryptionInTransit" - value = "Check: Enabled" -} 
diff --git a/baselines/getting_started/azure/azure_check_encryption/outputs.tf b/baselines/getting_started/azure/azure_check_encryption/outputs.tf
deleted file mode 100644
index 5cd4b98e6..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/outputs.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "appservice_function_app_approved_usage_policies" {
- value = var.appservice_function_app_approved_usage_policies
-}
-
-output "azure_appservice_web_app_approved_usage_policies" {
- value = var.azure_appservice_web_app_approved_usage_policies
-}
-
-output "azure_compute_disk_approved_usage_policies" {
- value = var.azure_compute_disk_approved_usage_policies
-}
-
-output "azure_mysql_server_encryption_in_transit_policies" {
- value = var.azure_mysql_server_encryption_in_transit_policies
-}
-
-output "azure_postgresql_server_encryption_in_transit_policies" {
- value = var.azure_postgresql_server_encryption_in_transit_policies
-}
-
-output "azure_sql_database_encryption_at_rest_policies" {
- value = var.azure_sql_database_encryption_at_rest_policies
-}
-
-output "azure_storage_storage_account_encryption_in_transit_policies" {
- value = var.azure_storage_storage_account_encryption_in_transit_policies
-}
-
-output "azure_storage_storage_account_approved_usage_policies" {
- value = var.azure_storage_storage_account_approved_usage_policies
-}
-
-
-
-
-
diff --git a/baselines/getting_started/azure/azure_check_encryption/postgresql_policies.tf b/baselines/getting_started/azure/azure_check_encryption/postgresql_policies.tf
deleted file mode 100644
index fa3db8177..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/postgresql_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption in Transit Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-in-transit
-
-# Azure > PostgreSQL > Server > Encryption in Transit
-# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverEncryptionInTransit
-resource "turbot_policy_setting" "azure_postgresql_server_encryption_in_transit" {
- count = var.azure_postgresql_server_encryption_in_transit_policies ? 1 : 0
- resource = turbot_smart_folder.azure_encryption.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverEncryptionInTransit"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/azure/azure_check_encryption/providers.tf b/baselines/getting_started/azure/azure_check_encryption/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/azure/azure_check_encryption/smart_folder.tf b/baselines/getting_started/azure/azure_check_encryption/smart_folder.tf
deleted file mode 100644
index 0e0ad7792..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_encryption" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/azure/azure_check_encryption/sql_policies.tf b/baselines/getting_started/azure/azure_check_encryption/sql_policies.tf
deleted file mode 100644
index b01ac646f..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/sql_policies.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Encryption at Rest Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest
-
-# Azure > SQL > Database > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/databaseEncryptionAtRest
-resource "turbot_policy_setting" "azure_sql_database_encryption_at_rest" {
- count = var.azure_sql_database_encryption_at_rest_policies ? 1 : 0
- resource = turbot_smart_folder.azure_encryption.id
- type = "tmod:@turbot/azure-sql#/policy/types/databaseEncryptionAtRest"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/azure/azure_check_encryption/storage_policies.tf b/baselines/getting_started/azure/azure_check_encryption/storage_policies.tf
deleted file mode 100644
index e1c13c308..000000000
--- a/baselines/getting_started/azure/azure_check_encryption/storage_policies.tf
+++ /dev/null
@@ -1,36 +0,0 @@ -# Encryption in Transit Guardrails - https://turbot.com/v5/docs/concepts/guardrails/encryption-in-transit - -# Azure > Storage > Storage Account > Encryption in Transit -# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/storageAccountEncryptionInTransit -resource "turbot_policy_setting" "azure_storage_storage_account_encryption_in_transit" { - count = var.azure_storage_storage_account_encryption_in_transit_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-storage#/policy/types/storageAccountEncryptionInTransit" - value = "Check: Enabled" -} - -# Azure > Storage > Storage Account > Approved > Usage -# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/storageAccountApprovedUsage -resource "turbot_policy_setting" "azure_storage_storage_account_approved_usage" { - count = var.azure_storage_storage_account_approved_usage_policies ? 1 : 0 - resource = turbot_smart_folder.azure_encryption.id - type = "tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedUsage" - template_input = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default variable file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). 
- -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destroy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. 
- -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values \ No newline at end of file diff --git a/baselines/getting_started/azure/azure_check_logging/db_threat_protection_policies.tf b/baselines/getting_started/azure/azure_check_logging/db_threat_protection_policies.tf deleted file mode 100644 index ee4020940..000000000 --- a/baselines/getting_started/azure/azure_check_logging/db_threat_protection_policies.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -## Azure > SQL > Server > Advanced Data Security > Threat Protection > Types -# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/serverThreatProtection -resource "turbot_policy_setting" "azure_sql_server_threat_protection_types" { - count = var.azure_sql_server_threat_protection_types_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-sql#/policy/types/serverThreatProtectionTypes" - value = < SQL > Database > Advanced Data Security > Threat Protection > Types -# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/databaseThreatProtection -resource "turbot_policy_setting" "azure_sql_database_threat_protection_types" { - count = var.azure_sql_database_threat_protection_types_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-sql#/policy/types/databaseThreatProtectionTypes" - value = < PostgreSQL > Server > Audit Logging -# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLogging -resource "turbot_policy_setting" "azure_postgresql_server_auditing" { - count = var.azure_postgresql_server_auditing_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLogging" - value = "Check: Audit Logging > *" -} - -# Azure > PostgreSQL > Server > Audit Logging > Log Checkpoints -# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLoggingLogCheckpoints -resource "turbot_policy_setting" "azure_postgresql_server_auditing_checkpoints" { - count = var.azure_postgresql_server_auditing_checkpoints_polices ? 
1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLoggingLogCheckpoints"
- value = "On"
-}
-
-# Azure > PostgreSQL > Server > Audit Logging > Log Connections
-# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLoggingLogConnections
-resource "turbot_policy_setting" "azure_postgresql_server_auditing_connections" {
- count = var.azure_postgresql_server_auditing_connections_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLoggingLogConnections"
- value = "On"
-}
-
-# Azure > PostgreSQL > Server > Audit Logging > Log Disconnections
-# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLoggingLogDisconnections
-resource "turbot_policy_setting" "azure_postgresql_server_auditing_disconnections" {
- count = var.azure_postgresql_server_auditing_disconnections_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLoggingLogDisconnections"
- value = "On"
-}
-
-# Azure > PostgreSQL > Server > Audit Logging > Log Duration
-# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLoggingLogDuration
-resource "turbot_policy_setting" "azure_postgresql_server_auditing_duration" {
- count = var.azure_postgresql_server_auditing_duration_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLoggingLogDuration"
- value = "On"
-}
-
-# Azure > PostgreSQL > Server > Audit Logging > Log Retention Days
-# https://turbot.com/v5/mods/turbot/azure-postgresql/inspect#/policy/types/serverAuditLoggingLogRetentionDays
-resource "turbot_policy_setting" "azure_postgresql_server_auditing_duration_days" {
- count = var.azure_postgresql_server_auditing_duration_days_polices ?
1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-postgresql#/policy/types/serverAuditLoggingLogRetentionDays"
- value = ">= 1 Day"
-}
diff --git a/baselines/getting_started/azure/azure_check_logging/providers.tf b/baselines/getting_started/azure/azure_check_logging/providers.tf
deleted file mode 100644
index db6e1f7b4..000000000
--- a/baselines/getting_started/azure/azure_check_logging/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_logging/smartfolder.tf b/baselines/getting_started/azure/azure_check_logging/smartfolder.tf
deleted file mode 100644
index b7b920390..000000000
--- a/baselines/getting_started/azure/azure_check_logging/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_logging" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_logging/sql_logging_policies.tf b/baselines/getting_started/azure/azure_check_logging/sql_logging_policies.tf
deleted file mode 100644
index f23296f03..000000000
--- a/baselines/getting_started/azure/azure_check_logging/sql_logging_policies.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-# Azure > SQL > Server > Auditing
-# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/serverAuditing
-resource "turbot_policy_setting" "azure_sql_server_auditing" {
- count = var.azure_sql_server_auditing_policies ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-sql#/policy/types/serverAuditing"
- value = "Check: Enabled"
-}
-
-# Azure > SQL > Server > Advanced Data Security
-# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/serverDataSecurity
-resource "turbot_policy_setting" "azure_sql_server_data_security" {
- count = var.azure_sql_server_data_security_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-sql#/policy/types/serverDataSecurity"
- value = "Check: Enabled"
-}
-
-# Azure > SQL > Database > Auditing
-# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/databaseAuditing
-resource "turbot_policy_setting" "azure_sql_database_auditing" {
- count = var.azure_sql_database_auditing_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-sql#/policy/types/databaseAuditing"
- value = "Check: Enabled"
-}
-
-# Azure > SQL > Database > Advanced Data Security
-# https://turbot.com/v5/mods/turbot/azure-sql/inspect#/policy/types/databaseDataSecurity
-resource "turbot_policy_setting" "azure_sql_database_data_security" {
- count = var.azure_sql_database_data_security_polices ? 1 : 0
- resource = turbot_smart_folder.azure_logging.id
- type = "tmod:@turbot/azure-sql#/policy/types/databaseDataSecurity"
- value = "Check: Enabled"
-}
diff --git a/baselines/getting_started/azure/azure_check_logging/storage_logging_policies.tf b/baselines/getting_started/azure/azure_check_logging/storage_logging_policies.tf
deleted file mode 100644
index 41e03fd7d..000000000
--- a/baselines/getting_started/azure/azure_check_logging/storage_logging_policies.tf
+++ /dev/null
@@ -1,30 +0,0 @@ -# Azure > Storage > Storage Account > Queue > Logging -# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/queueServiceLogging -resource "turbot_policy_setting" "azure_storage_queue_service_logging" { - count = var.azure_storage_queue_service_logging_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-storage#/policy/types/queueServiceLogging" - value = "Check: Per Logging > Properties" -} - -# Azure > Storage > Storage Account > Queue > Logging > Properties -# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/queueServiceLoggingProperties -resource "turbot_policy_setting" "azure_storage_queue_service_logging_properties" { - count = var.azure_storage_queue_service_logging_properties_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-storage#/policy/types/queueServiceLoggingProperties" - value = < Storage > Storage Account > Queue > Logging > Properties > Retention Days -# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/queueServiceLoggingPropertiesRetentionDays -resource "turbot_policy_setting" "azure_storage_queue_service_logging_properties_retention_days" { - count = var.azure_storage_queue_service_logging_properties_retention_days_polices ? 1 : 0 - resource = turbot_smart_folder.azure_logging.id - type = "tmod:@turbot/azure-storage#/policy/types/queueServiceLoggingPropertiesRetentionDays" - value = 7 -} diff --git a/baselines/getting_started/azure/azure_check_logging/variables.tf b/baselines/getting_started/azure/azure_check_logging/variables.tf deleted file mode 100644 index 6248be468..000000000 --- a/baselines/getting_started/azure/azure_check_logging/variables.tf +++ /dev/null 
@@ -1,115 +0,0 @@
-# Baseline Configuration
-
-variable "azure_sql_server_auditing_policies" {
- type = bool
- description = "Azure Sql server auditing policies for baseline"
- default = true
-}
-
-variable "azure_sql_server_data_security_polices" {
- type = bool
- description = "Azure Sql server data security policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_disconnections_polices" {
- type = bool
- description = "Azure Postgresql server auditing disconnections policies for baseline"
- default = true
-}
-
-variable "azure_sql_database_auditing_polices" {
- type = bool
- description = "Azure Sql database auditing policies for baseline"
- default = true
-}
-
-variable "azure_sql_database_data_security_polices" {
- type = bool
- description = "Azure Sql database data security policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_polices" {
- type = bool
- description = "Azure Postgresql server auditing policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_checkpoints_polices" {
- type = bool
- description = "Azure Postgresql server auditing checkpoints policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_connections_polices" {
- type = bool
- description = "Azure Postgresql server auditing connections policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_duration_polices" {
- type = bool
- description = "Azure Postgresql server auditing duration policies for baseline"
- default = true
-}
-
-variable "azure_postgresql_server_auditing_duration_days_polices" {
- type = bool
- description = "Azure postgresql server auditing duration policies for baseline"
- default = true
-}
-
-variable "azure_sql_server_threat_protection_types_polices" {
- type = bool
- description = "Azure Sql server threat protection types policies for baseline"
- default = true
-}
-
-variable 
"azure_sql_database_threat_protection_types_polices" {
- type = bool
- description = "Azure Sql database threat protection types policies for baseline"
- default = true
-}
-
-variable "azure_storage_queue_service_logging_polices" {
- type = bool
- description = "Azure storage queue service logging policies for baseline"
- default = true
-}
-
-variable "azure_storage_queue_service_logging_properties_polices" {
- type = bool
- description = "Azure storage queue service logging properties policies for baseline"
- default = true
-}
-
-variable "azure_storage_queue_service_logging_properties_retention_days_polices" {
- type = bool
- description = "Azure storage queue service logging properties retention days policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "Azure Check Logging Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the Azure check logging baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/README.md b/baselines/getting_started/azure/azure_check_public_access/README.md
deleted file mode 100644
index 9e2e502c4..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/README.md
+++ /dev/null
@@ -1,144 +0,0 @@ -# Baseline - Azure Check Public Access Policies - -Azure Check Public Access Policies focuses enabling some commonly used Azure resource public access status. - -More info - -- [Public Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/public-access) - -- [Trusted Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/trusted-access) - -- [Sample OCL Implementation Example](https://turbot.com/v5/docs/guides/managing-policies/OCL) - -- [Object Control List (OCL)](https://turbot.com/v5/docs/reference/ocl) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. 
Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/azure/azure_check_public_access/applicationgateway_policies.tf b/baselines/getting_started/azure/azure_check_public_access/applicationgateway_policies.tf deleted file mode 100644 index 875b11d4a..000000000 --- a/baselines/getting_started/azure/azure_check_public_access/applicationgateway_policies.tf +++ /dev/null 
@@ -1,23 +0,0 @@
-# Azure > Application Gateway Service > Application Gateway > Approved > Usage
-# https://turbot.com/v5/mods/turbot/azure-applicationgateway/inspect#/policy/types/applicationGatewayApprovedUsage
-resource "turbot_policy_setting" "azure_applicationgateway_application_gateway_approved_usage" {
- count = var.enable_application_gateway_approved_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayApprovedUsage"
- template_input = < Network > Network Security Group > Ingress Rules > Approved
-# https://turbot.com/v5/mods/turbot/azure-network/inspect#/policy/types/networkSecurityGroupIngressRulesApproved
-resource "turbot_policy_setting" "azure_network_network_security_group_ingress_rules_approved" {
- count = var.enable_network_security_group_ingress_rules_approved_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApproved"
- value = "Check: Approved"
- # "Skip"
- # "Check: Approved"
- # "Enforce: Delete unapproved"
-}
-
-# Azure > Network > Network Security Group > Ingress Rules > Approved > Rules
-# https://turbot.com/v5/mods/turbot/azure-network/inspect#/policy/types/networkSecurityGroupIngressRulesApprovedRules
-resource "turbot_policy_setting" "azure_network_network_security_group_ingress_rules_approved_rules" {
- count = var.enable_network_security_group_ingress_rules_approved_rules_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedRules"
- value = < Network > Public IP Address > Approved > Usage
-# https://turbot.com/v5/mods/turbot/azure-network/inspect#/policy/types/publicIpAddressApprovedUsage
-resource "turbot_policy_setting" "azure_network_public_ip_address_approved_usage" {
- count = var.enable_network_public_ip_address_approved_usage_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-network#/policy/types/publicIpAddressApprovedUsage"
- value = "Not approved"
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/outputs.tf b/baselines/getting_started/azure/azure_check_public_access/outputs.tf
deleted file mode 100644
index 123414951..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/outputs.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-output "enable_application_gateway_approved_policies" {
- value = var.enable_application_gateway_approved_policies
-}
-
-output "enable_network_security_group_ingress_rules_approved_policies" {
- value = var.enable_network_security_group_ingress_rules_approved_policies
-}
-
-output "enable_network_security_group_ingress_rules_approved_rules_policies" {
- value = var.enable_network_security_group_ingress_rules_approved_rules_policies
-}
-
-output "enable_network_public_ip_address_approved_usage_policies" {
- value = var.enable_network_public_ip_address_approved_usage_policies
-}
-
-output "enable_storage_account_public_access_policies" {
- value = var.enable_storage_account_public_access_policies
-}
-
-output "enable_azure_storage_container_public_access_policies" {
- value = var.enable_azure_storage_container_public_access_policies
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/providers.tf b/baselines/getting_started/azure/azure_check_public_access/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/smart_folder.tf b/baselines/getting_started/azure/azure_check_public_access/smart_folder.tf
deleted file mode 100644
index fd2d32645..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_public_access" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/storage_policies.tf b/baselines/getting_started/azure/azure_check_public_access/storage_policies.tf
deleted file mode 100644
index 5c150b3bd..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/storage_policies.tf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Azure > Storage > Storage Account > Public Access
-# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/storageAccountPublicAccess
-resource "turbot_policy_setting" "azure_storage_account_public_access" {
- count = var.enable_storage_account_public_access_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-storage#/policy/types/storageAccountPublicAccess"
- value = "Check: Enabled"
-}
-
-# Azure > Storage > Container > Public Access Level
-# https://turbot.com/v5/mods/turbot/azure-storage/inspect#/policy/types/containerPublicAccessLevel
-resource "turbot_policy_setting" "azure_storage_container_public_access" {
- count = var.enable_azure_storage_container_public_access_policies ? 1 : 0
- resource = turbot_smart_folder.azure_public_access.id
- type = "tmod:@turbot/azure-storage#/policy/types/containerPublicAccessLevel"
- value = "Check: Private (No anonymous access)"
- # "Check: Blob (Anonymous read access for blobs only)"
- # "Check: Container (Anonymous read access for containers and blobs)"
- # "Check: Private (No anonymous access)"
-}
diff --git a/baselines/getting_started/azure/azure_check_public_access/variables.tf b/baselines/getting_started/azure/azure_check_public_access/variables.tf
deleted file mode 100644
index e63e8c3aa..000000000
--- a/baselines/getting_started/azure/azure_check_public_access/variables.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-# Baseline Configuration
-variable "enable_application_gateway_approved_policies" {
- type = bool
- description = "Enable the Application Gateway approved policies for baseline"
- default = true
-}
-
-variable "enable_network_security_group_ingress_rules_approved_policies" {
- type = bool
- description = "Enable the Azure Network Security Group Ingress approved policies for baseline"
- default = true
-}
-
-variable "enable_network_security_group_ingress_rules_approved_rules_policies" {
- type = bool
- description = "Enable the Azure Network Security Group Ingress Rule approved policies for baseline"
- default = true
-}
-
-variable "enable_network_public_ip_address_approved_usage_policies" {
- type = bool
- description = "Enable the Azure Network Public IP Address approved usage policies for baseline"
- default = true
-}
-
-variable "enable_storage_account_public_access_policies" {
- type = bool
- description = "Enable the Azure Storage Account Public Access policies for baseline"
- default = true
-}
-
-variable "enable_azure_storage_container_public_access_policies" {
- type = bool
- description = "Enable the Azure Storage Container Public Access policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "Azure Check Public Access Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the Azure Public Access checks"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/azure/azure_check_regions/README.md b/baselines/getting_started/azure/azure_check_regions/README.md
deleted file mode 100644
index 1b66d6993..000000000
--- a/baselines/getting_started/azure/azure_check_regions/README.md
+++ /dev/null
@@ -1,187 +0,0 @@ -# Baseline - Azure Check Regions - -This baseline will allow you to discover resources in multiple regions and not approve usage of resource that are not -in an allowable region. - -This baseline is only effective when the account regions policies have multiple regions set. - -The account approved regions `Azure > Subscription > Approved Regions [Default]` policy contains a list of Azure regions in which -cloud resources are approved for use. - -The policy `Azure > Subscription > Regions [Default]` contains a list of Azure region where a resource can be recorded (discovered). - -If the [Azure Baseline](../azure_baseline/) has only one region enabled then the approving regions policy will not be -effective as Turbot will only discovers resources for that one region. - -This baseline needs to be considered carefully in conjunction with the `Azure > Subscription > Regions [Default]` policy set in -the [Azure Baseline](../azure_baseline/). - -Turbot also supports Azure Lockdown / Boundary policies to limit access to regions which are not part of this baseline. - -The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings -created by other baselines. - -This baseline will not attach to a resource and will need to be done manually using the Turbot UI. - -More Info - -- [Approved Regions](https://turbot.com/v5/docs/guides/regions#approved-regions) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. 
Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -The demo baseline expects that the following mods are installed: - -- azure-akz -- azure-apimanagement -- azure-application -- azure-appservice -- azure-compute -- azure-cosmosdb -- azure-databricks -- azure-datafactory -- azure-firewall -- azure-keyvault -- azure-loganalytics -- azure-loadbalancer -- azure-mysql-server -- azure-network -- azure-networkwatcher -- azure-postgresql -- azure-recoveryservice -- azure-searchmanagement -- azure-sql -- azure-storage -- azure-synapseanalytics - -To run the baseline: - -1. Navigate to the folder of the baseline -2. 
Initialise Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -TODO: Omero clean up -From the workspace root folder using the the terminal, to apply the install the demo run the following commands: - -```shell -cd ./baselines/getting_started/Azure/Azure_check_encryption -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values \ No newline at end of file diff --git a/baselines/getting_started/azure/azure_check_regions/approved_regions_policies.tf b/baselines/getting_started/azure/azure_check_regions/approved_regions_policies.tf deleted file mode 100644 index 1b7955966..000000000 --- a/baselines/getting_started/azure/azure_check_regions/approved_regions_policies.tf +++ /dev/null 
@@ -1,21 +0,0 @@
-# Approved Regions cloud resources are allowed to reside in. Starting with eastus and eastus2
-
-# Azure > Subscription > Approved Regions [Default
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/approvedRegionsDefault
-resource "turbot_policy_setting" "azure_approved_regions" {
- resource = turbot_smart_folder.azure_regions.id
- type = "tmod:@turbot/azure#/policy/types/approvedRegionsDefault"
- value = <<-ALLOWEDREGIONS
- ${yamlencode([for region in var.resource_approved_regions_region_list : region])}
- ALLOWEDREGIONS
-}
-
-# Azure > Subscription > Regions [Default]
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/regionsDefault
-## Sets approved region policy for each resource type in the resource_approved_regions map.
-resource "turbot_policy_setting" "set_resource_approved_regions_policies" {
- for_each = var.resource_approved_regions
- resource = turbot_smart_folder.azure_regions.id
- type = local.policy_map[each.key]
- value = each.value
-}
diff --git a/baselines/getting_started/azure/azure_check_regions/demo.tfvars b/baselines/getting_started/azure/azure_check_regions/demo.tfvars
deleted file mode 100644
index aaaef2a6c..000000000
--- a/baselines/getting_started/azure/azure_check_regions/demo.tfvars
+++ /dev/null
@@ -1,54 +0,0 @@
-# List of services and resources to be Check: Approved.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have the related service mod installed
-
-# Acceptable Values:
-# "Skip"
-# "Check: Approved"
-# "Enforce: Delete unapproved if new"
-
-resource_approved_regions = {
- azure-aks-managed-cluster = "Check: Approved"
- azure-apimanagement-service = "Check: Approved"
- azure-application-gateway = "Check: Approved"
- azure-application-insights-insight = "Check: Approved"
- azure-appservice-plan = "Check: Approved"
- azure-appservice-function-app = "Check: Approved"
- azure-compute-availability-set = "Check: Approved"
- azure-compute-disk = "Check: Approved"
- azure-compute-disk-encryption-set = "Check: Approved"
- azure-compute-image = "Check: Approved"
- azure-compute-snapshot = "Check: Approved"
- azure-compute-virtual-machine = "Check: Approved"
- azure-cosmosdb-database = "Check: Approved"
- azure-databricks-workspace = "Check: Approved"
- azure-datafactory-factory = "Check: Approved"
- azure-firewall = "Check: Approved"
- azure-keyvault-key = "Check: Approved"
- azure-keyvault-secret = "Check: Approved"
- azure-keyvault-vault = "Check: Approved"
- azure-loganalytics-workspace = "Check: Approved"
- azure-loadbalancer = "Check: Approved"
- azure-mysql-server = "Check: Approved"
- azure-network-application-security-group = "Check: Approved"
- azure-network-network-interface = "Check: Approved"
- azure-network-network-security-groups = "Check: Approved"
- azure-network-public-ip-address = "Check: Approved"
- azure-network-route-table = "Check: Approved"
- azure-network-virtual-network = "Check: Approved"
- azure-networkwatcher = "Check: Approved"
- azure-postgresql-server = "Check: Approved"
- azure-recoveryservice-vault = "Check: Approved"
- azure-searchmanagement-search-service = "Check: Approved"
- azure-sql-database = "Check: Approved"
- azure-sql-elastic-pool = "Check: Approved"
- azure-sql-server = "Check: Approved"
- azure-storage-storage-account = "Check: Approved"
- azure-synapseanalytics-workspace = "Check: Approved"
-}
-
-# NOTE: For full list of values, look in variables.tf at the default value
-resource_approved_regions_region_list = [
- "eastus",
- "eastus2"
-]
diff --git a/baselines/getting_started/azure/azure_check_regions/locals.tf b/baselines/getting_started/azure/azure_check_regions/locals.tf
deleted file mode 100644
index 5b9af3ec7..000000000
--- a/baselines/getting_started/azure/azure_check_regions/locals.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-locals {
- policy_map = {
- azure-aks-managed-cluster : "tmod:@turbot/azure-aks#/policy/types/managedClusterApproved"
- azure-apimanagement-service : "tmod:@turbot/azure-apimanagement#/policy/types/apiManagementServiceApproved"
- azure-application-gateway : "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayApproved"
- azure-application-insights-insight : "tmod:@turbot/azure-applicationinsights#/policy/types/applicationInsightApproved"
- azure-appservice-plan : "tmod:@turbot/azure-appservice#/policy/types/appServicePlanApproved"
- azure-appservice-function-app : "tmod:@turbot/azure-appservice#/policy/types/functionAppApproved"
- azure-compute-availability-set : "tmod:@turbot/azure-compute#/policy/types/availabilitySetApproved"
- azure-compute-disk : "tmod:@turbot/azure-compute#/policy/types/diskApproved"
- azure-compute-disk-encryption-set : "tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetApproved"
- azure-compute-image : "tmod:@turbot/azure-compute#/policy/types/imageApproved"
- azure-compute-snapshot : "tmod:@turbot/azure-compute#/policy/types/snapshotApproved"
- azure-compute-virtual-machine : "tmod:@turbot/azure-compute#/policy/types/virtualMachineApproved"
- azure-cosmosdb-database : "tmod:@turbot/azure-cosmosdb#/policy/types/databaseAccountApproved"
- azure-databricks-workspace : "tmod:@turbot/azure-databricks#/policy/types/databricksWorkspaceApproved"
- azure-datafactory-factory : "tmod:@turbot/azure-datafactory#/policy/types/factoryApproved"
- azure-firewall : "tmod:@turbot/azure-firewall#/policy/types/firewallApproved"
- azure-keyvault-key : "tmod:@turbot/azure-keyvault#/policy/types/keyApproved"
- azure-keyvault-secret : "tmod:@turbot/azure-keyvault#/policy/types/secretApproved"
- azure-keyvault-vault : "tmod:@turbot/azure-keyvault#/policy/types/vaultApproved"
- azure-loadbalancer : "tmod:@turbot/azure-loadbalancer#/policy/types/loadBalancerApproved"
- azure-loganalytics-workspace : "tmod:@turbot/azure-loganalytics#/policy/types/logAnalyticsWorkspaceApproved"
- azure-mysql-server : "tmod:@turbot/azure-mysql#/policy/types/serverApproved"
- azure-network-application-security-group : "tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupApproved"
- azure-network-network-interface : "tmod:@turbot/azure-network#/policy/types/networkInterfaceApproved"
- azure-network-network-security-groups : "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupApproved"
- azure-network-public-ip-address : "tmod:@turbot/azure-network#/policy/types/publicIpAddressApproved"
- azure-network-route-table : "tmod:@turbot/azure-network#/policy/types/routeTableApproved"
- azure-network-virtual-network : "tmod:@turbot/azure-network#/policy/types/virtualNetworkApproved"
- azure-networkwatcher : "tmod:@turbot/azure-networkwatcher#/policy/types/networkWatcherApproved"
- azure-postgresql-server : "tmod:@turbot/azure-postgresql#/policy/types/serverApproved"
- azure-recoveryservice-vault : "tmod:@turbot/azure-recoveryservice#/policy/types/vaultApproved"
- azure-searchmanagement-search-service : "tmod:@turbot/azure-searchmanagement#/policy/types/searchServiceApproved"
- azure-sql-database : "tmod:@turbot/azure-sql#/policy/types/databaseApproved"
- azure-sql-elastic-pool : "tmod:@turbot/azure-sql#/policy/types/elasticPoolApproved"
- azure-sql-server : "tmod:@turbot/azure-sql#/policy/types/serverApproved"
- azure-storage-storage-account : "tmod:@turbot/azure-storage#/policy/types/storageAccountApproved"
- azure-synapseanalytics-workspace : "tmod:@turbot/azure-synapseanalytics#/policy/types/synapseWorkspaceApproved"
- }
-}
diff --git a/baselines/getting_started/azure/azure_check_regions/outputs.tf b/baselines/getting_started/azure/azure_check_regions/outputs.tf
deleted file mode 100644
index 98b1c4e85..000000000
--- a/baselines/getting_started/azure/azure_check_regions/outputs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-output "resource_approved_regions" {
- value = var.resource_approved_regions
-}
-
-output "resource_approved_regions_region_list" {
- value = var.resource_approved_regions_region_list
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/azure/azure_check_regions/providers.tf b/baselines/getting_started/azure/azure_check_regions/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/azure/azure_check_regions/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/azure/azure_check_regions/smart_folder.tf b/baselines/getting_started/azure/azure_check_regions/smart_folder.tf
deleted file mode 100644
index 7f54ab648..000000000
--- a/baselines/getting_started/azure/azure_check_regions/smart_folder.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-
-resource "turbot_smart_folder" "azure_regions" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_regions/vaiables.tf b/baselines/getting_started/azure/azure_check_regions/vaiables.tf
deleted file mode 100644
index 1d1cb9379..000000000
--- a/baselines/getting_started/azure/azure_check_regions/vaiables.tf
+++ /dev/null
@@ -1,131 +0,0 @@ -# Baseline Configuration - -variable "resource_approved_regions" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default variable file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destroy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values \ No newline at end of file diff --git a/baselines/getting_started/azure/azure_check_stack/outputs.tf b/baselines/getting_started/azure/azure_check_stack/outputs.tf deleted file mode 100644 index 77584c214..000000000 --- a/baselines/getting_started/azure/azure_check_stack/outputs.tf +++ /dev/null 
@@ -1,27 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "azure_subscription_monitor_stack_policies" {
- value = var.azure_subscription_monitor_stack_policies
-}
-
-output "azure_subscription_monitor_stack_tfversion_policies" {
- value = var.azure_subscription_monitor_stack_tfversion_policies
-}
-
-output "azure_subscription_monitor_stack_source_policies" {
- value = var.azure_subscription_monitor_stack_source_policies
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_stack/providers.tf b/baselines/getting_started/azure/azure_check_stack/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/azure/azure_check_stack/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_stack/smartfolder.tf b/baselines/getting_started/azure/azure_check_stack/smartfolder.tf
deleted file mode 100644
index 52e652e2f..000000000
--- a/baselines/getting_started/azure/azure_check_stack/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_stack" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_stack/sub_monitor_stack_policies.tf b/baselines/getting_started/azure/azure_check_stack/sub_monitor_stack_policies.tf
deleted file mode 100644
index 755c5080c..000000000
--- a/baselines/getting_started/azure/azure_check_stack/sub_monitor_stack_policies.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-## Set policy to deploy example Azure Subscription Stack
-
-# Azure > Subscription > Stack
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/subscriptionStack
-resource "turbot_policy_setting" "azure_subscription_monitor_stack" {
- count = var.azure_subscription_monitor_stack_policies ? 1 : 0
- resource = turbot_smart_folder.azure_stack.id
- type = "tmod:@turbot/azure#/policy/types/subscriptionStack"
- value = "Check: Configured"
- #value = "Enforce: Configured"
-}
-
-# Azure > Subscription > Stack > Terraform Version
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/subscriptionStackTerraformVersion
-# Sets the Terraform version for your Source
-resource "turbot_policy_setting" "azure_subscription_monitor_stack_tfversion" {
- count = var.azure_subscription_monitor_stack_tfversion_policies ? 1 : 0
- resource = turbot_smart_folder.azure_stack.id
- type = "tmod:@turbot/azure#/policy/types/subscriptionStackTerraformVersion"
- value = "0.13.*"
-}
-
-# Azure > Subscription > Stack > Source
-# https://turbot.com/v5/mods/turbot/azure/inspect#/policy/types/subscriptionStackSource
-## Set policy to apply the Stack Source policy, the TF file source
-resource "turbot_policy_setting" "azure_subscription_monitor_stack_source" {
- count = var.azure_subscription_monitor_stack_source_policies ? 1 : 0
- resource = turbot_smart_folder.azure_stack.id
- type = "tmod:@turbot/azure#/policy/types/subscriptionStackSource"
- value = <<-SOURCE
- ${file("./tf_includes/sourcestack_policies.tf")}
- SOURCE
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_stack/tf_includes/sourcestack_policies.tf b/baselines/getting_started/azure/azure_check_stack/tf_includes/sourcestack_policies.tf
deleted file mode 100644
index ebaed3693..000000000
--- a/baselines/getting_started/azure/azure_check_stack/tf_includes/sourcestack_policies.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-resource "azurerm_resource_group" "demo_rg" {
- name = "turbot_stack_demo"
- location = "East US"
-
- tags = {
- environment = "demo"
- }
-}
-
-resource "azurerm_monitor_action_group" "demo_rg" {
- name = "turbot_monitor_action_group_demo"
- resource_group_name = "${azurerm_resource_group.demo_rg.name}"
- short_name = "eventHandler"
- tags = {
- environment = "demo"
- }
- }
- resource "azurerm_monitor_activity_log_alert" "turbot_azure_event_handler_activity_Log_Alert" {
- name = "turbot_monitor_log_alert_demo"
- resource_group_name = "${azurerm_resource_group.demo_rg.name}"
- scopes = ["${azurerm_resource_group.demo_rg.id}"]
-
- criteria {
- category = "Administrative"
- status = "Succeeded"
- level = "Informational"
- }
-
- tags = {
- environment = "demo"
- }
-
- action {
- action_group_id = "${azurerm_monitor_action_group.demo_rg.id}"
- }
- }
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_stack/variables.tf b/baselines/getting_started/azure/azure_check_stack/variables.tf
deleted file mode 100644
index 80574f40d..000000000
--- a/baselines/getting_started/azure/azure_check_stack/variables.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-# Baseline configuration
-
-variable "azure_subscription_monitor_stack_policies" {
- type = bool
- description = "Azure subscription monitor stack policies for baseline"
- default = true
-}
-
-variable "azure_subscription_monitor_stack_tfversion_policies" {
- type = bool
- description = "Azure subscription monitor stack TFversion policies for baseline"
- default = true
-}
-
-variable "azure_subscription_monitor_stack_source_policies" {
- type = bool
- description = "Azure subscription monitor stack source policies for baseline"
- default = true
-}
-
-# Smartfolder configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "Azure Stack Example Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the Azure Stack baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_tagging/README.md b/baselines/getting_started/azure/azure_check_tagging/README.md
deleted file mode 100644
index cfa8ab268..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/README.md
+++ /dev/null
@@ -1,138 +0,0 @@ -# Baseline - Azure Check Tagging - -This baseline will allow you to check for adherence to the tagging templates, make sure that the Tag Templates are updated with the specific use case to validate. - -More info - -- [Tags in Turbot](https://turbot.com/v5/docs/concepts/guardrails/tagging) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. 
In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/azure/azure_check_tagging/demo.tfvars b/baselines/getting_started/azure/azure_check_tagging/demo.tfvars deleted file mode 100644 index 777a55b27..000000000 --- a/baselines/getting_started/azure/azure_check_tagging/demo.tfvars +++ /dev/null 
@@ -1,56 +0,0 @@
-# List of services and resources to be Check: Tags are correct.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have that related service mod install
-
-# Acceptable Values:
-# "Skip"
-# "Check: Tags are correct"
-# "Enforce: Set tags"
-
-### These tags must exist for Missing Tag use case if enabled
-### required_tags = [
-### "Owner",
-### "Contact",
-### "Cost Center",
-### "Project ID",
-### "Department",
-### ]
-
-resource_tags = {
- azure-aks-managed-cluster = "Check: Tags are correct"
- # azure-apimanagement-service = "Check: Tags are correct"
- # azure-application-gateway = "Check: Tags are correct"
- # azure-application-insights-insight = "Check: Tags are correct"
- # azure-compute-availability-set = "Check: Tags are correct"
- # azure-compute-disk = "Check: Tags are correct"
- # azure-compute-disk-encryption-set = "Check: Tags are correct"
- # azure-compute-image = "Check: Tags are correct"
- # azure-compute-snapshot = "Check: Tags are correct"
- azure-compute-virtual-machine = "Check: Tags are correct"
- azure-cosmosdb-database = "Check: Tags are correct"
- # azure-databricks-workspace = "Check: Tags are correct"
- # azure-datafactory-factory = "Check: Tags are correct"
- # azure-dns-record-set = "Check: Tags are correct"
- # azure-dns-zone = "Check: Tags are correct"
- # azure-firewall = "Check: Tags are correct"
- # azure-keyvault-vault = "Check: Tags are correct"
- # azure-loadbalancer = "Check: Tags are correct"
- azure-mysql-server = "Check: Tags are correct"
- azure-network-application-security-group = "Check: Tags are correct"
- # azure-network-network-interface = "Check: Tags are correct"
- # azure-network-network-security-groups = "Check: Tags are correct"
- # azure-network-public-ip-address = "Check: Tags are correct"
- # azure-network-route-table = "Check: Tags are correct"
- # 
azure-network-virtual-network = "Check: Tags are correct"
- # azure-networkwatcher = "Check: Tags are correct"
- azure-postgresql-server = "Check: Tags are correct"
- # azure-recoveryservice-vault = "Check: Tags are correct"
- azure-resourcegroup = "Check: Tags are correct"
- # azure-searchmanagement-search-service = "Check: Tags are correct"
- azure-sql-database = "Check: Tags are correct"
- # azure-sql-elastic-pool = "Check: Tags are correct"
- azure-sql-server = "Check: Tags are correct"
- azure-storage-storage-account = "Check: Tags are correct"
- # azure-synapseanalytics-sql-pool = "Check: Tags are correct"
- azure-synapseanalytics-workspace = "Check: Tags are correct"
-}
diff --git a/baselines/getting_started/azure/azure_check_tagging/locals.tf b/baselines/getting_started/azure/azure_check_tagging/locals.tf
deleted file mode 100644
index e54cbfc03..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/locals.tf
+++ /dev/null
@@ -1,84 +0,0 @@
-locals {
-
- # Mapping of resource name for the policy
- # Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope
- policy_map = {
- azure-aks-managed-cluster : "tmod:@turbot/azure-aks#/policy/types/managedClusterTags"
- azure-apimanagement-service : "tmod:@turbot/azure-apimanagement#/policy/types/apiManagementServiceTags"
- azure-application-gateway : "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayTags"
- azure-application-insights-insight : "tmod:@turbot/azure-applicationinsights#/policy/types/applicationInsightTags"
- azure-compute-availability-set : "tmod:@turbot/azure-compute#/policy/types/availabilitySetTags"
- azure-compute-disk : "tmod:@turbot/azure-compute#/policy/types/diskTags"
- azure-compute-disk-encryption-set : "tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetTags"
- azure-compute-image : "tmod:@turbot/azure-compute#/policy/types/imageTags"
- azure-compute-snapshot : "tmod:@turbot/azure-compute#/policy/types/snapshotTags"
- azure-compute-virtual-machine : "tmod:@turbot/azure-compute#/policy/types/virtualMachineTags"
- azure-cosmosdb-database : "tmod:@turbot/azure-cosmosdb#/policy/types/databaseAccountTags"
- azure-databricks-workspace : "tmod:@turbot/azure-databricks#/policy/types/databricksWorkspaceTags"
- azure-datafactory-factory : "tmod:@turbot/azure-datafactory#/policy/types/factoryTags"
- azure-dns-record-set : "tmod:@turbot/azure-dns#/policy/types/recordSetTags"
- azure-dns-zone : "tmod:@turbot/azure-dns#/policy/types/zoneTags"
- azure-firewall : "tmod:@turbot/azure-firewall#/policy/types/firewallTags"
- azure-keyvault-vault : "tmod:@turbot/azure-keyvault#/policy/types/vaultTags"
- azure-loadbalancer : "tmod:@turbot/azure-loadbalancer#/policy/types/loadBalancerTags"
- azure-mysql-server : "tmod:@turbot/azure-mysql#/policy/types/serverTags"
- azure-network-application-security-group : 
"tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupTags"
- azure-network-network-interface : "tmod:@turbot/azure-network#/policy/types/networkInterfaceTags"
- azure-network-network-security-groups : "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupTags"
- azure-network-public-ip-address : "tmod:@turbot/azure-network#/policy/types/publicIpAddressTags"
- azure-network-route-table : "tmod:@turbot/azure-network#/policy/types/routeTableTags"
- azure-network-virtual-network : "tmod:@turbot/azure-network#/policy/types/virtualNetworkTags"
- azure-networkwatcher : "tmod:@turbot/azure-networkwatcher#/policy/types/networkWatcherTags"
- azure-postgresql-server : "tmod:@turbot/azure-postgresql#/policy/types/serverTags"
- azure-recoveryservice-vault : "tmod:@turbot/azure-recoveryservice#/policy/types/vaultTags"
- azure-resourcegroup : "tmod:@turbot/azure#/policy/types/resourceGroupTags"
- azure-searchmanagement-search-service : "tmod:@turbot/azure-searchmanagement#/policy/types/searchServiceTags"
- azure-sql-database : "tmod:@turbot/azure-sql#/policy/types/databaseTags"
- azure-sql-elastic-pool : "tmod:@turbot/azure-sql#/policy/types/elasticPoolTags"
- azure-sql-server : "tmod:@turbot/azure-sql#/policy/types/serverTags"
- azure-storage-storage-account : "tmod:@turbot/azure-storage#/policy/types/storageAccountTags"
- azure-synapseanalytics-sql-pool : "tmod:@turbot/azure-synapseanalytics#/policy/types/sqlPoolTags"
- azure-synapseanalytics-workspace : "tmod:@turbot/azure-synapseanalytics#/policy/types/synapseWorkspaceTags"
- }
-
- # Mapping of resource name to the policy map
- # Note: the resource map above dictates the applicable use of each line item below. 
You do not need to comment out these items to reduce scope
- policy_map_template = {
- azure-aks-managed-cluster : "tmod:@turbot/azure-aks#/policy/types/managedClusterTagsTemplate"
- azure-apimanagement-service : "tmod:@turbot/azure-apimanagement#/policy/types/apiManagementServiceTagsTemplate"
- azure-application-gateway : "tmod:@turbot/azure-applicationgateway#/policy/types/applicationGatewayTagsTemplate"
- azure-application-insights-insight : "tmod:@turbot/azure-applicationinsights#/policy/types/applicationInsightTagsTemplate"
- azure-compute-availability-set : "tmod:@turbot/azure-compute#/policy/types/availabilitySetTagsTemplate"
- azure-compute-disk : "tmod:@turbot/azure-compute#/policy/types/diskTagsTemplate"
- azure-compute-disk-encryption-set : "tmod:@turbot/azure-compute#/policy/types/diskEncryptionSetTagsTemplate"
- azure-compute-image : "tmod:@turbot/azure-compute#/policy/types/imageTagsTemplate"
- azure-compute-snapshot : "tmod:@turbot/azure-compute#/policy/types/snapshotTagsTemplate"
- azure-compute-virtual-machine : "tmod:@turbot/azure-compute#/policy/types/virtualMachineTagsTemplate"
- azure-cosmosdb-database : "tmod:@turbot/azure-cosmosdb#/policy/types/databaseAccountTagsTemplate"
- azure-databricks-workspace : "tmod:@turbot/azure-databricks#/policy/types/databricksWorkspaceTagsTemplate"
- azure-datafactory-factory : "tmod:@turbot/azure-datafactory#/policy/types/factoryTagsTemplate"
- azure-dns-record-set : "tmod:@turbot/azure-dns#/policy/types/recordSetTagsTemplate"
- azure-dns-zone : "tmod:@turbot/azure-dns#/policy/types/zoneTagsTemplate"
- azure-firewall : "tmod:@turbot/azure-firewall#/policy/types/firewallTagsTemplate"
- azure-keyvault-vault : "tmod:@turbot/azure-keyvault#/policy/types/vaultTagsTemplate"
- azure-loadbalancer : "tmod:@turbot/azure-loadbalancer#/policy/types/loadBalancerTagsTemplate"
- azure-mysql-server : "tmod:@turbot/azure-mysql#/policy/types/serverTagsTemplate"
- azure-network-application-security-group : 
"tmod:@turbot/azure-network#/policy/types/applicationSecurityGroupTagsTemplate"
- azure-network-network-interface : "tmod:@turbot/azure-network#/policy/types/networkInterfaceTagsTemplate"
- azure-network-network-security-groups : "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupTagsTemplate"
- azure-network-public-ip-address : "tmod:@turbot/azure-network#/policy/types/publicIpAddressTagsTemplate"
- azure-network-route-table : "tmod:@turbot/azure-network#/policy/types/routeTableTagsTemplate"
- azure-network-virtual-network : "tmod:@turbot/azure-network#/policy/types/virtualNetworkTagsTemplate"
- azure-networkwatcher : "tmod:@turbot/azure-networkwatcher#/policy/types/networkWatcherTagsTemplate"
- azure-postgresql-server : "tmod:@turbot/azure-postgresql#/policy/types/serverTagsTemplate"
- azure-recoveryservice-vault : "tmod:@turbot/azure-recoveryservice#/policy/types/vaultTagsTemplate"
- azure-resourcegroup : "tmod:@turbot/azure#/policy/types/resourceGroupTagsTemplate"
- azure-searchmanagement-search-service : "tmod:@turbot/azure-searchmanagement#/policy/types/searchServiceTagsTemplate"
- azure-sql-database : "tmod:@turbot/azure-sql#/policy/types/databaseTagsTemplate"
- azure-sql-elastic-pool : "tmod:@turbot/azure-sql#/policy/types/elasticPoolTagsTemplate"
- azure-sql-server : "tmod:@turbot/azure-sql#/policy/types/serverTagsTemplate"
- azure-storage-storage-account : "tmod:@turbot/azure-storage#/policy/types/storageAccountTagsTemplate"
- azure-synapseanalytics-sql-pool : "tmod:@turbot/azure-synapseanalytics#/policy/types/sqlPoolTagsTemplate"
- azure-synapseanalytics-workspace : "tmod:@turbot/azure-synapseanalytics#/policy/types/synapseWorkspaceTagsTemplate"
- }
-}
diff --git a/baselines/getting_started/azure/azure_check_tagging/outputs.tf b/baselines/getting_started/azure/azure_check_tagging/outputs.tf
deleted file mode 100644
index 7dc826d3c..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "resource_tags" {
- value = var.resource_tags
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_tagging/providers.tf b/baselines/getting_started/azure/azure_check_tagging/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_tagging/smartfolder.tf b/baselines/getting_started/azure/azure_check_tagging/smartfolder.tf
deleted file mode 100644
index a08bfb5ad..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "azure_tagging" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_check_tagging/tagging_policies.tf b/baselines/getting_started/azure/azure_check_tagging/tagging_policies.tf
deleted file mode 100644
index a18c396a6..000000000
--- a/baselines/getting_started/azure/azure_check_tagging/tagging_policies.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-# Simple tagging controls to check for adhernece to the tagging template example
-# Tag template should be updated per your specific use case
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/tagging
-
-
-#
-## Sets tagging policy for each resource type in the resource_tags map.
-resource "turbot_policy_setting" "set_resource_tag_policies" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.azure_tagging.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-## Sets the default tag template for all resources.
-resource "turbot_policy_setting" "default_tag_template" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.azure_tagging.id
- type = local.policy_map_template[each.key]
- # GraphQL to pull metadata
- template_input = <<-QUERY
- {
- resource {
- turbot {
- title
- tags
- }
- creator: notifications(filter: "sort:version_id limit:1") {
- items {
- actor {
- alternatePersona
- identity {
- turbot {
- title
- }
- }
- }
- turbot {
- createTimestamp
- }
- }
- }
- }
- }
- QUERY
-
- # Nunjucks template to set tags and check for tag validity. 
- template = <<-TEMPLATE - # Bring in environment metadata / attributes - Name: "{{ $.resource.turbot.title }}" - # Enforce selection of values, set to "Non-Compliant" if out of bounds - Environment: "{% if $.resource.turbot.tags['Environment'] in ['Dev', 'QA', 'Prod', 'Temp'] %}{{ $.resource.turbot.tags['Environment'] }}{% else %}Non-Compliant Tag{% endif %}" - # Actor who created the resource - CreatedByActor: "{% if $.resource.creator.items[0].actor.identity.turbot.title == 'Unidentified Identity' %}{{ $.resource.creator.items[0].actor.alternatePersona }}{% else %}{{ $.resource.creator.items[0].actor.identity.turbot.title }}{% endif %}" - # Creation Timestamp - CreatedByTime: "{{ $.resource.creator.items[0].turbot.createTimestamp }}" - TEMPLATE -} - -## Missing Tag on folder use case: -## {%- set missingTag = "__MissingTag__" -%} -# {%- set required_tags = ${jsonencode([for tag_name in var.required_tags : tag_name])} -%} -# # If Resource has a required tag, will accept the resource tag, else will tag with Folder tag value. -# {%- for tag_name in required_tags %} -# {%- if tag_name in $.resource.turbot.tags %} -# {{tag_name}}: "{{ $.resource.turbot.tags[tag_name] }}" -# {%- elif tag_name in $.folder.turbot.tags %} -# {{tag_name}}: "{{ $.folder.turbot.tags[tag_name] }}" -# {%- else %} -# {{tag_name}}: {{missingTag}} -# {%- endif %} -# {%- endfor %} - diff --git a/baselines/getting_started/azure/azure_check_tagging/variables.tf b/baselines/getting_started/azure/azure_check_tagging/variables.tf deleted file mode 100644 index 07b9b296b..000000000 --- a/baselines/getting_started/azure/azure_check_tagging/variables.tf +++ /dev/null 
@@ -1,92 +0,0 @@ -variable "resource_tags" { - description = < -``` - -### Apply installation - -The installation can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -### Destroy installation - -If seeking to apply the installation without using an input variable file. - -1. Navigate to the folder containing the installation configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -## Commenting strategy - -All Turbot policies used by the installation will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values \ No newline at end of file diff --git a/baselines/getting_started/azure/azure_mods/mod_install.tf b/baselines/getting_started/azure/azure_mods/mod_install.tf deleted file mode 100644 index bcc79dc21..000000000 --- a/baselines/getting_started/azure/azure_mods/mod_install.tf +++ /dev/null 
@@ -1,308 +0,0 @@
-# https://turbot.com/v5/mods/turbot/azure
-resource "turbot_mod" "azure" {
- parent = "tmod:@turbot/turbot#/"
- org = "turbot"
- mod = "azure"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-provider
-resource "turbot_mod" "azure-provider" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure"]
- org = "turbot"
- mod = "azure-provider"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-provider") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-iam
-resource "turbot_mod" "azure-iam" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure"]
- org = "turbot"
- mod = "azure-iam"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-iam") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-activedirectory
-resource "turbot_mod" "azure-activedirectory" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure"]
- org = "turbot"
- mod = "azure-activedirectory"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-activedirectory") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-aks
-resource "turbot_mod" "azure-aks" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-aks"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-aks") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-apimanagement
-resource "turbot_mod" "azure-apimanagement" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-apimanagement"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-apimanagement") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-applicationgateway
-resource "turbot_mod" "azure-applicationgateway" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-applicationgateway"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-applicationgateway") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-applicationinsights
-resource "turbot_mod" "azure-applicationinsights" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-applicationinsights"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-applicationinsights") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-appservice
-resource "turbot_mod" "azure-appservice" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-appservice"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-appservice") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-compute
-resource "turbot_mod" "azure-compute" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-compute"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-compute") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-cosmosdb
-resource "turbot_mod" "azure-cosmosdb" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-cosmosdb"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-cosmosdb") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-databricks
-resource "turbot_mod" "azure-databricks" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-databricks"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-databricks") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-datafactory
-resource "turbot_mod" "azure-datafactory" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-datafactory"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-datafactory") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-dns
-resource "turbot_mod" "azure-dns" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-dns"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-dns") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-firewall
-resource "turbot_mod" "azure-firewall" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-firewall"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-firewall") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-frontdoorservice
-resource "turbot_mod" "azure-frontdoorservice" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam"]
- org = "turbot"
- mod = "azure-frontdoorservice"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-frontdoorservice") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-loadbalancer
-resource "turbot_mod" "azure-loadbalancer" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-loadbalancer"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-loadbalancer") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-loganalytics
-resource "turbot_mod" "azure-loganalytics" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-loganalytics"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-loganalytics") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-monitor
-resource "turbot_mod" "azure-monitor" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-monitor"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-monitor") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-mysql
-resource "turbot_mod" "azure-mysql" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-mysql"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-mysql") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-network
-resource "turbot_mod" "azure-network" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-network"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-network") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-postgresql
-resource "turbot_mod" "azure-postgresql" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-postgresql"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-postgresql") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-recoveryservice
-resource "turbot_mod" "azure-recoveryservice" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-recoveryservice"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-recoveryservice") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-searchmanagement
-resource "turbot_mod" "azure-searchmanagement" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-searchmanagement"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-searchmanagement") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-securitycenter
-resource "turbot_mod" "azure-securitycenter" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-securitycenter"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-securitycenter") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-sql
-resource "turbot_mod" "azure-sql" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-sql"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-sql") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-storage
-resource "turbot_mod" "azure-storage" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-storage"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-storage") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-synapseanalytics
-resource "turbot_mod" "azure-synapseanalytics" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-synapseanalytics"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-synapseanalytics") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-keyvault
-resource "turbot_mod" "azure-keyvault" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-keyvault"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-keyvault") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-networkwatcher
-resource "turbot_mod" "azure-networkwatcher" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-provider"]
- org = "turbot"
- mod = "azure-networkwatcher"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-networkwatcher") ? 
1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/azure-cisv1
-resource "turbot_mod" "azure-cisv1" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = [ "turbot_mod.azure", "turbot_mod.azure-iam", "turbot_mod.azure-appservice", "turbot_mod.azure-compute", "turbot_mod.azure-keyvault", "turbot_mod.azure-monitor", "turbot_mod.azure-mysql", "turbot_mod.azure-network", "turbot_mod.azure-provider", "turbot_mod.azure-securitycenter", "turbot_mod.azure-sql", "turbot_mod.azure-postgresql", "turbot_mod.azure-storage", "turbot_mod.azure-networkwatcher", "turbot_mod.azure-aks"]
- org = "turbot"
- mod = "azure-cisv1"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "azure-cisv1") ? 1 : 0
-}
diff --git a/baselines/getting_started/azure/azure_mods/outputs.tf b/baselines/getting_started/azure/azure_mods/outputs.tf
deleted file mode 100644
index 276afe05a..000000000
--- a/baselines/getting_started/azure/azure_mods/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "mod_list" {
- value = var.mod_list
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_mods/providers.tf b/baselines/getting_started/azure/azure_mods/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/azure/azure_mods/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/azure/azure_mods/variables.tf b/baselines/getting_started/azure/azure_mods/variables.tf
deleted file mode 100644
index 4cf20fa51..000000000
--- a/baselines/getting_started/azure/azure_mods/variables.tf
+++ /dev/null
@@ -1,41 +0,0 @@
-variable "mod_list" {
- type = "list"
- default = [
- "azure",
- "azure-activedirectory",
- "azure-aks",
- "azure-apimanagement",
- "azure-applicationgateway",
- "azure-applicationinsights",
- "azure-appservice",
- "azure-cisv1",
- "azure-compute",
- "azure-cosmosdb",
- "azure-databricks",
- "azure-datafactory",
- "azure-dns",
- "azure-firewall",
- "azure-frontdoorservice",
- "azure-iam",
- "azure-keyvault",
- "azure-loadbalancer",
- "azure-loganalytics",
- "azure-monitor",
- "azure-mysql",
- "azure-network",
- "azure-networkwatcher",
- "azure-postgresql",
- "azure-provider",
- "azure-recoveryservice",
- "azure-searchmanagement",
- "azure-securitycenter",
- "azure-sql",
- "azure-storage",
- "azure-synapseanalytics"
- ]
-}
-
-variable "turbot_profile" {
- type = string
- description = "Turbot profile for the workspace where this terraform code will be executed"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_baseline/README.md b/baselines/getting_started/gcp/gcp_baseline/README.md
deleted file mode 100644
index c118ceff4..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/README.md
+++ /dev/null
@@ -1,154 +0,0 @@
-# Baseline - GCP Baseline
-
-GCP Baseline Policies focuses on base minimum set of example policies & services to start with such as
-
-- Sevice Enablement
-- Service API Enablement
-- Event Polling
-- Enable CIS
-
-This baseline turns on GCP services that are provided by an input variable file.
-If none are provided then all services will be enabled.
-Enabling / disabling a service consists of enabling / disabling the service and API access to that service.
-The variable to use is `service_status`.
-
-The baseline will configure GCP to use polling unless specified to use event handling in the input variable file.
-The variable to use is `use_event_polling`.
-
-Additionally the baseline will enable CIS and set attestation of CIS to be a year.
-Currently there is no variable to control this behavior.
-
-## Important
-
-Running the baseline without an input variable file assumes that you have **ALL** GCP mods installed.
-To limit the baseline, look at the example input variable file [demo.tfvars](demo.tfvars).
-
-## Overview
-
-Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information.
-
-Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts.
-
-This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI.
-
-## Requirements
-
-- Terraform v0.13 or greater installed
-- Valid Turbot configuration credentials
-
-For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials).
-
-## Applying baseline
-
-The baseline is defined by a set of files which together define the configuration of the baseline.
-
-### Deploying demo example
-
-The demo baseline expects that the following mods are installed:
-
-- gcp-iam
-- gcp-pubsub
-- gcp-storage
-- gcp-logging
-
-To run the baseline:
-
-1. Navigate to the folder of the baseline
-2. Initialise Terraform
-3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars)
-
-On the terminal this will look like:
-
-```shell
-cd
-terraform init
-terraform apply --var-file demo.tfvars
-```
-
-**Note**
-
-- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need.
-
-- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file.
-
-### Input variable files
-
-Input variable files allow for the user to configure configuration definitions for multiple environments in different files.
-
-It will be used to define which parts of the baseline to apply and which to ignore.
-
-The variables that can be overwritten by the input variable files are defined in the [variables.tf](variables.tf) file.
-
-This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars).
-
-Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html).
-
-### Initialise baseline
-
-If not previously run, initialise Terraform to get all necessary providers for the baseline.
-
-1. Navigate to the folder containing the baseline configuration.
-2.
Run the command:
-
- ```shell
- terraform init
- ```
-
-### Apply baseline without input variable file
-
-The baseline can be applied without an input variable file.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform apply
- ```
-
-This may prompt the user applying the baseline to enter values for variables that do not have default values.
-
-### Apply baseline using input variable files
-
-If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform apply --var-file=demo.tfvars
- ```
-
-### Destroy baseline without input variable file
-
-If seeking to apply the baseline without using an input variable file.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-### Destroy using input variable files
-
-If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy --var-file=demo.tfvars
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
diff --git a/baselines/getting_started/gcp/gcp_baseline/demo.tfvars b/baselines/getting_started/gcp/gcp_baseline/demo.tfvars
deleted file mode 100644
index 0486df201..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/demo.tfvars
+++ /dev/null
@@ -1,17 +0,0 @@
-# List of services and providers to set as Enabled
-# Enabling all by default, can comment out the services and APIs to reduce scope
-# Make sure you have the mods installed if enabling / registering. The default mod install baseline assumes all
-
-# For Service Status, change the options per service:
-# "Enabled"
-# "Disabled"
-
-service_status = {
- gcp-iam = "Enabled"
- gcp-logging = "Enabled" ### Enabled in Real-Time events if turned on
- gcp-pubsub = "Enabled" ### Enabled in Real-Time events if turned on
- gcp-storage = "Enabled"
-}
-
-# Set up the demo to use event handling
-use_event_polling = false
diff --git a/baselines/getting_started/gcp/gcp_baseline/enable_cis_policies.tf b/baselines/getting_started/gcp/gcp_baseline/enable_cis_policies.tf
deleted file mode 100644
index ef4035570..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/enable_cis_policies.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Enabled CIS Checks and setting the default attestation to 1 year
-
-# GCP > CIS v1
-# https://turbot.com/v5/mods/turbot/gcp-cisv1/inspect#/policy/types/cis
-resource "turbot_policy_setting" "enable_cis_checks" {
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp-cisv1#/policy/types/cis"
- value = "Check: Level 1 & Level 2 (Scored)"
-}
-
-# GCP > CIS v1 > Maximum Attestation Duration
-# https://turbot.com/v5/mods/turbot/gcp-cisv1/inspect#/policy/types/attestation
-resource "turbot_policy_setting" "gcp_cis_max_attestation_period" {
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp-cisv1#/policy/types/attestation"
- value = "1 year"
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/enable_policies.tf b/baselines/getting_started/gcp/gcp_baseline/enable_policies.tf
deleted file mode 100644
index 1667e371e..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/enable_policies.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Enabling GCP Services in Turbot
-# https://turbot.com/v5/docs/integrations/gcp/services
-
-# Loop through var.service_status and set enable policies
-
-# GCP > **Service** > Enabled
-# Example policy: https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/iamEnabled
-resource "turbot_policy_setting" "gcp_enable" {
- for_each = var.service_status
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/${each.key}#/policy/types/${local.policy_map[each.key]}"
- value = each.value
-}
-
-# GCP > **Service** > API Enabled
-# Example policy: https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/iamApiEnabled
-resource "turbot_policy_setting" "gcp_api_enable" {
- for_each = var.service_status
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/${each.key}#/policy/types/${local.api_policy_map[each.key]}"
- value = "Enforce: ${each.value}"
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/event_poller_policies.tf b/baselines/getting_started/gcp/gcp_baseline/event_poller_policies.tf
deleted file mode 100644
index e1d563843..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/event_poller_policies.tf
+++ /dev/null
@@ -1,77 +0,0 @@
-# GCP Real-Time Events(Pollers)
-# https://turbot.com/v5/docs/integrations/gcp/real-time-events
-
-# Configuring Real-Time Event Handlers
-# https://turbot.com/v5/docs/integrations/gcp/real-time-events/event-handlers
-
-# Create Event Pollers per Project
-# Note: Setting variable `use_event_polling` to false will cause the baseline to use event handlers
-# by default the baseline will use event pollers are they are the simplest setup.
-
-# GCP > Turbot > Event Poller
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/eventPoller
-resource "turbot_policy_setting" "gcp_event_polling" {
- count = var.use_event_polling ? 1 : 0
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp#/policy/types/eventPoller"
- value = "Enabled"
-}
-
-# GCP > Turbot > Event Poller > Interval
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/eventPollerInterval
-resource "turbot_policy_setting" "gcp_event_polling_interval" {
- count = var.use_event_polling ? 1 : 0
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp#/policy/types/eventPollerInterval"
- value = "Every 1 minute"
-}
-
-# GCP > Turbot > Event Poller > Window
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/eventPollerWindow
-resource "turbot_policy_setting" "gcp_event_polling_window" {
- count = var.use_event_polling ? 1 : 0
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp#/policy/types/eventPollerWindow"
- value = "10 minutes"
-}
-
-# Sets the policy for Logging
-
-# GCP > Turbot > Event Handlers > Logging
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/eventHandlersLogging
-resource "turbot_policy_setting" "event_handlers_logging" {
- count = var.use_event_polling ?
0 : 1
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp#/policy/types/eventHandlersLogging"
- value = "Enforce: Configured"
-}
-
-# Sets the policy for Pub/Sub
-# GCP > Turbot > Event Handlers > Pub/Sub
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/eventHandlersPubSub
-resource "turbot_policy_setting" "event_handlers_pub_sub" {
- count = var.use_event_polling ? 0 : 1
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp#/policy/types/eventHandlersPubSub"
- value = "Enforce: Configured"
-}
-
-# Sets the policy Enable for API Enabled in Pub/Sub
-# GCP > Pub/Sub > API Enabled
-# https://turbot.com/v5/mods/turbot/gcp-pubsub/inspect#/policy/types/pubsubApiEnabled
-resource "turbot_policy_setting" "pub_sub_api_enabled" {
- count = var.use_event_polling ? 0 : 1
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp-pubsub#/policy/types/pubsubApiEnabled"
- value = "Enforce: Enabled"
-}
-
-# Sets the policy Enable for API Enabled in Logging
-# GCP > Logging > API Enabled
-# https://turbot.com/v5/mods/turbot/gcp-logging/inspect#/policy/types/loggingApiEnabled
-resource "turbot_policy_setting" "logging_api_enabled" {
- count = var.use_event_polling ? 0 : 1
- resource = turbot_smart_folder.gcp_baseline.id
- type = "tmod:@turbot/gcp-logging#/policy/types/loggingApiEnabled"
- value = "Enforce: Enabled"
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/locals.tf b/baselines/getting_started/gcp/gcp_baseline/locals.tf
deleted file mode 100644
index 6543c4d81..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/locals.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-
-locals {
- policy_map = {
- gcp-appengine = "appEngineEnabled"
- gcp-bigquery = "bigQueryEnabled"
- gcp-bigtable = "bigtableEnabled"
- gcp-build = "buildServiceEnabled"
- gcp-composer = "composerEnabled"
- gcp-computeengine = "computeEngineEnabled"
- gcp-datacatalog = "dataCatalogEnabled"
- gcp-dataflow = "dataflowEnabled"
- gcp-dataproc = "dataprocEnabled"
- gcp-dns = "dnsEnabled"
- gcp-functions = "functionsEnabled"
- gcp-iam = "iamEnabled"
- gcp-kms = "kmsEnabled"
- gcp-kubernetesengine = "kubernetesEngineEnabled"
- gcp-logging = "loggingEnabled"
- gcp-memorystore = "memorystoreEnabled"
- gcp-monitoring = "monitoringEnabled"
- gcp-network = "networkServiceEnabled"
- gcp-notebooks = "notebooksEnabled"
- gcp-pubsub = "pubsubEnabled"
- gcp-scheduler = "schedulerEnabled"
- gcp-spanner = "spannerEnabled"
- gcp-sql = "sqlEnabled"
- gcp-storage = "storageEnabled"
- ##gcp-orgpolicy = "" ## Note: OrgPolicy does not have an Enabled
- }
-
- api_policy_map = {
- gcp-appengine = "appEngineApiEnabled"
- gcp-bigquery = "bigQueryApiEnabled"
- gcp-bigtable = "bigtableApiEnabled"
- gcp-build = "buildServiceApiEnabled"
- gcp-composer = "composerApiEnabled"
- gcp-computeengine = "computeEngineApiEnabled"
- gcp-datacatalog = "dataCatalogApiEnabled"
- gcp-dataflow = "dataflowApiEnabled"
- gcp-dataproc = "dataprocApiEnabled"
- gcp-dns = "dnsApiEnabled"
- gcp-functions = "functionsApiEnabled"
- gcp-iam = "iamApiEnabled"
- gcp-kms = "kmsApiEnabled"
- gcp-kubernetesengine = "kubernetesEngineApiEnabled"
- gcp-logging = "loggingApiEnabled"
- gcp-memorystore = "memorystoreApiEnabled"
- gcp-monitoring = "monitoringApiEnabled"
- gcp-network = "networkServiceApiEnabled"
- gcp-notebooks = "notebooksApiEnabled"
- gcp-pubsub = "pubsubApiEnabled"
- gcp-scheduler = "schedulerApiEnabled"
- gcp-spanner = "spannerApiEnabled"
- gcp-sql = "sqlApiEnabled"
- gcp-storage = "storageApiEnabled"
- ##gcp-orgpolicy = "" ## Note: OrgPolicy does not have an API Enabled
- }
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/outputs.tf b/baselines/getting_started/gcp/gcp_baseline/outputs.tf
deleted file mode 100644
index 5f3d803e1..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/outputs.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Baseline Configuration
-
-output "service_status" {
- value = var.service_status
-}
-
-output "use_event_polling" {
- value = var.use_event_polling
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/providers.tf b/baselines/getting_started/gcp/gcp_baseline/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/gcp/gcp_baseline/regions.tf b/baselines/getting_started/gcp/gcp_baseline/regions.tf
deleted file mode 100644
index ff13c84b2..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/regions.tf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Commented out as the initial baseline assumes event polling vs event handlers in each region.
-# If using Turbot Event Handlers, this baseline would be relevant if reducing Turbot Event Handlers to specific regions only
-# Default to us and global regions only
-# More Info: https://turbot.com/v5/docs/guides/regions#discovering-regions
-
-# Limit Available Regions
-# "*" allows Turbot to run in all available regions.
-# Other wildcarding is allowed e.g. us*, us-east-*
-# Remove the comment next to the region to include additional regions to the scope
-# Note: global is required since the global region is used for specific services
-
-
-#resource "turbot_policy_setting" "gcp_project_available_regions" {
-# resource = turbot_smart_folder.gcp_baseline.id
-# type = "tmod:@turbot/gcp#/policy/types/RegionsDefault"
-# value = <<-REGIONS
-# # - asia-east1
-# # - asia-east2
-# # - asia-northeast1
-# # - asia-northeast2
-# # - asia-northeast3
-# # - asia-south1
-# # - asia-southeast1
-# # - australia-southeast1
-# # - europe-north1
-# # - europe-west1
-# # - europe-west2
-# # - europe-west3
-# # - europe-west4
-# # - europe-west6
-# # - northamerica-northeast1
-# # - southamerica-east1
-# - us-central1
-# - us-east1
-# - us-east4
-# - us-west1
-# - us-west2
-# - us-west3
-# # - asia
-# # - eu
-# # - eur3
-# # - eur4
-# # - nam-eur-asia1
-# # - nam3
-# # - nam4
-# # - nam5
-# # - nam6
-# - us
-# - global
-# REGIONS
-#}
-
diff --git a/baselines/getting_started/gcp/gcp_baseline/smart_folder.tf b/baselines/getting_started/gcp/gcp_baseline/smart_folder.tf
deleted file mode 100644
index f0b38a5b7..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/smart_folder.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "turbot_smart_folder" "gcp_baseline" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
-
diff --git a/baselines/getting_started/gcp/gcp_baseline/variables.tf b/baselines/getting_started/gcp/gcp_baseline/variables.tf
deleted file mode 100644
index 981e187e1..000000000
--- a/baselines/getting_started/gcp/gcp_baseline/variables.tf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Baseline Configuration
-
-variable "service_status" {
- description = "Choose the subset of services that should be configured. Possible values for each service are: [\"Enabled\", \"Disabled\"]"
- type = map(any)
-}
-
-variable "use_event_polling" {
- description = "GCP events will be retrieved by polling set to true or using an event handler if set to false."
- default = true
-}
-
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "GCP Check Baseline Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the GCP baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
-
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/README.md b/baselines/getting_started/gcp/gcp_check_cost_controls/README.md
deleted file mode 100644
index b73183a29..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/README.md
+++ /dev/null
@@ -1,140 +0,0 @@
-# Baseline - GCP Check Cost Controls
-
-This baseline will allow you to check the infrastructure over X days/unattached volumes and to set resource scheduling and make it inactive to reduce the cost.
-
-Few important links
-
-- [Budget Guardrails](https://turbot.com/v5/docs/concepts/guardrails/budget)
-- [Scheduling in Turbot](https://turbot.com/v5/docs/concepts/guardrails/scheduling)
-- [Active Guardrails](https://turbot.com/v5/docs/concepts/guardrails/active)
-
-## Overview
-
-Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information.
-
-Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts.
-
-This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI.
-
-## Requirements
-
-- Terraform v0.13 or greater installed
-- Valid Turbot configuration credentials
-
-For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials).
-
-## Applying baseline
-
-The baseline is defined by a set of files which together define the configuration of the baseline.
-
-### Initialize baseline
-
-If not previously run, Initialize Terraform to get all necessary providers for the baseline.
-
-1. Navigate to the folder containing the baseline configuration.
-2.
Run the command:
-
- ```shell
- terraform init
- ```
-### Profile name as input
-
-The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default.
-
-```shell
-var.turbot_profile
- Enter profile matching your turbot cli credentials.
- Enter a value:
-```
-
-### Deploying demo example
-
-1. Navigate to the folder of the baseline
-2. Initialize Terraform
-3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars)
-
-On the terminal this will look like:
-
-```shell
-cd
-terraform init
-terraform apply --var-file demo.tfvars
-```
-**Note**
-- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need.
-
-- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default variable file.
-
-### Input variable files
-
-Input variable files allow for the user to configure configuration definitions for multiple environments in different files.
-
-This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars).
-
-It will be used to define which parts of the baseline to apply and which to ignore.
-
-The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file.
-
-Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html).
-
-### Apply baseline using input variable files
-
-If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2.
Run the command:
-
- ```shell
- terraform apply --var-file=demo.tfvars
- ```
-### Apply baseline without input variable file
-
-The baseline can be applied without an input variable file.
-
-1. By this time Terraform initialization is done as mentioned above.
-3. Prefer to check the outcome by running the Terraform plan
-3. Apply the Terraform
-4. Run the command:
-
-```shell
-cd
-terraform plan
-terraform apply
-```
-
-`This may prompt the user applying the baseline to enter values for variables that do not have default values.`
-
-### Destroy baseline without input variable file
-
-If seeking to apply the baseline without using an input variable file.
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-### Destroy using input variable files
-
-If seeking to destroy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars).
-
-1. Navigate to the folder containing the baseline configuration.
-2. Run the command:
-
- ```shell
- terraform destroy --var-file=demo.tfvars
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/active_policies.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/active_policies.tf
deleted file mode 100644
index 84077aa47..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/active_policies.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Simple cost control to check for aging infrastructure over X days
-# Defaulting to 60 days as an example.
-# Other use cases can be used for Last Modified, Attached, etc.
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/active
-
-# GCP > **Service** > **Resource** > Active
-# Example policy: https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceActive
-resource "turbot_policy_setting" "set_resource_active_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-# GCP > **Service** > **Resource** > Active > Age
-# Example policy: https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceActiveAge
-resource "turbot_policy_setting" "set_resource_age_policies" {
- for_each = var.resource_active
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = local.policy_map_age[each.key]
- value = "Force inactive if age > 60 days"
- # Skip
- # Force inactive if age > 1 day
- # Force inactive if age > 3 days
- # Force inactive if age > 7 days
- # Force inactive if age > 14 days
- # Force inactive if age > 30 days
- # Force inactive if age > 60 days
- # Force inactive if age > 90 days
- # Force inactive if age > 180 days
- # Force inactive if age > 365 days
-}
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_active_policies.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_active_policies.tf
deleted file mode 100644
index d99825803..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_active_policies.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/active
-
-# GCP > Compute Engine > Disk > Active
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/diskActive
-resource "turbot_policy_setting" "gcp_computeengine_disk_active" {
- count = var.enable_compute_engine_active_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/diskActive"
- value = "Check: Active"
-}
-
-# GCP > Compute Engine > Disk > Active > Attached
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/diskActiveAttached
-resource "turbot_policy_setting" "gcp_computeengine_disk_active_attached" {
- count = var.enable_compute_engine_active_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/diskActiveAttached"
- value = "Force inactive if unattached"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_schedule_policies.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_schedule_policies.tf
deleted file mode 100644
index c4dbee2df..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/compute_engine_schedule_policies.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Setting Resource Schedules to start/stop based on schedule
-# Set to Skip to avoid accidently Enforcement.
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/scheduling
-
-
-# Policy Setting Options:
-# Skip
-# Enforce: Business hours (8:00am - 6:00pm on weekdays)
-# Enforce: Extended business hours (7:00am - 11:00pm on weekdays)
-# Enforce: Stop for night (stop at 10:00pm every day)
-# Enforce: Stop for weekend (stop at 10:00pm on Friday)
-
-## Compute Engine Instance Instances
-# GCP > Compute Engine > Instance > Schedule
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceSchedule
-resource "turbot_policy_setting" "gcp_computeengine_instance_schedule" {
- count = var.enable_compute_engine_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/instanceSchedule"
- value = "Skip"
-}
-
-# GCP > Compute Engine > Instance > Schedule > Tag
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceScheduleTag
-# # Schedule Tag Option, more information https://turbot.com/v5/docs/concepts/guardrails/scheduling#scheduling-with-a-tag
-resource "turbot_policy_setting" "gcp_computeengine_instance_schedule_tag" {
- count = var.enable_compute_engine_schedule_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/instanceScheduleTag"
- value = "Skip"
- # "Enforce: Schedule per turbot_custom_schedule tag"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/demo.tfvars b/baselines/getting_started/gcp/gcp_check_cost_controls/demo.tfvars
deleted file mode 100644
index e0a759dad..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/demo.tfvars
+++ /dev/null
@@ -1,96 +0,0 @@
-# List of services and resources to be Check: Approved.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have the related service mod installed
-
-# Acceptable Values:
- # "Skip"
- # "Check: Active"
- # "Enforce: Delete inactive with 1 day warning"
- # "Enforce: Delete inactive with 3 days warning"
- # "Enforce: Delete inactive with 7 days warning"
- # "Enforce: Delete inactive with 14 days warning"
- # "Enforce: Delete inactive with 30 days warning"
- # "Enforce: Delete inactive with 60 days warning"
- # "Enforce: Delete inactive with 90 days warning"
- # "Enforce: Delete inactive with 180 days warning"
- # "Enforce: Delete inactive with 365 days warning"
-
-resource_active = {
- # gcp-bigquery-dataset = "Check: Active"
- # gcp-bigquery-table = "Check: Active"
- # gcp-bigtable-cluster = "Check: Active"
- # gcp-bigtable-instance = "Check: Active"
- # gcp-bigtable-table = "Check: Active"
- # gcp-composer-environment = "Check: Active"
- ##Have Unattached Policy Set instead## gcp-computeengine-disk = "Check: Active"
- # gcp-computeengine-healthCheck = "Check: Active"
- # gcp-computeengine-httpHealthCheck = "Check: Active"
- # gcp-computeengine-httpsHealthCheck = "Check: Active"
- gcp-computeengine-image = "Check: Active"
- gcp-computeengine-instance = "Check: Active"
- # gcp-computeengine-instanceTemplate = "Check: Active"
- # gcp-computeengine-nodeGroup = "Check: Active"
- # gcp-computeengine-nodeTemplate = "Check: Active"
- gcp-computeengine-regionDisk = "Check: Active"
- # gcp-computeengine-regionHealthCheck = "Check: Active"
- gcp-computeengine-snapshot = "Check: Active"
- # gcp-dataflow-job = "Check: Active"
- # gcp-dataproc-cluster = "Check: Active"
- # gcp-dataproc-job = "Check: Active"
- # gcp-dataproc-workflowTemplate = "Check: Active"
- # gcp-dns-managedZone = "Check: Active"
- gcp-functions-function = "Check: Active"
- # gcp-iam-projectUser = "Check: Active"
- # gcp-iam-projectUserAdminActivity = "Check: Active"
- # gcp-iam-serviceAccount = "Check: Active"
- # gcp-iam-serviceAccountKey = "Check: Active"
- gcp-kubernetesengine-regionCluster = "Check: Active"
- # gcp-kubernetesengine-regionNodePool = "Check: Active"
- gcp-kubernetesengine-zoneCluster = "Check: Active"
- # gcp-kubernetesengine-zoneNodePool = "Check: Active"
- # gcp-logging-exclusion = "Check: Active"
- # gcp-logging-metric = "Check: Active"
- # gcp-logging-sink = "Check: Active"
- # gcp-monitoring-alertPolicy = "Check: Active"
- # gcp-monitoring-group = "Check: Active"
- # gcp-monitoring-notificationChannel = "Check: Active"
- # gcp-network-address = "Check: Active"
- # gcp-network-backendBucket = "Check: Active"
- # gcp-network-backendService = "Check: Active"
- # gcp-network-firewall = "Check: Active"
- # gcp-network-forwardingRule = "Check: Active"
- # gcp-network-globalAddress = "Check: Active"
- # gcp-network-globalForwardingRule = "Check: Active"
- # gcp-network-interconnect = "Check: Active"
- # gcp-network-network = "Check: Active"
- # gcp-network-packetMirroring = "Check: Active"
- # gcp-network-regionBackendService = "Check: Active"
- # gcp-network-regionSslCertificate = "Check: Active"
- # gcp-network-regionTargetHttpsProxy = "Check: Active"
- # gcp-network-regionUrlMap = "Check: Active"
- # gcp-network-route = "Check: Active"
- # gcp-network-router = "Check: Active"
- # gcp-network-sslCertificate = "Check: Active"
- # gcp-network-sslPolicy = "Check: Active"
- # gcp-network-subnetwork = "Check: Active"
- # gcp-network-targetHttpsProxy = "Check: Active"
- # gcp-network-targetPool = "Check: Active"
- # gcp-network-targetSslProxy = "Check: Active"
- # gcp-network-targetTcpProxy = "Check: Active"
- # gcp-network-targetVpnGateway = "Check: Active"
- # gcp-network-urlMap = "Check: Active"
- # gcp-network-vpnTunnel = "Check: Active"
- # gcp-pubsub-snapshot = "Check: Active"
- # gcp-pubsub-subscription = "Check: Active"
- # gcp-pubsub-topic = "Check: Active"
- # gcp-scheduler-job = "Check: Active"
- # gcp-spanner-instance = "Check: Active"
- gcp-sql-backup = "Check: Active"
- gcp-sql-database = "Check: Active"
- gcp-sql-instance = "Check: Active"
- gcp-storage-bucket = "Check: Active"
- # gcp-storage-object = "Check: Active" # turned off by default to reduce noise
-}
-
-# See file schedules_policies.tf
-gcp_computeengine_instance_schedule_tag_policies = false
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/locals.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/locals.tf
deleted file mode 100644
index 381f2a32c..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/locals.tf
+++ /dev/null
@@ -1,158 +0,0 @@
-locals {
-
-# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope
-policy_map = {
- gcp-bigquery-dataset : "tmod:@turbot/gcp-bigquery#/policy/types/datasetActive"
- gcp-bigquery-table : "tmod:@turbot/gcp-bigquery#/policy/types/tableActive"
- gcp-bigtable-cluster : "tmod:@turbot/gcp-bigtable#/policy/types/clusterActive"
- gcp-bigtable-instance : "tmod:@turbot/gcp-bigtable#/policy/types/instanceActive"
- gcp-bigtable-table : "tmod:@turbot/gcp-bigtable#/policy/types/tableActive"
- gcp-composer-environment : "tmod:@turbot/gcp-composer#/policy/types/environmentActive"
- gcp-computeengine-disk : "tmod:@turbot/gcp-computeengine#/policy/types/diskActive"
- gcp-computeengine-healthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/healthCheckActive"
- gcp-computeengine-httpHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/httpHealthCheckActive"
- gcp-computeengine-httpsHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/httpsHealthCheckActive"
- gcp-computeengine-image : "tmod:@turbot/gcp-computeengine#/policy/types/imageActive"
- gcp-computeengine-instance : "tmod:@turbot/gcp-computeengine#/policy/types/instanceActive"
- gcp-computeengine-instanceTemplate : "tmod:@turbot/gcp-computeengine#/policy/types/instanceTemplateActive"
- gcp-computeengine-nodeGroup : "tmod:@turbot/gcp-computeengine#/policy/types/nodeGroupActive"
- gcp-computeengine-nodeTemplate : "tmod:@turbot/gcp-computeengine#/policy/types/nodeTemplateActive"
- gcp-computeengine-regionDisk : "tmod:@turbot/gcp-computeengine#/policy/types/regionDiskActive"
- gcp-computeengine-regionHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/regionHealthCheckActive"
- gcp-computeengine-snapshot : "tmod:@turbot/gcp-computeengine#/policy/types/snapshotActive"
- gcp-dataflow-job : "tmod:@turbot/gcp-dataflow#/policy/types/jobActive"
- gcp-dataproc-cluster : "tmod:@turbot/gcp-dataproc#/policy/types/clusterActive"
- gcp-dataproc-job : "tmod:@turbot/gcp-dataproc#/policy/types/jobActive"
- gcp-dataproc-workflowTemplate : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplateActive"
- gcp-dns-managedZone : "tmod:@turbot/gcp-dns#/policy/types/managedZoneActive"
- gcp-functions-function : "tmod:@turbot/gcp-functions#/policy/types/functionActive"
- gcp-iam-projectUser : "tmod:@turbot/gcp-iam#/policy/types/projectUserActive"
- gcp-iam-projectUserAdminActivity : "tmod:@turbot/gcp-iam#/policy/types/projectUserActiveAdminActivity"
- gcp-iam-serviceAccount : "tmod:@turbot/gcp-iam#/policy/types/serviceAccountActive"
- gcp-iam-serviceAccountKey : "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActive"
- gcp-kubernetesengine-regionCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterActive"
- gcp-kubernetesengine-regionNodePool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionNodePoolActive"
- gcp-kubernetesengine-zoneCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterActive"
- gcp-kubernetesengine-zoneNodePool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneNodePoolActive"
- gcp-logging-exclusion : "tmod:@turbot/gcp-logging#/policy/types/exclusionActive"
- gcp-logging-metric : "tmod:@turbot/gcp-logging#/policy/types/metricActive"
- gcp-logging-sink : "tmod:@turbot/gcp-logging#/policy/types/sinkActive"
- gcp-monitoring-alertPolicy : "tmod:@turbot/gcp-monitoring#/policy/types/alertPolicyActive"
- gcp-monitoring-group : "tmod:@turbot/gcp-monitoring#/policy/types/groupActive"
- gcp-monitoring-notificationChannel : "tmod:@turbot/gcp-monitoring#/policy/types/notificationChannelActive"
- gcp-network-address : "tmod:@turbot/gcp-network#/policy/types/addressActive"
- gcp-network-backendBucket : "tmod:@turbot/gcp-network#/policy/types/backendBucketActive"
- gcp-network-backendService : "tmod:@turbot/gcp-network#/policy/types/backendServiceActive"
- gcp-network-firewall : "tmod:@turbot/gcp-network#/policy/types/firewallActive"
- gcp-network-forwardingRule : "tmod:@turbot/gcp-network#/policy/types/forwardingRuleActive"
- gcp-network-globalAddress : "tmod:@turbot/gcp-network#/policy/types/globalAddressActive"
- gcp-network-globalForwardingRule : "tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActive"
- gcp-network-interconnect : "tmod:@turbot/gcp-network#/policy/types/interconnectActive"
- gcp-network-network : "tmod:@turbot/gcp-network#/policy/types/networkActive"
- gcp-network-packetMirroring : "tmod:@turbot/gcp-network#/policy/types/packetMirroringActive"
- gcp-network-regionBackendService : "tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActive"
- gcp-network-regionSslCertificate : "tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActive"
- gcp-network-regionTargetHttpsProxy : "tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActive"
- gcp-network-regionUrlMap : "tmod:@turbot/gcp-network#/policy/types/regionUrlMapActive"
- gcp-network-route : "tmod:@turbot/gcp-network#/policy/types/routeActive"
- gcp-network-router : "tmod:@turbot/gcp-network#/policy/types/routerActive"
- gcp-network-sslCertificate : "tmod:@turbot/gcp-network#/policy/types/sslCertificateActive"
- gcp-network-sslPolicy : "tmod:@turbot/gcp-network#/policy/types/sslPolicyActive"
- gcp-network-subnetwork : "tmod:@turbot/gcp-network#/policy/types/subnetworkActive"
- gcp-network-targetHttpsProxy : "tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActive"
- gcp-network-targetPool : "tmod:@turbot/gcp-network#/policy/types/targetPoolActive"
- gcp-network-targetSslProxy : "tmod:@turbot/gcp-network#/policy/types/targetSslProxyActive"
- gcp-network-targetTcpProxy : "tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActive"
- gcp-network-targetVpnGateway : "tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActive"
- gcp-network-urlMap : "tmod:@turbot/gcp-network#/policy/types/urlMapActive"
- gcp-network-vpnTunnel : "tmod:@turbot/gcp-network#/policy/types/vpnTunnelActive"
- gcp-pubsub-snapshot : "tmod:@turbot/gcp-pubsub#/policy/types/snapshotActive"
- gcp-pubsub-subscription : "tmod:@turbot/gcp-pubsub#/policy/types/subscriptionActive"
- gcp-pubsub-topic : "tmod:@turbot/gcp-pubsub#/policy/types/topicActive"
- gcp-scheduler-job : "tmod:@turbot/gcp-scheduler#/policy/types/jobActive"
- gcp-spanner-instance : "tmod:@turbot/gcp-spanner#/policy/types/instanceActive"
- gcp-sql-backup : "tmod:@turbot/gcp-sql#/policy/types/backupActive"
- gcp-sql-database : "tmod:@turbot/gcp-sql#/policy/types/databaseActive"
- gcp-sql-instance : "tmod:@turbot/gcp-sql#/policy/types/instanceActive"
- gcp-storage-bucket : "tmod:@turbot/gcp-storage#/policy/types/bucketActive"
- gcp-storage-object : "tmod:@turbot/gcp-storage#/policy/types/objectActive"
- }
-
-# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope
-policy_map_age = {
- gcp-bigquery-dataset : "tmod:@turbot/gcp-bigquery#/policy/types/datasetActiveAge"
- gcp-bigquery-table : "tmod:@turbot/gcp-bigquery#/policy/types/tableActiveAge"
- gcp-bigtable-cluster : "tmod:@turbot/gcp-bigtable#/policy/types/clusterActiveAge"
- gcp-bigtable-instance : "tmod:@turbot/gcp-bigtable#/policy/types/instanceActiveAge"
- gcp-bigtable-table : "tmod:@turbot/gcp-bigtable#/policy/types/tableActiveAge"
- gcp-composer-environment : "tmod:@turbot/gcp-composer#/policy/types/environmentActiveAge"
- gcp-computeengine-disk : "tmod:@turbot/gcp-computeengine#/policy/types/diskActiveAge"
- gcp-computeengine-healthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/healthCheckActiveAge"
- gcp-computeengine-httpHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/httpHealthCheckActiveAge"
- gcp-computeengine-httpsHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/httpsHealthCheckActiveAge"
- gcp-computeengine-image : "tmod:@turbot/gcp-computeengine#/policy/types/imageActiveAge"
- gcp-computeengine-instance : "tmod:@turbot/gcp-computeengine#/policy/types/instanceActiveAge"
- gcp-computeengine-instanceTemplate : "tmod:@turbot/gcp-computeengine#/policy/types/instanceTemplateActiveAge"
- gcp-computeengine-nodeGroup : "tmod:@turbot/gcp-computeengine#/policy/types/nodeGroupActiveAge"
- gcp-computeengine-nodeTemplate : "tmod:@turbot/gcp-computeengine#/policy/types/nodeTemplateActiveAge"
- gcp-computeengine-regionDisk : "tmod:@turbot/gcp-computeengine#/policy/types/regionDiskActiveAge"
- gcp-computeengine-regionHealthCheck : "tmod:@turbot/gcp-computeengine#/policy/types/regionHealthCheckActiveAge"
- gcp-computeengine-snapshot : "tmod:@turbot/gcp-computeengine#/policy/types/snapshotActiveAge"
- gcp-dataflow-job : "tmod:@turbot/gcp-dataflow#/policy/types/jobActiveAge"
- gcp-dataproc-cluster : "tmod:@turbot/gcp-dataproc#/policy/types/clusterActiveAge"
- gcp-dataproc-job : "tmod:@turbot/gcp-dataproc#/policy/types/jobActiveAge"
- gcp-dataproc-workflowTemplate : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplateActiveAge"
- gcp-dns-managedZone : "tmod:@turbot/gcp-dns#/policy/types/managedZoneActiveAge"
- gcp-functions-function : "tmod:@turbot/gcp-functions#/policy/types/functionActiveAge"
- gcp-iam-projectUser : "tmod:@turbot/gcp-iam#/policy/types/projectUserActiveAge"
- gcp-iam-projectUserAdminActivity : "tmod:@turbot/gcp-iam#/policy/types/projectUserActiveAgeAdminActivity"
- gcp-iam-serviceAccount : "tmod:@turbot/gcp-iam#/policy/types/serviceAccountActiveAge"
- gcp-iam-serviceAccountKey : "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActiveAge"
- gcp-kubernetesengine-regionCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterActiveAge"
- gcp-kubernetesengine-regionNodePool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionNodePoolActiveAge"
- gcp-kubernetesengine-zoneCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterActiveAge"
- gcp-kubernetesengine-zoneNodePool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneNodePoolActiveAge"
- gcp-logging-exclusion : "tmod:@turbot/gcp-logging#/policy/types/exclusionActiveAge"
- gcp-logging-metric : "tmod:@turbot/gcp-logging#/policy/types/metricActiveAge"
- gcp-logging-sink : "tmod:@turbot/gcp-logging#/policy/types/sinkActiveAge"
- gcp-monitoring-alertPolicy : "tmod:@turbot/gcp-monitoring#/policy/types/alertPolicyActiveAge"
- gcp-monitoring-group : "tmod:@turbot/gcp-monitoring#/policy/types/groupActiveAge"
- gcp-monitoring-notificationChannel : "tmod:@turbot/gcp-monitoring#/policy/types/notificationChannelActiveAge"
- gcp-network-address : "tmod:@turbot/gcp-network#/policy/types/addressActiveAge"
- gcp-network-backendBucket : "tmod:@turbot/gcp-network#/policy/types/backendBucketActiveAge"
- gcp-network-backendService : "tmod:@turbot/gcp-network#/policy/types/backendServiceActiveAge"
- gcp-network-firewall : "tmod:@turbot/gcp-network#/policy/types/firewallActiveAge"
- gcp-network-forwardingRule : "tmod:@turbot/gcp-network#/policy/types/forwardingRuleActiveAge"
- gcp-network-globalAddress : "tmod:@turbot/gcp-network#/policy/types/globalAddressActiveAge"
- gcp-network-globalForwardingRule : "tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleActiveAge"
- gcp-network-interconnect : "tmod:@turbot/gcp-network#/policy/types/interconnectActiveAge"
- gcp-network-network : "tmod:@turbot/gcp-network#/policy/types/networkActiveAge"
- gcp-network-packetMirroring : "tmod:@turbot/gcp-network#/policy/types/packetMirroringActiveAge"
- gcp-network-regionBackendService : "tmod:@turbot/gcp-network#/policy/types/regionBackendServiceActiveAge"
- gcp-network-regionSslCertificate : "tmod:@turbot/gcp-network#/policy/types/regionSslCertificateActiveAge"
- gcp-network-regionTargetHttpsProxy : "tmod:@turbot/gcp-network#/policy/types/regionTargetHttpsProxyActiveAge"
- gcp-network-regionUrlMap : "tmod:@turbot/gcp-network#/policy/types/regionUrlMapActiveAge"
- gcp-network-route : "tmod:@turbot/gcp-network#/policy/types/routeActiveAge"
- gcp-network-router : "tmod:@turbot/gcp-network#/policy/types/routerActiveAge"
- gcp-network-sslCertificate : "tmod:@turbot/gcp-network#/policy/types/sslCertificateActiveAge"
- gcp-network-sslPolicy : "tmod:@turbot/gcp-network#/policy/types/sslPolicyActiveAge"
- gcp-network-subnetwork : "tmod:@turbot/gcp-network#/policy/types/subnetworkActiveAge"
- gcp-network-targetHttpsProxy : "tmod:@turbot/gcp-network#/policy/types/targetHttpsProxyActiveAge"
- gcp-network-targetPool : "tmod:@turbot/gcp-network#/policy/types/targetPoolActiveAge"
- gcp-network-targetSslProxy : "tmod:@turbot/gcp-network#/policy/types/targetSslProxyActiveAge"
- gcp-network-targetTcpProxy : "tmod:@turbot/gcp-network#/policy/types/targetTcpProxyActiveAge"
- gcp-network-targetVpnGateway : "tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayActiveAge"
- gcp-network-urlMap : "tmod:@turbot/gcp-network#/policy/types/urlMapActiveAge"
- gcp-network-vpnTunnel : "tmod:@turbot/gcp-network#/policy/types/vpnTunnelActiveAge"
- gcp-pubsub-snapshot : "tmod:@turbot/gcp-pubsub#/policy/types/snapshotActiveAge"
- gcp-pubsub-subscription : "tmod:@turbot/gcp-pubsub#/policy/types/subscriptionActiveAge"
- gcp-pubsub-topic : "tmod:@turbot/gcp-pubsub#/policy/types/topicActiveAge"
- gcp-scheduler-job : "tmod:@turbot/gcp-scheduler#/policy/types/jobActiveAge"
- gcp-spanner-instance : "tmod:@turbot/gcp-spanner#/policy/types/instanceActiveAge"
- gcp-sql-backup : "tmod:@turbot/gcp-sql#/policy/types/backupActiveAge"
- gcp-sql-database : "tmod:@turbot/gcp-sql#/policy/types/databaseActiveAge"
- gcp-sql-instance : "tmod:@turbot/gcp-sql#/policy/types/instanceActiveAge"
- gcp-storage-bucket : "tmod:@turbot/gcp-storage#/policy/types/bucketActiveAge"
- gcp-storage-object : "tmod:@turbot/gcp-storage#/policy/types/objectActiveAge"
- }
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/network_approved_policies.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/network_approved_policies.tf
deleted file mode 100644
index 08df92728..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/network_approved_policies.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Check for GCP Address Network Service tiers for cost savings
-# Note: GCP Address Approved may already be set by another baseline
-# Since the baselines are set in seperate Smart Folders there will not be a conflict
-
-# GCP > Network > Address > Approved
-# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/addressApproved
-resource "turbot_policy_setting" "gcp_network_address_approved" {
- count = var.enable_network_approved_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-network#/policy/types/addressApproved"
- value = "Check: Approved"
- # Skip
- # Check: Approved
- # Enforce: Delete unapproved if new
-}
-
-# GCP > Network > Address > Approved > Network Tier
-# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/addressApprovedNetworkTier
-resource "turbot_policy_setting" "gcp_address_approved_network_tier" {
- count = var.enable_network_approved_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_cost_controls.id
- type = "tmod:@turbot/gcp-network#/policy/types/addressApprovedNetworkTier"
- value = "Approved if standard"
- # Skip
- # Approved if standard
- # Approved if premium
-}
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/outputs.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/outputs.tf
deleted file mode 100644
index 6b949c37e..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/outputs.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "resource_active" {
- value = var.resource_active
-}
-
-output "enable_compute_engine_active_policies" {
- value = var.enable_compute_engine_active_policies
-}
-
-output "enable_network_approved_policies" {
- value = var.enable_network_approved_policies
-}
-
-output "enable_compute_engine_schedule_policies" {
- value = var.enable_compute_engine_schedule_policies
-}
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/providers.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/providers.tf
deleted file mode 100644
index db6e1f7b4..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/smart_folder.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/smart_folder.tf
deleted file mode 100644
index f45916c78..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/smart_folder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "gcp_cost_controls" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_cost_controls/variables.tf b/baselines/getting_started/gcp/gcp_check_cost_controls/variables.tf
deleted file mode 100644
index 32b9944d9..000000000
--- a/baselines/getting_started/gcp/gcp_check_cost_controls/variables.tf
+++ /dev/null
@@ -1,142 +0,0 @@ -# Required - -variable "turbot_profile" { - description = "Enter profile matching your turbot cli credentials." -} - -# Optional - -variable "resource_active" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_encryption/bigquery_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/bigquery_encryption_policies.tf deleted file mode 100644 index 0ce95c750..000000000 --- a/baselines/getting_started/gcp/gcp_check_encryption/bigquery_encryption_policies.tf +++ /dev/null 
@@ -1,49 +0,0 @@
-### Big Query Dataset Unencrypted
-# GCP > BigQuery > Dataset > Approved
-# https://turbot.com/v5/mods/turbot/gcp-bigquery/inspect#/policy/types/datasetApproved
-resource "turbot_policy_setting" "gcp_bigquery_dataset_approved" {
- count = var.enable_bigquery_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-bigquery#/policy/types/datasetApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > BigQuery > Dataset > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-bigquery/inspect#/policy/types/datasetApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_bigquery_dataset_approved_encryption_at_rest" {
- count = var.enable_bigquery_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-bigquery#/policy/types/datasetApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
-
-# GCP > BigQuery > Table > Approved
-# https://turbot.com/v5/mods/turbot/gcp-bigquery/inspect#/policy/types/tableApproved
-### Big Query Table Unencrypted
-resource "turbot_policy_setting" "gcp_bigquery_table_approved" {
- count = var.enable_bigquery_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-bigquery#/policy/types/tableApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > BigQuery > Table > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-bigquery/inspect#/policy/types/tableApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_bigquery_table_approved_encryption_at_rest" {
- count = var.enable_bigquery_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-bigquery#/policy/types/tableApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/compute_engine_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/compute_engine_encryption_policies.tf
deleted file mode 100644
index 541199b40..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/compute_engine_encryption_policies.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Compute Engine Disk Unencrypted
-
-# GCP > Compute Engine > Disk > Approved
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/diskApproved
-resource "turbot_policy_setting" "gcp_computeengine_disk_approved" {
- count = var.enable_compute_engine_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/diskApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > Compute Engine > Disk > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/diskApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_computeengine_disk_approved_encryption_at_rest" {
- count = var.enable_compute_engine_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/diskApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
-
-# GCP > Compute Engine > Image > Approved
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/imageApproved
-resource "turbot_policy_setting" "gcp_computeengine_image_approved" {
- count = var.enable_compute_engine_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/imageApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > Compute Engine > Image > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/imageApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_computeengine_image_approved_encryption_at_rest" {
- count = var.enable_compute_engine_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/imageApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/dataflow_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/dataflow_encryption_policies.tf
deleted file mode 100644
index f556522a0..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/dataflow_encryption_policies.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Dataflow Jobs Unencrypted
-
-# GCP > Dataflow > Job > Approved
-# https://turbot.com/v5/mods/turbot/gcp-dataflow/inspect#/policy/types/jobApproved
-resource "turbot_policy_setting" "gcp_dataflow_job_approved" {
- count = var.enable_dataflow_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-dataflow#/policy/types/jobApproved"
- value = "Check: Approved"
- # No Enforcement alternative available
-}
-
-# GCP > Dataflow > Job > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-dataflow/inspect#/policy/types/jobApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_dataflow_job_approved_encryption_at_rest" {
- count = var.enable_dataflow_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-dataflow#/policy/types/jobApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/dataproc_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/dataproc_encryption_policies.tf
deleted file mode 100644
index 20c4e985a..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/dataproc_encryption_policies.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Dataproc Cluster Unencrypted
-
-# GCP > Dataproc > Cluster > Approved
-# https://turbot.com/v5/mods/turbot/gcp-dataproc/inspect#/policy/types/clusterApproved
-resource "turbot_policy_setting" "gcp_dataproc_cluster_approved" {
- count = var.enable_dataproc_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-dataproc#/policy/types/clusterApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > Dataproc > Cluster > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-dataproc/inspect#/policy/types/clusterApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_dataproc_cluster_approved_encryption_at_rest" {
- count = var.enable_dataproc_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-dataproc#/policy/types/clusterApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/kubernetes_engine_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/kubernetes_engine_encryption_policies.tf
deleted file mode 100644
index 2dfd04492..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/kubernetes_engine_encryption_policies.tf
+++ /dev/null
@@ -1,50 +0,0 @@ -# Kubernetes Engine Region Cluster Unencrypted - -# GCP > Kubernetes Engine > Region Cluster > Approved -# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine/inspect#/policy/types/regionClusterApproved -resource "turbot_policy_setting" "gcp_kubernetesengine_region_cluster_approved" { - count = var.enable_kubernetes_engine_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_encryption.id - type = "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterApproved" - value = "Check: Approved" - # "Enforce: Delete unapproved if new" -} - -# GCP > Kubernetes Engine > Region Cluster > Approved > Encryption at Rest -# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine/inspect#/policy/types/regionClusterApprovedEncryptionAtRest -resource "turbot_policy_setting" "gcp_kubernetesengine_region_cluster_approved_encryption_at_rest" { - count = var.enable_kubernetes_engine_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_encryption.id - type = "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterApprovedEncryptionAtRest" - value = "Google managed key" - # "Google managed key" - # "Google managed key or higher" - # "Customer managed key" - # "Customer managed key or higher" - # "Encryption at Rest > Customer Managed Key" -} - -### Kubernetes Engine Zone Cluster Unencrypted -# GCP > Kubernetes Engine > Zone Cluster > Approved -# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine/inspect#/policy/types/zoneClusterApproved -resource "turbot_policy_setting" "gcp_kubernetesengine_zone_cluster_approved" { - count = var.enable_kubernetes_engine_encryption_policies ? 
1 : 0 - resource = turbot_smart_folder.gcp_encryption.id - type = "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterApproved" - value = "Check: Approved" - # "Enforce: Delete unapproved if new" -} - -# GCP > Kubernetes Engine > Zone Cluster > Approved > Encryption at Rest -# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine/inspect#/policy/types/zoneClusterApprovedEncryptionAtRest -resource "turbot_policy_setting" "gcp_kubernetesengine_zone_cluster_approved_encryption_at_rest" { - count = var.enable_kubernetes_engine_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_encryption.id - type = "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterApprovedEncryptionAtRest" - value = "Google managed key" - # "Google managed key" - # "Google managed key or higher" - # "Customer managed key" - # "Customer managed key or higher" - # "Encryption at Rest > Customer Managed Key" -} diff --git a/baselines/getting_started/gcp/gcp_check_encryption/outputs.tf b/baselines/getting_started/gcp/gcp_check_encryption/outputs.tf deleted file mode 100644 index 65f9aef84..000000000 --- a/baselines/getting_started/gcp/gcp_check_encryption/outputs.tf +++ /dev/null 
@@ -1,67 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "enable_bigquery_dataset_approved_policies" {
- value = var.enable_bigquery_dataset_approved_policies
-}
-
-output "enable_bigquery_encryption_policies" {
- value = var.enable_bigquery_encryption_policies
-}
-
-output "enable_computeengine_image_approved_policies" {
- value = var.enable_computeengine_image_approved_policies
-}
-
-output "enable_compute_engine_encryption_policies" {
- value = var.enable_compute_engine_encryption_policies
-}
-
-output "enable_dataflow_job_approved_policies" {
- value = var.enable_dataflow_job_approved_policies
-}
-
-output "enable_dataflow_encryption_policies" {
- value = var.enable_dataflow_encryption_policies
-}
-
-output "enable_dataproc_cluster_approved_policies" {
- value = var.enable_dataproc_cluster_approved_policies
-}
-
-output "enable_dataproc_encryption_policies" {
- value = var.enable_dataproc_encryption_policies
-}
-
-output "enable_kubernetesengine_region_cluster_approved_policies" {
- value = var.enable_kubernetesengine_region_cluster_approved_policies
-}
-
-output "enable_kubernetes_engine_encryption_policies" {
- value = var.enable_kubernetes_engine_encryption_policies
-}
-
-output "enable_pubsub_topic_approved_policies" {
- value = var.enable_pubsub_topic_approved_policies
-}
-
-output "enable_pub_sub_encryption_policies" {
- value = var.enable_pub_sub_encryption_policies
-}
-
-output "enable_storage_encryption_policies" {
- value = var.enable_storage_encryption_policies
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/providers.tf b/baselines/getting_started/gcp/gcp_check_encryption/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/pub_sub_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/pub_sub_encryption_policies.tf
deleted file mode 100644
index 3480e8fb9..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/pub_sub_encryption_policies.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-### Pub/Sub Topic Unencrypted
-# GCP > Pub/Sub > Topic > Approved
-# https://turbot.com/v5/mods/turbot/gcp-pubsub/inspect#/policy/types/topicApproved
-resource "turbot_policy_setting" "gcp_pubsub_topic_approved" {
- count = var.enable_pub_sub_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-pubsub#/policy/types/topicApproved"
- value = "Check: Approved"
- # "Enforce: Delete unapproved if new"
-}
-
-# GCP > Pub/Sub > Topic > Approved > Encryption at Rest
-# https://turbot.com/v5/mods/turbot/gcp-pubsub/inspect#/policy/types/topicApprovedEncryptionAtRest
-resource "turbot_policy_setting" "gcp_pubsub_topic_approved_encryption_at_rest" {
- count = var.enable_pub_sub_encryption_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_encryption.id
- type = "tmod:@turbot/gcp-pubsub#/policy/types/topicApprovedEncryptionAtRest"
- value = "Google managed key"
- # "Google managed key"
- # "Google managed key or higher"
- # "Customer managed key"
- # "Customer managed key or higher"
- # "Encryption at Rest > Customer Managed Key"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_encryption/smartfolder.tf b/baselines/getting_started/gcp/gcp_check_encryption/smartfolder.tf
deleted file mode 100644
index 7a09143c5..000000000
--- a/baselines/getting_started/gcp/gcp_check_encryption/smartfolder.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "turbot_smart_folder" "gcp_encryption" { - parent = var.smart_folder_parent_resource - title = var.smart_folder_name - description = var.smart_folder_description -} diff --git a/baselines/getting_started/gcp/gcp_check_encryption/storage_encryption_policies.tf b/baselines/getting_started/gcp/gcp_check_encryption/storage_encryption_policies.tf deleted file mode 100644 index 93f790935..000000000 --- a/baselines/getting_started/gcp/gcp_check_encryption/storage_encryption_policies.tf +++ /dev/null @@ -1,19 +0,0 @@ -# Storage Bucket Unencrypted -- can be repaired without having to terminate the resource (direct policy vs under Approved) - -# GCP > Storage > Bucket > Encryption at Rest -# https://turbot.com/v5/mods/turbot/gcp-storage/inspect#/policy/types/bucketEncryptionAtRest -resource "turbot_policy_setting" "gcp_storage_bucket_encryption_at_rest" { - count = var.enable_storage_encryption_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_encryption.id - type = "tmod:@turbot/gcp-storage#/policy/types/bucketEncryptionAtRest" - value = "Check: Google managed key" - # "Skip", - # "Check: Google managed key", - # "Check: Google managed key or higher", - # "Check: Customer managed key", - # "Check: Encryption at Rest > Customer Managed Key", - # "Enforce: Google managed key", - # "Enforce: Google managed key or higher", - # "Enforce: Customer managed key", - # "Enforce: Encryption at Rest > Customer Managed Key" -} diff --git a/baselines/getting_started/gcp/gcp_check_encryption/variables.tf b/baselines/getting_started/gcp/gcp_check_encryption/variables.tf deleted file mode 100644 index 4e2015939..000000000 --- a/baselines/getting_started/gcp/gcp_check_encryption/variables.tf +++ /dev/null 
@@ -1,103 +0,0 @@ -# Baseline Configuration - -variable "enable_bigquery_dataset_approved_policies" { - type = bool - description = "Enable the Bigquery Dataset approved policies for baseline" - default = true -} - -variable "enable_bigquery_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Bigquery Resources" - default = true -} - -variable "enable_computeengine_image_approved_policies" { - type = bool - description = "Enable the Compute Engine Image approved policies for baseline" - default = true -} - -variable "enable_compute_engine_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Compute Engine Resources" - default = true -} - -variable "enable_dataflow_job_approved_policies" { - type = bool - description = "Enable the Dataflow Job approved policies for baseline" - default = true -} - -variable "enable_dataflow_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Dataflow resources" - default = true -} - -variable "enable_dataproc_cluster_approved_policies" { - type = bool - description = "Enable the Dataproc Cluster approved policies for baseline" - default = true -} - -variable "enable_dataproc_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Dataproc resources" - default = true -} - -variable "enable_kubernetesengine_region_cluster_approved_policies" { - type = bool - description = "Enable the Kubernetes Engine Region Cluster approved policies for baseline" - default = true -} - -variable "enable_kubernetes_engine_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Kubernetes Engine resources" - default = true -} - -variable "enable_pubsub_topic_approved_policies" { - type = bool - description = "Enable the PubSub Topic approved policies for baseline" - default = true -} - -variable "enable_pub_sub_encryption_policies" { - type = bool - description = "Enabling will 
ensure encryption on PubSub resources" - default = true -} - -variable "enable_storage_encryption_policies" { - type = bool - description = "Enabling will ensure encryption on Storage resources" - default = true -} - -# Optional Common Baseline Configuration - -variable "turbot_profile" { - description = "Enter profile matching your turbot cli credentials." -} - -variable "smart_folder_name" { - description = "Smart folder name for the baseline" - type = string - default = "GCP Check Encryption Policies" -} - -variable "smart_folder_description" { - description = "Enter a description for the smart folder" - type = string - default = "Defines sets of policies for the GCP Check Encryption" -} - -variable "smart_folder_parent_resource" { - description = "Enter the resource ID or AKA for the parent of the smart folder" - type = string - default = "tmod:@turbot/turbot#/" -} diff --git a/baselines/getting_started/gcp/gcp_check_iam/README.md b/baselines/getting_started/gcp/gcp_check_iam/README.md deleted file mode 100644 index 5e2f843d5..000000000 --- a/baselines/getting_started/gcp/gcp_check_iam/README.md +++ /dev/null 
@@ -1,134 +0,0 @@ -# Baseline - GCP Check IAM Policies - -GCP Check IAM Policies focuses on enabling all IAM resources baseline policies. Some policies are enabled with industry standard best practices and some are enabled with check mode to validate. - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. 
- -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_iam/demo.tfvars b/baselines/getting_started/gcp/gcp_check_iam/demo.tfvars deleted file mode 100644 index 19ac07472..000000000 --- a/baselines/getting_started/gcp/gcp_check_iam/demo.tfvars +++ /dev/null @@ -1,11 +0,0 @@ -# This file contains policies which are not decided to enable part of initial baseline policies. -# If you want to enable them, change the vale to true and execute terraform apply by passing the demo.tfvar file. -# See README for more details. - -# See file service_account_key_policies.tf -enable_service_account_key_policies = false - -enable_service_account_key_approved_policies = false - -# See file service_account_policy_trust_policies.tf -enable_service_account_trusted_access_policies = false 
diff --git a/baselines/getting_started/gcp/gcp_check_iam/outputs.tf b/baselines/getting_started/gcp/gcp_check_iam/outputs.tf
deleted file mode 100644
index 4f7a66b23..000000000
--- a/baselines/getting_started/gcp/gcp_check_iam/outputs.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Baseline configuration
-
-output "enable_service_account_key_active_policies" {
- value = var.enable_service_account_key_active_policies
-}
-
-output "enable_service_account_key_approved_policies" {
- value = var.enable_service_account_key_approved_policies
-}
-
-output "enable_service_account_policy_trusted_domains_policies" {
- value = var.enable_service_account_trusted_access_policies
-}
-
-# Turbot profile and smart folder
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/gcp/gcp_check_iam/providers.tf b/baselines/getting_started/gcp/gcp_check_iam/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/gcp/gcp_check_iam/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_iam/service_account_key_active_policies.tf b/baselines/getting_started/gcp/gcp_check_iam/service_account_key_active_policies.tf
deleted file mode 100644
index 85698bcc9..000000000
--- a/baselines/getting_started/gcp/gcp_check_iam/service_account_key_active_policies.tf
+++ /dev/null
@@ -1,38 +0,0 @@ -# GCP > IAM > Service Account Key > Active -# https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountKeyActive -resource "turbot_policy_setting" "service_account_key_active" { - count = var.enable_service_account_key_active_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActive" - value = "Check: Active" - # "Skip" - # "Check: Active" - # "Enforce: Delete inactive with 1 day warning" - # "Enforce: Delete inactive with 3 days warning" - # "Enforce: Delete inactive with 7 days warning" - # "Enforce: Delete inactive with 14 days warning" - # "Enforce: Delete inactive with 30 days warning" - # "Enforce: Delete inactive with 60 days warning" - # "Enforce: Delete inactive with 90 days warning" - # "Enforce: Delete inactive with 180 days warning" - # "Enforce: Delete inactive with 365 days warning" -} - -# GCP > IAM > Service Account Key > Active > Age -# https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountKeyActiveAge -resource "turbot_policy_setting" "service_account_key_active_age" { - count = var.enable_service_account_key_active_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyActiveAge" - value = "Force inactive if age > 90 days" - # "Skip" - # "Force inactive if age > 1 day" - # "Force inactive if age > 3 days" - # "Force inactive if age > 7 days" - # "Force inactive if age > 14 days" - # "Force inactive if age > 30 days" - # "Force inactive if age > 60 days" - # "Force inactive if age > 90 days" - # "Force inactive if age > 180 days" - # "Force inactive if age > 365 days" -} diff --git a/baselines/getting_started/gcp/gcp_check_iam/service_account_key_approved_policies.tf.tf b/baselines/getting_started/gcp/gcp_check_iam/service_account_key_approved_policies.tf.tf deleted file mode 100644 index 9b2ed4783..000000000 
--- a/baselines/getting_started/gcp/gcp_check_iam/service_account_key_approved_policies.tf.tf +++ /dev/null @@ -1,24 +0,0 @@ -# GCP > IAM > Service Account Key > Approved -# https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountKeyApproved -# Alternative is to mark Service Account Keys unapproved -resource "turbot_policy_setting" "service_account_key_approved" { - count = var.enable_service_account_key_approved_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyApproved" - value = "Check: Approved" - # "Skip" - # "Check: Approved" - # "Enforce: Delete unapproved if new" -} - -## GCP > IAM > Service Account Key > Approved > Usage -## https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountKeyApprovedUsage -resource "turbot_policy_setting" "service_account_key_approved_usage" { - count = var.enable_service_account_key_approved_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountKeyApprovedUsage" - value = "Not approved" - # "Not approved" - # "Approved" - # "Approved if GCP > IAM > Enabled" -} diff --git a/baselines/getting_started/gcp/gcp_check_iam/service_account_trust_access_policies.tf b/baselines/getting_started/gcp/gcp_check_iam/service_account_trust_access_policies.tf deleted file mode 100644 index ea9cf6efb..000000000 --- a/baselines/getting_started/gcp/gcp_check_iam/service_account_trust_access_policies.tf +++ /dev/null 
@@ -1,28 +0,0 @@ -# IAM Service Account Policy Trusted Access only trusts specific domains. -# Trusted Domains are defined in Public Access Baseline. - -# GCP > IAM > Service Account > Policy > Trusted Access -# https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountPolicyTrustedAccess -resource "turbot_policy_setting" "iam_service_account_policy_trusted_access" { - count = var.enable_service_account_trusted_access_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedAccess" - value = "Check: Trusted Access > *" - # Enforce: Trusted Access > *" -} - -# # Already Set globally in the Public Access Smart Folder Baseline, commenting out incase needed to enable here -# # List of Trusted Domains -# Could also consider Trusted Groups, Service Accounts, and Users - -# GCP > IAM > Service Account > Policy > Trusted Access > Domains -# https://turbot.com/v5/mods/turbot/gcp-iam/inspect#/policy/types/serviceAccountPolicyTrustedDomains -resource "turbot_policy_setting" "iam_service_account_policy_trusted_domains" { - count = var.enable_service_account_trusted_access_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_iam.id - type = "tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedDomains" - value = <<-EOT - - "*" # allows all, adjust for specific domains (e.g. turbot.com) - - "turbot.com" -EOT -} diff --git a/baselines/getting_started/gcp/gcp_check_iam/smart_folder.tf b/baselines/getting_started/gcp/gcp_check_iam/smart_folder.tf deleted file mode 100644 index 1bf8a0987..000000000 --- a/baselines/getting_started/gcp/gcp_check_iam/smart_folder.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "turbot_smart_folder" "gcp_iam" { - parent = var.smart_folder_parent_resource - title = var.smart_folder_name - description = var.smart_folder_description -} \ No newline at end of file 
diff --git a/baselines/getting_started/gcp/gcp_check_iam/variables.tf b/baselines/getting_started/gcp/gcp_check_iam/variables.tf
deleted file mode 100644
index b1211af9d..000000000
--- a/baselines/getting_started/gcp/gcp_check_iam/variables.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-# Baseline Configuration
-
-variable "enable_service_account_key_active_policies" {
- type = bool
- description = "Enable the IAM user access service account key active policies for baseline"
- default = true
-}
-
-variable "enable_service_account_key_approved_policies" {
- type = bool
- description = "Enable the IAM user access service account key approved policies for baseline"
- default = true
-}
-
-variable "enable_service_account_trusted_access_policies" {
- type = bool
- description = "Enable the IAM Service Account Trusted policies for baseline"
- default = false
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "GCP Check IAM Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the GCP Check IAM baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_labeling/README.md b/baselines/getting_started/gcp/gcp_check_labeling/README.md
deleted file mode 100644
index 49c475577..000000000
--- a/baselines/getting_started/gcp/gcp_check_labeling/README.md
+++ /dev/null
@@ -1,139 +0,0 @@ -# Baseline - GCP Check Tagging - -This baseline will allow you to check for adhernece to the labeling templates, make sure that the Tag Templates are updated with the specific use case to validate. - -More info - -- [Tags in Turbot](https://turbot.com/v5/docs/concepts/guardrails/tagging) - - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. 
This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_labeling/demo.tfvars b/baselines/getting_started/gcp/gcp_check_labeling/demo.tfvars deleted file mode 100644 index 0a8d77036..000000000 --- a/baselines/getting_started/gcp/gcp_check_labeling/demo.tfvars +++ /dev/null 
@@ -1,36 +0,0 @@
-# List of services and resources to be Check: Labels are correct.
-# Started with a few resource types to get started aligned with the initial mods installed
-# You can remove the comment per row to include the resource type. Make sure you have that related service mod install
-
-# Acceptable Values:
-# "Skip"
-# "Check: Labels are correct
-# "Enforce: Set labels"
-
-resource_tags = {
- # gcp-project = "Check: Labels are correct"
- # gcp-bigquery-dataset = "Check: Labels are correct"
- gcp-bigquery-table = "Check: Labels are correct"
- # gcp-bigtable-instance = "Check: Labels are correct"
- # gcp-composer-environment = "Check: Labels are correct"
- gcp-computeengine-disk = "Check: Labels are correct"
- # gcp-computeengine-image = "Check: Labels are correct"
- gcp-computeengine-instance = "Check: Labels are correct"
- # gcp-computeengine-regionDisk = "Check: Labels are correct"
- gcp-computeengine-snapshot = "Check: Labels are correct"
- # gcp-dataproc-cluster = "Check: Labels are correct"
- # gcp-dataproc-job = "Check: Labels are correct"
- # gcp-dataproc-workflowTemplate = "Check: Labels are correct"
- # gcp-dns-managedZone = "Check: Labels are correct"
- # gcp-kms-cryptoKey = "Check: Labels are correct"
- # gcp-kubernetesengine-regionCluster = "Check: Labels are correct"
- # gcp-kubernetesengine-zoneCluster = "Check: Labels are correct"
- # gcp-network-forwardingRule = "Check: Labels are correct"
- # gcp-network-globalForwardingRule = "Check: Labels are correct"
- # gcp-network-vpnTunnel = "Check: Labels are correct"
- # gcp-pubsub-snapshot = "Check: Labels are correct"
- # gcp-pubsub-subscription = "Check: Labels are correct"
- # gcp-spanner-instance = "Check: Labels are correct"
- gcp-sql-instance = "Check: Labels are correct"
- gcp-storage-bucket = "Check: Labels are correct"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_labeling/labeling_policies.tf b/baselines/getting_started/gcp/gcp_check_labeling/labeling_policies.tf
deleted file mode 100644
index c35a34d21..000000000
--- a/baselines/getting_started/gcp/gcp_check_labeling/labeling_policies.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Simple labeling/tagging controls to check for adhernece to the tagging template example
-# Tag template should be updated per your specific use case
-# More Info: https://turbot.com/v5/docs/concepts/guardrails/tagging
-
-## Sets tagging policy for each resource type in the resource_tags map.
-# GCP > Project > Labels
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/projectLabels
-resource "turbot_policy_setting" "set_resource_tag_policies" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.gcp_labeling.id
- type = local.policy_map[each.key]
- value = each.value
-}
-
-## Sets the default tag template for all resources.
-# GCP > Project > Labels > Template
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/projectLabelsTemplate
-resource "turbot_policy_setting" "default_tag_template" {
- for_each = var.resource_tags
- resource = turbot_smart_folder.gcp_labeling.id
- type = local.policy_map_template[each.key]
- # GraphQL to pull metadata
- template_input = <<-QUERY
- {
- resource {
- turbot {
- title
- tags
- }
- creator: notifications(filter: "sort:version_id limit:1") {
- items {
- actor {
- alternatePersona
- identity {
- turbot {
- title
- }
- }
- }
- turbot {
- createTimestamp
- }
- }
- }
- }
- }
- QUERY
-
- # Nunjucks template to set tags and check for tag validity.
- template = <<-TEMPLATE
-# Actor who created the resource
-{%- set owner = $.resource.creator.items[0].actor.identity.turbot.title -%}
-created_by: "{{ owner | lower | replace(" ", "_") }}"
-
-# Creation Timestamp
-{%- set create_time = $.resource.creator.items[0].turbot.createTimestamp -%}
-created_time: "{{ create_time | lower | replace(".", "_") | replace(":", "-") }}"
- TEMPLATE
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_labeling/locals.tf b/baselines/getting_started/gcp/gcp_check_labeling/locals.tf
deleted file mode 100644
index 452815021..000000000
--- a/baselines/getting_started/gcp/gcp_check_labeling/locals.tf
+++ /dev/null
@@ -1,61 +0,0 @@ -locals { -# Mapping of resource name for the policy -# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope -policy_map = { - gcp-project : "tmod:@turbot/gcp#/policy/types/projectLabels" - gcp-bigquery-dataset : "tmod:@turbot/gcp-bigquery#/policy/types/datasetLabels" - gcp-bigquery-table : "tmod:@turbot/gcp-bigquery#/policy/types/tableLabels" - gcp-bigtable-instance : "tmod:@turbot/gcp-bigtable#/policy/types/instanceLabels" - gcp-composer-environment : "tmod:@turbot/gcp-composer#/policy/types/environmentLabels" - gcp-computeengine-disk : "tmod:@turbot/gcp-computeengine#/policy/types/diskLabels" - gcp-computeengine-image : "tmod:@turbot/gcp-computeengine#/policy/types/imageLabels" - gcp-computeengine-instance : "tmod:@turbot/gcp-computeengine#/policy/types/instanceLabels" - gcp-computeengine-regionDisk : "tmod:@turbot/gcp-computeengine#/policy/types/regionDiskLabels" - gcp-computeengine-snapshot : "tmod:@turbot/gcp-computeengine#/policy/types/snapshotLabels" - gcp-dataproc-cluster : "tmod:@turbot/gcp-dataproc#/policy/types/clusterLabels" - gcp-dataproc-job : "tmod:@turbot/gcp-dataproc#/policy/types/jobLabels" - gcp-dataproc-workflowTemplate : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplateLabels" - gcp-dns-managedZone : "tmod:@turbot/gcp-dns#/policy/types/managedZoneLabels" - gcp-kms-cryptoKey : "tmod:@turbot/gcp-kms#/policy/types/cryptoKeyLabels" - gcp-kubernetesengine-regionCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterLabels" - gcp-kubernetesengine-zoneCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterLabels" - gcp-network-forwardingRule : "tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabels" - gcp-network-globalForwardingRule : "tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabels" - gcp-network-vpnTunnel : "tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabels" - 
gcp-pubsub-snapshot : "tmod:@turbot/gcp-pubsub#/policy/types/snapshotLabels" - gcp-pubsub-subscription : "tmod:@turbot/gcp-pubsub#/policy/types/subscriptionLabels" - gcp-spanner-instance : "tmod:@turbot/gcp-spanner#/policy/types/instanceLabels" - gcp-sql-instance : "tmod:@turbot/gcp-sql#/policy/types/instanceLabels" - gcp-storage-bucket : "tmod:@turbot/gcp-storage#/policy/types/bucketLabels" - } - -# Mapping of resource name to the policy map -# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope -policy_map_template = { - gcp-project : "tmod:@turbot/gcp#/policy/types/projectLabelsTemplate" - gcp-bigquery-dataset : "tmod:@turbot/gcp-bigquery#/policy/types/datasetLabelsTemplate" - gcp-bigquery-table : "tmod:@turbot/gcp-bigquery#/policy/types/tableLabelsTemplate" - gcp-bigtable-instance : "tmod:@turbot/gcp-bigtable#/policy/types/instanceLabelsTemplate" - gcp-composer-environment : "tmod:@turbot/gcp-composer#/policy/types/environmentLabelsTemplate" - gcp-computeengine-disk : "tmod:@turbot/gcp-computeengine#/policy/types/diskLabelsTemplate" - gcp-computeengine-image : "tmod:@turbot/gcp-computeengine#/policy/types/imageLabelsTemplate" - gcp-computeengine-instance : "tmod:@turbot/gcp-computeengine#/policy/types/instanceLabelsTemplate" - gcp-computeengine-regionDisk : "tmod:@turbot/gcp-computeengine#/policy/types/regionDiskLabelsTemplate" - gcp-computeengine-snapshot : "tmod:@turbot/gcp-computeengine#/policy/types/snapshotLabelsTemplate" - gcp-dataproc-cluster : "tmod:@turbot/gcp-dataproc#/policy/types/clusterLabelsTemplate" - gcp-dataproc-job : "tmod:@turbot/gcp-dataproc#/policy/types/jobLabelsTemplate" - gcp-dataproc-workflowTemplate : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplateLabelsTemplate" - gcp-dns-managedZone : "tmod:@turbot/gcp-dns#/policy/types/managedZoneLabelsTemplate" - gcp-kms-cryptoKey : "tmod:@turbot/gcp-kms#/policy/types/cryptoKeyLabelsTemplate" - 
gcp-kubernetesengine-regionCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterLabelsTemplate" - gcp-kubernetesengine-zoneCluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterLabelsTemplate" - gcp-network-forwardingRule : "tmod:@turbot/gcp-network#/policy/types/forwardingRuleLabelsTemplate" - gcp-network-globalForwardingRule : "tmod:@turbot/gcp-network#/policy/types/globalForwardingRuleLabelsTemplate" - gcp-network-vpnTunnel : "tmod:@turbot/gcp-network#/policy/types/vpnTunnelLabelsTemplate" - gcp-pubsub-snapshot : "tmod:@turbot/gcp-pubsub#/policy/types/snapshotLabelsTemplate" - gcp-pubsub-subscription : "tmod:@turbot/gcp-pubsub#/policy/types/subscriptionLabelsTemplate" - gcp-spanner-instance : "tmod:@turbot/gcp-spanner#/policy/types/instanceLabelsTemplate" - gcp-sql-instance : "tmod:@turbot/gcp-sql#/policy/types/instanceLabelsTemplate" - gcp-storage-bucket : "tmod:@turbot/gcp-storage#/policy/types/bucketLabelsTemplate" - } -} \ No newline at end of file diff --git a/baselines/getting_started/gcp/gcp_check_labeling/outputs.tf b/baselines/getting_started/gcp/gcp_check_labeling/outputs.tf deleted file mode 100644 index 8d4e68480..000000000 --- a/baselines/getting_started/gcp/gcp_check_labeling/outputs.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "resource_tags" { - value = var.resource_tags -} - -output "turbot_profile" { - value = var.turbot_profile -} - -output "smart_folder_name" { - value = var.smart_folder_name -} - -output "smart_folder_description" { - value = var.smart_folder_description -} - -output "smart_folder_parent_resource" { - value = var.smart_folder_parent_resource -} \ No newline at end of file diff --git a/baselines/getting_started/gcp/gcp_check_labeling/providers.tf b/baselines/getting_started/gcp/gcp_check_labeling/providers.tf deleted file mode 100644 index db6e1f7b4..000000000 --- a/baselines/getting_started/gcp/gcp_check_labeling/providers.tf +++ /dev/null 
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_labeling/smartfolder.tf b/baselines/getting_started/gcp/gcp_check_labeling/smartfolder.tf
deleted file mode 100644
index 703b3a7ad..000000000
--- a/baselines/getting_started/gcp/gcp_check_labeling/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "gcp_labeling" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_labeling/vaiables.tf b/baselines/getting_started/gcp/gcp_check_labeling/vaiables.tf
deleted file mode 100644
index 26ed5eee2..000000000
--- a/baselines/getting_started/gcp/gcp_check_labeling/vaiables.tf
+++ /dev/null
@@ -1,73 +0,0 @@ -# Baseline Configuration - -variable "resource_tags" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_logging/kubernetes_engine_policies.tf b/baselines/getting_started/gcp/gcp_check_logging/kubernetes_engine_policies.tf deleted file mode 100644 index 9219ef69b..000000000 --- a/baselines/getting_started/gcp/gcp_check_logging/kubernetes_engine_policies.tf +++ /dev/null @@ -1,13 +0,0 @@ -# GCP > Kubernetes Engine > Region Cluster > Logging -# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine/inspect#/policy/types/regionClusterLogging -resource "turbot_policy_setting" "gcp_kubernetes_engine_region_cluster_logging" { - count = var.enable_kubernetes_engine_region_cluster_logging_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterLogging" - value = "Check: Enabled" - # "Skip" - # "Check: Disabled" - # "Check: Enabled" - # "Enforce: Disabled" - # "Enforce: Enabled" -} 
diff --git a/baselines/getting_started/gcp/gcp_check_logging/network_logging_policies.tf b/baselines/getting_started/gcp/gcp_check_logging/network_logging_policies.tf
deleted file mode 100644
index 1d25e4d35..000000000
--- a/baselines/getting_started/gcp/gcp_check_logging/network_logging_policies.tf
+++ /dev/null
@@ -1,62 +0,0 @@ -# GCP > Network > Firewall > Logging -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/firewallLogging -resource "turbot_policy_setting" "gcp_network_firewall_logging" { - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-network#/policy/types/firewallLogging" - value = "Check: Enabled" - # "Skip" - # "Check: Disabled" - # "Check: Enabled" - # "Enforce: Disabled" - # "Enforce: Enabled" -} - -# GCP > Network > Backend Service > Logging -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/regionBackendServiceLogging -resource "turbot_policy_setting" "gcp_network_backend_service_logging" { - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-network#/policy/types/backendServiceLogging" - value = "Check: Enabled" - # "Skip" - # "Check: Disabled" - # "Check: Enabled" - # "Enforce: Disabled" - # "Enforce: Enabled" -} - -# GCP > Network > Backend Service > Logging > Sample Rate -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/regionBackendServiceLoggingSampleRate -# Sampling rate of requests to the load balancer -# Where 1 means all logged requests are reported -# Where 0 means no logged requests are reported -resource "turbot_policy_setting" "gcp_network_backend_service_logging_sammple_rate" { - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-network#/policy/types/backendServiceLoggingSampleRate" - value = "1" -} - -# GCP > Network > Region Backend Service > Logging -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/regionBackendServiceLogging -resource "turbot_policy_setting" "gcp_network_region_backend_service_logging" { - count = var.enable_network_region_backend_service_logging_policies ? 
1 : 0 - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLogging" - value = "Check: Enabled" - # "Skip" - # "Check: Disabled" - # "Check: Enabled" - # "Enforce: Disabled" - # "Enforce: Enabled" -} - -# GCP > Network > Region Backend Service > Logging > Sample Rate -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/regionBackendServiceLoggingSampleRate -# Sampling rate of requests to the load balancer -# Where 1 means all logged requests are reported -# Where 0 means no logged requests are reported -resource "turbot_policy_setting" "gcp_network_region_backend_service_logging_sammple_rate" { - count = var.enable_network_region_backend_service_logging_sammple_rate_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_logging.id - type = "tmod:@turbot/gcp-network#/policy/types/regionBackendServiceLoggingSampleRate" - value = "1" -} diff --git a/baselines/getting_started/gcp/gcp_check_logging/outputs.tf b/baselines/getting_started/gcp/gcp_check_logging/outputs.tf deleted file mode 100644 index 41634e99a..000000000 --- a/baselines/getting_started/gcp/gcp_check_logging/outputs.tf +++ /dev/null 
@@ -1,31 +0,0 @@
-output "enable_kubernetes_engine_region_cluster_logging_policies" {
- value = var.enable_kubernetes_engine_region_cluster_logging_policies
-}
-
-output "enable_instance_binary_log_policies" {
- value = var.enable_instance_binary_log_policies
-}
-
-output "enable_network_region_backend_service_logging_policies" {
- value = var.enable_network_region_backend_service_logging_policies
-}
-
-output "enable_network_region_backend_service_logging_sammple_rate_policies" {
- value = var.enable_network_region_backend_service_logging_sammple_rate_policies
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/gcp/gcp_check_logging/providers.tf b/baselines/getting_started/gcp/gcp_check_logging/providers.tf
deleted file mode 100644
index 7205cf6a7..000000000
--- a/baselines/getting_started/gcp/gcp_check_logging/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/gcp/gcp_check_logging/smartfolder.tf b/baselines/getting_started/gcp/gcp_check_logging/smartfolder.tf
deleted file mode 100644
index 6c7fcd04e..000000000
--- a/baselines/getting_started/gcp/gcp_check_logging/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "gcp_logging" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_logging/sql_policies.tf b/baselines/getting_started/gcp/gcp_check_logging/sql_policies.tf
deleted file mode 100644
index 6d965096c..000000000
--- a/baselines/getting_started/gcp/gcp_check_logging/sql_policies.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-# GCP > SQL > Instance > Binary Log
-# https://turbot.com/v5/mods/turbot/gcp-sql/inspect#/control/types/binaryLogEnabled
-resource "turbot_policy_setting" "gcp_instance_binary_log" {
- count = var.enable_instance_binary_log_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_logging.id
- type = "tmod:@turbot/gcp-sql#/policy/types/binaryLogEnabled"
- value = "Check: Enabled"
- # "Skip"
- # "Check: Disabled"
- # "Check: Enabled"
- # "Enforce: Disabled"
- # "Enforce: Enabled"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_logging/variables.tf b/baselines/getting_started/gcp/gcp_check_logging/variables.tf
deleted file mode 100644
index d20b24766..000000000
--- a/baselines/getting_started/gcp/gcp_check_logging/variables.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Baseline Configuration
-
-variable "enable_kubernetes_engine_region_cluster_logging_policies" {
- type = bool
- description = "Enable the Kubernetes Engine Region Cluster policies for baseline"
- default = true
-}
-
-variable "enable_instance_binary_log_policies" {
- type = bool
- description = "Enable the Instatnce Binary Log policies for baseline"
- default = true
-}
-
-variable "enable_network_region_backend_service_logging_policies" {
- type = bool
- description = "Enable the Network Region Backend Service Logging policies for baseline"
- default = true
-}
-
-variable "enable_network_region_backend_service_logging_sammple_rate_policies" {
- type = bool
- description = "Enable the Network Region Backend Service Logging Sample Rate policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "GCP Check Logging Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the GCP check logging baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_public_access/README.md b/baselines/getting_started/gcp/gcp_check_public_access/README.md
deleted file mode 100644
index 7e0a48937..000000000
--- a/baselines/getting_started/gcp/gcp_check_public_access/README.md
+++ /dev/null
@@ -1,143 +0,0 @@ -# Baseline - GCP Check Public Access - -GCP Check Public Access Policies focuses enabling some commonly used GCP resource public access status. - -More details on -- [Public Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/public-access) - -- [Trusted Access Guardrails](https://turbot.com/v5/docs/concepts/guardrails/trusted-access) - -- [Sample OCL Implementation Example](https://turbot.com/v5/docs/guides/managing-policies/OCL) - -- [Object Control List (OCL)](https://turbot.com/v5/docs/reference/ocl) - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). - -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. 
Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_public_access/compute_engine_policies.tf b/baselines/getting_started/gcp/gcp_check_public_access/compute_engine_policies.tf deleted file mode 100644 index ddee2b6d6..000000000 --- a/baselines/getting_started/gcp/gcp_check_public_access/compute_engine_policies.tf +++ /dev/null 
@@ -1,39 +0,0 @@
-# GCP > Compute Engine > Instance > Block Project Wide SSH Keys
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceBlockProjectWideSshKeys
-resource "turbot_policy_setting" "instance_block_project_wide_ssh_keys" {
- count = var.enable_compute_engine_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_public_access.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/instanceBlockProjectWideSshKeys"
- value = "Check: Enabled"
- # "Skip"
- # "Check: Disabled"
- # "Check: Enabled"
- # "Enforce: Disabled"
- # "Enforce: Enabled"
-}
-
-# GCP > Compute Engine > Instance > External IP Addresses
-# https://turbot.com/v5/mods/turbot/gcp-computeenginxe/inspect#/policy/types/instanceExternalIpAddresses
-resource "turbot_policy_setting" "instance_external_ip_addresses" {
- count = var.enable_compute_engine_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_public_access.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/instanceExternalIpAddresses"
- value = "Check: None"
- # "Skip"
- # "Check: None"
- # "Enforce: None"
-}
-
-# GCP > Compute Engine > Instance > Serial Port Access
-# https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/policy/types/instanceSerialPortAccess
-resource "turbot_policy_setting" "instance_serial_port_access" {
- count = var.enable_compute_engine_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_public_access.id
- type = "tmod:@turbot/gcp-computeengine#/policy/types/instanceSerialPortAccess"
- value = "Check: Enabled"
- # "Skip"
- # "Check: Disabled"
- # "Check: Enabled"
- # "Enforce: Disabled"
- # "Enforce: Enabled"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_public_access/locals.tf b/baselines/getting_started/gcp/gcp_check_public_access/locals.tf
deleted file mode 100644
index 1f65ecb66..000000000
--- a/baselines/getting_started/gcp/gcp_check_public_access/locals.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-locals {
- policy_map = {
- "gcp-bigtable-instance" : "tmod:@turbot/gcp-bigtable#/policy/types/instancePolicyTrustedAccess"
- "gcp-computeengine-disk" : "tmod:@turbot/gcp-computeengine#/policy/types/diskPolicyTrustedAccess"
- "gcp-computeengine-image" : "tmod:@turbot/gcp-computeengine#/policy/types/imagePolicyTrustedAccess"
- "gcp-computeengine-instance" : "tmod:@turbot/gcp-computeengine#/policy/types/instancePolicyTrustedAccess"
- "gcp-computeengine-instanceTemplate" : "tmod:@turbot/gcp-computeengine#/policy/types/instanceTemplatePolicyTrustedAccess"
- "gcp-computeengine-nodeGroup" : "tmod:@turbot/gcp-computeengine#/policy/types/nodeGroupPolicyTrustedAccess"
- "gcp-computeengine-nodeTemplate" : "tmod:@turbot/gcp-computeengine#/policy/types/nodeTemplatePolicyTrustedAccess"
- "gcp-dataproc-cluster" : "tmod:@turbot/gcp-dataproc#/policy/types/clusterPolicyTrustedAccess"
- "gcp-dataproc-job" : "tmod:@turbot/gcp-dataproc#/policy/types/jobPolicyTrustedAccess"
- "gcp-dataproc-workflowTemplate" : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplatePolicyTrustedAccess"
- "gcp-functions-function" : "tmod:@turbot/gcp-functions#/policy/types/functionPolicyTrustedAccess"
- "gcp-iam-projectIam" : "tmod:@turbot/gcp-iam#/policy/types/projectIamPolicyTrustedAccess"
- "gcp-iam-serviceAccountPolicy" : "tmod:@turbot/gcp-iam#/policy/types/serviceAccountPolicyTrustedAccess"
- "gcp-kms-cryptoKey" : "tmod:@turbot/gcp-kms#/policy/types/cryptoKeyPolicyTrustedAccess"
- "gcp-kms-keyRing" : "tmod:@turbot/gcp-kms#/policy/types/keyRingPolicyTrustedAccess"
- "gcp-network-subnetwork" : "tmod:@turbot/gcp-network#/policy/types/subnetworkPolicyTrustedAccess"
- "gcp-pubsub-subscription" : "tmod:@turbot/gcp-pubsub#/policy/types/subscriptionPolicyTrustedAccess"
- "gcp-pubsub-topic" : "tmod:@turbot/gcp-pubsub#/policy/types/topicPolicyTrustedAccess"
- "gcp-spanner-instance" : "tmod:@turbot/gcp-spanner#/policy/types/instancePolicyTrustedAccess"
- "gcp-storage-bucket" : "tmod:@turbot/gcp-storage#/policy/types/bucketPolicyTrustedAccess"
- }
-}
diff --git a/baselines/getting_started/gcp/gcp_check_public_access/network_policies.tf b/baselines/getting_started/gcp/gcp_check_public_access/network_policies.tf
deleted file mode 100644
index eae7c9492..000000000
--- a/baselines/getting_started/gcp/gcp_check_public_access/network_policies.tf
+++ /dev/null
@@ -1,29 +0,0 @@ -# Approve / Reject Security Group Ingress Rules -# Can also apply to Egress rules, focus of baseline is on inbound -# Examples are just a starting point, -# More Info: https://turbot.com/v5/docs/guides/managing-policies/OCL -# More Info on OCL: https://turbot.com/v5/docs/reference/ocl - -# GCP > Network > Firewall > Ingress Rules > Approved -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/firewallIngressRulesApproved -resource "turbot_policy_setting" "gcp_network_firewall_ingress_rules_approved" { - count = var.enable_network_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_public_access.id - type = "tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApproved" - value = "Check: Approved" - # "Skip" - # "Check: Approved" - # "Enforce: Delete unapproved" -} - -# GCP > Network > Firewall > Ingress Rules > Approved > Rules -# https://turbot.com/v5/mods/turbot/gcp-network/inspect#/policy/types/firewallIngressRulesApprovedRules -resource "turbot_policy_setting" "gcp_network_firewall_ingress_rules_approved_rules" { - count = var.enable_network_policies ? 1 : 0 - resource = turbot_smart_folder.gcp_public_access.id - type = "tmod:@turbot/gcp-network#/policy/types/firewallIngressRulesApprovedRules" - value = < Project > Trusted Domains [Default] -# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/trustedDomains -resource "turbot_policy_setting" "project_trusted_domains_template" { - resource = turbot_smart_folder.gcp_public_access.id - type = "tmod:@turbot/gcp#/policy/types/trustedDomains" - value = <<-EOT - - "*" # allows all, adjust for specific domains (e.g. 
gmail.com, turbot.com) - - "turbot.com" #example of setting a specific domain -EOT -} - -#Loop through var.service_status and set enable policies -# GCP > **Service** > **Resource** > Policy > Trusted Access -# Example policy: https://turbot.com/v5/mods/turbot/gcp-computeengine/inspect#/control/types/diskPolicyTrustedAccess -resource "turbot_policy_setting" "gcp_service_trusted_access" { - for_each = local.policy_map - resource = turbot_smart_folder.gcp_public_access.id - type = each.value - value = "Check: Trusted Access > *" -} diff --git a/baselines/getting_started/gcp/gcp_check_public_access/variables.tf b/baselines/getting_started/gcp/gcp_check_public_access/variables.tf deleted file mode 100644 index 047f21dec..000000000 --- a/baselines/getting_started/gcp/gcp_check_public_access/variables.tf +++ /dev/null 
@@ -1,52 +0,0 @@
-# Baseline Configuration
-
-variable "enable_compute_engine_policies" {
- type = bool
- description = "Enable Compute Engine public access policies for the baseline"
- default = true
-}
-
-variable "enable_network_policies" {
- type = bool
- description = "Enable GCP Network public access policies for baseline"
- default = true
-}
-
-# Optional Common Baseline Configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "GCP Check Public Access Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for GCP Check Public Access baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
-
-variable "instance_serial_port_access" {
- type = string
- default = "Check: Enabled"
-}
-
-variable "gcp_network_firewall_ingress_rules_approved" {
- type = string
- default = "Check: Approved"
-}
-
-variable "gcp_service_trusted_access" {
- type = string
- default = "Check: Trusted Access > *"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_regions/README.md b/baselines/getting_started/gcp/gcp_check_regions/README.md
deleted file mode 100644
index aabbaa142..000000000
--- a/baselines/getting_started/gcp/gcp_check_regions/README.md
+++ /dev/null
@@ -1,188 +0,0 @@ -# Baseline - GCP Check Regions - -This baseline will allow you to discover resources in multiple regions and not approve usage of resource that are not in an allowable region. - -This baseline is only effective when the account regions policies have multiple regions set. - -The account approved regions `GCP > Account > Approved Regions [Default]` policy contains a list of GCP regions in which cloud resources are approved for use. - -If the [GCP Baseline](../gcp_baseline/) has only one region enabled then the approving regions policy will not be -effective as Turbot will only discovers resources for that one region. - -Turbot also supports GCP Lockdown / Boundary policies to limit access to regions which are not part of this baseline. - -More Info - -- [Approved Regions](https://turbot.com/v5/docs/guides/regions#approved-regions) - - -## Overview - -Baseline policies are initial set of policies recommended to start with while using Turbot. These policies mostly focuses on enabling services, frequently used policies to run in check mode & enabling security features such as various encryption standards. Baseline TF scripts allows you to toggle the value to apply or ignore. See the below sections for more information. - -Some of these policies overlap with other set of baselines. Hence Turbot provided set of baseline TF files are executed in separate [Smart Folder](https://turbot.com/v5/docs/getting-started/smart_folder). The advantage of setting up of each baseline in their own Smart Folder prevents conflicting with the policy settings created by other baseline scripts. - -This baseline will not attach to a resource by default. This needs to be done manually using the Turbot UI. - -## Requirements - -- Terraform v0.13 or greater installed -- Valid Turbot configuration credentials - -For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials). 
- -## Applying baseline - -The baseline is defined by a set of files which together define the configuration of the baseline. - -### Initialize baseline - -If not previously run, Initialize Terraform to get all necessary providers for the baseline. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform init - ``` -### Profile name as input - -The baseline example set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default. - -```shell -var.turbot_profile - Enter profile matching your turbot cli credentials. - Enter a value: -``` - -### Deploying demo example - -The demo baseline expects that the following mods are installed: - - - gcp-bigtable-cluster - - gcp-composer-environment - - gcp-computeengine-disk - - gcp-computeengine-instance - - gcp-computeengine-node-group - - gcp-computeengine-node-template - - gcp-computeengine-region-disk - - gcp-computeengine-region-health-check - - gcp-dataflow-job - - gcp-dataproc-cluster - - gcp-dataproc-job - - gcp-dataproc-workflowtemplate - - gcp-functions-function - - gcp-kms-cryptokey - - gcp-kubernetesengine-region-cluster - - gcp-kubernetesengine-region-node-pool - - gcp-kubernetesengine-zone-cluster - - gcp-kubernetesengine-zone-node-pool - - gcp-network-address - - gcp-network-forwarding-rule - - gcp-network-router - - gcp-network-region-backend-service - - gcp-network-region-url-map - - gcp-network-subnetwork - - gcp-network-target-pool - - gcp-network-target-vpn-gateway - - gcp-network-vpn-tunnel - - gcp-scheduler-job - - gcp-spanner-instance - - gcp-sql-backup - - gcp-sql-database - - gcp-sql-instance - - gcp-storage-bucket - -To run the baseline: - -1. Navigate to the folder of the baseline -2. Initialise Terraform -3. 
Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` - -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. - -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. 
Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values diff --git a/baselines/getting_started/gcp/gcp_check_regions/approved_regions_policies.tf b/baselines/getting_started/gcp/gcp_check_regions/approved_regions_policies.tf deleted file mode 100644 index cf7495597..000000000 --- a/baselines/getting_started/gcp/gcp_check_regions/approved_regions_policies.tf +++ /dev/null 
@@ -1,50 +0,0 @@ -# Approved Regions cloud resources are allowed to reside in. Starting with us regions and global -# GCP > Project > Approved Regions [Default]P -# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/approvedRegionsDefault -resource "turbot_policy_setting" "gcp_project_approved_regions" { - resource = turbot_smart_folder.gcp_regions.id - type = "tmod:@turbot/gcp#/policy/types/approvedRegionsDefault" - value = <<-ALLOWEDREGIONS - # - asia-east1 - # - asia-east2 - # - asia-northeast1 - # - asia-northeast2 - # - asia-northeast3 - # - asia-south1 - # - asia-southeast1 - # - australia-southeast1 - # - europe-north1 - # - europe-west1 - # - europe-west2 - # - europe-west3 - # - europe-west4 - # - europe-west6 - # - northamerica-northeast1 - # - southamerica-east1 - - us-central1 - - us-east1 - - us-east4 - - us-west1 - - us-west2 - - us-west3 - # - asia - # - eu - # - eur3 - # - eur4 - # - nam-eur-asia1 - # - nam3 - # - nam4 - # - nam5 - # - nam6 - - us - - global - ALLOWEDREGIONS -} - -## Sets approved region policy for each resource type in the resource_approved_regions map. -resource "turbot_policy_setting" "set_resource_approved_regions_policies" { - for_each = var.resource_approved_regions - resource = turbot_smart_folder.gcp_regions.id - type = local.policy_map[each.key] - value = each.value -} diff --git a/baselines/getting_started/gcp/gcp_check_regions/demo.tfvars b/baselines/getting_started/gcp/gcp_check_regions/demo.tfvars deleted file mode 100644 index 40be3cc9d..000000000 --- a/baselines/getting_started/gcp/gcp_check_regions/demo.tfvars +++ /dev/null 
@@ -1,73 +0,0 @@ -# List of services and resources to be Check: Approved. -# Started with a few resource types to get started aligned with the initial mods installed -# You can comment per row to exclude the resource type. For any included, make sure you have that related service mod install -# See notes per row for nuance conditions for specific service policy settings - -# Acceptable Values: -# "Skip" -# "Check: Approved" -# "Enforce: Delete unapproved if new" - -resource_approved_regions = { - gcp-bigtable-cluster = "Check: Approved" - gcp-composer-environment = "Check: Approved" - gcp-computeengine-disk = "Check: Approved" - gcp-computeengine-instance = "Check: Approved" # note: "Enforce: Stop unapproved", "Enforce: Stop unapproved if new", "Enforce: Delete unapproved if new" - gcp-computeengine-node-group = "Check: Approved" - gcp-computeengine-node-template = "Check: Approved" - gcp-computeengine-region-disk = "Check: Approved" - gcp-computeengine-region-health-check = "Check: Approved" - gcp-dataflow-job = "Check: Approved" # note: does not have an enforce value - gcp-dataproc-cluster = "Check: Approved" - gcp-dataproc-job = "Check: Approved" - gcp-dataproc-workflowtemplate = "Check: Approved" - gcp-functions-function = "Check: Approved" - gcp-kms-cryptokey = "Check: Approved" # note: does not have an enforce value - gcp-kubernetesengine-region-cluster = "Check: Approved" - gcp-kubernetesengine-region-node-pool = "Check: Approved" - gcp-kubernetesengine-zone-cluster = "Check: Approved" - gcp-kubernetesengine-zone-node-pool = "Check: Approved" - gcp-network-address = "Check: Approved" - gcp-network-forwarding-rule = "Check: Approved" - gcp-network-router = "Check: Approved" - gcp-network-region-backend-service = "Check: Approved" - gcp-network-region-url-map = "Check: Approved" - gcp-network-subnetwork = "Check: Approved" - gcp-network-target-pool = "Check: Approved" - gcp-network-target-vpn-gateway = "Check: Approved" - gcp-network-vpn-tunnel = "Check: 
Approved" - gcp-scheduler-job = "Check: Approved" # note: does not have an enforce value - gcp-spanner-instance = "Check: Approved" - gcp-sql-backup = "Check: Approved" - gcp-sql-database = "Check: Approved" - gcp-sql-instance = "Check: Approved" - gcp-storage-bucket = "Check: Approved" - # gcp-storage-object = "Check: Approved" # turned off by default to reduce noise -} - -# For reference, resources that do not reside in a specific region, therefore cannot limit which regions the resource resides in: - # gcp-appengine - # gcp-bigquery-dataset - # gcp-bigquery-table - # gcp-build - # gcp-datacatalog - # gcp-dns-managed-zone - # gcp-iam-login-names - # gcp-iam-member - # gcp-iam-project-role - # gcp-iam-project-user - # gcp-iam-service-account - # gcp-iam-service-account-key - # gcp-logging-exclusion - # gcp-logging-metric - # gcp-logging-sink - # gcp-memorystore - # gcp-monitoring-alert-policy - # gcp-monitoring-group - # gcp-monitoring-notification-channel - # gcp-notebooks - # gcp-orgpolicy - # gcp-pubsub-snapshot - # gcp-pubsub-subscription - # gcp-pubsub- - \ No newline at end of file diff --git a/baselines/getting_started/gcp/gcp_check_regions/locals.tf b/baselines/getting_started/gcp/gcp_check_regions/locals.tf deleted file mode 100644 index e28b034df..000000000 --- a/baselines/getting_started/gcp/gcp_check_regions/locals.tf +++ /dev/null 
@@ -1,40 +0,0 @@
-locals {
-## Mapping of resource name to resource tag policy
-# Note: the resource map above dictates the applicable use of each line item below. You do not need to comment out these items to reduce scope
-policy_map = {
- gcp-bigtable-cluster : "tmod:@turbot/gcp-bigtable#/policy/types/clusterApproved"
- gcp-composer-environment : "tmod:@turbot/gcp-composer#/policy/types/environmentApproved"
- gcp-computeengine-disk : "tmod:@turbot/gcp-computeengine#/policy/types/diskApproved"
- gcp-computeengine-instance : "tmod:@turbot/gcp-computeengine#/policy/types/instanceApproved"
- gcp-computeengine-node-group : "tmod:@turbot/gcp-computeengine#/policy/types/nodeGroupApproved"
- gcp-computeengine-node-template : "tmod:@turbot/gcp-computeengine#/policy/types/nodeTemplateApproved"
- gcp-computeengine-region-disk : "tmod:@turbot/gcp-computeengine#/policy/types/regionDiskApproved"
- gcp-computeengine-region-health-check : "tmod:@turbot/gcp-computeengine#/policy/types/regionHealthCheckApproved"
- gcp-dataflow-job : "tmod:@turbot/gcp-dataflow#/policy/types/jobApproved"
- gcp-dataproc-cluster : "tmod:@turbot/gcp-dataproc#/policy/types/clusterApproved"
- gcp-dataproc-job : "tmod:@turbot/gcp-dataproc#/policy/types/jobApproved"
- gcp-dataproc-workflowtemplate : "tmod:@turbot/gcp-dataproc#/policy/types/workflowTemplateApproved"
- gcp-functions-function : "tmod:@turbot/gcp-functions#/policy/types/functionApproved"
- gcp-kms-cryptokey : "tmod:@turbot/gcp-kms#/policy/types/cryptoKeyApproved"
- gcp-kubernetesengine-region-cluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionClusterApproved"
- gcp-kubernetesengine-region-node-pool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/regionNodePoolApproved"
- gcp-kubernetesengine-zone-cluster : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneClusterApproved"
- gcp-kubernetesengine-zone-node-pool : "tmod:@turbot/gcp-kubernetesengine#/policy/types/zoneNodePoolApproved"
- gcp-network-address : "tmod:@turbot/gcp-network#/policy/types/addressApproved"
- gcp-network-forwarding-rule : "tmod:@turbot/gcp-network#/policy/types/forwardingRuleApproved"
- gcp-network-region-backend-service : "tmod:@turbot/gcp-network#/policy/types/regionBackendServiceApproved"
- gcp-network-region-url-map : "tmod:@turbot/gcp-network#/policy/types/regionUrlMapApproved"
- gcp-network-router : "tmod:@turbot/gcp-network#/policy/types/routerApproved"
- gcp-network-subnetwork : "tmod:@turbot/gcp-network#/policy/types/subnetworkApproved"
- gcp-network-target-pool : "tmod:@turbot/gcp-network#/policy/types/targetPoolApproved"
- gcp-network-target-vpn-gateway : "tmod:@turbot/gcp-network#/policy/types/targetVpnGatewayApproved"
- gcp-network-vpn-tunnel : "tmod:@turbot/gcp-network#/policy/types/vpnTunnelApproved"
- gcp-scheduler-job : "tmod:@turbot/gcp-scheduler#/policy/types/jobApproved"
- gcp-spanner-instance : "tmod:@turbot/gcp-spanner#/policy/types/instanceApproved"
- gcp-sql-backup : "tmod:@turbot/gcp-sql#/policy/types/backupApproved"
- gcp-sql-database : "tmod:@turbot/gcp-sql#/policy/types/databaseApproved"
- gcp-sql-instance : "tmod:@turbot/gcp-sql#/policy/types/instanceApproved"
- gcp-storage-bucket : "tmod:@turbot/gcp-storage#/policy/types/bucketApproved"
- gcp-storage-object : "tmod:@turbot/gcp-storage#/policy/types/objectApproved"
- }
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_regions/outputs.tf b/baselines/getting_started/gcp/gcp_check_regions/outputs.tf
deleted file mode 100644
index 587f6db19..000000000
--- a/baselines/getting_started/gcp/gcp_check_regions/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "resource_approved_regions" {
- value = var.resource_approved_regions
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
diff --git a/baselines/getting_started/gcp/gcp_check_regions/providers.tf b/baselines/getting_started/gcp/gcp_check_regions/providers.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/gcp/gcp_check_regions/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_regions/smartfolder.tf b/baselines/getting_started/gcp/gcp_check_regions/smartfolder.tf
deleted file mode 100644
index 857b4c5fe..000000000
--- a/baselines/getting_started/gcp/gcp_check_regions/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "gcp_regions" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_regions/variables.tf b/baselines/getting_started/gcp/gcp_check_regions/variables.tf
deleted file mode 100644
index ae49de00e..000000000
--- a/baselines/getting_started/gcp/gcp_check_regions/variables.tf
+++ /dev/null
@@ -1,80 +0,0 @@ -# Baseline Configuration -variable "resource_approved_regions" { - description = < -``` - -### Deploying demo example - -1. Navigate to the folder of the baseline -2. Initialize Terraform -3. Apply the baseline using the demo input variable file [demo.tfvars](demo.tfvars) - -On the terminal this will look like: - -```shell -cd -terraform init -terraform apply --var-file demo.tfvars -``` -**Note** -- Most of the variables in demo.tfvars are marked as `false`, as they are not part of required initial policies. This can be made `true` based on need. -- Some of the baseline scripts may not have the `demo.tfvars`, you may execute only with default varialble file. - -### Input variable files - -Input variable files allow for the user to configure configuration definitions for multiple environments in different files. - -This baseline comes with an example input variable file called [demo.tfvars](demo.tfvars). - -It will be used to define which parts of the baseline to apply and which to ignore. - -The variables that can be overwritten by the input variable files i.e. [demo.tfvars](demo.tfvars) are defined in the [variables.tf](variables.tf) file. - -Further details found in official [Terraform documentation](https://www.terraform.io/docs/language/values/variables.html). - -### Apply baseline using input variable files - -If seeking to apply the baseline using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform apply --var-file=demo.tfvars - ``` -### Apply baseline without input variable file - -The baseline can be applied without an input variable file. - -1. By this time Terraform initialization is done as mentioned above. -3. Prefer to check the outcome by running the Terraform plan -3. Apply the Terraform -4. 
Run the command: - -```shell -cd -terraform plan -terraform apply -``` - -`This may prompt the user applying the baseline to enter values for variables that do not have default values.` - -### Destroy baseline without input variable file - -If seeking to apply the baseline without using an input variable file. - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy - ``` - -### Destroy using input variable files - -If seeking to destoy the baseline configuration using an input variable file such as [demo.tfvars](demo.tfvars). - -1. Navigate to the folder containing the baseline configuration. -2. Run the command: - - ```shell - terraform destroy --var-file=demo.tfvars - ``` - -## Commenting strategy - -All Turbot policies used by the baselines will have a link to the official Turbot Mods documentation. - -Opening the links will give you further details about: - -- The purpose of the policy -- Policy URI name -- Parent information -- Category information -- Target information -- All valid values \ No newline at end of file diff --git a/baselines/getting_started/gcp/gcp_check_stack/outputs.tf b/baselines/getting_started/gcp/gcp_check_stack/outputs.tf deleted file mode 100644 index 2c48a0db7..000000000 --- a/baselines/getting_started/gcp/gcp_check_stack/outputs.tf +++ /dev/null 
@@ -1,27 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
-
-output "smart_folder_name" {
- value = var.smart_folder_name
-}
-
-output "smart_folder_description" {
- value = var.smart_folder_description
-}
-
-output "smart_folder_parent_resource" {
- value = var.smart_folder_parent_resource
-}
-
-output "gcp_project_pubsub_stack_policies" {
- value = var.gcp_project_pubsub_stack_policies
-}
-
-output "gcp_project_pubsub_stack_tfversion_policies" {
- value = var.gcp_project_pubsub_stack_tfversion_policies
-}
-
-output "gcp_project_pubsub_stack_source_policies" {
- value = var.gcp_project_pubsub_stack_source_policies
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_stack/project_stack_policies.tf b/baselines/getting_started/gcp/gcp_check_stack/project_stack_policies.tf
deleted file mode 100644
index a72f475bc..000000000
--- a/baselines/getting_started/gcp/gcp_check_stack/project_stack_policies.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-## Set policy to deploy example GCP Project Stack
-# GCP > Project > Stack
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/projectStack
-resource "turbot_policy_setting" "gcp_project_pubsub_stack" {
- count = var.gcp_project_pubsub_stack_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_stack.id
- type = "tmod:@turbot/gcp#/policy/types/projectStack"
- value = "Check: Configured"
- # "Enforce: Configured"
-}
-
-# Sets the Terraform version for your Source
-# GCP > Project > Stack > Terraform Version
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/projectStackTerraformVersion
-resource "turbot_policy_setting" "gcp_project_pubsub_stack_tfversion" {
- count = var.gcp_project_pubsub_stack_tfversion_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_stack.id
- type = "tmod:@turbot/gcp#/policy/types/projectStackTerraformVersion"
- value = "0.12.*"
-}
-
-## Set policy to apply the Stack Source policy, the TF file source
-# GCP > Project > Stack > Source
-# https://turbot.com/v5/mods/turbot/gcp/inspect#/policy/types/projectStackSource
-resource "turbot_policy_setting" "gcp_project_pubsub_stack_source" {
- count = var.gcp_project_pubsub_stack_source_policies ? 1 : 0
- resource = turbot_smart_folder.gcp_stack.id
- type = "tmod:@turbot/gcp#/policy/types/projectStackSource"
- value = <<-SOURCE
- ${file("./tf_includes/sourcestack_policies.tf")}
- SOURCE
-}
diff --git a/baselines/getting_started/gcp/gcp_check_stack/providers.tf b/baselines/getting_started/gcp/gcp_check_stack/providers.tf
deleted file mode 100644
index 0353d61cb..000000000
--- a/baselines/getting_started/gcp/gcp_check_stack/providers.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
diff --git a/baselines/getting_started/gcp/gcp_check_stack/smartfolder.tf b/baselines/getting_started/gcp/gcp_check_stack/smartfolder.tf
deleted file mode 100644
index 97dcb1f11..000000000
--- a/baselines/getting_started/gcp/gcp_check_stack/smartfolder.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "turbot_smart_folder" "gcp_stack" {
- parent = var.smart_folder_parent_resource
- title = var.smart_folder_name
- description = var.smart_folder_description
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_check_stack/tf_includes/sourcestack_policies.tf b/baselines/getting_started/gcp/gcp_check_stack/tf_includes/sourcestack_policies.tf
deleted file mode 100644
index cd52106f8..000000000
--- a/baselines/getting_started/gcp/gcp_check_stack/tf_includes/sourcestack_policies.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-resource "google_pubsub_topic" "turbot_test_demo" {
- name = "turbot_test_demo_topic"
-}
-
-resource "google_pubsub_subscription" "turbot_test_demo" {
- name = "turbot_test_demo_subscription"
- topic = google_pubsub_topic.turbot_test_demo.name
- message_retention_duration = "1000s"
- retain_acked_messages = true
- ack_deadline_seconds = 20
-
- expiration_policy {
- ttl = "300000.5s"
- }
-}
-
-resource "google_pubsub_topic_iam_member" "pubsubpublisher" {
- topic = google_pubsub_topic.turbot_test_demo.name
- role = "roles/pubsub.publisher"
- member = "allAuthenticatedUsers"
-}
diff --git a/baselines/getting_started/gcp/gcp_check_stack/variables.tf b/baselines/getting_started/gcp/gcp_check_stack/variables.tf
deleted file mode 100644
index bb83324e1..000000000
--- a/baselines/getting_started/gcp/gcp_check_stack/variables.tf
+++ /dev/null
@@ -1,42 +0,0 @@
-# Smartfolder configuration
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-variable "smart_folder_name" {
- description = "Smart folder name for the baseline"
- type = string
- default = "GCP Stack Example Policies"
-}
-
-variable "smart_folder_description" {
- description = "Enter a description for the smart folder"
- type = string
- default = "Defines sets of policies for the GCP Stack baseline"
-}
-
-variable "smart_folder_parent_resource" {
- description = "Enter the resource ID or AKA for the parent of the smart folder"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
-
-# Baseline configuration
-variable "gcp_project_pubsub_stack_policies" {
- type = bool
- description = "Enable the GCP Project PubSub Stack policies for baseline"
- default = true
-}
-
-variable "gcp_project_pubsub_stack_tfversion_policies" {
- type = bool
- description = "Enable the GCP Project PubSub Stack TFversion policies for baseline"
- default = true
-}
-
-variable "gcp_project_pubsub_stack_source_policies" {
- type = bool
- description = "Enable the GCP Project PubSub Stack Source policies for baseline"
- default = true
-}
diff --git a/baselines/getting_started/gcp/gcp_mods/README.md b/baselines/getting_started/gcp/gcp_mods/README.md
deleted file mode 100644
index 75c9317bc..000000000
--- a/baselines/getting_started/gcp/gcp_mods/README.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# GCP - Mods install
-
-Turbot provides dozens of GCP mods, covering hundreds of GCP resources, with thousands of policies and controls. By definition, mods are installed with the top Turbot resource as the parent. This means that administrators must be at the Turbot resource level with Turbot/Owner permissions to make modifications, installing, uninstalling, or updating, to mods in the environment.
-
-More information can be found [here](https://turbot.com/v5/docs/mods)
-
-## Requirements
-
-- Terraform v0.13 or greater installed
-- Valid Turbot configuration credentials
-
-For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials).
-
-### Initialize
-
-1. Navigate to the gcp_mods folder.
-2. Run the command:
-
- ```shell
- terraform init
- ```
-
-### Profile name as input
-
-This set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default.
-
-```shell
-var.turbot_profile
- Enter profile matching your turbot cli credentials.
- Enter a value:
-```
-
-### Apply installation
-
-The installation can be applied without an input variable file.
-
-1. By this time Terraform initialization is done as mentioned above.
-3. Prefer to check the outcome by running the Terraform plan
-3. Apply the Terraform
-4. Run the command:
-
-```shell
-cd
-terraform plan
-terraform apply
-```
-
-### Destroy installation
-
-If seeking to apply the installation without using an input variable file.
-
-1. Navigate to the folder containing the installation configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the installation will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_mods/mod_install.tf b/baselines/getting_started/gcp/gcp_mods/mod_install.tf
deleted file mode 100644
index b397f8516..000000000
--- a/baselines/getting_started/gcp/gcp_mods/mod_install.tf
+++ /dev/null
@@ -1,268 +0,0 @@
-# https://turbot.com/v5/mods/turbot/gcp
-resource "turbot_mod" "gcp" {
- parent = "tmod:@turbot/turbot#/"
- org = "turbot"
- mod = "gcp"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-iam
-resource "turbot_mod" "gcp-iam" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp"]
- org = "turbot"
- mod = "gcp-iam"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-iam") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-appengine
-resource "turbot_mod" "gcp-appengine" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-appengine"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-appengine") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-bigquery
-resource "turbot_mod" "gcp-bigquery" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-bigquery"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-bigquery") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-bigtable
-resource "turbot_mod" "gcp-bigtable" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-bigtable"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-bigtable") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-build
-resource "turbot_mod" "gcp-build" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-build"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-build") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-composer
-resource "turbot_mod" "gcp-composer" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-composer"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-composer") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-computeengine
-resource "turbot_mod" "gcp-computeengine" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-computeengine"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-computeengine") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-datacatalog
-resource "turbot_mod" "gcp-datacatalog" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-datacatalog"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-datacatalog") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-dataflow
-resource "turbot_mod" "gcp-dataflow" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-dataflow"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-dataflow") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-dataproc
-resource "turbot_mod" "gcp-dataproc" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-dataproc"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-dataproc") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-dns
-resource "turbot_mod" "gcp-dns" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-dns"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-dns") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-functions
-resource "turbot_mod" "gcp-functions" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-functions"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-functions") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-kms
-resource "turbot_mod" "gcp-kms" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-kms"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-kms") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-kubernetesengine
-resource "turbot_mod" "gcp-kubernetesengine" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-kubernetesengine"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-kubernetesengine") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-logging
-resource "turbot_mod" "gcp-logging" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-logging"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-logging") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-memorystore
-resource "turbot_mod" "gcp-memorystore" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-memorystore"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-memorystore") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-monitoring
-resource "turbot_mod" "gcp-monitoring" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-monitoring"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-monitoring") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-network
-resource "turbot_mod" "gcp-network" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-network"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-network") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-notebooks
-resource "turbot_mod" "gcp-notebooks" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp"]
- org = "turbot"
- mod = "gcp-notebooks"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-notebooks") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-orgpolicy
-resource "turbot_mod" "gcp-orgpolicy" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-orgpolicy"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-orgpolicy") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-pubsub
-resource "turbot_mod" "gcp-pubsub" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-pubsub"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-pubsub") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-scheduler
-resource "turbot_mod" "gcp-scheduler" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-scheduler"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-scheduler") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-spanner
-resource "turbot_mod" "gcp-spanner" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-spanner"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-spanner") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-sql
-resource "turbot_mod" "gcp-sql" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-sql"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-sql") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-storage
-resource "turbot_mod" "gcp-storage" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam"]
- org = "turbot"
- mod = "gcp-storage"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-storage") ? 1 : 0
-}
-
-# https://turbot.com/v5/mods/turbot/gcp-cisv1
-resource "turbot_mod" "gcp-cisv1" {
- parent = "tmod:@turbot/turbot#/"
- depends_on = ["turbot_mod.gcp", "turbot_mod.gcp-iam", "turbot_mod.cis", "turbot_mod.gcp-computeengine", "turbot_mod.gcp-dns", "turbot_mod.gcp-kms", "turbot_mod.gcp-logging", "turbot_mod.gcp-network", "turbot_mod.gcp-sql", "turbot_mod.gcp-storage"]
- org = "turbot"
- mod = "gcp-cisv1"
- version = ">=5.0.0-beta.1"
- count = contains(var.mod_list, "gcp-cisv1") ? 1 : 0
-}
diff --git a/baselines/getting_started/gcp/gcp_mods/ouputs.tf b/baselines/getting_started/gcp/gcp_mods/ouputs.tf
deleted file mode 100644
index 0196cf2ec..000000000
--- a/baselines/getting_started/gcp/gcp_mods/ouputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "mod_list" {
- value = var.mod_list
-}
-
-output "turbot_profile" {
- value = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_mods/provider.tf b/baselines/getting_started/gcp/gcp_mods/provider.tf
deleted file mode 100644
index db6e1f7b4..000000000
--- a/baselines/getting_started/gcp/gcp_mods/provider.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/gcp/gcp_mods/variables.tf b/baselines/getting_started/gcp/gcp_mods/variables.tf
deleted file mode 100644
index 6f34b7fb2..000000000
--- a/baselines/getting_started/gcp/gcp_mods/variables.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-variable "mod_list" {
- type = "list"
- default = [
- "gcp",
- "gcp-appengine",
- "gcp-bigquery",
- "gcp-bigtable",
- "gcp-build",
- "gcp-cisv1",
- "gcp-composer",
- "gcp-computeengine",
- "gcp-datacatalog",
- "gcp-dataflow",
- "gcp-dataproc",
- "gcp-dns",
- "gcp-functions",
- "gcp-iam",
- "gcp-kms",
- "gcp-kubernetesengine",
- "gcp-logging",
- "gcp-memorystore",
- "gcp-monitoring",
- "gcp-network",
- "gcp-notebooks",
- "gcp-orgpolicy",
- "gcp-pubsub",
- "gcp-scheduler",
- "gcp-spanner",
- "gcp-sql",
- "gcp-storage"
- ]
-}
\ No newline at end of file
diff --git a/baselines/getting_started/turbot/cis_mod/README.md b/baselines/getting_started/turbot/cis_mod/README.md
deleted file mode 100644
index dc215443b..000000000
--- a/baselines/getting_started/turbot/cis_mod/README.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# CIS - Mods install
-
-Turbot provides CIS mod, covering CIS policies and controls definition, mods are installed with the top Turbot resource as the parent. This means that administrators must be at the Turbot resource level with Turbot/Owner permissions to make modifications, installing, uninstalling, or updating, to mods in the environment.
-
-More information can be found [here](https://turbot.com/v5/docs/mods)
-
-## Requirements
-
-- Terraform v0.13 or greater installed
-- Valid Turbot configuration credentials
-
-For further information on configuring Turbot credentials can be found [here](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials).
-
-### Initialize
-
-1. Navigate to the cis_mod folder.
-2. Run the command:
-
- ```shell
- terraform init
- ```
-
-### Profile name as input
-
-This set requires you to provide `turbot_profile` name as input. This is to help in case you are having more profiles than only `default`. In case it's default, specify name as default.
-
-```shell
-var.turbot_profile
- Enter profile matching your turbot cli credentials.
- Enter a value:
-```
-
-### Apply installation
-
-The installation can be applied without an input variable file.
-
-1. By this time Terraform initialization is done as mentioned above.
-3. Prefer to check the outcome by running the Terraform plan
-3. Apply the Terraform
-4. Run the command:
-
-```shell
-cd
-terraform plan
-terraform apply
-```
-
-### Destroy installation
-
-If seeking to apply the installation without using an input variable file.
-
-1. Navigate to the folder containing the installation configuration.
-2. Run the command:
-
- ```shell
- terraform destroy
- ```
-
-## Commenting strategy
-
-All Turbot policies used by the installation will have a link to the official Turbot Mods documentation.
-
-Opening the links will give you further details about:
-
-- The purpose of the policy
-- Policy URI name
-- Parent information
-- Category information
-- Target information
-- All valid values
diff --git a/baselines/getting_started/turbot/cis_mod/outputs.tf b/baselines/getting_started/turbot/cis_mod/outputs.tf
deleted file mode 100644
index 35dbdb780..000000000
--- a/baselines/getting_started/turbot/cis_mod/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "turbot_profile" {
- value = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/turbot/cis_mod/provider.tf b/baselines/getting_started/turbot/cis_mod/provider.tf
deleted file mode 100644
index 715fb0f92..000000000
--- a/baselines/getting_started/turbot/cis_mod/provider.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
\ No newline at end of file
diff --git a/baselines/getting_started/turbot/cis_mod/variables.tf b/baselines/getting_started/turbot/cis_mod/variables.tf
deleted file mode 100644
index c2f147861..000000000
--- a/baselines/getting_started/turbot/cis_mod/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-variable "turbot_profile" {
- type = string
- description = "Turbot profile for the workspace where this terraform code will be executed"
-}
\ No newline at end of file
diff --git a/baselines/getting_started/turbot/smart_retention/README.md b/baselines/getting_started/turbot/smart_retention/README.md
deleted file mode 100644
index 4d050381a..000000000
--- a/baselines/getting_started/turbot/smart_retention/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Smart Retention Baseline
-
-Stale data from processes and deleted resources can accumulate over time. Turbot Enterprise 5.23.0 introduced Smart Retention that will clean up this unwanted data. Please refer to [Turbot > Workspace > Retention](https://turbot.com/v5/mods/turbot/turbot/inspect#/policy/types/retention) for more information.
-
-## Pre-requisites
-
-To run the local directory baseline, you must have:
-
-- [Terraform](https://www.terraform.io) Version 12
-- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
-- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) configured to connect to your Turbot workspace
-
-## Running the Baseline
-
-To execute the baseline you must run terraform and specify the local directory name you wish to create and list of users you want to grant Turbot/Owner and Turbot/Admin role.
-
-To run the mod install baseline:
-
-- Go to the AWS permissions directory with `cd local_directory`
-- Update `default.tfvars` with appropriate values
-- Run `terraform plan -var-file=default.tfvars` to review the plan for aws permissions
-- Run `terraform apply -var-file=default.tfvars` to apply the changes
diff --git a/baselines/getting_started/turbot/smart_retention/default.tfvars b/baselines/getting_started/turbot/smart_retention/default.tfvars
deleted file mode 100644
index 6a737d7fc..000000000
--- a/baselines/getting_started/turbot/smart_retention/default.tfvars
+++ /dev/null
@@ -1,5 +0,0 @@
-min_retention = 14
-max_retention = 365
-debug_logs = 14
-enforce_smart_retention = true
-purge_limit = 30
diff --git a/baselines/getting_started/turbot/smart_retention/main.tf b/baselines/getting_started/turbot/smart_retention/main.tf
deleted file mode 100644
index b49673bdd..000000000
--- a/baselines/getting_started/turbot/smart_retention/main.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-// https://turbot.com/v5/mods/turbot/turbot/inspect#/policy/types/retention
-resource "turbot_policy_setting" "turbot_smart_retention" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot#/policy/types/retention"
- value = "Enforce: Enable purging via Smart Retention"
- //Skip
- //Check: Preview purging via Smart Retention
- //Enforce: Enable purging via Smart Retention
-}
-
-resource "turbot_policy_setting" "sr_debug_log_retention" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot#/policy/types/debugLogRetention"
- value = var.debug_logs
- //Minimum value: 1
- //Default: 14
-}
-
-resource "turbot_policy_setting" "sr_max_retention" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot#/policy/types/maximumRetention"
- value = var.max_retention
- // minimum: 1,
- // default: 365,
-}
-
-// https://turbot.com/v5/mods/turbot/turbot/inspect#/policy/types/minimumRetention
-resource "turbot_policy_setting" "sr_min_retention" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot#/policy/types/minimumRetention"
- value = var.min_retention
- // minimum: 1,
- // default: 7,
-}
-
-// https://turbot.com/v5/mods/turbot/turbot/inspect#/policy/types/resourcePurgeLimit
-resource "turbot_policy_setting" "sr_purge_limit" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot#/policy/types/resourcePurgeLimit"
- value = var.purge_limit
- // minimum: 1
- // default: 30
-}
diff --git a/baselines/getting_started/turbot/smart_retention/variables.tf b/baselines/getting_started/turbot/smart_retention/variables.tf
deleted file mode 100644
index 57b1b3f37..000000000
--- a/baselines/getting_started/turbot/smart_retention/variables.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-variable "enforce_smart_retention" {
- description = "Enter the name for the local directory to be created:"
- type = bool
- default = true
-}
-
-variable "min_retention" {
- type = number
- default = 14
-}
-
-variable "max_retention" {
- type = number
- default = 365
-}
-
-variable "purge_limit" {
- type = number
- default = 30
-}
-
-variable "debug_logs" {
- type = number
- default = 14
-}
diff --git a/baselines/getting_started/turbot/turbot_profiles/main.tf b/baselines/getting_started/turbot/turbot_profiles/main.tf
deleted file mode 100644
index 47376f929..000000000
--- a/baselines/getting_started/turbot/turbot_profiles/main.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Adding additional Profiles to the Turbot.com Directory
-# This baseline is specifically to create profiles in an exisiting turbot.com
-# Will grant the Turbot/Owner role to each profile at the Turbot root level
-# Will activate each Turbot/Owner grant to each profile
-
-variable "turbot_profile" {
- description = "Enter profile matching your turbot cli credentials."
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
-
-## Vars to Map resources to tag
-variable "directory_id" {
- description = "Directory ID where profiles are created"
- type = string
-}
-
-variable "user_profile" {
- description = "Map of the list of turbot.com profileIds. Update in terraform.tfvars"
- type = map
-}
diff --git a/baselines/getting_started/turbot/turbot_profiles/turbot_profiles.tf b/baselines/getting_started/turbot/turbot_profiles/turbot_profiles.tf
deleted file mode 100644
index e7d903b7b..000000000
--- a/baselines/getting_started/turbot/turbot_profiles/turbot_profiles.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-# Creates profiles in an exisiting turbot.com defined in terraform.tfvars
-# Will grant the Turbot/Owner role to each profile at the Turbot root level
-# Will activate each Turbot/Owner grant to each profile
-
-resource "turbot_profile" "create_profile" {
- for_each = var.user_profile
- parent = var.directory_id
- email = each.value.email
- title = each.value.name
- display_name = each.value.name
- given_name = element(split(" ", each.value.name), 0)
- family_name = element(split(" ", each.value.name), 1)
- status = "Active"
- profile_id = each.key
-}
-
-resource "turbot_grant" "profile_grant_turbot_owner" {
- for_each = var.user_profile
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
- level = "tmod:@turbot/turbot-iam#/permission/levels/owner"
- identity = turbot_profile.create_profile[each.key].id
-}
-
-resource "turbot_grant_activation" "activate_turbot_owner_grant" {
- for_each = var.user_profile
- resource = "tmod:@turbot/turbot#/"
- grant = turbot_grant.profile_grant_turbot_owner[each.key].id
-}
diff --git a/baselines/getting_started/turbot/turbot_profiles/versions.tf b/baselines/getting_started/turbot/turbot_profiles/versions.tf
deleted file mode 100644
index 24d2520c8..000000000
--- a/baselines/getting_started/turbot/turbot_profiles/versions.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- }
- required_version = ">= 0.13"
-}
diff --git a/baselines/guardrails/folder_hierarchy/README.md b/baselines/guardrails/folder_hierarchy/README.md
new file mode 100644
index 000000000..dd816b243
--- /dev/null
+++ b/baselines/guardrails/folder_hierarchy/README.md
@@ -0,0 +1,79 @@
+# Folder Hierarchy Installation
+
+This script sets up a foundational folder hierarchy within Turbot Guardrails to organize your cloud resources across AWS, Azure, and GCP. By default, it creates a base folder for your workspace and subfolders for AWS, Azure, and GCP resources. This structure helps in managing policies, controls, and resources more efficiently within your Turbot environment.
+
+## Documentation
+
+- **[Review Folder Hierarchy Documentation →](https://turbot.com/guardrails/docs/concepts/resources/hierarchy)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To create a folder hierarchy using Terraform:
+
+- Ensure you have `Turbot/Admin` permissions (or higher) in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `folder_hierarchy` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the folder hierarchy configuration:
+
+```sh
+terraform apply
+```
+
+### Destroy
+
+You can destroy the folder hierarchy setup in one of two ways:
+
+```sh
+terraform destroy
+```
+
+## Folder Hierarchy Structure
+
+The following folder structure will be created within your Turbot environment:
+
+```
+Turbot/
+└── Company/
+ │
+ ├── AWS/
+ │
+ ├── Azure/
+ │
+ └── GCP/
+```
+
+- **Base Folder (`Company`)**: The root folder for your workspace. Example: Acme
+- **AWS**: A subfolder dedicated to organizing AWS resources.
+- **Azure**: A subfolder dedicated to organizing Azure resources.
+- **GCP**: A subfolder dedicated to organizing GCP resources.
+
+This structure helps keep your cloud resources organized, allowing for easy management and application of policies across different cloud providers.
diff --git a/baselines/guardrails/folder_hierarchy/main.tf b/baselines/guardrails/folder_hierarchy/main.tf
new file mode 100644
index 000000000..2ee613503
--- /dev/null
+++ b/baselines/guardrails/folder_hierarchy/main.tf
@@ -0,0 +1,28 @@
+# Base folder (Turbot > workspacename)
+resource "turbot_folder" "workspace_base_folder" {
+ parent = "tmod:@turbot/turbot#/"
+ title = var.base_folder_name
+ description = "Base folder for the Workspace"
+ akas = ["base_folder"]
+}
+
+# AWS Base folder (Turbot > workspacename > AWS)
+resource "turbot_folder" "aws_base_folder" {
+ parent = turbot_folder.workspace_base_folder.id
+ title = "AWS"
+ description = "Base folder for AWS Resources"
+}
+
+# Azure Base folder (Turbot > workspacename > Azure)
+resource "turbot_folder" "azure_base_folder" {
+ parent = turbot_folder.workspace_base_folder.id
+ title = "Azure"
+ description = "Base folder for Azure Resources"
+}
+
+# GCP Base folder (Turbot > workspacename > GCP)
+resource "turbot_folder" "gcp_base_folder" {
+ parent = turbot_folder.workspace_base_folder.id
+ title = "GCP"
+ description = "Base folder for GCP Resources"
+}
diff --git a/baselines/guardrails/folder_hierarchy/providers.tf b/baselines/guardrails/folder_hierarchy/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/guardrails/folder_hierarchy/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
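Review bot: Only `workspace_base_folder` is given an `akas` entry; `aws_base_folder`, `azure_base_folder` and `gcp_base_folder` get none, although the variables.tf description in this same commit says the hierarchy is where accounts will be imported, so any later import configuration has to reference those subfolders by id rather than by a stable aka. Adding one per provider folder in the same style, e.g. `akas = ["aws_base_folder"]` on the AWS resource, keeps the four resources consistent and lets downstream baselines address them the way the deleted gcp_check_stack variables already did ("resource ID or AKA"). A one-line comment on the base folder, `# aka is a workspace-level reference used by other baselines; keep it stable`, would explain why the value is hard-coded rather than derived from var.base_folder_name.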
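Review bot: The `version = ">= 1.11.0"` constraint in `required_providers` has no upper bound, so a future major release of the turbot provider can change how `turbot_folder` and `turbot_mod` behave underneath this baseline without any change here, and the file also drops the `required_version` that the deleted getting_started provider files carried. A pessimistic constraint such as `version = "~> 1.11"`, a `required_version` matching the Terraform release these baselines are tested on, and committing the `.terraform.lock.hcl` produced by init keep applies reproducible. The empty `provider "turbot" {}` block means credentials come solely from the TURBOT_* environment described in the README, which is fine but worth a one-line comment in the block. The identical file is added as `baselines/guardrails/guardrails_mods/providers.tf` later in this diff and the same points apply there.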
diff --git a/baselines/guardrails/folder_hierarchy/variables.tf b/baselines/guardrails/folder_hierarchy/variables.tf
new file mode 100644
index 000000000..8c40a35fa
--- /dev/null
+++ b/baselines/guardrails/folder_hierarchy/variables.tf
@@ -0,0 +1,4 @@
+variable "base_folder_name" {
+ description = "The name of the Base folder `Turbot > BaseFolder`. The base for the rest of the folder hierarchy where the accounts will be imported."
+ type = string
+}
diff --git a/baselines/guardrails/guardrails_mods/README.md b/baselines/guardrails/guardrails_mods/README.md
new file mode 100644
index 000000000..762136a2e
--- /dev/null
+++ b/baselines/guardrails/guardrails_mods/README.md
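Review bot: `base_folder_name` has neither a default nor a `validation` block, so the bare `terraform apply` the README describes prompts interactively and an empty or whitespace-only answer is only rejected, if at all, once the provider call for `workspace_base_folder` fails. A validation block makes the failure local and descriptive before any API call is made, and it is the place to state the constraint the description only implies (it becomes the folder title shown in the hierarchy). The README's tree diagram uses `Company` as the example value; if that is the intended convention, a `default` would let the documented commands run without a prompt.

```hcl
variable "base_folder_name" {
  # … unchanged: description …
  type        = string

  validation {
    condition     = length(trimspace(var.base_folder_name)) > 0
    error_message = "base_folder_name must not be empty; it becomes the title of the base folder."
  }
}
```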
@@ -0,0 +1,106 @@
+# Guardrails Mods Installation
+
+Turbot Guardrails provides a set of mods that enforce best practices, security controls, and compliance frameworks across your cloud environment. This README guides you through the process of installing Guardrails mods using Terraform. The example provided installs the CIS (Center for Internet Security) mod, which is designed to help you achieve and maintain CIS compliance across your resources.
+
+## Documentation
+
+- **[Review Guardrails Mods Documentation →](https://hub.guardrails.turbot.com/mods/turbot/mods/cis)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To install Guardrails mods using Terraform:
+
+- Ensure you have `Turbot/Owner` permissions in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `guardrails_mods` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the Guardrails mod:
+
+#### 1. Using an Input Variable File (If Applicable)
+
+If you have customized a `default.tfvars` file with specific parameters for the CIS mod or additional mods, you can apply the configuration as follows:
+
+```sh
+terraform apply --var-file=default.tfvars -parallelism=1
+```
+
+#### 2. Without an Input Variable File
+
+To install the guardrails mods mod without using an input variable file, run:
+
+```sh
+terraform apply -parallelism=1
+```
+
+### Destroy
+
+You can remove the Guardrails mod in one of two ways:
+
+#### 1. Using an Input Variable File
+
+Run the following command to destroy the Guardrails mod configuration using a specific input variable file:
+
+```sh
+terraform destroy --var-file=default.tfvars -parallelism=1
+```
+
+#### 2. Without an Input Variable File
+
+Run the following command to destroy the Guardrails mod configuration without using an input variable file:
+
+```sh
+terraform destroy -parallelism=1
+```
+
+## Overview of Guardrails Mods Configuration
+
+This setup installs the CIS mod within your Turbot Guardrails environment:
+
+### 1. CIS Mod Installation
+
+- **Mod**: `turbot_mod.cis`
+- **Description**: This mod applies CIS (Center for Internet Security) benchmarks to your cloud resources, ensuring they meet rigorous security and compliance standards.
+- **Version**: `>=5.0.0`
+
+This mod helps you automate compliance with the CIS benchmarks, providing continuous monitoring and enforcement across your AWS environment.
+
+## Commenting Strategy
+
+All Turbot policies and mods include links to the official Turbot Mods documentation.
+
+These links provide further details about:
+
+- The purpose of the policy or mod
+- Policy URI name or Mod details
+- Parent information
+- Category information
+- Target information
+- All valid values
diff --git a/baselines/getting_started/turbot/cis_mod/mod_install.tf b/baselines/guardrails/guardrails_mods/mod_install.tf
similarity index 69%
rename from baselines/getting_started/turbot/cis_mod/mod_install.tf
rename to baselines/guardrails/guardrails_mods/mod_install.tf
index 1903be46b..81acf8812 100644
--- a/baselines/getting_started/turbot/cis_mod/mod_install.tf
+++ b/baselines/guardrails/guardrails_mods/mod_install.tf
@@ -1,4 +1,4 @@
-# https://turbot.com/v5/mods/turbot/cis
+# https://hub.guardrails.turbot.com/mods/turbot/mods/cis
 resource "turbot_mod" "cis" {
 parent = "tmod:@turbot/turbot#/"
 org = "turbot"
diff --git a/baselines/guardrails/guardrails_mods/providers.tf b/baselines/guardrails/guardrails_mods/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/guardrails/guardrails_mods/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/guardrails/local_directory/README.md b/baselines/guardrails/local_directory/README.md
new file mode 100644
index 000000000..c682e5892
--- /dev/null
+++ b/baselines/guardrails/local_directory/README.md
@@ -0,0 +1,77 @@
+# Local Directory Installation
+
+This script sets up a local directory "Turbot Support Team Login" within Turbot Guardrails and creates two users: **Guardrails Admin** and **Guardrails Support**. The Guardrails Admin user is granted `Turbot/Owner` permissions, and the Guardrails Support user is granted `Turbot/Operator` permissions. These roles ensure that the necessary administrative and support tasks can be performed within the Turbot environment.
+
+## Documentation
+
+- **[Review Local Directory Documentation →](https://turbot.com/guardrails/docs/guides/directories/local)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To create a local directory and users using Terraform:
+
+- Ensure you have `Turbot/Owner` permissions in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `local_directory` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the configuration to set up the local directory and users:
+
+```sh
+terraform apply
+```
+
+### Destroy
+
+You can remove the local directory setup in one of two ways:
+
+```sh
+terraform destroy
+```
+
+## Overview of Local Directory Configuration
+
+This setup creates a local directory within Turbot Guardrails and adds two users with distinct roles:
+
+### 1. Guardrails Admin
+
+- **User Details**:
+ - Email: `admin@turbot.com`
+ - Role: Guardrails Admin
+- **Permissions**: Granted `Turbot/Owner` permissions, enabling full control over the Turbot environment.
+
+### 2. Guardrails Support
+
+- **User Details**:
+ - Email: `support@turbot.com`
+ - Role: Guardrails Support
+- **Permissions**: Granted `Turbot/Operator` permissions, allowing for operational tasks within the Turbot environment.
+
+This structure ensures that both administrative and support functions are covered with appropriate access levels.
diff --git a/baselines/guardrails/local_directory/main.tf b/baselines/guardrails/local_directory/main.tf
new file mode 100644
index 000000000..473945a2b
--- /dev/null
+++ b/baselines/guardrails/local_directory/main.tf
@@ -0,0 +1,81 @@
+# Turbot Local Directory Creation
+resource "turbot_local_directory" "local_dir" {
+ profile_id_template = "turbot.local.{{profile.email}}"
+ title = "Turbot Support Team Login"
+ parent = "tmod:@turbot/turbot#/"
+ description = "Turbot Support Team Login"
+}
+
+# User Creation
+resource "turbot_local_directory_user" "support_user" {
+ title = "Guardrails Support"
+ email = "support@turbot.com"
+ display_name = "Guardrails Support"
+ given_name = "Guardrails"
+ family_name = "Support"
+ parent = turbot_local_directory.local_dir.id
+}
+
+# Profile Creation
+resource "turbot_profile" "support_user_profile" {
+ title = "Guardrails Support"
+ email = "support@turbot.com"
+ status = "Active"
+ given_name = "Guardrails"
+ family_name = "Support"
+ display_name = "Guardrails Support"
+ parent = turbot_local_directory.local_dir.id
+ profile_id = "turbot.local.support@turbot.com"
+}
+
+# Grant Creation
+resource "turbot_grant" "support_user_grant_turbot_operator" {
+ depends_on = [turbot_profile.support_user_profile]
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
+ level = "tmod:@turbot/turbot-iam#/permission/levels/operator"
+ identity = turbot_profile.support_user_profile.id
+}
+
+# Grant Activation
+resource "turbot_grant_activation" "support_user_owner_activation" {
+ resource = "tmod:@turbot/turbot#/"
+ grant = turbot_grant.support_user_grant_turbot_operator.id
+}
+
+# User Creation
+resource "turbot_local_directory_user" "guardrails_admin" {
+ title = "Guardrails Admin"
+ email = "admin@turbot.com"
+ display_name = "Guardrails Admin"
+ given_name = "Guardrails"
+ family_name = "Admin"
+ parent = turbot_local_directory.local_dir.id
+}
+
+# Profile Creation
+resource "turbot_profile" "guardrails_admin_profile" {
+ title = "Guardrails Admin"
+ email = "admin@turbot.com"
+ status = "Active"
+ given_name = "Guardrails"
+ family_name = "Admin"
+ display_name = "Guardrails Admin"
+ parent = turbot_local_directory.local_dir.id
+ profile_id = "turbot.local.admin@turbot.com"
+}
+
+# Grant Creation
+resource "turbot_grant" "guardrails_admin_grant_turbot_owner" {
+ depends_on = [turbot_profile.guardrails_admin_profile]
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
+ level = "tmod:@turbot/turbot-iam#/permission/levels/owner"
+ identity = turbot_profile.guardrails_admin_profile.id
+}
+
+# Grant Activation
+resource "turbot_grant_activation" "guardrails_admin_owner_activation" {
+ resource = "tmod:@turbot/turbot#/"
+ grant = turbot_grant.guardrails_admin_grant_turbot_owner.id
+}
diff --git a/baselines/guardrails/local_directory/providers.tf b/baselines/guardrails/local_directory/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/guardrails/local_directory/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/guardrails/turbot_profiles/README.md b/baselines/guardrails/turbot_profiles/README.md
new file mode 100644
index 000000000..ca486cc00
--- /dev/null
+++ b/baselines/guardrails/turbot_profiles/README.md
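Review bot: `turbot_grant.guardrails_admin_grant_turbot_owner` gives a hard-coded `admin@turbot.com` local-directory profile standing `Turbot/Owner` at the workspace root (`tmod:@turbot/turbot#/`), with no expiry and no way to change the identity short of editing main.tf; the two e-mail addresses and the two permission levels should be input variables, and a comment on the grant should say that this is a permanent root-owner account for an external support team and how it is reviewed or revoked. The same commit deletes the SOC2 mapping that cites time-limited grant activation as the control for CC6.2/CC6.3, so if the turbot provider offers a time-bound activation it should be used here, otherwise the permanence needs to be documented. Separately, `turbot_grant_activation.support_user_owner_activation` activates the operator grant, so the name is misleading; rename it to `support_user_operator_activation`. The `depends_on` on both grants is redundant, because `identity = turbot_profile.<name>.id` already establishes the dependency.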
@@ -0,0 +1,94 @@
+# Turbot Directory Installation
+
+This script sets up a new Turbot.com directory within Turbot Guardrails and adds additional profiles with `Turbot/Owner` permissions at the root level. This allows designated users to have full administrative access to the Turbot environment through the new SAML-integrated directory.
+
+## Documentation
+
+- **[Review Turbot Directory Documentation →](https://turbot.com/guardrails/docs/guides/directories/local#create-a-turbot-directory)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To create a Turbot.com directory and configure profiles using Terraform:
+
+- Ensure you have `Turbot/Owner` permissions in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `turbot_directory` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the configuration to set up the Turbot directory and profiles:
+
+The `default.tfvars` file should be customized with the list of profiles to be created. Apply the configuration as follows:
+
+```sh
+terraform apply --var-file=default.tfvars
+```
+
+### Destroy
+
+You can remove the Turbot directory and profiles setup in one of two ways:
+
+Run the following command to destroy the Turbot directory configuration using a specific input variable file:
+
+```sh
+terraform destroy --var-file=default.tfvars
+```
+
+## Overview of Turbot Directory Configuration
+
+This setup creates a new Turbot.com directory and configures profiles with `Turbot/Owner` permissions:
+
+### 1. Directory Creation
+
+- **Directory**: The script creates a new Turbot.com directory for SAML authentication. This allows users to log in to Turbot workspaces through the new directory.
+
+### 2. Profile Creation
+
+- **Profiles**: Profiles are created based on the entries in the `default.tfvars` file. Each profile is configured with:
+ - **Name**: Full name of the user (e.g., "First Last").
+ - **Email**: The email address associated with the Turbot.com account.
+
+### 3. Permissions
+
+- **Turbot/Owner Role**: Each profile is granted `Turbot/Owner` permissions, providing full administrative access to the Turbot environment.
+- **Grant Activation**: The owner grants are activated for each profile, ensuring they have the necessary permissions to manage the Turbot environment.
+
+## Example `default.tfvars` Configuration
+
+Here's an example configuration in the `default.tfvars` file:
+
+```hcl
+user_profile = {
+ "profileId1" = { name = "First Last", email = "email@email.com" },
+ "profileId2" = { name = "First Last", email = "email@email.com" },
+ "profileId3" = { name = "First Last", email = "email@email.com" }
+}
+```
+
+Update this file with the list of profiles to be added.
diff --git a/baselines/getting_started/turbot/turbot_profiles/demo.tfvars b/baselines/guardrails/turbot_profiles/default.tfvars
similarity index 77%
rename from baselines/getting_started/turbot/turbot_profiles/demo.tfvars
rename to baselines/guardrails/turbot_profiles/default.tfvars
index 06d05d9b3..7d6e7e16d 100644
--- a/baselines/getting_started/turbot/turbot_profiles/demo.tfvars
+++ b/baselines/guardrails/turbot_profiles/default.tfvars
@@ -1,8 +1,3 @@
-# Exisiting directory id which profiles are being created in
-# e.g. "123456789012345"
-directory_id = "123456789012345" # replace with the Directory Id you are using
-
-
 # Update this profile list to add in profiles into the directory
 # For a turbot.com directory, the profileId would be the turbot.com username
 # Name is the Full Name, the profile logic just assumes a First and Last Name separated by a space
@@ -12,4 +7,4 @@ user_profile = {
 "profileId1" = { name = "First Last", email = "email@email.com" },
 "profileId2" = { name = "First Last", email = "email@email.com" },
 "profileId3" = { name = "First Last", email = "email@email.com" }
-}
\ No newline at end of file
+}
diff --git a/baselines/guardrails/turbot_profiles/main.tf b/baselines/guardrails/turbot_profiles/main.tf
new file mode 100644
index 000000000..bc37d3ae4
--- /dev/null
+++ b/baselines/guardrails/turbot_profiles/main.tf
@@ -0,0 +1,37 @@
+# Directory Creation
+resource "turbot_turbot_directory" "turbot_dir" {
+ parent = "tmod:@turbot/turbot#/"
+ title = "Turbot SAML"
+ description = "Allow login through turbot directory to turbot workspaces."
+ profile_id_template = "turbot.directory.{{profile.$source.name}}"
+ server = "turbot.com"
+}
+
+# Creates profiles defined in terraform.tfvars
+# Will grant the Turbot/Owner role to each profile at the Turbot root level
+# Will activate each Turbot/Owner grant to each profile
+resource "turbot_profile" "create_profile" {
+ for_each = var.user_profile
+ parent = turbot_turbot_directory.turbot_dir.id
+ email = each.value.email
+ title = each.value.name
+ display_name = each.value.name
+ given_name = element(split(" ", each.value.name), 0)
+ family_name = element(split(" ", each.value.name), 1)
+ status = "Active"
+ profile_id = "turbot.directory.${each.key}"
+}
+
+resource "turbot_grant" "profile_grant_turbot_owner" {
+ for_each = var.user_profile
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
+ level = "tmod:@turbot/turbot-iam#/permission/levels/owner"
+ identity = turbot_profile.create_profile[each.key].id
+}
+
+resource "turbot_grant_activation" "activate_turbot_owner_grant" {
+ for_each = var.user_profile
+ resource = "tmod:@turbot/turbot#/"
+ grant = turbot_grant.profile_grant_turbot_owner[each.key].id
+}
diff --git a/baselines/guardrails/turbot_profiles/providers.tf b/baselines/guardrails/turbot_profiles/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/guardrails/turbot_profiles/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/guardrails/turbot_profiles/variables.tf b/baselines/guardrails/turbot_profiles/variables.tf
new file mode 100644
index 000000000..a8c29e786
--- /dev/null
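Review bot: `family_name = element(split(" ", each.value.name), 1)` silently produces wrong data for any name that is not exactly two words, because `element` wraps its index modulo the list length: a one-word name gets the given name repeated as the family name, and a three-word name loses its third part. Either validate the shape of `user_profile` in variables.tf or derive the family name from everything after the first word, e.g. `family_name = join(" ", slice(split(" ", each.value.name), 1, length(split(" ", each.value.name))))`. The header comment `# Creates profiles defined in terraform.tfvars` names a file this baseline does not ship; the README and the renamed tfvars use default.tfvars, so it should read `# Creates profiles defined in default.tfvars`. Note also that `level` in `profile_grant_turbot_owner` is fixed to owner for every entry, so the map cannot express a lower-privilege profile; a per-entry `level` field defaulting to owner would let the baseline follow least privilege.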
+++ b/baselines/guardrails/turbot_profiles/variables.tf
@@ -0,0 +1,4 @@
+variable "user_profile" {
+ description = "Map of the list of turbot.com profileIds. Update in default.tfvars"
+ type = map(any)
+}
diff --git a/baselines/guardrails/workspace_settings/README.md b/baselines/guardrails/workspace_settings/README.md
new file mode 100644
index 000000000..f935eae45
--- /dev/null
+++ b/baselines/guardrails/workspace_settings/README.md
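Review bot: `type = map(any)` accepts any value shape, so a misspelt key in default.tfvars (say `emial`) is only reported when main.tf evaluates `each.value.email`, with an error that points at the wrong file, and a one-word `name` is never caught even though main.tf splits it into given and family names. Declare the object shape and add a validation for the two-word assumption; the version below keeps the variable name and description unchanged so main.tf and the README need no edits.
```hcl
variable "user_profile" {
  description = "Map of the list of turbot.com profileIds. Update in default.tfvars"
  type = map(object({
    name  = string
    email = string
  }))

  validation {
    condition     = alltrue([for p in var.user_profile : length(split(" ", p.name)) == 2])
    error_message = "Each user_profile name must be exactly two words, \"First Last\", because main.tf derives given_name and family_name from it."
  }
}
```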
@@ -0,0 +1,109 @@
+# Workspace Settings Installation
+
+This script configures essential workspace settings within Turbot Guardrails, covering policies related to quick actions, retention, resource limits, Terraform versioning, and mod updates. These settings ensure that your Turbot environment is managed efficiently and adheres to your organization's best practices.
+
+## Documentation
+
+- **[Review Workspace Settings Documentation →](https://hub.guardrails.turbot.com/mods/turbot/policies)**
+
+## Getting Started
+
+### Requirements
+
+- [Terraform](https://developer.hashicorp.com/terraform/install)
+
+### Credentials
+
+To apply workspace settings using Terraform:
+
+- Ensure you have `Turbot/Owner` permissions in Guardrails.
+- [Create access keys](https://turbot.com/guardrails/docs/guides/iam/access-keys#generate-a-new-guardrails-api-access-key) in Guardrails.
+
+Then set your credentials:
+
+```sh
+export TURBOT_WORKSPACE=myworkspace.acme.com
+export TURBOT_ACCESS_KEY=acce6ac5-access-key-here
+export TURBOT_SECRET_KEY=a8af61ec-secret-key-here
+```
+
+Please see [Turbot Guardrails Provider authentication](https://registry.terraform.io/providers/turbot/turbot/latest/docs#authentication) for additional authentication methods.
+
+## Usage
+
+### Initialize Terraform
+
+1. Navigate to the `workspace_settings` folder.
+2. Run the command:
+
+```sh
+terraform init
+```
+
+### Install
+
+After initializing Terraform, you can apply the configuration to set up the workspace settings:
+
+```sh
+terraform apply
+```
+
+### Destroy
+
+You can remove the workspace settings configuration:
+
+```sh
+terraform destroy
+```
+
+## Overview of Workspace Settings
+
+This setup configures the following key policies within your Turbot workspace:
+
+### 1. Quick Actions Enabled
+
+- **Policy**: `turbot_quick_actions_enabled`
+- **Description**: Enables or disables quick actions in the Turbot console.
+- **Setting**: `"Enabled"`
+
+### 2. Retention Policy
+
+- **Policy**: `turbot_retention`
+- **Description**: Enforces smart retention policies for resource data within Turbot.
+- **Setting**: `"Enforce: Enable purging via Smart Retention"`
+
+### 3. Maximum Retention
+
+- **Policy**: `turbot_maximum_retention`
+- **Description**: Sets the maximum retention period for resource data in days.
+- **Setting**: `90 days`
+
+### 4. Resource Purge Limit
+
+- **Policy**: `turbot_resource_purge_limit`
+- **Description**: Sets the limit on the number of resources that can be purged at once.
+- **Setting**: `500 resources`
+
+### 5. Stack Terraform Version
+
+- **Policy**: `turbot_stack_terraform_version`
+- **Description**: Specifies the Terraform version to be used for stack deployments.
+- **Setting**: `"0.15.*"`
+
+### 6. Mod Auto-Update
+
+- **Policy**: `turbot_mod_auto_update`
+- **Description**: Controls the automatic update of mods within the defined change window.
+- **Setting**: `"Enforce within Mod Change Window"`
+
+### 7. Mod Change Window Schedule
+
+- **Policy**: `turbot_mod_change_window_schedule`
+- **Description**: Defines the schedule for when mod updates can occur.
+- **Setting**:
+ ```yaml
+ - name: Weekly
+ description: 'Weekly, Saturday 09:00 AM to Saturday 09:00 PM UTC'
+ cron: '0 9 * * SAT'
+ duration: 12 hours
+ ```
diff --git a/baselines/guardrails/workspace_settings/main.tf b/baselines/guardrails/workspace_settings/main.tf
new file mode 100644
index 000000000..b499ace29
--- /dev/null
+++ b/baselines/guardrails/workspace_settings/main.tf
@@ -0,0 +1,62 @@
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/quickActionsEnabled
+resource "turbot_policy_setting" "turbot_quick_actions_enabled" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/quickActionsEnabled"
+ value = "Enabled"
+ # Enabled
+ # Disabled
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/retention
+resource "turbot_policy_setting" "turbot_retention" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/retention"
+ value = "Enforce: Enable purging via Smart Retention"
+ # Skip
+ # Check: Preview purging via Smart Retention
+ # Enforce: Enable purging via Smart Retention
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/maximumRetention
+resource "turbot_policy_setting" "turbot_maximum_retention" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/maximumRetention"
+ value = 90
+ # Minimum: 1
+ # Default: 365
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/resourcePurgeLimit
+resource "turbot_policy_setting" "turbot_resource_purge_limit" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/resourcePurgeLimit"
+ value = 500
+ # Minimum: 1
+ # Default: 30
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/stackTerraformVersion
+resource "turbot_policy_setting" "turbot_stack_terraform_version" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/stackTerraformVersion"
+ value = "0.15.*"
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/modAutoUpdate
+resource "turbot_policy_setting" "turbot_mod_auto_update" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/modAutoUpdate"
+ value = "Enforce within Mod Change Window"
+}
+
+# https://hub.guardrails.turbot.com/mods/turbot/policies/turbot/modChangeWindowSchedule
+resource "turbot_policy_setting" "turbot_mod_change_window_schedule" {
+ resource = "tmod:@turbot/turbot#/"
+ type = "tmod:@turbot/turbot#/policy/types/modChangeWindowSchedule"
+ value = <<-EOT
+ - name: Weekly
+ description: 'Weekly, Saturday 09:00 AM to Saturday 09:00 PM UTC'
+ cron: '0 9 * * SAT'
+ duration: 12
+ EOT
+}
diff --git a/baselines/guardrails/workspace_settings/providers.tf b/baselines/guardrails/workspace_settings/providers.tf
new file mode 100644
index 000000000..3ede1821a
--- /dev/null
+++ b/baselines/guardrails/workspace_settings/providers.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_providers {
+ turbot = {
+ source = "turbot/turbot"
+ version = ">= 1.11.0"
+ }
+ }
+}
+
+provider "turbot" {
+}
diff --git a/baselines/mappings/README.md b/baselines/mappings/README.md
deleted file mode 100644
index 8785d530e..000000000
--- a/baselines/mappings/README.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Mappings
-
-Turbot Control Mappings provide guidance of linking Turbot features to common control frameworks. Mappings are provided in markdown to collaborate through our TDK. Turbot has csv/xlsx versions as well. As our mappings grow, we will continue to add policy baselines and reports supporting them. Please feel free to contribute through the TDK or reach out to connect@turbot.com to collaborate.
-
-## Current Mappings
-
-| Mappings | Path | Description |
-| --------------------------- | ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------- |
-| SOC2 | [SOC2](./soc2) | SOC2 Trust Criteria + COSO Principles |
-
diff --git a/baselines/mappings/soc2/soc2-turbot-mapping.md b/baselines/mappings/soc2/soc2-turbot-mapping.md
deleted file mode 100644
index 62df04ec5..000000000
--- a/baselines/mappings/soc2/soc2-turbot-mapping.md
+++ /dev/null
@@ -1,41 +0,0 @@ -# SOC2 Mapping - -There are 33 primary SOC2 controls, while many are satisfied by organizational policies & procedures, 60% are technical controls which require ongoing evidence your organization is in adherence. Below is a full mapping to SOC2 Controls, COSO Principles, and Turbot Features - -## Current Mappings - -| Category | SOC2 TSC Ref. # | COSO Principle | Criteria Summary | Turbot Feature Mapping | Control Example | -|-|-|-|-|-|-| -| Control Environment | CC1.1 | COSO Principle 1 | The entity demonstrates a commitment to integrity and ethical values. | Non Technical Control - Internal Organizational Procedure | e.g. Code of Conduct Policy | -| Control Environment | CC1.2 | COSO Principle 2 | The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | Non Technical Control - Internal Organizational Procedure | e.g. Org Chart, Roles & Responsibilities | -| Control Environment | CC1.3 | COSO Principle 3 | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. | Non Technical Control - Internal Organizational Procedure | e.g. Org Chart, Roles & Responsibilities | -| Control Environment | CC1.4 | COSO Principle 4 | The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | Non Technical Control - Internal Organizational Procedure | e.g. HR hire processes, job descriptions, background checks | -| Control Environment | CC1.5 | COSO Principle 5 | The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | Non Technical Control - Internal Organizational Procedure | e.g. 
security awareness training, performance evaluation | -| Communication & Information | CC2.1 | COSO Principle 13 | The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | [Turbot Cloud](https://turbot.com/v5) for continuous security monitoring | e.g. Turbot as a platform provides the mechanism for continuous governance, security, and compliance monitoring | -| Communication & Information | CC2.2 | COSO Principle 14 | The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | Non Technical Control - Internal Organizational Procedure | e.g. Acceptable Use Policy | -| Communication & Information | CC2.3 | COSO Principle 15 | The entity communicates with external parties regarding matters affecting the functioning of internal control. | Non Technical Control - [Turbot Privacy Policy](https://turbot.com/legal/privacy), [Turbot Master Subscription Agreement (MSA)](https://turbot.com/legal/msa) | e.g. Vendor agreements | -| Risk Assessment | CC3.1 | COSO Principle 6 | The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Non Technical Control - Internal Organizational Procedure | e.g. Risk assessment program, policies, register | -| Risk Assessment | CC3.2 | COSO Principle 7 | The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Non Technical Control - Internal Organizational Procedure | e.g. Risk assessment program, policies, register | -| Risk Assessment | CC3.3 | COSO Principle 8 | The entity considers the potential for fraud in assessing risks to the achievement of objectives. | Non Technical Control - Internal Organizational Procedure | e.g. 
Risk assessment program, policies, register | -| Risk Assessment | CC3.4 | COSO Principle 9 | The entity identifies and assesses changes that could significantly impact the system of internal control. | Non Technical Control - Internal Organizational Procedure | e.g. Risk assessment program, policies, register | -| Monitoring Activities | CC4.1 | COSO Principle 16 | The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | [Turbot Stacks](https://turbot.com/v5/docs/concepts/guardrails/configured); [Turbot Active](https://turbot.com/v5/docs/concepts/guardrails/active); [Turbot Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) Controls | e.g. Core infrastructure components managing customer data are deployed with Turbot Stacks for continuous configuration management, any configuration drift will be set back to desired state automatically. Other configurations are ensured through Turbot policies e.g. AWS > RDS > DB Instance > Active > Last Modified, AWS > RDS > DB Instance > Approved > Usage (checking on Status) | -| Monitoring Activities | CC4.2 | COSO Principle 17 | The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. | [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) + [Turbot Notifications](https://turbot.com/v5/docs/concepts/notifications) | e.g. Turbot controls in check mode provide instant awareness when changes are OK or in ALARM. Turbot controls in enforce mode provide instant awareness + immediate remediation back to a compliant state. Notifications are visualized in the console, queried through the API or streamed out to various communication endpoints (e.g. 
Slack, Teams, JIRA, ServiceNow) | -| Control Activities | CC5.1 | COSO Principle 10 | The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | Non Technical Control - Internal Organizational Procedure | e.g. Risk assessment program, policies, register | -| Control Activities | CC5.2 | COSO Principle 11 | The entity also selects and develops general control activities over technology to support the achievement of objectives. | [Turbot Policy](https://turbot.com/v5/docs/concepts/policies) + [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. policy settings provide the objectives, controls test/audit for compliance. AWS > ECR > Repository > Approved > Usage (image scanning use); results of Approved or Not approved usage based on condition | -| Control Activities | CC5.3 | COSO Principle 12 | The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. | [Turbot Policy](https://turbot.com/v5/docs/concepts/policies) + [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. policy settings provide the objectives, controls test/audit for compliance. | -| Logical & Physical Access Controls | CC6.1 | | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | [Turbot Permission Management](https://turbot.com/v5/docs/concepts/iam/permissions) + [RBAC time based grants](https://turbot.com/v5/docs/integrations/aws/permissions), Turbot IAM [Roles, Users, Groups, Policies] [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) | e.g. Turbot's Permission management features provide capabilities for managing authentication of users, as well as authorization to cloud services and resources. 
Turbot integrates with the company directory to associate time based, role based access controls (RBAC) to specific resources. Additional controls to expire profiles, access keys, passwords, policy attachments, etc provide over permissive access into critical environments. e.g. AWS > IAM > Access Key > Active (enforce 90 days expiration); AWS > IAM > Role > Policy Attachments > Approved (ensure no changes to permissions occur); AWS > IAM > User > Approved (ensure user has MFA associated). | -| Logical & Physical Access Controls | CC6.2 | | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized. | [Turbot Permission Management](https://turbot.com/v5/docs/concepts/iam/permissions) + [RBAC time based grants](https://turbot.com/v5/docs/integrations/aws/permissions)| e.g. expiration of granted permissions provides protection for time limited access, along with directory integration will sync to block profiles no longer available to access the system | -| Logical & Physical Access Controls | CC6.3 | | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. | [Turbot Permission Management](https://turbot.com/v5/docs/concepts/iam/permissions) + [RBAC time based grants](https://turbot.com/v5/docs/integrations/aws/permissions), Turbot IAM [Roles, Users, Groups, Policies] [Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) | e.g. 
activation of granted permissions provides the mechanism to pre-approve on time limited duration, coupled with time limited activation of those permissions provides a process to limit access in time of need and periodic review of permissions granted | -| Logical & Physical Access Controls | CC6.4 | | The entity restricts physical access to facilities and protected information assets (for example, data center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives. | [Inherited Control from Cloud Provider](https://aws.amazon.com/compliance/soc-faqs/) | e.g. Physical Security controls are the responsibility of the Cloud Provider; inherited control | -| Logical & Physical Access Controls | CC6.5 | | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. | [Turbot Active](https://turbot.com/v5/docs/concepts/guardrails/active) Controls | e.g. lifecycle policies can be set on data retention of volumes, snapshots, etc. AWS > EC2 > Snapshots > Active > Age (delete after x days) | -| Logical & Physical Access Controls | CC6.6 | | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | [Turbot Lockdown](https://turbot.com/v5/docs/integrations/aws/permissions#lockdown-and-boundary-policies) Policies + [Turbot Trusted Access](https://turbot.com/v5/docs/concepts/guardrails/trusted-access) Policies + Turbot Networking Policies | e.g. Turbot Lockdown policies provide preventative controls to block high risk or unapproved actions from occurring e.g. AWS > Turbot > Permissions > Lockdown > Region Boundary (block actions in unapproved regions), AWS > S3 > Permissions > Levels > ACL Administration (set to disable). 
Turbot Trusted Access Policies define whom and what you trust and enforce those limitations on your cloud resources e.g. {Provider} > {Service} > {Resource} > Policy > Trusted Access to Accounts, Orgs, Identity Providers, Services, etc. Additional controls for networking to prevent public routing, firewall rules exposing public ingress; AWS > VPC > Security Group > Ingress Rules > Approved (approve/reject criteria for ports, CIDRs, bitmask, etc.) | -| Logical & Physical Access Controls | CC6.7 | | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. | [Turbot Encryption at Rest](https://turbot.com/v5/docs/concepts/guardrails/encryption-at-rest) and [Encryption in Transit](https://turbot.com/v5/docs/concepts/guardrails/encryption-in-transit) Policies | e.g. Turbot encryption policies can be set to ensure encryption in transit or at rest are configured; AWS > S3 > Bucket > Encryption In Transit (set to enable), AWS > S3 > Bucket > Encryption at Rest (set to at least SSE enabled) | -| Logical & Physical Access Controls | CC6.8 | | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives. | [Turbot Approved](https://turbot.com/v5/docs/concepts/guardrails/approved) | e.g. Checking for vulnerabilities on container images; AWS > ECR > Repository > Approved > Usage (imaging scanning use); results of Approved or Not approved usage based on condition | -| System Operations | CC7.1 | | To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | [Turbot Reporting](https://turbot.com/v5/docs/guides/console#reports-dashboard) | e.g. 
Turbot Reporting provides awareness of control alarms status, resource activity changes, etc | -| System Operations | CC7.2 | | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events. | [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. controls test/audit for compliance providing an alarm status for whether the policy is being adhered to. Controls are reported for review, or Turbot is set to enforce immediately to close any known incidents | -| System Operations | CC7.3 | | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | [Turbot Policy](https://turbot.com/v5/docs/concepts/policies) + [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. periodic review of control health and activities provides feedback for ongoing improvement on policy settings | -| System Operations | CC7.4 | | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | [Turbot Policy](https://turbot.com/v5/docs/concepts/policies) + [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. Turbot controls in check mode provide instant awareness when changes are OK or in ALARM. Turbot controls in enforce mode provide instant awareness + immediate remediation back to a compliant state. This will ensure issues are closed within SLA. | -| System Operations | CC7.5 | | The entity identifies, develops, and implements activities to recover from identified security incidents. 
| [Turbot Policy](https://turbot.com/v5/docs/concepts/policies) + [Turbot Controls](https://turbot.com/v5/docs/concepts/controls) | e.g. policies for HA, redundancy, backups can be set to ensure fault tolerance is in place. | -| Change Management | CC8.1 | | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | [Turbot Notifications](https://turbot.com/v5/docs/concepts/notifications) | e.g. any changes in Turbot, AWS, Azure and GCP are captured in the audit trail. Versioning of Turbot configurations occurs through the company version control system | -| Risk Mitigation | CC9.1 | | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | Non Technical Control - Internal Organizational Procedure | e.g. Risk assessment program, policies, register; Business Continuity Plan | -| Risk Mitigation | CC9.2 | | The entity assesses and manages risks associated with vendors and business partners. | Non Technical Control - Internal Organizational Procedure | e.g. Vendor management policy | \ No newline at end of file diff --git a/baselines/notifications/security-hub/README.md b/baselines/notifications/security-hub/README.md deleted file mode 100644 index 3be519e6f..000000000 --- a/baselines/notifications/security-hub/README.md +++ /dev/null 
@@ -1,236 +0,0 @@ -# Turbot Firehouse to Security Hub - -Security Hub gives account owners and engineers a single point of contact to view their security and compliance posture. Architects and engineers without access to the Turbot console can use this integration to receive up-to-date information about Turbot controls for their account. - -## Required Reading -- [Firehose Guide](https://turbot.com/v5/docs/guides/firehose): Provides an overview of what kind of information Turbot can deliver overall. This integration is restricted to `control_updated` notifications. - -## Architecture -The next few sections describe the overall architecture and components of the Turbot+SecurityHub Integration. - -### Services Used - -- Turbot -- Turbot Firehose -- SNS -- SQS -- Lambda -- Elasticache Memcached -- Cloudwatch Logs -- VPC - -### Connectivity Requirements - -The Security Hub Lambda must be able to talk to the following services: -- AWS Security Hub Regional Endpoints -- Memcached (inside VPC) -- SNS -- SQS -- STS - -Customers are free to use a VPC with NAT/IGWs or transit gateways. Either approach that has internet access will -work. The provided Terraform will create a new VPC with NAT/IGWs. - - -### Client -> Server Relationships -- Firehose SNS Topic -> SQS -- SQS -> Security Hub Lambda -- Security Hub Lambda -> Memcached -- Security Hub Lambda -> Cloudwatch Logs -- Security Hub Lambda -> Security Hub API Endpoints -- Security Hub Lambda -> STS API Endpoints - - -### Data Flow for a Notification - -1. AWS Managed Account -- (events) -> Turbot (Controls are updated here) -2. Turbot -- (`control_udpated` notifications as defined by Watches) -> Turbot Firehose mod -3. Turbot Firehose mod --> Firehose SNS topic -4. Firehose SNS topic --> Security Hub Queue -5. Security Hub Queue --> Security Hub Lambda -6. 
Security Hub Lambda -- (data transform to ASFF formatting) --> Security Hub - -### Fatal Errors - -There are a number of circumstances where this integration will discard a notification. The below conditions are -considered as terminal errors. **Any finding that encounters one of the below problems will be discarded.** - -- *Access Denied* to the target account. Typically, this is when the integration cannot assume into the specified role. -- *Invalid Access* to the target account. If Security Hub is not enabled for this account, then findings cannot be - submitted. -- *Turbot Findings are not enabled*. This happens when Security Hub is enabled, but Turbot findings are not enabled. - This integration will not submit findings into the `default` product. - -## Limitations of this Integration - -- The Turbot firehose is an event-based stream of data. As events flow into Turbot, notifications flow out through the - Firehose. If Turbot doesn't receive an event, the Firehose will never emit a notification. The implication is that - very old alarms on unchanged resources will not appear in Security Hub. Controls resulting from updated resources or - new policy settings will appear in Security Hub. Customers wishing a snapshot view of all controls should investigate - a batch-processing approach using the Turbot GraphQL API. -- Turbot Firehose emits a `control_updated` notification only when a control changes state. If a resource is updated, - but the control still stays in alarm, then no control notification will be generated. - - `ok` to `alarm`: A `control_updated` notification will be generated. - - `alarm` to `alarm`: No notification will be generated. -- Security Hub is focused exclusively on security findings. It is not a CMDB. As such, the Turbot+SecurityHub - integration will only process `control_updated` notifications. All other notification types will be discarded. -- All Security Hub findings will expire after 90 days. 
This integration will not refresh those findings. -- Security Hub Insights are not addressed. -- This integration will not enable/disable Turbot findings in Security Hub. - -### Where to Deploy - -Any account can host the Security Hub integration if it meets the following requirements: -- Assume permissions into a role in each managed account to import and update findings. -- Access to the SQS queue feed by the Firehose SNS topic. - -*Enterprise customers*: It is most convenient to deploy this integration, and the Turbot Firehose in the Turbot Master account. -The `turbot_superuser` role that Turbot uses to manage an account can be reused for importing Security Hub findings. - -*SaaS customers*: Deploying this integration will have to be done in a separate account. Customers can choose between -creating a new Security Hub specific role or reusing the `turbot_superuser` role. Either approach is valid and depends -on each customer's individual situation. Deploying in the same account as the Firehose SNS is most convenient. - -### Role Configuration in Managed Accounts -A role must exist in each managed account with sufficient permissions to import and update findings in Security Hub. -The role must also allow `sts:AssumeRole` by the Security Hub integration lambda. This integration assumes a uniform role name for all managed accounts. The specified role is appended to the arn, like so: `arn:aws:iam::{account_id}:role/{role_id}`. - -Note: For customers with multiple Turbot environments hosted in separate accounts, it is possible, perhaps desirable, to send all Security Hub findings through a single integration point. Such a configuration is supported with the requirement that cross-account access be granted to the integration. Assuming the reuse of the `turbot_superuser` role, cross-account access is typically only granted to a single Turbot Master account. 
If this integration is servicing multiple Turbot Masters, the `turbot_superuser` role would require additional trust configuration. - -Below are the minimum permissions required to work with findings in Security Hub. - -```json -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "SecurityHub Submission Permissions", - "Effect": "Allow", - "Action": [ - "securityhub:UpdateFindings", - "securityhub:GetFindings", - "securityhub:BatchUpdateFindings", - "securityhub:BatchImportFindings" - ], - "Resource": "*" - }, - { - "Sid": "Assume Role", - "Effect": "Allow", - "Principal": { - "AWS": [ - "arn:aws:iam::{account_hosting_sechub_integration}:root" - ] - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "sts:ExternalId": "{somecleverexternalidgoeshere}" - } - } - } - ] -} -``` -External IDs are recommended but not required. Customers are free to make the Principal more specific. The above policy tries to strike a balance between usability and security, emphasizing ease of setup. - -## Installation - -The provided terraform assumes that no configuration of any kind has been done for Firehose or the SecurityHub -integration. It also assumes that no infrastructure of any kind has been deployed in the AWS account (ie, no VPC, no -subnets, etc) that will host the Turbot+SecurityHub integration. As such, customers with a configured Firehose and network infrastructure will need to adapt the Terraform to their environment. 
- -### Permissions Required for Integration Deployment -The user or role that deploys should have read/write permissions to the following AWS services: -- IAM - - Create User: Required for firehose configuration - - Create Role: Required for Security Hub Lambda configuration - - Create/Attach policy -- SNS -- SQS -- VPC -- Elasticache (memcached) -- Lambda -- Cloudwatch Logs - -The user that deploys should have read/write permissions to the target Turbot workspace: -- Turbot/Admin: Required to set the Firehose policies and create the watch. - -### Watches - -The default watch included in this integration looks for all `control_updated` notifications from AWS, Azure, GCP and Turbot. The -integration will filter out notifications for non-AWS platforms. For additional information about creating -Watches, see the [Turbot Notifications Guide](https://turbot.com/v5/docs/guides/firehose). - -If using multiple watches in a single workspace, ensure that each watch is performing as expected. Avoid duplication in watches where possible. - -From `create-watch-mutation-input.json`, we see the watch definition. - -```json -{ - "input": { - "resource": "tmod:@turbot/turbot#/", - "action": "tmod:@turbot/firehose-aws-sns#/action/types/router", - "filters": [ - "level:self,descendant notificationType:control_updated" - ] - } -} -``` - -### Deployment Instructions -The provided terraform utilizes AWS and Turbot credentials. Ensure that Python 3.7+, the AWS CLI and Turbot CLI tools are installed. The following steps were tested on a Linux workstation using Python 3.7 and 3.8. - -1. Configure your aws cli credentials -```shell -aws configure -``` - -2. Configure your Turbot API credentials according to the [directions](https://turbot.com/v5/docs/guides/iam/access-keys) -```shell -turbot configure --profile {profile} -``` - -3. Adapt the provided terraform to meet environmental needs. - -4. Initialize Terraform -```shell -terraform init -``` - -5. 
Create and populate a `.tfvars` file with the appropriate values. - -6. Generate a TF plan -```shell -terraform plan -var-file={environment}.tfvars -``` -Check the plan to ensure proper deployment. - -7. Deploy -```shell -terraform apply -var-file={environment}.tfvars -``` -The default TF will deploy the AWS resources then set the appropriate Turbot policies. - -8. Test the setup by altering controls in Turbot then checking in Security Hub for the findings to arrive. Be aware there will be some latency between when Turbot updates a control and when it shows up in Security Hub. In quiet environments, latency of 30 to 90 seconds is normal. High load on Turbot may introduce additional delay in delivery of Firehose notifications. - -### Deploying Updated Lambda code -Should you need to update the Lambda code but leave all other infrastructure intact, you can deploy a code update using the AWS CLI. From the [AWS Lambda Docs](https://docs.aws.amazon.com/lambda/latest/dg/python-package-update.html), use the following to update the Lambda code with whatever changes you've made. -```shell -package-lambda.sh -aws lambda update-function-code --function-name turbot-firehose-to-sec-hub-write-to-security-hub --zip-file fileb://deployment-package.zip -``` - - -### Decommission - -1. Destroy the TF setup -```shell -terraform destroy -var-file={environment}.tfvars -``` - -## Monitoring -Watch the Cloudwatch logs and Function Monitoring for the integration lambda `turbot-firehose-to-sec-hub-write-to-security-hub`. - -## Troubleshooting -Refer to the [Data Flow Path](#data-flow-for-a-notification) to track down which part of the path has broken down. diff --git a/baselines/notifications/security-hub/aws_elasticache.tf b/baselines/notifications/security-hub/aws_elasticache.tf deleted file mode 100644 index 69453cb92..000000000 --- a/baselines/notifications/security-hub/aws_elasticache.tf +++ /dev/null 
@@ -1,25 +0,0 @@ -resource "aws_elasticache_cluster" "latest_notification_cache" { - depends_on = [aws_vpc.main_vpc] - count = var.enabled_caching ? 1 : 0 - cluster_id = "turbot-firehose-to-sec-hub-latest-cache" - az_mode = "single-az" - engine = "memcached" - node_type = "cache.t3.micro" - num_cache_nodes = 1 - parameter_group_name = "default.memcached1.6" - port = 11211 - subnet_group_name = aws_elasticache_subnet_group.latest_notification_cache[0].name - security_group_ids = [aws_security_group.allow_memcached_to_lambda[0].id] - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-latest-cache" - } -} - -resource "aws_elasticache_subnet_group" "latest_notification_cache" { - count = var.enabled_caching ? 1 : 0 - name = "turbot-firehose-to-sec-hub-subnet-group" - subnet_ids = [aws_subnet.private[0].id] -} diff --git a/baselines/notifications/security-hub/aws_iam.tf b/baselines/notifications/security-hub/aws_iam.tf deleted file mode 100644 index 2978d69ed..000000000 --- a/baselines/notifications/security-hub/aws_iam.tf +++ /dev/null 
@@ -1,191 +0,0 @@ -data "aws_caller_identity" "current_identity" {} - -data "aws_iam_policy_document" "sns_topic_policy" { - statement { - actions = [ - "SNS:Subscribe", - "SNS:SetTopicAttributes", - "SNS:RemovePermission", - "SNS:Receive", - "SNS:Publish", - "SNS:ListSubscriptionsByTopic", - "SNS:GetTopicAttributes", - "SNS:DeleteTopic", - "SNS:AddPermission", - ] - - condition { - test = "StringEquals" - variable = "AWS:SourceOwner" - - values = [data.aws_caller_identity.current_identity.account_id] - } - - effect = "Allow" - - principals { - type = "AWS" - identifiers = ["*"] - } - - resources = [aws_sns_topic.turbot_firehose_user_sns_topic.arn] - } -} - -resource "aws_iam_user" "turbot_firehose_user" { - name = "turbot-firehose-to-sec-hub-user" - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_iam_user_policy" "turbot_firehose_user_sns_permission" { - name = "turbot-firehose-to-sec-hub-notification-topic-sns-permissions" - user = aws_iam_user.turbot_firehose_user.name - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "sns:Publish", - "sns:DeleteTopic", - "sns:CreateTopic", - "sns:SetTopicAttributes", - "sns:Subscribe", - "sns:ConfirmSubscription" - ], - "Resource": "${aws_sns_topic.turbot_firehose_user_sns_topic.arn}" - } - ] - } - EOF -} - -resource "aws_iam_role" "turbot_firehose_lamdba_role" { - name = "turbot-firehose-to-sec-hub-lamdba-role" - assume_role_policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - }, - "Effect": "Allow" - } - ] - } - EOF - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_iam_role_policy" "turbot_firehose_lamdba_role_ec2_permissions" { - name = "ec2-permissions" - role = aws_iam_role.turbot_firehose_lamdba_role.id - - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - 
"Effect": "Allow", - "Action": [ - "ec2:CreateNetworkInterface", - "ec2:DescribeNetworkInterfaces", - "ec2:DeleteNetworkInterface", - "ec2:AssignPrivateIpAddresses", - "ec2:UnassignPrivateIpAddresses" - ], - "Resource": "*" - } - ] - } - EOF -} - -resource "aws_iam_role_policy" "turbot_firehose_lamdba_role_sqs_permissions" { - name = "sqs-permissions" - role = aws_iam_role.turbot_firehose_lamdba_role.id - - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "sqs:DeleteMessage", - "sqs:ReceiveMessage", - "sqs:GetQueueAttributes" - ], - "Resource": "${aws_sqs_queue.turbot_firehose_notification_queue.arn}" - } - ] - } - EOF -} - -resource "aws_iam_role_policy" "turbot_firehose_lamdba_role_security_hub_permissions" { - name = "security-hub-permissions" - role = aws_iam_role.turbot_firehose_lamdba_role.id - - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "securityhub:GetFindings", - "securityhub:BatchUpdateFindings", - "securityhub:BatchImportFindings" - ], - "Resource": [ - "arn:aws:securityhub:${var.aws_region}:${local.account_id}:hub/default", - "arn:aws:securityhub:${var.aws_region}:${local.account_id}:product/${local.account_id}/default" - ] - } - ] - } - EOF -} - -resource "aws_iam_role_policy" "turbot_firehose_lamdba_role_cloudwatch_permissions" { - name = "cloudwatch-permissions" - role = aws_iam_role.turbot_firehose_lamdba_role.id - - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "logs:CreateLogGroup", - "Resource": "arn:aws:logs:${var.aws_region}:${local.account_id}:*" - }, - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:${var.aws_region}:${local.account_id}:log-group:/aws/lambda/${local.function_name}:*" - ] - } - ] - } - EOF -} - -resource "aws_iam_access_key" "turbot_firehose_user_access_key" { - user = 
aws_iam_user.turbot_firehose_user.name -} diff --git a/baselines/notifications/security-hub/aws_lambda.tf b/baselines/notifications/security-hub/aws_lambda.tf deleted file mode 100644 index 31b44dd1d..000000000 --- a/baselines/notifications/security-hub/aws_lambda.tf +++ /dev/null 
@@ -1,65 +0,0 @@ -resource "null_resource" "create_package" { - count = var.rebuild ? 1 : 0 - # Get notified on all the actions taken by Turbot for the resources at Turbot Root level and its descendant, which have turbot.tag as `Environment:Development`. - provisioner "local-exec" { - command = "./package-lambda.sh" - } -} - -resource "aws_lambda_function" "lambda_function_for_cache" { - count = var.enabled_caching ? 1 : 0 - depends_on = [null_resource.create_package] - role = aws_iam_role.turbot_firehose_lamdba_role.arn - handler = "lambda_function.lambda_handler" - runtime = "python3.7" - filename = "deployment-package.zip" - function_name = "turbot-firehose-to-sec-hub-write-to-security-hub" - source_code_hash = base64sha256("deployment-package.zip") - description = "Transform notifications from Turbot to finding for SecurityHub" - - vpc_config { - # Every subnet should be able to reach an EFS mount target in the same Availability Zone. Cross-AZ mounts are not permitted. - subnet_ids = [aws_subnet.private[0].id] - security_group_ids = [ - aws_security_group.allow_memcached_to_lambda[0].id, - aws_security_group.permit_internet[0].id - ] - } - - environment { - variables = local.environment_variables - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_lambda_function" "lambda_function_no_cache" { - count = var.enabled_caching ? 
0 : 1 - depends_on = [null_resource.create_package] - role = aws_iam_role.turbot_firehose_lamdba_role.arn - handler = "lambda_function.lambda_handler" - runtime = "python3.7" - filename = "deployment-package.zip" - function_name = "turbot-firehose-to-sec-hub-write-to-security-hub" - source_code_hash = base64sha256("deployment-package.zip") - description = "Transform notifications from Turbot to finding for SecurityHub" - - environment { - variables = local.environment_variables - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_lambda_event_source_mapping" "mapping" { - event_source_arn = aws_sqs_queue.turbot_firehose_notification_queue.arn - function_name = local.function_arn - maximum_batching_window_in_seconds = var.batch_window - batch_size = var.batch_size -} diff --git a/baselines/notifications/security-hub/aws_sns.tf b/baselines/notifications/security-hub/aws_sns.tf deleted file mode 100644 index d32cdab66..000000000 --- a/baselines/notifications/security-hub/aws_sns.tf +++ /dev/null @@ -1,19 +0,0 @@ -resource "aws_sns_topic" "turbot_firehose_user_sns_topic" { - name = "turbot-firehose-to-sec-hub-user-sns-topic" - display_name = "Turbot to Security Hub" - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_sns_topic_policy" "default" { - arn = aws_sns_topic.turbot_firehose_user_sns_topic.arn - policy = data.aws_iam_policy_document.sns_topic_policy.json -} - -resource "aws_sns_topic_subscription" "user_updates_sqs_target" { - topic_arn = aws_sns_topic.turbot_firehose_user_sns_topic.arn - protocol = "sqs" - endpoint = aws_sqs_queue.turbot_firehose_notification_queue.arn -} diff --git a/baselines/notifications/security-hub/aws_sqs.tf b/baselines/notifications/security-hub/aws_sqs.tf deleted file mode 100644 index e4e14cd50..000000000 --- a/baselines/notifications/security-hub/aws_sqs.tf +++ /dev/null 
@@ -1,35 +0,0 @@ -resource "aws_sqs_queue" "turbot_firehose_notification_queue" { - name = "turbot-firehose-to-sec-hub-notification-queue" - message_retention_seconds = 86400 - receive_wait_time_seconds = 20 - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - } -} - -resource "aws_sqs_queue_policy" "turbot_firehose_notification_queue_policy" { - queue_url = aws_sqs_queue.turbot_firehose_notification_queue.id - - policy = <<-POLICY - { - "Version": "2008-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "sns.amazonaws.com" - }, - "Action": "sqs:SendMessage", - "Resource": "${aws_sqs_queue.turbot_firehose_notification_queue.arn}", - "Condition": { - "ArnEquals": { - "aws:SourceArn": "${aws_sns_topic.turbot_firehose_user_sns_topic.arn}" - } - } - } - ] - } - POLICY -} diff --git a/baselines/notifications/security-hub/aws_vpc.tf b/baselines/notifications/security-hub/aws_vpc.tf deleted file mode 100644 index a1a354687..000000000 --- a/baselines/notifications/security-hub/aws_vpc.tf +++ /dev/null 
@@ -1,165 +0,0 @@ -output "create_or_use" { - value = var.enabled_caching ? "Caching will be installed on a new VPC" : "No caching will be installed" -} - -resource "aws_vpc" "main_vpc" { - count = var.enabled_caching ? 1 : 0 - cidr_block = "192.0.0.0/26" - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier", - "Name" = "turbot-firehose-to-sec-hub-vpc" - } -} - -resource "aws_subnet" "public" { - count = var.enabled_caching ? 1 : 0 - vpc_id = aws_vpc.main_vpc[0].id - cidr_block = "192.0.0.16/28" - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-public-subnet" - } -} - -resource "aws_subnet" "private" { - count = var.enabled_caching ? 1 : 0 - vpc_id = aws_vpc.main_vpc[0].id - cidr_block = "192.0.0.0/28" - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-private-subnet" - } -} - -resource "aws_internet_gateway" "security_hub_traffic" { - count = var.enabled_caching ? 1 : 0 - vpc_id = aws_vpc.main_vpc[0].id - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-private-igw" - } -} - -resource "aws_nat_gateway" "security_hub_traffic" { - count = var.enabled_caching ? 1 : 0 - depends_on = [aws_internet_gateway.security_hub_traffic] - allocation_id = aws_eip.security_hub_traffic[0].id - subnet_id = aws_subnet.public[0].id - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-private-nat" - } -} - -resource "aws_eip" "security_hub_traffic" { - count = var.enabled_caching ? 1 : 0 - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-communication-ip" - } -} - -resource "aws_route_table_association" "public" { - count = var.enabled_caching ? 
1 : 0 - subnet_id = aws_subnet.public[0].id - route_table_id = aws_route_table.public[0].id -} - -resource "aws_route_table_association" "private" { - count = var.enabled_caching ? 1 : 0 - subnet_id = aws_subnet.private[0].id - route_table_id = aws_route_table.private[0].id -} - -resource "aws_route_table" "private" { - count = var.enabled_caching ? 1 : 0 - vpc_id = aws_vpc.main_vpc[0].id - - route { - cidr_block = "0.0.0.0/0" - nat_gateway_id = aws_nat_gateway.security_hub_traffic[0].id - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-private-route-table" - } -} - -resource "aws_route_table" "public" { - count = var.enabled_caching ? 1 : 0 - vpc_id = aws_vpc.main_vpc[0].id - - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.security_hub_traffic[0].id - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier" - "Name" = "turbot-firehose-to-sec-hub-public-route-table" - } -} - -resource "aws_security_group" "allow_memcached_to_lambda" { - count = var.enabled_caching ? 1 : 0 - name = "turbot-firehose-to-sec-hub-allow-memcached" - description = "Allows communication to memcached from Lambda" - vpc_id = aws_vpc.main_vpc[0].id - - ingress { - description = "Communication to memcached" - from_port = 11211 - to_port = 11211 - protocol = "tcp" - cidr_blocks = [aws_vpc.main_vpc[0].cidr_block] - } - - egress { - description = "Communication from memcached" - from_port = 11211 - to_port = 11211 - protocol = "tcp" - cidr_blocks = [aws_vpc.main_vpc[0].cidr_block] - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier", - "Name" = "turbot-firehose-to-sec-hub-allow-memcached" - } -} - -resource "aws_security_group" "permit_internet" { - count = var.enabled_caching ? 
1 : 0 - name = "turbot-firehose-to-sec-hub-permit-internet" - description = "Allows communication to the internet" - vpc_id = aws_vpc.main_vpc[0].id - - egress { - description = "Communication to internet" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = { - "Company" = "Turbot" - "Product" = "SecurityHubNotifier", - "Name" = "turbot-firehose-to-sec-hub-permit-all" - } -} diff --git a/baselines/notifications/security-hub/create-watch-mutation-input.json b/baselines/notifications/security-hub/create-watch-mutation-input.json deleted file mode 100644 index ae1cfbf6c..000000000 --- a/baselines/notifications/security-hub/create-watch-mutation-input.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "input": { - "resource": "tmod:@turbot/turbot#/", - "action": "tmod:@turbot/firehose-aws-sns#/action/types/router", - "filters": ["level:self,descendant notificationType:control_updated"] - } -} diff --git a/baselines/notifications/security-hub/create-watch-mutation.graphql b/baselines/notifications/security-hub/create-watch-mutation.graphql deleted file mode 100644 index 4f662b83a..000000000 --- a/baselines/notifications/security-hub/create-watch-mutation.graphql +++ /dev/null @@ -1,10 +0,0 @@ -mutation CreateWatch($input: CreateWatchInput!) { - createWatch(input: $input) { - filters - handler - turbot { - id - resourceId - } - } -} diff --git a/baselines/notifications/security-hub/demo-disable-caching.tfvars b/baselines/notifications/security-hub/demo-disable-caching.tfvars deleted file mode 100644 index 5b8e61e6a..000000000 --- a/baselines/notifications/security-hub/demo-disable-caching.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -aws_profile = "default" -aws_region = "us-east-1" -enabled_caching = false diff --git a/baselines/notifications/security-hub/demo-enable-caching.tfvars b/baselines/notifications/security-hub/demo-enable-caching.tfvars deleted file mode 100644 index 713889c30..000000000 
--- a/baselines/notifications/security-hub/demo-enable-caching.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -aws_profile = "default" -# TODO -# aws_region = "us-east-1" -aws_region = "eu-west-2" -rebuild = true diff --git a/baselines/notifications/security-hub/demo.tfvars b/baselines/notifications/security-hub/demo.tfvars deleted file mode 100644 index bb891daf4..000000000 --- a/baselines/notifications/security-hub/demo.tfvars +++ /dev/null @@ -1 +0,0 @@ -aws_region = "us-east-1" diff --git a/baselines/notifications/security-hub/deployment-package.zip b/baselines/notifications/security-hub/deployment-package.zip deleted file mode 100644 index 7db0afc8f..000000000 Binary files a/baselines/notifications/security-hub/deployment-package.zip and /dev/null differ diff --git a/baselines/notifications/security-hub/lambda_function.py b/baselines/notifications/security-hub/lambda_function.py deleted file mode 100644 index a6d93a410..000000000 --- a/baselines/notifications/security-hub/lambda_function.py +++ /dev/null 
@@ -1,91 +0,0 @@ -import datetime as dt -from botocore.exceptions import ClientError -from logic import Cache, RawRecordProcessor, SecurityHub - - -def find_existing_findings_map(security_hub, cache_client, ids): - cache_found_id_map, cache_missed_id_list = cache_client.get_findings(ids) - sec_hub_found_id_map = security_hub.get_findings(cache_missed_id_list) - - return {**cache_found_id_map, **sec_hub_found_id_map} - - -def get_account_id_and_region(context): - lambda_function_arn = context.invoked_function_arn.split(":") - region = lambda_function_arn[3] - account_id = lambda_function_arn[4] - return account_id, region - - -def lambda_handler(event, context): - try: - cache = Cache.create() - raw_record_processor = RawRecordProcessor(event['Records']) - - account_record_collection = raw_record_processor.create_account_record_collection() - - partial_failure = False - - # Create all the sec hub sessions here - for account_id in account_record_collection: - try: - print(f"[INFO] Started - Update findings for account {account_id}") - - # NOTE: We have a problem here, we are creating a new session but is this session in the correct region? 
- security_hub = SecurityHub.create(cache, account_id) - records = account_record_collection.get_records(account_id) - ids = list(records.keys()) - - existing_findings_map = find_existing_findings_map(security_hub, cache, ids) - - for key in records: - record = records[key] - - notification_update_timestamp = record.updated_timestamp - - if key in existing_findings_map: - # Check if findings is more recent, if not then ignore - existing_finding_update_timestamp = existing_findings_map[key] - - existing_finding_dt = dt.datetime.fromisoformat(existing_finding_update_timestamp[:-1]) - notification_dt = dt.datetime.fromisoformat(notification_update_timestamp[:-1]) - - if notification_dt < existing_finding_dt: - print( - f"[INFO] Ingoring record - More recent update - {key} - {notification_update_timestamp}") - continue - - if record.control_state == "alarm": - security_hub.reopen_finding(record) - else: - security_hub.resolve_finding(record) - else: - # A notification that has resolved but not been recorded - if record.control_state in ["ok", "skipped", "tbd"]: - print(f"[INFO] Ignoring record - record is in a healthy state - {key}") - continue - - print(f"[INFO] Create record - {key} - {notification_update_timestamp}") - security_hub.insert_finding(record) - - print(f"[INFO] Completed - Update findings for account {account_id}") - - partial_failure = partial_failure | security_hub.process_findings() - except ClientError as e: - if e.response['Error']['Code'] == 'InvalidAccessException': - print( - f"[WARN] Security Hub is not enabled for {account_id}. Will discard findings for this account.") - elif e.response['Error']['Code'] == 'AccessDenied': - print( - f"[WARN] Access denied to account {account_id}. 
Will discard findings for this account.") - else: - raise - - if partial_failure == True: - raise RuntimeError("Partial batch handled - retry") - - print("[INFO] Completed - No Errors") - except Exception as e: - print(f'[ERROR] Exception: {str(e)}') - print("[ERROR] Completed - With Errors") - raise diff --git a/baselines/notifications/security-hub/launch.py b/baselines/notifications/security-hub/launch.py deleted file mode 100644 index 4efc90a21..000000000 --- a/baselines/notifications/security-hub/launch.py +++ /dev/null 
@@ -1,126 +0,0 @@ -import lambda_function - -# event = { -# "Records": [ -# { -# "messageId": "1f6fd4df-5b11-4d11-acf6-957b6e99fa6e", -# "receiptHandle": "AQEBfcsRZ9mv0NoPLwd2Jdhtok3Kf1Dae0jzYo9k1lu0wRlZUZJ7siZt6ffv3/+xA5gH70/8GvOzYLHwNtbmPdt5mcT/mXIXvb2rAH1AYZAIfkI0iVEfGHEOxhaxHhbKNQk2KBHY1cJNojTzhMJi5DDiY0twE3/1cN+tOJZr0OKl2Ai8Hw51UzmV4cWrGqI1Hijsuz05rTfOGWUY4IN8Olw9WI44Nu/qeNrNJHwJlbGV6AKv55/JzDDUxkiCuXEZSPVnSVvWFJZnDpkwudvMC6gJ80G6DCJfOIU4QiqwootN1C0tvvqslO0yhr9BdXzxzZlyMpSbq33ObJLqFR2pKbDw/ftZAkPsRQlXtXXI+EapImMA494WIkYM4467dPIZInfXmaZnloTQNBhZuejqGazRB8fskGU5ynRsi5o8Zvsla08=", -# "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"cb145d6d-93e3-55d0-943a-05f3edaeaa77\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"1000000\\\",\\\"controlOldVersionId\\\":\\\"216036333047576\\\",\\\"controlNewVersionId\\\":\\\"216036336629722\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:24.987Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"alarm\\\",\\\"reason\\\":\\\"Approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"1\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"688720832404\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"alarm\\\",\\\"turbot\\\":{\\\"id\\\":\\\"1000000\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:29.844Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"tXPOjoPlElJtiKWX5EIXMwLs7JRXKnj+xj1n4KL19w2tbgqbzmvV+ncRAogYoxdhI72oFvo1vaz2edOBB8O/9l9+8TvlLwx3MXw3fJidwOA6cXJMpux9ah+Fs/D137ebg7W24ibChWb+4CLDDAIyQUn5b1dtwdkN9ayein6uwIF7Bxr+N9M35homuEkDAZyVjvAPGd5TIn/EB+5WdLxa9UxpVHaTvJDXMvfjopdV37YzYgjYqupIhGmjRfE7JjXPqgnrONdoVQdbPxulQTKe1L4B0DsH1xORMSl+ZjLa2WacMLRIMJfFxM5qRcK/QJ6uhLpt+XUuDdqZSqirq4/0WQ==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", -# "attributes": { -# "ApproximateReceiveCount": "1", -# "SentTimestamp": "1613003789875", -# "SenderId": "AIDAIVEA3AGEU7NF6DRAG", -# "ApproximateFirstReceiveTimestamp": "1613003789876" -# }, -# "messageAttributes": {}, -# "md5OfMessageAttributes": None, -# "md5OfBody": "2e8279f5dd14f0c58de655e94a1ab551", -# "eventSource": "aws:sqs", -# "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", -# "awsRegion": "eu-west-2" -# } -# ] -# } - -event = { - "Records": [ - { - "messageId": "7df58378-3163-4b8b-b077-3de9131349ed", - "receiptHandle": 
"AQEBukY2yqFumYbmEAqev46naZH819Xr2SJY0+Ne+Umh1KIXAjavY5Mbe9i4f9DNjB69HpMpnxLxFIkSjZGhQwnM2nIIXiC4reyJdxpo/HmvkXO9LhS4orX5o+XbaSRLmuTij693/finqbP1na9qvvaS4vsifEetRsKykbReSEhD/O3Cn/gxOe2CofBHEkgWX9+0jh4omEXoIhwZNmAtyCjSRfHM+0bycXnJhjyBA8re3lywt+ZRs4G3sHdm6vAVwgLDujUC8Lr8jZJw7HzWP7E3PXruO+XBeW6+5UCAmbNYneWjk+CKe9mFfo9nNa7V8rQ+O8OyqgmQ/ybsJJ3cdiMknm4vIHAdVmYhT4GdMnFUxIj5KB0+5Z/Vyq+zYnpn+DW+epc3JkVfPyIO/0fBaOMt+1a5UtfzkOJ/ydqqQSeUeMU=", - "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"9b2c3e73-ac08-569b-83ed-66edd243057e\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"21212\\\",\\\"controlOldVersionId\\\":\\\"216036328690947\\\",\\\"controlNewVersionId\\\":\\\"216036333047576\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:21.489Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"alarm\\\",\\\"reason\\\":\\\"Not approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Not approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Not approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"12121212\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"210125595713\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"ok\\\",\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:27.806Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"jltPaywEJtOXY3DFqyZc5I4Xud2sSUbaRlzmDtw/VoO0lFOtyJpPFICOjkZ1diEhByS0cFXToMELtQ9JUGdzcPqATkWbouVA5CtldP1uqBctRpI6UhWkwq33LEmkP798j6IfwPevNa7r5EiITPlBogkbtung5OYOSMKGgQtsW713mBDgMkKXDypb75y/teYBIjiNRjcnodb2TLYFz2aaOjm7yGQgGiRq8hQPTjxSeR1k3KwinH+a6+rhFx/rTymCLeY8CCqidgjiFP61FOv7l4SOIbaqj1HbaiTWk1rl1exIYMtSpGLQz00lA1HwGiE2mG7iPEBTDvIbv5p7IqMRCw==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", - "attributes": { - "ApproximateReceiveCount": "1", - "SentTimestamp": "1613003787831", - "SenderId": "AIDAIVEA3AGEU7NF6DRAG", - "ApproximateFirstReceiveTimestamp": "1613003787832" - }, - "messageAttributes": {}, - "md5OfMessageAttributes": None, - "md5OfBody": "497fbcfef2d2b1aa318975f4d5d6628c", - "eventSource": "aws:sqs", - "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", - "awsRegion": "eu-west-2" - }, - { - "messageId": "a93fef48-d66b-443c-bb03-6a01032258fa", - "receiptHandle": 
"AQEBh8u2Gu6qE/2GQA2NiDIPLgKvbPoTtfOU429sFRm/wODF+8ZEb8QR3Cl86l2SD66wdTXHewS8N7TTwU0uKLo3aXEHdlGQrV68x0C88PVQZ0eunaEsBrjxYqe2fN5uPsxuwFXvF8Kw05mehePKu5Z9e/vYiTWUEsAGMZ7OCQ1ZiEUKUHLLKOX4tpX5mXxTaJsau+BQLxNz2wA50taYuBPm8UxbPo8kjSiKuAKDJ5SRY0DudJZjtsJP+Dh05+IpptNXC1ZVuDBScO5G+b/O3MRo4b1qYF9iLT4YFXY9LZExc7xbF7FC1lQ2E+5aZ/7eL7ZBK/pkQ1NFVADNXYc2opgjnWQqw/zr8W6vkXM/Pr0A+lMQ2vbf7L3oCNLuPMsMmYegdR2rYAUNoytBUg9PzFjsz6HqLlcP3CxPc68OcAM/+9s=", - "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"0363b33e-e862-5424-bb9a-eba0962e6f00\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"21214\\\",\\\"controlOldVersionId\\\":\\\"216036317180248\\\",\\\"controlNewVersionId\\\":\\\"216036328690947\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:17.236Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"ok\\\",\\\"reason\\\":\\\"Approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"210125595713\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"alarm\\\",\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:28.017Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"rqLLoN4vVAbX5XCz2YOxKVIx8HUBZJDFcs3zHHE+kDtKlA2jpPo87swuUgn8d2s2JBgnwRDAzjjWCFtHUtvW0uIHHmEFGchM0f4c3nN+5DBYs9axrpTmX/WRd3klr5ejOQKGyFfR85qj+BfWeMPtIjx0AEhaL06T+Mvhs6ASXuihcqgUbXiT280Xmd6K5POYq6oZ2dLk2H7Gwf8XvRl3gRgA0ETTjiDsPDIgCWixbHyVJQfyOa0KyeRtvBdZhTf4beblo6SYkKC4KVGqYMvlgZz1l4VYxH+GqcXA52zstXW0RTb4+TKsu+E4VB4MHpHOlmG4SNKq4QHUexDdOrjDWg==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", - "attributes": { - "ApproximateReceiveCount": "1", - "SentTimestamp": "1613003788047", - "SenderId": "AIDAIVEA3AGEU7NF6DRAG", - "ApproximateFirstReceiveTimestamp": "1613003788048" - }, - "messageAttributes": {}, - "md5OfMessageAttributes": None, - "md5OfBody": "f6a2486aaa3b534c1b2602c595e3e02d", - "eventSource": "aws:sqs", - "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", - "awsRegion": "eu-west-2" - }, - { - "messageId": "8ea8ffb7-aaae-429f-96f8-ea1851a6e913", - "receiptHandle": 
"AQEBcmDgMgSuhmp0ZOopycdusSdBtMjW/Y0wzDLSSfunnFpGQ4qVOrv9twvW6hjwpikfaSsAigdMfGxkLYmHxTvCkePH55ct8nSFa/Y/ARabd81MX63Zz7CrB0F/aigxDMr04/fYOPLGOTU6ikJgfxGqPq7LykoSWE5uzU5Yn4YgfWv+ODOgH8kF/jaYRXROF1HvwUwijNv7bQbqg53J6f1rewahEEI90DvUSwF7TYjFbgR644qMQCQJmYHpI8mFKe5hsNlpQwtxE3dgVlevwPlNQfxcGic0JA/iIsu3Zgr6ywJoy56rXoQO+APlgfU55o91T9+6mHUxOctsDAbEFCjZqoAjOX/AQnPmpm4QnfXVM/BW3qu1LAZ4b+enVvfwoNBNxHmcGgjK5GMXVdjXdUazvTfd4CHjBrgIu+ECF81h6A8=", - "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"bd8b6d21-6b79-57b3-a66b-35bf153581b7\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"21397\\\",\\\"controlOldVersionId\\\":\\\"216036328690947\\\",\\\"controlNewVersionId\\\":\\\"216036333047576\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:21.489Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"alarm\\\",\\\"reason\\\":\\\"Not approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Not approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Not approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"210125595713\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"ok\\\",\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:28.808Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"sjqj3IEDmz2UYnJr92fsurNTttLO1LEl1tqqeb40CbiN+L0D4Ft60Bz4J2GO1NGWu6nexBTsPs0PA9x7EVZTucZjkDcDR8gRrLJ1Jwkv86ojp0n5Ruu5zg+a4pVNZan6vrbAuUUtz48hh2YAGxSWKtAglT+3waBB+QvuYYRwrFvwPCkCrx7amfFPmCsKYdnUMBgYVG6bdxGwKGlhPfgOh5fOxn4POfQLX1YdDNcYSuOqq3xMn1GaZ8uoIPIi8e1R9tlXCCjvx0bB6/VlWWfe0supG62Hj9O/qy/IARfj4Ae5/FM/0BEYFUKUg43uevOtWPlsh3KxixoOhrsfvh6n4Q==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", - "attributes": { - "ApproximateReceiveCount": "1", - "SentTimestamp": "1613003788832", - "SenderId": "AIDAIVEA3AGEU7NF6DRAG", - "ApproximateFirstReceiveTimestamp": "1613003788833" - }, - "messageAttributes": {}, - "md5OfMessageAttributes": None, - "md5OfBody": "ec171637d6f30f8a7da63afabec428fa", - "eventSource": "aws:sqs", - "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", - "awsRegion": "eu-west-2" - }, - { - "messageId": "5f6ed1c4-8d50-47f7-802c-994d52f82550", - "receiptHandle": 
"AQEBsUVoPOzW5KaHW1k9vLppGaJ0HcXjDro5QHeHij6fOxilvbGYok3a+3BcrhOlgDuRzYplNZcj3sy8zZPvUNwT5/Gr5gNa3YGi1Dl8l6di+3HU9u9FX8lrlZ7I1EEc+lIOUuE6o5cbgqlR2mYW0UAQooWs/YqKZorsECHzSTS2Jve+d5WQs1mQAgQEpzU+lx8sLzWnKnl60GvCSGeixywv+w9ddJvHHyCcG+j4rAG3rmAcCoeXb5FgE54xa5EwHLQuU5WcWHUPM0NNlXuH3uJOBBozA3Kk/NQQzJE6hiX+6gLKJB3xx8cdHnecPclFQK9wiDqgS9pFZ1wDxzTc6hy7i15uYlDZYZNeMTqklZMBtaWPb5hugOjy4gjdh4m/rlj5ATfi2scKGu2cB8Xfw0ezDHzjjwlp+71EtVmLJ+vcJEY=", - "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"1c700edf-e1cf-5381-a621-56419f828b41\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"213971925119603\\\",\\\"controlOldVersionId\\\":\\\"216036333047576\\\",\\\"controlNewVersionId\\\":\\\"216036336629722\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:24.987Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"ok\\\",\\\"reason\\\":\\\"Approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"210125595713\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"alarm\\\",\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:29.800Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"jwL93HhFs8S8tP+NAS61W2bkH2HVerh71gXCPVvTfb5WA55GnL6n1xVXg2Yu3vS9Eh6l+c1fuMvGkc0bmJcw4/XFoSQAx8BtbtCPGX+qiu9bawJu01Pdpvd9T7BYBXOEF2OeVHDz1ulL+tpI5/LIv/TGieZNgLcFZJBsiOkaDyQptFPPnBKXRQnLIy7sBSdlNQBgYTOFcORZth8lKZYlNPXS/ciSeh85QEQWhkWQzcI4u4p+2Z7OA3dyDAO1+MoRljKV5Y7wVCm0MsYlrPfJghFjoDsOLtZfvo0CO+ewLJLknQ4y4tjzqJ4yTyIJhAWwCcP3zAbC8NA87FEgn4KrTQ==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", - "attributes": { - "ApproximateReceiveCount": "1", - "SentTimestamp": "1613003789825", - "SenderId": "AIDAIVEA3AGEU7NF6DRAG", - "ApproximateFirstReceiveTimestamp": "1613003789826" - }, - "messageAttributes": {}, - "md5OfMessageAttributes": None, - "md5OfBody": "221ce000191dd0d02c15917f65cedccc", - "eventSource": "aws:sqs", - "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", - "awsRegion": "eu-west-2" - }, - { - "messageId": "1f6fd4df-5b11-4d11-acf6-957b6e99fa6e", - "receiptHandle": 
"AQEBfcsRZ9mv0NoPLwd2Jdhtok3Kf1Dae0jzYo9k1lu0wRlZUZJ7siZt6ffv3/+xA5gH70/8GvOzYLHwNtbmPdt5mcT/mXIXvb2rAH1AYZAIfkI0iVEfGHEOxhaxHhbKNQk2KBHY1cJNojTzhMJi5DDiY0twE3/1cN+tOJZr0OKl2Ai8Hw51UzmV4cWrGqI1Hijsuz05rTfOGWUY4IN8Olw9WI44Nu/qeNrNJHwJlbGV6AKv55/JzDDUxkiCuXEZSPVnSVvWFJZnDpkwudvMC6gJ80G6DCJfOIU4QiqwootN1C0tvvqslO0yhr9BdXzxzZlyMpSbq33ObJLqFR2pKbDw/ftZAkPsRQlXtXXI+EapImMA494WIkYM4467dPIZInfXmaZnloTQNBhZuejqGazRB8fskGU5ynRsi5o8Zvsla08=", - "body": "{\n \"Type\" : \"Notification\",\n \"MessageId\" : \"cb145d6d-93e3-55d0-943a-05f3edaeaa77\",\n \"TopicArn\" : \"arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic\",\n \"Subject\" : \"[punisher-turbot] Control Approved updated by Turbot Identity\",\n \"Message\" : \"{\\\"notificationType\\\":\\\"control_updated\\\",\\\"actor\\\":{\\\"identity\\\":{\\\"picture\\\":\\\"https://www.gravatar.com/avatar/cb9ff8606c24daf9cda1d82615bd7a8e\\\",\\\"turbot\\\":{\\\"title\\\":\\\"Turbot Identity\\\",\\\"id\\\":\\\"173249891011852\\\"}}},\\\"turbot\\\":{\\\"type\\\":null,\\\"controlId\\\":\\\"213971925119603\\\",\\\"controlOldVersionId\\\":\\\"216036333047576\\\",\\\"controlNewVersionId\\\":\\\"216036336629722\\\",\\\"createTimestamp\\\":\\\"2021-02-11T00:36:24.987Z\\\"},\\\"control\\\":{\\\"state\\\":\\\"ok\\\",\\\"reason\\\":\\\"Approved\\\",\\\"details\\\":[{\\\"key\\\":\\\"Usage\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Regions\\\",\\\"value\\\":\\\"Approved\\\"},{\\\"key\\\":\\\"Budget\\\",\\\"value\\\":\\\"Skipped\\\"},{\\\"key\\\":\\\"RESULT\\\",\\\"value\\\":\\\"Approved\\\"}],\\\"type\\\":{\\\"trunk\\\":{\\\"title\\\":\\\"AWS > S3 > Bucket > 
Approved\\\"}},\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"},\\\"resource\\\":{\\\"akas\\\":[\\\"arn:aws:s3:::raj-switch-role-bucket\\\"],\\\"metadata\\\":{\\\"aws\\\":{\\\"accountId\\\":\\\"210125595713\\\",\\\"partition\\\":\\\"aws\\\",\\\"regionName\\\":\\\"us-east-2\\\"},\\\"createTimestamp\\\":\\\"2021-01-18T16:35:52.000Z\\\"},\\\"title\\\":null,\\\"turbot\\\":{\\\"id\\\":\\\"213971924734526\\\"}}},\\\"oldControl\\\":{\\\"state\\\":\\\"alarm\\\",\\\"turbot\\\":{\\\"id\\\":\\\"213971925119603\\\"}}}\",\n \"Timestamp\" : \"2021-02-11T00:36:29.844Z\",\n \"SignatureVersion\" : \"1\",\n \"Signature\" : \"tXPOjoPlElJtiKWX5EIXMwLs7JRXKnj+xj1n4KL19w2tbgqbzmvV+ncRAogYoxdhI72oFvo1vaz2edOBB8O/9l9+8TvlLwx3MXw3fJidwOA6cXJMpux9ah+Fs/D137ebg7W24ibChWb+4CLDDAIyQUn5b1dtwdkN9ayein6uwIF7Bxr+N9M35homuEkDAZyVjvAPGd5TIn/EB+5WdLxa9UxpVHaTvJDXMvfjopdV37YzYgjYqupIhGmjRfE7JjXPqgnrONdoVQdbPxulQTKe1L4B0DsH1xORMSl+ZjLa2WacMLRIMJfFxM5qRcK/QJ6uhLpt+XUuDdqZSqirq4/0WQ==\",\n \"SigningCertURL\" : \"https://sns.eu-west-2.amazonaws.com/SimpleNotificationService-010a507c1833636cd94bdb98bd93083a.pem\",\n \"UnsubscribeURL\" : \"https://sns.eu-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:eu-west-2:210125595713:turbot-firehose-user-sns-topic:a036479e-e982-4824-ad26-96f36636a384\"\n}", - "attributes": { - "ApproximateReceiveCount": "1", - "SentTimestamp": "1613003789875", - "SenderId": "AIDAIVEA3AGEU7NF6DRAG", - "ApproximateFirstReceiveTimestamp": "1613003789876" - }, - "messageAttributes": {}, - "md5OfMessageAttributes": None, - "md5OfBody": "2e8279f5dd14f0c58de655e94a1ab551", - "eventSource": "aws:sqs", - "eventSourceARN": "arn:aws:sqs:eu-west-2:210125595713:turbot-firehose-notification-queue", - "awsRegion": "eu-west-2" - } - ] - - -} - - -class Context: - def __init__(self) -> None: - self.invoked_function_arn = "arn:aws:lambda:eu-west-2:210125595713:function:LambdaFunctionName" - pass - - -context = Context() - -lambda_function.lambda_handler(event, context) 
diff --git a/baselines/notifications/security-hub/locals.tf b/baselines/notifications/security-hub/locals.tf
deleted file mode 100644
index e4a0f8837..000000000
--- a/baselines/notifications/security-hub/locals.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-locals {
-  access_key = aws_iam_access_key.turbot_firehose_user_access_key.id
-  secret_access_key = aws_iam_access_key.turbot_firehose_user_access_key.secret
-  account_id = data.aws_caller_identity.current_identity.account_id
-  function_name = var.enabled_caching ? aws_lambda_function.lambda_function_for_cache[0].function_name : aws_lambda_function.lambda_function_no_cache[0].function_name
-  function_arn = var.enabled_caching ? aws_lambda_function.lambda_function_for_cache[0].arn : aws_lambda_function.lambda_function_no_cache[0].arn
-  environment_variables = var.enabled_caching ? {
-    SECURITY_HUB_PRODUCT_ARN = "arn:aws:securityhub:${var.aws_region}:${local.account_id}:product/${local.account_id}/default"
-    MEMCACHED_CONFIGURATION_ENDPOINT = aws_elasticache_cluster.latest_notification_cache[0].configuration_endpoint
-  } : { SECURITY_HUB_PRODUCT_ARN = "arn:aws:securityhub:${var.aws_region}:${local.account_id}:product/${local.account_id}/default" }
-}
diff --git a/baselines/notifications/security-hub/logic/__init__.py b/baselines/notifications/security-hub/logic/__init__.py
deleted file mode 100644
index 74c9db7bf..000000000
--- a/baselines/notifications/security-hub/logic/__init__.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from .security_hub import SecurityHub
-from .raw_record_processor import RawRecordProcessor
-from .cache import Cache
diff --git a/baselines/notifications/security-hub/logic/account_record_collection.py b/baselines/notifications/security-hub/logic/account_record_collection.py
deleted file mode 100644
index 9c4ebf483..000000000
--- a/baselines/notifications/security-hub/logic/account_record_collection.py
+++ /dev/null
@@ -1,58 +0,0 @@
-class AccountRecordCollection:
-    def __init__(self) -> None:
-        self.accounts = {}
-        self.record_count = 0
-        pass
-
-    def __iter__(self):
-        self.index = 0
-        self.account_keys = list(self.accounts.keys())
-        self.account_keys_len = len(self.account_keys)
-        return self
-
-    def __next__(self):
-        index = self.index
-        self.index += 1
-
-        if self.index > self.account_keys_len:
-            raise StopIteration
-
-        account_id = self.account_keys[index]
-        return account_id
-
-    def add_record(self, account_id, finding_id, record):
-        if not account_id:
-            raise ValueError("Parameter `account_id` for method `AccountRecordCollection.add_record` is missing")
-
-        if not finding_id:
-            raise ValueError("Parameter `finding_id` for method `AccountRecordCollection.add_record` is missing")
-
-        if not record:
-            raise ValueError("Parameter `record` for method `AccountRecordCollection.add_record` is missing")
-
-        if account_id in self.accounts:
-            if finding_id not in self.accounts[account_id]:
-                self.record_count += 1
-
-            self.accounts[account_id][finding_id] = record
-        else:
-            self.record_count += 1
-            self.accounts[account_id] = {finding_id: record}
-
-    def get_account_record(self, account_id, finding_id):
-        if account_id in self.accounts and finding_id in self.accounts[account_id]:
-            return self.accounts[account_id][finding_id]
-
-        return None
-
-    def get_record_count(self):
-        return self.record_count
-
-    def get_accounts_list(self):
-        return list(self.accounts.keys())
-
-    def get_records(self, account_id):
-        if account_id in self.accounts:
-            return self.accounts[account_id]
-
-        return []
diff --git a/baselines/notifications/security-hub/logic/cache.py b/baselines/notifications/security-hub/logic/cache.py
deleted file mode 100644
index d31dd99a5..000000000
--- a/baselines/notifications/security-hub/logic/cache.py
+++ /dev/null
@@ -1,67 +0,0 @@
-import os
-from pymemcache.client.base import Client
-
-
-class Cache:
-    def __init__(self, client) -> None:
-        if client:
-            self.__get_findings_strategy = self.__get_findings_cache_strategy
-            self.__get_strategy = self.__get_cache_strategy
-            self.__set_strategy = self.__set_cache_strategy
-        else:
-            self.__get_findings_strategy = self.__get_findings_no_cache_strategy
-            self.__get_strategy = self.__get_no_cache_strategy
-            self.__set_strategy = self.__set_no_cache_strategy
-
-        self.client = client
-
-    @staticmethod
-    def create():
-        endpoint = os.getenv("MEMCACHED_CONFIGURATION_ENDPOINT")
-        client = None
-        if endpoint:
-            client = Client(endpoint)
-
-        return Cache(client)
-
-    def get(self, key):
-        return self.__get_strategy(key)
-
-    def set(self, key, value):
-        return self.__set_strategy(key, value)
-
-    def get_findings(self, ids):
-        return self.__get_findings_strategy(ids)
-
-    def __get_no_cache_strategy(self, key):
-        return None
-
-    def __set_no_cache_strategy(self, key, value):
-        return None
-
-    def __get_cache_strategy(self, key):
-        value = self.client.get(key)
-        if value:
-            return value.decode("UTF-8")
-
-        return None
-
-    def __set_cache_strategy(self, key, value):
-        return self.client.set(key, value)
-
-    def __get_findings_cache_strategy(self, ids):
-        cache_found_id_map = {}
-        cache_missed_id_list = []
-
-        for id in ids:
-            last_updated_ts = self.client.get(id)
-            if last_updated_ts == None:
-                cache_missed_id_list.append(id)
-            else:
-                print(f"[INFO] Cache found id - {id} - {last_updated_ts}")
-                cache_found_id_map[id] = last_updated_ts.decode("UTF-8")
-
-        return cache_found_id_map, cache_missed_id_list
-
-    def __get_findings_no_cache_strategy(self, ids):
-        return {}, ids
diff --git a/baselines/notifications/security-hub/logic/raw_record_processor.py b/baselines/notifications/security-hub/logic/raw_record_processor.py
deleted file mode 100644
index a47de2b09..000000000
--- a/baselines/notifications/security-hub/logic/raw_record_processor.py
+++ /dev/null
@@ -1,120 +0,0 @@
-import json
-import datetime as dt
-from .record import Record
-from .account_record_collection import AccountRecordCollection
-
-
-class RawRecordProcessor:
-    def __init__(self, raw_records) -> None:
-        self.raw_records = raw_records
-
-    def create_account_record_collection(self):
-        print("[INFO] Started - Create account record collection")
-        print(f"[INFO] Number of raw records received: {len(self.raw_records)}")
-
-        account_record_collection = AccountRecordCollection()
-
-        for raw_record in self.raw_records:
-            json_body = json.loads(raw_record['body'])
-            notification = json.loads(json_body['Message'])
-
-            control = notification["control"]
-            control_id = control["turbot"]["id"]
-
-            new_record_timestamp = notification["turbot"]["createTimestamp"]
-            print(f"[INFO] Processing raw record")
-
-            notification_type = notification["notificationType"]
-            if notification_type != "control_updated":
-                print(
-                    f"[INFO] Ignore record - Notification type `{notification_type}` is not handled currently")
-                continue
-
-            resource_metadata = control["resource"]["metadata"]
-            if "aws" not in resource_metadata:
-                print(f"[INFO] Ignore record - Cloud provider not AWS")
-                continue
-
-            account_id = resource_metadata["aws"]["accountId"]
-
-            if "regionName" in resource_metadata["aws"]:
-                region = resource_metadata["aws"]["regionName"]
-            else:
-                region = "global"
-
-            finding_id = self.__create_finding_id(control_id, account_id, region)
-
-            previous_record = account_record_collection.get_account_record(account_id, finding_id)
-
-            if previous_record:
-                previous_record_timestamp = previous_record.updated_timestamp
-
-                previous_record_dt = dt.datetime.fromisoformat(previous_record_timestamp[:-1])
-                new_record_dt = dt.datetime.fromisoformat(new_record_timestamp[:-1])
-
-                if previous_record_dt <= new_record_dt:
-                    account_record_collection.add_record(
-                        account_id, finding_id, self.__create_record(finding_id, notification))
-                    print(f"[INFO] Updated existing entry in sorted records - {finding_id} - {new_record_timestamp}")
-                else:
-                    print(
-                        f"[INFO] Ignore record - {finding_id} - More recent update `{previous_record_timestamp}` exists compared to record `{new_record_timestamp}`")
-            else:
-                account_record_collection.add_record(
-                    account_id, finding_id, self.__create_record(finding_id, notification))
-                print(f"[INFO] Created new entry in sorted records - {finding_id} - {new_record_timestamp}")
-
-        print(f"[INFO] Process record count: {account_record_collection.get_record_count()}")
-        print("[INFO] Completed - Create account record collection")
-
-        return account_record_collection
-
-    def __create_record(self, id, notification):
-        record = {}
-
-        control_type = notification["control"]["type"]["trunk"]["title"]
-        aws_metadata = notification["control"]["resource"]["metadata"]["aws"]
-        control_reason = notification["control"]["reason"]
-
-        record["id"] = id
-        record["control_type"] = control_type
-
-        partition = aws_metadata["partition"] if "partition" in aws_metadata else None
-        region_name = aws_metadata["regionName"] if "regionName" in aws_metadata else None
-        description = control_reason if control_reason else "No reason given"
-        title = ""
-
-        control_state = notification["control"]["state"]
-        if control_state == "ok":
-            old_control_state = notification["oldControl"]["state"]
-            title = f"{old_control_state.capitalize()} - {control_type}"
-        else:
-            title = f"{control_state.capitalize()} - {control_type}"
-
-        tags = {}
-        if "tags" in notification["control"]["resource"]["turbot"]:
-            tags = notification["control"]["resource"]["turbot"]["tags"]
-
-        # TODO: Remove
-        tags = {
-            "including-tags": "hey-its-a-tag",
-            "itau-hyphens-in-key": "Hyphens make nunjucks complicated"
-        }
-
-        return Record(
-            id,
-            control_type,
-            aws_metadata["accountId"],
-            notification["turbot"]["createTimestamp"],
-            partition,
-            region_name,
-            notification["control"]["resource"]["turbot"]["id"],
-            title,
-            description,
-            notification["control"]["resource"]["akas"],
-            control_state,
-            tags
-        )
-
-    def __create_finding_id(self, control_id, account_id, region):
-        return f"arn:aws:securityhub:{region}:{account_id}:turbot/{control_id}"
diff --git a/baselines/notifications/security-hub/logic/record.py b/baselines/notifications/security-hub/logic/record.py
deleted file mode 100644
index 0b6ca1bbe..000000000
--- a/baselines/notifications/security-hub/logic/record.py
+++ /dev/null
@@ -1,14 +0,0 @@
-class Record:
-    def __init__(self, id, control_type, account_id, updated_timestamp, partition, region_name, resource_id, title, description, akas, control_state, tags) -> None:
-        self.id = id
-        self.control_type = control_type
-        self.account_id = account_id
-        self.updated_timestamp = updated_timestamp
-        self.partition = partition
-        self.region_name = region_name
-        self.resource_id = resource_id
-        self.title = title
-        self.description = description
-        self.akas = akas
-        self.control_state = control_state
-        self.tags = tags
diff --git a/baselines/notifications/security-hub/logic/security_hub.py b/baselines/notifications/security-hub/logic/security_hub.py
deleted file mode 100644
index f9fa28407..000000000
--- a/baselines/notifications/security-hub/logic/security_hub.py
+++ /dev/null
@@ -1,299 +0,0 @@ -import time -import os -import boto3 -import datetime as dt - - -class SecurityHub: - def __init__(self, client, cache, product_arn) -> None: - if not client: - raise ValueError("Parameter `client` for class `SecurityHub` is missing") - if not cache: - raise ValueError("Parameter `cache` for class `SecurityHub` is missing") - if not client: - raise ValueError("Parameter `product_arn` for class `SecurityHub` is missing") - - self.client = client - self.product_arn = product_arn - self.cache = cache - self.insert_findings = [] - self.reopen_findings = {} - self.resolve_findings = {} - - @staticmethod - def create(cache, account_id): - start_time = time.perf_counter() - print(f"[INFO] Started - Security Hub create client") - product_arn = os.getenv("SECURITY_HUB_PRODUCT_ARN") - if product_arn is None: - raise RuntimeError("Environment variable `SECURITY_HUB_PRODUCT_ARN` is missing") - - role = os.getenv("SECURITY_HUB_ROLE") - external_id = os.getenv("SECURITY_HUB_EXTERNAL_ID") - - if role: - role_arn = f"arn:aws:iam::{account_id}:role/{role}" - - sts_connection = boto3.client('sts') - if external_id: - acct_b = sts_connection.assume_role( - RoleArn=role_arn, - ExternalId=external_id, - RoleSessionName="Turbot_Security_Hub_Integration" - ) - else: - acct_b = sts_connection.assume_role( - RoleArn=role_arn, - RoleSessionName="Turbot_Security_Hub_Integration" - ) - - access_key_id = acct_b['Credentials']['AccessKeyId'] - secret_access_key = acct_b['Credentials']['SecretAccessKey'] - session_token = acct_b['Credentials']['SessionToken'] - else: - access_key_id = os.getenv("AWS_ACCESS_KEY_ID") - secret_access_key = os.getenv("AWS_SECRET_ACCESS_KEY") - session_token = os.getenv("AWS_SESSION_TOKEN") - - aws_client = boto3.client( - 'securityhub', - aws_access_key_id=access_key_id, - aws_secret_access_key=secret_access_key, - aws_session_token=session_token, - ) - - end_time = time.perf_counter() - print(f"[INFO] Completed - Security Hub create client - 
{end_time - start_time:0.4f} seconds") - return SecurityHub(aws_client, cache, product_arn) - - def get_findings(self, ids): - start_time = time.perf_counter() - print(f"[INFO] Started - Get findings") - batch_size = 20 - cache_found_id_map = {} - - for index in range(0, len(ids), batch_size): - filter = {"Id": []} - for id in ids[index:index+batch_size]: - entry = { - "Value": f"{id}", - "Comparison": "EQUALS" - } - - filter["Id"].append(entry) - - response = self.client.get_findings(Filters=filter) - findings = response["Findings"] - print(f"[INFO] Get Findings API result: {findings}") - - map_findings = {findings[i]["Id"]: findings[i]["UpdatedAt"] for i in range(0, len(findings))} - cache_found_id_map = {**cache_found_id_map, **map_findings} - - end_time = time.perf_counter() - print(f"[INFO] Completed - Get findings - {end_time - start_time:0.4f} seconds") - - return cache_found_id_map - - def process_findings(self): - # We need to update when we want to resolve a resolved finding - partial_failure = False - if len(self.insert_findings): - partial_failure = partial_failure | self.__batch_import_findings() - - print(f"[INFO] Importing {len(self.insert_findings)} findings") - - if len(self.reopen_findings): - partial_failure = partial_failure | self.__batch_reopen_findings() - - print(f"[INFO] Reopened {len(self.reopen_findings)} findings") - - if len(self.resolve_findings): - partial_failure = partial_failure | self.__batch_resolve_findings() - - print(f"[INFO] Resolved {len(self.resolve_findings)} findings") - - return partial_failure - - def reopen_finding(self, record): - if not record: - raise ValueError("Parameter `record` for class `SecurityHub` is missing") - - self.reopen_findings[record.id] = record.updated_timestamp - print(f"[INFO] Adding record to reopen findings queue - {record.id} - {record.updated_timestamp}") - - self.insert_finding(record) - - def resolve_finding(self, record): - if not record: - raise ValueError("Parameter `record` for class 
`SecurityHub` is missing") - - self.reopen_findings[record.id] = record.updated_timestamp - print(f"[INFO] Adding record to resolved findings queue - {record.id} - {record.updated_timestamp}") - - self.insert_finding(record) - - def insert_finding(self, record): - if not record: - raise ValueError("Parameter `record` for class `SecurityHub` is missing") - - finding = self.__create_insert_finding(record) - - self.insert_findings.append(finding) - print(f"[INFO] Adding record to insert findings queue - {record.id} - {record.updated_timestamp}") - - def __create_update_finding(self, id): - finding = { - "Id": id, - "ProductArn": self.product_arn - } - - return finding - - def __create_insert_finding(self, record): - print("[INFO] Starting - Create finding") - # Common format - finding = { - "SchemaVersion": "2018-10-08", - "Severity": { - "Label": "HIGH", - "Product": 80 - }, - "Compliance": { - "Status": "WARNING" - }, - "Types": ["Software and Configuration Checks/Governance/Out of Compliance"] - } - - # Get update time - update_time = dt.datetime.utcnow() - update_time = update_time.isoformat() - - finding["Id"] = record.id - finding["ProductArn"] = self.product_arn - finding["AwsAccountId"] = record.account_id - finding["CreatedAt"] = record.updated_timestamp - finding["UpdatedAt"] = record.updated_timestamp - finding["Description"] = record.description - finding["Title"] = record.title - - resources = [] - - for aka in record.akas: - - resource_aka = { - "Type": "Resource AKA", - "Id": aka, - "Tags": record.tags - } - - if record.partition: - resource_aka["Partition"] = record.partition - - if record.region_name: - resource_aka["Region"] = record.region_name - - resources.append(resource_aka) - - resource_id = { - "Type": "Resource ID", - "Id": record.resource_id - } - resources.append(resource_id) - - finding["Resources"] = resources - - generator_id = record.control_type.replace(" > ", "-").lower() - finding["GeneratorId"] = 
f"arn:aws:securityhub:::ruleset/turbot/{generator_id}" - - print(f"[INFO] Completed - Create finding - {finding}") - - return finding - - def __batch_import_findings(self): - start_time = time.perf_counter() - print(f"[INFO] Started - Batch import findings") - response = self.client.batch_import_findings(Findings=self.insert_findings) - - # update cache - for finding in self.insert_findings: - self.cache.set(finding["Id"], finding["UpdatedAt"]) - print(f"[INFO] Cache update - {finding['Id']} - {finding['UpdatedAt']}") - pass - - failed_count = response["FailedCount"] - handled_count = 0 - - # Is this an account that is not managed by Sec Hub? - for failed_finding in response["FailedFindings"]: - if failed_finding["ErrorCode"] == "InvalidAccess": - print(f"[WARN] Finding will not be processed - {failed_finding['ErrorMessage']}") - handled_count += 1 - else: - print(f"[WARN] Finding failed - will retry - {failed_finding}") - - end_time = time.perf_counter() - if failed_count - handled_count > 0: - print(f"[WARN] Completed with errors - Batch import findings - {end_time - start_time:0.4f} seconds") - return True - - print(f"[INFO] Completed - Batch import findings - {end_time - start_time:0.4f} seconds") - return False - - def __batch_update_findings(self, findings, status): - start_time = time.perf_counter() - status_lower = status.lower() - print(f"[INFO] Started - Batch update findings with status {status_lower}") - - workflow = {"Status": status.upper()} - batch = [] - - for id in self.reopen_findings: - cached_date = self.cache.get(id) - if cached_date == None: - batch.append(self.__create_update_finding(id)) - print(f"[INFO] Update finding with status {status_lower} - {id} - {findings[id]}") - else: - print(f"[INFO] Found cached entry - {id} - {cached_date}") - - findings_timestamp = dt.datetime.fromisoformat(findings[id][:-1]) - cache_findings_timestamp = dt.datetime.fromisoformat(cached_date[:-1]) - - if cache_findings_timestamp <= findings_timestamp: - 
batch.append(self.__create_update_finding(id)) - print(f"[INFO] Update finding with status {status_lower} - {id} - {findings[id]}") - else: - print( - f"[INFO] Ignore finding with status {status_lower} - {id} - Cache date {cached_date} is more recent than finding {findings[id]}") - - failed_count = 0 - handled_count = 0 - - if len(batch): - response = self.client.batch_update_findings(FindingIdentifiers=batch, Workflow=workflow) - - failed_count = len(response["UnprocessedFindings"]) - - # Is this an account that is not managed by Sec Hub? - for unprocessed_finding in response["UnprocessedFindings"]: - if unprocessed_finding["ErrorCode"] == "FindingNotFound": - print( - f"[WARN] Batch update failed - Finding not found - {unprocessed_finding} - {unprocessed_finding['ErrorMessage']}") - handled_count += 1 - else: - print(f"[WARN] Batch update failed - Will retry - {unprocessed_finding}") - - end_time = time.perf_counter() - if failed_count - handled_count > 0: - print( - f"[WARN] Completed with errors - Batch update findings with status {status_lower} - {end_time - start_time:0.4f} seconds") - return True - - print( - f"[INFO] Completed - Batch update findings with status {status_lower} - {end_time - start_time:0.4f} seconds") - return False - - def __batch_reopen_findings(self): - return self.__batch_update_findings(self.reopen_findings, "new") - - def __batch_resolve_findings(self): - return self.__batch_update_findings(self.reopen_findings, "resolved") diff --git a/baselines/notifications/security-hub/package-lambda.sh b/baselines/notifications/security-hub/package-lambda.sh deleted file mode 100755 index 6229dd570..000000000 --- a/baselines/notifications/security-hub/package-lambda.sh +++ /dev/null 
@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-python3 -m venv .packaging
-source .packaging/bin/activate
-pip3 install pymemcache
-deactivate
-
-rm deployment-package.zip
-cd .packaging/lib/python3.8/site-packages
-zip -r ../../../../deployment-package.zip .
-cd -
-zip -g deployment-package.zip lambda_function.py logic/*
-rm -rf .packaging
\ No newline at end of file
diff --git a/baselines/notifications/security-hub/providers.tf b/baselines/notifications/security-hub/providers.tf
deleted file mode 100644
index 44ee59dd0..000000000
--- a/baselines/notifications/security-hub/providers.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-terraform {
- required_providers {
- turbot = {
- source = "turbot/turbot"
- }
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.0"
- }
- }
- required_version = ">= 0.13"
-}
-
-provider "turbot" {
- profile = var.turbot_profile
-}
-
-provider "aws" {
- profile = var.aws_profile
- region = var.aws_region
-}
diff --git a/baselines/notifications/security-hub/requirements.txt b/baselines/notifications/security-hub/requirements.txt
deleted file mode 100644
index 5e428d9f5..000000000
--- a/baselines/notifications/security-hub/requirements.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-boto3==1.17.3
-pymemcache==3.4.0
\ No newline at end of file
diff --git a/baselines/notifications/security-hub/turbot_policies.tf b/baselines/notifications/security-hub/turbot_policies.tf
deleted file mode 100644
index b2516b224..000000000
--- a/baselines/notifications/security-hub/turbot_policies.tf
+++ /dev/null
@@ -1,91 +0,0 @@
-# Turbot > Firehose > AWS SNS > Notification Template > Control Updated
-# https://turbot.com/v5/mods/turbot/firehose-aws-sns/inspect#/policy/types/notificationTemplateControlUpdated
-resource "turbot_policy_setting" "firehose_aws_sns_notification_template_control_updated" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/firehose-aws-sns#/policy/types/notificationTemplateControlUpdated"
- value = <<-EOT
- {% input %}
- query notificationGet($id: ID!) {
- notification(id: $id) {
- notificationType
- actor {
- identity {
- picture
- turbot {
- title
- id
- }
- }
- }
- turbot {
- type
- controlId
- controlOldVersionId
- controlNewVersionId
- createTimestamp
- }
- control {
- state
- reason
- details
- type {
- trunk {
- title
- }
- }
- turbot {
- id
- }
- resource {
- akas
- metadata
- title
- turbot {
- id
- }
- }
- }
- oldControl {
- state
- turbot {
- id
- }
- }
- }
- }
- {% endinput %}
-
- notification: {{ $.notification | dump | safe }}
- EOT
-}
-
-# Turbot > Firehose > AWS SNS > Notification Access Key
-# https://turbot.com/v5/mods/turbot/firehose-aws-sns/inspect#/policy/types/notificationAccessKey
-resource "turbot_policy_setting" "firehose_aws_sns_notification_access_key" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/firehose-aws-sns#/policy/types/notificationAccessKey"
- value = local.access_key
-}
-
-# Turbot > Firehose > AWS SNS > Notification Secret Key
-# https://turbot.com/v5/mods/turbot/firehose-aws-sns/inspect#/policy/types/notificationSecretKey
-resource "turbot_policy_setting" "firehose_aws_sns_notification_secret_key" {
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/firehose-aws-sns#/policy/types/notificationSecretKey"
- value = local.secret_access_key
-}
-
-# Turbot > Firehose > AWS SNS > Notification Topic
-# https://turbot.com/v5/mods/turbot/firehose-aws-sns/inspect#/policy/types/notificationTopic
-resource "turbot_policy_setting" "firehose_aws_sns_notification_topic" {
- resource = 
"tmod:@turbot/turbot#/"
- type = "tmod:@turbot/firehose-aws-sns#/policy/types/notificationTopic"
- value = aws_sns_topic.turbot_firehose_user_sns_topic.arn
-}
-
-resource "null_resource" "turbot_mutation_example" {
- # Get notified on all the actions taken by Turbot for the resources at Turbot Root level and its descendant, which have turbot.tag as `Environment:Development`.
- provisioner "local-exec" {
- command = "turbot graphql --query create-watch-mutation.graphql --variables create-watch-mutation-input.json --profile ${var.turbot_profile}"
- }
-}
diff --git a/baselines/notifications/security-hub/variables.tf b/baselines/notifications/security-hub/variables.tf
deleted file mode 100644
index 3f769e6e2..000000000
--- a/baselines/notifications/security-hub/variables.tf
+++ /dev/null
@@ -1,45 +0,0 @@
-variable "aws_profile" {
- description = "AWS profile used to install the SecurityHub baseline on the account managed by the profile"
- type = string
-}
-
-variable "aws_region" {
- description = "Configures which AWS region SecurityHub baseline resources are created"
- type = string
-}
-
-variable "enabled_caching" {
- type = bool
- description = <<-DESC
- If the variable is set to false then the script installs the notification queue only and Lambda handler only.
- If the variable is set to trye then the script installs the notification queue, Lambda handler only and memcache to
- cache the last results to manage network race conditions.
- DESC
- default = true
-}
-
-variable "batch_size" {
- description = "Maximum notification batch size to process to SecurityHub findings"
- default = "100"
-}
-
-variable "batch_window" {
- description = "Maximum notification batch waiting winding to collect notification in order to process to SecurityHub findings"
- default = "30"
-}
-
-variable "turbot_profile" {
- description = "Turbot profile used to install policies for a workspace managed by the profile"
- type = string
- default = "default"
-}
-
-variable "rebuild" {
- description = <<-DESC
- This setting will rebuild the deployment package to be uploaded to lambda and requires bash.
-
- Useful in development phase.
- DESC
- type = bool
- default = false
-}
diff --git a/baselines/turbot/example_folder_hierarchy/README.md b/baselines/turbot/example_folder_hierarchy/README.md
deleted file mode 100644
index d05d753a6..000000000
--- a/baselines/turbot/example_folder_hierarchy/README.md
+++ /dev/null
@@ -1,32 +0,0 @@
-# Example Folder Hierarchy
-
-This Terraform package demonstrates an example folder hierarchy that might exist in a real environment.
-
-A total of seven folders are created:
-
-* ACME
- * Prod
- * Prod IT
- * Prod Apps
- * Dev
- * Dev IT
- * Dev Apps
-
-## Pre-requisites
-
-To run the example folder hierarchy, you must have:
-
-- [Terraform](https://www.terraform.io) Version 12
-- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
-- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) configured to connect to your Turbot workspace
-
-## Running the Baseline
-
-To execute the baseline, simply navigate to the example_folder_hierarchy folder using your command line tool of choice, and execute!
-
-To run the mod install baseline:
-
-- Go to the directory using the command line tool of choice `cd example_folder_hierarchy`.
-- Update `default.tfvars` with appropriate values. If you are simply looking to test, these values can be left default.
-- Run `terraform plan -var-file=default.tfvars` to review the plan for aws permissions.
-- Run `terraform apply -var-file=default.tfvars` to apply the changes.
diff --git a/baselines/turbot/example_folder_hierarchy/default.tfvars b/baselines/turbot/example_folder_hierarchy/default.tfvars
deleted file mode 100644
index 6d0b8ff6d..000000000
--- a/baselines/turbot/example_folder_hierarchy/default.tfvars
+++ /dev/null
@@ -1,41 +0,0 @@
-# Optional - top_folder_title default value: "ACME"
-# top_folder_title = "Custom Smart Folder Title"
-
-# Optional - top_folder_description default value: "Top level folder for ACME"
-# top_folder_description = "Custom Smart Folder Title"
-
-# Optional - top_dev_title default value: "Dev"
-# top_dev_title = "Custom Smart Folder Title"
-
-# Optional - top_dev_description default value: "Description for top level Dev folder"
-# top_dev_description = "Custom Smart Folder Title"
-
-# Optional - top_prod_title default value: "Prod"
-# top_prod_title = "Custom Smart Folder Title"
-
-# Optional - top_prod_description default value: "Top level folder for Prod environment"
-# top_prod_description = "Custom Smart Folder Title"
-
-# Optional - dev_it_title default value: "Dev IT"
-# dev_it_title = "Custom Smart Folder Title"
-
-# Optional - dev_it_description default value: "Dev IT folder"
-# dev_it_description = "Custom Smart Folder Title"
-
-# Optional - dev_apps_title default value: "Dev Apps"
-# dev_apps_title = "Custom Smart Folder Title"
-
-# Optional - dev_apps_description default value: "Dev Apps folder"
-# dev_apps_description = "Custom Smart Folder Title"
-
-# Optional - prod_it_title default value: "Prod IT"
-# prod_it_title = "Custom Smart Folder Title"
-
-# Optional - prod_it_description default value: "Prod IT folder"
-# prod_it_description = "Custom Smart Folder Title"
-
-# Optional - prod_apps_title default value: "Prod Apps"
-# prod_apps_title = "Custom Smart Folder Title"
-
-# Optional - prod_apps_description default value: "Prod Apps folder"
-# prod_apps_description = "Custom Smart Folder Title"
\ No newline at end of file
diff --git a/baselines/turbot/example_folder_hierarchy/main.tf b/baselines/turbot/example_folder_hierarchy/main.tf
deleted file mode 100644
index 730e86d5f..000000000
--- a/baselines/turbot/example_folder_hierarchy/main.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Initalize the Turbot provider
-provider turbot {}
-
-# Top level folder
-resource "turbot_folder" "acme" {
- parent = "tmod:@turbot/turbot#"
- title = var.top_folder_title
- description = var.top_folder_description
-}
-
-# Top level Dev folder, acme folder is parent
-resource "turbot_folder" "top_dev" {
- parent = turbot_folder.acme.id
- title = var.top_dev_title
- description = var.top_dev_folder_description
-}
-
-# Top level Prod folder, acme folder is parent
-resource "turbot_folder" "top_prod" {
- parent = turbot_folder.acme.id
- title = var.top_prod_title
- description = var.top_prod_folder_description
-}
-
-# Example business units within Dev. Each business unit gets it's own folder.
-resource "turbot_folder" "dev_it" {
- parent = turbot_folder.top_dev.id
- title = var.dev_it_title
- description = var.dev_it_description
-}
-
-resource "turbot_folder" "dev_apps" {
- parent = turbot_folder.top_dev.id
- title = var.dev_apps_title
- description = var.dev_apps_description
-}
-
-# Example business units within Prod. Each business unit gets it's own folder.
-resource "turbot_folder" "prod_it" {
- parent = turbot_folder.top_prod.id
- title = var.prod_it_title
- description = var.prod_it_description
-}
-
-resource "turbot_folder" "prod_apps" {
- parent = turbot_folder.top_prod.id
- title = var.prod_apps_title
- description = var.prod_apps_description
-}
\ No newline at end of file
diff --git a/baselines/turbot/example_folder_hierarchy/variables.tf b/baselines/turbot/example_folder_hierarchy/variables.tf
deleted file mode 100644
index e79e12dca..000000000
--- a/baselines/turbot/example_folder_hierarchy/variables.tf
+++ /dev/null
@@ -1,89 +0,0 @@
-variable "top_folder" {
- description = "Parent resource for the top level folder, ACME"
- type = string
- default = "tmod:@turbot/turbot#/"
-}
-
-variable "top_folder_title" {
- description = "Title of top level folder."
- type = string
- default = "ACME"
-}
-
-variable "top_folder_description" {
- description = "Description of the top level folder"
- type = string
- default = "Top level folder for ACME"
-}
-
-variable "top_dev_title" {
- description = "Title for top level Dev folder"
- type = string
- default = "Dev"
-}
-
-variable "top_dev_folder_description" {
- description = "Description for top level Dev folder"
- type = string
- default = "Top level folder for Dev environment"
-}
-
-variable "top_prod_title" {
- description = "Title for the top level Prod folder"
- type = string
- default = "Prod"
-}
-
-variable "top_prod_folder_description" {
- description = "Description for the top level Prod folder"
- type = string
- default = "Top level folder for Prod environment"
-}
-
-variable "dev_it_title" {
- description = "Title for Dev IT folder"
- type = string
- default = "Dev IT"
-}
-
-variable "dev_it_description" {
- description = "Description for Dev IT folder"
- type = string
- default = "Dev IT folder"
-}
-
-variable "dev_apps_title" {
- description = "Description for Dev Apps folder"
- type = string
- default = "Dev Apps"
-}
-
-variable "dev_apps_description" {
- description = "Description for Dev Apps folder"
- type = string
- default = "Dev Apps folder"
-}
-
-variable "prod_it_title" {
- description = "Title for Prod IT folder"
- type = string
- default = "Prod IT"
-}
-
-variable "prod_it_description" {
- description = "Description for Prod IT folder"
- type = string
- default = "Prod IT folder"
-}
-
-variable "prod_apps_title" {
- description = "Description for Prod Apps folder"
- type = string
- default = "Prod Apps"
-}
-
-variable "prod_apps_description" {
- description = "Description for Prod Apps folder"
- type = string
- default 
= "Prod Apps folder"
-}
\ No newline at end of file
diff --git a/baselines/turbot/local_directory/README.md b/baselines/turbot/local_directory/README.md
deleted file mode 100644
index 3061b0e92..000000000
--- a/baselines/turbot/local_directory/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Local Directory Baseline
-
-The Turbot local directory baseline provides a terraform configuration that allows creation of a local directory and grant Turbot/Owner and Turbot/Admin to users based on the required configurations.
-
-## Pre-requisites
-
-To run the local directory baseline, you must have:
-
-- [Terraform](https://www.terraform.io) Version 12
-- [Turbot Terraform Provider](https://github.com/turbotio/terraform-provider-turbot)
-- [Credentials](https://turbot.com/v5/docs/reference/cli/installation#setup-your-turbot-credentials) configured to connect to your Turbot workspace
-
-## Running the Baseline
-
-To execute the baseline you must run terraform and specify the local directory name you wish to create and list of users you want to grant Turbot/Owner and Turbot/Admin role.
-
-To run the mod install baseline:
-
-- Go to the AWS permissions directory with `cd local_directory`
-- Update `default.tfvars` with appropriate values
-- Run `terraform plan -var-file=default.tfvars` to review the plan for aws permissions
-- Run `terraform apply -var-file=default.tfvars` to apply the changes
diff --git a/baselines/turbot/local_directory/default.tfvars b/baselines/turbot/local_directory/default.tfvars
deleted file mode 100644
index 25eedae60..000000000
--- a/baselines/turbot/local_directory/default.tfvars
+++ /dev/null
@@ -1,6 +0,0 @@
-local_directory_name = "Test Local Directory"
-
-user_details = {
- "user1@test.com" = "User One"
- "user2@test.com" = "User Two"
-}
diff --git a/baselines/turbot/local_directory/main.tf b/baselines/turbot/local_directory/main.tf
deleted file mode 100644
index ecb0e268f..000000000
--- a/baselines/turbot/local_directory/main.tf
+++ /dev/null
@@ -1,67 +0,0 @@
-########## Local Directory Creation ##########
-resource "turbot_local_directory" "test_dir" {
- parent = "tmod:@turbot/turbot#/"
- title = var.local_directory_name
- description = var.local_directory_name
- profile_id_template = "{{profile.email}}"
-}
-
-
-########## User Creation ##########
-resource "turbot_local_directory_user" "create_user" {
- count = length(var.user_details)
- title = var.user_details[keys(var.user_details)[count.index]]
- email = lower(keys(var.user_details)[count.index])
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
-}
-
-########## User Profile Creation ##########
-resource "turbot_profile" "create_user_profile" {
- count = length(var.user_details)
- title = turbot_local_directory_user.create_user[count.index].title
- email = lower(keys(var.user_details)[count.index])
- status = "Active"
- given_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[0]
- family_name = split(" ", var.user_details[keys(var.user_details)[count.index]])[1]
- display_name = var.user_details[keys(var.user_details)[count.index]]
- parent = turbot_local_directory.test_dir.id
- profile_id = keys(var.user_details)[count.index]
-}
-
-########## Grant Creation ##########
-
-# Create Turbot/Admin grant
-resource "turbot_grant" "grant_admin" {
- count = length(var.user_details)
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
- level = "tmod:@turbot/turbot-iam#/permission/levels/admin"
- identity = turbot_profile.create_user_profile[count.index].id
-}
-
-# Create Turbot/Owner grant
-resource "turbot_grant" "grant_owner" {
- count = length(var.user_details)
- resource = "tmod:@turbot/turbot#/"
- type = "tmod:@turbot/turbot-iam#/permission/types/turbot"
- level = "tmod:@turbot/turbot-iam#/permission/levels/owner"
- identity = turbot_profile.create_user_profile[count.index].id
-}
-
-########## Grant Activation 
##########
-
-# Activate Turbot/Admin grant
-resource "turbot_grant_activation" "activate_admin_grant" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- grant = turbot_grant.grant_admin[count.index].id
-}
-
-# Activate Turbot/Owner grant
-resource "turbot_grant_activation" "activate_owner_grant" {
- count = length(var.user_details)
- resource = var.grant_scope_id
- grant = turbot_grant.grant_owner[count.index].id
-}
-
diff --git a/baselines/turbot/local_directory/variables.tf b/baselines/turbot/local_directory/variables.tf
deleted file mode 100644
index 8ffec2404..000000000
--- a/baselines/turbot/local_directory/variables.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-variable "local_directory_name" {
- description = "Enter the name for the local directory to be created:"
- type = string
-}
-
-variable "user_details" {
- description = "Enter the user details (``=``):"
- type = map(string)
-}
-
-# It is the turbot id of turbot folder or resource.
-# The Admin and Owner grants will be activated at this level
-# "tmod:@turbot/turbot#/" is the aka of Turbot level
-variable "grant_scope_id" {
- type = string
- default = "tmod:@turbot/turbot#/"
-}
diff --git a/baselines/turbot/test/main.tf b/baselines/turbot/test/main.tf
deleted file mode 100644
index 64b47aecc..000000000
--- a/baselines/turbot/test/main.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-## Create Smart Folder
-provider "turbot" {
- profile = "demo"
-}
-
-resource "turbot_smart_folder" "folder_test" {
- parent = "tmod:@turbot/turbot#/"
- title = "AAA SF test"
- description = "Test"
-}
-
-# Smart Folder Attachments
-resource "turbot_smart_folder_attachment" "attachment_test" {
- # PUNISHER
- # resource = "188739281797066" # Actual resource
- # resource = "188716601440372" # punisher-aaa
- # resource = "187486019045335" # folder expediators
- # DEMO
- # resource = "185847359853835" # dboeke key pair
- # resource = "165045201235611" # AWS for Dave
- resource = "165043304546839" # Folder Dave
- smart_folder = turbot_smart_folder.folder_test.id
-}
-
-# Check only guardrail
-# AWS > ec2 > AMI > Approved
-resource "turbot_policy_setting" "policy_test_1" {
- resource = turbot_smart_folder.folder_test.id
- type = "tmod:@turbot/aws-ec2#/policy/types/keyPairActive"
- value = "Check: Active"
-}
-
-# resource "turbot_policy_setting" "policy_test_2" {
-# resource = turbot_smart_folder.folder_test.id
-# type = "tmod:@turbot/aws-ec2#/policy/types/keyPairActiveLastModified"
-# value = "Force active if last modified <= 365 days"
-# }
-