This module creates the necessary resources to store your Terraform state remotely in AWS.
FedRAMP Compliance: Moderate, High
- IAM AWS Accounts
- S3 for Terraform State
- DynamoDB for Terraform State
- KMS keys for DynamoDB and S3
- IAM roles for above resources
This module can be called as outlined below.
- Change directories to the terraform-aws-securitycore directory.
- From the terraform-aws-securitycore directory, run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
Example of how to call the module with generic variables:

```hcl
provider "aws" {
  region = "us-gov-west-1"
}

# Identity of the management account that is running this configuration
data "aws_caller_identity" "mgmt_account" {}

module "security-core" {
  source = "github.com/Coalfire-CF/terraform-aws-securitycore"

  aws_region                  = "us-gov-west-1"
  resource_prefix             = var.resource_prefix
  application_account_numbers = var.app_account_ids
  account_number              = data.aws_caller_identity.mgmt_account.account_id
}
```

No requirements.

Providers:

| Name | Version |
|---|---|
| aws | n/a |

Modules:

| Name | Source | Version |
|---|---|---|
| dynamo_kms_key | github.com/Coalfire-CF/terraform-aws-kms | n/a |
| s3-tstate | github.com/Coalfire-CF/terraform-aws-s3 | n/a |
| s3_kms_key | github.com/Coalfire-CF/terraform-aws-kms | n/a |

Resources:

| Name | Type |
|---|---|
| aws_dynamodb_table.dynamodb_ | resource |
| aws_iam_policy_document.s3_key | data source |
| aws_iam_policy_document.tfstate_bucket_policy | data source |
| aws_partition.current | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_number | account number for the mgmt account | string | n/a | yes |
| application_account_numbers | Account IDs for application accounts to be used in IAM | list(string) | n/a | yes |
| aws_region | The AWS region to create things in | string | n/a | yes |
| create_dynamo_kms_key | create KMS key for dynamodb | bool | true | no |
| create_s3_kms_key | create KMS key for S3 | bool | true | no |
| resource_prefix | The prefix for the s3 bucket names | string | n/a | yes |

Outputs:

| Name | Description |
|---|---|
| dynamo_key_arn | The arn of the dynamo kms key |
| dynamo_key_id | The id of the dynamo key |
| dynamodb_table_name | n/a |
| s3_key_arn | The arn of the s3 kms key |
| s3_key_iam | The name of the terraform state bucket |
| s3_key_id | The id of the s3 key |
| tstate_bucket_name | The name of the terraform state bucket |
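Once the module has been applied, other root modules point their S3 backend at the bucket, lock table and key it created. Backend blocks cannot reference variables or module outputs, so the values are written as literals (or supplied with `-backend-config` at `terraform init`). This is an added example, not code from the module or its repository; the three values marked PLACEHOLDER stand in for the module's `tstate_bucket_name`, `dynamodb_table_name` and `s3_key_arn` outputs, and the state object key is assumed.

```hcl
# backend.tf for a root module whose state is kept in the security-core resources.
# Added example: replace the PLACEHOLDER values with the module's outputs after apply.
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "PLACEHOLDER-prefix-tfstate"                  # tstate_bucket_name output
    key            = "network/terraform.tfstate"                    # assumed; one key per root module
    region         = "us-gov-west-1"
    encrypt        = true                                           # state is always written encrypted
    # GovCloud ARNs use the aws-us-gov partition (see the aws_partition data source above)
    kms_key_id     = "arn:aws-us-gov:kms:us-gov-west-1:111111111111:key/PLACEHOLDER" # s3_key_arn output
    dynamodb_table = "PLACEHOLDER-tfstate-lock"                     # dynamodb_table_name output
  }
}
```

Running `terraform init` in that root module configures the backend; if a local state file already exists, Terraform offers to migrate it into the bucket.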
Copyright © 2023 Coalfire Systems Inc.

The tables below describe a second configuration of the module in which the DynamoDB and S3 KMS keys are supplied as existing key ARNs rather than created by the module.

Requirements:

| Name | Version |
|---|---|
| terraform | >=1.5.0 |
| aws | ~> 5.0 |

Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |

Modules:

| Name | Source | Version |
|---|---|---|
| s3-tstate | github.com/Coalfire-CF/terraform-aws-s3 | v1.0.1 |

Resources:

| Name | Type |
|---|---|
| aws_dynamodb_table.dynamodb_ | resource |
| aws_iam_policy_document.tfstate_bucket_policy | data source |

Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_account_numbers | Account IDs for application accounts to be used in IAM | list(string) | n/a | yes |
| aws_region | The AWS region to create things in | string | n/a | yes |
| dynamo_kms_key_arn | ARN for the CMK KMS key for DynamoDB | string | n/a | yes |
| resource_prefix | The prefix for the s3 bucket names | string | n/a | yes |
| s3_kms_key_arn | ARN for the CMK KMS key for S3 | string | n/a | yes |

Outputs:

| Name | Description |
|---|---|
| dynamo_key_arn | The arn of the dynamo kms key |
| dynamo_key_id | The id of the dynamo key |
| dynamodb_table_name | n/a |
| s3_key_arn | The arn of the s3 kms key |
| s3_key_iam | The name of the terraform state bucket |
| s3_key_id | The id of the s3 key |
| tstate_bucket_name | The name of the terraform state bucket |
