This is a Terraform project for creating AWS users that only have permission to view CloudWatch logs related to BOD 18-01 scanning.
## Requirements

- Terraform installed on your system.
- AWS CLI access configured for the appropriate account on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in `backend.tf`).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in `backend.tf`).
- User accounts for all users must have been created previously. We recommend using the `cisagov/cyhy-users-non-admin` repository to create users.
## Usage

Create a Terraform variables file to be used for your environment (e.g. `production.tfvars`), based on the variables listed in Inputs below. The variable names must match those in the Inputs table (`users` and `bod_lambdas` are required). Here is a sample of what that file might look like:

```hcl
aws_region = "us-east-2"

# Usernames of the existing IAM users that should be able to read the logs
users = ["firstname1.lastname1", "firstname2.lastname2"]

# Map of BOD scan type -> name of the Lambda function that performs it
bod_lambdas = {
  "pshtt"      = "task_pshtt",
  "trustymail" = "task_trustymail"
}

tags = {
  Team        = "CISA Development Team"
  Application = "BOD 18-01 Scanning"
  Workspace   = "production"
}
```
To create the infrastructure:

1. Create a Terraform workspace (if you haven't already done so) by running `terraform workspace new <workspace_name>`.
2. Create a `<workspace_name>.tfvars` file with all of the required variables and any optional variables desired (see Inputs below for details).
3. Run the command `terraform init`.
4. Create the Terraform infrastructure by running the command `terraform apply -var-file=<workspace_name>.tfvars`.

To destroy the infrastructure:

1. Select the appropriate Terraform workspace by running `terraform workspace select <workspace_name>`.
2. Destroy the Terraform infrastructure in that workspace by running `terraform destroy -var-file=<workspace_name>.tfvars`.
## Requirements

| Name | Version |
|---|---|
| terraform | ~> 1.1 |
| aws | ~> 4.9 |

## Providers

| Name | Version |
|---|---|
| aws | ~> 4.9 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| aws_iam_group.bod_log_watchers | resource |
| aws_iam_group_policy_attachment.bodlambdalogreadaccess_policy_attachment | resource |
| aws_iam_policy.bodlambdalogreadaccess_policy | resource |
| aws_iam_user_group_membership.user | resource |
| aws_caller_identity.current | data source |
| aws_cloudwatch_log_group.bod_lambda_logs | data source |
| aws_iam_policy_document.bodlambdalogreadaccess_policy_doc | data source |
| aws_iam_user.users | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_availability_zone | The AWS availability zone to deploy into (e.g. a, b, c, etc.). | string | "a" | no |
| aws_region | The AWS region to deploy into (e.g. us-east-1). | string | "us-east-1" | no |
| bod_lambdas | A map whose keys are the names of the BOD scan types and whose values are the names of the corresponding AWS Lambdas. Example: `{ "pshtt" = "task_pshtt" }` | map(string) | n/a | yes |
| bod_log_watchers_group_name | The base name of the group to be created for BOD 18-01 Lambda log access users. Note that in production workspaces, `-production` is automatically appended to this group name. In non-production workspaces, `-<workspace_name>` is automatically appended to this group name. | string | "bod_log_watchers" | no |
| bodlambdalogreadaccess_policy_description | The description to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs. | string | "Allows read access to the BOD 18-01 Lambda logs." | no |
| bodlambdalogreadaccess_policy_name | The base name to associate with the IAM policy that allows read access to the BOD 18-01 Lambda logs. Note that in production workspaces, `-production` is automatically appended to this policy name. In non-production workspaces, `-<workspace_name>` is automatically appended to this policy name. | string | "BODLambdaLogReadAccess" | no |
| tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
| users | A list of the usernames for the users that should be given access to the BOD 18-01 CloudWatch logs. Example: `["firstname1.lastname1", "firstname2.lastname2"]` | list(string) | n/a | yes |
## Outputs

No outputs.
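The point of this project is that the log watchers get read-only access scoped to the BOD 18-01 Lambda log groups and nothing else. The following Python script is an added example, not code from this repository: it derives the suffixed group and policy names described in the Inputs table, builds the set of log-group ARNs the `bod_lambdas` map implies (assuming the standard `/aws/lambda/<function_name>` log group layout), and checks a policy document for least privilege. The account id, the read-only action allowlist and the two policy documents are constructed sample values; the "good" one mirrors what the README describes, the "bad" one shows what the check rejects.

```python
"""Least-privilege check for a BOD 18-01 Lambda log-reader IAM policy.

Added example, not part of the cisagov project.  Account id, action
allowlist and policy JSON are constructed for illustration.
"""
import json

# Action prefixes we treat as read-only for CloudWatch Logs (our allowlist,
# not the project's).  A trailing wildcard on one of these is accepted.
READ_ONLY_PREFIXES = (
    "logs:Describe", "logs:Get", "logs:List", "logs:FilterLogEvents",
    "logs:StartQuery", "logs:StopQuery", "logs:TestMetricFilter",
)


def suffixed_name(base, workspace):
    """Naming rule from the Inputs table: '-production' in the production
    workspace, '-<workspace_name>' in every other workspace."""
    suffix = "production" if workspace == "production" else workspace
    return f"{base}-{suffix}"


def log_group_arn_prefixes(bod_lambdas, region, account_id):
    """ARN prefix of each Lambda's log group (/aws/lambda/<function_name>)."""
    return {
        f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{fn}"
        for fn in bod_lambdas.values()
    }


def is_read_only(action):
    """True only for logs actions on the read-only allowlist; 'logs:*' and
    wildcards anywhere but the end are rejected."""
    if action in ("*", "logs:*"):
        return False
    core = action[:-1] if action.endswith("*") else action
    return "*" not in core and core.startswith(READ_ONLY_PREFIXES)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_policy(policy, allowed_prefixes):
    """Return findings; an empty list means every Allow statement uses
    read-only actions and touches only the expected log groups."""
    findings = []
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
        for action in _as_list(stmt.get("Action")):
            if not is_read_only(action):
                findings.append(f"statement {i}: action {action} is not read-only")
        for res in _as_list(stmt.get("Resource")):
            scoped = any(res == p or res.startswith(p + ":") for p in allowed_prefixes)
            if res == "*" or not scoped:
                findings.append(f"statement {i}: resource {res} is outside the BOD Lambda log groups")
    return findings


# Sample inputs: the README's example bod_lambdas map and a constructed account id.
BOD_LAMBDAS = {"pshtt": "task_pshtt", "trustymail": "task_trustymail"}
ALLOWED = log_group_arn_prefixes(BOD_LAMBDAS, "us-east-2", "123456789012")

# Constructed policy that matches the intent of bodlambdalogreadaccess_policy.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadBodLambdaLogs",
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:GetLogEvents", "logs:FilterLogEvents"],
        "Resource": [p + ":*" for p in sorted(ALLOWED)],
    }],
}

# Constructed over-broad policy: full logs access on every log group.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(suffixed_name("bod_log_watchers", "production"))
    print(suffixed_name("BODLambdaLogReadAccess", "staging"))
    print(json.dumps(GOOD_POLICY, indent=2))
    print("good policy findings:", check_policy(GOOD_POLICY, ALLOWED) or "none")
    print("bad policy findings:", check_policy(BAD_POLICY, ALLOWED))
```

One caveat when applying this to a real policy: some CloudWatch Logs list operations do not support resource-level permissions and must be granted on `"*"`, so a policy that needs them would trip the resource check for that one statement; extend the allowlist deliberately rather than loosening the check.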
## Notes

Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, this is only the main directory.
## Contributing

We welcome contributions! Please see `CONTRIBUTING.md` for details.
## License

This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.