Alphabetize

cisagov · May 9, 2024 · d840212 · d840212
1 parent 683da20
commit d840212
Show file tree

Hide file tree

Showing 55 changed files with 364 additions and 419 deletions.
diff --git a/audit/backend.tf b/audit/backend.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    encrypt        = true
     bucket         = "cisa-cool-terraform-state"
     dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-accounts/audit.tfstate"
     profile        = "cool-terraform-backend"
     region         = "us-east-1"
-    key            = "cool-accounts/audit.tfstate"
   }
 }
diff --git a/audit/outputs.tf b/audit/outputs.tf
@@ -1,9 +1,9 @@
 output "cw_alarm_sns_topic" {
-  value       = module.cw_alarm_sns.sns_topic
   description = "The SNS topic to which a message is sent when a CloudWatch alarm is triggered."
+  value       = module.cw_alarm_sns.sns_topic
 }
 
 output "provisionaccount_role" {
-  value       = module.provisionaccount.provisionaccount_role
   description = "The IAM role that allows sufficient permissions to provision all AWS resources in the Audit account."
+  value       = module.provisionaccount.provisionaccount_role
 }
diff --git a/audit/user-group-mod-notification.tf b/audit/user-group-mod-notification.tf
@@ -13,8 +13,8 @@ data "aws_iam_policy_document" "sns_topic_access_policy_doc" {
     ]
 
     principals {
-      type        = "Service"
       identifiers = ["events.amazonaws.com"]
+      type        = "Service"
     }
 
     resources = [

diff --git a/audit/variables.tf b/audit/variables.tf
@@ -5,25 +5,25 @@
 # ------------------------------------------------------------------------------
 
 variable "aws_region" {
-  type        = string
-  description = "The AWS region where the non-global resources for the Audit account are to be provisioned (e.g. \"us-east-1\")."
   default     = "us-east-1"
+  description = "The AWS region where the non-global resources for the Audit account are to be provisioned (e.g. \"us-east-1\")."
+  type        = string
 }
 
 variable "provisionaccount_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the Audit account."
   default     = "Allows sufficient permissions to provision all AWS resources in the Audit account."
+  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the Audit account."
+  type        = string
 }
 
 variable "provisionaccount_role_name" {
-  type        = string
-  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the Audit account."
   default     = "ProvisionAccount"
+  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the Audit account."
+  type        = string
 }
 
 variable "tags" {
-  type        = map(string)
-  description = "Tags to apply to all AWS resources created."
   default     = {}
+  description = "Tags to apply to all AWS resources created."
+  type        = map(string)
 }
diff --git a/dns/assume_role_policy_doc.tf b/dns/assume_role_policy_doc.tf
@@ -11,10 +11,10 @@ data "aws_iam_policy_document" "assume_role_doc" {
     ]
 
     principals {
-      type = "AWS"
       identifiers = [
         "arn:aws:iam::${local.users_account_id}:root",
       ]
+      type = "AWS"
     }
   }
 }
diff --git a/dns/backend.tf b/dns/backend.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    encrypt        = true
     bucket         = "cisa-cool-terraform-state"
     dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-accounts/dns.tfstate"
     profile        = "cool-terraform-backend"
     region         = "us-east-1"
-    key            = "cool-accounts/dns.tfstate"
   }
 }
diff --git a/dns/user-group-mod-notification.tf b/dns/user-group-mod-notification.tf
@@ -13,8 +13,8 @@ data "aws_iam_policy_document" "sns_topic_access_policy_doc" {
     ]
 
     principals {
-      type        = "Service"
       identifiers = ["events.amazonaws.com"]
+      type        = "Service"
     }
 
     resources = [

diff --git a/dns/variables.tf b/dns/variables.tf
@@ -5,61 +5,61 @@
 # ------------------------------------------------------------------------------
 
 variable "aws_region" {
-  type        = string
-  description = "The AWS region where the non-global resources for the DNS account are to be provisioned (e.g. \"us-east-1\")."
   default     = "us-east-1"
+  description = "The AWS region where the non-global resources for the DNS account are to be provisioned (e.g. \"us-east-1\")."
+  type        = string
 }
 
 variable "provisionaccount_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the DNS account."
   default     = "Allows sufficient permissions to provision all AWS resources in the DNS account."
+  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the DNS account."
+  type        = string
 }
 
 variable "provisionaccount_role_name" {
-  type        = string
-  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the DNS account."
   default     = "ProvisionAccount"
+  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the DNS account."
+  type        = string
 }
 
 variable "provisionpublishegressip_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision all resources related to the publish-egress-ip Lambda in the DNS account."
   default     = "Allows sufficient permissions to provision all resources related to the publish-egress-ip Lambda in the DNS account."
+  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision all resources related to the publish-egress-ip Lambda in the DNS account."
+  type        = string
 }
 
 variable "provisionpublishegressip_role_name" {
-  type        = string
-  description = "The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision all resources related to the publish-egress-ip Lambda in the DNS account."
   default     = "ProvisionPublishEgressIP"
+  description = "The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision all resources related to the publish-egress-ip Lambda in the DNS account."
+  type        = string
 }
 
 variable "provisionroute53_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision Route 53 in the DNS account."
   default     = "Allows sufficient permissions to provision Route 53 in the DNS account."
+  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision Route 53 in the DNS account."
+  type        = string
 }
 
 variable "provisionroute53_role_name" {
-  type        = string
-  description = "The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision Route 53 in the DNS account."
   default     = "ProvisionRoute53"
+  description = "The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision Route 53 in the DNS account."
+  type        = string
 }
 
 variable "publishegressip_lambda_name" {
-  type        = string
-  description = "The name of the Lambda function used in cisagov/publish-egress-ip-terraform.  This name is used to specify resource constraints in the role/policy specified in var.provisionpublishegressip_role_name."
   default     = "publish-egress-ip"
+  description = "The name of the Lambda function used in cisagov/publish-egress-ip-terraform.  This name is used to specify resource constraints in the role/policy specified in var.provisionpublishegressip_role_name."
+  type        = string
 }
 
 variable "publishegressip_role_name" {
-  type        = string
-  description = "The name of the IAM role (meant to be used in cisagov/publish-egress-ip-terraform) that is allowed to be created by the role/policy specified in var.provisionpublishegressip_role_name."
   default     = "PublishEgressIPLambda"
+  description = "The name of the IAM role (meant to be used in cisagov/publish-egress-ip-terraform) that is allowed to be created by the role/policy specified in var.provisionpublishegressip_role_name."
+  type        = string
 }
 
 variable "tags" {
-  type        = map(string)
-  description = "Tags to apply to all AWS resources created."
   default     = {}
+  description = "Tags to apply to all AWS resources created."
+  type        = map(string)
 }
diff --git a/dynamic/assume_role_policy_dns_doc.tf b/dynamic/assume_role_policy_dns_doc.tf
@@ -11,10 +11,10 @@ data "aws_iam_policy_document" "assume_role_dns_doc" {
     ]
 
     principals {
-      type = "AWS"
       identifiers = [
         "arn:aws:iam::${local.dns_account_id}:root",
       ]
+      type = "AWS"
     }
   }
 }
diff --git a/dynamic/backend.tf b/dynamic/backend.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    encrypt        = true
     bucket         = "cisa-cool-terraform-state"
     dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-accounts/dynamic.tfstate"
     profile        = "cool-terraform-backend"
     region         = "us-east-1"
-    key            = "cool-accounts/dynamic.tfstate"
   }
 }
diff --git a/dynamic/outputs.tf b/dynamic/outputs.tf
@@ -1,14 +1,14 @@
 output "cw_alarm_sns_topic" {
-  value       = module.cw_alarm_sns.sns_topic
   description = "The SNS topic to which a message is sent when a CloudWatch alarm is triggered."
+  value       = module.cw_alarm_sns.sns_topic
 }
 
 output "ec2readonly_role" {
-  value       = aws_iam_role.ec2readonly_role
   description = "The IAM role that allows read access to some EC2 attributes in the dynamic account."
+  value       = aws_iam_role.ec2readonly_role
 }
 
 output "provisionaccount_role" {
-  value       = module.provisionaccount.provisionaccount_role
   description = "The IAM role that allows sufficient permissions to provision all AWS resources in the dynamic account."
+  value       = module.provisionaccount.provisionaccount_role
 }
diff --git a/dynamic/user-group-mod-notification.tf b/dynamic/user-group-mod-notification.tf
@@ -13,8 +13,8 @@ data "aws_iam_policy_document" "sns_topic_access_policy_doc" {
     ]
 
     principals {
-      type        = "Service"
       identifiers = ["events.amazonaws.com"]
+      type        = "Service"
     }
 
     resources = [

diff --git a/dynamic/variables.tf b/dynamic/variables.tf
@@ -5,8 +5,8 @@
 # ------------------------------------------------------------------------------
 
 variable "dynamic_account_name" {
-  type        = string
   description = "The name of the dynamic account to be provisioned."
+  type        = string
 }
 
 # ------------------------------------------------------------------------------
@@ -16,37 +16,37 @@ variable "dynamic_account_name" {
 # ------------------------------------------------------------------------------
 
 variable "aws_region" {
-  type        = string
-  description = "The AWS region where the non-global resources for the dynamic account are to be provisioned (e.g. \"us-east-1\")."
   default     = "us-east-1"
+  description = "The AWS region where the non-global resources for the dynamic account are to be provisioned (e.g. \"us-east-1\")."
+  type        = string
 }
 
 variable "ec2readonly_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows read access to some EC2 attributes in the dynamic account."
   default     = "Allows read access to some EC2 attributes in the dynamic account."
+  description = "The description to associate with the IAM role (as well as the corresponding policy) that allows read access to some EC2 attributes in the dynamic account."
+  type        = string
 }
 
 variable "ec2readonly_role_name" {
-  type        = string
-  description = "The name to assign the IAM role (as well as the corresponding policy) that allows read access to some EC2 attributes in the dynamic account."
   default     = "EC2ReadOnly"
+  description = "The name to assign the IAM role (as well as the corresponding policy) that allows read access to some EC2 attributes in the dynamic account."
+  type        = string
 }
 
 variable "provisionaccount_role_description" {
-  type        = string
-  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the dynamic account."
   default     = "Allows sufficient permissions to provision all AWS resources in the dynamic account."
+  description = "The description to associate with the IAM role that allows sufficient permissions to provision all AWS resources in the dynamic account."
+  type        = string
 }
 
 variable "provisionaccount_role_name" {
-  type        = string
-  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the dynamic account."
   default     = "ProvisionAccount"
+  description = "The name to assign the IAM role that allows sufficient permissions to provision all AWS resources in the dynamic account."
+  type        = string
 }
 
 variable "tags" {
-  type        = map(string)
-  description = "Tags to apply to all AWS resources created."
   default     = {}
+  description = "Tags to apply to all AWS resources created."
+  type        = map(string)
 }
diff --git a/images/ami_build_public_acl_rules.tf b/images/ami_build_public_acl_rules.tf
@@ -1,37 +1,37 @@
 # Allow ingress from anywhere via ssh
 resource "aws_network_acl_rule" "ami_build_public_ingress_from_anywhere_via_ssh" {
-  network_acl_id = aws_network_acl.ami_build_public.id
+  cidr_block     = "0.0.0.0/0"
   egress         = false
+  from_port      = 22
+  network_acl_id = aws_network_acl.ami_build_public.id
   protocol       = "tcp"
-  rule_number    = "100"
   rule_action    = "allow"
-  cidr_block     = "0.0.0.0/0"
-  from_port      = 22
+  rule_number    = "100"
   to_port        = 22
 }
 
 # Allow ingress from anywhere via ephemeral ports
 resource "aws_network_acl_rule" "ami_build_public_ingress_from_anywhere_via_ephemeral_ports" {
   count = length(local.tcp_and_udp)
 
-  network_acl_id = aws_network_acl.ami_build_public.id
+  cidr_block     = "0.0.0.0/0"
   egress         = false
+  from_port      = 1024
+  network_acl_id = aws_network_acl.ami_build_public.id
   protocol       = local.tcp_and_udp[count.index]
-  rule_number    = 120 + count.index
   rule_action    = "allow"
-  cidr_block     = "0.0.0.0/0"
-  from_port      = 1024
+  rule_number    = 120 + count.index
   to_port        = 65535
 }
 
 # Allow egress to anywhere via any protocol and port
 resource "aws_network_acl_rule" "ami_build_public_egress_to_anywhere_via_any_port" {
-  network_acl_id = aws_network_acl.ami_build_public.id
+  cidr_block     = "0.0.0.0/0"
   egress         = true
+  from_port      = 0
+  network_acl_id = aws_network_acl.ami_build_public.id
   protocol       = "-1"
-  rule_number    = 140
   rule_action    = "allow"
-  cidr_block     = "0.0.0.0/0"
-  from_port      = 0
+  rule_number    = 140
   to_port        = 0
 }
diff --git a/images/ami_build_vpc.tf b/images/ami_build_vpc.tf
@@ -19,20 +19,18 @@ resource "aws_subnet" "ami_build_public" {
   ]
 
   cidr_block = var.ami_build_cidr
-  vpc_id     = aws_vpc.ami_build.id
-
   tags = {
     Name = "AMI Build"
   }
+  vpc_id = aws_vpc.ami_build.id
 }
 
 # The internet gateway for the AMI build VPC
 resource "aws_internet_gateway" "ami_build" {
-  vpc_id = aws_vpc.ami_build.id
-
   tags = {
     Name = "AMI Build"
   }
+  vpc_id = aws_vpc.ami_build.id
 }
 
 # Default route table for AMI build VPC, which routes all
@@ -47,21 +45,20 @@ resource "aws_default_route_table" "ami_build" {
 
 # Default route: Route all external traffic through the internet gateway
 resource "aws_route" "external_traffic_through_internet_gateway" {
-  route_table_id         = aws_default_route_table.ami_build.id
   destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.ami_build.id
+  route_table_id         = aws_default_route_table.ami_build.id
 }
 
 # ACL for the public subnet of the AMI build VPC
 resource "aws_network_acl" "ami_build_public" {
-  vpc_id = aws_vpc.ami_build.id
   subnet_ids = [
     aws_subnet.ami_build_public.id,
   ]
-
   tags = {
     Name = "AMI Build"
   }
+  vpc_id = aws_vpc.ami_build.id
 }
 
 # NOTE: No security group is needed for the AMI build instance, since