From 1475066f797b8af98fa33d66d9a4434dcc000964 Mon Sep 17 00:00:00 2001
From: Script47
Date: Thu, 20 Feb 2025 00:03:52 +0000
Subject: [PATCH 1/4] feat(guardrails): add module
- default EBS encryption
- account wide S3 block public access
- IAM password policy
---
 guardrails/README.md | 0
 guardrails/ebs.tf | 3 +++
 guardrails/iam.tf | 1 +
 guardrails/s3.tf | 6 ++++++
 guardrails/variables.tf | 29 +++++++++++++++++++++++++++++
 5 files changed, 39 insertions(+)
 create mode 100644 guardrails/README.md
 create mode 100644 guardrails/ebs.tf
 create mode 100644 guardrails/iam.tf
 create mode 100644 guardrails/s3.tf
 create mode 100644 guardrails/variables.tf
diff --git a/guardrails/README.md b/guardrails/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/guardrails/ebs.tf b/guardrails/ebs.tf
new file mode 100644
index 0000000..d6c301a
--- /dev/null
+++ b/guardrails/ebs.tf
@@ -0,0 +1,3 @@
+resource "aws_ebs_encryption_by_default" "this" {
+ enabled = var.ebs.encrypted
+}
\ No newline at end of file
diff --git a/guardrails/iam.tf b/guardrails/iam.tf
new file mode 100644
index 0000000..10198d3
--- /dev/null
+++ b/guardrails/iam.tf
@@ -0,0 +1 @@
+# aws_iam_account_password_policy
\ No newline at end of file
diff --git a/guardrails/s3.tf b/guardrails/s3.tf
new file mode 100644
index 0000000..b5c86c2
--- /dev/null
+++ b/guardrails/s3.tf
@@ -0,0 +1,6 @@
+resource "aws_s3_account_public_access_block" "this" {
+ block_public_acls = var.s3.block_public_acls
+ block_public_policy = var.s3.block_public_policy
+ ignore_public_acls = var.s3.ignore_public_acls
+ restrict_public_buckets = var.s3.restrict_public_buckets
+}
diff --git a/guardrails/variables.tf b/guardrails/variables.tf
new file mode 100644
index 0000000..3bd3cff
--- /dev/null
+++ b/guardrails/variables.tf
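Review bot: `enabled = var.ebs.encrypted` only hardens the region of the provider this module is applied with, because `aws_ebs_encryption_by_default` is a per-region setting, whereas the S3 public-access block and IAM password policy in this series are account-global; the "account wide" framing in the commit message overstates the coverage. Callers who want every region covered need one instance per enabled region (a region-aliased provider), which deserves a header comment such as `# Region-scoped: unlike the S3/IAM guardrails this only covers the provider's region; apply once per enabled region.`. A second caveat worth writing down is that `encrypted = false` actively disables default encryption in that region rather than leaving it alone, and as far as I recall destroying the resource has the same effect. The key used is the AWS-managed EBS key; a customer-managed key would need a separate `aws_ebs_default_kms_key` resource, which this module does not expose.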
@@ -0,0 +1,29 @@
+variable "ebs" {
+ type = object({
+ encrypted = optional(bool, true)
+ })
+ default = {}
+}
+
+variable "s3" {
+ type = object({
+ block_public_acls = optional(bool, true)
+ block_public_policy = optional(bool, true)
+ ignore_public_acls = optional(bool, true)
+ restrict_public_buckets = optional(bool, true)
+ })
+ default = {}
+}
+
+# variable "iam" {
+# type = object({
+# password_policy = optional(object({
+# allow_password_change = optional(bool, true)
+ # reuse_prevention = optional(bool, true)
+# hard_expiry = optional(bool, false)
+# max_password_age = optional(number, null)
+ # min_length = optional(number, 8)
+
+# }), {})
+# })
+# }
\ No newline at end of file
From 54afb7cb661ff8f399e7e044258465a9e8002a2b Mon Sep 17 00:00:00 2001
From: Script47
Date: Sat, 10 Jan 2026 10:37:18 +0000
Subject: [PATCH 2/4] feat(guardrails): add module
---
 guardrails/README.md | 39 ++++++++++++++++++++++++++++++
 guardrails/iam.tf | 15 ++++++++++++++-
 guardrails/providers.tf | 10 ++++++++++
 guardrails/s3.tf | 10 ++++++----
 guardrails/variables.tf | 42 ++++++++++++++++++++++++++--------------
 5 files changed, 96 insertions(+), 20 deletions(-)
 create mode 100644 guardrails/providers.tf
diff --git a/guardrails/README.md b/guardrails/README.md
index e69de29..5743330 100644
--- a/guardrails/README.md
+++ b/guardrails/README.md
@@ -0,0 +1,39 @@
+# Guardrails
+
+## About
+
+This module allows you to setup default guardrails to harden your AWS account with the following features:
+
+- EBS encryption by default
+- S3 account wide public block access
+- IAM account password policy
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "guardrails" {
+ source = "github.com/script47/aws-tf-modules/guardrails"
+
+ ebs = {
+ encrypted = true
+ }
+
+ s3 = {
+ public_access_block = {
+ enabled = true
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+ }
+ }
+
+ iam = {
+ password_policy = {
+
+ }
+ }
+}
+```
diff --git a/guardrails/iam.tf b/guardrails/iam.tf
index 10198d3..2b1f78e 100644
--- a/guardrails/iam.tf
+++ b/guardrails/iam.tf
@@ -1 +1,14 @@
-# aws_iam_account_password_policy
\ No newline at end of file
+resource "aws_iam_account_password_policy" "this" {
+ count = var.iam.password_policy.enabled ? 1 : 0
+
+ allow_users_to_change_password = var.iam.password_policy.allow_users_to_change_password
+ password_reuse_prevention = var.iam.password_policy.password_reuse_prevention
+ hard_expiry = var.iam.password_policy.hard_expiry
+ max_password_age = var.iam.password_policy.max_password_age
+ minimum_password_length = var.iam.password_policy.minimum_password_length
+
+ require_lowercase_characters = var.iam.password_policy.require_lowercase_characters
+ require_uppercase_characters = var.iam.password_policy.require_uppercase_characters
+ require_numbers = var.iam.password_policy.require_numbers
+ require_symbols = var.iam.password_policy.require_symbols
+}
\ No newline at end of file
diff --git a/guardrails/providers.tf b/guardrails/providers.tf
new file mode 100644
index 0000000..9213c51
--- /dev/null
+++ b/guardrails/providers.tf
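Review bot: `count = var.iam.password_policy.enabled ? 1 : 0` makes `enabled = false` a destructive toggle: once the policy has been applied, flipping it off destroys `aws_iam_account_password_policy.this`, and as far as I recall the provider's delete calls `DeleteAccountPasswordPolicy`, which resets the account to AWS's default policy rather than preserving whatever was there. That is a defensible contract for a guardrails module, but it is not obvious from the variable name, so it should be stated next to the `count` line: `# enabled = false removes the policy entirely (account reverts to the AWS default); it does not freeze the current one.`. The same semantic applies to the S3 public-access block introduced in this commit. This resource is account-global, so one instance per account is enough regardless of provider region.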
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 6"
+ }
+ }
+}
\ No newline at end of file
diff --git a/guardrails/s3.tf b/guardrails/s3.tf
index b5c86c2..f1aede1 100644
--- a/guardrails/s3.tf
+++ b/guardrails/s3.tf
@@ -1,6 +1,8 @@
 resource "aws_s3_account_public_access_block" "this" {
- block_public_acls = var.s3.block_public_acls
- block_public_policy = var.s3.block_public_policy
- ignore_public_acls = var.s3.ignore_public_acls
- restrict_public_buckets = var.s3.restrict_public_buckets
+ count = var.s3.public_access_block.enabled
+
+ block_public_acls = var.s3.public_access_block.block_public_acls
+ block_public_policy = var.s3.public_access_block.block_public_policy
+ ignore_public_acls = var.s3.public_access_block.ignore_public_acls
+ restrict_public_buckets = var.s3.public_access_block.restrict_public_buckets
 }
diff --git a/guardrails/variables.tf b/guardrails/variables.tf
index 3bd3cff..923f9a3 100644
--- a/guardrails/variables.tf
+++ b/guardrails/variables.tf
@@ -1,4 +1,5 @@
 variable "ebs" {
+ description = "EBS account-level config"
 type = object({
 encrypted = optional(bool, true)
 })
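Review bot: `count = var.s3.public_access_block.enabled` assigns a bool to `count`, which must be a number, and Terraform's implicit conversions do not include bool to number, so this should be rejected at plan time; the `iam.tf` hunk in the same commit already uses the conditional form, so the line should read `count = var.s3.public_access_block.enabled ? 1 : 0`. Adding `count` also moves the resource from `aws_s3_account_public_access_block.this` to `aws_s3_account_public_access_block.this[0]`, so a state created from the first commit gets a destroy-then-create plan that briefly lifts the account-level public-access block; a `moved { from = aws_s3_account_public_access_block.this  to = aws_s3_account_public_access_block.this[0] }` block avoids that. Worth a comment as well that `enabled = false` destroys the block, removing the account-level protection, rather than leaving the existing setting in place.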
@@ -6,24 +7,35 @@ variable "ebs" {
 }
 variable "s3" {
+ description = "S3 account-level config"
 type = object({
- block_public_acls = optional(bool, true)
- block_public_policy = optional(bool, true)
- ignore_public_acls = optional(bool, true)
- restrict_public_buckets = optional(bool, true)
+ public_access_block = optional(object({
+ enabled = optional(bool, true)
+ block_public_acls = optional(bool, true)
+ block_public_policy = optional(bool, true)
+ ignore_public_acls = optional(bool, true)
+ restrict_public_buckets = optional(bool, true)
+ }), {})
 })
 default = {}
 }
-# variable "iam" {
-# type = object({
-# password_policy = optional(object({
-# allow_password_change = optional(bool, true)
- # reuse_prevention = optional(bool, true)
-# hard_expiry = optional(bool, false)
-# max_password_age = optional(number, null)
- # min_length = optional(number, 8)
+variable "iam" {
+ description = "IAM account-level config"
+ type = object({
+ password_policy = optional(object({
+ enabled = optional(bool, true)
+ allow_users_to_change_password = optional(bool, true)
+ password_reuse_prevention = optional(number, 0)
+ hard_expiry = optional(bool, false)
+ max_password_age = optional(number, null)
+ minimum_password_length = optional(number, 12)
-# }), {})
-# })
-# }
\ No newline at end of file
+ require_lowercase_characters = optional(bool, true)
+ require_uppercase_characters = optional(bool, true)
+ require_numbers = optional(bool, true)
+ require_symbols = optional(bool, true)
+ }), {})
+ })
+ default = {}
+}
From db6484e4b3c472b1364a06d7e70ee545c0cdd21c Mon Sep 17 00:00:00 2001
From: Script47
Date: Sat, 10 Jan 2026 13:37:04 +0000
Subject: [PATCH 3/4] chore(guardrails): update docs
---
 guardrails/README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/guardrails/README.md b/guardrails/README.md
index 5743330..7cefee6 100644
--- a/guardrails/README.md
+++ b/guardrails/README.md
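Review bot: The defaults in the new `iam.password_policy` object — `password_reuse_prevention = optional(number, 0)`, `max_password_age = optional(number, null)` and `minimum_password_length = optional(number, 12)` — are weaker than a "guardrails" module implies: 0 and null leave reuse prevention and expiry unset, and the CIS AWS Foundations benchmark asks for a 14-character minimum and 24 remembered passwords. I would ship `minimum_password_length = optional(number, 14)` and `password_reuse_prevention = optional(number, 24)` and let callers lower them deliberately. Independently of the defaults, IAM only accepts 6–128 for the minimum length, 1–24 for reuse prevention and 1–1095 days for the maximum age, so `validation` blocks on the variable would surface bad values at plan time instead of as an API error at apply; a sketch follows. `optional(number, null)` is also equivalent to `optional(number)` and could be simplified.

```hcl
variable "iam" {
  # … unchanged: description and type …
  default = {}

  validation {
    condition     = var.iam.password_policy.minimum_password_length >= 6 && var.iam.password_policy.minimum_password_length <= 128
    error_message = "iam.password_policy.minimum_password_length must be between 6 and 128."
  }

  validation {
    condition     = var.iam.password_policy.password_reuse_prevention == 0 || (var.iam.password_policy.password_reuse_prevention >= 1 && var.iam.password_policy.password_reuse_prevention <= 24)
    error_message = "iam.password_policy.password_reuse_prevention must be 0 (off) or between 1 and 24."
  }

  validation {
    condition     = var.iam.password_policy.max_password_age == null || (var.iam.password_policy.max_password_age >= 1 && var.iam.password_policy.max_password_age <= 1095)
    error_message = "iam.password_policy.max_password_age must be null (no expiry) or between 1 and 1095 days."
  }
}
```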
@@ -32,7 +32,17 @@ module "guardrails" {
 iam = {
 password_policy = {
-
+ enabled = true
+ allow_users_to_change_password = true
+ password_reuse_prevention = 0
+ hard_expiry = false
+ max_password_age = null
+ minimum_password_length = 12
+
+ require_lowercase_characters = true
+ require_uppercase_characters = true
+ require_numbers = true
+ require_symbols = true
 }
 }
 }
From e9240e70ebbdda6d81557bd1ac8c15a1b850cf02 Mon Sep 17 00:00:00 2001
From: Script47
Date: Sat, 10 Jan 2026 13:39:24 +0000
Subject: [PATCH 4/4] chore: update readme headings
---
 github-oidc-iam-role/README.md | 2 --
 github-oidc-provider/README.md | 2 --
 guardrails/README.md | 2 --
 lambda-function/README.md | 2 --
 lambda-layer/README.md | 2 --
 ses-domain-identity/README.md | 2 --
 sqs/README.md | 2 --
 static-site/README.md | 2 --
 8 files changed, 16 deletions(-)
diff --git a/github-oidc-iam-role/README.md b/github-oidc-iam-role/README.md
index 5127027..c686fb2 100644
--- a/github-oidc-iam-role/README.md
+++ b/github-oidc-iam-role/README.md
@@ -1,7 +1,5 @@
 # GitHub OIDC IAM Role
-## About
-
 This module allows you to setup an IAM role for GitHub OIDC.
 - IAM role with trust policy with `sub` pattern restrictions
diff --git a/github-oidc-provider/README.md b/github-oidc-provider/README.md
index b91b1c0..5b547bb 100644
--- a/github-oidc-provider/README.md
+++ b/github-oidc-provider/README.md
@@ -1,7 +1,5 @@
 # GitHub OIDC Provider
-## About
-
 This module allows you to setup the provider for GitHub OIDC.
 ## Usage
diff --git a/guardrails/README.md b/guardrails/README.md
index 7cefee6..adb4daf 100644
--- a/guardrails/README.md
+++ b/guardrails/README.md
@@ -1,7 +1,5 @@
 # Guardrails
-## About
-
 This module allows you to setup default guardrails to harden your AWS account with the following features:
 - EBS encryption by default
diff --git a/lambda-function/README.md b/lambda-function/README.md
index 7d31a1a..e5f2957 100644
--- a/lambda-function/README.md
+++ b/lambda-function/README.md
@@ -1,7 +1,5 @@
 # Lambda Function
-## About
-
 This module allows you to setup a Lambda function.
 ## Usage
diff --git a/lambda-layer/README.md b/lambda-layer/README.md
index 608c262..beef180 100644
--- a/lambda-layer/README.md
+++ b/lambda-layer/README.md
@@ -1,7 +1,5 @@
 # Lambda Layer
-## About
-
 This module allows you to setup a Lambda layer.
 ## Usage
diff --git a/ses-domain-identity/README.md b/ses-domain-identity/README.md
index d0456df..db8ceff 100644
--- a/ses-domain-identity/README.md
+++ b/ses-domain-identity/README.md
@@ -1,7 +1,5 @@
 # SES Domain Identity
-## About
-
 This module allows you to setup domain identification for SES with the following features:
 - Domain verification
diff --git a/sqs/README.md b/sqs/README.md
index 70b9d32..c78c690 100644
--- a/sqs/README.md
+++ b/sqs/README.md
@@ -1,7 +1,5 @@
 # SQS
-## About
-
 This module allows you to setup an SQS queue:
 - Server-side encryption enabled by default (AWS-SSE)
diff --git a/static-site/README.md b/static-site/README.md
index 12d1d3b..e21edea 100644
--- a/static-site/README.md
+++ b/static-site/README.md
@@ -1,7 +1,5 @@
 # Static Site
-## About
-
 This module allows you to setup a static site with the following features:
 - S3 bucket for static content (secure, private access only via CloudFront OAC)