Terraform code to create the COOL shared services networking infrastructure in AWS.
cool-sharedservices-networking

This is a Terraform deployment for creating the VPC, public subnets, and private subnets for the COOL Shared Services account. Alongside the subnets it also creates the Transit Gateway (shared to other accounts via AWS RAM, with a separate Transit Gateway route table per attaching account), the NAT gateways, the S3 gateway endpoint and the interface endpoints used by the SSM and CloudWatch agents (EC2, KMS, logs, monitoring, SSM, SSM messages, STS) together with the endpoint and endpoint-client security groups that restrict that traffic to HTTPS, VPC flow logs, the private Route53 forward zone and per-subnet reverse zones, and the IAM roles and policies that other COOL deployments use to provision private DNS records and to read this deployment's Terraform state.

Nothing in this configuration makes the subnet modules depend on the ProvisionNetworking policy attachment, so Terraform cannot be relied upon to attach that policy to the ProvisionAccount role before it attempts to instantiate the subnet modules. Therefore, when applying this code for the first time (or after the policy attachment has been destroyed), run a targeted apply before running a full apply (after terraform init, as usual):

    terraform apply -var-file=<workspace>.tfvars -target=aws_iam_role_policy_attachment.provisionnetworking_policy_attachment -target=aws_iam_policy.provisionnetworking_policy

Terraform will warn that resource targeting is in effect; that is expected for this bootstrap step only. At this point the ProvisionNetworking policy is attached to the ProvisionAccount role and you can run a full apply:

    terraform apply -var-file=<workspace>.tfvars

Pre-requisites

  • Terraform installed on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB table to store the Terraform state lock (specified in backend.tf).
  • Access to all of the Terraform remote states specified in remote_states.tf (master, sharedservices, terraform, and users).

Requirements

Name Version
terraform ~> 1.1
aws ~> 4.9

Providers

Name Version
aws ~> 4.9
aws.organizationsreadonly ~> 4.9
aws.sharedservicesprovisionaccount ~> 4.9
terraform n/a

Modules

Name Source Version
private github.com/cisagov/distributed-subnets-tf-module n/a
public github.com/cisagov/distributed-subnets-tf-module n/a
read_terraform_state github.com/cisagov/terraform-state-read-role-tf-module n/a
vpc_flow_logs trussworks/vpc-flow-logs/aws ~>2.0

Resources

Name Type
aws_default_route_table.public resource
aws_ec2_transit_gateway.tgw resource
aws_ec2_transit_gateway_route.sharedservices_routes resource
aws_ec2_transit_gateway_route_table.tgw_attachments resource
aws_ec2_transit_gateway_vpc_attachment.tgw resource
aws_eip.nat_gw_eips resource
aws_iam_policy.provisionnetworking_policy resource
aws_iam_policy.provisionprivatednsrecords_policy resource
aws_iam_role.provisionprivatednsrecords_role resource
aws_iam_role_policy_attachment.provisionnetworking_policy_attachment resource
aws_iam_role_policy_attachment.provisionprivatednsrecords_policy_attachment resource
aws_internet_gateway.the_igw resource
aws_nat_gateway.nat_gws resource
aws_ram_principal_association.tgw resource
aws_ram_resource_association.tgw resource
aws_ram_resource_share.tgw resource
aws_route.cool_route resource
aws_route.cool_routes resource
aws_route.external_route resource
aws_route.external_routes resource
aws_route53_zone.private_subnet_private_reverse_zones resource
aws_route53_zone.private_zone resource
aws_route53_zone.public_subnet_private_reverse_zones resource
aws_route_table.private_route_tables resource
aws_route_table_association.private_route_table_associations resource
aws_security_group.cloudwatch_agent_endpoint resource
aws_security_group.cloudwatch_agent_endpoint_client resource
aws_security_group.ec2_endpoint resource
aws_security_group.ec2_endpoint_client resource
aws_security_group.s3_endpoint_client resource
aws_security_group.ssm_agent_endpoint resource
aws_security_group.ssm_agent_endpoint_client resource
aws_security_group.ssm_endpoint resource
aws_security_group.ssm_endpoint_client resource
aws_security_group.sts_endpoint resource
aws_security_group.sts_endpoint_client resource
aws_security_group_rule.egress_from_cloudwatch_agent_endpoint_client_to_cloudwatch_agent_endpoint_via_https resource
aws_security_group_rule.egress_from_ec2_endpoint_client_to_ec2_endpoint_via_https resource
aws_security_group_rule.egress_from_ssm_agent_endpoint_client_to_ssm_agent_endpoint_via_https resource
aws_security_group_rule.egress_from_ssm_endpoint_client_to_ssm_endpoint_via_https resource
aws_security_group_rule.egress_from_sts_endpoint_client_to_sts_endpoint_via_https resource
aws_security_group_rule.egress_to_s3_endpoint_via_https resource
aws_security_group_rule.ingress_from_cloudwatch_agent_endpoint_client_to_cloudwatch_agent_endpoint_via_https resource
aws_security_group_rule.ingress_from_ec2_endpoint_client_to_ec2_endpoint_via_https resource
aws_security_group_rule.ingress_from_ssm_agent_endpoint_client_to_ssm_agent_endpoint_via_https resource
aws_security_group_rule.ingress_from_ssm_endpoint_client_to_ssm_endpoint_via_https resource
aws_security_group_rule.ingress_from_sts_endpoint_client_to_sts_endpoint_via_https resource
aws_vpc.the_vpc resource
aws_vpc_dhcp_options.the_dhcp_options resource
aws_vpc_dhcp_options_association.the_dhcp_options_association resource
aws_vpc_endpoint.ec2 resource
aws_vpc_endpoint.ec2messages resource
aws_vpc_endpoint.kms resource
aws_vpc_endpoint.logs resource
aws_vpc_endpoint.monitoring resource
aws_vpc_endpoint.s3 resource
aws_vpc_endpoint.ssm resource
aws_vpc_endpoint.ssmmessages resource
aws_vpc_endpoint.sts resource
aws_vpc_endpoint_route_table_association.s3_private resource
aws_vpc_endpoint_route_table_association.s3_public resource
aws_vpc_endpoint_subnet_association.ec2 resource
aws_vpc_endpoint_subnet_association.ec2messages resource
aws_vpc_endpoint_subnet_association.kms resource
aws_vpc_endpoint_subnet_association.logs resource
aws_vpc_endpoint_subnet_association.monitoring resource
aws_vpc_endpoint_subnet_association.ssm resource
aws_vpc_endpoint_subnet_association.ssmmessages resource
aws_vpc_endpoint_subnet_association.sts resource
aws_caller_identity.current data source
aws_caller_identity.sharedservices data source
aws_iam_policy_document.assume_role_doc data source
aws_iam_policy_document.provisionnetworking_policy_doc data source
aws_iam_policy_document.provisionprivatednsrecords_policy_doc data source
aws_organizations_organization.cool data source
terraform_remote_state.master data source
terraform_remote_state.sharedservices data source
terraform_remote_state.terraform data source
terraform_remote_state.users data source

Inputs

Name Description Type Default Required
aws_region The AWS region where the shared services account is to be created (e.g. "us-east-1"). string "us-east-1" no
cool_cidr_block The overall CIDR block associated with the COOL (e.g. "10.128.0.0/9"). string n/a yes
cool_domain The domain where the COOL resources reside (e.g. "cool.cyber.dhs.gov"). string n/a yes
private_subnet_cidr_blocks The CIDR blocks corresponding to the private subnets to be associated with the VPC (e.g. ["10.10.0.0/24", "10.10.1.0/24"]). These must be /24 blocks, since we are using them to create reverse DNS zones. This list must be the same length as public_subnet_cidr_blocks, since each private subnet will be assigned a NAT gateway in a public subnet in the same Availability Zone. list(string) n/a yes
provisionaccount_role_name The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account. string "ProvisionAccount" no
provisionnetworking_policy_description The description to associate with the IAM policy that allows provisioning of the networking layer in the Shared Services account. string "Allows provisioning of the networking layer in the Shared Services account." no
provisionnetworking_policy_name The name to assign the IAM policy that allows provisioning of the networking layer in the Shared Services account. string "ProvisionNetworking" no
provisionprivatednsrecords_role_description The description to associate with the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision DNS records in private zones in the Shared Services account. string "Allows sufficient permissions to provision DNS records in private zones in the Shared Services account." no
provisionprivatednsrecords_role_name The name to assign the IAM role (as well as the corresponding policy) that allows sufficient permissions to provision DNS records in private zones in the Shared Services account. string "ProvisionPrivateDNSRecords" no
public_subnet_cidr_blocks The CIDR blocks corresponding to the public subnets to be associated with the VPC (e.g. ["10.10.0.0/24", "10.10.1.0/24"]). These must be /24 blocks, since we are using them to create reverse DNS zones. This list must be the same length as private_subnet_cidr_blocks, since each private subnet will be assigned a NAT gateway in a public subnet in the same Availability Zone. list(string) n/a yes
read_terraform_state_role_name The name to assign the IAM role (as well as the corresponding policy) that allows read-only access to the cool-sharedservices-networking state in the S3 bucket where Terraform state is stored. string "ReadSharedServicesNetworkingTerraformState" no
tags Tags to apply to all AWS resources created. map(string) {} no
transit_gateway_description The description to associate with the Transit Gateway in the Shared Services account that allows cross-VPC communication. string "The Transit Gateway in the Shared Services account that allows cross-VPC communication." no
vpc_cidr_block The overall CIDR block to be associated with the VPC (e.g. "10.10.0.0/16"). string n/a yes
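The constraints in the Inputs table (both subnet lists the same length, every subnet an IPv4 /24 because a reverse zone is created for it, everything nested inside vpc_cidr_block and cool_cidr_block) are only enforced by Terraform once it is already talking to AWS, and a targeted bootstrap apply will not catch them. The following added example, which is not part of cisagov/cool-sharedservices-networking, checks those constraints offline on the values you intend to put in <workspace>.tfvars and derives the in-addr.arpa zone name that each /24 maps to. The sample values are constructed for illustration, and the pairing of each private subnet with the public subnet at the same list index is this example's assumption about how the Availability Zones line up, not something the README states.

```python
# Added example (not project code): offline check of the subnet input
# constraints documented for cool-sharedservices-networking, plus the
# reverse-DNS zone name each /24 yields.
import ipaddress
from itertools import combinations


def reverse_zone_name(cidr: str) -> str:
    """Return the Route53 reverse zone name for an IPv4 /24,
    e.g. 10.128.0.0/24 -> 0.128.10.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError(f"{cidr}: reverse zones are only derived for IPv4 /24 blocks")
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def validate_inputs(cool_cidr_block, vpc_cidr_block,
                    private_subnet_cidr_blocks, public_subnet_cidr_blocks):
    """Return a list of human-readable problems; empty means the inputs
    satisfy the constraints described in the Inputs table."""
    errors = []
    try:
        cool = ipaddress.ip_network(cool_cidr_block, strict=True)
        vpc = ipaddress.ip_network(vpc_cidr_block, strict=True)
    except ValueError as exc:
        return [f"bad CIDR: {exc}"]
    if cool.version != vpc.version:
        return [f"cool_cidr_block {cool} and vpc_cidr_block {vpc} differ in IP version"]
    if not vpc.subnet_of(cool):
        errors.append(f"vpc_cidr_block {vpc} is not inside cool_cidr_block {cool}")

    if len(private_subnet_cidr_blocks) != len(public_subnet_cidr_blocks):
        errors.append(
            "private_subnet_cidr_blocks and public_subnet_cidr_blocks differ in length "
            f"({len(private_subnet_cidr_blocks)} vs {len(public_subnet_cidr_blocks)}); "
            "each private subnet needs a NAT gateway in a public subnet")

    parsed = []
    for kind, cidrs in (("private", private_subnet_cidr_blocks),
                        ("public", public_subnet_cidr_blocks)):
        for cidr in cidrs:
            try:
                # strict=True rejects e.g. 10.128.0.1/24 (host bits set)
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                errors.append(f"{kind} subnet {cidr!r}: {exc}")
                continue
            if net.version != vpc.version:
                errors.append(f"{kind} subnet {net} is not the same IP version as the VPC")
                continue
            if net.prefixlen != 24:
                errors.append(f"{kind} subnet {net} must be a /24 (reverse zone requirement)")
            if not net.subnet_of(vpc):
                errors.append(f"{kind} subnet {net} is not inside vpc_cidr_block {vpc}")
            parsed.append((kind, net))

    # Any two subnets, private or public, must not overlap.
    for (ka, a), (kb, b) in combinations(parsed, 2):
        if a.overlaps(b):
            errors.append(f"{ka} subnet {a} overlaps {kb} subnet {b}")
    return errors


def subnet_plan(private_subnet_cidr_blocks, public_subnet_cidr_blocks):
    """Pair each private subnet with the public subnet at the same list index
    (this example's assumption about AZ alignment) and list the reverse zones."""
    if len(private_subnet_cidr_blocks) != len(public_subnet_cidr_blocks):
        raise ValueError("subnet lists must be the same length")
    return [
        {"private": priv, "private_reverse_zone": reverse_zone_name(priv),
         "nat_public": pub, "public_reverse_zone": reverse_zone_name(pub)}
        for priv, pub in zip(private_subnet_cidr_blocks, public_subnet_cidr_blocks)
    ]


if __name__ == "__main__":
    # Constructed sample values (not a real COOL workspace).
    sample = dict(cool_cidr_block="10.128.0.0/9", vpc_cidr_block="10.128.0.0/16",
                  private_subnet_cidr_blocks=["10.128.0.0/24", "10.128.1.0/24"],
                  public_subnet_cidr_blocks=["10.128.10.0/24", "10.128.11.0/24"])
    problems = validate_inputs(**sample)
    print("OK" if not problems else "\n".join(problems))
    for row in subnet_plan(sample["private_subnet_cidr_blocks"],
                           sample["public_subnet_cidr_blocks"]):
        print(row)
```

Run it against the values from your tfvars before the bootstrap apply; a non-empty list of problems means the full apply would fail partway through, leaving the VPC and some subnets created but no reverse zones or NAT gateway for the offending entries.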

Outputs

Name Description
cloudwatch_agent_endpoint_client_security_group A security group for any instances that run the AWS CloudWatch agent. This security group allows such instances to communicate with the VPC endpoints that are required by the AWS CloudWatch agent.
cool_cidr_block The overall CIDR block associated with the COOL.
default_route_table The default route table for the VPC, which is used by the public subnets.
ec2_endpoint_client_security_group A security group for any instances that wish to communicate with the EC2 VPC endpoint.
private_route_tables The route tables used by the private subnets in the VPC.
private_subnet_nat_gws The NAT gateways used in the private subnets in the VPC.
private_subnet_private_reverse_zones The private Route53 reverse zones for the private subnets in the VPC.
private_subnets The private subnets in the VPC.
private_zone The private Route53 zone for the VPC.
provision_private_dns_records_role The role that can provision DNS records in the private Route53 zone for the VPC.
public_subnet_private_reverse_zones The private Route53 reverse zones for the public subnets in the VPC.
public_subnets The public subnets in the VPC.
read_terraform_state The IAM policies and role that allow read-only access to the cool-sharedservices-networking state in the Terraform state bucket.
s3_endpoint_client_security_group A security group for any instances that wish to communicate with the S3 VPC endpoint.
ssm_agent_endpoint_client_security_group A security group for any instances that run the AWS SSM agent. This security group allows such instances to communicate with the VPC endpoints that are required by the AWS SSM agent.
ssm_endpoint_client_security_group A security group for any instances that wish to communicate with the SSM VPC endpoint.
sts_endpoint_client_security_group A security group for any instances that wish to communicate with the STS VPC endpoint.
transit_gateway The Transit Gateway that allows cross-VPC communication.
transit_gateway_attachment_route_tables Transit Gateway route tables for each of the accounts that are allowed to attach to the Transit Gateway. These route tables ensure that these accounts can communicate with the Shared Services account but are isolated from each other.
transit_gateway_principal_associations The RAM resource principal associations for the Transit Gateway that allows cross-VPC communication.
transit_gateway_ram_resource The RAM resource share associated with the Transit Gateway that allows cross-VPC communication.
transit_gateway_sharedservices_vpc_attachment The Transit Gateway attachment to the Shared Services VPC.
vpc The Shared Services VPC.
vpc_dhcp_options The DHCP options for the Shared Services VPC.
vpc_dhcp_options_association The DHCP options association for the Shared Services VPC.
vpc_endpoint_s3 The S3 gateway endpoint for the Shared Services VPC.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
