terrafying-components 1.12.1 → 1.12.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a0c3fe68e1dde335fa98c0e4d561f36b909af087483353d11151a456b0075690
-  data.tar.gz: a41736c0c84a9a8c1dd7a4229c969f39675e9db25f134116504aa4d9536eb89e
+  metadata.gz: 3ee4ef1e375d1463668c95f8020490686c1e066a1e3ae8adf145fd31bff0d383
+  data.tar.gz: 825119c10b497586f15f81017da4168b4bdac7e46951f726baad037c3c1ee75e
 SHA512:
-  metadata.gz: 4a4f7b750449923b7610ee3fd2f81b081e790cc7a1439a268e6fa06f28aeaea02d82a3a7787eddd875d1e9d88bacb97533adcf94b4d375247592ce52806e7d93
-  data.tar.gz: a70f5caf4309663a5bcdb2418e17219209478befa9af0ab2c6e8c1d0328f7ccc61b4380d2da717d01a1ae7b35f65c858620fae678b077be155137463f0da5739
+  metadata.gz: bbad728eb96c2d90c52ecce53870dee22a4035d6f491e7b25270f79ebc06e9d34bc8c57d30bfa488742f97104e6408a39726aad02dc034a4f753680d89ca913e
+  data.tar.gz: b7903fbac4e3fde558751ba49033251ca5389e091708dde92729b44248454fc066e609bc3b8ae6115da4a4113348580d1c2942f0951cccf3035585217fb64f71

data/lib/terrafying/components/security.rb

@@ -2,6 +2,8 @@
 
 require 'terrafying/components/security/config'
 require 'terrafying/components/security/config_aggregator'
+require 'terrafying/components/security/iam'
 require 'terrafying/components/security/pagerduty_topic'
 require 'terrafying/components/security/store'
 require 'terrafying/components/security/trail'
+require 'terrafying/components/security/vpc'

data/lib/terrafying/components/security/iam.rb

@@ -0,0 +1,58 @@
+
+require 'terrafying'
+
+module Terrafying
+
+  module Components
+
+    module Security
+
+      class IAM < Terrafying::Context
+
+        def self.create(*args)
+          IAM.new.create(*args)
+        end
+
+        def create(
+              support_assume_policy:
+            )
+
+          # 1.5	Ensure IAM password policy requires at least one uppercase letter
+          # 1.6	Ensure IAM password policy require at least one lowercase letter
+          # 1.7	Ensure IAM password policy require at least one symbol
+          # 1.8	Ensure IAM password policy require at least one number
+          # 1.9	Ensure IAM password policy requires minimum length of 14 or greater
+          # 1.10	Ensure IAM password policy prevents password reuse
+          # 1.11	Ensure IAM password policy expires passwords within 90 days or less
+          resource :aws_iam_account_password_policy, "strict", {
+                     require_uppercase_characters: true,
+                     require_lowercase_characters: true,
+                     require_symbols: true,
+                     require_numbers: true,
+                     minimum_password_length: 14,
+                     allow_users_to_change_password: true,
+                     password_reuse_prevention: true,
+                     max_password_age: 90,
+                   }
+
+          # 1.20	Ensure a support role has been created to manage incidents with AWS Support
+          support_role = resource :aws_iam_role, "support", {
+                                    name: "support",
+                                    assume_role_policy: support_assume_policy,
+                                  }
+
+          resource :aws_iam_role_policy_attachment, "support_policy", {
+                     role: support_role,
+                     policy_arn: "arn:aws:iam::aws:policy/AWSSupportAccess",
+                   }
+
+          self
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/security/store.rb

@@ -10,7 +10,7 @@ module Terrafying
 
       class Store < Terrafying::Context
 
-        attr_reader :name, :key_arn
+        attr_reader :name, :arn, :key_arn
 
         def self.create(*args)
           Store.new.create(*args)
@@ -54,6 +54,8 @@ module Terrafying
                                }
                              }
 
+          @arn = @bucket["arn"]
+
           self
         end
 

data/lib/terrafying/components/security/vpc.rb

@@ -0,0 +1,110 @@
+
+require 'terrafying'
+
+module Terrafying
+
+  module Components
+
+    module Security
+
+      class VPC < Terrafying::Context
+
+        def self.create(*args)
+          VPC.new.create(*args)
+        end
+
+        def self.bucket_statements(bucket_name)
+          [
+            {
+              Sid: "FlowLogsAclCheck",
+              Effect: "Allow",
+              Principal: {
+                Service: "delivery.logs.amazonaws.com"
+              },
+              Action: "s3:GetBucketAcl",
+              Resource: "arn:aws:s3:::#{bucket_name}"
+            },
+            {
+              Sid: "FlowLogsWrite",
+              Effect: "Allow",
+              Principal: {
+                Service: "delivery.logs.amazonaws.com"
+              },
+              Action: "s3:PutObject",
+              Resource: "arn:aws:s3:::#{bucket_name}/flow-logs/*",
+              Condition: {
+                StringEquals: {
+                  "s3:x-amz-acl" => "bucket-owner-full-control"
+                }
+              }
+            }
+          ]
+        end
+
+        def self.key_statements
+          [
+            {
+              Sid: "Allow Flow logs to encrypt logs",
+              Effect: "Allow",
+              Principal: {"Service": ["delivery.logs.amazonaws.com"]},
+              Action: "kms:GenerateDataKey*",
+              Resource: "*",
+            },
+          ]
+        end
+
+
+        def create(
+              region:,
+              provider:,
+              store:
+            )
+
+          ident = tf_safe("default-vpc-#{region}")
+
+          default_vpc = resource :aws_default_vpc, ident, {
+                                   provider: provider,
+                                   tags: { Name: "Default VPC" },
+                                 }
+
+          resource :aws_default_route_table, ident, {
+                     provider: provider,
+                     default_route_table_id: default_vpc["default_route_table_id"],
+                     tags: { Name: "Default Route Table" },
+                   }
+
+          resource :aws_default_network_acl, ident, {
+                     provider: provider,
+                     lifecycle: {
+                       ignore_changes: [ "subnet_ids"],
+                     },
+
+                     default_network_acl_id: default_vpc["default_network_acl_id"],
+
+                     tags: { Name: "Default Network ACL" },
+                   }
+
+          resource :aws_default_security_group, ident, {
+                     provider: provider,
+                     vpc_id: default_vpc["id"],
+                     tags: { Name: "Default Security Group" },
+                   }
+
+          resource :aws_flow_log, ident, {
+                     provider: provider,
+                     vpc_id: default_vpc["id"],
+                     traffic_type: "ALL",
+                     log_destination: "#{store.arn}/flow-logs/",
+                     log_destination_type: "s3",
+                   }
+
+          self
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/terrafying/components/version.rb

@@ -2,6 +2,6 @@
 
 module Terrafying
   module Components
-    VERSION = '1.12.1'
+    VERSION = '1.12.2'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terrafying-components
 version: !ruby/object:Gem::Version
-  version: 1.12.1
+  version: 1.12.2
 platform: ruby
 authors:
 - uSwitch Limited
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-23 00:00:00.000000000 Z
+date: 2019-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -118,9 +118,11 @@ files:
 - lib/terrafying/components/security.rb
 - lib/terrafying/components/security/config.rb
 - lib/terrafying/components/security/config_aggregator.rb
+- lib/terrafying/components/security/iam.rb
 - lib/terrafying/components/security/pagerduty_topic.rb
 - lib/terrafying/components/security/store.rb
 - lib/terrafying/components/security/trail.rb
+- lib/terrafying/components/security/vpc.rb
 - lib/terrafying/components/selfsignedca.rb
 - lib/terrafying/components/service.rb
 - lib/terrafying/components/staticset.rb