icdev 0.0.3__py3-none-any.whl

tools/devsecops/zta_terraform_generator.py

@@ -0,0 +1,1301 @@
+#!/usr/bin/env python3
+# CUI // SP-CTI
+# CONTROLLED UNCLASSIFIED INFORMATION // SPECIFIED / CONTROLLED TECHNICAL INFORMATION
+# Authorized for: Internal project use only
+# Generator: SPARKPILOT DevSecOps/ZTA Agent
+# Region: us-gov-west-1
+"""Generate ZTA-specific Terraform modules for AWS GovCloud security services.
+
+Produces GuardDuty, Security Hub, WAF, AWS Config, and VPC Flow Log modules
+under {project_path}/terraform/zta/ — all with CUI // SP-CTI header comments.
+
+Pattern mirrors tools/infra/terraform_generator.py (Jinja2 template + fallback,
+_render, _write helpers).
+"""
+
+import argparse
+import json
+import sys
+from datetime import datetime, timezone
+from pathlib import Path
+
+BASE_DIR = Path(__file__).resolve().parent.parent.parent
+
+REGION = "us-gov-west-1"
+
+# ---------------------------------------------------------------------------
+# Jinja2 fallback: try import, else use str.replace
+# ---------------------------------------------------------------------------
+try:
+    from jinja2 import Template as Jinja2Template
+
+    def _render(template_str: str, ctx: dict) -> str:
+        return Jinja2Template(template_str).render(**ctx)
+
+except ImportError:
+
+    def _render(template_str: str, ctx: dict) -> str:
+        """Minimal fallback — replaces {{ var }} with ctx[var]."""
+        result = template_str
+        for key, val in ctx.items():
+            result = result.replace("{{ " + key + " }}", str(val))
+            result = result.replace("{{" + key + "}}", str(val))
+        return result
+
+
+# ---------------------------------------------------------------------------
+# Shared helpers
+# ---------------------------------------------------------------------------
+
+def _zta_file_header(module_name: str) -> str:
+    """Return the standard CUI // SP-CTI HCL file header for a ZTA module."""
+    return (
+        f"# CUI // SP-CTI\n"
+        f"# ZTA Security Module: {module_name}\n"
+        f"# Generated by SPARKPILOT DevSecOps/ZTA Agent\n"
+        f"# Region: {REGION}\n"
+        f"# Generated: {datetime.now(timezone.utc).isoformat()}Z\n"
+    )
+
+
+def _write(path: Path, content: str) -> Path:
+    """Create parent directories and write content to path."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(content, encoding="utf-8")
+    return path
+
+
+def _zta_dir(project_path: str) -> Path:
+    """Return the canonical ZTA Terraform output directory."""
+    return Path(project_path) / "terraform" / "zta"
+
+
+# ---------------------------------------------------------------------------
+# 1. GuardDuty
+# ---------------------------------------------------------------------------
+
+def _guardduty_hcl(header: str, config: dict) -> str:
+    project_name = config.get("project_name", "sparkpilot")
+    env = config.get("environment", "dev")
+    sns_email = config.get("sns_email", "security@agency.gov")
+    return f"""{header}
+# ------------------------------------------------------------------------------
+# GuardDuty — Threat Detection
+# Satisfies: NIST 800-53 SI-3, SI-4, IR-6
+# ------------------------------------------------------------------------------
+
+resource "aws_guardduty_detector" "this" {{
+  enable = true
+
+  datasources {{
+    s3_logs {{
+      enable = true
+    }}
+    kubernetes {{
+      audit_logs {{
+        enable = true
+      }}
+    }}
+    malware_protection {{
+      scan_ec2_instance_with_findings {{
+        ebs_volumes {{
+          enable = true
+        }}
+      }}
+    }}
+  }}
+
+  finding_publishing_frequency = "FIFTEEN_MINUTES"
+
+  tags = {{
+    Name           = "{project_name}-{env}-guardduty"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+    Environment    = "{env}"
+  }}
+}}
+
+# SNS topic for GuardDuty findings notifications
+resource "aws_sns_topic" "guardduty_findings" {{
+  name              = "{project_name}-{env}-guardduty-findings"
+  kms_master_key_id = "alias/aws/sns"
+
+  tags = {{
+    Name           = "{project_name}-{env}-guardduty-sns"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_sns_topic_subscription" "guardduty_email" {{
+  topic_arn = aws_sns_topic.guardduty_findings.arn
+  protocol  = "email"
+  endpoint  = "{sns_email}"
+}}
+
+# CloudWatch Event rule to forward HIGH/CRITICAL findings to SNS
+resource "aws_cloudwatch_event_rule" "guardduty_findings" {{
+  name        = "{project_name}-{env}-guardduty-findings"
+  description = "Route GuardDuty HIGH and CRITICAL findings to SNS"
+
+  event_pattern = jsonencode({{
+    source      = ["aws.guardduty"]
+    detail-type = ["GuardDuty Finding"]
+    detail = {{
+      severity = [{{
+        numeric = [">=", 7]
+      }}]
+    }}
+  }})
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_cloudwatch_event_target" "guardduty_sns" {{
+  rule      = aws_cloudwatch_event_rule.guardduty_findings.name
+  target_id = "GuardDutyToSNS"
+  arn       = aws_sns_topic.guardduty_findings.arn
+}}
+
+# Allow EventBridge to publish to SNS
+resource "aws_sns_topic_policy" "guardduty_findings" {{
+  arn = aws_sns_topic.guardduty_findings.arn
+
+  policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [
+      {{
+        Sid    = "AllowEventBridgePublish"
+        Effect = "Allow"
+        Principal = {{
+          Service = "events.amazonaws.com"
+        }}
+        Action   = "SNS:Publish"
+        Resource = aws_sns_topic.guardduty_findings.arn
+      }}
+    ]
+  }})
+}}
+
+output "guardduty_detector_id" {{
+  description = "GuardDuty Detector ID"
+  value       = aws_guardduty_detector.this.id
+}}
+
+output "guardduty_findings_topic_arn" {{
+  description = "SNS topic ARN for GuardDuty findings"
+  value       = aws_sns_topic.guardduty_findings.arn
+}}
+"""
+
+
+def generate_guardduty(project_path: str, config: dict = None) -> dict:
+    """Generate AWS GuardDuty Terraform module for ZTA threat detection.
+
+    Enables GuardDuty detector with S3/EKS audit log and malware-protection
+    data sources, plus an SNS topic for HIGH/CRITICAL finding alerts.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict (project_name, environment, sns_email).
+
+    Returns:
+        dict with keys:
+            tf_content (str): Generated HCL string.
+            module (str): "guardduty".
+            files (list[str]): Paths of written files.
+    """
+    cfg = config or {}
+    module_name = "guardduty"
+    header = _zta_file_header(module_name)
+    hcl = _guardduty_hcl(header, cfg)
+
+    out_dir = _zta_dir(project_path) / module_name
+    tf_file = _write(out_dir / "main.tf", hcl)
+
+    return {
+        "tf_content": hcl,
+        "module": module_name,
+        "files": [str(tf_file)],
+    }
+
+
+# ---------------------------------------------------------------------------
+# 2. Security Hub
+# ---------------------------------------------------------------------------
+
+def _security_hub_hcl(header: str, config: dict) -> str:
+    project_name = config.get("project_name", "sparkpilot")
+    env = config.get("environment", "dev")
+    return f"""{header}
+# ------------------------------------------------------------------------------
+# Security Hub — Centralized Security Findings Aggregation
+# Satisfies: NIST 800-53 CA-7, RA-5, SI-4
+# ------------------------------------------------------------------------------
+
+resource "aws_securityhub_account" "this" {{
+  enable_default_standards = false
+  auto_enable_controls     = true
+  control_finding_generator = "SECURITY_CONTROL"
+}}
+
+# CIS AWS Foundations Benchmark v1.4.0
+resource "aws_securityhub_standards_subscription" "cis" {{
+  standards_arn = "arn:aws-us-gov:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.4.0"
+  depends_on    = [aws_securityhub_account.this]
+}}
+
+# PCI DSS v3.2.1
+resource "aws_securityhub_standards_subscription" "pci_dss" {{
+  standards_arn = "arn:aws-us-gov:securityhub:us-gov-west-1::standards/pci-dss/v/3.2.1"
+  depends_on    = [aws_securityhub_account.this]
+}}
+
+# AWS Foundational Security Best Practices
+resource "aws_securityhub_standards_subscription" "fsbp" {{
+  standards_arn = "arn:aws-us-gov:securityhub:us-gov-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"
+  depends_on    = [aws_securityhub_account.this]
+}}
+
+# NIST SP 800-53 Rev 5
+resource "aws_securityhub_standards_subscription" "nist" {{
+  standards_arn = "arn:aws-us-gov:securityhub:us-gov-west-1::standards/nist-800-53/v/5.0.0"
+  depends_on    = [aws_securityhub_account.this]
+}}
+
+# Aggregation region — us-gov-west-1 is the home region
+resource "aws_securityhub_finding_aggregator" "this" {{
+  linking_mode = "ALL_REGIONS"
+  depends_on   = [aws_securityhub_account.this]
+}}
+
+# CloudWatch Event rule for CRITICAL Security Hub findings
+resource "aws_cloudwatch_event_rule" "securityhub_critical" {{
+  name        = "{project_name}-{env}-securityhub-critical"
+  description = "Route CRITICAL Security Hub findings to SIEM"
+
+  event_pattern = jsonencode({{
+    source      = ["aws.securityhub"]
+    detail-type = ["Security Hub Findings - Imported"]
+    detail = {{
+      findings = {{
+        Severity = {{
+          Label = ["CRITICAL", "HIGH"]
+        }}
+        Workflow = {{
+          Status = ["NEW"]
+        }}
+        RecordState = ["ACTIVE"]
+      }}
+    }}
+  }})
+
+  tags = {{
+    Name           = "{project_name}-{env}-securityhub-events"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+output "securityhub_account_id" {{
+  description = "Security Hub account ID"
+  value       = aws_securityhub_account.this.id
+}}
+
+output "securityhub_aggregator_arn" {{
+  description = "Security Hub finding aggregator ARN"
+  value       = aws_securityhub_finding_aggregator.this.id
+}}
+"""
+
+
+def generate_security_hub(project_path: str, config: dict = None) -> dict:
+    """Generate AWS Security Hub Terraform module.
+
+    Enables Security Hub with CIS, PCI DSS, FSBP, and NIST 800-53 standards,
+    plus cross-region aggregation anchored in us-gov-west-1.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict (project_name, environment).
+
+    Returns:
+        dict with keys tf_content, module: "security_hub", files.
+    """
+    cfg = config or {}
+    module_name = "security_hub"
+    header = _zta_file_header(module_name)
+    hcl = _security_hub_hcl(header, cfg)
+
+    out_dir = _zta_dir(project_path) / module_name
+    tf_file = _write(out_dir / "main.tf", hcl)
+
+    return {
+        "tf_content": hcl,
+        "module": module_name,
+        "files": [str(tf_file)],
+    }
+
+
+# ---------------------------------------------------------------------------
+# 3. WAF
+# ---------------------------------------------------------------------------
+
+def _waf_hcl(header: str, config: dict) -> str:
+    project_name = config.get("project_name", "sparkpilot")
+    env = config.get("environment", "dev")
+    rate_limit = config.get("rate_limit_requests", 2000)
+    return f"""{header}
+# ------------------------------------------------------------------------------
+# AWS WAF v2 — Web Application Firewall
+# Satisfies: NIST 800-53 SC-7, SI-10, SI-3
+# ------------------------------------------------------------------------------
+
+resource "aws_wafv2_web_acl" "this" {{
+  name        = "{project_name}-{env}-waf-acl"
+  description = "ZTA WAF WebACL — managed rule groups + rate limiting"
+  scope       = "REGIONAL"
+
+  default_action {{
+    allow {{}}
+  }}
+
+  # Rule 1: AWS Managed Common Rule Set (OWASP Top 10)
+  rule {{
+    name     = "AWSManagedRulesCommonRuleSet"
+    priority = 10
+
+    override_action {{
+      none {{}}
+    }}
+
+    statement {{
+      managed_rule_group_statement {{
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }}
+    }}
+
+    visibility_config {{
+      cloudwatch_metrics_enabled = true
+      metric_name                = "{project_name}-{env}-CommonRuleSet"
+      sampled_requests_enabled   = true
+    }}
+  }}
+
+  # Rule 2: Known Bad Inputs (Log4j, SSRF, etc.)
+  rule {{
+    name     = "AWSManagedRulesKnownBadInputsRuleSet"
+    priority = 20
+
+    override_action {{
+      none {{}}
+    }}
+
+    statement {{
+      managed_rule_group_statement {{
+        name        = "AWSManagedRulesKnownBadInputsRuleSet"
+        vendor_name = "AWS"
+      }}
+    }}
+
+    visibility_config {{
+      cloudwatch_metrics_enabled = true
+      metric_name                = "{project_name}-{env}-KnownBadInputs"
+      sampled_requests_enabled   = true
+    }}
+  }}
+
+  # Rule 3: SQL Injection (AWSManagedRulesSQLiRuleSet)
+  rule {{
+    name     = "AWSManagedRulesSQLiRuleSet"
+    priority = 30
+
+    override_action {{
+      none {{}}
+    }}
+
+    statement {{
+      managed_rule_group_statement {{
+        name        = "AWSManagedRulesSQLiRuleSet"
+        vendor_name = "AWS"
+      }}
+    }}
+
+    visibility_config {{
+      cloudwatch_metrics_enabled = true
+      metric_name                = "{project_name}-{env}-SQLiRuleSet"
+      sampled_requests_enabled   = true
+    }}
+  }}
+
+  # Rule 4: Linux OS Rule Set
+  rule {{
+    name     = "AWSManagedRulesLinuxRuleSet"
+    priority = 40
+
+    override_action {{
+      none {{}}
+    }}
+
+    statement {{
+      managed_rule_group_statement {{
+        name        = "AWSManagedRulesLinuxRuleSet"
+        vendor_name = "AWS"
+      }}
+    }}
+
+    visibility_config {{
+      cloudwatch_metrics_enabled = true
+      metric_name                = "{project_name}-{env}-LinuxRuleSet"
+      sampled_requests_enabled   = true
+    }}
+  }}
+
+  # Rule 5: IP Rate Limiting — block IPs exceeding threshold in 5 minutes
+  rule {{
+    name     = "RateLimitPerIP"
+    priority = 50
+
+    action {{
+      block {{
+        custom_response {{
+          response_code = 429
+          response_header {{
+            name  = "Retry-After"
+            value = "300"
+          }}
+        }}
+      }}
+    }}
+
+    statement {{
+      rate_based_statement {{
+        limit              = {rate_limit}
+        aggregate_key_type = "IP"
+      }}
+    }}
+
+    visibility_config {{
+      cloudwatch_metrics_enabled = true
+      metric_name                = "{project_name}-{env}-RateLimit"
+      sampled_requests_enabled   = true
+    }}
+  }}
+
+  visibility_config {{
+    cloudwatch_metrics_enabled = true
+    metric_name                = "{project_name}-{env}-WAF"
+    sampled_requests_enabled   = true
+  }}
+
+  tags = {{
+    Name           = "{project_name}-{env}-waf-acl"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+    Environment    = "{env}"
+  }}
+}}
+
+# WAF logging to S3 (mandatory for STIG compliance)
+resource "aws_wafv2_web_acl_logging_configuration" "this" {{
+  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]
+  resource_arn            = aws_wafv2_web_acl.this.arn
+
+  logging_filter {{
+    default_behavior = "KEEP"
+
+    filter {{
+      behavior = "KEEP"
+      condition {{
+        action_condition {{
+          action = "BLOCK"
+        }}
+      }}
+      requirement = "MEETS_ANY"
+    }}
+  }}
+}}
+
+resource "aws_cloudwatch_log_group" "waf" {{
+  # WAF log group name MUST start with "aws-waf-logs-"
+  name              = "aws-waf-logs-{project_name}-{env}"
+  retention_in_days = 365
+  kms_key_id        = var.kms_key_arn
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+variable "kms_key_arn" {{
+  description = "KMS key ARN for WAF log group encryption (leave empty to use default)"
+  type        = string
+  default     = null
+}}
+
+output "waf_web_acl_arn" {{
+  description = "ARN of the WAF WebACL (associate with ALB/API Gateway)"
+  value       = aws_wafv2_web_acl.this.arn
+}}
+
+output "waf_web_acl_id" {{
+  description = "ID of the WAF WebACL"
+  value       = aws_wafv2_web_acl.this.id
+}}
+
+output "waf_log_group_name" {{
+  description = "CloudWatch log group name for WAF logs"
+  value       = aws_cloudwatch_log_group.waf.name
+}}
+"""
+
+
+def generate_waf(project_path: str, config: dict = None) -> dict:
+    """Generate AWS WAF v2 Terraform module.
+
+    Creates a WebACL with AWS managed rule groups (Common, KnownBadInputs,
+    SQLi, Linux) and IP-based rate limiting with CloudWatch logging.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict (project_name, environment,
+                rate_limit_requests).
+
+    Returns:
+        dict with keys tf_content, module: "waf", files.
+    """
+    cfg = config or {}
+    module_name = "waf"
+    header = _zta_file_header(module_name)
+    hcl = _waf_hcl(header, cfg)
+
+    out_dir = _zta_dir(project_path) / module_name
+    tf_file = _write(out_dir / "main.tf", hcl)
+
+    return {
+        "tf_content": hcl,
+        "module": module_name,
+        "files": [str(tf_file)],
+    }
+
+
+# ---------------------------------------------------------------------------
+# 4. AWS Config Rules
+# ---------------------------------------------------------------------------
+
+def _config_rules_hcl(header: str, config: dict) -> str:
+    project_name = config.get("project_name", "sparkpilot")
+    env = config.get("environment", "dev")
+    config_bucket = config.get("config_s3_bucket", f"{project_name}-{env}-config-logs")
+    return f"""{header}
+# ------------------------------------------------------------------------------
+# AWS Config — Continuous Configuration Compliance Recording
+# Satisfies: NIST 800-53 CM-6, CM-7, CM-8, AU-2
+# ------------------------------------------------------------------------------
+
+data "aws_caller_identity" "current" {{}}
+data "aws_region" "current" {{}}
+
+# S3 bucket for Config delivery
+resource "aws_s3_bucket" "config_logs" {{
+  bucket        = "{config_bucket}"
+  force_destroy = false
+
+  tags = {{
+    Name           = "{config_bucket}"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_s3_bucket_versioning" "config_logs" {{
+  bucket = aws_s3_bucket.config_logs.id
+  versioning_configuration {{
+    status = "Enabled"
+  }}
+}}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "config_logs" {{
+  bucket = aws_s3_bucket.config_logs.id
+  rule {{
+    apply_server_side_encryption_by_default {{
+      sse_algorithm = "AES256"
+    }}
+  }}
+}}
+
+resource "aws_s3_bucket_public_access_block" "config_logs" {{
+  bucket                  = aws_s3_bucket.config_logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}}
+
+resource "aws_s3_bucket_policy" "config_logs" {{
+  bucket = aws_s3_bucket.config_logs.id
+
+  policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [
+      {{
+        Sid    = "AWSConfigBucketPermissionsCheck"
+        Effect = "Allow"
+        Principal = {{
+          Service = "config.amazonaws.com"
+        }}
+        Action   = "s3:GetBucketAcl"
+        Resource = aws_s3_bucket.config_logs.arn
+        Condition = {{
+          StringEquals = {{
+            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
+          }}
+        }}
+      }},
+      {{
+        Sid    = "AWSConfigBucketDelivery"
+        Effect = "Allow"
+        Principal = {{
+          Service = "config.amazonaws.com"
+        }}
+        Action   = "s3:PutObject"
+        Resource = "${{aws_s3_bucket.config_logs.arn}}/AWSLogs/${{data.aws_caller_identity.current.account_id}}/Config/*"
+        Condition = {{
+          StringEquals = {{
+            "s3:x-amz-acl"    = "bucket-owner-full-control"
+            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
+          }}
+        }}
+      }}
+    ]
+  }})
+}}
+
+# IAM role for Config recorder
+resource "aws_iam_role" "config" {{
+  name = "{project_name}-{env}-config-role"
+
+  assume_role_policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [{{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = {{ Service = "config.amazonaws.com" }}
+    }}]
+  }})
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_iam_role_policy_attachment" "config_managed" {{
+  role       = aws_iam_role.config.name
+  policy_arn = "arn:aws-us-gov:iam::aws:policy/service-role/AWS_ConfigRole"
+}}
+
+# Config recorder — record all resource types
+resource "aws_config_configuration_recorder" "this" {{
+  name     = "{project_name}-{env}-config-recorder"
+  role_arn = aws_iam_role.config.arn
+
+  recording_group {{
+    all_supported                 = true
+    include_global_resource_types = true
+  }}
+}}
+
+# Config delivery channel
+resource "aws_config_delivery_channel" "this" {{
+  name           = "{project_name}-{env}-config-delivery"
+  s3_bucket_name = aws_s3_bucket.config_logs.bucket
+
+  snapshot_delivery_properties {{
+    delivery_frequency = "TwentyFour_Hours"
+  }}
+
+  depends_on = [aws_config_configuration_recorder.this]
+}}
+
+# Enable the recorder
+resource "aws_config_configuration_recorder_status" "this" {{
+  name       = aws_config_configuration_recorder.this.name
+  is_enabled = true
+  depends_on = [aws_config_delivery_channel.this]
+}}
+
+# --------------- Managed Config Rules ---------------
+
+# EBS volumes must be encrypted
+resource "aws_config_config_rule" "ebs_encryption" {{
+  name        = "{project_name}-{env}-ebs-encrypted-volumes"
+  description = "Checks that EBS volumes are encrypted"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "ENCRYPTED_VOLUMES"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+# S3 buckets must have server-side encryption enabled
+resource "aws_config_config_rule" "s3_encryption" {{
+  name        = "{project_name}-{env}-s3-default-encryption-kms"
+  description = "Checks that S3 buckets have default encryption enabled"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "S3_DEFAULT_ENCRYPTION_KMS"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+# CloudTrail must be enabled
+resource "aws_config_config_rule" "cloudtrail_enabled" {{
+  name        = "{project_name}-{env}-cloudtrail-enabled"
+  description = "Checks that CloudTrail is enabled and logging to S3"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "CLOUD_TRAIL_ENABLED"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+# VPC Flow Logs must be enabled
+resource "aws_config_config_rule" "vpc_flow_logs" {{
+  name        = "{project_name}-{env}-vpc-flow-logs-enabled"
+  description = "Checks that VPC Flow Logs are enabled for each VPC"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "VPC_FLOW_LOGS_ENABLED"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+# Root account MFA must be enabled
+resource "aws_config_config_rule" "root_mfa" {{
+  name        = "{project_name}-{env}-root-account-mfa-enabled"
+  description = "Checks that the root account has MFA enabled"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+# GuardDuty must be enabled
+resource "aws_config_config_rule" "guardduty_enabled" {{
+  name        = "{project_name}-{env}-guardduty-enabled-centralized"
+  description = "Checks that GuardDuty is enabled"
+
+  source {{
+    owner             = "AWS"
+    source_identifier = "GUARDDUTY_ENABLED_CENTRALIZED"
+  }}
+
+  depends_on = [aws_config_configuration_recorder_status.this]
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+output "config_recorder_name" {{
+  description = "AWS Config recorder name"
+  value       = aws_config_configuration_recorder.this.name
+}}
+
+output "config_s3_bucket" {{
+  description = "S3 bucket name for Config log delivery"
+  value       = aws_s3_bucket.config_logs.bucket
+}}
+
+output "config_role_arn" {{
+  description = "IAM role ARN used by Config recorder"
+  value       = aws_iam_role.config.arn
+}}
+"""
+
+
+def generate_config_rules(project_path: str, config: dict = None) -> dict:
+    """Generate AWS Config Terraform module.
+
+    Deploys Config recorder, S3 delivery channel, and managed rules covering
+    encryption, logging, MFA, and GuardDuty enablement.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict (project_name, environment,
+                config_s3_bucket).
+
+    Returns:
+        dict with keys tf_content, module: "config_rules", files.
+    """
+    cfg = config or {}
+    module_name = "config_rules"
+    header = _zta_file_header(module_name)
+    hcl = _config_rules_hcl(header, cfg)
+
+    out_dir = _zta_dir(project_path) / module_name
+    tf_file = _write(out_dir / "main.tf", hcl)
+
+    return {
+        "tf_content": hcl,
+        "module": module_name,
+        "files": [str(tf_file)],
+    }
+
+
+# ---------------------------------------------------------------------------
+# 5. VPC Flow Logs
+# ---------------------------------------------------------------------------
+
+def _vpc_flow_logs_hcl(header: str, config: dict) -> str:
+    project_name = config.get("project_name", "sparkpilot")
+    env = config.get("environment", "dev")
+    retention_days = config.get("flow_log_retention_days", 365)
+    archive_bucket = config.get("flow_log_s3_bucket", f"{project_name}-{env}-flow-logs-archive")
+    return f"""{header}
+# ------------------------------------------------------------------------------
+# Enhanced VPC Flow Logs — CloudWatch + S3 Archival
+# Satisfies: NIST 800-53 AU-2, AU-3, AU-9, AU-12, SI-4
+# ------------------------------------------------------------------------------
+
+variable "vpc_id" {{
+  description = "ID of the VPC to enable flow logs for"
+  type        = string
+}}
+
+# CloudWatch log group for near-real-time flow log analysis
+resource "aws_cloudwatch_log_group" "flow_logs" {{
+  name              = "/aws/vpc/{project_name}-{env}/flow-logs"
+  retention_in_days = {retention_days}
+  kms_key_id        = var.flow_log_kms_key_arn
+
+  tags = {{
+    Name           = "{project_name}-{env}-vpc-flow-logs"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+variable "flow_log_kms_key_arn" {{
+  description = "KMS key ARN to encrypt CloudWatch log group (optional)"
+  type        = string
+  default     = null
+}}
+
+# IAM role for VPC Flow Logs → CloudWatch
+resource "aws_iam_role" "flow_logs" {{
+  name = "{project_name}-{env}-vpc-flow-logs-role"
+
+  assume_role_policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [{{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = {{ Service = "vpc-flow-logs.amazonaws.com" }}
+    }}]
+  }})
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_iam_role_policy" "flow_logs" {{
+  name = "{project_name}-{env}-vpc-flow-logs-policy"
+  role = aws_iam_role.flow_logs.id
+
+  policy = jsonencode({{
+    Version = "2012-10-17"
+    Statement = [{{
+      Effect = "Allow"
+      Action = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams"
+      ]
+      Resource = "*"
+    }}]
+  }})
+}}
+
+# Flow logs → CloudWatch (near-real-time SIEM feed)
+resource "aws_flow_log" "cloudwatch" {{
+  vpc_id               = var.vpc_id
+  traffic_type         = "ALL"
+  log_destination_type = "cloud-watch-logs"
+  log_destination      = aws_cloudwatch_log_group.flow_logs.arn
+  iam_role_arn         = aws_iam_role.flow_logs.arn
+
+  # Enhanced metadata fields (VPC Flow Logs v5)
+  log_format = "${{version}} ${{account-id}} ${{interface-id}} ${{srcaddr}} ${{dstaddr}} ${{srcport}} ${{dstport}} ${{protocol}} ${{packets}} ${{bytes}} ${{windowstart}} ${{windowend}} ${{action}} ${{log-status}} ${{vpc-id}} ${{subnet-id}} ${{instance-id}} ${{tcp-flags}} ${{type}} ${{pkt-srcaddr}} ${{pkt-dstaddr}} ${{region}} ${{az-id}} ${{sublocation-type}} ${{sublocation-id}} ${{pkt-src-aws-service}} ${{pkt-dst-aws-service}} ${{flow-direction}} ${{traffic-path}}"
+
+  tags = {{
+    Name           = "{project_name}-{env}-flow-log-cw"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+    Destination    = "cloudwatch"
+  }}
+}}
+
+# S3 bucket for long-term archival (NIST AU-9 archival requirement)
+resource "aws_s3_bucket" "flow_logs_archive" {{
+  bucket        = "{archive_bucket}"
+  force_destroy = false
+
+  tags = {{
+    Name           = "{archive_bucket}"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+resource "aws_s3_bucket_versioning" "flow_logs_archive" {{
+  bucket = aws_s3_bucket.flow_logs_archive.id
+  versioning_configuration {{
+    status = "Enabled"
+  }}
+}}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "flow_logs_archive" {{
+  bucket = aws_s3_bucket.flow_logs_archive.id
+  rule {{
+    apply_server_side_encryption_by_default {{
+      sse_algorithm = "AES256"
+    }}
+  }}
+}}
+
+resource "aws_s3_bucket_public_access_block" "flow_logs_archive" {{
+  bucket                  = aws_s3_bucket.flow_logs_archive.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}}
+
+# Lifecycle: transition to Glacier after 90 days, expire after 7 years
+resource "aws_s3_bucket_lifecycle_configuration" "flow_logs_archive" {{
+  bucket = aws_s3_bucket.flow_logs_archive.id
+
+  rule {{
+    id     = "archive-flow-logs"
+    status = "Enabled"
+
+    transition {{
+      days          = 90
+      storage_class = "GLACIER"
+    }}
+
+    expiration {{
+      days = 2555
+    }}
+  }}
+}}
+
+# Flow logs → S3 (long-term archival)
+resource "aws_flow_log" "s3" {{
+  vpc_id               = var.vpc_id
+  traffic_type         = "ALL"
+  log_destination_type = "s3"
+  log_destination      = aws_s3_bucket.flow_logs_archive.arn
+
+  destination_options {{
+    file_format                = "parquet"
+    hive_compatible_partitions = true
+    per_hour_partition         = true
+  }}
+
+  tags = {{
+    Name           = "{project_name}-{env}-flow-log-s3"
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+    Destination    = "s3"
+  }}
+}}
+
+# CloudWatch metric filter: flag rejected traffic spikes
+resource "aws_cloudwatch_metric_filter" "rejected_traffic" {{
+  name           = "{project_name}-{env}-rejected-traffic"
+  log_group_name = aws_cloudwatch_log_group.flow_logs.name
+  pattern        = "[version, account_id, interface_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, windowstart, windowend, action = REJECT, log_status]"
+
+  metric_transformation {{
+    name          = "RejectedPackets"
+    namespace     = "ICDev/VPCFlowLogs"
+    value         = "1"
+    default_value = "0"
+    unit          = "Count"
+  }}
+}}
+
+resource "aws_cloudwatch_metric_alarm" "rejected_traffic_spike" {{
+  alarm_name          = "{project_name}-{env}-rejected-traffic-spike"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "RejectedPackets"
+  namespace           = "ICDev/VPCFlowLogs"
+  period              = 300
+  statistic           = "Sum"
+  threshold           = 1000
+  alarm_description   = "Unusually high rejected packet count — possible port scan or DDoS"
+  treat_missing_data  = "notBreaching"
+
+  tags = {{
+    Classification = "CUI"
+    ManagedBy      = "sparkpilot"
+    Component      = "zta-security"
+  }}
+}}
+
+output "flow_log_cloudwatch_id" {{
+  description = "Flow log ID for CloudWatch destination"
+  value       = aws_flow_log.cloudwatch.id
+}}
+
+output "flow_log_s3_id" {{
+  description = "Flow log ID for S3 archival destination"
+  value       = aws_flow_log.s3.id
+}}
+
+output "flow_log_group_name" {{
+  description = "CloudWatch log group name for VPC flow logs"
+  value       = aws_cloudwatch_log_group.flow_logs.name
+}}
+
+output "flow_log_archive_bucket" {{
+  description = "S3 bucket name for long-term flow log archival"
+  value       = aws_s3_bucket.flow_logs_archive.bucket
+}}
+"""
+
+
+def generate_vpc_flow_logs(project_path: str, config: dict = None) -> dict:
+    """Generate enhanced VPC Flow Logs Terraform module.
+
+    Deploys dual-destination flow logs (CloudWatch for near-real-time +
+    S3 Parquet for long-term archival), metric filter for rejected traffic,
+    and a CloudWatch alarm for traffic spikes.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict (project_name, environment,
+                flow_log_retention_days, flow_log_s3_bucket).
+
+    Returns:
+        dict with keys tf_content, module: "vpc_flow_logs", files.
+    """
+    cfg = config or {}
+    module_name = "vpc_flow_logs"
+    header = _zta_file_header(module_name)
+    hcl = _vpc_flow_logs_hcl(header, cfg)
+
+    out_dir = _zta_dir(project_path) / module_name
+    tf_file = _write(out_dir / "main.tf", hcl)
+
+    return {
+        "tf_content": hcl,
+        "module": module_name,
+        "files": [str(tf_file)],
+    }
+
+
+# ---------------------------------------------------------------------------
+# 6. Generate All
+# ---------------------------------------------------------------------------
+
+_MODULE_GENERATORS = {
+    "guardduty": generate_guardduty,
+    "security_hub": generate_security_hub,
+    "waf": generate_waf,
+    "config_rules": generate_config_rules,
+    "vpc_flow_logs": generate_vpc_flow_logs,
+}
+
+
+def generate_all(project_path: str, config: dict = None) -> dict:
+    """Generate all ZTA security Terraform modules.
+
+    Calls all five individual generators and aggregates their output into a
+    single result dict.
+
+    Args:
+        project_path: Target project directory.
+        config: Optional configuration dict shared across all modules.
+
+    Returns:
+        dict with keys:
+            modules (dict[str, dict]): Per-module results keyed by module name.
+            files (list[str]): Flat list of all generated file paths.
+    """
+    cfg = config or {}
+    results: dict = {"modules": {}, "files": []}
+
+    for module_name, generator in _MODULE_GENERATORS.items():
+        module_result = generator(project_path, cfg)
+        results["modules"][module_name] = module_result
+        results["files"].extend(module_result.get("files", []))
+
+    return results
+
+
+# ---------------------------------------------------------------------------
+# CLI
+# ---------------------------------------------------------------------------
+
+def _human_output(result: dict, modules_requested: list) -> None:
+    """Print a human-readable summary to stdout."""
+    all_files: list = result.get("files", [])
+
+    # Colour codes (gracefully ignored on non-ANSI terminals)
+    GREEN = "\033[32m"
+    CYAN = "\033[36m"
+    BOLD = "\033[1m"
+    RESET = "\033[0m"
+
+    print(f"\n{BOLD}ZTA Terraform Generator — AWS GovCloud ({REGION}){RESET}")
+    print(f"Modules requested : {', '.join(modules_requested)}")
+    print(f"Files generated   : {len(all_files)}\n")
+
+    for f in all_files:
+        print(f"  {GREEN}+{RESET} {CYAN}{f}{RESET}")
+
+    print(f"\n{BOLD}[OK]{RESET} ZTA modules written successfully.\n")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate ZTA-specific Terraform modules for AWS GovCloud security services."
+    )
+    parser.add_argument(
+        "--project-path",
+        required=True,
+        help="Target project directory (terraform/zta/ will be created inside it)",
+    )
+    parser.add_argument(
+        "--modules",
+        default="all",
+        help=(
+            "Comma-separated modules to generate, or 'all'. "
+            "Choices: all, guardduty, security_hub, waf, config_rules, vpc_flow_logs"
+        ),
+    )
+    # Shared config overrides
+    parser.add_argument("--project-name", default="sparkpilot", help="Project name for resource naming")
+    parser.add_argument(
+        "--environment",
+        default="dev",
+        choices=["dev", "staging", "prod"],
+        help="Deployment environment",
+    )
+    parser.add_argument("--sns-email", default="security@agency.gov", help="Email for GuardDuty SNS alerts")
+    parser.add_argument("--rate-limit", type=int, default=2000, help="WAF IP rate limit (requests per 5 min)")
+    parser.add_argument("--json", action="store_true", dest="json_output", help="Output JSON result")
+    parser.add_argument("--human", action="store_true", help="Output human-readable summary (default when --json not set)")
+    args = parser.parse_args()
+
+    config = {
+        "project_name": args.project_name,
+        "environment": args.environment,
+        "sns_email": args.sns_email,
+        "rate_limit_requests": args.rate_limit,
+    }
+
+    requested_raw = [m.strip().lower() for m in args.modules.split(",")]
+    use_all = "all" in requested_raw
+
+    if use_all:
+        modules_to_run = list(_MODULE_GENERATORS.keys())
+        result = generate_all(args.project_path, config)
+    else:
+        modules_to_run = []
+        result = {"modules": {}, "files": []}
+        for mod in requested_raw:
+            if mod not in _MODULE_GENERATORS:
+                print(f"[WARN] Unknown module '{mod}' — skipping.", file=sys.stderr)
+                continue
+            modules_to_run.append(mod)
+            mod_result = _MODULE_GENERATORS[mod](args.project_path, config)
+            result["modules"][mod] = mod_result
+            result["files"].extend(mod_result.get("files", []))
+
+    if args.json_output:
+        # Omit tf_content from JSON output (verbose HCL) — include file lists only
+        json_out: dict = {
+            "status": "ok",
+            "region": REGION,
+            "modules_generated": modules_to_run,
+            "files": result["files"],
+            "file_count": len(result["files"]),
+        }
+        print(json.dumps(json_out, indent=2))
+    else:
+        _human_output(result, modules_to_run)
+
+
+if __name__ == "__main__":
+    main()