resource "aws_config_config_rule" "sg_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
name = "restrict-sg-open-admin-db-ports"
description = "Detects security groups with rules allowing 0.0.0.0/0 access to admin or database ports"
source {
owner = "AWS"
source_identifier = "INCOMING_SSH_DISABLED"
}
scope {
compliance_resource_types = ["AWS::EC2::SecurityGroup"]
}
}
resource "aws_ssm_document" "delete_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
name = "DeleteOpenAdminDBPorts"
document_type = "Automation"
document_format = "YAML"
content = templatefile("${path.module}/ssm_documents/delete_open_admin_db_ports.yaml", {
SNSTopicArn = try(aws_sns_topic.admin_notifications[0].arn, "")
})
}
resource "aws_config_remediation_configuration" "delete_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
config_rule_name = aws_config_config_rule.sg_open_admin_db_ports[0].name
resource_type = "AWS::EC2::SecurityGroup"
target_type = "SSM_DOCUMENT"
target_id = aws_ssm_document.delete_open_admin_db_ports[0].name
parameter {
name = "SecurityGroupId"
resource_value = "RESOURCE_ID"
}
automatic = true
maximum_automatic_attempts = 1
}
resource "aws_iam_role" "delete_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
name = "config-remediation-delete-open-admin-db-ports"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
tags = local.tags
}
data "aws_iam_policy_document" "delete_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
statement {
effect = "Allow"
actions = [
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress"
]
resources = ["*"]
}
}
resource "aws_iam_role_policy" "delete_open_admin_db_ports" {
count = var.enable_sg_open_port_deletion ? 1 : 0
name = "config-remediation-delete-open-admin-db-ports-policy"
role = aws_iam_role.delete_open_admin_db_ports[0].id
policy = data.aws_iam_policy_document.delete_open_admin_db_ports[0].json
}
resource "aws_iam_role_policy" "delete_open_admin_db_ports_publish_to_sns" {
count = var.enable_sns_notifications ? 1 : 0
name = "config-remediation-delete-open-admin-db-ports-publish-to-sns-policy"
role = aws_iam_role.delete_open_admin_db_ports[0].id
policy = data.aws_iam_policy_document.publish_to_sns.json
}