Enhancement | Sync le-template with le-ref-arch (ISSUE-23)

template/management/global/organizations/accounts.tf

@@ -1,6 +1,9 @@
 #
 # Organization accounts
 #
+# Root account of the organization: mainly used for consolidated billing reports
+# but it could also be used to manage the SCPs of the OUs and accounts.
+#
 # Uncomment after first `apply`
 #resource "aws_organizations_account" "management" {
 #  name  = "${var.project_long}-management"

template/management/global/organizations/organization.tf

@@ -4,13 +4,17 @@
 resource "aws_organizations_organization" "main" {
   # Not needed at first, might be needed later: https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html
   aws_service_access_principals = [
+    "malware-protection.guardduty.amazonaws.com",
     "guardduty.amazonaws.com",
     "access-analyzer.amazonaws.com",
     "aws-artifact-account-sync.amazonaws.com",
     "backup.amazonaws.com",
     "cloudtrail.amazonaws.com",
     "config.amazonaws.com",
-    "sso.amazonaws.com"
+    "ram.amazonaws.com",
+    "sso.amazonaws.com",
+    "fms.amazonaws.com",
+    "inspector2.amazonaws.com",
   ]
 
   # Enable all feature set to enable SCPs
@@ -25,7 +29,7 @@ resource "aws_organizations_organization" "main" {
 
 #
 # Delegate administration of access analyzer to security account
-# 
+#
 resource "aws_organizations_delegated_administrator" "access_analyzer_administrator" {
   account_id        = aws_organizations_account.accounts["security"].id
   service_principal = "access-analyzer.amazonaws.com"

template/management/global/organizations/policies_scp.tf

@@ -111,3 +111,89 @@ resource "aws_organizations_policy" "standard" {
       aws_organizations_organization.main
   ]
 }
+
+#
+# Delete protection policy (scp)
+#
+resource "aws_organizations_policy" "delete_protection" {
+  name        = "delete-protection"
+  description = "Delete protection"
+
+  content = <<JSON
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Statement1",
+      "Effect": "Deny",
+      "Action": [
+        "ec2:DeleteTransitGateway",
+        "ec2:ModifyTransitGateway",
+        "ec2:ModifyTransitGatewayVpcAttachment",
+        "ec2:DeleteTransitGatewayConnectPeer",
+        "ec2:DeleteTransitGatewayConnect",
+        "ec2:DeleteTransitGatewayMulticastDomain",
+        "ec2:DeleteTransitGatewayPeeringAttachment",
+        "ec2:DeleteTransitGatewayPrefixListReference",
+        "ec2:DeleteTransitGatewayRoute",
+        "ec2:DeleteTransitGatewayRouteTable",
+        "ec2:DeleteTransitGatewayVpcAttachment"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {
+        "ForAnyValue:StringEquals": {
+          "aws:ResourceTag/protectFromDeletion": [
+            "true"
+          ]
+        }
+      }
+    }
+  ]
+}
+JSON
+}
+
+#
+# Delete protection policy (scp)
+#
+resource "aws_organizations_policy" "tag_protection" {
+  name        = "tag-protection"
+  description = "This policy prevents all user but DevOps role to delete or modify tags on EC2, RDs and EKS resources"
+
+  content = <<JSON
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Statement1",
+      "Effect": "Deny",
+      "Action": [
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "rds:AddTagsToResource",
+        "rds:RemoveTagsFromResource",
+        "eks:UntagResource",
+        "eks:TagResource"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {
+        "StringNotEquals": {
+          "aws:PrincipalArn": [
+            "arn:aws:iam::${aws_organizations_account.accounts["shared"].id}:role/DevOps",
+          ]
+        },
+        "ForAnyValue:StringEquals": {
+          "aws:TagKeys": [
+            "ProtectFromDeletion"
+          ]
+        }
+      }
+    }
+  ]
+}
+JSON
+}

template/management/global/organizations/policy_scp_attachments.tf

@@ -11,3 +11,29 @@ resource "aws_organizations_policy_attachment" "policy_attachments" {
     aws_organizations_organizational_unit.units
   ]
 }
+
+#
+# Delete protection policy attachment
+#
+resource "aws_organizations_policy_attachment" "delete_protection" {
+
+  for_each = { for v in [
+    "shared",
+  ] : v => v }
+
+  policy_id = aws_organizations_policy.delete_protection.id
+  target_id = aws_organizations_organizational_unit.units[each.value].id
+}
+
+#
+# Tag protection policy attachment
+#
+resource "aws_organizations_policy_attachment" "tag_protection" {
+
+  for_each = { for v in [
+    "shared",
+  ] : v => v }
+
+  policy_id = aws_organizations_policy.tag_protection.id
+  target_id = aws_organizations_organizational_unit.units[each.value].id
+}

template/management/global/sso/config.tf

@@ -13,7 +13,7 @@ terraform {
   required_version = "~> 1.2"
 
   required_providers {
-    aws = "~> 4.2"
+    aws = "~> 4.40"
   }
 
   backend "s3" {

template/management/global/sso/policies.tf

@@ -27,11 +27,14 @@ data "aws_iam_policy_document" "devops" {
       "compute-optimizer:*",
       "datasync:*",
       "dlm:*",
+      "ds:*",
       "dynamodb:*",
       "ec2:*",
+      "ec2-instance-connect:*",
       "ecr:*",
       "ecr-public:*",
       "ecs:*",
+      "elasticfilesystem:*",
       "eks:*",
       "elasticache:*",
       "elasticbeanstalk:*",
@@ -46,10 +49,12 @@ data "aws_iam_policy_document" "devops" {
       "kafka:*",
       "kms:*",
       "lambda:*",
+      "license-manager:*",
       "lightsail:*",
       "logs:*",
       "network-firewall:*",
       "networkmanager:*",
+      "q:*",
       "ram:*",
       "rds:*",
       "redshift:*",
@@ -61,12 +66,14 @@ data "aws_iam_policy_document" "devops" {
       "route53resolver:*",
       "s3:*",
       "ses:*",
+      "secretsmanager:*",
       "shield:*",
       "sns:*",
       "sqs:*",
       "ssm:*",
       "sts:*",
       "support:*",
+      "servicediscovery:*",
       "tag:*",
       "transfer:*",
       "trustedadvisor:*",
@@ -75,6 +82,8 @@ data "aws_iam_policy_document" "devops" {
       "waf:*",
       "wafv2:*",
       "waf-regional:*",
+      "workspaces:*",
+      "workspaces-web:*",
       "wellarchitected:*"
     ]
     resources = ["*"]

template/security/primary_region/security-base/account.tf

@@ -12,3 +12,11 @@ resource "aws_s3_account_public_access_block" "main" {
   block_public_acls   = true
   block_public_policy = true
 }
+
+module "root-login-notifications" {
+  source = "github.com/binbashar/terraform-aws-root-login-notifications.git?ref=v2.3.0"
+
+  alarm_suffix   = "${var.environment}-account"
+  send_sns       = true
+  sns_topic_name = var.sns_topic_name_monitoring_sec
+}

template/security/primary_region/security-base/config.tf

@@ -13,7 +13,7 @@ terraform {
   required_version = "~> 1.2"
 
   required_providers {
-    aws = "~> 4.0"
+    aws = "~> 4.10"
   }
 
   backend "s3" {

template/security/primary_region/security-base/iam_access_analizer.tf

@@ -1,4 +1,11 @@
 #
+# NOTE: In order to enable AccessAnalyzer with the Organization at the zone of
+# of trust in the Security account, this account needs to be set as a delegated
+# administrator. Such step cannot be performed by Terraform yet so it was set
+# up manually as described below:
+# https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-settings.html
+#
+#
 # Access Analyzer
 #
 resource "aws_accessanalyzer_analyzer" "default" {

template/security/primary_region/security-base/variables.tf

@@ -1,3 +1,13 @@
+#=============================#
+# Notifications               #
+#=============================#
+#
+# AWS SNS -> Lambda -> Slack: tools-monitoring-sec
+#
+variable "sns_topic_name_monitoring_sec" {
+  description = ""
+  default     = "sns-topic-slack-notify-monitoring-sec"
+
 #
 # security/config/backend.tfvars
 #

template/shared/primary_region/base-network/config.tf

@@ -13,7 +13,7 @@ terraform {
   required_version = "~> 1.2"
 
   required_providers {
-    aws = "~> 4.0"
+    aws = "~> 4.10"
   }
 
   backend "s3" {

template/shared/primary_region/security-base/account.tf

@@ -12,3 +12,11 @@ resource "aws_s3_account_public_access_block" "main" {
   block_public_acls   = true
   block_public_policy = true
 }
+
+module "root-login-notifications" {
+  source = "github.com/binbashar/terraform-aws-root-login-notifications.git?ref=v2.3.0"
+
+  alarm_suffix   = "${var.environment}-account"
+  send_sns       = true
+  sns_topic_name = var.sns_topic_name_monitoring_sec
+}

template/shared/primary_region/security-base/config.tf

@@ -2,18 +2,18 @@
 # AWS Provider Settings       #
 #=============================#
 provider "aws" {
-  region                  = var.region
-  profile                 = var.profile
+  region  = var.region
+  profile = var.profile
 }
 
 #=============================#
 # Backend Config (partial)    #
 #=============================#
 terraform {
-  required_version = ">= 0.14.11"
+  required_version = "~> 1.2.7"
 
   required_providers {
-    aws = "~> 3.0"
+    aws = "~> 4.10"
   }
 
   backend "s3" {

template/shared/primary_region/security-base/variables.tf

@@ -1,3 +1,14 @@
+#=============================#
+# Notifications               #
+#=============================#
+#
+# AWS SNS -> Lambda -> Slack: tools-monitoring-sec
+#
+variable "sns_topic_name_monitoring_sec" {
+  description = ""
+  default     = "sns-topic-slack-notify-monitoring-sec"
+}
+
 #
 # shared/config/backend.tfvars
 #