diff --git a/locals.tf b/locals.tf
index 6efec262..1f79c882 100755
--- a/locals.tf
+++ b/locals.tf
@@ -210,7 +210,7 @@ locals {
 rds_performance_insight = var.enable_nist_features == true ? true : false
 rds_performance_retention_period = var.enable_nist_features == true ? 7 : 0
- ###nist-resource-chcker
+ ###nist-resource-chcker
 bucket_exists = try(module.resource_checker[0].bucket_external["exists"], "false")
 waf_exists = try(module.resource_checker[0].waf_external["exists"], "false")
 waf_arn = try(module.resource_checker[0].waf_external["arn"], "")
diff --git a/main.tf b/main.tf
index feac989b..2b910c64 100755
--- a/main.tf
+++ b/main.tf
@@ -97,8 +97,8 @@ module "vpc" {
 hub_environment = var.hub_environment
 hub = var.hub
 vpc_nist_endpoints = var.vpc_nist_endpoints
- local_s3_bucket_arn = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
- depends_on = [module.spoke_logging_bucket]
+ local_s3_bucket_arn = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
+ depends_on = [module.spoke_logging_bucket]
 }
@@ -313,7 +313,7 @@ module "postgresql" {
 tags = merge(local.tags, { "Backup" = var.enable_nist_features == true ? "Enabled" : null })
 # DB subnet group - use public subnet if public access is requested
- publicly_accessible = length(local.postgres_public_access_cidrs) > 0 && var.enable_nist_features == false ? true : false
+ publicly_accessible = length(local.postgres_public_access_cidrs) > 0 && var.enable_nist_features == false ? true : false
 subnet_ids = length(local.postgres_public_access_cidrs) > 0 ? length(module.vpc.public_subnets) > 0 ? module.vpc.database_subnets : module.vpc.database_subnets : module.vpc.database_subnets
 # DB parameter group
@@ -395,12 +395,13 @@ module "spoke_logging_bucket" {
 spoke_account_id = var.spoke_account_id
 tags = local.tags
 hub_environment = var.hub_environment
- depends_on = [module.resource_checker]
+ logging_account = var.logging_account
+ depends_on = [module.resource_checker]
 }
 ###################################Config Conformance Pack############################
 module "nist_pack" {
- count = var.enable_nist_features == true ? 1 : 0
+ count = var.enable_nist_features == true ? 1 : 0
 source = "./modules/aws_config"
 conformance_pack_name = var.conformance_pack_name
 custom_conformance_pack_name = var.custom_conformance_pack_name
@@ -416,15 +417,15 @@ module "iam_access_analyzer" {
 analyzer_type_external = "ACCOUNT"
 analyzer_type_unused = "ACCOUNT_UNUSED_ACCESS"
 tags = local.tags
- depends_on = [module.resource_checker]
+ depends_on = [module.resource_checker]
 }
 ######### WAF & WAF LOGGING #########
 module "spoke_waf" {
- count = var.enable_nist_features == true && local.waf_exists == "false" ? 1 : 0
- depends_on = [ module.spoke_logging_bucket , module.resource_checker]
- source = "./modules/aws_waf"
+ count = var.enable_nist_features == true && local.waf_exists == "false" ? 1 : 0
+ depends_on = [module.spoke_logging_bucket, module.resource_checker]
+ source = "./modules/aws_waf"
 local_s3_bucket_arn = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
 spoke_account_id = var.spoke_account_id
 location = var.location
diff --git a/modules/aws_s3/main.tf b/modules/aws_s3/main.tf
index 9ffe0649..c42cd187 100644
--- a/modules/aws_s3/main.tf
+++ b/modules/aws_s3/main.tf
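Review bot: The new `logging_account = var.logging_account` line makes the root `logging_account` variable a required input (its declaration in the variables.tf hunk has no default), replacing an account ID that was previously hard-coded inside the module, so every existing root configuration and tfvars file must now set it or `terraform plan` fails. That migration step is not documented anywhere in this diff; a short comment here such as `# account ID of the central logging account; required, replaces the formerly hard-coded trust-policy principal in modules/aws_s3` and a matching README/tfvars example would make the break explicit. The spoke_logging_bucket module block begins before this hunk.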
@@ -76,7 +76,7 @@ data "aws_iam_policy_document" "assume_role_local" {
 }
 principals {
 type = "AWS"
- identifiers = ["arn:aws:iam::730335345263:role/sascloud-awsng-logging-cross-account-iam-role"]
+ identifiers = ["arn:aws:iam::${var.logging_account}:role/sascloud-awsng-logging-cross-account-iam-role"]
 }
 actions = ["sts:AssumeRole"]
 }
diff --git a/modules/aws_s3/variables.tf b/modules/aws_s3/variables.tf
index b2c956a7..2956758c 100644
--- a/modules/aws_s3/variables.tf
+++ b/modules/aws_s3/variables.tf
@@ -41,3 +41,8 @@ variable "prefixes" {
 default = ["vpc-flow", "alb-nlb", "dns-query"]
 }
+variable "logging_account" {
+ description = "Central logging accoutn ID"
+ type = string
+}
+
diff --git a/outputs.tf b/outputs.tf
index 6e5e38f9..e8723bb6 100755
--- a/outputs.tf
+++ b/outputs.tf
@@ -122,7 +122,7 @@ output "postgres_servers" {
 output "nat_ip" {
 description = "List of public Elastic IPs created for AWS NAT Gateway."
- value = var.enable_nist_features == true ? null : module.vpc.nat_public_ips[0]
+ value = var.enable_nist_features == true ? null : module.vpc.nat_public_ips[0]
 }
 output "prefix" {
diff --git a/variables.tf b/variables.tf
index 2688606a..e01c40b6 100644
--- a/variables.tf
+++ b/variables.tf
@@ -779,7 +779,7 @@ variable "analyzer_name" {
 variable "central_logging_bucket" {
 type = string
 description = "Centralized logging bucket"
- default = ""
+ default = ""
 }
 variable "conformance_pack_name" {
@@ -865,6 +865,10 @@ variable "org_id" {
 default = ""
 }
+variable "logging_account" {
+ description = "Central logging accoutn ID"
+ type = string
+}
diff --git a/vms.tf b/vms.tf
index 3d418384..27fd533e 100644
--- a/vms.tf
+++ b/vms.tf
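Review bot: The templated principal `arn:aws:iam::${var.logging_account}:role/sascloud-awsng-logging-cross-account-iam-role` is the whole trust boundary of this `sts:AssumeRole` statement, and the statement carries no `condition` block, so whichever account ID arrives in `var.logging_account` is trusted as-is and the role name on the other side is still a fixed string that must already exist there. Nothing in the hunk records either expectation; a comment on the `principals` block such as `# trust only the cross-account logging role in the central logging account (var.logging_account); that role is created outside this module` would document it. If the root `org_id` variable visible in the variables.tf hunk is meant to be threaded into this module, an `aws:PrincipalOrgID` condition on this statement would additionally bound the trust to the organization, but that depends on how `org_id` is used elsewhere, which is not visible here. The `assume_role_local` data block starts before this hunk.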
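Review bot: The new `variable "logging_account"` declares a bare `string` with no validation, although the value is interpolated directly into an IAM trust-policy principal ARN in modules/aws_s3/main.tf; a malformed value only surfaces at apply time as an invalid policy document, and a wrong but well-formed ID is accepted silently and trusts a different account. The same applies to the duplicate declaration in the variables.tf hunk (`@@ -865,6 +865,10 @@`); both should constrain the value to a 12-digit account ID, and both descriptions have the typo `accoutn` (`description = "Central logging account ID"`). The rewritten module variable is below; the root declaration should mirror it.
```hcl
variable "logging_account" {
  description = "Central logging account ID"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.logging_account))
    error_message = "logging_account must be a 12-digit AWS account ID."
  }
}
```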
@@ -33,7 +33,7 @@ resource "aws_fsx_ontap_file_system" "ontap-fs" {
 security_group_ids = [local.workers_security_group_id]
 tags = merge(local.tags, { "Name" : "${var.prefix}-ontap-fs", "Backup" = var.enable_nist_features == true ? "Enabled" : null })
 kms_key_id = lookup(local.kms_keys, "fsx_key", null)
- depends_on = [module.ontap]
+ depends_on = [module.ontap]
 }
 # ONTAP storage virtual machine and volume resources
@@ -180,6 +180,6 @@ module "nfs" {
 ssh_public_key = local.ssh_public_key
 enable_ebs_encryption = var.enable_ebs_encryption
- cloud_init = data.cloudinit_config.nfs[0].rendered
- ebs_cmk_key = lookup(local.kms_keys, "ebs_key", null)
+ cloud_init = data.cloudinit_config.nfs[0].rendered
+ ebs_cmk_key = lookup(local.kms_keys, "ebs_key", null)
 }