-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
new: added a number of terraform files for policies (see the list in …
…the commit message) 081, 088, 089, 100, 175, 178, 180, 182, 192, 193, 194, 204, 205, 206, 207, 208, 209, 211, 213, 224, 225, 226, 227, 228, 229, 230, 239, 244, 252, 265, 266, 268, 269, 270, 271, 282, 283, 284, 285, 296, 301, 302, 303, 304, 305, 328, 365, 366, 367, 399, 406, 410, 412, 417, 422, 426, 441, 443, 446, 450, 523, 528, 541, 543, 545, 546, 549, 642, 661, 662, 663, 678, 695, 711, 722, 743, 915, 916
- Loading branch information
Vladyslav Yevsiukov
authored and
Vladyslav Yevsiukov
committed
Jul 24, 2023
1 parent
48114c6
commit 16e4d9c
Showing
1,075 changed files
with
24,083 additions
and
0 deletions.
There are no files selected for viewing
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-081-rds_not_open_to_large_scope/green/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| terraform { | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 4" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws" { | ||
| profile = var.profile | ||
| region = var.default-region | ||
|
|
||
| default_tags { | ||
| tags = { | ||
| CustodianRule = "ecc-aws-081-rds_not_open_to_large_scope" | ||
| ComplianceStatus = "Green" | ||
| } | ||
| } | ||
| } |
33 changes: 33 additions & 0 deletions
33
terraform/ecc-aws-081-rds_not_open_to_large_scope/green/rds.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| resource "aws_security_group" "this" { | ||
| name = "081_security_group_green" | ||
| description = "Restrict inbound traffic" | ||
|
|
||
| ingress { | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["89.162.139.30/32"] | ||
| } | ||
| } | ||
|
|
||
| resource "random_password" "this" { | ||
| length = 12 | ||
| special = true | ||
| numeric = true | ||
| override_special = "!#$%*()-_=+[]{}:?" | ||
| } | ||
|
|
||
| resource "aws_db_instance" "this" { | ||
| identifier = "database-081-green" | ||
| engine = "mysql" | ||
| engine_version = "5.7" | ||
| instance_class = "db.t2.micro" | ||
| allocated_storage = 20 | ||
| storage_type = "gp2" | ||
| db_name = "database081green" | ||
| username = "root" | ||
| password = random_password.this.result | ||
| parameter_group_name = "default.mysql5.7" | ||
| skip_final_snapshot = true | ||
| vpc_security_group_ids = ["${aws_security_group.this.id}"] | ||
| } |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-081-rds_not_open_to_large_scope/green/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| profile = "c7n" | ||
| default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-081-rds_not_open_to_large_scope/green/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| variable "default-region" { | ||
| type = string | ||
| description = "Default region for resources will be created" | ||
| } | ||
|
|
||
| variable "profile" { | ||
| type = string | ||
| description = "Profile name configured before running apply" | ||
| } |
15 changes: 15 additions & 0 deletions
15
terraform/ecc-aws-081-rds_not_open_to_large_scope/iam/081-policy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| { | ||
| "Version": "2012-10-17", | ||
| "Statement": [ | ||
| { | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "tag:GetResources", | ||
| "rds:DescribeDBInstances", | ||
| "ec2:DescribeSecurityGroups", | ||
| "ec2:DescribeSecurityGroupRules" | ||
| ], | ||
| "Resource": "*" | ||
| } | ||
| ] | ||
| } |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-081-rds_not_open_to_large_scope/red/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| terraform { | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 4" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws"{ | ||
| profile = var.profile | ||
| region = var.default-region | ||
|
|
||
| default_tags { | ||
| tags = { | ||
| CustodianRule = "ecc-aws-081-rds_not_open_to_large_scope" | ||
| ComplianceStatus = "Red" | ||
| } | ||
| } | ||
| } |
33 changes: 33 additions & 0 deletions
33
terraform/ecc-aws-081-rds_not_open_to_large_scope/red/rds.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| resource "aws_security_group" "this" { | ||
| name = "081_security_group_red" | ||
| description = "Allow all inbound traffic" | ||
|
|
||
| ingress { | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
| } | ||
|
|
||
| resource "random_password" "this" { | ||
| length = 12 | ||
| special = true | ||
| numeric = true | ||
| override_special = "!#$%*()-_=+[]{}:?" | ||
| } | ||
|
|
||
| resource "aws_db_instance" "this" { | ||
| identifier = "database-081-red" | ||
| engine = "mysql" | ||
| engine_version = "5.7" | ||
| instance_class = "db.t2.micro" | ||
| allocated_storage = 20 | ||
| storage_type = "gp2" | ||
| db_name = "database081red" | ||
| username = "root" | ||
| password = random_password.this.result | ||
| parameter_group_name = "default.mysql5.7" | ||
| skip_final_snapshot = true | ||
| vpc_security_group_ids = ["${aws_security_group.this.id}"] | ||
| } |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-081-rds_not_open_to_large_scope/red/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| profile = "c7n" | ||
| default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-081-rds_not_open_to_large_scope/red/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| variable "default-region" { | ||
| type = string | ||
| description = "Default region for resources will be created" | ||
| } | ||
|
|
||
| variable "profile" { | ||
| type = string | ||
| description = "Profile name configured before running apply" | ||
| } |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-081-rds_not_open_to_large_scope/red1/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| terraform { | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 4" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws"{ | ||
| profile = var.profile | ||
| region = var.default-region | ||
|
|
||
| default_tags { | ||
| tags = { | ||
| CustodianRule = "ecc-aws-081-rds_not_open_to_large_scope" | ||
| ComplianceStatus = "Red1" | ||
| } | ||
| } | ||
| } |
33 changes: 33 additions & 0 deletions
33
terraform/ecc-aws-081-rds_not_open_to_large_scope/red1/rds.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| resource "aws_security_group" "this" { | ||
| name = "081_security_group_red1" | ||
| description = "Allow all inbound traffic" | ||
|
|
||
| ingress { | ||
| from_port = 22 | ||
| to_port = 22 | ||
| protocol = "tcp" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
| } | ||
|
|
||
| resource "random_password" "this" { | ||
| length = 12 | ||
| special = true | ||
| numeric = true | ||
| override_special = "!#$%*()-_=+[]{}:?" | ||
| } | ||
|
|
||
| resource "aws_db_instance" "this" { | ||
| identifier = "database-081-red1" | ||
| engine = "mysql" | ||
| engine_version = "5.7" | ||
| instance_class = "db.t2.micro" | ||
| allocated_storage = 20 | ||
| db_name = "database081red1" | ||
| storage_type = "gp2" | ||
| username = "root" | ||
| password = random_password.this.result | ||
| parameter_group_name = "default.mysql5.7" | ||
| skip_final_snapshot = true | ||
| vpc_security_group_ids = ["${aws_security_group.this.id}"] | ||
| } |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-081-rds_not_open_to_large_scope/red1/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| profile = "c7n" | ||
| default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-081-rds_not_open_to_large_scope/red1/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| variable "default-region" { | ||
| type = string | ||
| description = "Default region for resources will be created" | ||
| } | ||
|
|
||
| variable "profile" { | ||
| type = string | ||
| description = "Profile name configured before running apply" | ||
| } |
122 changes: 122 additions & 0 deletions
122
terraform/ecc-aws-088-http_elb_certificate_expire_in_one_week/green/certificate.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| resource "aws_instance" "this" { | ||
| ami = data.aws_ami.this.id | ||
| instance_type = "t2.micro" | ||
| vpc_security_group_ids = [aws_security_group.this.id] | ||
| subnet_id = aws_subnet.subnet1.id | ||
| } | ||
|
|
||
| data "aws_ami" "this" { | ||
| most_recent = true | ||
| owners = ["amazon"] | ||
|
|
||
| filter { | ||
| name = "name" | ||
| values = ["amzn2-ami-hvm*"] | ||
| } | ||
| } | ||
|
|
||
| resource "aws_vpc" "this" { | ||
| cidr_block = "10.0.0.0/16" | ||
| } | ||
|
|
||
| resource "aws_internet_gateway" "this" { | ||
| vpc_id = aws_vpc.this.id | ||
| } | ||
|
|
||
| resource "aws_subnet" "subnet1" { | ||
| vpc_id = aws_vpc.this.id | ||
| cidr_block = "10.0.1.0/24" | ||
| availability_zone = "us-east-1a" | ||
| } | ||
|
|
||
| resource "aws_subnet" "subnet2" { | ||
| vpc_id = aws_vpc.this.id | ||
| cidr_block = "10.0.2.0/24" | ||
| availability_zone = "us-east-1b" | ||
| } | ||
|
|
||
| resource "aws_security_group" "this" { | ||
| name = "088_security_group_green" | ||
| description = "Allow inbound traffic" | ||
| vpc_id = aws_vpc.this.id | ||
|
|
||
| ingress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
|
|
||
| egress { | ||
| from_port = 0 | ||
| to_port = 0 | ||
| protocol = "-1" | ||
| cidr_blocks = ["0.0.0.0/0"] | ||
| } | ||
| } | ||
|
|
||
| resource "aws_lb" "this" { | ||
| name = "088-lb-https-green" | ||
| internal = false | ||
| load_balancer_type = "application" | ||
| security_groups = [aws_security_group.this.id] | ||
| subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] | ||
| } | ||
|
|
||
| resource "aws_lb_target_group" "this" { | ||
| name = "088-lb-target-group-green" | ||
| port = 80 | ||
| protocol = "HTTP" | ||
| vpc_id = aws_vpc.this.id | ||
| } | ||
|
|
||
| resource "aws_lb_target_group_attachment" "this" { | ||
| target_group_arn = aws_lb_target_group.this.arn | ||
| target_id = aws_instance.this.id | ||
| port = 80 | ||
| } | ||
|
|
||
| resource "aws_lb_listener" "this" { | ||
| load_balancer_arn = aws_lb.this.arn | ||
| port = "443" | ||
| protocol = "HTTPS" | ||
| ssl_policy = "ELBSecurityPolicy-2016-08" | ||
| certificate_arn = aws_acm_certificate.this.arn | ||
|
|
||
| default_action { | ||
| type = "forward" | ||
| target_group_arn = aws_lb_target_group.this.arn | ||
| } | ||
| } | ||
|
|
||
| resource "aws_lb_listener_certificate" "this" { | ||
| listener_arn = aws_lb_listener.this.arn | ||
| certificate_arn = aws_acm_certificate.this.arn | ||
| } | ||
|
|
||
|
|
||
| resource "tls_private_key" "this" { | ||
| algorithm = "RSA" | ||
| } | ||
|
|
||
| resource "tls_self_signed_cert" "this" { | ||
| private_key_pem = tls_private_key.this.private_key_pem | ||
|
|
||
| subject { | ||
| common_name = "example.com" | ||
| organization = "ACME Examples, Inc" | ||
| } | ||
|
|
||
| validity_period_hours = 192 | ||
|
|
||
| allowed_uses = [ | ||
| "key_encipherment", | ||
| "digital_signature", | ||
| "server_auth", | ||
| ] | ||
| } | ||
|
|
||
| resource "aws_acm_certificate" "this" { | ||
| private_key = tls_private_key.this.private_key_pem | ||
| certificate_body = tls_self_signed_cert.this.cert_pem | ||
| } |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-088-http_elb_certificate_expire_in_one_week/green/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| terraform { | ||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "~> 4" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws"{ | ||
| profile = var.profile | ||
| region = var.default-region | ||
|
|
||
| default_tags { | ||
| tags = { | ||
| CustodianRule = "ecc-aws-088-http_load_balancer_certificate_expire_in_one_week" | ||
| ComplianceStatus = "Green" | ||
| } | ||
| } | ||
| } |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-088-http_elb_certificate_expire_in_one_week/green/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| profile = "c7n" | ||
| default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-088-http_elb_certificate_expire_in_one_week/green/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| variable "default-region" { | ||
| type = string | ||
| description = "Default region for resources will be created" | ||
| } | ||
|
|
||
| variable "profile" { | ||
| type = string | ||
| description = "Profile name configured before running apply" | ||
| } |
Oops, something went wrong.