Merge pull request #14 from schubergphilis/service-quota

feat: add role to integrate with the terraform-aws-mcaf-service-quotas-manager module + formatting
schubergphilis · Dec 28, 2023 · c036e2d · c036e2d
2 parents 21f5197 + 8c1f2da
commit c036e2d
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ monitor_iam_activity_sso           = false
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
 
 ## Providers
@@ -74,7 +74,9 @@ monitor_iam_activity_sso           = false
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_service_quota_manager_role"></a> [service\_quota\_manager\_role](#module\_service\_quota\_manager\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.3 |
 
 ## Resources
 
@@ -102,6 +104,7 @@ No modules.
 | <a name="input_aws_security_hub_standards_arns"></a> [aws\_security\_hub\_standards\_arns](#input\_aws\_security\_hub\_standards\_arns) | A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled | `list(string)` | `null` | no |
 | <a name="input_monitor_iam_activity_sns_topic_arn"></a> [monitor\_iam\_activity\_sns\_topic\_arn](#input\_monitor\_iam\_activity\_sns\_topic\_arn) | SNS Topic that should receive captured IAM activity events | `string` | `null` | no |
 | <a name="input_monitor_iam_activity_sso"></a> [monitor\_iam\_activity\_sso](#input\_monitor\_iam\_activity\_sso) | Whether IAM activity from SSO roles should be monitored | `bool` | `true` | no |
+| <a name="input_service_quotas_manager_role"></a> [service\_quotas\_manager\_role](#input\_service\_quotas\_manager\_role) | Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module | <pre>object({<br>    assuming_principal_identifier = string<br>    path                          = optional(string, "/")<br>    permissions_boundary          = optional(string, null)<br>  })</pre> | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags | `map(string)` | `{}` | no |
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -1,5 +1,6 @@
 resource "aws_cloudwatch_log_metric_filter" "iam_activity" {
-  for_each       = var.monitor_iam_activity_sns_topic_arn != null ? local.iam_activity : {}
+  for_each = var.monitor_iam_activity_sns_topic_arn != null ? local.iam_activity : {}
+
   name           = "BaseLine-IAMActivity-${each.key}"
   pattern        = each.value
   log_group_name = data.aws_cloudwatch_log_group.cloudtrail[0].name
@@ -12,7 +13,8 @@ resource "aws_cloudwatch_log_metric_filter" "iam_activity" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "iam_activity" {
-  for_each                  = aws_cloudwatch_log_metric_filter.iam_activity
+  for_each = aws_cloudwatch_log_metric_filter.iam_activity
+
   alarm_name                = each.value.name
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "1"
@@ -28,7 +30,8 @@ resource "aws_cloudwatch_metric_alarm" "iam_activity" {
 }
 
 resource "aws_config_aggregate_authorization" "default" {
-  for_each   = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator }
+  for_each = { for aggregator in local.aws_config_aggregators : "${aggregator.account_id}-${aggregator.region}" => aggregator }
+
   account_id = each.value.account_id
   region     = each.value.region
   tags       = var.tags
@@ -39,12 +42,14 @@ resource "aws_ebs_encryption_by_default" "default" {
 }
 
 resource "aws_ebs_default_kms_key" "default" {
-  count   = var.aws_ebs_encryption_custom_key == true ? 1 : 0
+  count = var.aws_ebs_encryption_custom_key == true ? 1 : 0
+
   key_arn = var.aws_kms_key_arn
 }
 
 resource "aws_iam_account_password_policy" "default" {
-  count                          = var.account_password_policy != null ? 1 : 0
+  count = var.account_password_policy != null ? 1 : 0
+
   allow_users_to_change_password = var.account_password_policy.allow_users_to_change
   max_password_age               = var.account_password_policy.max_age
   minimum_password_length        = var.account_password_policy.minimum_length
@@ -60,3 +65,57 @@ resource "aws_securityhub_standards_subscription" "default" {
 
   standards_arn = each.value
 }
+
+module "service_quota_manager_role" {
+  count  = var.service_quotas_manager_role != null ? 1 : 0
+  source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.3"
+
+  name                  = "ServiceQuotaManager"
+  create_policy         = true
+  path                  = var.service_quotas_manager_role.path
+  permissions_boundary  = var.service_quotas_manager_role.permissions_boundary
+  policy_arns           = ["arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess"]
+  postfix               = true
+  principal_identifiers = [var.service_quotas_manager_role.assuming_principal_identifier]
+  principal_type        = "AWS"
+  tags                  = var.tags
+
+  role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "AllowConfigReadAccess",
+          "Effect" : "Allow",
+          "Action" : "config:SelectResourceConfig",
+          "Resource" : "*"
+        },
+        {
+          "Sid" : "AllowSupportAccess",
+          "Effect" : "Allow",
+          "Action" : [
+            "support:DescribeSeverityLevels",
+            "support:AddCommunicationToCase"
+          ],
+          "Resource" : "*"
+        },
+        {
+          "Sid" : "AllowCeAccessForServiceAutoDiscovery",
+          "Effect" : "Allow",
+          "Action" : [
+            "ce:GetCostAndUsage"
+          ],
+          "Resource" : "*"
+        },
+        {
+          "Sid" : "AllowServiceQuotaIncreaseRequestAccess",
+          "Effect" : "Allow",
+          "Action" : [
+            "servicequotas:RequestServiceQuotaIncrease"
+          ],
+          "Resource" : "*"
+        }
+      ]
+    }
+  )
+}
diff --git a/variables.tf b/variables.tf
@@ -55,6 +55,16 @@ variable "aws_security_hub_standards_arns" {
   description = "A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled"
 }
 
+variable "service_quotas_manager_role" {
+  type = object({
+    assuming_principal_identifier = string
+    path                          = optional(string, "/")
+    permissions_boundary          = optional(string, null)
+  })
+  default     = null
+  description = "Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module"
+}
+
 variable "monitor_iam_activity_sns_topic_arn" {
   type        = string
   default     = null

diff --git a/versions.tf b/versions.tf
@@ -5,5 +5,5 @@ terraform {
       version = ">= 4.0.0"
     }
   }
-  required_version = ">= 0.13"
+  required_version = ">= 1.2.0"
 }