Alphabetize

cisagov · May 10, 2024 · 9926864 · 9926864
1 parent 3e95980
commit 9926864
Show file tree

Hide file tree

Showing 92 changed files with 847 additions and 883 deletions.
diff --git a/assessorworkbench_cloud_init.tf b/assessorworkbench_cloud_init.tf
@@ -3,8 +3,8 @@
 data "cloudinit_config" "assessorworkbench_cloud_init_tasks" {
   count = lookup(var.operations_instance_counts, "assessorworkbench", 0)
 
-  gzip          = true
   base64_encode = true
+  gzip          = true
 
   # Note: The filename parameters in each part below are only used to
   # name the mime-parts of the user-data.  They do not affect the

diff --git a/assessorworkbench_ec2.tf b/assessorworkbench_ec2.tf
@@ -19,8 +19,8 @@ data "aws_ami" "assessorworkbench" {
     values = ["ebs"]
   }
 
-  owners      = [local.images_account_id]
   most_recent = true
+  owners      = [local.images_account_id]
 }
 
 # The Assessor Workbench EC2 instances
@@ -40,7 +40,6 @@ resource "aws_instance" "assessorworkbench" {
   associate_public_ip_address = true
   iam_instance_profile        = aws_iam_instance_profile.assessorworkbench.name
   instance_type               = "t3.medium"
-  subnet_id                   = aws_subnet.operations.id
   # AWS Instance Meta-Data Service (IMDS) options
   metadata_options {
     # Enable IMDS (this is the default value)
@@ -56,23 +55,24 @@ resource "aws_instance" "assessorworkbench" {
     volume_size = 128
     volume_type = "gp3"
   }
-  user_data_base64 = data.cloudinit_config.assessorworkbench_cloud_init_tasks[count.index].rendered
-  vpc_security_group_ids = [
-    aws_security_group.cloudwatch_agent_endpoint_client.id,
-    aws_security_group.assessorworkbench.id,
-    aws_security_group.efs_client.id,
-    aws_security_group.guacamole_accessible.id,
-    aws_security_group.ssm_agent_endpoint_client.id,
-  ]
+  subnet_id = aws_subnet.operations.id
   tags = {
     Name = format("AssessorWorkbench%d", count.index)
   }
+  user_data_base64 = data.cloudinit_config.assessorworkbench_cloud_init_tasks[count.index].rendered
   # volume_tags does not yet inherit the default tags from the
   # provider.  See hashicorp/terraform-provider-aws#19188 for more
   # details.
   volume_tags = merge(data.aws_default_tags.assessment.tags, {
     Name = format("AssessorWorkbench%d", count.index)
   })
+  vpc_security_group_ids = [
+    aws_security_group.cloudwatch_agent_endpoint_client.id,
+    aws_security_group.assessorworkbench.id,
+    aws_security_group.efs_client.id,
+    aws_security_group.guacamole_accessible.id,
+    aws_security_group.ssm_agent_endpoint_client.id,
+  ]
 }
 
 # The EBS volume for each Assessor Workbench instance; it is used to
@@ -88,11 +88,10 @@ resource "aws_ebs_volume" "assessorworkbench_docker" {
   availability_zone = "${var.aws_region}${var.aws_availability_zone}"
   encrypted         = true
   size              = 16
-  type              = "gp3"
-
   tags = {
     Name = format("AssessorWorkbench%d Docker", count.index)
   }
+  type = "gp3"
 }
 
 # Attach EBS volume to Assessor Workbench instance

diff --git a/assessorworkbench_iam.tf b/assessorworkbench_iam.tf
@@ -21,23 +21,23 @@ resource "aws_iam_role" "assessorworkbench_instance_role" {
 resource "aws_iam_role_policy_attachment" "cloudwatch_agent_policy_attachment_assessorworkbench" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.assessorworkbench_instance_role.id
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+  role       = aws_iam_role.assessorworkbench_instance_role.id
 }
 
 # Attach the SSM Agent policy to this role as well
 resource "aws_iam_role_policy_attachment" "ssm_agent_policy_attachment_assessorworkbench" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.assessorworkbench_instance_role.id
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  role       = aws_iam_role.assessorworkbench_instance_role.id
 }
 
 # Attach a policy that allows the Assessor Workbench instances to
 # mount and write to the EFS
 resource "aws_iam_role_policy_attachment" "efs_mount_policy_attachment_assessorworkbench" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.assessorworkbench_instance_role.id
   policy_arn = aws_iam_policy.efs_mount_policy.arn
+  role       = aws_iam_role.assessorworkbench_instance_role.id
 }
diff --git a/assessorworkbench_route53.tf b/assessorworkbench_route53.tf
@@ -3,9 +3,9 @@ resource "aws_route53_record" "assessorworkbench_A" {
   count    = lookup(var.operations_instance_counts, "assessorworkbench", 0)
   provider = aws.provisionassessment
 
-  zone_id = aws_route53_zone.assessment_private.zone_id
   name    = "assessorworkbench${count.index}.${aws_route53_zone.assessment_private.name}"
-  type    = "A"
-  ttl     = var.dns_ttl
   records = [aws_instance.assessorworkbench[count.index].private_ip]
+  ttl     = var.dns_ttl
+  type    = "A"
+  zone_id = aws_route53_zone.assessment_private.zone_id
 }
diff --git a/assessorworkbench_sg.tf b/assessorworkbench_sg.tf
@@ -2,11 +2,10 @@
 resource "aws_security_group" "assessorworkbench" {
   provider = aws.provisionassessment
 
-  vpc_id = aws_vpc.assessment.id
-
   tags = {
     "Name" = "Assessor Workbench"
   }
+  vpc_id = aws_vpc.assessment.id
 }
 
 # Allow egress to anywhere via HTTP and HTTPS
@@ -16,12 +15,12 @@ resource "aws_security_group_rule" "assessorworkbench_egress_to_anywhere_via_htt
   for_each = toset(["80", "443"])
   provider = aws.provisionassessment
 
-  security_group_id = aws_security_group.assessorworkbench.id
-  type              = "egress"
-  protocol          = "tcp"
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = each.key
+  protocol          = "tcp"
+  security_group_id = aws_security_group.assessorworkbench.id
   to_port           = each.key
+  type              = "egress"
 }
 
 # Allow ingress from anywhere via the allowed ports
@@ -32,10 +31,10 @@ resource "aws_security_group_rule" "ingress_from_anywhere_to_assessorworkbench_v
   # acceptable form.
   for_each = { for d in var.inbound_ports_allowed["assessorworkbench"] : format("%s_%d_%d", d.protocol, d.from_port, d.to_port) => d }
 
-  security_group_id = aws_security_group.assessorworkbench.id
-  type              = "ingress"
-  protocol          = each.value["protocol"]
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = each.value["from_port"]
+  protocol          = each.value["protocol"]
+  security_group_id = aws_security_group.assessorworkbench.id
   to_port           = each.value["to_port"]
+  type              = "ingress"
 }
diff --git a/backend.tf b/backend.tf
@@ -1,10 +1,10 @@
 terraform {
   backend "s3" {
-    encrypt        = true
     bucket         = "cisa-cool-terraform-state"
     dynamodb_table = "terraform-state-lock"
+    encrypt        = true
+    key            = "cool-assessment-terraform/terraform.tfstate"
     profile        = "cool-terraform-backend"
     region         = "us-east-1"
-    key            = "cool-assessment-terraform/terraform.tfstate"
   }
 }
diff --git a/cloudwatch_agent_endpoint_client_sg.tf b/cloudwatch_agent_endpoint_client_sg.tf
@@ -2,22 +2,21 @@
 resource "aws_security_group" "cloudwatch_agent_endpoint_client" {
   provider = aws.provisionassessment
 
-  vpc_id = aws_vpc.assessment.id
-
   tags = {
     Name = "CloudWatch agent endpoint client"
   }
+  vpc_id = aws_vpc.assessment.id
 }
 
 # Allow egress via HTTPS to the CloudWatch agent endpoint security
 # group.
 resource "aws_security_group_rule" "egress_from_cloudwatch_agent_endpoint_client_to_cloudwatch_agent_endpoint_via_https" {
   provider = aws.provisionassessment
 
-  security_group_id        = aws_security_group.cloudwatch_agent_endpoint_client.id
-  type                     = "egress"
+  from_port                = 443
   protocol                 = "tcp"
+  security_group_id        = aws_security_group.cloudwatch_agent_endpoint_client.id
   source_security_group_id = aws_security_group.cloudwatch_agent_endpoint.id
-  from_port                = 443
   to_port                  = 443
+  type                     = "egress"
 }
diff --git a/cloudwatch_agent_endpoint_sg.tf b/cloudwatch_agent_endpoint_sg.tf
@@ -3,22 +3,21 @@
 resource "aws_security_group" "cloudwatch_agent_endpoint" {
   provider = aws.provisionassessment
 
-  vpc_id = aws_vpc.assessment.id
-
   tags = {
     Name = "CloudWatch agent endpoints"
   }
+  vpc_id = aws_vpc.assessment.id
 }
 
 # Allow ingress via HTTPS from the CloudWatch agent endpoint client
 # security group.
 resource "aws_security_group_rule" "ingress_from_cloudwatch_agent_endpoint_client_to_cloudwatch_agent_endpoint_via_https" {
   provider = aws.provisionassessment
 
-  security_group_id        = aws_security_group.cloudwatch_agent_endpoint.id
-  type                     = "ingress"
+  from_port                = 443
   protocol                 = "tcp"
+  security_group_id        = aws_security_group.cloudwatch_agent_endpoint.id
   source_security_group_id = aws_security_group.cloudwatch_agent_endpoint_client.id
-  from_port                = 443
   to_port                  = 443
+  type                     = "ingress"
 }
diff --git a/debiandesktop_cloud_init.tf b/debiandesktop_cloud_init.tf
@@ -3,8 +3,8 @@
 data "cloudinit_config" "debiandesktop_cloud_init_tasks" {
   count = lookup(var.operations_instance_counts, "debiandesktop", 0)
 
-  gzip          = true
   base64_encode = true
+  gzip          = true
 
   # Note: The filename parameters in each part below are only used to
   # name the mime-parts of the user-data.  They do not affect the

diff --git a/debiandesktop_ec2.tf b/debiandesktop_ec2.tf
@@ -19,8 +19,8 @@ data "aws_ami" "debiandesktop" {
     values = ["ebs"]
   }
 
-  owners      = [local.images_account_id]
   most_recent = true
+  owners      = [local.images_account_id]
 }
 
 # The "Debian desktop" EC2 instances
@@ -39,7 +39,6 @@ resource "aws_instance" "debiandesktop" {
   associate_public_ip_address = true
   iam_instance_profile        = aws_iam_instance_profile.debiandesktop.name
   instance_type               = "t3.medium"
-  subnet_id                   = aws_subnet.operations.id
   # AWS Instance Meta-Data Service (IMDS) options
   metadata_options {
     # Enable IMDS (this is the default value)
@@ -55,23 +54,24 @@ resource "aws_instance" "debiandesktop" {
     volume_size = 128
     volume_type = "gp3"
   }
-  user_data_base64 = data.cloudinit_config.debiandesktop_cloud_init_tasks[count.index].rendered
-  vpc_security_group_ids = [
-    aws_security_group.cloudwatch_agent_endpoint_client.id,
-    aws_security_group.debiandesktop.id,
-    aws_security_group.efs_client.id,
-    aws_security_group.guacamole_accessible.id,
-    aws_security_group.ssm_agent_endpoint_client.id,
-  ]
+  subnet_id = aws_subnet.operations.id
   tags = {
     Name = format("DebianDesktop%d", count.index)
   }
+  user_data_base64 = data.cloudinit_config.debiandesktop_cloud_init_tasks[count.index].rendered
   # volume_tags does not yet inherit the default tags from the
   # provider.  See hashicorp/terraform-provider-aws#19188 for more
   # details.
   volume_tags = merge(data.aws_default_tags.assessment.tags, {
     Name = format("DebianDesktop%d", count.index)
   })
+  vpc_security_group_ids = [
+    aws_security_group.cloudwatch_agent_endpoint_client.id,
+    aws_security_group.debiandesktop.id,
+    aws_security_group.efs_client.id,
+    aws_security_group.guacamole_accessible.id,
+    aws_security_group.ssm_agent_endpoint_client.id,
+  ]
 }
 
 # CloudWatch alarms for the Debian Desktop instances

diff --git a/debiandesktop_iam.tf b/debiandesktop_iam.tf
@@ -12,31 +12,31 @@ resource "aws_iam_instance_profile" "debiandesktop" {
 resource "aws_iam_role" "debiandesktop_instance_role" {
   provider = aws.provisionassessment
 
-  name               = "debiandesktop_instance_role_${terraform.workspace}"
   assume_role_policy = data.aws_iam_policy_document.ec2_service_assume_role_doc.json
+  name               = "debiandesktop_instance_role_${terraform.workspace}"
 }
 
 # Attach the CloudWatch Agent policy to this role as well
 resource "aws_iam_role_policy_attachment" "cloudwatch_agent_policy_attachment_debiandesktop" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.debiandesktop_instance_role.id
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+  role       = aws_iam_role.debiandesktop_instance_role.id
 }
 
 # Attach the SSM Agent policy to this role as well
 resource "aws_iam_role_policy_attachment" "ssm_agent_policy_attachment_debiandesktop" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.debiandesktop_instance_role.id
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  role       = aws_iam_role.debiandesktop_instance_role.id
 }
 
 # Attach a policy that allows the Debian desktop instances to mount and
 # write to the EFS
 resource "aws_iam_role_policy_attachment" "efs_mount_policy_attachment_debiandesktop" {
   provider = aws.provisionassessment
 
-  role       = aws_iam_role.debiandesktop_instance_role.id
   policy_arn = aws_iam_policy.efs_mount_policy.arn
+  role       = aws_iam_role.debiandesktop_instance_role.id
 }
diff --git a/debiandesktop_route53.tf b/debiandesktop_route53.tf
@@ -3,9 +3,9 @@ resource "aws_route53_record" "debiandesktop_A" {
   count    = lookup(var.operations_instance_counts, "debiandesktop", 0)
   provider = aws.provisionassessment
 
-  zone_id = aws_route53_zone.assessment_private.zone_id
   name    = "debiandesktop${count.index}.${aws_route53_zone.assessment_private.name}"
-  type    = "A"
-  ttl     = var.dns_ttl
   records = [aws_instance.debiandesktop[count.index].private_ip]
+  ttl     = var.dns_ttl
+  type    = "A"
+  zone_id = aws_route53_zone.assessment_private.zone_id
 }
diff --git a/debiandesktop_sg.tf b/debiandesktop_sg.tf
@@ -2,11 +2,10 @@
 resource "aws_security_group" "debiandesktop" {
   provider = aws.provisionassessment
 
-  vpc_id = aws_vpc.assessment.id
-
   tags = {
     "Name" = "Debian Desktop"
   }
+  vpc_id = aws_vpc.assessment.id
 }
 
 # Allow egress to Nessus web GUI port (8834)
@@ -15,12 +14,12 @@ resource "aws_security_group" "debiandesktop" {
 resource "aws_security_group_rule" "debiandesktop_egress_to_nessus_via_web_ui" {
   provider = aws.provisionassessment
 
-  security_group_id        = aws_security_group.debiandesktop.id
-  type                     = "egress"
+  from_port                = 8834
   protocol                 = "tcp"
+  security_group_id        = aws_security_group.debiandesktop.id
   source_security_group_id = aws_security_group.nessus.id
-  from_port                = 8834
   to_port                  = 8834
+  type                     = "egress"
 }
 
 # Allow egress to anywhere via HTTP and HTTPS
@@ -30,12 +29,12 @@ resource "aws_security_group_rule" "debiandesktop_egress_to_anywhere_via_http_an
   for_each = toset(["80", "443"])
   provider = aws.provisionassessment
 
-  security_group_id = aws_security_group.debiandesktop.id
-  type              = "egress"
-  protocol          = "tcp"
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = each.key
+  protocol          = "tcp"
+  security_group_id = aws_security_group.debiandesktop.id
   to_port           = each.key
+  type              = "egress"
 }
 
 # Allow ingress from anywhere via the allowed ports
@@ -46,10 +45,10 @@ resource "aws_security_group_rule" "ingress_from_anywhere_to_debiandesktop_via_a
   # acceptable form.
   for_each = { for d in var.inbound_ports_allowed["debiandesktop"] : format("%s_%d_%d", d.protocol, d.from_port, d.to_port) => d }
 
-  security_group_id = aws_security_group.debiandesktop.id
-  type              = "ingress"
-  protocol          = each.value["protocol"]
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = each.value["from_port"]
+  protocol          = each.value["protocol"]
+  security_group_id = aws_security_group.debiandesktop.id
   to_port           = each.value["to_port"]
+  type              = "ingress"
 }