diff --git a/README.md b/README.md
index 505dc5f..884960c 100644
--- a/README.md
+++ b/README.md
@@ -183,7 +183,6 @@ No modules.
 | [aws_config_config_rule.iam-policy-no-statements-with-full-access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.iam-user-no-policies-check](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.iam_root_access_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
-| [aws_config_config_rule.instances-in-vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.internet-gateway-authorized-vpc-only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.mfa_enabled_for_iam_console_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.multi-region-cloud-trail-enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
@@ -201,7 +200,6 @@ No modules.
 | [aws_config_config_rule.s3-bucket-level-public-access-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.s3-bucket-public-read-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.s3-bucket-public-write-prohibited](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
-| [aws_config_config_rule.s3-bucket-server-side-encryption-enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.s3_bucket_ssl_requests_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.vpc-sg-open-only-to-authorized-ports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
 | [aws_config_config_rule.vpc_default_security_group_closed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource |
@@ -263,7 +261,6 @@ No modules.
 | check\_iam\_policy\_no\_statements\_with\_full\_access | Enable iam-policy-no-statements-with-full-access rule | `bool` | `true` | no |
 | check\_iam\_root\_access\_key | Enable iam-root-access-key rule | `bool` | `true` | no |
 | check\_iam\_user\_no\_policies\_check | Enable iam-user-no-policies-check rule | `bool` | `true` | no |
-| check\_instances\_in\_vpc | Enable instances-in-vpc rule | `bool` | `true` | no |
 | check\_internet\_gateway\_authorized\_vpc\_only | Enable internet-gateway-authorized-vpc-only rule | `bool` | `false` | no |
 | check\_mfa\_enabled\_for\_iam\_console\_access | Enable mfa-enabled-for-iam-console-access rule | `bool` | `true` | no |
 | check\_multi\_region\_cloud\_trail | Enable multi-region-cloud-trail-enabled rule | `bool` | `false` | no |
@@ -281,7 +278,6 @@ No modules.
 | check\_s3\_bucket\_level\_public\_access\_prohibited | Enable s3-bucket-level-public-access-prohibited rule | `bool` | `false` | no |
 | check\_s3\_bucket\_public\_read\_prohibited | Enable s3-bucket-public-read-prohibited rule | `bool` | `false` | no |
 | check\_s3\_bucket\_public\_write\_prohibited | Enable s3-bucket-public-write-prohibited rule | `bool` | `true` | no |
-| check\_s3\_bucket\_server\_side\_encryption\_enabled | Enable s3-bucket-server-side-encryption-enabled rule | `bool` | `true` | no |
 | check\_s3\_bucket\_ssl\_requests\_only | Enable s3-bucket-ssl-requests-only rule | `bool` | `true` | no |
 | check\_vpc\_default\_security\_group\_closed | Enable vpc-default-security-group-closed rule | `bool` | `true` | no |
 | check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `false` | no |
diff --git a/config-rules.tf b/config-rules.tf
index 22b4f0b..aa01a29 100644
--- a/config-rules.tf
+++ b/config-rules.tf
@@ -178,21 +178,6 @@ resource "aws_config_config_rule" "cloud-trail-log-file-validation-enabled" { depends_on = [aws_config_configuration_recorder.main] } -resource "aws_config_config_rule" "instances-in-vpc" { - count = var.check_instances_in_vpc ? 1 : 0 - name = "instances-in-vpc" - description = "Ensure all EC2 instances run in a VPC" - - source { - owner = "AWS" - source_identifier = "INSTANCES_IN_VPC" - } - - tags = var.tags - - depends_on = [aws_config_configuration_recorder.main] -} - resource "aws_config_config_rule" "root-account-mfa-enabled" { count = var.check_root_account_mfa_enabled ? 1 : 0 name = "root-account-mfa-enabled" @@ -923,21 +908,6 @@ resource "aws_config_config_rule" "s3-bucket-acl-prohibited" { depends_on = [aws_config_configuration_recorder.main] } -resource "aws_config_config_rule" "s3-bucket-server-side-encryption-enabled" { - count = var.check_s3_bucket_server_side_encryption_enabled ? 1 : 0 - name = "s3-bucket-server-side-encryption-enabled" - description = "Checks if S3 bucket either has the S3 default encryption enabled or that S3 policy explicitly denies put-object requests without SSE that uses AES-256 or AWS KMS. The rule is NON_COMPLIANT if your Amazon S3 bucket is not encrypted by default." - - source { - owner = "AWS" - source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" - } - - tags = var.tags - - depends_on = [aws_config_configuration_recorder.main] -} - resource "aws_config_config_rule" "vpc-sg-open-only-to-authorized-ports" { count = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0 name = "vpc-sg-open-only-to-authorized-ports" diff --git a/variables.tf b/variables.tf index 92fa5e7..5dc7bbc 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,13 +1,13 @@ -variable "config_name" { - description = "The name of the AWS Config instance." - type = string - default = "aws-config" +variable "access_key_max_age" { + description = "Maximum number of days without rotation." + type = number + default = 90 } -variable "config_aggregator_name" { - description = "The name of the aggregator." - type = string - default = "organization" +variable "acm_days_to_expiration" { + description = "Specify the number of days before the rule flags the ACM Certificate as noncompliant." + type = number + default = 14 } variable "aggregate_organization" { 
@@ -16,243 +16,202 @@ variable "aggregate_organization" { default = false } -variable "config_role_permissions_boundary" { - description = "The ARN of the permissions boundary to apply to IAM roles created for AWS Config" - type = string - default = null -} - -variable "config_logs_bucket" { - description = "The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string." - type = string -} - -variable "config_logs_prefix" { - description = "The S3 prefix for AWS Config logs." - type = string - default = "config" -} - -variable "config_logs_bucket_kms_key_arn" { - description = "The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket." - type = string - default = null -} - -variable "config_max_execution_frequency" { - description = "The maximum frequency with which AWS Config runs evaluations for a rule." +variable "ami_required_tag_key_value" { + description = "Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2" type = string - default = "TwentyFour_Hours" + default = "" } -variable "config_delivery_frequency" { - description = "The frequency with which AWS Config delivers configuration snapshots." - default = "Six_Hours" +variable "authorized_vpc_ids" { + description = "Comma-separated list of the authorized VPC IDs with attached IGWs. If parameter is not provided all attached IGWs will be NON_COMPLIANT." type = string + default = "example,CSV" } -variable "acm_days_to_expiration" { - description = "Specify the number of days before the rule flags the ACM Certificate as noncompliant." - type = number - default = 14 -} - -variable "password_require_uppercase" { - description = "Require at least one uppercase character in password." 
+variable "check_access_keys_rotated" { + description = "Enable access-keys-rotated rule" type = bool default = true } -variable "password_require_lowercase" { - description = "Require at least one lowercase character in password." +variable "check_acm_certificate_expiration_check" { + description = "Enable acm-certificate-expiration-check rule" type = bool default = true } -variable "password_require_symbols" { - description = "Require at least one symbol in password." +variable "check_approved_amis_by_tag" { + description = "Enable approved-amis-by-tag rule" type = bool - default = true + default = false } -variable "password_require_numbers" { - description = "Require at least one number in password." +variable "check_cloud_trail_encryption" { + description = "Enable cloud-trail-encryption-enabled rule" type = bool - default = true + default = false } -variable "password_min_length" { - description = "Password minimum length." - type = number - default = 14 +variable "check_cloud_trail_log_file_validation" { + description = "Enable cloud-trail-log-file-validation-enabled rule" + type = bool + default = false } -variable "password_reuse_prevention" { - description = "Number of passwords before allowing reuse." - type = number - default = 24 +variable "check_cloudtrail_enabled" { + description = "Enable cloudtrail-enabled rule" + type = bool + default = true } -variable "password_max_age" { - description = "Number of days before password expiration." 
- type = number - default = 90 +variable "check_cloudwatch_log_group_encrypted" { + description = "Enable cloudwatch-log-group-encryption rule" + type = bool + default = true } -variable "check_root_account_mfa_enabled" { - description = "Enable root-account-mfa-enabled rule" +variable "check_cmk_backing_key_rotated" { + description = "Enable cmk_backing_key_rotation_enabled rule" type = bool - default = false + default = true } -variable "check_guard_duty" { - description = "Enable guardduty-enabled-centralized rule" +variable "check_cw_loggroup_retention_period" { + description = "Enable cloudwatch-log-group-retention-period-check rule" type = bool default = false } -variable "check_rds_public_access" { - description = "Enable rds-instance-public-access-check rule" +variable "check_db_instance_backup_enabled" { + description = "Enable db-instance-backup-enabled rule" type = bool default = false } -variable "check_multi_region_cloud_trail" { - description = "Enable multi-region-cloud-trail-enabled rule" +variable "check_dynamodb_table_encrypted_kms" { + description = "Enable dynamodb-table-encrypted-kms rule" type = bool default = false } -variable "check_cloudtrail_enabled" { - description = "Enable cloudtrail-enabled rule" +variable "check_dynamodb_table_encryption_enabled" { + description = "Enable checkdynamodb-table-encryption-enabled rule" type = bool default = true } -variable "check_cloud_trail_encryption" { - description = "Enable cloud-trail-encryption-enabled rule" +variable "check_ebs_optimized_instance" { + description = "Enable ebs-optimized-instance-check rule" type = bool default = false } -variable "check_cloud_trail_log_file_validation" { - description = "Enable cloud-trail-log-file-validation-enabled rule" +variable "check_ebs_snapshot_public_restorable" { + description = "Enable ebs-snapshot-public-restorable rule" type = bool - default = false + default = true } -variable "check_eip_attached" { - description = "Enable eip-attached rule" 
+variable "check_ec2_encrypted_volumes" { + description = "Enable ec2-encrypted-volumes rule" type = bool - default = false + default = true } -variable "check_required_tags" { - description = "Enable required-tags rule" +variable "check_ec2_imdsv2" { + description = "Enable IMDSv2 rule" type = bool default = false } -variable "required_tags_resource_types" { - description = "Resource types to check for tags." - type = list(string) - default = [] -} - -variable "required_tags" { - description = "A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional." - type = map(string) - default = {} -} - -variable "check_instances_in_vpc" { - description = "Enable instances-in-vpc rule" +variable "check_ec2_volume_inuse_check" { + description = "Enable ec2-volume-inuse-check rule" type = bool default = true } -variable "check_acm_certificate_expiration_check" { - description = "Enable acm-certificate-expiration-check rule" +variable "check_ecr_private_image_scanning_enabled" { + description = "Enable ecr-private-image-scanning-enabled rule" type = bool default = true } -variable "check_iam_password_policy" { - description = "Enable iam-password-policy rule" +variable "check_ecr_private_lifecycle_policy_configured" { + description = "Enable ecr-private-lifecycle-policy-configured rule" type = bool default = true } -variable "check_iam_group_has_users_check" { - description = "Enable iam-group-has-users-check rule" +variable "check_ecs_awsvpc_networking_enabled" { + description = "Enable ecs-awsvpc-networking-enabled rule" type = bool default = true } -variable "check_iam_user_no_policies_check" { - description = "Enable iam-user-no-policies-check rule" +variable "check_ecs_containers_nonprivileged" { + description = "Enable ecs-containers-nonprivileged rule" type = bool default = true } -variable "check_ec2_volume_inuse_check" { - description = "Enable ec2-volume-inuse-check rule" +variable "check_ecs_containers_readonly_access" { + 
description = "Enable ecs-containers-readonly-access rule" type = bool default = true } -variable "check_approved_amis_by_tag" { - description = "Enable approved-amis-by-tag rule" +variable "check_ecs_no_environment_secrets" { + description = "Enable ecs-no-environment-secrets rule" type = bool default = false } -variable "ami_required_tag_key_value" { - description = "Tag/s key and value which AMI has to have in order to be compliant: Example: key1:value1,key2:value2" - type = string - default = "" +variable "check_eip_attached" { + description = "Enable eip-attached rule" + type = bool + default = false } -variable "check_ec2_encrypted_volumes" { - description = "Enable ec2-encrypted-volumes rule" +variable "check_elb_deletion_protection_enabled" { + description = "Enable elb-deletion-protection-enabled rule" type = bool default = true } -variable "check_rds_storage_encrypted" { - description = "Enable rds-storage-encrypted rule" +variable "check_elb_logging_enabled" { + description = "Enable elb-logging-enabled rule" type = bool - default = true + default = false } -variable "check_rds_snapshots_public_prohibited" { - description = "Enable rds-snapshots-public-prohibited rule" +variable "check_guard_duty" { + description = "Enable guardduty-enabled-centralized rule" type = bool - default = true + default = false } -variable "check_s3_bucket_public_write_prohibited" { - description = "Enable s3-bucket-public-write-prohibited rule" +variable "check_iam_group_has_users_check" { + description = "Enable iam-group-has-users-check rule" type = bool default = true } -variable "check_cloudwatch_log_group_encrypted" { - description = "Enable cloudwatch-log-group-encryption rule" +variable "check_iam_password_policy" { + description = "Enable iam-password-policy rule" type = bool default = true } -variable "check_cw_loggroup_retention_period" { - description = "Enable cloudwatch-log-group-retention-period-check rule" +variable 
"check_iam_policy_no_statements_with_admin_access" { + description = "Enable iam-policy-no-statements-with-admin-access rule" type = bool - default = false + default = true } -variable "cw_loggroup_retention_period" { - description = "Retention period for cloudwatch logs in number of days" - type = number - default = 3653 +variable "check_iam_policy_no_statements_with_full_access" { + description = "Enable iam-policy-no-statements-with-full-access rule" + type = bool + default = true } variable "check_iam_root_access_key" { 
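Review bot: `check_instances_in_vpc` is dropped from variables.tf in this hunk, and `check_s3_bucket_server_side_encryption_enabled` in the last hunk, with nothing that tells existing callers; a module block or tfvars file that still sets either name will error or warn on the next plan, and the README only records the removal by omission. If the two rules were removed because AWS retired the managed rule identifiers, say so in the commit message and a changelog entry, and consider keeping each variable for one release with a description such as `"Deprecated: the instances-in-vpc rule is no longer created; this input is ignored"` so the removal is explicit rather than a surprise. The S3 encryption toggle defaulted to `true`, so users who relied on it silently lose an encryption-at-rest control; pointing them at a replacement such as the managed s3-default-encryption-kms rule in the changelog would close that gap. Separately, the moved `check_dynamodb_table_encryption_enabled` block carries a typo in its description, `Enable checkdynamodb-table-encryption-enabled rule`, which should read `Enable dynamodb-table-encryption-enabled rule`.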
@@ -261,178 +220,207 @@ variable "check_iam_root_access_key" { default = true } -variable "check_ebs_snapshot_public_restorable" { - description = "Enable ebs-snapshot-public-restorable rule" +variable "check_iam_user_no_policies_check" { + description = "Enable iam-user-no-policies-check rule" type = bool default = true } -variable "check_vpc_default_security_group_closed" { - description = "Enable vpc-default-security-group-closed rule" +variable "check_internet_gateway_authorized_vpc_only" { + description = "Enable internet-gateway-authorized-vpc-only rule" type = bool - default = true + default = false } -variable "check_s3_bucket_ssl_requests_only" { - description = "Enable s3-bucket-ssl-requests-only rule" +variable "check_mfa_enabled_for_iam_console_access" { + description = "Enable mfa-enabled-for-iam-console-access rule" type = bool default = true } -variable "check_mfa_enabled_for_iam_console_access" { - description = "Enable mfa-enabled-for-iam-console-access rule" +variable "check_multi_region_cloud_trail" { + description = "Enable multi-region-cloud-trail-enabled rule" + type = bool + default = false +} + +variable "check_nacl_no_unrestricted_ssh_rdp" { + description = "Enable nacl-no-unrestricted-ssh-rdp rule" type = bool default = true } -variable "check_restricted_ssh" { - description = "Enable restricted-ssh rule" +variable "check_rds_cluster_deletion_protection_enabled" { + description = "Enable rds-cluster-deletion-protection-enabled rule" type = bool default = true } -variable "tags" { - description = "Tags to apply to AWS Config resources" - type = map(string) - default = {} +variable "check_rds_public_access" { + description = "Enable rds-instance-public-access-check rule" + type = bool + default = false } -variable "include_global_resource_types" { - description = "Specifies whether AWS Config includes all supported types of global resources with the resources that it records." 
+variable "check_rds_snapshot_encrypted" { + description = "Enable rds-snapshot-encrypted rule" type = bool default = true } -variable "config_sns_topic_arn" { - description = "An SNS topic to stream configuration changes and notifications to." - type = string - default = null +variable "check_rds_snapshots_public_prohibited" { + description = "Enable rds-snapshots-public-prohibited rule" + type = bool + default = true } -variable "enable_config_recorder" { - description = "Enables configuring the AWS Config recorder resources in this module." +variable "check_rds_storage_encrypted" { + description = "Enable rds-storage-encrypted rule" type = bool default = true } -variable "check_ec2_imdsv2" { - description = "Enable IMDSv2 rule" +variable "check_required_tags" { + description = "Enable required-tags rule" type = bool default = false } -variable "check_access_keys_rotated" { - description = "Enable access-keys-rotated rule" +variable "check_restricted_common_ports" { + description = "Enable restricted-common-ports-check" type = bool - default = true -} - -variable "access_key_max_age" { - description = "Maximum number of days without rotation." - type = number - default = 90 + default = false } -variable "check_cmk_backing_key_rotated" { - description = "Enable cmk_backing_key_rotation_enabled rule" +variable "check_restricted_ssh" { + description = "Enable restricted-ssh rule" type = bool default = true } -variable "cloud_trail_cloud_watch_logs_enabled" { - description = "Enable cloud_trail_cloud_watch_logs_enabled rule" +variable "check_root_account_mfa_enabled" { + description = "Enable root-account-mfa-enabled rule" type = bool - default = true -} - -variable "expected_delivery_window_age" { - description = "Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance." 
- type = number - default = 12 + default = false } -variable "check_dynamodb_table_encryption_enabled" { - description = "Enable checkdynamodb-table-encryption-enabled rule" +variable "check_s3_bucket_acl_prohibited" { + description = "Enable s3-bucket-acl-prohibited rule" type = bool default = true } -variable "check_dynamodb_table_encrypted_kms" { - description = "Enable dynamodb-table-encrypted-kms rule" +variable "check_s3_bucket_level_public_access_prohibited" { + description = "Enable s3-bucket-level-public-access-prohibited rule" type = bool default = false } -variable "dynamodb_arn_encryption_list" { - description = "Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB Tables." - type = string - default = "example,CSV" +variable "check_s3_bucket_public_read_prohibited" { + description = "Enable s3-bucket-public-read-prohibited rule" + type = bool + default = false } -variable "check_ecr_private_image_scanning_enabled" { - description = "Enable ecr-private-image-scanning-enabled rule" +variable "check_s3_bucket_public_write_prohibited" { + description = "Enable s3-bucket-public-write-prohibited rule" type = bool default = true } -variable "check_ecr_private_lifecycle_policy_configured" { - description = "Enable ecr-private-lifecycle-policy-configured rule" +variable "check_s3_bucket_ssl_requests_only" { + description = "Enable s3-bucket-ssl-requests-only rule" type = bool default = true } -variable "check_ecs_awsvpc_networking_enabled" { - description = "Enable ecs-awsvpc-networking-enabled rule" +variable "check_vpc_default_security_group_closed" { + description = "Enable vpc-default-security-group-closed rule" type = bool default = true } -variable "check_ecs_containers_nonprivileged" { - description = "Enable ecs-containers-nonprivileged rule" +variable "check_vpc_sg_open_only_to_authorized_ports" { + description = "Enable vpc-sg-open-only-to-authorized-ports rule" type = bool - default = true + default = false } -variable 
"check_ecs_containers_readonly_access" { - description = "Enable ecs-containers-readonly-access rule" +variable "cloud_trail_cloud_watch_logs_enabled" { + description = "Enable cloud_trail_cloud_watch_logs_enabled rule" type = bool default = true } -variable "check_ecs_no_environment_secrets" { - description = "Enable ecs-no-environment-secrets rule" - type = bool - default = false +variable "config_aggregator_name" { + description = "The name of the aggregator." + type = string + default = "organization" } -variable "ecs_no_environment_secrets" { - description = "Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed." +variable "config_delivery_frequency" { + description = "The frequency with which AWS Config delivers configuration snapshots." + default = "Six_Hours" type = string - default = "example,CSV" } -variable "enable_efs_encrypted_check" { - description = "Enable efs-encrypted-check rule" - type = bool - default = false +variable "config_logs_bucket" { + description = "The S3 bucket for AWS Config logs. If you have set enable_config_recorder to false then this can be an empty string." + type = string } -variable "kms_key_id" { - description = "Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system." +variable "config_logs_bucket_kms_key_arn" { + description = "The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket." type = string - default = "example,CSV" + default = null } -variable "check_elb_deletion_protection_enabled" { - description = "Enable elb-deletion-protection-enabled rule" - type = bool - default = true +variable "config_logs_prefix" { + description = "The S3 prefix for AWS Config logs." 
+ type = string + default = "config" } -variable "check_elb_logging_enabled" { - description = "Enable elb-logging-enabled rule" - type = bool - default = false +variable "config_max_execution_frequency" { + description = "The maximum frequency with which AWS Config runs evaluations for a rule." + type = string + default = "TwentyFour_Hours" +} + +variable "config_name" { + description = "The name of the AWS Config instance." + type = string + default = "aws-config" +} + +variable "config_role_permissions_boundary" { + description = "The ARN of the permissions boundary to apply to IAM roles created for AWS Config" + type = string + default = null +} + +variable "config_sns_topic_arn" { + description = "An SNS topic to stream configuration changes and notifications to." + type = string + default = null +} + +variable "cw_loggroup_retention_period" { + description = "Retention period for cloudwatch logs in number of days" + type = number + default = 3653 +} + +variable "dynamodb_arn_encryption_list" { + description = "Comma separated list of AWS KMS key ARNs allowed for encrypting Amazon DynamoDB Tables." + type = string + default = "example,CSV" +} + +variable "ecs_no_environment_secrets" { + description = "Comma-separated list of key names to search for in the environment variables of container definitions within Task Definitions. Extra spaces will be removed." + type = string + default = "example,CSV" } variable "elb_logging_s3_buckets" { 
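Review bot: `config_delivery_frequency` is the only block on the new side with `default` written before `type`, and `check_restricted_common_ports` is the only toggle whose description omits the word "rule" (`Enable restricted-common-ports-check`); both are moved lines, but since this commit appears to be re-sorting variables.tf alphabetically it is the natural moment to normalise them. Swap the two attributes so the block reads `type = string` then `default = "Six_Hours"`, and change the description to `"Enable restricted-common-ports-check rule"` to match its siblings.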
@@ -441,16 +429,22 @@ variable "elb_logging_s3_buckets" { default = "example,CSV" } -variable "check_iam_policy_no_statements_with_admin_access" { - description = "Enable iam-policy-no-statements-with-admin-access rule" +variable "enable_config_recorder" { + description = "Enables configuring the AWS Config recorder resources in this module." type = bool default = true } -variable "check_iam_policy_no_statements_with_full_access" { - description = "Enable iam-policy-no-statements-with-full-access rule" +variable "enable_efs_encrypted_check" { + description = "Enable efs-encrypted-check rule" type = bool - default = true + default = false +} + +variable "enable_multi_account_logs" { + description = "Enable sending of logs and snapshots from different Config accounts / regions into a single bucket" + type = bool + default = false } variable "exclude_permission_boundary" { 
@@ -459,107 +453,101 @@ variable "exclude_permission_boundary" { default = false } -variable "check_nacl_no_unrestricted_ssh_rdp" { - description = "Enable nacl-no-unrestricted-ssh-rdp rule" - type = bool - default = true +variable "expected_delivery_window_age" { + description = "Maximum age in hours of the most recent delivery to CloudWatch logs that satisfies compliance." + type = number + default = 12 } -variable "check_internet_gateway_authorized_vpc_only" { - description = "Enable internet-gateway-authorized-vpc-only rule" +variable "include_global_resource_types" { + description = "Specifies whether AWS Config includes all supported types of global resources with the resources that it records." type = bool - default = false + default = true } -variable "authorized_vpc_ids" { - description = "Comma-separated list of the authorized VPC IDs with attached IGWs. If parameter is not provided all attached IGWs will be NON_COMPLIANT." +variable "kms_key_id" { + description = "Amazon Resource Name (ARN) of the KMS key that is used to encrypt the EFS file system." type = string default = "example,CSV" } -variable "check_rds_snapshot_encrypted" { - description = "Enable rds-snapshot-encrypted rule" - type = bool - default = true +variable "password_max_age" { + description = "Number of days before password expiration." + type = number + default = 90 } -variable "check_rds_cluster_deletion_protection_enabled" { - description = "Enable rds-cluster-deletion-protection-enabled rule" - type = bool - default = true +variable "password_min_length" { + description = "Password minimum length." + type = number + default = 14 } -variable "check_db_instance_backup_enabled" { - description = "Enable db-instance-backup-enabled rule" +variable "password_require_lowercase" { + description = "Require at least one lowercase character in password." 
type = bool - default = false + default = true } -variable "check_s3_bucket_level_public_access_prohibited" { - description = "Enable s3-bucket-level-public-access-prohibited rule" +variable "password_require_numbers" { + description = "Require at least one number in password." type = bool - default = false -} - -variable "s3_bucket_public_access_prohibited_exclusion" { - description = "Comma-separated list of known allowed public Amazon S3 bucket names." - type = string - default = "example,CSV" + default = true } -variable "check_s3_bucket_acl_prohibited" { - description = "Enable s3-bucket-acl-prohibited rule" +variable "password_require_symbols" { + description = "Require at least one symbol in password." type = bool default = true } -variable "check_s3_bucket_server_side_encryption_enabled" { - description = "Enable s3-bucket-server-side-encryption-enabled rule" +variable "password_require_uppercase" { + description = "Require at least one uppercase character in password." type = bool default = true } -variable "check_vpc_sg_open_only_to_authorized_ports" { - description = "Enable vpc-sg-open-only-to-authorized-ports rule" - type = bool - default = false +variable "password_reuse_prevention" { + description = "Number of passwords before allowing reuse." + type = number + default = 24 } -variable "vpc_sg_authorized_ports" { - description = "Object with values as Comma-separated list of ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025'" - type = object({ - authorizedTcpPorts = optional(string, null) - authorizedUdpPorts = optional(string, null) - }) - default = {} +variable "required_tags" { + description = "A map of required resource tags. Format is tagNKey, tagNValue, where N is int. Values are optional." 
+ type = map(string) + default = {} } -variable "resource_types" { - description = "A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types." +variable "required_tags_resource_types" { + description = "Resource types to check for tags." type = list(string) default = [] } -variable "enable_multi_account_logs" { - description = "Enable sending of logs and snapshots from different Config accounts / regions into a single bucket" - type = bool - default = false +variable "resource_types" { + description = "A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types." + type = list(string) + default = [] } -variable "check_restricted_common_ports" { - description = "Enable restricted-common-ports-check" - type = bool - default = false +variable "s3_bucket_public_access_prohibited_exclusion" { + description = "Comma-separated list of known allowed public Amazon S3 bucket names." + type = string + default = "example,CSV" } -variable "check_s3_bucket_public_read_prohibited" { - description = "Enable s3-bucket-public-read-prohibited rule" - type = bool - default = false +variable "tags" { + description = "Tags to apply to AWS Config resources" + type = map(string) + default = {} } -variable "check_ebs_optimized_instance" { - description = "Enable ebs-optimized-instance-check rule" - type = bool - default = false +variable "vpc_sg_authorized_ports" { + description = "Object with values as Comma-separated list of ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025'" + type = object({ + authorizedTcpPorts = optional(string, null) + authorizedUdpPorts = optional(string, null) + }) + default = {} }
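Review bot: `kms_key_id` keeps `default = "example,CSV"` for a value its own description defines as a single KMS key ARN, so anyone who sets `enable_efs_encrypted_check = true` without overriding it ships a junk key to the rule. If config-rules.tf (outside this diff) passes the variable straight through as the EFS rule's KmsKeyId parameter, that would presumably mark every file system non-compliant regardless of how it is encrypted, which is noise rather than a useful control. A safer shape is `default = null` with the rule omitting the parameter when the value is null, and the same placeholder pattern on `authorized_vpc_ids` in the first variables.tf hunk deserves the same look, given that variable's description already states the stricter behaviour is to leave the parameter unset.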