Terraform module to store and read a terraform HCL map via AWS SSM Parameter Store. The main purpose of the module is to store foundation/core parameters from various AWS Accounts and make them available to other AWS Accounts. Foundation/core parameters can be sourced from different AWS Accounts. HCL maps with three hierarchy levels are supported.
> ❗ This module utilizes cross-account IAM AssumeRoles
- A dedicated AWS Account should be hosting the foundation/core parameters in AWS SSM Parameter Store
- Other AWS Accounts can utilize the cross-account IAM AssumeRoles to access foundation/core parameters
- Dedicated Terraform providers are required depending on the intended permissions
- Parameters in SSM Parameter Store can store HCL maps with up to three hierarchy levels
- Cross-account writer and reader IAM AssumeRoles will be provisioned in the AWS Account hosting the foundation/core parameters
- Parameters can be accessed from other AWS Accounts with IAM AssumeRoles
# Provisions the cross-account writer and reader IAM roles in the account
# that hosts the foundation/core parameters.
module "foundation_parameter_roles" {
  source  = "nuvibit/core-parameters/aws//modules/iam-roles"
  version = "~> 1.0"
}
# Role ARNs published to the store so other accounts can discover which
# roles to assume for writing and reading.
locals {
  foundation_parameters = {
    foundation_parameters = {
      writer_role_arn = module.foundation_parameter_roles.parameters_writer_role_arn
      reader_role_arn = module.foundation_parameter_roles.parameters_reader_role_arn
    }
  }
}
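# Stores the role ARNs from the hosting account itself.
module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_parameters

  # The module lists aws.ssm_ps_writer as a required provider alias (the other
  # writer examples pass it explicitly); in the hosting account the default
  # provider can be handed over directly.
  providers = {
    aws.ssm_ps_writer = aws
  }
}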
# Provider that assumes the cross-account writer role in the hosting account.
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_writer"

  assume_role {
    # The writer role ARN is looked up in the shared parameter store through
    # module.foundation_parameter_reader (local.foundation_parameter_readonly),
    # so the reader module must be configured alongside this provider.
    # Whoever can write that entry decides which role this provider assumes;
    # keep write access to "foundation_parameters" limited to the hosting account.
    role_arn = local.foundation_parameter_readonly["foundation_parameters"]["writer_role_arn"]
  }
}
# Identity and organization of the Org Mgmt account, published below.
data "aws_caller_identity" "current" {
}

data "aws_organizations_organization" "current" {
}
# Parameters written from the Org Mgmt account. The map uses the three
# supported hierarchy levels (e.g. org_mgmt -> example1 -> test1_a);
# "version" is a first-level scalar rather than a nested map.
locals {
  foundation_org_mgmt_parameters = {
    version = "1.0"

    org_mgmt = {
      account_id  = data.aws_caller_identity.current.account_id
      org_id      = data.aws_organizations_organization.current.id
      main_region = "eu-central-1"

      example1 = {
        test1_a = "test1_a"
        test1_b = "test1_b"
      }

      example2 = {
        test2_a = "test2_a"
        test2_b = "test2_b"
      }
    }

    # Delegation flags for the Core Security account, decided here in Org Mgmt.
    core_security = {
      delegation = {
        securityhub      = true
        guardduty        = true
        config           = true
        firewall_manager = true
      }
    }

    # Role names the account baseline relies on.
    account_baseline = {
      auto_remediation = {
        role_name = "foundation-auto-remediation-role"
      }
      aws_config = {
        role_name = "FoundationAwsConfigRole"
      }
    }
  }
}
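# Writes the Org Mgmt parameters through the cross-account writer role.
module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_org_mgmt_parameters

  # Must reference the alias of the provider that assumes the writer role
  # ("foundation_parameter_writer" above); aws.foundation_org_mgmt_parameters
  # is not a declared provider alias.
  providers = {
    aws.ssm_ps_writer = aws.foundation_parameter_writer
  }
}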
Core Security delegation settings will be specified and configured in the Org Mgmt account.
# Writer provider for the Core Security account.
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_writer"

  assume_role {
    # Resolved from the store via module.foundation_parameter_reader, which has
    # to be present in the same configuration. Because the assumed role is
    # whatever the "foundation_parameters" entry says, only the hosting account
    # should be able to change it.
    role_arn = local.foundation_parameter_readonly["foundation_parameters"]["writer_role_arn"]
  }
}
# Identity of the Core Security account.
data "aws_caller_identity" "current" {
}
# Parameters published by the Core Security account. Only the keys written
# here are affected; the "delegation" sub-map written from Org Mgmt is kept.
locals {
  foundation_core_security_parameters = {
    core_security = {
      account_id = data.aws_caller_identity.current.account_id

      auto_remediation = {
        execution_role_arn = module.core_security.auto_remediation["execution_role_arn"]
      }

      aws_config = {
        aggregator_name = module.core_security.aws_config["aggregator_name"]
      }
    }
  }
}
# Writes the Core Security parameters through the cross-account writer role.
module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_core_security_parameters

  providers = {
    aws.ssm_ps_writer = aws.foundation_parameter_writer
  }
}
# Read-only provider: assumes the reader role in the hosting account.
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_reader"

  assume_role {
    # Replace the placeholder with the id of the account hosting the parameters.
    role_arn = "arn:aws:iam::{account-id of Foundation Core Parameter Account}:role/core-parameter-reader-role"
  }
}
# Reads the whole parameter map back out of SSM Parameter Store.
module "foundation_parameter_reader" {
  source  = "nuvibit/core-parameters/aws//modules/reader"
  version = "~> 1.0"

  providers = {
    aws.ssm_ps_reader = aws.foundation_parameter_reader
  }
}
# Convenience alias; the writer providers above look up their role ARN here.
locals {
  foundation_parameter_readonly = module.foundation_parameter_reader.parameters
}
output "foundation_parameters" {
  # Everything read from the store, including account ids and role ARNs;
  # it is recorded in state and printed by `terraform output`.
  value = local.foundation_parameter_readonly
}
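# Sample `terraform output foundation_parameters`; account ids and the
# organization id are masked with "******". Every leaf is returned as a
# string: the delegation flags written as `true` come back as "true", so
# consumers should convert them (e.g. tobool()) before treating them as booleans.
{
  "account_baseline" = {
    "auto_remediation" = {
      "role_name" = "foundation-auto-remediation-role"
    }
    "aws_config" = {
      "role_name" = "FoundationAwsConfigRole"
    }
  }
  "core_security" = {
    "account_id" = "******"
    "auto_remediation" = {
      "execution_role_arn" = "arn:aws:iam::******:role/auto-remediation-execution-role"
    }
    "aws_config" = {
      "aggregator_name" = "foundation_config_aggregator"
    }
    "delegation" = {
      "config"           = "true"
      "firewall_manager" = "true"
      "guardduty"        = "true"
      "securityhub"      = "true"
    }
  }
  "org_mgmt" = {
    "account_id" = "******"
    "example1" = {
      "test1_a" = "test1_a"
      "test1_b" = "test1_b"
    }
    "example2" = {
      "test2_a" = "test2_a"
      "test2_b" = "test2_b"
    }
    "main_region" = "eu-central-1"
    "org_id"      = "o-******"
  }
}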
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0 |
Name | Version |
---|---|
aws.ssm_ps_writer | >= 4.0 |
No modules.
Name | Type |
---|---|
aws_ssm_parameter.ssm_parameters | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
parameters | A map of parameters which should be stored as a map in SSM Parameter Store. | any | n/a | yes |
kms_key_arn | KMS Key to be used to encrypt the parameter entries. | string | null | no |
parameters_overwrite | Set to true to allow overwriting existing parameters. IAM role with write access is required. | bool | false | no |
parameters_path_prefix | Prefix name to allow fully qualified parameter names which allows parameters to be stored as a map. | string | "/foundation" | no |
resource_tags | A map of tags to assign to the resources in this module. | map(string) | {} | no |
Name | Description |
---|---|
parameters_map | The map of parameters which are stored as a map in SSM Parameter Store. |
parameters_path_prefix | Pass through parameters_path_prefix. |
This module is maintained by Nuvibit with help from these amazing contributors
This module is licensed under Apache 2.0
See LICENSE for full details
Copyright © 2022 Nuvibit AG