nuvibit/terraform-aws-core-parameters


AWS Core Parameters (via SSM Parameter Store) Terraform module


Terraform module to store and read a Terraform HCL map via AWS SSM Parameter Store. Its main purpose is to store foundation/core parameters written by various AWS accounts and make them available to other AWS accounts. Foundation/core parameters can be sourced from different AWS accounts. HCL maps with up to three hierarchy levels are supported.

Architecture

(Architecture diagram: core-parameters architecture)

Requirements

❗ This module utilizes cross-account IAM AssumeRoles
  • A dedicated AWS Account should be hosting the foundation/core parameters in AWS SSM Parameter Store
  • Other AWS Accounts can utilize the cross-account IAM AssumeRoles to access foundation/core parameters
  • Dedicated Terraform providers are required depending on the intended permissions

Features

  • Parameters in SSM Parameter Store can store HCL maps with up to three hierarchy levels
  • Cross-account writer and reader IAM AssumeRoles will be provisioned in the AWS Account hosting the foundation/core parameters
  • Parameters can be accessed from other AWS Accounts with IAM AssumeRoles

Usage

Foundation/Core Parameter Account

```hcl
module "foundation_parameter_roles" {
  source  = "nuvibit/core-parameters/aws//modules/iam-roles"
  version = "~> 1.0"
}

locals {
  foundation_parameters = {
    foundation_parameters = {
      writer_role_arn = module.foundation_parameter_roles.parameters_writer_role_arn
      reader_role_arn = module.foundation_parameter_roles.parameters_reader_role_arn
    }
  }
}

module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_parameters
  providers = {
    # the module expects the aliased provider aws.ssm_ps_writer;
    # in the parameter account itself the default provider can be passed
    aws.ssm_ps_writer = aws
  }
}
```

Org Management Account

```hcl
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_writer"

  assume_role {
    # requires module.foundation_parameter_reader (see "Other AWS Accounts")
    role_arn = local.foundation_parameter_readonly["foundation_parameters"]["writer_role_arn"]
  }
}

data "aws_caller_identity" "current" {}
data "aws_organizations_organization" "current" {}

locals {
  foundation_org_mgmt_parameters = {
    version = "1.0"
    org_mgmt = {
      account_id  = data.aws_caller_identity.current.account_id
      org_id      = data.aws_organizations_organization.current.id
      main_region = "eu-central-1"
      example1 = {
        test1_a = "test1_a"
        test1_b = "test1_b"
      }
      example2 = {
        test2_a = "test2_a"
        test2_b = "test2_b"
      }
    }
    core_security = {
      delegation = {
        securityhub      = true
        guardduty        = true
        config           = true
        firewall_manager = true
      }
    }
    account_baseline = {
      auto_remediation = {
        role_name = "foundation-auto-remediation-role"
      }
      aws_config = {
        role_name = "FoundationAwsConfigRole"
      }
    }
  }
}

module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_org_mgmt_parameters
  providers = {
    # must reference the provider alias declared above
    aws.ssm_ps_writer = aws.foundation_parameter_writer
  }
}
```

Core Security delegation settings are specified and configured in the Org Mgmt account; the Core Security account only publishes the values it owns (account id, role ARNs, aggregator name).

Core Security Account

```hcl
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_writer"

  assume_role {
    # requires module.foundation_parameter_reader (see "Other AWS Accounts")
    role_arn = local.foundation_parameter_readonly["foundation_parameters"]["writer_role_arn"]
  }
}

data "aws_caller_identity" "current" {}

locals {
  foundation_core_security_parameters = {
    core_security = {
      account_id = data.aws_caller_identity.current.account_id
      auto_remediation = {
        execution_role_arn = module.core_security.auto_remediation["execution_role_arn"]
      }
      aws_config = {
        aggregator_name = module.core_security.aws_config["aggregator_name"]
      }
    }
  }
}

module "foundation_parameter_writer" {
  source  = "nuvibit/core-parameters/aws"
  version = "~> 1.0"

  parameters = local.foundation_core_security_parameters
  providers = {
    aws.ssm_ps_writer = aws.foundation_parameter_writer
  }
}
```

Other AWS Accounts

```hcl
provider "aws" {
  region = "eu-central-1"
  alias  = "foundation_parameter_reader"

  assume_role {
    role_arn = "arn:aws:iam::{account-id of Foundation Core Parameter Account}:role/core-parameter-reader-role"
  }
}

module "foundation_parameter_reader" {
  source  = "nuvibit/core-parameters/aws//modules/reader"
  version = "~> 1.0"

  providers = {
    aws.ssm_ps_reader = aws.foundation_parameter_reader
  }
}

locals {
  foundation_parameter_readonly = module.foundation_parameter_reader.parameters
}

output "foundation_parameters" {
  value = local.foundation_parameter_readonly
}
```

Example output of foundation/core parameters

All values are returned as strings, because SSM Parameter Store stores string values; the delegation booleans written by the Org Mgmt account therefore come back as "true".

```hcl
{
  "account_baseline" = {
    "auto_remediation" = {
      "role_name" = "foundation-auto-remediation-role"
    }
    "aws_config" = {
      "role_name" = "FoundationAwsConfigRole"
    }
  }
  "core_security" = {
    "account_id" = "******"
    "auto_remediation" = {
      "execution_role_arn" = "arn:aws:iam::******:role/auto-remediation-execution-role"
    }
    "aws_config" = {
      "aggregator_name" = "foundation_config_aggregator"
    }
    "delegation" = {
      "config"           = "true"
      "firewall_manager" = "true"
      "guardduty"        = "true"
      "securityhub"      = "true"
    }
  }
  "org_mgmt" = {
    "account_id" = "******"
    "example1" = {
      "test1_a" = "test1_a"
      "test1_b" = "test1_b"
    }
    "example2" = {
      "test2_a" = "test2_a"
      "test2_b" = "test2_b"
    }
    "main_region" = "eu-central-1"
    "org_id"      = "o-******"
  }
}
```
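The following Python model, added here and not part of the module's own code, shows how a nested map like the ones above is laid out as individual parameter names under `parameters_path_prefix`, how a reader account rebuilds the map, why the three-level limit matters and why booleans come back as strings. It assumes that map keys are joined with "/" to form the fully qualified parameter name; the real module's naming scheme is not shown on this page.

```python
# Added example (not the module's code): models the map <-> SSM parameter
# layout. Assumption: nested keys are joined with "/" below the path prefix
# and every value is stored as a string (SSM Parameter Store holds strings).
MAX_DEPTH = 3  # the module supports HCL maps with up to three hierarchy levels


def flatten(parameters: dict, prefix: str = "/foundation", _depth: int = 1) -> dict[str, str]:
    """Map nested keys to fully qualified parameter names with string values."""
    flat: dict[str, str] = {}
    for key, value in parameters.items():
        name = f"{prefix}/{key}"
        if isinstance(value, dict):
            if _depth >= MAX_DEPTH:
                raise ValueError(f"{name}: nesting deeper than {MAX_DEPTH} levels is not supported")
            flat.update(flatten(value, name, _depth + 1))
        else:
            # booleans such as delegation flags are written as "true"/"false"
            flat[name] = str(value).lower() if isinstance(value, bool) else str(value)
    return flat


def unflatten(flat: dict[str, str], prefix: str = "/foundation") -> dict:
    """Rebuild the nested map from parameter names, as a reader account sees it."""
    tree: dict = {}
    for name, value in flat.items():
        if not name.startswith(prefix + "/"):
            continue  # ignore parameters stored outside our prefix
        node = tree
        parts = name[len(prefix) + 1:].split("/")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return tree


# Constructed sample mirroring the Org Mgmt and Core Security maps above
SAMPLE = {
    "org_mgmt": {"main_region": "eu-central-1", "example1": {"test1_a": "test1_a"}},
    "core_security": {"delegation": {"securityhub": True, "guardduty": True}},
}

if __name__ == "__main__":
    for name, value in sorted(flatten(SAMPLE).items()):
        print(f"{name} = {value}")
```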

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.0 |

Providers

| Name | Version |
|------|---------|
| aws.ssm_ps_writer | >= 4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_ssm_parameter.ssm_parameters | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| parameters | A map of parameters which should be stored as a map in SSM Parameter Store. | any | n/a | yes |
| kms_key_arn | KMS key to be used to encrypt the parameter entries. | string | null | no |
| parameters_overwrite | Set to true to allow overwriting existing parameters. An IAM role with write access is required. | bool | false | no |
| parameters_path_prefix | Prefix name to allow fully qualified parameter names, which allows parameters to be stored as a map. | string | "/foundation" | no |
| resource_tags | A map of tags to assign to the resources in this module. | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| parameters_map | The map of parameters which are stored as a map in SSM Parameter Store. |
| parameters_path_prefix | Pass-through of parameters_path_prefix. |

Authors

This module is maintained by Nuvibit with help from these amazing contributors.

License

This module is licensed under Apache 2.0. See LICENSE for full details.

Copyright © 2022 Nuvibit AG