Skip to content

Terraform code to create a site-to-site VPN tunnel between the COOL and the CISA CDM (Continuous Diagnostics and Mitigation) environment, as well as some related resources to feed COOL logging data to CDM.

License

Notifications You must be signed in to change notification settings

cisagov/cool-sharedservices-cdm

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

cool-sharedservices-cdm

GitHub Build Status

This is a Terraform deployment for creating the site-to-site VPN tunnel between the COOL and the CDM (Continuous Diagnostics and Mitigation) environment in the COOL Shared Services account. It also creates:

  • The resources necessary to stream the COOL Shared Services CloudWatch logs into an S3 bucket where they can be imported into the CDM environment
  • An IAM user and role that allows access to the CloudTrail logs in the COOL Shared Services account and the S3 bucket where the CloudWatch logs are stored

This deployment should be applied immediately after cisagov/cool-sharedservices-networking, and before cisagov/cool-sharedservices-freeipa or cisagov/cool-sharedservices-openvpn.

Pre-requisites

  • Terraform installed on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
  • Access to all of the Terraform remote states specified in remote_states.tf.

Requirements

Name Version
terraform ~> 1.1
aws ~> 5.0
null ~> 3.0

Providers

Name Version
aws ~> 5.0
aws.organizationsreadonly ~> 5.0
aws.sharedservicesprovisionaccount ~> 5.0
null ~> 3.0
terraform n/a

Modules

Name Source Version
cdm_cloudtrail github.com/cisagov/cool-cdm-cloudtrail-tf-module n/a

Resources

Name Type
aws_cloudwatch_log_subscription_filter.cdm resource
aws_customer_gateway.cdm resource
aws_ec2_transit_gateway_route.cdm_sharedservices resource
aws_ec2_transit_gateway_route.cdm_vpn resource
aws_ec2_transit_gateway_route.sharedservices_vpn resource
aws_ec2_transit_gateway_route_table.cdm resource
aws_ec2_transit_gateway_route_table_association.cdm resource
aws_iam_policy.cloudwatch resource
aws_iam_policy.cloudwatch_to_firehose resource
aws_iam_policy.firehose_to_s3 resource
aws_iam_policy.provisioncdm_policy resource
aws_iam_role.cloudwatch_to_firehose resource
aws_iam_role.firehose_to_s3 resource
aws_iam_role_policy_attachment.cloudwatch resource
aws_iam_role_policy_attachment.cloudwatch_to_firehose resource
aws_iam_role_policy_attachment.firehose_to_s3 resource
aws_iam_role_policy_attachment.provisioncdm_policy_attachment resource
aws_kinesis_firehose_delivery_stream.cloudwatch_logs resource
aws_ram_resource_share.to_cdm resource
aws_route53_resolver_endpoint.from_cdm resource
aws_route53_resolver_endpoint.to_cdm resource
aws_route53_resolver_rule.to_cdm resource
aws_route53_resolver_rule_association.to_cdm resource
aws_s3_bucket.cloudwatch resource
aws_s3_bucket_notification.cloudwatch resource
aws_s3_bucket_ownership_controls.cloudwatch resource
aws_s3_bucket_public_access_block.cloudwatch resource
aws_s3_bucket_server_side_encryption_configuration.cloudwatch resource
aws_security_group.cdm resource
aws_security_group.dns_from_cdm resource
aws_security_group.dns_to_cdm resource
aws_security_group_rule.cdm resource
aws_security_group_rule.crowdstrike_falcon resource
aws_security_group_rule.dns_from_cdm resource
aws_security_group_rule.dns_to_cdm resource
aws_sns_topic.cloudwatch_logs resource
aws_sns_topic_policy.cloudwatch_logs resource
aws_sns_topic_subscription.cloudwatch_logs resource
aws_sqs_queue.cloudwatch_logs resource
aws_sqs_queue.cloudwatch_logs_dead_letter resource
aws_sqs_queue_policy.cloudwatch_logs resource
aws_sqs_queue_policy.cloudwatch_logs_dead_letter resource
aws_vpc_dhcp_options.cdm resource
aws_vpc_dhcp_options_association.cdm resource
aws_vpn_connection.cdm resource
null_resource.break_association_with_default_route_table resource
aws_caller_identity.current data source
aws_caller_identity.sharedservices data source
aws_iam_policy_document.allow_access_to_selected_cloudwatch_logs data source
aws_iam_policy_document.cloudwatch_assume_role data source
aws_iam_policy_document.cloudwatch_to_firehose data source
aws_iam_policy_document.firehose_assume_role data source
aws_iam_policy_document.firehose_to_s3 data source
aws_iam_policy_document.provisioncdm_policy_doc data source
aws_iam_policy_document.s3_to_sns data source
aws_iam_policy_document.sns_to_sqs data source
aws_iam_policy_document.sns_to_sqs_dead_letter data source
aws_organizations_organization.cool data source
terraform_remote_state.master data source
terraform_remote_state.networking data source
terraform_remote_state.sharedservices data source
terraform_remote_state.users data source

Inputs

Name Description Type Default Required
aws_region The AWS region where the Shared Services account resides (e.g. "us-east-1"). string "us-east-1" no
cdm_cidr The CIDR block on the CDM end of the site-to-site VPN tunnel (e.g. "10.201.0.0/16"). string n/a yes
cdm_cloudtrail_assume_role_policy_description The description to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "The IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data in the AccountName account."). string n/a yes
cdm_cloudtrail_assume_role_policy_name The name to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., "ACCTNAME-AssumeCdmCloudTrail"). string n/a yes
cdm_cloudwatch_bucket_name The name of the S3 bucket that will receive logs from CloudWatch so that they can later be ingested by CDM (e.g. "cdm-cloudwatch-logs"). string n/a yes
cdm_dns_ips The DNS server IPs for the CDM environment (e.g. ["100.200.75.25", "100.200.100.50"]). list(string) n/a yes
cdm_domains The domains for the CDM environment (e.g. ["thulsa.example.com", "doom.example.com", "222.111.10.in-addr.arpa"]). The first domain listed should be the main CDM domain, as it will be used as an additional search domain for DNS lookups. list(string) n/a yes
cdm_tunnel_ip The IP address of the site-to-site VPN tunnel endpoint on the CDM side (e.g. "100.200.75.25"). string n/a yes
cdm_user_name The user name of the CDM user who will assume the role to access the CloudTrail data. string n/a yes
cdm_vpn_preshared_key The pre-shared key to use for setting up the site-to-site VPN connection between the COOL and CDM. This must be a string of 36 characters, which can include alphanumerics, periods, and underscores (e.g. "abcdefghijklmnopqrstuvwxyz01234567._"). string n/a yes
cloudwatch_logs_sns_topic_name The name of the SNS topic that will receive notifications from the CDM S3 bucket when objects are added to it (e.g. "cdm-cloudwatch-logs"). string "cdm-cloudwatch-logs" no
cloudwatch_logs_sqs_queue_name The name of the SQS queue that will receive CloudWatch log events when objects are added to the CDM S3 bucket (e.g. "cdm-cloudwatch-logs"). Note that this name will be appended with "-dead-letter" to create the name of the SQS dead-letter queue that receives events that could not be delivered to the main queue. string "cdm-cloudwatch-logs" no
cloudwatch_policy_description The description to associate with the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested. string "Allows read access to the specific CloudWatch log streams in which CDM is interested." no
cloudwatch_policy_instances Each string corresponds to the name of an instance, which itself corresponds to a CloudWatch log stream to which CDM is to be allowed read access. (The name of the instance should be as it appears in the CloudWatch log stream; in some cases this is the FQDN and in others it is just the hostname.) The selected CloudWatch log groups in which these streams reside are defined by the variable cloudwatch_policy_log_groups. list(string) [] no
cloudwatch_policy_log_groups Each string corresponds to the name of a CloudWatch log group for which CDM is to be allowed read access for selected CloudWatch log streams. The selected CloudWatch log streams inside these log groups to which CDM is to be allowed access are defined by the variable cloudwatch_policy_log_streams. list(string) [] no
cloudwatch_policy_name The name to assign the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested. string "CdmCloudWatchReadOnly" no
cloudwatch_to_firehose_role_description The description to associate with the IAM policy and role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM. string "The IAM policy/role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM." no
cloudwatch_to_firehose_role_name The name to assign the IAM policy and role that allow CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM. string "CdmCloudWatchLogsToFirehose" no
firehose_delivery_stream_name The name to assign the Firehose delivery stream that will receive the CloudWatch log events and send them to the CDM S3 bucket. string "cdm-cloudwatch-logs" no
firehose_to_s3_role_description The description to associate with the IAM policy and role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM. string "The IAM policy/role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM." no
firehose_to_s3_role_name The name to assign the IAM policy and role that allow Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM. string "CdmFirehoseToS3" no
provisionaccount_role_name The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account. string "ProvisionAccount" no
provisioncdm_policy_description The description to associate with the IAM policy that allows provisioning of the CDM layer in the Shared Services account. string "Allows provisioning of the CDM layer in the Shared Services account." no
provisioncdm_policy_name The name to assign the IAM policy that allows provisioning of the CDM layer in the Shared Services account. string "ProvisionCdm" no
tags Tags to apply to all AWS resources created. map(string) {} no

Outputs

Name Description
cdm_cloudtrail_access_policy The IAM policy with the necessary permissions to access the CDM CloudTrail data.
cdm_cloudtrail_access_role The IAM role that can be assumed to access the CDM CloudTrail data.
cdm_cloudtrail_assume_access_role_policy The IAM policy that allows the CDM user to assume the IAM role that allows access the CDM CloudTrail data.
cdm_cloudtrail_bucket The S3 bucket where CloudTrail logs are stored for CDM.
cdm_cloudtrail_deadletter_queue The SQS deadletter queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket for which processing has failed.
cdm_cloudtrail_queue The SQS queue of messages notifying of CloudTrail logs being written to the CDM S3 bucket.
cdm_cloudtrail_topic The SNS topic for notifications of CloudTrail logs being written to the CDM S3 bucket.
cdm_cloudtrail_trail The CloudTrail trail for CDM.
cdm_cloudwatch_access_policy The IAM policy with the necessary permissions to access the CDM CloudWatch data.
cdm_cloudwatch_logs_bucket The S3 bucket where CloudWatch logs are stored for CDM.
cdm_cloudwatch_logs_sns_topic The SNS topic that receives notifications from the CDM S3 bucket and is subscribed to by the SQS queue.
cdm_cloudwatch_logs_sqs_dead_letter_queue The SQS dead letter queue that receives events that could not be delivered to the main queue.
cdm_cloudwatch_logs_sqs_queue The SQS queue that receives CloudWatch log events when objects are added to the CDM S3 bucket.
cdm_customer_gateway The gateway for the site-to-site VPN connection to CDM.
cdm_security_group A security group that allows for all necessary communications between the CDM agents and the CDM CIDRs.
cdm_tgw_route_table The custom Transit Gateway route table for the CDM VPN connection.
cdm_tgw_route_table_association The association between the CDM VPN connection and its custom Transit Gateway route table.
cdm_vpc_dhcp_options The Shared Services VPC DHCP options. These are identical to the DHCP options created in cisagov/cool-sharedservices-networking, except that we add the main CDM domain (var.cdm_domains[0]) to the DNS search path.
cdm_vpc_dhcp_options_association The association between the Shared Services VPC and the CDM-enhanced DHCP options.
cdm_vpn_connection The site-to-site VPN connection to CDM.
dns_from_cdm_security_group The security group that allows DNS requests from the CDM environment.
dns_to_cdm_security_group The security group that allows DNS requests to the CDM environment.
route53_resolver_endpoint_from_cdm The Route53 resolver that allows the CDM environment to resolve DNS queries in our environment.
route53_resolver_endpoint_to_cdm The Route53 resolver that allows us to resolve DNS queries in the CDM environment.
route53_resolver_rules_to_cdm The Route53 resolver rules that allow us to resolve DNS queries in the CDM environment.
route53_resolver_rules_to_cdm_ram_shares The RAM shares for the Route53 resolver rules that allow us to resolve DNS queries in the CDM environment.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, this is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

About

Terraform code to create a site-to-site VPN tunnel between the COOL and the CISA CDM (Continuous Diagnostics and Mitigation) environment, as well as some related resources to feed COOL logging data to CDM.

Topics

Resources

License

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published