initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,12 @@
+# Root module for creating baseline resources including:
+- iam password policy
+- delete default VPCs in all region
+- create cloudtrail
+- enable aws config in all region
+- enable guardduty
+- enable securityhub
+- disable s3 public access
+- require EBS encryption
+
+## If AWS organisation is in use
+If you are using AWS organisation, setup delegated admin for guardduty and securityhub. This allows centralised management.
@@ -0,0 +1,51 @@
+module "iam-baseline" {
+  # iam password policy, baseline roles, access analyzer, cloudhealth role
+  source = "../../modules/security_identity_compliance/roles_iam_resources"
+
+  customer-name      = var.customer-name
+  default-tags       = local.default-tags
+  create-cloudhealth-resources = false
+}
+
+module "cloudtrail" {
+  # Create cloudtrail
+  source = "../../modules/security_identity_compliance/cloudtrail_cwlogs"
+  resource-prefix = local.resource-prefix
+  default-tags = local.default-tags
+}
+
+module "delete-default-vpcs" {
+  # delete default VPCs in all regions
+  source = "../../modules/networking/delete-default-vpcs"
+}
+
+module "enable-aws-config" {
+  # enable aws config in all regions and setup aggregation
+  source = "../../modules/security_identity_compliance/aws_config"
+  resource-prefix = local.resource-prefix
+  default-tags  = local.default-tags
+}
+
+module "enable-guardduty" {
+  /* enable guardduty
+  If you are using AWS organisation, GD delegated admin should be configured
+  on the landing zone security account. This allows centralised management.
+  See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
+  */
+  source = "../../modules/security_identity_compliance/guardduty"
+  default-tags = local.default-tags
+}
+
+module "enable-securityhub" {
+  /* enable security hub
+  If you are using AWS organisation, SH deleted admin should be configured
+  on the landing zone security account. This allows centralised management.
+  https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
+  */
+  source = "../../modules/security_identity_compliance/security_hub"
+}
+
+module "default-account-settings" {
+  # other default account settings
+  source = "../../modules/security_identity_compliance/other-default-settings"
+}
@@ -0,0 +1,13 @@
+provider "aws" {
+  region = var.aws-region
+}
+
+terraform {
+  required_version = "~> 1.2.5"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.75.2"
+    }
+  }
+}
@@ -0,0 +1,5 @@
+aws-region        = "ap-southeast-1"
+customer-name     = "ken2026"
+environment       = "lab"
+project           = "terraform-dev"
+application       = "infra"
@@ -0,0 +1,19 @@
+variable "aws-region" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+locals {
+  default-tags = {
+    ServiceProvider = "RackspaceTechnology"
+    Environment = var.environment
+    Project = var.project
+    Application = var.application
+    TerraformMode = "managed"
+    TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
+    BuildDate = formatdate("YYYYMMDD", timestamp())
+  }
+  resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
+}
+