From 63fcb4db0180de51494564b6c7a8e567be9a4343 Mon Sep 17 00:00:00 2001 From: HarmanJyot Kaur Date: Wed, 28 Jul 2021 22:05:04 +0530 Subject: [PATCH 1/2] pushed new improvement with added module support --- _example/example.tf | 8 +++++ main.tf | 35 ++++++++++++++++++++ modules/alarm/main.tf | 37 +++++++++++++++++++++ modules/ebs/main.tf | 9 ++++++ modules/ebs/variable.tf | 4 +++ modules/security_hub/main.tf | 44 +++++++++++++++++++++++++ modules/security_hub/variable.tf | 28 ++++++++++++++++ modules/shield/main.tf | 26 +++++++++++++++ modules/shield/output.tf | 9 ++++++ modules/shield/variable.tf | 55 ++++++++++++++++++++++++++++++++ variables.tf | 46 ++++++++++++++++++++++++++ 11 files changed, 301 insertions(+) create mode 100644 modules/ebs/main.tf create mode 100644 modules/ebs/variable.tf create mode 100644 modules/security_hub/main.tf create mode 100644 modules/security_hub/variable.tf create mode 100644 modules/shield/main.tf create mode 100644 modules/shield/output.tf create mode 100644 modules/shield/variable.tf diff --git a/_example/example.tf b/_example/example.tf index fb219e9..ee559e6 100644 --- a/_example/example.tf +++ b/_example/example.tf @@ -125,4 +125,12 @@ module "secure_baseline" { analyzer_enable = false type = "ACCOUNT" + # Shield + shield_enable = false + + # EBS + default_ebs_enable = false + + # Security Hub + security_hub_enable = false } \ No newline at end of file diff --git a/main.tf b/main.tf index dbe0164..fcd90b3 100644 --- a/main.tf +++ b/main.tf 
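Review bot: The example never sets `resource_arn`, yet this same series declares `variable "resource_arn"` in variables.tf with no default, so `terraform plan` on `_example` will stop and ask for it even though the example sets `shield_enable = false`. Either give the example a clearly marked placeholder, `resource_arn = "<ARN-of-resource-to-protect>"` next to `shield_enable`, or give the root variable a default so the disabled module does not make the input mandatory. The example also sets `security_hub_enable = false` while variables.tf defaults it to `true`, unlike the other two new flags; stating the intended default once and matching it here would avoid surprising callers who copy the example.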
@@ -182,4 +182,39 @@ module "iam_access_analyzer" { SLACK_WEBHOOK = var.slack_webhook SLACK_CHANNEL = var.slack_channel } +} + +## Shield +module "aws_shield" { + source = "./modules/shield" + + name = "shield" + environment = var.environment + managedby = var.managedby + label_order = var.label_order + enabled = var.enabled && var.shield_enable + + ## AWS SHIELD + resource_arn = var.resource_arn + +} + + +## EBS +module "aws_ebs" { + source = "./modules/ebs" + + enabled = var.enabled && var.default_ebs_enable +} + +## AWS Security Hub +module "security_hub" { + source = "./module/security_hub" + + enabled = var.enabled && var.security_hub_enable + enable_ccis_standard = var.enable_ccis_standard + enable_aws_foundational_standard = var.enable_aws_foundational_standard + enable_pci_dss_standard = var.enable_pci_dss_standard + + } \ No newline at end of file diff --git a/modules/alarm/main.tf b/modules/alarm/main.tf index 7e69d3c..8667003 100644 --- a/modules/alarm/main.tf +++ b/modules/alarm/main.tf 
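Review bot: The new `security_hub` module block points at `source = "./module/security_hub"`, but every file this series adds lives under `modules/security_hub`, so `terraform init` cannot resolve the module; it should be `source = "./modules/security_hub"`. The same block passes `enable_ccis_standard = var.enable_ccis_standard`, while variables.tf and modules/security_hub/variable.tf both declare `enable_cis_standard` and modules/security_hub/main.tf reads `var.enable_ccis_standard`, so the misspelling has to be fixed consistently in this file, in modules/security_hub/main.tf, and in the root reference (`enable_cis_standard = var.enable_cis_standard`). `member_accounts` is declared at the root in this series but is never forwarded here, so callers cannot invite member accounts; add `member_accounts = var.member_accounts` to the block. The indented closing `}` of the `security_hub` block and the doubled blank lines suggest the file was not run through `terraform fmt`.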
@@ -563,3 +563,40 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" { insufficient_data_actions = [] tags = module.labels.tags } + +#Module : AWS_CLOUDWATCH_LOG_METRIC_FILTER +#Description : Provides a CloudWatch Log Metric Filter resource. +resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" { + count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + + name = "AWSConfigChanges" + pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" + log_group_name = var.cloudtrail_log_group_name + + metric_transformation { + name = "AWSConfigChanges" + namespace = var.alarm_namespace + value = "1" + } +} + +#Module : AWS_CLOUDWATCH_LOG_METRIC_ALARM +#Description : Provides a CloudWatch Metric Alarm resource. +resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { + count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + + alarm_name = "AWSConfigChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = join("", aws_cloudwatch_log_metric_filter.vpc_changes.*.id) + namespace = var.alarm_namespace + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." + alarm_actions = [aws_sns_topic.alarms[0].arn] + treat_missing_data = "notBreaching" + insufficient_data_actions = [] + tags = module.labels.tags + +} diff --git a/modules/ebs/main.tf b/modules/ebs/main.tf new file mode 100644 index 0000000..60eca11 --- /dev/null +++ b/modules/ebs/main.tf @@ -0,0 +1,9 @@ +## Managed By : CloudDrove +## Copyright @ CloudDrove. All Right Reserved. + + +resource "aws_ebs_encryption_by_default" "default" { + count = var.enabled ? 1 : 0 + + enabled = true +} \ No newline at end of file 
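Review bot: The new `aws_config_changes` alarm takes its `metric_name` from `aws_cloudwatch_log_metric_filter.vpc_changes.*.id`, so it watches the VPC-changes metric and will never fire on the Config changes that the new filter records; it should read `metric_name = join("", aws_cloudwatch_log_metric_filter.aws_config_changes.*.id)`. Both new resources gate on `var.aws_config_changes_enabled`, but no change to the alarm module's variables file is part of this series, so unless that variable already exists the plan fails on an undeclared variable — worth confirming and, if needed, declaring it with `type = bool` and a default. The `#Description` comment above the filter could also name what is being detected, e.g. `#Description : Metric filter for StopConfigurationRecorder, DeleteDeliveryChannel, PutDeliveryChannel and PutConfigurationRecorder events from config.amazonaws.com.`, so the alarm's purpose is readable without decoding the pattern.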
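Review bot: `aws_ebs_encryption_by_default` is a per-region account setting, and the module gives no hint of that, so a caller enabling `default_ebs_enable` may assume the whole account is covered; add a comment above the resource such as `# Applies only to the region the provider is configured for; other regions need their own provider alias.`. The module also hard-codes `enabled = true`, which is fine for a baseline, but the header comment should say the module only ever turns default encryption on and relies on `count` to leave it untouched when disabled.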
diff --git a/modules/ebs/variable.tf b/modules/ebs/variable.tf new file mode 100644 index 0000000..6271bd7 --- /dev/null +++ b/modules/ebs/variable.tf @@ -0,0 +1,4 @@ +variable "enabled" { + description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." + default = true +} \ No newline at end of file diff --git a/modules/security_hub/main.tf b/modules/security_hub/main.tf new file mode 100644 index 0000000..df98881 --- /dev/null +++ b/modules/security_hub/main.tf @@ -0,0 +1,44 @@ +data "aws_region" "current" {} + +# Enable SecurityHub +resource "aws_securityhub_account" "main" { + count = var.enabled ? 1 : 0 +} + +# Add member accounts +resource "aws_securityhub_member" "members" { + count = var.enabled ? length(var.member_accounts) : 0 + + depends_on = [aws_securityhub_account.main] + account_id = var.member_accounts[count.index].account_id + email = var.member_accounts[count.index].email + invite = true +} + +# Subscribe CIS benchmark +resource "aws_securityhub_standards_subscription" "cis" { + count = var.enabled && var.enable_ccis_standard ? 1 : 0 + + standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" + + depends_on = [aws_securityhub_account.main] +} + +# Subscribe AWS foundational security best practices standard +resource "aws_securityhub_standards_subscription" "aws_foundational" { + count = var.enabled && var.enable_aws_foundational_standard ? 1 : 0 + + standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0" + + depends_on = [aws_securityhub_account.main] +} + +# Subscribe PCI DSS standard +resource "aws_securityhub_standards_subscription" "pci_dss" { + count = var.enabled && var.enable_pci_dss_standard ? 1 : 0 + + standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1" + + depends_on = [aws_securityhub_account.main] +} + 
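Review bot: The three `standards_arn` values hard-code the `aws` partition (`arn:aws:securityhub:...`), so the subscriptions cannot resolve in the GovCloud or China partitions even though the region part is already interpolated from `data.aws_region.current.name`. Adding `data "aws_partition" "current" {}` next to the existing region data source and writing `standards_arn = "arn:${data.aws_partition.current.partition}:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"` (and likewise for the other two) keeps the module portable. The standard versions (`1.2.0`, `1.0.0`, `3.2.1`) are pinned inline with no comment; a short `# Standard versions pinned deliberately; bump with a reviewed change.` above the subscriptions would make that intent explicit.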
diff --git a/modules/security_hub/variable.tf b/modules/security_hub/variable.tf new file mode 100644 index 0000000..ea9682f --- /dev/null +++ b/modules/security_hub/variable.tf @@ -0,0 +1,28 @@ +variable "enabled" { + description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." + default = true +} + +variable "enable_cis_standard" { + description = "Boolean whether CIS standard is enabled." + default = true +} + +variable "enable_pci_dss_standard" { + description = "Boolean whether PCI DSS standard is enabled." + default = true +} + +variable "enable_aws_foundational_standard" { + description = "Boolean whether AWS Foundations standard is enabled." + default = true +} + +variable "member_accounts" { + description = "A list of IDs and emails of AWS accounts which associated as member accounts." + type = list(object({ + account_id = string + email = string + })) + default = [] +} \ No newline at end of file diff --git a/modules/shield/main.tf b/modules/shield/main.tf new file mode 100644 index 0000000..703e39e --- /dev/null +++ b/modules/shield/main.tf @@ -0,0 +1,26 @@ +## Managed By : CloudDrove +## Copyright @ CloudDrove. All Right Reserved. + + +#Module : Label +#Description : This terraform module is designed to generate consistent label names and +# tags for resources. You can use terraform-labels to implement a strict +# naming convention +module "labels" { + source = "clouddrove/labels/aws" + version = "0.15.0" + + name = var.name + environment = var.environment + label_order = var.label_order + managedby = var.managedby +} + + +resource "aws_shield_protection" "default" { + count = var.enabled ? 1 : 0 + name = format("%s-shield", module.labels.id) + resource_arn = var.resource_arn + tags = module.labels.tags + +} \ No newline at end of file diff --git a/modules/shield/output.tf b/modules/shield/output.tf new file mode 100644 index 0000000..5a41771 --- /dev/null +++ b/modules/shield/output.tf 
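Review bot: None of `enabled`, `enable_cis_standard`, `enable_pci_dss_standard` or `enable_aws_foundational_standard` declares `type = bool`, unlike modules/shield/variable.tf in this same series where `enabled` is typed, so a string such as `"false"` is accepted and coerced rather than rejected at plan; add `type = bool` to each of the four. The `enable_aws_foundational_standard` description says "AWS Foundations standard", but the subscription in main.tf targets `aws-foundational-security-best-practices`; `description = "Boolean whether the AWS Foundational Security Best Practices standard is enabled."` matches the resource.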
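Review bot: `aws_shield_protection.default` is created whenever `var.enabled` is true, but the module's variable.tf defaults `resource_arn` to `""`, so enabling the module without an ARN yields a protection with an empty `resource_arn` that fails at apply rather than at plan; guard it with `count = var.enabled && var.resource_arn != "" ? 1 : 0` or drop the empty default. `shield_name` is declared in variable.tf but never read — the protection is named by `format("%s-shield", module.labels.id)` — so either wire it in (`name = var.shield_name != "" ? var.shield_name : format("%s-shield", module.labels.id)`) or remove the variable. The `labels` module call omits `attributes`, `delimiter` and `tags`, although variable.tf declares all three, so values a caller passes for them are silently ignored; the same unused-input point applies to modules/shield/variable.tf.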
@@ -0,0 +1,9 @@ +output "id" { + value = join("", aws_shield_protection.default.*.id) + description = "The unique identifier (ID) for the Protection object that is created." +} + +output "arn" { + value = join("", aws_shield_protection.default.*.arn) + description = "The unique identifier (ID) for the Protection object that is created." +} \ No newline at end of file diff --git a/modules/shield/variable.tf b/modules/shield/variable.tf new file mode 100644 index 0000000..669d6d2 --- /dev/null +++ b/modules/shield/variable.tf @@ -0,0 +1,55 @@ +#Module : LABEL +#Description : Terraform label module variables. +variable "name" { + type = string + default = "" + description = "Name (e.g. `app` or `cluster`)." +} + +variable "environment" { + type = string + default = "" + description = "Environment (e.g. `prod`, `dev`, `staging`)." +} + +variable "label_order" { + type = list(any) + default = [] + description = "Label order, e.g. `name`,`application`." +} + +variable "attributes" { + type = list(any) + default = [] + description = "Additional attributes (e.g. `1`)." +} + +variable "delimiter" { + type = string + default = "-" + description = "Delimiter to be used between `organization`, `environment`, `name` and `attributes`." +} + +variable "tags" { + type = map(any) + default = {} + description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)." +} + +variable "enabled" { + type = bool + default = true + description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." +} + +variable "shield_name" { + type = string + default = "" + description = "A friendly name for the Protection you are creating." +} + +variable "resource_arn" { + type = string + default = "" + description = "The ARN (Amazon Resource Name) of the resource to be protected." +} diff --git a/variables.tf b/variables.tf index b281f6c..8b4186b 100644 --- a/variables.tf +++ b/variables.tf 
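Review bot: The `arn` output reuses the `id` output's description verbatim, so generated docs will describe the ARN as "The unique identifier (ID)"; change it to `description = "The ARN of the Protection object that is created."`. Both outputs fold the counted resource with `join("", ...)`, which yields an empty string when the module is disabled, and that is worth stating in each description so callers do not treat `""` as a real identifier.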
@@ -500,4 +500,50 @@ variable "schedule_expression" { type = string default = "cron(0 14 ? * THU *)" # Run every Thursday at 2PM UTC/9AM EST/10AM EDT description = "AWS Schedule Expression: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html" +} + +#shield +variable "shield_enable" { + description = "The boolean flag whether shield module is enabled or not. No resources are created when set to false." + default = false +} + +variable "resource_arn" { + type = string + description = "The ARN (Amazon Resource Name) of the resource to be protected." +} + +#ebs +variable "default_ebs_enable" { + description = "The boolean flag whether Default EBS module is enabled or not. No resources are created when set to false." + default = false +} + +#Security Hub +variable "member_accounts" { + description = "A list of IDs and emails of AWS accounts which associated as member accounts." + type = list(object({ + account_id = string + email = string + })) + default = [] +} +variable "security_hub_enable" { + description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." + default = true +} + +variable "enable_cis_standard" { + description = "Boolean whether CIS standard is enabled." + default = true +} + +variable "enable_pci_dss_standard" { + description = "Boolean whether PCI DSS standard is enabled." + default = true +} + +variable "enable_aws_foundational_standard" { + description = "Boolean whether AWS Foundations standard is enabled." + default = true } \ No newline at end of file From 0b771c63c913d2c8e511c1132312545a72d1046b Mon Sep 17 00:00:00 2001 From: HarmanJyot Kaur Date: Wed, 28 Jul 2021 22:12:50 +0530 Subject: [PATCH 2/2] updated example --- _example/example.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_example/example.tf b/_example/example.tf index ee559e6..d49e727 100644 --- a/_example/example.tf +++ b/_example/example.tf 
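Review bot: `resource_arn` is the only new root variable without a default, so every caller must supply it even with `shield_enable = false`; give it `default = ""` and let the shield module refuse an empty ARN when it is enabled, or document it as required in the description. `security_hub_enable` defaults to `true` while `shield_enable` and `default_ebs_enable` default to `false`, and its description is the generic "whether this module is enabled" text rather than naming Security Hub; `default = false` plus `description = "The boolean flag whether the Security Hub module is enabled or not. No resources are created when set to false."` would align it with its siblings. None of the new boolean variables carries `type = bool`, so add it to each. The `member_accounts` block is also the only one with no blank line before the next `variable`, which `terraform fmt` will not fix on its own.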
@@ -129,7 +129,7 @@ module "secure_baseline" { shield_enable = false # EBS - default_ebs_enable = false + default_ebs_enable = true # Security Hub security_hub_enable = false