feat: AWS Terraform Modules

[afiune]

AWS Terraform Modules

Introducing our AWS Terraform Modules to configure AWS Config and CloudTrail integrations.

This change adds three main Terraform modules:

• AWS IAM Role (aws/modules/iam_role)
• AWS Config (aws/modules/config)
• AWS CloudTrail (aws/modules/cloudtrail)

AWS IAM Role Module

Both of our integrations (Config and CloudTrail) require to have an IAM Role
with an assume role policy, this module abstracts the management of this role
that is used by both AWS Config and AWS CloudTrail Modules.

AWS Config Module

This module creates the Lacework IAM Role and a Lacework AWS_CFG external integration.

provider "aws" {}

provider "lacework" {}

module "aws_config" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/config"
}

AWS CouldTrail Module

Use this module to create and configure CloudTrail in your AWS account, such
configuration will be used to create an AWS CloudTrail external integration in
your Lacework account.

This module will:

• Enable a CloudTrail
• Create a CloudTrail S3 bucket
• Create an SNS topic
• Create and subscribe an SQS queue to the CT SNS topic
• Create a Lacework IAM Role
• Create a cross-account policy and attached to the Lacework IAM Role
• Create an AWS_CT_SQS Lacework external integration

provider "aws" {}

provider "lacework" {}

module "aws_cloudtrail" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/cloudtrail"
}

Both Modules

Using both modules will allow users to have both Lacework external integrations,
AWS Config and CloudTrail. The modules are designed to work together like the
following example:

provider "aws" {}

provider "lacework" {}

module "aws_config" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/config"
}

module "aws_cloudtrail" {
	source = "github.com/lacework/terraform-provisioning/aws/modules/cloudtrail"
	bucket_force_destroy  = true
	use_existing_iam_role = true
	iam_role_name         = module.aws_config.iam_role_name
	iam_role_external_id  = module.aws_config.external_id
}

Signed-off-by: Salim Afiune Maya afiune@lacework.net

[smford22]

@afiune I still think we need to be more verbose with our naming conventions for the folder. "simple1-from-scratch" means something to you and me, but maybe not to our users. Thoughts?

[afiune]

@scottford-lw I could not agree more with you, we also need a ton of documentation
that I would really appreciate help with. 💯

[scottford-lw]

@afiune spelling ;)

[scottford-lw]

@afiune thinking further I am not sure that we really need examples for the config and iam_role that don't pass any attributes. I think we can just show the examples customizing the vars, but if we want to keep both examples, what do you think about this...?

modules
├── cloudtrail
│   └── examples
│       ├── complete-cloudtrail
│       ├── existing-cloudtrail
│       └── existing-cloudtrail-iam-role
├── config
│   └── examples
│       ├── custom-config
│       └── default-config
└── iam_role
    └── examples
        ├── custom-config
        └── default-config

[scottford-lw]

Once we merge this we will dive into the README files for the project and make it super clear how to get these working.

[scottford-lw]