feat(guardrails): add module

Author: Script47

guardrails/README.md

@@ -0,0 +1,39 @@
+# Guardrails
+
+## About
+
+This module allows you to setup default guardrails to harden your AWS account with the following features:
+
+- EBS encryption by default
+- S3 account wide public block access
+- IAM account password policy
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "guardrails" {
+  source      = "github.com/script47/aws-tf-modules/guardrails"
+
+  ebs = {
+    encrypted = true
+  }
+
+  s3 = {
+    public_access_block = {
+        enabled                 = true
+        block_public_acls       = true
+        block_public_policy     = true
+        ignore_public_acls      = true
+        restrict_public_buckets = true
+    }
+  }
+
+  iam = {
+    password_policy = {
+
+    }
+  }
+}
+```

guardrails/iam.tf

@@ -1 +1,14 @@
-# aws_iam_account_password_policy
+resource "aws_iam_account_password_policy" "this" {
+  count = var.iam.password_policy.enabled ? 1 : 0
+
+  allow_users_to_change_password = var.iam.password_policy.allow_users_to_change_password
+  password_reuse_prevention      = var.iam.password_policy.password_reuse_prevention
+  hard_expiry                    = var.iam.password_policy.hard_expiry
+  max_password_age               = var.iam.password_policy.max_password_age
+  minimum_password_length        = var.iam.password_policy.minimum_password_length
+
+  require_lowercase_characters   = var.iam.password_policy.require_lowercase_characters
+  require_uppercase_characters   = var.iam.password_policy.require_uppercase_characters
+  require_numbers                = var.iam.password_policy.require_numbers
+  require_symbols                = var.iam.password_policy.require_symbols
+}

guardrails/providers.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.13"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 6"
+    }
+  }
+}

guardrails/s3.tf

@@ -1,6 +1,8 @@
 resource "aws_s3_account_public_access_block" "this" {
-  block_public_acls       = var.s3.block_public_acls
-  block_public_policy     = var.s3.block_public_policy
-  ignore_public_acls      = var.s3.ignore_public_acls
-  restrict_public_buckets = var.s3.restrict_public_buckets
+  count = var.s3.public_access_block.enabled
+
+  block_public_acls       = var.s3.public_access_block.block_public_acls
+  block_public_policy     = var.s3.public_access_block.block_public_policy
+  ignore_public_acls      = var.s3.public_access_block.ignore_public_acls
+  restrict_public_buckets = var.s3.public_access_block.restrict_public_buckets
 }

guardrails/variables.tf

@@ -1,29 +1,41 @@
 variable "ebs" {
+  description = "EBS account-level config"
   type = object({
     encrypted = optional(bool, true)
   })
   default = {}
 }
 
 variable "s3" {
+  description = "S3 account-level config"
   type = object({
-    block_public_acls       = optional(bool, true)
-    block_public_policy     = optional(bool, true)
-    ignore_public_acls      = optional(bool, true)
-    restrict_public_buckets = optional(bool, true)
+    public_access_block = optional(object({
+      enabled                 = optional(bool, true)
+      block_public_acls       = optional(bool, true)
+      block_public_policy     = optional(bool, true)
+      ignore_public_acls      = optional(bool, true)
+      restrict_public_buckets = optional(bool, true)      
+    }), {})
   })
   default = {}
 }
 
-# variable "iam" {
-#   type = object({
-#      password_policy = optional(object({
-#         allow_password_change = optional(bool, true)
-          # reuse_prevention = optional(bool, true)
-#         hard_expiry = optional(bool, false)
-#         max_password_age = optional(number, null)
-          # min_length = optional(number, 8)
+variable "iam" {
+  description = "IAM account-level config"
+  type = object({
+    password_policy = optional(object({
+      enabled                        = optional(bool, true)
+      allow_users_to_change_password = optional(bool, true)
+      password_reuse_prevention      = optional(number, 0)
+      hard_expiry                    = optional(bool, false)
+      max_password_age               = optional(number, null)
+      minimum_password_length        = optional(number, 12)
 
-#      }), {}) 
-#   })
-# }
+      require_lowercase_characters   = optional(bool, true)
+      require_uppercase_characters   = optional(bool, true)
+      require_numbers                = optional(bool, true)
+      require_symbols                = optional(bool, true)
+    }), {})
+  })
+  default = {}
+}