Add compliance regulations tweaks (#102)

elastio · Sep 13, 2024 · f835ee2 · f835ee2
1 parent fc3c704
commit f835ee2
Show file tree

Hide file tree

Showing 6 changed files with 369 additions and 23 deletions.
diff --git a/elastio-nat-provision-lambda/README.md b/elastio-nat-provision-lambda/README.md
@@ -17,18 +17,18 @@ be no route `0.0.0.0/0` configured in the route table of the private subnet.
 
 1. Use one of the following quick-create links. Choose the region where your Elastio Cloud Connector is deployed.
 
-    * [us-east-1](https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [us-east-2](https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [us-west-1](https://us-west-1.console.aws.amazon.com/cloudformation/home?region=us-west-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [us-west-2](https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [eu-central-1](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [eu-west-1](https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [eu-west-2](https://eu-west-2.console.aws.amazon.com/cloudformation/home?region=eu-west-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [eu-west-3](https://eu-west-3.console.aws.amazon.com/cloudformation/home?region=eu-west-3#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [ca-central-1](https://ca-central-1.console.aws.amazon.com/cloudformation/home?region=ca-central-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [ap-south-1](https://ap-south-1.console.aws.amazon.com/cloudformation/home?region=ap-south-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [ap-southeast-1](https://ap-southeast-1.console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
-    * [ap-southeast-2](https://ap-southeast-2.console.aws.amazon.com/cloudformation/home?region=ap-southeast-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [us-east-1](https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [us-east-2](https://us-east-2.console.aws.amazon.com/cloudformation/home?region=us-east-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [us-west-1](https://us-west-1.console.aws.amazon.com/cloudformation/home?region=us-west-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [us-west-2](https://us-west-2.console.aws.amazon.com/cloudformation/home?region=us-west-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [eu-central-1](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [eu-west-1](https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [eu-west-2](https://eu-west-2.console.aws.amazon.com/cloudformation/home?region=eu-west-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [eu-west-3](https://eu-west-3.console.aws.amazon.com/cloudformation/home?region=eu-west-3#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [ca-central-1](https://ca-central-1.console.aws.amazon.com/cloudformation/home?region=ca-central-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [ap-south-1](https://ap-south-1.console.aws.amazon.com/cloudformation/home?region=ap-south-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [ap-southeast-1](https://ap-southeast-1.console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
+    * [ap-southeast-2](https://ap-southeast-2.console.aws.amazon.com/cloudformation/home?region=ap-southeast-2#/stacks/create/review?templateURL=https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml&stackName=elastio-nat-provision-lambda)
 
 2. Check the box in front of `I acknowledge that AWS CloudFormation might create IAM resources`
     and click `Create stack`.
@@ -37,5 +37,5 @@ be no route `0.0.0.0/0` configured in the route table of the private subnet.
 
 To update the existing CFN stack use the Cloudformation UI or AWS CLI and pass the following CFN template link to replace the existing template:
 ```
-https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v4/cloudformation-lambda.yaml
+https://elastio-prod-artifacts-us-east-2.s3.us-east-2.amazonaws.com/contrib/elastio-nat-provision-lambda/v5/cloudformation-lambda.yaml
 ```
diff --git a/elastio-nat-provision-lambda/cloudformation-lambda.yaml b/elastio-nat-provision-lambda/cloudformation-lambda.yaml
@@ -56,6 +56,44 @@ Parameters:
     AllowedValues: [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653]
     Description: The number of days to retain the log events in the lambda's log group
 
+  LambdaTracing:
+    Type: String
+    Default: 'false'
+    AllowedValues: ['true', 'false']
+    Description: Enable AWS X-Ray tracing for the lambda function
+
+  EncryptWithCmk:
+    Type: String
+    AllowedValues: ['true', 'false']
+    Default: 'false'
+    Description: Add a custom prefix to names of all IAM resources deployed by this stack
+
+  IamResourceNamesPrefix:
+    Type: String
+    Default: ''
+    Description: Prefix for the IAM resources created by this stack
+
+  IamResourceNamesSuffix:
+    Type: String
+    Default: ''
+    Description: Add a custom suffix to names of all IAM resources deployed by this stack
+
+  GlobalManagedPolicies:
+    Type: String
+    Default: ''
+    Description: Comma separated list of IAM managed policies ARNs to attach to all Elastio IAM roles
+
+  GlobalPermissionBoundary:
+    Type: String
+    Default: ''
+    Description: The ARN of the IAM managed policy to use as a permission boundary for all Elastio IAM roles
+
+Conditions:
+  LambdaTracingCondition: !Equals [!Ref LambdaTracing, 'true']
+  EncryptWithCmkCondition: !Equals [!Ref EncryptWithCmk, 'true']
+  GlobalManagedPoliciesNotEmptyCondition: !Not [!Equals [!Ref GlobalManagedPolicies, '']]
+  GlobalPermissionBoundaryNotEmptyCondition: !Not [!Equals [!Ref GlobalPermissionBoundary, '']]
+
 Resources:
   # The default log group that AWS Lambda creates has retention disabled.
   # We don't want to store logs indefinitely, so we create a custom log group with
@@ -72,6 +110,16 @@ Resources:
   lambdaRole:
     Type: AWS::IAM::Role
     Properties:
+      RoleName: !Join
+        - ""
+        - - !Ref IamResourceNamesPrefix
+          - ElastioNatProvisionLambda
+          - "-"
+          # This stack can be deployed in many regions, so we need to include the region in the name
+          # to avoid name conflicts between regions.
+          - !Ref AWS::Region
+          - !Ref IamResourceNamesSuffix
+
       Tags:
         - Key: elastio:resource
           Value: 'true'
@@ -83,6 +131,23 @@ Resources:
             Principal:
               Service: lambda.amazonaws.com
             Action: sts:AssumeRole
+
+      PermissionsBoundary: !If
+        - GlobalPermissionBoundaryNotEmptyCondition
+        - !Ref GlobalPermissionBoundary
+        - !Ref AWS::NoValue
+
+      ManagedPolicyArns: !If
+        - GlobalManagedPoliciesNotEmptyCondition
+        - !Split
+          - ","
+          - !Join
+            - ","
+            - - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
+              - !Ref GlobalManagedPolicies
+        - [arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess]
+
+
       Policies:
         - PolicyName: ElastioNatProvisionPolicy
           PolicyDocument:
@@ -131,10 +196,30 @@ Resources:
   lambdaInvocationRole:
     Type: AWS::IAM::Role
     Properties:
+      RoleName: !Join
+        - ""
+        - - !Ref IamResourceNamesPrefix
+          - ElastioNatProvisionLambdaInvocation
+          - "-"
+          # This stack can be deployed in many regions, so we need to include the region in the name
+          # to avoid name conflicts between regions.
+          - !Ref AWS::Region
+          - !Ref IamResourceNamesSuffix
+
       Tags:
         - Key: elastio:resource
           Value: 'true'
 
+      PermissionsBoundary: !If
+        - GlobalPermissionBoundaryNotEmptyCondition
+        - !Ref GlobalPermissionBoundary
+        - !Ref AWS::NoValue
+
+      ManagedPolicyArns: !If
+        - GlobalManagedPoliciesNotEmptyCondition
+        - !Split [",", !Ref GlobalManagedPolicies]
+        - !Ref AWS::NoValue
+
       AssumeRolePolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -145,7 +230,7 @@ Resources:
                 - scheduler.amazonaws.com
             Action: sts:AssumeRole
       Policies:
-        - PolicyName: lambdaInvokePolicy
+        - PolicyName: LambdaInvokePolicy
           PolicyDocument:
             Version: 2012-10-17
             Statement:
@@ -157,10 +242,30 @@ Resources:
   stateMachineExecutionRole:
     Type: AWS::IAM::Role
     Properties:
+      RoleName: !Join
+        - ""
+        - - !Ref IamResourceNamesPrefix
+          - ElastioNatProvisionStateMachineExecution
+          - "-"
+          # This stack can be deployed in many regions, so we need to include the region in the name
+          # to avoid name conflicts between regions.
+          - !Ref AWS::Region
+          - !Ref IamResourceNamesSuffix
+
       Tags:
         - Key: elastio:resource
           Value: 'true'
 
+      PermissionsBoundary: !If
+        - GlobalPermissionBoundaryNotEmptyCondition
+        - !Ref GlobalPermissionBoundary
+        - !Ref AWS::NoValue
+
+      ManagedPolicyArns: !If
+        - GlobalManagedPoliciesNotEmptyCondition
+        - !Split [",", !Ref GlobalManagedPolicies]
+        - !Ref AWS::NoValue
+
       AssumeRolePolicyDocument:
         Version: 2012-10-17
         Statement:
@@ -169,7 +274,7 @@ Resources:
               Service: events.amazonaws.com
             Action: sts:AssumeRole
       Policies:
-        - PolicyName: startStateMachinePolicy
+        - PolicyName: StartStateMachinePolicy
           PolicyDocument:
             Version: 2012-10-17
             Statement:
@@ -178,6 +283,33 @@ Resources:
                   - states:StartExecution
                 Resource: !GetAtt natGatewayCleanupStateMachine.Arn
 
+  kmsEncryptionKey:
+    Condition: EncryptWithCmkCondition
+    Type: AWS::KMS::Key
+    Properties:
+      Description: KMS key for Elastio NAT Gateway provisioner stack
+      EnableKeyRotation: true
+      PendingWindowInDays: 7
+      Tags:
+        - Key: elastio:resource
+          Value: 'true'
+      KeyPolicy:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: Allow administration of the key
+            Effect: Allow
+            Principal:
+              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            Action: kms:*
+            Resource: '*'
+
+  kmsEncryptionKeyAlias:
+    Condition: EncryptWithCmkCondition
+    Type: AWS::KMS::Alias
+    Properties:
+      AliasName: alias/elastio-nat-gateway-provisioner-encryption
+      TargetKeyId: !Ref kmsEncryptionKey
+
   lambdaFunction:
     Type: AWS::Lambda::Function
     Properties:
@@ -191,6 +323,17 @@ Resources:
       MemorySize: !Ref LambdaMemorySize
       Timeout: !Ref LambdaTimeout
       Role: !GetAtt lambdaRole.Arn
+
+      TracingConfig: !If
+        - LambdaTracingCondition
+        - Mode: Active
+        - !Ref AWS::NoValue
+
+      KmsKeyArn: !If
+        - EncryptWithCmkCondition
+        - !GetAtt kmsEncryptionKey.Arn
+        - !Ref AWS::NoValue
+
       Environment:
         Variables:
           NAT_GATEWAY_SCOPE: !Ref NatGatewayScope
@@ -302,8 +445,9 @@ Resources:
       Tags:
         - Key: elastio:resource
           Value: 'true'
-      StateMachineName: elastio-nat-gateway-provision-state-machine
+      StateMachineName: elastio-nat-gateway-provision
       RoleArn: !GetAtt lambdaInvocationRole.Arn
+
       Definition:
         StartAt: Wait
         States:

diff --git a/elastio-nat-provision-lambda/version b/elastio-nat-provision-lambda/version
@@ -1 +1 @@
-v4
+v5
diff --git a/elastio-terraform-deployment/README.md b/elastio-terraform-deployment/README.md
@@ -57,6 +57,9 @@ module "elastio" {
         "subnet-0004",
       ]
     }
+
+    # Other optional configuration tweaks. See `module/variables.tf` for more info
+    # iam_resource_names_prefix = "prefix"
   ]
 
   # This input is optional. Here you can specify the version of the NAT provisioning stack.

diff --git a/elastio-terraform-deployment/module/main.tf b/elastio-terraform-deployment/module/main.tf
@@ -22,19 +22,73 @@ data "http" "cloudformation_template" {
   }
 }
 
+locals {
+  global_acc_cfn_params = {
+    encryptWithCmk = var.encrypt_with_cmk,
+    lambdaTracing  = var.lambda_tracing,
+    globalManagedPolicies = (
+      var.global_managed_policies == null
+      ? null
+      : join(",", var.global_managed_policies)
+    ),
+    globalPermissionBoundary          = var.global_permission_boundary,
+    iamResourceNamesPrefix            = var.iam_resource_names_prefix
+    iamResourceNamesSuffix            = var.iam_resource_names_suffix
+    iamResourceNamesStatic            = var.iam_resource_names_static
+    disableCustomerManagedIamPolicies = var.disable_customer_managed_iam_policies
+    supportRoleExpirationDate         = var.support_role_expiration_date
+    tenantRoleArn                     = "arn:aws:iam::176355207749:role/vkryvenko.development.elastio.us"
+  }
+
+  enriched_connectors = [
+    for connector in var.elastio_cloud_connectors :
+    merge(
+      connector,
+      {
+        # Add the PascalCase version of the region name, because this is the
+        # naming convention used in CFN parameters for regional settings.
+        region_pascal = join(
+          "",
+          [for word in split("-", connector.region) : title(word)]
+        )
+      }
+    )
+  ]
+
+  regional_acc_cfn_params = merge(
+    [
+      for connector in local.enriched_connectors :
+      {
+        "s3AccessLoggingTargetBucket${connector.region_pascal}"          = connector.s3_access_logging.target_bucket,
+        "s3AccessLoggingTargetPrefix${connector.region_pascal}"          = connector.s3_access_logging.target_prefix,
+        "s3AccessLoggingTargetObjectKeyFormat${connector.region_pascal}" = connector.s3_access_logging.target_object_key_format,
+      }
+      if connector.s3_access_logging != null
+    ]
+    ...
+  )
+
+  account_level_stack_params = {
+    for key, value in merge(local.global_acc_cfn_params, local.regional_acc_cfn_params) :
+    key => tostring(value)
+    if value != null
+  }
+}
+
 resource "aws_cloudformation_stack" "elastio_account_level_stack" {
   name         = "elastio-account-level-stack"
   template_url = data.http.cloudformation_template.response_body
   tags = {
     "elastio:resource" = "true"
   }
   capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters   = local.account_level_stack_params
 }
 
 resource "aws_cloudformation_stack" "elastio_nat_provision_stack" {
   count = var.elastio_nat_provision_stack == null ? 0 : 1
 
-  name = "elastio-nat-provision-lambda"
+  name         = "elastio-nat-provision-lambda"
   template_url = join(
     "/",
     [
@@ -46,7 +100,23 @@ resource "aws_cloudformation_stack" "elastio_nat_provision_stack" {
   tags = {
     "elastio:resource" = "true"
   }
-  capabilities = ["CAPABILITY_IAM"]
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    for key, value in {
+      EncryptWithCmk         = var.encrypt_with_cmk
+      LambdaTracing          = var.lambda_tracing
+      IamResourceNamesPrefix = var.iam_resource_names_prefix
+      IamResourceNamesSuffix = var.iam_resource_names_suffix
+      GlobalManagedPolicies = (
+        var.global_managed_policies == null
+        ? null
+        : join(",", var.global_managed_policies)
+      ),
+      GlobalPermissionBoundary = var.global_permission_boundary,
+    } :
+    key => tostring(value)
+    if value != null
+  }
 }
 
 data "aws_caller_identity" "current" {}
@@ -68,8 +138,11 @@ resource "terraform_data" "elastio_cloud_connector" {
     request.region => request
   }
 
-  input            = each.value
-  triggers_replace = each.value
+  input = each.value
+  triggers_replace = {
+    connector      = each.value,
+    acc_cfn_params = local.account_level_stack_params,
+  }
 
   provisioner "local-exec" {
     command = <<CMD