Moves ksoc connect module to rad-security #1

maximillianbrain1 · 2024-06-10T11:44:07Z

Moves the ksoc-connect module to rad-security organization and provider. I added permissions to allow both ksoc-connector and rad-security connector roles to assume the role created in a customer's account. It will register the rad-security-connector role when registering with our API. We remove the ksoc-connect role once all of our customers re-register using the new module. I am not familiar with EKS Audit Logging, so I did not touch those resources.

Local terraform plan output:

Terraform will perform the following actions:

  # module.rad-security-connect.data.aws_iam_policy_document.firehose_to_s3[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "firehose_to_s3"  {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:AbortMultipartUpload",
              + "s3:GetBucketLocation",
              + "s3:GetObject",
              + "s3:ListBucket",
              + "s3:ListBucketMultipartUploads",
              + "s3:PutObject",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]
        }
    }

  # module.rad-security-connect.data.aws_iam_policy_document.ksoc_s3_access[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "ksoc_s3_access"  {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "s3:GetObject",
              + "s3:ListBucket",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]
        }
    }

  # module.rad-security-connect.data.aws_iam_policy_document.logs_to_firehose[0] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "logs_to_firehose"  {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "firehose:PutRecord",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.rad-security-connect.aws_cloudwatch_log_subscription_filter.subscription_filter["/aws/eks/pe-sbx-us-west-2/cluster"] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "subscription_filter" {
      + destination_arn = (known after apply)
      + distribution    = "Random"
      + filter_pattern  = "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"
      + id              = (known after apply)
      + log_group_name  = "/aws/eks/pe-sbx-us-west-2/cluster"
      + name            = "ksoc-audit-logs"
      + role_arn        = (known after apply)
    }

  # module.rad-security-connect.aws_cloudwatch_log_subscription_filter.subscription_filter["/aws/eks/sbx-operator-testing-0563cfff/cluster"] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "subscription_filter" {
      + destination_arn = (known after apply)
      + distribution    = "Random"
      + filter_pattern  = "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"
      + id              = (known after apply)
      + log_group_name  = "/aws/eks/sbx-operator-testing-0563cfff/cluster"
      + name            = "ksoc-audit-logs"
      + role_arn        = (known after apply)
    }

  # module.rad-security-connect.aws_iam_instance_profile.this will be created
  + resource "aws_iam_instance_profile" "this" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = "rad-security-connect"
      + name_prefix = (known after apply)
      + path        = "/"
      + role        = "rad-security-connect"
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

  # module.rad-security-connect.aws_iam_policy.connect_policy["0"] will be created
  + resource "aws_iam_policy" "connect_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Part 0 of the policy required for rad-security-connect"
      + id               = (known after apply)
      + name             = "rad-security_connect_policy_0"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "account:GetAlternateContact",
                          + "acm:DescribeCertificate",
                          + "acm:ListCertificates",
                          + "apigateway:GET",
                          + "application-autoscaling:DescribeScalingPolicies",
                          + "autoscaling:DescribeAutoScalingGroups",
                          + "autoscaling:DescribeLaunchConfigurations",
                          + "autoscaling:DescribeLifecycleHooks",
                          + "autoscaling:DescribeLoadBalancerTargetGroups",
                          + "autoscaling:DescribeLoadBalancers",
                          + "autoscaling:DescribeNotificationConfigurations",
                          + "autoscaling:DescribePolicies",
                          + "backup:DescribeRecoveryPoint",
                          + "backup:GetBackupPlan",
                          + "backup:GetBackupVaultAccessPolicy",
                          + "backup:ListBackupPlans",
                          + "backup:ListBackupVaults",
                          + "backup:ListRecoveryPointsByBackupVault",
                          + "cloudformation:DescribeStacks",
                          + "cloudformation:ListStacks",
                          + "cloudfront:GetDistribution",
                          + "cloudfront:ListDistributions",
                          + "cloudtrail:DescribeTrails",
                          + "cloudtrail:GetEventSelectors",
                          + "cloudtrail:GetTrail",
                          + "cloudtrail:GetTrailStatus",
                          + "cloudtrail:ListTags",
                          + "cloudtrail:ListTrails",
                          + "cloudwatch:DescribeAlarms",
                          + "cloudwatch:ListMetrics",
                          + "cloudwatch:ListTagsForResource",
                          + "codebuild:BatchGetProjects",
                          + "codebuild:ListProjects",
                          + "codebuild:ListSharedProjects",
                          + "codepipeline:GetPipeline",
                          + "codepipeline:ListPipelines",
                          + "codepipeline:ListWebhooks",
                          + "config:DescribeConfigurationRecorderStatus",
                          + "config:DescribeConfigurationRecorders",
                          + "config:DescribeDeliveryChannels",
                          + "dax:DescribeClusters",
                          + "dax:ListTags",
                          + "directconnect:DescribeConnections",
                          + "directconnect:DescribeLags",
                          + "dms:DescribeReplicationInstances",
                          + "dynamodb:DescribeContinuousBackups",
                          + "dynamodb:DescribeTable",
                          + "dynamodb:DescribeTableReplicaAutoScaling",
                          + "dynamodb:ListTables",
                          + "dynamodb:ListTagsOfResource",
                          + "ec2:DescribeAddresses",
                          + "ec2:DescribeFlowLogs",
                          + "ec2:DescribeHosts",
                          + "ec2:DescribeImageAttribute",
                          + "ec2:DescribeImages",
                          + "ec2:DescribeInstances",
                          + "ec2:DescribeInternetGateways",
                          + "ec2:DescribeNetworkAcls",
                          + "ec2:DescribeNetworkInterfaces",
                          + "ec2:DescribeRegions",
                          + "ec2:DescribeRouteTables",
                          + "ec2:DescribeSecurityGroups",
                          + "ec2:DescribeSnapshotAttribute",
                          + "ec2:DescribeSnapshots",
                          + "ec2:DescribeSubnets",
                          + "ec2:DescribeTransitGatewayAttachments",
                          + "ec2:DescribeTransitGateways",
                          + "ec2:DescribeVolumes",
                          + "ec2:DescribeVpcEndpoints",
                          + "ec2:DescribeVpcs",
                          + "ec2:DescribeVpnConnections",
                          + "ec2:DescribeVpnGateways",
                          + "ec2:GetEbsDefaultKmsKeyId",
                          + "ec2:GetEbsEncryptionByDefault",
                          + "ecr:DescribeImageScanFindings",
                          + "ecr:DescribeImages",
                          + "ecr:DescribeRegistry",
                          + "ecr:DescribeRepositories",
                          + "ecr:GetLifecyclePolicy",
                          + "ecr:GetRepositoryPolicy",
                          + "ecr:ListTagsForResource",
                          + "ecs:DescribeClusters",
                          + "ecs:DescribeServices",
                          + "ecs:ListClusters",
                          + "ecs:ListServices",
                          + "ecs:ListTaskDefinitions",
                          + "eks:DescribeAddon",
                          + "eks:DescribeCluster",
                          + "eks:DescribeFargateProfile",
                          + "eks:DescribeIdentityProviderConfig",
                          + "eks:DescribeNodegroup",
                          + "eks:ListAddons",
                          + "eks:ListClusters",
                          + "eks:ListFargateProfiles",
                          + "eks:ListIdentityProviderConfigs",
                          + "eks:ListNodegroups",
                          + "elasticache:DescribeCacheClusters",
                          + "elasticache:DescribeSnapshots",
                          + "elasticache:ListTagsForResource",
                          + "elasticbeanstalk:DescribeConfigurationSettings",
                          + "elasticbeanstalk:DescribeEnvironmentResources",
                          + "elasticbeanstalk:DescribeEnvironments",
                          + "elasticfilesystem:DescribeAccessPoints",
                          + "elasticfilesystem:DescribeFileSystemPolicy",
                          + "elasticfilesystem:DescribeFileSystems",
                          + "elasticloadbalancing:DescribeListeners",
                          + "elasticloadbalancing:DescribeLoadBalancerAttributes",
                          + "elasticloadbalancing:DescribeLoadBalancerPolicies",
                          + "elasticloadbalancing:DescribeLoadBalancers",
                          + "elasticloadbalancing:DescribeTags",
                          + "elasticloadbalancing:DescribeTargetGroups",
                          + "elasticmapreduce:DescribeCluster",
                          + "elasticmapreduce:ListClusters",
                          + "es:DescribeDomain",
                          + "es:ListDomainNames",
                          + "guardduty:GetDetector",
                          + "guardduty:GetFindings",
                          + "guardduty:ListDetectors",
                          + "guardduty:ListFilters",
                          + "guardduty:ListFindings",
                          + "guardduty:ListIPSets",
                          + "guardduty:ListMembers",
                          + "guardduty:ListPublishingDestinations",
                          + "guardduty:ListThreatIntelSets",
                          + "iam:GenerateServiceLastAccessedDetails",
                          + "iam:GetAccountAuthorizationDetails",
                          + "iam:GetAccountPasswordPolicy",
                          + "iam:GetAccountSummary",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "app" = "rad-security"
        }
      + tags_all         = {
          + "app" = "rad-security"
        }
    }

  # module.rad-security-connect.aws_iam_policy.connect_policy["1"] will be created
  + resource "aws_iam_policy" "connect_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Part 1 of the policy required for rad-security-connect"
      + id               = (known after apply)
      + name             = "rad-security_connect_policy_1"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "iam:GetCredentialReport",
                          + "iam:GetGroup",
                          + "iam:GetGroupPolicy",
                          + "iam:GetPolicy",
                          + "iam:GetRole",
                          + "iam:GetRolePolicy",
                          + "iam:GetServiceLastAccessedDetails",
                          + "iam:GetUser",
                          + "iam:ListAccountAliases",
                          + "iam:ListAttachedRolePolicies",
                          + "iam:ListAttachedUserPolicies",
                          + "iam:ListGroupPolicies",
                          + "iam:ListGroups",
                          + "iam:ListPolicies",
                          + "iam:ListPolicyTags",
                          + "iam:ListRolePolicies",
                          + "iam:ListRoles",
                          + "iam:ListUsers",
                          + "iam:ListVirtualMFADevices",
                          + "inspector2:ListCoverage",
                          + "kinesis:DescribeStream",
                          + "kinesis:ListStreams",
                          + "kms:DescribeKey",
                          + "kms:GetKeyPolicy",
                          + "kms:GetKeyRotationStatus",
                          + "kms:ListGrants",
                          + "kms:ListKeys",
                          + "kms:ListResourceTags",
                          + "lambda:GetFunction",
                          + "lambda:GetFunctionCodeSigningConfig",
                          + "lambda:GetPolicy",
                          + "lambda:GetRuntimeManagementConfig",
                          + "lambda:ListAliases",
                          + "lambda:ListEventSourceMappings",
                          + "lambda:ListFunctionEventInvokeConfigs",
                          + "lambda:ListFunctionUrlConfigs",
                          + "lambda:ListFunctions",
                          + "lambda:ListProvisionedConcurrencyConfigs",
                          + "lambda:ListVersionsByFunction",
                          + "lightsail:GetContainerServiceDeployments",
                          + "lightsail:GetContainerServices",
                          + "lightsail:GetDisk",
                          + "lightsail:GetDisks",
                          + "lightsail:GetDistributions",
                          + "lightsail:GetInstances",
                          + "lightsail:GetLoadBalancer",
                          + "lightsail:GetLoadBalancers",
                          + "lightsail:GetStaticIp",
                          + "lightsail:GetStaticIps",
                          + "logs:DescribeLogGroups",
                          + "logs:DescribeMetricFilters",
                          + "logs:DescribeSubscriptionFilters",
                          + "logs:ListTagsLogGroup",
                          + "organizations:DescribeAccount",
                          + "organizations:DescribeOrganization",
                          + "organizations:ListAccounts",
                          + "rds:DescribeDBClusterSnapshotAttributes",
                          + "rds:DescribeDBClusterSnapshots",
                          + "rds:DescribeDBClusters",
                          + "rds:DescribeDBInstances",
                          + "rds:DescribeDBSecurityGroups",
                          + "rds:DescribeDBSnapshots",
                          + "rds:DescribeEventSubscriptions",
                          + "rds:ListTagsForResource",
                          + "redshift:DescribeClusterParameterGroups",
                          + "redshift:DescribeClusterParameters",
                          + "redshift:DescribeClusters",
                          + "route53:GetHostedZone",
                          + "route53:ListHostedZones",
                          + "route53:ListQueryLoggingConfigs",
                          + "route53:ListResourceRecordSets",
                          + "route53:ListTagsForResources",
                          + "route53:ListTrafficPolicyInstancesByHostedZone",
                          + "s3:GetAccessGrant",
                          + "s3:GetAccountPublicAccessBlock",
                          + "s3:GetBucketAcl",
                          + "s3:GetBucketCors",
                          + "s3:GetBucketLocation",
                          + "s3:GetBucketNotification",
                          + "s3:GetBucketObjectLockConfiguration",
                          + "s3:GetBucketTagging",
                          + "s3:GetBucketWebsite",
                          + "s3:GetEncryptionConfiguration",
                          + "s3:GetLifecycleConfiguration",
                          + "s3:ListAllMyBuckets",
                          + "s3:ListBucket",
                          + "sagemaker:DescribeApp",
                          + "sagemaker:DescribeEndpointConfig",
                          + "sagemaker:DescribeNotebookInstance",
                          + "sagemaker:ListApps",
                          + "sagemaker:ListEndpointConfigs",
                          + "sagemaker:ListNotebookInstances",
                          + "secretsmanager:DescribeSecret",
                          + "secretsmanager:GetResourcePolicy",
                          + "secretsmanager:ListSecretVersionIds",
                          + "secretsmanager:ListSecrets",
                          + "securityhub:GetEnabledStandards",
                          + "securityhub:GetFindings",
                          + "shield:DescribeAttack",
                          + "shield:DescribeProtection",
                          + "shield:DescribeProtectionGroup",
                          + "shield:DescribeSubscription",
                          + "shield:ListAttacks",
                          + "shield:ListProtectionGroups",
                          + "shield:ListProtections",
                          + "sns:GetSubscriptionAttributes",
                          + "sns:GetTopicAttributes",
                          + "sns:ListSubscriptions",
                          + "sns:ListTagsForResource",
                          + "sns:ListTopics",
                          + "sqs:GetQueueAttributes",
                          + "sqs:ListQueueTags",
                          + "sqs:ListQueues",
                          + "ssm:DescribeDocument",
                          + "ssm:DescribeDocumentPermission",
                          + "ssm:DescribeInstanceInformation",
                          + "ssm:DescribeInstancePatches",
                          + "ssm:DescribeParameters",
                          + "ssm:GetDocument",
                          + "ssm:ListComplianceItems",
                          + "ssm:ListDocumentVersions",
                          + "ssm:ListDocuments",
                          + "waf:GetWebACL",
                          + "waf:ListRuleGroups",
                          + "waf:ListWebACLs",
                          + "wafv2:ListRuleGroups",
                          + "wafv2:ListWebACLs",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "app" = "rad-security"
        }
      + tags_all         = {
          + "app" = "rad-security"
        }
    }

  # module.rad-security-connect.aws_iam_policy.ksoc_s3_access[0] will be created
  + resource "aws_iam_policy" "ksoc_s3_access" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = (known after apply)
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # module.rad-security-connect.aws_iam_role.cloudwatch[0] will be created
  + resource "aws_iam_role" "cloudwatch" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = [
                              + "logs.us-west-2.amazonaws.com",
                              + "logs.us-west-1.amazonaws.com",
                              + "logs.us-east-2.amazonaws.com",
                              + "logs.us-east-1.amazonaws.com",
                            ]
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "ksoc-cloudwatch-logs"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = "ksoc-cloudwatch-logs-to-firehose-policy"
          + policy = (known after apply)
        }
    }

  # module.rad-security-connect.aws_iam_role.firehose[0] will be created
  + resource "aws_iam_role" "firehose" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "firehose.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "ksoc-firehose"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = "ksoc-firehose-to-s3-policy"
          + policy = (known after apply)
        }
    }

  # module.rad-security-connect.aws_iam_role.ksoc_s3_access[0] will be created
  + resource "aws_iam_role" "ksoc_s3_access" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::955322216602:role/ksoc-data-pipeline"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "ksoc-audit-logs"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.rad-security-connect.aws_iam_role.this will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = [
                          + "sts:TagSession",
                          + "sts:AssumeRole",
                        ]
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = [
                              + "arn:aws:iam::955322216602:role/rad-security-connector",
                              + "arn:aws:iam::955322216602:role/ksoc-connector",
                            ]
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + description           = "IAM role for rad-security-connect"
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "rad-security-connect"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.rad-security-connect.aws_iam_role_policy_attachment.ksoc_s3_access[0] will be created
  + resource "aws_iam_role_policy_attachment" "ksoc_s3_access" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "ksoc-audit-logs"
    }

  # module.rad-security-connect.aws_iam_role_policy_attachment.rad-security_connect_policy_attachment["0"] will be created
  + resource "aws_iam_role_policy_attachment" "rad-security_connect_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "rad-security-connect"
    }

  # module.rad-security-connect.aws_iam_role_policy_attachment.rad-security_connect_policy_attachment["1"] will be created
  + resource "aws_iam_role_policy_attachment" "rad-security_connect_policy_attachment" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "rad-security-connect"
    }

  # module.rad-security-connect.aws_kinesis_firehose_delivery_stream.firehose[0] will be created
  + resource "aws_kinesis_firehose_delivery_stream" "firehose" {
      + arn            = (known after apply)
      + destination    = "extended_s3"
      + destination_id = (known after apply)
      + id             = (known after apply)
      + name           = "ksoc-audit-logs"
      + tags_all       = (known after apply)
      + version_id     = (known after apply)

      + extended_s3_configuration {
          + bucket_arn         = (known after apply)
          + buffering_interval = 60
          + buffering_size     = 5
          + compression_format = "UNCOMPRESSED"
          + custom_time_zone   = "UTC"
          + role_arn           = (known after apply)
          + s3_backup_mode     = "Disabled"

          + cloudwatch_logging_options {
              + enabled         = (known after apply)
              + log_group_name  = (known after apply)
              + log_stream_name = (known after apply)
            }
        }
    }

  # module.rad-security-connect.aws_s3_bucket.audit_logs[0] will be created
  + resource "aws_s3_bucket" "audit_logs" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = (known after apply)
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = true
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags                        = {
          + "ksoc-data-type" = "eks-audit-logs"
        }
      + tags_all                    = {
          + "ksoc-data-type" = "eks-audit-logs"
        }
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)

      + cors_rule {
          + allowed_headers = (known after apply)
          + allowed_methods = (known after apply)
          + allowed_origins = (known after apply)
          + expose_headers  = (known after apply)
          + max_age_seconds = (known after apply)
        }

      + grant {
          + id          = (known after apply)
          + permissions = (known after apply)
          + type        = (known after apply)
          + uri         = (known after apply)
        }

      + lifecycle_rule {
          + abort_incomplete_multipart_upload_days = (known after apply)
          + enabled                                = (known after apply)
          + id                                     = (known after apply)
          + prefix                                 = (known after apply)
          + tags                                   = (known after apply)

          + expiration {
              + date                         = (known after apply)
              + days                         = (known after apply)
              + expired_object_delete_marker = (known after apply)
            }

          + noncurrent_version_expiration {
              + days = (known after apply)
            }

          + noncurrent_version_transition {
              + days          = (known after apply)
              + storage_class = (known after apply)
            }

          + transition {
              + date          = (known after apply)
              + days          = (known after apply)
              + storage_class = (known after apply)
            }
        }

      + logging {
          + target_bucket = (known after apply)
          + target_prefix = (known after apply)
        }

      + object_lock_configuration {
          + object_lock_enabled = (known after apply)

          + rule {
              + default_retention {
                  + days  = (known after apply)
                  + mode  = (known after apply)
                  + years = (known after apply)
                }
            }
        }

      + replication_configuration {
          + role = (known after apply)

          + rules {
              + delete_marker_replication_status = (known after apply)
              + id                               = (known after apply)
              + prefix                           = (known after apply)
              + priority                         = (known after apply)
              + status                           = (known after apply)

              + destination {
                  + account_id         = (known after apply)
                  + bucket             = (known after apply)
                  + replica_kms_key_id = (known after apply)
                  + storage_class      = (known after apply)

                  + access_control_translation {
                      + owner = (known after apply)
                    }

                  + metrics {
                      + minutes = (known after apply)
                      + status  = (known after apply)
                    }

                  + replication_time {
                      + minutes = (known after apply)
                      + status  = (known after apply)
                    }
                }

              + filter {
                  + prefix = (known after apply)
                  + tags   = (known after apply)
                }

              + source_selection_criteria {
                  + sse_kms_encrypted_objects {
                      + enabled = (known after apply)
                    }
                }
            }
        }

      + server_side_encryption_configuration {
          + rule {
              + bucket_key_enabled = (known after apply)

              + apply_server_side_encryption_by_default {
                  + kms_master_key_id = (known after apply)
                  + sse_algorithm     = (known after apply)
                }
            }
        }

      + versioning {
          + enabled    = (known after apply)
          + mfa_delete = (known after apply)
        }

      + website {
          + error_document           = (known after apply)
          + index_document           = (known after apply)
          + redirect_all_requests_to = (known after apply)
          + routing_rules            = (known after apply)
        }
    }

  # module.rad-security-connect.aws_s3_bucket_versioning.audit_logs[0] will be created
  + resource "aws_s3_bucket_versioning" "audit_logs" {
      + bucket = (known after apply)
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

  # module.rad-security-connect.rad-security_aws_register.this will be created
  + resource "rad-security_aws_register" "this" {
      + api_path                      = (known after apply)
      + aws_account_id                = (sensitive value)
      + id                            = (known after apply)
      + rad_security_assumed_role_arn = "arn:aws:iam::955322216602:role/rad-security-connector"
      + rad_security_registered       = (known after apply)
    }

  # module.rad-security-connect.random_id.uniq will be created
  + resource "random_id" "uniq" {
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 4
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 18 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply"
now.

Signed-off-by: Max Brain <[email protected]>

BREAKING CHANGE: Moves ksoc connect module to rad-security

2bb9ece

Signed-off-by: Max Brain <[email protected]>

maximillianbrain1 changed the title ~~BREAKING CHANGE: Moves ksoc connect module to rad-security~~ Moves ksoc connect module to rad-security Jun 10, 2024

jeffreyfriedman approved these changes Jun 10, 2024

View reviewed changes

maximillianbrain1 merged commit 006facb into main Jun 11, 2024
2 checks passed

maximillianbrain1 deleted the move_ksoc_connect_module_to_rad-security branch June 11, 2024 07:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Moves ksoc connect module to rad-security #1

Moves ksoc connect module to rad-security #1

maximillianbrain1 commented Jun 10, 2024 •

edited

Loading

Moves ksoc connect module to rad-security #1

Moves ksoc connect module to rad-security #1

Conversation

maximillianbrain1 commented Jun 10, 2024 • edited Loading

maximillianbrain1 commented Jun 10, 2024 •

edited

Loading