docs and restructure

Author: Script47

guardrails/README.md

@@ -0,0 +1,39 @@
+# Guardrails
+
+## About
+
+This module allows you to setup default guardrails to harden your AWS account with the following features:
+
+- EBS encryption by default
+- S3 account wide public block access
+- IAM account password policy
+
+## Usage
+
+See `variables.tf` for the full argument reference.
+
+```hcl
+module "guardrails" {
+  source      = "github.com/script47/aws-tf-modules/guardrails"
+
+  ebs = {
+    encrypted = true
+  }
+
+  s3 = {
+    public_access_block = {
+        enabled                 = true
+        block_public_acls       = true
+        block_public_policy     = true
+        ignore_public_acls      = true
+        restrict_public_buckets = true
+    }
+  }
+
+  iam = {
+    password_policy = {
+
+    }
+  }
+}
+```

guardrails/iam.tf

@@ -1 +1,14 @@
-# aws_iam_account_password_policy
+# resource "aws_iam_account_password_policy" "this" {
+#   count = var.iam.password_policy.enabled ? 1 : 0
+
+#   allow_users_to_change_password = var.iam.password_policy.allow_users_to_change_password
+#   password_reuse_prevention      = var.iam.password_policy.password_reuse_prevention
+#   hard_expiry                    = var.iam.password_policy.hard_expiry
+#   max_password_age               = var.iam.password_policy.max_password_age
+#   minimum_password_length        = var.iam.password_policy.minimum_password_length
+
+#   require_lowercase_characters   = var.iam.password_policy.require_lowercase_characters
+#   require_uppercase_characters   = var.iam.password_policy.require_uppercase_characters
+#   require_numbers                = var.iam.password_policy.require_numbers
+#   require_symbols                = var.iam.password_policy.require_symbols
+# }

guardrails/providers.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.13"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "~> 6"
+    }
+  }
+}

guardrails/s3.tf

@@ -1,6 +1,8 @@
 resource "aws_s3_account_public_access_block" "this" {
-  block_public_acls       = var.s3.block_public_acls
-  block_public_policy     = var.s3.block_public_policy
-  ignore_public_acls      = var.s3.ignore_public_acls
-  restrict_public_buckets = var.s3.restrict_public_buckets
+  count = var.s3.public_access_block.enabled
+
+  block_public_acls       = var.s3.public_access_block.block_public_acls
+  block_public_policy     = var.s3.public_access_block.block_public_policy
+  ignore_public_acls      = var.s3.public_access_block.ignore_public_acls
+  restrict_public_buckets = var.s3.public_access_block.restrict_public_buckets
 }

guardrails/variables.tf

@@ -1,29 +1,41 @@
 variable "ebs" {
+  description = "EBS account-level config"
   type = object({
     encrypted = optional(bool, true)
   })
   default = {}
 }
 
 variable "s3" {
+  description = "S3 account-level config"
   type = object({
-    block_public_acls       = optional(bool, true)
-    block_public_policy     = optional(bool, true)
-    ignore_public_acls      = optional(bool, true)
-    restrict_public_buckets = optional(bool, true)
+    public_access_block = optional(object({
+      enabled                 = optional(bool, true)
+      block_public_acls       = optional(bool, true)
+      block_public_policy     = optional(bool, true)
+      ignore_public_acls      = optional(bool, true)
+      restrict_public_buckets = optional(bool, true)      
+    }), {})
   })
   default = {}
 }
 
 # variable "iam" {
+#   description = "IAM account-level config"
 #   type = object({
-#      password_policy = optional(object({
-#         allow_password_change = optional(bool, true)
-          # reuse_prevention = optional(bool, true)
-#         hard_expiry = optional(bool, false)
-#         max_password_age = optional(number, null)
-          # min_length = optional(number, 8)
+#     password_policy = optional(object({
+#       enabled                        = optional(bool, true)
+#       allow_users_to_change_password = optional(bool, true)
+#       password_reuse_prevention      = optional(number, 24)
+#       hard_expiry                    = optional(bool, false)
+#       max_password_age               = optional(number, 90)
+#       minimum_password_length        = optional(number, 14)
 
-#      }), {}) 
+#       require_lowercase_characters   = optional(bool, true)
+#       require_uppercase_characters   = optional(bool, true)
+#       require_numbers                = optional(bool, true)
+#       require_symbols                = optional(bool, true)
+#     }), {})
 #   })
-# }
+#   default = {}
+# }