Terraform code to create the necessary resources to run the dmarc-import application in the COOL DNS account.
| Name | Version |
|---|---|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |
| Name | Version |
|---|---|
| aws | ~> 4.9 |
| aws.dnsprovisionaccount | ~> 4.9 |
| aws.organizationsreadonly | ~> 4.9 |
| terraform | n/a |
| Name | Source | Version |
|---|---|---|
| dmarc_import | github.com/cisagov/dmarc-import-tf-module | n/a |
| Name | Type |
|---|---|
| aws_iam_policy.elasticsearchreadonly_policy | resource |
| aws_iam_policy.elasticsearchreadwrite_policy | resource |
| aws_iam_policy.provisiondmarcimport | resource |
| aws_iam_role.elasticsearchreadonly_role | resource |
| aws_iam_role.elasticsearchreadwrite_role | resource |
| aws_iam_role_policy_attachment.elasticsearchreadonly_policy_attachment | resource |
| aws_iam_role_policy_attachment.elasticsearchreadwrite_policy_attachment | resource |
| aws_iam_role_policy_attachment.provisiondmarcimport | resource |
| aws_caller_identity.current | data source |
| aws_caller_identity.dns | data source |
| aws_iam_policy_document.assume_role_doc | data source |
| aws_iam_policy_document.elasticsearchreadonly_assume_role_doc | data source |
| aws_iam_policy_document.elasticsearchreadonly_doc | data source |
| aws_iam_policy_document.elasticsearchreadwrite_doc | data source |
| aws_iam_policy_document.provisiondmarcimport | data source |
| aws_organizations_organization.cool | data source |
| terraform_remote_state.dns | data source |
| terraform_remote_state.master | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The AWS region to deploy into (e.g. us-east-1). | string |
"us-east-1" |
no |
| cognito_authenticated_role_name | The name of the IAM role that grants authenticated access to the Elasticsearch database. | string |
"dmarc-import-authenticated" |
no |
| cognito_identity_pool_name | The name of the Cognito identity pool to use for access to the Elasticsearch database. | string |
"dmarc-import" |
no |
| cognito_user_pool_client_name | The name of the Cognito user pool client to use for access to the Elasticsearch database. | string |
"dmarc-import" |
no |
| cognito_user_pool_domain | The domain to use for the Cognito endpoint. For custom domains, this is the fully-qualified domain name, such as "auth.example.com". For Amazon Cognito prefix domains, this is the prefix alone, such as "auth". | string |
"dmarc-import" |
no |
| cognito_user_pool_name | The name of the Cognito user pool to use for access to the Elasticsearch database. | string |
"dmarc-import" |
no |
| cognito_usernames | A map whose keys are the usernames of each Cognito user and whose values are a map containing supported user attributes. The only currently-supported attribute is "email" (string). Example: { "firstname1.lastname1" = { "email" = "firstname1.lastname1@foo.gov" }, "firstname2.lastname2" = { "email" = "firstname2.lastname2@foo.gov" } } |
map(object({ email = string })) |
{} |
no |
| cyhy_account_id | The ID of the CyHy account. | string |
n/a | yes |
| elasticsearch_domain_name | The domain name of the Elasticsearch instance. | string |
"dmarc-import-elasticsearch" |
no |
| elasticsearch_index | The Elasticsearch index to which to write DMARC aggregate report data. | string |
"dmarc_aggregate_reports" |
no |
| elasticsearch_type | The Elasticsearch type corresponding to a DMARC aggregate report. | string |
"report" |
no |
| elasticsearchreadonly_role_description | The description to associate with the IAM role (and policy) that allows sufficient permissions to read (but not write) to the dmarc-import Elasticsearch database. | string |
"Allows sufficient permissions to read (but not write) to the dmarc-import Elasticsearch database." |
no |
| elasticsearchreadonly_role_name | The name to assign the IAM role (and policy) that allows sufficient permissions to read (but not write) the to dmarc-import Elasticsearch database. | string |
"ElasticsearchReadOnly" |
no |
| elasticsearchreadwrite_role_description | The description to associate with the IAM role (and policy) that allows sufficient permissions to read and write to the dmarc-import Elasticsearch database. | string |
"Allows sufficient permissions to read and write to the dmarc-import Elasticsearch database." |
no |
| elasticsearchreadwrite_role_name | The name to assign the IAM role (and policy) that allows sufficient permissions to read and write the to dmarc-import Elasticsearch database. | string |
"ElasticsearchReadWrite" |
no |
| emails | A list of the email addresses at which DMARC aggregate reports are being received. | list(string) |
[ "reports@dmarc.cyber.dhs.gov" ] |
no |
| lambda_function_name | The name of the dmarc-import Lambda function. | string |
"dmarc-import" |
no |
| lambda_function_zip_file | The location of the zip file for the Lambda function. | string |
"../dmarc-import-lambda/dmarc-import.zip" |
no |
| opensearch_service_role_for_auth_name | The name of the IAM role that gives Amazon OpenSearch Service permissions to configure the Amazon Cognito user and identity pools and use them for OpenSearch Dashboards/Kibana authentication. | string |
"opensearch-service-cognito-access" |
no |
| permanent_bucket_name | The name of the S3 bucket where the DMARC aggregate report emails are stored permanently. | string |
"cool-dmarc-import-permanent" |
no |
| provisiondmarcimport_policy_description | The description to associate with the IAM policy that allows sufficient permissions to provision the dmarc-import infrastructure. | string |
"Allows sufficient permissions to provision the dmarc-import infrastructure." |
no |
| provisiondmarcimport_policy_name | The name to assign the IAM policy that allows sufficient permissions to provision the dmarc-import infrastructure. | string |
"ProvisionDmarcImport" |
no |
| queue_name | The name of the SQS queue where events will be sent as DMARC aggregate reports are received. | string |
"cool-dmarc-import-queue" |
no |
| rule_set_name | The name of the SES rule set that processes DMARC aggregate reports. | string |
"dmarc-import-rules" |
no |
| tags | Tags to apply to all AWS resources created. | map(string) |
{} |
no |
| temporary_bucket_name | The name of the S3 bucket where the DMARC aggregate report emails are stored temporarily (until processed). | string |
"cool-dmarc-import-temporary" |
no |
| Name | Description |
|---|---|
| elasticsearchreadonly_role | IAM role that allows sufficient permissions to read (but not write) to the dmarc-import Elasticsearch database. |
| elasticsearchreadwrite_role | IAM role that allows sufficient permissions to read and write to the dmarc-import Elasticsearch database. |
| provisiondmarcimport_policy | IAM policy that allows sufficient permissions to provision the dmarc-import infrastructure. |
Running pre-commit requires running terraform init in every
directory that contains Terraform code. In this repository, this is
only the main directory.
We welcome contributions! Please see CONTRIBUTING.md for
details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.