vpc module fixes (#3)

vpc module fixes and add CIS checks

Author: ShibraAmin18

README.md

@@ -104,10 +104,17 @@ To configure Pritunl VPN:
 
 Security scanning is graciously provided by Prowler. Prowler is the leading fully hosted, cloud-native solution providing continuous cluster security and compliance.
 
-| Benchmark | Description |
-|--------|---------------|
-| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | No Security Groups open to 0.0.0.0/0 |
-| Ensure the default security group of every VPC restricts all traffic | No Default Security Groups open to 0.0.0.0/0 |
+In this module, we have implemented the following CIS Compliance checks for VPC:
+
+| Benchmark | Description | Status |
+|-----------|-------------|--------|
+| Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | No Security Groups open to 0.0.0.0/0 | ✔ |
+| Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports | For all VPCs created using this module | ✔ |
+| Ensure the default security group of every VPC restricts all traffic | For all VPCs created using this module | ✔ |
+| Ensure VPC flow logging is enabled in all VPCs | No Default Security Groups open to 0.0.0.0/0 | ✔ |
+| Ensure IAM instance roles are used for AWS resource access from instances |For VPN server created using this module | ✓ |
+| Ensure EBS volume encryption is enabled   | For VPN server created using this module | ✓ |
+
 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/simple-vpc/README.md

@@ -2,7 +2,7 @@
 
 Configuration in this directory creates set of VPC resources which may be sufficient for development environment.
 
-There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all availability zones.
+There is a public subnet created per availability zone with Internet Gateway and route tables.
 
 [Read more about AWS regions, availability zones and local zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones).
 

examples/simple-vpc/main.tf

@@ -10,8 +10,6 @@ locals {
   vpc_cidr = "10.10.0.0/16"
 }
 
-data "aws_availability_zones" "available" {}
-
 module "vpc" {
   source                = "squareops/vpc/aws"
   name                  = local.name

examples/peering/README.md renamed to examples/vpc-with-peering/README.md

@@ -4,13 +4,25 @@ Configuration in this directory creates a VPC peering connection between two VPC
 
 ## Usage
 
-To run this example you need to execute:
+To run this example you need to execute this module in two parts :
 
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
+1. Execute the below command to deploy accepter and requester VPC:
+
+    ```bash
+    $ cd vpc-requester-accepter
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+    ```
+2. Copy the VPC id from the output and update in root (peering) main.tf locals block.
+
+3. Execute the below command for peering of created VPC:
+
+    ```bash
+    $ terraform init
+    $ terraform plan
+    $ terraform apply
+    ```
 
 Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
 

examples/peering/main.tf renamed to examples/vpc-with-peering/main.tf

@@ -0,0 +1,36 @@
+locals {
+  region = "us-east-2"
+  additional_aws_tags = {
+    Owner      = "SquareOps"
+    Expires    = "Never"
+    Department = "Engineering"
+  }
+}
+
+module "vpc_accepter" {
+  source                = "squareops/vpc/aws"
+  name                  = "accepter"
+  vpc_cidr              = "10.10.0.0/16"
+  environment           = "dev"
+  availability_zones    = 2
+  public_subnet_enabled = true
+}
+
+module "vpc_requester" {
+  source                = "squareops/vpc/aws"
+  name                  = "requester"
+  vpc_cidr              = "172.10.0.0/16"
+  environment           = "uat"
+  availability_zones    = 2
+  public_subnet_enabled = true
+}
+
+output "vpc_id_accepter" {
+  description = "The ID of the accepter VPC"
+  value       = module.vpc_accepter.vpc_id
+}
+
+output "vpc_id_requester" {
+  description = "The ID of the requester VPC"
+  value       = module.vpc_requester.vpc_id
+}

examples/peering/output.tf renamed to examples/vpc-with-peering/output.tf

@@ -0,0 +1,6 @@
+provider "aws" {
+  region = local.region
+  default_tags {
+    tags = local.additional_aws_tags
+  }
+}

examples/vpc-with-peering/vpc-requester-accepter/main.tf

@@ -10,8 +10,6 @@ locals {
   vpc_cidr = "10.10.0.0/16"
 }
 
-data "aws_availability_zones" "available" {}
-
 module "vpc" {
   source                 = "squareops/vpc/aws"
   name                   = local.name

examples/vpc-with-peering/vpc-requester-accepter/providers.tf

@@ -42,6 +42,7 @@ resource "aws_vpc_peering_connection" "this" {
   provider    = aws.peer
   tags = {
     Name = var.name
+    Side = "Requester"
   }
 }
 
@@ -53,6 +54,7 @@ resource "aws_vpc_peering_connection_accepter" "this" {
   auto_accept               = true
   tags = {
     Name = var.name
+    Side = "Accepter"
   }
 }