feat: allow enabling/disabling individual alarms (nozaq#164)

Dominic DePasquale · web-flow · commit 163865528275 · 2021-03-14T10:13:00.000+09:00
diff --git a/modules/alarm-baseline/main.tf b/modules/alarm-baseline/main.tf
@@ -15,7 +15,7 @@ resource "aws_sns_topic" "alarms" {
 # --------------------------------------------------------------------------------------------------
 
 resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0
 
   name           = "UnauthorizedAPICalls"
   pattern        = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
@@ -29,7 +29,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0
 
   alarm_name                = "UnauthorizedAPICalls"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -48,7 +48,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0
 
   name           = "NoMFAConsoleSignin"
   pattern        = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
@@ -62,7 +62,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0
 
   alarm_name                = "NoMFAConsoleSignin"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -81,7 +81,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "root_usage" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.root_usage_enabled ? 1 : 0
 
   name           = "RootUsage"
   pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
@@ -95,7 +95,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "root_usage" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.root_usage_enabled ? 1 : 0
 
   alarm_name                = "RootUsage"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -114,7 +114,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.iam_changes_enabled ? 1 : 0
 
   name           = "IAMChanges"
   pattern        = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
@@ -128,7 +128,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "iam_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.iam_changes_enabled ? 1 : 0
 
   alarm_name                = "IAMChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -147,7 +147,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0
 
   name           = "CloudTrailCfgChanges"
   pattern        = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }"
@@ -161,7 +161,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0
 
   alarm_name                = "CloudTrailCfgChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -180,7 +180,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.console_signin_failures_enabled ? 1 : 0
 
   name           = "ConsoleSigninFailures"
   pattern        = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }"
@@ -194,7 +194,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "console_signin_failures" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.console_signin_failures_enabled ? 1 : 0
 
   alarm_name                = "ConsoleSigninFailures"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -213,7 +213,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0
 
   name           = "DisableOrDeleteCMK"
   pattern        = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
@@ -227,7 +227,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0
 
   alarm_name                = "DisableOrDeleteCMK"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -246,7 +246,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0
 
   name           = "S3BucketPolicyChanges"
   pattern        = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }"
@@ -260,7 +260,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0
 
   alarm_name                = "S3BucketPolicyChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -279,7 +279,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.aws_config_changes_enabled ? 1 : 0
 
   name           = "AWSConfigChanges"
   pattern        = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }"
@@ -293,7 +293,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.aws_config_changes_enabled ? 1 : 0
 
   alarm_name                = "AWSConfigChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -312,7 +312,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.security_group_changes_enabled ? 1 : 0
 
   name           = "SecurityGroupChanges"
   pattern        = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}"
@@ -326,7 +326,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.security_group_changes_enabled ? 1 : 0
 
   alarm_name                = "SecurityGroupChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -345,7 +345,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.nacl_changes_enabled ? 1 : 0
 
   name           = "NACLChanges"
   pattern        = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }"
@@ -359,7 +359,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.nacl_changes_enabled ? 1 : 0
 
   alarm_name                = "NACLChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -378,7 +378,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.network_gw_changes_enabled ? 1 : 0
 
   name           = "NetworkGWChanges"
   pattern        = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
@@ -392,7 +392,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.network_gw_changes_enabled ? 1 : 0
 
   alarm_name                = "NetworkGWChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -411,7 +411,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.route_table_changes_enabled ? 1 : 0
 
   name           = "RouteTableChanges"
   pattern        = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
@@ -425,7 +425,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.route_table_changes_enabled ? 1 : 0
 
   alarm_name                = "RouteTableChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -444,7 +444,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.vpc_changes_enabled ? 1 : 0
 
   name           = "VPCChanges"
   pattern        = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
@@ -458,7 +458,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.vpc_changes_enabled ? 1 : 0
 
   alarm_name                = "VPCChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
@@ -477,7 +477,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.organizations_changes_enabled ? 1 : 0
 
   name           = "OrganizationsChanges"
   pattern        = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
@@ -491,7 +491,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "organizations_changes" {
-  count = var.enabled ? 1 : 0
+  count = var.enabled && var.organizations_changes_enabled ? 1 : 0
 
   alarm_name                = "OrganizationsChanges"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
diff --git a/modules/alarm-baseline/variables.tf b/modules/alarm-baseline/variables.tf
@@ -3,6 +3,81 @@ variable "enabled" {
   default     = true
 }
 
+variable "unauthorized_api_calls_enabled" {
+  description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "no_mfa_console_signin_enabled" {
+  description = "The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "root_usage_enabled" {
+  description = "The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "iam_changes_enabled" {
+  description = "The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "cloudtrail_cfg_changes_enabled" {
+  description = "The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "console_signin_failures_enabled" {
+  description = "The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "disable_or_delete_cmk_enabled" {
+  description = "The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "s3_bucket_policy_changes_enabled" {
+  description = "The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "aws_config_changes_enabled" {
+  description = "The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "security_group_changes_enabled" {
+  description = "The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "nacl_changes_enabled" {
+  description = "The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "network_gw_changes_enabled" {
+  description = "The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "route_table_changes_enabled" {
+  description = "The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "vpc_changes_enabled" {
+  description = "The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
+variable "organizations_changes_enabled" {
+  description = "The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false."
+  default     = true
+}
+
 variable "alarm_namespace" {
   description = "The namespace in which all alarms are set up."
   default     = "CISBenchmark"
