diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile new file mode 100644 index 00000000..2d0cf44c --- /dev/null +++ b/.devcontainer/Dockerfile @@ -0,0 +1,5 @@ +FROM mcr.microsoft.com/devcontainers/base:bullseye + +RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ + && apt-get -y install --no-install-recommends python3-pip \ + && pip install --no-input pre-commit diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 00000000..ecc88695 --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,21 @@ +{ + "name": "Terraform", + "build": { + "dockerfile": "./Dockerfile", + "context": "." + }, + "features": { + "ghcr.io/devcontainers/features/terraform:1": { + "version": "latest", + "installTerraformDocs": true + } + }, + "customizations": { + "vscode": { + "extensions": [ + "EditorConfig.EditorConfig" + ] + } + }, + "postCreateCommand": "pre-commit install" +} diff --git a/.editorconfig b/.editorconfig index 20edaa21..ce0ebcb6 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,11 +1,14 @@ root = true [*] +charset = utf-8 +end_of_line = lf indent_style = space indent_size = 2 -charset = utf-8 -trim_trailing_whitespace = true insert_final_newline = true +max_line_length = 80 +trim_trailing_whitespace = true [*.md] -trim_trailing_whitespace = false \ No newline at end of file +max_line_length = 0 +trim_trailing_whitespace = false diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..0f731c13 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,36 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: bug +assignees: '' + +--- + +## Describe the bug + + + +## Versions + + + +- Terraform: +- Provider: +- Module: + +## Reproduction + + + +## Expected behavior + + + +## Actual behavior + + + +## Additional context + + 
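Review bot: The last line of the new `RUN` in `.devcontainer/Dockerfile` installs `pre-commit` from PyPI with no version, as root, on top of the floating `base:bullseye` tag, so two builds of this devcontainer can end up running different hook-runner code. Pinning the package, e.g. `&& pip install --no-input --no-cache-dir pre-commit==<PINNED_VERSION>` (placeholder; use the version the project tests with), makes the environment reproducible and reviewable. The same `RUN` also leaves the apt index in the layer; appending `&& rm -rf /var/lib/apt/lists/*` after the `apt-get install` step removes it.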
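Review bot: `"version": "latest"` on the `ghcr.io/devcontainers/features/terraform:1` feature in `devcontainer.json` lets every container rebuild pick up whatever Terraform release is current, which can differ from the version the CI job in this commit resolves through `terraform-min-max`. Setting an explicit release, e.g. `"version": "<PINNED_TERRAFORM_VERSION>"` (placeholder), keeps local formatting and docs output consistent with CI and avoids silently running a newly published binary. The feature reference itself uses the floating major tag `:1`, so the installer script can also change between rebuilds.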
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..951e0c85 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,24 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: enhancement +assignees: '' + +--- + +## Is your feature request related to a problem? Please describe. + + + +## Describe the solution you'd like + + + +## Describe alternatives you've considered + + + +## Additional context + + diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a27640bd..c2a7a4ce 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,20 +1,24 @@ -name: Terraform +name: CI on: push: branches: - main pull_request: jobs: - check-format: - name: Check format + pre-commit-checks: + name: Pre-commit checks runs-on: ubuntu-latest steps: - - uses: hashicorp/setup-terraform@v1 - name: Checkout uses: actions/checkout@v2 - - name: "Terraform Format" - run: terraform fmt -check -recursive - + - name: Terraform min/max versions + id: minMax + uses: clowdhaus/terraform-min-max@v1.0.4 + - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.4.1 + with: + terraform-version: ${{ steps.minMax.outputs.maxVersion }} + terraform-docs-version: v0.16.0 validate-examples: name: Validate examples runs-on: ubuntu-latest diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml new file mode 100644 index 00000000..e1e02b2b --- /dev/null +++ b/.github/workflows/release-please.yml @@ -0,0 +1,12 @@ +on: + push: + branches: + - main +name: release-please +jobs: + release-please: + runs-on: ubuntu-latest + steps: + - uses: google-github-actions/release-please-action@v3 + with: + release-type: terraform-module diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5faa9562..fdb20e0b 100644 
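Review bot: The two third-party actions added to the `pre-commit-checks` job in `main.yml`, `clowdhaus/terraform-min-max@v1.0.4` and `clowdhaus/terraform-composite-actions/pre-commit@v1.4.1`, are referenced by tag, and a tag can be moved to different code by whoever controls the upstream repository. Referencing the full commit SHA with the tag kept as a comment, e.g. `uses: clowdhaus/terraform-min-max@<FULL_COMMIT_SHA> # v1.0.4` (placeholder SHA), fixes the code that runs with this workflow's token. The same applies to `google-github-actions/release-please-action@v3` in the new `release-please.yml` and, on the developer side, to `rev: v1.62.3` in `.pre-commit-config.yaml`. The `validate-examples` job continues outside this hunk.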
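Review bot: The new `release-please.yml` declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository or organization has configured, even though it triggers on every push to `main`. Stating the scopes at job level, `permissions:` with `contents: write` and `pull-requests: write`, keeps the token at least privilege and makes the workflow independent of the repository default. Confirm against the action's documentation that these two scopes are sufficient for `release-type: terraform-module`.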
--- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,12 @@ repos: - - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.51.0 + - repo: https://github.com/antonbabenko/pre-commit-terraform + rev: v1.62.3 hooks: - id: terraform_fmt - id: terraform_docs + args: + - --args=--config=.terraform-docs.yml + - id: terraform_tflint + exclude: "test/" + args: + - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 00000000..8369b4a3 --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,16 @@ +formatter: "markdown table" + +sections: + show: + - requirements + - providers + - inputs + - outputs + +sort: + enabled: true + by: required + +settings: + default: false + lockfile: false diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 00000000..714b6019 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,53 @@ +config { + module = false + force = false + disabled_by_default = false +} + +rule "terraform_deprecated_interpolation" { + enabled = true +} + +rule "terraform_deprecated_index" { + enabled = true +} + +rule "terraform_unused_declarations" { + enabled = true +} + +rule "terraform_comment_syntax" { + enabled = true +} + +rule "terraform_documented_outputs" { + enabled = true +} + +rule "terraform_documented_variables" { + enabled = true +} + +rule "terraform_typed_variables" { + enabled = true +} + +rule "terraform_module_pinned_source" { + enabled = true +} + +rule "terraform_required_version" { + enabled = true +} + +rule "terraform_required_providers" { + enabled = true +} + +rule "terraform_standard_module_structure" { + enabled = true +} + +rule "terraform_workspace_remote" { + enabled = true +} diff --git a/CHANGELOG.md b/CHANGELOG.md index 7574d44c..1ea69b0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
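Review bot: `exclude: "test/"` on the new `terraform_tflint` hook in `.pre-commit-config.yaml` is an unanchored regular expression, and pre-commit matches it anywhere in the file path, so it also skips directories such as `latest/` or `contest/` whose names merely end in `test`. If the intent is the repository's top-level test directory, anchor it: `exclude: "^test/"`. Otherwise Terraform files in an unrelated directory can silently bypass the lint rules enabled in `.tflint.hcl`.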
@@ -1,5 +1,115 @@ - -## [Unreleased] +# Changelog +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [2.1.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v2.0.0...v2.1.0) (2022-12-03) + + +### Features + +* enable CIS benchmark v1.4.0 standard ([#308](https://github.com/nozaq/terraform-aws-secure-baseline/issues/308)) ([bb724cd](https://github.com/nozaq/terraform-aws-secure-baseline/commit/bb724cd7783ae3e645cbbb4468b367fc5095cb53)) +* make audit log bucket access logs bucket name customizable ([#303](https://github.com/nozaq/terraform-aws-secure-baseline/issues/303)) ([07dc101](https://github.com/nozaq/terraform-aws-secure-baseline/commit/07dc101179fa2d1649cd987e3d8f3d269db546b8)) + +## [2.0.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v1.1.0...v2.0.0) (2022-06-05) + + +### ⚠ BREAKING CHANGES + +* this change disables glacier transition rules by default since transitioning small objects is officially not recommended. it can be enabled by setting `var.audit_log_lifecycle_glacier_transition_days` to a positive number. 
+ +### Features + +* add permissions boundaries for IAM entities support ([#288](https://github.com/nozaq/terraform-aws-secure-baseline/issues/288)) ([219f003](https://github.com/nozaq/terraform-aws-secure-baseline/commit/219f0032626a793b1c7ca304793d924b829b2c18)) +* make glacier transition rules optional ([#293](https://github.com/nozaq/terraform-aws-secure-baseline/issues/293)) ([f0cdf3e](https://github.com/nozaq/terraform-aws-secure-baseline/commit/f0cdf3e6294a97ef455cf5e313aba14bfba38467)) + +## [1.1.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v1.0.1...v1.1.0) (2022-04-16) + + +### Features + +* use S3 lifecycle rule V2 ([#285](https://github.com/nozaq/terraform-aws-secure-baseline/issues/285)) ([2b471bd](https://github.com/nozaq/terraform-aws-secure-baseline/commit/2b471bd321f3f7503690076d9321aeca38401796)) + + +### Bug Fixes + +* upgrade the AWS provider to v4.3 ([#287](https://github.com/nozaq/terraform-aws-secure-baseline/issues/287)) ([271d99e](https://github.com/nozaq/terraform-aws-secure-baseline/commit/271d99ef6206fab0886f6961674340e986b5bc0c)) + +## [1.0.1](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v1.0.0...v1.0.1) (2022-03-06) +### Bug Fixes +- avoid for_each key error ([#273](https://github.com/nozaq/terraform-aws-secure-baseline/issues/273)) ([0122d6f](https://github.com/nozaq/terraform-aws-secure-baseline/commit/0122d6fcd00ecd1114a2d5e7853027ebb0322d71)) +- mark `var.member_accounts` required ([#272](https://github.com/nozaq/terraform-aws-secure-baseline/issues/272)) ([8612941](https://github.com/nozaq/terraform-aws-secure-baseline/commit/8612941317db8c5f3eb82fd8c5218b8ef5a5d41f)) + +## [1.0.0] - 2022-02-19 +### Feat +- add new S3 bucket configuration resources ([#261](https://github.com/nozaq/terraform-aws-secure-baseline/issues/261)) +- allow use of organization trail to be toggled via variable ([#259](https://github.com/nozaq/terraform-aws-secure-baseline/issues/259)) + +### Fix +- require AWS provider 
v4.2.0 ([#270](https://github.com/nozaq/terraform-aws-secure-baseline/issues/270)) +- require AWS provider v4.1.0 ([#268](https://github.com/nozaq/terraform-aws-secure-baseline/issues/268)) +- the condition to use the organization trail ([#265](https://github.com/nozaq/terraform-aws-secure-baseline/issues/265)) +- use count instead of `var.enabled` ([#262](https://github.com/nozaq/terraform-aws-secure-baseline/issues/262)) + +### Refactor +- remove `destination_options` ([#267](https://github.com/nozaq/terraform-aws-secure-baseline/issues/267)) +- explicitly define a format for FlowLogs ([#264](https://github.com/nozaq/terraform-aws-secure-baseline/issues/264)) +- replace deprecated arguments ([#263](https://github.com/nozaq/terraform-aws-secure-baseline/issues/263)) + +### BREAKING CHANGE + +resources regarding S3 bucket configurations need manual import +after upgrade. See `docs/upgrade-1.0.md` for guidance. + + + +## [0.34.0] - 2022-01-22 +### Feat +- automatically accepts invite from the master ([#256](https://github.com/nozaq/terraform-aws-secure-baseline/issues/256)) +- enforce strong password policy by default ([#252](https://github.com/nozaq/terraform-aws-secure-baseline/issues/252)) + +### Fix +- no findings aggregator for member accounts ([#257](https://github.com/nozaq/terraform-aws-secure-baseline/issues/257)) +- set the minimum terraform version to 1.1.4 ([#255](https://github.com/nozaq/terraform-aws-secure-baseline/issues/255)) +- upgrade minimum provider requirements ([#248](https://github.com/nozaq/terraform-aws-secure-baseline/issues/248)) + + + +## [0.33.0] - 2022-01-10 +### Refactor +- add tflint checks ([#246](https://github.com/nozaq/terraform-aws-secure-baseline/issues/246)) +- re-organize locals ([#243](https://github.com/nozaq/terraform-aws-secure-baseline/issues/243)) + + + +## [0.32.0] - 2022-01-08 +### Feat +- enable finding aggregator in the main region ([#241](https://github.com/nozaq/terraform-aws-secure-baseline/issues/241)) + + + +## 
[0.31.0] - 2022-01-08 +### Feat +- add inputs to toggle submodules ([#240](https://github.com/nozaq/terraform-aws-secure-baseline/issues/240)) +- optionally ignore SSO logins for MFA alarms ([#234](https://github.com/nozaq/terraform-aws-secure-baseline/issues/234)) +- apply default subnet changes to existing subnets ([#237](https://github.com/nozaq/terraform-aws-secure-baseline/issues/237)) + +### Fix +- use CIS recommended filter pattern ([#239](https://github.com/nozaq/terraform-aws-secure-baseline/issues/239)) +- remove `aws_default_vpc` dependency ([#238](https://github.com/nozaq/terraform-aws-secure-baseline/issues/238)) + +### Refactor +- use module count instead of having ennabled variable in each submodule. ([#195](https://github.com/nozaq/terraform-aws-secure-baseline/issues/195)) + + + +## [0.30.0] - 2021-11-23 +### Feat +- add S3 bucket key support ([#236](https://github.com/nozaq/terraform-aws-secure-baseline/issues/236)) + +### Fix +- the minimum required version of the AWS provider ([#227](https://github.com/nozaq/terraform-aws-secure-baseline/issues/227)) 
@@ -344,7 +454,12 @@ ## 0.0.1 - 2018-02-12 -[Unreleased]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.29.2...HEAD +[1.0.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.34.0...1.0.0 +[0.34.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.33.0...0.34.0 +[0.33.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.32.0...0.33.0 +[0.32.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.31.0...0.32.0 +[0.31.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.30.0...0.31.0 +[0.30.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.29.2...0.30.0 [0.29.2]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.29.1...0.29.2 [0.29.1]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.29.0...0.29.1 [0.29.0]: https://github.com/nozaq/terraform-aws-secure-baseline/compare/0.28.0...0.29.0 diff --git a/README.md b/README.md index c9a2a53c..55b5c742 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # terraform-aws-secure-baseline -[![Github Actions](https://github.com/nozaq/terraform-aws-secure-baseline/workflows/Terraform/badge.svg)](https://github.com/nozaq/terraform-aws-secure-baseline/actions?workflow=Terraform) +[![Github Actions](https://github.com/nozaq/terraform-aws-secure-baseline/actions/workflows/main.yml/badge.svg)](https://github.com/nozaq/terraform-aws-secure-baseline/actions/workflows/main.yml) +[![Releases](https://img.shields.io/github/v/release/nozaq/terraform-aws-secure-baseline)](https://github.com/nozaq/terraform-aws-secure-baseline/releases/latest) [Terraform Module Registry](https://registry.terraform.io/modules/nozaq/secure-baseline/aws) 
@@ -47,7 +48,7 @@ data "aws_caller_identity" "current" {} data "aws_region" "current" {} module "secure_baseline" { - source = "nozaq/secure-baseline/aws" + source = "nozaq/secure-baseline/aws" audit_log_bucket_name = "YOUR_BUCKET_NAME" aws_account_id = data.aws_caller_identity.current.account_id 
@@ -105,262 +106,128 @@ This module is composed of several submodules and each of which can be used inde - [securityhub-baseline](./modules/securityhub-baseline) - [vpc-baseline](./modules/vpc-baseline) +## Compatibility + +- Starting from v1.0, this module requires [Terraform Provider for AWS](https://github.com/terraform-providers/terraform-provider-aws) v4.0 or later. [Version 1.0 Upgrade Guide](./docs/upgrade-1.0.md) described the recommended procedure after the upgrade. +- Starting from v0.20, this module requires [Terraform Provider for AWS](https://github.com/terraform-providers/terraform-provider-aws) v3.0 or later. Please use v0.19 if you need to use v2.x or earlier. +- Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier. + ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.50.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [alarm\_baseline](#module\_alarm\_baseline) | ./modules/alarm-baseline | n/a | -| [analyzer\_baseline\_ap-northeast-1](#module\_analyzer\_baseline\_ap-northeast-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ap-northeast-2](#module\_analyzer\_baseline\_ap-northeast-2) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ap-northeast-3](#module\_analyzer\_baseline\_ap-northeast-3) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ap-south-1](#module\_analyzer\_baseline\_ap-south-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ap-southeast-1](#module\_analyzer\_baseline\_ap-southeast-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ap-southeast-2](#module\_analyzer\_baseline\_ap-southeast-2) | 
./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_ca-central-1](#module\_analyzer\_baseline\_ca-central-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_eu-central-1](#module\_analyzer\_baseline\_eu-central-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_eu-north-1](#module\_analyzer\_baseline\_eu-north-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_eu-west-1](#module\_analyzer\_baseline\_eu-west-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_eu-west-2](#module\_analyzer\_baseline\_eu-west-2) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_eu-west-3](#module\_analyzer\_baseline\_eu-west-3) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_sa-east-1](#module\_analyzer\_baseline\_sa-east-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_us-east-1](#module\_analyzer\_baseline\_us-east-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_us-east-2](#module\_analyzer\_baseline\_us-east-2) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_us-west-1](#module\_analyzer\_baseline\_us-west-1) | ./modules/analyzer-baseline | n/a | -| [analyzer\_baseline\_us-west-2](#module\_analyzer\_baseline\_us-west-2) | ./modules/analyzer-baseline | n/a | -| [audit\_log\_bucket](#module\_audit\_log\_bucket) | ./modules/secure-bucket | n/a | -| [cloudtrail\_baseline](#module\_cloudtrail\_baseline) | ./modules/cloudtrail-baseline | n/a | -| [config\_baseline\_ap-northeast-1](#module\_config\_baseline\_ap-northeast-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_ap-northeast-2](#module\_config\_baseline\_ap-northeast-2) | ./modules/config-baseline | n/a | -| [config\_baseline\_ap-northeast-3](#module\_config\_baseline\_ap-northeast-3) | ./modules/config-baseline | n/a | -| [config\_baseline\_ap-south-1](#module\_config\_baseline\_ap-south-1) | ./modules/config-baseline | n/a | -| 
[config\_baseline\_ap-southeast-1](#module\_config\_baseline\_ap-southeast-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_ap-southeast-2](#module\_config\_baseline\_ap-southeast-2) | ./modules/config-baseline | n/a | -| [config\_baseline\_ca-central-1](#module\_config\_baseline\_ca-central-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_eu-central-1](#module\_config\_baseline\_eu-central-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_eu-north-1](#module\_config\_baseline\_eu-north-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_eu-west-1](#module\_config\_baseline\_eu-west-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_eu-west-2](#module\_config\_baseline\_eu-west-2) | ./modules/config-baseline | n/a | -| [config\_baseline\_eu-west-3](#module\_config\_baseline\_eu-west-3) | ./modules/config-baseline | n/a | -| [config\_baseline\_sa-east-1](#module\_config\_baseline\_sa-east-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_us-east-1](#module\_config\_baseline\_us-east-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_us-east-2](#module\_config\_baseline\_us-east-2) | ./modules/config-baseline | n/a | -| [config\_baseline\_us-west-1](#module\_config\_baseline\_us-west-1) | ./modules/config-baseline | n/a | -| [config\_baseline\_us-west-2](#module\_config\_baseline\_us-west-2) | ./modules/config-baseline | n/a | -| [ebs\_baseline\_ap-northeast-1](#module\_ebs\_baseline\_ap-northeast-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_ap-northeast-2](#module\_ebs\_baseline\_ap-northeast-2) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_ap-northeast-3](#module\_ebs\_baseline\_ap-northeast-3) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_ap-south-1](#module\_ebs\_baseline\_ap-south-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_ap-southeast-1](#module\_ebs\_baseline\_ap-southeast-1) | ./modules/ebs-baseline | n/a | -| 
[ebs\_baseline\_ap-southeast-2](#module\_ebs\_baseline\_ap-southeast-2) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_ca-central-1](#module\_ebs\_baseline\_ca-central-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_eu-central-1](#module\_ebs\_baseline\_eu-central-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_eu-north-1](#module\_ebs\_baseline\_eu-north-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_eu-west-1](#module\_ebs\_baseline\_eu-west-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_eu-west-2](#module\_ebs\_baseline\_eu-west-2) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_eu-west-3](#module\_ebs\_baseline\_eu-west-3) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_sa-east-1](#module\_ebs\_baseline\_sa-east-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_us-east-1](#module\_ebs\_baseline\_us-east-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_us-east-2](#module\_ebs\_baseline\_us-east-2) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_us-west-1](#module\_ebs\_baseline\_us-west-1) | ./modules/ebs-baseline | n/a | -| [ebs\_baseline\_us-west-2](#module\_ebs\_baseline\_us-west-2) | ./modules/ebs-baseline | n/a | -| [guardduty\_baseline\_ap-northeast-1](#module\_guardduty\_baseline\_ap-northeast-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_ap-northeast-2](#module\_guardduty\_baseline\_ap-northeast-2) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_ap-northeast-3](#module\_guardduty\_baseline\_ap-northeast-3) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_ap-south-1](#module\_guardduty\_baseline\_ap-south-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_ap-southeast-1](#module\_guardduty\_baseline\_ap-southeast-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_ap-southeast-2](#module\_guardduty\_baseline\_ap-southeast-2) | ./modules/guardduty-baseline | n/a | -| 
[guardduty\_baseline\_ca-central-1](#module\_guardduty\_baseline\_ca-central-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_eu-central-1](#module\_guardduty\_baseline\_eu-central-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_eu-north-1](#module\_guardduty\_baseline\_eu-north-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_eu-west-1](#module\_guardduty\_baseline\_eu-west-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_eu-west-2](#module\_guardduty\_baseline\_eu-west-2) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_eu-west-3](#module\_guardduty\_baseline\_eu-west-3) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_sa-east-1](#module\_guardduty\_baseline\_sa-east-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_us-east-1](#module\_guardduty\_baseline\_us-east-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_us-east-2](#module\_guardduty\_baseline\_us-east-2) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_us-west-1](#module\_guardduty\_baseline\_us-west-1) | ./modules/guardduty-baseline | n/a | -| [guardduty\_baseline\_us-west-2](#module\_guardduty\_baseline\_us-west-2) | ./modules/guardduty-baseline | n/a | -| [iam\_baseline](#module\_iam\_baseline) | ./modules/iam-baseline | n/a | -| [s3\_baseline](#module\_s3\_baseline) | ./modules/s3-baseline | n/a | -| [securityhub\_baseline\_ap-northeast-1](#module\_securityhub\_baseline\_ap-northeast-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_ap-northeast-2](#module\_securityhub\_baseline\_ap-northeast-2) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_ap-northeast-3](#module\_securityhub\_baseline\_ap-northeast-3) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_ap-south-1](#module\_securityhub\_baseline\_ap-south-1) | ./modules/securityhub-baseline | n/a | -| 
[securityhub\_baseline\_ap-southeast-1](#module\_securityhub\_baseline\_ap-southeast-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_ap-southeast-2](#module\_securityhub\_baseline\_ap-southeast-2) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_ca-central-1](#module\_securityhub\_baseline\_ca-central-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_eu-central-1](#module\_securityhub\_baseline\_eu-central-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_eu-north-1](#module\_securityhub\_baseline\_eu-north-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_eu-west-1](#module\_securityhub\_baseline\_eu-west-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_eu-west-2](#module\_securityhub\_baseline\_eu-west-2) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_eu-west-3](#module\_securityhub\_baseline\_eu-west-3) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_sa-east-1](#module\_securityhub\_baseline\_sa-east-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_us-east-1](#module\_securityhub\_baseline\_us-east-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_us-east-2](#module\_securityhub\_baseline\_us-east-2) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_us-west-1](#module\_securityhub\_baseline\_us-west-1) | ./modules/securityhub-baseline | n/a | -| [securityhub\_baseline\_us-west-2](#module\_securityhub\_baseline\_us-west-2) | ./modules/securityhub-baseline | n/a | -| [vpc\_baseline\_ap-northeast-1](#module\_vpc\_baseline\_ap-northeast-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_ap-northeast-2](#module\_vpc\_baseline\_ap-northeast-2) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_ap-northeast-3](#module\_vpc\_baseline\_ap-northeast-3) | ./modules/vpc-baseline | n/a | -| 
[vpc\_baseline\_ap-south-1](#module\_vpc\_baseline\_ap-south-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_ap-southeast-1](#module\_vpc\_baseline\_ap-southeast-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_ap-southeast-2](#module\_vpc\_baseline\_ap-southeast-2) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_ca-central-1](#module\_vpc\_baseline\_ca-central-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_eu-central-1](#module\_vpc\_baseline\_eu-central-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_eu-north-1](#module\_vpc\_baseline\_eu-north-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_eu-west-1](#module\_vpc\_baseline\_eu-west-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_eu-west-2](#module\_vpc\_baseline\_eu-west-2) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_eu-west-3](#module\_vpc\_baseline\_eu-west-3) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_sa-east-1](#module\_vpc\_baseline\_sa-east-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_us-east-1](#module\_vpc\_baseline\_us-east-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_us-east-2](#module\_vpc\_baseline\_us-east-2) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_us-west-1](#module\_vpc\_baseline\_us-west-1) | ./modules/vpc-baseline | n/a | -| [vpc\_baseline\_us-west-2](#module\_vpc\_baseline\_us-west-2) | ./modules/vpc-baseline | n/a | - -## Resources - -| Name | Type | -|------|------| -| [aws_config_config_rule.iam_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | -| [aws_config_config_rule.no_policies_with_full_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | -| [aws_config_config_rule.unused_credentials](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | -| 
[aws_config_config_rule.user_no_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule) | resource | -| [aws_config_configuration_aggregator.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator) | resource | -| [aws_iam_role.config_organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.flow_logs_publisher](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.flow_logs_publish_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy.recorder_publish_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_iam_role_policy_attachment.config_organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.recorder_read_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_s3_bucket_policy.audit_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.audit_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.audit_log_base](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_iam_policy_document.audit_log_cloud_trail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.audit_log_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.audit_log_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.config_organization_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.flow_logs_publish_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.flow_logs_publisher_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.recorder_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.recorder_publish_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_organizations_organization.org](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | -| [aws_s3_bucket.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `individual`, `master` and `member` . 
Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | `"individual"` | no | -| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. | `string` | `"CISBenchmark"` | no | -| [alarm\_sns\_topic\_kms\_master\_key\_id](#input\_alarm\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `any` | `null` | no | -| [alarm\_sns\_topic\_name](#input\_alarm\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | `"CISAlarm"` | no | -| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | `true` | no | -| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | `"default-analyzer"` | no | -| [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | `"{}"` | no | -| [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | -| [audit\_log\_bucket\_name](#input\_audit\_log\_bucket\_name) | The name of the S3 bucket to store various audit logs. | `any` | n/a | yes | -| [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. | `number` | `90` | no | -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. 
| `any` | n/a | yes | -| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [cloudtrail\_cloudwatch\_logs\_enabled](#input\_cloudtrail\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | `true` | no | -| [cloudtrail\_cloudwatch\_logs\_group\_name](#input\_cloudtrail\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | `"cloudtrail-multi-region"` | no | -| [cloudtrail\_dynamodb\_event\_logging\_tables](#input\_cloudtrail\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list` |
[
"arn:aws:dynamodb"
]
| no | -| [cloudtrail\_iam\_role\_name](#input\_cloudtrail\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Role"` | no | -| [cloudtrail\_iam\_role\_policy\_name](#input\_cloudtrail\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Policy"` | no | -| [cloudtrail\_key\_deletion\_window\_in\_days](#input\_cloudtrail\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | `10` | no | -| [cloudtrail\_lambda\_invocation\_logging\_lambdas](#input\_cloudtrail\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list` |
[
"arn:aws:lambda"
]
| no | -| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | `"cloudtrail-multi-region"` | no | -| [cloudtrail\_s3\_key\_prefix](#input\_cloudtrail\_s3\_key\_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | `"cloudtrail"` | no | -| [cloudtrail\_s3\_object\_level\_logging\_buckets](#input\_cloudtrail\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list` |
[
"arn:aws:s3:::"
]
| no | -| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | `true` | no | -| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The name of the SNS topic to link to the trail. | `string` | `"cloudtrail-multi-region-sns-topic"` | no | -| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no | -| [config\_aggregator\_name](#input\_config\_aggregator\_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | `"organization-aggregator"` | no | -| [config\_aggregator\_name\_prefix](#input\_config\_aggregator\_name\_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | `"config-for-organization-role"` | no | -| [config\_baseline\_enabled](#input\_config\_baseline\_enabled) | Boolean whether config-baseline is enabled. | `bool` | `true` | no | -| [config\_delivery\_frequency](#input\_config\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | `"One_Hour"` | no | -| [config\_global\_resources\_all\_regions](#input\_config\_global\_resources\_all\_regions) | Record global resources in all regions. If false, only default region will record global resources. | `bool` | `false` | no | -| [config\_iam\_role\_name](#input\_config\_iam\_role\_name) | The name of the IAM Role which AWS Config will use. | `string` | `"Config-Recorder"` | no | -| [config\_iam\_role\_policy\_name](#input\_config\_iam\_role\_policy\_name) | The name of the IAM Role Policy which AWS Config will use. 
| `string` | `"Config-Recorder-Policy"` | no | -| [config\_s3\_bucket\_key\_prefix](#input\_config\_s3\_bucket\_key\_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | `"config"` | no | -| [config\_sns\_topic\_kms\_master\_key\_id](#input\_config\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `any` | `null` | no | -| [config\_sns\_topic\_name](#input\_config\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | `"ConfigChanges"` | no | -| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [create\_manager\_role](#input\_create\_manager\_role) | Define if the manager role should be created. | `bool` | `true` | no | -| [create\_master\_role](#input\_create\_master\_role) | Define if the master role should be created. | `bool` | `true` | no | -| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | `true` | no | -| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | `true` | no | -| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [guardduty\_disable\_email\_notification](#input\_guardduty\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. 
| `bool` | `false` | no | -| [guardduty\_enabled](#input\_guardduty\_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | `true` | no | -| [guardduty\_finding\_publishing\_frequency](#input\_guardduty\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no | -| [guardduty\_invitation\_message](#input\_guardduty\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from guardduty-baseline module."` | no | -| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [manager\_iam\_role\_name](#input\_manager\_iam\_role\_name) | The name of the IAM Manager role. | `string` | `"IAM-Manager"` | no | -| [manager\_iam\_role\_policy\_name](#input\_manager\_iam\_role\_policy\_name) | The name of the IAM Manager role policy. | `string` | `"IAM-Manager-Policy"` | no | -| [master\_account\_id](#input\_master\_account\_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | `""` | no | -| [master\_iam\_role\_name](#input\_master\_iam\_role\_name) | The name of the IAM Master role. | `string` | `"IAM-Master"` | no | -| [master\_iam\_role\_policy\_name](#input\_master\_iam\_role\_policy\_name) | The name of the IAM Master role policy. | `string` | `"IAM-Master-Policy"` | no | -| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | `0` | no | -| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| `[]` | no | -| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | `14` | no | -| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | `24` | no | -| [region](#input\_region) | The AWS region in which global resources are set up. | `any` | n/a | yes | -| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | `false` | no | -| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | `false` | no | -| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | `false` | no | -| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. 
| `bool` | `false` | no | -| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [s3\_block\_public\_acls](#input\_s3\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [s3\_block\_public\_policy](#input\_s3\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [securityhub\_enable\_aws\_foundational\_standard](#input\_securityhub\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | `true` | no | -| [securityhub\_enable\_cis\_standard](#input\_securityhub\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. 
| `bool` | `true` | no | -| [securityhub\_enable\_pci\_dss\_standard](#input\_securityhub\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | `false` | no | -| [securityhub\_enable\_product\_arns](#input\_securityhub\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | `[]` | no | -| [securityhub\_enabled](#input\_securityhub\_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | `true` | no | -| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | `"IAM-Support"` | no | -| [support\_iam\_role\_policy\_name](#input\_support\_iam\_role\_policy\_name) | The name of the support role policy. | `string` | `"IAM-Support-Role"` | no | -| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(any)` | n/a | yes | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` | `{}` | no | -| [target\_regions](#input\_target\_regions) | A list of regions to set up with this module. | `list` |
[
"ap-northeast-1",
"ap-northeast-2",
"ap-northeast-3",
"ap-south-1",
"ap-southeast-1",
"ap-southeast-2",
"ca-central-1",
"eu-central-1",
"eu-north-1",
"eu-west-1",
"eu-west-2",
"eu-west-3",
"sa-east-1",
"us-east-1",
"us-east-2",
"us-west-1",
"us-west-2"
]
| no | -| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [use\_external\_audit\_log\_bucket](#input\_use\_external\_audit\_log\_bucket) | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | `bool` | `false` | no | -| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [vpc\_enable](#input\_vpc\_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | `true` | no | -| [vpc\_enable\_flow\_logs](#input\_vpc\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | `true` | no | -| [vpc\_flow\_logs\_destination\_type](#input\_vpc\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | `"cloud-watch-logs"` | no | -| [vpc\_flow\_logs\_log\_group\_name](#input\_vpc\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | `"default-vpc-flow-logs"` | no | -| [vpc\_flow\_logs\_retention\_in\_days](#input\_vpc\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no | -| [vpc\_flow\_logs\_s3\_arn](#input\_vpc\_flow\_logs\_s3\_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. 
| `string` | `""` | no | -| [vpc\_flow\_logs\_s3\_key\_prefix](#input\_vpc\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | `"flow-logs"` | no | -| [vpc\_iam\_role\_name](#input\_vpc\_iam\_role\_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | `"VPC-Flow-Logs-Publisher"` | no | -| [vpc\_iam\_role\_policy\_name](#input\_vpc\_iam\_role\_policy\_name) | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | `"VPC-Flow-Logs-Publish-Policy"` | no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [audit\_log\_bucket\_name](#input\_audit\_log\_bucket\_name) | The name of the S3 bucket to store various audit logs. | `string` | yes | +| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `string` | yes | +| [region](#input\_region) | The AWS region in which global resources are set up. | `string` | yes | +| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes | +| [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | no | +| [alarm\_baseline\_enabled](#input\_alarm\_baseline\_enabled) | Boolean whether alarm-baseline is enabled. | `bool` | no | +| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. 
| `string` | no | +| [alarm\_sns\_topic\_kms\_master\_key\_id](#input\_alarm\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [alarm\_sns\_topic\_name](#input\_alarm\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | no | +| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | no | +| [analyzer\_baseline\_enabled](#input\_analyzer\_baseline\_enabled) | Boolean whether analyzer-baseline is enabled. | `bool` | no | +| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | +| [audit\_log\_bucket\_access\_logs\_name](#input\_audit\_log\_bucket\_access\_logs\_name) | The name of the S3 bucket to store various audit logs. | `string` | no | +| [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no | +| [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | +| [audit\_log\_bucket\_key\_enabled](#input\_audit\_log\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no | +| [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. 
| `number` | no | +| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail\_baseline\_enabled](#input\_cloudtrail\_baseline\_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no | +| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail\_cloudwatch\_logs\_enabled](#input\_cloudtrail\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | +| [cloudtrail\_cloudwatch\_logs\_group\_name](#input\_cloudtrail\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | +| [cloudtrail\_dynamodb\_event\_logging\_tables](#input\_cloudtrail\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no | +| [cloudtrail\_iam\_role\_name](#input\_cloudtrail\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail\_iam\_role\_policy\_name](#input\_cloudtrail\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail\_key\_deletion\_window\_in\_days](#input\_cloudtrail\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no | +| [cloudtrail\_lambda\_invocation\_logging\_lambdas](#input\_cloudtrail\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. 
| `list(string)` | no | +| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | no | +| [cloudtrail\_s3\_key\_prefix](#input\_cloudtrail\_s3\_key\_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no | +| [cloudtrail\_s3\_object\_level\_logging\_buckets](#input\_cloudtrail\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | +| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | no | +| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The name of the SNS topic to link to the trail. | `string` | no | +| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [config\_aggregator\_name](#input\_config\_aggregator\_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config\_aggregator\_name\_prefix](#input\_config\_aggregator\_name\_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config\_baseline\_enabled](#input\_config\_baseline\_enabled) | Boolean whether config-baseline is enabled. | `bool` | no | +| [config\_delivery\_frequency](#input\_config\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | +| [config\_global\_resources\_all\_regions](#input\_config\_global\_resources\_all\_regions) | Record global resources in all regions. If false, only default region will record global resources. 
| `bool` | no | +| [config\_iam\_role\_name](#input\_config\_iam\_role\_name) | The name of the IAM Role which AWS Config will use. | `string` | no | +| [config\_iam\_role\_policy\_name](#input\_config\_iam\_role\_policy\_name) | The name of the IAM Role Policy which AWS Config will use. | `string` | no | +| [config\_s3\_bucket\_key\_prefix](#input\_config\_s3\_bucket\_key\_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | no | +| [config\_sns\_topic\_kms\_master\_key\_id](#input\_config\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [config\_sns\_topic\_name](#input\_config\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | +| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | no | +| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | no | +| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [guardduty\_disable\_email\_notification](#input\_guardduty\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. 
| `bool` | no | +| [guardduty\_enabled](#input\_guardduty\_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | no | +| [guardduty\_finding\_publishing\_frequency](#input\_guardduty\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | +| [guardduty\_invitation\_message](#input\_guardduty\_invitation\_message) | Message for invitation. | `string` | no | +| [iam\_baseline\_enabled](#input\_iam\_baseline\_enabled) | Boolean whether iam-baseline is enabled. | `bool` | no | +| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [master\_account\_id](#input\_master\_account\_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | no | +| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | no | +| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | +| [mfa\_console\_signin\_allow\_sso](#input\_mfa\_console\_signin\_allow\_sso) | The boolean flag whether the no\_mfa\_console\_signin alarm allows SSO auth to be ignored. | `bool` | no | +| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | no | +| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | +| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | +| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no | +| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. 
| `bool` | no | +| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | no | +| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3\_baseline\_enabled](#input\_s3\_baseline\_enabled) | Boolean whether s3-baseline is enabled. | `bool` | no | +| [s3\_block\_public\_acls](#input\_s3\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_block\_public\_policy](#input\_s3\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [securityhub\_enable\_aws\_foundational\_standard](#input\_securityhub\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | +| [securityhub\_enable\_cis\_standard](#input\_securityhub\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | no | +| [securityhub\_enable\_pci\_dss\_standard](#input\_securityhub\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | +| [securityhub\_enable\_product\_arns](#input\_securityhub\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | +| [securityhub\_enabled](#input\_securityhub\_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | no | +| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | +| [target\_regions](#input\_target\_regions) | A list of regions to set up with this module. | `list(string)` | no | +| [turn\_off\_organization\_trail](#input\_turn\_off\_organization\_trail) | Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | +| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [use\_external\_audit\_log\_bucket](#input\_use\_external\_audit\_log\_bucket) | A boolean that indicates whether the specific audit log bucket already exists. 
Create a new S3 bucket if it is set to false. | `bool` | no | +| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [vpc\_enable](#input\_vpc\_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | no | +| [vpc\_enable\_flow\_logs](#input\_vpc\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | no | +| [vpc\_flow\_logs\_destination\_type](#input\_vpc\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | +| [vpc\_flow\_logs\_log\_group\_name](#input\_vpc\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no | +| [vpc\_flow\_logs\_retention\_in\_days](#input\_vpc\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [vpc\_flow\_logs\_s3\_arn](#input\_vpc\_flow\_logs\_s3\_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. | `string` | no | +| [vpc\_flow\_logs\_s3\_key\_prefix](#input\_vpc\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | +| [vpc\_iam\_role\_name](#input\_vpc\_iam\_role\_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | no | +| [vpc\_iam\_role\_policy\_name](#input\_vpc\_iam\_role\_policy\_name) | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | no | ## Outputs 
@@ -375,7 +242,7 @@ This module is composed of several submodules and each of which can be used inde | [cloudtrail\_sns\_topic](#output\_cloudtrail\_sns\_topic) | The sns topic linked to the cloudtrail. | | [config\_configuration\_recorder](#output\_config\_configuration\_recorder) | The configuration recorder in each region. | | [config\_iam\_role](#output\_config\_iam\_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | -| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic that AWS Config delivers notifications to. | +| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic) that AWS Config delivers notifications to. | | [default\_network\_acl](#output\_default\_network\_acl) | The default network ACL. | | [default\_route\_table](#output\_default\_route\_table) | The default route table. | | [default\_security\_group](#output\_default\_security\_group) | The ID of the default security group. | @@ -386,11 +253,6 @@ This module is composed of several submodules and each of which can be used inde | [vpc\_flow\_logs\_iam\_role](#output\_vpc\_flow\_logs\_iam\_role) | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. | -## Compatibility - -- Starting from v0.20, this module requires [Terraform Provider for AWS](https://github.com/terraform-providers/terraform-provider-aws) v3.0 or later. Please use v0.19 if you need to use v2.x or earlier. -- Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier. - [cis amazon web services foundations v1.4.0]: https://www.cisecurity.org/benchmark/amazon_web_services/ [aws foundational security best practices v1.0.0]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html [providers within modules - terraform docs]: https://www.terraform.io/docs/modules/usage.html#providers-within-modules 
diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf
index 69a74954..1af69a50 100644
--- a/analyzer_baselines.tf
+++ b/analyzer_baselines.tf
@@ -1,226 +1,245 @@ locals { - is_analyzer_enabled = local.is_individual_account || local.is_master_account + is_analyzer_enabled = var.analyzer_baseline_enabled && (local.is_individual_account || local.is_master_account) } # -------------------------------------------------------------------------------------------------- # Analyzer Baseline # -------------------------------------------------------------------------------------------------- + module "analyzer_baseline_ap-northeast-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-1") + analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ap-northeast-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ap-south-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-south-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-south-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ap-northeast-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-3") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-3") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ap-southeast-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ap-southeast-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_ca-central-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ca-central-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_eu-central-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-central-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_eu-north-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-north-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-north-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_eu-west-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_eu-west-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_eu-west-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-3") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-3 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-3") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_sa-east-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.sa-east-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_us-east-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-east-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-east-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_us-east-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-east-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-east-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-east-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_us-west-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-west-1") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-west-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-west-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } module "analyzer_baseline_us-west-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-west-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-west-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account - tags = var.tags + + tags = var.tags } diff --git a/bucket.tf b/bucket.tf index 671801b1..5d92b3d9 100644 --- a/bucket.tf +++ b/bucket.tf 
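Review bot: Moving each `analyzer_baseline_*` module from the `enabled` argument to `count` changes its address to `module.analyzer_baseline_<region>[0]`, and nothing in this file maps the old addresses to the new ones, so an upgrade on existing state would presumably plan a destroy and re-create of every analyzer. Re-creating an analyzer drops the findings it holds and leaves a window in which no analyzer is running. The same applies to the `config_baseline_*` modules in config_baselines.tf and to `module.audit_log_bucket` in bucket.tf, where the effect would be a gap in Config recording or an attempted replacement of the audit log bucket. If the migration is not handled elsewhere in the commit, add one `moved` block per module call, e.g. `moved { from = module.analyzer_baseline_us-east-1 to = module.analyzer_baseline_us-east-1[0] }`, or document the equivalent `terraform state mv` steps in the upgrade notes.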
@@ -1,24 +1,25 @@ # -------------------------------------------------------------------------------------------------- # Configure the S3 bucket to store audit logs. # -------------------------------------------------------------------------------------------------- + locals { use_external_bucket = var.use_external_audit_log_bucket - audit_log_bucket_id = local.use_external_bucket ? data.aws_s3_bucket.external[0].id : module.audit_log_bucket.this_bucket.id - audit_log_bucket_arn = local.use_external_bucket ? data.aws_s3_bucket.external[0].arn : module.audit_log_bucket.this_bucket.arn + audit_log_bucket_id = local.use_external_bucket ? data.aws_s3_bucket.external[0].id : module.audit_log_bucket[0].this_bucket.id + audit_log_bucket_arn = local.use_external_bucket ? data.aws_s3_bucket.external[0].arn : module.audit_log_bucket[0].this_bucket.arn audit_log_cloudtrail_destination = join("/", [local.audit_log_bucket_arn, trim(var.cloudtrail_s3_key_prefix, "/")]) audit_log_config_destination = join("/", [local.audit_log_bucket_arn, trim(var.config_s3_bucket_key_prefix, "/")]) audit_log_flow_logs_destination = join("/", [local.audit_log_bucket_arn, trim(var.vpc_flow_logs_s3_key_prefix, "/")]) - - flow_logs_use_s3 = var.vpc_flow_logs_destination_type == "s3" } # -------------------------------------------------------------------------------------------------- # Case 1. Use the external S3 bucket. # -------------------------------------------------------------------------------------------------- + data "aws_s3_bucket" "external" { - count = local.use_external_bucket ? 1 : 0 + count = local.use_external_bucket ? 1 : 0 + bucket = var.audit_log_bucket_name } 
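Review bot: The `Case 1. Use the external S3 bucket.` comment should state what the caller takes on by supplying the bucket. The policy documents further down in this file and `aws_s3_bucket_policy.audit_log` all have a `count` that is 0 when `local.use_external_bucket` is true, so in that case the module attaches no bucket policy at all. I would add `# The module attaches no bucket policy in this case; the external bucket must already deny non-TLS requests and allow CloudTrail, Config and Flow Logs delivery.` under that heading.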
@@ -28,14 +29,16 @@ data "aws_s3_bucket" "external" { # Create a S3 bucket to store various audit logs. # Bucket policies are derived from the default bucket policy and official AWS documents. # -------------------------------------------------------------------------------------------------- + module "audit_log_bucket" { + count = local.use_external_bucket ? 0 : 1 source = "./modules/secure-bucket" bucket_name = var.audit_log_bucket_name - log_bucket_name = "${var.audit_log_bucket_name}-access-logs" + bucket_key_enabled = var.audit_log_bucket_key_enabled + log_bucket_name = var.audit_log_bucket_access_logs_name != "" ? var.audit_log_bucket_access_logs_name : "${var.audit_log_bucket_name}-access-logs" lifecycle_glacier_transition_days = var.audit_log_lifecycle_glacier_transition_days force_destroy = var.audit_log_bucket_force_destroy - enabled = !local.use_external_bucket tags = var.tags @@ -46,10 +49,8 @@ data "aws_organizations_organization" "org" { count = local.is_individual_account ? 0 : 1 } -# -------------------------------------------------------------------------------------------------- # Apply policies to enforce SSL connections. # https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "audit_log_base" { count = local.use_external_bucket ? 0 : 1 @@ -57,8 +58,8 @@ data "aws_iam_policy_document" "audit_log_base" { actions = ["s3:*"] effect = "Deny" resources = [ - module.audit_log_bucket.this_bucket.arn, - "${module.audit_log_bucket.this_bucket.arn}/*" + module.audit_log_bucket[0].this_bucket.arn, + "${module.audit_log_bucket[0].this_bucket.arn}/*" ] condition { test = "Bool" 
@@ -72,14 +73,12 @@ data "aws_iam_policy_document" "audit_log_base" { } } -# -------------------------------------------------------------------------------------------------- # Apply policies for CloudTrail log delivery based on AWS CloudTrail User Guide. # https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-s3-bucket-policy-for-cloudtrail.html -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "audit_log_cloud_trail" { count = local.use_external_bucket ? 0 : 1 - source_json = data.aws_iam_policy_document.audit_log_base[0].json + source_policy_documents = [data.aws_iam_policy_document.audit_log_base[0].json] statement { sid = "AWSCloudTrailAclCheck20150319" @@ -88,7 +87,7 @@ data "aws_iam_policy_document" "audit_log_cloud_trail" { type = "Service" identifiers = ["cloudtrail.amazonaws.com"] } - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } statement { @@ -110,14 +109,12 @@ data "aws_iam_policy_document" "audit_log_cloud_trail" { } } -# -------------------------------------------------------------------------------------------------- # Apply policies for AWS Config log delivery based on AWS Config Developer Guide. # https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "audit_log_config" { count = local.use_external_bucket ? 0 : 1 - source_json = data.aws_iam_policy_document.audit_log_cloud_trail[0].json + source_policy_documents = [data.aws_iam_policy_document.audit_log_cloud_trail[0].json] statement { sid = "AWSConfigBucketPermissionsCheck" 
@@ -126,7 +123,7 @@ data "aws_iam_policy_document" "audit_log_config" { type = "Service" identifiers = ["config.amazonaws.com"] } - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } statement { @@ -136,7 +133,7 @@ data "aws_iam_policy_document" "audit_log_config" { type = "Service" identifiers = ["config.amazonaws.com"] } - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } statement { @@ -167,7 +164,7 @@ data "aws_iam_policy_document" "audit_log_config" { identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"] } actions = ["s3:GetBucketAcl"] - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } } @@ -181,7 +178,7 @@ data "aws_iam_policy_document" "audit_log_config" { identifiers = [for account in statement.value : "arn:aws:iam::${account.account_id}:root"] } actions = ["s3:ListBucket", "s3:GetBucketLocation"] - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } } 
@@ -205,15 +202,13 @@ data "aws_iam_policy_document" "audit_log_config" { } } -# -------------------------------------------------------------------------------------------------- # Apply policies for AWS Config log delivery based on Amazon Virtual Private Cloud User Guide. # This policy is necessary only when the log destination of VPC Flow Logs is set to S3. # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "audit_log_flow_logs" { - count = !local.use_external_bucket && local.flow_logs_use_s3 ? 1 : 0 + count = !local.use_external_bucket && local.flow_logs_to_s3 ? 1 : 0 - source_json = data.aws_iam_policy_document.audit_log_config[0].json + source_policy_documents = [data.aws_iam_policy_document.audit_log_config[0].json] statement { sid = "AWSLogDeliveryAclCheck" @@ -222,7 +217,7 @@ data "aws_iam_policy_document" "audit_log_flow_logs" { type = "Service" identifiers = ["delivery.logs.amazonaws.com"] } - resources = [module.audit_log_bucket.this_bucket.arn] + resources = [module.audit_log_bucket[0].this_bucket.arn] } statement { 
@@ -248,13 +243,13 @@ data "aws_iam_policy_document" "audit_log_flow_logs" { data "aws_iam_policy_document" "audit_log" { count = local.use_external_bucket ? 0 : 1 - source_json = local.flow_logs_use_s3 ? data.aws_iam_policy_document.audit_log_flow_logs[0].json : data.aws_iam_policy_document.audit_log_config[0].json - override_json = var.audit_log_bucket_custom_policy_json + source_policy_documents = [local.flow_logs_to_s3 ? data.aws_iam_policy_document.audit_log_flow_logs[0].json : data.aws_iam_policy_document.audit_log_config[0].json] + override_policy_documents = [var.audit_log_bucket_custom_policy_json] } resource "aws_s3_bucket_policy" "audit_log" { count = local.use_external_bucket ? 0 : 1 - bucket = module.audit_log_bucket.this_bucket.id + bucket = module.audit_log_bucket[0].this_bucket.id policy = data.aws_iam_policy_document.audit_log[0].json } diff --git a/compliance.md b/compliance.md index 7e8fe8bd..82070dcf 100644 --- a/compliance.md +++ b/compliance.md @@ -27,7 +27,7 @@ Implementation status for each item is categorized as follows. | 1.4 | Ensure no root account access key exists | N/A | | | 1.5 | Ensure MFA is enabled for the "root" account | N/A | | | 1.6 | Ensure hardware MFA is enabled for the "root" account | N/A | | -| 1.7 | Eliminate use of the root user for administrative and daily taks | N/A | | +| 1.7 | Eliminate use of the root user for administrative and daily tasks | N/A | | | 1.8 | Ensure IAM password policy requires minimum length of 14 or greater | OK | | | 1.9 | Ensure IAM password policy prevents password reuse | OK | | | 1.10 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password | N/A | | diff --git a/config_baselines.tf b/config_baselines.tf index 68d0de2f..8e7278ea 100644 --- a/config_baselines.tf +++ b/config_baselines.tf 
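Review bot: In bucket.tf, `override_policy_documents = [var.audit_log_bucket_custom_policy_json]` always passes a one-element list, so if the variable defaults to an empty string (its declaration is outside this hunk) the list holds an empty element, and whether the data source tolerates that depends on the provider version. `override_policy_documents = var.audit_log_bucket_custom_policy_json != "" ? [var.audit_log_bucket_custom_policy_json] : []` avoids the question. Separately, an override statement replaces a module statement that carries the same `sid`, so a custom policy can displace the delivery grants, and the insecure-transport deny from `audit_log_base` if that statement has a sid. A comment on the line such as `# Statements here replace module statements with the same sid; review custom policies so they do not weaken the TLS-only deny.` would tell the caller.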
@@ -1,22 +1,22 @@ locals { config_topics = [ - module.config_baseline_ap-northeast-1.config_sns_topic, - module.config_baseline_ap-northeast-2.config_sns_topic, - module.config_baseline_ap-northeast-3.config_sns_topic, - module.config_baseline_ap-south-1.config_sns_topic, - module.config_baseline_ap-southeast-1.config_sns_topic, - module.config_baseline_ap-southeast-2.config_sns_topic, - module.config_baseline_ca-central-1.config_sns_topic, - module.config_baseline_eu-central-1.config_sns_topic, - module.config_baseline_eu-north-1.config_sns_topic, - module.config_baseline_eu-west-1.config_sns_topic, - module.config_baseline_eu-west-2.config_sns_topic, - module.config_baseline_eu-west-3.config_sns_topic, - module.config_baseline_sa-east-1.config_sns_topic, - module.config_baseline_us-east-1.config_sns_topic, - module.config_baseline_us-east-2.config_sns_topic, - module.config_baseline_us-west-1.config_sns_topic, - module.config_baseline_us-west-2.config_sns_topic, + one(module.config_baseline_ap-northeast-1[*].config_sns_topic), + one(module.config_baseline_ap-northeast-2[*].config_sns_topic), + one(module.config_baseline_ap-northeast-3[*].config_sns_topic), + one(module.config_baseline_ap-south-1[*].config_sns_topic), + one(module.config_baseline_ap-southeast-1[*].config_sns_topic), + one(module.config_baseline_ap-southeast-2[*].config_sns_topic), + one(module.config_baseline_ca-central-1[*].config_sns_topic), + one(module.config_baseline_eu-central-1[*].config_sns_topic), + one(module.config_baseline_eu-north-1[*].config_sns_topic), + one(module.config_baseline_eu-west-1[*].config_sns_topic), + one(module.config_baseline_eu-west-2[*].config_sns_topic), + one(module.config_baseline_eu-west-3[*].config_sns_topic), + one(module.config_baseline_sa-east-1[*].config_sns_topic), + one(module.config_baseline_us-east-1[*].config_sns_topic), + one(module.config_baseline_us-east-2[*].config_sns_topic), + one(module.config_baseline_us-west-1[*].config_sns_topic), + 
one(module.config_baseline_us-west-2[*].config_sns_topic), ] } @@ -24,8 +24,10 @@ locals { # Create an IAM Role for AWS Config recorder to publish results and send notifications. # Reference: https://docs.aws.amazon.com/config/latest/developerguide/gs-cli-prereq.html#gs-cli-create-iamrole # -------------------------------------------------------------------------------------------------- + data "aws_iam_policy_document" "recorder_assume_role_policy" { count = var.config_baseline_enabled ? 1 : 0 + statement { principals { type = "Service" @@ -36,16 +38,20 @@ data "aws_iam_policy_document" "recorder_assume_role_policy" { } resource "aws_iam_role" "recorder" { - count = var.config_baseline_enabled ? 1 : 0 + count = var.config_baseline_enabled ? 1 : 0 + name = var.config_iam_role_name assume_role_policy = data.aws_iam_policy_document.recorder_assume_role_policy[0].json + permissions_boundary = var.permissions_boundary_arn + tags = var.tags } # See https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html data "aws_iam_policy_document" "recorder_publish_policy" { count = var.config_baseline_enabled ? 1 : 0 + statement { actions = ["s3:GetBucketAcl", "s3:ListBucket"] resources = [local.audit_log_bucket_arn] @@ -74,14 +80,16 @@ data "aws_iam_policy_document" "recorder_publish_policy" { } resource "aws_iam_role_policy" "recorder_publish_policy" { - count = var.config_baseline_enabled ? 1 : 0 + count = var.config_baseline_enabled ? 1 : 0 + name = var.config_iam_role_policy_name role = one(aws_iam_role.recorder[*].id) policy = data.aws_iam_policy_document.recorder_publish_policy[0].json } resource "aws_iam_role_policy_attachment" "recorder_read_policy" { - count = var.config_baseline_enabled ? 1 : 0 + count = var.config_baseline_enabled ? 1 : 0 + role = one(aws_iam_role.recorder[*].id) policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" } 
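Review bot: Each element of `local.config_topics` is now `one(module.config_baseline_<region>[*].config_sns_topic)`, which evaluates to `null` for every region whose module has `count = 0`, so the list can contain nulls whenever a region is left out of `var.target_regions`. The consumers of `local.config_topics` are outside this hunk; if any of them dereferences an element, it should filter first, e.g. `[for t in local.config_topics : t if t != null]`. If the consumers already handle this, a comment above the list such as `# Entries are null for regions that are not enabled.` is enough.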
@@ -91,14 +99,15 @@ resource "aws_iam_role_policy_attachment" "recorder_read_policy" { # Needs to be set up in each region. # Global resource types are only recorded in the region specified by var.region. # -------------------------------------------------------------------------------------------------- + module "config_baseline_ap-northeast-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -106,19 +115,20 @@ module "config_baseline_ap-northeast-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ap-northeast-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -126,19 +136,20 @@ module "config_baseline_ap-northeast-2" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-2" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ap-northeast-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-3") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-3") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -146,19 +157,20 @@ module "config_baseline_ap-northeast-3" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-northeast-3" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ap-south-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-south-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-south-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -166,19 +178,20 @@ module "config_baseline_ap-south-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-south-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ap-southeast-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -186,19 +199,20 @@ module "config_baseline_ap-southeast-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ap-southeast-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -206,19 +220,20 @@ module "config_baseline_ap-southeast-2" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-2" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_ca-central-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ca-central-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -226,19 +241,20 @@ module "config_baseline_ca-central-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ca-central-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_eu-central-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-central-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-central-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -246,19 +262,20 @@ module "config_baseline_eu-central-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-central-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_eu-north-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-north-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-north-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -266,19 +283,20 @@ module "config_baseline_eu-north-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-north-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_eu-west-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -286,19 +304,20 @@ module "config_baseline_eu-west-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_eu-west-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -306,19 +325,20 @@ module "config_baseline_eu-west-2" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-2" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_eu-west-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-3 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-3") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -326,19 +346,20 @@ module "config_baseline_eu-west-3" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "eu-west-3" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_sa-east-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.sa-east-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -346,19 +367,20 @@ module "config_baseline_sa-east-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "sa-east-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_us-east-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-east-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-east-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -366,19 +388,20 @@ module "config_baseline_us-east-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_us-east-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-east-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-east-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-east-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -386,19 +409,20 @@ module "config_baseline_us-east-2" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-east-2" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_us-west-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-west-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-west-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-west-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -406,19 +430,20 @@ module "config_baseline_us-west-1" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-1" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } module "config_baseline_us-west-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-west-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-west-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -426,7 +451,8 @@ module "config_baseline_us-west-2" { sns_topic_name = var.config_sns_topic_name sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "us-west-2" - tags = var.tags + + tags = var.tags depends_on = [aws_s3_bucket_policy.audit_log] } @@ -437,7 +463,8 @@ module "config_baseline_us-west-2" { resource "aws_config_config_rule" "iam_mfa" { count = var.config_baseline_enabled ? 1 : 0 - name = "IAMAccountMFAEnabled" + + name = "IAMAccountMFAEnabled" source { owner = "AWS" @@ -470,15 +497,15 @@ resource "aws_config_config_rule" "iam_mfa" { resource "aws_config_config_rule" "unused_credentials" { count = var.config_baseline_enabled ? 1 : 0 - name = "UnusedCredentialsNotExist" + + name = "UnusedCredentialsNotExist" + input_parameters = "{\"maxCredentialUsageAge\": \"90\"}" source { owner = "AWS" source_identifier = "IAM_USER_UNUSED_CREDENTIALS_CHECK" } - input_parameters = "{\"maxCredentialUsageAge\": \"90\"}" - tags = var.tags # Ensure this rule is created after all configuration recorders. 
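Review bot: In `aws_config_config_rule.unused_credentials` the relocated `input_parameters` is still a hand-escaped JSON string. Writing it as `input_parameters = jsonencode({ maxCredentialUsageAge = "90" })` gives semantically the same JSON without the backslashes and cannot drift into malformed JSON when edited. The 90-day threshold is also hard-coded, so an account held to a shorter unused-credential window cannot tighten it through this module; a variable defaulting to 90 would keep current behaviour. The resource body continues past the end of this hunk.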
@@ -505,7 +532,8 @@ resource "aws_config_config_rule" "unused_credentials" { resource "aws_config_config_rule" "user_no_policies" { count = var.config_baseline_enabled ? 1 : 0 - name = "NoPoliciesAttachedToUser" + + name = "NoPoliciesAttachedToUser" source { owner = "AWS" @@ -544,7 +572,8 @@ resource "aws_config_config_rule" "user_no_policies" { resource "aws_config_config_rule" "no_policies_with_full_admin_access" { count = var.config_baseline_enabled ? 1 : 0 - name = "NoPoliciesWithFullAdminAccess" + + name = "NoPoliciesWithFullAdminAccess" source { owner = "AWS" @@ -587,6 +616,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { # -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "config_organization_assume_role_policy" { count = var.config_baseline_enabled ? 1 : 0 + statement { principals { type = "Service" @@ -602,6 +632,8 @@ resource "aws_iam_role" "config_organization" { name_prefix = var.config_aggregator_name_prefix assume_role_policy = data.aws_iam_policy_document.config_organization_assume_role_policy[0].json + permissions_boundary = var.permissions_boundary_arn + tags = var.tags } diff --git a/docs/upgrade-1.0.md b/docs/upgrade-1.0.md new file mode 100644 index 00000000..9b834c4f --- /dev/null +++ b/docs/upgrade-1.0.md 
@@ -0,0 +1,67 @@ +# Version 1.0 Upgrade Guide + +This document outlines a way to upgrade this module from v0.x to v1.0 or later. +The following guidance only applies if `var.use_external_audit_log_bucket` is set to `false`, which is a default behavior. + +Following the changes introduced in AWS provider v4.0, several configurations for S3 buckets were extracted from `aws_s3_bucket` resource to newly added resources. +It is recommended to import these resources before running `terraform apply` to prevent data loss. + +See [the upgrade guide for AWS provider] for more detail. + +## Audit log bucket migrations + +Following configurations from `module.audit_log_bucket[0].aws_s3_bucket.content` were extracted to separated resources. + +- `module.audit_log_bucket[0].aws_s3_bucket_acl.content` +- `module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.content` +- `module.audit_log_bucket[0].aws_s3_bucket_logging.content` +- `module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.content` +- `module.audit_log_bucket[0].aws_s3_bucket_versioning.content` + +To import the current configuration into these resources, use `terraform import` command as follows. + +```sh +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_acl.content" "$AUDIT_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.content" "$AUDIT_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_logging.content" "$AUDIT_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.content" "$AUDIT_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_versioning.content" "$AUDIT_LOG_BUCKET" +``` + +### Notes + +- `$MODULE_PATH` should be replaced the actual path of this module in your project, e.g. `module.secure_baseline`. 
+- `$AUDIT_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket.aws_s3_bucket[0].content.id`. + +## Access logging bucket migrations + +Following configurations from `module.audit_log_bucket[0].aws_s3_bucket.access_log` were extracted to separated resources. + +- `module.audit_log_bucket[0].aws_s3_bucket.access_log` +- `module.audit_log_bucket[0].aws_s3_bucket_acl.access_log` +- `module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.access_log` +- `module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.access_log` + +These resources can be imported by `terraform import` command as well. + +```sh +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket.access_log" "$ACCESS_LOG_BUCKET" +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_acl.access_log" "$ACCESS_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_lifecycle_configuration.access_log" "$ACCESS_LOG_BUCKET" + +$ terraform import "$MODULE_PATH.module.audit_log_bucket[0].aws_s3_bucket_server_side_encryption_configuration.access_log" "$ACCESS_LOG_BUCKET" + +``` + +### Notes + +- `$MODULE_PATH` should be replaced the actual path of this module in your project, e.g. `module.secure_baseline`. +- `$ACCESS_LOG_BUCKET` should be replaced with the state bucket name. The actual value in your state file as `module.audit_log_bucket[0].aws_s3_bucket.access_log.id`. + +[aws provider]: https://github.com/hashicorp/terraform-provider-aws +[the upgrade guide for aws provider]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 2a3ec0c3..3da9c5ea 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf 
@@ -1,171 +1,156 @@ # -------------------------------------------------------------------------------------------------- -# SecurityHub Baseline +# EBS Baseline # -------------------------------------------------------------------------------------------------- + module "ebs_baseline_ap-northeast-1" { + count = contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = contains(var.target_regions, "ap-northeast-1") } module "ebs_baseline_ap-northeast-2" { + count = contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-2 } - - enabled = contains(var.target_regions, "ap-northeast-2") } module "ebs_baseline_ap-northeast-3" { + count = contains(var.target_regions, "ap-northeast-3") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-3 } - - enabled = contains(var.target_regions, "ap-northeast-3") } module "ebs_baseline_ap-south-1" { + count = contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-south-1 } - - enabled = contains(var.target_regions, "ap-south-1") } module "ebs_baseline_ap-southeast-1" { + count = contains(var.target_regions, "ap-southeast-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-southeast-1 } - - enabled = contains(var.target_regions, "ap-southeast-1") } module "ebs_baseline_ap-southeast-2" { + count = contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-southeast-2 } - - enabled = contains(var.target_regions, "ap-southeast-2") } module "ebs_baseline_ca-central-1" { + count = contains(var.target_regions, "ca-central-1") ? 
1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ca-central-1 } - - enabled = contains(var.target_regions, "ca-central-1") } module "ebs_baseline_eu-central-1" { + count = contains(var.target_regions, "eu-central-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-central-1 } - - enabled = contains(var.target_regions, "eu-central-1") } module "ebs_baseline_eu-north-1" { + count = contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-north-1 } - - enabled = contains(var.target_regions, "eu-north-1") } module "ebs_baseline_eu-west-1" { + count = contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-1 } - - enabled = contains(var.target_regions, "eu-west-1") } module "ebs_baseline_eu-west-2" { + count = contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-2 } - - enabled = contains(var.target_regions, "eu-west-2") } module "ebs_baseline_eu-west-3" { + count = contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-3 } - - enabled = contains(var.target_regions, "eu-west-3") } module "ebs_baseline_sa-east-1" { + count = contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.sa-east-1 } - - enabled = contains(var.target_regions, "sa-east-1") } module "ebs_baseline_us-east-1" { + count = contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-east-1 } - - enabled = contains(var.target_regions, "us-east-1") } module "ebs_baseline_us-east-2" { + count = contains(var.target_regions, "us-east-2") ? 
1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-east-2 } - - enabled = contains(var.target_regions, "us-east-2") } module "ebs_baseline_us-west-1" { + count = contains(var.target_regions, "us-west-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-west-1 } - - enabled = contains(var.target_regions, "us-west-1") } module "ebs_baseline_us-west-2" { + count = contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-west-2 } - - enabled = contains(var.target_regions, "us-west-2") } diff --git a/examples/external-bucket/bucket.tf b/examples/external-bucket/bucket.tf index c79b5322..3221f456 100644 --- a/examples/external-bucket/bucket.tf +++ b/examples/external-bucket/bucket.tf @@ -1,9 +1,13 @@ resource "aws_s3_bucket" "logs" { bucket = var.audit_s3_bucket_name - acl = "private" force_destroy = true } +resource "aws_s3_bucket_acl" "logs" { + bucket = aws_s3_bucket.logs.id + acl = "private" +} + data "aws_iam_policy_document" "logs_bucket_policy" { statement { sid = "AWSCloudTrailAclCheckForConfig" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 0643a6a0..8ab31369 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/examples/external-bucket/outputs.tf b/examples/external-bucket/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/external-bucket/variables.tf b/examples/external-bucket/variables.tf index 6a5322c5..c8c4fd3b 100644 --- a/examples/external-bucket/variables.tf +++ b/examples/external-bucket/variables.tf 
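Review bot: The new `aws_s3_bucket_acl.logs` resource in examples/external-bucket/bucket.tf sets a canned ACL on a bucket that has no `aws_s3_bucket_ownership_controls`. On buckets created with ACLs disabled, which has been the S3 default for new buckets since April 2023, that call is rejected, so the example may not apply as written. Access for the log writers appears to come from the bucket policy that follows in this file, so consider dropping the ACL resource or declaring ownership controls ahead of it. The hunk also shows no `aws_s3_bucket_public_access_block` for this audit-log bucket; if none exists further down the file, adding one would make the example safer to copy. The policy document continues outside the hunk.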
@@ -1,9 +1,11 @@ variable "audit_s3_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string } variable "region" { description = "The AWS region in which global resources are set up." + type = string default = "us-east-1" } diff --git a/examples/organization/README.md b/examples/organization/README.md index 832c16f5..a1054752 100644 --- a/examples/organization/README.md +++ b/examples/organization/README.md @@ -7,7 +7,7 @@ When it sets to `master`, this module configure the account to be ready to gathe ## Master Account -In the master account configuration, you need to set `account_type` to `master` and specify member account information in `member accounts`. +In the master account configuration, you need to set `account_type` to `master` and specify member account information in `member_accounts`. The following shows a sample usage. diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index 6994b45b..f74dfcf4 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/examples/organization/master/outputs.tf b/examples/organization/master/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/organization/master/variables.tf b/examples/organization/master/variables.tf index 4b2effb9..91abcd10 100644 --- a/examples/organization/master/variables.tf +++ b/examples/organization/master/variables.tf 
@@ -1,13 +1,19 @@ variable "audit_s3_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string +} + +variable "member_accounts" { + description = "A list of AWS account IDs." + type = list(object({ + account_id = string + email = string + })) } variable "region" { description = "The AWS region in which global resources are set up." + type = string default = "us-east-1" } -variable "member_accounts" { - description = "A list of AWS account IDs." - default = [] -} diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 12b25e9f..8c20c3d9 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/examples/organization/member/outputs.tf b/examples/organization/member/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/organization/member/variables.tf b/examples/organization/member/variables.tf index 9c513eb9..a84c6dad 100644 --- a/examples/organization/member/variables.tf +++ b/examples/organization/member/variables.tf @@ -1,12 +1,10 @@ variable "audit_s3_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string } variable "region" { description = "The AWS region in which global resources are set up." + type = string default = "us-east-1" } - -variable "master_account_id" { - description = "The ID of the master AWS account." -} diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index f6e2a8a4..391872ec 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf 
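Review bot: In examples/organization/master/variables.tf the description of `member_accounts` still reads "A list of AWS account IDs." although the new type is a list of objects carrying `account_id` and `email`. Something like `description = "A list of member accounts, each with account_id and email."` would match the declared type. The hunk also drops `default = []`, which makes the variable required for anyone running the example; if that is intended, the example README should say so.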
@@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/examples/select-region/outputs.tf b/examples/select-region/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/select-region/variables.tf b/examples/select-region/variables.tf index 6a5322c5..c8c4fd3b 100644 --- a/examples/select-region/variables.tf +++ b/examples/select-region/variables.tf @@ -1,9 +1,11 @@ variable "audit_s3_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string } variable "region" { description = "The AWS region in which global resources are set up." + type = string default = "us-east-1" } diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 0706ad27..5e672c8e 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/examples/simple/outputs.tf b/examples/simple/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf index 6a5322c5..c8c4fd3b 100644 --- a/examples/simple/variables.tf +++ b/examples/simple/variables.tf @@ -1,9 +1,11 @@ variable "audit_s3_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string } variable "region" { description = "The AWS region in which global resources are set up." + type = string default = "us-east-1" } diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 24e62d91..1d88499f 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf 
@@ -3,19 +3,20 @@ # Needs to be set up in each region. # This is an extra configuration which is not included in CIS benchmark. # -------------------------------------------------------------------------------------------------- + locals { guardduty_master_account_id = var.master_account_id guardduty_member_accounts = var.member_accounts } module "guardduty_baseline_ap-northeast-1" { + count = contains(var.target_regions, "ap-northeast-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = contains(var.target_regions, "ap-northeast-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -26,13 +27,13 @@ module "guardduty_baseline_ap-northeast-1" { } module "guardduty_baseline_ap-northeast-2" { + count = contains(var.target_regions, "ap-northeast-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = contains(var.target_regions, "ap-northeast-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -43,13 +44,13 @@ module "guardduty_baseline_ap-northeast-2" { } module "guardduty_baseline_ap-northeast-3" { + count = contains(var.target_regions, "ap-northeast-3") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = contains(var.target_regions, "ap-northeast-3") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -60,13 +61,13 @@ module "guardduty_baseline_ap-northeast-3" { } module "guardduty_baseline_ap-south-1" { + count = contains(var.target_regions, "ap-south-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-south-1 } - enabled = contains(var.target_regions, "ap-south-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -77,13 +78,13 @@ module "guardduty_baseline_ap-south-1" { } module "guardduty_baseline_ap-southeast-1" { + count = contains(var.target_regions, "ap-southeast-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = contains(var.target_regions, "ap-southeast-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -100,7 +101,7 @@ module "guardduty_baseline_ap-southeast-2" { aws = aws.ap-southeast-2 } - enabled = contains(var.target_regions, "ap-southeast-2") && var.guardduty_enabled + count = contains(var.target_regions, "ap-southeast-2") && var.guardduty_enabled ? 1 : 0 disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
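Review bot: In `module "guardduty_baseline_ap-southeast-2"` the new `count` line sits after the `providers` block, in the slot the removed `enabled` argument occupied, while the other GuardDuty region blocks in this diff place `count` first, above `source`. Moving `count = contains(var.target_regions, "ap-southeast-2") && var.guardduty_enabled ? 1 : 0` to the top of the block keeps the per-region blocks uniform, which makes it easier to spot a region whose detector condition has diverged. The module block starts and ends outside this hunk.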
@@ -111,13 +112,13 @@ module "guardduty_baseline_ap-southeast-2" { } module "guardduty_baseline_ca-central-1" { + count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ca-central-1 } - enabled = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -128,13 +129,13 @@ module "guardduty_baseline_ca-central-1" { } module "guardduty_baseline_eu-central-1" { + count = contains(var.target_regions, "eu-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-central-1 } - enabled = contains(var.target_regions, "eu-central-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -145,13 +146,13 @@ module "guardduty_baseline_eu-central-1" { } module "guardduty_baseline_eu-north-1" { + count = contains(var.target_regions, "eu-north-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-north-1 } - enabled = contains(var.target_regions, "eu-north-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -162,13 +163,13 @@ module "guardduty_baseline_eu-north-1" { } module "guardduty_baseline_eu-west-1" { + count = contains(var.target_regions, "eu-west-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-1 } - enabled = contains(var.target_regions, "eu-west-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -179,13 +180,13 @@ module "guardduty_baseline_eu-west-1" { } module "guardduty_baseline_eu-west-2" { + count = contains(var.target_regions, "eu-west-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-2 } - enabled = contains(var.target_regions, "eu-west-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -196,13 +197,13 @@ module "guardduty_baseline_eu-west-2" { } module "guardduty_baseline_eu-west-3" { + count = contains(var.target_regions, "eu-west-3") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-3 } - enabled = contains(var.target_regions, "eu-west-3") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -213,13 +214,13 @@ module "guardduty_baseline_eu-west-3" { } module "guardduty_baseline_sa-east-1" { + count = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.sa-east-1 } - enabled = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -230,13 +231,13 @@ module "guardduty_baseline_sa-east-1" { } module "guardduty_baseline_us-east-1" { + count = contains(var.target_regions, "us-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-east-1 } - enabled = contains(var.target_regions, "us-east-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -247,13 +248,13 @@ module "guardduty_baseline_us-east-1" { } module "guardduty_baseline_us-east-2" { + count = contains(var.target_regions, "us-east-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-east-2 } - enabled = contains(var.target_regions, "us-east-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -264,13 +265,13 @@ module "guardduty_baseline_us-east-2" { } module "guardduty_baseline_us-west-1" { + count = contains(var.target_regions, "us-west-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-west-1 } - enabled = contains(var.target_regions, "us-west-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -281,13 +282,13 @@ module "guardduty_baseline_us-west-1" { } module "guardduty_baseline_us-west-2" { + count = contains(var.target_regions, "us-west-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-west-2 } - enabled = contains(var.target_regions, "us-west-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message diff --git a/main.tf b/main.tf index 7cb9ef27..1b807f35 100644 --- a/main.tf +++ b/main.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" # A provider alias should be passed for each AWS region. # Reference: https://docs.aws.amazon.com/general/latest/gr/rande.html 
@@ -29,9 +29,8 @@ data "aws_caller_identity" "current" {} locals { is_individual_account = var.account_type == "individual" is_master_account = var.account_type == "master" - is_member_account = var.account_type == "member" - - is_cloudtrail_enabled = local.is_individual_account || local.is_master_account + is_cloudtrail_enabled = var.cloudtrail_baseline_enabled && (local.is_individual_account || local.is_master_account) + is_organization_trail = local.is_master_account && !var.turn_off_organization_trail } # -------------------------------------------------------------------------------------------------- @@ -39,12 +38,12 @@ locals { # -------------------------------------------------------------------------------------------------- module "iam_baseline" { + count = var.iam_baseline_enabled ? 1 : 0 source = "./modules/iam-baseline" - aws_account_id = var.aws_account_id support_iam_role_name = var.support_iam_role_name - support_iam_role_policy_name = var.support_iam_role_policy_name support_iam_role_principal_arns = var.support_iam_role_principal_arns + permissions_boundary_arn = var.permissions_boundary_arn minimum_password_length = var.minimum_password_length password_reuse_prevention = var.password_reuse_prevention require_lowercase_characters = var.require_lowercase_characters @@ -64,9 +63,9 @@ module "iam_baseline" { # -------------------------------------------------------------------------------------------------- module "cloudtrail_baseline" { + count = local.is_cloudtrail_enabled ? 1 : 0 source = "./modules/cloudtrail-baseline" - enabled = local.is_cloudtrail_enabled aws_account_id = var.aws_account_id cloudtrail_depends_on = [aws_s3_bucket_policy.audit_log] cloudtrail_name = var.cloudtrail_name 
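Review bot: In the `locals` block of main.tf, `is_cloudtrail_enabled` is true only for `individual` and `master` accounts, so member accounts rely on the master's organization trail, and the new `is_organization_trail = local.is_master_account && !var.turn_off_organization_trail` lets the master switch that off. With `turn_off_organization_trail = true`, member accounts configured through this module would apparently have no trail from it at all. A comment on the local, e.g. `# Turning off the organization trail leaves member accounts without CloudTrail from this module.`, or the same wording in the variable's description, would make that trade-off explicit.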
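Review bot: `count = var.iam_baseline_enabled ? 1 : 0` on `module "iam_baseline"` makes the password policy and support role settings passed in this block optional, and the variable's declaration is not in this hunk. Its default should be `true` and its description should name what is skipped when it is `false`, so that opting out of a baseline is a deliberate choice. The same applies to `var.cloudtrail_baseline_enabled`, `var.alarm_baseline_enabled` and `var.s3_baseline_enabled` in the neighbouring main.tf hunks. Any output or reference that reads `module.iam_baseline.<attr>` also needs `[0]` or `one(...)` after this change. The module block continues outside the hunk.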
@@ -77,6 +76,7 @@ module "cloudtrail_baseline" { cloudwatch_logs_retention_in_days = var.cloudwatch_logs_retention_in_days iam_role_name = var.cloudtrail_iam_role_name iam_role_policy_name = var.cloudtrail_iam_role_policy_name + permissions_boundary_arn = var.permissions_boundary_arn key_deletion_window_in_days = var.cloudtrail_key_deletion_window_in_days region = var.region s3_bucket_name = local.audit_log_bucket_id @@ -84,8 +84,9 @@ module "cloudtrail_baseline" { s3_object_level_logging_buckets = var.cloudtrail_s3_object_level_logging_buckets dynamodb_event_logging_tables = var.cloudtrail_dynamodb_event_logging_tables lambda_invocation_logging_lambdas = var.cloudtrail_lambda_invocation_logging_lambdas - is_organization_trail = local.is_master_account - tags = var.tags + is_organization_trail = local.is_organization_trail + + tags = var.tags } # -------------------------------------------------------------------------------------------------- @@ -93,11 +94,12 @@ module "cloudtrail_baseline" { # -------------------------------------------------------------------------------------------------- module "alarm_baseline" { + count = var.alarm_baseline_enabled && local.is_cloudtrail_enabled && var.cloudtrail_cloudwatch_logs_enabled ? 1 : 0 source = "./modules/alarm-baseline" - enabled = local.is_cloudtrail_enabled && var.cloudtrail_cloudwatch_logs_enabled unauthorized_api_calls_enabled = var.unauthorized_api_calls_enabled no_mfa_console_signin_enabled = var.no_mfa_console_signin_enabled + mfa_console_signin_allow_sso = var.mfa_console_signin_allow_sso root_usage_enabled = var.root_usage_enabled iam_changes_enabled = var.iam_changes_enabled cloudtrail_cfg_changes_enabled = var.cloudtrail_cfg_changes_enabled 
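Review bot: The new `count` on `module "alarm_baseline"` ANDs three conditions, so setting `var.cloudtrail_baseline_enabled` or `var.cloudtrail_cloudwatch_logs_enabled` to false also removes every CloudWatch alarm, even when `var.alarm_baseline_enabled` is true, and nothing at the call site says so. Because `local.is_cloudtrail_enabled` now depends on `var.cloudtrail_baseline_enabled` (see the `locals` hunk earlier in main.tf), an operator who disables the trail loses both the audit log and the alerting in a single plan. I would document the coupling directly above the `count` line, for example `# Alarms read the CloudTrail log group: they are skipped whenever the trail or its CloudWatch Logs delivery is off.` The module block continues past the end of this hunk.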
@@ -112,7 +114,7 @@ module "alarm_baseline" { vpc_changes_enabled = var.vpc_changes_enabled organizations_changes_enabled = var.organizations_changes_enabled alarm_namespace = var.alarm_namespace - cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline.log_group : "" + cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline[0].log_group : "" sns_topic_name = var.alarm_sns_topic_name sns_topic_kms_master_key_id = var.alarm_sns_topic_kms_master_key_id @@ -124,6 +126,7 @@ module "alarm_baseline" { # -------------------------------------------------------------------------------------------------- module "s3_baseline" { + count = var.s3_baseline_enabled ? 1 : 0 source = "./modules/s3-baseline" block_public_acls = var.s3_block_public_acls diff --git a/migrations.tf b/migrations.tf new file mode 100644 index 00000000..b011346b --- /dev/null +++ b/migrations.tf 
@@ -0,0 +1,555 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 1.0.0 +# Replacing `enabled` argument in secure-bucket module with `count` meta-argument +# -------------------------------------------------------------------------------------------------- + +moved { + from = module.audit_log_bucket + to = module.audit_log_bucket[0] +} + +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Replacing `enabled` argument in each sub-module with `count` meta-argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = module.cloudtrail_baseline + to = module.cloudtrail_baseline[0] +} + +moved { + from = module.alarm_baseline + to = module.alarm_baseline[0] +} + +moved { + from = module.s3_baseline + to = module.s3_baseline[0] +} + +moved { + from = module.iam_baseline + to = module.iam_baseline[0] +} + +moved { + from = module.analyzer_baseline + to = module.analyzer_baseline[0] +} + +# Config baseline +moved { + from = module.config_baseline_ap-northeast-1 + to = module.config_baseline_ap-northeast-1[0] +} + +moved { + from = module.config_baseline_ap-northeast-2 + to = module.config_baseline_ap-northeast-2[0] +} + +moved { + from = module.config_baseline_ap-northeast-3 + to = module.config_baseline_ap-northeast-3[0] +} + +moved { + from = module.config_baseline_ap-south-1 + to = module.config_baseline_ap-south-1[0] +} + +moved { + from = module.config_baseline_ap-southeast-1 + to = module.config_baseline_ap-southeast-1[0] +} + +moved { + from = module.config_baseline_ap-southeast-2 + to = module.config_baseline_ap-southeast-2[0] +} + +moved { + from = module.config_baseline_ca-central-1 + to = module.config_baseline_ca-central-1[0] +} + +moved { + from = module.config_baseline_eu-central-1 + to = module.config_baseline_eu-central-1[0] +} + +moved { + 
from = module.config_baseline_eu-north-1 + to = module.config_baseline_eu-north-1[0] +} + +moved { + from = module.config_baseline_eu-west-1 + to = module.config_baseline_eu-west-1[0] +} + +moved { + from = module.config_baseline_eu-west-2 + to = module.config_baseline_eu-west-2[0] +} + +moved { + from = module.config_baseline_eu-west-3 + to = module.config_baseline_eu-west-3[0] +} + +moved { + from = module.config_baseline_sa-east-1 + to = module.config_baseline_sa-east-1[0] +} + +moved { + from = module.config_baseline_us-east-1 + to = module.config_baseline_us-east-1[0] +} + +moved { + from = module.config_baseline_us-east-2 + to = module.config_baseline_us-east-2[0] +} + +moved { + from = module.config_baseline_us-west-1 + to = module.config_baseline_us-west-1[0] +} + +moved { + from = module.config_baseline_us-west-2 + to = module.config_baseline_us-west-2[0] +} + +# EBS baseline +moved { + from = module.ebs_baseline_ap-northeast-1 + to = module.ebs_baseline_ap-northeast-1[0] +} + +moved { + from = module.ebs_baseline_ap-northeast-2 + to = module.ebs_baseline_ap-northeast-2[0] +} + +moved { + from = module.ebs_baseline_ap-northeast-3 + to = module.ebs_baseline_ap-northeast-3[0] +} + +moved { + from = module.ebs_baseline_ap-south-1 + to = module.ebs_baseline_ap-south-1[0] +} + +moved { + from = module.ebs_baseline_ap-southeast-1 + to = module.ebs_baseline_ap-southeast-1[0] +} + +moved { + from = module.ebs_baseline_ap-southeast-2 + to = module.ebs_baseline_ap-southeast-2[0] +} + +moved { + from = module.ebs_baseline_ca-central-1 + to = module.ebs_baseline_ca-central-1[0] +} + +moved { + from = module.ebs_baseline_eu-central-1 + to = module.ebs_baseline_eu-central-1[0] +} + +moved { + from = module.ebs_baseline_eu-north-1 + to = module.ebs_baseline_eu-north-1[0] +} + +moved { + from = module.ebs_baseline_eu-west-1 + to = module.ebs_baseline_eu-west-1[0] +} + +moved { + from = module.ebs_baseline_eu-west-2 + to = module.ebs_baseline_eu-west-2[0] +} + +moved { + 
from = module.ebs_baseline_eu-west-3 + to = module.ebs_baseline_eu-west-3[0] +} + +moved { + from = module.ebs_baseline_sa-east-1 + to = module.ebs_baseline_sa-east-1[0] +} + +moved { + from = module.ebs_baseline_us-east-1 + to = module.ebs_baseline_us-east-1[0] +} + +moved { + from = module.ebs_baseline_us-east-2 + to = module.ebs_baseline_us-east-2[0] +} + +moved { + from = module.ebs_baseline_us-west-1 + to = module.ebs_baseline_us-west-1[0] +} + +moved { + from = module.ebs_baseline_us-west-2 + to = module.ebs_baseline_us-west-2[0] +} + +# Guardduty baseline +moved { + from = module.guardduty_baseline_ap-northeast-1 + to = module.guardduty_baseline_ap-northeast-1[0] +} + +moved { + from = module.guardduty_baseline_ap-northeast-2 + to = module.guardduty_baseline_ap-northeast-2[0] +} + +moved { + from = module.guardduty_baseline_ap-northeast-3 + to = module.guardduty_baseline_ap-northeast-3[0] +} + +moved { + from = module.guardduty_baseline_ap-south-1 + to = module.guardduty_baseline_ap-south-1[0] +} + +moved { + from = module.guardduty_baseline_ap-southeast-1 + to = module.guardduty_baseline_ap-southeast-1[0] +} + +moved { + from = module.guardduty_baseline_ap-southeast-2 + to = module.guardduty_baseline_ap-southeast-2[0] +} + +moved { + from = module.guardduty_baseline_ca-central-1 + to = module.guardduty_baseline_ca-central-1[0] +} + +moved { + from = module.guardduty_baseline_eu-central-1 + to = module.guardduty_baseline_eu-central-1[0] +} + +moved { + from = module.guardduty_baseline_eu-north-1 + to = module.guardduty_baseline_eu-north-1[0] +} + +moved { + from = module.guardduty_baseline_eu-west-1 + to = module.guardduty_baseline_eu-west-1[0] +} + +moved { + from = module.guardduty_baseline_eu-west-2 + to = module.guardduty_baseline_eu-west-2[0] +} + +moved { + from = module.guardduty_baseline_eu-west-3 + to = module.guardduty_baseline_eu-west-3[0] +} + +moved { + from = module.guardduty_baseline_sa-east-1 + to = module.guardduty_baseline_sa-east-1[0] +} + 
+moved { + from = module.guardduty_baseline_us-east-1 + to = module.guardduty_baseline_us-east-1[0] +} + +moved { + from = module.guardduty_baseline_us-east-2 + to = module.guardduty_baseline_us-east-2[0] +} + +moved { + from = module.guardduty_baseline_us-west-1 + to = module.guardduty_baseline_us-west-1[0] +} + +moved { + from = module.guardduty_baseline_us-west-2 + to = module.guardduty_baseline_us-west-2[0] +} + +# SecurityHub baseline +moved { + from = module.securityhub_baseline_ap-northeast-1 + to = module.securityhub_baseline_ap-northeast-1[0] +} + +moved { + from = module.securityhub_baseline_ap-northeast-2 + to = module.securityhub_baseline_ap-northeast-2[0] +} + +moved { + from = module.securityhub_baseline_ap-northeast-3 + to = module.securityhub_baseline_ap-northeast-3[0] +} + +moved { + from = module.securityhub_baseline_ap-south-1 + to = module.securityhub_baseline_ap-south-1[0] +} + +moved { + from = module.securityhub_baseline_ap-southeast-1 + to = module.securityhub_baseline_ap-southeast-1[0] +} + +moved { + from = module.securityhub_baseline_ap-southeast-2 + to = module.securityhub_baseline_ap-southeast-2[0] +} + +moved { + from = module.securityhub_baseline_ca-central-1 + to = module.securityhub_baseline_ca-central-1[0] +} + +moved { + from = module.securityhub_baseline_eu-central-1 + to = module.securityhub_baseline_eu-central-1[0] +} + +moved { + from = module.securityhub_baseline_eu-north-1 + to = module.securityhub_baseline_eu-north-1[0] +} + +moved { + from = module.securityhub_baseline_eu-west-1 + to = module.securityhub_baseline_eu-west-1[0] +} + +moved { + from = module.securityhub_baseline_eu-west-2 + to = module.securityhub_baseline_eu-west-2[0] +} + +moved { + from = module.securityhub_baseline_eu-west-3 + to = module.securityhub_baseline_eu-west-3[0] +} + +moved { + from = module.securityhub_baseline_sa-east-1 + to = module.securityhub_baseline_sa-east-1[0] +} + +moved { + from = module.securityhub_baseline_us-east-1 + to = 
module.securityhub_baseline_us-east-1[0] +} + +moved { + from = module.securityhub_baseline_us-east-2 + to = module.securityhub_baseline_us-east-2[0] +} + +moved { + from = module.securityhub_baseline_us-west-1 + to = module.securityhub_baseline_us-west-1[0] +} + +moved { + from = module.securityhub_baseline_us-west-2 + to = module.securityhub_baseline_us-west-2[0] +} + +# vpc baseline +moved { + from = module.vpc_baseline_ap-northeast-1 + to = module.vpc_baseline_ap-northeast-1[0] +} + +moved { + from = module.vpc_baseline_ap-northeast-2 + to = module.vpc_baseline_ap-northeast-2[0] +} + +moved { + from = module.vpc_baseline_ap-northeast-3 + to = module.vpc_baseline_ap-northeast-3[0] +} + +moved { + from = module.vpc_baseline_ap-south-1 + to = module.vpc_baseline_ap-south-1[0] +} + +moved { + from = module.vpc_baseline_ap-southeast-1 + to = module.vpc_baseline_ap-southeast-1[0] +} + +moved { + from = module.vpc_baseline_ap-southeast-2 + to = module.vpc_baseline_ap-southeast-2[0] +} + +moved { + from = module.vpc_baseline_ca-central-1 + to = module.vpc_baseline_ca-central-1[0] +} + +moved { + from = module.vpc_baseline_eu-central-1 + to = module.vpc_baseline_eu-central-1[0] +} + +moved { + from = module.vpc_baseline_eu-north-1 + to = module.vpc_baseline_eu-north-1[0] +} + +moved { + from = module.vpc_baseline_eu-west-1 + to = module.vpc_baseline_eu-west-1[0] +} + +moved { + from = module.vpc_baseline_eu-west-2 + to = module.vpc_baseline_eu-west-2[0] +} + +moved { + from = module.vpc_baseline_eu-west-3 + to = module.vpc_baseline_eu-west-3[0] +} + +moved { + from = module.vpc_baseline_sa-east-1 + to = module.vpc_baseline_sa-east-1[0] +} + +moved { + from = module.vpc_baseline_us-east-1 + to = module.vpc_baseline_us-east-1[0] +} + +moved { + from = module.vpc_baseline_us-east-2 + to = module.vpc_baseline_us-east-2[0] +} + +moved { + from = module.vpc_baseline_us-west-1 + to = module.vpc_baseline_us-west-1[0] +} + +moved { + from = module.vpc_baseline_us-west-2 + to = 
module.vpc_baseline_us-west-2[0] +} + +# analyzer baseline +moved { + from = module.analyzer_baseline_ap-northeast-1 + to = module.analyzer_baseline_ap-northeast-1[0] +} + +moved { + from = module.analyzer_baseline_ap-northeast-2 + to = module.analyzer_baseline_ap-northeast-2[0] +} + +moved { + from = module.analyzer_baseline_ap-northeast-3 + to = module.analyzer_baseline_ap-northeast-3[0] +} + +moved { + from = module.analyzer_baseline_ap-south-1 + to = module.analyzer_baseline_ap-south-1[0] +} + +moved { + from = module.analyzer_baseline_ap-southeast-1 + to = module.analyzer_baseline_ap-southeast-1[0] +} + +moved { + from = module.analyzer_baseline_ap-southeast-2 + to = module.analyzer_baseline_ap-southeast-2[0] +} + +moved { + from = module.analyzer_baseline_ca-central-1 + to = module.analyzer_baseline_ca-central-1[0] +} + +moved { + from = module.analyzer_baseline_eu-central-1 + to = module.analyzer_baseline_eu-central-1[0] +} + +moved { + from = module.analyzer_baseline_eu-north-1 + to = module.analyzer_baseline_eu-north-1[0] +} + +moved { + from = module.analyzer_baseline_eu-west-1 + to = module.analyzer_baseline_eu-west-1[0] +} + +moved { + from = module.analyzer_baseline_eu-west-2 + to = module.analyzer_baseline_eu-west-2[0] +} + +moved { + from = module.analyzer_baseline_eu-west-3 + to = module.analyzer_baseline_eu-west-3[0] +} + +moved { + from = module.analyzer_baseline_sa-east-1 + to = module.analyzer_baseline_sa-east-1[0] +} + +moved { + from = module.analyzer_baseline_us-east-1 + to = module.analyzer_baseline_us-east-1[0] +} + +moved { + from = module.analyzer_baseline_us-east-2 + to = module.analyzer_baseline_us-east-2[0] +} + +moved { + from = module.analyzer_baseline_us-west-1 + to = module.analyzer_baseline_us-west-1[0] +} + +moved { + from = module.analyzer_baseline_us-west-2 + to = module.analyzer_baseline_us-west-2[0] +} diff --git a/modules/alarm-baseline/README.md b/modules/alarm-baseline/README.md index b307e705..bf0e5cdd 100644 
--- a/modules/alarm-baseline/README.md
+++ b/modules/alarm-baseline/README.md
@@ -7,84 +7,40 @@ Set up CloudWatch alarms to notify you when critical changes happen in your AWS | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_cloudwatch_log_metric_filter.aws_config_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.cloudtrail_cfg_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.console_signin_failures](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.disable_or_delete_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.iam_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.nacl_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.network_gw_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.no_mfa_console_signin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| 
[aws_cloudwatch_log_metric_filter.organizations_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.root_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.route_table_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.s3_bucket_policy_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.security_group_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.unauthorized_api_calls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_log_metric_filter.vpc_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter) | resource | -| [aws_cloudwatch_metric_alarm.aws_config_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.cloudtrail_cfg_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.console_signin_failures](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.disable_or_delete_cmk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| 
[aws_cloudwatch_metric_alarm.iam_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.nacl_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.network_gw_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.no_mfa_console_signin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.organizations_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.root_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.route_table_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.s3_bucket_policy_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.security_group_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.unauthorized_api_calls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_cloudwatch_metric_alarm.vpc_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | -| [aws_sns_topic.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | -| 
[aws_sns_topic_policy.alarms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.alarms-sns-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. | `string` | `"CISBenchmark"` | no | -| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | `any` | n/a | yes | -| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. 
| `bool` | `true` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | `true` | no | -| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [sns\_topic\_kms\_master\_key\_id](#input\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `any` | `null` | no | -| [sns\_topic\_name](#input\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | `"CISAlarm"` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | -| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | `string` | yes | +| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. | `string` | no | +| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [mfa\_console\_signin\_allow\_sso](#input\_mfa\_console\_signin\_allow\_sso) | The boolean flag whether the no\_mfa\_console\_signin alarm allows SSO auth to be ignored. | `bool` | no | +| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [sns\_topic\_kms\_master\_key\_id](#input\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [sns\_topic\_name](#input\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | +| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | ## Outputs diff --git a/modules/alarm-baseline/main.tf b/modules/alarm-baseline/main.tf index 39d84f82..2d12e970 100644 --- a/modules/alarm-baseline/main.tf +++ b/modules/alarm-baseline/main.tf @@ -6,28 +6,21 @@ data "aws_region" "current" {} # -------------------------------------------------------------------------------------------------- resource "aws_sns_topic" "alarms" { - count = var.enabled ? 1 : 0 - - name = var.sns_topic_name - + name = var.sns_topic_name kms_master_key_id = var.sns_topic_kms_master_key_id tags = var.tags } resource "aws_sns_topic_policy" "alarms" { - count = var.enabled ? 1 : 0 - arn = aws_sns_topic.alarms[0].arn - - policy = data.aws_iam_policy_document.alarms-sns-policy[0].json + arn = aws_sns_topic.alarms.arn + policy = data.aws_iam_policy_document.alarms-sns-policy.json } data "aws_iam_policy_document" "alarms-sns-policy" { - count = var.enabled ? 1 : 0 - statement { actions = ["sns:Publish"] - resources = [aws_sns_topic.alarms[0].arn] + resources = [aws_sns_topic.alarms.arn] principals { type = "Service" 
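Review bot: `kms_master_key_id = var.sns_topic_kms_master_key_id` on `aws_sns_topic.alarms` leaves the alarm topic without server-side encryption when the variable is null, which was its default in the README row this commit removes; the variable definition itself is not visible here, so this assumes the default is unchanged. The regenerated Inputs table drops the Default column, so that default can no longer be found in the module docs. I would add a comment above the argument such as `# null = topic is not encrypted at rest; pass a customer managed KMS key to enable SSE.` and note next to it that the key policy has to let `cloudwatch.amazonaws.com` use the key, otherwise the alarm actions cannot publish to the topic. The policy document's `principals` block continues outside this hunk.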
@@ -47,7 +40,7 @@ data "aws_iam_policy_document" "alarms-sns-policy" { # -------------------------------------------------------------------------------------------------- resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" { - count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0 + count = var.unauthorized_api_calls_enabled ? 1 : 0 name = "UnauthorizedAPICalls" pattern = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}" @@ -61,7 +54,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" { } resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { - count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0 + count = var.unauthorized_api_calls_enabled ? 1 : 0 alarm_name = "UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -72,7 +65,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -80,10 +73,13 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { } resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" { - count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0 + count = var.no_mfa_console_signin_enabled ? 1 : 0 - name = "NoMFAConsoleSignin" - pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + name = "NoMFAConsoleSignin" + pattern = join(" ", [ + "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\")", + var.mfa_console_signin_allow_sso ? "&& ($.userIdentity.type = \"IAMUser\") && ($.responseElements.ConsoleLogin = \"Success\") }" : "}", + ]) log_group_name = var.cloudtrail_log_group_name metric_transformation { @@ -94,7 +90,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" { } resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { - count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0 + count = var.no_mfa_console_signin_enabled ? 1 : 0 alarm_name = "NoMFAConsoleSignin" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -105,7 +101,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -113,7 +109,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { } resource "aws_cloudwatch_log_metric_filter" "root_usage" { - count = var.enabled && var.root_usage_enabled ? 1 : 0 + count = var.root_usage_enabled ? 1 : 0 name = "RootUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" 
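Review bot: In the `no_mfa_console_signin` metric filter (hunk `@@ -80,10 +73,13 @@`), setting `mfa_console_signin_allow_sso` does more than skip SSO sign-ins: it narrows the pattern to `$.userIdentity.type = "IAMUser"` and `$.responseElements.ConsoleLogin = "Success"`. Root and other non-IAM-user console logins without MFA, and failed attempts, therefore stop counting towards this alarm; root sign-ins would then surface only through the separate `root_usage` alarm, if that one is enabled. The variable description added in variables.tf ("allows SSO auth to be ignored") does not mention this, so I would add a comment above `pattern`, e.g. `# When mfa_console_signin_allow_sso is true, only successful IAMUser console logins without MFA are counted.`, and say the same in the variable description. As a style point, each of the two joined strings carries one brace of the filter; building the optional condition separately and appending a single closing `}` would make the pattern easier to audit. The resource body continues past the end of the hunk.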
@@ -127,7 +123,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" { } resource "aws_cloudwatch_metric_alarm" "root_usage" { - count = var.enabled && var.root_usage_enabled ? 1 : 0 + count = var.root_usage_enabled ? 1 : 0 alarm_name = "RootUsage" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -138,7 +134,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -146,7 +142,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" { } resource "aws_cloudwatch_log_metric_filter" "iam_changes" { - count = var.enabled && var.iam_changes_enabled ? 1 : 0 + count = var.iam_changes_enabled ? 1 : 0 name = "IAMChanges" pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}" @@ -160,7 +156,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" { } resource "aws_cloudwatch_metric_alarm" "iam_changes" { - count = var.enabled && var.iam_changes_enabled ? 1 : 0 + count = var.iam_changes_enabled ? 1 : 0 alarm_name = "IAMChanges" comparison_operator = "GreaterThanOrEqualToThreshold" 
@@ -171,7 +167,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -179,7 +175,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" { } resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" { - count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0 + count = var.cloudtrail_cfg_changes_enabled ? 1 : 0 name = "CloudTrailCfgChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" @@ -193,7 +189,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" { } resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { - count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0 + count = var.cloudtrail_cfg_changes_enabled ? 1 : 0 alarm_name = "CloudTrailCfgChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -204,7 +200,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -212,7 +208,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { } resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" { - count = var.enabled && var.console_signin_failures_enabled ? 1 : 0 + count = var.console_signin_failures_enabled ? 1 : 0 name = "ConsoleSigninFailures" pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }" @@ -226,7 +222,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" { } resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { - count = var.enabled && var.console_signin_failures_enabled ? 1 : 0 + count = var.console_signin_failures_enabled ? 1 : 0 alarm_name = "ConsoleSigninFailures" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -237,7 +233,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -245,7 +241,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { } resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" { - count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0 + count = var.disable_or_delete_cmk_enabled ? 1 : 0 name = "DisableOrDeleteCMK" pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }" 
@@ -259,7 +255,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" { } resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { - count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0 + count = var.disable_or_delete_cmk_enabled ? 1 : 0 alarm_name = "DisableOrDeleteCMK" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -270,7 +266,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -278,7 +274,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { } resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" { - count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0 + count = var.s3_bucket_policy_changes_enabled ? 1 : 0 name = "S3BucketPolicyChanges" pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" @@ -292,7 +288,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" { } resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { - count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0 + count = var.s3_bucket_policy_changes_enabled ? 1 : 0 alarm_name = "S3BucketPolicyChanges" comparison_operator = "GreaterThanOrEqualToThreshold" 
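Review bot: The `alarm_description` of the `disable_or_delete_cmk` alarm (hunk `@@ -270,7 +266,7 @@`) is the text of the console-sign-in-failures alarm, so a notification about a disabled or deletion-scheduled KMS key describes brute-force login attempts to whoever triages it. The line is unchanged context here, but the commit edits the adjacent `alarm_actions` line, so this is a cheap place to correct it, for example `alarm_description = "Monitoring disabled or deletion-scheduled customer managed keys will help detect loss of access to data encrypted with them."`. The resource starts and ends outside the hunk.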
@@ -303,7 +299,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -311,7 +307,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { } resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" { - count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + count = var.aws_config_changes_enabled ? 1 : 0 name = "AWSConfigChanges" pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" @@ -325,7 +321,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" { } resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { - count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + count = var.aws_config_changes_enabled ? 1 : 0 alarm_name = "AWSConfigChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -336,7 +332,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -344,7 +340,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { } resource "aws_cloudwatch_log_metric_filter" "security_group_changes" { - count = var.enabled && var.security_group_changes_enabled ? 1 : 0 + count = var.security_group_changes_enabled ? 1 : 0 name = "SecurityGroupChanges" pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" @@ -358,7 +354,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" { } resource "aws_cloudwatch_metric_alarm" "security_group_changes" { - count = var.enabled && var.security_group_changes_enabled ? 1 : 0 + count = var.security_group_changes_enabled ? 1 : 0 alarm_name = "SecurityGroupChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -369,7 +365,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -377,7 +373,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" { } resource "aws_cloudwatch_log_metric_filter" "nacl_changes" { - count = var.enabled && var.nacl_changes_enabled ? 1 : 0 + count = var.nacl_changes_enabled ? 1 : 0 name = "NACLChanges" pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" 
@@ -391,7 +387,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" { } resource "aws_cloudwatch_metric_alarm" "nacl_changes" { - count = var.enabled && var.nacl_changes_enabled ? 1 : 0 + count = var.nacl_changes_enabled ? 1 : 0 alarm_name = "NACLChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -402,7 +398,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -410,7 +406,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" { } resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" { - count = var.enabled && var.network_gw_changes_enabled ? 1 : 0 + count = var.network_gw_changes_enabled ? 1 : 0 name = "NetworkGWChanges" pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" @@ -424,7 +420,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" { } resource "aws_cloudwatch_metric_alarm" "network_gw_changes" { - count = var.enabled && var.network_gw_changes_enabled ? 1 : 0 + count = var.network_gw_changes_enabled ? 1 : 0 alarm_name = "NetworkGWChanges" comparison_operator = "GreaterThanOrEqualToThreshold" 
@@ -435,7 +431,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -443,7 +439,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" { } resource "aws_cloudwatch_log_metric_filter" "route_table_changes" { - count = var.enabled && var.route_table_changes_enabled ? 1 : 0 + count = var.route_table_changes_enabled ? 1 : 0 name = "RouteTableChanges" pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" @@ -457,7 +453,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" { } resource "aws_cloudwatch_metric_alarm" "route_table_changes" { - count = var.enabled && var.route_table_changes_enabled ? 1 : 0 + count = var.route_table_changes_enabled ? 1 : 0 alarm_name = "RouteTableChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -468,7 +464,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -476,7 +472,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" { } resource "aws_cloudwatch_log_metric_filter" "vpc_changes" { - count = var.enabled && var.vpc_changes_enabled ? 1 : 0 + count = var.vpc_changes_enabled ? 1 : 0 name = "VPCChanges" pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }" @@ -490,7 +486,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" { } resource "aws_cloudwatch_metric_alarm" "vpc_changes" { - count = var.enabled && var.vpc_changes_enabled ? 1 : 0 + count = var.vpc_changes_enabled ? 1 : 0 alarm_name = "VPCChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -501,7 +497,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -509,7 +505,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" { } resource "aws_cloudwatch_log_metric_filter" "organizations_changes" { - count = var.enabled && var.organizations_changes_enabled ? 1 : 0 + count = var.organizations_changes_enabled ? 1 : 0 name = "OrganizationsChanges" pattern = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }" @@ -523,7 +519,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" { } resource "aws_cloudwatch_metric_alarm" "organizations_changes" { - count = var.enabled && var.organizations_changes_enabled ? 1 : 0 + count = var.organizations_changes_enabled ? 1 : 0 alarm_name = "OrganizationsChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -534,7 +530,7 @@ resource "aws_cloudwatch_metric_alarm" "organizations_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
diff --git a/modules/alarm-baseline/migrations.tf b/modules/alarm-baseline/migrations.tf
new file mode 100644
index 00000000..ccbd1d1f
--- /dev/null
+++ b/modules/alarm-baseline/migrations.tf
@@ -0,0 +1,14 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+
+moved {
+ from = aws_sns_topic.alarms[0]
+ to = aws_sns_topic.alarms
+}
+
+moved {
+ from = aws_sns_topic_policy.alarms[0]
+ to = aws_sns_topic_policy.alarms
+}
diff --git a/modules/alarm-baseline/variables.tf b/modules/alarm-baseline/variables.tf
index eadfadac..c1c651b6 100644
--- a/modules/alarm-baseline/variables.tf
+++ b/modules/alarm-baseline/variables.tf
@@ -1,105 +1,126 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "unauthorized_api_calls_enabled" { description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "no_mfa_console_signin_enabled" { description = "The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false." + type = bool default = true } +variable "mfa_console_signin_allow_sso" { + description = "The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored." + type = bool + default = false +} + variable "root_usage_enabled" { description = "The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "iam_changes_enabled" { description = "The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "cloudtrail_cfg_changes_enabled" { description = "The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "console_signin_failures_enabled" { description = "The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "disable_or_delete_cmk_enabled" { description = "The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "s3_bucket_policy_changes_enabled" { description = "The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false." 
+ type = bool default = true } variable "aws_config_changes_enabled" { description = "The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "security_group_changes_enabled" { description = "The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "nacl_changes_enabled" { description = "The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "network_gw_changes_enabled" { description = "The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "route_table_changes_enabled" { description = "The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "vpc_changes_enabled" { description = "The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "organizations_changes_enabled" { description = "The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "alarm_namespace" { description = "The namespace in which all alarms are set up." + type = string default = "CISBenchmark" } variable "cloudtrail_log_group_name" { description = "The name of the CloudWatch Logs group to which CloudTrail events are delivered." + type = string } variable "sns_topic_name" { description = "The name of the SNS Topic which will be notified when any alarm is performed." 
+ type = string default = "CISAlarm" } variable "sns_topic_kms_master_key_id" { description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption" + type = string default = null } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/alarm-baseline/versions.tf b/modules/alarm-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/alarm-baseline/versions.tf +++ b/modules/alarm-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/analyzer-baseline/README.md b/modules/analyzer-baseline/README.md index ed33cc2a..c54533ff 100644 --- a/modules/analyzer-baseline/README.md +++ b/modules/analyzer-baseline/README.md 
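Review bot: The description of `sns_topic_kms_master_key_id` in the variables.tf hunk (`@@ -1,105 +1,126 @@`) omits two things an operator needs to know. With the default `null` the alarm topic is created without server-side encryption, and when a key is supplied its key policy has to let CloudWatch use it, otherwise alarm notifications to the encrypted topic are not delivered. I would extend the description to something like `"ID of a customer managed KMS key for SNS topic encryption; the key policy must allow cloudwatch.amazonaws.com kms:Decrypt and kms:GenerateDataKey*. The topic is unencrypted when null."`. Whether the module should default to an encrypted topic is a separate decision; the note here is only about documenting the current behaviour.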
@@ -9,33 +9,22 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_accessanalyzer_analyzer.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer) | resource | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | `"default-analyer"` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [is\_organization](#input\_is\_organization) | The boolean flag whether this module is configured for the organization master account or the individual account. | `bool` | `false` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | +| [is\_organization](#input\_is\_organization) | The boolean flag whether this module is configured for the organization master account or the individual account. | `bool` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/analyzer-baseline/main.tf b/modules/analyzer-baseline/main.tf index 93b248a1..74108796 100644 --- a/modules/analyzer-baseline/main.tf +++ b/modules/analyzer-baseline/main.tf @@ -1,6 +1,4 @@ resource "aws_accessanalyzer_analyzer" "default" { - count = var.enabled ? 1 : 0 - analyzer_name = var.analyzer_name type = var.is_organization ? "ORGANIZATION" : "ACCOUNT" diff --git a/modules/analyzer-baseline/migrations.tf b/modules/analyzer-baseline/migrations.tf new file mode 100644 index 00000000..0228cb37 --- /dev/null +++ b/modules/analyzer-baseline/migrations.tf @@ -0,0 +1,9 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_accessanalyzer_analyzer.default[0] + to = aws_accessanalyzer_analyzer.default +} diff --git a/modules/analyzer-baseline/outputs.tf b/modules/analyzer-baseline/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/modules/analyzer-baseline/variables.tf b/modules/analyzer-baseline/variables.tf index 4d9f0a18..a5fcf3c1 100644 --- a/modules/analyzer-baseline/variables.tf +++ b/modules/analyzer-baseline/variables.tf 
@@ -1,21 +1,19 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "analyzer_name" { description = "The name for the IAM Access Analyzer resource to be created." + type = string default = "default-analyer" } variable "is_organization" { description = "The boolean flag whether this module is configured for the organization master account or the individual account." + type = bool default = false } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/analyzer-baseline/versions.tf b/modules/analyzer-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/analyzer-baseline/versions.tf +++ b/modules/analyzer-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/cloudtrail-baseline/README.md b/modules/cloudtrail-baseline/README.md index ac3fa736..c2e4d27a 100644 --- a/modules/cloudtrail-baseline/README.md +++ b/modules/cloudtrail-baseline/README.md 
@@ -7,59 +7,39 @@ Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTra | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_cloudtrail.global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | -| [aws_cloudwatch_log_group.cloudtrail_events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_iam_role.cloudwatch_delivery](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.cloudwatch_delivery_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_kms_key.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_sns_topic.cloudtrail-sns-topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | -| [aws_sns_topic_policy.local-account-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | -| [aws_iam_policy_document.cloudtrail-sns-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudtrail_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cloudwatch_delivery_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | 
data source | -| [aws_iam_policy_document.cloudwatch_delivery_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `any` | n/a | yes | -| [cloudtrail\_depends\_on](#input\_cloudtrail\_depends\_on) | External resources which should be set up before CloudTrail. | `list` | `[]` | no | -| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | `"cloudtrail-multi-region"` | no | -| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | `true` | no | -| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The SNS topic linked to the CloudTrail | `string` | `"cloudtrail-multi-region-sns-topic"` | no | -| [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | `true` | no | -| [cloudwatch\_logs\_group\_name](#input\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | `"cloudtrail-multi-region"` | no | -| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no | -| [dynamodb\_event\_logging\_tables](#input\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list` |
[
"arn:aws:dynamodb"
]
| no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Role"` | no | -| [iam\_role\_policy\_name](#input\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Policy"` | no | -| [is\_organization\_trail](#input\_is\_organization\_trail) | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | `false` | no | -| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | `10` | no | -| [lambda\_invocation\_logging\_lambdas](#input\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list` |
[
"arn:aws:lambda"
]
| no | -| [region](#input\_region) | The AWS region in which CloudTrail is set up. | `any` | n/a | yes | -| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the S3 bucket which will store configuration snapshots. | `any` | n/a | yes | -| [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | `""` | no | -| [s3\_object\_level\_logging\_buckets](#input\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list` |
[
"arn:aws:s3:::"
]
| no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `string` | yes | +| [region](#input\_region) | The AWS region in which CloudTrail is set up. | `string` | yes | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the S3 bucket which will store configuration snapshots. | `string` | yes | +| [cloudtrail\_depends\_on](#input\_cloudtrail\_depends\_on) | External resources which should be set up before CloudTrail. | `list(any)` | no | +| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | no | +| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | no | +| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The SNS topic linked to the CloudTrail | `string` | no | +| [cloudwatch\_logs\_enabled](#input\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | +| [cloudwatch\_logs\_group\_name](#input\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | +| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [dynamodb\_event\_logging\_tables](#input\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no | +| [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. 
| `string` | no | +| [iam\_role\_policy\_name](#input\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [is\_organization\_trail](#input\_is\_organization\_trail) | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | +| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no | +| [lambda\_invocation\_logging\_lambdas](#input\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list(string)` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | +| [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | no | +| [s3\_object\_level\_logging\_buckets](#input\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/cloudtrail-baseline/main.tf b/modules/cloudtrail-baseline/main.tf index f00709fc..67c83d72 100644 --- a/modules/cloudtrail-baseline/main.tf +++ b/modules/cloudtrail-baseline/main.tf 
@@ -2,7 +2,7 @@ # CloudWatch Logs group to accept CloudTrail event stream. # -------------------------------------------------------------------------------------------------- resource "aws_cloudwatch_log_group" "cloudtrail_events" { - count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0 + count = var.cloudwatch_logs_enabled ? 1 : 0 name = var.cloudwatch_logs_group_name retention_in_days = var.cloudwatch_logs_retention_in_days @@ -10,11 +10,9 @@ resource "aws_cloudwatch_log_group" "cloudtrail_events" { tags = var.tags } -# -------------------------------------------------------------------------------------------------- # IAM Role to deliver CloudTrail events to CloudWatch Logs group. # The policy was derived from the default key policy descrived in AWS CloudTrail User Guide. # https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "cloudwatch_delivery_assume_policy" { statement { principals { @@ -26,16 +24,18 @@ data "aws_iam_policy_document" "cloudwatch_delivery_assume_policy" { } resource "aws_iam_role" "cloudwatch_delivery" { - count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0 + count = var.cloudwatch_logs_enabled ? 1 : 0 name = var.iam_role_name assume_role_policy = data.aws_iam_policy_document.cloudwatch_delivery_assume_policy.json + permissions_boundary = var.permissions_boundary_arn + tags = var.tags } data "aws_iam_policy_document" "cloudwatch_delivery_policy" { - count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0 + count = var.cloudwatch_logs_enabled ? 1 : 0 statement { sid = "AWSCloudTrailCreateLogStream2014110" 
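Review bot: In `aws_iam_role.cloudwatch_delivery` (hunk `@@ -26,16 +24,18 @@`) the new `permissions_boundary = var.permissions_boundary_arn` receives `""` whenever the caller sets nothing, because the variable added in variables.tf later in this diff declares `default = ""`. That relies on the provider treating an empty string as "no boundary", which is presumably the case but is not visible here. Declaring the variable with `default = null` states the intent directly and leaves the argument unset. The description also says the boundary covers all IAM roles provisioned by the module, so any role added later should set the same argument.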
@@ -51,19 +51,16 @@ data "aws_iam_policy_document" "cloudwatch_delivery_policy" { } resource "aws_iam_role_policy" "cloudwatch_delivery_policy" { - count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0 - - name = var.iam_role_policy_name - role = aws_iam_role.cloudwatch_delivery[0].id + count = var.cloudwatch_logs_enabled ? 1 : 0 + name = var.iam_role_policy_name + role = aws_iam_role.cloudwatch_delivery[0].id policy = data.aws_iam_policy_document.cloudwatch_delivery_policy[0].json } -# -------------------------------------------------------------------------------------------------- # KMS Key to encrypt CloudTrail events. # The policy was derived from the default key policy described in AWS CloudTrail User Guide. # https://docs.aws.amazon.com/awscloudtrail/latest/userguide/default-cmk-policy.html -# -------------------------------------------------------------------------------------------------- data "aws_iam_policy_document" "cloudtrail_key_policy" { policy_id = "Key policy created by CloudTrail" @@ -187,13 +184,10 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" { } resource "aws_kms_key" "cloudtrail" { - count = var.enabled ? 1 : 0 - description = "A KMS key to encrypt CloudTrail events." deletion_window_in_days = var.key_deletion_window_in_days enable_key_rotation = "true" - - policy = data.aws_iam_policy_document.cloudtrail_key_policy.json + policy = data.aws_iam_policy_document.cloudtrail_key_policy.json tags = var.tags } 
@@ -204,14 +198,14 @@ resource "aws_kms_key" "cloudtrail" { # -------------------------------------------------------------------------------------------------- resource "aws_sns_topic" "cloudtrail-sns-topic" { - count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0 + count = var.cloudtrail_sns_topic_enabled ? 1 : 0 name = var.cloudtrail_sns_topic_name - kms_master_key_id = aws_kms_key.cloudtrail[0].id + kms_master_key_id = aws_kms_key.cloudtrail.id } data "aws_iam_policy_document" "cloudtrail-sns-policy" { - count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0 + count = var.cloudtrail_sns_topic_enabled ? 1 : 0 statement { actions = ["sns:Publish"] @@ -225,7 +219,7 @@ data "aws_iam_policy_document" "cloudtrail-sns-policy" { } resource "aws_sns_topic_policy" "local-account-cloudtrail" { - count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0 + count = var.cloudtrail_sns_topic_enabled ? 1 : 0 arn = aws_sns_topic.cloudtrail-sns-topic[0].arn policy = data.aws_iam_policy_document.cloudtrail-sns-policy[0].json @@ -236,17 +230,14 @@ resource "aws_sns_topic_policy" "local-account-cloudtrail" { # -------------------------------------------------------------------------------------------------- resource "aws_cloudtrail" "global" { - count = var.enabled ? 1 : 0 - - name = var.cloudtrail_name - + name = var.cloudtrail_name cloud_watch_logs_group_arn = var.cloudwatch_logs_enabled ? "${aws_cloudwatch_log_group.cloudtrail_events[0].arn}:*" : null cloud_watch_logs_role_arn = var.cloudwatch_logs_enabled ? aws_iam_role.cloudwatch_delivery[0].arn : null enable_log_file_validation = true include_global_service_events = true is_multi_region_trail = true is_organization_trail = var.is_organization_trail - kms_key_id = aws_kms_key.cloudtrail[0].arn + kms_key_id = aws_kms_key.cloudtrail.arn s3_bucket_name = var.s3_bucket_name s3_key_prefix = var.s3_key_prefix sns_topic_name = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0].arn : null 
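Review bot: `aws_sns_topic.cloudtrail-sns-topic` in hunk `@@ -204,14 +198,14 @@` still has no `tags` argument, although the module's `tags` variable is described as applying to all resources created by the module, and both the log group and the KMS key in this file set it. Adding `tags = var.tags` after `kms_master_key_id` would bring the topic under the same tag-based inventory and policy conditions as the other trail resources. The config-baseline topic elsewhere in this diff already passes `tags = var.tags`.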
diff --git a/modules/cloudtrail-baseline/migrations.tf b/modules/cloudtrail-baseline/migrations.tf new file mode 100644 index 00000000..e6143138 --- /dev/null +++ b/modules/cloudtrail-baseline/migrations.tf @@ -0,0 +1,14 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_kms_key.cloudtrail[0] + to = aws_kms_key.cloudtrail +} + +moved { + from = aws_cloudtrail.global[0] + to = aws_cloudtrail.global +} diff --git a/modules/cloudtrail-baseline/outputs.tf b/modules/cloudtrail-baseline/outputs.tf index 416e69fd..95d44711 100644 --- a/modules/cloudtrail-baseline/outputs.tf +++ b/modules/cloudtrail-baseline/outputs.tf 
@@ -1,24 +1,24 @@ output "cloudtrail" { description = "The trail for recording events in all regions." - value = var.enabled ? aws_cloudtrail.global[0] : null + value = aws_cloudtrail.global } output "cloudtrail_sns_topic" { description = "The sns topic linked to the cloudtrail." - value = var.cloudtrail_sns_topic_enabled && var.enabled ? aws_sns_topic.cloudtrail-sns-topic[0] : null + value = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0] : null } output "kms_key" { description = "The KMS key used for encrypting CloudTrail events." - value = var.enabled ? aws_kms_key.cloudtrail[0] : null + value = aws_kms_key.cloudtrail } output "log_delivery_iam_role" { description = "The IAM role used for delivering CloudTrail events to CloudWatch Logs." - value = var.cloudwatch_logs_enabled && var.enabled ? aws_iam_role.cloudwatch_delivery[0] : null + value = var.cloudwatch_logs_enabled ? aws_iam_role.cloudwatch_delivery[0] : null } output "log_group" { description = "The CloudWatch Logs log group which stores CloudTrail events." - value = var.cloudwatch_logs_enabled && var.enabled ? aws_cloudwatch_log_group.cloudtrail_events[0].name : null + value = var.cloudwatch_logs_enabled ? aws_cloudwatch_log_group.cloudtrail_events[0].name : null } diff --git a/modules/cloudtrail-baseline/variables.tf b/modules/cloudtrail-baseline/variables.tf index 06fe6089..062143af 100644 --- a/modules/cloudtrail-baseline/variables.tf +++ b/modules/cloudtrail-baseline/variables.tf 
@@ -1,94 +1,113 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "aws_account_id" { description = "The AWS Account ID number of the account." + type = string } variable "cloudtrail_name" { description = "The name of the trail." + type = string default = "cloudtrail-multi-region" } variable "cloudtrail_sns_topic_enabled" { description = "Specifies whether the trail is delivered to a SNS topic." + type = bool default = true } variable "cloudtrail_sns_topic_name" { description = "The SNS topic linked to the CloudTrail" + type = string default = "cloudtrail-multi-region-sns-topic" } variable "cloudwatch_logs_enabled" { description = "Specifies whether the trail is delivered to CloudWatch Logs." + type = bool default = true } variable "cloudwatch_logs_group_name" { description = "The name of CloudWatch Logs group to which CloudTrail events are delivered." + type = string default = "cloudtrail-multi-region" } variable "cloudwatch_logs_retention_in_days" { description = "Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely." + type = number default = 365 } variable "iam_role_name" { description = "The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group." + type = string default = "CloudTrail-CloudWatch-Delivery-Role" } variable "iam_role_policy_name" { description = "The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group." 
+ type = string default = "CloudTrail-CloudWatch-Delivery-Policy" } +variable "permissions_boundary_arn" { + description = "The permissions boundary ARN for all IAM Roles, provisioned by this module" + type = string + default = "" +} + variable "key_deletion_window_in_days" { description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days." + type = number default = 10 } variable "region" { description = "The AWS region in which CloudTrail is set up." + type = string } variable "s3_bucket_name" { description = "The name of the S3 bucket which will store configuration snapshots." + type = string } variable "s3_key_prefix" { description = "The prefix for the specified S3 bucket." + type = string default = "" } variable "is_organization_trail" { description = "Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account." + type = bool default = false } variable "s3_object_level_logging_buckets" { description = "The list of S3 bucket ARNs on which to enable object-level logging." + type = list(string) default = ["arn:aws:s3:::"] # All S3 buckets } variable "dynamodb_event_logging_tables" { description = "The list of DynamoDB table ARNs on which to enable event logging." + type = list(string) default = ["arn:aws:dynamodb"] # All DynamoDB tables } variable "lambda_invocation_logging_lambdas" { description = "The list of lambda ARNs on which to enable invocation logging." + type = list(string) default = ["arn:aws:lambda"] # All lambdas } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } 
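Review bot: The description of `key_deletion_window_in_days` says "Defaults to 30 days." while the declared `default` is `10`, and this hunk adds the `type` without reconciling the two. The key encrypts the CloudTrail events, so this window is how long an operator has to cancel an accidental key deletion before data encrypted under the key becomes unreadable. The documented value should match what is actually applied. Either change the text to `Defaults to 10 days.` or set `default = 30`.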
@@ -97,5 +116,6 @@ variable "tags" { # https://stackoverflow.com/questions/58275233/terraform-depends-on-with-modules variable "cloudtrail_depends_on" { description = "External resources which should be set up before CloudTrail." + type = list(any) default = [] } diff --git a/modules/cloudtrail-baseline/versions.tf b/modules/cloudtrail-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/cloudtrail-baseline/versions.tf +++ b/modules/cloudtrail-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/config-baseline/README.md b/modules/config-baseline/README.md index 55e73882..caf34f2d 100644 --- a/modules/config-baseline/README.md +++ b/modules/config-baseline/README.md 
@@ -7,47 +7,29 @@ Enable AWS Config in all regions to automatically take configuration snapshots. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_config_configuration_recorder.recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder) | resource | -| [aws_config_configuration_recorder_status.recorder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource | -| [aws_config_delivery_channel.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource | -| [aws_sns_topic.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | -| [aws_sns_topic_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.config-sns-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [delivery\_channel\_name](#input\_delivery\_channel\_name) | The name of the delivery channel. 
| `string` | `"default"` | no | -| [delivery\_frequency](#input\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | `"One_Hour"` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN of the IAM Role which AWS Config will use. | `any` | n/a | yes | -| [include\_global\_resource\_types](#input\_include\_global\_resource\_types) | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no | -| [recorder\_name](#input\_recorder\_name) | The name of the configuration recorder. | `string` | `"default"` | no | -| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the S3 bucket which will store configuration snapshots. | `any` | n/a | yes | -| [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | `""` | no | -| [sns\_topic\_kms\_master\_key\_id](#input\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `any` | `null` | no | -| [sns\_topic\_name](#input\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | `"ConfigChanges"` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN of the IAM Role which AWS Config will use. | `string` | yes | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name of the S3 bucket which will store configuration snapshots. | `string` | yes | +| [delivery\_channel\_name](#input\_delivery\_channel\_name) | The name of the delivery channel. | `string` | no | +| [delivery\_frequency](#input\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | +| [include\_global\_resource\_types](#input\_include\_global\_resource\_types) | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | no | +| [recorder\_name](#input\_recorder\_name) | The name of the configuration recorder. | `string` | no | +| [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix for the specified S3 bucket. | `string` | no | +| [sns\_topic\_kms\_master\_key\_id](#input\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [sns\_topic\_name](#input\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/config-baseline/main.tf b/modules/config-baseline/main.tf index 7ed259f0..f8c92248 100644 --- a/modules/config-baseline/main.tf +++ b/modules/config-baseline/main.tf 
@@ -6,28 +6,21 @@ data "aws_region" "current" {} # -------------------------------------------------------------------------------------------------- resource "aws_sns_topic" "config" { - count = var.enabled ? 1 : 0 - - name = var.sns_topic_name - + name = var.sns_topic_name kms_master_key_id = var.sns_topic_kms_master_key_id tags = var.tags } resource "aws_sns_topic_policy" "config" { - count = var.enabled ? 1 : 0 - arn = aws_sns_topic.config[0].arn - - policy = data.aws_iam_policy_document.config-sns-policy[0].json + arn = aws_sns_topic.config.arn + policy = data.aws_iam_policy_document.config-sns-policy.json } data "aws_iam_policy_document" "config-sns-policy" { - count = var.enabled ? 1 : 0 - statement { actions = ["sns:Publish"] - resources = [aws_sns_topic.config[0].arn] + resources = [aws_sns_topic.config.arn] principals { type = "Service" @@ -43,10 +36,7 @@ data "aws_iam_policy_document" "config-sns-policy" { } resource "aws_config_configuration_recorder" "recorder" { - count = var.enabled ? 1 : 0 - - name = var.recorder_name - + name = var.recorder_name role_arn = var.iam_role_arn recording_group { 
@@ -56,26 +46,21 @@ resource "aws_config_configuration_recorder" "recorder" { } resource "aws_config_delivery_channel" "bucket" { - count = var.enabled ? 1 : 0 - - name = var.delivery_channel_name - + name = var.delivery_channel_name s3_bucket_name = var.s3_bucket_name s3_key_prefix = var.s3_key_prefix - sns_topic_arn = aws_sns_topic.config[0].arn + sns_topic_arn = aws_sns_topic.config.arn snapshot_delivery_properties { delivery_frequency = var.delivery_frequency } - depends_on = [aws_config_configuration_recorder.recorder[0]] + depends_on = [aws_config_configuration_recorder.recorder] } resource "aws_config_configuration_recorder_status" "recorder" { - count = var.enabled ? 1 : 0 - - name = aws_config_configuration_recorder.recorder[0].id - + name = aws_config_configuration_recorder.recorder.id is_enabled = true - depends_on = [aws_config_delivery_channel.bucket[0]] + + depends_on = [aws_config_delivery_channel.bucket] } diff --git a/modules/config-baseline/migrations.tf b/modules/config-baseline/migrations.tf new file mode 100644 index 00000000..4719799c --- /dev/null +++ b/modules/config-baseline/migrations.tf @@ -0,0 +1,29 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_sns_topic.config[0] + to = aws_sns_topic.config +} + +moved { + from = aws_sns_topic_policy.config[0] + to = aws_sns_topic_policy.config +} + +moved { + from = aws_config_configuration_recorder.recorder[0] + to = aws_config_configuration_recorder.recorder +} + +moved { + from = aws_config_configuration_recorder_status.recorder[0] + to = aws_config_configuration_recorder_status.recorder +} + +moved { + from = aws_config_delivery_channel.bucket[0] + to = aws_config_delivery_channel.bucket +} 
diff --git a/modules/config-baseline/outputs.tf b/modules/config-baseline/outputs.tf index 295ace30..20ee6775 100644 --- a/modules/config-baseline/outputs.tf +++ b/modules/config-baseline/outputs.tf @@ -1,9 +1,9 @@ output "configuration_recorder" { description = "The configuration recorder." - value = var.enabled ? aws_config_configuration_recorder.recorder[0] : null + value = aws_config_configuration_recorder.recorder } output "config_sns_topic" { description = "The SNS topic that AWS Config delivers notifications to." - value = var.enabled ? aws_sns_topic.config[0] : null + value = aws_sns_topic.config } diff --git a/modules/config-baseline/variables.tf b/modules/config-baseline/variables.tf index 842eba95..07b33a57 100644 --- a/modules/config-baseline/variables.tf +++ b/modules/config-baseline/variables.tf 
@@ -1,54 +1,59 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "iam_role_arn" { description = "The ARN of the IAM Role which AWS Config will use." + type = string } variable "s3_bucket_name" { description = "The name of the S3 bucket which will store configuration snapshots." + type = string } variable "s3_key_prefix" { description = "The prefix for the specified S3 bucket." + type = string default = "" } variable "sns_topic_name" { description = "The name of the SNS Topic to be used to notify configuration changes." + type = string default = "ConfigChanges" } variable "sns_topic_kms_master_key_id" { description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption" + type = string default = null } variable "delivery_frequency" { description = "The frequency which AWS Config sends a snapshot into the S3 bucket." + type = string default = "One_Hour" } variable "recorder_name" { description = "The name of the configuration recorder." + type = string default = "default" } variable "delivery_channel_name" { description = "The name of the delivery channel." + type = string default = "default" } variable "include_global_resource_types" { description = "Specifies whether AWS Config includes all supported types of global resources with the resources that it records." + type = bool default = true } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/config-baseline/versions.tf b/modules/config-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/config-baseline/versions.tf +++ b/modules/config-baseline/versions.tf 
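Review bot: `sns_topic_kms_master_key_id` keeps `default = null`, so the AWS Config topic is created without a KMS key unless the caller supplies one, whereas the cloudtrail-baseline topic in this same diff always sets `kms_master_key_id`. The description does not say what the default means. A wording such as `The ID of a KMS key used to encrypt the SNS topic. When null, the topic is created without server-side encryption.` would make that explicit for anyone checking the baseline against an encryption-at-rest requirement.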
@@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/ebs-baseline/README.md b/modules/ebs-baseline/README.md index 059c6d74..407a21cd 100644 --- a/modules/ebs-baseline/README.md +++ b/modules/ebs-baseline/README.md @@ -9,30 +9,18 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | +No inputs. ## Outputs diff --git a/modules/ebs-baseline/main.tf b/modules/ebs-baseline/main.tf index 280ce04e..1a20ec8f 100644 --- a/modules/ebs-baseline/main.tf +++ b/modules/ebs-baseline/main.tf @@ -1,8 +1,3 @@ -# -------------------------------------------------------------------------------------------------- -# Enable Default EBS Encryption -# -------------------------------------------------------------------------------------------------- resource "aws_ebs_encryption_by_default" "this" { - count = var.enabled ? 1 : 0 - enabled = true } diff --git a/modules/ebs-baseline/migrations.tf b/modules/ebs-baseline/migrations.tf new file mode 100644 index 00000000..7e802c77 --- /dev/null +++ b/modules/ebs-baseline/migrations.tf 
@@ -0,0 +1,9 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_ebs_encryption_by_default.this[0] + to = aws_ebs_encryption_by_default.this +} diff --git a/modules/ebs-baseline/outputs.tf b/modules/ebs-baseline/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/modules/ebs-baseline/variables.tf b/modules/ebs-baseline/variables.tf index 9b77876f..e69de29b 100644 --- a/modules/ebs-baseline/variables.tf +++ b/modules/ebs-baseline/variables.tf @@ -1,4 +0,0 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} diff --git a/modules/ebs-baseline/versions.tf b/modules/ebs-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/ebs-baseline/versions.tf +++ b/modules/ebs-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/guardduty-baseline/README.md b/modules/guardduty-baseline/README.md index 0d10b1d8..602bff00 100644 --- a/modules/guardduty-baseline/README.md +++ b/modules/guardduty-baseline/README.md 
@@ -7,38 +7,25 @@ Enable GuardDuty in all regions. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_guardduty_detector.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | -| [aws_guardduty_invite_accepter.master](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_invite_accepter) | resource | -| [aws_guardduty_member.members](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_member) | resource | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [disable\_email\_notification](#input\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | `false` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no | -| [invitation\_message](#input\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from guardduty-baseline module."` | no | -| [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | `""` | no | -| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| `[]` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [disable\_email\_notification](#input\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | no | +| [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | +| [invitation\_message](#input\_invitation\_message) | Message for invitation. | `string` | no | +| [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | no | +| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/guardduty-baseline/main.tf b/modules/guardduty-baseline/main.tf index d2416510..1bb6d4df 100644 --- a/modules/guardduty-baseline/main.tf +++ b/modules/guardduty-baseline/main.tf @@ -1,10 +1,4 @@ -# -------------------------------------------------------------------------------------------------- -# Enables GuardDuty. -# -------------------------------------------------------------------------------------------------- - resource "aws_guardduty_detector" "default" { - count = var.enabled ? 1 : 0 - enable = true finding_publishing_frequency = var.finding_publishing_frequency @@ -23,11 +17,10 @@ resource "aws_guardduty_detector" "default" { } resource "aws_guardduty_member" "members" { - count = var.enabled ? length(var.member_accounts) : 0 - - detector_id = aws_guardduty_detector.default[0].id - invite = true + count = length(var.member_accounts) + detector_id = aws_guardduty_detector.default.id + invite = true account_id = var.member_accounts[count.index].account_id disable_email_notification = var.disable_email_notification email = var.member_accounts[count.index].email @@ -35,8 +28,8 @@ resource "aws_guardduty_member" "members" { } resource "aws_guardduty_invite_accepter" "master" { - count = var.enabled && var.master_account_id != "" ? 1 : 0 + count = var.master_account_id != "" ? 1 : 0 - detector_id = aws_guardduty_detector.default[0].id + detector_id = aws_guardduty_detector.default.id master_account_id = var.master_account_id } diff --git a/modules/guardduty-baseline/migrations.tf b/modules/guardduty-baseline/migrations.tf new file mode 100644 index 00000000..1c11e822 --- /dev/null +++ b/modules/guardduty-baseline/migrations.tf 
@@ -0,0 +1,9 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_guardduty_detector.default[0] + to = aws_guardduty_detector.default +} diff --git a/modules/guardduty-baseline/outputs.tf b/modules/guardduty-baseline/outputs.tf index f0413467..067efd52 100644 --- a/modules/guardduty-baseline/outputs.tf +++ b/modules/guardduty-baseline/outputs.tf @@ -1,4 +1,4 @@ output "guardduty_detector" { description = "The GuardDuty detector." - value = var.enabled ? aws_guardduty_detector.default[0] : null + value = aws_guardduty_detector.default } diff --git a/modules/guardduty-baseline/variables.tf b/modules/guardduty-baseline/variables.tf index 0aa9d673..1ced3c55 100644 --- a/modules/guardduty-baseline/variables.tf +++ b/modules/guardduty-baseline/variables.tf @@ -1,25 +1,24 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "disable_email_notification" { description = "Boolean whether an email notification is sent to the accounts." + type = bool default = false } variable "finding_publishing_frequency" { description = "Specifies the frequency of notifications sent for subsequent finding occurrences." + type = string default = "SIX_HOURS" } variable "invitation_message" { description = "Message for invitation." + type = string default = "This is an automatic invitation message from guardduty-baseline module." } variable "master_account_id" { description = "AWS account ID for master account." + type = string default = "" } 
@@ -34,7 +33,8 @@ variable "member_accounts" { variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/guardduty-baseline/versions.tf b/modules/guardduty-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/guardduty-baseline/versions.tf +++ b/modules/guardduty-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/iam-baseline/README.md b/modules/iam-baseline/README.md index dbf232eb..a484a7b2 100644 --- a/modules/iam-baseline/README.md +++ b/modules/iam-baseline/README.md 
@@ -11,46 +11,32 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource | -| [aws_iam_role.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.support_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy_document.support_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | `true` | no | -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `any` | n/a | yes | -| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | `true` | no | -| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | `true` | no | -| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | `0` | no | -| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. 
| `number` | `14` | no | -| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | `24` | no | -| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | `false` | no | -| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | `false` | no | -| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | `false` | no | -| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | `false` | no | -| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | `"IAM-Support"` | no | -| [support\_iam\_role\_policy\_name](#input\_support\_iam\_role\_policy\_name) | The name of the support role policy. | `string` | `"IAM-Support-Role"` | no | -| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(any)` | n/a | yes | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(any)` | yes | +| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | no | +| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | no | +| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | no | +| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | no | +| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | no | +| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | +| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | +| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no | +| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | no | +| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | no | +| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. 
This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/iam-baseline/main.tf b/modules/iam-baseline/main.tf index 69081e86..e1bace2b 100644 --- a/modules/iam-baseline/main.tf +++ b/modules/iam-baseline/main.tf @@ -3,6 +3,8 @@ # -------------------------------------------------------------------------------------------------- resource "aws_iam_account_password_policy" "default" { + count = var.create_password_policy ? 1 : 0 + minimum_password_length = var.minimum_password_length password_reuse_prevention = var.password_reuse_prevention require_lowercase_characters = var.require_lowercase_characters @@ -11,12 +13,12 @@ resource "aws_iam_account_password_policy" "default" { require_symbols = var.require_symbols allow_users_to_change_password = var.allow_users_to_change_password max_password_age = var.max_password_age - count = var.create_password_policy ? 1 : 0 } # -------------------------------------------------------------------------------------------------- # Support Role # -------------------------------------------------------------------------------------------------- + data "aws_iam_policy_document" "support_assume_policy" { statement { principals { @@ -28,16 +30,20 @@ data "aws_iam_policy_document" "support_assume_policy" { } resource "aws_iam_role" "support" { + count = var.create_support_role ? 1 : 0 + name = var.support_iam_role_name assume_role_policy = data.aws_iam_policy_document.support_assume_policy.json - count = var.create_support_role ? 1 : 0 + + permissions_boundary = var.permissions_boundary_arn tags = var.tags } resource "aws_iam_role_policy_attachment" "support_policy" { + count = var.create_support_role ? 1 : 0 + role = aws_iam_role.support[0].id policy_arn = "arn:aws:iam::aws:policy/AWSSupportAccess" - count = var.create_support_role ? 1 : 0 } diff --git a/modules/iam-baseline/variables.tf b/modules/iam-baseline/variables.tf index 4e3177d1..4f79fae5 100644 
--- a/modules/iam-baseline/variables.tf +++ b/modules/iam-baseline/variables.tf @@ -1,15 +1,13 @@ -variable "aws_account_id" { - description = "The AWS Account ID number of the account." -} - variable "support_iam_role_name" { description = "The name of the the support role." + type = string default = "IAM-Support" } -variable "support_iam_role_policy_name" { - description = "The name of the support role policy." - default = "IAM-Support-Role" +variable "permissions_boundary_arn" { + description = "The permissions boundary ARN for all IAM Roles, provisioned by this module" + type = string + default = "" } variable "support_iam_role_principal_arns" { 
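Review bot: `permissions_boundary_arn` uses an empty string as its "not set" value (`default = ""`), and main.tf passes it straight to `aws_iam_role.support`. `default = null` states the intent directly and omits the argument instead of relying on the provider treating `""` as absent. The description would also read better as `"The ARN of the permissions boundary attached to every IAM role created by this module."`.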
@@ -19,60 +17,69 @@ variable "support_iam_role_principal_arns" { variable "max_password_age" { description = "The number of days that an user password is valid." + type = number default = 0 } variable "minimum_password_length" { description = "Minimum length to require for user passwords." + type = number default = 14 } variable "password_reuse_prevention" { description = "The number of previous passwords that users are prevented from reusing." + type = number default = 24 } variable "require_lowercase_characters" { description = "Whether to require lowercase characters for user passwords." - default = false + type = bool + default = true } variable "require_numbers" { description = "Whether to require numbers for user passwords." - default = false + type = bool + default = true } variable "require_uppercase_characters" { description = "Whether to require uppercase characters for user passwords." - default = false + type = bool + default = true } variable "require_symbols" { description = "Whether to require symbols for user passwords." - default = false + type = bool + default = true } variable "allow_users_to_change_password" { description = "Whether to allow users to change their own password." + type = bool default = true } variable "create_password_policy" { - type = bool description = "Define if the password policy should be created." + type = bool default = true } variable "create_support_role" { - type = bool description = "Define if the support role should be created." + type = bool default = true } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/iam-baseline/versions.tf b/modules/iam-baseline/versions.tf index 811c8034..610707a1 100644 --- a/modules/iam-baseline/versions.tf +++ b/modules/iam-baseline/versions.tf 
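Review bot: The defaults of `require_lowercase_characters`, `require_numbers`, `require_uppercase_characters` and `require_symbols` flip from `false` to `true` in this hunk, so a caller who relies on the defaults gets a stricter account password policy on the next apply without touching their configuration. The change tightens the policy, but the variable descriptions do not record it and the regenerated README table in this commit no longer has a Default column. I would put the default in each description, for example `description = "Whether to require symbols for user passwords. Defaults to true."`, as the s3-baseline variables already do. `max_password_age` stays at `0`, which as far as I can tell means passwords never expire; that deserves the same one-line mention.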
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/s3-baseline/README.md b/modules/s3-baseline/README.md index 50e80545..018d3a68 100644 --- a/modules/s3-baseline/README.md +++ b/modules/s3-baseline/README.md 
@@ -10,32 +10,22 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_s3_account_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block) | resource | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no | -| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. 
| `bool` | no | +| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | ## Outputs diff --git a/modules/s3-baseline/main.tf b/modules/s3-baseline/main.tf index 503202b3..a4e2a522 100644 --- a/modules/s3-baseline/main.tf +++ b/modules/s3-baseline/main.tf @@ -1,6 +1,3 @@ -# -------------------------------------------------------------------------------------------------- -# S3 account-level Public Access Block -# -------------------------------------------------------------------------------------------------- resource "aws_s3_account_public_access_block" "this" { block_public_acls = var.block_public_acls block_public_policy = var.block_public_policy diff --git a/modules/s3-baseline/outputs.tf b/modules/s3-baseline/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/modules/s3-baseline/variables.tf b/modules/s3-baseline/variables.tf index 0cf1d32a..0d9e5c7c 100644 --- a/modules/s3-baseline/variables.tf +++ b/modules/s3-baseline/variables.tf @@ -1,19 +1,23 @@ variable "block_public_acls" { description = "Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true." + type = bool default = true } variable "block_public_policy" { description = "Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true." + type = bool default = true } variable "ignore_public_acls" { description = "Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true." + type = bool default = true } variable "restrict_public_buckets" { description = "Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true." + type = bool default = true } diff --git a/modules/s3-baseline/versions.tf b/modules/s3-baseline/versions.tf index 811c8034..610707a1 100644 --- a/modules/s3-baseline/versions.tf 
+++ b/modules/s3-baseline/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/secure-bucket/README.md b/modules/secure-bucket/README.md index 1bf9a5bb..139fbcde 100644 --- a/modules/secure-bucket/README.md +++ b/modules/secure-bucket/README.md 
@@ -8,39 +8,24 @@ Creates a S3 bucket with access logging enabled. | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_s3_bucket.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket.content](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_policy.access_log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.access_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_public_access_block.content](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_iam_policy_document.access_log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [bucket\_name](#input\_bucket\_name) | n/a | `any` | n/a | yes | -| [enabled](#input\_enabled) | A boolean that indicates this module is enabled. Resources are not created if it is set to false. | `bool` | `true` | no | -| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. 
| `bool` | `false` | no | -| [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. | `number` | `90` | no | -| [log\_bucket\_name](#input\_log\_bucket\_name) | n/a | `any` | n/a | yes | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [bucket\_name](#input\_bucket\_name) | The name of the S3 bucket to create. | `string` | yes | +| [log\_bucket\_name](#input\_log\_bucket\_name) | The name of the S3 bucket to store access logs to the main bucket. | `string` | yes | +| [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for this bucket. | `bool` | no | +| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | +| [lifecycle\_glacier\_transition\_days](#input\_lifecycle\_glacier\_transition\_days) | The number of days after object creation when the object is archived into Glacier. Setting to zero disables the transition. | `number` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/secure-bucket/main.tf b/modules/secure-bucket/main.tf index f120ecf1..44c9425d 100644 --- a/modules/secure-bucket/main.tf +++ b/modules/secure-bucket/main.tf @@ -1,12 +1,10 @@ data "aws_iam_policy_document" "access_log_policy" { - count = var.enabled ? 1 : 0 - statement { actions = ["s3:*"] effect = "Deny" resources = [ - aws_s3_bucket.access_log[0].arn, - "${aws_s3_bucket.access_log[0].arn}/*" + aws_s3_bucket.access_log.arn, + "${aws_s3_bucket.access_log.arn}/*" ] condition { test = "Bool" 
@@ -21,41 +19,48 @@ data "aws_iam_policy_document" "access_log_policy" { } resource "aws_s3_bucket" "access_log" { - count = var.enabled ? 1 : 0 + bucket = var.log_bucket_name + force_destroy = var.force_destroy + + tags = var.tags +} - bucket = var.log_bucket_name +resource "aws_s3_bucket_acl" "access_log" { + bucket = aws_s3_bucket.access_log.id + acl = "log-delivery-write" +} - acl = "log-delivery-write" +resource "aws_s3_bucket_server_side_encryption_configuration" "access_log" { + bucket = aws_s3_bucket.access_log.id - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } } - force_destroy = var.force_destroy +} + +resource "aws_s3_bucket_lifecycle_configuration" "access_log" { + count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0 - lifecycle_rule { - id = "auto-archive" - enabled = true + bucket = aws_s3_bucket.access_log.id - prefix = "/" + rule { + id = "auto-archive" + status = "Enabled" + + filter {} transition { days = var.lifecycle_glacier_transition_days storage_class = "GLACIER" } } - - tags = var.tags } resource "aws_s3_bucket_policy" "access_log_policy" { - count = var.enabled ? 1 : 0 - - bucket = aws_s3_bucket.access_log[0].id - policy = data.aws_iam_policy_document.access_log_policy[0].json + bucket = aws_s3_bucket.access_log.id + policy = data.aws_iam_policy_document.access_log_policy.json depends_on = [ aws_s3_bucket_public_access_block.access_log, @@ -63,10 +68,7 @@ resource "aws_s3_bucket_policy" "access_log_policy" { } resource "aws_s3_bucket_public_access_block" "access_log" { - count = var.enabled ? 1 : 0 - - bucket = aws_s3_bucket.access_log[0].id - + bucket = aws_s3_bucket.access_log.id block_public_acls = true block_public_policy = true ignore_public_acls = true 
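Review bot: `aws_s3_bucket_acl.access_log` sets `log-delivery-write` with no `aws_s3_bucket_ownership_controls` resource next to it, and `aws_s3_bucket_acl.content` in the following hunk does the same with `private`. On a bucket whose Object Ownership is `BucketOwnerEnforced` (the S3 default for buckets created since April 2023) ACLs are disabled and the ACL call is rejected, so the module would fail while setting up the log bucket. Either declare the ownership setting and make the ACL depend on it, as below, or drop the ACLs and grant the S3 logging service write access through the bucket policy. For the content bucket the `private` ACL can simply be removed, since that is what a bucket without ACLs already gives.

```hcl
resource "aws_s3_bucket_ownership_controls" "access_log" {
  bucket = aws_s3_bucket.access_log.id

  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_acl" "access_log" {
  bucket = aws_s3_bucket.access_log.id
  acl    = "log-delivery-write"

  # ACLs are rejected until the ownership setting has been applied.
  depends_on = [aws_s3_bucket_ownership_controls.access_log]
}

# … unchanged: server-side encryption and lifecycle configuration for access_log …
```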
@@ -74,37 +76,49 @@ resource "aws_s3_bucket_public_access_block" "access_log" { } resource "aws_s3_bucket" "content" { - count = var.enabled ? 1 : 0 + bucket = var.bucket_name + force_destroy = var.force_destroy - bucket = var.bucket_name + tags = var.tags - acl = "private" - force_destroy = var.force_destroy + depends_on = [ + aws_s3_bucket_public_access_block.access_log + ] +} + +resource "aws_s3_bucket_acl" "content" { + bucket = aws_s3_bucket.content.id + acl = "private" +} - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "AES256" - } +resource "aws_s3_bucket_server_side_encryption_configuration" "content" { + bucket = aws_s3_bucket.content.id + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" } + bucket_key_enabled = var.bucket_key_enabled } +} - logging { - target_bucket = aws_s3_bucket.access_log[0].id - } +resource "aws_s3_bucket_logging" "content" { + bucket = aws_s3_bucket.content.id - versioning { - enabled = true - # Temporarily disabled due to Terraform issue. - # https://github.com/terraform-providers/terraform-provider-aws/issues/629 - # mfa_delete = true - } + target_bucket = aws_s3_bucket.access_log.id + target_prefix = "" +} + +resource "aws_s3_bucket_lifecycle_configuration" "content" { + count = var.lifecycle_glacier_transition_days > 0 ? 1 : 0 - lifecycle_rule { - id = "auto-archive" - enabled = true + bucket = aws_s3_bucket.content.id - prefix = "/" + rule { + id = "auto-archive" + status = "Enabled" + + filter {} transition { days = var.lifecycle_glacier_transition_days 
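Review bot: `aws_s3_bucket_logging.content` references only `aws_s3_bucket.access_log.id`, so Terraform is free to enable logging before `aws_s3_bucket_acl.access_log` has granted log delivery on the target bucket. While the ACL was an inline argument of the bucket this ordering was implicit; with the resources split it should be explicit, otherwise a first apply can have the logging call rejected or, possibly, leave the bucket without access logs until the ACL lands. Adding `depends_on = [aws_s3_bucket_acl.access_log]` to the logging resource closes the gap. The `aws_s3_bucket_lifecycle_configuration.content` block that starts in this hunk continues into the next one.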
@@ -112,25 +126,28 @@ resource "aws_s3_bucket" "content" { } noncurrent_version_transition { - days = var.lifecycle_glacier_transition_days - storage_class = "GLACIER" + noncurrent_days = var.lifecycle_glacier_transition_days + storage_class = "GLACIER" } } +} - tags = var.tags +resource "aws_s3_bucket_versioning" "content" { + bucket = aws_s3_bucket.content.id - depends_on = [ - aws_s3_bucket_public_access_block.access_log - ] + versioning_configuration { + status = "Enabled" + # Temporarily disabled due to Terraform issue. + # https://github.com/terraform-providers/terraform-provider-aws/issues/629 + # mfa_delete = true + } } resource "aws_s3_bucket_public_access_block" "content" { - count = var.enabled ? 1 : 0 - - bucket = aws_s3_bucket.content[0].id - + bucket = aws_s3_bucket.content.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } + diff --git a/modules/secure-bucket/migrations.tf b/modules/secure-bucket/migrations.tf new file mode 100644 index 00000000..6cf058aa --- /dev/null +++ b/modules/secure-bucket/migrations.tf @@ -0,0 +1,30 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 1.0.0 +# Replacing `enabled` argument in secure-bucket module with `count` meta-argument +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_s3_bucket.access_log[0] + to = aws_s3_bucket.access_log +} + +moved { + from = aws_s3_bucket_policy.access_log_policy[0] + to = aws_s3_bucket_policy.access_log_policy +} + +moved { + from = aws_s3_bucket_public_access_block.access_log[0] + to = aws_s3_bucket_public_access_block.access_log +} + +moved { + from = aws_s3_bucket.content[0] + to = aws_s3_bucket.content +} + +moved { + from = aws_s3_bucket_public_access_block.content[0] + to = aws_s3_bucket_public_access_block.content +} + 
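Review bot: The comment carried into `versioning_configuration` no longer matches the resource it sits in. As far as I know, `aws_s3_bucket_versioning` takes `mfa_delete` as the string `"Enabled"` or `"Disabled"` together with a top-level `mfa` argument, so uncommenting `mfa_delete = true` would not validate. MFA delete therefore stays off for a bucket that the root module exposes as the audit log bucket, and the linked issue was filed against the old inline block. I would replace the three comment lines with `# MFA delete is intentionally left off; enabling it needs mfa_delete = "Enabled" plus the mfa argument.` so readers do not assume it is one uncomment away.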
diff --git a/modules/secure-bucket/outputs.tf b/modules/secure-bucket/outputs.tf index 5aa51670..0d9f5924 100644 --- a/modules/secure-bucket/outputs.tf +++ b/modules/secure-bucket/outputs.tf @@ -1,9 +1,9 @@ output "this_bucket" { description = "This S3 bucket." - value = var.enabled ? aws_s3_bucket.content[0] : null + value = aws_s3_bucket.content } output "log_bucket" { description = "The S3 bucket used for storing access logs of this bucket." - value = var.enabled ? aws_s3_bucket.access_log[0] : null + value = aws_s3_bucket.access_log } diff --git a/modules/secure-bucket/variables.tf b/modules/secure-bucket/variables.tf index f06357e3..7f84faa2 100644 --- a/modules/secure-bucket/variables.tf +++ b/modules/secure-bucket/variables.tf 
@@ -1,27 +1,35 @@ variable "bucket_name" { + description = "The name of the S3 bucket to create." + type = string } variable "log_bucket_name" { + description = "The name of the S3 bucket to store access logs to the main bucket." + type = string } variable "lifecycle_glacier_transition_days" { - description = "The number of days after object creation when the object is archived into Glacier." - default = 90 + description = "The number of days after object creation when the object is archived into Glacier. Setting to zero disables the transition." + type = number + default = 0 } variable "force_destroy" { description = " A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable." + type = bool default = false } -variable "enabled" { - description = "A boolean that indicates this module is enabled. Resources are not created if it is set to false." - default = true -} - variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } + +variable "bucket_key_enabled" { + description = "Whether or not to use Amazon S3 Bucket Keys for this bucket." + type = bool + default = false +} diff --git a/modules/secure-bucket/versions.tf b/modules/secure-bucket/versions.tf index 811c8034..610707a1 100644 --- a/modules/secure-bucket/versions.tf +++ b/modules/secure-bucket/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/securityhub-baseline/README.md b/modules/securityhub-baseline/README.md index 0d8a0ba0..f67a9d80 100644 --- a/modules/securityhub-baseline/README.md +++ b/modules/securityhub-baseline/README.md 
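Review bot: The description of `bucket_key_enabled` does not say that S3 Bucket Keys only apply to SSE-KMS, while the encryption rule in main.tf hard-codes `sse_algorithm = "AES256"`. As written, setting the variable to true looks like a cost or hardening switch but should not change how objects are encrypted. I would change the description to `"Whether to enable S3 Bucket Keys. Only meaningful with SSE-KMS; this module currently uses SSE-S3 (AES256)."`, or add a KMS key input and use it in the rule so the flag has an effect.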
@@ -12,41 +12,26 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_securityhub_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | -| [aws_securityhub_member.members](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_member) | resource | -| [aws_securityhub_product_subscription.products](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_product_subscription) | resource | -| [aws_securityhub_standards_subscription.aws_foundational](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [aws_securityhub_standards_subscription.cis](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [aws_securityhub_standards_subscription.pci_dss](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [enable\_aws\_foundational\_standard](#input\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | `true` | no | -| [enable\_cis\_standard](#input\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. 
| `bool` | `true` | no | -| [enable\_pci\_dss\_standard](#input\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | `true` | no | -| [enable\_product\_arns](#input\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | `[]` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| `[]` | no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [aggregate\_findings](#input\_aggregate\_findings) | Boolean whether to enable finding aggregator for every region | `bool` | no | +| [enable\_aws\_foundational\_standard](#input\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | +| [enable\_cis\_standard](#input\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | no | +| [enable\_pci\_dss\_standard](#input\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | +| [enable\_product\_arns](#input\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | +| [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | no | +| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | ## Outputs diff --git a/modules/securityhub-baseline/main.tf b/modules/securityhub-baseline/main.tf index ab1a24c6..bb87b7e6 100644 --- a/modules/securityhub-baseline/main.tf +++ b/modules/securityhub-baseline/main.tf @@ -1,16 +1,26 @@ data "aws_region" "current" {} + # -------------------------------------------------------------------------------------------------- # Enable SecurityHub # -------------------------------------------------------------------------------------------------- + resource "aws_securityhub_account" "main" { - count = var.enabled ? 1 : 0 +} + +resource "aws_securityhub_finding_aggregator" "main" { + count = var.aggregate_findings && var.master_account_id == "" ? 1 : 0 + + linking_mode = "ALL_REGIONS" + + depends_on = [aws_securityhub_account.main] } # -------------------------------------------------------------------------------------------------- # Add member accounts # -------------------------------------------------------------------------------------------------- + resource "aws_securityhub_member" "members" { - count = var.enabled ? length(var.member_accounts) : 0 + count = length(var.member_accounts) depends_on = [aws_securityhub_account.main] account_id = var.member_accounts[count.index].account_id 
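Review bot: The `count` on `aws_securityhub_finding_aggregator.main` combines `var.aggregate_findings` with `var.master_account_id == ""` and carries no comment explaining either half. As far as I know, Security Hub allows a single aggregation Region per account, so if this module is instantiated once per region the caller must set `aggregate_findings` in exactly one instance. Nothing visible here enforces or documents that. I would add `# Create only in the one aggregation region, and never in member accounts (master_account_id set).` above the `count` line, and align the variable description, which currently reads "for every region". The `aws_securityhub_member.members` block at the end of this hunk continues in the next one.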
@@ -18,44 +28,45 @@ resource "aws_securityhub_member" "members" { invite = true } +resource "aws_securityhub_invite_accepter" "invitee" { + count = var.master_account_id != "" ? 1 : 0 + + master_id = var.master_account_id + + depends_on = [aws_securityhub_account.main] +} + # -------------------------------------------------------------------------------------------------- -# Subscribe CIS benchmark +# Subscribe standards # -------------------------------------------------------------------------------------------------- + resource "aws_securityhub_standards_subscription" "cis" { - count = var.enabled && var.enable_cis_standard ? 1 : 0 + count = var.enable_cis_standard ? 1 : 0 - standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" + standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0" depends_on = [aws_securityhub_account.main] } -# -------------------------------------------------------------------------------------------------- -# Subscribe AWS foundational security best practices standard -# -------------------------------------------------------------------------------------------------- resource "aws_securityhub_standards_subscription" "aws_foundational" { - count = var.enabled && var.enable_aws_foundational_standard ? 1 : 0 + count = var.enable_aws_foundational_standard ? 1 : 0 standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0" depends_on = [aws_securityhub_account.main] } -# -------------------------------------------------------------------------------------------------- -# Subscribe PCI DSS standard -# -------------------------------------------------------------------------------------------------- resource "aws_securityhub_standards_subscription" "pci_dss" { - count = var.enabled && var.enable_pci_dss_standard ? 1 : 0 + count = var.enable_pci_dss_standard ? 
1 : 0 standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1" depends_on = [aws_securityhub_account.main] } -# -------------------------------------------------------------------------------------------------- -# Subscribe to 3rd party products -# -------------------------------------------------------------------------------------------------- +# 3rd party products resource "aws_securityhub_product_subscription" "products" { - count = var.enabled ? length(var.enable_product_arns) : 0 + count = length(var.enable_product_arns) product_arn = replace(var.enable_product_arns[count.index], "", data.aws_region.current.name) diff --git a/modules/securityhub-baseline/migrations.tf b/modules/securityhub-baseline/migrations.tf new file mode 100644 index 00000000..9388b177 --- /dev/null +++ b/modules/securityhub-baseline/migrations.tf @@ -0,0 +1,10 @@ + +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_securityhub_account.main[0] + to = aws_securityhub_account.main +} diff --git a/modules/securityhub-baseline/outputs.tf b/modules/securityhub-baseline/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/modules/securityhub-baseline/variables.tf b/modules/securityhub-baseline/variables.tf index 0dc4fd27..05e8153c 100644 --- a/modules/securityhub-baseline/variables.tf +++ b/modules/securityhub-baseline/variables.tf 
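Review bot: Changing `standards_arn` on `aws_securityhub_standards_subscription.cis` from the v1.2.0 ruleset ARN to the v1.4.0 standard ARN will most likely make Terraform replace the subscription, so accounts that upgrade the module are unsubscribed from CIS 1.2.0 as a side effect. Controls that were disabled under the old standard probably do not carry over, and compliance results change without any input changing. I would add `# Moving from CIS v1.2.0 to v1.4.0 replaces the subscription; re-apply any control overrides afterwards.` above the line and repeat it in the module's migration notes.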
@@ -1,20 +1,24 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true +variable "aggregate_findings" { + description = "Boolean whether to enable finding aggregator for every region" + type = bool + default = false } variable "enable_cis_standard" { description = "Boolean whether CIS standard is enabled." + type = bool default = true } variable "enable_pci_dss_standard" { description = "Boolean whether PCI DSS standard is enabled." + type = bool default = true } variable "enable_aws_foundational_standard" { description = "Boolean whether AWS Foundations standard is enabled." + type = bool default = true } @@ -24,6 +28,12 @@ variable "enable_product_arns" { default = [] } +variable "master_account_id" { + description = "AWS account ID for master account." + type = string + default = "" +} + variable "member_accounts" { description = "A list of IDs and emails of AWS accounts which associated as member accounts." type = list(object({ diff --git a/modules/securityhub-baseline/versions.tf b/modules/securityhub-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/securityhub-baseline/versions.tf +++ b/modules/securityhub-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/modules/vpc-baseline/README.md b/modules/vpc-baseline/README.md index 1128efe5..189df87e 100644 --- a/modules/vpc-baseline/README.md +++ b/modules/vpc-baseline/README.md 
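Review bot: `master_account_id` accepts any string, and in main.tf a non-empty value both creates `aws_securityhub_invite_accepter.invitee` and suppresses the finding aggregator. A mistyped ID therefore only surfaces as an API error at apply time. A `validation` block with `condition = var.master_account_id == "" || can(regex("^[0-9]{12}$", var.master_account_id))` and a short `error_message` would reject it at plan time.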
@@ -11,45 +11,27 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.50.0 | +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_cloudwatch_log_group.default_vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_default_network_acl.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource | -| [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource | -| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource | -| [aws_default_subnet.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_subnet) | resource | -| [aws_default_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource | -| [aws_flow_log.default_vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource | -| [aws_availability_zones.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [enable\_flow\_logs](#input\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in the default VPC | `bool` | `true` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. 
No resources are created when set to false. | `bool` | `true` | no | -| [flow\_logs\_destination\_type](#input\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | `"cloud-watch-logs"` | no | -| [flow\_logs\_iam\_role\_arn](#input\_flow\_logs\_iam\_role\_arn) | The ARN of the IAM Role which will be used by VPC Flow Logs if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | `""` | no | -| [flow\_logs\_log\_group\_name](#input\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | `""` | no | -| [flow\_logs\_retention\_in\_days](#input\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no | -| [flow\_logs\_s3\_arn](#input\_flow\_logs\_s3\_arn) | The ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. | `string` | `""` | no | -| [flow\_logs\_s3\_key\_prefix](#input\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | `"flow-logs"` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [enable\_flow\_logs](#input\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in the default VPC | `bool` | no | +| [flow\_logs\_destination\_type](#input\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | +| [flow\_logs\_iam\_role\_arn](#input\_flow\_logs\_iam\_role\_arn) | The ARN of the IAM Role which will be used by VPC Flow Logs if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | no | +| [flow\_logs\_log\_group\_name](#input\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | no | +| [flow\_logs\_retention\_in\_days](#input\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [flow\_logs\_s3\_arn](#input\_flow\_logs\_s3\_arn) | The ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. | `string` | no | +| [flow\_logs\_s3\_key\_prefix](#input\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | ## Outputs diff --git a/modules/vpc-baseline/main.tf b/modules/vpc-baseline/main.tf index e16873b4..2573cd4d 100644 --- a/modules/vpc-baseline/main.tf +++ b/modules/vpc-baseline/main.tf 
@@ -1,9 +1,17 @@ locals { - is_cw_logs = var.enable_flow_logs && var.flow_logs_destination_type == "cloud-watch-logs" - s3_destination_arn = "${var.flow_logs_s3_arn}/${var.flow_logs_s3_key_prefix}" + flow_logs_to_cw_logs = var.enable_flow_logs && var.flow_logs_destination_type == "cloud-watch-logs" } -data "aws_availability_zones" "all" { +data "aws_subnets" "default" { + filter { + name = "default-for-az" + values = [true] + } +} + +data "aws_subnet" "default" { + for_each = toset(data.aws_subnets.default.ids) + id = each.value } # -------------------------------------------------------------------------------------------------- @@ -11,7 +19,7 @@ data "aws_availability_zones" "all" { # -------------------------------------------------------------------------------------------------- resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" { - count = var.enabled && var.enable_flow_logs && local.is_cw_logs ? 1 : 0 + count = var.enable_flow_logs && local.flow_logs_to_cw_logs ? 1 : 0 name = var.flow_logs_log_group_name retention_in_days = var.flow_logs_retention_in_days @@ -20,12 +28,12 @@ resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" { } resource "aws_flow_log" "default_vpc_flow_logs" { - count = var.enabled && var.enable_flow_logs ? 1 : 0 + count = var.enable_flow_logs ? 1 : 0 log_destination_type = var.flow_logs_destination_type - log_destination = local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn : local.s3_destination_arn - iam_role_arn = local.is_cw_logs ? var.flow_logs_iam_role_arn : null - vpc_id = aws_default_vpc.default[0].id + log_destination = local.flow_logs_to_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn : "${var.flow_logs_s3_arn}/${var.flow_logs_s3_key_prefix}" + iam_role_arn = local.flow_logs_to_cw_logs ? var.flow_logs_iam_role_arn : null + vpc_id = aws_default_vpc.default.id traffic_type = "ALL" tags = var.tags 
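Review bot: In `aws_cloudwatch_log_group.default_vpc_flow_logs` the condition `var.enable_flow_logs && local.flow_logs_to_cw_logs` tests `var.enable_flow_logs` twice, because the local defined in the first hunk already includes it. `count = local.flow_logs_to_cw_logs ? 1 : 0` expresses the same thing and matches how the local is used in `aws_flow_log.default_vpc_flow_logs`. The resource body continues outside the hunk.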
@@ -36,8 +44,6 @@ resource "aws_flow_log" "default_vpc_flow_logs" { # -------------------------------------------------------------------------------------------------- resource "aws_default_vpc" "default" { - count = var.enabled ? 1 : 0 - tags = merge( var.tags, { Name = "Default VPC" } @@ -45,9 +51,9 @@ resource "aws_default_vpc" "default" { } resource "aws_default_subnet" "default" { - count = var.enabled ? length(data.aws_availability_zones.all.names) : 0 + for_each = data.aws_subnet.default - availability_zone = data.aws_availability_zones.all.names[count.index] + availability_zone = each.value.availability_zone map_public_ip_on_launch = false tags = merge( @@ -57,9 +63,7 @@ resource "aws_default_subnet" "default" { } resource "aws_default_route_table" "default" { - count = var.enabled ? 1 : 0 - - default_route_table_id = aws_default_vpc.default[0].default_route_table_id + default_route_table_id = aws_default_vpc.default.default_route_table_id tags = merge( var.tags, @@ -67,13 +71,11 @@ resource "aws_default_route_table" "default" { ) } -// Ignore "subnet_ids" changes to avoid the known issue below. -// https://github.com/hashicorp/terraform/issues/9824 -// https://github.com/terraform-providers/terraform-provider-aws/issues/346 +# Ignore "subnet_ids" changes to avoid the known issue below. +# https://github.com/hashicorp/terraform/issues/9824 +# https://github.com/terraform-providers/terraform-provider-aws/issues/346 resource "aws_default_network_acl" "default" { - count = var.enabled ? 1 : 0 - - default_network_acl_id = aws_default_vpc.default[0].default_network_acl_id + default_network_acl_id = aws_default_vpc.default.default_network_acl_id tags = merge( var.tags, @@ -86,9 +88,7 @@ resource "aws_default_network_acl" "default" { } resource "aws_default_security_group" "default" { - count = var.enabled ? 1 : 0 - - vpc_id = aws_default_vpc.default[0].id + vpc_id = aws_default_vpc.default.id tags = merge( var.tags, 
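Review bot: `aws_default_subnet.default` now iterates over `data.aws_subnet.default`, which is read at plan time, so it only manages default subnets that already exist when the plan runs. If `aws_default_vpc.default` has to create the default VPC in the same apply (which provider 4.x does when none exists, as far as I know), the subnet set is empty on that run and `map_public_ip_on_launch = false` is not applied until a second apply. I would add `# Only default subnets present at plan time are managed; apply again after the default VPC is first created.` above `for_each`. It is also worth stating in the module docs that, with the `enabled` input gone, wrapping the module in `count` is the only way to keep it out of regions where the default VPC was removed on purpose.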
diff --git a/modules/vpc-baseline/migrations.tf b/modules/vpc-baseline/migrations.tf new file mode 100644 index 00000000..343a55b6 --- /dev/null +++ b/modules/vpc-baseline/migrations.tf @@ -0,0 +1,24 @@ +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- + +moved { + from = aws_default_vpc.default[0] + to = aws_default_vpc.default +} + +moved { + from = aws_default_route_table.default[0] + to = aws_default_route_table.default +} + +moved { + from = aws_default_network_acl.default[0] + to = aws_default_network_acl.default +} + +moved { + from = aws_default_security_group.default[0] + to = aws_default_security_group.default +} diff --git a/modules/vpc-baseline/outputs.tf b/modules/vpc-baseline/outputs.tf index a50d0923..b446115b 100644 --- a/modules/vpc-baseline/outputs.tf +++ b/modules/vpc-baseline/outputs.tf 
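Review bot: The `moved` blocks cover the VPC, route table, network ACL and security group but not `aws_default_subnet.default`, which main.tf switches from `count` to `for_each` keyed by subnet ID. Those old `[N]` addresses cannot be mapped statically, so upgrading users will see every default subnet planned for removal and re-creation under a new key. As far as I know, removing an `aws_default_subnet` only drops it from state, but the plan still looks alarming. The header comment should say so, for example `# aws_default_subnet.default moves from count to for_each; expect each default subnet to be dropped from state and re-adopted.`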
@@ -1,24 +1,24 @@ output "default_vpc" { description = "The default VPC." - value = var.enabled ? aws_default_vpc.default[0] : null + value = aws_default_vpc.default } output "default_security_group" { description = "The default security group." - value = var.enabled ? aws_default_security_group.default[0] : null + value = aws_default_security_group.default } output "default_network_acl" { description = "The default network ACL." - value = var.enabled ? aws_default_network_acl.default[0] : null + value = aws_default_network_acl.default } output "default_route_table" { description = "The default route table." - value = var.enabled ? aws_default_route_table.default[0] : null + value = aws_default_route_table.default } output "vpc_flow_logs_group" { description = "The CloudWatch Logs log group which stores VPC Flow Logs." - value = var.enabled && local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0] : null + value = local.flow_logs_to_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0] : null } diff --git a/modules/vpc-baseline/variables.tf b/modules/vpc-baseline/variables.tf index a92dcb43..e61c99bd 100644 --- a/modules/vpc-baseline/variables.tf +++ b/modules/vpc-baseline/variables.tf 
@@ -1,52 +1,57 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "enable_flow_logs" { description = "The boolean flag whether to enable VPC Flow Logs in the default VPC" + type = bool default = true } variable "flow_logs_destination_type" { description = "The type of the logging destination. Valid values: cloud-watch-logs, s3" + type = string default = "cloud-watch-logs" } # -------------------------------------------------------------------------------------------------- # Variables for CloudWatch Logs logging. # -------------------------------------------------------------------------------------------------- + variable "flow_logs_log_group_name" { description = "The name of CloudWatch Logs group to which VPC Flow Logs are delivered if vpc_log_destination_type is cloud-watch-logs." + type = string default = "" } variable "flow_logs_iam_role_arn" { description = "The ARN of the IAM Role which will be used by VPC Flow Logs if vpc_log_destination_type is cloud-watch-logs." + type = string default = "" } variable "flow_logs_retention_in_days" { description = "Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely." + type = number default = 365 } # -------------------------------------------------------------------------------------------------- # Variables for S3 logging. # -------------------------------------------------------------------------------------------------- + variable "flow_logs_s3_arn" { description = "The ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3." + type = string default = "" } variable "flow_logs_s3_key_prefix" { description = "The prefix used when VPC Flow Logs delivers logs to the S3 bucket." 
+ type = string default = "flow-logs" } variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { - "Terraform" = true + "Terraform" = "true" } } diff --git a/modules/vpc-baseline/versions.tf b/modules/vpc-baseline/versions.tf index 811c8034..e30c400a 100644 --- a/modules/vpc-baseline/versions.tf +++ b/modules/vpc-baseline/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.4" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.50.0" + version = ">= 4.3" } } } diff --git a/outputs.tf b/outputs.tf index 7897d755..beae8b0b 100644 --- a/outputs.tf +++ b/outputs.tf @@ -4,7 +4,7 @@ output "audit_bucket" { description = "The S3 bucket used for storing audit logs." - value = module.audit_log_bucket.this_bucket + value = one(module.audit_log_bucket[*].this_bucket) } # -------------------------------------------------------------------------------------------------- @@ -13,7 +13,7 @@ output "audit_bucket" { output "alarm_sns_topic" { description = "The SNS topic to which CloudWatch Alarms will be sent." - value = module.alarm_baseline.alarm_sns_topic + value = one(module.alarm_baseline[*].alarm_sns_topic) } # -------------------------------------------------------------------------------------------------- 
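Review bot: `flow_logs_destination_type` gains `type = string` but no check against the two values its description lists. Any other value makes `local.flow_logs_to_cw_logs` false in main.tf, so the flow log takes the S3 branch and the mistake only shows up as an apply-time error about a destination the user never meant to use. A `validation` block with `condition = contains(["cloud-watch-logs", "s3"], var.flow_logs_destination_type)` and a short `error_message` would catch it at plan time. The neighbouring descriptions also refer to `vpc_log_destination_type`, which is not the name of this variable.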
@@ -22,27 +22,27 @@ output "alarm_sns_topic" { output "cloudtrail" { description = "The trail for recording events in all regions." - value = module.cloudtrail_baseline.cloudtrail + value = one(module.cloudtrail_baseline[*].cloudtrail) } output "cloudtrail_sns_topic" { description = "The sns topic linked to the cloudtrail." - value = module.cloudtrail_baseline.cloudtrail_sns_topic + value = one(module.cloudtrail_baseline[*].cloudtrail_sns_topic) } output "cloudtrail_kms_key" { description = "The KMS key used for encrypting CloudTrail events." - value = module.cloudtrail_baseline.kms_key + value = one(module.cloudtrail_baseline[*].kms_key) } output "cloudtrail_log_delivery_iam_role" { description = "The IAM role used for delivering CloudTrail events to CloudWatch Logs." - value = module.cloudtrail_baseline.log_delivery_iam_role + value = one(module.cloudtrail_baseline[*].log_delivery_iam_role) } output "cloudtrail_log_group" { description = "The CloudWatch Logs log group which stores CloudTrail events." - value = module.cloudtrail_baseline.log_group + value = one(module.cloudtrail_baseline[*].log_group) } # -------------------------------------------------------------------------------------------------- 
@@ -58,46 +58,46 @@ output "config_configuration_recorder" { description = "The configuration recorder in each region." value = { - "ap-northeast-1" = module.config_baseline_ap-northeast-1.configuration_recorder - "ap-northeast-2" = module.config_baseline_ap-northeast-2.configuration_recorder - "ap-northeast-3" = module.config_baseline_ap-northeast-3.configuration_recorder - "ap-south-1" = module.config_baseline_ap-south-1.configuration_recorder - "ap-southeast-1" = module.config_baseline_ap-southeast-1.configuration_recorder - "ap-southeast-2" = module.config_baseline_ap-southeast-2.configuration_recorder - "ca-central-1" = module.config_baseline_ca-central-1.configuration_recorder - "eu-central-1" = module.config_baseline_eu-central-1.configuration_recorder - "eu-west-1" = module.config_baseline_eu-west-1.configuration_recorder - "eu-west-2" = module.config_baseline_eu-west-2.configuration_recorder - "eu-west-3" = module.config_baseline_eu-west-3.configuration_recorder - "sa-east-1" = module.config_baseline_sa-east-1.configuration_recorder - "us-east-1" = module.config_baseline_us-east-1.configuration_recorder - "us-east-2" = module.config_baseline_us-east-2.configuration_recorder - "us-west-1" = module.config_baseline_us-west-1.configuration_recorder - "us-west-2" = module.config_baseline_us-west-2.configuration_recorder + "ap-northeast-1" = one(module.config_baseline_ap-northeast-1[*].configuration_recorder) + "ap-northeast-2" = one(module.config_baseline_ap-northeast-2[*].configuration_recorder) + "ap-northeast-3" = one(module.config_baseline_ap-northeast-3[*].configuration_recorder) + "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder) + "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder) + "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder) + "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder) + "eu-central-1" = 
one(module.config_baseline_eu-central-1[*].configuration_recorder) + "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) + "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder) + "eu-west-3" = one(module.config_baseline_eu-west-3[*].configuration_recorder) + "sa-east-1" = one(module.config_baseline_sa-east-1[*].configuration_recorder) + "us-east-1" = one(module.config_baseline_us-east-1[*].configuration_recorder) + "us-east-2" = one(module.config_baseline_us-east-2[*].configuration_recorder) + "us-west-1" = one(module.config_baseline_us-west-1[*].configuration_recorder) + "us-west-2" = one(module.config_baseline_us-west-2[*].configuration_recorder) } } output "config_sns_topic" { - description = "The SNS topic that AWS Config delivers notifications to." + description = "The SNS topic) that AWS Config delivers notifications to." value = { - "ap-northeast-1" = module.config_baseline_ap-northeast-1.config_sns_topic - "ap-northeast-2" = module.config_baseline_ap-northeast-2.config_sns_topic - "ap-northeast-3" = module.config_baseline_ap-northeast-3.config_sns_topic - "ap-south-1" = module.config_baseline_ap-south-1.config_sns_topic - "ap-southeast-1" = module.config_baseline_ap-southeast-1.config_sns_topic - "ap-southeast-2" = module.config_baseline_ap-southeast-2.config_sns_topic - "ca-central-1" = module.config_baseline_ca-central-1.config_sns_topic - "eu-central-1" = module.config_baseline_eu-central-1.config_sns_topic - "eu-north-1" = module.config_baseline_eu-north-1.config_sns_topic - "eu-west-1" = module.config_baseline_eu-west-1.config_sns_topic - "eu-west-2" = module.config_baseline_eu-west-2.config_sns_topic - "eu-west-3" = module.config_baseline_eu-west-3.config_sns_topic - "sa-east-1" = module.config_baseline_sa-east-1.config_sns_topic - "us-east-1" = module.config_baseline_us-east-1.config_sns_topic - "us-east-2" = module.config_baseline_us-east-2.config_sns_topic - "us-west-1" = 
module.config_baseline_us-west-1.config_sns_topic - "us-west-2" = module.config_baseline_us-west-2.config_sns_topic + "ap-northeast-1" = one(module.config_baseline_ap-northeast-1[*].config_sns_topic) + "ap-northeast-2" = one(module.config_baseline_ap-northeast-2[*].config_sns_topic) + "ap-northeast-3" = one(module.config_baseline_ap-northeast-3[*].config_sns_topic) + "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic) + "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic) + "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic) + "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic) + "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic) + "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic) + "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic) + "eu-west-2" = one(module.config_baseline_eu-west-2[*].config_sns_topic) + "eu-west-3" = one(module.config_baseline_eu-west-3[*].config_sns_topic) + "sa-east-1" = one(module.config_baseline_sa-east-1[*].config_sns_topic) + "us-east-1" = one(module.config_baseline_us-east-1[*].config_sns_topic) + "us-east-2" = one(module.config_baseline_us-east-2[*].config_sns_topic) + "us-west-1" = one(module.config_baseline_us-west-1[*].config_sns_topic) + "us-west-2" = one(module.config_baseline_us-west-2[*].config_sns_topic) } } 
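Review bot: The new `config_sns_topic` description has a stray parenthesis, `"The SNS topic) that AWS Config delivers notifications to."`; it should stay `description = "The SNS topic that AWS Config delivers notifications to."`. In the same hunk the `config_configuration_recorder` map still has no `"eu-north-1"` key, although `config_sns_topic` just below references `module.config_baseline_eu-north-1`, so that module exists. Since every line of the map is being rewritten anyway, add `"eu-north-1" = one(module.config_baseline_eu-north-1[*].configuration_recorder)` so that consumers checking recorder coverage per region see all seventeen regions.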
@@ -109,22 +109,22 @@ output "guardduty_detector" { description = "The GuardDuty detector in each region." value = { - "ap-northeast-1" = module.guardduty_baseline_ap-northeast-1.guardduty_detector - "ap-northeast-2" = module.guardduty_baseline_ap-northeast-2.guardduty_detector - "ap-northeast-3" = module.guardduty_baseline_ap-northeast-3.guardduty_detector - "ap-south-1" = module.guardduty_baseline_ap-south-1.guardduty_detector - "ap-southeast-1" = module.guardduty_baseline_ap-southeast-1.guardduty_detector - "ap-southeast-2" = module.guardduty_baseline_ap-southeast-2.guardduty_detector - "ca-central-1" = module.guardduty_baseline_ca-central-1.guardduty_detector - "eu-central-1" = module.guardduty_baseline_eu-central-1.guardduty_detector - "eu-north-1" = module.guardduty_baseline_eu-north-1.guardduty_detector - "eu-west-1" = module.guardduty_baseline_eu-west-1.guardduty_detector - "eu-west-2" = module.guardduty_baseline_eu-west-2.guardduty_detector - "sa-east-1" = module.guardduty_baseline_sa-east-1.guardduty_detector - "us-east-1" = module.guardduty_baseline_us-east-1.guardduty_detector - "us-east-2" = module.guardduty_baseline_us-east-2.guardduty_detector - "us-west-1" = module.guardduty_baseline_us-west-1.guardduty_detector - "us-west-2" = module.guardduty_baseline_us-west-2.guardduty_detector + "ap-northeast-1" = one(module.guardduty_baseline_ap-northeast-1[*].guardduty_detector) + "ap-northeast-2" = one(module.guardduty_baseline_ap-northeast-2[*].guardduty_detector) + "ap-northeast-3" = one(module.guardduty_baseline_ap-northeast-3[*].guardduty_detector) + "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector) + "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector) + "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector) + "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector) + "eu-central-1" = 
one(module.guardduty_baseline_eu-central-1[*].guardduty_detector) + "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) + "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector) + "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector) + "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector) + "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector) + "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector) + "us-west-1" = one(module.guardduty_baseline_us-west-1[*].guardduty_detector) + "us-west-2" = one(module.guardduty_baseline_us-west-2[*].guardduty_detector) } } @@ -134,7 +134,7 @@ output "guardduty_detector" { output "support_iam_role" { description = "The IAM role used for the support user." - value = module.iam_baseline.support_iam_role + value = one(module.iam_baseline[*].support_iam_role) } # -------------------------------------------------------------------------------------------------- 
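Review bot: The `guardduty_detector` map has no `"eu-west-3"` entry on either side of this hunk, while the other per-region maps in this file (`config_sns_topic`, `default_vpc`, `default_security_group` and so on) all list it. If a `guardduty_baseline_eu-west-3` module exists (it is not visible here), add `"eu-west-3" = one(module.guardduty_baseline_eu-west-3[*].guardduty_detector)` between the `eu-west-2` and `sa-east-1` lines. Otherwise anyone auditing detector coverage from this output will not see that region. If the region is left out on purpose, a one-line comment above the map should say why.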
@@ -143,30 +143,30 @@ output "support_iam_role" { output "vpc_flow_logs_iam_role" { description = "The IAM role used for delivering VPC Flow Logs to CloudWatch Logs." - value = local.is_cw_logs ? aws_iam_role.flow_logs_publisher : null + value = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher : null } output "vpc_flow_logs_group" { description = "The CloudWatch Logs log group which stores VPC Flow Logs in each region." - value = local.is_cw_logs ? { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.vpc_flow_logs_group - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.vpc_flow_logs_group - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.vpc_flow_logs_group - "ap-south-1" = module.vpc_baseline_ap-south-1.vpc_flow_logs_group - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.vpc_flow_logs_group - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.vpc_flow_logs_group - "ca-central-1" = module.vpc_baseline_ca-central-1.vpc_flow_logs_group - "eu-central-1" = module.vpc_baseline_eu-central-1.vpc_flow_logs_group - "eu-north-1" = module.vpc_baseline_eu-north-1.vpc_flow_logs_group - "eu-west-1" = module.vpc_baseline_eu-west-1.vpc_flow_logs_group - "eu-west-2" = module.vpc_baseline_eu-west-2.vpc_flow_logs_group - "eu-west-3" = module.vpc_baseline_eu-west-3.vpc_flow_logs_group - "sa-east-1" = module.vpc_baseline_sa-east-1.vpc_flow_logs_group - "us-east-1" = module.vpc_baseline_us-east-1.vpc_flow_logs_group - "us-east-2" = module.vpc_baseline_us-east-2.vpc_flow_logs_group - "us-west-1" = module.vpc_baseline_us-west-1.vpc_flow_logs_group - "us-west-2" = module.vpc_baseline_us-west-2.vpc_flow_logs_group + value = local.flow_logs_to_cw_logs ? 
{ + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].vpc_flow_logs_group) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].vpc_flow_logs_group) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].vpc_flow_logs_group) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group) + "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].vpc_flow_logs_group) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].vpc_flow_logs_group) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].vpc_flow_logs_group) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].vpc_flow_logs_group) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].vpc_flow_logs_group) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].vpc_flow_logs_group) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].vpc_flow_logs_group) } : null } 
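Review bot: `vpc_flow_logs_iam_role` still returns `aws_iam_role.flow_logs_publisher` bare, while every module reference in this file was moved to the `one(...[*])` form. If that resource is declared with `count` (its definition is outside this diff section, so this is an assumption to confirm), the output becomes a one-element tuple rather than the role object, and callers reading `.arn` from it will break. In that case the line should read `value = one(aws_iam_role.flow_logs_publisher[*])`, which also makes the `local.flow_logs_to_cw_logs ? … : null` wrapper unnecessary. Separately, the `vpc_flow_logs_group` description should mention that the whole map is null when flow logs are not delivered to CloudWatch Logs.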
@@ -174,23 +174,23 @@ output "default_vpc" { description = "The default VPC." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_vpc - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_vpc - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_vpc - "ap-south-1" = module.vpc_baseline_ap-south-1.default_vpc - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_vpc - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_vpc - "ca-central-1" = module.vpc_baseline_ca-central-1.default_vpc - "eu-central-1" = module.vpc_baseline_eu-central-1.default_vpc - "eu-north-1" = module.vpc_baseline_eu-north-1.default_vpc - "eu-west-1" = module.vpc_baseline_eu-west-1.default_vpc - "eu-west-2" = module.vpc_baseline_eu-west-2.default_vpc - "eu-west-3" = module.vpc_baseline_eu-west-3.default_vpc - "sa-east-1" = module.vpc_baseline_sa-east-1.default_vpc - "us-east-1" = module.vpc_baseline_us-east-1.default_vpc - "us-east-2" = module.vpc_baseline_us-east-2.default_vpc - "us-west-1" = module.vpc_baseline_us-west-1.default_vpc - "us-west-2" = module.vpc_baseline_us-west-2.default_vpc + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_vpc) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_vpc) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_vpc) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc) + "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_vpc) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_vpc) + 
"sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_vpc) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_vpc) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_vpc) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_vpc) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_vpc) } } 
@@ -198,23 +198,23 @@ output "default_security_group" { description = "The ID of the default security group." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_security_group - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_security_group - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_security_group - "ap-south-1" = module.vpc_baseline_ap-south-1.default_security_group - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_security_group - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_security_group - "ca-central-1" = module.vpc_baseline_ca-central-1.default_security_group - "eu-central-1" = module.vpc_baseline_eu-central-1.default_security_group - "eu-north-1" = module.vpc_baseline_eu-north-1.default_security_group - "eu-west-1" = module.vpc_baseline_eu-west-1.default_security_group - "eu-west-2" = module.vpc_baseline_eu-west-2.default_security_group - "eu-west-3" = module.vpc_baseline_eu-west-3.default_security_group - "sa-east-1" = module.vpc_baseline_sa-east-1.default_security_group - "us-east-1" = module.vpc_baseline_us-east-1.default_security_group - "us-east-2" = module.vpc_baseline_us-east-2.default_security_group - "us-west-1" = module.vpc_baseline_us-west-1.default_security_group - "us-west-2" = module.vpc_baseline_us-west-2.default_security_group + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_security_group) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_security_group) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_security_group) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group) + "eu-central-1" = 
one(module.vpc_baseline_eu-central-1[*].default_security_group) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_security_group) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_security_group) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_security_group) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_security_group) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_security_group) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_security_group) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_security_group) } } 
@@ -222,23 +222,23 @@ output "default_network_acl" { description = "The default network ACL." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_network_acl - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_network_acl - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_network_acl - "ap-south-1" = module.vpc_baseline_ap-south-1.default_network_acl - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_network_acl - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_network_acl - "ca-central-1" = module.vpc_baseline_ca-central-1.default_network_acl - "eu-central-1" = module.vpc_baseline_eu-central-1.default_network_acl - "eu-north-1" = module.vpc_baseline_eu-north-1.default_network_acl - "eu-west-1" = module.vpc_baseline_eu-west-1.default_network_acl - "eu-west-2" = module.vpc_baseline_eu-west-2.default_network_acl - "eu-west-3" = module.vpc_baseline_eu-west-3.default_network_acl - "sa-east-1" = module.vpc_baseline_sa-east-1.default_network_acl - "us-east-1" = module.vpc_baseline_us-east-1.default_network_acl - "us-east-2" = module.vpc_baseline_us-east-2.default_network_acl - "us-west-1" = module.vpc_baseline_us-west-1.default_network_acl - "us-west-2" = module.vpc_baseline_us-west-2.default_network_acl + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_network_acl) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_network_acl) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_network_acl) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl) + "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl) + "eu-north-1" = 
one(module.vpc_baseline_eu-north-1[*].default_network_acl) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_network_acl) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_network_acl) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_network_acl) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_network_acl) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_network_acl) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_network_acl) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_network_acl) } } 
@@ -246,23 +246,23 @@ output "default_route_table" { description = "The default route table." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_route_table - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_route_table - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_route_table - "ap-south-1" = module.vpc_baseline_ap-south-1.default_route_table - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_route_table - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_route_table - "ca-central-1" = module.vpc_baseline_ca-central-1.default_route_table - "eu-central-1" = module.vpc_baseline_eu-central-1.default_route_table - "eu-north-1" = module.vpc_baseline_eu-north-1.default_route_table - "eu-west-1" = module.vpc_baseline_eu-west-1.default_route_table - "eu-west-2" = module.vpc_baseline_eu-west-2.default_route_table - "eu-west-3" = module.vpc_baseline_eu-west-3.default_route_table - "sa-east-1" = module.vpc_baseline_sa-east-1.default_route_table - "us-east-1" = module.vpc_baseline_us-east-1.default_route_table - "us-east-2" = module.vpc_baseline_us-east-2.default_route_table - "us-west-1" = module.vpc_baseline_us-west-1.default_route_table - "us-west-2" = module.vpc_baseline_us-west-2.default_route_table + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_route_table) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_route_table) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_route_table) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table) + "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table) + "eu-north-1" = 
one(module.vpc_baseline_eu-north-1[*].default_route_table) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_route_table) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_route_table) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_route_table) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_route_table) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_route_table) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_route_table) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_route_table) } } diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf index ba90ed9a..a8324d6e 100644 --- a/securityhub_baselines.tf +++ b/securityhub_baselines.tf 
@@ -1,259 +1,296 @@ # -------------------------------------------------------------------------------------------------- # SecurityHub Baseline # -------------------------------------------------------------------------------------------------- + locals { - securityhub_member_accounts = var.member_accounts + securityhub_master_account_id = var.master_account_id + securityhub_member_accounts = var.member_accounts } module "securityhub_baseline_ap-northeast-1" { + count = contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled + + aggregate_findings = var.region == "ap-northeast-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ap-northeast-2" { + count = contains(var.target_regions, "ap-northeast-2") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = contains(var.target_regions, "ap-northeast-2") && var.securityhub_enabled + aggregate_findings = var.region == "ap-northeast-2" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ap-northeast-3" { + count = contains(var.target_regions, "ap-northeast-3") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = contains(var.target_regions, "ap-northeast-3") && var.securityhub_enabled + aggregate_findings = var.region == "ap-northeast-3" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ap-south-1" { + count = contains(var.target_regions, "ap-south-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-south-1 } - enabled = contains(var.target_regions, "ap-south-1") && var.securityhub_enabled + aggregate_findings = var.region == "ap-south-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ap-southeast-1" { + count = contains(var.target_regions, "ap-southeast-1") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = contains(var.target_regions, "ap-southeast-1") && var.securityhub_enabled + aggregate_findings = var.region == "ap-southeast-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ap-southeast-2" { + count = contains(var.target_regions, "ap-southeast-2") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = contains(var.target_regions, "ap-southeast-2") && var.securityhub_enabled + aggregate_findings = var.region == "ap-southeast-2" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_ca-central-1" { + count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.ca-central-1 } - enabled = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled + aggregate_findings = var.region == "ca-central-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_eu-central-1" { + count = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.eu-central-1 } - enabled = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled + aggregate_findings = var.region == "eu-central-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_eu-north-1" { + count = contains(var.target_regions, "eu-north-1") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.eu-north-1 } - enabled = contains(var.target_regions, "eu-north-1") && var.securityhub_enabled + aggregate_findings = var.region == "eu-north-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_eu-west-1" { + count = contains(var.target_regions, "eu-west-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.eu-west-1 } - enabled = contains(var.target_regions, "eu-west-1") && var.securityhub_enabled + aggregate_findings = var.region == "eu-west-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_eu-west-2" { + count = contains(var.target_regions, "eu-west-2") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.eu-west-2 } - enabled = contains(var.target_regions, "eu-west-2") && var.securityhub_enabled + aggregate_findings = var.region == "eu-west-2" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_eu-west-3" { + count = contains(var.target_regions, "eu-west-3") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.eu-west-3 } - enabled = contains(var.target_regions, "eu-west-3") && var.securityhub_enabled + aggregate_findings = var.region == "eu-west-3" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_sa-east-1" { + count = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.sa-east-1 } - enabled = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled + aggregate_findings = var.region == "sa-east-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_us-east-1" { + count = contains(var.target_regions, "us-east-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.us-east-1 } - enabled = contains(var.target_regions, "us-east-1") && var.securityhub_enabled + aggregate_findings = var.region == "us-east-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_us-east-2" { + count = contains(var.target_regions, "us-east-2") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.us-east-2 } - enabled = contains(var.target_regions, "us-east-2") && var.securityhub_enabled + aggregate_findings = var.region == "us-east-2" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_us-west-1" { + count = contains(var.target_regions, "us-west-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.us-west-1 } - enabled = contains(var.target_regions, "us-west-1") && var.securityhub_enabled + aggregate_findings = var.region == "us-west-1" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } module "securityhub_baseline_us-west-2" { + count = contains(var.target_regions, "us-west-2") && var.securityhub_enabled ? 
1 : 0 source = "./modules/securityhub-baseline" providers = { aws = aws.us-west-2 } - enabled = contains(var.target_regions, "us-west-2") && var.securityhub_enabled + aggregate_findings = var.region == "us-west-2" enable_cis_standard = var.securityhub_enable_cis_standard enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id member_accounts = local.securityhub_member_accounts } diff --git a/test/fixtures/simple_local/main.tf b/test/fixtures/simple_local/main.tf deleted file mode 100644 index c0515dbb..00000000 --- a/test/fixtures/simple_local/main.tf +++ /dev/null 
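Review bot: `securityhub_baseline_ap-northeast-1` is the only module block in this hunk without `enable_product_arns = var.securityhub_enable_product_arns`, so product integrations requested through that variable are not passed to that region. Add the line after `enable_aws_foundational_standard`, or leave a comment explaining the omission. Also, `aggregate_findings = var.region == "<region>"` is only evaluated in blocks whose `count` is 1. If `var.region` is not in `var.target_regions`, no instance gets `aggregate_findings = true`, and nothing reports it. What the submodule does with the flag is not visible here, but the dependency between the two variables is worth stating in the `region` variable's description or guarding with an explicit check.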
@@ -1,61 +0,0 @@
-terraform {
- required_version = ">= 0.15"
-
- backend "local" {
- path = "../terraform.tfstate"
- }
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.50.0"
- }
- }
-}
-
-provider "aws" {
- region = var.region
-}
-
-data "aws_caller_identity" "current" {
-}
-
-resource "aws_iam_user" "admin" {
- name = "admin"
-}
-
-module "secure_baseline" {
- source = "../../../"
-
- audit_log_bucket_name = var.audit_s3_bucket_name
- aws_account_id = data.aws_caller_identity.current.account_id
- region = var.region
- support_iam_role_principal_arns = [aws_iam_user.admin.arn]
-
- # Setting it to true means all audit logs are automatically deleted
- # when you run `terraform destroy`.
- # Note that it might be inappropriate for highly secured environment.
- audit_log_bucket_force_destroy = true
-
- providers = {
- aws = aws
- aws.ap-northeast-1 = aws.ap-northeast-1
- aws.ap-northeast-2 = aws.ap-northeast-2
- aws.ap-northeast-3 = aws.ap-northeast-3
- aws.ap-south-1 = aws.ap-south-1
- aws.ap-southeast-1 = aws.ap-southeast-1
- aws.ap-southeast-2 = aws.ap-southeast-2
- aws.ca-central-1 = aws.ca-central-1
- aws.eu-central-1 = aws.eu-central-1
- aws.eu-north-1 = aws.eu-north-1
- aws.eu-west-1 = aws.eu-west-1
- aws.eu-west-2 = aws.eu-west-2
- aws.eu-west-3 = aws.eu-west-3
- aws.sa-east-1 = aws.sa-east-1
- aws.us-east-1 = aws.us-east-1
- aws.us-east-2 = aws.us-east-2
- aws.us-west-1 = aws.us-west-1
- aws.us-west-2 = aws.us-west-2
- }
-}
-
diff --git a/test/fixtures/simple_local/regions.tf b/test/fixtures/simple_local/regions.tf
deleted file mode 100644
index 6937e512..00000000
--- a/test/fixtures/simple_local/regions.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-# --------------------------------------------------------------------------------------------------
-# A list of providers for all AWS regions.
-# Reference: https://docs.aws.amazon.com/general/latest/gr/rande.html
-# --------------------------------------------------------------------------------------------------
-
-provider "aws" {
- region = "ap-northeast-1"
- alias = "ap-northeast-1"
-}
-
-provider "aws" {
- region = "ap-northeast-2"
- alias = "ap-northeast-2"
-}
-
-provider "aws" {
- region = "ap-northeast-3"
- alias = "ap-northeast-3"
-}
-
-provider "aws" {
- region = "ap-south-1"
- alias = "ap-south-1"
-}
-
-provider "aws" {
- region = "ap-southeast-1"
- alias = "ap-southeast-1"
-}
-
-provider "aws" {
- region = "ap-southeast-2"
- alias = "ap-southeast-2"
-}
-
-provider "aws" {
- region = "ca-central-1"
- alias = "ca-central-1"
-}
-
-provider "aws" {
- region = "eu-central-1"
- alias = "eu-central-1"
-}
-
-provider "aws" {
- region = "eu-north-1"
- alias = "eu-north-1"
-}
-
-provider "aws" {
- region = "eu-west-1"
- alias = "eu-west-1"
-}
-
-provider "aws" {
- region = "eu-west-2"
- alias = "eu-west-2"
-}
-
-provider "aws" {
- region = "eu-west-3"
- alias = "eu-west-3"
-}
-
-provider "aws" {
- region = "sa-east-1"
- alias = "sa-east-1"
-}
-
-provider "aws" {
- region = "us-east-1"
- alias = "us-east-1"
-}
-
-provider "aws" {
- region = "us-east-2"
- alias = "us-east-2"
-}
-
-provider "aws" {
- region = "us-west-1"
- alias = "us-west-1"
-}
-
-provider "aws" {
- region = "us-west-2"
- alias = "us-west-2"
-}
-
diff --git a/test/fixtures/simple_local/variables.tf b/test/fixtures/simple_local/variables.tf
deleted file mode 100644
index 3e186522..00000000
--- a/test/fixtures/simple_local/variables.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-variable "audit_s3_bucket_name" {
- description = "The name of the S3 bucket to store various audit logs."
-}
-
-variable "region" {
- description = "The AWS region in which global resources are set up."
- default = "us-east-1"
-}
diff --git a/test/fixtures/simple_registry/main.tf b/test/fixtures/simple_registry/main.tf
deleted file mode 100644
index aae57124..00000000
--- a/test/fixtures/simple_registry/main.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-terraform {
- required_version = ">= 0.15"
-
- backend "local" {
- path = "../terraform.tfstate"
- }
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.50.0"
- }
- }
-}
-
-provider "aws" {
- region = var.region
-}
-
-data "aws_caller_identity" "current" {
-}
-
-resource "aws_iam_user" "admin" {
- name = "admin"
-}
-
-module "secure_baseline" {
- source = "nozaq/secure-baseline/aws"
-
- audit_log_bucket_name = var.audit_s3_bucket_name
- aws_account_id = data.aws_caller_identity.current.account_id
- region = var.region
- support_iam_role_principal_arns = [aws_iam_user.admin.arn]
-
- # Setting it to true means all audit logs are automatically deleted
- # when you run `terraform destroy`.
- # Note that it might be inappropriate for highly secured environment.
- audit_log_bucket_force_destroy = true
-
- providers = {
- aws = aws
- aws.ap-northeast-1 = aws.ap-northeast-1
- aws.ap-northeast-2 = aws.ap-northeast-2
- aws.ap-northeast-3 = aws.ap-northeast-3
- aws.ap-south-1 = aws.ap-south-1
- aws.ap-southeast-1 = aws.ap-southeast-1
- aws.ap-southeast-2 = aws.ap-southeast-2
- aws.ca-central-1 = aws.ca-central-1
- aws.eu-central-1 = aws.eu-central-1
- aws.eu-north-1 = aws.eu-north-1
- aws.eu-west-1 = aws.eu-west-1
- aws.eu-west-2 = aws.eu-west-2
- aws.eu-west-3 = aws.eu-west-3
- aws.sa-east-1 = aws.sa-east-1
- aws.us-east-1 = aws.us-east-1
- aws.us-east-2 = aws.us-east-2
- aws.us-west-1 = aws.us-west-1
- aws.us-west-2 = aws.us-west-2
- }
-}
-
diff --git a/test/fixtures/simple_registry/regions.tf b/test/fixtures/simple_registry/regions.tf
deleted file mode 100644
index 6937e512..00000000
--- a/test/fixtures/simple_registry/regions.tf
+++ /dev/null
@@ -1,90 +0,0 @@
-# --------------------------------------------------------------------------------------------------
-# A list of providers for all AWS regions.
-# Reference: https://docs.aws.amazon.com/general/latest/gr/rande.html
-# --------------------------------------------------------------------------------------------------
-
-provider "aws" {
- region = "ap-northeast-1"
- alias = "ap-northeast-1"
-}
-
-provider "aws" {
- region = "ap-northeast-2"
- alias = "ap-northeast-2"
-}
-
-provider "aws" {
- region = "ap-northeast-3"
- alias = "ap-northeast-3"
-}
-
-provider "aws" {
- region = "ap-south-1"
- alias = "ap-south-1"
-}
-
-provider "aws" {
- region = "ap-southeast-1"
- alias = "ap-southeast-1"
-}
-
-provider "aws" {
- region = "ap-southeast-2"
- alias = "ap-southeast-2"
-}
-
-provider "aws" {
- region = "ca-central-1"
- alias = "ca-central-1"
-}
-
-provider "aws" {
- region = "eu-central-1"
- alias = "eu-central-1"
-}
-
-provider "aws" {
- region = "eu-north-1"
- alias = "eu-north-1"
-}
-
-provider "aws" {
- region = "eu-west-1"
- alias = "eu-west-1"
-}
-
-provider "aws" {
- region = "eu-west-2"
- alias = "eu-west-2"
-}
-
-provider "aws" {
- region = "eu-west-3"
- alias = "eu-west-3"
-}
-
-provider "aws" {
- region = "sa-east-1"
- alias = "sa-east-1"
-}
-
-provider "aws" {
- region = "us-east-1"
- alias = "us-east-1"
-}
-
-provider "aws" {
- region = "us-east-2"
- alias = "us-east-2"
-}
-
-provider "aws" {
- region = "us-west-1"
- alias = "us-west-1"
-}
-
-provider "aws" {
- region = "us-west-2"
- alias = "us-west-2"
-}
-
diff --git a/test/fixtures/simple_registry/variables.tf b/test/fixtures/simple_registry/variables.tf
deleted file mode 100644
index 3e186522..00000000
--- a/test/fixtures/simple_registry/variables.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-variable "audit_s3_bucket_name" {
- description = "The name of the S3 bucket to store various audit logs."
-}
-
-variable "region" {
- description = "The AWS region in which global resources are set up."
- default = "us-east-1"
-}
diff --git a/test/go.mod b/test/go.mod
deleted file mode 100644
index 52f50ea9..00000000
--- a/test/go.mod
+++ /dev/null
@@ -1,17 +0,0 @@
-module github.com/nozaq/terraform-aws-secure-baseline
-
-go 1.16
-
-require (
- github.com/apparentlymart/go-textseg/v12 v12.0.0 // indirect
- github.com/coreos/go-etcd v2.0.0+incompatible // indirect
- github.com/cpuguy83/go-md2man v1.0.10 // indirect
- github.com/google/uuid v1.3.0
- github.com/gruntwork-io/terratest v0.38.1
- github.com/hashicorp/golang-lru v0.5.3 // indirect
- github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2 // indirect
- github.com/stretchr/testify v1.7.0 // indirect
- github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8 // indirect
- github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238 // indirect
- k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e // indirect
-)
diff --git a/test/go.sum b/test/go.sum
deleted file mode 100644
index 8e18857d..00000000
--- a/test/go.sum
+++ /dev/null
@@ -1,1402 +0,0 @@ -bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8= -cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= -cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= -cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= -cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= -cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= -cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= -cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= -cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= -cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= -cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= -cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= -cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= -cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= -cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= -cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= -cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= -cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= -cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= -cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= -cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= 
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= -cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= -cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= -cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= -cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= -cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= -cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= -cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk= -cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= -cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= -cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= -cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= -cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= -cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= -cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= -cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= -cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go v16.2.1+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
-github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v50.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= -github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= -github.com/Azure/go-autorest/autorest v0.9.6/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= -github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= -github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= -github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= -github.com/Azure/go-autorest/autorest v0.11.20/go.mod h1:o3tqFY+QR40VOlk+pV4d77mORO64jOXSgEnPQgLK6JY= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= -github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= -github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod 
h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= -github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= -github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= -github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk= -github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= -github.com/Azure/go-autorest/autorest/azure/auth v0.5.8/go.mod h1:kxyKZTSfKh8OVFWPAgOgQ/frrJgeYQJPyR5fLFmXko4= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= -github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= -github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= -github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= 
-github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= -github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= -github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= -github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= -github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= -github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= -github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= -github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0= -github.com/Microsoft/go-winio v0.4.17-0.20210211115548-6eac466e5fa3/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio 
v0.4.17-0.20210324224401-5516f17a5958/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.4.17/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/go-winio v0.5.0/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= -github.com/Microsoft/hcsshim v0.8.7-0.20190325164909-8abdbb8205e4/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg= -github.com/Microsoft/hcsshim v0.8.7/go.mod h1:OHd7sQqRFrYd3RmSgbgji+ctCwkbq2wbEYNSzOYtcBQ= -github.com/Microsoft/hcsshim v0.8.9/go.mod h1:5692vkUqntj1idxauYlpoINNKeqCiG6Sg38RRsjT5y8= -github.com/Microsoft/hcsshim v0.8.14/go.mod h1:NtVKoYxQuTLx6gEq0L96c9Ju4JbRJ4nY2ow3VK6a9Lg= -github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn69iY6URG00= -github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600= -github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU= -github.com/Microsoft/hcsshim/test v0.0.0-20210227013316-43a75bb4edd3/go.mod h1:mw7qgWloBUl75W/gVH3cQszUg1+gUITj7D6NY7ywVnY= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= 
-github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= -github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= -github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= -github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:CgnQgUtFrFz9mxFNtED3jI5tLDjKlOM+oUF/sTk6ps0= -github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= -github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= -github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= -github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= -github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= -github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= -github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= -github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= -github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= -github.com/armon/go-radix 
v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= -github.com/aws/aws-sdk-go v1.15.11/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0= -github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= -github.com/aws/aws-sdk-go v1.38.28 h1:2ZzgEupSluR18ClxUnHwXKyuADheZpMblXRAsHqF0tI= -github.com/aws/aws-sdk-go v1.38.28/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.40.56/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= -github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= -github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA= -github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM= -github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= -github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= -github.com/boombuler/barcode 
v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= -github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= -github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= -github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= -github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= -github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= -github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= -github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/checkpoint-restore/go-criu/v4 v4.1.0/go.mod h1:xUQBLp4RLc5zJtWY++yjOoMoB5lihDt7fai+75m+rGw= -github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= -github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= -github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg= -github.com/cilium/ebpf v0.0.0-20200702112145-1c8d4c9ef775/go.mod h1:7cR51M8ViRLIdUjrmSXlK9pkrsDlLHbO8jiB8X8JnOc= -github.com/cilium/ebpf v0.2.0/go.mod h1:To2CFviqOWL/M0gIMsvSMlqe7em/l1ALkX1PyjrX2Qs= -github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= -github.com/client9/misspell v0.3.4/go.mod 
h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= -github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= -github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE= -github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU= -github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= -github.com/containerd/aufs v1.0.0/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU= -github.com/containerd/btrfs v0.0.0-20201111183144-404b9149801e/go.mod h1:jg2QkJcsabfHugurUvvPhS3E08Oxiuh5W/g1ybB4e0E= -github.com/containerd/btrfs v0.0.0-20210316141732-918d888fb676/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= -github.com/containerd/btrfs v1.0.0/go.mod h1:zMcX3qkXTAi9GI50+0HOeuV8LU2ryCE/V2vG/ZBiTss= -github.com/containerd/cgroups v0.0.0-20190717030353-c4b9ac5c7601/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI= -github.com/containerd/cgroups v0.0.0-20190919134610-bf292b21730f/go.mod h1:OApqhQ4XNSNC13gXIwDjhOQxjWa/NxkwZXJ1EvqT0ko= -github.com/containerd/cgroups v0.0.0-20200531161412-0dbf7f05ba59/go.mod h1:pA0z1pT8KYB3TCXK/ocprsh7MAkoW8bZVzPdih9snmM= -github.com/containerd/cgroups v0.0.0-20200710171044-318312a37340/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= -github.com/containerd/cgroups v0.0.0-20200824123100-0b889c03f102/go.mod h1:s5q4SojHctfxANBDvMeIaIovkq29IP48TKAxnhYRxvo= -github.com/containerd/cgroups v0.0.0-20210114181951-8a68de567b68/go.mod 
h1:ZJeTFisyysqgcCdecO57Dj79RfL0LNeGiFUqLYQRYLE= -github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= -github.com/containerd/console v0.0.0-20180822173158-c12b1e7919c1/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= -github.com/containerd/console v0.0.0-20181022165439-0650fd9eeb50/go.mod h1:Tj/on1eG8kiEhd0+fhSDzsPAFESxzBBvdyEgyryXffw= -github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE= -github.com/containerd/console v1.0.1/go.mod h1:XUsP6YE/mKtz6bxc+I8UiKKTP04qjQL4qcS3XoQ5xkw= -github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= -github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ= -github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU= -github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI= -github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s= 
-github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g= -github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= -github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo= -github.com/containerd/continuity v0.0.0-20201208142359-180525291bb7/go.mod h1:kR3BEg7bDFaEddKm54WSmrol1fKWDU1nKYkgrcgZT7Y= -github.com/containerd/continuity v0.0.0-20210208174643-50096c924a4e/go.mod h1:EXlVlkqNba9rJe3j7w3Xa924itAMLgZH4UD/Q4PExuQ= -github.com/containerd/continuity v0.1.0/go.mod h1:ICJu0PwR54nI0yPEnJ6jcS+J7CZAUXrLh8lPo2knzsM= -github.com/containerd/fifo v0.0.0-20180307165137-3d5202aec260/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -github.com/containerd/fifo v0.0.0-20190226154929-a9fb20d87448/go.mod h1:ODA38xgv3Kuk8dQz2ZQXpnv/UZZUHUCL7pnLehbXgQI= -github.com/containerd/fifo v0.0.0-20200410184934-f15a3290365b/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= -github.com/containerd/fifo v0.0.0-20201026212402-0724c46b320c/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0= -github.com/containerd/fifo v0.0.0-20210316144830-115abcc95a1d/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= -github.com/containerd/fifo v1.0.0/go.mod h1:ocF/ME1SX5b1AOlWi9r677YJmCPSwwWnQ9O123vzpE4= -github.com/containerd/go-cni v1.0.1/go.mod h1:+vUpYxKvAF72G9i1WoDOiPGRtQpqsNW/ZHtSlv++smU= -github.com/containerd/go-cni v1.0.2/go.mod h1:nrNABBHzu0ZwCug9Ije8hL2xBCYh/pjfMb1aZGrrohk= -github.com/containerd/go-runc v0.0.0-20180907222934-5a6d9f37cfa3/go.mod h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= -github.com/containerd/go-runc v0.0.0-20190911050354-e029b79d8cda/go.mod 
h1:IV7qH3hrUgRmyYrtgEeGWJfWbgcHL9CSRruz2Vqcph0= -github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g= -github.com/containerd/go-runc v0.0.0-20201020171139-16b287bc67d0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= -github.com/containerd/go-runc v1.0.0/go.mod h1:cNU0ZbCgCQVZK4lgG3P+9tn9/PaJNmoDXPpoJhDR+Ok= -github.com/containerd/imgcrypt v1.0.1/go.mod h1:mdd8cEPW7TPgNG4FpuP3sGBiQ7Yi/zak9TYCG3juvb0= -github.com/containerd/imgcrypt v1.0.4-0.20210301171431-0ae5c75f59ba/go.mod h1:6TNsg0ctmizkrOgXRNQjAPFWpMYRWuiB6dSF4Pfa5SA= -github.com/containerd/imgcrypt v1.1.1-0.20210312161619-7ed62a527887/go.mod h1:5AZJNI6sLHJljKuI9IHnw1pWqo/F0nGDOuR9zgTs7ow= -github.com/containerd/imgcrypt v1.1.1/go.mod h1:xpLnwiQmEUJPvQoAapeb2SNCxz7Xr6PJrXQb0Dpc4ms= -github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFYfE5+So4M5syatU0N0f0LbWpuqyMi4/BE8c= -github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= -github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= -github.com/containerd/stargz-snapshotter/estargz v0.7.0/go.mod h1:83VWDqHnurTKliEB0YvWMiCfLDwv4Cjj1X9Vk98GJZw= -github.com/containerd/ttrpc v0.0.0-20190828154514-0e0f228740de/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= -github.com/containerd/ttrpc v0.0.0-20190828172938-92c8520ef9f8/go.mod h1:PvCDdDGpgqzQIzDW1TphrGLssLDZp2GuS+X5DkEJB8o= -github.com/containerd/ttrpc v0.0.0-20191028202541-4f1b8fe65a5c/go.mod h1:LPm1u0xBw8r8NOKoOdNMeVHSawSsltak+Ihv+etqsE8= -github.com/containerd/ttrpc v1.0.1/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= -github.com/containerd/ttrpc v1.0.2/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y= -github.com/containerd/typeurl v0.0.0-20180627222232-a93fcdb778cd/go.mod h1:Cm3kwCdlkCfMSHURc+r6fwoGH6/F1hH3S4sg0rLFWPc= -github.com/containerd/typeurl v0.0.0-20190911142611-5eb25027c9fd/go.mod 
h1:GeKYzf2pQcqv7tJ0AoCuuhtnqhva5LNU3U+OyKxxJpk= -github.com/containerd/typeurl v1.0.1/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg= -github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= -github.com/containerd/zfs v0.0.0-20200918131355-0a33824f23a2/go.mod h1:8IgZOBdv8fAgXddBT4dBXJPtxyRsejFIpXoklgxgEjw= -github.com/containerd/zfs v0.0.0-20210301145711-11e8f1707f62/go.mod h1:A9zfAbMlQwE+/is6hi0Xw8ktpL+6glmqZYtevJgaB8Y= -github.com/containerd/zfs v0.0.0-20210315114300-dde8f0fda960/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containerd/zfs v0.0.0-20210324211415-d5c4544f0433/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containerd/zfs v1.0.0/go.mod h1:m+m51S1DvAP6r3FcmYCp54bQ34pyOwTieQDNRIRHsFY= -github.com/containernetworking/cni v0.7.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/cni v0.8.0/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/cni v0.8.1/go.mod h1:LGwApLUm2FpoOfxTDEeq8T9ipbpZ61X79hmU3w8FmsY= -github.com/containernetworking/plugins v0.8.6/go.mod h1:qnw5mN19D8fIwkqW7oHHYDHVlzhJpcY6TQxn/fUyDDM= -github.com/containernetworking/plugins v0.9.1/go.mod h1:xP/idU2ldlzN6m4p5LmGiwRDjeJr6FLK6vuiUwoH7P8= -github.com/containers/ocicrypt v1.0.1/go.mod h1:MeJDzk1RJHv89LjsH0Sp5KTY3ZYkjXO/C+bKAeWFIrc= -github.com/containers/ocicrypt v1.1.0/go.mod h1:b8AOe0YR67uU8OqfVNcznfFpAzu3rdgUV4GP9qXPfu4= -github.com/containers/ocicrypt v1.1.1/go.mod h1:Dm55fwWm1YZAjYRaJ94z2mfZikIyIN4B0oB3dj3jFxY= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= -github.com/coreos/go-iptables v0.5.0/go.mod 
h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20161114122254-48702e0da86b/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= -github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 
-github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4= -github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ= -github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s= -github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8= -github.com/d2g/hardwareaddr v0.0.0-20190221164911-e7d9fbe030e4/go.mod h1:bMl4RjIciD2oAxI7DmWRx6gbeqrkoLqv3MV0vzNad+I= -github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0= -github.com/dgrijalva/jwt-go v0.0.0-20170104182250-a601269ab70c/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= -github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= -github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= -github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= 
-github.com/docker/distribution v0.0.0-20190905152932-14b96e55d84c/go.mod h1:0+TTO4EOBfRPhZXAeF1Vu+W3hHZ8eLp8PgKVZlcvtFY= -github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= -github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= -github.com/docker/go-events v0.0.0-20170721190031-9461782956ad/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= -github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= -github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI= -github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod 
h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= -github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= -github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= -github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= -github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= -github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= -github.com/fatih/color v1.9.0/go.mod 
h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= -github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= -github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= -github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= -github.com/garyburd/redigo v0.0.0-20150301180006-535138d7bcd7/go.mod h1:NR3MbYisc3/PwhQ00EMzDiPmrwpPxAn5GI05/YaO1SY= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= -github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= -github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= -github.com/go-ini/ini v1.25.4/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= 
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= -github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= -github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= -github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= -github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= -github.com/godbus/dbus v0.0.0-20151105175453-c7fdd8b5cd55/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= -github.com/godbus/dbus 
v0.0.0-20180201030542-885f9cc04c9c/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= -github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4= -github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/gogo/googleapis v1.2.0/go.mod h1:Njal3psf3qN6dwBtQfUmBZh2ybovJ0tlu3o/AC7HYjU= -github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod 
h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= -github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= -github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= -github.com/golang/protobuf v1.4.2/go.mod 
h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= 
-github.com/google/go-containerregistry v0.6.0/go.mod h1:euCCtNbZ6tKqi1E72vwDj2xZcN5ttKpZLfa/wSo5iLw= -github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= -github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod 
h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= -github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= 
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= -github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= -github.com/gruntwork-io/terratest v0.37.8 h1:XCkznySLTQfQiASqgHeqc47aT9xb3zdx4Gv6kN47bWc= -github.com/gruntwork-io/terratest v0.37.8/go.mod h1:CSHpZNJdqYQ+TUrigM100jcahRUV5X6w7K2kZJ8iylY= -github.com/gruntwork-io/terratest v0.38.1 h1:vymd5+mrynqre6b1GFGPMuKVE/ta38hGKssKNmVi3Kw= -github.com/gruntwork-io/terratest v0.38.1/go.mod h1:XzW8PL9pAGbLyiBdQ5OiAeWSNpZ/9ycItjYstSS2PV8= -github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= -github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= -github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= -github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-cleanhttp v0.5.1/go.mod 
h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= -github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= -github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= -github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I= -github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= -github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= -github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= -github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= -github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= -github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= -github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= -github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= -github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= -github.com/hashicorp/hcl/v2 v2.9.1/go.mod 
h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= -github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= -github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= -github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= -github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hashicorp/terraform-json v0.12.0 h1:8czPgEEWWPROStjkWPUnTQDXmpmZPlkQAwYYLETaTvw= -github.com/hashicorp/terraform-json v0.12.0/go.mod h1:pmbq9o4EuL43db5+0ogX10Yofv1nozM+wskr/bGFJpI= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA= -github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= -github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= -github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath 
v0.0.0-20160803190731-bd40a432e4c7/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= -github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= -github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= -github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= -github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= -github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= 
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.13.0/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= -github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= -github.com/kylelemons/godebug 
v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= -github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= -github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= -github.com/marstr/guid v1.1.0/go.mod h1:74gB1z2wpxxInTG6yaqA7KrtM0NZ+RbrcqDvYHefzho= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= -github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= -github.com/mattn/go-shellwords v1.0.3/go.mod h1:3xCvwCdWdlDJUrvuMn7Wuy9eWs4pE8vqg+NOMyg4B2o= -github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= -github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= 
-github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= -github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= -github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= -github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= -github.com/miekg/pkcs11 v1.0.3/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs= -github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible/go.mod h1:8AuVvqP/mXw1px98n46wfvcGfQ4ci2FwoAjKYxuo3Z4= -github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= -github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= -github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= -github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= -github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= -github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= -github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= -github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/osext 
v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= -github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= -github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= -github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= -github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= -github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= 
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20151202141238-7f8ab55aaf3b/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= -github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
-github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0-rc1.0.20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= -github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.0.0/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/opencontainers/runc v0.0.0-20190115041553-12f6a991201f/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc8.0.20190926000215-3e425f80a8c9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc9/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= -github.com/opencontainers/runc v1.0.0-rc93/go.mod h1:3NOsor4w32B2tC0Zbl8Knk4Wg84SM2ImC1fxBuqJ/H0= -github.com/opencontainers/runtime-spec v0.1.2-0.20190507144316-5b71a03e2700/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.2-0.20190207185410-29686dbc5559/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-spec v1.0.3-0.20200929063507-e6143ca7d51d/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/runtime-tools v0.0.0-20181011054405-1d69bd0f9c39/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs= -github.com/opencontainers/selinux v1.6.0/go.mod h1:VVGKuOLlE7v4PJyT6h7mNWvq1rzqiriPsEqVhc+svHE= -github.com/opencontainers/selinux v1.8.0/go.mod 
h1:RScLhm78qiWa2gbVCcGkC7tCGdgk3ogry1nUQF8Evvo= -github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= -github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc= -github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= -github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= -github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= -github.com/prometheus/client_golang v0.0.0-20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.1/go.mod 
h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= -github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= -github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod 
h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/prometheus/procfs v0.0.5/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= -github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= -github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= -github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= -github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= -github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= -github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/russross/blackfriday/v2 v2.1.0/go.mod 
h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= -github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= -github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= -github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= -github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= -github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= -github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= -github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= -github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= -github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey 
v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag 
v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= -github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= -github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= -github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= -github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= -github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod 
h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= -github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= -github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= -github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= -github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= -github.com/vishvananda/netns v0.0.0-20180720170159-13995c7128cc/go.mod h1:ZjcWmFBXmLKZu9Nxj3WKYEafiSqer2rnvPr0en9UNpI= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= 
-github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0= -github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= -github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= -github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= -github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= -github.com/willf/bitset v1.1.11-0.20200630133818-d5bec3311243/go.mod h1:RjeCKbqT1RxIR/KWY6phxZiaY1IyutSBfGjNPySAYV4= -github.com/willf/bitset v1.1.11/go.mod h1:83CECat5yLh5zVOf4P1ErAgKA5UDvKtgyUABdr3+MjI= -github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= -github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= -github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= -github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= -github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= -github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod 
h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= -github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= -github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= -github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= -github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= -github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= -github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg= -go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= -go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= -go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= -go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= 
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= -go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= -golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto 
v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= -golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8= -golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= -golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= -golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= -golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp 
v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= -golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= -golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= -golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= -golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= -golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= -golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= -golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/mobile 
v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= -golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= -golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= -golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= -golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net 
v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190619014844-b5b0513f8c1b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= -golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME= -golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= -golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 
v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys 
v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190514135907-3a4b5fb9f71f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190522044717-8097e1b27ff5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190602015325-4c4f7f33c9ed/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190812073006-9eafafc0a87e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200817155316-9781c653f443/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200916030750-2334cc1a136f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200922070232-aee5d888a860/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201117170446-d9b008d0a637/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.3.3 
h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= -golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= -golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod 
h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= -golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= -golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod 
h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= -golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= -golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors 
v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= -gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= -gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= -google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= -google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= -google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= -google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= -google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= -google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= -google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= 
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= -google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= -google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= -google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= -google.golang.org/api v0.44.0/go.mod h1:EBOGZqzyhtvMDoxwS97ctnh0zUmYY6CxqXsc1AvkYD8= -google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= -google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= -google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= -google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk= -google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto 
v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190522204451-c2c4e71fbf69/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= -google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= -google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= -google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= -google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= 
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= -google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= -google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod 
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= -google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= -google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= -google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= -google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= -google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= -google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= -google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod 
h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= -google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= -google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= -google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= -google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod 
h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= -google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= -gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= 
-gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= -gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= -honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= -honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= -k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= -k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= -k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ= -k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= -k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= -k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= -k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= -k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= -k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= -k8s.io/apiserver v0.20.4/go.mod 
h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= -k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= -k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= -k8s.io/client-go v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= -k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= -k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= -k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= -k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= -k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= -k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= -k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= -k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI= -k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= -k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= -k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= -k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= -k8s.io/cri-api v0.20.6/go.mod h1:ew44AjNXwyn1s0U4xCKGodU7J1HzBeZ1MpGrpa5r8Yc= -k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog 
v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= -k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= -k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= -k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= -k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= -k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= -modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= -modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= -modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= -modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= -rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= -rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= -rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod 
h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg= -sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= -sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= -sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.0.3/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/test/simple_test.go b/test/simple_test.go deleted file mode 100644 index 716b6266..00000000 --- a/test/simple_test.go +++ /dev/null 
@@ -1,56 +0,0 @@ -package test - -import ( - "testing" - - "github.com/google/uuid" - "github.com/gruntwork-io/terratest/modules/aws" - "github.com/gruntwork-io/terratest/modules/terraform" -) - -func TestSimpleExampleApply(t *testing.T) { - bucketName := uuid.NewString() - awsRegion := aws.GetRandomStableRegion(t, nil, nil) - - registryTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: "../examples/simple", - Vars: map[string]interface{}{ - "audit_s3_bucket_name": bucketName, - "region": awsRegion, - }, - NoColor: true, - }) - defer terraform.Destroy(t, registryTerraformOptions) - - terraform.InitAndApply(t, registryTerraformOptions) -} - -func TestDiffFromMaster(t *testing.T) { - bucketName := uuid.NewString() - awsRegion := aws.GetRandomStableRegion(t, nil, nil) - - registryTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: "./fixtures/simple_registry", - Vars: map[string]interface{}{ - "audit_s3_bucket_name": bucketName, - "region": awsRegion, - }, - NoColor: true, - }) - defer terraform.Destroy(t, registryTerraformOptions) - - terraform.InitAndApply(t, registryTerraformOptions) - - localTerraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ - TerraformDir: "./fixtures/simple_local", - Vars: map[string]interface{}{ - "audit_s3_bucket_name": bucketName, - "region": awsRegion, - }, - NoColor: true, - MigrateState: true, - }) - planResult := terraform.InitAndPlan(t, localTerraformOptions) - - t.Log(planResult) -} diff --git a/variables.tf b/variables.tf index ae94dbef..a942f3c9 100644 --- a/variables.tf +++ b/variables.tf 
@@ -4,19 +4,23 @@ variable "aws_account_id" { description = "The AWS Account ID number of the account." + type = string } variable "region" { description = "The AWS region in which global resources are set up." + type = string } variable "account_type" { description = "The type of the AWS account. The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise." + type = string default = "individual" } variable "master_account_id" { description = "The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`." + type = string default = "" } @@ -29,8 +33,15 @@ variable "member_accounts" { default = [] } +variable "permissions_boundary_arn" { + description = "The permissions boundary ARN for all IAM Roles, provisioned by this module" + type = string + default = "" +} + variable "target_regions" { description = "A list of regions to set up with this module." + type = list(string) default = [ "ap-northeast-1", "ap-northeast-2", @@ -54,6 +65,7 @@ variable "target_regions" { variable "tags" { description = "Specifies object tags key and value. This applies to all resources created by this module." + type = map(string) default = { } } 
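Review bot: `account_type` now has `type = string`, but the three values its description lists (`individual`, `master`, `member`) are still not enforced, so a misspelt value passes type checking and is only noticed, if at all, by whatever logic branches on it elsewhere in the module. If the module's minimum Terraform version supports variable validation, a `validation` block with `condition = contains(["individual", "master", "member"], var.account_type)` and a matching `error_message` would reject it at plan time. The description on the same variable also has an unbalanced backtick (``Use individual` otherwise``) and the misspelling "centalized", which could be fixed while the block is being touched.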
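Review bot: The new `permissions_boundary_arn` defaults to `""`, and its description does not say what an empty value means. Presumably no boundary is attached to the module's IAM roles unless the caller sets one, but the code that consumes the variable is outside this hunk. I would state that in the description, for example `description = "The permissions boundary ARN for all IAM roles provisioned by this module. Leave empty to attach no boundary."`. It is also worth confirming that every role the module creates reads this variable, because a boundary applied to only some of the roles gives a misleading sense of containment.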
@@ -61,177 +73,184 @@ variable "tags" { # -------------------------------------------------------------------------------------------------- # Variables for audit log bucket configurations. # -------------------------------------------------------------------------------------------------- + variable "audit_log_bucket_name" { description = "The name of the S3 bucket to store various audit logs." + type = string +} + +variable "audit_log_bucket_access_logs_name" { + description = "The name of the S3 bucket to store various audit logs." + type = string + default = "" } variable "audit_log_bucket_custom_policy_json" { description = "Override policy for the audit log bucket. Allows addition of extra policies." + type = string default = "{}" } +variable "audit_log_bucket_key_enabled" { + description = "Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket." + type = bool + default = false +} + variable "audit_log_lifecycle_glacier_transition_days" { - description = "The number of days after log creation when the log file is archived into Glacier." - default = 90 + description = "The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition." + type = number + default = 0 } variable "audit_log_bucket_force_destroy" { description = "A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable." + type = bool default = false } variable "use_external_audit_log_bucket" { description = "A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false." + type = bool default = false } # -------------------------------------------------------------------------------------------------- # Variables for iam-baseline module. 
# -------------------------------------------------------------------------------------------------- -variable "create_password_policy" { - type = bool - description = "Define if the password policy should be created." - default = true -} -variable "create_master_role" { +variable "iam_baseline_enabled" { + description = "Boolean whether iam-baseline is enabled." type = bool - description = "Define if the master role should be created." default = true } -variable "create_manager_role" { +variable "create_password_policy" { + description = "Define if the password policy should be created." type = bool - description = "Define if the manager role should be created." default = true } variable "create_support_role" { - type = bool description = "Define if the support role should be created." + type = bool default = true } -variable "master_iam_role_name" { - description = "The name of the IAM Master role." - default = "IAM-Master" -} - -variable "master_iam_role_policy_name" { - description = "The name of the IAM Master role policy." - default = "IAM-Master-Policy" -} - -variable "manager_iam_role_name" { - description = "The name of the IAM Manager role." - default = "IAM-Manager" -} - -variable "manager_iam_role_policy_name" { - description = "The name of the IAM Manager role policy." - default = "IAM-Manager-Policy" -} - variable "support_iam_role_name" { description = "The name of the the support role." + type = string default = "IAM-Support" } -variable "support_iam_role_policy_name" { - description = "The name of the support role policy." - default = "IAM-Support-Role" -} - variable "support_iam_role_principal_arns" { - type = list(any) + type = list(string) description = "List of ARNs of the IAM principal elements by which the support role could be assumed." } variable "max_password_age" { description = "The number of days that an user password is valid." 
+ type = number default = 0 } variable "minimum_password_length" { description = "Minimum length to require for user passwords." + type = number default = 14 } variable "password_reuse_prevention" { description = "The number of previous passwords that users are prevented from reusing." + type = number default = 24 } variable "require_lowercase_characters" { description = "Whether to require lowercase characters for user passwords." - default = false + type = bool + default = true } variable "require_numbers" { description = "Whether to require numbers for user passwords." - default = false + type = bool + default = true } variable "require_uppercase_characters" { description = "Whether to require uppercase characters for user passwords." - default = false + type = bool + default = true } variable "require_symbols" { description = "Whether to require symbols for user passwords." - default = false + type = bool + default = true } variable "allow_users_to_change_password" { description = "Whether to allow users to change their own password." + type = bool default = true } # -------------------------------------------------------------------------------------------------- # Variables for vpc-baseline module. # -------------------------------------------------------------------------------------------------- + variable "vpc_enable" { description = "Boolean whether the VPC baseline module should be enabled" + type = bool default = true } variable "vpc_iam_role_name" { description = "The name of the IAM Role which VPC Flow Logs will use." + type = string default = "VPC-Flow-Logs-Publisher" } variable "vpc_iam_role_policy_name" { description = "The name of the IAM Role Policy which VPC Flow Logs will use." 
+ type = string default = "VPC-Flow-Logs-Publish-Policy" } variable "vpc_enable_flow_logs" { description = "The boolean flag whether to enable VPC Flow Logs in default VPCs" + type = bool default = true } variable "vpc_flow_logs_destination_type" { description = "The type of the logging destination. Valid values: cloud-watch-logs, s3" + type = string default = "cloud-watch-logs" } variable "vpc_flow_logs_log_group_name" { description = "The name of CloudWatch Logs group to which VPC Flow Logs are delivered." + type = string default = "default-vpc-flow-logs" } variable "vpc_flow_logs_retention_in_days" { description = "Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely." + type = number default = 365 } variable "vpc_flow_logs_s3_arn" { description = "ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3." + type = string default = "" } variable "vpc_flow_logs_s3_key_prefix" { description = "The prefix used when VPC Flow Logs delivers logs to the S3 bucket." + type = string default = "flow-logs" } 
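Review bot: `audit_log_bucket_access_logs_name` is added with the same description as `audit_log_bucket_name` ("The name of the S3 bucket to store various audit logs."), so the generated documentation cannot tell the two buckets apart. Judging by the name, it is the bucket that receives access logs for the audit log bucket. If that is right, something like `description = "The name of the S3 bucket to store access logs of the audit log bucket."` would say so, along with a note on what the empty default does. Separately, this hunk changes the default of `audit_log_lifecycle_glacier_transition_days` from 90 to 0, so existing callers that relied on the default stop archiving to Glacier on upgrade. That deserves an explicit upgrade note.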
@@ -239,53 +258,64 @@ variable "vpc_flow_logs_s3_key_prefix" { # -------------------------------------------------------------------------------------------------- # Variables for config-baseline module. # -------------------------------------------------------------------------------------------------- + variable "config_baseline_enabled" { description = "Boolean whether config-baseline is enabled." + type = bool default = true } variable "config_delivery_frequency" { description = "The frequency which AWS Config sends a snapshot into the S3 bucket." + type = string default = "One_Hour" } variable "config_iam_role_name" { description = "The name of the IAM Role which AWS Config will use." + type = string default = "Config-Recorder" } variable "config_iam_role_policy_name" { description = "The name of the IAM Role Policy which AWS Config will use." + type = string default = "Config-Recorder-Policy" } variable "config_s3_bucket_key_prefix" { description = "The prefix used when writing AWS Config snapshots into the S3 bucket." + type = string default = "config" } variable "config_sns_topic_name" { description = "The name of the SNS Topic to be used to notify configuration changes." + type = string default = "ConfigChanges" } variable "config_sns_topic_kms_master_key_id" { description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption" + type = string default = null } variable "config_aggregator_name" { description = "The name of the organizational AWS Config Configuration Aggregator." + type = string default = "organization-aggregator" } variable "config_aggregator_name_prefix" { description = "The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator." + type = string default = "config-for-organization-role" } variable "config_global_resources_all_regions" { description = "Record global resources in all regions. 
If false, only default region will record global resources." + type = bool default = false } 
@@ -293,68 +323,93 @@ variable "config_global_resources_all_regions" { # Variables for cloudtrail-baseline module. # -------------------------------------------------------------------------------------------------- +variable "cloudtrail_baseline_enabled" { + description = "Boolean whether cloudtrail-baseline is enabled." + type = bool + default = true +} + +variable "turn_off_organization_trail" { + description = "Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account." + type = bool + default = false +} + variable "cloudtrail_cloudwatch_logs_enabled" { description = "Specifies whether the trail is delivered to CloudWatch Logs." + type = bool default = true } variable "cloudtrail_cloudwatch_logs_group_name" { description = "The name of CloudWatch Logs group to which CloudTrail events are delivered." + type = string default = "cloudtrail-multi-region" } variable "cloudwatch_logs_retention_in_days" { description = "Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely." + type = number default = 365 } variable "cloudtrail_iam_role_name" { description = "The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group." + type = string default = "CloudTrail-CloudWatch-Delivery-Role" } variable "cloudtrail_iam_role_policy_name" { description = "The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group." + type = string default = "CloudTrail-CloudWatch-Delivery-Policy" } variable "cloudtrail_key_deletion_window_in_days" { description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days." 
+ type = number default = 10 } variable "cloudtrail_name" { description = "The name of the trail." + type = string default = "cloudtrail-multi-region" } variable "cloudtrail_sns_topic_enabled" { description = "Specifies whether the trail is delivered to a SNS topic." + type = bool default = true } variable "cloudtrail_sns_topic_name" { description = "The name of the SNS topic to link to the trail." + type = string default = "cloudtrail-multi-region-sns-topic" } variable "cloudtrail_s3_key_prefix" { description = "The prefix used when CloudTrail delivers events to the S3 bucket." + type = string default = "cloudtrail" } variable "cloudtrail_s3_object_level_logging_buckets" { description = "The list of S3 bucket ARNs on which to enable object-level logging." + type = list(string) default = ["arn:aws:s3:::"] # All S3 buckets } variable "cloudtrail_dynamodb_event_logging_tables" { description = "The list of DynamoDB table ARNs on which to enable event logging." + type = list(string) default = ["arn:aws:dynamodb"] # All DynamoDB tables } variable "cloudtrail_lambda_invocation_logging_lambdas" { description = "The list of lambda ARNs on which to enable invocation logging." + type = list(string) default = ["arn:aws:lambda"] # All lambdas } 
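Review bot: The description of `cloudtrail_key_deletion_window_in_days` says "Defaults to 30 days" while the declared default is `10`, and the new `type = number` still accepts values outside the 7 to 30 range the description requires. The text should read `Defaults to 10 days.`, or the default should change if 30 was intended. A `validation` block with `condition = var.cloudtrail_key_deletion_window_in_days >= 7 && var.cloudtrail_key_deletion_window_in_days <= 30` would reject a bad value at plan time rather than at the KMS API call. The added `turn_off_organization_trail` description also has a typo: `whether the disable` should be `whether to disable`.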
@@ -362,162 +417,213 @@ variable "cloudtrail_lambda_invocation_logging_lambdas" { # Variables for alarm-baseline module. # -------------------------------------------------------------------------------------------------- +variable "alarm_baseline_enabled" { + description = "Boolean whether alarm-baseline is enabled." + type = bool + default = true +} + variable "alarm_namespace" { description = "The namespace in which all alarms are set up." + type = string default = "CISBenchmark" } variable "alarm_sns_topic_name" { description = "The name of the SNS Topic which will be notified when any alarm is performed." + type = string default = "CISAlarm" } variable "alarm_sns_topic_kms_master_key_id" { description = "To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption" + type = string default = null } variable "unauthorized_api_calls_enabled" { description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "no_mfa_console_signin_enabled" { description = "The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false." + type = bool default = true } +variable "mfa_console_signin_allow_sso" { + description = "The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored." + type = bool + default = false +} + variable "root_usage_enabled" { description = "The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "iam_changes_enabled" { description = "The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "cloudtrail_cfg_changes_enabled" { description = "The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. 
No resources are created when set to false." + type = bool default = true } variable "console_signin_failures_enabled" { description = "The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "disable_or_delete_cmk_enabled" { description = "The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "s3_bucket_policy_changes_enabled" { description = "The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "aws_config_changes_enabled" { description = "The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "security_group_changes_enabled" { description = "The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "nacl_changes_enabled" { description = "The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "network_gw_changes_enabled" { description = "The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "route_table_changes_enabled" { description = "The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } variable "vpc_changes_enabled" { description = "The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false." 
+ type = bool default = true } variable "organizations_changes_enabled" { description = "The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false." + type = bool default = true } # -------------------------------------------------------------------------------------------------- # Variables for guardduty-baseline module. # -------------------------------------------------------------------------------------------------- + variable "guardduty_enabled" { description = "Boolean whether the guardduty-baseline module is enabled or disabled" + type = bool default = true } variable "guardduty_disable_email_notification" { description = "Boolean whether an email notification is sent to the accounts." + type = bool default = false } variable "guardduty_finding_publishing_frequency" { description = "Specifies the frequency of notifications sent for subsequent finding occurrences." + type = string default = "SIX_HOURS" } variable "guardduty_invitation_message" { description = "Message for invitation." + type = string default = "This is an automatic invitation message from guardduty-baseline module." } # -------------------------------------------------------------------------------------------------- # Variables for s3-baseline module. # -------------------------------------------------------------------------------------------------- + +variable "s3_baseline_enabled" { + description = "Boolean whether s3-baseline is enabled." + type = bool + default = true +} + variable "s3_block_public_acls" { description = "Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true." + type = bool default = true } variable "s3_block_public_policy" { description = "Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true." 
+ type = bool default = true } variable "s3_ignore_public_acls" { description = "Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true." + type = bool default = true } variable "s3_restrict_public_buckets" { description = "Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true." + type = bool default = true } # -------------------------------------------------------------------------------------------------- # Variables for securityhub-baseline module. # -------------------------------------------------------------------------------------------------- + variable "securityhub_enabled" { description = "Boolean whether the securityhub-baseline module is enabled or disabled" + type = bool default = true } variable "securityhub_enable_cis_standard" { description = "Boolean whether CIS standard is enabled." + type = bool default = true } variable "securityhub_enable_pci_dss_standard" { description = "Boolean whether PCI DSS standard is enabled." + type = bool default = false } variable "securityhub_enable_aws_foundational_standard" { description = "Boolean whether AWS Foundations standard is enabled." + type = bool default = true } @@ -530,7 +636,15 @@ variable "securityhub_enable_product_arns" { # -------------------------------------------------------------------------------------------------- # Variables for analyzer-baseline module. # -------------------------------------------------------------------------------------------------- + +variable "analyzer_baseline_enabled" { + description = "Boolean whether analyzer-baseline is enabled." + type = bool + default = true +} + variable "analyzer_name" { description = "The name for the IAM Access Analyzer resource to be created." + type = string default = "default-analyzer" } diff --git a/vpc_baselines.tf b/vpc_baselines.tf index 4bb08b5d..fd2ed472 100644 --- a/vpc_baselines.tf +++ b/vpc_baselines.tf 
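Review bot: The description of the new `mfa_console_signin_allow_sso` does not say what setting it to `true` does to the alarm's coverage. From the name and text it presumably excludes SSO-based console sign-ins from the `no_mfa_console_signin` metric filter, so sign-ins through that path would no longer raise the alarm; the filter itself is not visible in this hunk. I would spell that out, e.g. `description = "When true, console sign-ins made through SSO are excluded from the no_mfa_console_signin alarm, on the assumption that MFA is enforced by the identity provider."`. The new `alarm_baseline_enabled` and `s3_baseline_enabled` switches would similarly benefit from a sentence on which controls stop being managed when they are set to `false`.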
@@ -1,8 +1,7 @@ locals { - is_enabled = var.vpc_enable - is_cw_logs = local.is_enabled && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "cloud-watch-logs") - is_s3 = local.is_enabled && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "s3") - flow_logs_s3_arn = local.is_s3 ? ( + flow_logs_to_cw_logs = var.vpc_enable && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "cloud-watch-logs") + flow_logs_to_s3 = var.vpc_enable && var.vpc_enable_flow_logs && (var.vpc_flow_logs_destination_type == "s3") + flow_logs_s3_arn = local.flow_logs_to_s3 ? ( var.vpc_flow_logs_s3_arn != "" ? var.vpc_flow_logs_s3_arn : local.audit_log_bucket_arn ) : "" } @@ -11,8 +10,9 @@ locals { # Create an IAM Role for publishing VPC Flow Logs into CloudWatch Logs group. # Reference: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-iam # -------------------------------------------------------------------------------------------------- + data "aws_iam_policy_document" "flow_logs_publisher_assume_role_policy" { - count = local.is_cw_logs ? 1 : 0 + count = local.flow_logs_to_cw_logs ? 1 : 0 statement { principals { @@ -24,16 +24,18 @@ data "aws_iam_policy_document" "flow_logs_publisher_assume_role_policy" { } resource "aws_iam_role" "flow_logs_publisher" { - count = local.is_cw_logs ? 1 : 0 + count = local.flow_logs_to_cw_logs ? 1 : 0 name = var.vpc_iam_role_name assume_role_policy = data.aws_iam_policy_document.flow_logs_publisher_assume_role_policy[0].json + permissions_boundary = var.permissions_boundary_arn + tags = var.tags } data "aws_iam_policy_document" "flow_logs_publish_policy" { - count = local.is_cw_logs ? 1 : 0 + count = local.flow_logs_to_cw_logs ? 1 : 0 statement { actions = [ 
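Review bot: The new `permissions_boundary = var.permissions_boundary_arn` on `aws_iam_role.flow_logs_publisher` has no comment on what the boundary must allow. A role's effective permissions are the intersection of its policies and its boundary, so a boundary that omits the CloudWatch Logs actions granted by `flow_logs_publish_policy` (its action list lies outside this hunk) would leave flow-log delivery failing with no plan-time error. A short comment above the argument would help, such as `# The boundary must allow the CloudWatch Logs actions granted in flow_logs_publish_policy, or flow log delivery fails.` The declaration and default of `permissions_boundary_arn` are not visible here; confirm it defaults to `null` so existing callers see no change.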
@@ -48,7 +50,7 @@ data "aws_iam_policy_document" "flow_logs_publish_policy" { } resource "aws_iam_role_policy" "flow_logs_publish_policy" { - count = local.is_cw_logs ? 1 : 0 + count = local.flow_logs_to_cw_logs ? 1 : 0 name = var.vpc_iam_role_policy_name role = aws_iam_role.flow_logs_publisher[0].id 
@@ -62,341 +64,324 @@ resource "aws_iam_role_policy" "flow_logs_publish_policy" { # -------------------------------------------------------------------------------------------------- module "vpc_baseline_ap-northeast-1" { + count = var.vpc_enable && contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ap-northeast-2" { + count = var.vpc_enable && contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-2") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ap-northeast-3" { + count = var.vpc_enable && contains(var.target_regions, "ap-northeast-3") ? 
1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-3") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ap-south-1" { + count = var.vpc_enable && contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-south-1 } - enabled = local.is_enabled && contains(var.target_regions, "ap-south-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ap-southeast-1" { + count = var.vpc_enable && contains(var.target_regions, "ap-southeast-1") ? 
1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = local.is_enabled && contains(var.target_regions, "ap-southeast-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ap-southeast-2" { + count = var.vpc_enable && contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = local.is_enabled && contains(var.target_regions, "ap-southeast-2") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_ca-central-1" { + count = var.vpc_enable && contains(var.target_regions, "ca-central-1") ? 
1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.ca-central-1 } - enabled = local.is_enabled && contains(var.target_regions, "ca-central-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_eu-central-1" { + count = var.vpc_enable && contains(var.target_regions, "eu-central-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.eu-central-1 } - enabled = local.is_enabled && contains(var.target_regions, "eu-central-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_eu-north-1" { + count = var.vpc_enable && contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.eu-north-1 } - enabled = local.is_enabled && contains(var.target_regions, "eu-north-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? 
aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_eu-west-1" { + count = var.vpc_enable && contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.eu-west-1 } - enabled = local.is_enabled && contains(var.target_regions, "eu-west-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_eu-west-2" { + count = var.vpc_enable && contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.eu-west-2 } - enabled = local.is_enabled && contains(var.target_regions, "eu-west-2") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? 
aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_eu-west-3" { + count = var.vpc_enable && contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.eu-west-3 } - enabled = local.is_enabled && contains(var.target_regions, "eu-west-3") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_sa-east-1" { + count = var.vpc_enable && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.sa-east-1 } - enabled = local.is_enabled && contains(var.target_regions, "sa-east-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_us-east-1" { + count = var.vpc_enable && contains(var.target_regions, "us-east-1") ? 
1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.us-east-1 } - enabled = local.is_enabled && contains(var.target_regions, "us-east-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_us-east-2" { + count = var.vpc_enable && contains(var.target_regions, "us-east-2") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.us-east-2 } - enabled = local.is_enabled && contains(var.target_regions, "us-east-2") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_us-west-1" { + count = var.vpc_enable && contains(var.target_regions, "us-west-1") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.us-west-1 } - enabled = local.is_enabled && contains(var.target_regions, "us-west-1") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? 
aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags } module "vpc_baseline_us-west-2" { + count = var.vpc_enable && contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/vpc-baseline" providers = { aws = aws.us-west-2 } - enabled = local.is_enabled && contains(var.target_regions, "us-west-2") enable_flow_logs = var.vpc_enable_flow_logs flow_logs_destination_type = var.vpc_flow_logs_destination_type flow_logs_log_group_name = var.vpc_flow_logs_log_group_name - flow_logs_iam_role_arn = local.is_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days flow_logs_s3_arn = local.flow_logs_s3_arn flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix - tags = var.tags }
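Review bot: Existing state is not migrated for the seventeen `vpc_baseline_*` calls in this hunk: replacing the `enabled` input with a module-level `count` moves every resource inside them to an indexed address (`module.vpc_baseline_us-east-1` becomes `module.vpc_baseline_us-east-1[0]`). Unless that is handled elsewhere in the commit, an upgrade would plan to destroy and recreate those resources, which for flow logs and their log groups means a gap in network logging and possibly the loss of retained records. I would add one `moved` block per region with `from = module.vpc_baseline_us-east-1` and `to = module.vpc_baseline_us-east-1[0]` (this needs Terraform 1.1 or later), or document the equivalent `terraform state mv` steps in the upgrade notes. The calls also lose `tags = var.tags`; it is worth confirming the resources are still tagged some other way.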