added comments, added example code, updated README

Mike Saintcross · Mike Saintcross · commit 994e2dc161df · 2023-03-02T19:49:20.000-05:00
diff --git a/README.md b/README.md
@@ -4,6 +4,8 @@ This solution builds an [EC2 Image Builder Pipeline](https://docs.aws.amazon.com
 
 The solution includes two [Cloudwatch Event Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html). One which triggers the start of the Container Image pipeline based on an [Inspector Finding](https://docs.aws.amazon.com/inspector/latest/user/findings-managing.html) of "High" or "Critical" so that insecure images are replaced, if Inspector and [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html) ["Enhanced Scanning"](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning-enhanced.html) are both enabled. The other Event Rule sends notifications to an [SQS Queue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html) after a successful Container Image push to the ECR Repository, to better enable consumption of new container images.
 
+In January 2023, [EC2 Image Builder added support for AWS Marketplace CIS Pre-Hardened images](https://aws.amazon.com/about-aws/whats-new/2023/01/ec2-image-builder-cis-benchmarks-security-hardening-amis/). This achieves a hardening goal, but is only for AMIs, not Container images, and you must sign-up for a [subscription](https://aws.amazon.com/marketplace/seller-profile?id=dfa1e6a8-0b7b-4d35-a59c-ce272caee4fc) in [AWS Marketplace](https://aws.amazon.com/marketplace) to CIS.
+
 ## Prerequisites
 
 * Terraform v.15+. [Download](https://www.terraform.io/downloads.html) and setup Terraform. Refer to the official Terraform [instructions](https://learn.hashicorp.com/collections/terraform/aws-get-started) to get started.
diff --git a/components.tf b/components.tf
@@ -13,4 +13,18 @@ resource "aws_s3_bucket_object" "component_files" {
   kms_key_id = aws_kms_key.this.id
 }
 
-# Add custom component resources below
+/* Add custom component resources below
+ The YAML file referenced in the URI attribute must exist in the files/ directory
+ Below is an example component. */ 
+/* resource "aws_imagebuilder_component" "example_custom_component" {
+  name       = "example-custom-component"
+  platform   = "Linux"
+  uri        = "s3://${var.aws_s3_ami_resources_bucket}/files/example-custom-component.yml"
+  version    = "1.0.0"
+  kms_key_id = aws_kms_key.this.arn
+
+  depends_on = [
+    aws_s3_bucket_object.component_files,
+    aws_kms_key.this
+  ]
+} */
diff --git a/config.tf b/config.tf
@@ -1,12 +1,3 @@
 provider "aws" {
   region = var.aws_region
-}
-
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 4.45.0"
-    }
-  }
 }
diff --git a/hardening-pipeline.tfvars b/hardening-pipeline.tfvars
@@ -1,11 +1,11 @@
 # Enter values for all of the following if you wish to avoid being prompted on each run.
-account_id                   = "012345678900"
-aws_region                   = "us-east-1"
+account_id                   = "063449332233"
+aws_region                   = "us-west-2"
 vpc_name                     = "example-hardening-pipeline-vpc"
-kms_key_alias                = "image-builder-container-key"
+kms_key_alias                = "image-builder-container-key-2"
 ec2_iam_role_name            = "example-hardening-instance-role"
 hardening_pipeline_role_name = "example-hardening-pipeline-role"
-aws_s3_ami_resources_bucket  = "example-hardening-ami-resources-bucket-0123"
+aws_s3_ami_resources_bucket  = "example-hardening-ami-resources-bucket-012345"
 image_name                   = "example-hardening-al2-container-image"
 ecr_name                     = "example-hardening-container-repo"
 recipe_version               = "1.0.0"
diff --git a/kms-key.tf b/kms-key.tf
@@ -1,3 +1,5 @@
+/* As this is intended to enable a Key Administrator in a multi-account structure
+the action and resource definition is broad */ 
 data "aws_iam_policy_document" "this" {
   statement {
     sid       = "Enable IAM User Permissions"
diff --git a/recipes.tf b/recipes.tf
@@ -9,7 +9,7 @@ resource "aws_imagebuilder_container_recipe" "container_image" {
 
   container_type    = "DOCKER"
   parent_image      = "amazonlinux:latest"
-  working_directory = "/etc"
+  working_directory = "/build"
 
   target_repository {
     repository_name = var.ecr_name
@@ -42,6 +42,9 @@ resource "aws_imagebuilder_container_recipe" "container_image" {
 
   # Add more component ARNs here to customize the recipe
   # You can also add custom components if you defined any in components.tf
+  /* component {
+    component_arn = aws_imagebuilder_component.example_custom_component.arn
+  } */
 
   dockerfile_template_data = <<EOF
 FROM {{{ imagebuilder:parentImage }}}
diff --git a/variables.tf b/variables.tf
@@ -24,7 +24,7 @@ variable "account_id" {
 
 variable "aws_region" {
   type        = string
-  default     = "us-east-2"
+  default     = "us-east-1"
   description = "Enter the AWS Region you wish to deploy in."
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+/* As this is intended to enable a Key Administrator in a multi-account structure`
	`2`	`+the action and resource definition is broad */`
`1`	`3`	`data "aws_iam_policy_document" "this" {`
`2`	`4`	`statement {`
`3`	`5`	`sid = "Enable IAM User Permissions"`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ variable "account_id" {`
`24`	`24`
`25`	`25`	`variable "aws_region" {`
`26`	`26`	`type = string`
`27`		`- default = "us-east-2"`
	`27`	`+ default = "us-east-1"`
`28`	`28`	`description = "Enter the AWS Region you wish to deploy in."`
`29`	`29`	`}`
`30`	`30`