Gruntwork, an organization focused on creating reusable infrastructure code, announced the general availability of CIS Service Catalog and CIS Reference Architecture 2.0. Center for Internet Security (CIS) benchmarks are internationally recognized as security standards for defending IT systems and data against cyberattacks. Existing and future users of Gruntwork can now rapidly get started with a production-ready AWS technology stack and AWS services.
In her blog post, Ana Krivokapić, principal software engineer at Gruntwork, provided the details about the announcement. Compliant with CIS Amazon Web Services Foundations Benchmark, the CIS Service Catalog will provide high-level services to combine multiple Terraform modules into a single unit ready to be deployed to production.
Each service will include Terraform code to provide the infrastructure, packer templates to build Amazon Machine Images for specific components, along with scripts, documentation, and automated tests.
As an example, Krivokapić mentioned below code snippet which can be used for deploying a CIS-compliant VPC to block access to remote server administration ports. This is in accordance with CIS recommendation 5.1 and 5.2.
module "vpc" {
# Replace <VERSION> with the most recent release from thehttps://github.com/gruntwork-io/terraform-aws-cis-service-catalog/releases:
source = "<git::git@github.com>:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc?ref=<VERSION>" # Set the basic required variables first
vpc_name = "example-vpc"
aws_region = "us-east-1"
cidr_block = "10.2.0.0/16"
num_nat_gateways = 1 # Other params omitted to keep the example simple
}
One more example is Gruntwork Landing Zone for AWS, which creates a CIS-Compliant AWS Landing Zone. The module comprises of services such as AWS CloudTrail, AWS Config, GuardDuty, EBS encryption, aligned with other CIS requirements.
Providing the background of the 2.0 version of the Gruntwork Reference architecture, Krivokapić said that the Reference Architecture is an end-to-end architecture to run the entire infrastructure on AWS, managed as code. It includes CIS-compliant Landing Zone, VPC, EKS, deployed "in about one day".
Using the Gruntwork CIS Service Catalog in its entirety, the Reference Architecture version 2.0 includes Gruntwork Landing Zone Subscription, Gruntwork Pipelines Solution, along with the following improvements:
- latest
terragrunt
features such as- generate blocks for DRY provider configurations
- dependency blocks for explicit dependency management the modules
read_terragrunt_config
for DRY configuration variables
- compatibility with Terraform 0.14.x
- improved CIS Reference Architecture, compliant with version 1.3.0
- build scripts for building AMIs and Docker images
- cross account sharing of encrypted AMIs
- end-to-end encryption by default
Users will only need to maintain live infrastructure configurations such as AWS regions, instance types, disk size, domain names, etc.
On a related topic, Gruntwork has created a production readiness checklist, which aligns with their mission to "Make it 10x easier to understand, build and deploy software". Recently, they have also released CIS-Compliant Amazon EKS Cluster and HIPAA-compliant reference applications.