Advanced IaC Security Patterns

Advanced IaC Security Patterns

Modular IaC design enhances security by encapsulating best practices: a secure module provides a pre-validated configuration for a common infrastructure pattern, and teams consume that module rather than writing the resources from scratch. Module versioning lets consumers pin a known-good release and adopt security improvements deliberately, without breaking existing deployments. Note that the relative-path sources in the example below (`../secure-alb`, `../secure-asg`, `../waf-rules`) are not versioned; that benefit only applies once the modules are published to a registry or tagged in Git and consumers pin a `version` or `ref`.

# Secure Terraform module example
# modules/secure-web-app/main.tf

locals {
  # Tags stamped on every resource this module creates. Caller-supplied
  # var.tags go first in merge(), so the module's own markers win on key
  # collisions. SecurityReviewed is a self-asserted label, not evidence of a
  # review — treat it as informational only.
  common_tags = merge(var.tags, {
    Module           = "secure-web-app"
    ManagedBy        = "terraform"
    SecurityReviewed = "true"
  })
}

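# Application Load Balancer with security features
module "alb" {
  source = "../secure-alb"

  name       = "${var.name_prefix}-alb"
  vpc_id     = var.vpc_id
  subnet_ids = var.public_subnet_ids

  # Security configurations
  # Deletion protection is only forced in production so ephemeral
  # environments remain disposable.
  enable_deletion_protection = var.environment == "production"
  enable_http2               = true
  # Requests with header names that are not valid HTTP tokens are dropped
  # rather than forwarded to targets.
  drop_invalid_header_fields = true

  # SSL/TLS configuration
  # ELBSecurityPolicy-TLS-1-2-2017-01 (the previous value) is a legacy
  # TLS 1.2-only policy that still negotiates CBC cipher suites and has no
  # TLS 1.3 support. The 2021 TLS 1.3 policy keeps TLS 1.2 clients working
  # while dropping the weaker suites.
  ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn = var.certificate_arn

  # Logging
  # NOTE(review): var.logs_bucket needs a bucket policy that lets the ELB
  # log-delivery principal for this region write objects; otherwise access
  # logging is accepted at plan time but never delivers — confirm the bucket
  # is provisioned that way.
  access_logs_enabled = true
  access_logs_bucket  = var.logs_bucket

  # WAF association
  # NOTE(review): this attaches a caller-supplied ACL, while module "waf"
  # further down creates its own; nothing visible in this file wires
  # module.waf to this ALB. Confirm which ACL is meant to front the app.
  web_acl_id = var.waf_web_acl_id

  tags = local.common_tags
}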

# Auto Scaling Group with security hardening
module "asg" {
  source = "../secure-asg"

  # Placement: instances live in the private subnets and register with the
  # target groups created by module.alb.
  name_prefix       = "${var.name_prefix}-asg"
  vpc_id            = var.vpc_id
  subnet_ids        = var.private_subnet_ids
  target_group_arns = module.alb.target_group_arns

  # Launch template inputs. data.aws_ami.hardened is declared outside this
  # listing; its filters decide whether the AMI is pinned or floats to the
  # newest build — check that before assuming reproducible deployments.
  image_id             = data.aws_ami.hardened.id
  instance_type        = var.instance_type
  # NOTE(review): passing a key pair keeps SSH in the access model; if SSM
  # Session Manager is the intended path, consider passing null here.
  key_name             = var.key_name
  iam_instance_profile = module.instance_profile.name

  # Volume encryption with the caller's KMS key (presumably applied by the
  # module to the launch template's block devices — confirm in ../secure-asg).
  encrypted  = true
  kms_key_id = var.kms_key_id

  ebs_optimized     = true
  enable_monitoring = true

  # IMDSv2 only: session tokens are mandatory and the PUT response hop limit
  # of 1 stops metadata responses crossing a network hop (e.g. out of a
  # container's NAT'd namespace).
  # NOTE(review): hop limit 1 also blocks legitimate IMDS use from containers
  # on these hosts — raise to 2 only if that is a supported workload.
  metadata_options = {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # Bootstrap script with the CloudWatch agent and OSSEC configs rendered
  # into it. User data is readable by any principal allowed
  # ec2:DescribeInstanceAttribute, so none of these files may carry secrets.
  user_data = base64encode(templatefile("${path.module}/user-data.sh", {
    cloudwatch_config = file("${path.module}/cloudwatch-config.json")
    ossec_config      = file("${path.module}/ossec.conf")
  }))

  tags = local.common_tags
}

# WAF configuration
module "waf" {
  source = "../waf-rules"

  name_prefix = "${var.name_prefix}-waf"

  # Managed protections enabled unconditionally; the actual rule groups
  # behind these flags are defined in ../waf-rules, not here.
  enable_ip_reputation            = true
  enable_sql_injection_protection = true
  enable_xss_protection           = true

  # Rate limiting.
  # NOTE(review): 2000 is presumably requests per source IP per WAFv2
  # 5-minute window — confirm the unit the module expects and size it against
  # real traffic; too low blocks legitimate users, too high is not a control.
  enable_rate_limiting = true
  rate_limit_value     = 2000

  # Geo blocking driven by the caller's country list.
  # NOTE(review): if var.blocked_countries is empty this likely blocks
  # nothing — add input validation if blocking is mandatory for this app.
  enable_geo_blocking = true
  blocked_countries   = var.blocked_countries

  # Caller-defined rules are forwarded to the module; review them as
  # carefully as the managed sets, since a permissive custom rule can
  # allow-list traffic the managed rules would have blocked.
  custom_rules = var.waf_custom_rules

  # NOTE(review): nothing in this file associates this ACL with module.alb,
  # which receives var.waf_web_acl_id instead — confirm the intended wiring.
  tags = local.common_tags
}

# Outputs for security validation
# NOTE(review): every value below except waf_enabled is a literal, so this
# output does not validate anything — it reports "true" even if the modules
# it describes drift or are changed. Derive these from module outputs (or
# drop the output) before anything downstream treats it as evidence.
output "security_validations" {
  value = {
    # Mirrors the literal encrypted = true passed to module.asg above.
    encryption_enabled = true
    # Reflects only the caller-supplied ACL attached to the ALB, not the ACL
    # created by module.waf.
    waf_enabled       = var.waf_web_acl_id != null
    # Mirrors access_logs_enabled = true passed to module.alb above.
    logging_enabled   = true
    # NOTE(review): nothing in this module configures backups; this claim is
    # unsupported by any visible resource or module input.
    backup_enabled    = true
    # Mirrors http_tokens = "required" passed to module.asg above.
    metadata_v2_only  = true
  }
}