
Add Terraform modules for ACSC Windows Hardening deployment (Azure + AWS) #2

Draft
devnomadic with Copilot wants to merge 6 commits into main from copilot/add-terraform-module

Conversation

Copilot AI commented Dec 28, 2025


Implements Infrastructure-as-Code deployment for ACSC hardening policies via Terraform, automating storage provisioning, GitHub release integration, and policy configuration. Includes complete implementations for both Azure and AWS.

Module Structure

The Terraform modules are organized by cloud provider:

terraform/
├── README.md          # Overview and comparison of both modules
├── azure/             # Azure implementation
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   ├── policy.tf
│   ├── terraform.tfvars.example
│   └── README.md
└── aws/               # AWS implementation
    ├── main.tf
    ├── variables.tf
    ├── outputs.tf
    ├── iam.tf
    ├── ssm.tf
    ├── terraform.tfvars.example
    └── README.md

Azure Module

  • main.tf - Storage account, container, blob management; GitHub release API integration; SAS token generation
  • policy.tf - Azure Policy definitions and assignments for High/Medium priority configurations; managed identity and RBAC setup
  • variables.tf - Input validation for subscription, resource group, storage account, configuration level, assignment type
  • outputs.tf - Sensitive SAS URIs, policy IDs, managed identity principals, release metadata
  • terraform.tfvars.example - Reference configuration

AWS Module

  • main.tf - S3 bucket with encryption/versioning, GitHub release integration, package uploads
  • iam.tf - IAM roles, policies, and instance profile for EC2 instances
  • ssm.tf - SSM documents and State Manager associations for automated DSC application and remediation
  • variables.tf - AWS-specific inputs (region, bucket name, schedule, target tags)
  • outputs.tf - S3 bucket details, SSM document names, IAM resources, release metadata
  • terraform.tfvars.example - Reference configuration

Key Implementation Details

GitHub Release Integration

data "http" "github_release" {
  # A conditional that spans lines has to be wrapped in parentheses; otherwise HCL
  # ends the argument at the first newline and fails to parse the "?" line.
  url = (var.release_version != ""
    ? "https://api.github.com/repos/${var.github_repo}/releases/tags/${var.release_version}"
    : "https://api.github.com/repos/${var.github_repo}/releases/latest")
}

Automatically discovers and downloads MOF packages, hash files, and policy definitions from releases (used by both modules).

SAS Token Generation (Azure)

data "azurerm_storage_account_blob_container_sas" "high_priority" {
  connection_string = azurerm_storage_account.acsc.primary_connection_string
  container_name    = azurerm_storage_container.acsc.name
  # timestamp() is re-evaluated on every plan, so the token (and anything that
  # embeds it, such as the policy content URI) is regenerated on each apply.
  start             = timestamp()
  # Validity window expressed in hours: 8760 hours per configured year.
  expiry            = timeadd(timestamp(), format("%dh", var.sas_token_expiry_years * 8760))
  permissions {
    read = true # read-only: the extension only needs to fetch the package
  }
}

Generates read-only SAS tokens with configurable expiry for Guest Configuration extension access.

SSM Document Implementation (AWS)

resource "aws_ssm_document" "high_priority_dsc" {
  name            = "ACSC-HighPriority-DSC"
  document_type   = "Command"
  # PowerShell script to download from S3 and apply DSC
}

resource "aws_ssm_association" "high_priority" {
  name                = aws_ssm_document.high_priority_dsc.name
  schedule_expression = var.remediation_schedule
  targets {
    key    = "tag:${var.target_tag_key}"
    values = [var.target_tag_value]
  }
}

Creates SSM documents that download packages from S3 and apply DSC configurations on a configurable schedule.

Error Handling

  • Asset lookup validates GitHub release contains required files
  • Hash parsing handles both "HASH FILENAME" and "HASH" formats
  • Empty URL detection prevents HTTP data source failures
  • Count-based conditional deployment for High/Medium priorities

Configuration Options

Azure Module

  • configuration_level: Deploy HighPriority, MediumPriority, or All
  • assignment_type: ApplyAndMonitor (apply once) or ApplyAndAutoCorrect (continuous enforcement)
  • sas_token_expiry_years: Token validity period (default: 2 years)

AWS Module

  • configuration_level: Deploy HighPriority, MediumPriority, or All
  • remediation_schedule: State Manager execution frequency (default: rate(30 minutes))
  • target_tag_key / target_tag_value: EC2 tags to target for hardening (default: ACSC-Hardening=Enabled)
  • enable_versioning: Enable S3 bucket versioning (default: true)
  • enable_encryption: Enable S3 server-side encryption (default: true)

Documentation

  • terraform/README.md - Overview of both Azure and AWS modules with comparison table
  • terraform/azure/README.md - Comprehensive guide covering prerequisites, variables, outputs, authentication methods, troubleshooting, cost estimation
  • terraform/aws/README.md - Complete documentation with Quick Start, prerequisites, variables, troubleshooting, and implementation details
  • README.md - Updated to position Terraform as primary deployment method with paths to both modules

Multi-Cloud Support

The module structure supports both Azure and AWS implementations:

Azure → AWS Service Mappings:

  • Azure Storage Account → S3 Bucket
  • Azure Machine Configuration → AWS Systems Manager State Manager
  • Azure Policy → Systems Manager Compliance
  • Managed Identity → IAM Instance Profile
  • SAS Token → S3 Direct Access via IAM

Notes

  • Storage blobs/objects use source_content which loads packages into Terraform state. Current ACSC packages (~10MB) are well within practical limits.
  • Azure policy mode uses Indexed rather than deprecated Microsoft.GuestConfiguration for provider compatibility.
  • AWS implementation requires EC2 instances to have SSM Agent installed and be tagged with target tags.
  • Both modules validated successfully with terraform validate.
Original prompt

This section details the original issue you should resolve.

<issue_title>Add Terraform Module</issue_title>
<issue_description>Create Terraform module to:

1 - Create a storage account for DSC MOF
2 - Upload MOF files from Github release
3 - Generate SAS token link
4 - Create policy machine configuration definition & assignment</issue_description>

Comments on the Issue (you are @copilot in this section)


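The PR description above covers the release lookup, the asset and hash handling, and the error checks as separate items. The following is an added example, not code from this PR or its repository, that ties them together in one Terraform configuration: it pins a release tag, indexes the assets by name so that a missing file fails the plan with a clear error, parses the hash file in either of the two layouts the description mentions, caches the binary package through the http provider's base64 attribute, and refuses to continue unless the digest matches. The variable names, the asset names (ACSC-HighPriority.zip and its .sha256 companion), the optional github_token and the .cache path are all assumptions.

```hcl
# Added example (not the PR's code). Assumed: variable names, asset naming,
# the .cache directory and the optional github_token variable.
terraform {
  required_version = ">= 1.3"
  required_providers {
    http = {
      source  = "hashicorp/http"
      version = ">= 3.2" # response_body_base64 for binary assets
    }
    local = {
      source  = "hashicorp/local"
      version = ">= 2.3" # content_sha256 attribute on local_file
    }
  }
}

variable "github_repo" {
  description = "owner/repo that publishes the hardening releases"
  type        = string
}

variable "release_version" {
  description = "Release tag to pin; empty string resolves the latest release"
  type        = string
  default     = ""
}

variable "github_token" {
  description = "Optional token; anonymous GitHub API calls are rate limited (assumed variable)"
  type        = string
  default     = ""
  sensitive   = true
}

variable "package_asset" {
  description = "Name of the MOF package asset (assumed naming)"
  type        = string
  default     = "ACSC-HighPriority.zip"
}

variable "hash_asset" {
  description = "Name of the SHA256 asset for the package (assumed naming)"
  type        = string
  default     = "ACSC-HighPriority.zip.sha256"
}

# Resolve the release. Pinning a tag keeps the plan reproducible; "latest" moves.
data "http" "github_release" {
  url = (var.release_version != ""
    ? "https://api.github.com/repos/${var.github_repo}/releases/tags/${var.release_version}"
    : "https://api.github.com/repos/${var.github_repo}/releases/latest")

  # The Authorization header is only emitted when a token was supplied.
  request_headers = merge(
    { Accept = "application/vnd.github+json" },
    { for k, v in { Authorization = "Bearer ${var.github_token}" } : k => v if var.github_token != "" }
  )

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "GitHub release lookup returned HTTP ${self.status_code}."
    }
  }
}

locals {
  release = jsondecode(data.http.github_release.response_body)
  # asset name -> download URL; indexing a missing name fails the plan and names the key.
  assets = { for a in local.release.assets : a.name => a.browser_download_url }
}

data "http" "package" {
  url = local.assets[var.package_asset]
}

data "http" "hash_file" {
  url = local.assets[var.hash_asset]
}

locals {
  # Accept "HASH  FILENAME" (sha256sum layout) or a bare "HASH": the first 64 hex
  # characters at the start of the file are the digest, case-folded for comparison.
  expected_sha256 = lower(regex("^\\s*([0-9A-Fa-f]{64})", data.http.hash_file.response_body)[0])
}

# Write the binary asset to a local cache. A zip is not valid UTF-8, so it goes
# through the base64 attribute rather than response_body.
resource "local_file" "package" {
  filename       = "${path.module}/.cache/${var.package_asset}"
  content_base64 = data.http.package.response_body_base64

  lifecycle {
    postcondition {
      condition     = self.content_sha256 == local.expected_sha256
      error_message = "SHA256 of ${var.package_asset} does not match ${var.hash_asset}; refusing to publish it."
    }
  }
}

output "package_sha256" {
  description = "Verified digest, reusable as the policy content hash or as an SSM document parameter"
  value       = local_file.package.content_sha256
}
```

The cached file, rather than the HTTP response body, is what should be handed to the storage resource: azurerm_storage_blob's source and aws_s3_object's source take a file path, which keeps the zip out of Terraform state (the Notes section above accepts that cost for source_content) and avoids pushing binary data through a string attribute. The verified digest is the value to fix in the Azure policy definition's content hash or in the SSM document, so that the instance side can check what it downloads against what was published.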

Copilot AI and others added 3 commits December 28, 2025 15:32
Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
…output descriptions

Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Create Terraform module for storage account and configuration" to "Add Terraform module for ACSC Windows Hardening deployment" on Dec 28, 2025
Copilot AI requested a review from devnomadic December 28, 2025 15:38
@devnomadic

Owner

@copilot Can a Terraform module be created for an AWS implementation?

Copilot AI commented Dec 30, 2025

Author

@copilot Can a Terraform module be created for an AWS implementation?

Yes, an AWS implementation is technically feasible. The equivalent AWS services would be:

Azure → AWS Mapping:

  • Azure Storage Account → S3 bucket
  • Azure Machine Configuration → AWS Systems Manager State Manager
  • Azure Policy → AWS Config Rules / Systems Manager Compliance
  • DSC packages → SSM Documents (AWS-ApplyDSCMofs)

Implementation approach:

  1. S3 bucket for DSC MOF packages with pre-signed URLs
  2. Systems Manager State Manager associations to apply DSC configurations
  3. Systems Manager Compliance for drift detection and reporting
  4. IAM roles/policies for EC2 instances

However, there are key differences:

  • AWS Systems Manager DSC support is more limited than Azure Machine Configuration
  • AWS doesn't have direct equivalent to Azure's Guest Configuration extension auto-install
  • DSC on AWS requires SSM agent and proper IAM instance profiles pre-configured
  • Windows hardening via DSC on AWS typically uses AWS-RunPowerShellScript with DSC modules

Would you like me to create an AWS-specific Terraform module in a separate directory (e.g., terraform-aws/)? This would be a new module alongside the existing Azure implementation.

@devnomadic

Owner

@copilot yes, maybe nest azure and aws directories under terraform?

…ctory

Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>

Copilot AI commented Dec 30, 2025

Author

@copilot yes, maybe nest azure and aws directories under terraform?

Done! Reorganized the structure in commit 0bb8d94:

New Structure:

terraform/
├── README.md          # Overview of both modules
├── azure/             # Azure implementation (moved from terraform/)
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   ├── policy.tf
│   ├── terraform.tfvars.example
│   ├── README.md
│   └── .gitignore
└── aws/               # AWS implementation (placeholder)
    └── README.md      # Detailed roadmap and architecture

The Azure module has been moved to terraform/azure/ and validated successfully. The AWS directory includes a comprehensive placeholder README with planned architecture, features, and implementation roadmap.

Updated paths:

  • Quick Start now references cd terraform/azure
  • Main README reflects the nested structure
  • All Terraform validation passes in new location

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: /usr/local/bin/terraform terraform version (dns block)
    • Triggering command: /usr/local/bin/terraform terraform init (dns block)
    • Triggering command: /usr/local/bin/terraform terraform validate (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "Add Terraform module for ACSC Windows Hardening deployment" to "Add Terraform modules for ACSC Windows Hardening deployment (Azure + AWS)" on Dec 30, 2025
@devnomadic

Owner

@copilot where is the aws terraform module?

Copilot AI commented Dec 30, 2025

Author

@copilot where is the aws terraform module?

The AWS Terraform module is currently a placeholder at terraform/aws/README.md with "Status: Under Development". It contains planned architecture and features but no actual Terraform code yet.

The directory structure exists:

terraform/aws/
└── README.md  # Roadmap and architecture only

Would you like me to implement the AWS module now? It would include:

  • main.tf - S3 bucket, GitHub release integration, pre-signed URLs
  • variables.tf - AWS-specific inputs (region, bucket name, etc.)
  • outputs.tf - S3 URLs, SSM document IDs
  • ssm.tf - Systems Manager documents and State Manager associations
  • iam.tf - IAM roles and policies for EC2 instances
  • terraform.tfvars.example - Example configuration

The implementation would follow the architecture described in the AWS README.

@devnomadic

Owner

@copilot yes

Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>

Copilot AI commented Dec 30, 2025

Author

@copilot yes

AWS Terraform module implemented in commit 3506a2c!

Module includes:

  • main.tf - S3 bucket with encryption/versioning, GitHub release integration, package uploads
  • iam.tf - IAM role, policies, and instance profile for EC2 instances
  • ssm.tf - SSM documents and State Manager associations for both High/Medium priority
  • variables.tf - AWS-specific variables (region, bucket name, schedule, tags)
  • outputs.tf - S3 bucket details, SSM document names, IAM resources, release info
  • terraform.tfvars.example - Example configuration
  • README.md - Updated with Quick Start, prerequisites, and troubleshooting

Quick Start:

cd terraform/aws
cp terraform.tfvars.example terraform.tfvars
terraform init
terraform apply
aws ec2 create-tags --resources i-INSTANCE-ID --tags Key=ACSC-Hardening,Value=Enabled

Validated successfully with terraform validate. See terraform/aws/README.md for full documentation.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: /usr/local/bin/terraform terraform version (dns block)
    • Triggering command: /usr/local/bin/terraform terraform init (dns block)
    • Triggering command: /usr/local/bin/terraform terraform validate (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
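The Quick Start above tags an instance and lets State Manager apply whatever the SSM document downloads from S3. The following is an added example, not the module's ssm.tf or iam.tf, of a Command document that checks the package's SHA256 against a value fixed at deploy time before it touches DSC, together with the matching association and a least-privilege read policy for the instance role. Assumptions: the variable names and defaults, the object key, that the package zip carries one .mof plus a Modules folder of DSC resources (the Machine Configuration package layout), and that AWS Tools for PowerShell (Read-S3Object) is present, as it is on Amazon's Windows AMIs.

```hcl
# Added example (not the PR's code). Assumed: variable names and defaults, the
# object key, the package layout and the presence of AWS Tools for PowerShell.
variable "bucket_name" { type = string }

variable "package_key" {
  type    = string
  default = "high-priority/ACSC-HighPriority.zip" # assumed key
}

variable "package_sha256" {
  description = "Hex SHA256 of the package fixed at deploy time, e.g. taken from the release hash file"
  type        = string
  validation {
    condition     = can(regex("^[0-9a-fA-F]{64}$", var.package_sha256))
    error_message = "package_sha256 must be a 64-character hex digest."
  }
}

variable "target_tag_key" {
  type    = string
  default = "ACSC-Hardening"
}

variable "target_tag_value" {
  type    = string
  default = "Enabled"
}

variable "remediation_schedule" {
  type    = string
  default = "rate(30 minutes)"
}

# Least privilege for the instance role: read exactly the package object, nothing else in the bucket.
data "aws_iam_policy_document" "read_package" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/${var.package_key}"]
  }
}

output "read_package_policy_json" {
  value = data.aws_iam_policy_document.read_package.json
}

resource "aws_ssm_document" "high_priority_dsc" {
  name          = "ACSC-HighPriority-DSC"
  document_type = "Command"

  content = jsonencode({
    schemaVersion = "2.2"
    description   = "Download, verify and apply the ACSC High Priority DSC configuration."
    parameters = {
      Bucket = { type = "String", default = var.bucket_name }
      Key    = { type = "String", default = var.package_key }
      Sha256 = { type = "String", default = lower(var.package_sha256), allowedPattern = "^[0-9a-f]{64}$" }
    }
    mainSteps = [{
      action = "aws:runPowerShellScript"
      name   = "verifyAndApplyDsc"
      inputs = {
        timeoutSeconds = "1800"
        runCommand = [<<-EOT
          $ErrorActionPreference = 'Stop'
          $work = Join-Path $env:ProgramData 'ACSC\HighPriority'
          if (Test-Path $work) { Remove-Item -Path $work -Recurse -Force }
          New-Item -ItemType Directory -Force -Path $work | Out-Null
          $zip = Join-Path $work 'package.zip'
          Read-S3Object -BucketName '{{ Bucket }}' -Key '{{ Key }}' -File $zip | Out-Null
          # Refuse anything whose digest differs from the value baked into the document.
          $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash.ToLower()
          if ($actual -ne '{{ Sha256 }}') { throw "SHA256 mismatch for {{ Key }}: got $actual" }
          Expand-Archive -Path $zip -DestinationPath $work -Force
          # DSC resource modules shipped in the package must be on the module path (assumed layout).
          $mods = Join-Path $work 'Modules'
          if (Test-Path $mods) { Copy-Item -Path "$mods\*" -Destination "$env:ProgramFiles\WindowsPowerShell\Modules" -Recurse -Force }
          # Start-DscConfiguration applies <ComputerName>.mof, so stage the MOF as localhost.mof.
          $mof = Get-ChildItem -Path $work -Filter '*.mof' -Recurse | Select-Object -First 1
          $cfg = Join-Path $work 'config'
          New-Item -ItemType Directory -Force -Path $cfg | Out-Null
          Copy-Item -Path $mof.FullName -Destination (Join-Path $cfg 'localhost.mof') -Force
          Start-DscConfiguration -Path $cfg -Wait -Force -Verbose
          Test-DscConfiguration -Detailed | Select-Object -ExpandProperty InDesiredState
        EOT
        ]
      }
    }]
  })
}

resource "aws_ssm_association" "high_priority" {
  name                = aws_ssm_document.high_priority_dsc.name
  association_name    = "ACSC-HighPriority-DSC"
  schedule_expression = var.remediation_schedule
  compliance_severity = "HIGH" # failed runs surface in Systems Manager Compliance

  targets {
    key    = "tag:${var.target_tag_key}"
    values = [var.target_tag_value]
  }
}
```

The policy document is meant to be attached to the instance role the module's iam.tf creates; granting s3:GetObject on the single object rather than s3:* on the bucket means a compromised instance cannot read or replace other packages. Because the digest is a document parameter with a default, changing the package means re-applying Terraform with the new package_sha256, which is the point: an object swapped in the bucket out of band is rejected on the next State Manager run instead of being applied.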


Development

Successfully merging this pull request may close these issues.

Add Terraform Module
