Add Terraform modules for ACSC Windows Hardening deployment (Azure + AWS)#2
devnomadic with Copilot wants to merge 6 commits into
Conversation
Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
…output descriptions Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
@copilot Can a Terraform module be created for an AWS implementation?
Yes, an AWS implementation is technically feasible. The equivalent AWS services would be: Azure → AWS Mapping:
Implementation approach:
However, there are key differences:
Would you like me to create an AWS-specific Terraform module in a separate directory (e.g.,

@copilot yes, maybe nest azure and aws directories under terraform?
…ctory Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
Done! Reorganized the structure in commit 0bb8d94: New Structure: The Azure module has been moved to Updated paths:
@copilot where is the aws terraform module?
The AWS Terraform module is currently a placeholder at The directory structure exists: Would you like me to implement the AWS module now? It would include:
The implementation would follow the architecture described in the AWS README.

@copilot yes
Co-authored-by: devnomadic <14085319+devnomadic@users.noreply.github.com>
AWS Terraform module implemented in commit 3506a2c! Module includes:
Quick Start:

    cd terraform/aws
    cp terraform.tfvars.example terraform.tfvars
    terraform init
    terraform apply
    aws ec2 create-tags --resources i-INSTANCE-ID --tags Key=ACSC-Hardening,Value=Enabled

Validated successfully with
Implements Infrastructure-as-Code deployment for ACSC hardening policies via Terraform, automating storage provisioning, GitHub release integration, and policy configuration. Includes complete implementations for both Azure and AWS.
Module Structure
The Terraform modules are organized by cloud provider:
Azure Module
AWS Module
Key Implementation Details
GitHub Release Integration
Automatically discovers and downloads MOF packages, hash files, and policy definitions from releases (used by both modules).
SAS Token Generation (Azure)
Generates read-only SAS tokens with configurable expiry for Guest Configuration extension access.
SSM Document Implementation (AWS)
Creates SSM documents that download packages from S3 and apply DSC configurations on a configurable schedule.
Error Handling
Configuration Options
Azure Module
- configuration_level: Deploy HighPriority, MediumPriority, or All
- assignment_type: ApplyAndMonitor (apply once) or ApplyAndAutoCorrect (continuous enforcement)
- sas_token_expiry_years: Token validity period (default: 2 years)

AWS Module

- configuration_level: Deploy HighPriority, MediumPriority, or All
- remediation_schedule: State Manager execution frequency (default: rate(30 minutes))
- target_tag_key/target_tag_value: EC2 tags to target for hardening (default: ACSC-Hardening=Enabled)
- enable_versioning: Enable S3 bucket versioning (default: true)
- enable_encryption: Enable S3 server-side encryption (default: true)

Documentation
Multi-Cloud Support
The module structure supports both Azure and AWS implementations:
Azure → AWS Service Mappings:
Notes
- source_content, which loads packages into Terraform state. Current ACSC packages (~10MB) are well within practical limits.
- Indexed rather than deprecated Microsoft.GuestConfiguration for provider compatibility.
- terraform validate.
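The PR description says the Azure module generates read-only SAS tokens with a configurable expiry for Guest Configuration access. The following is an added illustration of that pattern, not the module's own code: it uses the real `azurerm_storage_account_blob_container_sas` data source plus the `time_static` resource from the hashicorp/time provider so the token's start time is fixed in state instead of drifting on every plan. The storage account name, container name, the `mof_package_path` variable and the `sas_token_expiry_years` default are assumed values; only the variable name `sas_token_expiry_years` comes from the PR.

```hcl
# Added example (not the PR's code). Assumes azurerm and hashicorp/time providers are configured.
variable "sas_token_expiry_years" {
  type    = number
  default = 2 # matches the default stated in the PR description
}

variable "mof_package_path" {
  type        = string
  description = "Local path to the MOF package zip to upload (assumed variable)"
}

resource "azurerm_resource_group" "hardening" {
  name     = "rg-acsc-hardening-example" # placeholder name
  location = "australiaeast"
}

resource "azurerm_storage_account" "packages" {
  name                            = "stacscexample001" # placeholder, must be globally unique
  resource_group_name             = azurerm_resource_group.hardening.name
  location                        = azurerm_resource_group.hardening.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false # the container stays private; access is only via SAS
}

resource "azurerm_storage_container" "packages" {
  name                  = "guestconfig"
  storage_account_name  = azurerm_storage_account.packages.name
  container_access_type = "private"
}

resource "azurerm_storage_blob" "mof" {
  name                   = "ACSC-HighPriority.zip" # placeholder package name
  storage_account_name   = azurerm_storage_account.packages.name
  storage_container_name = azurerm_storage_container.packages.name
  type                   = "Block"
  source                 = var.mof_package_path
}

# Pin the token start time in state so the SAS does not change on every apply.
resource "time_static" "sas_start" {}

data "azurerm_storage_account_blob_container_sas" "mof" {
  connection_string = azurerm_storage_account.packages.primary_connection_string
  container_name    = azurerm_storage_container.packages.name
  https_only        = true
  start             = time_static.sas_start.rfc3339
  # timeadd() has no "year" unit, so express the expiry in hours (8760 h per year).
  expiry = timeadd(time_static.sas_start.rfc3339, "${var.sas_token_expiry_years * 8760}h")

  # Least privilege: the Guest Configuration extension only needs to read the package.
  permissions {
    read   = true
    add    = false
    create = false
    write  = false
    delete = false
    list   = false
  }
}

# The signed URL the guest configuration assignment would reference as its content URI.
output "mof_package_sas_url" {
  value     = "${azurerm_storage_blob.mof.url}${data.azurerm_storage_account_blob_container_sas.mof.sas}"
  sensitive = true
}
```

Because the SAS is derived from the account key, the output is marked `sensitive` so it is redacted from plan output; rotating the storage account key invalidates every token issued from it, which is the practical way to revoke access before the expiry date.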
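The AWS side of the description covers an S3 package bucket with versioning and encryption, an SSM document that downloads a package from S3 and applies the DSC configuration, and a State Manager schedule targeting instances by tag. The block below is an added example of that shape written for this page, not the module's implementation: the bucket name, document name, the S3 key layout, the local paths used on the instance and the hash-file convention (a `.sha256` file beside each package containing the hex digest) are all assumptions, while the `remediation_schedule`, `target_tag_key` and `target_tag_value` variables and their defaults come from the PR description. It also assumes the instances' profile grants `s3:GetObject` on the bucket and that `Read-S3Object` (AWS Tools for PowerShell) is available, as it is on Amazon-provided Windows AMIs.

```hcl
# Added example (not the PR's code). Assumes the aws provider is configured.
variable "remediation_schedule" {
  type    = string
  default = "rate(30 minutes)" # State Manager frequency, default from the PR description
}

variable "target_tag_key" {
  type    = string
  default = "ACSC-Hardening"
}

variable "target_tag_value" {
  type    = string
  default = "Enabled"
}

resource "aws_s3_bucket" "packages" {
  bucket = "acsc-hardening-packages-example" # placeholder, must be globally unique
}

# Versioning keeps earlier package revisions so a bad upload can be rolled back.
resource "aws_s3_bucket_versioning" "packages" {
  bucket = aws_s3_bucket.packages.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Server-side encryption at rest (SSE-S3).
resource "aws_s3_bucket_server_side_encryption_configuration" "packages" {
  bucket = aws_s3_bucket.packages.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Packages are fetched by instance role only; never expose them publicly.
resource "aws_s3_bucket_public_access_block" "packages" {
  bucket                  = aws_s3_bucket.packages.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_ssm_document" "apply_dsc" {
  name            = "ACSC-ApplyDscConfiguration" # placeholder document name
  document_type   = "Command"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "2.2"
    description   = "Download an ACSC DSC package from S3, verify its hash and apply it"
    parameters = {
      packageKey = {
        type        = "String"
        description = "S3 key of the package zip (assumed layout: <level>/<name>.zip)"
      }
    }
    mainSteps = [{
      action = "aws:runPowerShellScript"
      name   = "applyDsc"
      inputs = {
        runCommand = [
          "$ErrorActionPreference = 'Stop'",
          "$work = 'C:\\ProgramData\\ACSC'; New-Item -ItemType Directory -Force -Path $work | Out-Null",
          "Read-S3Object -BucketName ${aws_s3_bucket.packages.bucket} -Key {{ packageKey }} -File \"$work\\package.zip\"",
          # Assumed convention: a .sha256 hash file sits beside each package in the bucket.
          "Read-S3Object -BucketName ${aws_s3_bucket.packages.bucket} -Key '{{ packageKey }}.sha256' -File \"$work\\package.sha256\"",
          "$expected = (Get-Content \"$work\\package.sha256\" -Raw).Trim().ToLower()",
          "$actual = (Get-FileHash \"$work\\package.zip\" -Algorithm SHA256).Hash.ToLower()",
          "if ($actual -ne $expected) { throw \"Package hash mismatch: expected $expected, got $actual\" }",
          "Expand-Archive -Path \"$work\\package.zip\" -DestinationPath \"$work\\mof\" -Force",
          "Start-DscConfiguration -Path \"$work\\mof\" -Wait -Force -Verbose"
        ]
      }
    }]
  })
}

# State Manager re-runs the document on the schedule against every tagged instance.
resource "aws_ssm_association" "apply_dsc" {
  name                = aws_ssm_document.apply_dsc.name
  schedule_expression = var.remediation_schedule

  targets {
    key    = "tag:${var.target_tag_key}"
    values = [var.target_tag_value]
  }

  parameters = {
    packageKey = "HighPriority/ACSC-HighPriority.zip" # placeholder key
  }
}
```

The hash check is the step that matters for supply-chain safety: the instance role can read the bucket, so anyone who can write to it can change what gets applied, and verifying the package against a separately published digest (the PR mentions hash files shipped with the releases) is what turns a bucket write into a detectable failure instead of a silent configuration change. The `.sha256` sidecar layout is an assumption for this example; adapt it to whatever hash format the releases actually use.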