Commit 7234c29
Corrected Hash Links (#116)
This PR corrects many broken hash links
1 parent e483749 commit 7234c29

File tree

16 files changed

+124
-120
lines changed

_docs-sources/guides/build-it-yourself/6-achieve-compliance/2-production-grade-design/1-identity-and-access-management.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,7 @@ This code creates an IAM user called `support`, adds them to a new group called
8383
2. The policy is attached to an IAM group, not directly to the IAM user (recommendation 1.15).
8484

8585
3. Recommendation 1.17 specifically requires that the Support policy be used. You should attach it to a group, as
86-
shown here.
86+
shown here.
8787

8888
## Do not use full administrator privileges
8989

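Review bot: this hunk only re-indents the continuation line "shown here." at line 86; nothing visible changes and no link is touched, so it falls outside the "corrects broken hash links" scope stated in the commit message. Keeping it is fine as a whitespace cleanup, but the PR description should say that several hunks are indentation-only so reviewers don't hunt for a content change.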
@@ -275,7 +275,7 @@ aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>
275275
```
276276

277277
To automate this process you might decide to implement a Lambda function that runs on a regular schedule and removes
278-
all expired SSL/TLS certificates. Check out the [Apply the baseline to the root account](#apply_account_baseline_root), [Apply the to the logs account](#apply_account_baseline_logs) and [Apply the to the security account](#apply_account_baseline_security) section of the deployment walkthrough
278+
all expired SSL/TLS certificates. Check out the [Apply the baseline to the root account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/0-apply-account-baseline-root-to-root-account.md#apply-the-account-baseline-root-baseline-to-the-root-account), [Apply the to the logs account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/1-apply-account-baseline-app-to-logs-account.md) and [Apply the to the security account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/2-apply-account-baseline-security-to-security-account.md) section of the deployment walkthrough
279279
to see how this module is used from the Landing Zone account baselines and is deployed in each of your AWS accounts.
280280

281281
## IAM Access Analyzer
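Review bot: the link text on line 278 still reads "Apply the to the logs account" and "Apply the to the security account", which is missing the noun; since the line is being rewritten anyway, change both to "Apply the baseline to the logs account" / "... to the security account" to match the first link. Also, only the first of the three new links carries a fragment (`#apply-the-account-baseline-root-baseline-to-the-root-account`); a mismatched slug fails silently by scrolling to the top of the page, so verify it against the actual heading in `0-apply-account-baseline-root-to-root-account.md`, and either add matching fragments to the other two links or drop this one for consistency.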
@@ -285,7 +285,7 @@ AWS Account or Organization.
285285

286286
To achieve this compliance requirement, enable the IAM Access Analyzer service for every AWS region you have enabled in
287287
every one of your AWS accounts. Alternatively, you could make use of the [`iam-access-analyzer-multi-region`](https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/iam-access-analyzer-multi-region) module
288-
available in the Gruntwork Service Catalog, or if you’re following this guide, refer to [Apply the baseline to the root account](#apply_account_baseline_root), [Apply the to the logs account](#apply_account_baseline_logs) and [Apply the to the security account](#apply_account_baseline_security) sections of the
288+
available in the Gruntwork Service Catalog, or if you’re following this guide, refer to [Apply the baseline to the root account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/0-apply-account-baseline-root-to-root-account.md#apply-the-account-baseline-root-baseline-to-the-root-account), [Apply the to the logs account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/1-apply-account-baseline-app-to-logs-account.md) and [Apply the to the security account](../3-deployment-walkthrough/8-deploy-landing-zone-solution/2-apply-account-baseline-security-to-security-account.md) sections of the
289289
deployment walkthrough to see how this module is used from the Landing Zone account baselines and is deployed in each of your AWS accounts.
290290

291291
Once enabled, it will scan only within the boundaries of the AWS Account or Organization it has access to. Only specific
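Review bot: same link-text problem as in the hunk at line 278 of this file: "Apply the to the logs account" and "Apply the to the security account" on line 288 are missing the word "baseline". Fix the wording here too so both occurrences read the same.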

_docs-sources/guides/build-it-yourself/6-achieve-compliance/3-deployment-walkthrough/8-deploy-landing-zone-solution/0-apply-account-baseline-root-to-root-account.md

Lines changed: 16 additions & 16 deletions
@@ -291,29 +291,29 @@ The example code above does the following:
291291
1. **Create 6 child AWS accounts**. These accounts are described in more detail in the [How to configure a production-grade AWS account structure using Gruntwork AWS Landing Zone child accounts section](https://www.gruntwork.io/guides/foundations/how-to-configure-production-grade-aws-account-structure/#child_accounts).
292292

293293
2. **Associate an email address with each of the child accounts**. This will be the email address for the root user of
294-
each account and AWS requires that the root user’s email address is _globally_ unique, so it cannot be the email
295-
address you used for the root account or any of the other child accounts. You’ll have to either create multiple email
296-
accounts in your company’s email system, or, if your company uses Gmail (perhaps as part of G Suite), you can take
297-
advantage of the fact that [Gmail
298-
ignores everything after a plus sign in an email address](https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html), so that while AWS will see
299-
300-
`[email protected]` as three unique email addresses, Gmail will see them all as the same email
301-
address, `[email protected]`.
294+
each account and AWS requires that the root user’s email address is _globally_ unique, so it cannot be the email
295+
address you used for the root account or any of the other child accounts. You’ll have to either create multiple email
296+
accounts in your company’s email system, or, if your company uses Gmail (perhaps as part of G Suite), you can take
297+
advantage of the fact that [Gmail
298+
ignores everything after a plus sign in an email address](https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-more-from-your.html), so that while AWS will see
299+
300+
`[email protected]` as three unique email addresses, Gmail will see them all as the same email
301+
address, `[email protected]`.
302302

303303
3. **Mark one of the child accounts as a logs account**. We set `is_logs_account = true` on one of the child accounts
304-
to indicate it is the logs account where we will aggregate AWS Config, CloudTrail, IAM Access Analyzer, Security Hub and Amazon Macie data from all the other accounts.
305-
The `account-baseline-root` module will automatically create an S3 bucket for AWS Config and an S3 bucket and KMS CMK
306-
= for CloudTrail in this account and configure the root account to send all the AWS Config and CloudTrail data to these
307-
S3 buckets. Later on, you’ll configure all the other accounts to send their data to these S3 buckets too.
304+
to indicate it is the logs account where we will aggregate AWS Config, CloudTrail, IAM Access Analyzer, Security Hub and Amazon Macie data from all the other accounts.
305+
The `account-baseline-root` module will automatically create an S3 bucket for AWS Config and an S3 bucket and KMS CMK
306+
= for CloudTrail in this account and configure the root account to send all the AWS Config and CloudTrail data to these
307+
S3 buckets. Later on, you’ll configure all the other accounts to send their data to these S3 buckets too.
308308

309309
4. **Create IAM groups**. By default, `account-baseline-root` will **not** create a `full-access` IAM group as CIS requirement 1.16 guides. It will create a `support` and a `billing` IAM group (for the support and finance teams).
310310

311311
5. **Create IAM users**. For this example, we create `alice` and `bob`, adding `alice` to the `full-access`
312-
IAM group and `bob` to the `billing` IAM group. _Note_: your own IAM user (the one you created manually) should be
313-
in the `users` list; we’ll use the `import` command to put this user under Terraform management shortly.
312+
IAM group and `bob` to the `billing` IAM group. _Note_: your own IAM user (the one you created manually) should be
313+
in the `users` list; we’ll use the `import` command to put this user under Terraform management shortly.
314314

315315
6. **Generate a password for each user**. We encrypt this password with that user’s PGP key from Keybase (we’ll come
316-
back to how to handle the passwords shortly).
316+
back to how to handle the passwords shortly).
317317

318318
Pull in the [backend](https://www.terraform.io/docs/backends/) settings from a root `terragrunt.hcl` file that you
319319
`include` in each child `terragrunt.hcl`:
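Review bot: the stray "=" at the start of line 306 ("= for CloudTrail in this account ...") survives the re-indent in both the old and new versions; it renders as literal text in the middle of the sentence and should be removed while this line is being touched. Separately, the unchanged context on lines 309 and 311 contradict each other (line 309 says `account-baseline-root` will **not** create a `full-access` group, line 311 adds `alice` to the `full-access` IAM group); that is outside a link-fix PR, but worth a follow-up issue.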
@@ -581,6 +581,6 @@ Use this process to reset the password for the root user of each child account y
581581

582582
## Lock down the root user in the child accounts
583583

584-
Once you’re able to access the root user of each child account, you should follow the steps in [Lock down the root user](#lock_down_root_user)
584+
Once you’re able to access the root user of each child account, you should follow the steps in [Lock down the root user](../4-lock-down-the-root-user.md)
585585
for each of those child accounts—including enabling MFA and deleting the root user’s access keys—and (almost) never use
586586
those root users again.

_docs-sources/guides/build-it-yourself/6-achieve-compliance/3-deployment-walkthrough/8-deploy-landing-zone-solution/3-apply-account-baseline-app-to-other-child-accounts.md

Lines changed: 17 additions & 16 deletions
@@ -1,6 +1,7 @@
11
---
22
sidebar_label: Apply the account-baseline-app to the other child accounts
33
---
4+
45
# Apply the `account-baseline-app` to the other child accounts
56

67
Now that your **security** account is fully configured, you need to apply the security baseline to the remaining child
@@ -206,15 +207,15 @@ The code above does the following:
206207
2. **Enable AWS Config**. We’ve configured AWS Config to use the S3 bucket in the logs account.
207208

208209
3. **Configure the dev IAM role**. We create a `dev` IAM role in this account, which will get read and write access to
209-
the services specified in `dev_permitted_services`.
210+
the services specified in `dev_permitted_services`.
210211

211212
4. **Configure the Auto Deploy IAM role**. We also create an `auto-deploy` IAM role that can be assumed by a CI server
212-
in the `shared-services` account to do deployments. This role will have the permissions specified in
213-
`auto_deploy_permissions`.
213+
in the `shared-services` account to do deployments. This role will have the permissions specified in
214+
`auto_deploy_permissions`.
214215

215216
5. **Configure cross-account IAM roles**. We then specify which other accounts are allowed to assume the IAM roles in
216-
this account. For the most part, we grant all permissions to the security account, so that by assigning users to IAM
217-
groups in that account, you’ll be able to access IAM roles in all the other child accounts.
217+
this account. For the most part, we grant all permissions to the security account, so that by assigning users to IAM
218+
groups in that account, you’ll be able to access IAM roles in all the other child accounts.
218219

219220
Configure your Terraform backend:
220221

@@ -272,24 +273,24 @@ On some operating systems, such as MacOS, you may also need to increase your ope
272273
**Next, try authenticating as an IAM user to the child accounts:**
273274

274275
1. Use your IAM user’s user name and password (decrypted using keybase) to log into the web console of the security
275-
account (remember to use the IAM user sign-in URL for the security account).
276+
account (remember to use the IAM user sign-in URL for the security account).
276277

277-
2. Follow the steps in [Lock down the root account IAM users](#lock_down_iam_users) to lock down your IAM user in the security account. This includes
278-
configuring an MFA device for your IAM user.
278+
2. Follow the steps in [Lock down the root account IAM users](../6-lock-down-the-root-account-iam-users.md) to lock down your IAM user in the security account. This includes
279+
configuring an MFA device for your IAM user.
279280

280281
3. After configuring an MFA device, log out, and then log back into the security account again, this time providing your
281-
MFA token. If you don’t do this, attempting to assume IAM roles in other accounts won’t work, as those roles require
282-
an MFA token to be present.
282+
MFA token. If you don’t do this, attempting to assume IAM roles in other accounts won’t work, as those roles require
283+
an MFA token to be present.
283284

284285
4. Try to [switch to a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) in
285-
one of the other child accounts using the AWS Web Console. For example, authenticate as one of the IAM users in the
286-
security account, and then assume the `allow-full-access-from-other-accounts` role in the dev account (you can find
287-
the default list of IAM roles created in each account
288-
[here](https://github.com/gruntwork-io/module-security/tree/master/modules/cross-account-iam-roles#resources-created)).
286+
one of the other child accounts using the AWS Web Console. For example, authenticate as one of the IAM users in the
287+
security account, and then assume the `allow-full-access-from-other-accounts` role in the dev account (you can find
288+
the default list of IAM roles created in each account
289+
[here](https://github.com/gruntwork-io/module-security/tree/master/modules/cross-account-iam-roles#resources-created)).
289290

290291
5. Alternatively, you can use the `aws-vault login xxx` command to login to the AWS Web Console for any profile `xxx`
291-
that you’ve configured in `aws-vault`. For example, `aws-vault login logs-from-root` will open up your web browser
292-
and log you into the `logs` account using the `OrganizationAccountAccessRole` IAM Role.
292+
that you’ve configured in `aws-vault`. For example, `aws-vault login logs-from-root` will open up your web browser
293+
and log you into the `logs` account using the `OrganizationAccountAccessRole` IAM Role.
293294

294295
## Configure AWS Security Hub in the root account
295296

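Review bot: line 289 of the new text still links to `github.com/gruntwork-io/module-security/tree/master/modules/cross-account-iam-roles#resources-created`, while this same PR links the IAM Access Analyzer module under `github.com/gruntwork-io/terraform-aws-security` (1-identity-and-access-management.md, line 287). If that repository was renamed, the `module-security` URL is exactly the kind of stale link this PR is meant to fix; check it resolves, and if it redirects, update it to the `terraform-aws-security` path.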
_docs-sources/guides/reference-architecture/02-authenticate/02-setting-up-initial-access.md

Lines changed: 3 additions & 3 deletions
@@ -24,7 +24,7 @@ organization, AWS does _not_ allow you to set those passwords. So, to get the pa
2424
1. Click "Forgot your password" to reset the password.
2525
1. Check the email address associated with the root user account for a link you can use to create a new password.
2626

27-
Please note that the root user account can do just about *anything* in your AWS account, bypassing almost all security
27+
Please note that the root user account can do just about _anything_ in your AWS account, bypassing almost all security
2828
restrictions you put in place, so you need to take extra care with protecting this account. We **very strongly**
2929
recommend that when you reset the password for each account, you:
3030

@@ -60,7 +60,7 @@ Once you have access with the IAM user, be sure to do the following to finish co
6060

6161
1. **Enable MFA**. [Follow these instructions to enable
6262
MFA](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) for your IAM user. It takes
63-
less than a minute and_dramatically_ improves your security posture. Moreover, MFA is **required** by the Reference
63+
less than a minute and*dramatically* improves your security posture. Moreover, MFA is **required** by the Reference
6464
Architecture, and you won't be able to access any other accounts without it!
6565

6666
1. **Logout and log back in**. After enabling MFA, you need to log out and then log back in, thereby forcing AWS to
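Review bot: swapping `_dramatically_` for `*dramatically*` on line 63 does not address the actual defect, which is the missing space: `and*dramatically*` is still glued to "and", and whether intraword emphasis renders depends on the Markdown engine. Suggest `less than a minute and _dramatically_ improves`, which also keeps the underscore style this same file adopts two hunks earlier (`*anything*` changed to `_anything_` on line 27); as written, the two hunks move in opposite directions.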
@@ -133,7 +133,7 @@ A few notes about the code above:
133133

134134
To deploy this new code and create the new IAM users, you will need to:
135135

136-
1. **Authenticate**. [Authenticate to AWS via the CLI](#authenticate-to-aws-via-the-cli).
136+
1. **Authenticate**. [Authenticate to AWS via the CLI](04-authenticate-to-aws-via-the-cli.md).
137137

138138
1. **Apply your changes**. Run `terragrunt apply`.
139139

_docs-sources/guides/reference-architecture/02-authenticate/06-authenticate-to-the-vpn-server.md

Lines changed: 2 additions & 2 deletions
@@ -33,7 +33,7 @@ that has access to the SQS queues in those accounts.
3333

3434
To be able to assume an IAM role, your IAM user needs to be part of an IAM group with the proper permissions, such as
3535
`_account.xxx-full-access` or `_account.xxx-openvpn-users`, where `xxx` is the name of the account you want to access
36-
(`stage`, `prod`, etc). See [Configure other IAM users](#configure-other-iam-users) for instructions on adding users to
36+
(`stage`, `prod`, etc). See [Configure other IAM users](02-setting-up-initial-access.md#configure-other-iam-users) for instructions on adding users to
3737
IAM groups.
3838

3939
## Use openvpn-admin to generate a configuration file
@@ -43,7 +43,7 @@ to authenticate. To generate this configuration file, do the following:
4343

4444
1. Install the latest [openvpn-admin binary](https://github.com/gruntwork-io/terraform-aws-openvpn/releases) for your OS.
4545

46-
1. [Authenticate to AWS via the CLI](#authenticate-to-aws-via-the-cli). You will need to assume an IAM role in the AWS
46+
1. [Authenticate to AWS via the CLI](04-authenticate-to-aws-via-the-cli.md). You will need to assume an IAM role in the AWS
4747
account with the OpenVPN server you're trying to connect to. This IAM role must have access to the SQS queues used
4848
by OpenVPN server. Typically, the `allow-full-access-from-other-accounts` or
4949
`openvpn-server-allow-certificate-requests-for-external-accounts` IAM role is what you want.
Lines changed: 15 additions & 14 deletions
@@ -1,23 +1,24 @@
11
# Useful tips
22

33
- **Destroy resources in groups instead of all at once.**
4-
- There are [known instabilities](#known-errors) with destroying many modules at once. In addition, Terragrunt is
5-
designed to process the modules in a graph, and will not continue on if there is an error. This means that you
6-
could run into situations where Terragrunt has destroyed a module, but returns an error due to Terraform bugs that
7-
prevent you from cleanly calling destroy twice.
4+
5+
- There are [known instabilities](10-known-errors.md) with destroying many modules at once. In addition, Terragrunt is
6+
designed to process the modules in a graph, and will not continue on if there is an error. This means that you
7+
could run into situations where Terragrunt has destroyed a module, but returns an error due to Terraform bugs that
8+
prevent you from cleanly calling destroy twice.
89
- To address these instabilities, it is recommended to destroy the resources in groups. For example, you can start
9-
by destroying all the services first (e.g., `stage/REGION/stage/services`), then the data stores (e.g.,
10-
`stage/REGION/stage/data-stores`), and finally the networking resources (e.g., `stage/REGION/stage/networking`).
10+
by destroying all the services first (e.g., `stage/REGION/stage/services`), then the data stores (e.g.,
11+
`stage/REGION/stage/data-stores`), and finally the networking resources (e.g., `stage/REGION/stage/networking`).
1112
- When identifying groups to destroy, use [terragrunt
12-
graph-dependencies](https://terragrunt.gruntwork.io/docs/reference/cli-options/#graph-dependencies) to view the
13-
dependency graph so that you destroy the modules in the right order.
13+
graph-dependencies](https://terragrunt.gruntwork.io/docs/reference/cli-options/#graph-dependencies) to view the
14+
dependency graph so that you destroy the modules in the right order.
1415

1516
- **Empty + Delete S3 buckets using the web console (when destroying whole environments).**
16-
- As mentioned in [Pre-requisite: force_destroy on S3 buckets](#pre-requisite-force_destroy-on-s3-buckets), it is
17-
recommended to set `force_destroy = true` prior to running destroy so that terraform can destroy the S3 buckets.
18-
However, this can be cumbersome if you are destroying whole environments, as it can be difficult to flip the bit in
19-
every single module.
17+
- As mentioned in [Pre-requisite: force_destroy on S3 buckets](03-pre-requisite-force-destroy-on-s3-buckets.md), it is
18+
recommended to set `force_destroy = true` prior to running destroy so that terraform can destroy the S3 buckets.
19+
However, this can be cumbersome if you are destroying whole environments, as it can be difficult to flip the bit in
20+
every single module.
2021
- Instead, oftentimes it is faster and more convenient to first empty and then delete the buckets using the AWS web console prior to
21-
invoking `destroy` with `terragrunt`.
22+
invoking `destroy` with `terragrunt`.
2223
- **IMPORTANT**: You should only do this if you are intending on destroying an entire environment. Otherwise, it is
23-
too easy to accidentally delete the wrong S3 bucket.
24+
too easy to accidentally delete the wrong S3 bucket.
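Review bot: the blank line inserted at line 4, between the first bold bullet and its nested sub-bullets, has no counterpart after the second bold bullet ("Empty + Delete S3 buckets", line 16); the first group becomes a loose list and the second stays tight, so they render with different spacing. Either add the blank line after line 16 as well or drop the one at line 4. The two link fixes in this hunk (`10-known-errors.md`, `03-pre-requisite-force-destroy-on-s3-buckets.md`) look right.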

_docs-sources/guides/stay-up-to-date/terraform/5-how-to-update-to-aws-provider-v3/2-deployment-walkthrough.md

Lines changed: 1 addition & 1 deletion
@@ -154,7 +154,7 @@ updates).
154154
If you purchased the Gruntwork Reference Architecture, you will have a copy of the `infrastructure-live` and
155155
`infrastructure-modules` repositories that contain the infrastructure code for deploying the Reference Architecture. You
156156
will need to update the relevant code in `infrastructure-modules` to use a compatible version of the
157-
Gruntwork Infrastructure as Code Library, as per [the compatibility table](#compatibility-table) above.
157+
Gruntwork Infrastructure as Code Library, as per [the compatibility table](#version-compatibility-table) above.
158158

159159
To help guide you through the upgrade process, we have updated the Acme Reference Architecture examples to support AWS
160160
provider v3. You can refer to the following release notes for detailed information and code patches that you can apply