Terraform AWS FIPS provider

Hey readers, I've noticed a lot of traffic going to my post on CentOS FIPS mode and figured you would like to hear about the Terraform AWS FIPS provider. If that sounds up your alley, keep reading; this will be very helpful.

Remember: FIPS VALIDATED, not FIPS compliant.

Why use Terraform AWS FIPS?

If you're working with the federal government you will need to meet FIPS 140-2 requirements: cryptographic modules that have been tested and validated against the FIPS 140-2 standard. I'll reiterate what I've said before: FIPS compliant is NOT FIPS validated. If in doubt, double-check that your implementation is on the FIPS validated list.

There's more to meeting this requirement than what's in this blog post, but what's here will satisfy it for the connection to your cloud provider. Just remember, this secures your API calls to the cloud; it's not the same as setting up security WITHIN your cloud. Depending on your architecture this might be all you need, but that's not likely.

Govcloud vs AWS East/West

I've included both providers in the GitHub repo. You'll notice the us-west-2 provider is more complete; this is because GovCloud is in us-west-2. I recommend sticking with us-west-2.

Terraform AWS FIPS provider github

Without further ado, here's the link to my GitHub repo for the Terraform AWS FIPS providers. I've even included a blank provider to make it easier to add more.

And an example of us-west-2 region’s FIPS provider:

provider "aws" {
    # region added for completeness; the FIPS endpoints below are region-specific
    region = "us-west-2"

    endpoints {
        acm              = "https://acm-fips.us-west-2.amazonaws.com"
        acmpca           = "https://acm-pca-fips.us-west-2.amazonaws.com"
        apigateway       = "https://apigateway-fips.us-west-2.amazonaws.com"
        appstream        = "https://appstream2-fips.us-west-2.amazonaws.com"
        cloudformation   = "https://cloudformation-fips.us-west-2.amazonaws.com"
        cloudfront       = "https://cloudfront-fips.amazonaws.com"
        cloudtrail       = "https://cloudtrail-fips.us-west-2.amazonaws.com"
        codebuild        = "https://codebuild-fips.us-west-2.amazonaws.com"
        codecommit       = "https://codecommit-fips.us-west-2.amazonaws.com"
        codedeploy       = "https://codedeploy-fips.us-west-2.amazonaws.com"
        cognitoidentity  = "https://cognito-identity-fips.us-west-2.amazonaws.com"
        cognitoidp       = "https://cognito-idp-fips.us-west-2.amazonaws.com"
        configservice    = "https://config-fips.us-west-2.amazonaws.com"
        datasync         = "https://datasync-fips.us-west-2.amazonaws.com"
        directconnect    = "https://directconnect-fips.us-west-2.amazonaws.com"
        dms              = "https://dms-fips.us-west-2.amazonaws.com"
        ds               = "https://ds-fips.us-west-2.amazonaws.com"
        dynamodb         = "https://dynamodb-fips.us-west-2.amazonaws.com"
        ec2              = "https://ec2-fips.us-west-2.amazonaws.com"
        ecr              = "https://ecr-fips.us-west-2.amazonaws.com"
        elasticache      = "https://elasticache-fips.us-west-2.amazonaws.com"
        elasticbeanstalk = "https://elasticbeanstalk-fips.us-west-2.amazonaws.com"
        elb              = "https://elasticloadbalancing-fips.us-west-2.amazonaws.com"
        emr              = "https://elasticmapreduce-fips.us-west-2.amazonaws.com"
        es               = "https://es-fips.us-west-2.amazonaws.com"
        fms              = "https://fms-fips.us-west-2.amazonaws.com"
        glacier          = "https://glacier-fips.us-west-2.amazonaws.com"
        guardduty        = "https://guardduty-fips.us-west-2.amazonaws.com"
        inspector        = "https://inspector-fips.us-west-2.amazonaws.com"
        kinesis          = "https://kinesis-fips.us-west-2.amazonaws.com"
        kms              = "https://kms-fips.us-west-2.amazonaws.com"
        lambda           = "https://lambda-fips.us-west-2.amazonaws.com"
        mq               = "https://mq-fips.us-west-2.amazonaws.com"
        pinpoint         = "https://pinpoint-fips.us-west-2.amazonaws.com"
        quicksight       = "https://fips-us-west-2.quicksight.aws.amazon.com"
        rds              = "https://rds-fips.us-west-2.amazonaws.com"
        redshift         = "https://redshift-fips.us-west-2.amazonaws.com"
        resourcegroups   = "https://resource-groups-fips.us-west-2.amazonaws.com"
        route53          = "https://route53-fips.amazonaws.com"
        s3               = "https://s3-fips.us-west-2.amazonaws.com"
        sagemaker        = "https://api-fips.sagemaker.us-west-2.amazonaws.com"
        secretsmanager   = "https://secretsmanager-fips.us-west-2.amazonaws.com"
        servicecatalog   = "https://servicecatalog-fips.us-west-2.amazonaws.com"
        ses              = "https://email-fips.us-west-2.amazonaws.com"
        # shield is a global service; its FIPS endpoint lives in us-east-1
        shield           = "https://shield-fips.us-east-1.amazonaws.com"
        sns              = "https://sns-fips.us-west-2.amazonaws.com"
        sqs              = "https://sqs-fips.us-west-2.amazonaws.com"
        ssm              = "https://ssm-fips.us-west-2.amazonaws.com"
        sts              = "https://sts-fips.us-west-2.amazonaws.com"
        swf              = "https://swf-fips.us-west-2.amazonaws.com"
        waf              = "https://waf-fips.amazonaws.com"
        wafregional      = "https://waf-regional-fips.us-west-2.amazonaws.com"
        wafv2            = "https://wafv2-fips.us-west-2.amazonaws.com"
    }
}
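
Since a provider block like the one above is long and easy to get subtly wrong (one plain endpoint slipping in silently drops you off the FIPS path), a pre-apply lint of the endpoints block is worth having. The following is an added example, not code from the post or its repo: it parses a provider block in the same shape and flags any endpoint that is not HTTPS, whose hostname lacks a `fips` label, or whose region differs from the provider's region. The GLOBAL_SERVICES set and the sample block are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the same shape as the post's us-west-2 provider block, with three
# deliberately bad entries (no -fips host, wrong region, plain http) to exercise the check.
SAMPLE_HCL = """
provider "aws" {
    region = "us-west-2"
    endpoints {
        acm     = "https://acm-fips.us-west-2.amazonaws.com"
        ec2     = "https://ec2.us-west-2.amazonaws.com"
        kms     = "https://kms-fips.us-west-2.amazonaws.com"
        sts     = "https://sts-fips.us-east-1.amazonaws.com"
        route53 = "https://route53-fips.amazonaws.com"
        s3      = "http://s3-fips.us-west-2.amazonaws.com"
    }
}
"""

# Services whose FIPS hostname carries no region (or, for shield, only us-east-1), so the
# region comparison is skipped for them. Assumed list; extend it for your own block.
GLOBAL_SERVICES = {"cloudfront", "route53", "waf", "shield"}

ENDPOINT_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]+)"', re.MULTILINE)
REGION_RE = re.compile(r'\bregion\s*=\s*"([^"]+)"')


def parse_endpoints(hcl):
    """Return {service: url} for every `key = "http..."` line in the provider text."""
    return {k: v for k, v in ENDPOINT_RE.findall(hcl) if v.startswith("http")}


def lint_endpoints(hcl):
    """Return (service, problem) tuples; an empty list means every endpoint passed."""
    match = REGION_RE.search(hcl)
    region = match.group(1) if match else None
    problems = []
    for svc, url in parse_endpoints(hcl).items():
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            problems.append((svc, "not https"))
        if "fips" not in host:
            problems.append((svc, "no fips label in hostname"))
        if region and svc not in GLOBAL_SERVICES and region not in host:
            problems.append((svc, f"endpoint region differs from provider region {region}"))
    return problems


if __name__ == "__main__":
    for svc, problem in lint_endpoints(SAMPLE_HCL):
        print(f"{svc}: {problem}")
```

Run it against your own provider file (read the file into the string instead of SAMPLE_HCL) as a CI step before `terraform apply`; a non-empty result is a config that is not fully on FIPS endpoints.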

Final word

I've noticed no problems turning this on for already-deployed infrastructure. I haven't tested all the endpoints, so tread carefully. Let me know if there are any problems, and feel free to send an MR. I'm going to try to keep the repo up to date, but I'll gladly take any updates!

