Ecosyste.ms: Awesome


https://github.com/cyralinc/terraform-aws-sidecar-ec2

Cyral Sidecar module for AWS EC2
https://github.com/cyralinc/terraform-aws-sidecar-ec2

aws cyral terraform terraform-module


README

        

# Cyral sidecar module for AWS EC2

Use this Terraform module to deploy a sidecar on AWS EC2 instances.

Refer to the [quickstart guide](https://github.com/cyral-quickstart/quickstart-sidecar-terraform-aws-ec2#readme)
for more information on how to use this module or upgrade your sidecar.

## Architecture

![Deployment architecture](https://raw.githubusercontent.com/cyralinc/terraform-aws-sidecar-ec2/main/images/aws_architecture.png)

The elements shown in the architecture diagram above are deployed by this module.
The module requires an existing VPC and subnets in order to create the components
the sidecar needs to run. At a high level, these are the resources deployed:

* EC2
  * Auto scaling group (responsible for managing EC2 instances and EBS volumes)
  * Network load balancer (optional)
  * Security group
* Secrets Manager
  * Sidecar credentials
  * Sidecar CA certificate
  * Sidecar self-signed certificate
* IAM
  * Sidecar role
* CloudWatch
  * Log group (optional)

## Usage

```hcl
provider "aws" {
  # Define the target AWS region
  region = "us-east-1"
}

module "cyral_sidecar" {
  source  = "cyralinc/sidecar-ec2/aws"
  version = "~> 5.0" # terraform module version

  sidecar_id    = ""
  control_plane = ""
  client_id     = ""
  client_secret = ""

  # Leave empty if you prefer to perform upgrades directly
  # from the control plane.
  sidecar_version = ""

  # Considering MongoDB ports are from the range 27017 to 27019
  sidecar_ports = [443, 3306, 5432, 27017, 27018, 27019]

  vpc_id  = ""
  subnets = [""]

  # Inbound CIDR to SSH into the EC2 instances
  # (placeholder: restrict to trusted ranges before deploying)
  ssh_inbound_cidr = ["0.0.0.0/0"]
  # Inbound CIDR to access ports defined in `sidecar_ports`
  # (placeholder: restrict to the clients that need database access)
  db_inbound_cidr = ["0.0.0.0/0"]
  # Inbound CIDR to monitor the EC2 instances (port 9000)
  # (placeholder: the VPC CIDR is enough for load balancer health checks)
  monitoring_inbound_cidr = ["0.0.0.0/0"]
}
```
**Note:**

- `name_prefix` is defined automatically. If you wish to define a custom
  `name_prefix`, please keep in mind that its length must be **at most 24
  characters**.
- The `0.0.0.0/0` values above are placeholders. They allow SSH, every port
  in `sidecar_ports` and the monitoring port `9000` from any address that can
  reach the instances. Replace them with the CIDR blocks you actually need, or
  grant access by security group instead through `ssh_inbound_security_group`
  and `db_inbound_security_group` (each of which replaces, rather than adds to,
  the corresponding CIDR input).
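
A tightened version of the configuration above, added here as an illustration and not taken from the module's own documentation. It uses only inputs that appear in the Inputs table below; every ID, ARN and CIDR block is a placeholder, and passing an empty `db_inbound_cidr` while granting database access through `db_inbound_security_group` is an assumption about how the documented "can't be combined" rule is expressed.

```hcl
provider "aws" {
  region = "us-east-1"
}

# Sidecar deployment with the network, credential and key inputs tightened.
# All concrete values below are assumed placeholders.
module "cyral_sidecar" {
  source  = "cyralinc/sidecar-ec2/aws"
  version = "~> 5.0"

  sidecar_id    = "sidecar-id"       # assumed placeholder
  control_plane = "tenant.cyral.com" # assumed placeholder

  # Bring your own secret: the client id/secret live in a pre-existing
  # Secrets Manager secret instead of being passed as plaintext variables,
  # so they are not written into tfvars, CI logs or the plan output.
  client_id     = ""
  client_secret = ""
  secret_arn    = "arn:aws:secretsmanager:us-east-1:123456789012:secret:cyral-sidecar-AbCdEf" # assumed

  # Empty: upgrades are driven from the control plane (1-click upgrade).
  sidecar_version = ""

  sidecar_ports = [443, 3306, 5432, 27017, 27018, 27019]

  vpc_id  = "vpc-0123456789abcdef0"                                     # assumed
  subnets = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # assumed private subnets

  # SSH only from the bastion subnet; database ports only from the
  # application servers' security group (assumed: the CIDR input is left
  # empty when the security-group variant is used).
  ssh_inbound_cidr          = ["10.0.1.0/28"]      # assumed bastion subnet
  db_inbound_cidr           = []
  db_inbound_security_group = ["sg-0appservers0000"] # assumed
  # Health checks and metrics (port 9000) only from inside the VPC.
  monitoring_inbound_cidr = ["10.0.0.0/16"] # assumed VPC CIDR

  # Keep the NLB private and the instances without public addresses.
  load_balancer_scheme        = "internal"
  associate_public_ip_address = false

  # IMDSv2 only, and customer-managed KMS keys for secrets and EBS volumes.
  # The EBS key policy must allow the AWSServiceRoleForAutoScaling principal,
  # as noted in the Inputs table, or the ASG cannot launch instances.
  instance_metadata_token = "required"
  secrets_kms_arn         = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555" # assumed
  ec2_ebs_kms_arn         = "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000" # assumed

  # One security group rule per port; do not collapse into a min..max range,
  # which would also open every port in between.
  reduce_security_group_rules_count = false

  # Never disable certificate verification towards the control plane.
  tls_skip_verify = false

  cloudwatch_logs_retention = 90
}
```

The `secret_arn` route only moves the credentials out of the Terraform inputs; the secret's contents still need the format described in the "Bring your own secret" document linked under Advanced, and the instance role must be allowed to read it (or assume `secret_role_arn`).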

## Upgrade

### Module upgrade

If you are coming from `v4` of this module, read the
[upgrade notes](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/upgrade-notes.md) for specific
instructions on how to upgrade this module.

### Sidecar upgrade

This module supports [1-click upgrade](https://cyral.com/docs/sidecars/manage/upgrade#1-click-upgrade).

To enable the 1-click upgrade feature, leave the variable `sidecar_version` empty and upgrade
the sidecar from the Cyral control plane.

If you prefer to block upgrades from the Cyral control plane and use a **static version**, assign
the desired sidecar version to `sidecar_version`. To upgrade your sidecar, update this parameter
with the target version and run `terraform apply`.

Learn more in the [sidecar upgrade procedures](https://cyral.com/docs/sidecars/manage/upgrade) page.

## Advanced

Instructions for advanced deployment configurations are available for the following topics:

* [Advanced networking configuration](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/networking.md)
* [Bring your own secret](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/byos.md)
* [Customer initialization scripts](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/custom-user-data.md)
* [Enable the S3 File Browser](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/s3-browser.md)
* [Memory limits](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/memlim.md)
* [Sidecar certificates](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/certificates.md)
* [Sidecar instance metrics](https://github.com/cyralinc/terraform-aws-sidecar-ec2/blob/main/docs/metrics.md)

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.9 |
| [aws](#requirement\_aws) | >= 3.73.0, < 6.0.0 |
| [tls](#requirement\_tls) | ~> 4.0.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 3.73.0, < 6.0.0 |
| [tls](#provider\_tls) | ~> 4.0.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_autoscaling_group.asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
| [aws_cloudwatch_log_group.lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_iam_instance_profile.sidecar_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_policy.init_script_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.sidecar_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.init_script_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.user_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_launch_template.lt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource |
| [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
| [aws_lb_listener.ls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
| [aws_lb_target_group.tg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
| [aws_route53_record.cyral-sidecar-dns-record](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_secretsmanager_secret.self_signed_ca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret.self_signed_tls_cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret.sidecar_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.self_signed_ca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [aws_secretsmanager_secret_version.self_signed_tls_cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [aws_secretsmanager_secret_version.sidecar_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [aws_security_group.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [tls_private_key.ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_private_key.tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
| [tls_self_signed_cert.ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [tls_self_signed_cert.tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_arn.cw_lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_availability_zones.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.init_script_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.sidecar](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_lbs.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lbs) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_security\_groups](#input\_additional\_security\_groups) | List of the IDs of the additional security groups that will be attached to the sidecar instances. If providing `additional_target_groups`, use this parameter to provide security groups with the inbound rules to allow inbound traffic from the target groups to the instances. | `list(string)` | `[]` | no |
| [additional\_target\_groups](#input\_additional\_target\_groups) | List of the ARNs of the additional target groups that will be attached to the sidecar instances. Use it in conjunction with `additional_security_groups` to provide the inbound rules for the ports associated with them, otherwise the incoming traffic from the target groups will not be allowed to access the EC2 instances. | `list(string)` | `[]` | no |
| [ami\_id](#input\_ami\_id) | AMI ID that will be used for the EC2 instances. If not provided, will use the latest Amazon Linux 2 AMI available. | `string` | `""` | no |
| [asg\_desired](#input\_asg\_desired) | The desired number of hosts to create in the auto scaling group | `number` | `1` | no |
| [asg\_max](#input\_asg\_max) | The maximum number of hosts to create in the auto scaling group | `number` | `3` | no |
| [asg\_min](#input\_asg\_min) | The minimum number of hosts to create in the auto scaling group | `number` | `1` | no |
| [asg\_min\_healthy\_percentage](#input\_asg\_min\_healthy\_percentage) | The minimum percentage of healthy instances during an ASG refresh | `number` | `100` | no |
| [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | Associates a public IP to sidecar EC2 instances | `bool` | `false` | no |
| [ca\_certificate\_role\_arn](#input\_ca\_certificate\_role\_arn) | (Optional) ARN of an AWS IAM Role to assume when reading the CA certificate. | `string` | `""` | no |
| [ca\_certificate\_secret\_arn](#input\_ca\_certificate\_secret\_arn) | (Optional) ARN of secret in AWS Secrets Manager that contains a CA certificate to sign sidecar-generated certs. | `string` | `""` | no |
| [client\_id](#input\_client\_id) | (Optional) The client id assigned to the sidecar. If not provided, must provide a secret containing the respective client id using `secret_arn`. | `string` | `""` | no |
| [client\_secret](#input\_client\_secret) | (Optional) The client secret assigned to the sidecar. If not provided, must provide a secret containing the respective client secret using `secret_arn`. | `string` | `""` | no |
| [cloudwatch\_log\_group\_name](#input\_cloudwatch\_log\_group\_name) | (Optional) Cloudwatch log group name. | `string` | `""` | no |
| [cloudwatch\_logs\_retention](#input\_cloudwatch\_logs\_retention) | Cloudwatch logs retention in days | `number` | `14` | no |
| [container\_registry](#input\_container\_registry) | Address of the container registry where Cyral images are stored. | `string` | `"public.ecr.aws/cyral"` | no |
| [container\_registry\_key](#input\_container\_registry\_key) | Corresponding key for the user name provided to authenticate to the container registry. | `string` | `""` | no |
| [container\_registry\_username](#input\_container\_registry\_username) | Username to authenticate to the container registry. | `string` | `""` | no |
| [control\_plane](#input\_control\_plane) | Address of the control plane (a `.cyral.com` hostname) | `string` | n/a | yes |
| [custom\_host\_role](#input\_custom\_host\_role) | (Optional) Name of an AWS IAM Role to attach to the EC2 instance profile. | `string` | `""` | no |
| [custom\_tags](#input\_custom\_tags) | Custom tags to be added to all AWS resources created | `map(any)` | `{}` | no |
| [custom\_user\_data](#input\_custom\_user\_data) | Ancillary consumer supplied user-data script. Bash scripts must be added to a map as a value of the key `pre`, `pre_sidecar_start`, `post` denoting execution order with respect to sidecar installation. (Approx Input Size = 19KB) | `map(any)` | `{ "post": "", "pre": "", "pre_sidecar_start": "" }` | no |
| [db\_inbound\_cidr](#input\_db\_inbound\_cidr) | Allowed CIDR blocks for database access to the sidecar. Can't be combined with 'db\_inbound\_security\_group'. | `list(string)` | n/a | yes |
| [db\_inbound\_security\_group](#input\_db\_inbound\_security\_group) | Pre-existing security group IDs allowed to connect to db in the EC2 host. Can't be combined with 'db\_inbound\_cidr'. | `list(string)` | `[]` | no |
| [deploy\_load\_balancer](#input\_deploy\_load\_balancer) | Whether to deploy the load balancer and target groups. When set to `false`, the ASG runs a single replica regardless of `asg_min`, `asg_max` and `asg_desired`. | `bool` | `true` | no |
| [dns\_hosted\_zone\_id](#input\_dns\_hosted\_zone\_id) | (Optional) Route53 hosted zone ID for the corresponding 'dns\_name' provided | `string` | `""` | no |
| [dns\_name](#input\_dns\_name) | (Optional) Fully qualified domain name that will be automatically created/updated to reference the sidecar LB | `string` | `""` | no |
| [dns\_overwrite](#input\_dns\_overwrite) | (Optional) Update an existing DNS name informed in `dns_name`. | `bool` | `false` | no |
| [ec2\_ebs\_kms\_arn](#input\_ec2\_ebs\_kms\_arn) | ARN of the KMS key used to encrypt/decrypt EBS volumes. If unset, EBS will use the default KMS key. Make sure the KMS key allows the principal `arn:aws:iam::ACCOUNT_NUMBER:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling`, otherwise the ASG will not be able to launch the new instances. | `string` | `""` | no |
| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Enable cross zone load balancing | `bool` | `true` | no |
| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | The minimum amount of time (in seconds) to keep a new instance in service before terminating it if it's found to be unhealthy | `number` | `300` | no |
| [iam\_policies](#input\_iam\_policies) | (Optional) List of IAM policies ARNs that will be attached to the sidecar IAM role | `list(string)` | `[]` | no |
| [idp\_certificate](#input\_idp\_certificate) | (Optional) The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. | `string` | `""` | no |
| [idp\_sso\_login\_url](#input\_idp\_sso\_login\_url) | (Optional) The IdP SSO URL for the IdP being used with Snowflake. | `string` | `""` | no |
| [instance\_metadata\_token](#input\_instance\_metadata\_token) | Instance Metadata Service token requirement | `string` | `"required"` | no |
| [instance\_type](#input\_instance\_type) | Amazon EC2 instance type for the sidecar instances | `string` | `"t3.medium"` | no |
| [key\_name](#input\_key\_name) | AWS key name | `string` | `""` | no |
| [launch\_template\_tags\_resource\_types](#input\_launch\_template\_tags\_resource\_types) | Set of resource types to be used to add custom tags to the launch template. See also `custom_tags`. | `set(string)` | `["instance", "volume", "network-interface"]` | no |
| [load\_balancer\_certificate\_arn](#input\_load\_balancer\_certificate\_arn) | (Optional) ARN of SSL certificate that will be used for client connections to Snowflake. | `string` | `""` | no |
| [load\_balancer\_scheme](#input\_load\_balancer\_scheme) | EC2 network load balancer scheme (`internal` or `internet-facing`). Parameter has no effect in case `deploy_load_balancer = false`. | `string` | `"internal"` | no |
| [load\_balancer\_security\_groups](#input\_load\_balancer\_security\_groups) | List of the IDs of the additional security groups that will be attached to the load balancer. Parameter has no effect in case `deploy_load_balancer = false`. | `list(string)` | `[]` | no |
| [load\_balancer\_sticky\_ports](#input\_load\_balancer\_sticky\_ports) | List of ports that will have session stickiness enabled. This parameter must be a subset of 'sidecar\_ports'. | `list(number)` | `[]` | no |
| [load\_balancer\_subnets](#input\_load\_balancer\_subnets) | Subnets to add load balancer to. If not provided, the load balancer will assume the subnets specified in the `subnets` parameter. Parameter has no effect in case `deploy_load_balancer = false`. | `list(string)` | `[]` | no |
| [load\_balancer\_tls\_ports](#input\_load\_balancer\_tls\_ports) | List of ports that will have TLS terminated at load balancer level (snowflake support, for example). If assigned, 'load\_balancer\_certificate\_arn' must also be provided. This parameter must be a subset of 'sidecar\_ports'. | `list(number)` | `[]` | no |
| [monitoring\_inbound\_cidr](#input\_monitoring\_inbound\_cidr) | Allowed CIDR blocks for health check and metric requests to the sidecar. If restricting the access, consider setting to the VPC CIDR or an equivalent to cover the assigned subnets as the load balancer performs health checks on the EC2 instances. | `list(string)` | n/a | yes |
| [name\_prefix](#input\_name\_prefix) | Prefix for names of created resources in AWS. Maximum length is 24 characters. | `string` | `""` | no |
| [recycle\_health\_check\_interval\_sec](#input\_recycle\_health\_check\_interval\_sec) | (Optional) The interval (in seconds) at which the sidecar instance checks whether it has been marked for recycling. | `number` | `30` | no |
| [reduce\_security\_group\_rules\_count](#input\_reduce\_security\_group\_rules\_count) | If set to `false`, each port in `sidecar_ports` will be used individually for each CIDR in `db_inbound_cidr` to create inbound rules in the sidecar security group, resulting in a number of inbound rules that is equal to the number of `sidecar_ports` * `db_inbound_cidr`. If set to `true`, the entire sidecar port range from `min(sidecar_ports)` to `max(sidecar_ports)` will be used to configure each inbound rule for each CIDR in `db_inbound_cidr` for the sidecar security group. Setting it to `true` can be useful if you need to use multiple sequential sidecar ports and different CIDRs for DB inbound (`db_inbound_cidr`) since it will significantly reduce the number of inbound rules and avoid hitting AWS quotas. As a side effect, it will open all the ports between `min(sidecar_ports)` and `max(sidecar_ports)` in the security group created by this module. | `bool` | `false` | no |
| [repositories\_supported](#input\_repositories\_supported) | List of all repositories that will be supported by the sidecar (lower case only) | `list(string)` | `["denodo", "dremio", "dynamodb", "mongodb", "mysql", "oracle", "postgresql", "redshift", "snowflake", "sqlserver", "s3"]` | no |
| [secret\_arn](#input\_secret\_arn) | Full ARN of the AWS Secrets Manager secret used to store the sidecar secrets. If unset, sidecar will manage its own secret. See the topic `Bring Your Own Secret` in the `Advanced` documentation section. | `string` | `""` | no |
| [secret\_role\_arn](#input\_secret\_role\_arn) | (Optional) ARN of an AWS IAM Role to assume when reading the secret informed in `secret_arn`. | `string` | `""` | no |
| [secrets\_kms\_arn](#input\_secrets\_kms\_arn) | ARN of the KMS key used to encrypt/decrypt secrets. If unset, secrets will use the default KMS key. | `string` | `""` | no |
| [sidecar\_id](#input\_sidecar\_id) | Sidecar identifier | `string` | n/a | yes |
| [sidecar\_ports](#input\_sidecar\_ports) | List of ports allowed to connect to the sidecar through the load balancer and security group. The maximum number of ports is limited to Network Load Balancers quotas (listeners and target groups). See also 'load\_balancer\_tls\_ports'. Avoid port `9000` as it is reserved for instance monitoring. | `list(number)` | n/a | yes |
| [sidecar\_private\_idp\_key](#input\_sidecar\_private\_idp\_key) | (Optional) The private key used to sign SAML Assertions generated by the sidecar. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. | `string` | `""` | no |
| [sidecar\_public\_idp\_certificate](#input\_sidecar\_public\_idp\_certificate) | (Optional) The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks. | `string` | `""` | no |
| [sidecar\_version](#input\_sidecar\_version) | (Optional, but required for Control Planes < v4.10) The version of the sidecar. If unset and the Control Plane version is >= v4.10, the sidecar version will be dynamically retrieved from the Control Plane, otherwise an error will occur and this value must be provided. | `string` | `""` | no |
| [ssh\_inbound\_cidr](#input\_ssh\_inbound\_cidr) | Allowed CIDR blocks for SSH access to the sidecar. Can't be combined with 'ssh\_inbound\_security\_group'. | `list(string)` | n/a | yes |
| [ssh\_inbound\_security\_group](#input\_ssh\_inbound\_security\_group) | Pre-existing security group IDs allowed to ssh into the EC2 host. Can't be combined with 'ssh\_inbound\_cidr'. | `list(string)` | `[]` | no |
| [subnets](#input\_subnets) | Subnets to add sidecar to (list of string) | `list(string)` | n/a | yes |
| [tls\_certificate\_role\_arn](#input\_tls\_certificate\_role\_arn) | (Optional) ARN of an AWS IAM Role to assume when reading the TLS certificate. | `string` | `""` | no |
| [tls\_certificate\_secret\_arn](#input\_tls\_certificate\_secret\_arn) | (Optional) ARN of secret in AWS Secrets Manager that contains a certificate to terminate TLS connections. | `string` | `""` | no |
| [tls\_skip\_verify](#input\_tls\_skip\_verify) | (Optional) Skip TLS verification for HTTPS communication with the control plane and during sidecar initialization. Leave `false` outside of troubleshooting; with verification disabled the sidecar cannot tell the control plane from an interposed endpoint. | `bool` | `false` | no |
| [volume\_size](#input\_volume\_size) | Size of the sidecar disk | `number` | `15` | no |
| [volume\_type](#input\_volume\_type) | Type of the sidecar disk | `string` | `"gp3"` | no |
| [vpc\_id](#input\_vpc\_id) | AWS VPC ID to deploy sidecar to | `string` | n/a | yes |
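
The table above states several constraints that the module leaves to the caller: the 24-character limit on `name_prefix`, port `9000` being reserved, `load_balancer_sticky_ports` and `load_balancer_tls_ports` having to be subsets of `sidecar_ports`, TLS ports requiring `load_balancer_certificate_arn`, the CIDR and security-group inputs being mutually exclusive, and `reduce_security_group_rules_count` opening the whole `min..max` range. The root-module variables below, added as an example and not part of the module, encode those rules as Terraform validations so that a bad combination fails at `terraform plan` rather than after resources exist. Variable names mirror the module inputs and are meant to be passed through as `var.*` into the `module "cyral_sidecar"` block from the Usage section. Referencing one variable from another variable's `validation` needs Terraform 1.9, which the module already requires.

```hcl
variable "name_prefix" {
  type    = string
  default = ""

  validation {
    condition     = length(var.name_prefix) <= 24
    error_message = "name_prefix must be at most 24 characters."
  }
}

variable "sidecar_ports" {
  type = list(number)

  validation {
    condition     = !contains(var.sidecar_ports, 9000)
    error_message = "Port 9000 is reserved for instance monitoring and must not be in sidecar_ports."
  }
}

variable "load_balancer_certificate_arn" {
  type    = string
  default = ""
}

variable "load_balancer_sticky_ports" {
  type    = list(number)
  default = []

  validation {
    # Cross-variable reference: requires Terraform >= 1.9.
    condition     = length(setsubtract(var.load_balancer_sticky_ports, var.sidecar_ports)) == 0
    error_message = "load_balancer_sticky_ports must be a subset of sidecar_ports."
  }
}

variable "load_balancer_tls_ports" {
  type    = list(number)
  default = []

  validation {
    condition = (
      length(setsubtract(var.load_balancer_tls_ports, var.sidecar_ports)) == 0 &&
      (length(var.load_balancer_tls_ports) == 0 || var.load_balancer_certificate_arn != "")
    )
    error_message = "load_balancer_tls_ports must be a subset of sidecar_ports and requires load_balancer_certificate_arn."
  }
}

variable "db_inbound_cidr" {
  type    = list(string)
  default = []
}

variable "db_inbound_security_group" {
  type    = list(string)
  default = []

  validation {
    condition     = length(var.db_inbound_cidr) == 0 || length(var.db_inbound_security_group) == 0
    error_message = "Use either db_inbound_cidr or db_inbound_security_group, not both."
  }
}

variable "reduce_security_group_rules_count" {
  type    = bool
  default = false
}

locals {
  # Ports the security group actually opens: the listed ports, or, when the
  # rule count is reduced, the full min..max range (range() excludes its
  # upper bound, hence the +1). collateral_ports is what gets opened beyond
  # sidecar_ports; with the Usage example [443, 3306, 5432, 27017, 27018,
  # 27019] that is every port from 444 to 27016 except 3306 and 5432.
  effective_ports  = var.reduce_security_group_rules_count ? range(min(var.sidecar_ports...), max(var.sidecar_ports...) + 1) : var.sidecar_ports
  collateral_ports = setsubtract(local.effective_ports, var.sidecar_ports)
}

check "security_group_port_range" {
  assert {
    condition     = length(local.collateral_ports) == 0
    error_message = "reduce_security_group_rules_count = true would also open ${length(local.collateral_ports)} port(s) that are not in sidecar_ports."
  }
}
```

The `validation` blocks are hard failures; the `check` block only emits a warning, so a deliberately collapsed port range (for example to stay within the security group rule quota) still plans, but the number of extra ports is made visible every time.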

## Outputs

| Name | Description |
|------|-------------|
| [ami\_id](#output\_ami\_id) | EC2 AMI id |
| [autoscaling\_group\_arn](#output\_autoscaling\_group\_arn) | Auto scaling group ARN |
| [ca\_certificate\_secret\_arn](#output\_ca\_certificate\_secret\_arn) | ARN of the CA certificate secret used by the sidecar |
| [cloudwatch\_log\_group\_name](#output\_cloudwatch\_log\_group\_name) | Name of the CloudWatch log group where sidecar logs are stored |
| [dns](#output\_dns) | Sidecar DNS endpoint |
| [iam\_role\_arn](#output\_iam\_role\_arn) | Sidecar IAM role ARN |
| [launch\_template\_arn](#output\_launch\_template\_arn) | Launch template ARN |
| [load\_balancer\_arn](#output\_load\_balancer\_arn) | Load balancer ARN |
| [load\_balancer\_dns](#output\_load\_balancer\_dns) | Sidecar load balancer DNS endpoint |
| [secret\_arn](#output\_secret\_arn) | ARN of the secret with the credentials used by the sidecar |
| [security\_group\_id](#output\_security\_group\_id) | Sidecar security group id |
| [tls\_certificate\_secret\_arn](#output\_tls\_certificate\_secret\_arn) | ARN of the TLS certificate secret used by the sidecar |