Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/dasmeta/terraform-aws-account
Terraform module to create AWS account setup
https://github.com/dasmeta/terraform-aws-account
account aws module terraform terraform-module
Last synced: about 1 month ago
JSON representation
Terraform module to create AWS account setup
- Host: GitHub
- URL: https://github.com/dasmeta/terraform-aws-account
- Owner: dasmeta
- License: apache-2.0
- Created: 2022-12-06T11:33:29.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2024-11-18T13:59:18.000Z (about 2 months ago)
- Last Synced: 2024-11-18T15:07:36.447Z (about 2 months ago)
- Topics: account, aws, module, terraform, terraform-module
- Language: HCL
- Homepage: www.dasmeta.com
- Size: 98.6 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security-hub.tf
Awesome Lists containing this project
README
# terraform-aws-account
## this module allows to configure aws account level resources which are not part to specific environment/application and are global impact on aws
## basic example
```hcl
module "account" {
source = "dasmeta/account/aws"
version = "x.y.z"
create_cloudwatch_log_role = true
}
```
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | ~> 1.3 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | n/a |
## Modules
| Name | Source | Version |
|------|--------|---------|
| [buckets](#module\_buckets) | dasmeta/modules/aws//modules/s3 | 2.1.2 |
| [cloudtrail](#module\_cloudtrail) | dasmeta/modules/aws//modules/cloudtrail/ | 2.18.0 |
| [cloudwatch\_alarm\_actions](#module\_cloudwatch\_alarm\_actions) | dasmeta/monitoring/aws//modules/cloudwatch-alarm-actions | 1.19.5 |
| [cloudwatch\_alarm\_actions\_virginia](#module\_cloudwatch\_alarm\_actions\_virginia) | dasmeta/monitoring/aws//modules/cloudwatch-alarm-actions | 1.19.5 |
| [enforce\_mfa](#module\_enforce\_mfa) | terraform-module/enforce-mfa/aws | ~> 1.0 |
| [enforce\_mfa\_group](#module\_enforce\_mfa\_group) | terraform-aws-modules/iam/aws//modules/iam-group-with-policies | 5.47.1 |
| [groups](#module\_groups) | terraform-aws-modules/iam/aws//modules/iam-group-with-policies | 5.47.1 |
| [monitoring\_billing](#module\_monitoring\_billing) | dasmeta/monitoring/aws//modules/billing | 1.19.3 |
| [monitoring\_security\_hub](#module\_monitoring\_security\_hub) | dasmeta/monitoring/aws//modules/aws-security-hub-opsgenie | 1.5.2 |
| [password\_policy](#module\_password\_policy) | dasmeta/modules/aws//modules/iam-account-password-policy | 2.18.0 |
| [secrets](#module\_secrets) | dasmeta/modules/aws//modules/secret | 2.18.0 |
| [users](#module\_users) | dasmeta/modules/aws//modules/aws-iam-user | 2.1.2 |
## Resources
| Name | Type |
|------|------|
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [alarm\_actions](#input\_alarm\_actions) | Whether to enable/create regional(TODO: add also us-east-1 region alarm also for health-check alarms) SNS topic/subscribers |
object({
enabled = optional(bool, false)
topic_name = optional(string, "account-alarms-handling")
enable_dead_letter_queue = optional(bool, false)
email_addresses = optional(list(string), [])
phone_numbers = optional(list(string), [])
web_endpoints = optional(list(string), [])
teams_webhooks = optional(list(string), [])
slack_webhooks = optional(list(object({
hook_url = string
channel = string
username = string
})), [])
servicenow_webhooks = optional(list(object({
domain = string
path = string
user = string
pass = string
})), [])
billing_alarm = optional(object({ # Allows to setup billing (cost exceeded) alarm for aws account, NOTE: you have to at first enable 'alarm_actions' and then enable this
enabled = optional(bool, false)
name = optional(string, "Account-Monthly-Budget")
limit_amount = optional(string, "200")
limit_unit = optional(string, "USD")
time_unit = optional(string, "MONTHLY")
time_period_start = optional(string, "2022-01-01_00:00")
time_period_end = optional(string, "2087-06-15_00:00")
thresholds = optional(list(string), ["40", "60", "80", "90", "100", "110"])
threshold_type = optional(string, "PERCENTAGE")
comparison_operator = optional(string, "GREATER_THAN")
notification_type = optional(string, "ACTUAL")
notify_email_addresses = optional(list(string), [])
}), { enabled : false })
security_hub_alarms = optional(object({ # Allows to enable security hub for aws account, create separate sns topic for it and setup opsgenie subscriber.
enabled = optional(bool, false)
opsgenie_webhook = optional(string, null)
securityhub_action_target_name = optional(string, "Send-to-SNS")
sns_topic_name = optional(string, "Send-to-Opsgenie")
protocol = optional(string, "https")
link_mode = optional(string, "ALL_REGIONS")
enable_security_hub = optional(bool, true) # not confuse with enabled option, this one is for setting "false" in case when aws security hub service already enabled
enable_security_hub_finding_aggregator = optional(bool, true)
}), { enabled : false })
}) | {
"billing_alarm": {
"enabled": false
},
"enabled": false,
"security_hub_alarms": {
"enabled": false
}
} | no |
| [alarm\_actions\_virginia](#input\_alarm\_actions\_virginia) | Whether to enable/create regional(TODO: add also us-east-1 region alarm also for health-check alarms) SNS topic/subscribers | object({
enabled = optional(bool, false)
topic_name = optional(string, "account-alarms-handling")
enable_dead_letter_queue = optional(bool, false)
email_addresses = optional(list(string), [])
phone_numbers = optional(list(string), [])
web_endpoints = optional(list(string), [])
teams_webhooks = optional(list(string), [])
slack_webhooks = optional(list(object({
hook_url = string
channel = string
username = string
})), [])
servicenow_webhooks = optional(list(object({
domain = string
path = string
user = string
pass = string
})), [])
billing_alarm = optional(object({ # Allows to setup billing (cost exceeded) alarm for aws account, NOTE: you have to at first enable 'alarm_actions' and then enable this
enabled = optional(bool, false)
name = optional(string, "Account-Monthly-Budget")
limit_amount = optional(string, "200")
limit_unit = optional(string, "USD")
time_unit = optional(string, "MONTHLY")
time_period_start = optional(string, "2022-01-01_00:00")
time_period_end = optional(string, "2087-06-15_00:00")
threshold = optional(string, "200")
threshold_type = optional(string, "PERCENTAGE")
comparison_operator = optional(string, "GREATER_THAN")
notification_type = optional(string, "ACTUAL")
notify_email_addresses = optional(list(string), [])
}), { enabled : false })
security_hub_alarms = optional(object({ # Allows to enable security hub for aws account, create separate sns topic for it and setup opsgenie subscriber.
enabled = optional(bool, false)
opsgenie_webhook = optional(string, null)
securityhub_action_target_name = optional(string, "Send-to-SNS")
sns_topic_name = optional(string, "Send-to-Opsgenie")
protocol = optional(string, "https")
link_mode = optional(string, "ALL_REGIONS")
enable_security_hub = optional(bool, true) # not confuse with enabled option, this one is for setting "false" in case when aws security hub service already enabled
enable_security_hub_finding_aggregator = optional(bool, true)
}), { enabled : false })
}) | {
"billing_alarm": {
"enabled": false
},
"enabled": false,
"security_hub_alarms": {
"enabled": false
}
} | no |
| [buckets](#input\_buckets) | List of buckets | list(object({
name = string
acl = optional(string, null)
ignore_public_acls = optional(bool, true)
restrict_public_buckets = optional(bool, true)
block_public_acls = optional(bool, true)
block_public_policy = optional(bool, true)
versioning = optional(map(string), { enabled = true })
website = optional(map(string), {})
create_index_html = optional(bool, false)
create_iam_user = optional(bool, false)
bucket_files = optional(object({ path = string }), { path = "" })
})) | `[]` | no |
| [cloudtrail](#input\_cloudtrail) | Cloudtrail configuration | object({
enabled = optional(bool, false)
enable_cloudwatch_logs = optional(bool, false)
name = optional(string, "audit") # Name of CloudTrail
bucket_name = optional(string, "") # Whether to create new fresh bucket or use existing one, if set non empty it will use existing one with provided name
include_global_service_events = optional(bool, true) # Specifies whether the trail is publishing events from global services such as IAM to the log files
enable_log_file_validation = optional(bool, true) # Specifies whether log file integrity validation is enabled. Creates signed digest for validated contents of logs
is_organization_trail = optional(bool, true) # The trail is an AWS Organizations trail
is_multi_region_trail = optional(bool, true) # Specifies whether the trail is created in the current region or in all regions
cloud_watch_logs_group_arn = optional(string, "") # Specifies a log group name using an Amazon Resource Name (ARN), that represents the log group to which CloudTrail logs will be delivered
cloud_watch_logs_role_arn = optional(string, "") # Specifies the role for the CloudWatch Logs endpoint to assume to write to a user’s log group
cloud_watch_logs_group_retention = optional(number, 90) # Specifies the number of days you want to retain log events in the specified log group.
enable_logging = optional(bool, true) # Enable logging for the trail
sns_topic_name = optional(string, null) # Specifies the name of the Amazon SNS topic defined for notification of log file delivery
event_selector = optional(list(object({ # Specifies an event selector for enabling data event logging. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this variable
include_management_events = bool
read_write_type = string
data_resource = list(object({
type = string
values = list(string)
}))
})), [])
insight_selectors = optional(list(string), [])
alerts_events = optional(list(string), ["iam-user-creation-or-deletion"]) # Some possible values are: iam-user-creation-or-deletion, iam-role-creation-or-deletion, iam-policy-changes, s3-creation-or-deletion, root-account-usage, elastic-ip-association-and-disassociation and etc.
}) | {
"enabled": false
} | no |
| [create\_cloudwatch\_log\_role](#input\_create\_cloudwatch\_log\_role) | This is an account level configuration which creates IAM role with policy allowing cloudwatch sync/push logs into cloudwatch | `bool` | `false` | no |
| [enforce\_mfa](#input\_enforce\_mfa) | MFA related configs, set the name for enforce MFA IAM user group value to null if you want this group to not be created | object({
enabled = optional(bool, false) # whether to create enforce mfa iam group
group_name = optional(string, "enforce-mfa")
policy_name = optional(string, "mfa-enforce-policy")
manage_own_signing_certificates = optional(bool, true)
manage_own_ssh_public_keys = optional(bool, true)
manage_own_git_credentials = optional(bool, true)
attach_iam_self_management_policy = optional(bool, false)
}) | `{}` | no |
| [groups](#input\_groups) | n/a | list(object({
name = string
custom_group_policies = optional(list(map(string)), [])
custom_group_policy_arns = optional(list(string), [])
attach_iam_self_management_policy = optional(bool, false)
users = optional(list(string), [])
})) | `[]` | no |
| [password\_policy](#input\_password\_policy) | Allows to create/set aws iam users password policy for better security | object({
enabled = optional(bool, false)
allow_users_to_change_password = optional(bool, true)
minimum_password_length = optional(number, 10)
require_lowercase_characters = optional(bool, true)
require_numbers = optional(bool, true)
require_symbols = optional(bool, true)
require_uppercase_characters = optional(bool, true)
max_password_age = optional(number, 90)
hard_expiry = optional(bool, false)
password_reuse_prevention = optional(number, 3)
}) | `{}` | no |
| [secrets](#input\_secrets) | Allows to create account level aws secret manager secret for storing global/shared secrets, which supposed can be used by all services/apps/environments | object({
enabled = optional(bool, false)
name = optional(string, "account")
value = optional(any, null)
recovery_window_in_days = optional(number, 30)
}) | `{}` | no |
| [users](#input\_users) | List of users | list(object({
username = string
policy_attachment = optional(list(string), [])
enforce_mfa = optional(bool, true) # whether user should be placed into enforce mfa group, note that the enforce_mfa.enabled should be set to true to have this applied
create = optional(bool, true) # whether the user should be created or not, so that existing iam user can be linked/placed into a group
})) | `[]` | no |
## Outputs
| Name | Description |
|------|-------------|
| [users](#output\_users) | created users data |