From b8c1e4087366fd74a256af97c03239ec1457b7f0 Mon Sep 17 00:00:00 2001 
From: Oreoluwa Agunbiade
Date: Wed, 8 Dec 2021 15:55:34 -0700
Subject: [PATCH] Fixes navigation between service catalog variables (#82)

---
 .../app-orchestration/amazon-ecs-cluster.md   |  700 ++---
 .../amazon-ecs-fargate-cluster.md             |   73 +-
 .../app-orchestration/amazon-ecs-service.md   | 1261 ++++----
 .../amazon-eks-core-services.md               |  590 ++--
 .../app-orchestration/amazon-eks-workers.md   |  931 +++---
 .../services/app-orchestration/amazon-eks.md  | 1217 +++------
 .../auto-scaling-group-asg.md                 |  689 ++---
 .../app-orchestration/ec-2-instance.md        |  524 ++--
 .../app-orchestration/kubernetes-namespace.md |  150 +-
 .../app-orchestration/kubernetes-service.md   |  757 ++----
 .../services/app-orchestration/lambda.md      |  656 ++---
 .../public-static-website.md                  |  260 +-
 .../ci-cd-pipeline/ecs-deploy-runner.md       |  381 +--
 .../services/ci-cd-pipeline/jenkins.md        |  788 ++----
 .../services/data-storage/amazon-aurora.md    |  876 +++---
 .../data-storage/amazon-ecr-repositories.md   |  139 +-
 .../amazon-elasti-cache-for-memcached.md      |  227 +-
 .../amazon-elasti-cache-for-redis.md          |  337 +--
 .../data-storage/amazon-elasticsearch.md      |  502 ++--
 .../services/data-storage/amazon-rds.md       |  953 +++---
 .../services/data-storage/s-3-bucket.md       |  381 +--
 .../aws-app-account-baseline-wrapper.md       | 1690 +++++------
 .../aws-root-account-baseline-wrapper.md      | 2372 ++++++----------
 .../aws-security-account-baseline-wrapper.md  | 2416 ++++++-----------
 .../services/landing-zone/gruntwork-access.md |  117 +-
 .../landing-zone/iam-users-and-iam-groups.md  |  843 +++---
 .../networking/elastic-load-balancer-elb.md   |  447 ++-
 .../services/networking/management-vpc.md     |  414 ++-
 .../networking/route-53-hosted-zones.md       |  172 +-
 .../services/networking/sns-topics.md         |  128 +-
 .../networking/virtual-private-cloud-vpc.md   |  920 +++---
 docs/reference/services/security/bastion.md   |  359 +--
 docs/reference/services/security/open-vpn.md  |  645 ++---
 .../services/security/tls-scripts.md          |   22 +-
 34 files changed, 8360 insertions(+), 14577 deletions(-)

diff --git a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md index 3fada8b8d..656386a22 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md @@ -10,453 +10,263 @@ Deploy an Amazon ECS Cluster ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications -

    -
  • -
  • -

    - - allow_ssh_from_cidr_blocks - - The IP address ranges in CIDR format from which to allow incoming SSH requests to the ECS instances. -

    -
  • -
  • -

    - - allow_ssh_from_security_group_ids - - The IDs of security groups from which to allow incoming SSH requests to the ECS instances. -

    -
  • -
  • -

    - - autoscaling_termination_protection - - Protect EC2 instances running ECS tasks from being terminated due to scale in (spot instances do not support lifecycle modifications). Note that the behavior of termination protection differs between clusters with capacity providers and clusters without. When capacity providers is turned on and this flag is true, only instances that have 0 ECS tasks running will be scaled in, regardless of capacity_provider_target. If capacity providers is turned off and this flag is true, this will prevent ANY instances from being scaled in. -

    -
  • -
  • -

    - - capacity_provider_enabled - - Enable a capacity provider to autoscale the EC2 ASG created for this ECS cluster. -

    -
  • -
  • -

    - - capacity_provider_max_scale_step - - Maximum step adjustment size to the ASG's desired instance count. A number between 1 and 10000. -

    -
  • -
  • -

    - - capacity_provider_min_scale_step - - Minimum step adjustment size to the ASG's desired instance count. A number between 1 and 10000. -

    -
  • -
  • -

    - - capacity_provider_target - - Target cluster utilization for the ASG capacity provider; a number from 1 to 100. This number influences when scale out happens, and when instances should be scaled in. For example, a setting of 90 means that new instances will be provisioned when all instances are at 90% utilization, while instances that are only 10% utilized (CPU and Memory usage from tasks = 10%) will be scaled in. -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the ECS cluster instances during boot. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax -

    -
  • -
  • -

    - - cloudwatch_log_group_name - - The name of the log group to create in CloudWatch. Defaults to `var.cluster_name-logs`. -

    -
  • -
  • -

    - - cluster_access_from_sgs - - Specify a list of Security Groups that will have access to the ECS cluster. Only used if var.enable_cluster_access_ports is set to true -

    -
  • -
  • -

    - - cluster_instance_ami - - The AMI to run on each instance in the ECS cluster. You can build the AMI using the Packer template ecs-node-al2.json. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. -

    -
  • -
  • -

    - - cluster_instance_ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with ECS workers. You can build the AMI using the Packer template ecs-node-al2.json. Only used if var.cluster_instance_ami is null. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. Set to null if cluster_instance_ami is set. -

    -
  • -
  • -

    - - cluster_instance_associate_public_ip_address - - Whether to associate a public IP address with an instance in a VPC -

    -
  • -
  • -

    - - cluster_instance_keypair_name - - The name of the Key Pair that can be used to SSH to each instance in the ECS cluster -

    -
  • -
  • -

    - - cluster_instance_type - - The type of instances to run in the ECS cluster (e.g. t2.medium) -

    -
  • -
  • -

    - - cluster_max_size - - The maxiumum number of instances to run in the ECS cluster -

    -
  • -
  • -

    - - cluster_min_size - - The minimum number of instances to run in the ECS cluster -

    -
  • -
  • -

    - - cluster_name - - The name of the ECS cluster -

    -
  • -
  • -

    - - default_user - - The default OS user for the ECS worker AMI. For AWS Amazon Linux AMIs, which is what the Packer template in ecs-node-al2.json uses, the default OS user is 'ec2-user'. -

    -
  • -
  • -

    - - disallowed_availability_zones - - A list of availability zones in the region that should be skipped when deploying ECS. You can use this to avoid availability zones that may not be able to provision the resources (e.g instance type does not exist). If empty, allows all availability zones. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to enable Cloudwatch log aggregation for the ECS cluster -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to enable Cloudwatch metrics collection for the ECS cluster -

    -
  • -
  • -

    - - enable_cluster_access_ports - - Specify a list of ECS Cluster ports which should be accessible from the security groups given in cluster_access_from_sgs -

    -
  • -
  • -

    - - enable_ecs_cloudwatch_alarms - - Set to true to enable several basic Cloudwatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true -

    -
  • -
  • -

    - - enable_ssh_grunt - - Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. -

    -
  • -
  • -

    - - high_cpu_utilization_evaluation_periods - - The number of periods over which data is compared to the specified threshold -

    -
  • -
  • -

    - - high_cpu_utilization_period - - The period, in seconds, over which to measure the CPU utilization percentage. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - high_cpu_utilization_statistic - - The statistic to apply to the alarm's high CPU metric. Either of the following is supported: SampleCount, Average, Sum, Minimum, Maximum -

    -
  • -
  • -

    - - high_cpu_utilization_threshold - - Trigger an alarm if the ECS Cluster has a CPU utilization percentage above this threshold. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - high_disk_utilization_period - - The period, in seconds, over which to measure the disk utilization percentage. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - high_disk_utilization_threshold - - Trigger an alarm if the EC2 instances in the ECS Cluster have a disk utilization percentage above this threshold. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - high_memory_utilization_evaluation_periods - - The number of periods over which data is compared to the specified threshold -

    -
  • -
  • -

    - - high_memory_utilization_period - - The period, in seconds, over which to measure the memory utilization percentage. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - high_memory_utilization_statistic - - The statistic to apply to the alarm's high CPU metric. Either of the following is supported: SampleCount, Average, Sum, Minimum, Maximum -

    -
  • -
  • -

    - - high_memory_utilization_threshold - - Trigger an alarm if the ECS Cluster has a memory utilization percentage above this threshold. Only used if var.enable_ecs_cloudwatch_alarms is set to true -

    -
  • -
  • -

    - - internal_alb_sg_ids - - The Security Group ID for the internal ALB -

    -
  • -
  • -

    - - multi_az_capacity_provider - - Enable a multi-az capacity provider to autoscale the EC2 ASGs created for this ECS cluster, only if capacity_provider_enabled = true -

    -
  • -
  • -

    - - public_alb_sg_ids - - The Security Group ID for the public ALB -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the nodes in this ECS cluster. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the nodes in this ECS cluster with sudo permissions. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - tenancy - - The tenancy of this server. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which the ECS cluster should be launched -

    -
  • -
  • -

    - - vpc_subnet_ids - - The IDs of the subnets in which to deploy the ECS cluster instances -

    -
  • -
-
- - - + + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications + + + +* [**`allow_ssh_from_cidr_blocks`**](#allow_ssh_from_cidr_blocks) — The IP address ranges in CIDR format from which to allow incoming SSH requests to the ECS instances. + + + +* [**`allow_ssh_from_security_group_ids`**](#allow_ssh_from_security_group_ids) — The IDs of security groups from which to allow incoming SSH requests to the ECS instances. + + + +* [**`autoscaling_termination_protection`**](#autoscaling_termination_protection) — Protect EC2 instances running ECS tasks from being terminated due to scale in (spot instances do not support lifecycle modifications). Note that the behavior of termination protection differs between clusters with capacity providers and clusters without. When capacity providers is turned on and this flag is true, only instances that have 0 ECS tasks running will be scaled in, regardless of [`capacity_provider_target`](#capacity_provider_target). If capacity providers is turned off and this flag is true, this will prevent ANY instances from being scaled in. + + + +* [**`capacity_provider_enabled`**](#capacity_provider_enabled) — Enable a capacity provider to autoscale the EC2 ASG created for this ECS cluster. + + + +* [**`capacity_provider_max_scale_step`**](#capacity_provider_max_scale_step) — Maximum step adjustment size to the ASG's desired instance count. A number between 1 and 10000. + + + +* [**`capacity_provider_min_scale_step`**](#capacity_provider_min_scale_step) — Minimum step adjustment size to the ASG's desired instance count. A number between 1 and 10000. + + + +* [**`capacity_provider_target`**](#capacity_provider_target) — Target cluster utilization for the ASG capacity provider; a number from 1 to 100. This number influences when scale out happens, and when instances should be scaled in. 
For example, a setting of 90 means that new instances will be provisioned when all instances are at 90% utilization, while instances that are only 10% utilized (CPU and Memory usage from tasks = 10%) will be scaled in. + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the ECS cluster instances during boot. See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax + + + +* [**`cloudwatch_log_group_name`**](#cloudwatch_log_group_name) — The name of the log group to create in CloudWatch. Defaults to [``var.cluster_name`](#`var.cluster_name)-logs`. + + + +* [**`cluster_access_from_sgs`**](#cluster_access_from_sgs) — Specify a list of Security Groups that will have access to the ECS cluster. Only used if [`enable_cluster_access_ports`](#enable_cluster_access_ports) is set to true + + + +* [**`cluster_instance_ami`**](#cluster_instance_ami) — The AMI to run on each instance in the ECS cluster. You can build the AMI using the Packer template ecs-node-al2.json. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. + + + +* [**`cluster_instance_ami_filters`**](#cluster_instance_ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with ECS workers. You can build the AMI using the Packer template ecs-node-al2.json. Only used if [`cluster_instance_ami`](#cluster_instance_ami) is null. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. Set to null if [`cluster_instance_ami`](#cluster_instance_ami) is set. 
+ + + +* [**`cluster_instance_associate_public_ip_address`**](#cluster_instance_associate_public_ip_address) — Whether to associate a public IP address with an instance in a VPC + + + +* [**`cluster_instance_keypair_name`**](#cluster_instance_keypair_name) — The name of the Key Pair that can be used to SSH to each instance in the ECS cluster + + + +* [**`cluster_instance_type`**](#cluster_instance_type) — The type of instances to run in the ECS cluster (e.g. t2.medium) + + + +* [**`cluster_max_size`**](#cluster_max_size) — The maxiumum number of instances to run in the ECS cluster + + + +* [**`cluster_min_size`**](#cluster_min_size) — The minimum number of instances to run in the ECS cluster + + + +* [**`cluster_name`**](#cluster_name) — The name of the ECS cluster + + + +* [**`default_user`**](#default_user) — The default OS user for the ECS worker AMI. For AWS Amazon Linux AMIs, which is what the Packer template in ecs-node-al2.json uses, the default OS user is 'ec2-user'. + + + +* [**`disallowed_availability_zones`**](#disallowed_availability_zones) — A list of availability zones in the region that should be skipped when deploying ECS. You can use this to avoid availability zones that may not be able to provision the resources (e.g instance type does not exist). If empty, allows all availability zones. 
+ + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to enable Cloudwatch log aggregation for the ECS cluster + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to enable Cloudwatch metrics collection for the ECS cluster + + + +* [**`enable_cluster_access_ports`**](#enable_cluster_access_ports) — Specify a list of ECS Cluster ports which should be accessible from the security groups given in [`cluster_access_from_sgs`](#cluster_access_from_sgs) + + + +* [**`enable_ecs_cloudwatch_alarms`**](#enable_ecs_cloudwatch_alarms) — Set to true to enable several basic Cloudwatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn) + + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true + + + +* [**`enable_ssh_grunt`**](#enable_ssh_grunt) — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. + + + +* [**`high_cpu_utilization_evaluation_periods`**](#high_cpu_utilization_evaluation_periods) — The number of periods over which data is compared to the specified threshold + + + +* [**`high_cpu_utilization_period`**](#high_cpu_utilization_period) — The period, in seconds, over which to measure the CPU utilization percentage. 
Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`high_cpu_utilization_statistic`**](#high_cpu_utilization_statistic) — The statistic to apply to the alarm's high CPU metric. Either of the following is supported: SampleCount, Average, Sum, Minimum, Maximum + + + +* [**`high_cpu_utilization_threshold`**](#high_cpu_utilization_threshold) — Trigger an alarm if the ECS Cluster has a CPU utilization percentage above this threshold. Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`high_disk_utilization_period`**](#high_disk_utilization_period) — The period, in seconds, over which to measure the disk utilization percentage. Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`high_disk_utilization_threshold`**](#high_disk_utilization_threshold) — Trigger an alarm if the EC2 instances in the ECS Cluster have a disk utilization percentage above this threshold. Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`high_memory_utilization_evaluation_periods`**](#high_memory_utilization_evaluation_periods) — The number of periods over which data is compared to the specified threshold + + + +* [**`high_memory_utilization_period`**](#high_memory_utilization_period) — The period, in seconds, over which to measure the memory utilization percentage. Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`high_memory_utilization_statistic`**](#high_memory_utilization_statistic) — The statistic to apply to the alarm's high CPU metric. Either of the following is supported: SampleCount, Average, Sum, Minimum, Maximum + + + +* [**`high_memory_utilization_threshold`**](#high_memory_utilization_threshold) — Trigger an alarm if the ECS Cluster has a memory utilization percentage above this threshold. 
Only used if [`enable_ecs_cloudwatch_alarms`](#enable_ecs_cloudwatch_alarms) is set to true + + + +* [**`internal_alb_sg_ids`**](#internal_alb_sg_ids) — The Security Group ID for the internal ALB + + + +* [**`multi_az_capacity_provider`**](#multi_az_capacity_provider) — Enable a multi-az capacity provider to autoscale the EC2 ASGs created for this ECS cluster, only if [`capacity_provider_enabled`](#capacity_provider_enabled) = true + + + +* [**`public_alb_sg_ids`**](#public_alb_sg_ids) — The Security Group ID for the public ALB + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the nodes in this ECS cluster. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the nodes in this ECS cluster with sudo permissions. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`tenancy`**](#tenancy) — The tenancy of this server. Must be one of: default, dedicated, or host. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which the ECS cluster should be launched + + + +* [**`vpc_subnet_ids`**](#vpc_subnet_ids) — The IDs of the subnets in which to deploy the ECS cluster instances + + + + + + +* [**`all_metric_widgets`**](#all_metric_widgets) — A list of all the CloudWatch Dashboard metric widgets available in this module. + + + +* [**`ecs_cluster_arn`**](#ecs_cluster_arn) — The ID of the ECS cluster + + + +* [**`ecs_cluster_asg_name`**](#ecs_cluster_asg_name) — The name of the ECS cluster's autoscaling group (ASG) + + + +* [**`ecs_cluster_asg_names`**](#ecs_cluster_asg_names) — For configurations with multiple ASGs, this contains a list of ASG names. 
+ + + +* [**`ecs_cluster_capacity_provider_names`**](#ecs_cluster_capacity_provider_names) — For configurations with multiple capacity providers, this contains a list of all capacity provider names. + + + +* [**`ecs_cluster_launch_configuration_id`**](#ecs_cluster_launch_configuration_id) — The ID of the launch configuration used by the ECS cluster's auto scaling group (ASG) + + + +* [**`ecs_cluster_name`**](#ecs_cluster_name) — The name of the ECS cluster + + + +* [**`ecs_cluster_vpc_id`**](#ecs_cluster_vpc_id) — The ID of the VPC into which the ECS cluster is launched + + + +* [**`ecs_cluster_vpc_subnet_ids`**](#ecs_cluster_vpc_subnet_ids) — The VPC subnet IDs into which the ECS cluster can launch resources into + + + +* [**`ecs_instance_iam_role_arn`**](#ecs_instance_iam_role_arn) — The ARN of the IAM role applied to ECS instances + + + +* [**`ecs_instance_iam_role_id`**](#ecs_instance_iam_role_id) — The ID of the IAM role applied to ECS instances + + + +* [**`ecs_instance_iam_role_name`**](#ecs_instance_iam_role_name) — The name of the IAM role applied to ECS instances + + + +* [**`ecs_instance_security_group_id`**](#ecs_instance_security_group_id) — The ID of the security group applied to ECS instances + + + +* [**`metric_widget_ecs_cluster_cpu_usage`**](#metric_widget_ecs_cluster_cpu_usage) — The CloudWatch Dashboard metric widget for the ECS cluster workers' CPU utilization metric. + + + +* [**`metric_widget_ecs_cluster_memory_usage`**](#metric_widget_ecs_cluster_memory_usage) — The CloudWatch Dashboard metric widget for the ECS cluster workers' Memory utilization metric. + +
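Review bot: the variable-link rewriter behind this hunk matches "var."-prefixed text inside URLs and inline code, which leaves two broken links in the regenerated list. In the new `cloud_init_parts` entry the Terraform docs URL is turned into an in-page anchor, `(#https://www.terraform.io/docs/providers/template/d/cloudinit_config)`, with the `.html` suffix stranded outside the link, so the reference no longer resolves anywhere; and in `cloudwatch_log_group_name` the default `var.cluster_name-logs` becomes an anchor containing a backtick, `(#`var.cluster_name)`, with the surrounding backticks now unbalanced. Restrict the rewrite to bare `var.<name>` tokens that sit outside code spans and URLs (skipping any match that contains a slash or a backtick is enough for these two cases) and regenerate. Two pre-existing description defects also survive the regeneration and are cheap to fix at the source while here: `cluster_max_size` still reads "maxiumum", and `high_memory_utilization_statistic` still describes "the alarm's high CPU metric".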
diff --git a/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md index 9d2741854..fcc925b95 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md @@ -10,54 +10,35 @@ Deploy an Amazon ECS Cluster optimized for Fargate only usage. ### Reference - - - - -
    - -
  • -

    - - arn - - ARN of the ECS cluster that was created. -

    -
  • -
  • -

    - - name - - The name of the ECS cluster. -

    -
  • -
-
+ + + + +* [**`cluster_name`**](#cluster_name) — The name of the ECS cluster + + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the ECS Cluster. The key is the tag name and the value is the tag value. + + + +* [**`enable_container_insights`**](#enable_container_insights) — Whether or not to enable container insights monitoring on the ECS cluster. + + + + + + +* [**`arn`**](#arn) — ARN of the ECS cluster that was created. + + + +* [**`name`**](#name) — The name of the ECS cluster. + +
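Review bot: besides the link format change, this hunk adds an inputs list (`cluster_name`, `custom_tags`, `enable_container_insights`) that the removed rendering did not have at all; the old block listed only the `arn` and `name` outputs. That is a content fix rather than a navigation fix, so the commit message ("Fixes navigation between service catalog variables") undersells it. Mention in the message that the Fargate cluster page previously omitted its inputs, and confirm that the generator now emits an inputs section for every service page rather than only this one, since a reference page that silently drops inputs hides settings like `enable_container_insights` from readers deciding what to monitor.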
diff --git a/docs/reference/services/app-orchestration/amazon-ecs-service.md b/docs/reference/services/app-orchestration/amazon-ecs-service.md index 59bb70174..fce14890d 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-service.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-service.md @@ -10,810 +10,467 @@ Deploy an Amazon ECS Service ### Reference - -
    - -
  • -

    - - alarm_sns_topic_arns - - A list of ARNs of the SNS topic(s) to write alarm events to -

    -
  • -
  • -

    - - alarm_sns_topic_arns_us_east_1 - - A list of SNS topic ARNs to notify when the route53 health check changes to ALARM, OK, or INSUFFICIENT_DATA state. Note: these SNS topics MUST be in us-east-1! This is because Route 53 only sends CloudWatch metrics to us-east-1, so we must create the alarm in that region, and therefore, can only notify SNS topics in that region -

    -
  • -
  • -

    - - alb_sticky_session_cookie_duration - - The time period, in seconds, during which requests from a client should be routed to the same Target. After this time period expires, the load balancer-generated cookie is considered stale. The acceptable range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). Only used if var.elb_target_groups is set. -

    -
  • -
  • -

    - - alb_sticky_session_type - - The type of Sticky Sessions to use. See https://goo.gl/MNwqNu for possible values. Only used if var.elb_target_groups is set. -

    -
  • -
  • -

    - - canary_container_definitions - - List of container definitions to use for the canary ECS task. Each entry corresponds to a different ECS container definition. -

    -
  • -
  • -

    - - canary_version - - Which version of the ECS Service Docker container to deploy as a canary (e.g. 0.57) -

    -
  • -
  • -

    - - capacity_provider_strategy - - The capacity provider strategy to use for the service. Note that the capacity providers have to be present on the ECS cluster before deploying the ECS service. When provided, var.launch_type is ignored. -

    -
  • -
  • -

    - - clb_container_name - - The name of the container, as it appears in the var.task_arn Task definition, to associate with a CLB. Currently, ECS can only associate a CLB with a single container per service. Only used if clb_name is set. -

    -
  • -
  • -

    - - clb_container_port - - The port on the container in var.clb_container_name to associate with an CLB. Currently, ECS can only associate a CLB with a single container per service. Only used if clb_name is set. -

    -
  • -
  • -

    - - clb_name - - The name of a Classic Load Balancer (CLB) to associate with this service. Containers in the service will automatically register with the CLB when booting up. Set to null if using ELBv2. -

    -
  • -
  • -

    - - cloudwatch_log_group_name - - The name for the Cloudwatch logs that will be generated by the ecs service -

    -
  • -
  • -

    - - container_definitions - - List of container definitions to use for the ECS task. Each entry corresponds to a different ECS container definition. -

    -
  • -
  • -

    - - cpu - - The number of CPU units to allocate to the ECS Service. -

    -
  • -
  • -

    - - create_route53_entry - - Set to true if you want a DNS record automatically created and pointed at the the load balancer for the ECS service -

    -
  • -
  • -

    - - custom_docker_command - - If var.use_custom_docker_run_command is set to true, set this variable to the custom docker run command you want to provide -

    -
  • -
  • -

    - - custom_ecs_service_role_name - - The name to use for the ECS Service IAM role, which is used to grant permissions to the ECS service to register the task IPs to ELBs. -

    -
  • -
  • -

    - - custom_iam_policy_prefix - - Prefix for name of the custom IAM policies created by this module (those resulting from var.iam_policy and var.secrets_access). If omitted, defaults to var.service_name. -

    -
  • -
  • -

    - - custom_iam_role_name_prefix - - Prefix for name of the IAM role used by the ECS task. -

    -
  • -
  • -

    - - custom_task_execution_iam_role_name_prefix - - Prefix for name of task execution IAM role and policy that grants access to CloudWatch and ECR. -

    -
  • -
  • -

    - - default_listener_arns - - A map of all the listeners on the load balancer. The keys should be the port numbers and the values should be the ARN of the listener for that port. -

    -
  • -
  • -

    - - default_listener_ports - - The default port numbers on the load balancer to attach listener rules to. You can override this default on a rule-by-rule basis by setting the listener_ports parameter in each rule. The port numbers specified in this variable and the listener_ports parameter must exist in var.listener_arns. -

    -
  • -
  • -

    - - dependencies - - Create a dependency between the resources in this module to the interpolated values in this list (and thus the source resources). In other words, the resources in this module will now depend on the resources backing the values in this list such that those resources need to be created before the resources in this module, and the resources in this module need to be destroyed before the resources in the list. -

    -
  • -
  • -

    - - deployment_check_loglevel - - Set the logging level of the deployment check script. You can set this to `error`, `warn`, or `info`, in increasing verbosity. -

    -
  • -
  • -

    - - deployment_check_timeout_seconds - - Seconds to wait before timing out each check for verifying ECS service deployment. See ecs_deploy_check_binaries for more details. -

    -
  • -
  • -

    - - deployment_circuit_breaker_enabled - - Set to 'true' to prevent the task from attempting to continuously redeploy after a failed health check. -

    -
  • -
  • -

    - - deployment_circuit_breaker_rollback - - Set to 'true' to also automatically roll back to the last successful deployment. deploy_circuit_breaker_enabled must also be true to enable this behavior. -

    -
  • -
  • -

    - - deployment_maximum_percent - - The upper limit, as a percentage of var.desired_number_of_tasks, of the number of running tasks that can be running in a service during a deployment. Setting this to more than 100 means that during deployment, ECS will deploy new instances of a Task before undeploying the old ones. -

    -
  • -
  • -

    - - deployment_minimum_healthy_percent - - The lower limit, as a percentage of var.desired_number_of_tasks, of the number of running tasks that must remain running and healthy in a service during a deployment. Setting this to less than 100 means that during deployment, ECS may undeploy old instances of a Task before deploying new ones. -

    -
  • -
  • -

    - - desired_number_of_canary_tasks - - How many instances of the ECS Service to run across the ECS cluster for a canary deployment. Typically, only 0 or 1 should be used. -

    -
  • -
  • -

    - - desired_number_of_tasks - - How many instances of the ECS Service to run across the ECS cluster -

    -
  • -
  • -

    - - domain_name - - The domain name to create a route 53 record for. This DNS record will point to the load balancer for the ECS service -

    -
  • -
  • -

    - - ecs_cluster_arn - - The ARN of the cluster to which the ecs service should be deployed. -

    -
  • -
  • -

    - - ecs_cluster_name - - The name of the ecs cluster to deploy the ecs service onto. -

    -
  • -
  • -

    - - ecs_instance_security_group_id - - The ID of the security group that should be applied to ecs service instances -

    -
  • -
  • -

    - - ecs_node_port_mappings - - A map of ports to be opened via security groups applied to the EC2 instances that back the ECS cluster, when not using fargate. The key should be the container port and the value should be what host port to map it to. -

    -
  • -
  • -

    - - efs_volumes - - (Optional) A map of EFS volumes that containers in your task may use. Each item in the list should be a map compatible with https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#efs-volume-configuration-arguments. -

    -
  • -
  • -

    - - elb_slow_start - - The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds. Only used if var.elb_target_groups is set. -

    -
  • -
  • -

    - - elb_target_group_deregistration_delay - - The amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. Only used if var.elb_target_groups is set. -

    -
  • -
  • -

    - - elb_target_group_vpc_id - - The ID of the VPC in which to create the target group. Only used if var.elb_target_groups is set. -

    -
  • -
  • -

    - - elb_target_groups - - Configurations for ELB target groups for ALBs and NLBs that should be associated with the ECS Tasks. Each entry corresponds to a separate target group. Set to the empty object ({}) if you are not using an ALB or NLB. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable Cloudwatch alarms on the ecs service instances -

    -
  • -
  • -

    - - enable_ecs_deployment_check - - Whether or not to enable the ECS deployment check binary to make terraform wait for the task to be deployed. See ecs_deploy_check_binaries for more details. You must install the companion binary before the check can be used. Refer to the README for more details. -

    -
  • -
  • -

    - - enable_execute_command - - Specifies whether to enable Amazon ECS Exec for the tasks within the service. -

    -
  • -
  • -

    - - enable_route53_health_check - - Set this to true to create a route 53 health check and Cloudwatch alarm that will alert if your domain becomes unreachable -

    -
  • -
  • -

    - - expose_ecs_service_to_other_ecs_nodes - - Set this to true to allow the ecs service to be accessed by other ecs nodes -

    -
  • -
  • -

    - - fixed_response_rules - - -

    -
  • -
  • -

    - - forward_rules - - -

    -
  • -
  • -

    - - health_check_enabled - - If true, enable health checks on the target group. Only applies to ELBv2. For CLBs, health checks are not configurable. -

    -
  • -
  • -

    - - health_check_grace_period_seconds - - Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2,147,483,647. Only valid for services configured to use load balancers. -

    -
  • -
  • -

    - - health_check_healthy_threshold - - The number of consecutive successful health checks required before considering an unhealthy Target healthy. The acceptable range is 2 to 10. -

    -
  • -
  • -

    - - health_check_interval - - The approximate amount of time, in seconds, between health checks of an individual Target. Minimum value 5 seconds, Maximum value 300 seconds. -

    -
  • -
  • -

    - - health_check_matcher - - The HTTP codes to use when checking for a successful response from a Target. You can specify multiple values (e.g. '200,202') or a range of values (e.g. '200-299'). Required when using ALBs. -

    -
  • -
  • -

    - - health_check_path - - The ping path that is the destination on the Targets for health checks. Required when using ALBs. -

    -
  • -
  • -

    - - health_check_port - - The port the ELB uses when performing health checks on Targets. The default is to use the port on which each target receives traffic from the load balancer, indicated by the value 'traffic-port'. -

    -
  • -
  • -

    - - health_check_timeout - - The amount of time, in seconds, during which no response from a Target means a failed health check. The acceptable range is 2 to 60 seconds. -

    -
  • -
  • -

    - - health_check_unhealthy_threshold - - The number of consecutive failed health checks required before considering a target unhealthy. The acceptable range is 2 to 10. For NLBs, this value must be the same as the health_check_healthy_threshold. -

    -
  • -
  • -

    - - high_cpu_utilization_period - - The period, in seconds, over which to measure the CPU utilization percentage -

    -
  • -
  • -

    - - high_cpu_utilization_threshold - - Trigger an alarm if the ECS Service has a CPU utilization percentage above this threshold -

    -
  • -
  • -

    - - high_memory_utilization_period - - The period, in seconds, over which to measure the memory utilization percentage -

    -
  • -
  • -

    - - high_memory_utilization_threshold - - Trigger an alarm if the ECS Service has a memory utilization percentage above this threshold -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the Route 53 hosted zone into which the Route 53 DNS record should be written -

    -
  • -
  • -

    - - iam_policy - - An object defining the policy to attach to the ECS task. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. -

    -
  • -
  • -

    - - launch_type - - The launch type of the ECS service. Must be one of EC2 or FARGATE. When using FARGATE, you must set the network mode to awsvpc and configure it. When using EC2, you can configure the placement strategy using the variables var.placement_strategy_type, var.placement_strategy_field, var.placement_constraint_type, var.placement_constraint_expression. This variable is ignored if var.capacity_provider_strategy is provided. -

    -
  • -
  • -

    - - lb_hosted_zone_id - - The ID of the Route 53 Hosted Zone in which to create a DNS A record pointed to the ECS service's load balancer -

    -
  • -
  • -

    - - max_number_of_tasks - - The maximum number of instances of the ECS Service to run. Auto scaling will never scale out above this number. -

    -
  • -
  • -

    - - memory - - How much memory, in MB, to give the ECS Service. -

    -
  • -
  • -

    - - min_number_of_tasks - - The minimum number of instances of the ECS Service to run. Auto scaling will never scale in below this number. -

    -
  • -
  • -

    - - network_configuration - - The configuration to use when setting up the VPC network mode. Required and only used if network_mode is awsvpc. -

    -
  • -
  • -

    - - network_mode - - The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If the network_mode is set to awsvpc, you must configure var.network_configuration. -

    -
  • -
  • -

    - - original_lb_dns_name - - The DNS name that was assigned by AWS to the load balancer upon creation -

    -
  • -
  • -

    - - placement_constraint_expression - - Cluster Query Language expression to apply to the constraint for matching. Does not need to be specified for the distinctInstance constraint type. -

    -
  • -
  • -

    - - placement_constraint_type - - The type of constraint to apply for container instance placement. The only valid values at this time are memberOf and distinctInstance. -

    -
  • -
  • -

    - - placement_strategy_field - - The field to apply the placement strategy against. For the spread placement strategy, valid values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone. For the binpack placement strategy, valid values are cpu and memory. For the random placement strategy, this field is not used. -

    -
  • -
  • -

    - - placement_strategy_type - - The strategy to use when placing ECS tasks on EC2 instances. Can be binpack (default), random, or spread. -

    -
  • -
  • -

    - - propagate_tags - - Whether tags should be propogated to the tasks from the service or from the task definition. Valid values are SERVICE and TASK_DEFINITION. Defaults to SERVICE. If set to null, no tags are created for tasks. -

    -
  • -
  • -

    - - proxy_configuration_container_name - - Use the name of the Envoy proxy container from `container_definitions` as the container name. -

    -
  • -
  • -

    - - proxy_configuration_properties - - A map of network configuration parameters to provide the Container Network Interface (CNI) plugin. -

    -
  • -
  • -

    - - redirect_rules - - -

    -
  • -
  • -

    - - route53_health_check_path - - The path, without any leading slash, that can be used as a health check (e.g. healthcheck) by Route 53. Should return a 200 OK when the service is up and running. -

    -
  • -
  • -

    - - route53_health_check_port - - The port to use for Route 53 health checks. This should be the port for the service that is available at the publicly accessible domain name (var.domain_name). -

    -
  • -
  • -

    - - route53_health_check_protocol - - The protocol to use for Route 53 health checks. Should be one of HTTP, HTTPS. -

    -
  • -
  • -

    - - secrets_access - - A list of ARNs of Secrets Manager secrets that the task should have permissions to read. The IAM role for the task will be granted `secretsmanager:GetSecretValue` for each secret in the list. The ARN can be either the complete ARN, including the randomly generated suffix, or the ARN without the suffix. If the latter, the module will look up the full ARN automatically. This is helpful in cases where you don't yet know the randomly generated suffix because the rest of the ARN is a predictable value. -

    -
  • -
  • -

    - - secrets_manager_arns - - A list of ARNs for Secrets Manager secrets that the ECS execution IAM policy should be granted access to read. Note that this is different from the ECS task IAM policy. The execution policy is concerned with permissions required to run the ECS task. -

    -
  • -
  • -

    - - secrets_manager_kms_key_arn - - The ARN of the kms key associated with secrets manager -

    -
  • -
  • -

    - - service_name - - The name of the ECS service (e.g. my-service-stage) -

    -
  • -
  • -

    - - service_tags - - A map of tags to apply to the ECS service. Each item in this list should be a map with the parameters key and value. -

    -
  • -
  • -

    - - task_cpu - - The CPU units for the instances that Fargate will spin up. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size. Required when using FARGATE launch type. -

    -
  • -
  • -

    - - task_definition_tags - - A map of tags to apply to the task definition. Each item in this list should be a map with the parameters key and value. -

    -
  • -
  • -

    - - task_memory - - The memory units for the instances that Fargate will spin up. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size. Required when using FARGATE launch type. -

    -
  • -
  • -

    - - use_alb_sticky_sessions - - If true, the ALB will use use Sticky Sessions as described at https://goo.gl/VLcNbk. Only used if var.elb_target_groups is set. Note that this can only be true when associating with an ALB. This cannot be used with CLBs or NLBs. -

    -
  • -
  • -

    - - use_auto_scaling - - Whether or not to enable auto scaling for the ecs service -

    -
  • -
  • -

    - - use_custom_docker_run_command - - Set this to true if you want to pass a custom docker run command. If you set this to true, you must supply var.custom_docker_command -

    -
  • -
  • -

    - - volumes - - (Optional) A map of volume blocks that containers in your task may use. The key should be the name of the volume and the value should be a map compatible with https://www.terraform.io/docs/providers/aws/r/ecs_task_definition.html#volume-block-arguments, but not including the name parameter. -

    -
  • -
-
- - - + + + + +* [**`alarm_sns_topic_arns`**](#alarm_sns_topic_arns) — A list of ARNs of the SNS topic(s) to write alarm events to + + + +* [**`alarm_sns_topic_arns_us_east_1`**](#alarm_sns_topic_arns_us_east_1) — A list of SNS topic ARNs to notify when the route53 health check changes to ALARM, OK, or [`INSUFFICIENT_DATA`](#INSUFFICIENT_DATA) state. Note: these SNS topics MUST be in us-east-1! This is because Route 53 only sends CloudWatch metrics to us-east-1, so we must create the alarm in that region, and therefore, can only notify SNS topics in that region + + + +* [**`alb_sticky_session_cookie_duration`**](#alb_sticky_session_cookie_duration) — The time period, in seconds, during which requests from a client should be routed to the same Target. After this time period expires, the load balancer-generated cookie is considered stale. The acceptable range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). Only used if [`elb_target_groups`](#elb_target_groups) is set. + + + +* [**`alb_sticky_session_type`**](#alb_sticky_session_type) — The type of Sticky Sessions to use. See https://goo.gl/MNwqNu for possible values. Only used if [`elb_target_groups`](#elb_target_groups) is set. + + + +* [**`canary_container_definitions`**](#canary_container_definitions) — List of container definitions to use for the canary ECS task. Each entry corresponds to a different ECS container definition. + + + +* [**`canary_version`**](#canary_version) — Which version of the ECS Service Docker container to deploy as a canary (e.g. 0.57) + + + +* [**`capacity_provider_strategy`**](#capacity_provider_strategy) — The capacity provider strategy to use for the service. Note that the capacity providers have to be present on the ECS cluster before deploying the ECS service. When provided, [`launch_type`](#launch_type) is ignored. 
+ + + +* [**`clb_container_name`**](#clb_container_name) — The name of the container, as it appears in the [`task_arn`](#task_arn) Task definition, to associate with a CLB. Currently, ECS can only associate a CLB with a single container per service. Only used if [`clb_name`](#clb_name) is set. + + + +* [**`clb_container_port`**](#clb_container_port) — The port on the container in [`clb_container_name`](#clb_container_name) to associate with an CLB. Currently, ECS can only associate a CLB with a single container per service. Only used if [`clb_name`](#clb_name) is set. + + + +* [**`clb_name`**](#clb_name) — The name of a Classic Load Balancer (CLB) to associate with this service. Containers in the service will automatically register with the CLB when booting up. Set to null if using ELBv2. + + + +* [**`cloudwatch_log_group_name`**](#cloudwatch_log_group_name) — The name for the Cloudwatch logs that will be generated by the ecs service + + + +* [**`container_definitions`**](#container_definitions) — List of container definitions to use for the ECS task. Each entry corresponds to a different ECS container definition. + + + +* [**`cpu`**](#cpu) — The number of CPU units to allocate to the ECS Service. + + + +* [**`create_route53_entry`**](#create_route53_entry) — Set to true if you want a DNS record automatically created and pointed at the the load balancer for the ECS service + + + +* [**`custom_docker_command`**](#custom_docker_command) — If [`use_custom_docker_run_command`](#use_custom_docker_run_command) is set to true, set this variable to the custom docker run command you want to provide + + + +* [**`custom_ecs_service_role_name`**](#custom_ecs_service_role_name) — The name to use for the ECS Service IAM role, which is used to grant permissions to the ECS service to register the task IPs to ELBs. 
+ + + +* [**`custom_iam_policy_prefix`**](#custom_iam_policy_prefix) — Prefix for name of the custom IAM policies created by this module (those resulting from [`iam_policy`](#iam_policy) and [`secrets_access`](#secrets_access)). If omitted, defaults to [`service_name`](#service_name). + + + +* [**`custom_iam_role_name_prefix`**](#custom_iam_role_name_prefix) — Prefix for name of the IAM role used by the ECS task. + + + +* [**`custom_task_execution_iam_role_name_prefix`**](#custom_task_execution_iam_role_name_prefix) — Prefix for name of task execution IAM role and policy that grants access to CloudWatch and ECR. + + + +* [**`default_listener_arns`**](#default_listener_arns) — A map of all the listeners on the load balancer. The keys should be the port numbers and the values should be the ARN of the listener for that port. + + + +* [**`default_listener_ports`**](#default_listener_ports) — The default port numbers on the load balancer to attach listener rules to. You can override this default on a rule-by-rule basis by setting the [`listener_ports`](#listener_ports) parameter in each rule. The port numbers specified in this variable and the [`listener_ports`](#listener_ports) parameter must exist in [`listener_arns`](#listener_arns). + + + +* [**`dependencies`**](#dependencies) — Create a dependency between the resources in this module to the interpolated values in this list (and thus the source resources). In other words, the resources in this module will now depend on the resources backing the values in this list such that those resources need to be created before the resources in this module, and the resources in this module need to be destroyed before the resources in the list. + + + +* [**`deployment_check_loglevel`**](#deployment_check_loglevel) — Set the logging level of the deployment check script. You can set this to `error`, `warn`, or `info`, in increasing verbosity. 
+ + + +* [**`deployment_check_timeout_seconds`**](#deployment_check_timeout_seconds) — Seconds to wait before timing out each check for verifying ECS service deployment. See [`ecs_deploy_check_binaries`](#ecs_deploy_check_binaries) for more details. + + + +* [**`deployment_circuit_breaker_enabled`**](#deployment_circuit_breaker_enabled) — Set to 'true' to prevent the task from attempting to continuously redeploy after a failed health check. + + + +* [**`deployment_circuit_breaker_rollback`**](#deployment_circuit_breaker_rollback) — Set to 'true' to also automatically roll back to the last successful deployment. [`deploy_circuit_breaker_enabled`](#deploy_circuit_breaker_enabled) must also be true to enable this behavior. + + + +* [**`deployment_maximum_percent`**](#deployment_maximum_percent) — The upper limit, as a percentage of [`desired_number_of_tasks`](#desired_number_of_tasks), of the number of running tasks that can be running in a service during a deployment. Setting this to more than 100 means that during deployment, ECS will deploy new instances of a Task before undeploying the old ones. + + + +* [**`deployment_minimum_healthy_percent`**](#deployment_minimum_healthy_percent) — The lower limit, as a percentage of [`desired_number_of_tasks`](#desired_number_of_tasks), of the number of running tasks that must remain running and healthy in a service during a deployment. Setting this to less than 100 means that during deployment, ECS may undeploy old instances of a Task before deploying new ones. + + + +* [**`desired_number_of_canary_tasks`**](#desired_number_of_canary_tasks) — How many instances of the ECS Service to run across the ECS cluster for a canary deployment. Typically, only 0 or 1 should be used. + + + +* [**`desired_number_of_tasks`**](#desired_number_of_tasks) — How many instances of the ECS Service to run across the ECS cluster + + + +* [**`domain_name`**](#domain_name) — The domain name to create a route 53 record for. 
This DNS record will point to the load balancer for the ECS service + + + +* [**`ecs_cluster_arn`**](#ecs_cluster_arn) — The ARN of the cluster to which the ecs service should be deployed. + + + +* [**`ecs_cluster_name`**](#ecs_cluster_name) — The name of the ecs cluster to deploy the ecs service onto. + + + +* [**`ecs_instance_security_group_id`**](#ecs_instance_security_group_id) — The ID of the security group that should be applied to ecs service instances + + + +* [**`ecs_node_port_mappings`**](#ecs_node_port_mappings) — A map of ports to be opened via security groups applied to the EC2 instances that back the ECS cluster, when not using fargate. The key should be the container port and the value should be what host port to map it to. + + + +* [**`efs_volumes`**](#efs_volumes) — (Optional) A map of EFS volumes that containers in your task may use. Each item in the list should be a map compatible with [`https://www.terraform.io/docs/providers/aws/r/ecs_task_definition`](#https://www.terraform.io/docs/providers/aws/r/ecs_task_definition).html#efs-volume-configuration-arguments. + + + +* [**`elb_slow_start`**](#elb_slow_start) — The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds. Only used if [`elb_target_groups`](#elb_target_groups) is set. + + + +* [**`elb_target_group_deregistration_delay`**](#elb_target_group_deregistration_delay) — The amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. Only used if [`elb_target_groups`](#elb_target_groups) is set. + + + +* [**`elb_target_group_vpc_id`**](#elb_target_group_vpc_id) — The ID of the VPC in which to create the target group. Only used if [`elb_target_groups`](#elb_target_groups) is set. 
+ + + +* [**`elb_target_groups`**](#elb_target_groups) — Configurations for ELB target groups for ALBs and NLBs that should be associated with the ECS Tasks. Each entry corresponds to a separate target group. Set to the empty object ({}) if you are not using an ALB or NLB. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable Cloudwatch alarms on the ecs service instances + + + +* [**`enable_ecs_deployment_check`**](#enable_ecs_deployment_check) — Whether or not to enable the ECS deployment check binary to make terraform wait for the task to be deployed. See [`ecs_deploy_check_binaries`](#ecs_deploy_check_binaries) for more details. You must install the companion binary before the check can be used. Refer to the README for more details. + + + +* [**`enable_execute_command`**](#enable_execute_command) — Specifies whether to enable Amazon ECS Exec for the tasks within the service. + + + +* [**`enable_route53_health_check`**](#enable_route53_health_check) — Set this to true to create a route 53 health check and Cloudwatch alarm that will alert if your domain becomes unreachable + + + +* [**`expose_ecs_service_to_other_ecs_nodes`**](#expose_ecs_service_to_other_ecs_nodes) — Set this to true to allow the ecs service to be accessed by other ecs nodes + + + +* [**`fixed_response_rules`**](#fixed_response_rules) — + + + +* [**`forward_rules`**](#forward_rules) — + + + +* [**`health_check_enabled`**](#health_check_enabled) — If true, enable health checks on the target group. Only applies to ELBv2. For CLBs, health checks are not configurable. + + + +* [**`health_check_grace_period_seconds`**](#health_check_grace_period_seconds) — Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2,147,483,647. Only valid for services configured to use load balancers. 
+ + + +* [**`health_check_healthy_threshold`**](#health_check_healthy_threshold) — The number of consecutive successful health checks required before considering an unhealthy Target healthy. The acceptable range is 2 to 10. + + + +* [**`health_check_interval`**](#health_check_interval) — The approximate amount of time, in seconds, between health checks of an individual Target. Minimum value 5 seconds, Maximum value 300 seconds. + + + +* [**`health_check_matcher`**](#health_check_matcher) — The HTTP codes to use when checking for a successful response from a Target. You can specify multiple values (e.g. '200,202') or a range of values (e.g. '200-299'). Required when using ALBs. + + + +* [**`health_check_path`**](#health_check_path) — The ping path that is the destination on the Targets for health checks. Required when using ALBs. + + + +* [**`health_check_port`**](#health_check_port) — The port the ELB uses when performing health checks on Targets. The default is to use the port on which each target receives traffic from the load balancer, indicated by the value 'traffic-port'. + + + +* [**`health_check_timeout`**](#health_check_timeout) — The amount of time, in seconds, during which no response from a Target means a failed health check. The acceptable range is 2 to 60 seconds. + + + +* [**`health_check_unhealthy_threshold`**](#health_check_unhealthy_threshold) — The number of consecutive failed health checks required before considering a target unhealthy. The acceptable range is 2 to 10. For NLBs, this value must be the same as the [`health_check_healthy_threshold`](#health_check_healthy_threshold). 
+ + + +* [**`high_cpu_utilization_period`**](#high_cpu_utilization_period) — The period, in seconds, over which to measure the CPU utilization percentage + + + +* [**`high_cpu_utilization_threshold`**](#high_cpu_utilization_threshold) — Trigger an alarm if the ECS Service has a CPU utilization percentage above this threshold + + + +* [**`high_memory_utilization_period`**](#high_memory_utilization_period) — The period, in seconds, over which to measure the memory utilization percentage + + + +* [**`high_memory_utilization_threshold`**](#high_memory_utilization_threshold) — Trigger an alarm if the ECS Service has a memory utilization percentage above this threshold + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the Route 53 hosted zone into which the Route 53 DNS record should be written + + + +* [**`iam_policy`**](#iam_policy) — An object defining the policy to attach to the ECS task. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. + + + +* [**`launch_type`**](#launch_type) — The launch type of the ECS service. Must be one of EC2 or FARGATE. When using FARGATE, you must set the network mode to awsvpc and configure it. When using EC2, you can configure the placement strategy using the variables [`placement_strategy_type`](#placement_strategy_type), [`placement_strategy_field`](#placement_strategy_field), [`placement_constraint_type`](#placement_constraint_type), [`placement_constraint_expression`](#placement_constraint_expression). This variable is ignored if [`capacity_provider_strategy`](#capacity_provider_strategy) is provided. + + + +* [**`lb_hosted_zone_id`**](#lb_hosted_zone_id) — The ID of the Route 53 Hosted Zone in which to create a DNS A record pointed to the ECS service's load balancer + + + +* [**`max_number_of_tasks`**](#max_number_of_tasks) — The maximum number of instances of the ECS Service to run. 
Auto scaling will never scale out above this number. + + + +* [**`memory`**](#memory) — How much memory, in MB, to give the ECS Service. + + + +* [**`min_number_of_tasks`**](#min_number_of_tasks) — The minimum number of instances of the ECS Service to run. Auto scaling will never scale in below this number. + + + +* [**`network_configuration`**](#network_configuration) — The configuration to use when setting up the VPC network mode. Required and only used if [`network_mode`](#network_mode) is awsvpc. + + + +* [**`network_mode`**](#network_mode) — The Docker networking mode to use for the containers in the task. The valid values are none, bridge, awsvpc, and host. If the [`network_mode`](#network_mode) is set to awsvpc, you must configure [`network_configuration`](#network_configuration). + + + +* [**`original_lb_dns_name`**](#original_lb_dns_name) — The DNS name that was assigned by AWS to the load balancer upon creation + + + +* [**`placement_constraint_expression`**](#placement_constraint_expression) — Cluster Query Language expression to apply to the constraint for matching. Does not need to be specified for the distinctInstance constraint type. + + + +* [**`placement_constraint_type`**](#placement_constraint_type) — The type of constraint to apply for container instance placement. The only valid values at this time are memberOf and distinctInstance. + + + +* [**`placement_strategy_field`**](#placement_strategy_field) — The field to apply the placement strategy against. For the spread placement strategy, valid values are instanceId (or host, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone. For the binpack placement strategy, valid values are cpu and memory. For the random placement strategy, this field is not used. + + + +* [**`placement_strategy_type`**](#placement_strategy_type) — The strategy to use when placing ECS tasks on EC2 instances. 
Can be binpack (default), random, or spread. + + + +* [**`propagate_tags`**](#propagate_tags) — Whether tags should be propogated to the tasks from the service or from the task definition. Valid values are SERVICE and [`TASK_DEFINITION`](#TASK_DEFINITION). Defaults to SERVICE. If set to null, no tags are created for tasks. + + + +* [**`proxy_configuration_container_name`**](#proxy_configuration_container_name) — Use the name of the Envoy proxy container from [``container_definitions`](#`container_definitions)` as the container name. + + + +* [**`proxy_configuration_properties`**](#proxy_configuration_properties) — A map of network configuration parameters to provide the Container Network Interface (CNI) plugin. + + + +* [**`redirect_rules`**](#redirect_rules) — + + + +* [**`route53_health_check_path`**](#route53_health_check_path) — The path, without any leading slash, that can be used as a health check (e.g. healthcheck) by Route 53. Should return a 200 OK when the service is up and running. + + + +* [**`route53_health_check_port`**](#route53_health_check_port) — The port to use for Route 53 health checks. This should be the port for the service that is available at the publicly accessible domain name [`(var.domain_name`](#(var.domain_name)). + + + +* [**`route53_health_check_protocol`**](#route53_health_check_protocol) — The protocol to use for Route 53 health checks. Should be one of HTTP, HTTPS. + + + +* [**`secrets_access`**](#secrets_access) — A list of ARNs of Secrets Manager secrets that the task should have permissions to read. The IAM role for the task will be granted `secretsmanager:GetSecretValue` for each secret in the list. The ARN can be either the complete ARN, including the randomly generated suffix, or the ARN without the suffix. If the latter, the module will look up the full ARN automatically. This is helpful in cases where you don't yet know the randomly generated suffix because the rest of the ARN is a predictable value. 
+ + + +* [**`secrets_manager_arns`**](#secrets_manager_arns) — A list of ARNs for Secrets Manager secrets that the ECS execution IAM policy should be granted access to read. Note that this is different from the ECS task IAM policy. The execution policy is concerned with permissions required to run the ECS task. + + + +* [**`secrets_manager_kms_key_arn`**](#secrets_manager_kms_key_arn) — The ARN of the kms key associated with secrets manager + + + +* [**`service_name`**](#service_name) — The name of the ECS service (e.g. my-service-stage) + + + +* [**`service_tags`**](#service_tags) — A map of tags to apply to the ECS service. Each item in this list should be a map with the parameters key and value. + + + +* [**`task_cpu`**](#task_cpu) — The CPU units for the instances that Fargate will spin up. Options here: [`https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate`](#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate).html#fargate-tasks-size. Required when using FARGATE launch type. + + + +* [**`task_definition_tags`**](#task_definition_tags) — A map of tags to apply to the task definition. Each item in this list should be a map with the parameters key and value. + + + +* [**`task_memory`**](#task_memory) — The memory units for the instances that Fargate will spin up. Options here: [`https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate`](#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate).html#fargate-tasks-size. Required when using FARGATE launch type. + + + +* [**`use_alb_sticky_sessions`**](#use_alb_sticky_sessions) — If true, the ALB will use use Sticky Sessions as described at https://goo.gl/VLcNbk. Only used if [`elb_target_groups`](#elb_target_groups) is set. Note that this can only be true when associating with an ALB. This cannot be used with CLBs or NLBs. 
+ + + +* [**`use_auto_scaling`**](#use_auto_scaling) — Whether or not to enable auto scaling for the ecs service + + + +* [**`use_custom_docker_run_command`**](#use_custom_docker_run_command) — Set this to true if you want to pass a custom docker run command. If you set this to true, you must supply [`custom_docker_command`](#custom_docker_command) + + + +* [**`volumes`**](#volumes) — (Optional) A map of volume blocks that containers in your task may use. The key should be the name of the volume and the value should be a map compatible with [`https://www.terraform.io/docs/providers/aws/r/ecs_task_definition`](#https://www.terraform.io/docs/providers/aws/r/ecs_task_definition).html#volume-block-arguments, but not including the name parameter. + + + + + + +* [**`all_metric_widgets`**](#all_metric_widgets) — A list of all the CloudWatch Dashboard metric widgets available in this module. + + + +* [**`aws_ecs_task_definition_arn`**](#aws_ecs_task_definition_arn) — The ARN of the ECS task definition + + + +* [**`aws_ecs_task_definition_canary_arn`**](#aws_ecs_task_definition_canary_arn) — The ARN of the canary ECS task definition + + + +* [**`canary_service_arn`**](#canary_service_arn) — The ARN of the canary service. Canary services are optional and can be helpful when you're attempting to verify a release candidate + + + +* [**`capacity_provider_strategy`**](#capacity_provider_strategy) — The capacity provider strategy determines how infrastructure (such as EC2 instances or Fargate) that backs your ECS service is managed. 
See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-capacity-providers.html for more information + + + +* [**`ecs_node_port_mappings`**](#ecs_node_port_mappings) — A map representing the instance host and container ports that should be opened + + + +* [**`ecs_task_execution_iam_role_arn`**](#ecs_task_execution_iam_role_arn) — The ARN of the ECS task's IAM role + + + +* [**`ecs_task_execution_iam_role_name`**](#ecs_task_execution_iam_role_name) — The name of the ECS task execution IAM role. The execution role is used by the ECS container agent to make calls to the ECS API, pull container images from ECR, use the logs driver, etc + + + +* [**`ecs_task_iam_role_arn`**](#ecs_task_iam_role_arn) — The ARN of the IAM role associated with the ECS task + + + +* [**`ecs_task_iam_role_name`**](#ecs_task_iam_role_name) — The name of the IAM role granting permissions to the running ECS task itself. Note this role is separate from the execution role which is assumed by the ECS container agent + + + +* [**`metric_widget_ecs_service_cpu_usage`**](#metric_widget_ecs_service_cpu_usage) — The metric widget for the ECS service's CPU usage + + + +* [**`metric_widget_ecs_service_memory_usage`**](#metric_widget_ecs_service_memory_usage) — The metric widget for the ECS service's memory usage + + + +* [**`route53_domain_name`**](#route53_domain_name) — The domain name of the optional route53 record, which points at the load balancer for the ECS service + + + +* [**`service_app_autoscaling_target_arn`**](#service_app_autoscaling_target_arn) — The ARN of the app autoscaling target + + + +* [**`service_app_autoscaling_target_resource_id`**](#service_app_autoscaling_target_resource_id) — The resource ID of the autoscaling target + + + +* [**`service_arn`**](#service_arn) — The ARN of the ECS service + + + +* [**`service_iam_role_arn`**](#service_iam_role_arn) — The ARN of the service role associated with the ELB of the ECS service + + + +* 
[**`service_iam_role_name`**](#service_iam_role_name) — The name of the service role associated with the ELB of the ECS service + + + +* [**`target_group_arns`**](#target_group_arns) — The ARNs of the ECS service's load balancer's target groups + + + +* [**`target_group_names`**](#target_group_names) — The names of the ECS service's load balancer's target groups + +
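Review bot: the variable-linking pass that rewrote these descriptions into `[**name**](#name)` form is also matching tokens that are not input variables on this page, so several of the anchors added in this hunk are broken. In `proxy_configuration_container_name` the link for `container_definitions` carries the surrounding backticks into both the link text and the `#` target; in `route53_health_check_port` the link is built from `(var.domain_name`, keeping the opening parenthesis and the `var.` prefix inside the anchor; in `propagate_tags` the enum value `TASK_DEFINITION` is linked as if it were a variable; and in `task_cpu`, `task_memory` and `volumes` the AWS and Terraform docs URLs were turned into `#https://...` fragment links that point nowhere, with the `.html#...` tail of the real URL left dangling outside the link. Suggest restricting the matcher to bare identifiers that appear as entries in this page's own inputs/outputs list, treating `(`, the backtick and `var.` as non-word characters, and leaving absolute URLs as ordinary external links. Worth fixing in the same pass since the lines are being rewritten anyway: `redirect_rules` has an empty description; `propogated` should be `propagated`; `ecs_task_execution_iam_role_arn` is described as "The ARN of the ECS task's IAM role", which is the task role (`ecs_task_iam_role_arn`) wording and should say execution role to match `ecs_task_execution_iam_role_name`, since the two roles carry different permissions and readers copying the wrong ARN into a policy will grant the wrong principal; and `use_alb_sticky_sessions` still sends readers to a `goo.gl` shortlink, which should be replaced with the full AWS documentation URL so the target can be inspected before it is followed.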
diff --git a/docs/reference/services/app-orchestration/amazon-eks-core-services.md b/docs/reference/services/app-orchestration/amazon-eks-core-services.md index e0da32c4d..45e583ef2 100644 --- a/docs/reference/services/app-orchestration/amazon-eks-core-services.md +++ b/docs/reference/services/app-orchestration/amazon-eks-core-services.md @@ -10,383 +10,223 @@ Deploy core administrative applications on top of Amazon EC2 Kubernetes Service ### Reference - -
    - -
  • -

    - - alb_ingress_controller_pod_node_affinity - - Configure affinity rules for the ALB Ingress Controller Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. -

    -
  • -
  • -

    - - alb_ingress_controller_pod_tolerations - - Configure tolerations rules to allow the ALB Ingress Controller Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. -

    -
  • -
  • -

    - - autoscaler_down_delay_after_add - - Minimum time to wait after a scale up event before any node is considered for scale down. -

    -
  • -
  • -

    - - autoscaler_scale_down_unneeded_time - - Minimum time to wait since the node became unused before the node is considered for scale down by the autoscaler. -

    -
  • -
  • -

    - - autoscaler_skip_nodes_with_local_storage - - If true cluster autoscaler will never delete nodes with pods with local storage, e.g. EmptyDir or HostPath -

    -
  • -
  • -

    - - aws_region - - The AWS region in which all resources will be created -

    -
  • -
  • -

    - - cluster_autoscaler_pod_annotations - - Annotations to apply to the cluster autoscaler pod(s), as key value pairs. -

    -
  • -
  • -

    - - cluster_autoscaler_pod_labels - - Labels to apply to the cluster autoscaler pod(s), as key value pairs. -

    -
  • -
  • -

    - - cluster_autoscaler_pod_node_affinity - - Configure affinity rules for the cluster-autoscaler Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. -

    -
  • -
  • -

    - - cluster_autoscaler_pod_resources - - Pod resource requests and limits to use. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. -

    -
  • -
  • -

    - - cluster_autoscaler_pod_tolerations - - Configure tolerations rules to allow the cluster-autoscaler Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. -

    -
  • -
  • -

    - - cluster_autoscaler_release_name - - The name to use for the helm release for cluster-autoscaler. This is useful to force a redeployment of the cluster-autoscaler component. -

    -
  • -
  • -

    - - cluster_autoscaler_repository - - Which docker repository to use to install the cluster autoscaler. Check the following link for valid repositories to use https://github.com/kubernetes/autoscaler/releases -

    -
  • -
  • -

    - - cluster_autoscaler_scaling_strategy - - Specifies an 'expander' for the cluster autoscaler. This helps determine which ASG to scale when additional resource capacity is needed. -

    -
  • -
  • -

    - - cluster_autoscaler_version - - Which version of the cluster autoscaler to install. This should match the major/minor version (e.g., v1.20) of your Kubernetes Installation. See https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases for a list of versions. -

    -
  • -
  • -

    - - eks_cluster_name - - The name of the EKS cluster where the core services will be deployed into. -

    -
  • -
  • -

    - - eks_iam_role_for_service_accounts_config - - Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: `openid_connect_provider_arn` and `openid_connect_provider_url`. The `openid_connect_provider_arn` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while `openid_connect_provider_url` is the URL. Set to null if you do not wish to use IAM role with Service Accounts. -

    -
  • -
  • -

    - - enable_alb_ingress_controller - - Whether or not to enable the AWS LB Ingress controller. -

    -
  • -
  • -

    - - enable_cluster_autoscaler - - Whether or not to enable cluster-autoscaler for Autoscaling EKS worker nodes. -

    -
  • -
  • -

    - - enable_external_dns - - Whether or not to enable external-dns for DNS entry syncing with Route 53 for Services and Ingresses. -

    -
  • -
  • -

    - - enable_fargate_fluent_bit - - Whether or not to enable fluent-bit on EKS Fargate workers for log aggregation. -

    -
  • -
  • -

    - - enable_fluent_bit - - Whether or not to enable fluent-bit for log aggregation. -

    -
  • -
  • -

    - - external_dns_pod_node_affinity - - Configure affinity rules for the external-dns Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. -

    -
  • -
  • -

    - - external_dns_pod_tolerations - - Configure tolerations rules to allow the external-dns Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. -

    -
  • -
  • -

    - - external_dns_route53_hosted_zone_domain_filters - - Only create records in hosted zones that match the provided domain names. Empty list (default) means match all zones. Zones must satisfy all three constraints (var.external_dns_route53_hosted_zone_tag_filters, var.external_dns_route53_hosted_zone_id_filters, and var.external_dns_route53_hosted_zone_domain_filters). -

    -
  • -
  • -

    - - external_dns_route53_hosted_zone_id_filters - - Only create records in hosted zones that match the provided IDs. Empty list (default) means match all zones. Zones must satisfy all three constraints (var.external_dns_route53_hosted_zone_tag_filters, var.external_dns_route53_hosted_zone_id_filters, and var.external_dns_route53_hosted_zone_domain_filters). -

    -
  • -
  • -

    - - external_dns_route53_hosted_zone_tag_filters - - Only create records in hosted zones that match the provided tags. Each item in the list should specify tag key and tag value as a map. Empty list (default) means match all zones. Zones must satisfy all three constraints (var.external_dns_route53_hosted_zone_tag_filters, var.external_dns_route53_hosted_zone_id_filters, and var.external_dns_route53_hosted_zone_domain_filters). -

    -
  • -
  • -

    - - external_dns_sources - - K8s resources type to be observed for new DNS entries by ExternalDNS. -

    -
  • -
  • -

    - - fargate_fluent_bit_execution_iam_role_arns - - List of ARNs of Fargate execution IAM Roles that should get permissions to ship logs using fluent-bit. This must be provided if enable_fargate_fluent_bit is true. -

    -
  • -
  • -

    - - fargate_fluent_bit_extra_filters - - Additional filters that fluent-bit should apply to log output. This string should be formatted according to the Fluent-bit docs (https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter). -

    -
  • -
  • -

    - - fargate_fluent_bit_extra_parsers - - Additional parsers that fluent-bit should export logs to. This string should be formatted according to the Fluent-bit docs (https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output). -

    -
  • -
  • -

    - - fargate_fluent_bit_log_stream_prefix - - Prefix string to use for the CloudWatch Log Stream that gets created for each Fargate pod. -

    -
  • -
  • -

    - - fargate_worker_disallowed_availability_zones - - A list of availability zones in the region that we CANNOT use to deploy the EKS Fargate workers. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. -

    -
  • -
  • -

    - - fluent_bit_extra_filters - - Additional filters that fluent-bit should apply to log output. This string should be formatted according to the Fluent-bit docs (https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter). -

    -
  • -
  • -

    - - fluent_bit_extra_outputs - - Additional output streams that fluent-bit should export logs to. This string should be formatted according to the Fluent-bit docs (https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output). -

    -
  • -
  • -

    - - fluent_bit_log_group_already_exists - - If set to true, that means that the CloudWatch Log Group fluent-bit should use for streaming logs already exists and does not need to be created. -

    -
  • -
  • -

    - - fluent_bit_log_group_name - - Name of the CloudWatch Log Group fluent-bit should use to stream logs to. When null (default), uses the eks_cluster_name as the Log Group name. -

    -
  • -
  • -

    - - fluent_bit_log_group_retention - - number of days to retain log events. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. Select 0 to never expire. -

    -
  • -
  • -

    - - fluent_bit_log_stream_prefix - - Prefix string to use for the CloudWatch Log Stream that gets created for each pod. When null (default), the prefix is set to 'fluentbit'. -

    -
  • -
  • -

    - - fluent_bit_pod_node_affinity - - Configure affinity rules for the fluent-bit Pods to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. -

    -
  • -
  • -

    - - fluent_bit_pod_tolerations - - Configure tolerations rules to allow the fluent-bit Pods to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. -

    -
  • -
  • -

    - - pod_execution_iam_role_arn - - ARN of IAM Role to use as the Pod execution role for Fargate. Required if any of the services are being scheduled on Fargate. Set to null if none of the Pods are being scheduled on Fargate. -

    -
  • -
  • -

    - - route53_record_update_policy - - Policy for how DNS records are sychronized between sources and providers (options: sync, upsert-only). -

    -
  • -
  • -

    - - schedule_alb_ingress_controller_on_fargate - - When true, the ALB ingress controller pods will be scheduled on Fargate. -

    -
  • -
  • -

    - - schedule_cluster_autoscaler_on_fargate - - When true, the cluster autoscaler pods will be scheduled on Fargate. It is recommended to run the cluster autoscaler on Fargate to avoid the autoscaler scaling down a node where it is running (and thus shutting itself down during a scale down event). However, since Fargate is only supported on a handful of regions, we don't default to true here. -

    -
  • -
  • -

    - - schedule_external_dns_on_fargate - - When true, the external-dns pods will be scheduled on Fargate. -

    -
  • -
  • -

    - - service_dns_mappings - - Configure Kubernetes Services to lookup external DNS records. This can be useful to bind friendly internal service names to domains (e.g. the RDS database endpoint). -

    -
  • -
  • -

    - - use_exec_plugin_for_auth - - If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. -

    -
  • -
  • -

    - - use_kubergrunt_to_fetch_token - - EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC where the EKS cluster is deployed. -

    -
  • -
  • -

    - - worker_vpc_subnet_ids - - The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. Required if any of the services are being scheduled on Fargate. Set to empty list if none of the Pods are being scheduled on Fargate. -

    -
  • -
-
- - - + + + + +* [**`alb_ingress_controller_pod_node_affinity`**](#alb_ingress_controller_pod_node_affinity) — Configure affinity rules for the ALB Ingress Controller Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. + + + +* [**`alb_ingress_controller_pod_tolerations`**](#alb_ingress_controller_pod_tolerations) — Configure tolerations rules to allow the ALB Ingress Controller Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. + + + +* [**`autoscaler_down_delay_after_add`**](#autoscaler_down_delay_after_add) — Minimum time to wait after a scale up event before any node is considered for scale down. + + + +* [**`autoscaler_scale_down_unneeded_time`**](#autoscaler_scale_down_unneeded_time) — Minimum time to wait since the node became unused before the node is considered for scale down by the autoscaler. + + + +* [**`autoscaler_skip_nodes_with_local_storage`**](#autoscaler_skip_nodes_with_local_storage) — If true cluster autoscaler will never delete nodes with pods with local storage, e.g. EmptyDir or HostPath + + + +* [**`aws_region`**](#aws_region) — The AWS region in which all resources will be created + + + +* [**`cluster_autoscaler_pod_annotations`**](#cluster_autoscaler_pod_annotations) — Annotations to apply to the cluster autoscaler pod(s), as key value pairs. + + + +* [**`cluster_autoscaler_pod_labels`**](#cluster_autoscaler_pod_labels) — Labels to apply to the cluster autoscaler pod(s), as key value pairs. + + + +* [**`cluster_autoscaler_pod_node_affinity`**](#cluster_autoscaler_pod_node_affinity) — Configure affinity rules for the cluster-autoscaler Pod to control which nodes to schedule on. 
Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. + + + +* [**`cluster_autoscaler_pod_resources`**](#cluster_autoscaler_pod_resources) — Pod resource requests and limits to use. Refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. + + + +* [**`cluster_autoscaler_pod_tolerations`**](#cluster_autoscaler_pod_tolerations) — Configure tolerations rules to allow the cluster-autoscaler Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. + + + +* [**`cluster_autoscaler_release_name`**](#cluster_autoscaler_release_name) — The name to use for the helm release for cluster-autoscaler. This is useful to force a redeployment of the cluster-autoscaler component. + + + +* [**`cluster_autoscaler_repository`**](#cluster_autoscaler_repository) — Which docker repository to use to install the cluster autoscaler. Check the following link for valid repositories to use https://github.com/kubernetes/autoscaler/releases + + + +* [**`cluster_autoscaler_scaling_strategy`**](#cluster_autoscaler_scaling_strategy) — Specifies an 'expander' for the cluster autoscaler. This helps determine which ASG to scale when additional resource capacity is needed. + + + +* [**`cluster_autoscaler_version`**](#cluster_autoscaler_version) — Which version of the cluster autoscaler to install. This should match the major/minor version (e.g., v1.20) of your Kubernetes Installation. See https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases for a list of versions. + + + +* [**`eks_cluster_name`**](#eks_cluster_name) — The name of the EKS cluster where the core services will be deployed into. 
+ + + +* [**`eks_iam_role_for_service_accounts_config`**](#eks_iam_role_for_service_accounts_config) — Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` and [``openid_connect_provider_url`](#`openid_connect_provider_url)`. The [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while [``openid_connect_provider_url`](#`openid_connect_provider_url)` is the URL. Set to null if you do not wish to use IAM role with Service Accounts. + + + +* [**`enable_alb_ingress_controller`**](#enable_alb_ingress_controller) — Whether or not to enable the AWS LB Ingress controller. + + + +* [**`enable_cluster_autoscaler`**](#enable_cluster_autoscaler) — Whether or not to enable cluster-autoscaler for Autoscaling EKS worker nodes. + + + +* [**`enable_external_dns`**](#enable_external_dns) — Whether or not to enable external-dns for DNS entry syncing with Route 53 for Services and Ingresses. + + + +* [**`enable_fargate_fluent_bit`**](#enable_fargate_fluent_bit) — Whether or not to enable fluent-bit on EKS Fargate workers for log aggregation. + + + +* [**`enable_fluent_bit`**](#enable_fluent_bit) — Whether or not to enable fluent-bit for log aggregation. + + + +* [**`external_dns_pod_node_affinity`**](#external_dns_pod_node_affinity) — Configure affinity rules for the external-dns Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. + + + +* [**`external_dns_pod_tolerations`**](#external_dns_pod_tolerations) — Configure tolerations rules to allow the external-dns Pod to schedule on nodes that have been tainted. 
Each item in the list specifies a toleration rule. + + + +* [**`external_dns_route53_hosted_zone_domain_filters`**](#external_dns_route53_hosted_zone_domain_filters) — Only create records in hosted zones that match the provided domain names. Empty list (default) means match all zones. Zones must satisfy all three constraints [`(var.external_dns_route53_hosted_zone_tag_filters`](#(var.external_dns_route53_hosted_zone_tag_filters), [`external_dns_route53_hosted_zone_id_filters`](#external_dns_route53_hosted_zone_id_filters), and [`external_dns_route53_hosted_zone_domain_filters`](#external_dns_route53_hosted_zone_domain_filters)). + + + +* [**`external_dns_route53_hosted_zone_id_filters`**](#external_dns_route53_hosted_zone_id_filters) — Only create records in hosted zones that match the provided IDs. Empty list (default) means match all zones. Zones must satisfy all three constraints [`(var.external_dns_route53_hosted_zone_tag_filters`](#(var.external_dns_route53_hosted_zone_tag_filters), [`external_dns_route53_hosted_zone_id_filters`](#external_dns_route53_hosted_zone_id_filters), and [`external_dns_route53_hosted_zone_domain_filters`](#external_dns_route53_hosted_zone_domain_filters)). + + + +* [**`external_dns_route53_hosted_zone_tag_filters`**](#external_dns_route53_hosted_zone_tag_filters) — Only create records in hosted zones that match the provided tags. Each item in the list should specify tag key and tag value as a map. Empty list (default) means match all zones. Zones must satisfy all three constraints [`(var.external_dns_route53_hosted_zone_tag_filters`](#(var.external_dns_route53_hosted_zone_tag_filters), [`external_dns_route53_hosted_zone_id_filters`](#external_dns_route53_hosted_zone_id_filters), and [`external_dns_route53_hosted_zone_domain_filters`](#external_dns_route53_hosted_zone_domain_filters)). + + + +* [**`external_dns_sources`**](#external_dns_sources) — K8s resources type to be observed for new DNS entries by ExternalDNS. 
+ + + +* [**`fargate_fluent_bit_execution_iam_role_arns`**](#fargate_fluent_bit_execution_iam_role_arns) — List of ARNs of Fargate execution IAM Roles that should get permissions to ship logs using fluent-bit. This must be provided if [`enable_fargate_fluent_bit`](#enable_fargate_fluent_bit) is true. + + + +* [**`fargate_fluent_bit_extra_filters`**](#fargate_fluent_bit_extra_filters) — Additional filters that fluent-bit should apply to log output. This string should be formatted according to the Fluent-bit docs [`(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter`](#(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter)). + + + +* [**`fargate_fluent_bit_extra_parsers`**](#fargate_fluent_bit_extra_parsers) — Additional parsers that fluent-bit should export logs to. This string should be formatted according to the Fluent-bit docs [`(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output`](#(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output)). + + + +* [**`fargate_fluent_bit_log_stream_prefix`**](#fargate_fluent_bit_log_stream_prefix) — Prefix string to use for the CloudWatch Log Stream that gets created for each Fargate pod. + + + +* [**`fargate_worker_disallowed_availability_zones`**](#fargate_worker_disallowed_availability_zones) — A list of availability zones in the region that we CANNOT use to deploy the EKS Fargate workers. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. + + + +* [**`fluent_bit_extra_filters`**](#fluent_bit_extra_filters) — Additional filters that fluent-bit should apply to log output. 
This string should be formatted according to the Fluent-bit docs [`(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter`](#(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter)). + + + +* [**`fluent_bit_extra_outputs`**](#fluent_bit_extra_outputs) — Additional output streams that fluent-bit should export logs to. This string should be formatted according to the Fluent-bit docs [`(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output`](#(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_output)). + + + +* [**`fluent_bit_log_group_already_exists`**](#fluent_bit_log_group_already_exists) — If set to true, that means that the CloudWatch Log Group fluent-bit should use for streaming logs already exists and does not need to be created. + + + +* [**`fluent_bit_log_group_name`**](#fluent_bit_log_group_name) — Name of the CloudWatch Log Group fluent-bit should use to stream logs to. When null (default), uses the [`eks_cluster_name`](#eks_cluster_name) as the Log Group name. + + + +* [**`fluent_bit_log_group_retention`**](#fluent_bit_log_group_retention) — number of days to retain log events. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. Select 0 to never expire. + + + +* [**`fluent_bit_log_stream_prefix`**](#fluent_bit_log_stream_prefix) — Prefix string to use for the CloudWatch Log Stream that gets created for each pod. When null (default), the prefix is set to 'fluentbit'. + + + +* [**`fluent_bit_pod_node_affinity`**](#fluent_bit_pod_node_affinity) — Configure affinity rules for the fluent-bit Pods to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. 
Note that all expressions must be satisfied to schedule on the node. + + + +* [**`fluent_bit_pod_tolerations`**](#fluent_bit_pod_tolerations) — Configure tolerations rules to allow the fluent-bit Pods to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. + + + +* [**`pod_execution_iam_role_arn`**](#pod_execution_iam_role_arn) — ARN of IAM Role to use as the Pod execution role for Fargate. Required if any of the services are being scheduled on Fargate. Set to null if none of the Pods are being scheduled on Fargate. + + + +* [**`route53_record_update_policy`**](#route53_record_update_policy) — Policy for how DNS records are sychronized between sources and providers (options: sync, upsert-only). + + + +* [**`schedule_alb_ingress_controller_on_fargate`**](#schedule_alb_ingress_controller_on_fargate) — When true, the ALB ingress controller pods will be scheduled on Fargate. + + + +* [**`schedule_cluster_autoscaler_on_fargate`**](#schedule_cluster_autoscaler_on_fargate) — When true, the cluster autoscaler pods will be scheduled on Fargate. It is recommended to run the cluster autoscaler on Fargate to avoid the autoscaler scaling down a node where it is running (and thus shutting itself down during a scale down event). However, since Fargate is only supported on a handful of regions, we don't default to true here. + + + +* [**`schedule_external_dns_on_fargate`**](#schedule_external_dns_on_fargate) — When true, the external-dns pods will be scheduled on Fargate. + + + +* [**`service_dns_mappings`**](#service_dns_mappings) — Configure Kubernetes Services to lookup external DNS records. This can be useful to bind friendly internal service names to domains (e.g. the RDS database endpoint). + + + +* [**`use_exec_plugin_for_auth`**](#use_exec_plugin_for_auth) — If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. 
This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the [`use_kubergrunt_to_fetch_token`](#use_kubergrunt_to_fetch_token) input variable to control whether kubergrunt or aws is used to fetch tokens. + + + +* [**`use_kubergrunt_to_fetch_token`**](#use_kubergrunt_to_fetch_token) — EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if [`use_exec_plugin_for_auth`](#use_exec_plugin_for_auth) is set to true. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC where the EKS cluster is deployed. + + + +* [**`worker_vpc_subnet_ids`**](#worker_vpc_subnet_ids) — The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. Required if any of the services are being scheduled on Fargate. Set to empty list if none of the Pods are being scheduled on Fargate. + + + + + + +* [**`container_logs_cloudwatch_log_group_name`**](#container_logs_cloudwatch_log_group_name) — Name of the CloudWatch Log Group used to store the container logs. + +
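Review bot: The two Fluent Bit documentation URLs in the `fluent_bit_extra_filters` and `fluent_bit_extra_outputs` bullets have been rewritten into in-page anchors, `[`(https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter`](#(https://docs.fluentbit.io/...#config_filter))` and the same shape for `#config_output`, which renders as a dead link to `#(https://...` and loses the external target. Suggest keeping these as plain external links, e.g. `[Fluent Bit `config_filter` docs](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/configuration-file#config_filter)`, and excluding anything starting with `http://` or `https://` from the pass that turns backticked identifiers into `#anchor` links. While this text is being touched, the `route53_record_update_policy` description still reads "sychronized"; it should be "synchronized".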
diff --git a/docs/reference/services/app-orchestration/amazon-eks-workers.md b/docs/reference/services/app-orchestration/amazon-eks-workers.md index d70097f4d..127a2a3a3 100644 --- a/docs/reference/services/app-orchestration/amazon-eks-workers.md +++ b/docs/reference/services/app-orchestration/amazon-eks-workers.md @@ -10,600 +10,347 @@ Deploy EC2 instances as Kubernetes workers for Amazon Elastic Kubernetes Service ### Reference - -
    - -
  • -

    - - additional_security_groups_for_workers - - A list of additional security group IDs to be attached on worker groups. -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_inbound_ssh_from_cidr_blocks - - The list of CIDR blocks to allow inbound SSH access to the worker groups. -

    -
  • -
  • -

    - - allow_inbound_ssh_from_security_groups - - The list of security group IDs to allow inbound SSH access to the worker groups. -

    -
  • -
  • -

    - - asg_custom_iam_role_name - - Custom name for the IAM role for the Self-managed workers. When null, a default name based on worker_name_prefix will be used. One of asg_custom_iam_role_name and asg_iam_role_arn is required (must be non-null) if asg_iam_role_already_exists is true. -

    -
  • -
  • -

    - - asg_default_instance_root_volume_encryption - - Default value for the asg_instance_root_volume_encryption field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_encryption will use this value. -

    -
  • -
  • -

    - - asg_default_instance_root_volume_size - - Default value for the asg_instance_root_volume_size field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_size will use this value. -

    -
  • -
  • -

    - - asg_default_instance_root_volume_type - - Default value for the asg_instance_root_volume_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_type will use this value. -

    -
  • -
  • -

    - - asg_default_instance_type - - Default value for the asg_instance_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_type will use this value. -

    -
  • -
  • -

    - - asg_default_max_size - - Default value for the max_size field of autoscaling_group_configurations. Any map entry that does not specify max_size will use this value. -

    -
  • -
  • -

    - - asg_default_min_size - - Default value for the min_size field of autoscaling_group_configurations. Any map entry that does not specify min_size will use this value. -

    -
  • -
  • -

    - - asg_default_multi_instance_overrides - - Default value for the multi_instance_overrides field of autoscaling_group_configurations. Any map entry that does not specify multi_instance_overrides will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_allocation_strategy - - Default value for the on_demand_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify on_demand_allocation_strategy will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_base_capacity - - Default value for the on_demand_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_base_capacity will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_percentage_above_base_capacity - - Default value for the on_demand_percentage_above_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_percentage_above_base_capacity will use this value. -

    -
  • -
  • -

    - - asg_default_spot_allocation_strategy - - Default value for the spot_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify spot_allocation_strategy will use this value. -

    -
  • -
  • -

    - - asg_default_spot_instance_pools - - Default value for the spot_instance_pools field of autoscaling_group_configurations. Any map entry that does not specify spot_instance_pools will use this value. -

    -
  • -
  • -

    - - asg_default_spot_max_price - - Default value for the spot_max_price field of autoscaling_group_configurations. Any map entry that does not specify spot_max_price will use this value. Set to empty string (default) to mean on-demand price. -

    -
  • -
  • -

    - - asg_default_tags - - Default value for the tags field of autoscaling_group_configurations. Any map entry that does not specify tags will use this value. -

    -
  • -
  • -

    - - asg_default_use_multi_instances_policy - - Default value for the use_multi_instances_policy field of autoscaling_group_configurations. Any map entry that does not specify use_multi_instances_policy will use this value. -

    -
  • -
  • -

    - - asg_iam_instance_profile_name - - Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If var.asg_use_resource_name_prefix is true, this will be used as a name prefix. -

    -
  • -
  • -

    - - asg_iam_role_already_exists - - Whether or not the IAM role used for the Self-managed workers already exists. When false, this module will create a new IAM role. -

    -
  • -
  • -

    - - asg_iam_role_arn - - ARN of the IAM role to use if iam_role_already_exists = true. When null, uses asg_custom_iam_role_name to lookup the ARN. One of asg_custom_iam_role_name and asg_iam_role_arn is required (must be non-null) if asg_iam_role_already_exists is true. -

    -
  • -
  • -

    - - asg_security_group_tags - - A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - asg_use_resource_name_prefix - - When true, all the relevant resources for self managed workers will be set to use the name_prefix attribute so that unique names are generated for them. This allows those resources to support recreation through create_before_destroy lifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster. -

    -
  • -
  • -

    - - autoscaling_group_configurations - - Configure one or more self-managed Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure self-managed ASGs. -

    -
  • -
  • -

    - - autoscaling_group_include_autoscaler_discovery_tags - - Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them. Only used for self-managed workers. -

    -
  • -
  • -

    - - aws_auth_merger_namespace - - Namespace where the AWS Auth Merger is deployed. If configured, the worker IAM role will be mapped to the Kubernetes RBAC group for Nodes using a ConfigMap in the auth merger namespace. -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. To override the default boot script installed as part of the module, use the key `default`. -

    -
  • -
  • -

    - - cluster_instance_ami - - The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. Only used if var.cluster_instance_ami_filters is null. Set to null if cluster_instance_ami_filters is set. -

    -
  • -
  • -

    - - cluster_instance_ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. If both are defined, var.cluster_instance_ami_filters will be used. Set to null if cluster_instance_ami is set. -

    -
  • -
  • -

    - - cluster_instance_associate_public_ip_address - - Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet. -

    -
  • -
  • -

    - - cluster_instance_keypair_name - - The name of the Key Pair that can be used to SSH to each instance in the EKS cluster. -

    -
  • -
  • -

    - - custom_egress_security_group_rules - - A map of unique identifiers to egress security group rules to attach to the worker groups. -

    -
  • -
  • -

    - - custom_ingress_security_group_rules - - A map of unique identifiers to ingress security group rules to attach to the worker groups. -

    -
  • -
  • -

    - - dashboard_cpu_usage_widget_parameters - - Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_disk_usage_widget_parameters - - Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_memory_usage_widget_parameters - - Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - eks_cluster_name - - The name of the EKS cluster. The cluster must exist/already be deployed. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - managed_node_group_configurations - - Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups. -

    -
  • -
  • -

    - - managed_node_group_custom_iam_role_name - - Custom name for the IAM role for the Managed Node Groups. When null, a default name based on worker_name_prefix will be used. One of managed_node_group_custom_iam_role_name and managed_node_group_iam_role_arn is required (must be non-null) if managed_node_group_iam_role_already_exists is true. -

    -
  • -
  • -

    - - managed_node_group_iam_role_already_exists - - Whether or not the IAM role used for the Managed Node Group workers already exists. When false, this module will create a new IAM role. -

    -
  • -
  • -

    - - managed_node_group_iam_role_arn - - ARN of the IAM role to use if iam_role_already_exists = true. When null, uses managed_node_group_custom_iam_role_name to lookup the ARN. One of managed_node_group_custom_iam_role_name and managed_node_group_iam_role_arn is required (must be non-null) if managed_node_group_iam_role_already_exists is true. -

    -
  • -
  • -

    - - node_group_default_capacity_type - - Default value for capacity_type field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_desired_size - - Default value for desired_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_encryption - - Default value for the instance_root_volume_encryption field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_size - - Default value for the instance_root_volume_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_type - - Default value for the instance_root_volume_type field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_types - - Default value for instance_types field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_labels - - Default value for labels field of managed_node_group_configurations. Unlike common_labels which will always be merged in, these labels are only used if the labels field is omitted from the configuration. -

    -
  • -
  • -

    - - node_group_default_max_size - - Default value for max_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_min_size - - Default value for min_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_subnet_ids - - Default value for subnet_ids field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_tags - - Default value for tags field of managed_node_group_configurations. Unlike common_tags which will always be merged in, these tags are only used if the tags field is omitted from the configuration. -

    -
  • -
  • -

    - - node_group_launch_template_instance_type - - The instance type to configure in the launch template. This value will be used when the instance_types field is set to null (NOT omitted, in which case var.node_group_default_instance_types will be used). -

    -
  • -
  • -

    - - node_group_names - - The names of the node groups. When null, this value is automatically calculated from the managed_node_group_configurations map. This variable must be set if any of the values of the managed_node_group_configurations map depends on a resource that is not available at plan time to work around terraform limitations with for_each. -

    -
  • -
  • -

    - - node_group_security_group_tags - - A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - tenancy - - The tenancy of the servers in the self-managed worker ASG. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - use_exec_plugin_for_auth - - If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. -

    -
  • -
  • -

    - - use_kubergrunt_to_fetch_token - - EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. -

    -
  • -
  • -

    - - worker_k8s_role_mapping_name - - Name of the IAM role to Kubernetes RBAC group mapping ConfigMap. Only used if aws_auth_merger_namespace is not null. -

    -
  • -
  • -

    - - worker_name_prefix - - Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default. -

    -
  • -
-
- - - + + + + +* [**`additional_security_groups_for_workers`**](#additional_security_groups_for_workers) — A list of additional security group IDs to be attached on worker groups. + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_inbound_ssh_from_cidr_blocks`**](#allow_inbound_ssh_from_cidr_blocks) — The list of CIDR blocks to allow inbound SSH access to the worker groups. + + + +* [**`allow_inbound_ssh_from_security_groups`**](#allow_inbound_ssh_from_security_groups) — The list of security group IDs to allow inbound SSH access to the worker groups. + + + +* [**`asg_custom_iam_role_name`**](#asg_custom_iam_role_name) — Custom name for the IAM role for the Self-managed workers. When null, a default name based on [`worker_name_prefix`](#worker_name_prefix) will be used. One of [`asg_custom_iam_role_name`](#asg_custom_iam_role_name) and [`asg_iam_role_arn`](#asg_iam_role_arn) is required (must be non-null) if [`asg_iam_role_already_exists`](#asg_iam_role_already_exists) is true. + + + +* [**`asg_default_instance_root_volume_encryption`**](#asg_default_instance_root_volume_encryption) — Default value for the [`asg_instance_root_volume_encryption`](#asg_instance_root_volume_encryption) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_root_volume_encryption`](#asg_instance_root_volume_encryption) will use this value. + + + +* [**`asg_default_instance_root_volume_size`**](#asg_default_instance_root_volume_size) — Default value for the [`asg_instance_root_volume_size`](#asg_instance_root_volume_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_root_volume_size`](#asg_instance_root_volume_size) will use this value. 
+ + + +* [**`asg_default_instance_root_volume_type`**](#asg_default_instance_root_volume_type) — Default value for the [`asg_instance_root_volume_type`](#asg_instance_root_volume_type) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_root_volume_type`](#asg_instance_root_volume_type) will use this value. + + + +* [**`asg_default_instance_type`**](#asg_default_instance_type) — Default value for the [`asg_instance_type`](#asg_instance_type) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_type`](#asg_instance_type) will use this value. + + + +* [**`asg_default_max_size`**](#asg_default_max_size) — Default value for the [`max_size`](#max_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`max_size`](#max_size) will use this value. + + + +* [**`asg_default_min_size`**](#asg_default_min_size) — Default value for the [`min_size`](#min_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`min_size`](#min_size) will use this value. + + + +* [**`asg_default_multi_instance_overrides`**](#asg_default_multi_instance_overrides) — Default value for the [`multi_instance_overrides`](#multi_instance_overrides) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`multi_instance_overrides`](#multi_instance_overrides) will use this value. + + + +* [**`asg_default_on_demand_allocation_strategy`**](#asg_default_on_demand_allocation_strategy) — Default value for the [`on_demand_allocation_strategy`](#on_demand_allocation_strategy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). 
Any map entry that does not specify [`on_demand_allocation_strategy`](#on_demand_allocation_strategy) will use this value. + + + +* [**`asg_default_on_demand_base_capacity`**](#asg_default_on_demand_base_capacity) — Default value for the [`on_demand_base_capacity`](#on_demand_base_capacity) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`on_demand_base_capacity`](#on_demand_base_capacity) will use this value. + + + +* [**`asg_default_on_demand_percentage_above_base_capacity`**](#asg_default_on_demand_percentage_above_base_capacity) — Default value for the [`on_demand_percentage_above_base_capacity`](#on_demand_percentage_above_base_capacity) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`on_demand_percentage_above_base_capacity`](#on_demand_percentage_above_base_capacity) will use this value. + + + +* [**`asg_default_spot_allocation_strategy`**](#asg_default_spot_allocation_strategy) — Default value for the [`spot_allocation_strategy`](#spot_allocation_strategy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_allocation_strategy`](#spot_allocation_strategy) will use this value. + + + +* [**`asg_default_spot_instance_pools`**](#asg_default_spot_instance_pools) — Default value for the [`spot_instance_pools`](#spot_instance_pools) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_instance_pools`](#spot_instance_pools) will use this value. + + + +* [**`asg_default_spot_max_price`**](#asg_default_spot_max_price) — Default value for the [`spot_max_price`](#spot_max_price) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_max_price`](#spot_max_price) will use this value. 
Set to empty string (default) to mean on-demand price. + + + +* [**`asg_default_tags`**](#asg_default_tags) — Default value for the tags field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify tags will use this value. + + + +* [**`asg_default_use_multi_instances_policy`**](#asg_default_use_multi_instances_policy) — Default value for the [`use_multi_instances_policy`](#use_multi_instances_policy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`use_multi_instances_policy`](#use_multi_instances_policy) will use this value. + + + +* [**`asg_iam_instance_profile_name`**](#asg_iam_instance_profile_name) — Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If [`asg_use_resource_name_prefix`](#asg_use_resource_name_prefix) is true, this will be used as a name prefix. + + + +* [**`asg_iam_role_already_exists`**](#asg_iam_role_already_exists) — Whether or not the IAM role used for the Self-managed workers already exists. When false, this module will create a new IAM role. + + + +* [**`asg_iam_role_arn`**](#asg_iam_role_arn) — ARN of the IAM role to use if [`iam_role_already_exists`](#iam_role_already_exists) = true. When null, uses [`asg_custom_iam_role_name`](#asg_custom_iam_role_name) to lookup the ARN. One of [`asg_custom_iam_role_name`](#asg_custom_iam_role_name) and [`asg_iam_role_arn`](#asg_iam_role_arn) is required (must be non-null) if [`asg_iam_role_already_exists`](#asg_iam_role_already_exists) is true. + + + +* [**`asg_security_group_tags`**](#asg_security_group_tags) — A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value. 
+ + + +* [**`asg_use_resource_name_prefix`**](#asg_use_resource_name_prefix) — When true, all the relevant resources for self managed workers will be set to use the [`name_prefix`](#name_prefix) attribute so that unique names are generated for them. This allows those resources to support recreation through [`create_before_destroy`](#create_before_destroy) lifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster. + + + +* [**`autoscaling_group_configurations`**](#autoscaling_group_configurations) — Configure one or more self-managed Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure self-managed ASGs. + + + +* [**`autoscaling_group_include_autoscaler_discovery_tags`**](#autoscaling_group_include_autoscaler_discovery_tags) — Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them. Only used for self-managed workers. + + + +* [**`aws_auth_merger_namespace`**](#aws_auth_merger_namespace) — Namespace where the AWS Auth Merger is deployed. If configured, the worker IAM role will be mapped to the Kubernetes RBAC group for Nodes using a ConfigMap in the auth merger namespace. + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. To override the default boot script installed as part of the module, use the key `default`. + + + +* [**`cluster_instance_ami`**](#cluster_instance_ami) — The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. 
Only used if [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is null. Set to null if [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is set. + + + +* [**`cluster_instance_ami_filters`**](#cluster_instance_ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. If both are defined, [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) will be used. Set to null if [`cluster_instance_ami`](#cluster_instance_ami) is set. + + + +* [**`cluster_instance_associate_public_ip_address`**](#cluster_instance_associate_public_ip_address) — Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet. + + + +* [**`cluster_instance_keypair_name`**](#cluster_instance_keypair_name) — The name of the Key Pair that can be used to SSH to each instance in the EKS cluster. + + + +* [**`custom_egress_security_group_rules`**](#custom_egress_security_group_rules) — A map of unique identifiers to egress security group rules to attach to the worker groups. + + + +* [**`custom_ingress_security_group_rules`**](#custom_ingress_security_group_rules) — A map of unique identifiers to ingress security group rules to attach to the worker groups. + + + +* [**`dashboard_cpu_usage_widget_parameters`**](#dashboard_cpu_usage_widget_parameters) — Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_disk_usage_widget_parameters`**](#dashboard_disk_usage_widget_parameters) — Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard. 
+ + + +* [**`dashboard_memory_usage_widget_parameters`**](#dashboard_memory_usage_widget_parameters) — Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard. + + + +* [**`eks_cluster_name`**](#eks_cluster_name) — The name of the EKS cluster. The cluster must exist/already be deployed. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. + + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`managed_node_group_configurations`**](#managed_node_group_configurations) — Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups. + + + +* [**`managed_node_group_custom_iam_role_name`**](#managed_node_group_custom_iam_role_name) — Custom name for the IAM role for the Managed Node Groups. 
When null, a default name based on [`worker_name_prefix`](#worker_name_prefix) will be used. One of [`managed_node_group_custom_iam_role_name`](#managed_node_group_custom_iam_role_name) and [`managed_node_group_iam_role_arn`](#managed_node_group_iam_role_arn) is required (must be non-null) if [`managed_node_group_iam_role_already_exists`](#managed_node_group_iam_role_already_exists) is true. + + + +* [**`managed_node_group_iam_role_already_exists`**](#managed_node_group_iam_role_already_exists) — Whether or not the IAM role used for the Managed Node Group workers already exists. When false, this module will create a new IAM role. + + + +* [**`managed_node_group_iam_role_arn`**](#managed_node_group_iam_role_arn) — ARN of the IAM role to use if [`iam_role_already_exists`](#iam_role_already_exists) = true. When null, uses [`managed_node_group_custom_iam_role_name`](#managed_node_group_custom_iam_role_name) to lookup the ARN. One of [`managed_node_group_custom_iam_role_name`](#managed_node_group_custom_iam_role_name) and [`managed_node_group_iam_role_arn`](#managed_node_group_iam_role_arn) is required (must be non-null) if [`managed_node_group_iam_role_already_exists`](#managed_node_group_iam_role_already_exists) is true. + + + +* [**`node_group_default_capacity_type`**](#node_group_default_capacity_type) — Default value for [`capacity_type`](#capacity_type) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_desired_size`**](#node_group_default_desired_size) — Default value for [`desired_size`](#desired_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_root_volume_encryption`**](#node_group_default_instance_root_volume_encryption) — Default value for the [`instance_root_volume_encryption`](#instance_root_volume_encryption) field of [`managed_node_group_configurations`](#managed_node_group_configurations). 
+ + + +* [**`node_group_default_instance_root_volume_size`**](#node_group_default_instance_root_volume_size) — Default value for the [`instance_root_volume_size`](#instance_root_volume_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_root_volume_type`**](#node_group_default_instance_root_volume_type) — Default value for the [`instance_root_volume_type`](#instance_root_volume_type) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_types`**](#node_group_default_instance_types) — Default value for [`instance_types`](#instance_types) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_labels`**](#node_group_default_labels) — Default value for labels field of [`managed_node_group_configurations`](#managed_node_group_configurations). Unlike [`common_labels`](#common_labels) which will always be merged in, these labels are only used if the labels field is omitted from the configuration. + + + +* [**`node_group_default_max_size`**](#node_group_default_max_size) — Default value for [`max_size`](#max_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_min_size`**](#node_group_default_min_size) — Default value for [`min_size`](#min_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_subnet_ids`**](#node_group_default_subnet_ids) — Default value for [`subnet_ids`](#subnet_ids) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_tags`**](#node_group_default_tags) — Default value for tags field of [`managed_node_group_configurations`](#managed_node_group_configurations). 
Unlike [`common_tags`](#common_tags) which will always be merged in, these tags are only used if the tags field is omitted from the configuration. + + + +* [**`node_group_launch_template_instance_type`**](#node_group_launch_template_instance_type) — The instance type to configure in the launch template. This value will be used when the [`instance_types`](#instance_types) field is set to null (NOT omitted, in which case [`node_group_default_instance_types`](#node_group_default_instance_types) will be used). + + + +* [**`node_group_names`**](#node_group_names) — The names of the node groups. When null, this value is automatically calculated from the [`managed_node_group_configurations`](#managed_node_group_configurations) map. This variable must be set if any of the values of the [`managed_node_group_configurations`](#managed_node_group_configurations) map depends on a resource that is not available at plan time to work around terraform limitations with [`for_each`](#for_each). + + + +* [**`node_group_security_group_tags`**](#node_group_security_group_tags) — A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`tenancy`**](#tenancy) — The tenancy of the servers in the self-managed worker ASG. Must be one of: default, dedicated, or host. 
+ + + +* [**`use_exec_plugin_for_auth`**](#use_exec_plugin_for_auth) — If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the [`use_kubergrunt_to_fetch_token`](#use_kubergrunt_to_fetch_token) input variable to control whether kubergrunt or aws is used to fetch tokens. + + + +* [**`use_kubergrunt_to_fetch_token`**](#use_kubergrunt_to_fetch_token) — EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if [`use_exec_plugin_for_auth`](#use_exec_plugin_for_auth) is set to true. + + + +* [**`worker_k8s_role_mapping_name`**](#worker_k8s_role_mapping_name) — Name of the IAM role to Kubernetes RBAC group mapping ConfigMap. Only used if [`aws_auth_merger_namespace`](#aws_auth_merger_namespace) is not null. + + + +* [**`worker_name_prefix`**](#worker_name_prefix) — Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default. + + + + + + +* [**`managed_node_group_arns`**](#managed_node_group_arns) — Map of Node Group names to ARNs of the created EKS Node Groups. 
+ + + +* [**`managed_node_group_worker_iam_role_arn`**](#managed_node_group_worker_iam_role_arn) — The ARN of the IAM role associated with the Managed Node Group EKS workers. + + + +* [**`managed_node_group_worker_iam_role_name`**](#managed_node_group_worker_iam_role_name) — The name of the IAM role associated with the Managed Node Group EKS workers. + + + +* [**`managed_node_group_worker_security_group_ids`**](#managed_node_group_worker_security_group_ids) — Map of Node Group names to Auto Scaling Group security group IDs. Empty if [`cluster_instance_keypair_name`](#cluster_instance_keypair_name) is not set. + + + +* [**`managed_node_group_worker_shared_security_group_id`**](#managed_node_group_worker_shared_security_group_id) — The ID of the common AWS Security Group associated with all the managed EKS workers. + + + +* [**`metric_widget_managed_node_group_worker_cpu_usage`**](#metric_widget_managed_node_group_worker_cpu_usage) — A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the Managed Node Group EKS workers. + + + +* [**`metric_widget_managed_node_group_worker_disk_usage`**](#metric_widget_managed_node_group_worker_disk_usage) — A CloudWatch Dashboard widget that graphs disk usage (percentage) of the Managed Node Group EKS workers. + + + +* [**`metric_widget_managed_node_group_worker_memory_usage`**](#metric_widget_managed_node_group_worker_memory_usage) — A CloudWatch Dashboard widget that graphs memory usage (percentage) of the Managed Node Group EKS workers. + + + +* [**`metric_widget_self_managed_worker_cpu_usage`**](#metric_widget_self_managed_worker_cpu_usage) — A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the self-managed EKS workers. + + + +* [**`metric_widget_self_managed_worker_disk_usage`**](#metric_widget_self_managed_worker_disk_usage) — A CloudWatch Dashboard widget that graphs disk usage (percentage) of the self-managed EKS workers. 
+ + + +* [**`metric_widget_self_managed_worker_memory_usage`**](#metric_widget_self_managed_worker_memory_usage) — A CloudWatch Dashboard widget that graphs memory usage (percentage) of the self-managed EKS workers. + + + +* [**`self_managed_worker_iam_role_arn`**](#self_managed_worker_iam_role_arn) — The ARN of the IAM role associated with the self-managed EKS workers. + + + +* [**`self_managed_worker_iam_role_name`**](#self_managed_worker_iam_role_name) — The name of the IAM role associated with the self-managed EKS workers. + + + +* [**`self_managed_worker_security_group_id`**](#self_managed_worker_security_group_id) — The ID of the AWS Security Group associated with the self-managed EKS workers. + + + +* [**`worker_asg_names`**](#worker_asg_names) — The list of names of the ASGs that were deployed to act as EKS workers. + +
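Review bot: the cross-linking in this hunk creates anchors for names that are not input variables or outputs of this module, so those links resolve to nothing: under `node_group_names` the Terraform meta-argument is rendered as [`for_each`](#for_each); under `managed_node_group_iam_role_arn` the text links [`iam_role_already_exists`](#iam_role_already_exists) although the variable defined two entries earlier is `managed_node_group_iam_role_already_exists`; and the `node_group_default_*` entries link object fields of `managed_node_group_configurations` such as [`capacity_type`](#capacity_type), [`desired_size`](#desired_size) and [`subnet_ids`](#subnet_ids), which have no heading of their own. Suggest restricting the linker to names that actually appear as variable or output headings in the same file (the old text marked real variables with a `var.` prefix, which is a usable signal), and correcting the `iam_role_already_exists` reference to the full variable name. While this block is being touched, the `enable_cloudwatch_metrics` description still ends with "for your Bastion host", a copy-paste leftover in an EKS workers reference.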
diff --git a/docs/reference/services/app-orchestration/amazon-eks.md b/docs/reference/services/app-orchestration/amazon-eks.md index 0508209ec..30c679dd4 100644 --- a/docs/reference/services/app-orchestration/amazon-eks.md +++ b/docs/reference/services/app-orchestration/amazon-eks.md @@ -10,782 +10,451 @@ Deploy Kubernetes on top of Amazon Elastic Kubernetes Service (EKS) ### Reference - -
    - -
  • -

    - - additional_security_groups_for_control_plane - - A list of additional security group IDs to attach to the control plane. -

    -
  • -
  • -

    - - additional_security_groups_for_workers - - A list of additional security group IDs to attach to the worker nodes. -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_inbound_api_access_from_cidr_blocks - - The list of CIDR blocks to allow inbound access to the Kubernetes API. -

    -
  • -
  • -

    - - allow_inbound_ssh_from_cidr_blocks - - The list of CIDR blocks to allow inbound SSH access to the worker groups. -

    -
  • -
  • -

    - - allow_inbound_ssh_from_security_groups - - The list of security group IDs to allow inbound SSH access to the worker groups. -

    -
  • -
  • -

    - - allow_private_api_access_from_cidr_blocks - - The list of CIDR blocks to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint). -

    -
  • -
  • -

    - - allow_private_api_access_from_security_groups - - The list of security groups to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint). -

    -
  • -
  • -

    - - asg_default_instance_root_volume_encryption - - Default value for the asg_instance_root_volume_encryption field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_encryption will use this value. -

    -
  • -
  • -

    - - asg_default_instance_root_volume_size - - Default value for the asg_instance_root_volume_size field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_size will use this value. -

    -
  • -
  • -

    - - asg_default_instance_root_volume_type - - Default value for the asg_instance_root_volume_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_root_volume_type will use this value. -

    -
  • -
  • -

    - - asg_default_instance_type - - Default value for the asg_instance_type field of autoscaling_group_configurations. Any map entry that does not specify asg_instance_type will use this value. -

    -
  • -
  • -

    - - asg_default_max_size - - Default value for the max_size field of autoscaling_group_configurations. Any map entry that does not specify max_size will use this value. -

    -
  • -
  • -

    - - asg_default_min_size - - Default value for the min_size field of autoscaling_group_configurations. Any map entry that does not specify min_size will use this value. -

    -
  • -
  • -

    - - asg_default_multi_instance_overrides - - Default value for the multi_instance_overrides field of autoscaling_group_configurations. Any map entry that does not specify multi_instance_overrides will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_allocation_strategy - - Default value for the on_demand_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify on_demand_allocation_strategy will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_base_capacity - - Default value for the on_demand_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_base_capacity will use this value. -

    -
  • -
  • -

    - - asg_default_on_demand_percentage_above_base_capacity - - Default value for the on_demand_percentage_above_base_capacity field of autoscaling_group_configurations. Any map entry that does not specify on_demand_percentage_above_base_capacity will use this value. -

    -
  • -
  • -

    - - asg_default_spot_allocation_strategy - - Default value for the spot_allocation_strategy field of autoscaling_group_configurations. Any map entry that does not specify spot_allocation_strategy will use this value. -

    -
  • -
  • -

    - - asg_default_spot_instance_pools - - Default value for the spot_instance_pools field of autoscaling_group_configurations. Any map entry that does not specify spot_instance_pools will use this value. -

    -
  • -
  • -

    - - asg_default_spot_max_price - - Default value for the spot_max_price field of autoscaling_group_configurations. Any map entry that does not specify spot_max_price will use this value. Set to empty string (default) to mean on-demand price. -

    -
  • -
  • -

    - - asg_default_tags - - Default value for the tags field of autoscaling_group_configurations. Any map entry that does not specify tags will use this value. -

    -
  • -
  • -

    - - asg_default_use_multi_instances_policy - - Default value for the use_multi_instances_policy field of autoscaling_group_configurations. Any map entry that does not specify use_multi_instances_policy will use this value. -

    -
  • -
  • -

    - - asg_iam_instance_profile_name - - Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If var.asg_use_resource_name_prefix is true, this will be used as a name prefix. -

    -
  • -
  • -

    - - asg_iam_permissions_boundary - - ARN of a permission boundary to apply on the IAM role created for the self managed workers. -

    -
  • -
  • -

    - - asg_security_group_tags - - A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - asg_use_resource_name_prefix - - When true, all the relevant resources for self managed workers will be set to use the name_prefix attribute so that unique names are generated for them. This allows those resources to support recreation through create_before_destroy lifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster. -

    -
  • -
  • -

    - - autoscaling_group_configurations - - Configure one or more Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. If any of the values are not provided, the specified default variable will be used to lookup a default value. -

    -
  • -
  • -

    - - autoscaling_group_include_autoscaler_discovery_tags - - Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them. -

    -
  • -
  • -

    - - aws_auth_merger_default_configmap_name - - Name of the default aws-auth ConfigMap to use. This will be the name of the ConfigMap that gets created by this module in the aws-auth-merger namespace to seed the initial aws-auth ConfigMap. -

    -
  • -
  • -

    - - aws_auth_merger_image - - Location of the container image to use for the aws-auth-merger app. You can use the Dockerfile provided in terraform-aws-eks to construct an image. See https://github.com/gruntwork-io/terraform-aws-eks/blob/master/modules/eks-aws-auth-merger/core-concepts.md#how-do-i-use-the-aws-auth-merger for more info. -

    -
  • -
  • -

    - - aws_auth_merger_namespace - - Namespace to deploy the aws-auth-merger into. The app will watch for ConfigMaps in this Namespace to merge into the aws-auth ConfigMap. -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. To override the default boot script installed as part of the module, use the key `default`. -

    -
  • -
  • -

    - - cluster_iam_role_permissions_boundary - - ARN of permissions boundary to apply to the cluster IAM role - the IAM role created for the EKS cluster. -

    -
  • -
  • -

    - - cluster_instance_ami - - The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. Only used if var.cluster_instance_ami_filters is null. Set to null if cluster_instance_ami_filters is set. -

    -
  • -
  • -

    - - cluster_instance_ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of var.cluster_instance_ami or var.cluster_instance_ami_filters is required. If both are defined, var.cluster_instance_ami_filters will be used. Set to null if cluster_instance_ami is set. -

    -
  • -
  • -

    - - cluster_instance_associate_public_ip_address - - Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet. -

    -
  • -
  • -

    - - cluster_instance_keypair_name - - The name of the Key Pair that can be used to SSH to each instance in the EKS cluster -

    -
  • -
  • -

    - - cluster_name - - The name of the EKS cluster -

    -
  • -
  • -

    - - control_plane_disallowed_availability_zones - - A list of availability zones in the region that we CANNOT use to deploy the EKS control plane. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. -

    -
  • -
  • -

    - - control_plane_vpc_subnet_ids - - List of IDs of the subnets that can be used for the EKS Control Plane. -

    -
  • -
  • -

    - - create_default_fargate_iam_role - - When true, IAM role will be created and attached to Fargate control plane services. -

    -
  • -
  • -

    - - custom_default_fargate_iam_role_name - - The name to use for the default Fargate execution IAM role that is created when create_default_fargate_iam_role is true. When null, defaults to CLUSTER_NAME-fargate-role. -

    -
  • -
  • -

    - - custom_worker_egress_security_group_rules - - A map of unique identifiers to egress security group rules to attach to the worker groups. -

    -
  • -
  • -

    - - custom_worker_ingress_security_group_rules - - A map of unique identifiers to ingress security group rules to attach to the worker groups. -

    -
  • -
  • -

    - - dashboard_cpu_usage_widget_parameters - - Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_disk_usage_widget_parameters - - Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_memory_usage_widget_parameters - - Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - eks_cluster_security_group_tags - - A map of custom tags to apply to the Security Group for the EKS Cluster Control Plane. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - eks_cluster_tags - - A map of custom tags to apply to the EKS Cluster Control Plane. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - enable_aws_auth_merger - - If set to true, installs the aws-auth-merger to manage the aws-auth configuration. When true, requires setting the var.aws_auth_merger_image variable. -

    -
  • -
  • -

    - - enable_aws_auth_merger_fargate - - When true, deploy the aws-auth-merger into Fargate. It is recommended to run the aws-auth-merger on Fargate to avoid chicken and egg issues between the aws-auth-merger and having an authenticated worker pool. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true. -

    -
  • -
  • -

    - - enabled_control_plane_log_types - - A list of the desired control plane logging to enable. See https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html for the list of available logs. -

    -
  • -
  • -

    - - endpoint_public_access - - Whether or not to enable public API endpoints which allow access to the Kubernetes API from outside of the VPC. Note that private access within the VPC is always enabled. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - fargate_profile_executor_iam_role_arns_for_k8s_role_mapping - - List of ARNs of AWS IAM roles corresponding to Fargate Profiles that should be mapped as Kubernetes Nodes. -

    -
  • -
  • -

    - - fargate_worker_disallowed_availability_zones - - A list of availability zones in the region that we CANNOT use to deploy the EKS Fargate workers. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. -

    -
  • -
  • -

    - - iam_role_to_rbac_group_mapping - - Mapping of IAM role ARNs to Kubernetes RBAC groups that grant permissions to the user. -

    -
  • -
  • -

    - - iam_user_to_rbac_group_mapping - - Mapping of IAM user ARNs to Kubernetes RBAC groups that grant permissions to the user. -

    -
  • -
  • -

    - - kubernetes_version - - Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). -

    -
  • -
  • -

    - - managed_node_group_configurations - - Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups. -

    -
  • -
  • -

    - - node_group_default_capacity_type - - Default value for capacity_type field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_desired_size - - Default value for desired_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_encryption - - Default value for the instance_root_volume_encryption field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_size - - Default value for the instance_root_volume_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_root_volume_type - - Default value for the instance_root_volume_type field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_instance_types - - Default value for instance_types field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_labels - - Default value for labels field of managed_node_group_configurations. Unlike common_labels which will always be merged in, these labels are only used if the labels field is omitted from the configuration. -

    -
  • -
  • -

    - - node_group_default_max_size - - Default value for max_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_min_size - - Default value for min_size field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_subnet_ids - - Default value for subnet_ids field of managed_node_group_configurations. -

    -
  • -
  • -

    - - node_group_default_tags - - Default value for tags field of managed_node_group_configurations. Unlike common_tags which will always be merged in, these tags are only used if the tags field is omitted from the configuration. -

    -
  • -
  • -

    - - node_group_iam_permissions_boundary - - ARN of a permission boundary to apply on the IAM role created for the managed node groups. -

    -
  • -
  • -

    - - node_group_launch_template_instance_type - - The instance type to configure in the launch template. This value will be used when the instance_types field is set to null (NOT omitted, in which case var.node_group_default_instance_types will be used). -

    -
  • -
  • -

    - - node_group_security_group_tags - - A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - num_control_plane_vpc_subnet_ids - - Number of subnets provided in the var.control_plane_vpc_subnet_ids variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and for_each can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module). -

    -
  • -
  • -

    - - num_worker_vpc_subnet_ids - - Number of subnets provided in the var.worker_vpc_subnet_ids variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and for_each can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module). -

    -
  • -
  • -

    - - schedule_control_plane_services_on_fargate - - When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and create_default_fargate_iam_role be set to true. -

    -
  • -
  • -

    - - secret_envelope_encryption_kms_key_arn - - ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By default Secrets in EKS are encrypted at rest at the EBS layer in the managed etcd cluster using shared AWS managed keys. Setting this variable will configure Kubernetes to use envelope encryption to encrypt Secrets using this KMS key on top of the EBS layer encryption. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - tenancy - - The tenancy of this server. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - use_exec_plugin_for_auth - - If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. -

    -
  • -
  • -

    - - use_kubergrunt_sync_components - - When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated. -

    -
  • -
  • -

    - - use_kubergrunt_to_fetch_token - - EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. -

    -
  • -
  • -

    - - use_kubergrunt_verification - - When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead. -

    -
  • -
  • -

    - - vpc_id - - ID of the VPC where the EKS resources will be deployed. -

    -
  • -
  • -

    - - worker_iam_role_arns_for_k8s_role_mapping - - List of ARNs of AWS IAM roles corresponding to EC2 instances that should be mapped as Kubernetes Nodes. -

    -
  • -
  • -

    - - worker_name_prefix - - Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default. -

    -
  • -
  • -

    - - worker_vpc_subnet_ids - - A list of the subnets into which the EKS Cluster's administrative pods will be launched. These should usually be all private subnets and include one in each AWS Availability Zone. Required when var.schedule_control_plane_services_on_fargate is true. -

    -
  • -
-
- - - + + + + +* [**`additional_security_groups_for_control_plane`**](#additional_security_groups_for_control_plane) — A list of additional security group IDs to attach to the control plane. + + + +* [**`additional_security_groups_for_workers`**](#additional_security_groups_for_workers) — A list of additional security group IDs to attach to the worker nodes. + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_inbound_api_access_from_cidr_blocks`**](#allow_inbound_api_access_from_cidr_blocks) — The list of CIDR blocks to allow inbound access to the Kubernetes API. + + + +* [**`allow_inbound_ssh_from_cidr_blocks`**](#allow_inbound_ssh_from_cidr_blocks) — The list of CIDR blocks to allow inbound SSH access to the worker groups. + + + +* [**`allow_inbound_ssh_from_security_groups`**](#allow_inbound_ssh_from_security_groups) — The list of security group IDs to allow inbound SSH access to the worker groups. + + + +* [**`allow_private_api_access_from_cidr_blocks`**](#allow_private_api_access_from_cidr_blocks) — The list of CIDR blocks to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint). + + + +* [**`allow_private_api_access_from_security_groups`**](#allow_private_api_access_from_security_groups) — The list of security groups to allow inbound access to the private Kubernetes API endpoint (e.g. the endpoint within the VPC, not the public endpoint). + + + +* [**`asg_default_instance_root_volume_encryption`**](#asg_default_instance_root_volume_encryption) — Default value for the [`asg_instance_root_volume_encryption`](#asg_instance_root_volume_encryption) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). 
Any map entry that does not specify [`asg_instance_root_volume_encryption`](#asg_instance_root_volume_encryption) will use this value. + + + +* [**`asg_default_instance_root_volume_size`**](#asg_default_instance_root_volume_size) — Default value for the [`asg_instance_root_volume_size`](#asg_instance_root_volume_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_root_volume_size`](#asg_instance_root_volume_size) will use this value. + + + +* [**`asg_default_instance_root_volume_type`**](#asg_default_instance_root_volume_type) — Default value for the [`asg_instance_root_volume_type`](#asg_instance_root_volume_type) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_root_volume_type`](#asg_instance_root_volume_type) will use this value. + + + +* [**`asg_default_instance_type`**](#asg_default_instance_type) — Default value for the [`asg_instance_type`](#asg_instance_type) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`asg_instance_type`](#asg_instance_type) will use this value. + + + +* [**`asg_default_max_size`**](#asg_default_max_size) — Default value for the [`max_size`](#max_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`max_size`](#max_size) will use this value. + + + +* [**`asg_default_min_size`**](#asg_default_min_size) — Default value for the [`min_size`](#min_size) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`min_size`](#min_size) will use this value. 
+ + + +* [**`asg_default_multi_instance_overrides`**](#asg_default_multi_instance_overrides) — Default value for the [`multi_instance_overrides`](#multi_instance_overrides) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`multi_instance_overrides`](#multi_instance_overrides) will use this value. + + + +* [**`asg_default_on_demand_allocation_strategy`**](#asg_default_on_demand_allocation_strategy) — Default value for the [`on_demand_allocation_strategy`](#on_demand_allocation_strategy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`on_demand_allocation_strategy`](#on_demand_allocation_strategy) will use this value. + + + +* [**`asg_default_on_demand_base_capacity`**](#asg_default_on_demand_base_capacity) — Default value for the [`on_demand_base_capacity`](#on_demand_base_capacity) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`on_demand_base_capacity`](#on_demand_base_capacity) will use this value. + + + +* [**`asg_default_on_demand_percentage_above_base_capacity`**](#asg_default_on_demand_percentage_above_base_capacity) — Default value for the [`on_demand_percentage_above_base_capacity`](#on_demand_percentage_above_base_capacity) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`on_demand_percentage_above_base_capacity`](#on_demand_percentage_above_base_capacity) will use this value. + + + +* [**`asg_default_spot_allocation_strategy`**](#asg_default_spot_allocation_strategy) — Default value for the [`spot_allocation_strategy`](#spot_allocation_strategy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_allocation_strategy`](#spot_allocation_strategy) will use this value. 
+ + + +* [**`asg_default_spot_instance_pools`**](#asg_default_spot_instance_pools) — Default value for the [`spot_instance_pools`](#spot_instance_pools) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_instance_pools`](#spot_instance_pools) will use this value. + + + +* [**`asg_default_spot_max_price`**](#asg_default_spot_max_price) — Default value for the [`spot_max_price`](#spot_max_price) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`spot_max_price`](#spot_max_price) will use this value. Set to empty string (default) to mean on-demand price. + + + +* [**`asg_default_tags`**](#asg_default_tags) — Default value for the tags field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify tags will use this value. + + + +* [**`asg_default_use_multi_instances_policy`**](#asg_default_use_multi_instances_policy) — Default value for the [`use_multi_instances_policy`](#use_multi_instances_policy) field of [`autoscaling_group_configurations`](#autoscaling_group_configurations). Any map entry that does not specify [`use_multi_instances_policy`](#use_multi_instances_policy) will use this value. + + + +* [**`asg_iam_instance_profile_name`**](#asg_iam_instance_profile_name) — Custom name for the IAM instance profile for the Self-managed workers. When null, the IAM role name will be used. If [`asg_use_resource_name_prefix`](#asg_use_resource_name_prefix) is true, this will be used as a name prefix. + + + +* [**`asg_iam_permissions_boundary`**](#asg_iam_permissions_boundary) — ARN of a permission boundary to apply on the IAM role created for the self managed workers. + + + +* [**`asg_security_group_tags`**](#asg_security_group_tags) — A map of tags to apply to the Security Group of the ASG for the self managed worker pool. The key is the tag name and the value is the tag value. 
+ + + +* [**`asg_use_resource_name_prefix`**](#asg_use_resource_name_prefix) — When true, all the relevant resources for self managed workers will be set to use the [`name_prefix`](#name_prefix) attribute so that unique names are generated for them. This allows those resources to support recreation through [`create_before_destroy`](#create_before_destroy) lifecycle rules. Set to false if you were using any version before 0.65.0 and wish to avoid recreating the entire worker pool on your cluster. + + + +* [**`autoscaling_group_configurations`**](#autoscaling_group_configurations) — Configure one or more Auto Scaling Groups (ASGs) to manage the EC2 instances in this cluster. If any of the values are not provided, the specified default variable will be used to lookup a default value. + + + +* [**`autoscaling_group_include_autoscaler_discovery_tags`**](#autoscaling_group_include_autoscaler_discovery_tags) — Adds additional tags to each ASG that allow a cluster autoscaler to auto-discover them. + + + +* [**`aws_auth_merger_default_configmap_name`**](#aws_auth_merger_default_configmap_name) — Name of the default aws-auth ConfigMap to use. This will be the name of the ConfigMap that gets created by this module in the aws-auth-merger namespace to seed the initial aws-auth ConfigMap. + + + +* [**`aws_auth_merger_image`**](#aws_auth_merger_image) — Location of the container image to use for the aws-auth-merger app. You can use the Dockerfile provided in terraform-aws-eks to construct an image. See https://github.com/gruntwork-io/terraform-aws-eks/blob/master/modules/eks-aws-auth-merger/core-concepts.md#how-do-i-use-the-aws-auth-merger for more info. + + + +* [**`aws_auth_merger_namespace`**](#aws_auth_merger_namespace) — Namespace to deploy the aws-auth-merger into. The app will watch for ConfigMaps in this Namespace to merge into the aws-auth ConfigMap. 
+ + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the EKS worker nodes when it is booting. See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. To override the default boot script installed as part of the module, use the key `default`. + + + +* [**`cluster_iam_role_permissions_boundary`**](#cluster_iam_role_permissions_boundary) — ARN of permissions boundary to apply to the cluster IAM role - the IAM role created for the EKS cluster. + + + +* [**`cluster_instance_ami`**](#cluster_instance_ami) — The AMI to run on each instance in the EKS cluster. You can build the AMI using the Packer template eks-node-al2.json. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. Only used if [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is null. Set to null if [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is set. + + + +* [**`cluster_instance_ami_filters`**](#cluster_instance_ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with self managed workers. You can build the AMI using the Packer template eks-node-al2.json. One of [`cluster_instance_ami`](#cluster_instance_ami) or [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) is required. If both are defined, [`cluster_instance_ami_filters`](#cluster_instance_ami_filters) will be used. Set to null if [`cluster_instance_ami`](#cluster_instance_ami) is set. + + + +* [**`cluster_instance_associate_public_ip_address`**](#cluster_instance_associate_public_ip_address) — Whether or not to associate a public IP address to the instances of the self managed ASGs. Will only work if the instances are launched in a public subnet. 
+ + + +* [**`cluster_instance_keypair_name`**](#cluster_instance_keypair_name) — The name of the Key Pair that can be used to SSH to each instance in the EKS cluster + + + +* [**`cluster_name`**](#cluster_name) — The name of the EKS cluster + + + +* [**`control_plane_disallowed_availability_zones`**](#control_plane_disallowed_availability_zones) — A list of availability zones in the region that we CANNOT use to deploy the EKS control plane. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. + + + +* [**`control_plane_vpc_subnet_ids`**](#control_plane_vpc_subnet_ids) — List of IDs of the subnets that can be used for the EKS Control Plane. + + + +* [**`create_default_fargate_iam_role`**](#create_default_fargate_iam_role) — When true, IAM role will be created and attached to Fargate control plane services. + + + +* [**`custom_default_fargate_iam_role_name`**](#custom_default_fargate_iam_role_name) — The name to use for the default Fargate execution IAM role that is created when [`create_default_fargate_iam_role`](#create_default_fargate_iam_role) is true. When null, defaults to [`CLUSTER_NAME`](#CLUSTER_NAME)-fargate-role. + + + +* [**`custom_worker_egress_security_group_rules`**](#custom_worker_egress_security_group_rules) — A map of unique identifiers to egress security group rules to attach to the worker groups. + + + +* [**`custom_worker_ingress_security_group_rules`**](#custom_worker_ingress_security_group_rules) — A map of unique identifiers to ingress security group rules to attach to the worker groups. + + + +* [**`dashboard_cpu_usage_widget_parameters`**](#dashboard_cpu_usage_widget_parameters) — Parameters for the worker cpu usage widget to output for use in a CloudWatch dashboard. 
+ + + +* [**`dashboard_disk_usage_widget_parameters`**](#dashboard_disk_usage_widget_parameters) — Parameters for the worker disk usage widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_memory_usage_widget_parameters`**](#dashboard_memory_usage_widget_parameters) — Parameters for the worker memory usage widget to output for use in a CloudWatch dashboard. + + + +* [**`eks_cluster_security_group_tags`**](#eks_cluster_security_group_tags) — A map of custom tags to apply to the Security Group for the EKS Cluster Control Plane. The key is the tag name and the value is the tag value. + + + +* [**`eks_cluster_tags`**](#eks_cluster_tags) — A map of custom tags to apply to the EKS Cluster Control Plane. The key is the tag name and the value is the tag value. + + + +* [**`enable_aws_auth_merger`**](#enable_aws_auth_merger) — If set to true, installs the aws-auth-merger to manage the aws-auth configuration. When true, requires setting the [`aws_auth_merger_image`](#aws_auth_merger_image) variable. + + + +* [**`enable_aws_auth_merger_fargate`**](#enable_aws_auth_merger_fargate) — When true, deploy the aws-auth-merger into Fargate. It is recommended to run the aws-auth-merger on Fargate to avoid chicken and egg issues between the aws-auth-merger and having an authenticated worker pool. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. 
+ + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true. + + + +* [**`enabled_control_plane_log_types`**](#enabled_control_plane_log_types) — A list of the desired control plane logging to enable. See https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html for the list of available logs. + + + +* [**`endpoint_public_access`**](#endpoint_public_access) — Whether or not to enable public API endpoints which allow access to the Kubernetes API from outside of the VPC. Note that private access within the VPC is always enabled. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`fargate_profile_executor_iam_role_arns_for_k8s_role_mapping`**](#fargate_profile_executor_iam_role_arns_for_k8s_role_mapping) — List of ARNs of AWS IAM roles corresponding to Fargate Profiles that should be mapped as Kubernetes Nodes. + + + +* [**`fargate_worker_disallowed_availability_zones`**](#fargate_worker_disallowed_availability_zones) — A list of availability zones in the region that we CANNOT use to deploy the EKS Fargate workers. You can use this to avoid availability zones that may not be able to provision the resources (e.g ran out of capacity). If empty, will allow all availability zones. + + + +* [**`iam_role_to_rbac_group_mapping`**](#iam_role_to_rbac_group_mapping) — Mapping of IAM role ARNs to Kubernetes RBAC groups that grant permissions to the user. 
+ + + +* [**`iam_user_to_rbac_group_mapping`**](#iam_user_to_rbac_group_mapping) — Mapping of IAM user ARNs to Kubernetes RBAC groups that grant permissions to the user. + + + +* [**`kubernetes_version`**](#kubernetes_version) — Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). + + + +* [**`managed_node_group_configurations`**](#managed_node_group_configurations) — Configure one or more Node Groups to manage the EC2 instances in this cluster. Set to empty object ({}) if you do not wish to configure managed node groups. + + + +* [**`node_group_default_capacity_type`**](#node_group_default_capacity_type) — Default value for [`capacity_type`](#capacity_type) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_desired_size`**](#node_group_default_desired_size) — Default value for [`desired_size`](#desired_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_root_volume_encryption`**](#node_group_default_instance_root_volume_encryption) — Default value for the [`instance_root_volume_encryption`](#instance_root_volume_encryption) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_root_volume_size`**](#node_group_default_instance_root_volume_size) — Default value for the [`instance_root_volume_size`](#instance_root_volume_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_instance_root_volume_type`**](#node_group_default_instance_root_volume_type) — Default value for the [`instance_root_volume_type`](#instance_root_volume_type) field of [`managed_node_group_configurations`](#managed_node_group_configurations). 
+ + + +* [**`node_group_default_instance_types`**](#node_group_default_instance_types) — Default value for [`instance_types`](#instance_types) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_labels`**](#node_group_default_labels) — Default value for labels field of [`managed_node_group_configurations`](#managed_node_group_configurations). Unlike [`common_labels`](#common_labels) which will always be merged in, these labels are only used if the labels field is omitted from the configuration. + + + +* [**`node_group_default_max_size`**](#node_group_default_max_size) — Default value for [`max_size`](#max_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_min_size`**](#node_group_default_min_size) — Default value for [`min_size`](#min_size) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_subnet_ids`**](#node_group_default_subnet_ids) — Default value for [`subnet_ids`](#subnet_ids) field of [`managed_node_group_configurations`](#managed_node_group_configurations). + + + +* [**`node_group_default_tags`**](#node_group_default_tags) — Default value for tags field of [`managed_node_group_configurations`](#managed_node_group_configurations). Unlike [`common_tags`](#common_tags) which will always be merged in, these tags are only used if the tags field is omitted from the configuration. + + + +* [**`node_group_iam_permissions_boundary`**](#node_group_iam_permissions_boundary) — ARN of a permission boundary to apply on the IAM role created for the managed node groups. + + + +* [**`node_group_launch_template_instance_type`**](#node_group_launch_template_instance_type) — The instance type to configure in the launch template. 
This value will be used when the [`instance_types`](#instance_types) field is set to null (NOT omitted, in which case [`node_group_default_instance_types`](#node_group_default_instance_types) will be used). + + + +* [**`node_group_security_group_tags`**](#node_group_security_group_tags) — A map of tags to apply to the Security Group of the ASG for the managed node group pool. The key is the tag name and the value is the tag value. + + + +* [**`num_control_plane_vpc_subnet_ids`**](#num_control_plane_vpc_subnet_ids) — Number of subnets provided in the [`control_plane_vpc_subnet_ids`](#control_plane_vpc_subnet_ids) variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and [`for_each`](#for_each) can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module). + + + +* [**`num_worker_vpc_subnet_ids`**](#num_worker_vpc_subnet_ids) — Number of subnets provided in the [`worker_vpc_subnet_ids`](#worker_vpc_subnet_ids) variable. When null (default), this is computed dynamically from the list. This is used to workaround terraform limitations where resource count and [`for_each`](#for_each) can not depend on dynamic resources (e.g., if you are creating the subnets and the EKS cluster in the same module). + + + +* [**`schedule_control_plane_services_on_fargate`**](#schedule_control_plane_services_on_fargate) — When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and [`create_default_fargate_iam_role`](#create_default_fargate_iam_role) be set to true. + + + +* [**`secret_envelope_encryption_kms_key_arn`**](#secret_envelope_encryption_kms_key_arn) — ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. 
By default Secrets in EKS are encrypted at rest at the EBS layer in the managed etcd cluster using shared AWS managed keys. Setting this variable will configure Kubernetes to use envelope encryption to encrypt Secrets using this KMS key on top of the EBS layer encryption. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the EKS workers with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`tenancy`**](#tenancy) — The tenancy of this server. Must be one of: default, dedicated, or host. + + + +* [**`use_exec_plugin_for_auth`**](#use_exec_plugin_for_auth) — If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the [`use_kubergrunt_to_fetch_token`](#use_kubergrunt_to_fetch_token) input variable to control whether kubergrunt or aws is used to fetch tokens. + + + +* [**`use_kubergrunt_sync_components`**](#use_kubergrunt_sync_components) — When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated. 
+ + + +* [**`use_kubergrunt_to_fetch_token`**](#use_kubergrunt_to_fetch_token) — EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if [`use_exec_plugin_for_auth`](#use_exec_plugin_for_auth) is set to true. + + + +* [**`use_kubergrunt_verification`**](#use_kubergrunt_verification) — When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead. + + + +* [**`vpc_id`**](#vpc_id) — ID of the VPC where the EKS resources will be deployed. + + + +* [**`worker_iam_role_arns_for_k8s_role_mapping`**](#worker_iam_role_arns_for_k8s_role_mapping) — List of ARNs of AWS IAM roles corresponding to EC2 instances that should be mapped as Kubernetes Nodes. + + + +* [**`worker_name_prefix`**](#worker_name_prefix) — Prefix EKS worker resource names with this string. When you have multiple worker groups for the cluster, you can use this to namespace the resources. Defaults to empty string so that resource names are not excessively long by default. + + + +* [**`worker_vpc_subnet_ids`**](#worker_vpc_subnet_ids) — A list of the subnets into which the EKS Cluster's administrative pods will be launched. These should usually be all private subnets and include one in each AWS Availability Zone. Required when [`schedule_control_plane_services_on_fargate`](#schedule_control_plane_services_on_fargate) is true. + + + + + + +* [**`aws_auth_merger_namespace`**](#aws_auth_merger_namespace) — The namespace name for the aws-auth-merger add on, if created. 
+ + + +* [**`eks_cluster_arn`**](#eks_cluster_arn) — The ARN of the EKS cluster that was deployed. + + + +* [**`eks_cluster_name`**](#eks_cluster_name) — The name of the EKS cluster that was deployed. + + + +* [**`eks_default_fargate_execution_role_arn`**](#eks_default_fargate_execution_role_arn) — A basic IAM Role ARN that has the minimal permissions to pull images from ECR that can be used for most Pods as Fargate Execution Role that do not need to interact with AWS. + + + +* [**`eks_iam_role_for_service_accounts_config`**](#eks_iam_role_for_service_accounts_config) — Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This outputs a map with two properties: [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` and [``openid_connect_provider_url`](#`openid_connect_provider_url)`. The [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while [``openid_connect_provider_url`](#`openid_connect_provider_url)` is the URL. + + + +* [**`eks_kubeconfig`**](#eks_kubeconfig) — Minimal configuration for kubectl to authenticate with the created EKS cluster. + + + +* [**`eks_worker_asg_names`**](#eks_worker_asg_names) — The list of names of the ASGs that were deployed to act as EKS workers. + + + +* [**`managed_node_group_worker_iam_role_arn`**](#managed_node_group_worker_iam_role_arn) — The ARN of the IAM role associated with the Managed Node Group EKS workers. + + + +* [**`managed_node_group_worker_iam_role_name`**](#managed_node_group_worker_iam_role_name) — The name of the IAM role associated with the Managed Node Group EKS workers. + + + +* [**`managed_node_group_worker_shared_security_group_id`**](#managed_node_group_worker_shared_security_group_id) — The ID of the common AWS Security Group associated with all the managed EKS workers. 
+ + + +* [**`metric_widget_worker_cpu_usage`**](#metric_widget_worker_cpu_usage) — A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the EKS workers (self-managed and managed node groups). + + + +* [**`metric_widget_worker_disk_usage`**](#metric_widget_worker_disk_usage) — A CloudWatch Dashboard widget that graphs disk usage (percentage) of the EKS workers (self-managed and managed node groups). + + + +* [**`metric_widget_worker_memory_usage`**](#metric_widget_worker_memory_usage) — A CloudWatch Dashboard widget that graphs memory usage (percentage) of the EKS workers (self-managed and managed node groups). + + + +* [**`self_managed_worker_iam_role_arn`**](#self_managed_worker_iam_role_arn) — The ARN of the IAM role associated with the self-managed EKS workers. + + + +* [**`self_managed_worker_iam_role_name`**](#self_managed_worker_iam_role_name) — The name of the IAM role associated with the self-managed EKS workers. + + + +* [**`self_managed_worker_security_group_id`**](#self_managed_worker_security_group_id) — The ID of the AWS Security Group associated with the self-managed EKS workers. + +
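Review bot: the automatic link wrapping in this hunk turns every backticked token into a `[...](#anchor)` link, including tokens that are not variables or outputs of this service, so several of the added links point at anchors that do not exist on the page. Concretely: `cloud_init_parts` now reads `[`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html`, which splits a real URL into a broken anchor plus a stray `.html`; `custom_default_fargate_iam_role_name` links the placeholder `CLUSTER_NAME`; `asg_use_resource_name_prefix` links the Terraform lifecycle argument `create_before_destroy` and the `name_prefix` attribute; `num_control_plane_vpc_subnet_ids` and `num_worker_vpc_subnet_ids` link the meta-argument `for_each`; map fields such as `max_size`, `min_size`, `capacity_type`, `common_labels` and `common_tags` are linked as if they were top-level variables; and the `eks_iam_role_for_service_accounts_config` output nests backticks inside the link, producing `[``openid_connect_provider_arn`](#`openid_connect_provider_arn)`. Suggest restricting the generator to tokens that match a declared variable or output name of this module, and restoring the plain URL in `cloud_init_parts`. Minor: the `enable_cloudwatch_metrics` description still ends with "for your Bastion host" in the EKS reference.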
diff --git a/docs/reference/services/app-orchestration/auto-scaling-group-asg.md b/docs/reference/services/app-orchestration/auto-scaling-group-asg.md index d1f5cd740..3eedddd6c 100644 --- a/docs/reference/services/app-orchestration/auto-scaling-group-asg.md +++ b/docs/reference/services/app-orchestration/auto-scaling-group-asg.md @@ -10,446 +10,259 @@ Deploy an AMI across an Auto Scaling Group (ASG), with support for zero-downtime ### Reference - -
    - -
  • -

    - - alarm_sns_topic_arns_us_east_1 - - A list of SNS topic ARNs to notify when the health check changes to ALARM, OK, or INSUFFICIENT_DATA state. Note: these SNS topics MUST be in us-east-1! This is because Route 53 only sends CloudWatch metrics to us-east-1, so we must create the alarm in that region, and therefore, can only notify SNS topics in that region. -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the Jenkins backup job fails. -

    -
  • -
  • -

    - - allow_inbound_from_cidr_blocks - - The CIDR blocks from which to allow access to the ports in var.server_ports -

    -
  • -
  • -

    - - allow_inbound_from_security_group_ids - - The security group IDs from which to allow access to the ports in var.server_ports -

    -
  • -
  • -

    - - allow_ssh_from_cidr_blocks - - The CIDR blocks from which to allow SSH access -

    -
  • -
  • -

    - - allow_ssh_security_group_ids - - The security group IDs from which to allow SSH access -

    -
  • -
  • -

    - - ami - - The ID of the AMI to run on each instance in the ASG. The AMI needs to have `ec2-baseline` installed, since by default it will run `start_ec2_baseline` on the User Data. -

    -
  • -
  • -

    - - ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with the Bastion Host. You can build the AMI using the Packer template bastion-host.json. Only used if var.ami is null. One of var.ami or var.ami_filters is required. Set to null if passing the ami ID directly. -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the ASG instances during boot. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax -

    -
  • -
  • -

    - - create_route53_entry - - Set to true to create a DNS A record in Route 53 for this service. -

    -
  • -
  • -

    - - custom_tags - - A list of custom tags to apply to the EC2 Instances in this ASG. Each item in this list should be a map with the parameters key, value, and propagate_at_launch. -

    -
  • -
  • -

    - - default_forward_target_group_arns - - The ARN of the Target Group to which to route traffic. -

    -
  • -
  • -

    - - default_user - - The default OS user for the service AMI. For example, for AWS Ubuntu AMIs, the default OS user is 'ubuntu'. -

    -
  • -
  • -

    - - desired_capacity - - The desired number of EC2 Instances to run in the ASG initially. Note that auto scaling policies may change this value. If you're using auto scaling policies to dynamically resize the cluster, you should actually leave this value as null. -

    -
  • -
  • -

    - - domain_name - - The domain name to register in var.hosted_zone_id (e.g. foo.example.com). Only used if var.create_route53_entry is true. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to add AIM permissions to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Auto Scaling Group -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true -

    -
  • -
  • -

    - - enable_route53_health_check - - If set to true, use Route 53 to perform health checks on var.domain_name. -

    -
  • -
  • -

    - - enabled_metrics - - A list of metrics the ASG should enable for monitoring all instances in a group. The allowed values are GroupMinSize, GroupMaxSize, GroupDesiredCapacity, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupTerminatingInstances, GroupTotalInstances. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. -

    -
  • -
  • -

    - - fixed_response_listener_rules - - Listener rules for a fixed-response action. See comments below for information about the parameters. -

    -
  • -
  • -

    - - forward_listener_rules - - Listener rules for a forward action that distributes requests among one or more target groups. By default, sends traffic to the target groups created for the ports in var.server_ports. See comments below for information about the parameters. -

    -
  • -
  • -

    - - health_check_grace_period - - Time, in seconds, after an EC2 Instance comes into service before checking health. -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the Route 53 Hosted Zone in which to create a DNS A record for the Auto Scaling Group. Optional if create_route53_entry = false. -

    -
  • -
  • -

    - - iam_policy - - An object defining the policy to attach to `iam_role_name` if the IAM role is going to be created. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. Ignored if `iam_role_arn` is provided. Leave as null if you do not wish to use IAM role with Service Accounts. -

    -
  • -
  • -

    - - instance_type - - The type of instance to run in the ASG (e.g. t3.medium) -

    -
  • -
  • -

    - - key_pair_name - - The name of a Key Pair that can be used to SSH to the EC2 Instances in the ASG. Set to null if you don't want to enable Key Pair auth. -

    -
  • -
  • -

    - - lb_hosted_zone_id - - The ID of the Route 53 Hosted Zone in which to create a DNS A record for the Auto Scaling Group. Optional if create_route53_entry = false. -

    -
  • -
  • -

    - - listener_arns - - A map of all the listeners on the load balancer. The keys should be the port numbers and the values should be the ARN of the listener for that port. -

    -
  • -
  • -

    - - listener_ports - - The ports the ALB listens on for requests -

    -
  • -
  • -

    - - load_balancers - - A list of Elastic Load Balancer (ELB) names to associate with this ASG. If you're using the Application Load Balancer (ALB), see var.target_group_arns. -

    -
  • -
  • -

    - - max_size - - The maximum number of EC2 Instances to run in this ASG -

    -
  • -
  • -

    - - metadata_users - - List of users on the ASG EC2 instances that should be permitted access to the EC2 metadata. -

    -
  • -
  • -

    - - min_elb_capacity - - Wait for this number of EC2 Instances to show up healthy in the load balancer on creation. -

    -
  • -
  • -

    - - min_size - - The minimum number of EC2 Instances to run in this ASG -

    -
  • -
  • -

    - - name - - The name for the ASG and all other resources created by these templates. -

    -
  • -
  • -

    - - original_lb_dns_name - - The DNS name that was assigned by AWS to the load balancer upon creation -

    -
  • -
  • -

    - - redirect_listener_rules - - Listener rules for a redirect action. See comments below for information about the parameters. -

    -
  • -
  • -

    - - secrets_access - - A list of ARNs of Secrets Manager secrets that the task should have permissions to read. The IAM role for the task will be granted `secretsmanager:GetSecretValue` for each secret in the list. The ARN can be either the complete ARN, including the randomly generated suffix, or the ARN without the suffix. If the latter, the module will look up the full ARN automatically. This is helpful in cases where you don't yet know the randomly generated suffix because the rest of the ARN is a predictable value. -

    -
  • -
  • -

    - - server_ports - - The ports the EC2 instances listen on for requests. A Target Group will be created for each port and any rules specified in var.forward_rules will forward traffic to these Target Groups. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the instances. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the instances with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - ssh_port - - The port at which SSH will be allowed from var.allow_ssh_from_cidr_blocks and var.allow_ssh_security_group_ids -

    -
  • -
  • -

    - - subnet_ids - - The list of IDs of the subnets in which to deploy ASG. The list must only contain subnets in var.vpc_id. -

    -
  • -
  • -

    - - tag_asg_id_key - - The key for the tag that will be used to associate a unique identifier with this ASG. This identifier will persist between redeploys of the ASG, even though the underlying ASG is being deleted and replaced with a different one. -

    -
  • -
  • -

    - - termination_policies - - A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, Default. -

    -
  • -
  • -

    - - use_elb_health_checks - - Whether or not ELB or ALB health checks should be enabled. If set to true, the load_balancers or target_groups_arns variable should be set depending on the load balancer type you are using. Useful for testing connectivity before health check endpoints are available. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy the Auto Scaling Group -

    -
  • -
  • -

    - - wait_for_capacity_timeout - - A maximum duration that Terraform should wait for the EC2 Instances to be healthy before timing out. -

    -
  • -
-
- - - + + + + +* [**`alarm_sns_topic_arns_us_east_1`**](#alarm_sns_topic_arns_us_east_1) — A list of SNS topic ARNs to notify when the health check changes to ALARM, OK, or [`INSUFFICIENT_DATA`](#INSUFFICIENT_DATA) state. Note: these SNS topics MUST be in us-east-1! This is because Route 53 only sends CloudWatch metrics to us-east-1, so we must create the alarm in that region, and therefore, can only notify SNS topics in that region. + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the Jenkins backup job fails. + + + +* [**`allow_inbound_from_cidr_blocks`**](#allow_inbound_from_cidr_blocks) — The CIDR blocks from which to allow access to the ports in [`server_ports`](#server_ports) + + + +* [**`allow_inbound_from_security_group_ids`**](#allow_inbound_from_security_group_ids) — The security group IDs from which to allow access to the ports in [`server_ports`](#server_ports) + + + +* [**`allow_ssh_from_cidr_blocks`**](#allow_ssh_from_cidr_blocks) — The CIDR blocks from which to allow SSH access + + + +* [**`allow_ssh_security_group_ids`**](#allow_ssh_security_group_ids) — The security group IDs from which to allow SSH access + + + +* [**`ami`**](#ami) — The ID of the AMI to run on each instance in the ASG. The AMI needs to have `ec2-baseline` installed, since by default it will run [``start_ec2_baseline`](#`start_ec2_baseline)` on the User Data. + + + +* [**`ami_filters`**](#ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with the Bastion Host. You can build the AMI using the Packer template bastion-host.json. Only used if var.ami is null. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if passing the ami ID directly. + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the ASG instances during boot. 
See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax + + + +* [**`create_route53_entry`**](#create_route53_entry) — Set to true to create a DNS A record in Route 53 for this service. + + + +* [**`custom_tags`**](#custom_tags) — A list of custom tags to apply to the EC2 Instances in this ASG. Each item in this list should be a map with the parameters key, value, and [`propagate_at_launch`](#propagate_at_launch). + + + +* [**`default_forward_target_group_arns`**](#default_forward_target_group_arns) — The ARN of the Target Group to which to route traffic. + + + +* [**`default_user`**](#default_user) — The default OS user for the service AMI. For example, for AWS Ubuntu AMIs, the default OS user is 'ubuntu'. + + + +* [**`desired_capacity`**](#desired_capacity) — The desired number of EC2 Instances to run in the ASG initially. Note that auto scaling policies may change this value. If you're using auto scaling policies to dynamically resize the cluster, you should actually leave this value as null. + + + +* [**`domain_name`**](#domain_name) — The domain name to register in [`hosted_zone_id`](#hosted_zone_id) (e.g. foo.example.com). Only used if [`create_route53_entry`](#create_route53_entry) is true. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to add AIM permissions to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. 
+ + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Auto Scaling Group + + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true + + + +* [**`enable_route53_health_check`**](#enable_route53_health_check) — If set to true, use Route 53 to perform health checks on [`domain_name`](#domain_name). + + + +* [**`enabled_metrics`**](#enabled_metrics) — A list of metrics the ASG should enable for monitoring all instances in a group. The allowed values are GroupMinSize, GroupMaxSize, GroupDesiredCapacity, GroupInServiceInstances, GroupPendingInstances, GroupStandbyInstances, GroupTerminatingInstances, GroupTotalInstances. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. + + + +* [**`fixed_response_listener_rules`**](#fixed_response_listener_rules) — Listener rules for a fixed-response action. See comments below for information about the parameters. + + + +* [**`forward_listener_rules`**](#forward_listener_rules) — Listener rules for a forward action that distributes requests among one or more target groups. By default, sends traffic to the target groups created for the ports in [`server_ports`](#server_ports). See comments below for information about the parameters. 
+ + + +* [**`health_check_grace_period`**](#health_check_grace_period) — Time, in seconds, after an EC2 Instance comes into service before checking health. + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the Route 53 Hosted Zone in which to create a DNS A record for the Auto Scaling Group. Optional if [`create_route53_entry`](#create_route53_entry) = false. + + + +* [**`iam_policy`**](#iam_policy) — An object defining the policy to attach to [``iam_role_name`](#`iam_role_name)` if the IAM role is going to be created. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. Ignored if [``iam_role_arn`](#`iam_role_arn)` is provided. Leave as null if you do not wish to use IAM role with Service Accounts. + + + +* [**`instance_type`**](#instance_type) — The type of instance to run in the ASG (e.g. t3.medium) + + + +* [**`key_pair_name`**](#key_pair_name) — The name of a Key Pair that can be used to SSH to the EC2 Instances in the ASG. Set to null if you don't want to enable Key Pair auth. + + + +* [**`lb_hosted_zone_id`**](#lb_hosted_zone_id) — The ID of the Route 53 Hosted Zone in which to create a DNS A record for the Auto Scaling Group. Optional if [`create_route53_entry`](#create_route53_entry) = false. + + + +* [**`listener_arns`**](#listener_arns) — A map of all the listeners on the load balancer. The keys should be the port numbers and the values should be the ARN of the listener for that port. + + + +* [**`listener_ports`**](#listener_ports) — The ports the ALB listens on for requests + + + +* [**`load_balancers`**](#load_balancers) — A list of Elastic Load Balancer (ELB) names to associate with this ASG. If you're using the Application Load Balancer (ALB), see [`target_group_arns`](#target_group_arns). 
+ + + +* [**`max_size`**](#max_size) — The maximum number of EC2 Instances to run in this ASG + + + +* [**`metadata_users`**](#metadata_users) — List of users on the ASG EC2 instances that should be permitted access to the EC2 metadata. + + + +* [**`min_elb_capacity`**](#min_elb_capacity) — Wait for this number of EC2 Instances to show up healthy in the load balancer on creation. + + + +* [**`min_size`**](#min_size) — The minimum number of EC2 Instances to run in this ASG + + + +* [**`name`**](#name) — The name for the ASG and all other resources created by these templates. + + + +* [**`original_lb_dns_name`**](#original_lb_dns_name) — The DNS name that was assigned by AWS to the load balancer upon creation + + + +* [**`redirect_listener_rules`**](#redirect_listener_rules) — Listener rules for a redirect action. See comments below for information about the parameters. + + + +* [**`secrets_access`**](#secrets_access) — A list of ARNs of Secrets Manager secrets that the task should have permissions to read. The IAM role for the task will be granted `secretsmanager:GetSecretValue` for each secret in the list. The ARN can be either the complete ARN, including the randomly generated suffix, or the ARN without the suffix. If the latter, the module will look up the full ARN automatically. This is helpful in cases where you don't yet know the randomly generated suffix because the rest of the ARN is a predictable value. + + + +* [**`server_ports`**](#server_ports) — The ports the EC2 instances listen on for requests. A Target Group will be created for each port and any rules specified in [`forward_rules`](#forward_rules) will forward traffic to these Target Groups. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the instances. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). 
+ + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to the instances with sudo permissions. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`ssh_port`**](#ssh_port) — The port at which SSH will be allowed from [`allow_ssh_from_cidr_blocks`](#allow_ssh_from_cidr_blocks) and [`allow_ssh_security_group_ids`](#allow_ssh_security_group_ids) + + + +* [**`subnet_ids`**](#subnet_ids) — The list of IDs of the subnets in which to deploy ASG. The list must only contain subnets in [`vpc_id`](#vpc_id). + + + +* [**`tag_asg_id_key`**](#tag_asg_id_key) — The key for the tag that will be used to associate a unique identifier with this ASG. This identifier will persist between redeploys of the ASG, even though the underlying ASG is being deleted and replaced with a different one. + + + +* [**`termination_policies`**](#termination_policies) — A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, Default. + + + +* [**`use_elb_health_checks`**](#use_elb_health_checks) — Whether or not ELB or ALB health checks should be enabled. If set to true, the [`load_balancers`](#load_balancers) or [`target_groups_arns`](#target_groups_arns) variable should be set depending on the load balancer type you are using. Useful for testing connectivity before health check endpoints are available. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy the Auto Scaling Group + + + +* [**`wait_for_capacity_timeout`**](#wait_for_capacity_timeout) — A maximum duration that Terraform should wait for the EC2 Instances to be healthy before timing out. + + + + + + +* [**`asg_name`**](#asg_name) — The name of the auto scaling group. 
+ + + +* [**`asg_unique_id`**](#asg_unique_id) — A unique ID common to all ASGs used for [`get_desired_capacity`](#get_desired_capacity) on new deploys. + + + +* [**`fully_qualified_domain_name`**](#fully_qualified_domain_name) — The Fully Qualified Domain Name built using the zone domain and name. + + + +* [**`launch_configuration_id`**](#launch_configuration_id) — The ID of the launch configuration used for the ASG. + + + +* [**`launch_configuration_name`**](#launch_configuration_name) — The name of the launch configuration used for the ASG. + + + +* [**`lb_listener_rule_fixed_response_arns`**](#lb_listener_rule_fixed_response_arns) — The ARNs of the rules of type fixed-response. The key is the same key of the rule from the [``fixed_response_rules`](#`fixed_response_rules)` variable. + + + +* [**`lb_listener_rule_forward_arns`**](#lb_listener_rule_forward_arns) — The ARNs of the rules of type forward. The key is the same key of the rule from the [``forward_rules`](#`forward_rules)` variable. + + + +* [**`lb_listener_rule_redirect_arns`**](#lb_listener_rule_redirect_arns) — The ARNs of the rules of type redirect. The key is the same key of the rule from the [``redirect_rules`](#`redirect_rules)` variable. + + + +* [**`security_group_id`**](#security_group_id) — The ID of the Security Group that belongs to the ASG. + +
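Review bot: the var.X to [`X`](#X) rewrite in this hunk over-matches and emits dead or malformed anchors throughout the added auto-scaling-group-asg.md lines, so the link generator needs an existence check and a tighter token pattern before this merges. Three cases are visible: (1) tokens that are not variables get linked, e.g. "[`INSUFFICIENT_DATA`](#INSUFFICIENT_DATA)" (a Route 53 health check state) and "[`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html", which also splits the external URL so the documentation link no longer works; (2) names already wrapped in backticks get a second pair inside both the link text and the anchor, e.g. "[``start_ec2_baseline`](#`start_ec2_baseline)`" under `ami` and the same pattern for `iam_role_name`, `iam_role_arn`, `fixed_response_rules`, `forward_rules` and `redirect_rules` in the outputs, which renders a stray backtick and never resolves; (3) references to variables that do not exist in this page become dead anchors, e.g. "[`forward_rules`](#forward_rules)" under `server_ports` (the input is `forward_listener_rules`) and "[`target_groups_arns`](#target_groups_arns)" under `use_elb_health_checks`, while the same `ami_filters` sentence leaves "var.ami" unconverted beside the linked `ami_filters`. Suggest linking only when the stripped name matches an input or output heading generated for the same page, skipping tokens containing "/", ":" or a backtick, and correcting the upstream variable descriptions that name nonexistent variables instead of linking them. Also in the added text, "AIM permissions" under `enable_cloudwatch_log_aggregation` should read "IAM permissions".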
diff --git a/docs/reference/services/app-orchestration/ec-2-instance.md b/docs/reference/services/app-orchestration/ec-2-instance.md index 5cf45fa6a..abf042bb4 100644 --- a/docs/reference/services/app-orchestration/ec-2-instance.md +++ b/docs/reference/services/app-orchestration/ec-2-instance.md @@ -10,341 +10,199 @@ Deploy an EC2 Instance, including server hardening, IAM role, EIP, EBS Volume, a ### Reference - -
    - -
  • -

    - - additional_security_group_ids - - A list of optional additional security group ids to assign to the EC2 instance. -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_port_from_cidr_blocks - - Accept inbound traffic on these port ranges from the specified CIDR blocks -

    -
  • -
  • -

    - - allow_port_from_security_group_ids - - Accept inbound traffic on these port ranges from the specified security groups -

    -
  • -
  • -

    - - allow_ssh_from_cidr_blocks - - Accept inbound SSH from these CIDR blocks -

    -
  • -
  • -

    - - allow_ssh_from_security_group_ids - - Accept inbound SSH from these security groups -

    -
  • -
  • -

    - - ami - - The AMI to run on the EC2 instance. This should be built from the Packer template under ec2-instance.json. One of var.ami or var.ami_filters is required. Set to null if looking up the ami with filters. -

    -
  • -
  • -

    - - ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with the EC2 instance. You can build the AMI using the Packer template ec2-instance.json. Only used if var.ami is null. One of var.ami or var.ami_filters is required. Set to null if passing the ami ID directly. -

    -
  • -
  • -

    - - attach_eip - - Determines if an Elastic IP (EIP) will be created for this instance. -

    -
  • -
  • -

    - - base_domain_name_tags - - Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name) -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the EC2 instance while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. -

    -
  • -
  • -

    - - create_dns_record - - Set to true to create a DNS record in Route53 pointing to the EC2 instance. If true, be sure to set var.fully_qualified_domain_name. -

    -
  • -
  • -

    - - default_user - - The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what the Packer template in ec2-instance.json uses, the default OS user is 'ubuntu'. -

    -
  • -
  • -

    - - dns_ttl - - DNS Time To Live in seconds. -

    -
  • -
  • -

    - - dns_zone_is_private - - Specify whether we're selecting a private or public Route 53 DNS Zone -

    -
  • -
  • -

    - - ebs_volumes - - The EBS volumes to attach to the instance. This must be a map of key/value pairs. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/metrics/cloudwatch-memory-disk-metrics-scripts to get memory and disk metrics in CloudWatch for your EC2 instance. -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true. -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true. -

    -
  • -
  • -

    - - enable_ssh_grunt - - Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - fully_qualified_domain_name - - The apex domain of the hostname for the EC2 instance (e.g., example.com). The complete hostname for the EC2 instance will be var.name.var.fully_qualified_domain_name (e.g., bastion.example.com). Only used if create_dns_record is true. -

    -
  • -
  • -

    - - instance_type - - The type of instance to run for the EC2 instance -

    -
  • -
  • -

    - - keypair_name - - The name of a Key Pair that can be used to SSH to this instance. This instance may have ssh-grunt installed. The preferred way to do SSH access is with your own IAM user name and SSH key. This Key Pair is only as a fallback. -

    -
  • -
  • -

    - - name - - The name of the EC2 instance and the other resources created by these templates -

    -
  • -
  • -

    - - root_volume_delete_on_termination - - If set to true, the root volume will be deleted when the Instance is terminated. -

    -
  • -
  • -

    - - root_volume_size - - The size of the root volume, in gigabytes. -

    -
  • -
  • -

    - - root_volume_type - - The root volume type. Must be one of: standard, gp2, io1. -

    -
  • -
  • -

    - - route53_lookup_domain_name - - The domain name to use to look up the Route 53 hosted zone. Will be a subset of fully_qualified_domain_name: e.g., my-company.com. Only one of route53_lookup_domain_name or route53_zone_id should be used. -

    -
  • -
  • -

    - - route53_zone_id - - The ID of the hosted zone to use. Allows specifying the hosted zone directly instead of looking it up via domain name. Only one of route53_lookup_domain_name or route53_zone_id should be used. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - subnet_id - - The ID of the subnet in which to deploy the EC2 instance. Must be a subnet in var.vpc_id. -

    -
  • -
  • -

    - - tags - - A map of tags to apply to the EC2 instance and the S3 Buckets. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - tenancy - - The tenancy of this instance. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy the EC2 instance. -

    -
  • -
-
- - - + + + + +* [**`additional_security_group_ids`**](#additional_security_group_ids) — A list of optional additional security group ids to assign to the EC2 instance. + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_port_from_cidr_blocks`**](#allow_port_from_cidr_blocks) — Accept inbound traffic on these port ranges from the specified CIDR blocks + + + +* [**`allow_port_from_security_group_ids`**](#allow_port_from_security_group_ids) — Accept inbound traffic on these port ranges from the specified security groups + + + +* [**`allow_ssh_from_cidr_blocks`**](#allow_ssh_from_cidr_blocks) — Accept inbound SSH from these CIDR blocks + + + +* [**`allow_ssh_from_security_group_ids`**](#allow_ssh_from_security_group_ids) — Accept inbound SSH from these security groups + + + +* [**`ami`**](#ami) — The AMI to run on the EC2 instance. This should be built from the Packer template under ec2-instance.json. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if looking up the ami with filters. + + + +* [**`ami_filters`**](#ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with the EC2 instance. You can build the AMI using the Packer template ec2-instance.json. Only used if var.ami is null. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if passing the ami ID directly. + + + +* [**`attach_eip`**](#attach_eip) — Determines if an Elastic IP (EIP) will be created for this instance. + + + +* [**`base_domain_name_tags`**](#base_domain_name_tags) — Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name) + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the EC2 instance while it boots. 
See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. + + + +* [**`create_dns_record`**](#create_dns_record) — Set to true to create a DNS record in Route53 pointing to the EC2 instance. If true, be sure to set [`fully_qualified_domain_name`](#fully_qualified_domain_name). + + + +* [**`default_user`**](#default_user) — The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what the Packer template in ec2-instance.json uses, the default OS user is 'ubuntu'. + + + +* [**`dns_ttl`**](#dns_ttl) — DNS Time To Live in seconds. + + + +* [**`dns_zone_is_private`**](#dns_zone_is_private) — Specify whether we're selecting a private or public Route 53 DNS Zone + + + +* [**`ebs_volumes`**](#ebs_volumes) — The EBS volumes to attach to the instance. This must be a map of key/value pairs. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/metrics/cloudwatch-memory-disk-metrics-scripts to get memory and disk metrics in CloudWatch for your EC2 instance. 
+ + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true. + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true. + + + +* [**`enable_ssh_grunt`**](#enable_ssh_grunt) — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`fully_qualified_domain_name`**](#fully_qualified_domain_name) — The apex domain of the hostname for the EC2 instance (e.g., example.com). The complete hostname for the EC2 instance will be [`name.var.fully_qualified_domain_name`](#name.var.fully_qualified_domain_name) (e.g., bastion.example.com). Only used if [`create_dns_record`](#create_dns_record) is true. + + + +* [**`instance_type`**](#instance_type) — The type of instance to run for the EC2 instance + + + +* [**`keypair_name`**](#keypair_name) — The name of a Key Pair that can be used to SSH to this instance. This instance may have ssh-grunt installed. The preferred way to do SSH access is with your own IAM user name and SSH key. This Key Pair is only as a fallback. + + + +* [**`name`**](#name) — The name of the EC2 instance and the other resources created by these templates + + + +* [**`root_volume_delete_on_termination`**](#root_volume_delete_on_termination) — If set to true, the root volume will be deleted when the Instance is terminated. 
+ + + +* [**`root_volume_size`**](#root_volume_size) — The size of the root volume, in gigabytes. + + + +* [**`root_volume_type`**](#root_volume_type) — The root volume type. Must be one of: standard, gp2, io1. + + + +* [**`route53_lookup_domain_name`**](#route53_lookup_domain_name) — The domain name to use to look up the Route 53 hosted zone. Will be a subset of [`fully_qualified_domain_name`](#fully_qualified_domain_name): e.g., my-company.com. Only one of [`route53_lookup_domain_name`](#route53_lookup_domain_name) or [`route53_zone_id`](#route53_zone_id) should be used. + + + +* [**`route53_zone_id`**](#route53_zone_id) — The ID of the hosted zone to use. Allows specifying the hosted zone directly instead of looking it up via domain name. Only one of [`route53_lookup_domain_name`](#route53_lookup_domain_name) or [`route53_zone_id`](#route53_zone_id) should be used. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this EC2 instance. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`subnet_id`**](#subnet_id) — The ID of the subnet in which to deploy the EC2 instance. Must be a subnet in [`vpc_id`](#vpc_id). + + + +* [**`tags`**](#tags) — A map of tags to apply to the EC2 instance and the S3 Buckets. The key is the tag name and the value is the tag value. + + + +* [**`tenancy`**](#tenancy) — The tenancy of this instance. Must be one of: default, dedicated, or host. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy the EC2 instance. 
+ + + + + + +* [**`dns_name`**](#dns_name) — The fully qualified name of the EC2 server. + + + +* [**`ec2_instance_iam_role_arn`**](#ec2_instance_iam_role_arn) — The ARN of the EC2 server's IAM role. + + + +* [**`ec2_instance_instance_id`**](#ec2_instance_instance_id) — The EC2 instance ID of the EC2 server. + + + +* [**`ec2_instance_private_ip`**](#ec2_instance_private_ip) — The private IP address of the EC2 server. + + + +* [**`ec2_instance_public_ip`**](#ec2_instance_public_ip) — The public IP address of the EC2 server. + + + +* [**`ec2_instance_security_group_id`**](#ec2_instance_security_group_id) — The ID of the EC2 servers's security group. + + + +* [**`ec2_instance_volume_info`**](#ec2_instance_volume_info) — Info about the created EBS volumes. + + + +* [**`ec2_instance_volume_parameters`**](#ec2_instance_volume_parameters) — The input parameters for the EBS volumes. + +
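Review bot: the auto-linker in this ec2-instance.md hunk emits dangling same-page anchors. In the `cloud_init_parts` entry the external Terraform docs URL has been rewritten as `[`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html`, so the link now points at a non-existent `#https://...` anchor and the trailing `.html` is left outside the link text; URLs should be excluded from variable matching and kept as plain external links. The `fully_qualified_domain_name` entry has the same problem with `[`name.var.fully_qualified_domain_name`](#name.var.fully_qualified_domain_name)`: there is no variable by that name, the text is describing the composed hostname `<name>.<fully_qualified_domain_name>`, so only the `fully_qualified_domain_name` token should be linked. Separately, `ssh_grunt_iam_group_sudo` carries exactly the same description as `ssh_grunt_iam_group` ("users will be allowed to SSH to this EC2 instance") and never mentions sudo, so the two entries are indistinguishable on the rendered page; since the descriptions are being regenerated anyway, the sudo variant should state that members of that group get sudo on the instance.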
diff --git a/docs/reference/services/app-orchestration/kubernetes-namespace.md b/docs/reference/services/app-orchestration/kubernetes-namespace.md index 0d65734ae..4a2543fd4 100644 --- a/docs/reference/services/app-orchestration/kubernetes-namespace.md +++ b/docs/reference/services/app-orchestration/kubernetes-namespace.md @@ -10,103 +10,63 @@ Provision a best practices Kubernetes Namespace on any Kubernetes Cluster. ### Reference - -
    - -
  • -

    - - annotations - - Map of string key default pairs that can be used to store arbitrary metadata on the namespace and roles. See the Kubernetes Reference for more info (https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). -

    -
  • -
  • -

    - - eks_cluster_name - - Name of the EKS cluster where the Namespace will be created. Required when var.schedule_pods_on_fargate is `true`. -

    -
  • -
  • -

    - - full_access_rbac_entities - - The list of RBAC entities that should have full access to the Namespace. -

    -
  • -
  • -

    - - labels - - Map of string key value pairs that can be used to organize and categorize the namespace and roles. See the Kubernetes Reference for more info (https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). -

    -
  • -
  • -

    - - name - - Name of the Namespace to create. -

    -
  • -
  • -

    - - pod_execution_iam_role_arn - - ARN of IAM Role to use as the Pod execution role for Fargate. Required if var.schedule_pods_on_fargate is true. -

    -
  • -
  • -

    - - read_only_access_rbac_entities - - The list of RBAC entities that should have read only access to the Namespace. -

    -
  • -
  • -

    - - schedule_pods_on_fargate - - When true, will create a Fargate Profile that matches all Pods in the Namespace. This means that all Pods in the Namespace will be scheduled on Fargate. Note that this value is only used if var.kubeconfig_auth_type is eks, as Fargate profiles can only be created against EKS clusters. -

    -
  • -
  • -

    - - worker_vpc_subnet_ids - - The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. At least 1 subnet is required if var.schedule_pods_on_fargate is true. -

    -
  • -
-
- - - + + + + +* [**`annotations`**](#annotations) — Map of string key default pairs that can be used to store arbitrary metadata on the namespace and roles. See the Kubernetes Reference for more info (https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/). + + + +* [**`eks_cluster_name`**](#eks_cluster_name) — Name of the EKS cluster where the Namespace will be created. Required when [`schedule_pods_on_fargate`](#schedule_pods_on_fargate) is `true`. + + + +* [**`full_access_rbac_entities`**](#full_access_rbac_entities) — The list of RBAC entities that should have full access to the Namespace. + + + +* [**`labels`**](#labels) — Map of string key value pairs that can be used to organize and categorize the namespace and roles. See the Kubernetes Reference for more info (https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). + + + +* [**`name`**](#name) — Name of the Namespace to create. + + + +* [**`pod_execution_iam_role_arn`**](#pod_execution_iam_role_arn) — ARN of IAM Role to use as the Pod execution role for Fargate. Required if [`schedule_pods_on_fargate`](#schedule_pods_on_fargate) is true. + + + +* [**`read_only_access_rbac_entities`**](#read_only_access_rbac_entities) — The list of RBAC entities that should have read only access to the Namespace. + + + +* [**`schedule_pods_on_fargate`**](#schedule_pods_on_fargate) — When true, will create a Fargate Profile that matches all Pods in the Namespace. This means that all Pods in the Namespace will be scheduled on Fargate. Note that this value is only used if [`kubeconfig_auth_type`](#kubeconfig_auth_type) is eks, as Fargate profiles can only be created against EKS clusters. + + + +* [**`worker_vpc_subnet_ids`**](#worker_vpc_subnet_ids) — The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. At least 1 subnet is required if [`schedule_pods_on_fargate`](#schedule_pods_on_fargate) is true. 
+ + + + + + +* [**`namespace_name`**](#namespace_name) — The name of the created namespace. + + + +* [**`namespace_rbac_access_all_role`**](#namespace_rbac_access_all_role) — The name of the rbac role that grants admin level permissions on the namespace. + + + +* [**`namespace_rbac_access_read_only_role`**](#namespace_rbac_access_read_only_role) — The name of the rbac role that grants read only permissions on the namespace. + +
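Review bot: in the kubernetes-namespace.md hunk, `schedule_pods_on_fargate` now links `[`kubeconfig_auth_type`](#kubeconfig_auth_type)`, but no `kubeconfig_auth_type` variable has an entry in this reference, so the anchor is dead on the rendered page. The linker should only emit `(#name)` for names that have their own entry on the same page; otherwise keep the name as plain inline code. While this text is being regenerated, `annotations` still reads "Map of string key default pairs", which should be "key value pairs" to match the wording of the `labels` entry directly below it.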
diff --git a/docs/reference/services/app-orchestration/kubernetes-service.md b/docs/reference/services/app-orchestration/kubernetes-service.md index 82c0bd914..d60f116b6 100644 --- a/docs/reference/services/app-orchestration/kubernetes-service.md +++ b/docs/reference/services/app-orchestration/kubernetes-service.md @@ -10,488 +10,285 @@ Deploy your application containers as a Kubernetes Service and Deployment follow ### Reference - -
    - -
  • -

    - - alb_acm_certificate_arns - - A list of ACM certificate ARNs to attach to the ALB. The first certificate in the list will be added as default certificate. -

    -
  • -
  • -

    - - alb_health_check_healthy_threshold - - The number of consecutive health check successes required before considering an unhealthy target healthy. -

    -
  • -
  • -

    - - alb_health_check_interval - - Interval between ALB health checks in seconds. -

    -
  • -
  • -

    - - alb_health_check_path - - URL path for the endpoint that the ALB health check should ping. Defaults to /. -

    -
  • -
  • -

    - - alb_health_check_port - - String value specifying the port that the ALB health check should probe. By default, this will be set to the traffic port. -

    -
  • -
  • -

    - - alb_health_check_protocol - - Protocol (HTTP or HTTPS) that the ALB health check should use to connect to the application container. -

    -
  • -
  • -

    - - alb_health_check_success_codes - - The HTTP status code that should be expected when doing health checks against the specified health check path. Accepts a single value (200), multiple values (200,201), or a range of values (200-300). -

    -
  • -
  • -

    - - alb_health_check_timeout - - The timeout, in seconds, during which no response from a target means a failed health check. -

    -
  • -
  • -

    - - application_name - - The name of the application (e.g. my-service-stage). Used for labeling Kubernetes resources. -

    -
  • -
  • -

    - - canary_image - - The Docker image to use for the canary. Required if desired_number_of_canary_pods is greater than 0. -

    -
  • -
  • -

    - - configmaps_as_env_vars - - Kubernetes ConfigMaps to be injected into the container. Each entry in the map represents a ConfigMap to be injected, with the key representing the name of the ConfigMap. The value is also a map, with each entry corresponding to an entry in the ConfigMap, with the key corresponding to the ConfigMap entry key and the value corresponding to the environment variable name. -

    -
  • -
  • -

    - - configmaps_as_volumes - - Kubernetes ConfigMaps to be injected into the container as volume mounts. Each entry in the map represents a ConfigMap to be mounted, with the key representing the name of the ConfigMap and the value representing a file path on the container to mount the ConfigMap to. -

    -
  • -
  • -

    - - container_image - - The Docker image to run. -

    -
  • -
  • -

    - - container_port - - The port number on which this service's Docker container accepts incoming traffic. -

    -
  • -
  • -

    - - container_protocol - - The protocol on which this service's Docker container accepts traffic. Must be one of the supported protocols: https://kubernetes.io/docs/concepts/services-networking/service/#protocol-support. -

    -
  • -
  • -

    - - custom_resources - - The map that lets you define Kubernetes resources you want installed and configured as part of the chart. -

    -
  • -
  • -

    - - desired_number_of_canary_pods - - The number of canary Pods to run on the Kubernetes cluster for this service. If greater than 0, you must provide var.canary_image. -

    -
  • -
  • -

    - - desired_number_of_pods - - The number of Pods to run on the Kubernetes cluster for this service. -

    -
  • -
  • -

    - - domain_name - - The domain name for the DNS A record to bind to the Ingress resource for this service (e.g. service.foo.com). Depending on your external-dns configuration, this will also create the DNS record in the configured DNS service (e.g., Route53). -

    -
  • -
  • -

    - - domain_propagation_ttl - - The TTL value of the DNS A record that is bound to the Ingress resource. Only used if var.domain_name is set and external-dns is deployed. -

    -
  • -
  • -

    - - eks_iam_role_for_service_accounts_config - - Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: `openid_connect_provider_arn` and `openid_connect_provider_url`. The `openid_connect_provider_arn` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while `openid_connect_provider_url` is the URL. Leave as an empty string if you do not wish to use IAM role with Service Accounts. -

    -
  • -
  • -

    - - enable_liveness_probe - - Whether or not to enable liveness probe. Liveness checks indicate whether or not the container is alive. When these checks fail, the cluster will automatically rotate the Pod. -

    -
  • -
  • -

    - - enable_readiness_probe - - Whether or not to enable readiness probe. Readiness checks indicate whether or not the container can accept traffic. When these checks fail, the Pods are automatically removed from the Service (and added back in when they pass). -

    -
  • -
  • -

    - - env_vars - - A map of environment variable name to environment variable value that should be made available to the Docker container. -

    -
  • -
  • -

    - - expose_type - - How the service will be exposed in the cluster. Must be one of `external` (accessible over the public Internet), `internal` (only accessible from within the same VPC as the cluster), `cluster-internal` (only accessible within the Kubernetes network). -

    -
  • -
  • -

    - - force_destroy_ingress_access_logs - - A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false. -

    -
  • -
  • -

    - - horizontal_pod_autoscaler - - Configure the Horizontal Pod Autoscaler information for the associated Deployment. HPA is disabled when this variable is set to null. -

    -
  • -
  • -

    - - iam_policy - - An object defining the policy to attach to `iam_role_name` if the IAM role is going to be created. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. Ignored if `iam_role_arn` is provided. Leave as null if you do not wish to use IAM role with Service Accounts. -

    -
  • -
  • -

    - - iam_role_exists - - Whether or not the IAM role passed in `iam_role_name` already exists. Set to true if it exists, or false if it needs to be created. Defaults to false. -

    -
  • -
  • -

    - - iam_role_name - - The name of an IAM role that will be used by the pod to access the AWS API. If `iam_role_exists` is set to false, this role will be created. Leave as an empty string if you do not wish to use IAM role with Service Accounts. -

    -
  • -
  • -

    - - ingress_access_logs_s3_bucket_already_exists - - Set to true if the S3 bucket to store the Ingress access logs is managed external to this module. -

    -
  • -
  • -

    - - ingress_access_logs_s3_bucket_name - - The name to use for the S3 bucket where the Ingress access logs will be stored. If you leave this blank, a name will be generated automatically based on var.application_name. -

    -
  • -
  • -

    - - ingress_access_logs_s3_prefix - - The prefix to use for ingress access logs associated with the ALB. All logs will be stored in a key with this prefix. If null, the application name will be used. -

    -
  • -
  • -

    - - ingress_annotations - - A list of custom ingress annotations, such as health checks and TLS certificates, to add to the Helm chart. See: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/ -

    -
  • -
  • -

    - - ingress_backend_protocol - - The protocol used by the Ingress ALB resource to communicate with the Service. Must be one of HTTP or HTTPS. -

    -
  • -
  • -

    - - ingress_configure_ssl_redirect - - When true, HTTP requests will automatically be redirected to use SSL (HTTPS). Used only when expose_type is either external or internal. -

    -
  • -
  • -

    - - ingress_group - - Assign the ingress resource to an IngressGroup. All Ingress rules of the group will be collapsed to a single ALB. The rules will be collapsed in priority order, with lower numbers being evaluated first. -

    -
  • -
  • -

    - - ingress_listener_protocol_ports - - A list of maps of protocols and ports that the ALB should listen on. -

    -
  • -
  • -

    - - ingress_path - - Path prefix that should be matched to route to the service. Use /* to match all paths. -

    -
  • -
  • -

    - - ingress_ssl_redirect_rule_already_exists - - Set to true if the Ingress SSL redirect rule is managed externally. This is useful when configuring Ingress grouping and you only want one service to be managing the SSL redirect rules. Only used if ingress_configure_ssl_redirect is true. -

    -
  • -
  • -

    - - ingress_target_type - - Controls how the ALB routes traffic to the Pods. Supports 'instance' mode (route traffic to NodePort and load balance across all worker nodes, relying on Kubernetes Service networking to route to the pods), or 'ip' mode (route traffic directly to the pod IP - only works with AWS VPC CNI). Must be set to 'ip' if using Fargate. Only used if expose_type is not cluster-internal. -

    -
  • -
  • -

    - - liveness_probe_grace_period_seconds - - Seconds to wait after Pod creation before liveness probe has any effect. Any failures during this period are ignored. -

    -
  • -
  • -

    - - liveness_probe_interval_seconds - - The approximate amount of time, in seconds, between liveness checks of an individual Target. -

    -
  • -
  • -

    - - liveness_probe_path - - URL path for the endpoint that the liveness probe should ping. -

    -
  • -
  • -

    - - liveness_probe_port - - Port that the liveness probe should use to connect to the application container. -

    -
  • -
  • -

    - - liveness_probe_protocol - - Protocol (HTTP or HTTPS) that the liveness probe should use to connect to the application container. -

    -
  • -
  • -

    - - min_number_of_pods_available - - The minimum number of pods that should be available at any given point in time. This is used to configure a PodDisruptionBudget for the service, allowing you to achieve a graceful rollout. See https://blog.gruntwork.io/avoiding-outages-in-your-kubernetes-cluster-using-poddisruptionbudgets-ef6a4baa5085 for an introduction to PodDisruptionBudgets. -

    -
  • -
  • -

    - - namespace - - The Kubernetes Namespace to deploy the application into. -

    -
  • -
  • -

    - - num_days_after_which_archive_ingress_log_data - - After this number of days, Ingress log files should be transitioned from S3 to Glacier. Set to 0 to never archive logs. -

    -
  • -
  • -

    - - num_days_after_which_delete_ingress_log_data - - After this number of days, Ingress log files should be deleted from S3. Set to 0 to never delete logs. -

    -
  • -
  • -

    - - override_chart_inputs - - Override any computed chart inputs with this map. This map is shallow merged to the computed chart inputs prior to passing on to the Helm Release. This is provided as a workaround while the terraform module does not support a particular input value that is exposed in the underlying chart. Please always file a GitHub issue to request exposing additional underlying input values prior to using this variable. -

    -
  • -
  • -

    - - readiness_probe_grace_period_seconds - - Seconds to wait after Pod creation before liveness probe has any effect. Any failures during this period are ignored. -

    -
  • -
  • -

    - - readiness_probe_interval_seconds - - The approximate amount of time, in seconds, between liveness checks of an individual Target. -

    -
  • -
  • -

    - - readiness_probe_path - - URL path for the endpoint that the readiness probe should ping. -

    -
  • -
  • -

    - - readiness_probe_port - - Port that the readiness probe should use to connect to the application container. -

    -
  • -
  • -

    - - readiness_probe_protocol - - Protocol (HTTP or HTTPS) that the readiness probe should use to connect to the application container. -

    -
  • -
  • -

    - - scratch_paths - - Paths that should be allocated as tmpfs volumes in the Deployment container. Each entry in the map is a key value pair where the key is an arbitrary name to bind to the volume, and the value is the path in the container to mount the tmpfs volume. -

    -
  • -
  • -

    - - secrets_as_env_vars - - Kubernetes Secrets to be injected into the container. Each entry in the map represents a Secret to be injected, with the key representing the name of the Secret. The value is also a map, with each entry corresponding to an entry in the Secret, with the key corresponding to the Secret entry key and the value corresponding to the environment variable name. -

    -
  • -
  • -

    - - secrets_as_volumes - - Kubernetes Secrets to be injected into the container as volume mounts. Each entry in the map represents a Secret to be mounted, with the key representing the name of the Secret and the value representing a file path on the container to mount the Secret to. -

    -
  • -
  • -

    - - service_account_exists - - When true, and service_account_name is not blank, lookup and assign an existing ServiceAccount in the Namespace to the Pods. -

    -
  • -
  • -

    - - service_account_name - - The name of a service account to create for use with the Pods. This service account will be mapped to the IAM role defined in `var.iam_role_name` to give the pod permissions to access the AWS API. Must be unique in this namespace. Leave as an empty string if you do not wish to assign a Service Account to the Pods. -

    -
  • -
  • -

    - - service_port - - The port to expose on the Service. This is most useful when addressing the Service internally to the cluster, as it is ignored when connecting from the Ingress resource. -

    -
  • -
  • -

    - - sidecar_containers - - Map of keys to container definitions that allow you to manage additional side car containers that should be included in the Pod. Note that the values are injected directly into the container list for the Pod Spec. -

    -
  • -
  • -

    - - termination_grace_period_seconds - - Grace period in seconds that Kubernetes will wait before terminating the pod. The timeout happens in parallel to preStop hook and the SIGTERM signal, Kubernetes does not wait for preStop to finish before beginning the grace period. -

    -
  • -
  • -

    - - values_file_path - - A local file path where the helm chart values will be emitted. Use to debug issues with the helm chart values. Set to null to prevent creation of the file. -

    -
  • -
  • -

    - - wait - - When true, wait until Pods are up and healthy or wait_timeout seconds before exiting terraform. -

    -
  • -
  • -

    - - wait_timeout - - Number of seconds to wait for Pods to become healthy before marking the deployment as a failure. -

    -
  • -
-
- -
    - -
-
+ + + + +* [**`alb_acm_certificate_arns`**](#alb_acm_certificate_arns) — A list of ACM certificate ARNs to attach to the ALB. The first certificate in the list will be added as default certificate. + + + +* [**`alb_health_check_healthy_threshold`**](#alb_health_check_healthy_threshold) — The number of consecutive health check successes required before considering an unhealthy target healthy. + + + +* [**`alb_health_check_interval`**](#alb_health_check_interval) — Interval between ALB health checks in seconds. + + + +* [**`alb_health_check_path`**](#alb_health_check_path) — URL path for the endpoint that the ALB health check should ping. Defaults to /. + + + +* [**`alb_health_check_port`**](#alb_health_check_port) — String value specifying the port that the ALB health check should probe. By default, this will be set to the traffic port. + + + +* [**`alb_health_check_protocol`**](#alb_health_check_protocol) — Protocol (HTTP or HTTPS) that the ALB health check should use to connect to the application container. + + + +* [**`alb_health_check_success_codes`**](#alb_health_check_success_codes) — The HTTP status code that should be expected when doing health checks against the specified health check path. Accepts a single value (200), multiple values (200,201), or a range of values (200-300). + + + +* [**`alb_health_check_timeout`**](#alb_health_check_timeout) — The timeout, in seconds, during which no response from a target means a failed health check. + + + +* [**`application_name`**](#application_name) — The name of the application (e.g. my-service-stage). Used for labeling Kubernetes resources. + + + +* [**`canary_image`**](#canary_image) — The Docker image to use for the canary. Required if [`desired_number_of_canary_pods`](#desired_number_of_canary_pods) is greater than 0. + + + +* [**`configmaps_as_env_vars`**](#configmaps_as_env_vars) — Kubernetes ConfigMaps to be injected into the container. 
Each entry in the map represents a ConfigMap to be injected, with the key representing the name of the ConfigMap. The value is also a map, with each entry corresponding to an entry in the ConfigMap, with the key corresponding to the ConfigMap entry key and the value corresponding to the environment variable name. + + + +* [**`configmaps_as_volumes`**](#configmaps_as_volumes) — Kubernetes ConfigMaps to be injected into the container as volume mounts. Each entry in the map represents a ConfigMap to be mounted, with the key representing the name of the ConfigMap and the value representing a file path on the container to mount the ConfigMap to. + + + +* [**`container_image`**](#container_image) — The Docker image to run. + + + +* [**`container_port`**](#container_port) — The port number on which this service's Docker container accepts incoming traffic. + + + +* [**`container_protocol`**](#container_protocol) — The protocol on which this service's Docker container accepts traffic. Must be one of the supported protocols: https://kubernetes.io/docs/concepts/services-networking/service/#protocol-support. + + + +* [**`custom_resources`**](#custom_resources) — The map that lets you define Kubernetes resources you want installed and configured as part of the chart. + + + +* [**`desired_number_of_canary_pods`**](#desired_number_of_canary_pods) — The number of canary Pods to run on the Kubernetes cluster for this service. If greater than 0, you must provide [`canary_image`](#canary_image). + + + +* [**`desired_number_of_pods`**](#desired_number_of_pods) — The number of Pods to run on the Kubernetes cluster for this service. + + + +* [**`domain_name`**](#domain_name) — The domain name for the DNS A record to bind to the Ingress resource for this service (e.g. service.foo.com). Depending on your external-dns configuration, this will also create the DNS record in the configured DNS service (e.g., Route53). 
+ + + +* [**`domain_propagation_ttl`**](#domain_propagation_ttl) — The TTL value of the DNS A record that is bound to the Ingress resource. Only used if [`domain_name`](#domain_name) is set and external-dns is deployed. + + + +* [**`eks_iam_role_for_service_accounts_config`**](#eks_iam_role_for_service_accounts_config) — Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` and [``openid_connect_provider_url`](#`openid_connect_provider_url)`. The [``openid_connect_provider_arn`](#`openid_connect_provider_arn)` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while [``openid_connect_provider_url`](#`openid_connect_provider_url)` is the URL. Leave as an empty string if you do not wish to use IAM role with Service Accounts. + + + +* [**`enable_liveness_probe`**](#enable_liveness_probe) — Whether or not to enable liveness probe. Liveness checks indicate whether or not the container is alive. When these checks fail, the cluster will automatically rotate the Pod. + + + +* [**`enable_readiness_probe`**](#enable_readiness_probe) — Whether or not to enable readiness probe. Readiness checks indicate whether or not the container can accept traffic. When these checks fail, the Pods are automatically removed from the Service (and added back in when they pass). + + + +* [**`env_vars`**](#env_vars) — A map of environment variable name to environment variable value that should be made available to the Docker container. + + + +* [**`expose_type`**](#expose_type) — How the service will be exposed in the cluster. Must be one of `external` (accessible over the public Internet), `internal` (only accessible from within the same VPC as the cluster), `cluster-internal` (only accessible within the Kubernetes network). 
+ + + +* [**`force_destroy_ingress_access_logs`**](#force_destroy_ingress_access_logs) — A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false. + + + +* [**`horizontal_pod_autoscaler`**](#horizontal_pod_autoscaler) — Configure the Horizontal Pod Autoscaler information for the associated Deployment. HPA is disabled when this variable is set to null. + + + +* [**`iam_policy`**](#iam_policy) — An object defining the policy to attach to [``iam_role_name`](#`iam_role_name)` if the IAM role is going to be created. Accepts a map of objects, where the map keys are sids for IAM policy statements, and the object fields are the resources, actions, and the effect ("Allow" or "Deny") of the statement. Ignored if [``iam_role_arn`](#`iam_role_arn)` is provided. Leave as null if you do not wish to use IAM role with Service Accounts. + + + +* [**`iam_role_exists`**](#iam_role_exists) — Whether or not the IAM role passed in [``iam_role_name`](#`iam_role_name)` already exists. Set to true if it exists, or false if it needs to be created. Defaults to false. + + + +* [**`iam_role_name`**](#iam_role_name) — The name of an IAM role that will be used by the pod to access the AWS API. If [``iam_role_exists`](#`iam_role_exists)` is set to false, this role will be created. Leave as an empty string if you do not wish to use IAM role with Service Accounts. + + + +* [**`ingress_access_logs_s3_bucket_already_exists`**](#ingress_access_logs_s3_bucket_already_exists) — Set to true if the S3 bucket to store the Ingress access logs is managed external to this module. + + + +* [**`ingress_access_logs_s3_bucket_name`**](#ingress_access_logs_s3_bucket_name) — The name to use for the S3 bucket where the Ingress access logs will be stored. 
If you leave this blank, a name will be generated automatically based on [`application_name`](#application_name). + + + +* [**`ingress_access_logs_s3_prefix`**](#ingress_access_logs_s3_prefix) — The prefix to use for ingress access logs associated with the ALB. All logs will be stored in a key with this prefix. If null, the application name will be used. + + + +* [**`ingress_annotations`**](#ingress_annotations) — A list of custom ingress annotations, such as health checks and TLS certificates, to add to the Helm chart. See: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/ + + + +* [**`ingress_backend_protocol`**](#ingress_backend_protocol) — The protocol used by the Ingress ALB resource to communicate with the Service. Must be one of HTTP or HTTPS. + + + +* [**`ingress_configure_ssl_redirect`**](#ingress_configure_ssl_redirect) — When true, HTTP requests will automatically be redirected to use SSL (HTTPS). Used only when [`expose_type`](#expose_type) is either external or internal. + + + +* [**`ingress_group`**](#ingress_group) — Assign the ingress resource to an IngressGroup. All Ingress rules of the group will be collapsed to a single ALB. The rules will be collapsed in priority order, with lower numbers being evaluated first. + + + +* [**`ingress_listener_protocol_ports`**](#ingress_listener_protocol_ports) — A list of maps of protocols and ports that the ALB should listen on. + + + +* [**`ingress_path`**](#ingress_path) — Path prefix that should be matched to route to the service. Use /* to match all paths. + + + +* [**`ingress_ssl_redirect_rule_already_exists`**](#ingress_ssl_redirect_rule_already_exists) — Set to true if the Ingress SSL redirect rule is managed externally. This is useful when configuring Ingress grouping and you only want one service to be managing the SSL redirect rules. Only used if [`ingress_configure_ssl_redirect`](#ingress_configure_ssl_redirect) is true. 
+ + + +* [**`ingress_target_type`**](#ingress_target_type) — Controls how the ALB routes traffic to the Pods. Supports 'instance' mode (route traffic to NodePort and load balance across all worker nodes, relying on Kubernetes Service networking to route to the pods), or 'ip' mode (route traffic directly to the pod IP - only works with AWS VPC CNI). Must be set to 'ip' if using Fargate. Only used if [`expose_type`](#expose_type) is not cluster-internal. + + + +* [**`liveness_probe_grace_period_seconds`**](#liveness_probe_grace_period_seconds) — Seconds to wait after Pod creation before liveness probe has any effect. Any failures during this period are ignored. + + + +* [**`liveness_probe_interval_seconds`**](#liveness_probe_interval_seconds) — The approximate amount of time, in seconds, between liveness checks of an individual Target. + + + +* [**`liveness_probe_path`**](#liveness_probe_path) — URL path for the endpoint that the liveness probe should ping. + + + +* [**`liveness_probe_port`**](#liveness_probe_port) — Port that the liveness probe should use to connect to the application container. + + + +* [**`liveness_probe_protocol`**](#liveness_probe_protocol) — Protocol (HTTP or HTTPS) that the liveness probe should use to connect to the application container. + + + +* [**`min_number_of_pods_available`**](#min_number_of_pods_available) — The minimum number of pods that should be available at any given point in time. This is used to configure a PodDisruptionBudget for the service, allowing you to achieve a graceful rollout. See https://blog.gruntwork.io/avoiding-outages-in-your-kubernetes-cluster-using-poddisruptionbudgets-ef6a4baa5085 for an introduction to PodDisruptionBudgets. + + + +* [**`namespace`**](#namespace) — The Kubernetes Namespace to deploy the application into. 
+ + + +* [**`num_days_after_which_archive_ingress_log_data`**](#num_days_after_which_archive_ingress_log_data) — After this number of days, Ingress log files should be transitioned from S3 to Glacier. Set to 0 to never archive logs. + + + +* [**`num_days_after_which_delete_ingress_log_data`**](#num_days_after_which_delete_ingress_log_data) — After this number of days, Ingress log files should be deleted from S3. Set to 0 to never delete logs. + + + +* [**`override_chart_inputs`**](#override_chart_inputs) — Override any computed chart inputs with this map. This map is shallow merged to the computed chart inputs prior to passing on to the Helm Release. This is provided as a workaround while the terraform module does not support a particular input value that is exposed in the underlying chart. Please always file a GitHub issue to request exposing additional underlying input values prior to using this variable. + + + +* [**`readiness_probe_grace_period_seconds`**](#readiness_probe_grace_period_seconds) — Seconds to wait after Pod creation before liveness probe has any effect. Any failures during this period are ignored. + + + +* [**`readiness_probe_interval_seconds`**](#readiness_probe_interval_seconds) — The approximate amount of time, in seconds, between liveness checks of an individual Target. + + + +* [**`readiness_probe_path`**](#readiness_probe_path) — URL path for the endpoint that the readiness probe should ping. + + + +* [**`readiness_probe_port`**](#readiness_probe_port) — Port that the readiness probe should use to connect to the application container. + + + +* [**`readiness_probe_protocol`**](#readiness_probe_protocol) — Protocol (HTTP or HTTPS) that the readiness probe should use to connect to the application container. + + + +* [**`scratch_paths`**](#scratch_paths) — Paths that should be allocated as tmpfs volumes in the Deployment container. 
Each entry in the map is a key value pair where the key is an arbitrary name to bind to the volume, and the value is the path in the container to mount the tmpfs volume. + + + +* [**`secrets_as_env_vars`**](#secrets_as_env_vars) — Kubernetes Secrets to be injected into the container. Each entry in the map represents a Secret to be injected, with the key representing the name of the Secret. The value is also a map, with each entry corresponding to an entry in the Secret, with the key corresponding to the Secret entry key and the value corresponding to the environment variable name. + + + +* [**`secrets_as_volumes`**](#secrets_as_volumes) — Kubernetes Secrets to be injected into the container as volume mounts. Each entry in the map represents a Secret to be mounted, with the key representing the name of the Secret and the value representing a file path on the container to mount the Secret to. + + + +* [**`service_account_exists`**](#service_account_exists) — When true, and [`service_account_name`](#service_account_name) is not blank, lookup and assign an existing ServiceAccount in the Namespace to the Pods. + + + +* [**`service_account_name`**](#service_account_name) — The name of a service account to create for use with the Pods. This service account will be mapped to the IAM role defined in [``var.iam_role_name`](#`var.iam_role_name)` to give the pod permissions to access the AWS API. Must be unique in this namespace. Leave as an empty string if you do not wish to assign a Service Account to the Pods. + + + +* [**`service_port`**](#service_port) — The port to expose on the Service. This is most useful when addressing the Service internally to the cluster, as it is ignored when connecting from the Ingress resource. + + + +* [**`sidecar_containers`**](#sidecar_containers) — Map of keys to container definitions that allow you to manage additional side car containers that should be included in the Pod. 
Note that the values are injected directly into the container list for the Pod Spec. + + + +* [**`termination_grace_period_seconds`**](#termination_grace_period_seconds) — Grace period in seconds that Kubernetes will wait before terminating the pod. The timeout happens in parallel to preStop hook and the SIGTERM signal, Kubernetes does not wait for preStop to finish before beginning the grace period. + + + +* [**`values_file_path`**](#values_file_path) — A local file path where the helm chart values will be emitted. Use to debug issues with the helm chart values. Set to null to prevent creation of the file. + + + +* [**`wait`**](#wait) — When true, wait until Pods are up and healthy or [`wait_timeout`](#wait_timeout) seconds before exiting terraform. + + + +* [**`wait_timeout`**](#wait_timeout) — Number of seconds to wait for Pods to become healthy before marking the deployment as a failure. + + + + + + +
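Review bot: the link rewriting in this hunk produces broken anchors wherever a variable reference was already wrapped in backticks, which is the opposite of what the PR title promises. `eks_iam_role_for_service_accounts_config` now links to "#`openid_connect_provider_arn`" and "#`openid_connect_provider_url`", `iam_policy`, `iam_role_exists` and `iam_role_name` link to "#`iam_role_name`", "#`iam_role_arn`" and "#`iam_role_exists`", and `service_account_name` links to "#`var.iam_role_name`". The backticks inside the fragment mean none of these resolve, and the last one also keeps the `var.` prefix, which no heading on the page carries; the conversion should strip surrounding backticks and a leading `var.` before building the fragment, so these read `[`iam_role_name`](#iam_role_name)` like the other entries. `openid_connect_provider_arn` and `openid_connect_provider_url` are keys of the config object rather than module variables, so they should not be linked at all. Two copy-paste errors also survive in the added text: `readiness_probe_grace_period_seconds` says "before liveness probe has any effect" and `readiness_probe_interval_seconds` says "between liveness checks"; both should say readiness, since a reader tuning the two probes separately will otherwise assume they share a timer.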
diff --git a/docs/reference/services/app-orchestration/lambda.md b/docs/reference/services/app-orchestration/lambda.md index 9e45c060c..8be0c7fad 100644 --- a/docs/reference/services/app-orchestration/lambda.md +++ b/docs/reference/services/app-orchestration/lambda.md @@ -10,425 +10,247 @@ Deploy a Lambda on AWS. ### Reference - -
    - -
  • -

    - - alarm_sns_topic_arns - - A list of SNS topic ARNs to notify when the lambda alarms change to ALARM, OK, or INSUFFICIENT_DATA state -

    -
  • -
  • -

    - - assume_role_policy - - A custom assume role policy for the IAM role for this Lambda function. If not set, the default is a policy that allows the Lambda service to assume the IAM role, which is what most users will need. However, you can use this variable to override the policy for special cases, such as using a Lambda function to rotate AWS Secrets Manager secrets. -

    -
  • -
  • -

    - - command - - The CMD for the docker image. Only used if you specify a Docker image via image_uri. -

    -
  • -
  • -

    - - comparison_operator - - The arithmetic operation to use when comparing the specified Statistic and Threshold. The specified Statistic value is used as the first operand. Either of the following is supported: `GreaterThanOrEqualToThreshold`, `GreaterThanThreshold`, `LessThanThreshold`, `LessThanOrEqualToThreshold`. Additionally, the values `LessThanLowerOrGreaterThanUpperThreshold`, `LessThanLowerThreshold`, and `GreaterThanUpperThreshold` are used only for alarms based on anomaly detection models. -

    -
  • -
  • -

    - - create_resources - - Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not. -

    -
  • -
  • -

    - - datapoints_to_alarm - - The number of datapoints that must be breaching to trigger the alarm. -

    -
  • -
  • -

    - - dead_letter_target_arn - - The ARN of an SNS topic or an SQS queue to notify when invocation of a Lambda function fails. If this option is used, you must grant this function's IAM role (the ID is outputted as iam_role_id) access to write to the target object, which means allowing either the sns:Publish or sqs:SendMessage action on this ARN, depending on which service is targeted. -

    -
  • -
  • -

    - - description - - A description of what the Lambda function does. -

    -
  • -
  • -

    - - enable_versioning - - Set to true to enable versioning for this Lambda function. This allows you to use aliases to refer to execute different versions of the function in different environments. Note that an alternative way to run Lambda functions in multiple environments is to version your Terraform code. -

    -
  • -
  • -

    - - entry_point - - The ENTRYPOINT for the docker image. Only used if you specify a Docker image via image_uri. -

    -
  • -
  • -

    - - environment_variables - - A map of environment variables to pass to the Lambda function. AWS will automatically encrypt these with KMS and decrypt them when running the function. -

    -
  • -
  • -

    - - evaluation_periods - - The number of periods over which data is compared to the specified threshold. -

    -
  • -
  • -

    - - file_system_access_point_arn - - The ARN of an EFS access point to use to access the file system. Only used if var.mount_to_file_system is true. -

    -
  • -
  • -

    - - file_system_mount_path - - The mount path where the lambda can access the file system. This path must begin with /mnt/. Only used if var.mount_to_file_system is true. -

    -
  • -
  • -

    - - handler - - The function entrypoint in your code. This is typically the name of a function or method in your code that AWS will execute when this Lambda function is triggered. -

    -
  • -
  • -

    - - image_uri - - The ECR image URI containing the function's deployment package. Example: 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag -

    -
  • -
  • -

    - - kms_key_arn - - A custom KMS key to use to encrypt and decrypt Lambda function environment variables. Leave it blank to use the default KMS key provided in your AWS account. -

    -
  • -
  • -

    - - lambda_role_permissions_boundary_arn - - The ARN of the policy that is used to set the permissions boundary for the IAM role for the lambda -

    -
  • -
  • -

    - - layers - - The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can have a maximum of 5 Layers attached to each function. -

    -
  • -
  • -

    - - memory_size - - The maximum amount of memory, in MB, your Lambda function will be able to use at runtime. Can be set in 64MB increments from 128MB up to 1536MB. Note that the amount of CPU power given to a Lambda function is proportional to the amount of memory you request, so a Lambda function with 256MB of memory has twice as much CPU power as one with 128MB. -

    -
  • -
  • -

    - - metric_name - - The name for the alarm's associated metric. -

    -
  • -
  • -

    - - mount_to_file_system - - Set to true to mount your Lambda function on an EFS. Note that the lambda must also be deployed inside a VPC (run_in_vpc must be set to true) for this config to have any effect. -

    -
  • -
  • -

    - - name - - The name of the Lambda function. Used to namespace all resources created by this module. -

    -
  • -
  • -

    - - namespace - - The namespace to use for all resources created by this module. If not set, var.lambda_function_name, with '-scheduled' as a suffix, is used. -

    -
  • -
  • -

    - - period - - The period in seconds over which the specified `statistic` is applied. -

    -
  • -
  • -

    - - reserved_concurrent_executions - - The amount of reserved concurrent executions for this lambda function or -1 if unreserved. -

    -
  • -
  • -

    - - run_in_vpc - - Set to true to give your Lambda function access to resources within a VPC. -

    -
  • -
  • -

    - - runtime - - The runtime environment for the Lambda function (e.g. nodejs, python2.7, java8). See https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime for all possible values. -

    -
  • -
  • -

    - - s3_bucket - - An S3 bucket location containing the function's deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified. -

    -
  • -
  • -

    - - s3_key - - The path within var.s3_bucket where the deployment package is located. Exactly one of var.source_path or the var.s3_xxx variables must be specified. -

    -
  • -
  • -

    - - s3_object_version - - The version of the path in var.s3_key to use as the deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified. -

    -
  • -
  • -

    - - schedule_expression - - An expression that defines the schedule for this lambda job. For example, cron(0 20 * * ? *) or rate(5 minutes). For more information visit https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchevents-expressions.html -

    -
  • -
  • -

    - - should_create_outbound_rule - - If true, create an egress rule allowing all outbound traffic from Lambda function to the entire Internet (e.g. 0.0.0.0/0). -

    -
  • -
  • -

    - - skip_zip - - Set to true to skip zip archive creation and assume that var.source_path points to a pregenerated zip archive. -

    -
  • -
  • -

    - - source_path - - The path to the directory that contains your Lambda function source code. This code will be zipped up and uploaded to Lambda as your deployment package. If var.skip_zip is set to true, then this is assumed to be the path to an already-zipped file, and it will be uploaded directly to Lambda as a deployment package. Exactly one of var.source_path or the var.s3_xxx variables must be specified. -

    -
  • -
  • -

    - - statistic - - The statistic to apply to the alarm's associated metric. -

    -
  • -
  • -

    - - subnet_ids - - A list of subnet IDs the Lambda function should be able to access within your VPC. Only used if var.run_in_vpc is true. -

    -
  • -
  • -

    - - tags - - A map of tags to apply to the Lambda function. -

    -
  • -
  • -

    - - threshold - - The value against which the specified statistic is compared. This parameter is required for alarms based on static thresholds, but should not be used for alarms based on anomaly detection models. -

    -
  • -
  • -

    - - timeout - - The maximum amount of time, in seconds, your Lambda function will be allowed to run. Must be between 1 and 900 seconds. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC the Lambda function should be able to access. Only used if var.run_in_vpc is true. -

    -
  • -
  • -

    - - working_directory - - The working directory for the docker image. Only used if you specify a Docker image via image_uri. -

    -
  • -
  • -

    - - zip_output_path - - The path to store the output zip file of your source code. If empty, defaults to module path. This should be the full path to the zip file, not a directory. -

    -
  • -
-
- - - + + + + +* [**`alarm_sns_topic_arns`**](#alarm_sns_topic_arns) — A list of SNS topic ARNs to notify when the lambda alarms change to ALARM, OK, or [`INSUFFICIENT_DATA`](#INSUFFICIENT_DATA) state + + + +* [**`assume_role_policy`**](#assume_role_policy) — A custom assume role policy for the IAM role for this Lambda function. If not set, the default is a policy that allows the Lambda service to assume the IAM role, which is what most users will need. However, you can use this variable to override the policy for special cases, such as using a Lambda function to rotate AWS Secrets Manager secrets. + + + +* [**`command`**](#command) — The CMD for the docker image. Only used if you specify a Docker image via [`image_uri`](#image_uri). + + + +* [**`comparison_operator`**](#comparison_operator) — The arithmetic operation to use when comparing the specified Statistic and Threshold. The specified Statistic value is used as the first operand. Either of the following is supported: `GreaterThanOrEqualToThreshold`, `GreaterThanThreshold`, `LessThanThreshold`, `LessThanOrEqualToThreshold`. Additionally, the values `LessThanLowerOrGreaterThanUpperThreshold`, `LessThanLowerThreshold`, and `GreaterThanUpperThreshold` are used only for alarms based on anomaly detection models. + + + +* [**`create_resources`**](#create_resources) — Set to false to have this module skip creating resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if this module should create anything or not. + + + +* [**`datapoints_to_alarm`**](#datapoints_to_alarm) — The number of datapoints that must be breaching to trigger the alarm. + + + +* [**`dead_letter_target_arn`**](#dead_letter_target_arn) — The ARN of an SNS topic or an SQS queue to notify when invocation of a Lambda function fails. 
If this option is used, you must grant this function's IAM role (the ID is outputted as [`iam_role_id`](#iam_role_id)) access to write to the target object, which means allowing either the sns:Publish or sqs:SendMessage action on this ARN, depending on which service is targeted. + + + +* [**`description`**](#description) — A description of what the Lambda function does. + + + +* [**`enable_versioning`**](#enable_versioning) — Set to true to enable versioning for this Lambda function. This allows you to use aliases to refer to execute different versions of the function in different environments. Note that an alternative way to run Lambda functions in multiple environments is to version your Terraform code. + + + +* [**`entry_point`**](#entry_point) — The ENTRYPOINT for the docker image. Only used if you specify a Docker image via [`image_uri`](#image_uri). + + + +* [**`environment_variables`**](#environment_variables) — A map of environment variables to pass to the Lambda function. AWS will automatically encrypt these with KMS and decrypt them when running the function. + + + +* [**`evaluation_periods`**](#evaluation_periods) — The number of periods over which data is compared to the specified threshold. + + + +* [**`file_system_access_point_arn`**](#file_system_access_point_arn) — The ARN of an EFS access point to use to access the file system. Only used if [`mount_to_file_system`](#mount_to_file_system) is true. + + + +* [**`file_system_mount_path`**](#file_system_mount_path) — The mount path where the lambda can access the file system. This path must begin with /mnt/. Only used if [`mount_to_file_system`](#mount_to_file_system) is true. + + + +* [**`handler`**](#handler) — The function entrypoint in your code. This is typically the name of a function or method in your code that AWS will execute when this Lambda function is triggered. + + + +* [**`image_uri`**](#image_uri) — The ECR image URI containing the function's deployment package. 
Example: [`01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag`](#01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag) + + + +* [**`kms_key_arn`**](#kms_key_arn) — A custom KMS key to use to encrypt and decrypt Lambda function environment variables. Leave it blank to use the default KMS key provided in your AWS account. + + + +* [**`lambda_role_permissions_boundary_arn`**](#lambda_role_permissions_boundary_arn) — The ARN of the policy that is used to set the permissions boundary for the IAM role for the lambda + + + +* [**`layers`**](#layers) — The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can have a maximum of 5 Layers attached to each function. + + + +* [**`memory_size`**](#memory_size) — The maximum amount of memory, in MB, your Lambda function will be able to use at runtime. Can be set in 64MB increments from 128MB up to 1536MB. Note that the amount of CPU power given to a Lambda function is proportional to the amount of memory you request, so a Lambda function with 256MB of memory has twice as much CPU power as one with 128MB. + + + +* [**`metric_name`**](#metric_name) — The name for the alarm's associated metric. + + + +* [**`mount_to_file_system`**](#mount_to_file_system) — Set to true to mount your Lambda function on an EFS. Note that the lambda must also be deployed inside a VPC [`(run_in_vpc`](#(run_in_vpc) must be set to true) for this config to have any effect. + + + +* [**`name`**](#name) — The name of the Lambda function. Used to namespace all resources created by this module. + + + +* [**`namespace`**](#namespace) — The namespace to use for all resources created by this module. If not set, [`lambda_function_name`](#lambda_function_name), with '-scheduled' as a suffix, is used. + + + +* [**`period`**](#period) — The period in seconds over which the specified `statistic` is applied. 
+ + + +* [**`reserved_concurrent_executions`**](#reserved_concurrent_executions) — The amount of reserved concurrent executions for this lambda function or -1 if unreserved. + + + +* [**`run_in_vpc`**](#run_in_vpc) — Set to true to give your Lambda function access to resources within a VPC. + + + +* [**`runtime`**](#runtime) — The runtime environment for the Lambda function (e.g. nodejs, python2.7, java8). See [`https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction`](#https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction).html#SSS-CreateFunction-request-Runtime for all possible values. + + + +* [**`s3_bucket`**](#s3_bucket) — An S3 bucket location containing the function's deployment package. Exactly one of [`source_path`](#source_path) or the [`s3_xxx`](#s3_xxx) variables must be specified. + + + +* [**`s3_key`**](#s3_key) — The path within [`s3_bucket`](#s3_bucket) where the deployment package is located. Exactly one of [`source_path`](#source_path) or the [`s3_xxx`](#s3_xxx) variables must be specified. + + + +* [**`s3_object_version`**](#s3_object_version) — The version of the path in [`s3_key`](#s3_key) to use as the deployment package. Exactly one of [`source_path`](#source_path) or the [`s3_xxx`](#s3_xxx) variables must be specified. + + + +* [**`schedule_expression`**](#schedule_expression) — An expression that defines the schedule for this lambda job. For example, cron(0 20 * * ? *) or rate(5 minutes). For more information visit https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchevents-expressions.html + + + +* [**`should_create_outbound_rule`**](#should_create_outbound_rule) — If true, create an egress rule allowing all outbound traffic from Lambda function to the entire Internet (e.g. 0.0.0.0/0). + + + +* [**`skip_zip`**](#skip_zip) — Set to true to skip zip archive creation and assume that [`source_path`](#source_path) points to a pregenerated zip archive. 
+ + + +* [**`source_path`**](#source_path) — The path to the directory that contains your Lambda function source code. This code will be zipped up and uploaded to Lambda as your deployment package. If [`skip_zip`](#skip_zip) is set to true, then this is assumed to be the path to an already-zipped file, and it will be uploaded directly to Lambda as a deployment package. Exactly one of [`source_path`](#source_path) or the [`s3_xxx`](#s3_xxx) variables must be specified. + + + +* [**`statistic`**](#statistic) — The statistic to apply to the alarm's associated metric. + + + +* [**`subnet_ids`**](#subnet_ids) — A list of subnet IDs the Lambda function should be able to access within your VPC. Only used if [`run_in_vpc`](#run_in_vpc) is true. + + + +* [**`tags`**](#tags) — A map of tags to apply to the Lambda function. + + + +* [**`threshold`**](#threshold) — The value against which the specified statistic is compared. This parameter is required for alarms based on static thresholds, but should not be used for alarms based on anomaly detection models. + + + +* [**`timeout`**](#timeout) — The maximum amount of time, in seconds, your Lambda function will be allowed to run. Must be between 1 and 900 seconds. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC the Lambda function should be able to access. Only used if [`run_in_vpc`](#run_in_vpc) is true. + + + +* [**`working_directory`**](#working_directory) — The working directory for the docker image. Only used if you specify a Docker image via [`image_uri`](#image_uri). + + + +* [**`zip_output_path`**](#zip_output_path) — The path to store the output zip file of your source code. If empty, defaults to module path. This should be the full path to the zip file, not a directory. 
+ + + + + + +* [**`alarm_actions`**](#alarm_actions) — The list of actions to execute when this alarm transitions into an ALARM state from any other state + + + +* [**`alarm_arn`**](#alarm_arn) — ARN of the Cloudwatch alarm + + + +* [**`alarm_name`**](#alarm_name) — Name of the Cloudwatch alarm + + + +* [**`event_rule_arn`**](#event_rule_arn) — Cloudwatch Event Rule Arn + + + +* [**`event_rule_schedule`**](#event_rule_schedule) — Cloudwatch Event Rule schedule expression + + + +* [**`function_arn`**](#function_arn) — Amazon Resource Name (ARN) identifying the Lambda Function + + + +* [**`function_name`**](#function_name) — Unique name for Lambda Function + + + +* [**`iam_role_arn`**](#iam_role_arn) — Amazon Resource Name (ARN) of the AWS IAM Role created for the Lambda Function + + + +* [**`iam_role_id`**](#iam_role_id) — Name of the AWS IAM Role created for the Lambda Function + + + +* [**`insufficient_data_actions`**](#insufficient_data_actions) — The list of actions to execute when this alarm transitions into an [`INSUFFICIENT_DATA`](#INSUFFICIENT_DATA) state from any other state + + + +* [**`invoke_arn`**](#invoke_arn) — Amazon Resource Name (ARN) to be used for invoking the Lambda Function + + + +* [**`ok_actions`**](#ok_actions) — The list of actions to execute when this alarm transitions into an OK state from any other state + + + +* [**`qualified_arn`**](#qualified_arn) — Amazon Resource Name (ARN) identifying your Lambda Function version + + + +* [**`security_group_id`**](#security_group_id) — Security Group ID of the Security Group created for the Lambda Function + + + +* [**`version`**](#version) — Latest published version of your Lambda Function + +
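Review bot: the automatic linking over-matches in this hunk and creates links to anchors that do not exist on the page: `INSUFFICIENT_DATA` (a CloudWatch alarm state, linked from both `alarm_sns_topic_arns` and `insufficient_data_actions`), the example ECR image URI under `image_uri`, `s3_xxx` (a placeholder for the three `s3_*` variables, linked from `s3_bucket`, `s3_key`, `s3_object_version` and `source_path`), and `lambda_function_name` under `namespace`, which is not a variable exposed by this service (the function name variable is `name`, so that sentence should reference `name`). Two references are also mangled: `mount_to_file_system` now reads "[`(run_in_vpc`](#(run_in_vpc)" with the parenthesis captured into the link, and `runtime` has the AWS documentation URL turned into a fragment link with ".html#SSS-CreateFunction-request-Runtime" dangling after it, so the pointer to the supported runtime list no longer works. The rewrite should only linkify tokens that match a heading in the variables or outputs list and leave URLs, paths and uppercase constants alone. Two documentation points worth fixing while this file is touched: `environment_variables` says AWS encrypts the values with KMS, which is true at rest, but anyone with `lambda:GetFunctionConfiguration` still reads them in plaintext, so the description should steer real secrets toward a secrets store rather than this map; and `should_create_outbound_rule` opens egress to 0.0.0.0/0, so it should say that callers who only need VPC-internal access should leave it false and attach a narrower egress rule to the `security_group_id` output instead. The `memory_size` text capping memory at 1536MB predates the current Lambda limit and should be updated or dropped in favor of the AWS link.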
diff --git a/docs/reference/services/app-orchestration/public-static-website.md b/docs/reference/services/app-orchestration/public-static-website.md index 79d484208..144dceb5a 100644 --- a/docs/reference/services/app-orchestration/public-static-website.md +++ b/docs/reference/services/app-orchestration/public-static-website.md @@ -10,173 +10,103 @@ Deploy your static content and static websites on S3, using a CloudFront CDN. Su ### Reference - -
    - -
  • -

    - - acm_certificate_domain_name - - The domain name for which an ACM cert has been issued (e.g. *.foo.com). Only used if var.create_route53_entry is true. Set to blank otherwise. -

    -
  • -
  • -

    - - base_domain_name - - The domain name associated with a hosted zone in Route 53. Usually the base domain name of var.website_domain_name (e.g. foo.com). This is used to find the hosted zone that will be used for the CloudFront distribution. If var.create_route53_entry is true, one of base_domain_name or var.hosted_zone_id must be provided. -

    -
  • -
  • -

    - - base_domain_name_tags - - The tags associated with var.base_domain_name. If there are multiple hosted zones for the same base_domain_name, this will help filter the hosted zones so that the correct hosted zone is found. -

    -
  • -
  • -

    - - create_route53_entry - - If set to true, create a DNS A Record in Route 53. If var.create_route53_entry is true, one of base_domain_name or var.hosted_zone_id must be provided. -

    -
  • -
  • -

    - - custom_tags - - A map of custom tags to apply to the S3 bucket containing the website and the CloudFront distribution created for it. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - default_ttl - - The default amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an 'Cache-Control max-age' or 'Expires' header. -

    -
  • -
  • -

    - - error_document - - The path to the error document in the S3 bucket (e.g. error.html). -

    -
  • -
  • -

    - - force_destroy - - If set to true, this will force the delete of the website, redirect, and access log S3 buckets when you run terraform destroy, even if there is still content in those buckets. This is only meant for testing and should not be used in production. -

    -
  • -
  • -

    - - geo_locations_list - - The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (if var.geo_restriction_type is whitelist) or not distribute your content (if var.geo_restriction_type is blacklist). -

    -
  • -
  • -

    - - geo_restriction_type - - The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the Route 53 Hosted Zone in which to create the DNS A Records specified in var.website_domain_name. If var.create_route53_entry is true, one of base_domain_name or var.hosted_zone_id must be provided. -

    -
  • -
  • -

    - - index_document - - The path to the index document in the S3 bucket (e.g. index.html). -

    -
  • -
  • -

    - - max_ttl - - The maximum amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of 'Cache-Control max-age', 'Cache-Control s-maxage', and 'Expires' headers. -

    -
  • -
  • -

    - - min_ttl - - The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. -

    -
  • -
  • -

    - - routing_rules - - A json array containing routing rules describing redirect behavior and when redirects are applied. For routing rule syntax, see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html. This will only be used if var.should_redirect_all_requests is false -

    -
  • -
  • -

    - - viewer_protocol_policy - - Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. -

    -
  • -
  • -

    - - website_domain_name - - The name of the website and the S3 bucket to create (e.g. static.foo.com). -

    -
  • -
-
- - - + + + + +* [**`acm_certificate_domain_name`**](#acm_certificate_domain_name) — The domain name for which an ACM cert has been issued (e.g. *.foo.com). Only used if [`create_route53_entry`](#create_route53_entry) is true. Set to blank otherwise. + + + +* [**`base_domain_name`**](#base_domain_name) — The domain name associated with a hosted zone in Route 53. Usually the base domain name of [`website_domain_name`](#website_domain_name) (e.g. foo.com). This is used to find the hosted zone that will be used for the CloudFront distribution. If [`create_route53_entry`](#create_route53_entry) is true, one of [`base_domain_name`](#base_domain_name) or [`hosted_zone_id`](#hosted_zone_id) must be provided. + + + +* [**`base_domain_name_tags`**](#base_domain_name_tags) — The tags associated with [`base_domain_name`](#base_domain_name). If there are multiple hosted zones for the same [`base_domain_name`](#base_domain_name), this will help filter the hosted zones so that the correct hosted zone is found. + + + +* [**`create_route53_entry`**](#create_route53_entry) — If set to true, create a DNS A Record in Route 53. If [`create_route53_entry`](#create_route53_entry) is true, one of [`base_domain_name`](#base_domain_name) or [`hosted_zone_id`](#hosted_zone_id) must be provided. + + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the S3 bucket containing the website and the CloudFront distribution created for it. The key is the tag name and the value is the tag value. + + + +* [**`default_ttl`**](#default_ttl) — The default amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an 'Cache-Control max-age' or 'Expires' header. + + + +* [**`error_document`**](#error_document) — The path to the error document in the S3 bucket (e.g. error.html). 
+ + + +* [**`force_destroy`**](#force_destroy) — If set to true, this will force the delete of the website, redirect, and access log S3 buckets when you run terraform destroy, even if there is still content in those buckets. This is only meant for testing and should not be used in production. + + + +* [**`geo_locations_list`**](#geo_locations_list) — The ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (if [`geo_restriction_type`](#geo_restriction_type) is whitelist) or not distribute your content (if [`geo_restriction_type`](#geo_restriction_type) is blacklist). + + + +* [**`geo_restriction_type`**](#geo_restriction_type) — The method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist. + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the Route 53 Hosted Zone in which to create the DNS A Records specified in [`website_domain_name`](#website_domain_name). If [`create_route53_entry`](#create_route53_entry) is true, one of [`base_domain_name`](#base_domain_name) or [`hosted_zone_id`](#hosted_zone_id) must be provided. + + + +* [**`index_document`**](#index_document) — The path to the index document in the S3 bucket (e.g. index.html). + + + +* [**`max_ttl`**](#max_ttl) — The maximum amount of time, in seconds, that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of 'Cache-Control max-age', 'Cache-Control s-maxage', and 'Expires' headers. + + + +* [**`min_ttl`**](#min_ttl) — The minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. + + + +* [**`routing_rules`**](#routing_rules) — A json array containing routing rules describing redirect behavior and when redirects are applied. 
For routing rule syntax, see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html. This will only be used if [`should_redirect_all_requests`](#should_redirect_all_requests) is false + + + +* [**`viewer_protocol_policy`**](#viewer_protocol_policy) — Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https. + + + +* [**`website_domain_name`**](#website_domain_name) — The name of the website and the S3 bucket to create (e.g. static.foo.com). + + + + + + +* [**`cloudfront_access_logs_bucket_arn`**](#cloudfront_access_logs_bucket_arn) — The ARN of the created S3 bucket associated with the website's CloudFront access logs. + + + +* [**`cloudfront_domain_names`**](#cloudfront_domain_names) — The domain names created for the CloudFront Distribution. Should be the same as the input [`website_domain_name`](#website_domain_name). + + + +* [**`cloudfront_id`**](#cloudfront_id) — The CloudFront ID of the created CloudFront Distribution. + + + +* [**`website_access_logs_bucket_arn`**](#website_access_logs_bucket_arn) — The ARN of the created S3 bucket associated with the website access logs. + + + +* [**`website_s3_bucket_arn`**](#website_s3_bucket_arn) — The ARN of the created S3 bucket associated with the website. + +
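Review bot: in the `routing_rules` entry, `This will only be used if [`should_redirect_all_requests`](#should_redirect_all_requests) is false` links to an anchor that nothing in this hunk defines; none of the listed inputs (`acm_certificate_domain_name` through `website_domain_name`) or outputs is named `should_redirect_all_requests`. Either add the entry for that input to the reference list or drop the link and keep the name as plain code, and add the missing full stop at the end of that sentence. Separately, the `create_route53_entry` entry links to itself (`If [`create_route53_entry`](#create_route53_entry) is true`), which is harmless but noisy; the linker could skip an entry's own name.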
diff --git a/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md b/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md index e852dcfb4..553d945ae 100644 --- a/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md +++ b/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md @@ -10,250 +10,147 @@ Use a CI/CD pipeline for deploying infrastructure code updates. ### Reference - -
    - -
  • -

    - - ami_builder_config - - Configuration options for the ami-builder container of the ECS deploy runner stack. This container will be used for building AMIs in the CI/CD pipeline using packer. Set to `null` to disable this container. -

    -
  • -
  • -

    - - container_cpu - - The default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size. -

    -
  • -
  • -

    - - container_default_launch_type - - The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2. -

    -
  • -
  • -

    - - container_max_cpu - - The maximum CPU units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function. -

    -
  • -
  • -

    - - container_max_memory - - The maximum memory units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function. -

    -
  • -
  • -

    - - container_memory - - The default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size. -

    -
  • -
  • -

    - - docker_image_builder_config - - Configuration options for the docker-image-builder container of the ECS deploy runner stack. This container will be used for building docker images in the CI/CD pipeline. Set to `null` to disable this container. -

    -
  • -
  • -

    - - docker_image_builder_hardcoded_args - - Unlike hardcoded_options, this is used for hardcoded positional args and will always be passed in at the end of the args list. -

    -
  • -
  • -

    - - docker_image_builder_hardcoded_options - - Which options and args to always pass in alongside the ones provided by the command. This is a map of option keys to args to pass in. Each arg in the list will be passed in as a separate option. This will be passed in first, before the args provided by the user in the event data. -

    -
  • -
  • -

    - - ec2_worker_pool_configuration - - Worker configuration of a EC2 worker pool for the ECS cluster. An EC2 worker pool supports caching of Docker images, so your builds may run faster, whereas Fargate is serverless, so you have no persistent EC2 instances to manage and pay for. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate only mode. Note that when this variable is set, this example module will automatically lookup and use the base ECS optimized AMI that AWS provides. -

    -
  • -
  • -

    - - iam_groups - - List of AWS IAM groups that should be given access to invoke the deploy runner. -

    -
  • -
  • -

    - - iam_roles - - List of AWS IAM roles that should be given access to invoke the deploy runner. -

    -
  • -
  • -

    - - iam_users - - List of AWS IAM usernames that should be given access to invoke the deploy runner. -

    -
  • -
  • -

    - - kms_grant_opt_in_regions - - Create multi-region resources in the specified regions. The best practice is to enable multi-region services in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. -

    -
  • -
  • -

    - - name - - Name of this instance of the deploy runner stack. Used to namespace all resources. -

    -
  • -
  • -

    - - private_subnet_ids - - List of IDs of private subnets that can be used for running the ECS task and Lambda function. -

    -
  • -
  • -

    - - shared_secrets_enabled - - If true, this module will create grants for a given shared secrets KMS key. You must pass a value for shared_secrets_kms_cmk_arn if this is set to true. Defaults to false. -

    -
  • -
  • -

    - - shared_secrets_kms_cmk_arn - - The ARN of the KMS CMK used for sharing AWS Secrets Manager secrets between accounts. -

    -
  • -
  • -

    - - snapshot_encryption_kms_cmk_arns - - Map of names to ARNs of KMS CMKs that are used to encrypt snapshots (including AMIs). This module will create the necessary KMS key grants to allow the respective deploy containers access to utilize the keys for managing the encrypted snapshots. The keys are arbitrary names that are used to identify the key. -

    -
  • -
  • -

    - - terraform_applier_config - - Configuration options for the terraform-applier container of the ECS deploy runner stack. This container will be used for running infrastructure deployment actions (including automated variable updates) in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container. -

    -
  • -
  • -

    - - terraform_planner_config - - Configuration options for the terraform-planner container of the ECS deploy runner stack. This container will be used for running infrastructure plan (including validate) actions in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container. -

    -
  • -
  • -

    - - vpc_id - - ID of the VPC where the ECS task and Lambda function should run. -

    -
  • -
-
- -
    - -
  • -

    - - cloudwatch_log_group_name - - Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task. -

    -
  • -
  • -

    - - default_ecs_task_arn - - AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly. -

    -
  • -
  • -

    - - ecs_cluster_arn - - AWS ARN of the ECS Cluster that can be used to run the deploy runner task. -

    -
  • -
  • -

    - - ecs_task_arns - - Map of AWS ARNs of the ECS Task Definition. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). -

    -
  • -
  • -

    - - ecs_task_execution_role_arn - - ECS Task execution role ARN -

    -
  • -
  • -

    - - ecs_task_families - - Map of the families of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). -

    -
  • -
  • -

    - - ecs_task_iam_roles - - Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). -

    -
  • -
  • -

    - - ecs_task_revisions - - Map of the current revision of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). -

    -
  • -
  • -

    - - invoke_policy_arn - - The ARN of the IAM policy that allows access to the invoke the deploy runner. -

    -
  • -
  • -

    - - invoker_function_arn - - AWS ARN of the invoker lambda function that can be used to invoke a deployment. -

    -
  • -
  • -

    - - security_group_allow_all_outbound_id - - Security Group ID of the ECS task -

    -
  • -
-
+ + + + +* [**`ami_builder_config`**](#ami_builder_config) — Configuration options for the ami-builder container of the ECS deploy runner stack. This container will be used for building AMIs in the CI/CD pipeline using packer. Set to `null` to disable this container. + + + +* [**`container_cpu`**](#container_cpu) — The default CPU units for the instances that Fargate will spin up. The invoker allows users to override the CPU at run time, but this value will be used if the user provides no value for the CPU. Options here: [`https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate`](#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate).html#fargate-tasks-size. + + + +* [**`container_default_launch_type`**](#container_default_launch_type) — The default launch type of the ECS deploy runner workers. This launch type will be used if it is not overridden during invocation of the lambda function. Must be FARGATE or EC2. + + + +* [**`container_max_cpu`**](#container_max_cpu) — The maximum CPU units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function. + + + +* [**`container_max_memory`**](#container_max_memory) — The maximum memory units that is allowed to be specified by the user when invoking the deploy runner with the Lambda function. + + + +* [**`container_memory`**](#container_memory) — The default memory units for the instances that Fargate will spin up. The invoker allows users to override the memory at run time, but this value will be used if the user provides no value for memory. Options here: [`https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate`](#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate).html#fargate-tasks-size. + + + +* [**`docker_image_builder_config`**](#docker_image_builder_config) — Configuration options for the docker-image-builder container of the ECS deploy runner stack. 
This container will be used for building docker images in the CI/CD pipeline. Set to `null` to disable this container. + + + +* [**`docker_image_builder_hardcoded_args`**](#docker_image_builder_hardcoded_args) — Unlike [`hardcoded_options`](#hardcoded_options), this is used for hardcoded positional args and will always be passed in at the end of the args list. + + + +* [**`docker_image_builder_hardcoded_options`**](#docker_image_builder_hardcoded_options) — Which options and args to always pass in alongside the ones provided by the command. This is a map of option keys to args to pass in. Each arg in the list will be passed in as a separate option. This will be passed in first, before the args provided by the user in the event data. + + + +* [**`ec2_worker_pool_configuration`**](#ec2_worker_pool_configuration) — Worker configuration of a EC2 worker pool for the ECS cluster. An EC2 worker pool supports caching of Docker images, so your builds may run faster, whereas Fargate is serverless, so you have no persistent EC2 instances to manage and pay for. If null, no EC2 worker pool will be allocated and the deploy runner will be in Fargate only mode. Note that when this variable is set, this example module will automatically lookup and use the base ECS optimized AMI that AWS provides. + + + +* [**`iam_groups`**](#iam_groups) — List of AWS IAM groups that should be given access to invoke the deploy runner. + + + +* [**`iam_roles`**](#iam_roles) — List of AWS IAM roles that should be given access to invoke the deploy runner. + + + +* [**`iam_users`**](#iam_users) — List of AWS IAM usernames that should be given access to invoke the deploy runner. + + + +* [**`kms_grant_opt_in_regions`**](#kms_grant_opt_in_regions) — Create multi-region resources in the specified regions. The best practice is to enable multi-region services in all enabled regions in your AWS account. This variable must NOT be set to null or empty. 
Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. + + + +* [**`name`**](#name) — Name of this instance of the deploy runner stack. Used to namespace all resources. + + + +* [**`private_subnet_ids`**](#private_subnet_ids) — List of IDs of private subnets that can be used for running the ECS task and Lambda function. + + + +* [**`shared_secrets_enabled`**](#shared_secrets_enabled) — If true, this module will create grants for a given shared secrets KMS key. You must pass a value for [`shared_secrets_kms_cmk_arn`](#shared_secrets_kms_cmk_arn) if this is set to true. Defaults to false. + + + +* [**`shared_secrets_kms_cmk_arn`**](#shared_secrets_kms_cmk_arn) — The ARN of the KMS CMK used for sharing AWS Secrets Manager secrets between accounts. + + + +* [**`snapshot_encryption_kms_cmk_arns`**](#snapshot_encryption_kms_cmk_arns) — Map of names to ARNs of KMS CMKs that are used to encrypt snapshots (including AMIs). This module will create the necessary KMS key grants to allow the respective deploy containers access to utilize the keys for managing the encrypted snapshots. The keys are arbitrary names that are used to identify the key. + + + +* [**`terraform_applier_config`**](#terraform_applier_config) — Configuration options for the terraform-applier container of the ECS deploy runner stack. This container will be used for running infrastructure deployment actions (including automated variable updates) in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container. + + + +* [**`terraform_planner_config`**](#terraform_planner_config) — Configuration options for the terraform-planner container of the ECS deploy runner stack. 
This container will be used for running infrastructure plan (including validate) actions in the CI/CD pipeline with Terraform / Terragrunt. Set to `null` to disable this container. + + + +* [**`vpc_id`**](#vpc_id) — ID of the VPC where the ECS task and Lambda function should run. + + + + + + +* [**`cloudwatch_log_group_name`**](#cloudwatch_log_group_name) — Name of the CloudWatch Log Group used to store the log output from the Deploy Runner ECS task. + + + +* [**`default_ecs_task_arn`**](#default_ecs_task_arn) — AWS ARN of the default ECS Task Definition. Can be used to trigger the ECS Task directly. + + + +* [**`ecs_cluster_arn`**](#ecs_cluster_arn) — AWS ARN of the ECS Cluster that can be used to run the deploy runner task. + + + +* [**`ecs_task_arns`**](#ecs_task_arns) — Map of AWS ARNs of the ECS Task Definition. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). + + + +* [**`ecs_task_execution_role_arn`**](#ecs_task_execution_role_arn) — ECS Task execution role ARN + + + +* [**`ecs_task_families`**](#ecs_task_families) — Map of the families of the ECS Task Definition that is currently live. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). + + + +* [**`ecs_task_iam_roles`**](#ecs_task_iam_roles) — Map of AWS ARNs and names of the IAM role that will be attached to the ECS task to grant it access to AWS resources. Each container will have its own IAM role. There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). + + + +* [**`ecs_task_revisions`**](#ecs_task_revisions) — Map of the current revision of the ECS Task Definition that is currently live. 
There are four entries, one for each container in the standard config (docker-image-builder ; ami-builder ; terraform-planner ; terraform-applier). + + + +* [**`invoke_policy_arn`**](#invoke_policy_arn) — The ARN of the IAM policy that allows access to the invoke the deploy runner. + + + +* [**`invoker_function_arn`**](#invoker_function_arn) — AWS ARN of the invoker lambda function that can be used to invoke a deployment. + + + +* [**`security_group_allow_all_outbound_id`**](#security_group_allow_all_outbound_id) — Security Group ID of the ECS task + +
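Review bot: the `container_cpu` and `container_memory` entries in this hunk have the AWS documentation URL broken by the variable linker: `Options here: [`https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate`](#https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate).html#fargate-tasks-size.` The `AWS_Fargate` token inside the URL matched the underscore heuristic, so the external link became a relative anchor that goes nowhere and the `.html#fargate-tasks-size` tail is orphaned. Restore the plain URL `https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size` and make the linker skip anything that parses as a URL. In the same hunk, `docker_image_builder_hardcoded_args` says `Unlike [`hardcoded_options`](#hardcoded_options)`, but the input it means is `docker_image_builder_hardcoded_options`, defined one entry later; point the link at `#docker_image_builder_hardcoded_options` (or leave the short name as plain code) rather than at an anchor that does not exist.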
diff --git a/docs/reference/services/ci-cd-pipeline/jenkins.md b/docs/reference/services/ci-cd-pipeline/jenkins.md index f213c08ac..51f6791d1 100644 --- a/docs/reference/services/ci-cd-pipeline/jenkins.md +++ b/docs/reference/services/ci-cd-pipeline/jenkins.md @@ -10,509 +10,295 @@ Deploy Jenkins CI Server on AWS. ### Reference - -
    - -
  • -

    - - acm_ssl_certificate_domain - - The domain name used for an SSL certificate issued by the Amazon Certificate Manager (ACM). -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the Jenkins backup job fails. -

    -
  • -
  • -

    - - alb_subnet_ids - - The IDs of the subnets in which to deploy the ALB that runs in front of Jenkins. Must be subnets in var.vpc_id. -

    -
  • -
  • -

    - - allow_incoming_http_from_cidr_blocks - - The IP address ranges in CIDR format from which to allow incoming HTTP requests to Jenkins. -

    -
  • -
  • -

    - - allow_incoming_http_from_security_group_ids - - The IDs of security groups from which to allow incoming HTTP requests to Jenkins. -

    -
  • -
  • -

    - - allow_ssh_from_cidr_blocks - - The IP address ranges in CIDR format from which to allow incoming SSH requests to Jenkins. -

    -
  • -
  • -

    - - allow_ssh_from_security_group_ids - - The IDs of security groups from which to allow incoming SSH requests to Jenkins. -

    -
  • -
  • -

    - - ami - - The ID of the AMI to run on the Jenkins server. This should be the AMI build from the Packer template jenkins-ubuntu.json. One of var.ami or var.ami_filters is required. Set to null if looking up the ami with filters. -

    -
  • -
  • -

    - - ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with Jenkins. You can build the AMI using the Packer template jenkins-ubuntu.json. Only used if var.ami is null. One of var.ami or var.ami_filters is required. Set to null if passing the ami ID directly. -

    -
  • -
  • -

    - - backup_job_alarm_period - - How often, in seconds, the backup job is expected to run. This is the same as var.backup_job_schedule_expression, but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the value of var.backup_job_metric_name and var.backup_job_metric_namespace isn't updated within this time period, as that indicates the backup failed to run. -

    -
  • -
  • -

    - - backup_job_metric_name - - The name for the CloudWatch Metric the AWS lambda backup job will increment every time the job completes successfully. -

    -
  • -
  • -

    - - backup_job_metric_namespace - - The namespace for the CloudWatch Metric the AWS lambda backup job will increment every time the job completes successfully. -

    -
  • -
  • -

    - - backup_job_schedule_expression - - A cron or rate expression that specifies how often to take a snapshot of the Jenkins server for backup purposes. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html for syntax details. -

    -
  • -
  • -

    - - backup_using_dlm - - Set to true to backup the Jenkins Server using AWS Data Lifecycle Management Policies. -

    -
  • -
  • -

    - - backup_using_lambda - - Set to true to backup the Jenkins Server using a Scheduled Lambda Function. -

    -
  • -
  • -

    - - build_permission_actions - - The list of IAM actions this Jenkins server should be allowed to do: e.g., ec2:*, s3:*, etc. This should be the list of IAM permissions Jenkins needs in this AWS account to run builds. These permissions will be added to the server's IAM role for all resources ('*'). -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the Jenkins server when it is booting. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. -

    -
  • -
  • -

    - - custom_tags - - A list of custom tags to apply to Jenkins and all other resources. -

    -
  • -
  • -

    - - default_user - - The default OS user for the Jenkins AMI. For AWS Ubuntu AMIs, which is what the Packer template in jenkins-ubunutu.json uses, the default OS user is 'ubuntu'. -

    -
  • -
  • -

    - - dlm_backup_job_schedule_interval - - How often this lifecycle policy should be evaluated, in hours. -

    -
  • -
  • -

    - - dlm_backup_job_schedule_name - - The name of the data lifecyle management schedule -

    -
  • -
  • -

    - - dlm_backup_job_schedule_number_of_snapshots_to_retain - - How many snapshots to keep. Must be an integer between 1 and 1000. -

    -
  • -
  • -

    - - dlm_backup_job_schedule_times - - A list of times in 24 hour clock format that sets when the lifecyle policy should be evaluated. Max of 1. -

    -
  • -
  • -

    - - domain_name - - The domain name for the DNS A record to add for Jenkins (e.g. jenkins.foo.com). Must be in the domain managed by var.hosted_zone_id. -

    -
  • -
  • -

    - - ebs_kms_key_arn - - The ARN of the KMS key used for encrypting the Jenkins EBS volume. The module will grant Jenkins permission to use this key. -

    -
  • -
  • -

    - - ebs_kms_key_arn_is_alias - - Whether or not the provide EBS KMS key ARN is a key alias. If providing the key ID, leave this set to false. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to add AIM permissions to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Jenkins server. -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true. -

    -
  • -
  • -

    - - enable_ssh_grunt - - Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. -

    -
  • -
  • -

    - - external_account_auto_deploy_iam_role_arns - - A list of IAM role ARNs in other AWS accounts that Jenkins will be able to assume to do automated deployment in those accounts. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the Route 53 Hosted Zone in which to create a DNS A record for Jenkins. -

    -
  • -
  • -

    - - instance_type - - The instance type to use for the Jenkins server (e.g. t2.medium) -

    -
  • -
  • -

    - - is_internal_alb - - Set to true to make the Jenkins ALB an internal ALB that cannot be accessed from the public Internet. We strongly recommend setting this to true to keep Jenkins more secure. -

    -
  • -
  • -

    - - jenkins_device_name - - The OS device name where the Jenkins EBS volume should be attached -

    -
  • -
  • -

    - - jenkins_mount_point - - The OS path where the Jenkins EBS volume should be mounted -

    -
  • -
  • -

    - - jenkins_subnet_id - - The ID of the subnet in which to deploy Jenkins. Must be a subnet in var.vpc_id. -

    -
  • -
  • -

    - - jenkins_user - - The OS user that should be used to run Jenkins -

    -
  • -
  • -

    - - jenkins_volume_encrypted - - Set to true to encrypt the Jenkins EBS volume. -

    -
  • -
  • -

    - - jenkins_volume_size - - The amount of disk space, in GB, to allocate for the EBS volume used by the Jenkins server. -

    -
  • -
  • -

    - - jenkins_volume_type - - The type of volume to use for the EBS volume used by the Jenkins server. Must be one of: standard, gp2, io1, sc1, or st1. -

    -
  • -
  • -

    - - keypair_name - - The name of a Key Pair that can be used to SSH to the Jenkins server. Leave blank if you don't want to enable Key Pair auth. -

    -
  • -
  • -

    - - memory - - The amount of memory to give Jenkins (e.g., 1g or 512m). Used for the -Xms and -Xmx settings. -

    -
  • -
  • -

    - - name - - Enter the name of the Jenkins server -

    -
  • -
  • -

    - - root_block_device_volume_type - - The type of volume to use for the root disk for Jenkins. Must be one of: standard, gp2, io1, sc1, or st1. -

    -
  • -
  • -

    - - root_volume_size - - The amount of disk space, in GB, to allocate for the root volume of this server. Note that all of Jenkins' data is stored on a separate EBS Volume (see var.jenkins_volume_size), so this root volume is primarily used for the OS, temp folders, apps, etc. -

    -
  • -
  • -

    - - skip_health_check - - If set to true, skip the health check, and start a rolling deployment of Jenkins without waiting for it to initially be in a healthy state. This is primarily useful if the server group is in a broken state and you want to force a deployment anyway. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Jenkins server. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Jenkins server with sudo permissions. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - tenancy - - The tenancy of this server. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy Jenkins -

    -
  • -
-
- - - + + + + +* [**`acm_ssl_certificate_domain`**](#acm_ssl_certificate_domain) — The domain name used for an SSL certificate issued by the Amazon Certificate Manager (ACM). + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the Jenkins backup job fails. + + + +* [**`alb_subnet_ids`**](#alb_subnet_ids) — The IDs of the subnets in which to deploy the ALB that runs in front of Jenkins. Must be subnets in [`vpc_id`](#vpc_id). + + + +* [**`allow_incoming_http_from_cidr_blocks`**](#allow_incoming_http_from_cidr_blocks) — The IP address ranges in CIDR format from which to allow incoming HTTP requests to Jenkins. + + + +* [**`allow_incoming_http_from_security_group_ids`**](#allow_incoming_http_from_security_group_ids) — The IDs of security groups from which to allow incoming HTTP requests to Jenkins. + + + +* [**`allow_ssh_from_cidr_blocks`**](#allow_ssh_from_cidr_blocks) — The IP address ranges in CIDR format from which to allow incoming SSH requests to Jenkins. + + + +* [**`allow_ssh_from_security_group_ids`**](#allow_ssh_from_security_group_ids) — The IDs of security groups from which to allow incoming SSH requests to Jenkins. + + + +* [**`ami`**](#ami) — The ID of the AMI to run on the Jenkins server. This should be the AMI build from the Packer template jenkins-ubuntu.json. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if looking up the ami with filters. + + + +* [**`ami_filters`**](#ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with Jenkins. You can build the AMI using the Packer template jenkins-ubuntu.json. Only used if var.ami is null. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if passing the ami ID directly. 
+ + + +* [**`backup_job_alarm_period`**](#backup_job_alarm_period) — How often, in seconds, the backup job is expected to run. This is the same as [`backup_job_schedule_expression`](#backup_job_schedule_expression), but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the value of [`backup_job_metric_name`](#backup_job_metric_name) and [`backup_job_metric_namespace`](#backup_job_metric_namespace) isn't updated within this time period, as that indicates the backup failed to run. + + + +* [**`backup_job_metric_name`**](#backup_job_metric_name) — The name for the CloudWatch Metric the AWS lambda backup job will increment every time the job completes successfully. + + + +* [**`backup_job_metric_namespace`**](#backup_job_metric_namespace) — The namespace for the CloudWatch Metric the AWS lambda backup job will increment every time the job completes successfully. + + + +* [**`backup_job_schedule_expression`**](#backup_job_schedule_expression) — A cron or rate expression that specifies how often to take a snapshot of the Jenkins server for backup purposes. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html for syntax details. + + + +* [**`backup_using_dlm`**](#backup_using_dlm) — Set to true to backup the Jenkins Server using AWS Data Lifecycle Management Policies. + + + +* [**`backup_using_lambda`**](#backup_using_lambda) — Set to true to backup the Jenkins Server using a Scheduled Lambda Function. + + + +* [**`build_permission_actions`**](#build_permission_actions) — The list of IAM actions this Jenkins server should be allowed to do: e.g., ec2:*, s3:*, etc. This should be the list of IAM permissions Jenkins needs in this AWS account to run builds. These permissions will be added to the server's IAM role for all resources ('*'). + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the Jenkins server when it is booting. 
See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. + + + +* [**`custom_tags`**](#custom_tags) — A list of custom tags to apply to Jenkins and all other resources. + + + +* [**`default_user`**](#default_user) — The default OS user for the Jenkins AMI. For AWS Ubuntu AMIs, which is what the Packer template in jenkins-ubunutu.json uses, the default OS user is 'ubuntu'. + + + +* [**`dlm_backup_job_schedule_interval`**](#dlm_backup_job_schedule_interval) — How often this lifecycle policy should be evaluated, in hours. + + + +* [**`dlm_backup_job_schedule_name`**](#dlm_backup_job_schedule_name) — The name of the data lifecyle management schedule + + + +* [**`dlm_backup_job_schedule_number_of_snapshots_to_retain`**](#dlm_backup_job_schedule_number_of_snapshots_to_retain) — How many snapshots to keep. Must be an integer between 1 and 1000. + + + +* [**`dlm_backup_job_schedule_times`**](#dlm_backup_job_schedule_times) — A list of times in 24 hour clock format that sets when the lifecyle policy should be evaluated. Max of 1. + + + +* [**`domain_name`**](#domain_name) — The domain name for the DNS A record to add for Jenkins (e.g. jenkins.foo.com). Must be in the domain managed by [`hosted_zone_id`](#hosted_zone_id). + + + +* [**`ebs_kms_key_arn`**](#ebs_kms_key_arn) — The ARN of the KMS key used for encrypting the Jenkins EBS volume. The module will grant Jenkins permission to use this key. + + + +* [**`ebs_kms_key_arn_is_alias`**](#ebs_kms_key_arn_is_alias) — Whether or not the provide EBS KMS key ARN is a key alias. If providing the key ID, leave this set to false. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. 
If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to add AIM permissions to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Jenkins server. + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true. + + + +* [**`enable_ssh_grunt`**](#enable_ssh_grunt) — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. + + + +* [**`external_account_auto_deploy_iam_role_arns`**](#external_account_auto_deploy_iam_role_arns) — A list of IAM role ARNs in other AWS accounts that Jenkins will be able to assume to do automated deployment in those accounts. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). 
+ + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the Route 53 Hosted Zone in which to create a DNS A record for Jenkins. + + + +* [**`instance_type`**](#instance_type) — The instance type to use for the Jenkins server (e.g. t2.medium) + + + +* [**`is_internal_alb`**](#is_internal_alb) — Set to true to make the Jenkins ALB an internal ALB that cannot be accessed from the public Internet. We strongly recommend setting this to true to keep Jenkins more secure. + + + +* [**`jenkins_device_name`**](#jenkins_device_name) — The OS device name where the Jenkins EBS volume should be attached + + + +* [**`jenkins_mount_point`**](#jenkins_mount_point) — The OS path where the Jenkins EBS volume should be mounted + + + +* [**`jenkins_subnet_id`**](#jenkins_subnet_id) — The ID of the subnet in which to deploy Jenkins. Must be a subnet in [`vpc_id`](#vpc_id). + + + +* [**`jenkins_user`**](#jenkins_user) — The OS user that should be used to run Jenkins + + + +* [**`jenkins_volume_encrypted`**](#jenkins_volume_encrypted) — Set to true to encrypt the Jenkins EBS volume. + + + +* [**`jenkins_volume_size`**](#jenkins_volume_size) — The amount of disk space, in GB, to allocate for the EBS volume used by the Jenkins server. + + + +* [**`jenkins_volume_type`**](#jenkins_volume_type) — The type of volume to use for the EBS volume used by the Jenkins server. Must be one of: standard, gp2, io1, sc1, or st1. + + + +* [**`keypair_name`**](#keypair_name) — The name of a Key Pair that can be used to SSH to the Jenkins server. Leave blank if you don't want to enable Key Pair auth. + + + +* [**`memory`**](#memory) — The amount of memory to give Jenkins (e.g., 1g or 512m). Used for the -Xms and -Xmx settings. + + + +* [**`name`**](#name) — Enter the name of the Jenkins server + + + +* [**`root_block_device_volume_type`**](#root_block_device_volume_type) — The type of volume to use for the root disk for Jenkins. Must be one of: standard, gp2, io1, sc1, or st1. 
+ + + +* [**`root_volume_size`**](#root_volume_size) — The amount of disk space, in GB, to allocate for the root volume of this server. Note that all of Jenkins' data is stored on a separate EBS Volume (see [`jenkins_volume_size`](#jenkins_volume_size)), so this root volume is primarily used for the OS, temp folders, apps, etc. + + + +* [**`skip_health_check`**](#skip_health_check) — If set to true, skip the health check, and start a rolling deployment of Jenkins without waiting for it to initially be in a healthy state. This is primarily useful if the server group is in a broken state and you want to force a deployment anyway. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Jenkins server. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Jenkins server with sudo permissions. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`tenancy`**](#tenancy) — The tenancy of this server. Must be one of: default, dedicated, or host. 
+ + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy Jenkins + + + + + + +* [**`alb_arn`**](#alb_arn) — The ARN of the ALB deployed in front of Jenkins + + + +* [**`alb_dns_name`**](#alb_dns_name) — The DNS name of the ALB deployed in front of Jenkins + + + +* [**`alb_hosted_zone_id`**](#alb_hosted_zone_id) — The hosted zone ID of the ALB deployed in front of Jenkins + + + +* [**`alb_http_listener_arns`**](#alb_http_listener_arns) — The ARNs of just the HTTP ALB listeners of the ALB deployed in front of Jenkins + + + +* [**`alb_https_listener_acm_cert_arns`**](#alb_https_listener_acm_cert_arns) — The ARNs of just the HTTPS ALB listeners that usse ACM certs of the ALB deployed in front of Jenkins + + + +* [**`alb_https_listener_non_acm_cert_arns`**](#alb_https_listener_non_acm_cert_arns) — The ARNs of just the HTTPS ALB listeners that use non-ACM certs of the ALB deployed in front of Jenkins + + + +* [**`alb_listener_arns`**](#alb_listener_arns) — The ARNs of the ALB listeners of the ALB deployed in front of Jenkins + + + +* [**`alb_name`**](#alb_name) — The name of the ALB deployed in front of Jenkins + + + +* [**`alb_security_group_id`**](#alb_security_group_id) — The ID of the security group attached to the ALB deployed in front of Jenkins + + + +* [**`backup_lambda_function_arn`**](#backup_lambda_function_arn) — + + + +* [**`backup_lambda_function_name`**](#backup_lambda_function_name) — + + + +* [**`jenkins_asg_name`**](#jenkins_asg_name) — The name of the Auto Scaling Group in which Jenkins is running + + + +* [**`jenkins_domain_name`**](#jenkins_domain_name) — The public domain name configured for Jenkins + + + +* [**`jenkins_ebs_volume_id`**](#jenkins_ebs_volume_id) — The ID of the EBS Volume that will store the [`JENKINS_HOME`](#JENKINS_HOME) directory + + + +* [**`jenkins_iam_role_arn`**](#jenkins_iam_role_arn) — The ARN of the IAM role attached to the Jenkins EC2 Instance + + + +* [**`jenkins_iam_role_id`**](#jenkins_iam_role_id) — The 
ID of the IAM role attached to the Jenkins EC2 Instance + + + +* [**`jenkins_security_group_id`**](#jenkins_security_group_id) — The ID of the Security Group attached to the Jenkins EC2 Instance + +
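Review bot: the cross-link rewriter applied in this hunk links anything identifier-shaped, not just variable names. The `cloud_init_parts` entry now reads `[`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html`, which turns an external URL into a broken in-page anchor and strands the `.html`, and the `jenkins_ebs_volume_id` output links `JENKINS_HOME` to `#JENKINS_HOME`, an anchor that does not exist because it is not a variable or output. At the same time the `ami` and `ami_filters` entries still say "One of var.ami or [`ami_filters`](#ami_filters)", so `var.ami` was missed. Restrict the rewrite to `var.<name>` tokens that resolve to a variable or output on the same page and leave URLs verbatim. Since these descriptions are being regenerated anyway, fix the typos carried over from the old side: "AIM permissions" in `enable_cloudwatch_log_aggregation` (should be IAM), "the provide EBS KMS key ARN" in `ebs_kms_key_arn_is_alias`, "usse ACM certs" in `alb_https_listener_acm_cert_arns`, "jenkins-ubunutu.json" in `default_user`, and "lifecyle" in the two `dlm_backup_job_schedule_*` entries. `backup_lambda_function_arn` and `backup_lambda_function_name` still ship with empty descriptions, and the rendered `[`enable_ssh_grunt`](#enable_ssh_grunt)=true` reads awkwardly; "is `true`" would be clearer.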
diff --git a/docs/reference/services/data-storage/amazon-aurora.md b/docs/reference/services/data-storage/amazon-aurora.md index fed8cb622..7bb8bcf40 100644 --- a/docs/reference/services/data-storage/amazon-aurora.md +++ b/docs/reference/services/data-storage/amazon-aurora.md @@ -10,565 +10,327 @@ Deploy and manage Amazon Aurora using Amazon's Relational Database Service (RDS) ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arns - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the share snapshot backup job fails. -

    -
  • -
  • -

    - - allow_connections_from_cidr_blocks - - The list of network CIDR blocks to allow network access to Aurora from. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - allow_connections_from_security_groups - - The list of IDs or Security Groups to allow network access to Aurora from. All security groups must either be in the VPC specified by var.vpc_id, or a peered VPC with the VPC specified by var.vpc_id. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - allow_major_version_upgrade - - Enable to allow major engine version upgrades when changing engine versions. -

    -
  • -
  • -

    - - apply_immediately - - Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime. -

    -
  • -
  • -

    - - aurora_subnet_ids - - The list of IDs of the subnets in which to deploy Aurora. The list must only contain subnets in var.vpc_id. -

    -
  • -
  • -

    - - backup_job_alarm_period - - How often, in seconds, the backup job is expected to run. This is the same as var.schedule_expression, but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't updated within this time period, as that indicates the backup failed to run. -

    -
  • -
  • -

    - - backup_retention_period - - How many days to keep backup snapshots around before cleaning them up. Max: 35 -

    -
  • -
  • -

    - - create_snapshot_cloudwatch_metric_namespace - - The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. -

    -
  • -
  • -

    - - custom_tags - - A map of custom tags to apply to the RDS cluster and all associated resources created for it. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - dashboard_cpu_usage_widget_parameters - - Parameters for the cpu usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_db_connections_widget_parameters - - Parameters for the database connections widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_disk_space_widget_parameters - - Parameters for the available disk space widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_memory_widget_parameters - - Parameters for the available memory widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_read_latency_widget_parameters - - Parameters for the read latency widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_write_latency_widget_parameters - - Parameters for the read latency widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - db_cluster_custom_parameter_group - - Configure a custom parameter group for the RDS DB cluster. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. -

    -
  • -
  • -

    - - db_config_secrets_manager_id - - The friendly name or ARN of an AWS Secrets Manager secret that contains database configuration information in the format outlined by this document: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html. The engine, username, password, dbname, and port fields must be included in the JSON. Note that even with this precaution, this information will be stored in plaintext in the Terraform state file! See the following blog post for more details: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1. If you do not wish to use Secrets Manager, leave this as null, and use the master_username, master_password, db_name, engine, and port variables. -

    -
  • -
  • -

    - - db_instance_custom_parameter_group - - Configure a custom parameter group for the RDS DB Instance. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. -

    -
  • -
  • -

    - - db_name - - The name for your database of up to 8 alpha-numeric characters. If you do not provide a name, Amazon RDS will not create a database in the DB cluster you are creating. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. A value here overrides the value in db_config_secrets_manager_id. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. -

    -
  • -
  • -

    - - enable_deletion_protection - - Enable deletion protection on the database instance. If this is enabled, the database cannot be deleted. -

    -
  • -
  • -

    - - enable_perf_alarms - - Set to true to enable alarms related to performance, such as read and write latency alarms. Set to false to disable those alarms if you aren't sure what would be reasonable perf numbers for your RDS set up or if those numbers are too unpredictable. -

    -
  • -
  • -

    - - enable_share_snapshot_cloudwatch_alarms - - When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - enabled_cloudwatch_logs_exports - - If non-empty, the Aurora cluster will export the specified logs to Cloudwatch. Must be zero or more of: audit, error, general and slowquery -

    -
  • -
  • -

    - - engine - - The name of the database engine to be used for this DB cluster. Valid Values: aurora (for MySQL 5.6-compatible Aurora), aurora-mysql (for MySQL 5.7-compatible Aurora), and aurora-postgresql. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. A value here overrides the value in db_config_secrets_manager_id. -

    -
  • -
  • -

    - - engine_mode - - The version of aurora to run - provisioned or serverless. -

    -
  • -
  • -

    - - engine_version - - The Amazon Aurora DB engine version for the selected engine and engine_mode. Note: Starting with Aurora MySQL 2.03.2, Aurora engine versions have the following syntax <mysql-major-version>.mysql_aurora.<aurora-mysql-version>. e.g. 5.7.mysql_aurora.2.08.1. -

    -
  • -
  • -

    - - high_cpu_utilization_period - - The period, in seconds, over which to measure the CPU utilization percentage. -

    -
  • -
  • -

    - - high_cpu_utilization_threshold - - Trigger an alarm if the DB instance has a CPU utilization percentage above this threshold. -

    -
  • -
  • -

    - - high_read_latency_period - - The period, in seconds, over which to measure the read latency. -

    -
  • -
  • -

    - - high_read_latency_threshold - - Trigger an alarm if the DB instance read latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. -

    -
  • -
  • -

    - - high_write_latency_period - - The period, in seconds, over which to measure the write latency. -

    -
  • -
  • -

    - - high_write_latency_threshold - - Trigger an alarm if the DB instance write latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. -

    -
  • -
  • -

    - - iam_database_authentication_enabled - - Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Disabled by default. -

    -
  • -
  • -

    - - instance_count - - The number of DB instances, including the primary, to run in the RDS cluster. Only used when var.engine_mode is set to provisioned. -

    -
  • -
  • -

    - - instance_type - - The instance type to use for the db (e.g. db.r3.large). Only used when var.engine_mode is set to provisioned. -

    -
  • -
  • -

    - - kms_key_arn - - The ARN of a KMS key that should be used to encrypt data on disk. Only used if var.storage_encrypted is true. If you leave this null, the default RDS KMS key for the account will be used. -

    -
  • -
  • -

    - - low_disk_space_available_period - - The period, in seconds, over which to measure the available free disk space. -

    -
  • -
  • -

    - - low_disk_space_available_threshold - - Trigger an alarm if the amount of disk space, in Bytes, on the DB instance drops below this threshold. -

    -
  • -
  • -

    - - low_memory_available_period - - The period, in seconds, over which to measure the available free memory. -

    -
  • -
  • -

    - - low_memory_available_threshold - - Trigger an alarm if the amount of free memory, in Bytes, on the DB instance drops below this threshold. -

    -
  • -
  • -

    - - master_password - - The value to use for the master password of the database. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. A value here overrides the value in db_config_secrets_manager_id. -

    -
  • -
  • -

    - - master_username - - The value to use for the master username of the database. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. A value here overrides the value in db_config_secrets_manager_id. -

    -
  • -
  • -

    - - name - - The name used to namespace all the Aurora resources created by these templates, including the cluster and cluster instances (e.g. drupaldb). Must be unique in this region. Must be a lowercase string. -

    -
  • -
  • -

    - - port - - The port the DB will listen on (e.g. 3306). This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. A value here overrides the value in db_config_secrets_manager_id. -

    -
  • -
  • -

    - - publicly_accessible - - If you wish to make your database accessible from the public Internet, set this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The default is false, which means the database is only accessible from within the VPC, which is much more secure. This flag MUST be false for serverless mode. -

    -
  • -
  • -

    - - scaling_configuration_auto_pause - - Whether to enable automatic pause. A DB cluster can be paused only when it's idle (it has no connections). If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it. Only used when var.engine_mode is set to serverless. -

    -
  • -
  • -

    - - scaling_configuration_max_capacity - - The maximum capacity. The maximum capacity must be greater than or equal to the minimum capacity. Valid capacity values are 2, 4, 8, 16, 32, 64, 128, and 256. Only used when var.engine_mode is set to serverless. -

    -
  • -
  • -

    - - scaling_configuration_min_capacity - - The minimum capacity. The minimum capacity must be lesser than or equal to the maximum capacity. Valid capacity values are 2, 4, 8, 16, 32, 64, 128, and 256. Only used when var.engine_mode is set to serverless. -

    -
  • -
  • -

    - - scaling_configuration_seconds_until_auto_pause - - The time, in seconds, before an Aurora DB cluster in serverless mode is paused. Valid values are 300 through 86400. Only used when var.engine_mode is set to serverless. -

    -
  • -
  • -

    - - share_snapshot_max_snapshots - - The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - share_snapshot_schedule_expression - - An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if var.share_snapshot_with_another_account is true -

    -
  • -
  • -

    - - share_snapshot_with_account_id - - The ID of the AWS Account that the snapshot should be shared with. Required if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - share_snapshot_with_another_account - - If set to true, take periodic snapshots of the Aurora DB that should be shared with another account. -

    -
  • -
  • -

    - - skip_final_snapshot - - Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data! You almost never want to set this to true, unless you are doing automated or manual testing. -

    -
  • -
  • -

    - - snapshot_identifier - - If non-null, the RDS Instance will be restored from the given Snapshot ID. This is the Snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. -

    -
  • -
  • -

    - - storage_encrypted - - Specifies whether the DB cluster uses encryption for data at rest in the underlying storage for the DB, its automated backups, Read Replicas, and snapshots. Uses the default aws/rds key in KMS. -

    -
  • -
  • -

    - - too_many_db_connections_threshold - - Trigger an alarm if the number of connections to the DB instance goes above this threshold. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy Aurora. -

    -
  • -
-
- - - + + + + +* [**`alarms_sns_topic_arns`**](#alarms_sns_topic_arns) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the share snapshot backup job fails. + + + +* [**`allow_connections_from_cidr_blocks`**](#allow_connections_from_cidr_blocks) — The list of network CIDR blocks to allow network access to Aurora from. One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`allow_connections_from_security_groups`**](#allow_connections_from_security_groups) — The list of IDs or Security Groups to allow network access to Aurora from. All security groups must either be in the VPC specified by [`vpc_id`](#vpc_id), or a peered VPC with the VPC specified by [`vpc_id`](#vpc_id). One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`allow_major_version_upgrade`**](#allow_major_version_upgrade) — Enable to allow major engine version upgrades when changing engine versions. + + + +* [**`apply_immediately`**](#apply_immediately) — Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime. + + + +* [**`aurora_subnet_ids`**](#aurora_subnet_ids) — The list of IDs of the subnets in which to deploy Aurora. The list must only contain subnets in [`vpc_id`](#vpc_id). + + + +* [**`backup_job_alarm_period`**](#backup_job_alarm_period) — How often, in seconds, the backup job is expected to run. 
This is the same as [`schedule_expression`](#schedule_expression), but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in [`create_snapshot_cloudwatch_metric_namespace`](#create_snapshot_cloudwatch_metric_namespace) isn't updated within this time period, as that indicates the backup failed to run. + + + +* [**`backup_retention_period`**](#backup_retention_period) — How many days to keep backup snapshots around before cleaning them up. Max: 35 + + + +* [**`create_snapshot_cloudwatch_metric_namespace`**](#create_snapshot_cloudwatch_metric_namespace) — The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. + + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the RDS cluster and all associated resources created for it. The key is the tag name and the value is the tag value. + + + +* [**`dashboard_cpu_usage_widget_parameters`**](#dashboard_cpu_usage_widget_parameters) — Parameters for the cpu usage widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_db_connections_widget_parameters`**](#dashboard_db_connections_widget_parameters) — Parameters for the database connections widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_disk_space_widget_parameters`**](#dashboard_disk_space_widget_parameters) — Parameters for the available disk space widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_memory_widget_parameters`**](#dashboard_memory_widget_parameters) — Parameters for the available memory widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_read_latency_widget_parameters`**](#dashboard_read_latency_widget_parameters) — Parameters for the read latency widget to output for use in a CloudWatch dashboard. 
+ + + +* [**`dashboard_write_latency_widget_parameters`**](#dashboard_write_latency_widget_parameters) — Parameters for the read latency widget to output for use in a CloudWatch dashboard. + + + +* [**`db_cluster_custom_parameter_group`**](#db_cluster_custom_parameter_group) — Configure a custom parameter group for the RDS DB cluster. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. + + + +* [**`db_config_secrets_manager_id`**](#db_config_secrets_manager_id) — The friendly name or ARN of an AWS Secrets Manager secret that contains database configuration information in the format outlined by this document: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html. The engine, username, password, dbname, and port fields must be included in the JSON. Note that even with this precaution, this information will be stored in plaintext in the Terraform state file! See the following blog post for more details: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1. If you do not wish to use Secrets Manager, leave this as null, and use the [`master_username`](#master_username), [`master_password`](#master_password), [`db_name`](#db_name), engine, and port variables. + + + +* [**`db_instance_custom_parameter_group`**](#db_instance_custom_parameter_group) — Configure a custom parameter group for the RDS DB Instance. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. + + + +* [**`db_name`**](#db_name) — The name for your database of up to 8 alpha-numeric characters. If you do not provide a name, Amazon RDS will not create a database in the DB cluster you are creating. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). 
A value here overrides the value in [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. + + + +* [**`enable_deletion_protection`**](#enable_deletion_protection) — Enable deletion protection on the database instance. If this is enabled, the database cannot be deleted. + + + +* [**`enable_perf_alarms`**](#enable_perf_alarms) — Set to true to enable alarms related to performance, such as read and write latency alarms. Set to false to disable those alarms if you aren't sure what would be reasonable perf numbers for your RDS set up or if those numbers are too unpredictable. + + + +* [**`enable_share_snapshot_cloudwatch_alarms`**](#enable_share_snapshot_cloudwatch_alarms) — When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`enabled_cloudwatch_logs_exports`**](#enabled_cloudwatch_logs_exports) — If non-empty, the Aurora cluster will export the specified logs to Cloudwatch. Must be zero or more of: audit, error, general and slowquery + + + +* [**`engine`**](#engine) — The name of the database engine to be used for this DB cluster. Valid Values: aurora (for MySQL 5.6-compatible Aurora), aurora-mysql (for MySQL 5.7-compatible Aurora), and aurora-postgresql. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). 
A value here overrides the value in [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`engine_mode`**](#engine_mode) — The version of aurora to run - provisioned or serverless. + + + +* [**`engine_version`**](#engine_version) — The Amazon Aurora DB engine version for the selected engine and [`engine_mode`](#engine_mode). Note: Starting with Aurora MySQL 2.03.2, Aurora engine versions have the following syntax [`<mysql-major-version>.mysql_aurora`](#<mysql-major-version>.mysql_aurora).<aurora-mysql-version>. e.g. [`5.7.mysql_aurora`](#5.7.mysql_aurora).2.08.1. + + + +* [**`high_cpu_utilization_period`**](#high_cpu_utilization_period) — The period, in seconds, over which to measure the CPU utilization percentage. + + + +* [**`high_cpu_utilization_threshold`**](#high_cpu_utilization_threshold) — Trigger an alarm if the DB instance has a CPU utilization percentage above this threshold. + + + +* [**`high_read_latency_period`**](#high_read_latency_period) — The period, in seconds, over which to measure the read latency. + + + +* [**`high_read_latency_threshold`**](#high_read_latency_threshold) — Trigger an alarm if the DB instance read latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. + + + +* [**`high_write_latency_period`**](#high_write_latency_period) — The period, in seconds, over which to measure the write latency. + + + +* [**`high_write_latency_threshold`**](#high_write_latency_threshold) — Trigger an alarm if the DB instance write latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. + + + +* [**`iam_database_authentication_enabled`**](#iam_database_authentication_enabled) — Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Disabled by default. + + + +* [**`instance_count`**](#instance_count) — The number of DB instances, including the primary, to run in the RDS cluster. 
Only used when [`engine_mode`](#engine_mode) is set to provisioned. + + + +* [**`instance_type`**](#instance_type) — The instance type to use for the db (e.g. db.r3.large). Only used when [`engine_mode`](#engine_mode) is set to provisioned. + + + +* [**`kms_key_arn`**](#kms_key_arn) — The ARN of a KMS key that should be used to encrypt data on disk. Only used if [`storage_encrypted`](#storage_encrypted) is true. If you leave this null, the default RDS KMS key for the account will be used. + + + +* [**`low_disk_space_available_period`**](#low_disk_space_available_period) — The period, in seconds, over which to measure the available free disk space. + + + +* [**`low_disk_space_available_threshold`**](#low_disk_space_available_threshold) — Trigger an alarm if the amount of disk space, in Bytes, on the DB instance drops below this threshold. + + + +* [**`low_memory_available_period`**](#low_memory_available_period) — The period, in seconds, over which to measure the available free memory. + + + +* [**`low_memory_available_threshold`**](#low_memory_available_threshold) — Trigger an alarm if the amount of free memory, in Bytes, on the DB instance drops below this threshold. + + + +* [**`master_password`**](#master_password) — The value to use for the master password of the database. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). A value here overrides the value in [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`master_username`**](#master_username) — The value to use for the master username of the database. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). A value here overrides the value in [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). 
+ + + +* [**`name`**](#name) — The name used to namespace all the Aurora resources created by these templates, including the cluster and cluster instances (e.g. drupaldb). Must be unique in this region. Must be a lowercase string. + + + +* [**`port`**](#port) — The port the DB will listen on (e.g. 3306). This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). A value here overrides the value in [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`publicly_accessible`**](#publicly_accessible) — If you wish to make your database accessible from the public Internet, set this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The default is false, which means the database is only accessible from within the VPC, which is much more secure. This flag MUST be false for serverless mode. + + + +* [**`scaling_configuration_auto_pause`**](#scaling_configuration_auto_pause) — Whether to enable automatic pause. A DB cluster can be paused only when it's idle (it has no connections). If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it. Only used when [`engine_mode`](#engine_mode) is set to serverless. + + + +* [**`scaling_configuration_max_capacity`**](#scaling_configuration_max_capacity) — The maximum capacity. The maximum capacity must be greater than or equal to the minimum capacity. Valid capacity values are 2, 4, 8, 16, 32, 64, 128, and 256. Only used when [`engine_mode`](#engine_mode) is set to serverless. + + + +* [**`scaling_configuration_min_capacity`**](#scaling_configuration_min_capacity) — The minimum capacity. The minimum capacity must be lesser than or equal to the maximum capacity. Valid capacity values are 2, 4, 8, 16, 32, 64, 128, and 256. Only used when [`engine_mode`](#engine_mode) is set to serverless. 
+ + + +* [**`scaling_configuration_seconds_until_auto_pause`**](#scaling_configuration_seconds_until_auto_pause) — The time, in seconds, before an Aurora DB cluster in serverless mode is paused. Valid values are 300 through 86400. Only used when [`engine_mode`](#engine_mode) is set to serverless. + + + +* [**`share_snapshot_max_snapshots`**](#share_snapshot_max_snapshots) — The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`share_snapshot_schedule_expression`**](#share_snapshot_schedule_expression) — An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true + + + +* [**`share_snapshot_with_account_id`**](#share_snapshot_with_account_id) — The ID of the AWS Account that the snapshot should be shared with. Required if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`share_snapshot_with_another_account`**](#share_snapshot_with_another_account) — If set to true, take periodic snapshots of the Aurora DB that should be shared with another account. + + + +* [**`skip_final_snapshot`**](#skip_final_snapshot) — Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data! You almost never want to set this to true, unless you are doing automated or manual testing. + + + +* [**`snapshot_identifier`**](#snapshot_identifier) — If non-null, the RDS Instance will be restored from the given Snapshot ID. 
This is the Snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. + + + +* [**`storage_encrypted`**](#storage_encrypted) — Specifies whether the DB cluster uses encryption for data at rest in the underlying storage for the DB, its automated backups, Read Replicas, and snapshots. Uses the default aws/rds key in KMS. + + + +* [**`too_many_db_connections_threshold`**](#too_many_db_connections_threshold) — Trigger an alarm if the number of connections to the DB instance goes above this threshold. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy Aurora. + + + + + + +* [**`all_metric_widgets`**](#all_metric_widgets) — A list of all the CloudWatch Dashboard metric widgets available in this module. + + + +* [**`cleanup_snapshots_lambda_arn`**](#cleanup_snapshots_lambda_arn) — The ARN of the AWS Lambda Function used for cleaning up manual snapshots taken for sharing with secondary accounts. + + + +* [**`cluster_arn`**](#cluster_arn) — The ARN of the RDS Aurora cluster. + + + +* [**`cluster_id`**](#cluster_id) — The ID of the RDS Aurora cluster (e.g TODO). + + + +* [**`cluster_resource_id`**](#cluster_resource_id) — The unique resource ID assigned to the cluster e.g. cluster-POBCBQUFQC56EBAAWXGFJ77GRU. This is useful for allowing database authentication via IAM. + + + +* [**`create_snapshot_lambda_arn`**](#create_snapshot_lambda_arn) — The ARN of the AWS Lambda Function used for periodically taking snapshots to share with secondary accounts. + + + +* [**`instance_endpoints`**](#instance_endpoints) — A list of endpoints of the RDS instances that you can use to make requests to. + + + +* [**`metric_widget_aurora_cpu_usage`**](#metric_widget_aurora_cpu_usage) — A CloudWatch Dashboard widget that graphs CPU usage (percentage) of the Aurora cluster. 
+ + + +* [**`metric_widget_aurora_db_connections`**](#metric_widget_aurora_db_connections) — A CloudWatch Dashboard widget that graphs the number of active database connections of the Aurora cluster. + + + +* [**`metric_widget_aurora_disk_space`**](#metric_widget_aurora_disk_space) — A CloudWatch Dashboard widget that graphs available disk space (in bytes) on the Aurora cluster. + + + +* [**`metric_widget_aurora_memory`**](#metric_widget_aurora_memory) — A CloudWatch Dashboard widget that graphs available memory (in bytes) on the Aurora cluster. + + + +* [**`metric_widget_aurora_read_latency`**](#metric_widget_aurora_read_latency) — A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on reads. + + + +* [**`metric_widget_aurora_write_latency`**](#metric_widget_aurora_write_latency) — A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on writes. + + + +* [**`port`**](#port) — The port used by the RDS Aurora cluster for handling database connections. + + + +* [**`primary_endpoint`**](#primary_endpoint) — The primary endpoint of the RDS Aurora cluster that you can use to make requests to. + + + +* [**`primary_host`**](#primary_host) — The host portion of the Aurora endpoint. [`primary_endpoint`](#primary_endpoint) is in the form '<host>:<port>', and this output returns just the host part. + + + +* [**`share_snapshot_lambda_arn`**](#share_snapshot_lambda_arn) — The ARN of the AWS Lambda Function used for sharing manual snapshots with secondary accounts. + +
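Review bot: the cross-link in the new `enable_cloudwatch_alarms` entry points at `#alarms_sns_topic_arn` (singular), but the variable declared at the top of this hunk is `alarms_sns_topic_arns`, so the anchor will not resolve; it should read ``[`alarms_sns_topic_arns`](#alarms_sns_topic_arns)``. The link rewrite has also turned two strings in `engine_version` that are not variables into anchors (``[`<mysql-major-version>.mysql_aurora`](#<mysql-major-version>.mysql_aurora)`` and ``[`5.7.mysql_aurora`](#5.7.mysql_aurora)``); those should stay plain inline code. Two description defects carried over unchanged are worth fixing in the same pass: `dashboard_write_latency_widget_parameters` still says "Parameters for the read latency widget", and the `cluster_id` output still reads "(e.g TODO)".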
diff --git a/docs/reference/services/data-storage/amazon-ecr-repositories.md b/docs/reference/services/data-storage/amazon-ecr-repositories.md index 242d2f9df..65e49b40b 100644 --- a/docs/reference/services/data-storage/amazon-ecr-repositories.md +++ b/docs/reference/services/data-storage/amazon-ecr-repositories.md @@ -10,96 +10,59 @@ Create and manage multiple Amazon Elastic Container Repository (ECR) Repositorie ### Reference - -
    - -
  • -

    - - default_automatic_image_scanning - - Whether or not to enable image scanning on all the repos. Can be overridden on a per repo basis by the enable_automatic_image_scanning property in the repositories map. -

    -
  • -
  • -

    - - default_encryption_config - - The default encryption configuration to apply to the created ECR repository. When null, the images in the ECR repo will not be encrypted at rest. Can be overridden on a per repo basis by the encryption_config property in the repositories map. -

    -
  • -
  • -

    - - default_external_account_ids_with_read_access - - The default list of AWS account IDs for external AWS accounts that should be able to pull images from these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_read_access property in the repositories map. -

    -
  • -
  • -

    - - default_external_account_ids_with_write_access - - The default list of AWS account IDs for external AWS accounts that should be able to pull and push images to these ECR repos. Can be overridden on a per repo basis by the external_account_ids_with_write_access property in the repositories map. -

    -
  • -
  • -

    - - default_image_tag_mutability - - The tag mutability setting for all the repos. Must be one of: MUTABLE or IMMUTABLE. Can be overridden on a per repo basis by the image_tag_mutability property in the repositories map. -

    -
  • -
  • -

    - - global_tags - - A map of tags (where the key and value correspond to tag keys and values) that should be assigned to all ECR repositories. -

    -
  • -
  • -

    - - repositories - - A map of repo names to configurations for that repository. -

    -
  • -
-
- - - + + + + +* [**`default_automatic_image_scanning`**](#default_automatic_image_scanning) — Whether or not to enable image scanning on all the repos. Can be overridden on a per repo basis by the [`enable_automatic_image_scanning`](#enable_automatic_image_scanning) property in the repositories map. + + + +* [**`default_encryption_config`**](#default_encryption_config) — The default encryption configuration to apply to the created ECR repository. When null, the images in the ECR repo will not be encrypted at rest. Can be overridden on a per repo basis by the [`encryption_config`](#encryption_config) property in the repositories map. + + + +* [**`default_external_account_ids_with_read_access`**](#default_external_account_ids_with_read_access) — The default list of AWS account IDs for external AWS accounts that should be able to pull images from these ECR repos. Can be overridden on a per repo basis by the [`external_account_ids_with_read_access`](#external_account_ids_with_read_access) property in the repositories map. + + + +* [**`default_external_account_ids_with_write_access`**](#default_external_account_ids_with_write_access) — The default list of AWS account IDs for external AWS accounts that should be able to pull and push images to these ECR repos. Can be overridden on a per repo basis by the [`external_account_ids_with_write_access`](#external_account_ids_with_write_access) property in the repositories map. + + + +* [**`default_image_tag_mutability`**](#default_image_tag_mutability) — The tag mutability setting for all the repos. Must be one of: MUTABLE or IMMUTABLE. Can be overridden on a per repo basis by the [`image_tag_mutability`](#image_tag_mutability) property in the repositories map. + + + +* [**`global_tags`**](#global_tags) — A map of tags (where the key and value correspond to tag keys and values) that should be assigned to all ECR repositories. 
+ + + +* [**`repositories`**](#repositories) — A map of repo names to configurations for that repository. + + + + + + +* [**`ecr_read_policy_actions`**](#ecr_read_policy_actions) — A list of IAM policy actions necessary for ECR read access. + + + +* [**`ecr_repo_arns`**](#ecr_repo_arns) — A map of repository name to its ECR ARN. + + + +* [**`ecr_repo_urls`**](#ecr_repo_urls) — A map of repository name to its URL. + + + +* [**`ecr_write_policy_actions`**](#ecr_write_policy_actions) — A list of IAM policy actions necessary for ECR write access. + +
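Review bot: the per-repo override names in this hunk have been rewritten as anchor links (``[`enable_automatic_image_scanning`](#enable_automatic_image_scanning)``, ``[`encryption_config`](#encryption_config)``, ``[`image_tag_mutability`](#image_tag_mutability)`` and the two `external_account_ids_with_*_access` entries), but these are keys inside the `repositories` map, not module variables, so no matching heading exists on the page and the links will dangle. Keep them as plain inline code, or point them at the `repositories` entry instead; the same over-eager rewrite pattern is worth checking in the other files touched by this change.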
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md index 8e3febee1..8db25da1c 100644 --- a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md +++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md @@ -10,152 +10,91 @@ Deploy and manage Amazon ElastiCache for Memcached ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arns - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_connections_from_cidr_blocks - - The list of network CIDR blocks to allow network access to ElastiCache from. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the ElastiCache instances to be reachable. -

    -
  • -
  • -

    - - allow_connections_from_security_groups - - The list of IDs or Security Groups to allow network access to ElastiCache from. All security groups must either be in the VPC specified by var.vpc_id, or a peered VPC with the VPC specified by var.vpc_id. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the ElastiCache instances to be reachable. -

    -
  • -
  • -

    - - apply_immediately - - Specifies whether any database modifications are applied immediately, or during the next maintenance window. -

    -
  • -
  • -

    - - az_mode - - Specifies whether the nodes in this Memcached node group are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region. Valid values for this parameter are single-az or cross-az. If you want to choose cross-az, num_cache_nodes must be greater than 1. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - instance_type - - The compute and memory capacity of the nodes (e.g. cache.m4.large). -

    -
  • -
  • -

    - - maintenance_window - - Specifies the weekly time range for when maintenance on the cache cluster is performed (e.g. sun:05:00-sun:09:00). The format is ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. -

    -
  • -
  • -

    - - memcached_version - - Version number of memcached to use (e.g. 1.5.16). -

    -
  • -
  • -

    - - name - - The name used to namespace all resources created by these templates, including the ElastiCache cluster itself. Must be unique in this region. Must be a lowercase string. -

    -
  • -
  • -

    - - num_cache_nodes - - The initial number of cache nodes that the cache cluster will have. Must be between 1 and 20. -

    -
  • -
  • -

    - - port - - The port number on which each of the cache nodes will accept connections (e.g. 11211). -

    -
  • -
  • -

    - - subnet_ids - - The list of IDs of the subnets in which to deploy the ElasticCache instances. The list must only contain subnets in var.vpc_id. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy RDS. -

    -
  • -
-
- - - + + + + +* [**`alarms_sns_topic_arns`**](#alarms_sns_topic_arns) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_connections_from_cidr_blocks`**](#allow_connections_from_cidr_blocks) — The list of network CIDR blocks to allow network access to ElastiCache from. One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the ElastiCache instances to be reachable. + + + +* [**`allow_connections_from_security_groups`**](#allow_connections_from_security_groups) — The list of IDs or Security Groups to allow network access to ElastiCache from. All security groups must either be in the VPC specified by [`vpc_id`](#vpc_id), or a peered VPC with the VPC specified by [`vpc_id`](#vpc_id). One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the ElastiCache instances to be reachable. + + + +* [**`apply_immediately`**](#apply_immediately) — Specifies whether any database modifications are applied immediately, or during the next maintenance window. + + + +* [**`az_mode`**](#az_mode) — Specifies whether the nodes in this Memcached node group are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region. Valid values for this parameter are single-az or cross-az. If you want to choose cross-az, [`num_cache_nodes`](#num_cache_nodes) must be greater than 1. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). 
+ + + +* [**`instance_type`**](#instance_type) — The compute and memory capacity of the nodes (e.g. cache.m4.large). + + + +* [**`maintenance_window`**](#maintenance_window) — Specifies the weekly time range for when maintenance on the cache cluster is performed (e.g. sun:05:00-sun:09:00). The format is ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. + + + +* [**`memcached_version`**](#memcached_version) — Version number of memcached to use (e.g. 1.5.16). + + + +* [**`name`**](#name) — The name used to namespace all resources created by these templates, including the ElastiCache cluster itself. Must be unique in this region. Must be a lowercase string. + + + +* [**`num_cache_nodes`**](#num_cache_nodes) — The initial number of cache nodes that the cache cluster will have. Must be between 1 and 20. + + + +* [**`port`**](#port) — The port number on which each of the cache nodes will accept connections (e.g. 11211). + + + +* [**`subnet_ids`**](#subnet_ids) — The list of IDs of the subnets in which to deploy the ElasticCache instances. The list must only contain subnets in [`vpc_id`](#vpc_id). + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy RDS. + + + + + + +* [**`cache_addresses`**](#cache_addresses) — The list of addresses of the Memcached nodes without the port appended. + + + +* [**`cache_cluster_id`**](#cache_cluster_id) — The id of the ElastiCache Memcached cluster. + + + +* [**`cache_node_ids`**](#cache_node_ids) — The list of the AWS cache cluster node ids where each one represents a Memcached node. + + + +* [**`cache_port`**](#cache_port) — The port number on which each of the cache nodes will accept connections (e.g. 11211). + + + +* [**`configuration_endpoint`**](#configuration_endpoint) — The configuration endpoint to allow host discovery. + +
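Review bot: `enable_cloudwatch_alarms` links to `#alarms_sns_topic_arn` (singular) while the variable defined in this same hunk is `alarms_sns_topic_arns`; the rewritten link should be ``[`alarms_sns_topic_arns`](#alarms_sns_topic_arns)``. Two wording issues carried over from the old text could be fixed here as well: `vpc_id` is described as "The ID of the VPC in which to deploy RDS." in a Memcached document, and `subnet_ids` spells the service "ElasticCache".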
diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md index b6c757155..23affe664 100644 --- a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md +++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md @@ -10,222 +10,131 @@ Deploy and manage Amazon ElastiCache for Redis ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arns - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_connections_from_cidr_blocks - - The list of network CIDR blocks to allow network access to ElastiCache from. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the ElastiCache instances to be reachable. -

    -
  • -
  • -

    - - allow_connections_from_security_groups - - The list of IDs or Security Groups to allow network access to ElastiCache from. All security groups must either be in the VPC specified by var.vpc_id, or a peered VPC with the VPC specified by var.vpc_id. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the ElastiCache instances to be reachable. -

    -
  • -
  • -

    - - apply_immediately - - Specifies whether any modifications are applied immediately, or during the next maintenance window. -

    -
  • -
  • -

    - - cluster_mode - - Specifies the number of shards and replicas per shard in the cluster. The list should contain a single map with keys 'num_node_groups' and 'replicas_per_node_group' set to desired integer values. -

    -
  • -
  • -

    - - enable_at_rest_encryption - - Whether to enable encryption at rest. -

    -
  • -
  • -

    - - enable_automatic_failover - - Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a read-only replica is automatically promoted to a read-write primary cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for replication_group_size. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_multi_az - - Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a read-only replica is automatically promoted to a read-write primary cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for replication_group_size. -

    -
  • -
  • -

    - - enable_transit_encryption - - Whether to enable encryption in transit. -

    -
  • -
  • -

    - - instance_type - - The compute and memory capacity of the nodes (e.g. cache.m4.large). -

    -
  • -
  • -

    - - maintenance_window - - Specifies the weekly time range for when maintenance on the cache cluster is performed (e.g. sun:05:00-sun:09:00). The format is ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. -

    -
  • -
  • -

    - - name - - The name used to namespace all resources created by these templates, including the ElastiCache cluster itself (e.g. rediscache). Must be unique in this region. Must be a lowercase string. -

    -
  • -
  • -

    - - parameter_group_name - - Name of the parameter group to associate with this cache cluster. This can be used to configure custom settings for the cluster. -

    -
  • -
  • -

    - - port - - The port number on which each of the cache nodes will accept connections (e.g. 6379). -

    -
  • -
  • -

    - - redis_version - - Version number of redis to use (e.g. 5.0.6). -

    -
  • -
  • -

    - - replication_group_size - - The total number of nodes in the Redis Replication Group. E.g. 1 represents just the primary node, 2 represents the primary plus a single Read Replica. -

    -
  • -
  • -

    - - snapshot_retention_limit - - The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. Set to 0 to disable snapshots. -

    -
  • -
  • -

    - - snapshot_window - - The daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs. Set to empty string to disable snapshots. -

    -
  • -
  • -

    - - sns_topic_for_notifications - - The ARN of the SNS Topic to which notifications will be sent when a Replication Group event happens, such as an automatic failover (e.g. arn:aws:sns:*:123456789012:my_sns_topic). An empty string is a valid value if you do not wish to receive notifications via SNS. -

    -
  • -
  • -

    - - subnet_ids - - The list of IDs of the subnets in which to deploy the ElasticCache instances. The list must only contain subnets in var.vpc_id. -

    -
  • -
  • -

    - - tags - - A set of tags to set for the ElastiCache Replication Group. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy RDS. -

    -
  • -
-
- -
    - -
  • -

    - - cache_cluster_ids - - The list of AWS cache cluster ids where each one represents a Redis node. -

    -
  • -
  • -

    - - cache_node_id - - The id of the ElastiCache node. Note: Each Redis cache cluster has only one node and its id is always 0001. -

    -
  • -
  • -

    - - cache_port - - The port number on which each of the cache nodes will accept connections (e.g. 6379). -

    -
  • -
  • -

    - - configuration_endpoint - - When cluster mode is enabled, use this endpoint for all operations. Redis will automatically determine which of the cluster's node to access. -

    -
  • -
  • -

    - - primary_endpoint - - The primary endpoint is a DNS name that always resolves to the primary node in the Redis cluster. -

    -
  • -
  • -

    - - reader_endpoint - - When cluster mode is disabled, use this endpoint for all read operations. -

    -
  • -
-
+ + + + +* [**`alarms_sns_topic_arns`**](#alarms_sns_topic_arns) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_connections_from_cidr_blocks`**](#allow_connections_from_cidr_blocks) — The list of network CIDR blocks to allow network access to ElastiCache from. One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the ElastiCache instances to be reachable. + + + +* [**`allow_connections_from_security_groups`**](#allow_connections_from_security_groups) — The list of IDs or Security Groups to allow network access to ElastiCache from. All security groups must either be in the VPC specified by [`vpc_id`](#vpc_id), or a peered VPC with the VPC specified by [`vpc_id`](#vpc_id). One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the ElastiCache instances to be reachable. + + + +* [**`apply_immediately`**](#apply_immediately) — Specifies whether any modifications are applied immediately, or during the next maintenance window. + + + +* [**`cluster_mode`**](#cluster_mode) — Specifies the number of shards and replicas per shard in the cluster. The list should contain a single map with keys [`'num_node_groups`](#'num_node_groups)' and [`'replicas_per_node_group`](#'replicas_per_node_group)' set to desired integer values. + + + +* [**`enable_at_rest_encryption`**](#enable_at_rest_encryption) — Whether to enable encryption at rest. + + + +* [**`enable_automatic_failover`**](#enable_automatic_failover) — Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a read-only replica is automatically promoted to a read-write primary cluster if the existing primary cluster fails. 
If you specify true, you must specify a value greater than 1 for [`replication_group_size`](#replication_group_size). + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_multi_az`**](#enable_multi_az) — Indicates whether Multi-AZ is enabled. When Multi-AZ is enabled, a read-only replica is automatically promoted to a read-write primary cluster if the existing primary cluster fails. If you specify true, you must specify a value greater than 1 for [`replication_group_size`](#replication_group_size). + + + +* [**`enable_transit_encryption`**](#enable_transit_encryption) — Whether to enable encryption in transit. + + + +* [**`instance_type`**](#instance_type) — The compute and memory capacity of the nodes (e.g. cache.m4.large). + + + +* [**`maintenance_window`**](#maintenance_window) — Specifies the weekly time range for when maintenance on the cache cluster is performed (e.g. sun:05:00-sun:09:00). The format is ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. + + + +* [**`name`**](#name) — The name used to namespace all resources created by these templates, including the ElastiCache cluster itself (e.g. rediscache). Must be unique in this region. Must be a lowercase string. + + + +* [**`parameter_group_name`**](#parameter_group_name) — Name of the parameter group to associate with this cache cluster. This can be used to configure custom settings for the cluster. + + + +* [**`port`**](#port) — The port number on which each of the cache nodes will accept connections (e.g. 6379). + + + +* [**`redis_version`**](#redis_version) — Version number of redis to use (e.g. 5.0.6). 
+ + + +* [**`replication_group_size`**](#replication_group_size) — The total number of nodes in the Redis Replication Group. E.g. 1 represents just the primary node, 2 represents the primary plus a single Read Replica. + + + +* [**`snapshot_retention_limit`**](#snapshot_retention_limit) — The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. Set to 0 to disable snapshots. + + + +* [**`snapshot_window`**](#snapshot_window) — The daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs. Set to empty string to disable snapshots. + + + +* [**`sns_topic_for_notifications`**](#sns_topic_for_notifications) — The ARN of the SNS Topic to which notifications will be sent when a Replication Group event happens, such as an automatic failover (e.g. [`arn:aws:sns:*:123456789012:my_sns_topic`](#arn:aws:sns:*:123456789012:my_sns_topic)). An empty string is a valid value if you do not wish to receive notifications via SNS. + + + +* [**`subnet_ids`**](#subnet_ids) — The list of IDs of the subnets in which to deploy the ElasticCache instances. The list must only contain subnets in [`vpc_id`](#vpc_id). + + + +* [**`tags`**](#tags) — A set of tags to set for the ElastiCache Replication Group. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy RDS. + + + + + + +* [**`cache_cluster_ids`**](#cache_cluster_ids) — The list of AWS cache cluster ids where each one represents a Redis node. + + + +* [**`cache_node_id`**](#cache_node_id) — The id of the ElastiCache node. Note: Each Redis cache cluster has only one node and its id is always 0001. + + + +* [**`cache_port`**](#cache_port) — The port number on which each of the cache nodes will accept connections (e.g. 6379). + + + +* [**`configuration_endpoint`**](#configuration_endpoint) — When cluster mode is enabled, use this endpoint for all operations. 
Redis will automatically determine which of the cluster's node to access. + + + +* [**`primary_endpoint`**](#primary_endpoint) — The primary endpoint is a DNS name that always resolves to the primary node in the Redis cluster. + + + +* [**`reader_endpoint`**](#reader_endpoint) — When cluster mode is disabled, use this endpoint for all read operations. + +
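Review bot: the rewritten `enable_cloudwatch_alarms` entry in this hunk links to `#alarms_sns_topic_arn`, but the variable defined at the top of the same list is `alarms_sns_topic_arns`, so that cross-reference still dangles after the change; it should read [`alarms_sns_topic_arns`](#alarms_sns_topic_arns). The same link generation also wraps every backticked token regardless of whether it names a variable, which yields anchors that point at nothing: in `cluster_mode` the map keys come out as [`'num_node_groups`](#'num_node_groups)' and [`'replicas_per_node_group`](#'replicas_per_node_group)' (the opening quote lands inside the link and the closing quote outside it), and in `sns_topic_for_notifications` the example ARN becomes [`arn:aws:sns:*:123456789012:my_sns_topic`](#arn:aws:sns:*:123456789012:my_sns_topic). Only tokens that match a variable or output name in this reference should be linked; everything else should stay plain inline code. Since these descriptions are being regenerated anyway, three carried-over text errors are worth fixing in the same pass: `vpc_id` still says "The ID of the VPC in which to deploy RDS." on an ElastiCache page, `subnet_ids` spells the service "ElasticCache", and `enable_automatic_failover` and `enable_multi_az` carry word-for-word identical descriptions, so a reader cannot tell what distinguishes the two flags.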
diff --git a/docs/reference/services/data-storage/amazon-elasticsearch.md b/docs/reference/services/data-storage/amazon-elasticsearch.md index 8f39f85d4..02fdc9e72 100644 --- a/docs/reference/services/data-storage/amazon-elasticsearch.md +++ b/docs/reference/services/data-storage/amazon-elasticsearch.md @@ -10,327 +10,191 @@ Deploy and manage Amazon Elasticsearch Service ### Reference - -
    - -
  • -

    - - advanced_options - - Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes). -

    -
  • -
  • -

    - - advanced_security_options - - Enable fine grain access control -

    -
  • -
  • -

    - - alarm_sns_topic_arns - - ARNs of the SNS topics associated with the CloudWatch alarms for the Elasticsearch cluster. -

    -
  • -
  • -

    - - allow_connections_from_cidr_blocks - - The list of network CIDR blocks to allow network access to Aurora from. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - allow_connections_from_security_groups - - The list of IDs or Security Groups to allow network access to Aurora from. All security groups must either be in the VPC specified by var.vpc_id, or a peered VPC with the VPC specified by var.vpc_id. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - automated_snapshot_start_hour - - Hour during which the service takes an automated daily snapshot of the indices in the domain. This setting has no effect on Elasticsearch 5.3 and later. -

    -
  • -
  • -

    - - availability_zone_count - - Number of Availability Zones for the domain to use with var.zone_awareness_enabled. Defaults to 2. Valid values: 2 or 3. -

    -
  • -
  • -

    - - create_service_linked_role - - Whether or not the Service Linked Role for Elasticsearch should be created within this module. Normally the service linked role is created automatically by AWS when creating the Elasticsearch domain in the web console, but API does not implement this logic. You can either have AWS automatically manage this by creating a domain manually in the console, or manage it in terraform using the landing zone modules or this variable. -

    -
  • -
  • -

    - - custom_endpoint - - Fully qualified domain for your custom endpoint. -

    -
  • -
  • -

    - - custom_endpoint_certificate_arn - - ACM certificate ARN for your custom endpoint. -

    -
  • -
  • -

    - - custom_endpoint_enabled - - Whether to enable custom endpoint for the Elasticsearch domain. -

    -
  • -
  • -

    - - custom_tags - - A map of custom tags to apply to the ElasticSearch Domain. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - dedicated_master_count - - The number of dedicated master nodes to run. We recommend setting this to 3 for production deployments. Only used if var.dedicated_master_enabled is true. -

    -
  • -
  • -

    - - dedicated_master_enabled - - Whether to deploy separate nodes specifically for performing cluster management tasks (e.g. tracking number of nodes, monitoring health, replicating changes). This increases the stability of large clusters and is required for clusters with more than 10 nodes. -

    -
  • -
  • -

    - - dedicated_master_type - - The instance type for the dedicated master nodes. These nodes can use a different instance type than the rest of the cluster. Only used if var.dedicated_master_enabled is true. -

    -
  • -
  • -

    - - domain_name - - The name of the Elasticsearch cluster. It must be unique to your account and region, start with a lowercase letter, contain between 3 and 28 characters, and contain only lowercase letters a-z, the numbers 0-9, and the hyphen (-). -

    -
  • -
  • -

    - - ebs_enabled - - Set to false to disable EBS volumes. This is useful for nodes that have optimized instance storage, like hosts running the i3 instance type. -

    -
  • -
  • -

    - - elasticsearch_version - - The version of Elasticsearch to deploy. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arns. -

    -
  • -
  • -

    - - enable_encryption_at_rest - - False by default because encryption at rest is not included in the free tier. When true, the Elasticsearch domain storage will be encrypted at rest using the KMS key described with var.encryption_kms_key_id. We strongly recommend configuring a custom KMS key instead of using the shared service key for a better security posture when configuring encryption at rest. -

    -
  • -
  • -

    - - enable_node_to_node_encryption - - Whether to enable node-to-node encryption. -

    -
  • -
  • -

    - - encryption_kms_key_id - - The ID of the KMS key to use to encrypt the Elasticsearch domain storage. Only used if enable_encryption_at_rest. When null, uses the aws/es service KMS key. -

    -
  • -
  • -

    - - iam_principal_arns - - The ARNS of the IAM users and roles to which to allow full access to the Elasticsearch cluster. Setting this to a restricted list is useful when using a public access cluster. -

    -
  • -
  • -

    - - instance_count - - The number of instances to deploy in the Elasticsearch cluster. This must be an even number if zone_awareness_enabled is true. -

    -
  • -
  • -

    - - instance_type - - The instance type to use for Elasticsearch data nodes (e.g., t2.small.elasticsearch, or m4.large.elasticsearch). For supported instance types see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html. -

    -
  • -
  • -

    - - internal_user_database_enabled - - Whether the internal user database is enabled. Enable this to use master accounts. Only used if advanced_security_options is set to true. -

    -
  • -
  • -

    - - iops - - The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is io1. -

    -
  • -
  • -

    - - is_public - - Whether the cluster is publicly accessible. -

    -
  • -
  • -

    - - master_user_arn - - ARN of the master user. Only used if advanced_security_options and internal_user_database_enabled are set to true. -

    -
  • -
  • -

    - - master_user_name - - Master account user name. Only used if advanced_security_options and internal_user_database_enabled are set to true. -

    -
  • -
  • -

    - - master_user_password - - Master account user password. Only used if advanced_security_options and internal_user_database_enabled are set to true. WARNING: this password will be stored in Terraform state. -

    -
  • -
  • -

    - - subnet_ids - - List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in. If var.zone_awareness_enabled is true, the first 2 or 3 provided subnet ids are used, depending on var.availability_zone_count. Otherwise only the first one is used. -

    -
  • -
  • -

    - - tls_security_policy - - The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is configured. -

    -
  • -
  • -

    - - update_timeout - - How long to wait for updates to the ES cluster before timing out and reporting an error. -

    -
  • -
  • -

    - - volume_size - - The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512). For volume size limits see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-limits.html. -

    -
  • -
  • -

    - - volume_type - - The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. -

    -
  • -
  • -

    - - vpc_id - - The id of the VPC to deploy into. It must be in the same region as the Elasticsearch domain and its tenancy must be set to Default. If zone_awareness_enabled is false, the Elasticsearch cluster will have an endpoint in one subnet of the VPC; otherwise it will have endpoints in two subnets. -

    -
  • -
  • -

    - - zone_awareness_enabled - - Whether to deploy the Elasticsearch nodes across two Availability Zones instead of one. Note that if you enable this, the instance_count MUST be an even number. -

    -
  • -
-
- - - + + + + +* [**`advanced_options`**](#advanced_options) — Key-value string pairs to specify advanced configuration options. Note that the values for these configuration options must be strings (wrapped in quotes). + + + +* [**`advanced_security_options`**](#advanced_security_options) — Enable fine grain access control + + + +* [**`alarm_sns_topic_arns`**](#alarm_sns_topic_arns) — ARNs of the SNS topics associated with the CloudWatch alarms for the Elasticsearch cluster. + + + +* [**`allow_connections_from_cidr_blocks`**](#allow_connections_from_cidr_blocks) — The list of network CIDR blocks to allow network access to Aurora from. One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`allow_connections_from_security_groups`**](#allow_connections_from_security_groups) — The list of IDs or Security Groups to allow network access to Aurora from. All security groups must either be in the VPC specified by [`vpc_id`](#vpc_id), or a peered VPC with the VPC specified by [`vpc_id`](#vpc_id). One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`automated_snapshot_start_hour`**](#automated_snapshot_start_hour) — Hour during which the service takes an automated daily snapshot of the indices in the domain. This setting has no effect on Elasticsearch 5.3 and later. + + + +* [**`availability_zone_count`**](#availability_zone_count) — Number of Availability Zones for the domain to use with [`zone_awareness_enabled`](#zone_awareness_enabled). Defaults to 2. Valid values: 2 or 3. 
+ + + +* [**`create_service_linked_role`**](#create_service_linked_role) — Whether or not the Service Linked Role for Elasticsearch should be created within this module. Normally the service linked role is created automatically by AWS when creating the Elasticsearch domain in the web console, but API does not implement this logic. You can either have AWS automatically manage this by creating a domain manually in the console, or manage it in terraform using the landing zone modules or this variable. + + + +* [**`custom_endpoint`**](#custom_endpoint) — Fully qualified domain for your custom endpoint. + + + +* [**`custom_endpoint_certificate_arn`**](#custom_endpoint_certificate_arn) — ACM certificate ARN for your custom endpoint. + + + +* [**`custom_endpoint_enabled`**](#custom_endpoint_enabled) — Whether to enable custom endpoint for the Elasticsearch domain. + + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the ElasticSearch Domain. The key is the tag name and the value is the tag value. + + + +* [**`dedicated_master_count`**](#dedicated_master_count) — The number of dedicated master nodes to run. We recommend setting this to 3 for production deployments. Only used if [`dedicated_master_enabled`](#dedicated_master_enabled) is true. + + + +* [**`dedicated_master_enabled`**](#dedicated_master_enabled) — Whether to deploy separate nodes specifically for performing cluster management tasks (e.g. tracking number of nodes, monitoring health, replicating changes). This increases the stability of large clusters and is required for clusters with more than 10 nodes. + + + +* [**`dedicated_master_type`**](#dedicated_master_type) — The instance type for the dedicated master nodes. These nodes can use a different instance type than the rest of the cluster. Only used if [`dedicated_master_enabled`](#dedicated_master_enabled) is true. + + + +* [**`domain_name`**](#domain_name) — The name of the Elasticsearch cluster. 
It must be unique to your account and region, start with a lowercase letter, contain between 3 and 28 characters, and contain only lowercase letters a-z, the numbers 0-9, and the hyphen (-). + + + +* [**`ebs_enabled`**](#ebs_enabled) — Set to false to disable EBS volumes. This is useful for nodes that have optimized instance storage, like hosts running the i3 instance type. + + + +* [**`elasticsearch_version`**](#elasticsearch_version) — The version of Elasticsearch to deploy. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arns`](#alarms_sns_topic_arns). + + + +* [**`enable_encryption_at_rest`**](#enable_encryption_at_rest) — False by default because encryption at rest is not included in the free tier. When true, the Elasticsearch domain storage will be encrypted at rest using the KMS key described with [`encryption_kms_key_id`](#encryption_kms_key_id). We strongly recommend configuring a custom KMS key instead of using the shared service key for a better security posture when configuring encryption at rest. + + + +* [**`enable_node_to_node_encryption`**](#enable_node_to_node_encryption) — Whether to enable node-to-node encryption. + + + +* [**`encryption_kms_key_id`**](#encryption_kms_key_id) — The ID of the KMS key to use to encrypt the Elasticsearch domain storage. Only used if [`enable_encryption_at_rest`](#enable_encryption_at_rest). When null, uses the aws/es service KMS key. + + + +* [**`iam_principal_arns`**](#iam_principal_arns) — The ARNS of the IAM users and roles to which to allow full access to the Elasticsearch cluster. Setting this to a restricted list is useful when using a public access cluster. + + + +* [**`instance_count`**](#instance_count) — The number of instances to deploy in the Elasticsearch cluster. 
This must be an even number if [`zone_awareness_enabled`](#zone_awareness_enabled) is true. + + + +* [**`instance_type`**](#instance_type) — The instance type to use for Elasticsearch data nodes (e.g., t2.small.elasticsearch, or m4.large.elasticsearch). For supported instance types see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-supported-instance-types.html. + + + +* [**`internal_user_database_enabled`**](#internal_user_database_enabled) — Whether the internal user database is enabled. Enable this to use master accounts. Only used if [`advanced_security_options`](#advanced_security_options) is set to true. + + + +* [**`iops`**](#iops) — The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if [`volume_type`](#volume_type) is io1. + + + +* [**`is_public`**](#is_public) — Whether the cluster is publicly accessible. + + + +* [**`master_user_arn`**](#master_user_arn) — ARN of the master user. Only used if [`advanced_security_options`](#advanced_security_options) and [`internal_user_database_enabled`](#internal_user_database_enabled) are set to true. + + + +* [**`master_user_name`**](#master_user_name) — Master account user name. Only used if [`advanced_security_options`](#advanced_security_options) and [`internal_user_database_enabled`](#internal_user_database_enabled) are set to true. + + + +* [**`master_user_password`**](#master_user_password) — Master account user password. Only used if [`advanced_security_options`](#advanced_security_options) and [`internal_user_database_enabled`](#internal_user_database_enabled) are set to true. WARNING: this password will be stored in Terraform state. + + + +* [**`subnet_ids`**](#subnet_ids) — List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in. 
If [`zone_awareness_enabled`](#zone_awareness_enabled) is true, the first 2 or 3 provided subnet ids are used, depending on [`availability_zone_count`](#availability_zone_count). Otherwise only the first one is used. + + + +* [**`tls_security_policy`**](#tls_security_policy) — The name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is configured. + + + +* [**`update_timeout`**](#update_timeout) — How long to wait for updates to the ES cluster before timing out and reporting an error. + + + +* [**`volume_size`**](#volume_size) — The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512). For volume size limits see https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-limits.html. + + + +* [**`volume_type`**](#volume_type) — The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. + + + +* [**`vpc_id`**](#vpc_id) — The id of the VPC to deploy into. It must be in the same region as the Elasticsearch domain and its tenancy must be set to Default. If [`zone_awareness_enabled`](#zone_awareness_enabled) is false, the Elasticsearch cluster will have an endpoint in one subnet of the VPC; otherwise it will have endpoints in two subnets. + + + +* [**`zone_awareness_enabled`**](#zone_awareness_enabled) — Whether to deploy the Elasticsearch nodes across two Availability Zones instead of one. Note that if you enable this, the [`instance_count`](#instance_count) MUST be an even number. + + + + + + +* [**`cluster_arn`**](#cluster_arn) — The ARN of the Elasticsearch cluster created by this module. + + + +* [**`cluster_domain_id`**](#cluster_domain_id) — The domain ID of the Elasticsearch cluster created by this module. 
+ + + +* [**`cluster_domain_name`**](#cluster_domain_name) — The name of the Elasticsearch domain. + + + +* [**`cluster_endpoint`**](#cluster_endpoint) — The endpoint of the Elasticsearch cluster created by this module. + + + +* [**`cluster_security_group_id`**](#cluster_security_group_id) — If the domain was created inside a VPC, the ID of the security group created by this module for securing the Elasticsearch cluster. + + + +* [**`kibana_endpoint`**](#kibana_endpoint) — Domain-specific endpoint for Kibana without https scheme. + +
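Review bot: `enable_cloudwatch_alarms` in this hunk links to [`alarms_sns_topic_arns`](#alarms_sns_topic_arns), but the variable this module actually defines, three entries up in the same list, is `alarm_sns_topic_arns` (singular "alarm"), so the generated anchor resolves to nothing; the description text should say `alarm_sns_topic_arns` (renaming the variable instead would break existing callers). Two descriptions also name the wrong service: `allow_connections_from_cidr_blocks` and `allow_connections_from_security_groups` both say "allow network access to Aurora from" and "for the database to be reachable" on the Elasticsearch page, and should refer to the Elasticsearch domain. The AZ wording is inconsistent as well: `zone_awareness_enabled` says "across two Availability Zones instead of one" and `vpc_id` says "endpoints in two subnets", while `availability_zone_count` allows 2 or 3 and `subnet_ids` says the first 2 or 3 subnets are used; state "two or three" in all four places. Finally, `tls_security_policy` lists Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07 as valid values without saying which one applies when the variable is unset; the description should name the default so a reader can tell whether TLS 1.0 clients are accepted out of the box.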
diff --git a/docs/reference/services/data-storage/amazon-rds.md b/docs/reference/services/data-storage/amazon-rds.md index aa3ace032..15030db25 100644 --- a/docs/reference/services/data-storage/amazon-rds.md +++ b/docs/reference/services/data-storage/amazon-rds.md @@ -10,614 +10,355 @@ Deploy and manage Amazon Relational Database Service (RDS) ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arns - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the share snapshot backup job fails. -

    -
  • -
  • -

    - - allocated_storage - - The amount of storage space the DB should use, in GB. -

    -
  • -
  • -

    - - allow_connections_from_cidr_blocks - - The list of network CIDR blocks to allow network access to RDS from. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - allow_connections_from_security_groups - - The list of IDs or Security Groups to allow network access to RDS from. All security groups must either be in the VPC specified by var.vpc_id, or a peered VPC with the VPC specified by var.vpc_id. One of var.allow_connections_from_cidr_blocks or var.allow_connections_from_security_groups must be specified for the database to be reachable. -

    -
  • -
  • -

    - - allow_manage_key_permissions_with_iam - - If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient. -

    -
  • -
  • -

    - - apply_immediately - - Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime. -

    -
  • -
  • -

    - - backup_job_alarm_period - - How often, in seconds, the backup job is expected to run. This is the same as var.schedule_expression, but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't updated within this time period, as that indicates the backup failed to run. -

    -
  • -
  • -

    - - backup_retention_period - - How many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. -

    -
  • -
  • -

    - - backup_window - - The daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs. -

    -
  • -
  • -

    - - cmk_administrator_iam_arns - - A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and var.kms_key_arn is null, the ARN of the current user will be used. -

    -
  • -
  • -

    - - cmk_external_user_iam_arns - - A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root). -

    -
  • -
  • -

    - - cmk_user_iam_arns - - A list of IAM ARNs for users who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and var.kms_key_arn is null, the ARN of the current user will be used. -

    -
  • -
  • -

    - - create_custom_kms_key - - If set to true, create a KMS CMK and use it to encrypt data on disk in the database. The permissions for this CMK will be assigned by the following variables: cmk_administrator_iam_arns, cmk_user_iam_arns, cmk_external_user_iam_arns, allow_manage_key_permissions. -

    -
  • -
  • -

    - - create_snapshot_cloudwatch_metric_namespace - - The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. -

    -
  • -
  • -

    - - custom_parameter_group - - Configure a custom parameter group for the RDS DB. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. -

    -
  • -
  • -

    - - custom_tags - - A map of custom tags to apply to the RDS Instance and the Security Group created for it. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - dashboard_cpu_usage_widget_parameters - - Parameters for the cpu usage widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_db_connections_widget_parameters - - Parameters for the database connections widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_disk_space_widget_parameters - - Parameters for the available disk space widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_memory_widget_parameters - - Parameters for the available memory widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_read_latency_widget_parameters - - Parameters for the read latency widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - dashboard_write_latency_widget_parameters - - Parameters for the read latency widget to output for use in a CloudWatch dashboard. -

    -
  • -
  • -

    - - db_config_secrets_manager_id - - The friendly name or ARN of an AWS Secrets Manager secret that contains database configuration information in the format outlined by this document: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html. The engine, username, password, dbname, and port fields must be included in the JSON. Note that even with this precaution, this information will be stored in plaintext in the Terraform state file! See the following blog post for more details: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1. If you do not wish to use Secrets Manager, leave this as null, and use the master_username, master_password, db_name, engine, and port variables. -

    -
  • -
  • -

    - - db_name - - The name for your database of up to 8 alpha-numeric characters. If you do not provide a name, Amazon RDS will not create an empty database on the RDS instance. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. -

    -
  • -
  • -

    - - delete_automated_backups - - Specifies whether to remove automated backups immediately after the DB instance is deleted -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. -

    -
  • -
  • -

    - - enable_deletion_protection - - Enable deletion protection on the RDS instance. If this is enabled, the database cannot be deleted prior to disabling -

    -
  • -
  • -

    - - enable_perf_alarms - - Set to true to enable alarms related to performance, such as read and write latency alarms. Set to false to disable those alarms if you aren't sure what would be reasonable perf numbers for your RDS set up or if those numbers are too unpredictable. -

    -
  • -
  • -

    - - enable_share_snapshot_cloudwatch_alarms - - When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - enabled_cloudwatch_logs_exports - - List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL) and upgrade (PostgreSQL). -

    -
  • -
  • -

    - - engine - - The DB engine to use (e.g. mysql). This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. -

    -
  • -
  • -

    - - engine_version - - The version of var.engine to use (e.g. 8.0.17 for mysql). -

    -
  • -
  • -

    - - high_cpu_utilization_period - - The period, in seconds, over which to measure the CPU utilization percentage. -

    -
  • -
  • -

    - - high_cpu_utilization_threshold - - Trigger an alarm if the DB instance has a CPU utilization percentage above this threshold. -

    -
  • -
  • -

    - - high_read_latency_period - - The period, in seconds, over which to measure the read latency. -

    -
  • -
  • -

    - - high_read_latency_threshold - - Trigger an alarm if the DB instance read latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. -

    -
  • -
  • -

    - - high_write_latency_period - - The period, in seconds, over which to measure the write latency. -

    -
  • -
  • -

    - - high_write_latency_threshold - - Trigger an alarm if the DB instance write latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. -

    -
  • -
  • -

    - - iam_database_authentication_enabled - - Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Disabled by default. -

    -
  • -
  • -

    - - instance_type - - The instance type to use for the db (e.g. db.t3.micro) -

    -
  • -
  • -

    - - kms_key_arn - - The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK) that will be used to encrypt/decrypt backup files. If you leave this blank, the default RDS KMS key for the account will be used. If you set var.create_custom_kms_key to true, this value will be ignored and a custom key will be created and used instead. -

    -
  • -
  • -

    - - license_model - - The license model to use for this DB. Check the docs for your RDS DB for available license models. Set to an empty string to use the default. -

    -
  • -
  • -

    - - low_disk_space_available_period - - The period, in seconds, over which to measure the available free disk space. -

    -
  • -
  • -

    - - low_disk_space_available_threshold - - Trigger an alarm if the amount of disk space, in Bytes, on the DB instance drops below this threshold. -

    -
  • -
  • -

    - - low_memory_available_period - - The period, in seconds, over which to measure the available free memory. -

    -
  • -
  • -

    - - low_memory_available_threshold - - Trigger an alarm if the amount of free memory, in Bytes, on the DB instance drops below this threshold. -

    -
  • -
  • -

    - - master_password - - The value to use for the master password of the database. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. -

    -
  • -
  • -

    - - master_username - - The value to use for the master username of the database. This can also be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. -

    -
  • -
  • -

    - - max_allocated_storage - - When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling. -

    -
  • -
  • -

    - - multi_az - - Specifies if a standby instance should be deployed in another availability zone. If the primary fails, this instance will automatically take over. -

    -
  • -
  • -

    - - name - - The name used to namespace all the RDS resources created by these templates, including the cluster and cluster instances (e.g. mysql-stage). Must be unique in this region. Must be a lowercase string. -

    -
  • -
  • -

    - - num_read_replicas - - The number of read replicas to deploy -

    -
  • -
  • -

    - - port - - The port the DB will listen on (e.g. 3306). Alternatively, this can be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id. -

    -
  • -
  • -

    - - publicly_accessible - - If you wish to make your database accessible from the public Internet, set this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The default is false, which means the database is only accessible from within the VPC, which is much more secure. This flag MUST be false for serverless mode. -

    -
  • -
  • -

    - - replica_backup_retention_period - - How many days to keep backup snapshots around before cleaning them up on the read replicas. Must be 1 or greater to support read replicas. 0 means disable automated backups. -

    -
  • -
  • -

    - - share_snapshot_max_snapshots - - The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - share_snapshot_schedule_expression - - An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if var.share_snapshot_with_another_account is true -

    -
  • -
  • -

    - - share_snapshot_with_account_id - - The ID of the AWS Account that the snapshot should be shared with. Required if var.share_snapshot_with_another_account is true. -

    -
  • -
  • -

    - - share_snapshot_with_another_account - - If set to true, take periodic snapshots of the RDS DB that should be shared with another account. -

    -
  • -
  • -

    - - skip_final_snapshot - - Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data! You almost never want to set this to true, unless you are doing automated or manual testing. -

    -
  • -
  • -

    - - snapshot_identifier - - If non-null, the RDS Instance will be restored from the given Snapshot ID. This is the Snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. -

    -
  • -
  • -

    - - storage_encrypted - - Specifies whether the DB instance is encrypted. -

    -
  • -
  • -

    - - subnet_ids - - The list of IDs of the subnets in which to deploy RDS. The list must only contain subnets in var.vpc_id. -

    -
  • -
  • -

    - - too_many_db_connections_threshold - - Trigger an alarm if the number of connections to the DB instance goes above this threshold. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy RDS. -

    -
  • -
-
- - - + + + + +* [**`alarms_sns_topic_arns`**](#alarms_sns_topic_arns) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the share snapshot backup job fails. + + + +* [**`allocated_storage`**](#allocated_storage) — The amount of storage space the DB should use, in GB. + + + +* [**`allow_connections_from_cidr_blocks`**](#allow_connections_from_cidr_blocks) — The list of network CIDR blocks to allow network access to RDS from. One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`allow_connections_from_security_groups`**](#allow_connections_from_security_groups) — The list of IDs or Security Groups to allow network access to RDS from. All security groups must either be in the VPC specified by [`vpc_id`](#vpc_id), or a peered VPC with the VPC specified by [`vpc_id`](#vpc_id). One of [`allow_connections_from_cidr_blocks`](#allow_connections_from_cidr_blocks) or [`allow_connections_from_security_groups`](#allow_connections_from_security_groups) must be specified for the database to be reachable. + + + +* [**`allow_manage_key_permissions_with_iam`**](#allow_manage_key_permissions_with_iam) — If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient. + + + +* [**`apply_immediately`**](#apply_immediately) — Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime. 
+ + + +* [**`backup_job_alarm_period`**](#backup_job_alarm_period) — How often, in seconds, the backup job is expected to run. This is the same as [`schedule_expression`](#schedule_expression), but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in [`create_snapshot_cloudwatch_metric_namespace`](#create_snapshot_cloudwatch_metric_namespace) isn't updated within this time period, as that indicates the backup failed to run. + + + +* [**`backup_retention_period`**](#backup_retention_period) — How many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. + + + +* [**`backup_window`**](#backup_window) — The daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs. + + + +* [**`cmk_administrator_iam_arns`**](#cmk_administrator_iam_arns) — A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and [`kms_key_arn`](#kms_key_arn) is null, the ARN of the current user will be used. + + + +* [**`cmk_external_user_iam_arns`**](#cmk_external_user_iam_arns) — A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root). + + + +* [**`cmk_user_iam_arns`**](#cmk_user_iam_arns) — A list of IAM ARNs for users who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and [`kms_key_arn`](#kms_key_arn) is null, the ARN of the current user will be used. + + + +* [**`create_custom_kms_key`**](#create_custom_kms_key) — If set to true, create a KMS CMK and use it to encrypt data on disk in the database. 
The permissions for this CMK will be assigned by the following variables: [`cmk_administrator_iam_arns`](#cmk_administrator_iam_arns), [`cmk_user_iam_arns`](#cmk_user_iam_arns), [`cmk_external_user_iam_arns`](#cmk_external_user_iam_arns), [`allow_manage_key_permissions`](#allow_manage_key_permissions). + + + +* [**`create_snapshot_cloudwatch_metric_namespace`**](#create_snapshot_cloudwatch_metric_namespace) — The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. + + + +* [**`custom_parameter_group`**](#custom_parameter_group) — Configure a custom parameter group for the RDS DB. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group. + + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the RDS Instance and the Security Group created for it. The key is the tag name and the value is the tag value. + + + +* [**`dashboard_cpu_usage_widget_parameters`**](#dashboard_cpu_usage_widget_parameters) — Parameters for the cpu usage widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_db_connections_widget_parameters`**](#dashboard_db_connections_widget_parameters) — Parameters for the database connections widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_disk_space_widget_parameters`**](#dashboard_disk_space_widget_parameters) — Parameters for the available disk space widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_memory_widget_parameters`**](#dashboard_memory_widget_parameters) — Parameters for the available memory widget to output for use in a CloudWatch dashboard. 
+ + + +* [**`dashboard_read_latency_widget_parameters`**](#dashboard_read_latency_widget_parameters) — Parameters for the read latency widget to output for use in a CloudWatch dashboard. + + + +* [**`dashboard_write_latency_widget_parameters`**](#dashboard_write_latency_widget_parameters) — Parameters for the read latency widget to output for use in a CloudWatch dashboard. + + + +* [**`db_config_secrets_manager_id`**](#db_config_secrets_manager_id) — The friendly name or ARN of an AWS Secrets Manager secret that contains database configuration information in the format outlined by this document: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html. The engine, username, password, dbname, and port fields must be included in the JSON. Note that even with this precaution, this information will be stored in plaintext in the Terraform state file! See the following blog post for more details: https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code-1d586955ace1. If you do not wish to use Secrets Manager, leave this as null, and use the [`master_username`](#master_username), [`master_password`](#master_password), [`db_name`](#db_name), engine, and port variables. + + + +* [**`db_name`**](#db_name) — The name for your database of up to 8 alpha-numeric characters. If you do not provide a name, Amazon RDS will not create an empty database on the RDS instance. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`delete_automated_backups`**](#delete_automated_backups) — Specifies whether to remove automated backups immediately after the DB instance is deleted + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. 
If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. + + + +* [**`enable_deletion_protection`**](#enable_deletion_protection) — Enable deletion protection on the RDS instance. If this is enabled, the database cannot be deleted prior to disabling + + + +* [**`enable_perf_alarms`**](#enable_perf_alarms) — Set to true to enable alarms related to performance, such as read and write latency alarms. Set to false to disable those alarms if you aren't sure what would be reasonable perf numbers for your RDS set up or if those numbers are too unpredictable. + + + +* [**`enable_share_snapshot_cloudwatch_alarms`**](#enable_share_snapshot_cloudwatch_alarms) — When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`enabled_cloudwatch_logs_exports`**](#enabled_cloudwatch_logs_exports) — List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL) and upgrade (PostgreSQL). + + + +* [**`engine`**](#engine) — The DB engine to use (e.g. mysql). This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`engine_version`**](#engine_version) — The version of var.engine to use (e.g. 8.0.17 for mysql). + + + +* [**`high_cpu_utilization_period`**](#high_cpu_utilization_period) — The period, in seconds, over which to measure the CPU utilization percentage. 
+ + + +* [**`high_cpu_utilization_threshold`**](#high_cpu_utilization_threshold) — Trigger an alarm if the DB instance has a CPU utilization percentage above this threshold. + + + +* [**`high_read_latency_period`**](#high_read_latency_period) — The period, in seconds, over which to measure the read latency. + + + +* [**`high_read_latency_threshold`**](#high_read_latency_threshold) — Trigger an alarm if the DB instance read latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. + + + +* [**`high_write_latency_period`**](#high_write_latency_period) — The period, in seconds, over which to measure the write latency. + + + +* [**`high_write_latency_threshold`**](#high_write_latency_threshold) — Trigger an alarm if the DB instance write latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold. + + + +* [**`iam_database_authentication_enabled`**](#iam_database_authentication_enabled) — Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Disabled by default. + + + +* [**`instance_type`**](#instance_type) — The instance type to use for the db (e.g. db.t3.micro) + + + +* [**`kms_key_arn`**](#kms_key_arn) — The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK) that will be used to encrypt/decrypt backup files. If you leave this blank, the default RDS KMS key for the account will be used. If you set [`create_custom_kms_key`](#create_custom_kms_key) to true, this value will be ignored and a custom key will be created and used instead. + + + +* [**`license_model`**](#license_model) — The license model to use for this DB. Check the docs for your RDS DB for available license models. Set to an empty string to use the default. + + + +* [**`low_disk_space_available_period`**](#low_disk_space_available_period) — The period, in seconds, over which to measure the available free disk space. 
+ + + +* [**`low_disk_space_available_threshold`**](#low_disk_space_available_threshold) — Trigger an alarm if the amount of disk space, in Bytes, on the DB instance drops below this threshold. + + + +* [**`low_memory_available_period`**](#low_memory_available_period) — The period, in seconds, over which to measure the available free memory. + + + +* [**`low_memory_available_threshold`**](#low_memory_available_threshold) — Trigger an alarm if the amount of free memory, in Bytes, on the DB instance drops below this threshold. + + + +* [**`master_password`**](#master_password) — The value to use for the master password of the database. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`master_username`**](#master_username) — The value to use for the master username of the database. This can also be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`max_allocated_storage`**](#max_allocated_storage) — When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to [`allocated_storage`](#allocated_storage). Must be greater than or equal to [`allocated_storage`](#allocated_storage) or 0 to disable Storage Autoscaling. + + + +* [**`multi_az`**](#multi_az) — Specifies if a standby instance should be deployed in another availability zone. If the primary fails, this instance will automatically take over. + + + +* [**`name`**](#name) — The name used to namespace all the RDS resources created by these templates, including the cluster and cluster instances (e.g. mysql-stage). Must be unique in this region. Must be a lowercase string. + + + +* [**`num_read_replicas`**](#num_read_replicas) — The number of read replicas to deploy + + + +* [**`port`**](#port) — The port the DB will listen on (e.g. 
3306). Alternatively, this can be provided via AWS Secrets Manager. See the description of [`db_config_secrets_manager_id`](#db_config_secrets_manager_id). + + + +* [**`publicly_accessible`**](#publicly_accessible) — If you wish to make your database accessible from the public Internet, set this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The default is false, which means the database is only accessible from within the VPC, which is much more secure. This flag MUST be false for serverless mode. + + + +* [**`replica_backup_retention_period`**](#replica_backup_retention_period) — How many days to keep backup snapshots around before cleaning them up on the read replicas. Must be 1 or greater to support read replicas. 0 means disable automated backups. + + + +* [**`share_snapshot_max_snapshots`**](#share_snapshot_max_snapshots) — The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`share_snapshot_schedule_expression`**](#share_snapshot_schedule_expression) — An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true + + + +* [**`share_snapshot_with_account_id`**](#share_snapshot_with_account_id) — The ID of the AWS Account that the snapshot should be shared with. Required if [`share_snapshot_with_another_account`](#share_snapshot_with_another_account) is true. + + + +* [**`share_snapshot_with_another_account`**](#share_snapshot_with_another_account) — If set to true, take periodic snapshots of the RDS DB that should be shared with another account. 
+ + + +* [**`skip_final_snapshot`**](#skip_final_snapshot) — Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data! You almost never want to set this to true, unless you are doing automated or manual testing. + + + +* [**`snapshot_identifier`**](#snapshot_identifier) — If non-null, the RDS Instance will be restored from the given Snapshot ID. This is the Snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. + + + +* [**`storage_encrypted`**](#storage_encrypted) — Specifies whether the DB instance is encrypted. + + + +* [**`subnet_ids`**](#subnet_ids) — The list of IDs of the subnets in which to deploy RDS. The list must only contain subnets in [`vpc_id`](#vpc_id). + + + +* [**`too_many_db_connections_threshold`**](#too_many_db_connections_threshold) — Trigger an alarm if the number of connections to the DB instance goes above this threshold. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy RDS. + + + + + + +* [**`all_metric_widgets`**](#all_metric_widgets) — A list of all the CloudWatch Dashboard metric widgets available in this module. + + + +* [**`db_name`**](#db_name) — The name of the empty database created on this RDS DB instance. + + + +* [**`metric_widget_rds_cpu_usage`**](#metric_widget_rds_cpu_usage) — A CloudWatch Dashboard widget that graphs CPU usage (percentage) on the RDS DB instance. + + + +* [**`metric_widget_rds_db_connections`**](#metric_widget_rds_db_connections) — A CloudWatch Dashboard widget that graphs the number of active database connections on the RDS DB Instance. + + + +* [**`metric_widget_rds_disk_space`**](#metric_widget_rds_disk_space) — A CloudWatch Dashboard widget that graphs available disk space (in bytes) on the RDS DB instance. 
+ + + +* [**`metric_widget_rds_memory`**](#metric_widget_rds_memory) — A CloudWatch Dashboard widget that graphs available memory (in bytes) on the RDS DB instance. + + + +* [**`metric_widget_rds_read_latency`**](#metric_widget_rds_read_latency) — A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on reads. + + + +* [**`metric_widget_rds_write_latency`**](#metric_widget_rds_write_latency) — A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on writes. + + + +* [**`name`**](#name) — The name of the RDS DB instance. + + + +* [**`num_read_replicas`**](#num_read_replicas) — The number of read replicas for the RDS DB instance. + + + +* [**`port`**](#port) — The port of the RDS DB instance. + + + +* [**`primary_arn`**](#primary_arn) — The ARN of the RDS DB instance. + + + +* [**`primary_endpoint`**](#primary_endpoint) — The endpoint of the RDS DB instance that you can make requests to. + + + +* [**`primary_host`**](#primary_host) — The host portion of the RDS DB instance endpoint. [`primary_endpoint`](#primary_endpoint) is in the form '<host>:<port>', and this output returns just the host part. + + + +* [**`primary_id`**](#primary_id) — The ID of the RDS DB instance. + + + +* [**`read_replica_arns`**](#read_replica_arns) — A list of ARNs of the RDS DB instance's read replicas. + + + +* [**`read_replica_endpoints`**](#read_replica_endpoints) — A list of endpoints of the RDS DB instance's read replicas. + + + +* [**`read_replica_ids`**](#read_replica_ids) — A list of IDs of the RDS DB instance's read replicas. + + + +* [**`security_group_id`**](#security_group_id) — The ID of the Security Group that controls access to the RDS DB instance. + +
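Review bot: three of the new cross-links in the amazon-rds.md hunk point at anchors that no variable in the list defines, so they will not navigate anywhere on the rendered page. In the `backup_job_alarm_period` entry, `(#schedule_expression)` has no matching variable (the only schedule variable in this file is `share_snapshot_schedule_expression`); in `create_custom_kms_key`, `(#allow_manage_key_permissions)` should be `(#allow_manage_key_permissions_with_iam)`; and in `enable_cloudwatch_alarms`, `(#alarms_sns_topic_arn)` should be the plural `(#alarms_sns_topic_arns)`. Related: the inputs and outputs now share anchors for `db_name`, `name`, `num_read_replicas` and `port`, so a link to `#port` resolves to whichever heading the renderer emits first; an output-specific anchor (or prefixed heading ids) would make those links deterministic. Two leftovers worth fixing while touching these lines: the `engine_version` and `db_config_secrets_manager_id` entries still say `var.engine` and "engine, and port variables" in plain text instead of linking `(#engine)` and `(#port)` like their neighbours, and the `dashboard_write_latency_widget_parameters` description still reads "Parameters for the read latency widget", a copy-paste error carried over from the old text.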
diff --git a/docs/reference/services/data-storage/s-3-bucket.md b/docs/reference/services/data-storage/s-3-bucket.md index f6e1e294a..2e526d7b5 100644 --- a/docs/reference/services/data-storage/s-3-bucket.md +++ b/docs/reference/services/data-storage/s-3-bucket.md @@ -10,250 +10,147 @@ Deploy an S3 bucket for data storage, with support for access logging, versionin ### Reference - -
    - -
  • -

    - - access_logging_bucket - - The S3 bucket where access logs for this bucket should be stored. Set to null to disable access logging. -

    -
  • -
  • -

    - - access_logging_bucket_ownership - - Configure who will be the default owner of objects uploaded to the access logs S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. -

    -
  • -
  • -

    - - access_logging_bucket_policy_statements - - The IAM policy to apply to the S3 bucket used to store access logs. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. -

    -
  • -
  • -

    - - access_logging_prefix - - A prefix (i.e., folder path) to use for all access logs stored in access_logging_bucket. Only used if access_logging_bucket is specified. -

    -
  • -
  • -

    - - bucket_kms_key_arn - - Optional KMS key to use for encrypting data in the S3 bucket. If null, data in S3 will be encrypted using the default aws/s3 key. If provided, the key policy of the provided key must allow whoever is writing to this bucket to use that key. -

    -
  • -
  • -

    - - bucket_ownership - - Configure who will be the default owner of objects uploaded to this S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. -

    -
  • -
  • -

    - - bucket_policy_statements - - The IAM policy to apply to this S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. -

    -
  • -
  • -

    - - bucket_sse_algorithm - - The server-side encryption algorithm to use on the bucket. Valid values are AES256 and aws:kms. To disable server-side encryption, set var.enable_sse to false. -

    -
  • -
  • -

    - - cors_rules - - CORS rules to set on this S3 bucket -

    -
  • -
  • -

    - - enable_sse - - Set to true to enable server-side encryption for this bucket. You can control the algorithm using var.sse_algorithm. -

    -
  • -
  • -

    - - enable_versioning - - Set to true to enable versioning for this bucket. If enabled, instead of overriding objects, the S3 bucket will always create a new version of each object, so all the old values are retained. -

    -
  • -
  • -

    - - force_destroy_logs - - If set to true, when you run 'terraform destroy', delete all objects from the logs bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - force_destroy_primary - - If set to true, when you run 'terraform destroy', delete all objects from the primary bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - force_destroy_replica - - If set to true, when you run 'terraform destroy', delete all objects from the replica bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. Only used if enable_versioning is true. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - primary_bucket - - What to name the S3 bucket. Note that S3 bucket names must be globally unique across all AWS users! -

    -
  • -
  • -

    - - replica_bucket - - The S3 bucket that will be the replica of this bucket. Set to null to disable replication. -

    -
  • -
  • -

    - - replica_bucket_already_exists - - If set to true, replica bucket will be expected to already exist. -

    -
  • -
  • -

    - - replica_bucket_ownership - - Configure who will be the default owner of objects uploaded to the replica S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. -

    -
  • -
  • -

    - - replica_bucket_policy_statements - - The IAM policy to apply to the replica S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. -

    -
  • -
  • -

    - - replica_enable_sse - - Set to true to enable server-side encryption for the replica bucket. You can control the algorithm using var.replica_sse_algorithm. -

    -
  • -
  • -

    - - replica_region - - The AWS region for the replica bucket. -

    -
  • -
  • -

    - - replica_sse_algorithm - - The server-side encryption algorithm to use on the replica bucket. Valid values are AES256 and aws:kms. To disable server-side encryption, set var.replica_enable_sse to false. -

    -
  • -
  • -

    - - replication_role - - The ARN of the IAM role for Amazon S3 to assume when replicating objects. Only used if replication_bucket is specified. -

    -
  • -
  • -

    - - replication_rules - - The rules for managing replication. Only used if replication_bucket is specified. This should be a map, where the key is a unique ID for each replication rule and the value is an object of the form explained in a comment above. -

    -
  • -
  • -

    - - tags - - A map of tags to apply to the S3 Bucket. These tags will also be applied to the access logging and replica buckets (if any). The key is the tag name and the value is the tag value. -

    -
  • -
-
- - - + + + + +* [**`access_logging_bucket`**](#access_logging_bucket) — The S3 bucket where access logs for this bucket should be stored. Set to null to disable access logging. + + + +* [**`access_logging_bucket_ownership`**](#access_logging_bucket_ownership) — Configure who will be the default owner of objects uploaded to the access logs S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. + + + +* [**`access_logging_bucket_policy_statements`**](#access_logging_bucket_policy_statements) — The IAM policy to apply to the S3 bucket used to store access logs. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. + + + +* [**`access_logging_prefix`**](#access_logging_prefix) — A prefix (i.e., folder path) to use for all access logs stored in [`access_logging_bucket`](#access_logging_bucket). Only used if [`access_logging_bucket`](#access_logging_bucket) is specified. + + + +* [**`bucket_kms_key_arn`**](#bucket_kms_key_arn) — Optional KMS key to use for encrypting data in the S3 bucket. If null, data in S3 will be encrypted using the default aws/s3 key. If provided, the key policy of the provided key must allow whoever is writing to this bucket to use that key. + + + +* [**`bucket_ownership`**](#bucket_ownership) — Configure who will be the default owner of objects uploaded to this S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). 
Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. + + + +* [**`bucket_policy_statements`**](#bucket_policy_statements) — The IAM policy to apply to this S3 bucket. You can use this to grant read/write access. This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. + + + +* [**`bucket_sse_algorithm`**](#bucket_sse_algorithm) — The server-side encryption algorithm to use on the bucket. Valid values are AES256 and aws:kms. To disable server-side encryption, set [`enable_sse`](#enable_sse) to false. + + + +* [**`cors_rules`**](#cors_rules) — CORS rules to set on this S3 bucket + + + +* [**`enable_sse`**](#enable_sse) — Set to true to enable server-side encryption for this bucket. You can control the algorithm using [`sse_algorithm`](#sse_algorithm). + + + +* [**`enable_versioning`**](#enable_versioning) — Set to true to enable versioning for this bucket. If enabled, instead of overriding objects, the S3 bucket will always create a new version of each object, so all the old values are retained. + + + +* [**`force_destroy_logs`**](#force_destroy_logs) — If set to true, when you run 'terraform destroy', delete all objects from the logs bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`force_destroy_primary`**](#force_destroy_primary) — If set to true, when you run 'terraform destroy', delete all objects from the primary bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! 
+ + + +* [**`force_destroy_replica`**](#force_destroy_replica) — If set to true, when you run 'terraform destroy', delete all objects from the replica bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`mfa_delete`**](#mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. Only used if [`enable_versioning`](#enable_versioning) is true. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`primary_bucket`**](#primary_bucket) — What to name the S3 bucket. Note that S3 bucket names must be globally unique across all AWS users! + + + +* [**`replica_bucket`**](#replica_bucket) — The S3 bucket that will be the replica of this bucket. Set to null to disable replication. + + + +* [**`replica_bucket_already_exists`**](#replica_bucket_already_exists) — If set to true, replica bucket will be expected to already exist. + + + +* [**`replica_bucket_ownership`**](#replica_bucket_ownership) — Configure who will be the default owner of objects uploaded to the replica S3 bucket: must be one of BucketOwnerPreferred (the bucket owner owns objects), ObjectWriter (the writer of each object owns that object), or null (don't configure this feature). Note that this setting only takes effect if the object is uploaded with the bucket-owner-full-control canned ACL. See https://docs.aws.amazon.com/AmazonS3/latest/dev/about-object-ownership.html for more info. + + + +* [**`replica_bucket_policy_statements`**](#replica_bucket_policy_statements) — The IAM policy to apply to the replica S3 bucket. You can use this to grant read/write access. 
This should be a map, where each key is a unique statement ID (SID), and each value is an object that contains the parameters defined in the comment above. + + + +* [**`replica_enable_sse`**](#replica_enable_sse) — Set to true to enable server-side encryption for the replica bucket. You can control the algorithm using [`replica_sse_algorithm`](#replica_sse_algorithm). + + + +* [**`replica_region`**](#replica_region) — The AWS region for the replica bucket. + + + +* [**`replica_sse_algorithm`**](#replica_sse_algorithm) — The server-side encryption algorithm to use on the replica bucket. Valid values are AES256 and aws:kms. To disable server-side encryption, set [`replica_enable_sse`](#replica_enable_sse) to false. + + + +* [**`replication_role`**](#replication_role) — The ARN of the IAM role for Amazon S3 to assume when replicating objects. Only used if [`replication_bucket`](#replication_bucket) is specified. + + + +* [**`replication_rules`**](#replication_rules) — The rules for managing replication. Only used if [`replication_bucket`](#replication_bucket) is specified. This should be a map, where the key is a unique ID for each replication rule and the value is an object of the form explained in a comment above. + + + +* [**`tags`**](#tags) — A map of tags to apply to the S3 Bucket. These tags will also be applied to the access logging and replica buckets (if any). The key is the tag name and the value is the tag value. + + + + + + +* [**`access_logging_bucket_name`**](#access_logging_bucket_name) — The name of the access logging S3 bucket. + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The Route 53 Hosted Zone ID for this bucket's region. + + + +* [**`primary_bucket_arn`**](#primary_bucket_arn) — The ARN of the S3 bucket. + + + +* [**`primary_bucket_domain_name`**](#primary_bucket_domain_name) — The bucket domain name. Will be of format bucketname.s3.amazonaws.com. + + + +* [**`primary_bucket_name`**](#primary_bucket_name) — The name of the primary S3 bucket. 
+ + + +* [**`primary_bucket_regional_domain_name`**](#primary_bucket_regional_domain_name) — The bucket region-specific domain name. The bucket domain name including the region name, please refer here for format. Note: The AWS CloudFront allows specifying S3 region-specific endpoint when creating S3 origin, it will prevent redirect issues from CloudFront to S3 Origin URL. + + + +* [**`replica_bucket_name`**](#replica_bucket_name) — The name of the replica S3 bucket. + +
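Review bot: three of the new cross-links in this hunk point at anchors that are not in the variable list, so the navigation this PR is meant to fix still breaks for them. `enable_sse` now reads "You can control the algorithm using [`sse_algorithm`](#sse_algorithm)", but the variable documented above it is `bucket_sse_algorithm`, so the link should be `[`bucket_sse_algorithm`](#bucket_sse_algorithm)`. Likewise `replication_role` and `replication_rules` both say "Only used if [`replication_bucket`](#replication_bucket) is specified", while the variable in this list is `replica_bucket`; the removed `- -` lines show the same `replication_bucket` wording was already present in the plain text, so the name is wrong as well as the anchor, and both entries should point at `[`replica_bucket`](#replica_bucket)`. Minor: the `primary_bucket_regional_domain_name` output still says "please refer here for format" with no link behind "here"; either attach the URL or drop the phrase.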
diff --git a/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md index 67936b91f..464ff5f50 100644 --- a/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md @@ -10,1083 +10,623 @@ A security baseline for AWS Landing Zone for configuring app accounts (dev, stag ### Reference - -
    - -
  • -

    - - additional_config_rules - - Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details -

    -
  • -
  • -

    - - allow_auto_deploy_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in var.auto_deploy_permissions. -

    -
  • -
  • -

    - - allow_billing_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. -

    -
  • -
  • -

    - - allow_cloudtrail_access_with_iam - - If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in var.kms_key_user_iam_arns will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) -

    -
  • -
  • -

    - - allow_dev_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in var.dev_permitted_services. -

    -
  • -
  • -

    - - allow_full_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. -

    -
  • -
  • -

    - - allow_logs_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If var.cloudtrail_kms_key_arn is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. -

    -
  • -
  • -

    - - allow_read_only_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. -

    -
  • -
  • -

    - - allow_ssh_grunt_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. -

    -
  • -
  • -

    - - allow_support_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account. -

    -
  • -
  • -

    - - auto_deploy_permissions - - A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If var.should_create_iam_group_auto_deploy is true, the list must have at least one element (e.g. '*'). -

    -
  • -
  • -

    - - aws_account_id - - The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. -

    -
  • -
  • -

    - - aws_region - - The AWS Region to use as the global config recorder and seed region for GuardDuty. -

    -
  • -
  • -

    - - cloudtrail_allow_kms_describe_key_to_external_aws_accounts - - Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. -

    -
  • -
  • -

    - - cloudtrail_cloudwatch_logs_group_name - - Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. -

    -
  • -
  • -

    - - cloudtrail_data_logging_enabled - - If true, logging of data events will be enabled. -

    -
  • -
  • -

    - - cloudtrail_data_logging_include_management_events - - Specify if you want your event selector to include management events for your trail. -

    -
  • -
  • -

    - - cloudtrail_data_logging_read_write_type - - Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. -

    -
  • -
  • -

    - - cloudtrail_data_logging_resources - - Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource' block within the 'event_selector' block of the 'aws_cloudtrail' resource for context: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource. -

    -
  • -
  • -

    - - cloudtrail_external_aws_account_ids_with_write_access - - Provide a list of AWS account IDs that will be allowed to send CloudTrail logs to this account. This is only required if you are aggregating CloudTrail logs in this account (e.g., this is the logs account) from other accounts. -

    -
  • -
  • -

    - - cloudtrail_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - cloudtrail_kms_key_administrator_iam_arns - - All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., if this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given administrator permissions for CMK, including the ability to change who can access this CMK and the extended log data it protects. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists (e.g., if this is the stage or prod account), set this parameter to an empty list. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn - - All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists (e.g., if this is the stage or prod account and you want to use a CMK that already exists in the logs account), set this to the ARN of that CMK. Otherwise (e.g., if this is the logs account), set this to null, and a new CMK will be created. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn_is_alias - - If the kms_key_arn provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires var.cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be true for multi-account scenarios. -

    -
  • -
  • -

    - - cloudtrail_kms_key_user_iam_arns - - All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given user access to this CMK, which will allow this user to read CloudTrail Logs. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists, set this parameter to an empty list (e.g., if this is the stage or prod account). -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_to_retain_cloudwatch_logs - - After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. -

    -
  • -
  • -

    - - cloudtrail_s3_bucket_already_exists - - Set to false to create an S3 bucket of name var.cloudtrail_s3_bucket_name in this account for storing CloudTrail logs (e.g., if this is the logs account). Set to true to assume the bucket specified in var.cloudtrail_s3_bucket_name already exists in another AWS account (e.g., if this is the stage or prod account and var.cloudtrail_s3_bucket_name is the name of a bucket in the logs account). -

    -
  • -
  • -

    - - cloudtrail_s3_bucket_name - - The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account (e.g., if this is the logs account) or the name of a bucket in another AWS account where logs should be sent (e.g., if this is the stage or prod account and you're specifying the name of a bucket in the logs account). -

    -
  • -
  • -

    - - cloudtrail_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - cloudtrail_tags - - Tags to apply to the CloudTrail resources. -

    -
  • -
  • -

    - - config_aggregate_config_data_in_external_account - - Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the config_central_account_id variable. This redundant variable has to exist because Terraform does not allow computed data in count and for_each parameters and var.config_central_account_id may be computed if its the ID of a newly-created AWS account. -

    -
  • -
  • -

    - - config_central_account_id - - If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account (e.g., if this is the stage or prod account, set this to the ID of the logs account). If the S3 bucket and SNS topics live in this account (e.g., this is the logs account), set this variable to null. Only used if var.config_aggregate_config_data_in_external_account is true. -

    -
  • -
  • -

    - - config_create_account_rules - - Set to true to create AWS Config rules directly in this account. Set false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts. -

    -
  • -
  • -

    - - config_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - config_linked_accounts - - Provide a list of AWS account IDs that will be allowed to send AWS Config data to this account. This is only required if you are aggregating config data in this account (e.g., this is the logs account) from other accounts. -

    -
  • -
  • -

    - - config_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - config_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - config_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. -

    -
  • -
  • -

    - - config_s3_bucket_name - - The name of the S3 Bucket where Config items will be stored. Can be in the same account or in another account. -

    -
  • -
  • -

    - - config_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - config_should_create_s3_bucket - - Set to true to create an S3 bucket of name var.config_s3_bucket_name in this account for storing AWS Config data (e.g., if this is the logs account). Set to false to assume the bucket specified in var.config_s3_bucket_name already exists in another AWS account (e.g., if this is the stage or prod account and var.config_s3_bucket_name is the name of a bucket in the logs account). -

    -
  • -
  • -

    - - config_should_create_sns_topic - - set to true to create an sns topic in this account for sending aws config notifications (e.g., if this is the logs account). set to false to assume the topic specified in var.config_sns_topic_name already exists in another aws account (e.g., if this is the stage or prod account and var.config_sns_topic_name is the name of an sns topic in the logs account). -

    -
  • -
  • -

    - - config_sns_topic_name - - the name of the sns topic in where aws config notifications will be sent. can be in the same account or in another account. -

    -
  • -
  • -

    - - config_tags - - A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - configrules_maximum_execution_frequency - - The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency -

    -
  • -
  • -

    - - dev_permitted_services - - A list of AWS services for which the developers from the accounts in var.allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. -

    -
  • -
  • -

    - - ebs_enable_encryption - - If set to true (default), all new EBS volumes will have encryption enabled by default -

    -
  • -
  • -

    - - ebs_kms_key_name - - The name of the KMS CMK to use by default for encrypting EBS volumes, if var.enable_encryption and var.use_existing_kms_keys are enabled. The name must match the name given the var.kms_customer_master_keys variable. -

    -
  • -
  • -

    - - ebs_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - ebs_use_existing_kms_keys - - If set to true, the KMS Customer Managed Keys (CMK) with the name in var.ebs_kms_key_name will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. -

    -
  • -
  • -

    - - enable_cloudtrail - - Set to true (default) to enable CloudTrail in this app account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default. -

    -
  • -
  • -

    - - enable_config - - Set to true to enable AWS Config in this app account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored). -

    -
  • -
  • -

    - - enable_encrypted_volumes - - Checks whether the EBS volumes that are in an attached state are encrypted. -

    -
  • -
  • -

    - - enable_iam_access_analyzer - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_cross_account_roles - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_password_policy - - Checks whether the account password policy for IAM users meets the specified requirements. -

    -
  • -
  • -

    - - enable_iam_user_password_policy - - Set to true (default) to enable the IAM User Password Policies in this app account. Set to false to disable the policies. (Note: all other IAM User Password Policy variables will be ignored). -

    -
  • -
  • -

    - - enable_insecure_sg_rules - - Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. -

    -
  • -
  • -

    - - enable_rds_storage_encrypted - - Checks whether storage encryption is enabled for your RDS DB instances. -

    -
  • -
  • -

    - - enable_root_account_mfa - - Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. -

    -
  • -
  • -

    - - enable_s3_bucket_public_read_prohibited - - Checks that your Amazon S3 buckets do not allow public read access. -

    -
  • -
  • -

    - - enable_s3_bucket_public_write_prohibited - - Checks that your Amazon S3 buckets do not allow public write access. -

    -
  • -
  • -

    - - encrypted_volumes_kms_id - - ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. -

    -
  • -
  • -

    - - guardduty_cloudwatch_event_rule_name - - Name of the Cloudwatch event rules. -

    -
  • -
  • -

    - - guardduty_finding_publishing_frequency - - Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. -

    -
  • -
  • -

    - - guardduty_findings_sns_topic_name - - Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true. -

    -
  • -
  • -

    - - guardduty_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - guardduty_publish_findings_to_sns - - Send GuardDuty findings to SNS topics specified by findings_sns_topic_name. -

    -
  • -
  • -

    - - iam_access_analyzer_name - - The name of the IAM Access Analyzer module -

    -
  • -
  • -

    - - iam_access_analyzer_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - iam_access_analyzer_type - - If set to ORGANIZATION, the analyzer will be scanning the current organization and any policies that refer to linked resources such as S3, IAM, Lambda and SQS policies. -

    -
  • -
  • -

    - - iam_password_policy_allow_users_to_change_password - - Allow users to change their own password. -

    -
  • -
  • -

    - - iam_password_policy_hard_expiry - - Password expiration requires administrator reset. -

    -
  • -
  • -

    - - iam_password_policy_max_password_age - - Number of days before password expiration. -

    -
  • -
  • -

    - - iam_password_policy_minimum_password_length - - Password minimum length. -

    -
  • -
  • -

    - - iam_password_policy_password_reuse_prevention - - Number of passwords before allowing reuse. -

    -
  • -
  • -

    - - iam_password_policy_require_lowercase_characters - - Require at least one lowercase character in password. -

    -
  • -
  • -

    - - iam_password_policy_require_numbers - - Require at least one number in password. -

    -
  • -
  • -

    - - iam_password_policy_require_symbols - - Require at least one symbol in password. -

    -
  • -
  • -

    - - iam_password_policy_require_uppercase_characters - - Require at least one uppercase character in password. -

    -
  • -
  • -

    - - iam_role_tags - - The tags to apply to all the IAM role resources. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_tcp_ports - - Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_udp_ports - - Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. -

    -
  • -
  • -

    - - kms_cmk_global_tags - - A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - kms_cmk_opt_in_regions - - Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - kms_customer_master_keys - - You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key. -

    -
  • -
  • -

    - - kms_grant_regions - - The map of names of KMS grants to the region where the key resides in. There should be a one to one mapping between entries in this map and the entries of the kms_grants map. This is used to workaround a terraform limitation where the for_each value can not depend on resources. -

    -
  • -
  • -

    - - kms_grants - - Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account. -

    -
  • -
  • -

    - - max_session_duration_human_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see var.max_session_duration_machine_users. -

    -
  • -
  • -

    - - max_session_duration_machine_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see var.max_session_duration_human_users. -

    -
  • -
  • -

    - - name_prefix - - The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. -

    -
  • -
  • -

    - - rds_storage_encrypted_kms_id - - KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. -

    -
  • -
  • -

    - - service_linked_roles - - Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles. -

    -
  • -
  • -

    - - should_require_mfa - - Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) -

    -
  • -
-
- - - + + + + +* [**`additional_config_rules`**](#additional_config_rules) — Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details + + + +* [**`allow_auto_deploy_from_other_account_arns`**](#allow_auto_deploy_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in [`auto_deploy_permissions`](#auto_deploy_permissions). + + + +* [**`allow_billing_access_from_other_account_arns`**](#allow_billing_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. + + + +* [**`allow_cloudtrail_access_with_iam`**](#allow_cloudtrail_access_with_iam) — If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in [`kms_key_user_iam_arns`](#kms_key_user_iam_arns) will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) + + + +* [**`allow_dev_access_from_other_account_arns`**](#allow_dev_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in [`dev_permitted_services`](#dev_permitted_services). + + + +* [**`allow_full_access_from_other_account_arns`**](#allow_full_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. + + + +* [**`allow_logs_access_from_other_account_arns`**](#allow_logs_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. 
If [`cloudtrail_kms_key_arn`](#cloudtrail_kms_key_arn) is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. + + + +* [**`allow_read_only_access_from_other_account_arns`**](#allow_read_only_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. + + + +* [**`allow_ssh_grunt_access_from_other_account_arns`**](#allow_ssh_grunt_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. + + + +* [**`allow_support_access_from_other_account_arns`**](#allow_support_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account. + + + +* [**`auto_deploy_permissions`**](#auto_deploy_permissions) — A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If [`should_create_iam_group_auto_deploy`](#should_create_iam_group_auto_deploy) is true, the list must have at least one element (e.g. '*'). + + + +* [**`aws_account_id`**](#aws_account_id) — The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. + + + +* [**`aws_region`**](#aws_region) — The AWS Region to use as the global config recorder and seed region for GuardDuty. + + + +* [**`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`**](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) — Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. + + + +* [**`cloudtrail_cloudwatch_logs_group_name`**](#cloudtrail_cloudwatch_logs_group_name) — Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. 
This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. + + + +* [**`cloudtrail_data_logging_enabled`**](#cloudtrail_data_logging_enabled) — If true, logging of data events will be enabled. + + + +* [**`cloudtrail_data_logging_include_management_events`**](#cloudtrail_data_logging_include_management_events) — Specify if you want your event selector to include management events for your trail. + + + +* [**`cloudtrail_data_logging_read_write_type`**](#cloudtrail_data_logging_read_write_type) — Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. + + + +* [**`cloudtrail_data_logging_resources`**](#cloudtrail_data_logging_resources) — Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the [`'data_resource`](#'data_resource)' block within the [`'event_selector`](#'event_selector)' block of the [`'aws_cloudtrail`](#'aws_cloudtrail)' resource for context: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource). + + + +* [**`cloudtrail_external_aws_account_ids_with_write_access`**](#cloudtrail_external_aws_account_ids_with_write_access) — Provide a list of AWS account IDs that will be allowed to send CloudTrail logs to this account. 
This is only required if you are aggregating CloudTrail logs in this account (e.g., this is the logs account) from other accounts. + + + +* [**`cloudtrail_force_destroy`**](#cloudtrail_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`cloudtrail_kms_key_administrator_iam_arns`**](#cloudtrail_kms_key_administrator_iam_arns) — All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., if this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given administrator permissions for CMK, including the ability to change who can access this CMK and the extended log data it protects. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists (e.g., if this is the stage or prod account), set this parameter to an empty list. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists (e.g., if this is the stage or prod account and you want to use a CMK that already exists in the logs account), set this to the ARN of that CMK. Otherwise (e.g., if this is the logs account), set this to null, and a new CMK will be created. + + + +* [**`cloudtrail_kms_key_arn_is_alias`**](#cloudtrail_kms_key_arn_is_alias) — If the [`kms_key_arn`](#kms_key_arn) provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. 
Setting this to true and using aliases requires [`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) to also be true for multi-account scenarios. + + + +* [**`cloudtrail_kms_key_user_iam_arns`**](#cloudtrail_kms_key_user_iam_arns) — All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If you are aggregating CloudTrail logs and creating the CMK in this account (e.g., this is the logs account), you MUST specify at least one IAM user (or other IAM ARN) that will be given user access to this CMK, which will allow this user to read CloudTrail Logs. If you are aggregating CloudTrail logs in another AWS account and the CMK already exists, set this parameter to an empty list (e.g., if this is the stage or prod account). + + + +* [**`cloudtrail_num_days_after_which_archive_log_data`**](#cloudtrail_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`cloudtrail_num_days_after_which_delete_log_data`**](#cloudtrail_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`cloudtrail_num_days_to_retain_cloudwatch_logs`**](#cloudtrail_num_days_to_retain_cloudwatch_logs) — After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. + + + +* [**`cloudtrail_s3_bucket_already_exists`**](#cloudtrail_s3_bucket_already_exists) — Set to false to create an S3 bucket of name [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) in this account for storing CloudTrail logs (e.g., if this is the logs account). 
Set to true to assume the bucket specified in [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) already exists in another AWS account (e.g., if this is the stage or prod account and [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) is the name of a bucket in the logs account). + + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account (e.g., if this is the logs account) or the name of a bucket in another AWS account where logs should be sent (e.g., if this is the stage or prod account and you're specifying the name of a bucket in the logs account). + + + +* [**`cloudtrail_s3_mfa_delete`**](#cloudtrail_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`cloudtrail_tags`**](#cloudtrail_tags) — Tags to apply to the CloudTrail resources. + + + +* [**`config_aggregate_config_data_in_external_account`**](#config_aggregate_config_data_in_external_account) — Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the [`config_central_account_id`](#config_central_account_id) variable. This redundant variable has to exist because Terraform does not allow computed data in count and [`for_each`](#for_each) parameters and [`config_central_account_id`](#config_central_account_id) may be computed if its the ID of a newly-created AWS account. 
+ + + +* [**`config_central_account_id`**](#config_central_account_id) — If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account (e.g., if this is the stage or prod account, set this to the ID of the logs account). If the S3 bucket and SNS topics live in this account (e.g., this is the logs account), set this variable to null. Only used if [`config_aggregate_config_data_in_external_account`](#config_aggregate_config_data_in_external_account) is true. + + + +* [**`config_create_account_rules`**](#config_create_account_rules) — Set to true to create AWS Config rules directly in this account. Set false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts. + + + +* [**`config_force_destroy`**](#config_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`config_linked_accounts`**](#config_linked_accounts) — Provide a list of AWS account IDs that will be allowed to send AWS Config data to this account. This is only required if you are aggregating config data in this account (e.g., this is the logs account) from other accounts. + + + +* [**`config_num_days_after_which_archive_log_data`**](#config_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`config_num_days_after_which_delete_log_data`**](#config_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. 
+ + + +* [**`config_opt_in_regions`**](#config_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. + + + +* [**`config_s3_bucket_name`**](#config_s3_bucket_name) — The name of the S3 Bucket where Config items will be stored. Can be in the same account or in another account. + + + +* [**`config_s3_mfa_delete`**](#config_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`config_should_create_s3_bucket`**](#config_should_create_s3_bucket) — Set to true to create an S3 bucket of name [`config_s3_bucket_name`](#config_s3_bucket_name) in this account for storing AWS Config data (e.g., if this is the logs account). Set to false to assume the bucket specified in [`config_s3_bucket_name`](#config_s3_bucket_name) already exists in another AWS account (e.g., if this is the stage or prod account and [`config_s3_bucket_name`](#config_s3_bucket_name) is the name of a bucket in the logs account). + + + +* [**`config_should_create_sns_topic`**](#config_should_create_sns_topic) — set to true to create an sns topic in this account for sending aws config notifications (e.g., if this is the logs account). 
set to false to assume the topic specified in [`config_sns_topic_name`](#config_sns_topic_name) already exists in another aws account (e.g., if this is the stage or prod account and [`config_sns_topic_name`](#config_sns_topic_name) is the name of an sns topic in the logs account). + + + +* [**`config_sns_topic_name`**](#config_sns_topic_name) — the name of the sns topic in where aws config notifications will be sent. can be in the same account or in another account. + + + +* [**`config_tags`**](#config_tags) — A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. + + + +* [**`configrules_maximum_execution_frequency`**](#configrules_maximum_execution_frequency) — The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See [`https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency`](#https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency) + + + +* [**`dev_permitted_services`**](#dev_permitted_services) — A list of AWS services for which the developers from the accounts in [`allow_dev_access_from_other_account_arns`](#allow_dev_access_from_other_account_arns) will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. + + + +* [**`ebs_enable_encryption`**](#ebs_enable_encryption) — If set to true (default), all new EBS volumes will have encryption enabled by default + + + +* [**`ebs_kms_key_name`**](#ebs_kms_key_name) — The name of the KMS CMK to use by default for encrypting EBS volumes, if [`enable_encryption`](#enable_encryption) and [`use_existing_kms_keys`](#use_existing_kms_keys) are enabled. 
The name must match the name given the [`kms_customer_master_keys`](#kms_customer_master_keys) variable. + + + +* [**`ebs_opt_in_regions`**](#ebs_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`ebs_use_existing_kms_keys`**](#ebs_use_existing_kms_keys) — If set to true, the KMS Customer Managed Keys (CMK) with the name in [`ebs_kms_key_name`](#ebs_kms_key_name) will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. + + + +* [**`enable_cloudtrail`**](#enable_cloudtrail) — Set to true (default) to enable CloudTrail in this app account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default. + + + +* [**`enable_config`**](#enable_config) — Set to true to enable AWS Config in this app account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored). + + + +* [**`enable_encrypted_volumes`**](#enable_encrypted_volumes) — Checks whether the EBS volumes that are in an attached state are encrypted. + + + +* [**`enable_iam_access_analyzer`**](#enable_iam_access_analyzer) — A feature flag to enable or disable this module. + + + +* [**`enable_iam_cross_account_roles`**](#enable_iam_cross_account_roles) — A feature flag to enable or disable this module. 
+ + + +* [**`enable_iam_password_policy`**](#enable_iam_password_policy) — Checks whether the account password policy for IAM users meets the specified requirements. + + + +* [**`enable_iam_user_password_policy`**](#enable_iam_user_password_policy) — Set to true (default) to enable the IAM User Password Policies in this app account. Set to false to disable the policies. (Note: all other IAM User Password Policy variables will be ignored). + + + +* [**`enable_insecure_sg_rules`**](#enable_insecure_sg_rules) — Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. + + + +* [**`enable_rds_storage_encrypted`**](#enable_rds_storage_encrypted) — Checks whether storage encryption is enabled for your RDS DB instances. + + + +* [**`enable_root_account_mfa`**](#enable_root_account_mfa) — Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. + + + +* [**`enable_s3_bucket_public_read_prohibited`**](#enable_s3_bucket_public_read_prohibited) — Checks that your Amazon S3 buckets do not allow public read access. + + + +* [**`enable_s3_bucket_public_write_prohibited`**](#enable_s3_bucket_public_write_prohibited) — Checks that your Amazon S3 buckets do not allow public write access. + + + +* [**`encrypted_volumes_kms_id`**](#encrypted_volumes_kms_id) — ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. + + + +* [**`guardduty_cloudwatch_event_rule_name`**](#guardduty_cloudwatch_event_rule_name) — Name of the Cloudwatch event rules. + + + +* [**`guardduty_finding_publishing_frequency`**](#guardduty_finding_publishing_frequency) — Specifies the frequency of notifications sent for subsequent finding occurrences. 
If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to [`SIX_HOURS`](#SIX_HOURS). For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: [`FIFTEEN_MINUTES`](#FIFTEEN_MINUTES), [`ONE_HOUR`](#ONE_HOUR), [`SIX_HOURS`](#SIX_HOURS). + + + +* [**`guardduty_findings_sns_topic_name`**](#guardduty_findings_sns_topic_name) — Specifies a name for the created SNS topics where findings are published. [`publish_findings_to_sns`](#publish_findings_to_sns) must be set to true. + + + +* [**`guardduty_opt_in_regions`**](#guardduty_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`guardduty_publish_findings_to_sns`**](#guardduty_publish_findings_to_sns) — Send GuardDuty findings to SNS topics specified by [`findings_sns_topic_name`](#findings_sns_topic_name). + + + +* [**`iam_access_analyzer_name`**](#iam_access_analyzer_name) — The name of the IAM Access Analyzer module + + + +* [**`iam_access_analyzer_opt_in_regions`**](#iam_access_analyzer_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). 
To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`iam_access_analyzer_type`**](#iam_access_analyzer_type) — If set to ORGANIZATION, the analyzer will be scanning the current organization and any policies that refer to linked resources such as S3, IAM, Lambda and SQS policies. + + + +* [**`iam_password_policy_allow_users_to_change_password`**](#iam_password_policy_allow_users_to_change_password) — Allow users to change their own password. + + + +* [**`iam_password_policy_hard_expiry`**](#iam_password_policy_hard_expiry) — Password expiration requires administrator reset. + + + +* [**`iam_password_policy_max_password_age`**](#iam_password_policy_max_password_age) — Number of days before password expiration. + + + +* [**`iam_password_policy_minimum_password_length`**](#iam_password_policy_minimum_password_length) — Password minimum length. + + + +* [**`iam_password_policy_password_reuse_prevention`**](#iam_password_policy_password_reuse_prevention) — Number of passwords before allowing reuse. + + + +* [**`iam_password_policy_require_lowercase_characters`**](#iam_password_policy_require_lowercase_characters) — Require at least one lowercase character in password. + + + +* [**`iam_password_policy_require_numbers`**](#iam_password_policy_require_numbers) — Require at least one number in password. + + + +* [**`iam_password_policy_require_symbols`**](#iam_password_policy_require_symbols) — Require at least one symbol in password. + + + +* [**`iam_password_policy_require_uppercase_characters`**](#iam_password_policy_require_uppercase_characters) — Require at least one uppercase character in password. + + + +* [**`iam_role_tags`**](#iam_role_tags) — The tags to apply to all the IAM role resources. 
+ + + +* [**`insecure_sg_rules_authorized_tcp_ports`**](#insecure_sg_rules_authorized_tcp_ports) — Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. + + + +* [**`insecure_sg_rules_authorized_udp_ports`**](#insecure_sg_rules_authorized_udp_ports) — Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. + + + +* [**`kms_cmk_global_tags`**](#kms_cmk_global_tags) — A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value. + + + +* [**`kms_cmk_opt_in_regions`**](#kms_cmk_opt_in_regions) — Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`kms_customer_master_keys`**](#kms_customer_master_keys) — You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key. + + + +* [**`kms_grant_regions`**](#kms_grant_regions) — The map of names of KMS grants to the region where the key resides in. There should be a one to one mapping between entries in this map and the entries of the [`kms_grants`](#kms_grants) map. This is used to workaround a terraform limitation where the [`for_each`](#for_each) value can not depend on resources. 
+ + + +* [**`kms_grants`**](#kms_grants) — Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account. + + + +* [**`max_session_duration_human_users`**](#max_session_duration_human_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see [`max_session_duration_machine_users`](#max_session_duration_machine_users). + + + +* [**`max_session_duration_machine_users`**](#max_session_duration_machine_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see [`max_session_duration_human_users`](#max_session_duration_human_users). + + + +* [**`name_prefix`**](#name_prefix) — The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. + + + +* [**`rds_storage_encrypted_kms_id`**](#rds_storage_encrypted_kms_id) — KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. + + + +* [**`service_linked_roles`**](#service_linked_roles) — Create service-linked roles for this set of services. 
You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See [`https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws`](#https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws)-services-that-work-with-iam.html for the list of services that support service-linked roles. + + + +* [**`should_require_mfa`**](#should_require_mfa) — Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) + + + + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_arn`**](#allow_auto_deploy_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_id`**](#allow_auto_deploy_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_arn`**](#allow_billing_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_id`**](#allow_billing_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_sign_in_url`**](#allow_billing_access_sign_in_url) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_arn`**](#allow_dev_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_id`**](#allow_dev_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_dev_access_sign_in_url`**](#allow_dev_access_sign_in_url) — + + + +* 
[**`allow_full_access_from_other_accounts_iam_role_arn`**](#allow_full_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_full_access_from_other_accounts_iam_role_id`**](#allow_full_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_full_access_sign_in_url`**](#allow_full_access_sign_in_url) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_arn`**](#allow_houston_cli_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_id`**](#allow_houston_cli_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_arn`**](#allow_iam_admin_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_id`**](#allow_iam_admin_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_sign_in_url`**](#allow_iam_admin_access_sign_in_url) — + + + +* [**`allow_logs_access_from_other_accounts_iam_role_arn`**](#allow_logs_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_logs_access_from_other_accounts_iam_role_id`**](#allow_logs_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_logs_access_sign_in_url`**](#allow_logs_access_sign_in_url) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_arn`**](#allow_read_only_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_id`**](#allow_read_only_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_read_only_access_sign_in_url`**](#allow_read_only_access_sign_in_url) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_access_sign_in_url`**](#allow_ssh_grunt_access_sign_in_url) — + + + +* 
[**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_houston_access_sign_in_url`**](#allow_ssh_grunt_houston_access_sign_in_url) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_arn`**](#allow_support_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_id`**](#allow_support_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_support_access_sign_in_url`**](#allow_support_access_sign_in_url) — + + + +* [**`aws_ebs_encryption_by_default_enabled`**](#aws_ebs_encryption_by_default_enabled) — A map from region to a boolean indicating whether or not EBS encryption is enabled by default for each region. + + + +* [**`aws_ebs_encryption_default_kms_key`**](#aws_ebs_encryption_default_kms_key) — A map from region to the ARN of the KMS key used for default EBS encryption for each region. + + + +* [**`cloudtrail_cloudwatch_group_arn`**](#cloudtrail_cloudwatch_group_arn) — The ARN of the cloudwatch log group. + + + +* [**`cloudtrail_cloudwatch_group_name`**](#cloudtrail_cloudwatch_group_name) — The name of the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_arn`**](#cloudtrail_iam_role_arn) — The ARN of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_name`**](#cloudtrail_iam_role_name) — The name of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_kms_key_alias_name`**](#cloudtrail_kms_key_alias_name) — The alias of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — The ARN of the KMS key used by the S3 bucket to encrypt cloudtrail logs. 
+ + + +* [**`cloudtrail_s3_access_logging_bucket_name`**](#cloudtrail_s3_access_logging_bucket_name) — The name of the S3 bucket where server access logs are delivered. + + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 bucket where cloudtrail logs are delivered. + + + +* [**`cloudtrail_trail_arn`**](#cloudtrail_trail_arn) — The ARN of the cloudtrail trail. + + + +* [**`config_iam_role_arns`**](#config_iam_role_arns) — The ARNs of the IAM role used by the config recorder. + + + +* [**`config_recorder_names`**](#config_recorder_names) — The names of the configuration recorder. + + + +* [**`config_s3_bucket_names`**](#config_s3_bucket_names) — The names of the S3 bucket used by AWS Config to store configuration items. + + + +* [**`config_sns_topic_arns`**](#config_sns_topic_arns) — The ARNs of the SNS Topic used by the config notifications. + + + +* [**`guardduty_cloudwatch_event_rule_arns`**](#guardduty_cloudwatch_event_rule_arns) — The ARNs of the cloudwatch event rules used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_cloudwatch_event_target_arns`**](#guardduty_cloudwatch_event_target_arns) — The ARNs of the cloudwatch event targets used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_detector_ids`**](#guardduty_detector_ids) — The IDs of the GuardDuty detectors. + + + +* [**`guardduty_findings_sns_topic_arns`**](#guardduty_findings_sns_topic_arns) — The ARNs of the SNS topics where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_findings_sns_topic_names`**](#guardduty_findings_sns_topic_names) — The names of the SNS topic where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. 
+ + + +* [**`invalid_cmk_inputs`**](#invalid_cmk_inputs) — Map of CMKs from the input [`customer_master_keys`](#customer_master_keys) that had an invalid region, and thus were not created. The structure of the map is the same as the input. This will only include KMS key inputs that were not created because the region attribute was invalid (either not a valid region identifier, the region is not enabled on the account, or the region is not included in the [`opt_in_regions`](#opt_in_regions) input). + + + +* [**`kms_key_aliases`**](#kms_key_aliases) — A map from region to aliases of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`customer_master_keys`](#customer_master_keys) input variable to the corresponding alias. + + + +* [**`kms_key_arns`**](#kms_key_arns) — A map from region to ARNs of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`kms_customer_master_keys`](#kms_customer_master_keys) input variable to the corresponding ARN. + + + +* [**`kms_key_ids`**](#kms_key_ids) — A map from region to IDs of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`kms_customer_master_keys`](#kms_customer_master_keys) input variable to the corresponding ID. + + + +* [**`service_linked_role_arns`**](#service_linked_role_arns) — A map of ARNs of the service linked roles created from [`service_linked_roles`](#service_linked_roles). + +
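Review bot: several of the cross-reference anchors this hunk generates point at names that do not exist on this page, so the variable navigation the commit is meant to fix is still broken in those entries. The `guardduty_publish_findings_to_sns` description links `#findings_sns_topic_name` and the `guardduty_findings_sns_topic_name` description links `#publish_findings_to_sns`, but the inputs in this wrapper are `guardduty_findings_sns_topic_name` and `guardduty_publish_findings_to_sns`; the same mismatch appears in the `invalid_cmk_inputs` and `kms_key_aliases` outputs, which link `#customer_master_keys` and `#opt_in_regions` while the inputs here are `kms_customer_master_keys` and `kms_cmk_opt_in_regions` (the neighbouring `kms_key_arns` and `kms_key_ids` outputs already use the prefixed name). The link generation also wraps every backticked token, which turns the enum values `SIX_HOURS` and `FIFTEEN_MINUTES`, the Terraform keyword `for_each`, and the service-linked-roles documentation URL into dead anchors; that URL is additionally cut at `reference_aws`, leaving `-services-that-work-with-iam.html` outside the link. Suggest restricting link generation to names that appear as variable or output entries on the page and emitting plain code spans otherwise. Separately, the `allow_*_iam_role_arn`, `allow_*_iam_role_id` and `allow_*_sign_in_url` outputs ship with nothing after the dash; a one-line description for each would keep the outputs section consistent with the inputs.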
diff --git a/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md index dfc0f8a35..ea2264ba0 100644 --- a/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md @@ -10,1517 +10,871 @@ A security baseline for AWS Landing Zone for configuring the root account (AKA m ### Reference - -
    - -
  • -

    - - additional_config_rules - - Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details -

    -
  • -
  • -

    - - allow_auto_deploy_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in var.auto_deploy_permissions. -

    -
  • -
  • -

    - - allow_billing_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. -

    -
  • -
  • -

    - - allow_cloudtrail_access_with_iam - - If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in var.kms_key_user_iam_arns will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) -

    -
  • -
  • -

    - - allow_dev_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in var.dev_permitted_services. -

    -
  • -
  • -

    - - allow_full_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. -

    -
  • -
  • -

    - - allow_logs_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. If var.cloudtrail_kms_key_arn is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. -

    -
  • -
  • -

    - - allow_read_only_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. -

    -
  • -
  • -

    - - allow_ssh_grunt_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. -

    -
  • -
  • -

    - - allow_support_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account. -

    -
  • -
  • -

    - - auto_deploy_permissions - - A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If var.should_create_iam_group_auto_deploy is true, the list must have at least one element (e.g. '*'). -

    -
  • -
  • -

    - - aws_account_id - - The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. -

    -
  • -
  • -

    - - aws_region - - The AWS Region to use as the global config recorder and seed region for GuardDuty. -

    -
  • -
  • -

    - - child_accounts - - Map of child accounts to create. The map key is the name of the account and the value is an object containing account configuration variables. See the comments below for what keys and values this object should contain. -

    -
  • -
  • -

    - - cloudtrail_allow_kms_describe_key_to_external_aws_accounts - - Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. -

    -
  • -
  • -

    - - cloudtrail_cloudwatch_logs_group_name - - Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. -

    -
  • -
  • -

    - - cloudtrail_data_logging_enabled - - If true, logging of data events will be enabled. -

    -
  • -
  • -

    - - cloudtrail_data_logging_include_management_events - - Specify if you want your event selector to include management events for your trail. -

    -
  • -
  • -

    - - cloudtrail_data_logging_read_write_type - - Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. -

    -
  • -
  • -

    - - cloudtrail_data_logging_resources - - Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource' block within the 'event_selector' block of the 'aws_cloudtrail' resource for context: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource. -

    -
  • -
  • -

    - - cloudtrail_enable_key_rotation - - Whether or not to enable automatic annual rotation of the KMS key. Defaults to true. -

    -
  • -
  • -

    - - cloudtrail_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - cloudtrail_is_organization_trail - - Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the root account and all member accounts. Can only be created in the organization root account. (true or false) -

    -
  • -
  • -

    - - cloudtrail_kms_key_administrator_iam_arns - - All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data. Note that if you specify a logs account (by setting is_logs_account = true on one of the accounts in var.child_accounts), the KMS CMK will be created in that account, and the root of that account will automatically be made an admin of the CMK. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn - - All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists, set this to the ARN of that CMK. Otherwise, set this to null, and a new CMK will be created. If you set is_logs_account to true on one of the accounts in var.child_accounts, the KMS CMK will be created in that account (this is the recommended approach!). -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn_is_alias - - If the kms_key_arn provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires var.cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be true for multi-account scenarios. -

    -
  • -
  • -

    - - cloudtrail_kms_key_user_iam_arns - - All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_to_retain_cloudwatch_logs - - After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. -

    -
  • -
  • -

    - - cloudtrail_organization_id - - The ID of the organization. Required only if an organization wide CloudTrail is being setup and `create_organization` is set to false. The organization ID is required to ensure that the entire organization is whitelisted in the CloudTrail bucket write policy. -

    -
  • -
  • -

    - - cloudtrail_s3_bucket_name - - The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where CloudTrail logs should be sent. If you set is_logs_account on one of the accounts in var.child_accounts, the S3 bucket will be created in that account (this is the recommended approach!). -

    -
  • -
  • -

    - - cloudtrail_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - cloudtrail_should_create_s3_bucket - - If true, create an S3 bucket of name var.cloudtrail_s3_bucket_name for CloudTrail logs, either in the logs account—the account in var.child_accounts that has is_logs_account set to true (this is the recommended approach!)—or in this account if none of the child accounts are marked as a logs account. If false, assume var.cloudtrail_s3_bucket_name is an S3 bucket that already exists. We recommend setting this to true and setting is_logs_account to true on one of the accounts in var.child_accounts to use that account as a logs account where you aggregate all your CloudTrail data. In case you want to disable the CloudTrail module and the S3 bucket, you need to set both var.enable_cloudtrail and cloudtrail_should_create_s3_bucket to false. -

    -
  • -
  • -

    - - cloudtrail_tags - - Tags to apply to the CloudTrail resources. -

    -
  • -
  • -

    - - config_aggregate_config_data_in_external_account - - Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the config_central_account_id variable. Note that if one of the accounts in var.child_accounts has is_logs_account set to true (this is the approach we recommended!), this variable will be assumed to be true, so you don't have to pass any value for it. This redundant variable has to exist because Terraform does not allow computed data in count and for_each parameters and var.config_central_account_id may be computed if its the ID of a newly-created AWS account. -

    -
  • -
  • -

    - - config_central_account_id - - If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account. If the S3 bucket and SNS topics live in this account, set this variable to an empty string. Note that if one of the accounts in var.child_accounts has is_logs_account set to true (this is the approach we recommended!), that account's ID will be used automatically, and you can leave this variable null. -

    -
  • -
  • -

    - - config_create_account_rules - - Set to true to create account-level AWS Config rules directly in this account. Set false to create org-level rules that apply to this account and all child accounts. We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts (see this module's README for details). -

    -
  • -
  • -

    - - config_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - config_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - config_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - config_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. -

    -
  • -
  • -

    - - config_s3_bucket_name - - The name of the S3 Bucket where Config items will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where Config items should be sent. If you set is_logs_account to true on one of the accounts in var.child_accounts, the S3 bucket will be created in that account (this is the recommended approach!). -

    -
  • -
  • -

    - - config_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - config_should_create_s3_bucket - - If true, create an S3 bucket of name var.config_s3_bucket_name for AWS Config data, either in the logs account—the account in var.child_accounts that has is_logs_account set to true (this is the recommended approach!)—or in this account if none of the child accounts are marked as a logs account. If false, assume var.config_s3_bucket_name is an S3 bucket that already exists. We recommend setting this to true and setting is_logs_account to true on one of the accounts in var.child_accounts to use that account as a logs account where you aggregate all your AWS Config data. In case you want to disable the AWS Config module and the S3 bucket, you need to set both var.enable_config and config_should_create_s3_bucket to false. -

    -
  • -
  • -

    - - config_should_create_sns_topic - - Set to true to create an SNS topic in this account for sending AWS Config notifications. Set to false to assume the topic specified in var.config_sns_topic_name already exists in another AWS account (e.g the logs account). -

    -
  • -
  • -

    - - config_sns_topic_name - - The name of the SNS Topic in where AWS Config notifications will be sent. Can be in the same account or in another account. -

    -
  • -
  • -

    - - config_tags - - A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - configrules_excluded_accounts - - List of AWS account identifiers to exclude from org-level Config rules. Only used if var.config_create_account_rules is false (not recommended). -

    -
  • -
  • -

    - - configrules_maximum_execution_frequency - - The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency -

    -
  • -
  • -

    - - create_organization - - Set to true to create/configure AWS Organizations for the first time in this account. If you already configured AWS Organizations in your account, set this to false; alternatively, you could set it to true and run 'terraform import' to import you existing Organization. -

    -
  • -
  • -

    - - cross_account_access_all_group_name - - The name of the IAM group that will grant access to all external AWS accounts in var.iam_groups_for_cross_account_access. -

    -
  • -
  • -

    - - dev_permitted_services - - A list of AWS services for which the developers from the accounts in var.allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. -

    -
  • -
  • -

    - - ebs_enable_encryption - - If set to true (default), all new EBS volumes will have encryption enabled by default -

    -
  • -
  • -

    - - ebs_kms_key_arns - - Optional map of region names to KMS keys to use for EBS volume encryption when var.ebs_use_existing_kms_keys is enabled. -

    -
  • -
  • -

    - - ebs_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - ebs_use_existing_kms_keys - - If set to true, the KMS Customer Managed Keys (CMK) specified in var.ebs_kms_key_arns will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. -

    -
  • -
  • -

    - - enable_cloudtrail - - Set to true to enable CloudTrail in the root account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). In case you want to disable the CloudTrail module and the S3 bucket, you need to set both var.enable_cloudtrail and cloudtrail_should_create_s3_bucket to false. -

    -
  • -
  • -

    - - enable_cloudtrail_s3_server_access_logging - - Enables S3 server access logging which sends detailed records for the requests that are made to the bucket. Defaults to false. -

    -
  • -
  • -

    - - enable_config - - Set to true to enable AWS Config in the root account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored). In case you want to disable the CloudTrail module and the S3 bucket, you need to set both var.enable_cloudtrail and cloudtrail_should_create_s3_bucket to false. -

    -
  • -
  • -

    - - enable_encrypted_volumes - - Checks whether the EBS volumes that are in an attached state are encrypted. -

    -
  • -
  • -

    - - enable_iam_access_analyzer - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_cross_account_roles - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_groups - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_password_policy - - Checks whether the account password policy for IAM users meets the specified requirements. -

    -
  • -
  • -

    - - enable_insecure_sg_rules - - Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. -

    -
  • -
  • -

    - - enable_rds_storage_encrypted - - Checks whether storage encryption is enabled for your RDS DB instances. -

    -
  • -
  • -

    - - enable_root_account_mfa - - Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. -

    -
  • -
  • -

    - - enable_s3_bucket_public_read_prohibited - - Checks that your Amazon S3 buckets do not allow public read access. -

    -
  • -
  • -

    - - enable_s3_bucket_public_write_prohibited - - Checks that your Amazon S3 buckets do not allow public write access. -

    -
  • -
  • -

    - - encrypted_volumes_kms_id - - ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. -

    -
  • -
  • -

    - - force_destroy_users - - When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. -

    -
  • -
  • -

    - - guardduty_cloudwatch_event_rule_name - - Name of the Cloudwatch event rules. -

    -
  • -
  • -

    - - guardduty_finding_publishing_frequency - - Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. -

    -
  • -
  • -

    - - guardduty_findings_sns_topic_name - - Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true. -

    -
  • -
  • -

    - - guardduty_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - guardduty_publish_findings_to_sns - - Send GuardDuty findings to SNS topics specified by findings_sns_topic_name. -

    -
  • -
  • -

    - - iam_access_analyzer_name - - The name of the IAM Access Analyzer module -

    -
  • -
  • -

    - - iam_access_analyzer_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - iam_access_analyzer_type - - If set to ORGANIZATION, the analyzer will be scanning the current organization and any policies that refer to linked resources such as S3, IAM, Lambda and SQS policies. -

    -
  • -
  • -

    - - iam_group_developers_permitted_services - - A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. -

    -
  • -
  • -

    - - iam_groups_for_cross_account_access - - This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields 'group_name', which will be used as the name of the IAM group, and 'iam_role_arns', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). -

    -
  • -
  • -

    - - iam_password_policy_allow_users_to_change_password - - Allow users to change their own password. -

    -
  • -
  • -

    - - iam_password_policy_hard_expiry - - Password expiration requires administrator reset. -

    -
  • -
  • -

    - - iam_password_policy_max_password_age - - Number of days before password expiration. -

    -
  • -
  • -

    - - iam_password_policy_minimum_password_length - - Password minimum length. -

    -
  • -
  • -

    - - iam_password_policy_password_reuse_prevention - - Number of passwords before allowing reuse. -

    -
  • -
  • -

    - - iam_password_policy_require_lowercase_characters - - Require at least one lowercase character in password. -

    -
  • -
  • -

    - - iam_password_policy_require_numbers - - Require at least one number in password. -

    -
  • -
  • -

    - - iam_password_policy_require_symbols - - Require at least one symbol in password. -

    -
  • -
  • -

    - - iam_password_policy_require_uppercase_characters - - Require at least one uppercase character in password. -

    -
  • -
  • -

    - - iam_role_tags - - The tags to apply to all the IAM role resources. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_tcp_ports - - Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_udp_ports - - Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. -

    -
  • -
  • -

    - - is_multi_region_trail - - Specifies whether CloudTrail will log only API calls in the current region or in all regions. (true or false) -

    -
  • -
  • -

    - - name_prefix - - The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. -

    -
  • -
  • -

    - - organizations_aws_service_access_principals - - List of AWS service principal names for which you want to enable integration with your organization. Must have `organizations_feature_set` set to ALL. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html -

    -
  • -
  • -

    - - organizations_default_iam_user_access_to_billing - - If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information. -

    -
  • -
  • -

    - - organizations_default_role_name - - The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. -

    -
  • -
  • -

    - - organizations_default_tags - - Default tags to add to accounts. Will be appended to ´child_account.*.tags´ -

    -
  • -
  • -

    - - organizations_enabled_policy_types - - List of Organizations policy types to enable in the Organization Root. See https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html -

    -
  • -
  • -

    - - organizations_feature_set - - Specify `ALL` or `CONSOLIDATED_BILLING`. -

    -
  • -
  • -

    - - password_reset_required - - Force the user to reset their password on initial login. Only used for users with create_login_profile set to true. -

    -
  • -
  • -

    - - rds_storage_encrypted_kms_id - - KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. -

    -
  • -
  • -

    - - should_create_iam_group_auto_deploy - - Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in var.auto_deploy_permissions. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_billing - - Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_developers - - Should we create the IAM Group for developers? The permissions of that group are specified via var.iam_group_developers_permitted_services. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_full_access - - Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_houston_cli_users - - Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. -

    -
  • -
  • -

    - - should_create_iam_group_logs - - Should we create the IAM Group for logs? Allows read access to logs in CloudTrail, AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_read_only - - Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_support - - Should we create the IAM Group for support? Allows access to AWS support. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_use_existing_iam_roles - - Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_user_self_mgmt - - Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false) -

    -
  • -
  • -

    - - should_require_mfa - - Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) -

    -
  • -
  • -

    - - users - - A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true), 'create_login_profile' (if set to true, create a password to login to the AWS Web Console), 'create_access_keys' (if set to true, create access keys for the user), 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is used to set the permissions boundary for the user). -

    -
  • -
-
- - - + + + + +* [**`additional_config_rules`**](#additional_config_rules) — Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details + + + +* [**`allow_auto_deploy_from_other_account_arns`**](#allow_auto_deploy_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in [`auto_deploy_permissions`](#auto_deploy_permissions). + + + +* [**`allow_billing_access_from_other_account_arns`**](#allow_billing_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. + + + +* [**`allow_cloudtrail_access_with_iam`**](#allow_cloudtrail_access_with_iam) — If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in [`kms_key_user_iam_arns`](#kms_key_user_iam_arns) will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) + + + +* [**`allow_dev_access_from_other_account_arns`**](#allow_dev_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in [`dev_permitted_services`](#dev_permitted_services). + + + +* [**`allow_full_access_from_other_account_arns`**](#allow_full_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. + + + +* [**`allow_logs_access_from_other_account_arns`**](#allow_logs_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. 
If [`cloudtrail_kms_key_arn`](#cloudtrail_kms_key_arn) is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. + + + +* [**`allow_read_only_access_from_other_account_arns`**](#allow_read_only_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. + + + +* [**`allow_ssh_grunt_access_from_other_account_arns`**](#allow_ssh_grunt_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. + + + +* [**`allow_support_access_from_other_account_arns`**](#allow_support_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed access to AWS support for this account. + + + +* [**`auto_deploy_permissions`**](#auto_deploy_permissions) — A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If [`should_create_iam_group_auto_deploy`](#should_create_iam_group_auto_deploy) is true, the list must have at least one element (e.g. '*'). + + + +* [**`aws_account_id`**](#aws_account_id) — The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. + + + +* [**`aws_region`**](#aws_region) — The AWS Region to use as the global config recorder and seed region for GuardDuty. + + + +* [**`child_accounts`**](#child_accounts) — Map of child accounts to create. The map key is the name of the account and the value is an object containing account configuration variables. See the comments below for what keys and values this object should contain. + + + +* [**`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`**](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) — Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. 
This is useful during deployment so that you don't have to pass around the KMS key ARN. + + + +* [**`cloudtrail_cloudwatch_logs_group_name`**](#cloudtrail_cloudwatch_logs_group_name) — Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. + + + +* [**`cloudtrail_data_logging_enabled`**](#cloudtrail_data_logging_enabled) — If true, logging of data events will be enabled. + + + +* [**`cloudtrail_data_logging_include_management_events`**](#cloudtrail_data_logging_include_management_events) — Specify if you want your event selector to include management events for your trail. + + + +* [**`cloudtrail_data_logging_read_write_type`**](#cloudtrail_data_logging_read_write_type) — Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. + + + +* [**`cloudtrail_data_logging_resources`**](#cloudtrail_data_logging_resources) — Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the [`'data_resource`](#'data_resource)' block within the [`'event_selector`](#'event_selector)' block of the [`'aws_cloudtrail`](#'aws_cloudtrail)' resource for context: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource). 
+ + + +* [**`cloudtrail_enable_key_rotation`**](#cloudtrail_enable_key_rotation) — Whether or not to enable automatic annual rotation of the KMS key. Defaults to true. + + + +* [**`cloudtrail_force_destroy`**](#cloudtrail_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`cloudtrail_is_organization_trail`**](#cloudtrail_is_organization_trail) — Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the root account and all member accounts. Can only be created in the organization root account. (true or false) + + + +* [**`cloudtrail_kms_key_administrator_iam_arns`**](#cloudtrail_kms_key_administrator_iam_arns) — All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data. Note that if you specify a logs account (by setting [`is_logs_account`](#is_logs_account) = true on one of the accounts in [`child_accounts`](#child_accounts)), the KMS CMK will be created in that account, and the root of that account will automatically be made an admin of the CMK. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists, set this to the ARN of that CMK. Otherwise, set this to null, and a new CMK will be created. If you set [`is_logs_account`](#is_logs_account) to true on one of the accounts in [`child_accounts`](#child_accounts), the KMS CMK will be created in that account (this is the recommended approach!). 
+ + + +* [**`cloudtrail_kms_key_arn_is_alias`**](#cloudtrail_kms_key_arn_is_alias) — If the [`kms_key_arn`](#kms_key_arn) provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires [`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) to also be true for multi-account scenarios. + + + +* [**`cloudtrail_kms_key_user_iam_arns`**](#cloudtrail_kms_key_user_iam_arns) — All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data. + + + +* [**`cloudtrail_num_days_after_which_archive_log_data`**](#cloudtrail_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`cloudtrail_num_days_after_which_delete_log_data`**](#cloudtrail_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`cloudtrail_num_days_to_retain_cloudwatch_logs`**](#cloudtrail_num_days_to_retain_cloudwatch_logs) — After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. + + + +* [**`cloudtrail_organization_id`**](#cloudtrail_organization_id) — The ID of the organization. Required only if an organization wide CloudTrail is being setup and [``create_organization`](#`create_organization)` is set to false. The organization ID is required to ensure that the entire organization is whitelisted in the CloudTrail bucket write policy. 
+ + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where CloudTrail logs should be sent. If you set [`is_logs_account`](#is_logs_account) on one of the accounts in [`child_accounts`](#child_accounts), the S3 bucket will be created in that account (this is the recommended approach!). + + + +* [**`cloudtrail_s3_mfa_delete`**](#cloudtrail_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`cloudtrail_should_create_s3_bucket`**](#cloudtrail_should_create_s3_bucket) — If true, create an S3 bucket of name [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) for CloudTrail logs, either in the logs account—the account in [`child_accounts`](#child_accounts) that has [`is_logs_account`](#is_logs_account) set to true (this is the recommended approach!)—or in this account if none of the child accounts are marked as a logs account. If false, assume [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) is an S3 bucket that already exists. We recommend setting this to true and setting [`is_logs_account`](#is_logs_account) to true on one of the accounts in [`child_accounts`](#child_accounts) to use that account as a logs account where you aggregate all your CloudTrail data. In case you want to disable the CloudTrail module and the S3 bucket, you need to set both [`enable_cloudtrail`](#enable_cloudtrail) and [`cloudtrail_should_create_s3_bucket`](#cloudtrail_should_create_s3_bucket) to false. 
+ + + +* [**`cloudtrail_tags`**](#cloudtrail_tags) — Tags to apply to the CloudTrail resources. + + + +* [**`config_aggregate_config_data_in_external_account`**](#config_aggregate_config_data_in_external_account) — Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the [`config_central_account_id`](#config_central_account_id) variable. Note that if one of the accounts in [`child_accounts`](#child_accounts) has [`is_logs_account`](#is_logs_account) set to true (this is the approach we recommended!), this variable will be assumed to be true, so you don't have to pass any value for it. This redundant variable has to exist because Terraform does not allow computed data in count and [`for_each`](#for_each) parameters and [`config_central_account_id`](#config_central_account_id) may be computed if its the ID of a newly-created AWS account. + + + +* [**`config_central_account_id`**](#config_central_account_id) — If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account. If the S3 bucket and SNS topics live in this account, set this variable to an empty string. Note that if one of the accounts in [`child_accounts`](#child_accounts) has [`is_logs_account`](#is_logs_account) set to true (this is the approach we recommended!), that account's ID will be used automatically, and you can leave this variable null. + + + +* [**`config_create_account_rules`**](#config_create_account_rules) — Set to true to create account-level AWS Config rules directly in this account. Set false to create org-level rules that apply to this account and all child accounts. We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts (see this module's README for details). 
+ + + +* [**`config_force_destroy`**](#config_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`config_num_days_after_which_archive_log_data`**](#config_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`config_num_days_after_which_delete_log_data`**](#config_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`config_opt_in_regions`**](#config_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. + + + +* [**`config_s3_bucket_name`**](#config_s3_bucket_name) — The name of the S3 Bucket where Config items will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where Config items should be sent. If you set [`is_logs_account`](#is_logs_account) to true on one of the accounts in [`child_accounts`](#child_accounts), the S3 bucket will be created in that account (this is the recommended approach!). + + + +* [**`config_s3_mfa_delete`**](#config_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. 
This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`config_should_create_s3_bucket`**](#config_should_create_s3_bucket) — If true, create an S3 bucket of name [`config_s3_bucket_name`](#config_s3_bucket_name) for AWS Config data, either in the logs account—the account in [`child_accounts`](#child_accounts) that has [`is_logs_account`](#is_logs_account) set to true (this is the recommended approach!)—or in this account if none of the child accounts are marked as a logs account. If false, assume [`config_s3_bucket_name`](#config_s3_bucket_name) is an S3 bucket that already exists. We recommend setting this to true and setting [`is_logs_account`](#is_logs_account) to true on one of the accounts in [`child_accounts`](#child_accounts) to use that account as a logs account where you aggregate all your AWS Config data. In case you want to disable the AWS Config module and the S3 bucket, you need to set both [`enable_config`](#enable_config) and [`config_should_create_s3_bucket`](#config_should_create_s3_bucket) to false. + + + +* [**`config_should_create_sns_topic`**](#config_should_create_sns_topic) — Set to true to create an SNS topic in this account for sending AWS Config notifications. Set to false to assume the topic specified in [`config_sns_topic_name`](#config_sns_topic_name) already exists in another AWS account (e.g the logs account). + + + +* [**`config_sns_topic_name`**](#config_sns_topic_name) — The name of the SNS Topic in where AWS Config notifications will be sent. Can be in the same account or in another account. + + + +* [**`config_tags`**](#config_tags) — A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. 
+ + + +* [**`configrules_excluded_accounts`**](#configrules_excluded_accounts) — List of AWS account identifiers to exclude from org-level Config rules. Only used if [`config_create_account_rules`](#config_create_account_rules) is false (not recommended). + + + +* [**`configrules_maximum_execution_frequency`**](#configrules_maximum_execution_frequency) — The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See [`https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency`](#https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency) + + + +* [**`create_organization`**](#create_organization) — Set to true to create/configure AWS Organizations for the first time in this account. If you already configured AWS Organizations in your account, set this to false; alternatively, you could set it to true and run 'terraform import' to import you existing Organization. + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — The name of the IAM group that will grant access to all external AWS accounts in [`iam_groups_for_cross_account_access`](#iam_groups_for_cross_account_access). + + + +* [**`dev_permitted_services`**](#dev_permitted_services) — A list of AWS services for which the developers from the accounts in [`allow_dev_access_from_other_account_arns`](#allow_dev_access_from_other_account_arns) will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. 
+ + + +* [**`ebs_enable_encryption`**](#ebs_enable_encryption) — If set to true (default), all new EBS volumes will have encryption enabled by default + + + +* [**`ebs_kms_key_arns`**](#ebs_kms_key_arns) — Optional map of region names to KMS keys to use for EBS volume encryption when [`ebs_use_existing_kms_keys`](#ebs_use_existing_kms_keys) is enabled. + + + +* [**`ebs_opt_in_regions`**](#ebs_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`ebs_use_existing_kms_keys`**](#ebs_use_existing_kms_keys) — If set to true, the KMS Customer Managed Keys (CMK) specified in [`ebs_kms_key_arns`](#ebs_kms_key_arns) will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. + + + +* [**`enable_cloudtrail`**](#enable_cloudtrail) — Set to true to enable CloudTrail in the root account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). In case you want to disable the CloudTrail module and the S3 bucket, you need to set both [`enable_cloudtrail`](#enable_cloudtrail) and [`cloudtrail_should_create_s3_bucket`](#cloudtrail_should_create_s3_bucket) to false. + + + +* [**`enable_cloudtrail_s3_server_access_logging`**](#enable_cloudtrail_s3_server_access_logging) — Enables S3 server access logging which sends detailed records for the requests that are made to the bucket. Defaults to false. + + + +* [**`enable_config`**](#enable_config) — Set to true to enable AWS Config in the root account. 
Set to false to disable AWS Config (note: all other AWS config variables will be ignored). In case you want to disable the CloudTrail module and the S3 bucket, you need to set both [`enable_cloudtrail`](#enable_cloudtrail) and [`cloudtrail_should_create_s3_bucket`](#cloudtrail_should_create_s3_bucket) to false. + + + +* [**`enable_encrypted_volumes`**](#enable_encrypted_volumes) — Checks whether the EBS volumes that are in an attached state are encrypted. + + + +* [**`enable_iam_access_analyzer`**](#enable_iam_access_analyzer) — A feature flag to enable or disable this module. + + + +* [**`enable_iam_cross_account_roles`**](#enable_iam_cross_account_roles) — A feature flag to enable or disable this module. + + + +* [**`enable_iam_groups`**](#enable_iam_groups) — A feature flag to enable or disable this module. + + + +* [**`enable_iam_password_policy`**](#enable_iam_password_policy) — Checks whether the account password policy for IAM users meets the specified requirements. + + + +* [**`enable_insecure_sg_rules`**](#enable_insecure_sg_rules) — Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. + + + +* [**`enable_rds_storage_encrypted`**](#enable_rds_storage_encrypted) — Checks whether storage encryption is enabled for your RDS DB instances. + + + +* [**`enable_root_account_mfa`**](#enable_root_account_mfa) — Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. + + + +* [**`enable_s3_bucket_public_read_prohibited`**](#enable_s3_bucket_public_read_prohibited) — Checks that your Amazon S3 buckets do not allow public read access. + + + +* [**`enable_s3_bucket_public_write_prohibited`**](#enable_s3_bucket_public_write_prohibited) — Checks that your Amazon S3 buckets do not allow public write access. 
+ + + +* [**`encrypted_volumes_kms_id`**](#encrypted_volumes_kms_id) — ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. + + + +* [**`force_destroy_users`**](#force_destroy_users) — When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without [`force_destroy`](#force_destroy) a user with non-Terraform-managed access keys and login profile will fail to be destroyed. + + + +* [**`guardduty_cloudwatch_event_rule_name`**](#guardduty_cloudwatch_event_rule_name) — Name of the Cloudwatch event rules. + + + +* [**`guardduty_finding_publishing_frequency`**](#guardduty_finding_publishing_frequency) — Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to [`SIX_HOURS`](#SIX_HOURS). For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: [`FIFTEEN_MINUTES`](#FIFTEEN_MINUTES), [`ONE_HOUR`](#ONE_HOUR), [`SIX_HOURS`](#SIX_HOURS). + + + +* [**`guardduty_findings_sns_topic_name`**](#guardduty_findings_sns_topic_name) — Specifies a name for the created SNS topics where findings are published. [`publish_findings_to_sns`](#publish_findings_to_sns) must be set to true. + + + +* [**`guardduty_opt_in_regions`**](#guardduty_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. 
The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`guardduty_publish_findings_to_sns`**](#guardduty_publish_findings_to_sns) — Send GuardDuty findings to SNS topics specified by [`findings_sns_topic_name`](#findings_sns_topic_name). + + + +* [**`iam_access_analyzer_name`**](#iam_access_analyzer_name) — The name of the IAM Access Analyzer module + + + +* [**`iam_access_analyzer_opt_in_regions`**](#iam_access_analyzer_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`iam_access_analyzer_type`**](#iam_access_analyzer_type) — If set to ORGANIZATION, the analyzer will be scanning the current organization and any policies that refer to linked resources such as S3, IAM, Lambda and SQS policies. + + + +* [**`iam_group_developers_permitted_services`**](#iam_group_developers_permitted_services) — A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. 
+ + + +* [**`iam_groups_for_cross_account_access`**](#iam_groups_for_cross_account_access) — This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields [`'group_name`](#'group_name)', which will be used as the name of the IAM group, and [`'iam_role_arns`](#'iam_role_arns)', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). + + + +* [**`iam_password_policy_allow_users_to_change_password`**](#iam_password_policy_allow_users_to_change_password) — Allow users to change their own password. + + + +* [**`iam_password_policy_hard_expiry`**](#iam_password_policy_hard_expiry) — Password expiration requires administrator reset. + + + +* [**`iam_password_policy_max_password_age`**](#iam_password_policy_max_password_age) — Number of days before password expiration. + + + +* [**`iam_password_policy_minimum_password_length`**](#iam_password_policy_minimum_password_length) — Password minimum length. + + + +* [**`iam_password_policy_password_reuse_prevention`**](#iam_password_policy_password_reuse_prevention) — Number of passwords before allowing reuse. + + + +* [**`iam_password_policy_require_lowercase_characters`**](#iam_password_policy_require_lowercase_characters) — Require at least one lowercase character in password. + + + +* [**`iam_password_policy_require_numbers`**](#iam_password_policy_require_numbers) — Require at least one number in password. + + + +* [**`iam_password_policy_require_symbols`**](#iam_password_policy_require_symbols) — Require at least one symbol in password. 
+ + + +* [**`iam_password_policy_require_uppercase_characters`**](#iam_password_policy_require_uppercase_characters) — Require at least one uppercase character in password. + + + +* [**`iam_role_tags`**](#iam_role_tags) — The tags to apply to all the IAM role resources. + + + +* [**`insecure_sg_rules_authorized_tcp_ports`**](#insecure_sg_rules_authorized_tcp_ports) — Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. + + + +* [**`insecure_sg_rules_authorized_udp_ports`**](#insecure_sg_rules_authorized_udp_ports) — Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. + + + +* [**`is_multi_region_trail`**](#is_multi_region_trail) — Specifies whether CloudTrail will log only API calls in the current region or in all regions. (true or false) + + + +* [**`name_prefix`**](#name_prefix) — The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. + + + +* [**`organizations_aws_service_access_principals`**](#organizations_aws_service_access_principals) — List of AWS service principal names for which you want to enable integration with your organization. Must have [``organizations_feature_set`](#`organizations_feature_set)` set to ALL. See [`https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services`](#https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services).html + + + +* [**`organizations_default_iam_user_access_to_billing`**](#organizations_default_iam_user_access_to_billing) — If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information. 
+ + + +* [**`organizations_default_role_name`**](#organizations_default_role_name) — The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. + + + +* [**`organizations_default_tags`**](#organizations_default_tags) — Default tags to add to accounts. Will be appended to [`´child_account`](#´child_account).*.tags´ + + + +* [**`organizations_enabled_policy_types`**](#organizations_enabled_policy_types) — List of Organizations policy types to enable in the Organization Root. See [`https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType`](#https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType).html + + + +* [**`organizations_feature_set`**](#organizations_feature_set) — Specify `ALL` or [``CONSOLIDATED_BILLING`](#`CONSOLIDATED_BILLING)`. + + + +* [**`password_reset_required`**](#password_reset_required) — Force the user to reset their password on initial login. Only used for users with [`create_login_profile`](#create_login_profile) set to true. + + + +* [**`rds_storage_encrypted_kms_id`**](#rds_storage_encrypted_kms_id) — KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. + + + +* [**`should_create_iam_group_auto_deploy`**](#should_create_iam_group_auto_deploy) — Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in [`auto_deploy_permissions`](#auto_deploy_permissions). (true or false) + + + +* [**`should_create_iam_group_billing`**](#should_create_iam_group_billing) — Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false) + + + +* [**`should_create_iam_group_developers`**](#should_create_iam_group_developers) — Should we create the IAM Group for developers? 
The permissions of that group are specified via [`iam_group_developers_permitted_services`](#iam_group_developers_permitted_services). (true or false) + + + +* [**`should_create_iam_group_full_access`**](#should_create_iam_group_full_access) — Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_houston_cli_users`**](#should_create_iam_group_houston_cli_users) — Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. + + + +* [**`should_create_iam_group_logs`**](#should_create_iam_group_logs) — Should we create the IAM Group for logs? Allows read access to logs in CloudTrail, AWS Config, and CloudWatch. If [`cloudtrail_kms_key_arn`](#cloudtrail_kms_key_arn) is specified, will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. (true or false) + + + +* [**`should_create_iam_group_read_only`**](#should_create_iam_group_read_only) — Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_support`**](#should_create_iam_group_support) — Should we create the IAM Group for support? Allows access to AWS support. (true or false) + + + +* [**`should_create_iam_group_use_existing_iam_roles`**](#should_create_iam_group_use_existing_iam_roles) — Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) + + + +* [**`should_create_iam_group_user_self_mgmt`**](#should_create_iam_group_user_self_mgmt) — Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. 
(true or false) + + + +* [**`should_require_mfa`**](#should_require_mfa) — Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) + + + +* [**`users`**](#users) — A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), [`'pgp_key`](#'pgp_key)' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if [`create_login_profile`](#create_login_profile) or [`create_access_keys`](#create_access_keys) is true), [`'create_login_profile`](#'create_login_profile)' (if set to true, create a password to login to the AWS Web Console), [`'create_access_keys`](#'create_access_keys)' (if set to true, create access keys for the user), 'path' (the path), and [`'permissions_boundary`](#'permissions_boundary)' (the ARN of the policy that is used to set the permissions boundary for the user). 
+ + + + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_arn`**](#allow_auto_deploy_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_id`**](#allow_auto_deploy_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_arn`**](#allow_billing_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_id`**](#allow_billing_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_sign_in_url`**](#allow_billing_access_sign_in_url) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_arn`**](#allow_dev_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_id`**](#allow_dev_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_dev_access_sign_in_url`**](#allow_dev_access_sign_in_url) — + + + +* [**`allow_full_access_from_other_accounts_iam_role_arn`**](#allow_full_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_full_access_from_other_accounts_iam_role_id`**](#allow_full_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_full_access_sign_in_url`**](#allow_full_access_sign_in_url) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_arn`**](#allow_houston_cli_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_id`**](#allow_houston_cli_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_arn`**](#allow_iam_admin_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_id`**](#allow_iam_admin_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_sign_in_url`**](#allow_iam_admin_access_sign_in_url) — + + + +* 
[**`allow_logs_access_from_other_accounts_iam_role_arn`**](#allow_logs_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_logs_access_from_other_accounts_iam_role_id`**](#allow_logs_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_logs_access_sign_in_url`**](#allow_logs_access_sign_in_url) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_arn`**](#allow_read_only_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_id`**](#allow_read_only_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_read_only_access_sign_in_url`**](#allow_read_only_access_sign_in_url) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_access_sign_in_url`**](#allow_ssh_grunt_access_sign_in_url) — + + + +* [**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_houston_access_sign_in_url`**](#allow_ssh_grunt_houston_access_sign_in_url) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_arn`**](#allow_support_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_id`**](#allow_support_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_support_access_sign_in_url`**](#allow_support_access_sign_in_url) — + + + +* [**`aws_ebs_encryption_by_default_enabled`**](#aws_ebs_encryption_by_default_enabled) — A map from region to a boolean indicating whether or not EBS encryption is enabled by default for each region. 
+ + + +* [**`aws_ebs_encryption_default_kms_key`**](#aws_ebs_encryption_default_kms_key) — A map from region to the ARN of the KMS key used for default EBS encryption for each region. + + + +* [**`billing_iam_group_arn`**](#billing_iam_group_arn) — + + + +* [**`billing_iam_group_name`**](#billing_iam_group_name) — + + + +* [**`child_accounts`**](#child_accounts) — A map of all accounts created by this module (NOT including the root account). The keys are the names of the accounts and the values are the attributes for the account as defined in the [`aws_organizations_account`](#aws_organizations_account) resource. + + + +* [**`cloudtrail_cloudwatch_group_arn`**](#cloudtrail_cloudwatch_group_arn) — The ARN of the cloudwatch log group. + + + +* [**`cloudtrail_cloudwatch_group_name`**](#cloudtrail_cloudwatch_group_name) — The name of the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_arn`**](#cloudtrail_iam_role_arn) — The ARN of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_name`**](#cloudtrail_iam_role_name) — The name of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_kms_key_alias_name`**](#cloudtrail_kms_key_alias_name) — The alias of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — The ARN of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_kms_key_arn_with_dependency`**](#cloudtrail_kms_key_arn_with_dependency) — The ARN of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_s3_access_logging_bucket_arn`**](#cloudtrail_s3_access_logging_bucket_arn) — The ARN of the S3 bucket where access logs for the CloudTrail S3 bucket are delivered. + + + +* [**`cloudtrail_s3_access_logging_bucket_name`**](#cloudtrail_s3_access_logging_bucket_name) — The name of the S3 bucket where access logs for the CloudTrail S3 bucket are delivered. 
+ + + +* [**`cloudtrail_s3_bucket_arn`**](#cloudtrail_s3_bucket_arn) — The ARN of the S3 bucket where cloudtrail logs are delivered. + + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 bucket where cloudtrail logs are delivered. + + + +* [**`cloudtrail_s3_bucket_name_with_dependency`**](#cloudtrail_s3_bucket_name_with_dependency) — The name of the S3 bucket where cloudtrail logs are delivered. Sources from 'data'. + + + +* [**`cloudtrail_trail_arn`**](#cloudtrail_trail_arn) — The ARN of the cloudtrail trail. + + + +* [**`config_iam_role_arns`**](#config_iam_role_arns) — The ARNs of the IAM role used by the config recorder. + + + +* [**`config_recorder_names`**](#config_recorder_names) — The names of the configuration recorder. + + + +* [**`config_s3_bucket_arn`**](#config_s3_bucket_arn) — The ARN of the S3 bucket used by AWS Config to store configuration items. + + + +* [**`config_s3_bucket_name`**](#config_s3_bucket_name) — The name of the S3 bucket used by AWS Config to store configuration items. + + + +* [**`config_s3_bucket_name_with_dependency`**](#config_s3_bucket_name_with_dependency) — The name of the S3 bucket used by AWS Config to store configuration items, sources from 'data'. + + + +* [**`config_sns_topic_arns`**](#config_sns_topic_arns) — The ARNs of the SNS Topic used by the config notifications. 
+ + + +* [**`cross_account_access_all_group_arn`**](#cross_account_access_all_group_arn) — + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — + + + +* [**`cross_account_access_group_arns`**](#cross_account_access_group_arns) — + + + +* [**`cross_account_access_group_names`**](#cross_account_access_group_names) — + + + +* [**`developers_iam_group_arn`**](#developers_iam_group_arn) — + + + +* [**`developers_iam_group_name`**](#developers_iam_group_name) — + + + +* [**`full_access_iam_group_arn`**](#full_access_iam_group_arn) — + + + +* [**`full_access_iam_group_name`**](#full_access_iam_group_name) — + + + +* [**`guardduty_cloudwatch_event_rule_arns`**](#guardduty_cloudwatch_event_rule_arns) — The ARNs of the cloudwatch event rules used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_cloudwatch_event_target_arns`**](#guardduty_cloudwatch_event_target_arns) — The ARNs of the cloudwatch event targets used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_detector_ids`**](#guardduty_detector_ids) — The IDs of the GuardDuty detectors. + + + +* [**`guardduty_findings_sns_topic_arns`**](#guardduty_findings_sns_topic_arns) — The ARNs of the SNS topics where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_findings_sns_topic_names`**](#guardduty_findings_sns_topic_names) — The names of the SNS topic where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. 
+ + + +* [**`houston_cli_users_iam_group_arn`**](#houston_cli_users_iam_group_arn) — + + + +* [**`houston_cli_users_iam_group_name`**](#houston_cli_users_iam_group_name) — + + + +* [**`iam_admin_iam_group_arn`**](#iam_admin_iam_group_arn) — + + + +* [**`iam_admin_iam_group_name`**](#iam_admin_iam_group_name) — + + + +* [**`iam_admin_iam_policy_arn`**](#iam_admin_iam_policy_arn) — + + + +* [**`iam_self_mgmt_iam_group_arn`**](#iam_self_mgmt_iam_group_arn) — + + + +* [**`iam_self_mgmt_iam_group_name`**](#iam_self_mgmt_iam_group_name) — + + + +* [**`iam_self_mgmt_iam_policy_arn`**](#iam_self_mgmt_iam_policy_arn) — + + + +* [**`logs_iam_group_arn`**](#logs_iam_group_arn) — + + + +* [**`logs_iam_group_name`**](#logs_iam_group_name) — + + + +* [**`master_account_arn`**](#master_account_arn) — ARN of the master account. + + + +* [**`master_account_email`**](#master_account_email) — Email address of the master account. + + + +* [**`master_account_id`**](#master_account_id) — Identifier of the master account. + + + +* [**`organization_arn`**](#organization_arn) — ARN of the organization. + + + +* [**`organization_id`**](#organization_id) — Identifier of the organization. + + + +* [**`organization_root_id`**](#organization_root_id) — Identifier of the root of this organization. 
+ + + +* [**`read_only_iam_group_arn`**](#read_only_iam_group_arn) — + + + +* [**`read_only_iam_group_name`**](#read_only_iam_group_name) — + + + +* [**`require_mfa_policy`**](#require_mfa_policy) — + + + +* [**`ssh_grunt_sudo_users_group_arns`**](#ssh_grunt_sudo_users_group_arns) — + + + +* [**`ssh_grunt_sudo_users_group_names`**](#ssh_grunt_sudo_users_group_names) — + + + +* [**`ssh_grunt_users_group_arns`**](#ssh_grunt_users_group_arns) — + + + +* [**`ssh_grunt_users_group_names`**](#ssh_grunt_users_group_names) — + + + +* [**`support_iam_group_arn`**](#support_iam_group_arn) — + + + +* [**`support_iam_group_name`**](#support_iam_group_name) — + + + +* [**`use_existing_iam_roles_iam_group_arn`**](#use_existing_iam_roles_iam_group_arn) — + + + +* [**`use_existing_iam_roles_iam_group_name`**](#use_existing_iam_roles_iam_group_name) — + + + +* [**`user_access_keys`**](#user_access_keys) — A map of user name to that user's access keys (a map with keys [`access_key_id`](#access_key_id) and [`secret_access_key`](#secret_access_key)), with the [`secret_access_key`](#secret_access_key) encrypted with that user's PGP key (only shows up for users with [`create_access_keys`](#create_access_keys) = true). You can decrypt the [`secret_access_key`](#secret_access_key) on the CLI: echo [`<secret_access_key`](#<secret_access_key)> | base64 --decode | keybase pgp decrypt + + + +* [**`user_arns`**](#user_arns) — A map of user name to the ARN for that IAM user. + + + +* [**`user_passwords`**](#user_passwords) — A map of user name to that user's AWS Web Console password, encrypted with that user's PGP key (only shows up for users with [`create_login_profile`](#create_login_profile) = true). You can decrypt the password on the CLI: echo <password> | base64 --decode | keybase pgp decrypt + +
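Review bot: the anchor-link rewriting in this hunk is over-eager and leaves a number of dead links, so the navigation this PR is meant to fix still breaks in places. Every backtick-quoted token in a description is turned into `[`token`](#token)`, so URLs (in `configrules_maximum_execution_frequency`, `organizations_aws_service_access_principals` and `organizations_enabled_policy_types`, where the trailing `.html` is even left outside the link), enum values (`SIX_HOURS`, `FIFTEEN_MINUTES`, `ONE_HOUR`, `CONSOLIDATED_BILLING`), object keys (`'group_name`, `'iam_role_arns`, `'pgp_key`, `'create_login_profile`, `'create_access_keys`, `'permissions_boundary`) and the `<secret_access_key` placeholder in `user_access_keys` all become anchors that point nowhere; `organizations_default_tags` ends up as `[`´child_account`](#´child_account).*.tags´`. Several cross-references also target names that do not appear among this module's variables or outputs (`global_recorder_region` in the three `*_opt_in_regions` entries, `findings_sns_topic_name` and `publish_findings_to_sns` in the GuardDuty entries, `force_destroy` in `force_destroy_users`, `create_login_profile` in `password_reset_required`). Suggest restricting the rewrite to tokens that match a declared variable or output name and leaving everything else as plain code, e.g. `[`guardduty_findings_sns_topic_name`](#guardduty_findings_sns_topic_name)` for the `guardduty_publish_findings_to_sns` entry. Separately, the `enable_config` description is copy-pasted from `enable_cloudtrail`: it tells the reader to set `enable_cloudtrail` and `cloudtrail_should_create_s3_bucket` to false, where it should say `enable_config` and `config_should_create_s3_bucket`. Finally, the output entries from `allow_auto_deploy_access_from_other_accounts_iam_role_arn` through `use_existing_iam_roles_iam_group_name` (the `*_iam_role_arn`, `*_iam_role_id`, `*_sign_in_url`, `*_iam_group_arn`, `*_iam_group_name` and `require_mfa_policy` outputs) render as a bare ` — ` with no description; either give them one or drop the trailing dash for outputs that have none.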
diff --git a/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md index c1e25c522..9b9afc638 100644 --- a/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md @@ -10,1545 +10,887 @@ A security baseline for AWS Landing Zone for configuring the security account (t ### Reference - -
    - -
  • -

    - - additional_config_rules - - Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details -

    -
  • -
  • -

    - - allow_auto_deploy_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in var.auto_deploy_permissions. -

    -
  • -
  • -

    - - allow_billing_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. -

    -
  • -
  • -

    - - allow_cloudtrail_access_with_iam - - If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in var.kms_key_user_iam_arns will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) -

    -
  • -
  • -

    - - allow_dev_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in var.dev_permitted_services. -

    -
  • -
  • -

    - - allow_full_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. -

    -
  • -
  • -

    - - allow_logs_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. Will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. -

    -
  • -
  • -

    - - allow_read_only_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. -

    -
  • -
  • -

    - - allow_ssh_grunt_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. -

    -
  • -
  • -

    - - allow_support_access_from_other_account_arns - - A list of IAM ARNs from other AWS accounts that will be allowed support access (AWSSupportAccess) to this account. -

    -
  • -
  • -

    - - auto_deploy_permissions - - A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If var.should_create_iam_group_auto_deploy is true, the list must have at least one element (e.g. '*'). -

    -
  • -
  • -

    - - aws_account_id - - The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. -

    -
  • -
  • -

    - - aws_region - - The AWS Region to use as the global config recorder and seed region for GuardDuty. -

    -
  • -
  • -

    - - cloudtrail_allow_kms_describe_key_to_external_aws_accounts - - Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. -

    -
  • -
  • -

    - - cloudtrail_cloudwatch_logs_group_name - - Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. -

    -
  • -
  • -

    - - cloudtrail_data_logging_enabled - - If true, logging of data events will be enabled. -

    -
  • -
  • -

    - - cloudtrail_data_logging_include_management_events - - Specify if you want your event selector to include management events for your trail. -

    -
  • -
  • -

    - - cloudtrail_data_logging_read_write_type - - Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. -

    -
  • -
  • -

    - - cloudtrail_data_logging_resources - - Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the 'data_resource' block within the 'event_selector' block of the 'aws_cloudtrail' resource for context: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource. -

    -
  • -
  • -

    - - cloudtrail_external_aws_account_ids_with_write_access - - A list of external AWS accounts that should be given write access for CloudTrail logs to this S3 bucket. This is useful when aggregating CloudTrail logs for multiple AWS accounts in one common S3 bucket. -

    -
  • -
  • -

    - - cloudtrail_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - cloudtrail_kms_key_administrator_iam_arns - - All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn - - All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists, set this to the ARN of that CMK. Otherwise, set this to null, and a new CMK will be created. We recommend setting this to the ARN of a CMK that already exists in a separate logs account. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn_is_alias - - If the kms_key_arn provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires var.cloudtrail_allow_kms_describe_key_to_external_aws_accounts to also be true for multi-account scenarios. -

    -
  • -
  • -

    - - cloudtrail_kms_key_user_iam_arns - - All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - cloudtrail_num_days_to_retain_cloudwatch_logs - - After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. -

    -
  • -
  • -

    - - cloudtrail_s3_bucket_already_exists - - Set to false to create an S3 bucket of name var.cloudtrail_s3_bucket_name in this account for storing CloudTrail logs. Set to true to assume the bucket specified in var.cloudtrail_s3_bucket_name already exists in another AWS account. We recommend setting this to true and setting var.cloudtrail_s3_bucket_name to the name of a bucket that already exists in a separate logs account. -

    -
  • -
  • -

    - - cloudtrail_s3_bucket_name - - The name of the S3 Bucket where CloudTrail logs will be stored. If value is `null`, defaults to `var.name_prefix`-cloudtrail -

    -
  • -
  • -

    - - cloudtrail_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - cloudtrail_tags - - Tags to apply to the CloudTrail resources. -

    -
  • -
  • -

    - - config_aggregate_config_data_in_external_account - - Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the config_central_account_id variable. This redundant variable has to exist because Terraform does not allow computed data in count and for_each parameters and var.config_central_account_id may be computed if its the ID of a newly-created AWS account. -

    -
  • -
  • -

    - - config_central_account_id - - If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account. If the S3 bucket and SNS topics live in this account, set this variable to null. We recommend setting this to the ID of a separate logs account. Only used if var.config_aggregate_config_data_in_external_account is true. -

    -
  • -
  • -

    - - config_create_account_rules - - Set to true to create AWS Config rules directly in this account. Set false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts. -

    -
  • -
  • -

    - - config_force_destroy - - If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! -

    -
  • -
  • -

    - - config_linked_accounts - - Provide a list of AWS account IDs that will send Config data to this account. This is useful if your aggregating config data in this account for other accounts. -

    -
  • -
  • -

    - - config_num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - config_num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - config_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. -

    -
  • -
  • -

    - - config_s3_bucket_name - - The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where logs should be sent. We recommend setting this to the name of a bucket in a separate logs account. -

    -
  • -
  • -

    - - config_s3_mfa_delete - - Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. -

    -
  • -
  • -

    - - config_should_create_s3_bucket - - Set to true to create an S3 bucket of name var.config_s3_bucket_name in this account for storing AWS Config data. Set to false to assume the bucket specified in var.config_s3_bucket_name already exists in another AWS account. We recommend setting this to false and setting var.config_s3_bucket_name to the name off an S3 bucket that already exists in a separate logs account. -

    -
  • -
  • -

    - - config_should_create_sns_topic - - Set to true to create an SNS topic in this account for sending AWS Config notifications (e.g., if this is the logs account). Set to false to assume the topic specified in var.config_sns_topic_name already exists in another AWS account (e.g., if this is the stage or prod account and var.config_sns_topic_name is the name of an SNS topic in the logs account). -

    -
  • -
  • -

    - - config_sns_topic_name - - The name of the SNS Topic in where AWS Config notifications will be sent. Can be in the same account or in another account. -

    -
  • -
  • -

    - - config_tags - - A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - configrules_maximum_execution_frequency - - The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. See https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency -

    -
  • -
  • -

    - - cross_account_access_all_group_name - - The name of the IAM group that will grant access to all external AWS accounts in var.iam_groups_for_cross_account_access. -

    -
  • -
  • -

    - - dev_permitted_services - - A list of AWS services for which the developers from the accounts in var.allow_dev_access_from_other_account_arns will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. -

    -
  • -
  • -

    - - ebs_enable_encryption - - If set to true (default), all new EBS volumes will have encryption enabled by default -

    -
  • -
  • -

    - - ebs_kms_key_name - - The name of the KMS CMK to use by default for encrypting EBS volumes, if var.ebs_enable_encryption and var.ebs_use_existing_kms_keys are enabled. The name must match a name given the var.kms_customer_master_keys variable. -

    -
  • -
  • -

    - - ebs_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - ebs_use_existing_kms_keys - - If set to true, the KMS Customer Managed Keys (CMK) with the name in var.ebs_kms_key_name will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. -

    -
  • -
  • -

    - - enable_cloudtrail - - Set to true (default) to enable CloudTrail in the security account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default. -

    -
  • -
  • -

    - - enable_config - - Set to true to enable AWS Config in the security account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored). -

    -
  • -
  • -

    - - enable_encrypted_volumes - - Checks whether the EBS volumes that are in an attached state are encrypted. -

    -
  • -
  • -

    - - enable_iam_access_analyzer - - A feature flag to enable or disable this module. -

    -
  • -
  • -

    - - enable_iam_cross_account_roles - - A feature flag to enable or disable the Cross Account Iam Roles module. -

    -
  • -
  • -

    - - enable_iam_groups - - A feature flag to enable or disable the IAM Groups module. -

    -
  • -
  • -

    - - enable_iam_password_policy - - Checks whether the account password policy for IAM users meets the specified requirements. -

    -
  • -
  • -

    - - enable_insecure_sg_rules - - Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. -

    -
  • -
  • -

    - - enable_rds_storage_encrypted - - Checks whether storage encryption is enabled for your RDS DB instances. -

    -
  • -
  • -

    - - enable_root_account_mfa - - Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. -

    -
  • -
  • -

    - - enable_s3_bucket_public_read_prohibited - - Checks that your Amazon S3 buckets do not allow public read access. -

    -
  • -
  • -

    - - enable_s3_bucket_public_write_prohibited - - Checks that your Amazon S3 buckets do not allow public write access. -

    -
  • -
  • -

    - - encrypted_volumes_kms_id - - ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. -

    -
  • -
  • -

    - - force_destroy_users - - When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. -

    -
  • -
  • -

    - - guardduty_cloudwatch_event_rule_name - - Name of the Cloudwatch event rules. -

    -
  • -
  • -

    - - guardduty_finding_publishing_frequency - - Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to SIX_HOURS. For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. -

    -
  • -
  • -

    - - guardduty_findings_sns_topic_name - - Specifies a name for the created SNS topics where findings are published. publish_findings_to_sns must be set to true. -

    -
  • -
  • -

    - - guardduty_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - guardduty_publish_findings_to_sns - - Send GuardDuty findings to SNS topics specified by findings_sns_topic_name. -

    -
  • -
  • -

    - - iam_access_analyzer_name - - The name of the IAM Access Analyzer module -

    -
  • -
  • -

    - - iam_access_analyzer_opt_in_regions - - Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - iam_access_analyzer_type - - If set to ACCOUNT, the analyzer will only be scanning the current AWS account it's in. If set to ORGANIZATION - will scan the organization AWS account and the child accounts. -

    -
  • -
  • -

    - - iam_group_developers_permitted_services - - A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. -

    -
  • -
  • -

    - - iam_group_name_auto_deploy - - The name of the IAM Group that allows automated deployment by graning the permissions specified in var.auto_deploy_permissions. -

    -
  • -
  • -

    - - iam_group_name_billing - - The name to be used for the IAM Group that grants read/write access to all billing features in AWS. -

    -
  • -
  • -

    - - iam_group_name_developers - - The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers. -

    -
  • -
  • -

    - - iam_group_name_full_access - - The name to be used for the IAM Group that grants full access to all AWS resources. -

    -
  • -
  • -

    - - iam_group_name_houston_cli - - The name of the IAM Group that allows access to houston CLI. -

    -
  • -
  • -

    - - iam_group_name_iam_admin - - The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access. -

    -
  • -
  • -

    - - iam_group_name_iam_user_self_mgmt - - The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account. -

    -
  • -
  • -

    - - iam_group_name_logs - - The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS. -

    -
  • -
  • -

    - - iam_group_name_read_only - - The name to be used for the IAM Group that grants read-only access to all AWS resources. -

    -
  • -
  • -

    - - iam_group_name_support - - The name of the IAM Group that allows access to AWS Support. -

    -
  • -
  • -

    - - iam_group_name_use_existing_iam_roles - - The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles. -

    -
  • -
  • -

    - - iam_group_names_ssh_grunt_sudo_users - - The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. -

    -
  • -
  • -

    - - iam_group_names_ssh_grunt_users - - The name to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. -

    -
  • -
  • -

    - - iam_groups_for_cross_account_access - - This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields 'group_name', which will be used as the name of the IAM group, and 'iam_role_arns', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). -

    -
  • -
  • -

    - - iam_password_policy_allow_users_to_change_password - - Allow users to change their own password. -

    -
  • -
  • -

    - - iam_password_policy_hard_expiry - - Password expiration requires administrator reset. -

    -
  • -
  • -

    - - iam_password_policy_max_password_age - - Number of days before password expiration. -

    -
  • -
  • -

    - - iam_password_policy_minimum_password_length - - Password minimum length. -

    -
  • -
  • -

    - - iam_password_policy_password_reuse_prevention - - Number of passwords before allowing reuse. -

    -
  • -
  • -

    - - iam_password_policy_require_lowercase_characters - - Require at least one lowercase character in password. -

    -
  • -
  • -

    - - iam_password_policy_require_numbers - - Require at least one number in password. -

    -
  • -
  • -

    - - iam_password_policy_require_symbols - - Require at least one symbol in password. -

    -
  • -
  • -

    - - iam_password_policy_require_uppercase_characters - - Require at least one uppercase character in password. -

    -
  • -
  • -

    - - iam_policy_iam_user_self_mgmt - - The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account. -

    -
  • -
  • -

    - - iam_role_tags - - The tags to apply to all the IAM role resources. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_tcp_ports - - Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. -

    -
  • -
  • -

    - - insecure_sg_rules_authorized_udp_ports - - Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. -

    -
  • -
  • -

    - - kms_cmk_global_tags - - A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - kms_cmk_opt_in_regions - - Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for global_recorder_region must be in this list. -

    -
  • -
  • -

    - - kms_customer_master_keys - - You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. See the comment below for the configuration options you can set for each key. -

    -
  • -
  • -

    - - kms_grant_regions - - The map of names of KMS grants to the region where the key resides in. There should be a one to one mapping between entries in this map and the entries of the kms_grants map. This is used to workaround a terraform limitation where the for_each value can not depend on resources. -

    -
  • -
  • -

    - - kms_grants - - Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account. -

    -
  • -
  • -

    - - max_session_duration_human_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see var.max_session_duration_machine_users. -

    -
  • -
  • -

    - - max_session_duration_machine_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see var.max_session_duration_human_users. -

    -
  • -
  • -

    - - name_prefix - - The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. -

    -
  • -
  • -

    - - password_reset_required - - Force the user to reset their password on initial login. Only used for users with create_login_profile set to true. -

    -
  • -
  • -

    - - rds_storage_encrypted_kms_id - - KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. -

    -
  • -
  • -

    - - service_linked_roles - - Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html for the list of services that support service-linked roles. -

    -
  • -
  • -

    - - should_create_iam_group_auto_deploy - - Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in var.auto_deploy_permissions. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_billing - - Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_cross_account_access_all - - Should we create the IAM Group for access to all external AWS accounts? -

    -
  • -
  • -

    - - should_create_iam_group_developers - - Should we create the IAM Group for developers? The permissions of that group are specified via var.iam_group_developers_permitted_services. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_full_access - - Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_houston_cli_users - - Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. -

    -
  • -
  • -

    - - should_create_iam_group_iam_admin - - Should we create the IAM Group for IAM administrator access? Allows users to manage all IAM entities, effectively granting administrator access. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_logs - - Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also give decrypt access to a KMS CMK. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_read_only - - Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_support - - Should we create the IAM Group for support? Allows support access (AWSupportAccess). (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_use_existing_iam_roles - - Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_user_self_mgmt - - Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false) -

    -
  • -
  • -

    - - should_require_mfa - - Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) -

    -
  • -
  • -

    - - users - - A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true), 'create_login_profile' (if set to true, create a password to login to the AWS Web Console), 'create_access_keys' (if set to true, create access keys for the user), 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is used to set the permissions boundary for the user). -

    -
  • -
-
- - - + + + + +* [**`additional_config_rules`**](#additional_config_rules) — Map of additional managed rules to add. The key is the name of the rule (e.g. ´acm-certificate-expiration-check´) and the value is an object specifying the rule details + + + +* [**`allow_auto_deploy_from_other_account_arns`**](#allow_auto_deploy_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed to assume the auto deploy IAM role that has the permissions in [`auto_deploy_permissions`](#auto_deploy_permissions). + + + +* [**`allow_billing_access_from_other_account_arns`**](#allow_billing_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the billing info for this account. + + + +* [**`allow_cloudtrail_access_with_iam`**](#allow_cloudtrail_access_with_iam) — If true, an IAM Policy that grants access to CloudTrail will be honored. If false, only the ARNs listed in [`kms_key_user_iam_arns`](#kms_key_user_iam_arns) will have access to CloudTrail and any IAM Policy grants will be ignored. (true or false) + + + +* [**`allow_dev_access_from_other_account_arns`**](#allow_dev_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to the services in this account specified in [`dev_permitted_services`](#dev_permitted_services). + + + +* [**`allow_full_access_from_other_account_arns`**](#allow_full_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed full (read and write) access to this account. + + + +* [**`allow_logs_access_from_other_account_arns`**](#allow_logs_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed access to the logs in CloudTrail, AWS Config, and CloudWatch for this account. Will also be given permissions to decrypt with the KMS CMK that is used to encrypt CloudTrail logs. 
+ + + +* [**`allow_read_only_access_from_other_account_arns`**](#allow_read_only_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read-only access to this account. + + + +* [**`allow_ssh_grunt_access_from_other_account_arns`**](#allow_ssh_grunt_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed read access to IAM groups and publish SSH keys. This is used for ssh-grunt. + + + +* [**`allow_support_access_from_other_account_arns`**](#allow_support_access_from_other_account_arns) — A list of IAM ARNs from other AWS accounts that will be allowed support access (AWSSupportAccess) to this account. + + + +* [**`auto_deploy_permissions`**](#auto_deploy_permissions) — A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If [`should_create_iam_group_auto_deploy`](#should_create_iam_group_auto_deploy) is true, the list must have at least one element (e.g. '*'). + + + +* [**`aws_account_id`**](#aws_account_id) — The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. + + + +* [**`aws_region`**](#aws_region) — The AWS Region to use as the global config recorder and seed region for GuardDuty. + + + +* [**`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`**](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) — Whether or not to allow kms:DescribeKey to external AWS accounts with write access to the CloudTrail bucket. This is useful during deployment so that you don't have to pass around the KMS key ARN. + + + +* [**`cloudtrail_cloudwatch_logs_group_name`**](#cloudtrail_cloudwatch_logs_group_name) — Specify the name of the CloudWatch Logs group to publish the CloudTrail logs to. This log group exists in the current account. Set this value to `null` to avoid publishing the trail logs to the logs group. 
The recommended configuration for CloudTrail is (a) for each child account to aggregate its logs in an S3 bucket in a single central account, such as a logs account and (b) to also store 14 days work of logs in CloudWatch in the child account itself for local debugging. + + + +* [**`cloudtrail_data_logging_enabled`**](#cloudtrail_data_logging_enabled) — If true, logging of data events will be enabled. + + + +* [**`cloudtrail_data_logging_include_management_events`**](#cloudtrail_data_logging_include_management_events) — Specify if you want your event selector to include management events for your trail. + + + +* [**`cloudtrail_data_logging_read_write_type`**](#cloudtrail_data_logging_read_write_type) — Specify if you want your trail to log read-only events, write-only events, or all. Possible values are: ReadOnly, WriteOnly, All. + + + +* [**`cloudtrail_data_logging_resources`**](#cloudtrail_data_logging_resources) — Data resources for which to log data events. This should be a map, where each key is a data resource type, and each value is a list of data resource values. Possible values for data resource types are: AWS::S3::Object, AWS::Lambda::Function and AWS::DynamoDB::Table. See the [`'data_resource`](#'data_resource)' block within the [`'event_selector`](#'event_selector)' block of the [`'aws_cloudtrail`](#'aws_cloudtrail)' resource for context: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#data_resource). + + + +* [**`cloudtrail_external_aws_account_ids_with_write_access`**](#cloudtrail_external_aws_account_ids_with_write_access) — A list of external AWS accounts that should be given write access for CloudTrail logs to this S3 bucket. This is useful when aggregating CloudTrail logs for multiple AWS accounts in one common S3 bucket. 
+ + + +* [**`cloudtrail_force_destroy`**](#cloudtrail_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`cloudtrail_kms_key_administrator_iam_arns`**](#cloudtrail_kms_key_administrator_iam_arns) — All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — All CloudTrail Logs will be encrypted with a KMS CMK (Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. If that CMK already exists, set this to the ARN of that CMK. Otherwise, set this to null, and a new CMK will be created. We recommend setting this to the ARN of a CMK that already exists in a separate logs account. + + + +* [**`cloudtrail_kms_key_arn_is_alias`**](#cloudtrail_kms_key_arn_is_alias) — If the [`kms_key_arn`](#kms_key_arn) provided is an alias or alias ARN, then this must be set to true so that the module will exchange the alias for a CMK ARN. Setting this to true and using aliases requires [`cloudtrail_allow_kms_describe_key_to_external_aws_accounts`](#cloudtrail_allow_kms_describe_key_to_external_aws_accounts) to also be true for multi-account scenarios. + + + +* [**`cloudtrail_kms_key_user_iam_arns`**](#cloudtrail_kms_key_user_iam_arns) — All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data. 
+ + + +* [**`cloudtrail_num_days_after_which_archive_log_data`**](#cloudtrail_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`cloudtrail_num_days_after_which_delete_log_data`**](#cloudtrail_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`cloudtrail_num_days_to_retain_cloudwatch_logs`**](#cloudtrail_num_days_to_retain_cloudwatch_logs) — After this number of days, logs stored in CloudWatch will be deleted. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0 (default). When set to 0, logs will be retained indefinitely. + + + +* [**`cloudtrail_s3_bucket_already_exists`**](#cloudtrail_s3_bucket_already_exists) — Set to false to create an S3 bucket of name [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) in this account for storing CloudTrail logs. Set to true to assume the bucket specified in [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) already exists in another AWS account. We recommend setting this to true and setting [`cloudtrail_s3_bucket_name`](#cloudtrail_s3_bucket_name) to the name of a bucket that already exists in a separate logs account. + + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 Bucket where CloudTrail logs will be stored. If value is `null`, defaults to [``var.name_prefix`](#`var.name_prefix)`-cloudtrail + + + +* [**`cloudtrail_s3_mfa_delete`**](#cloudtrail_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage Cloudtrail data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. 
For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`cloudtrail_tags`**](#cloudtrail_tags) — Tags to apply to the CloudTrail resources. + + + +* [**`config_aggregate_config_data_in_external_account`**](#config_aggregate_config_data_in_external_account) — Set to true to send the AWS Config data to another account (e.g., a logs account) for aggregation purposes. You must set the ID of that other account via the [`config_central_account_id`](#config_central_account_id) variable. This redundant variable has to exist because Terraform does not allow computed data in count and [`for_each`](#for_each) parameters and [`config_central_account_id`](#config_central_account_id) may be computed if its the ID of a newly-created AWS account. + + + +* [**`config_central_account_id`**](#config_central_account_id) — If the S3 bucket and SNS topics used for AWS Config live in a different AWS account, set this variable to the ID of that account. If the S3 bucket and SNS topics live in this account, set this variable to null. We recommend setting this to the ID of a separate logs account. Only used if [`config_aggregate_config_data_in_external_account`](#config_aggregate_config_data_in_external_account) is true. + + + +* [**`config_create_account_rules`**](#config_create_account_rules) — Set to true to create AWS Config rules directly in this account. Set false to not create any Config rules in this account (i.e., if you created the rules at the organization level already). We recommend setting this to true to use account-level rules because org-level rules create a chicken-and-egg problem with creating new accounts. + + + +* [**`config_force_destroy`**](#config_force_destroy) — If set to true, when you run 'terraform destroy', delete all objects from the bucket so that the bucket can be destroyed without error. 
Warning: these objects are not recoverable so only use this if you're absolutely sure you want to permanently delete everything! + + + +* [**`config_linked_accounts`**](#config_linked_accounts) — Provide a list of AWS account IDs that will send Config data to this account. This is useful if your aggregating config data in this account for other accounts. + + + +* [**`config_num_days_after_which_archive_log_data`**](#config_num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`config_num_days_after_which_delete_log_data`**](#config_num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`config_opt_in_regions`**](#config_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable AWS Config in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. + + + +* [**`config_s3_bucket_name`**](#config_s3_bucket_name) — The name of the S3 Bucket where CloudTrail logs will be stored. This could be a bucket in this AWS account or the name of a bucket in another AWS account where logs should be sent. We recommend setting this to the name of a bucket in a separate logs account. + + + +* [**`config_s3_mfa_delete`**](#config_s3_mfa_delete) — Enable MFA delete for either 'Change the versioning state of your bucket' or 'Permanently delete an object version'. This setting only applies to the bucket used to storage AWS Config data. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS. 
For instructions on how to enable MFA Delete, check out the README from the terraform-aws-security/private-s3-bucket module. + + + +* [**`config_should_create_s3_bucket`**](#config_should_create_s3_bucket) — Set to true to create an S3 bucket of name [`config_s3_bucket_name`](#config_s3_bucket_name) in this account for storing AWS Config data. Set to false to assume the bucket specified in [`config_s3_bucket_name`](#config_s3_bucket_name) already exists in another AWS account. We recommend setting this to false and setting [`config_s3_bucket_name`](#config_s3_bucket_name) to the name off an S3 bucket that already exists in a separate logs account. + + + +* [**`config_should_create_sns_topic`**](#config_should_create_sns_topic) — Set to true to create an SNS topic in this account for sending AWS Config notifications (e.g., if this is the logs account). Set to false to assume the topic specified in [`config_sns_topic_name`](#config_sns_topic_name) already exists in another AWS account (e.g., if this is the stage or prod account and [`config_sns_topic_name`](#config_sns_topic_name) is the name of an SNS topic in the logs account). + + + +* [**`config_sns_topic_name`**](#config_sns_topic_name) — The name of the SNS Topic in where AWS Config notifications will be sent. Can be in the same account or in another account. + + + +* [**`config_tags`**](#config_tags) — A map of tags to apply to the S3 Bucket. The key is the tag name and the value is the tag value. + + + +* [**`configrules_maximum_execution_frequency`**](#configrules_maximum_execution_frequency) — The maximum frequency with which AWS Config runs evaluations for the ´PERIODIC´ rules. 
See [`https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency`](#https://www.terraform.io/docs/providers/aws/r/config_organization_managed_rule.html#maximum_execution_frequency) + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — The name of the IAM group that will grant access to all external AWS accounts in [`iam_groups_for_cross_account_access`](#iam_groups_for_cross_account_access). + + + +* [**`dev_permitted_services`**](#dev_permitted_services) — A list of AWS services for which the developers from the accounts in [`allow_dev_access_from_other_account_arns`](#allow_dev_access_from_other_account_arns) will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. + + + +* [**`ebs_enable_encryption`**](#ebs_enable_encryption) — If set to true (default), all new EBS volumes will have encryption enabled by default + + + +* [**`ebs_kms_key_name`**](#ebs_kms_key_name) — The name of the KMS CMK to use by default for encrypting EBS volumes, if [`ebs_enable_encryption`](#ebs_enable_encryption) and [`ebs_use_existing_kms_keys`](#ebs_use_existing_kms_keys) are enabled. The name must match a name given the [`kms_customer_master_keys`](#kms_customer_master_keys) variable. + + + +* [**`ebs_opt_in_regions`**](#ebs_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable EBS Encryption in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). 
To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`ebs_use_existing_kms_keys`**](#ebs_use_existing_kms_keys) — If set to true, the KMS Customer Managed Keys (CMK) with the name in [`ebs_kms_key_name`](#ebs_kms_key_name) will be set as the default for EBS encryption. When false (default), the AWS-managed aws/ebs key will be used. + + + +* [**`enable_cloudtrail`**](#enable_cloudtrail) — Set to true (default) to enable CloudTrail in the security account. Set to false to disable CloudTrail (note: all other CloudTrail variables will be ignored). Note that if you have enabled organization trail in the root (parent) account, you should set this to false; the organization trail will enable CloudTrail on child accounts by default. + + + +* [**`enable_config`**](#enable_config) — Set to true to enable AWS Config in the security account. Set to false to disable AWS Config (note: all other AWS config variables will be ignored). + + + +* [**`enable_encrypted_volumes`**](#enable_encrypted_volumes) — Checks whether the EBS volumes that are in an attached state are encrypted. + + + +* [**`enable_iam_access_analyzer`**](#enable_iam_access_analyzer) — A feature flag to enable or disable this module. + + + +* [**`enable_iam_cross_account_roles`**](#enable_iam_cross_account_roles) — A feature flag to enable or disable the Cross Account Iam Roles module. + + + +* [**`enable_iam_groups`**](#enable_iam_groups) — A feature flag to enable or disable the IAM Groups module. + + + +* [**`enable_iam_password_policy`**](#enable_iam_password_policy) — Checks whether the account password policy for IAM users meets the specified requirements. 
+ + + +* [**`enable_insecure_sg_rules`**](#enable_insecure_sg_rules) — Checks whether the security group with 0.0.0.0/0 of any Amazon Virtual Private Cloud (Amazon VPC) allows only specific inbound TCP or UDP traffic. + + + +* [**`enable_rds_storage_encrypted`**](#enable_rds_storage_encrypted) — Checks whether storage encryption is enabled for your RDS DB instances. + + + +* [**`enable_root_account_mfa`**](#enable_root_account_mfa) — Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root credentials. + + + +* [**`enable_s3_bucket_public_read_prohibited`**](#enable_s3_bucket_public_read_prohibited) — Checks that your Amazon S3 buckets do not allow public read access. + + + +* [**`enable_s3_bucket_public_write_prohibited`**](#enable_s3_bucket_public_write_prohibited) — Checks that your Amazon S3 buckets do not allow public write access. + + + +* [**`encrypted_volumes_kms_id`**](#encrypted_volumes_kms_id) — ID or ARN of the KMS key that is used to encrypt the volume. Used for configuring the encrypted volumes config rule. + + + +* [**`force_destroy_users`**](#force_destroy_users) — When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without [`force_destroy`](#force_destroy) a user with non-Terraform-managed access keys and login profile will fail to be destroyed. + + + +* [**`guardduty_cloudwatch_event_rule_name`**](#guardduty_cloudwatch_event_rule_name) — Name of the Cloudwatch event rules. + + + +* [**`guardduty_finding_publishing_frequency`**](#guardduty_finding_publishing_frequency) — Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty master account and cannot be modified, otherwise defaults to [`SIX_HOURS`](#SIX_HOURS). 
For standalone and GuardDuty master accounts, it must be configured in Terraform to enable drift detection. Valid values for standalone and master accounts: [`FIFTEEN_MINUTES`](#FIFTEEN_MINUTES), [`ONE_HOUR`](#ONE_HOUR), [`SIX_HOURS`](#SIX_HOURS). + + + +* [**`guardduty_findings_sns_topic_name`**](#guardduty_findings_sns_topic_name) — Specifies a name for the created SNS topics where findings are published. [`publish_findings_to_sns`](#publish_findings_to_sns) must be set to true. + + + +* [**`guardduty_opt_in_regions`**](#guardduty_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable GuardDuty in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`guardduty_publish_findings_to_sns`**](#guardduty_publish_findings_to_sns) — Send GuardDuty findings to SNS topics specified by [`findings_sns_topic_name`](#findings_sns_topic_name). + + + +* [**`iam_access_analyzer_name`**](#iam_access_analyzer_name) — The name of the IAM Access Analyzer module + + + +* [**`iam_access_analyzer_opt_in_regions`**](#iam_access_analyzer_opt_in_regions) — Creates resources in the specified regions. The best practice is to enable IAM Access Analyzer in all enabled regions in your AWS account. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. 
The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`iam_access_analyzer_type`**](#iam_access_analyzer_type) — If set to ACCOUNT, the analyzer will only be scanning the current AWS account it's in. If set to ORGANIZATION - will scan the organization AWS account and the child accounts. + + + +* [**`iam_group_developers_permitted_services`**](#iam_group_developers_permitted_services) — A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. + + + +* [**`iam_group_name_auto_deploy`**](#iam_group_name_auto_deploy) — The name of the IAM Group that allows automated deployment by graning the permissions specified in [`auto_deploy_permissions`](#auto_deploy_permissions). + + + +* [**`iam_group_name_billing`**](#iam_group_name_billing) — The name to be used for the IAM Group that grants read/write access to all billing features in AWS. + + + +* [**`iam_group_name_developers`**](#iam_group_name_developers) — The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers. + + + +* [**`iam_group_name_full_access`**](#iam_group_name_full_access) — The name to be used for the IAM Group that grants full access to all AWS resources. + + + +* [**`iam_group_name_houston_cli`**](#iam_group_name_houston_cli) — The name of the IAM Group that allows access to houston CLI. + + + +* [**`iam_group_name_iam_admin`**](#iam_group_name_iam_admin) — The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access. 
+ + + +* [**`iam_group_name_iam_user_self_mgmt`**](#iam_group_name_iam_user_self_mgmt) — The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account. + + + +* [**`iam_group_name_logs`**](#iam_group_name_logs) — The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS. + + + +* [**`iam_group_name_read_only`**](#iam_group_name_read_only) — The name to be used for the IAM Group that grants read-only access to all AWS resources. + + + +* [**`iam_group_name_support`**](#iam_group_name_support) — The name of the IAM Group that allows access to AWS Support. + + + +* [**`iam_group_name_use_existing_iam_roles`**](#iam_group_name_use_existing_iam_roles) — The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles. + + + +* [**`iam_group_names_ssh_grunt_sudo_users`**](#iam_group_names_ssh_grunt_sudo_users) — The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. + + + +* [**`iam_group_names_ssh_grunt_users`**](#iam_group_names_ssh_grunt_users) — The name to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. 
+ + + +* [**`iam_groups_for_cross_account_access`**](#iam_groups_for_cross_account_access) — This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields [`'group_name`](#'group_name)', which will be used as the name of the IAM group, and [`'iam_role_arns`](#'iam_role_arns)', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). + + + +* [**`iam_password_policy_allow_users_to_change_password`**](#iam_password_policy_allow_users_to_change_password) — Allow users to change their own password. + + + +* [**`iam_password_policy_hard_expiry`**](#iam_password_policy_hard_expiry) — Password expiration requires administrator reset. + + + +* [**`iam_password_policy_max_password_age`**](#iam_password_policy_max_password_age) — Number of days before password expiration. + + + +* [**`iam_password_policy_minimum_password_length`**](#iam_password_policy_minimum_password_length) — Password minimum length. + + + +* [**`iam_password_policy_password_reuse_prevention`**](#iam_password_policy_password_reuse_prevention) — Number of passwords before allowing reuse. + + + +* [**`iam_password_policy_require_lowercase_characters`**](#iam_password_policy_require_lowercase_characters) — Require at least one lowercase character in password. + + + +* [**`iam_password_policy_require_numbers`**](#iam_password_policy_require_numbers) — Require at least one number in password. + + + +* [**`iam_password_policy_require_symbols`**](#iam_password_policy_require_symbols) — Require at least one symbol in password. 
+ + + +* [**`iam_password_policy_require_uppercase_characters`**](#iam_password_policy_require_uppercase_characters) — Require at least one uppercase character in password. + + + +* [**`iam_policy_iam_user_self_mgmt`**](#iam_policy_iam_user_self_mgmt) — The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account. + + + +* [**`iam_role_tags`**](#iam_role_tags) — The tags to apply to all the IAM role resources. + + + +* [**`insecure_sg_rules_authorized_tcp_ports`**](#insecure_sg_rules_authorized_tcp_ports) — Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '443,1020-1025'. + + + +* [**`insecure_sg_rules_authorized_udp_ports`**](#insecure_sg_rules_authorized_udp_ports) — Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by a dash; for example, '500,1020-1025'. + + + +* [**`kms_cmk_global_tags`**](#kms_cmk_global_tags) — A map of tags to apply to all KMS Keys to be created. In this map variable, the key is the tag name and the value is the tag value. + + + +* [**`kms_cmk_opt_in_regions`**](#kms_cmk_opt_in_regions) — Creates resources in the specified regions. This variable must NOT be set to null or empty. Otherwise, we won't know which regions to use and authenticate to, and may use some not enabled in your AWS account (e.g., GovCloud, China, etc). To get the list of regions enabled in your AWS account, you can use the AWS CLI: aws ec2 describe-regions. The value provided for [`global_recorder_region`](#global_recorder_region) must be in this list. + + + +* [**`kms_customer_master_keys`**](#kms_customer_master_keys) — You can use this variable to create account-level KMS Customer Master Keys (CMKs) for encrypting and decrypting data. This variable should be a map where the keys are the names of the CMK and the values are an object that defines the configuration for that CMK. 
See the comment below for the configuration options you can set for each key. + + + +* [**`kms_grant_regions`**](#kms_grant_regions) — The map of names of KMS grants to the region where the key resides in. There should be a one to one mapping between entries in this map and the entries of the [`kms_grants`](#kms_grants) map. This is used to workaround a terraform limitation where the [`for_each`](#for_each) value can not depend on resources. + + + +* [**`kms_grants`**](#kms_grants) — Create the specified KMS grants to allow entities to use the KMS key without modifying the KMS policy or IAM. This is necessary to allow AWS services (e.g. ASG) to use CMKs encrypt and decrypt resources. The input is a map of grant name to grant properties. The name must be unique per account. + + + +* [**`max_session_duration_human_users`**](#max_session_duration_human_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see [`max_session_duration_machine_users`](#max_session_duration_machine_users). + + + +* [**`max_session_duration_machine_users`**](#max_session_duration_machine_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see [`max_session_duration_human_users`](#max_session_duration_human_users). 
+ + + +* [**`name_prefix`**](#name_prefix) — The name used to prefix AWS Config and Cloudtrail resources, including the S3 bucket names and SNS topics used for each. + + + +* [**`password_reset_required`**](#password_reset_required) — Force the user to reset their password on initial login. Only used for users with [`create_login_profile`](#create_login_profile) set to true. + + + +* [**`rds_storage_encrypted_kms_id`**](#rds_storage_encrypted_kms_id) — KMS key ID or ARN used to encrypt the storage. Used for configuring the RDS storage encryption config rule. + + + +* [**`service_linked_roles`**](#service_linked_roles) — Create service-linked roles for this set of services. You should pass in the URLs of the services, but without the protocol (e.g., http://) in front: e.g., use elasticbeanstalk.amazonaws.com for Elastic Beanstalk or es.amazonaws.com for Amazon Elasticsearch. Service-linked roles are predefined by the service, can typically only be assumed by that service, and include all the permissions that the service requires to call other AWS services on your behalf. You can typically only create one such role per AWS account, which is why this parameter exists in the account baseline. See [`https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws`](#https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws)-services-that-work-with-iam.html for the list of services that support service-linked roles. + + + +* [**`should_create_iam_group_auto_deploy`**](#should_create_iam_group_auto_deploy) — Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in [`auto_deploy_permissions`](#auto_deploy_permissions). (true or false) + + + +* [**`should_create_iam_group_billing`**](#should_create_iam_group_billing) — Should we create the IAM Group for billing? Allows read-write access to billing features only. 
(true or false) + + + +* [**`should_create_iam_group_cross_account_access_all`**](#should_create_iam_group_cross_account_access_all) — Should we create the IAM Group for access to all external AWS accounts? + + + +* [**`should_create_iam_group_developers`**](#should_create_iam_group_developers) — Should we create the IAM Group for developers? The permissions of that group are specified via [`iam_group_developers_permitted_services`](#iam_group_developers_permitted_services). (true or false) + + + +* [**`should_create_iam_group_full_access`**](#should_create_iam_group_full_access) — Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_houston_cli_users`**](#should_create_iam_group_houston_cli_users) — Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. + + + +* [**`should_create_iam_group_iam_admin`**](#should_create_iam_group_iam_admin) — Should we create the IAM Group for IAM administrator access? Allows users to manage all IAM entities, effectively granting administrator access. (true or false) + + + +* [**`should_create_iam_group_logs`**](#should_create_iam_group_logs) — Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If [`cloudtrail_kms_key_arn`](#cloudtrail_kms_key_arn) is set, will also give decrypt access to a KMS CMK. (true or false) + + + +* [**`should_create_iam_group_read_only`**](#should_create_iam_group_read_only) — Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_support`**](#should_create_iam_group_support) — Should we create the IAM Group for support? Allows support access (AWSupportAccess). 
(true or false) + + + +* [**`should_create_iam_group_use_existing_iam_roles`**](#should_create_iam_group_use_existing_iam_roles) — Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) + + + +* [**`should_create_iam_group_user_self_mgmt`**](#should_create_iam_group_user_self_mgmt) — Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false) + + + +* [**`should_require_mfa`**](#should_require_mfa) — Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) + + + +* [**`users`**](#users) — A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), [`'pgp_key`](#'pgp_key)' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if [`create_login_profile`](#create_login_profile) or [`create_access_keys`](#create_access_keys) is true), [`'create_login_profile`](#'create_login_profile)' (if set to true, create a password to login to the AWS Web Console), [`'create_access_keys`](#'create_access_keys)' (if set to true, create access keys for the user), 'path' (the path), and [`'permissions_boundary`](#'permissions_boundary)' (the ARN of the policy that is used to set the permissions boundary for the user). 
+ + + + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_arn`**](#allow_auto_deploy_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_auto_deploy_access_from_other_accounts_iam_role_id`**](#allow_auto_deploy_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_arn`**](#allow_billing_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_billing_access_from_other_accounts_iam_role_id`**](#allow_billing_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_billing_access_sign_in_url`**](#allow_billing_access_sign_in_url) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_arn`**](#allow_dev_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_dev_access_from_other_accounts_iam_role_id`**](#allow_dev_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_dev_access_sign_in_url`**](#allow_dev_access_sign_in_url) — + + + +* [**`allow_full_access_from_other_accounts_iam_role_arn`**](#allow_full_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_full_access_from_other_accounts_iam_role_id`**](#allow_full_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_full_access_sign_in_url`**](#allow_full_access_sign_in_url) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_arn`**](#allow_houston_cli_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_houston_cli_access_from_other_accounts_iam_role_id`**](#allow_houston_cli_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_arn`**](#allow_iam_admin_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_iam_admin_access_from_other_accounts_iam_role_id`**](#allow_iam_admin_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_iam_admin_access_sign_in_url`**](#allow_iam_admin_access_sign_in_url) — + + + +* 
[**`allow_logs_access_from_other_accounts_iam_role_arn`**](#allow_logs_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_logs_access_from_other_accounts_iam_role_id`**](#allow_logs_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_logs_access_sign_in_url`**](#allow_logs_access_sign_in_url) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_arn`**](#allow_read_only_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_read_only_access_from_other_accounts_iam_role_id`**](#allow_read_only_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_read_only_access_sign_in_url`**](#allow_read_only_access_sign_in_url) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_access_sign_in_url`**](#allow_ssh_grunt_access_sign_in_url) — + + + +* [**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id`**](#allow_ssh_grunt_houston_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_ssh_grunt_houston_access_sign_in_url`**](#allow_ssh_grunt_houston_access_sign_in_url) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_arn`**](#allow_support_access_from_other_accounts_iam_role_arn) — + + + +* [**`allow_support_access_from_other_accounts_iam_role_id`**](#allow_support_access_from_other_accounts_iam_role_id) — + + + +* [**`allow_support_access_sign_in_url`**](#allow_support_access_sign_in_url) — + + + +* [**`aws_ebs_encryption_by_default_enabled`**](#aws_ebs_encryption_by_default_enabled) — A map from region to a boolean indicating whether or not EBS encryption is enabled by default for each region. 
+ + + +* [**`aws_ebs_encryption_default_kms_key`**](#aws_ebs_encryption_default_kms_key) — A map from region to the ARN of the KMS key used for default EBS encryption for each region. + + + +* [**`billing_iam_group_arn`**](#billing_iam_group_arn) — + + + +* [**`billing_iam_group_name`**](#billing_iam_group_name) — + + + +* [**`cloudtrail_cloudwatch_group_arn`**](#cloudtrail_cloudwatch_group_arn) — The ARN of the cloudwatch log group. + + + +* [**`cloudtrail_cloudwatch_group_name`**](#cloudtrail_cloudwatch_group_name) — The name of the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_arn`**](#cloudtrail_iam_role_arn) — The ARN of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_iam_role_name`**](#cloudtrail_iam_role_name) — The name of the IAM role used by the cloudwatch log group. + + + +* [**`cloudtrail_kms_key_alias_name`**](#cloudtrail_kms_key_alias_name) — The alias of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — The ARN of the KMS key used by the S3 bucket to encrypt cloudtrail logs. + + + +* [**`cloudtrail_s3_access_logging_bucket_name`**](#cloudtrail_s3_access_logging_bucket_name) — The name of the S3 bucket where server access logs are delivered. + + + +* [**`cloudtrail_s3_bucket_name`**](#cloudtrail_s3_bucket_name) — The name of the S3 bucket where cloudtrail logs are delivered. + + + +* [**`cloudtrail_trail_arn`**](#cloudtrail_trail_arn) — The ARN of the cloudtrail trail. + + + +* [**`config_iam_role_arns`**](#config_iam_role_arns) — The ARNs of the IAM role used by the config recorder. + + + +* [**`config_recorder_names`**](#config_recorder_names) — The names of the configuration recorder. + + + +* [**`config_s3_bucket_names`**](#config_s3_bucket_names) — The names of the S3 bucket used by AWS Config to store configuration items. 
+ + + +* [**`config_sns_topic_arns`**](#config_sns_topic_arns) — The ARNs of the SNS Topic used by the config notifications. + + + +* [**`cross_account_access_all_group_arn`**](#cross_account_access_all_group_arn) — + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — + + + +* [**`cross_account_access_group_arns`**](#cross_account_access_group_arns) — + + + +* [**`cross_account_access_group_names`**](#cross_account_access_group_names) — + + + +* [**`developers_iam_group_arn`**](#developers_iam_group_arn) — + + + +* [**`developers_iam_group_name`**](#developers_iam_group_name) — + + + +* [**`full_access_iam_group_arn`**](#full_access_iam_group_arn) — + + + +* [**`full_access_iam_group_name`**](#full_access_iam_group_name) — + + + +* [**`guardduty_cloudwatch_event_rule_arns`**](#guardduty_cloudwatch_event_rule_arns) — The ARNs of the cloudwatch event rules used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_cloudwatch_event_target_arns`**](#guardduty_cloudwatch_event_target_arns) — The ARNs of the cloudwatch event targets used to publish findings to sns if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_detector_ids`**](#guardduty_detector_ids) — The IDs of the GuardDuty detectors. + + + +* [**`guardduty_findings_sns_topic_arns`**](#guardduty_findings_sns_topic_arns) — The ARNs of the SNS topics where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. + + + +* [**`guardduty_findings_sns_topic_names`**](#guardduty_findings_sns_topic_names) — The names of the SNS topic where findings are published if [`publish_findings_to_sns`](#publish_findings_to_sns) is set to true. 
+ + + +* [**`houston_cli_users_iam_group_arn`**](#houston_cli_users_iam_group_arn) — + + + +* [**`houston_cli_users_iam_group_name`**](#houston_cli_users_iam_group_name) — + + + +* [**`iam_admin_iam_group_arn`**](#iam_admin_iam_group_arn) — + + + +* [**`iam_admin_iam_group_name`**](#iam_admin_iam_group_name) — + + + +* [**`iam_admin_iam_policy_arn`**](#iam_admin_iam_policy_arn) — + + + +* [**`iam_self_mgmt_iam_group_arn`**](#iam_self_mgmt_iam_group_arn) — + + + +* [**`iam_self_mgmt_iam_group_name`**](#iam_self_mgmt_iam_group_name) — + + + +* [**`iam_self_mgmt_iam_policy_arn`**](#iam_self_mgmt_iam_policy_arn) — + + + +* [**`invalid_cmk_inputs`**](#invalid_cmk_inputs) — Map of CMKs from the input [`customer_master_keys`](#customer_master_keys) that had an invalid region, and thus were not created. The structure of the map is the same as the input. This will only include KMS key inputs that were not created because the region attribute was invalid (either not a valid region identifier, the region is not enabled on the account, or the region is not included in the [`opt_in_regions`](#opt_in_regions) input). + + + +* [**`kms_key_aliases`**](#kms_key_aliases) — A map from region to aliases of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`customer_master_keys`](#customer_master_keys) input variable to the corresponding alias. + + + +* [**`kms_key_arns`**](#kms_key_arns) — A map from region to ARNs of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`kms_customer_master_keys`](#kms_customer_master_keys) input variable to the corresponding ARN. + + + +* [**`kms_key_ids`**](#kms_key_ids) — A map from region to IDs of the KMS CMKs that were created. The value will also be a map mapping the keys from the [`kms_customer_master_keys`](#kms_customer_master_keys) input variable to the corresponding ID. 
+ + + +* [**`logs_iam_group_arn`**](#logs_iam_group_arn) — + + + +* [**`logs_iam_group_name`**](#logs_iam_group_name) — + + + +* [**`read_only_iam_group_arn`**](#read_only_iam_group_arn) — + + + +* [**`read_only_iam_group_name`**](#read_only_iam_group_name) — + + + +* [**`require_mfa_policy`**](#require_mfa_policy) — + + + +* [**`service_linked_role_arns`**](#service_linked_role_arns) — A map of ARNs of the service linked roles created from [`service_linked_roles`](#service_linked_roles). + + + +* [**`ssh_grunt_sudo_users_group_arns`**](#ssh_grunt_sudo_users_group_arns) — + + + +* [**`ssh_grunt_sudo_users_group_names`**](#ssh_grunt_sudo_users_group_names) — + + + +* [**`ssh_grunt_users_group_arns`**](#ssh_grunt_users_group_arns) — + + + +* [**`ssh_grunt_users_group_names`**](#ssh_grunt_users_group_names) — + + + +* [**`support_iam_group_arn`**](#support_iam_group_arn) — + + + +* [**`support_iam_group_name`**](#support_iam_group_name) — + + + +* [**`use_existing_iam_roles_iam_group_arn`**](#use_existing_iam_roles_iam_group_arn) — + + + +* [**`use_existing_iam_roles_iam_group_name`**](#use_existing_iam_roles_iam_group_name) — + + + +* [**`user_access_keys`**](#user_access_keys) — A map of usernames to that user's access keys (a map with keys [`access_key_id`](#access_key_id) and [`secret_access_key`](#secret_access_key)), with the [`secret_access_key`](#secret_access_key) encrypted with that user's PGP key (only shows up for users with [`create_access_keys`](#create_access_keys) = true). You can decrypt the [`secret_access_key`](#secret_access_key) on the CLI: echo [`<secret_access_key`](#<secret_access_key)> | base64 --decode | keybase pgp decrypt + + + +* [**`user_arns`**](#user_arns) — A map of usernames to the ARN for that IAM user. + + + +* [**`user_passwords`**](#user_passwords) — A map of usernames to that user's AWS Web Console password, encrypted with that user's PGP key (only shows up for users with [`create_login_profile`](#create_login_profile) = true). 
You can decrypt the password on the CLI: echo <password> | base64 --decode | keybase pgp decrypt + +
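Review bot: the autolinker that turns `var.x` references into `[`x`](#x)` links has matched text in this hunk that is not an input or output of the module, leaving dead anchors. `[`for_each`](#for_each)` under `kms_grant_regions` is a Terraform meta-argument, not a variable; the documentation URL under `service_linked_roles` has been cut into `[`https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws`](#https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws)-services-that-work-with-iam.html`, so it no longer resolves; and `[`<secret_access_key`](#<secret_access_key)>` under `user_access_keys` mangles the decrypt one-liner, which should read `echo <secret_access_key> | base64 --decode | keybase pgp decrypt` exactly as the `user_passwords` entry still does. The quoted object keys under `users` (`[`'pgp_key`](#'pgp_key)'`, `[`'create_login_profile`](#'create_login_profile)'`, and so on) have the opening quote swallowed into the link text. Suggest restricting the linker to identifiers that actually appear in the page's inputs and outputs and leaving URLs, placeholders and quoted keys as plain text. Separately, `kms_key_arns` and `kms_key_ids` link `[`kms_customer_master_keys`](#kms_customer_master_keys)` while `invalid_cmk_inputs` and `kms_key_aliases` link `[`customer_master_keys`](#customer_master_keys)`; only one of those can be the real input name, so the other anchor is dead. Every `allow_*_from_other_accounts_iam_role_arn`/`_id`, `*_sign_in_url` and `*_iam_group_arn`/`_name` output is emitted with nothing after the dash; either populate those descriptions from the module's `output` blocks or drop the dash when the description is empty. While the text is being regenerated, `should_create_iam_group_support` still says "(AWSupportAccess)"; the AWS managed policy is `AWSSupportAccess`.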
diff --git a/docs/reference/services/landing-zone/gruntwork-access.md b/docs/reference/services/landing-zone/gruntwork-access.md index ebe95b370..9d41ae9c4 100644 --- a/docs/reference/services/landing-zone/gruntwork-access.md +++ b/docs/reference/services/landing-zone/gruntwork-access.md @@ -10,82 +10,51 @@ Grant the Gruntwork team access to one of your AWS accounts so we can deploy a R ### Reference - -
    - -
  • -

    - - grant_security_account_access - - Set to true to grant your security account, with the account ID specified in var.security_account_id, access to the IAM role. This is required for deploying a Reference Architecture. -

    -
  • -
  • -

    - - gruntwork_aws_account_id - - The ID of the AWS account that will be allowed to assume the IAM role. -

    -
  • -
  • -

    - - iam_role_name - - The name to use for the IAM role -

    -
  • -
  • -

    - - managed_policy_name - - The name of the AWS Managed Policy to attach to the IAM role. To deploy a Reference Architecture, the Gruntwork team needs AdministratorAccess, so this is the default. -

    -
  • -
  • -

    - - require_mfa - - If set to true, require MFA to assume the IAM role from the Gruntwork account. -

    -
  • -
  • -

    - - security_account_id - - The ID of your security account (where IAM users are defined). Required for deploying a Reference Architecture, as the Gruntwork team deploys an EC2 instance in the security account, and that instance assumes this IAM role to get access to all the other child accounts and bootstrap the deployment process. -

    -
  • -
  • -

    - - tags - - Tags to apply to all resources created by this module -

    -
  • -
-
- - - + + + + +* [**`grant_security_account_access`**](#grant_security_account_access) — Set to true to grant your security account, with the account ID specified in [`security_account_id`](#security_account_id), access to the IAM role. This is required for deploying a Reference Architecture. + + + +* [**`gruntwork_aws_account_id`**](#gruntwork_aws_account_id) — The ID of the AWS account that will be allowed to assume the IAM role. + + + +* [**`iam_role_name`**](#iam_role_name) — The name to use for the IAM role + + + +* [**`managed_policy_name`**](#managed_policy_name) — The name of the AWS Managed Policy to attach to the IAM role. To deploy a Reference Architecture, the Gruntwork team needs AdministratorAccess, so this is the default. + + + +* [**`require_mfa`**](#require_mfa) — If set to true, require MFA to assume the IAM role from the Gruntwork account. + + + +* [**`security_account_id`**](#security_account_id) — The ID of your security account (where IAM users are defined). Required for deploying a Reference Architecture, as the Gruntwork team deploys an EC2 instance in the security account, and that instance assumes this IAM role to get access to all the other child accounts and bootstrap the deployment process. + + + +* [**`tags`**](#tags) — Tags to apply to all resources created by this module + + + + + + +* [**`iam_role_arn`**](#iam_role_arn) — The ARN of the IAM role + + + +* [**`iam_role_name`**](#iam_role_name) — The name of the IAM role + +
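Review bot: `iam_role_name` is listed as both an input and an output, and both are rendered as `[**`iam_role_name`**](#iam_role_name)`, so the two anchors collide and any link to the output resolves to the input entry. The generator should namespace the slugs (for example an `input-`/`output-` prefix) or give the outputs list a distinct anchor. Minor: the `iam_role_name` ("The name to use for the IAM role") and `tags` descriptions lack the terminating period the other entries have, and nothing in the `+` lines visibly labels which bullet list is inputs and which is outputs now that the old table markup is gone; if the headings live in markup the diff does not show, ignore this, otherwise add them.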
diff --git a/docs/reference/services/landing-zone/iam-users-and-iam-groups.md b/docs/reference/services/landing-zone/iam-users-and-iam-groups.md index ed5f89f48..e5155e6b7 100644 --- a/docs/reference/services/landing-zone/iam-users-and-iam-groups.md +++ b/docs/reference/services/landing-zone/iam-users-and-iam-groups.md @@ -10,544 +10,315 @@ Convenient module to manage best practices set of IAM Groups for permissions man ### Reference - -
    - -
  • -

    - - auto_deploy_permissions - - A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If var.should_create_iam_group_auto_deploy is true, the list must have at least one element (e.g. '*'). -

    -
  • -
  • -

    - - aws_account_id - - The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. -

    -
  • -
  • -

    - - cloudtrail_kms_key_arn - - The ARN of a KMS CMK used to encrypt CloudTrail logs. If set, the logs group will include permissions to decrypt using this CMK. -

    -
  • -
  • -

    - - cross_account_access_all_group_name - - The name of the IAM group that will grant access to all external AWS accounts in var.iam_groups_for_cross_account_access. -

    -
  • -
  • -

    - - enable_iam_groups - - A feature flag to enable or disable the IAM Groups module. -

    -
  • -
  • -

    - - force_destroy_users - - When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. -

    -
  • -
  • -

    - - iam_group_developers_permitted_services - - A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. -

    -
  • -
  • -

    - - iam_group_name_auto_deploy - - The name of the IAM Group that allows automated deployment by graning the permissions specified in var.auto_deploy_permissions. -

    -
  • -
  • -

    - - iam_group_name_billing - - The name to be used for the IAM Group that grants read/write access to all billing features in AWS. -

    -
  • -
  • -

    - - iam_group_name_developers - - The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers. -

    -
  • -
  • -

    - - iam_group_name_full_access - - The name to be used for the IAM Group that grants full access to all AWS resources. -

    -
  • -
  • -

    - - iam_group_name_houston_cli - - The name of the IAM Group that allows access to houston CLI. -

    -
  • -
  • -

    - - iam_group_name_iam_admin - - The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access. -

    -
  • -
  • -

    - - iam_group_name_iam_user_self_mgmt - - The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account. -

    -
  • -
  • -

    - - iam_group_name_logs - - The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS. -

    -
  • -
  • -

    - - iam_group_name_read_only - - The name to be used for the IAM Group that grants read-only access to all AWS resources. -

    -
  • -
  • -

    - - iam_group_name_support - - The name of the IAM Group that allows access to AWS Support. -

    -
  • -
  • -

    - - iam_group_name_use_existing_iam_roles - - The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. This does NOT grant the permission to create new IAM Roles. -

    -
  • -
  • -

    - - iam_group_names_ssh_grunt_sudo_users - - The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. -

    -
  • -
  • -

    - - iam_group_names_ssh_grunt_users - - The name to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. -

    -
  • -
  • -

    - - iam_groups_for_cross_account_access - - This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields 'group_name', which will be used as the name of the IAM group, and 'iam_role_arns', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). -

    -
  • -
  • -

    - - iam_policy_iam_user_self_mgmt - - The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account. -

    -
  • -
  • -

    - - iam_role_tags - - The tags to apply to all the IAM role resources. -

    -
  • -
  • -

    - - max_session_duration_human_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see var.max_session_duration_machine_users. -

    -
  • -
  • -

    - - max_session_duration_machine_users - - The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see var.max_session_duration_human_users. -

    -
  • -
  • -

    - - minimum_password_length - - Password minimum length. -

    -
  • -
  • -

    - - password_reset_required - - Force the user to reset their password on initial login. Only used for users with create_login_profile set to true. -

    -
  • -
  • -

    - - should_create_iam_group_auto_deploy - - Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in var.auto_deploy_permissions. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_billing - - Should we create the IAM Group for billing? Allows read-write access to billing features only. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_cross_account_access_all - - Should we create the IAM Group for access to all external AWS accounts? -

    -
  • -
  • -

    - - should_create_iam_group_developers - - Should we create the IAM Group for developers? The permissions of that group are specified via var.iam_group_developers_permitted_services. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_full_access - - Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_houston_cli_users - - Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. -

    -
  • -
  • -

    - - should_create_iam_group_iam_admin - - Should we create the IAM Group for IAM administrator access? Allows users to manage all IAM entities, effectively granting administrator access. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_logs - - Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If var.cloudtrail_kms_key_arn is set, will also give decrypt access to a KMS CMK. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_read_only - - Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_support - - Should we create the IAM Group for support? Allows support access (AWSupportAccess). (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_use_existing_iam_roles - - Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) -

    -
  • -
  • -

    - - should_create_iam_group_user_self_mgmt - - Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false) -

    -
  • -
  • -

    - - should_require_mfa - - Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) -

    -
  • -
  • -

    - - users - - A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), 'pgp_key' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if create_login_profile or create_access_keys is true), 'create_login_profile' (if set to true, create a password to login to the AWS Web Console), 'create_access_keys' (if set to true, create access keys for the user), 'path' (the path), and 'permissions_boundary' (the ARN of the policy that is used to set the permissions boundary for the user). -

    -
  • -
-
- - - + + + + +* [**`auto_deploy_permissions`**](#auto_deploy_permissions) — A list of IAM permissions (e.g. ec2:*) that will be added to an IAM Group for doing automated deployments. NOTE: If [`should_create_iam_group_auto_deploy`](#should_create_iam_group_auto_deploy) is true, the list must have at least one element (e.g. '*'). + + + +* [**`aws_account_id`**](#aws_account_id) — The AWS Account ID the template should be operated on. This avoids misconfiguration errors caused by environment variables. + + + +* [**`cloudtrail_kms_key_arn`**](#cloudtrail_kms_key_arn) — The ARN of a KMS CMK used to encrypt CloudTrail logs. If set, the logs group will include permissions to decrypt using this CMK. + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — The name of the IAM group that will grant access to all external AWS accounts in [`iam_groups_for_cross_account_access`](#iam_groups_for_cross_account_access). + + + +* [**`enable_iam_groups`**](#enable_iam_groups) — A feature flag to enable or disable the IAM Groups module. + + + +* [**`force_destroy_users`**](#force_destroy_users) — When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile, or MFA devices. Without [`force_destroy`](#force_destroy) a user with non-Terraform-managed access keys and login profile will fail to be destroyed. + + + +* [**`iam_group_developers_permitted_services`**](#iam_group_developers_permitted_services) — A list of AWS services for which the developers IAM Group will receive full permissions. See https://goo.gl/ZyoHlz to find the IAM Service name. For example, to grant developers access only to EC2 and Amazon Machine Learning, use the value ["ec2","machinelearning"]. Do NOT add iam to the list of services, or that will grant Developers de facto admin access. If you need to grant iam privileges, just grant the user Full Access. 
+ + + +* [**`iam_group_name_auto_deploy`**](#iam_group_name_auto_deploy) — The name of the IAM Group that allows automated deployment by graning the permissions specified in [`auto_deploy_permissions`](#auto_deploy_permissions). + + + +* [**`iam_group_name_billing`**](#iam_group_name_billing) — The name to be used for the IAM Group that grants read/write access to all billing features in AWS. + + + +* [**`iam_group_name_developers`**](#iam_group_name_developers) — The name to be used for the IAM Group that grants IAM Users a reasonable set of permissions for developers. + + + +* [**`iam_group_name_full_access`**](#iam_group_name_full_access) — The name to be used for the IAM Group that grants full access to all AWS resources. + + + +* [**`iam_group_name_houston_cli`**](#iam_group_name_houston_cli) — The name of the IAM Group that allows access to houston CLI. + + + +* [**`iam_group_name_iam_admin`**](#iam_group_name_iam_admin) — The name to be used for the IAM Group that grants IAM administrative access. Effectively grants administrator access. + + + +* [**`iam_group_name_iam_user_self_mgmt`**](#iam_group_name_iam_user_self_mgmt) — The name to be used for the IAM Group that grants IAM Users the permissions to manage their own IAM User account. + + + +* [**`iam_group_name_logs`**](#iam_group_name_logs) — The name to be used for the IAM Group that grants read access to CloudTrail, AWS Config, and CloudWatch in AWS. + + + +* [**`iam_group_name_read_only`**](#iam_group_name_read_only) — The name to be used for the IAM Group that grants read-only access to all AWS resources. + + + +* [**`iam_group_name_support`**](#iam_group_name_support) — The name of the IAM Group that allows access to AWS Support. + + + +* [**`iam_group_name_use_existing_iam_roles`**](#iam_group_name_use_existing_iam_roles) — The name to be used for the IAM Group that grants IAM Users the permissions to use existing IAM Roles when launching AWS Resources. 
This does NOT grant the permission to create new IAM Roles. + + + +* [**`iam_group_names_ssh_grunt_sudo_users`**](#iam_group_names_ssh_grunt_sudo_users) — The list of names to be used for the IAM Group that enables its members to SSH as a sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. + + + +* [**`iam_group_names_ssh_grunt_users`**](#iam_group_names_ssh_grunt_users) — The name to be used for the IAM Group that enables its members to SSH as a non-sudo user into any server configured with the ssh-grunt Gruntwork module. Pass in multiple to configure multiple different IAM groups to control different groupings of access at the server level. Pass in empty list to disable creation of the IAM groups. + + + +* [**`iam_groups_for_cross_account_access`**](#iam_groups_for_cross_account_access) — This variable is used to create groups that allow IAM users to assume roles in your other AWS accounts. It should be a list of objects, where each object has the fields [`'group_name`](#'group_name)', which will be used as the name of the IAM group, and [`'iam_role_arns`](#'iam_role_arns)', which is a list of ARNs of IAM Roles that you can assume when part of that group. For each entry in the list of objects, we will create an IAM group that allows users to assume the given IAM role(s) in the other AWS account. This allows you to define all your IAM users in one account (e.g. the users account) and to grant them access to certain IAM roles in other accounts (e.g. the stage, prod, audit accounts). + + + +* [**`iam_policy_iam_user_self_mgmt`**](#iam_policy_iam_user_self_mgmt) — The name to be used for the IAM Policy that grants IAM Users the permissions to manage their own IAM User account. 
+ + + +* [**`iam_role_tags`**](#iam_role_tags) — The tags to apply to all the IAM role resources. + + + +* [**`max_session_duration_human_users`**](#max_session_duration_human_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for people to use, such as allow-read-only-access-from-other-accounts. For IAM roles that are intended for machine users, such as allow-auto-deploy-from-other-accounts, see [`max_session_duration_machine_users`](#max_session_duration_machine_users). + + + +* [**`max_session_duration_machine_users`**](#max_session_duration_machine_users) — The maximum allowable session duration, in seconds, for the credentials you get when assuming the IAM roles created by this module. This variable applies to all IAM roles created by this module that are intended for machine users, such as allow-auto-deploy-from-other-accounts. For IAM roles that are intended for human users, such as allow-read-only-access-from-other-accounts, see [`max_session_duration_human_users`](#max_session_duration_human_users). + + + +* [**`minimum_password_length`**](#minimum_password_length) — Password minimum length. + + + +* [**`password_reset_required`**](#password_reset_required) — Force the user to reset their password on initial login. Only used for users with [`create_login_profile`](#create_login_profile) set to true. + + + +* [**`should_create_iam_group_auto_deploy`**](#should_create_iam_group_auto_deploy) — Should we create the IAM Group for auto-deploy? Allows automated deployment by granting the permissions specified in [`auto_deploy_permissions`](#auto_deploy_permissions). (true or false) + + + +* [**`should_create_iam_group_billing`**](#should_create_iam_group_billing) — Should we create the IAM Group for billing? Allows read-write access to billing features only. 
(true or false) + + + +* [**`should_create_iam_group_cross_account_access_all`**](#should_create_iam_group_cross_account_access_all) — Should we create the IAM Group for access to all external AWS accounts? + + + +* [**`should_create_iam_group_developers`**](#should_create_iam_group_developers) — Should we create the IAM Group for developers? The permissions of that group are specified via [`iam_group_developers_permitted_services`](#iam_group_developers_permitted_services). (true or false) + + + +* [**`should_create_iam_group_full_access`**](#should_create_iam_group_full_access) — Should we create the IAM Group for full access? Allows full access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_houston_cli_users`**](#should_create_iam_group_houston_cli_users) — Should we create the IAM Group for houston CLI users? Allows users to use the houston CLI for managing and deploying services. + + + +* [**`should_create_iam_group_iam_admin`**](#should_create_iam_group_iam_admin) — Should we create the IAM Group for IAM administrator access? Allows users to manage all IAM entities, effectively granting administrator access. (true or false) + + + +* [**`should_create_iam_group_logs`**](#should_create_iam_group_logs) — Should we create the IAM Group for logs? Allows read access to CloudTrail, AWS Config, and CloudWatch. If [`cloudtrail_kms_key_arn`](#cloudtrail_kms_key_arn) is set, will also give decrypt access to a KMS CMK. (true or false) + + + +* [**`should_create_iam_group_read_only`**](#should_create_iam_group_read_only) — Should we create the IAM Group for read-only? Allows read-only access to all AWS resources. (true or false) + + + +* [**`should_create_iam_group_support`**](#should_create_iam_group_support) — Should we create the IAM Group for support? Allows support access (AWSupportAccess). 
(true or false) + + + +* [**`should_create_iam_group_use_existing_iam_roles`**](#should_create_iam_group_use_existing_iam_roles) — Should we create the IAM Group for use-existing-iam-roles? Allow launching AWS resources with existing IAM Roles, but no ability to create new IAM Roles. (true or false) + + + +* [**`should_create_iam_group_user_self_mgmt`**](#should_create_iam_group_user_self_mgmt) — Should we create the IAM Group for user self-management? Allows users to manage their own IAM user accounts, but not other IAM users. (true or false) + + + +* [**`should_require_mfa`**](#should_require_mfa) — Should we require that all IAM Users use Multi-Factor Authentication for both AWS API calls and the AWS Web Console? (true or false) + + + +* [**`users`**](#users) — A map of users to create. The keys are the user names and the values are an object with the optional keys 'groups' (a list of IAM groups to add the user to), 'tags' (a map of tags to apply to the user), [`'pgp_key`](#'pgp_key)' (either a base-64 encoded PGP public key, or a keybase username in the form keybase:username, used to encrypt the user's credentials; required if [`create_login_profile`](#create_login_profile) or [`create_access_keys`](#create_access_keys) is true), [`'create_login_profile`](#'create_login_profile)' (if set to true, create a password to login to the AWS Web Console), [`'create_access_keys`](#'create_access_keys)' (if set to true, create access keys for the user), 'path' (the path), and [`'permissions_boundary`](#'permissions_boundary)' (the ARN of the policy that is used to set the permissions boundary for the user). 
+ + + + + + +* [**`billing_iam_group_arn`**](#billing_iam_group_arn) — + + + +* [**`billing_iam_group_name`**](#billing_iam_group_name) — + + + +* [**`cross_account_access_all_group_arn`**](#cross_account_access_all_group_arn) — + + + +* [**`cross_account_access_all_group_name`**](#cross_account_access_all_group_name) — + + + +* [**`cross_account_access_group_arns`**](#cross_account_access_group_arns) — + + + +* [**`cross_account_access_group_names`**](#cross_account_access_group_names) — + + + +* [**`developers_iam_group_arn`**](#developers_iam_group_arn) — + + + +* [**`developers_iam_group_name`**](#developers_iam_group_name) — + + + +* [**`full_access_iam_group_arn`**](#full_access_iam_group_arn) — + + + +* [**`full_access_iam_group_name`**](#full_access_iam_group_name) — + + + +* [**`houston_cli_users_iam_group_arn`**](#houston_cli_users_iam_group_arn) — + + + +* [**`houston_cli_users_iam_group_name`**](#houston_cli_users_iam_group_name) — + + + +* [**`iam_admin_iam_group_arn`**](#iam_admin_iam_group_arn) — + + + +* [**`iam_admin_iam_group_name`**](#iam_admin_iam_group_name) — + + + +* [**`iam_admin_iam_policy_arn`**](#iam_admin_iam_policy_arn) — + + + +* [**`iam_self_mgmt_iam_group_arn`**](#iam_self_mgmt_iam_group_arn) — + + + +* [**`iam_self_mgmt_iam_group_name`**](#iam_self_mgmt_iam_group_name) — + + + +* [**`iam_self_mgmt_iam_policy_arn`**](#iam_self_mgmt_iam_policy_arn) — + + + +* [**`logs_iam_group_arn`**](#logs_iam_group_arn) — + + + +* [**`logs_iam_group_name`**](#logs_iam_group_name) — + + + +* [**`read_only_iam_group_arn`**](#read_only_iam_group_arn) — + + + +* [**`read_only_iam_group_name`**](#read_only_iam_group_name) — + + + +* [**`require_mfa_policy`**](#require_mfa_policy) — + + + +* [**`ssh_grunt_sudo_users_group_arns`**](#ssh_grunt_sudo_users_group_arns) — + + + +* [**`ssh_grunt_sudo_users_group_names`**](#ssh_grunt_sudo_users_group_names) — + + + +* [**`ssh_grunt_users_group_arns`**](#ssh_grunt_users_group_arns) — + + + +* 
[**`ssh_grunt_users_group_names`**](#ssh_grunt_users_group_names) — + + + +* [**`support_iam_group_arn`**](#support_iam_group_arn) — + + + +* [**`support_iam_group_name`**](#support_iam_group_name) — + + + +* [**`use_existing_iam_roles_iam_group_arn`**](#use_existing_iam_roles_iam_group_arn) — + + + +* [**`use_existing_iam_roles_iam_group_name`**](#use_existing_iam_roles_iam_group_name) — + + + +* [**`user_access_keys`**](#user_access_keys) — A map of usernames to that user's access keys (a map with keys [`access_key_id`](#access_key_id) and [`secret_access_key`](#secret_access_key)), with the [`secret_access_key`](#secret_access_key) encrypted with that user's PGP key (only shows up for users with [`create_access_keys`](#create_access_keys) = true). You can decrypt the [`secret_access_key`](#secret_access_key) on the CLI: echo [`<secret_access_key`](#<secret_access_key)> | base64 --decode | keybase pgp decrypt + + + +* [**`user_arns`**](#user_arns) — A map of usernames to the ARN for that IAM user. + + + +* [**`user_passwords`**](#user_passwords) — A map of usernames to that user's AWS Web Console password, encrypted with that user's PGP key (only shows up for users with [`create_login_profile`](#create_login_profile) = true). You can decrypt the password on the CLI: echo <password> | base64 --decode | keybase pgp decrypt + +
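Review bot: the auto-linking this hunk introduces for the iam-users-and-iam-groups reference matches quoted object keys and shell placeholders as well as variable names, so several generated anchors are dangling. In the `iam_groups_for_cross_account_access` and `users` descriptions the leading apostrophe is captured into the link target, e.g. `[`'group_name`](#'group_name)'`, `[`'iam_role_arns`](#'iam_role_arns)'`, `[`'pgp_key`](#'pgp_key)'`; there is no `#'group_name` anchor on the page and the closing quote is stranded outside the link. The decrypt command in `user_access_keys` is hit the same way: `echo [`<secret_access_key`](#<secret_access_key)> | base64 --decode | keybase pgp decrypt` turns the `<secret_access_key>` placeholder into a link and leaves the `>` dangling, which garbles a command readers will copy and paste. The `force_destroy_users` description also links `[`force_destroy`](#force_destroy)`, but this module exposes no `force_destroy` variable (only `force_destroy_users`), so that anchor goes nowhere. Suggest the linker only match bare identifiers that appear in the page's own variable and output list and skip tokens preceded by `'` or `<`. Two nits on text this hunk rewrites: `graning` in `iam_group_name_auto_deploy` should be `granting`, and the managed policy named in `should_create_iam_group_support` is `AWSSupportAccess`, not `AWSupportAccess`. Separately, nearly every output in the new list (`billing_iam_group_arn` through `use_existing_iam_roles_iam_group_name`, including `require_mfa_policy` and `iam_admin_iam_policy_arn`) is emitted with nothing after the dash; if the source module carries no `description` for these, omit the dash rather than ship a list of blank entries.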
diff --git a/docs/reference/services/networking/elastic-load-balancer-elb.md b/docs/reference/services/networking/elastic-load-balancer-elb.md index 0e86161c6..e649cf946 100644 --- a/docs/reference/services/networking/elastic-load-balancer-elb.md +++ b/docs/reference/services/networking/elastic-load-balancer-elb.md @@ -10,292 +10,171 @@ Deploy the Application Load Balancer (ALB) for load balancing HTTP and HTTPS, wi ### Reference - -
    - -
  • -

    - - access_logs_s3_bucket_name - - The name to use for the S3 bucket where the ALB access logs will be stored. If you set this to null, a name will be generated automatically based on var.alb_name. -

    -
  • -
  • -

    - - acm_cert_statuses - - When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs with the given statuses. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. -

    -
  • -
  • -

    - - acm_cert_types - - When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs of the given types. Valid values are AMAZON_ISSUED and IMPORTED. -

    -
  • -
  • -

    - - alb_name - - The name of the ALB. -

    -
  • -
  • -

    - - allow_all_outbound - - Set to true to enable all outbound traffic on this ALB. If set to false, the ALB will allow no outbound traffic by default. This will make the ALB unusuable, so some other code must then update the ALB Security Group to enable outbound access! -

    -
  • -
  • -

    - - allow_inbound_from_cidr_blocks - - The CIDR-formatted IP Address range from which this ALB will allow incoming requests. If var.is_internal_alb is false, use the default value. If var.is_internal_alb is true, consider setting this to the VPC's CIDR Block, or something even more restrictive. -

    -
  • -
  • -

    - - allow_inbound_from_security_group_ids - - The list of IDs of security groups that should have access to the ALB -

    -
  • -
  • -

    - - create_route53_entry - - Set to true to create a Route 53 DNS A record for this ALB? -

    -
  • -
  • -

    - - custom_tags - - A map of custom tags to apply to the ALB and its Security Group. The key is the tag name and the value is the tag value. -

    -
  • -
  • -

    - - default_action_body - - If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this body. -

    -
  • -
  • -

    - - default_action_content_type - - If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this content type. -

    -
  • -
  • -

    - - default_action_status_code - - If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this status code. -

    -
  • -
  • -

    - - domain_names - - The list of domain names for the DNS A record to add for the ALB (e.g. alb.foo.com). Only used if var.create_route53_entry is true. -

    -
  • -
  • -

    - - drop_invalid_header_fields - - If true, the ALB will drop invalid headers. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. -

    -
  • -
  • -

    - - enable_deletion_protection - - Enable deletion protection on the ALB instance. If this is enabled, the load balancer cannot be deleted prior to disabling -

    -
  • -
  • -

    - - force_destroy - - A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false. -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the hosted zone for the DNS A record to add for the ALB. Only used if var.create_route53_entry is true. -

    -
  • -
  • -

    - - http_listener_ports - - A list of ports for which an HTTP Listener should be created on the ALB. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. -

    -
  • -
  • -

    - - https_listener_ports_and_acm_ssl_certs - - A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_domain_name', the domain name of an SSL/TLS certificate issued by the Amazon Certificate Manager (ACM) to associate with the Listener to be created. If your certificate isn't issued by ACM, specify var.https_listener_ports_and_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. -

    -
  • -
  • -

    - - https_listener_ports_and_ssl_certs - - A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_arn', the Amazon Resource Name (ARN) of the SSL/TLS certificate to associate with the Listener to be created. If your certificate is issued by the Amazon Certificate Manager (ACM), specify var.https_listener_ports_and_acm_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. -

    -
  • -
  • -

    - - idle_timeout - - The time in seconds that the client TCP connection to the ALB is allowed to be idle before the ALB closes the TCP connection. -

    -
  • -
  • -

    - - is_internal_alb - - If the ALB should only accept traffic from within the VPC, set this to true. If it should accept traffic from the public Internet, set it to false. -

    -
  • -
  • -

    - - num_days_after_which_archive_log_data - - After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. -

    -
  • -
  • -

    - - num_days_after_which_delete_log_data - - After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. -

    -
  • -
  • -

    - - should_create_access_logs_bucket - - If true, create a new S3 bucket for access logs with the name in var.access_logs_s3_bucket_name. If false, assume the S3 bucket for access logs with the name in var.access_logs_s3_bucket_name already exists, and don't create a new one. Note that if you set this to false, it's up to you to ensure that the S3 bucket has a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket. -

    -
  • -
  • -

    - - ssl_policy - - The AWS predefined TLS/SSL policy for the ALB. A List of policies can be found here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies. AWS recommends ELBSecurityPolicy-2016-08 policy for general use but this policy includes TLSv1.0 which is rapidly being phased out. ELBSecurityPolicy-TLS-1-1-2017-01 is the next policy up that doesn't include TLSv1.0. -

    -
  • -
  • -

    - - vpc_id - - ID of the VPC where the ALB will be deployed -

    -
  • -
  • -

    - - vpc_subnet_ids - - The ids of the subnets that the ALB can use to source its IP -

    -
  • -
-
- - - + + + + +* [**`access_logs_s3_bucket_name`**](#access_logs_s3_bucket_name) — The name to use for the S3 bucket where the ALB access logs will be stored. If you set this to null, a name will be generated automatically based on [`alb_name`](#alb_name). + + + +* [**`acm_cert_statuses`**](#acm_cert_statuses) — When looking up the ACM certs passed in via [`https_listener_ports_and_acm_ssl_certs`](#https_listener_ports_and_acm_ssl_certs), only match certs with the given statuses. Valid values are [`PENDING_VALIDATION`](#PENDING_VALIDATION), ISSUED, INACTIVE, EXPIRED, [`VALIDATION_TIMED_OUT`](#VALIDATION_TIMED_OUT), REVOKED and FAILED. + + + +* [**`acm_cert_types`**](#acm_cert_types) — When looking up the ACM certs passed in via [`https_listener_ports_and_acm_ssl_certs`](#https_listener_ports_and_acm_ssl_certs), only match certs of the given types. Valid values are [`AMAZON_ISSUED`](#AMAZON_ISSUED) and IMPORTED. + + + +* [**`alb_name`**](#alb_name) — The name of the ALB. + + + +* [**`allow_all_outbound`**](#allow_all_outbound) — Set to true to enable all outbound traffic on this ALB. If set to false, the ALB will allow no outbound traffic by default. This will make the ALB unusuable, so some other code must then update the ALB Security Group to enable outbound access! + + + +* [**`allow_inbound_from_cidr_blocks`**](#allow_inbound_from_cidr_blocks) — The CIDR-formatted IP Address range from which this ALB will allow incoming requests. If [`is_internal_alb`](#is_internal_alb) is false, use the default value. If [`is_internal_alb`](#is_internal_alb) is true, consider setting this to the VPC's CIDR Block, or something even more restrictive. + + + +* [**`allow_inbound_from_security_group_ids`**](#allow_inbound_from_security_group_ids) — The list of IDs of security groups that should have access to the ALB + + + +* [**`create_route53_entry`**](#create_route53_entry) — Set to true to create a Route 53 DNS A record for this ALB? 
+ + + +* [**`custom_tags`**](#custom_tags) — A map of custom tags to apply to the ALB and its Security Group. The key is the tag name and the value is the tag value. + + + +* [**`default_action_body`**](#default_action_body) — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this body. + + + +* [**`default_action_content_type`**](#default_action_content_type) — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this content type. + + + +* [**`default_action_status_code`**](#default_action_status_code) — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this status code. + + + +* [**`domain_names`**](#domain_names) — The list of domain names for the DNS A record to add for the ALB (e.g. alb.foo.com). Only used if [`create_route53_entry`](#create_route53_entry) is true. + + + +* [**`drop_invalid_header_fields`**](#drop_invalid_header_fields) — If true, the ALB will drop invalid headers. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. + + + +* [**`enable_deletion_protection`**](#enable_deletion_protection) — Enable deletion protection on the ALB instance. If this is enabled, the load balancer cannot be deleted prior to disabling + + + +* [**`force_destroy`**](#force_destroy) — A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false. + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the hosted zone for the DNS A record to add for the ALB. Only used if [`create_route53_entry`](#create_route53_entry) is true. 
+ + + +* [**`http_listener_ports`**](#http_listener_ports) — A list of ports for which an HTTP Listener should be created on the ALB. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. + + + +* [**`https_listener_ports_and_acm_ssl_certs`**](#https_listener_ports_and_acm_ssl_certs) — A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and [`'tls_domain_name`](#'tls_domain_name)', the domain name of an SSL/TLS certificate issued by the Amazon Certificate Manager (ACM) to associate with the Listener to be created. If your certificate isn't issued by ACM, specify [`https_listener_ports_and_ssl_certs`](#https_listener_ports_and_ssl_certs) instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. + + + +* [**`https_listener_ports_and_ssl_certs`**](#https_listener_ports_and_ssl_certs) — A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and [`'tls_arn`](#'tls_arn)', the Amazon Resource Name (ARN) of the SSL/TLS certificate to associate with the Listener to be created. If your certificate is issued by the Amazon Certificate Manager (ACM), specify [`https_listener_ports_and_acm_ssl_certs`](#https_listener_ports_and_acm_ssl_certs) instead. 
Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group. + + + +* [**`idle_timeout`**](#idle_timeout) — The time in seconds that the client TCP connection to the ALB is allowed to be idle before the ALB closes the TCP connection. + + + +* [**`is_internal_alb`**](#is_internal_alb) — If the ALB should only accept traffic from within the VPC, set this to true. If it should accept traffic from the public Internet, set it to false. + + + +* [**`num_days_after_which_archive_log_data`**](#num_days_after_which_archive_log_data) — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data. + + + +* [**`num_days_after_which_delete_log_data`**](#num_days_after_which_delete_log_data) — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data. + + + +* [**`should_create_access_logs_bucket`**](#should_create_access_logs_bucket) — If true, create a new S3 bucket for access logs with the name in [`access_logs_s3_bucket_name`](#access_logs_s3_bucket_name). If false, assume the S3 bucket for access logs with the name in [`access_logs_s3_bucket_name`](#access_logs_s3_bucket_name) already exists, and don't create a new one. Note that if you set this to false, it's up to you to ensure that the S3 bucket has a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket. + + + +* [**`ssl_policy`**](#ssl_policy) — The AWS predefined TLS/SSL policy for the ALB. A List of policies can be found here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies. 
AWS recommends ELBSecurityPolicy-2016-08 policy for general use but this policy includes TLSv1.0 which is rapidly being phased out. ELBSecurityPolicy-TLS-1-1-2017-01 is the next policy up that doesn't include TLSv1.0. + + + +* [**`vpc_id`**](#vpc_id) — ID of the VPC where the ALB will be deployed + + + +* [**`vpc_subnet_ids`**](#vpc_subnet_ids) — The ids of the subnets that the ALB can use to source its IP + + + + + + +* [**`alb_access_logs_bucket`**](#alb_access_logs_bucket) — The name of the S3 bucket containing the ALB access logs + + + +* [**`alb_arn`**](#alb_arn) — The ARN of the ALB resource. + + + +* [**`alb_dns_names`**](#alb_dns_names) — The list of DNS records for the ALB as specified in the input. + + + +* [**`alb_hosted_zone_id`**](#alb_hosted_zone_id) — The AWS-managed zone ID for the ALB's DNS record. + + + +* [**`alb_name`**](#alb_name) — A human friendly name for the ALB. + + + +* [**`alb_security_group_id`**](#alb_security_group_id) — The ID of the security group associated with the ALB. + + + +* [**`http_listener_arns`**](#http_listener_arns) — The map of HTTP listener ports to ARNs. There will be one listener per entry in [`http_listener_ports`](#http_listener_ports). + + + +* [**`https_listener_acm_cert_arns`**](#https_listener_acm_cert_arns) — The map of HTTPS listener ports to ARNs. There will be one listener per entry in [`https_listener_ports_and_acm_ssl_certs`](#https_listener_ports_and_acm_ssl_certs). + + + +* [**`https_listener_non_acm_cert_arns`**](#https_listener_non_acm_cert_arns) — The map of HTTPS listener ports to ARNs. There will be one listener per entry in [`https_listener_ports_and_ssl_certs`](#https_listener_ports_and_ssl_certs). + + + +* [**`listener_arns`**](#listener_arns) — The map of listener ports to ARNs. This will include all listeners both HTTP and HTTPS. + + + +* [**`original_alb_dns_name`**](#original_alb_dns_name) — The AWS-managed DNS name assigned to the ALB. + +
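Review bot: the `ssl_policy` description this hunk rewrites still steers readers to `ELBSecurityPolicy-TLS-1-1-2017-01` as the policy to choose because it drops TLSv1.0, but TLS 1.1 is deprecated alongside TLS 1.0 (RFC 8996), so the guidance for an internet-facing ALB should point at a TLS 1.2-only policy such as `ELBSecurityPolicy-TLS-1-2-2017-01` or `ELBSecurityPolicy-FS-1-2-Res-2020-10`; since the line is being touched anyway, this is the moment to fix the wording. The auto-linker also misfires in this file: ACM enum values are rendered as variable links (`[`PENDING_VALIDATION`](#PENDING_VALIDATION)`, `[`VALIDATION_TIMED_OUT`](#VALIDATION_TIMED_OUT)`, `[`AMAZON_ISSUED`](#AMAZON_ISSUED)`) while `ISSUED`, `INACTIVE`, `EXPIRED`, `REVOKED` and `FAILED` in the same sentence are not, which suggests the matcher keys on the presence of an underscore rather than on the page's variable list, and the quoted map keys `'tls_domain_name'` and `'tls_arn'` get the apostrophe swallowed into the anchor (`[`'tls_arn`](#'tls_arn)'`). Restricting matches to identifiers that exist in the variables or outputs section would fix all three. Nit: `unusuable` in `allow_all_outbound` should be `unusable`.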
diff --git a/docs/reference/services/networking/management-vpc.md b/docs/reference/services/networking/management-vpc.md index aa7414c8b..d7008d1cd 100644 --- a/docs/reference/services/networking/management-vpc.md +++ b/docs/reference/services/networking/management-vpc.md @@ -10,271 +10,159 @@ Deploy a VPC on AWS for administrative and management functions. ### Reference - -
    - -
  • -

    - - availability_zone_exclude_ids - - List of excluded Availability Zone IDs. -

    -
  • -
  • -

    - - availability_zone_exclude_names - - List of excluded Availability Zone names. -

    -
  • -
  • -

    - - availability_zone_state - - Allows to filter list of Availability Zones based on their current state. Can be either "available", "information", "impaired" or "unavailable". By default the list includes a complete set of Availability Zones to which the underlying AWS account has access, regardless of their state. -

    -
  • -
  • -

    - - aws_region - - The AWS region to deploy into -

    -
  • -
  • -

    - - cidr_block - - The IP address range of the VPC in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27. Examples include '10.100.0.0/16', '10.200.0.0/16', etc. -

    -
  • -
  • -

    - - create_flow_logs - - If you set this variable to false, this module will not create VPC Flow Logs resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module. -

    -
  • -
  • -

    - - create_network_acls - - If set to false, this module will NOT create Network ACLs. This is useful if you don't want to use Network ACLs or you want to provide your own Network ACLs outside of this module. -

    -
  • -
  • -

    - - custom_tags - - A map of tags to apply to the VPC, Subnets, Route Tables, and Internet Gateway. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable. -

    -
  • -
  • -

    - - custom_tags_vpc_only - - A map of tags to apply just to the VPC itself, but not any of the other resources. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - kms_key_arn - - The ARN of a KMS key to use for encrypting VPC the flow log. A new KMS key will be created if this is not supplied. -

    -
  • -
  • -

    - - kms_key_user_iam_arns - - VPC Flow Logs will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have access to this key. -

    -
  • -
  • -

    - - nat_gateway_custom_tags - - A map of tags to apply to the NAT gateways, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - num_availability_zones - - How many AWS Availability Zones (AZs) to use. One subnet of each type (public, private app) will be created in each AZ. Note that this must be less than or equal to the total number of AZs in a region. A value of null means all AZs should be used. For example, if you specify 3 in a region with 5 AZs, subnets will be created in just 3 AZs instead of all 5. Defaults to 3. -

    -
  • -
  • -

    - - num_nat_gateways - - The number of NAT Gateways to launch for this VPC. The management VPC defaults to 1 NAT Gateway to save on cost, but to increase redundancy, you can adjust this to add additional NAT Gateways. -

    -
  • -
  • -

    - - private_subnet_bits - - Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. -

    -
  • -
  • -

    - - private_subnet_cidr_blocks - - A map listing the specific CIDR blocks desired for each private subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. -

    -
  • -
  • -

    - - private_subnet_custom_tags - - A map of tags to apply to the private Subnet, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - public_subnet_bits - - Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. -

    -
  • -
  • -

    - - public_subnet_cidr_blocks - - A map listing the specific CIDR blocks desired for each public subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. -

    -
  • -
  • -

    - - public_subnet_custom_tags - - A map of tags to apply to the public Subnet, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - subnet_spacing - - The amount of spacing between the different subnet types -

    -
  • -
  • -

    - - vpc_name - - The name of the VPC. Defaults to mgmt. -

    -
  • -
-
- - - + + + + +* [**`availability_zone_exclude_ids`**](#availability_zone_exclude_ids) — List of excluded Availability Zone IDs. + + + +* [**`availability_zone_exclude_names`**](#availability_zone_exclude_names) — List of excluded Availability Zone names. + + + +* [**`availability_zone_state`**](#availability_zone_state) — Allows to filter list of Availability Zones based on their current state. Can be either "available", "information", "impaired" or "unavailable". By default the list includes a complete set of Availability Zones to which the underlying AWS account has access, regardless of their state. + + + +* [**`aws_region`**](#aws_region) — The AWS region to deploy into + + + +* [**`cidr_block`**](#cidr_block) — The IP address range of the VPC in CIDR notation. A prefix of /16 is recommended. Do not use a prefix higher than /27. Examples include '10.100.0.0/16', '10.200.0.0/16', etc. + + + +* [**`create_flow_logs`**](#create_flow_logs) — If you set this variable to false, this module will not create VPC Flow Logs resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module. + + + +* [**`create_network_acls`**](#create_network_acls) — If set to false, this module will NOT create Network ACLs. This is useful if you don't want to use Network ACLs or you want to provide your own Network ACLs outside of this module. + + + +* [**`custom_tags`**](#custom_tags) — A map of tags to apply to the VPC, Subnets, Route Tables, and Internet Gateway. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable. + + + +* [**`custom_tags_vpc_only`**](#custom_tags_vpc_only) — A map of tags to apply just to the VPC itself, but not any of the other resources. The key is the tag name and the value is the tag value. 
Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`kms_key_arn`**](#kms_key_arn) — The ARN of a KMS key to use for encrypting VPC the flow log. A new KMS key will be created if this is not supplied. + + + +* [**`kms_key_user_iam_arns`**](#kms_key_user_iam_arns) — VPC Flow Logs will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have access to this key. + + + +* [**`nat_gateway_custom_tags`**](#nat_gateway_custom_tags) — A map of tags to apply to the NAT gateways, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`num_availability_zones`**](#num_availability_zones) — How many AWS Availability Zones (AZs) to use. One subnet of each type (public, private app) will be created in each AZ. Note that this must be less than or equal to the total number of AZs in a region. A value of null means all AZs should be used. For example, if you specify 3 in a region with 5 AZs, subnets will be created in just 3 AZs instead of all 5. Defaults to 3. + + + +* [**`num_nat_gateways`**](#num_nat_gateways) — The number of NAT Gateways to launch for this VPC. The management VPC defaults to 1 NAT Gateway to save on cost, but to increase redundancy, you can adjust this to add additional NAT Gateways. + + + +* [**`private_subnet_bits`**](#private_subnet_bits) — Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. + + + +* [**`private_subnet_cidr_blocks`**](#private_subnet_cidr_blocks) — A map listing the specific CIDR blocks desired for each private subnet. The key must be in the form AZ-0, AZ-1, ... 
AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. + + + +* [**`private_subnet_custom_tags`**](#private_subnet_custom_tags) — A map of tags to apply to the private Subnet, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`public_subnet_bits`**](#public_subnet_bits) — Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. + + + +* [**`public_subnet_cidr_blocks`**](#public_subnet_cidr_blocks) — A map listing the specific CIDR blocks desired for each public subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. + + + +* [**`public_subnet_custom_tags`**](#public_subnet_custom_tags) — A map of tags to apply to the public Subnet, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`subnet_spacing`**](#subnet_spacing) — The amount of spacing between the different subnet types + + + +* [**`vpc_name`**](#vpc_name) — The name of the VPC. Defaults to mgmt. + + + + + + +* [**`nat_gateway_public_ips`**](#nat_gateway_public_ips) — The public IP address(es) of the NAT gateway(s) of the mgmt VPC. + + + +* [**`num_availability_zones`**](#num_availability_zones) — The number of availability zones used by the mgmt VPC. + + + +* [**`private_subnet_arns`**](#private_subnet_arns) — The private subnet ARNs of the mgmt VPC. 
+ + + +* [**`private_subnet_cidr_blocks`**](#private_subnet_cidr_blocks) — The private subnet CIDR blocks of the mgmt VPC. + + + +* [**`private_subnet_ids`**](#private_subnet_ids) — The private subnet IDs of the mgmt VPC. + + + +* [**`private_subnet_route_table_ids`**](#private_subnet_route_table_ids) — The ID of the private subnet route table of the mgmt VPC. + + + +* [**`public_subnet_arns`**](#public_subnet_arns) — The public subnet ARNs of the mgmt VPC. + + + +* [**`public_subnet_cidr_blocks`**](#public_subnet_cidr_blocks) — The public subnet CIDR blocks of the mgmt VPC. + + + +* [**`public_subnet_ids`**](#public_subnet_ids) — The public subnet IDs of the mgmt VPC. + + + +* [**`public_subnet_route_table_id`**](#public_subnet_route_table_id) — The ID of the public subnet route table of the mgmt VPC. + + + +* [**`vpc_cidr_block`**](#vpc_cidr_block) — The CIDR block of the mgmt VPC. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the mgmt VPC. + + + +* [**`vpc_name`**](#vpc_name) — The name of the mgmt VPC. + + + +* [**`vpc_ready`**](#vpc_ready) — Indicates whether or not the VPC has finished creating + +
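Review bot: the new anchor scheme collides wherever an input and an output share a name, and this file has four such pairs: `num_availability_zones`, `private_subnet_cidr_blocks`, `public_subnet_cidr_blocks` and `vpc_name` each appear once in the inputs list and once in the outputs list, both rendered as `[**`num_availability_zones`**](#num_availability_zones)`. With duplicate ids the browser resolves the fragment to the first occurrence, so every link to the output lands on the input description, which is the navigation problem this PR is meant to fix. Suggest section-qualified anchors from the generator (e.g. `#input-num_availability_zones` and `#output-num_availability_zones`) so the two lists never share an id. Minor, while these descriptions are being regenerated from the module: `kms_key_arn` still reads "encrypting VPC the flow log" (should be "the VPC flow log"), and `create_flow_logs` still justifies itself with "Terraform does not allow you to use the 'count' parameter on modules", which has not been true since modules gained `count` in Terraform 0.13; both come from the module's variable descriptions, so fix them at the source rather than in the rendered docs.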
diff --git a/docs/reference/services/networking/route-53-hosted-zones.md b/docs/reference/services/networking/route-53-hosted-zones.md index ed19af7ac..1b3328069 100644 --- a/docs/reference/services/networking/route-53-hosted-zones.md +++ b/docs/reference/services/networking/route-53-hosted-zones.md @@ -10,117 +10,71 @@ Manage DNS entries using https://aws.amazon.com/route53/:Amazon Route 53 ### Reference - -
    - -
  • -

    - - private_zones - - A map of private Route 53 Hosted Zones. In this map, the key should be the domain name. See examples below. -

    -
  • -
  • -

    - - public_zones - - A map of public Route 53 Hosted Zones. In this map, the key should be the domain name. See examples below. -

    -
  • -
  • -

    - - service_discovery_private_namespaces - - A map of domain names to configurations for setting up a new private namespace in AWS Cloud Map. -

    -
  • -
  • -

    - - service_discovery_public_namespaces - - A map of domain names to configurations for setting up a new public namespace in AWS Cloud Map. Note that the domain name must be registered with Route 53. -

    -
  • -
-
- - - + + + + +* [**`private_zones`**](#private_zones) — A map of private Route 53 Hosted Zones. In this map, the key should be the domain name. See examples below. + + + +* [**`public_zones`**](#public_zones) — A map of public Route 53 Hosted Zones. In this map, the key should be the domain name. See examples below. + + + +* [**`service_discovery_private_namespaces`**](#service_discovery_private_namespaces) — A map of domain names to configurations for setting up a new private namespace in AWS Cloud Map. + + + +* [**`service_discovery_public_namespaces`**](#service_discovery_public_namespaces) — A map of domain names to configurations for setting up a new public namespace in AWS Cloud Map. Note that the domain name must be registered with Route 53. + + + + + + +* [**`acm_tls_certificates`**](#acm_tls_certificates) — A list of ARNs of the wildcard and service discovery certificates that were provisioned along with the Route 53 zone. + + + +* [**`private_domain_names`**](#private_domain_names) — The names of the internal-only Route 53 Hosted Zones + + + +* [**`private_zones_ids`**](#private_zones_ids) — The IDs of the internal-only Route 53 Hosted Zones + + + +* [**`private_zones_name_servers`**](#private_zones_name_servers) — The name servers associated with the internal-only Route 53 Hosted Zones + + + +* [**`public_domain_names`**](#public_domain_names) — The names of the public Route 53 Hosted Zones + + + +* [**`public_hosted_zone_map`**](#public_hosted_zone_map) — A map of domains to their zone IDs. 
IDs are user inputs, when supplied, and otherwise resource IDs + + + +* [**`public_hosted_zones_ids`**](#public_hosted_zones_ids) — The IDs of the public Route 53 Hosted Zones + + + +* [**`public_hosted_zones_name_servers`**](#public_hosted_zones_name_servers) — The name servers associated with the public Route 53 Hosted Zones + + + +* [**`service_discovery_private_namespaces`**](#service_discovery_private_namespaces) — A map of domains to resource arns and hosted zones of the created Service Discovery Private Namespaces. + + + +* [**`service_discovery_public_namespaces`**](#service_discovery_public_namespaces) — A map of domains to resource arns and hosted zones of the created Service Discovery Public Namespaces. + +
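Review bot: `service_discovery_private_namespaces` and `service_discovery_public_namespaces` are each both an input and an output on this page, and both occurrences get the same `#service_discovery_private_namespaces` / `#service_discovery_public_namespaces` anchor, so a link meant for the output map (the namespace ARNs and hosted zones) resolves to the input description instead; the generator needs section-qualified anchors for any name that occurs in both lists. Also, `private_zones` and `public_zones` still say "See examples below", but no examples follow anywhere in this hunk; if the rendered page has none, link to the module's examples directory or drop the sentence so readers are not sent looking for content the page does not contain.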
diff --git a/docs/reference/services/networking/sns-topics.md b/docs/reference/services/networking/sns-topics.md index 399009aa3..44fb2d610 100644 --- a/docs/reference/services/networking/sns-topics.md +++ b/docs/reference/services/networking/sns-topics.md @@ -10,89 +10,55 @@ Create Amazon Simple Notification Service topics ### Reference - -
    - -
  • -

    - - allow_publish_accounts - - A list of IAM ARNs that will be given the rights to publish to the SNS topic. -

    -
  • -
  • -

    - - allow_publish_services - - A list of AWS services that will be given the rights to publish to the SNS topic. -

    -
  • -
  • -

    - - allow_subscribe_accounts - - A list of IAM ARNs that will be given the rights to subscribe to the SNS topic. -

    -
  • -
  • -

    - - allow_subscribe_protocols - - A list of protocols that can be used to subscribe to the SNS topic. -

    -
  • -
  • -

    - - create_resources - - Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources should be created or not. -

    -
  • -
  • -

    - - display_name - - The display name of the SNS topic -

    -
  • -
  • -

    - - kms_master_key_id - - The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK -

    -
  • -
  • -

    - - name - - The name of the SNS topic -

    -
  • -
  • -

    - - slack_webhook_url - - Send topic notifications to this Slack Webhook URL (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ). -

    -
  • -
-
- - - + + + + +* [**`allow_publish_accounts`**](#allow_publish_accounts) — A list of IAM ARNs that will be given the rights to publish to the SNS topic. + + + +* [**`allow_publish_services`**](#allow_publish_services) — A list of AWS services that will be given the rights to publish to the SNS topic. + + + +* [**`allow_subscribe_accounts`**](#allow_subscribe_accounts) — A list of IAM ARNs that will be given the rights to subscribe to the SNS topic. + + + +* [**`allow_subscribe_protocols`**](#allow_subscribe_protocols) — A list of protocols that can be used to subscribe to the SNS topic. + + + +* [**`create_resources`**](#create_resources) — Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources should be created or not. + + + +* [**`display_name`**](#display_name) — The display name of the SNS topic + + + +* [**`kms_master_key_id`**](#kms_master_key_id) — The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK + + + +* [**`name`**](#name) — The name of the SNS topic + + + +* [**`slack_webhook_url`**](#slack_webhook_url) — Send topic notifications to this Slack Webhook URL (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ). + + + + + + +* [**`topic_arn`**](#topic_arn) — The ARN of the SNS topic. + +
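Review bot: `slack_webhook_url` is a credential (anyone holding the URL can post into the channel), but the description only shows an example value; it should say the value is sensitive and must not be committed in plain text, and the module variable should be declared `sensitive = true` so it is redacted from plan and apply output. Two wording points while these descriptions are regenerated: `allow_publish_accounts` and `allow_subscribe_accounts` are named "accounts" but described as "A list of IAM ARNs", so state whether account-root ARNs, role ARNs or both are accepted, since the topic policy built from these lists is what grants other principals access to the topic; and `kms_master_key_id` should say what happens when it is left unset (whether the topic is created without server-side encryption), which is the decision a reader of this line is trying to make. `create_resources` can lose "This weird parameter exists solely because ... this is a hack" in favour of a plain statement that the module creates nothing when it is false.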
diff --git a/docs/reference/services/networking/virtual-private-cloud-vpc.md b/docs/reference/services/networking/virtual-private-cloud-vpc.md index e748691f2..be48228c8 100644 --- a/docs/reference/services/networking/virtual-private-cloud-vpc.md +++ b/docs/reference/services/networking/virtual-private-cloud-vpc.md @@ -10,593 +10,343 @@ Deploy a VPC on AWS. ### Reference - -
    - -
  • -

    - - allow_private_persistence_internet_access - - Should the private persistence subnet be allowed outbound access to the internet? -

    -
  • -
  • -

    - - apply_default_nacl_rules - - If true, will apply the default NACL rules in var.default_nacl_ingress_rules and var.default_nacl_egress_rules to the public, private, and persistence subnets created by this module. Note that every VPC has default NACL rules that apply to subnets. When this is false, the original default NACL rules managed by AWS will be used. If you are managing NACLs for the subnets using another module or for some reason do not want to use the default NACLs, set this to false. -

    -
  • -
  • -

    - - availability_zone_exclude_names - - Specific Availability Zones in which subnets SHOULD NOT be created. Useful for when features / support is missing from a given AZ. -

    -
  • -
  • -

    - - aws_region - - The AWS region in which all resources will be created -

    -
  • -
  • -

    - - cidr_block - - The IP address range of the VPC in CIDR notation. A prefix of /18 is recommended. Do not use a prefix higher than /27. Examples include '10.100.0.0/18', '10.200.0.0/18', etc. -

    -
  • -
  • -

    - - create_dns_forwarder - - Whether or not to create DNS forwarders from the Mgmt VPC to the App VPC to resolve private Route 53 endpoints. This is most useful when you want to keep your EKS Kubernetes API endpoint private to the VPC, but want to access it from the Mgmt VPC (where your VPN/Bastion servers are). -

    -
  • -
  • -

    - - create_flow_logs - - If you set this variable to false, this module will not create VPC Flow Logs resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module. -

    -
  • -
  • -

    - - create_network_acls - - If set to false, this module will NOT create Network ACLs. This is useful if you don't want to use Network ACLs or you want to provide your own Network ACLs outside of this module. -

    -
  • -
  • -

    - - create_peering_connection - - Whether or not to create a peering connection to another VPC. -

    -
  • -
  • -

    - - create_private_app_subnet_nacls - - If set to false, this module will NOT create the NACLs for the private app subnet tier. -

    -
  • -
  • -

    - - create_private_app_subnets - - If set to false, this module will NOT create the private app subnet tier. -

    -
  • -
  • -

    - - create_private_persistence_subnet_nacls - - If set to false, this module will NOT create the NACLs for the private persistence subnet tier. -

    -
  • -
  • -

    - - create_private_persistence_subnets - - If set to false, this module will NOT create the private persistence subnet tier. -

    -
  • -
  • -

    - - create_public_subnet_nacls - - If set to false, this module will NOT create the NACLs for the public subnet tier. This is useful for VPCs that only need private subnets. -

    -
  • -
  • -

    - - create_public_subnets - - If set to false, this module will NOT create the public subnet tier. This is useful for VPCs that only need private subnets. Note that setting this to false also means the module will NOT create an Internet Gateway or the NAT gateways, so if you want any public Internet access in the VPC (even outbound access—e.g., to run apt get), you'll need to provide it yourself via some other mechanism (e.g., via VPC peering, a Transit Gateway, Direct Connect, etc). -

    -
  • -
  • -

    - - create_vpc_endpoints - - Create VPC endpoints for S3 and DynamoDB. -

    -
  • -
  • -

    - - custom_tags - - A map of tags to apply to the VPC, Subnets, Route Tables, Internet Gateway, default security group, and default NACLs. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable. -

    -
  • -
  • -

    - - default_nacl_egress_rules - - The egress rules to apply to the default NACL in the VPC. This is the security group that is used by any subnet that doesn't have its own NACL attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the egress block in the aws_default_network_acl resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl. -

    -
  • -
  • -

    - - default_nacl_ingress_rules - - The ingress rules to apply to the default NACL in the VPC. This is the NACL that is used by any subnet that doesn't have its own NACL attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the ingress block in the aws_default_network_acl resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl. -

    -
  • -
  • -

    - - default_security_group_egress_rules - - The egress rules to apply to the default security group in the VPC. This is the security group that is used by any resource that doesn't have its own security group attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the egress block in the aws_default_security_group resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#egress-block. -

    -
  • -
  • -

    - - default_security_group_ingress_rules - - The ingress rules to apply to the default security group in the VPC. This is the security group that is used by any resource that doesn't have its own security group attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the ingress block in the aws_default_security_group resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group#ingress-block. -

    -
  • -
  • -

    - - destination_vpc_resolver_name - - Name to set for the destination VPC resolver (inbound from origin VPC to destination VPC). If null (default), defaults to 'DESTINATION_VPC_NAME-from-ORIGIN_VPC_NAME-in'. -

    -
  • -
  • -

    - - eks_cluster_names - - The names of EKS clusters that will be deployed into the VPC, if var.tag_for_use_with_eks is true. -

    -
  • -
  • -

    - - enable_default_security_group - - If set to false, the default security groups will NOT be created. -

    -
  • -
  • -

    - - flow_log_cloudwatch_iam_role_name - - The name to use for the flow log IAM role. This can be useful if you provision the VPC without admin privileges which needs setting IAM:PassRole on deployment role. When null, a default name based on the VPC name will be chosen. -

    -
  • -
  • -

    - - flow_log_cloudwatch_log_group_name - - The name to use for the CloudWatch Log group used for storing flow log. When null, a default name based on the VPC name will be chosen. -

    -
  • -
  • -

    - - flow_logs_traffic_type - - The type of traffic to capture in the VPC flow log. Valid values include ACCEPT, REJECT, or ALL. Defaults to REJECT. Only used if create_flow_logs is true. -

    -
  • -
  • -

    - - kms_key_arn - - The ARN of a KMS key to use for encrypting VPC the flow log. A new KMS key will be created if this is not supplied. -

    -
  • -
  • -

    - - kms_key_user_iam_arns - - VPC Flow Logs will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have access to this key. -

    -
  • -
  • -

    - - nat_gateway_custom_tags - - A map of tags to apply to the NAT gateways, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - num_availability_zones - - How many AWS Availability Zones (AZs) to use. One subnet of each type (public, private app) will be created in each AZ. Note that this must be less than or equal to the total number of AZs in a region. A value of null means all AZs should be used. For example, if you specify 3 in a region with 5 AZs, subnets will be created in just 3 AZs instead of all 5. Defaults to all AZs in a region. -

    -
  • -
  • -

    - - num_nat_gateways - - The number of NAT Gateways to launch for this VPC. For production VPCs, a NAT Gateway should be placed in each Availability Zone (so likely 3 total), whereas for non-prod VPCs, just one Availability Zone (and hence 1 NAT Gateway) will suffice. -

    -
  • -
  • -

    - - origin_vpc_cidr_block - - The CIDR block of the origin VPC. -

    -
  • -
  • -

    - - origin_vpc_id - - The ID of the origin VPC to use when creating peering connections and DNS forwarding. -

    -
  • -
  • -

    - - origin_vpc_name - - The name of the origin VPC to use when creating peering connections and DNS forwarding. -

    -
  • -
  • -

    - - origin_vpc_public_subnet_ids - - The public subnets in the origin VPC to use when creating route53 resolvers. These are public subnets due to network ACLs restrictions. Although the forwarder is addressable publicly, access is blocked by security groups. -

    -
  • -
  • -

    - - origin_vpc_resolver_name - - Name to set for the origin VPC resolver (outbound from origin VPC to destination VPC). If null (default), defaults to 'ORIGIN_VPC_NAME-to-DESTINATION_VPC_NAME-out'. -

    -
  • -
  • -

    - - origin_vpc_route_table_ids - - A list of route tables from the origin VPC that should have routes to this app VPC. -

    -
  • -
  • -

    - - persistence_subnet_bits - - Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. -

    -
  • -
  • -

    - - persistence_subnet_spacing - - The amount of spacing between the private persistence subnets. Default: 2 times the value of private_subnet_spacing. -

    -
  • -
  • -

    - - private_app_allow_inbound_ports_from_cidr - - A map of unique names to client IP CIDR block and inbound ports that should be exposed in the private app subnet tier nACLs. This is useful when exposing your service on a privileged port with an NLB, where the address isn't translated. -

    -
  • -
  • -

    - - private_app_subnet_cidr_blocks - - A map listing the specific CIDR blocks desired for each private-app subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. -

    -
  • -
  • -

    - - private_app_subnet_custom_tags - - A map of tags to apply to the private-app Subnet, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - private_persistence_subnet_cidr_blocks - - A map listing the specific CIDR blocks desired for each private-persistence subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. -

    -
  • -
  • -

    - - private_persistence_subnet_custom_tags - - A map of tags to apply to the private-persistence Subnet, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - private_subnet_bits - - Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. -

    -
  • -
  • -

    - - private_subnet_spacing - - The amount of spacing between private app subnets. Defaults to subnet_spacing in vpc-app module if not set. -

    -
  • -
  • -

    - - public_subnet_bits - - Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. -

    -
  • -
  • -

    - - public_subnet_cidr_blocks - - A map listing the specific CIDR blocks desired for each public subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. -

    -
  • -
  • -

    - - public_subnet_custom_tags - - A map of tags to apply to the public Subnet, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - security_group_tags - - A map of tags to apply to the default Security Group, on top of the custom_tags. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - subnet_spacing - - The amount of spacing between the different subnet types -

    -
  • -
  • -

    - - tag_for_use_with_eks - - The VPC resources need special tags for discoverability by Kubernetes to use with certain features, like deploying ALBs. -

    -
  • -
  • -

    - - tenancy - - The allowed tenancy of instances launched into the selected VPC. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_custom_tags - - A map of tags to apply just to the VPC itself, but not any of the other resources. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as custom_tags in case of conflict. -

    -
  • -
  • -

    - - vpc_name - - Name of the VPC. Examples include 'prod', 'dev', 'mgmt', etc. -

    -
  • -
-
- - - + + + + +* [**`allow_private_persistence_internet_access`**](#allow_private_persistence_internet_access) — Should the private persistence subnet be allowed outbound access to the internet? + + + +* [**`apply_default_nacl_rules`**](#apply_default_nacl_rules) — If true, will apply the default NACL rules in [`default_nacl_ingress_rules`](#default_nacl_ingress_rules) and [`default_nacl_egress_rules`](#default_nacl_egress_rules) to the public, private, and persistence subnets created by this module. Note that every VPC has default NACL rules that apply to subnets. When this is false, the original default NACL rules managed by AWS will be used. If you are managing NACLs for the subnets using another module or for some reason do not want to use the default NACLs, set this to false. + + + +* [**`availability_zone_exclude_names`**](#availability_zone_exclude_names) — Specific Availability Zones in which subnets SHOULD NOT be created. Useful for when features / support is missing from a given AZ. + + + +* [**`aws_region`**](#aws_region) — The AWS region in which all resources will be created + + + +* [**`cidr_block`**](#cidr_block) — The IP address range of the VPC in CIDR notation. A prefix of /18 is recommended. Do not use a prefix higher than /27. Examples include '10.100.0.0/18', '10.200.0.0/18', etc. + + + +* [**`create_dns_forwarder`**](#create_dns_forwarder) — Whether or not to create DNS forwarders from the Mgmt VPC to the App VPC to resolve private Route 53 endpoints. This is most useful when you want to keep your EKS Kubernetes API endpoint private to the VPC, but want to access it from the Mgmt VPC (where your VPN/Bastion servers are). + + + +* [**`create_flow_logs`**](#create_flow_logs) — If you set this variable to false, this module will not create VPC Flow Logs resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. 
By using this parameter, you can optionally create or not create the resources within this module. + + + +* [**`create_network_acls`**](#create_network_acls) — If set to false, this module will NOT create Network ACLs. This is useful if you don't want to use Network ACLs or you want to provide your own Network ACLs outside of this module. + + + +* [**`create_peering_connection`**](#create_peering_connection) — Whether or not to create a peering connection to another VPC. + + + +* [**`create_private_app_subnet_nacls`**](#create_private_app_subnet_nacls) — If set to false, this module will NOT create the NACLs for the private app subnet tier. + + + +* [**`create_private_app_subnets`**](#create_private_app_subnets) — If set to false, this module will NOT create the private app subnet tier. + + + +* [**`create_private_persistence_subnet_nacls`**](#create_private_persistence_subnet_nacls) — If set to false, this module will NOT create the NACLs for the private persistence subnet tier. + + + +* [**`create_private_persistence_subnets`**](#create_private_persistence_subnets) — If set to false, this module will NOT create the private persistence subnet tier. + + + +* [**`create_public_subnet_nacls`**](#create_public_subnet_nacls) — If set to false, this module will NOT create the NACLs for the public subnet tier. This is useful for VPCs that only need private subnets. + + + +* [**`create_public_subnets`**](#create_public_subnets) — If set to false, this module will NOT create the public subnet tier. This is useful for VPCs that only need private subnets. Note that setting this to false also means the module will NOT create an Internet Gateway or the NAT gateways, so if you want any public Internet access in the VPC (even outbound access—e.g., to run apt get), you'll need to provide it yourself via some other mechanism (e.g., via VPC peering, a Transit Gateway, Direct Connect, etc). 
+ + + +* [**`create_vpc_endpoints`**](#create_vpc_endpoints) — Create VPC endpoints for S3 and DynamoDB. + + + +* [**`custom_tags`**](#custom_tags) — A map of tags to apply to the VPC, Subnets, Route Tables, Internet Gateway, default security group, and default NACLs. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable. + + + +* [**`default_nacl_egress_rules`**](#default_nacl_egress_rules) — The egress rules to apply to the default NACL in the VPC. This is the security group that is used by any subnet that doesn't have its own NACL attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the egress block in the [`aws_default_network_acl`](#aws_default_network_acl) resource: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl). + + + +* [**`default_nacl_ingress_rules`**](#default_nacl_ingress_rules) — The ingress rules to apply to the default NACL in the VPC. This is the NACL that is used by any subnet that doesn't have its own NACL attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the ingress block in the [`aws_default_network_acl`](#aws_default_network_acl) resource: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl). + + + +* [**`default_security_group_egress_rules`**](#default_security_group_egress_rules) — The egress rules to apply to the default security group in the VPC. 
This is the security group that is used by any resource that doesn't have its own security group attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the egress block in the [`aws_default_security_group`](#aws_default_security_group) resource: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group)#egress-block. + + + +* [**`default_security_group_ingress_rules`**](#default_security_group_ingress_rules) — The ingress rules to apply to the default security group in the VPC. This is the security group that is used by any resource that doesn't have its own security group attached. The value for this variable must be a map where the keys are a unique name for each rule and the values are objects with the same fields as the ingress block in the [`aws_default_security_group`](#aws_default_security_group) resource: [`https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group`](#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group)#ingress-block. + + + +* [**`destination_vpc_resolver_name`**](#destination_vpc_resolver_name) — Name to set for the destination VPC resolver (inbound from origin VPC to destination VPC). If null (default), defaults to [`'DESTINATION_VPC_NAME-from-ORIGIN_VPC_NAME`](#'DESTINATION_VPC_NAME-from-ORIGIN_VPC_NAME)-in'. + + + +* [**`eks_cluster_names`**](#eks_cluster_names) — The names of EKS clusters that will be deployed into the VPC, if [`tag_for_use_with_eks`](#tag_for_use_with_eks) is true. + + + +* [**`enable_default_security_group`**](#enable_default_security_group) — If set to false, the default security groups will NOT be created. 
+ + + +* [**`flow_log_cloudwatch_iam_role_name`**](#flow_log_cloudwatch_iam_role_name) — The name to use for the flow log IAM role. This can be useful if you provision the VPC without admin privileges which needs setting IAM:PassRole on deployment role. When null, a default name based on the VPC name will be chosen. + + + +* [**`flow_log_cloudwatch_log_group_name`**](#flow_log_cloudwatch_log_group_name) — The name to use for the CloudWatch Log group used for storing flow log. When null, a default name based on the VPC name will be chosen. + + + +* [**`flow_logs_traffic_type`**](#flow_logs_traffic_type) — The type of traffic to capture in the VPC flow log. Valid values include ACCEPT, REJECT, or ALL. Defaults to REJECT. Only used if [`create_flow_logs`](#create_flow_logs) is true. + + + +* [**`kms_key_arn`**](#kms_key_arn) — The ARN of a KMS key to use for encrypting VPC the flow log. A new KMS key will be created if this is not supplied. + + + +* [**`kms_key_user_iam_arns`**](#kms_key_user_iam_arns) — VPC Flow Logs will be encrypted with a KMS Key (a Customer Master Key). The IAM Users specified in this list will have access to this key. + + + +* [**`nat_gateway_custom_tags`**](#nat_gateway_custom_tags) — A map of tags to apply to the NAT gateways, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`num_availability_zones`**](#num_availability_zones) — How many AWS Availability Zones (AZs) to use. One subnet of each type (public, private app) will be created in each AZ. Note that this must be less than or equal to the total number of AZs in a region. A value of null means all AZs should be used. For example, if you specify 3 in a region with 5 AZs, subnets will be created in just 3 AZs instead of all 5. Defaults to all AZs in a region. 
+ + + +* [**`num_nat_gateways`**](#num_nat_gateways) — The number of NAT Gateways to launch for this VPC. For production VPCs, a NAT Gateway should be placed in each Availability Zone (so likely 3 total), whereas for non-prod VPCs, just one Availability Zone (and hence 1 NAT Gateway) will suffice. + + + +* [**`origin_vpc_cidr_block`**](#origin_vpc_cidr_block) — The CIDR block of the origin VPC. + + + +* [**`origin_vpc_id`**](#origin_vpc_id) — The ID of the origin VPC to use when creating peering connections and DNS forwarding. + + + +* [**`origin_vpc_name`**](#origin_vpc_name) — The name of the origin VPC to use when creating peering connections and DNS forwarding. + + + +* [**`origin_vpc_public_subnet_ids`**](#origin_vpc_public_subnet_ids) — The public subnets in the origin VPC to use when creating route53 resolvers. These are public subnets due to network ACLs restrictions. Although the forwarder is addressable publicly, access is blocked by security groups. + + + +* [**`origin_vpc_resolver_name`**](#origin_vpc_resolver_name) — Name to set for the origin VPC resolver (outbound from origin VPC to destination VPC). If null (default), defaults to [`'ORIGIN_VPC_NAME-to-DESTINATION_VPC_NAME`](#'ORIGIN_VPC_NAME-to-DESTINATION_VPC_NAME)-out'. + + + +* [**`origin_vpc_route_table_ids`**](#origin_vpc_route_table_ids) — A list of route tables from the origin VPC that should have routes to this app VPC. + + + +* [**`persistence_subnet_bits`**](#persistence_subnet_bits) — Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. + + + +* [**`persistence_subnet_spacing`**](#persistence_subnet_spacing) — The amount of spacing between the private persistence subnets. Default: 2 times the value of [`private_subnet_spacing`](#private_subnet_spacing). 
+ + + +* [**`private_app_allow_inbound_ports_from_cidr`**](#private_app_allow_inbound_ports_from_cidr) — A map of unique names to client IP CIDR block and inbound ports that should be exposed in the private app subnet tier nACLs. This is useful when exposing your service on a privileged port with an NLB, where the address isn't translated. + + + +* [**`private_app_subnet_cidr_blocks`**](#private_app_subnet_cidr_blocks) — A map listing the specific CIDR blocks desired for each private-app subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. + + + +* [**`private_app_subnet_custom_tags`**](#private_app_subnet_custom_tags) — A map of tags to apply to the private-app Subnet, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`private_persistence_subnet_cidr_blocks`**](#private_persistence_subnet_cidr_blocks) — A map listing the specific CIDR blocks desired for each private-persistence subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. + + + +* [**`private_persistence_subnet_custom_tags`**](#private_persistence_subnet_custom_tags) — A map of tags to apply to the private-persistence Subnet, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`private_subnet_bits`**](#private_subnet_bits) — Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. 
See cidrsubnet interpolation in terraform config for more information. + + + +* [**`private_subnet_spacing`**](#private_subnet_spacing) — The amount of spacing between private app subnets. Defaults to [`subnet_spacing`](#subnet_spacing) in vpc-app module if not set. + + + +* [**`public_subnet_bits`**](#public_subnet_bits) — Takes the CIDR prefix and adds these many bits to it for calculating subnet ranges. MAKE SURE if you change this you also change the CIDR spacing or you may hit errors. See cidrsubnet interpolation in terraform config for more information. + + + +* [**`public_subnet_cidr_blocks`**](#public_subnet_cidr_blocks) — A map listing the specific CIDR blocks desired for each public subnet. The key must be in the form AZ-0, AZ-1, ... AZ-n where n is the number of Availability Zones. If left blank, we will compute a reasonable CIDR block for each subnet. + + + +* [**`public_subnet_custom_tags`**](#public_subnet_custom_tags) — A map of tags to apply to the public Subnet, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`security_group_tags`**](#security_group_tags) — A map of tags to apply to the default Security Group, on top of the [`custom_tags`](#custom_tags). The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`subnet_spacing`**](#subnet_spacing) — The amount of spacing between the different subnet types + + + +* [**`tag_for_use_with_eks`**](#tag_for_use_with_eks) — The VPC resources need special tags for discoverability by Kubernetes to use with certain features, like deploying ALBs. + + + +* [**`tenancy`**](#tenancy) — The allowed tenancy of instances launched into the selected VPC. Must be one of: default, dedicated, or host. 
+ + + +* [**`vpc_custom_tags`**](#vpc_custom_tags) — A map of tags to apply just to the VPC itself, but not any of the other resources. The key is the tag name and the value is the tag value. Note that tags defined here will override tags defined as [`custom_tags`](#custom_tags) in case of conflict. + + + +* [**`vpc_name`**](#vpc_name) — Name of the VPC. Examples include 'prod', 'dev', 'mgmt', etc. + + + + + + +* [**`availability_zones`**](#availability_zones) — The availability zones of the VPC + + + +* [**`default_security_group_id`**](#default_security_group_id) — The ID of the default security group of this VPC. + + + +* [**`dynamodb_vpc_endpoint_id`**](#dynamodb_vpc_endpoint_id) — + + + +* [**`nat_gateway_public_ip_count`**](#nat_gateway_public_ip_count) — Count of public IPs from the NAT Gateway + + + +* [**`nat_gateway_public_ips`**](#nat_gateway_public_ips) — A list of public IPs from the NAT Gateway + + + +* [**`num_availability_zones`**](#num_availability_zones) — The number of availability zones of the VPC + + + +* [**`private_app_subnet_cidr_blocks`**](#private_app_subnet_cidr_blocks) — The private IP address range of the VPC in CIDR notation. + + + +* [**`private_app_subnet_ids`**](#private_app_subnet_ids) — A list of IDs of the private app subnets in the VPC + + + +* [**`private_app_subnet_route_table_ids`**](#private_app_subnet_route_table_ids) — A list of IDs of the private app subnet routing table. + + + +* [**`private_app_subnets`**](#private_app_subnets) — A map of all private-app subnets, with the subnet name as key, and all `aws-subnet` properties as the value. + + + +* [**`private_app_subnets_network_acl_id`**](#private_app_subnets_network_acl_id) — The ID of the private subnet's ACL + + + +* [**`private_persistence_route_table_ids`**](#private_persistence_route_table_ids) — A list of IDs of the private persistence subnet routing table. 
+ + + +* [**`private_persistence_subnet_cidr_blocks`**](#private_persistence_subnet_cidr_blocks) — The private IP address range of the VPC Persistence tier in CIDR notation. + + + +* [**`private_persistence_subnet_ids`**](#private_persistence_subnet_ids) — The IDs of the private persistence tier subnets of the VPC. + + + +* [**`private_persistence_subnets`**](#private_persistence_subnets) — A map of all private-persistence subnets, with the subnet name as key, and all `aws-subnet` properties as the value. + + + +* [**`private_persistence_subnets_network_acl_id`**](#private_persistence_subnets_network_acl_id) — The ID of the private persistence subnet's ACL + + + +* [**`public_subnet_cidr_blocks`**](#public_subnet_cidr_blocks) — The public IP address range of the VPC in CIDR notation. + + + +* [**`public_subnet_ids`**](#public_subnet_ids) — A list of IDs of the public subnets of the VPC. + + + +* [**`public_subnet_route_table_id`**](#public_subnet_route_table_id) — The ID of the public routing table. + + + +* [**`public_subnets`**](#public_subnets) — A map of all public subnets, with the subnet name as key, and all `aws-subnet` properties as the value. + + + +* [**`public_subnets_network_acl_id`**](#public_subnets_network_acl_id) — The ID of the public subnet's ACL + + + +* [**`s3_vpc_endpoint_id`**](#s3_vpc_endpoint_id) — + + + +* [**`vpc_cidr_block`**](#vpc_cidr_block) — The IP address range of the VPC in CIDR notation. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC. + + + +* [**`vpc_name`**](#vpc_name) — The name configured for VPC. + + + +* [**`vpc_ready`**](#vpc_ready) — Indicates whether or not the VPC has finished creating + +
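Review bot: The cross-reference rewrite in this hunk turns anything reference-shaped into an in-page anchor, which leaves dead links in several `+` lines: in the `default_nacl_egress_rules`, `default_nacl_ingress_rules`, `default_security_group_egress_rules` and `default_security_group_ingress_rules` descriptions the registry URL becomes `[`https://registry.terraform.io/...`](#https://registry.terraform.io/...)` with the `#egress-block` / `#ingress-block` fragment left dangling outside the link, and the resource types `aws_default_network_acl` / `aws_default_security_group` get `#aws_default_network_acl`-style anchors although no variable of that name exists on this page. Suggest only linking names present in this page's variable and output lists and emitting URLs as ordinary links, e.g. `[aws_default_network_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl#egress-block)`. The same over-match mangles the quoted defaults of `destination_vpc_resolver_name` and `origin_vpc_resolver_name` (`'DESTINATION_VPC_NAME-from-ORIGIN_VPC_NAME` is linked and `-in'` is stranded outside the backticks), and because the outputs reuse input names (`num_availability_zones`, `private_app_subnet_cidr_blocks`, `vpc_name`), the duplicated ids mean the output `#vpc_name` link resolves to the input entry; an `output-` prefix on output anchors would avoid the collision. While regenerating, note that the `default_nacl_egress_rules` text still says "This is the security group that is used by any subnet" where its ingress twin correctly says NACL, and that the `dynamodb_vpc_endpoint_id` and `s3_vpc_endpoint_id` outputs are emitted with empty descriptions.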
diff --git a/docs/reference/services/security/bastion.md b/docs/reference/services/security/bastion.md index 38cb26ba5..73612bef9 100644 --- a/docs/reference/services/security/bastion.md +++ b/docs/reference/services/security/bastion.md @@ -10,236 +10,139 @@ Deploy a Bastion host on to your AWS VPC network. ### Reference - -
    - -
  • -

    - - additional_security_group_ids - - A list of optional additional security group ids to assign to the bastion server. -

    -
  • -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_ssh_from_cidr_list - - A list of IP address ranges in CIDR format from which SSH access will be permitted. Attempts to access the bastion host from all other IP addresses will be blocked. This is only used if var.allow_ssh_from_cidr is true. -

    -
  • -
  • -

    - - ami - - The AMI to run on the bastion host. This should be built from the Packer template under bastion-host.json. One of var.ami or var.ami_filters is required. Set to null if looking up the ami with filters. -

    -
  • -
  • -

    - - ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with the Bastion Host. You can build the AMI using the Packer template bastion-host.json. Only used if var.ami is null. One of var.ami or var.ami_filters is required. Set to null if passing the ami ID directly. -

    -
  • -
  • -

    - - base_domain_name_tags - - Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name) -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the bastion host while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. -

    -
  • -
  • -

    - - create_dns_record - - Set to true to create a DNS record in Route53 pointing to the bastion. If true, be sure to set var.domain_name. -

    -
  • -
  • -

    - - default_user - - The default OS user for the Bastion Host AMI. For AWS Ubuntu AMIs, which is what the Packer template in bastion-host.json uses, the default OS user is 'ubuntu'. -

    -
  • -
  • -

    - - domain_name - - The apex domain of the hostname for the bastion server (e.g., example.com). The complete hostname for the bastion server will be var.name.var.domain_name (e.g., bastion.example.com). Only used if create_dns_record is true. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true. -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true. -

    -
  • -
  • -

    - - enable_ssh_grunt - - Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). -

    -
  • -
  • -

    - - instance_type - - The type of instance to run for the bastion host -

    -
  • -
  • -

    - - keypair_name - - The name of a Key Pair that can be used to SSH to this instance. -

    -
  • -
  • -

    - - name - - The name of the bastion host and the other resources created by these templates -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host with sudo permissions. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - subnet_id - - The ID of the subnet in which to deploy the bastion. Must be a subnet in var.vpc_id. -

    -
  • -
  • -

    - - tenancy - - The tenancy of this server. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy the bastion. -

    -
  • -
-
- - - + + + + +* [**`additional_security_group_ids`**](#additional_security_group_ids) — A list of optional additional security group ids to assign to the bastion server. + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_ssh_from_cidr_list`**](#allow_ssh_from_cidr_list) — A list of IP address ranges in CIDR format from which SSH access will be permitted. Attempts to access the bastion host from all other IP addresses will be blocked. This is only used if [`allow_ssh_from_cidr`](#allow_ssh_from_cidr) is true. + + + +* [**`ami`**](#ami) — The AMI to run on the bastion host. This should be built from the Packer template under bastion-host.json. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if looking up the ami with filters. + + + +* [**`ami_filters`**](#ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with the Bastion Host. You can build the AMI using the Packer template bastion-host.json. Only used if var.ami is null. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if passing the ami ID directly. + + + +* [**`base_domain_name_tags`**](#base_domain_name_tags) — Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name) + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the bastion host while it boots. See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. + + + +* [**`create_dns_record`**](#create_dns_record) — Set to true to create a DNS record in Route53 pointing to the bastion. If true, be sure to set [`domain_name`](#domain_name). 
+ + + +* [**`default_user`**](#default_user) — The default OS user for the Bastion Host AMI. For AWS Ubuntu AMIs, which is what the Packer template in bastion-host.json uses, the default OS user is 'ubuntu'. + + + +* [**`domain_name`**](#domain_name) — The apex domain of the hostname for the bastion server (e.g., example.com). The complete hostname for the bastion server will be [`name.var.domain_name`](#name.var.domain_name) (e.g., bastion.example.com). Only used if [`create_dns_record`](#create_dns_record) is true. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host. + + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true. + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true. 
+ + + +* [**`enable_ssh_grunt`**](#enable_ssh_grunt) — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain). + + + +* [**`instance_type`**](#instance_type) — The type of instance to run for the bastion host + + + +* [**`keypair_name`**](#keypair_name) — The name of a Key Pair that can be used to SSH to this instance. + + + +* [**`name`**](#name) — The name of the bastion host and the other resources created by these templates + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host with sudo permissions. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`subnet_id`**](#subnet_id) — The ID of the subnet in which to deploy the bastion. Must be a subnet in [`vpc_id`](#vpc_id). + + + +* [**`tenancy`**](#tenancy) — The tenancy of this server. Must be one of: default, dedicated, or host. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy the bastion. 
+ + + + + + +* [**`bastion_host_iam_role_arn`**](#bastion_host_iam_role_arn) — The ARN of the bastion host's IAM role. + + + +* [**`bastion_host_instance_id`**](#bastion_host_instance_id) — The EC2 instance ID of the bastion host. + + + +* [**`bastion_host_private_ip`**](#bastion_host_private_ip) — The private IP address of the bastion host. + + + +* [**`bastion_host_public_ip`**](#bastion_host_public_ip) — The public IP address of the bastion host. + + + +* [**`bastion_host_security_group_id`**](#bastion_host_security_group_id) — The ID of the bastion hosts's security group. + + + +* [**`dns_name`**](#dns_name) — The fully qualified name of the bastion host. + +
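Review bot: The `var.<name>` substitution is inconsistent in the `+` lines of this hunk: `var.ami` stays as plain text while `var.ami_filters` on the same line becomes `[`ami_filters`](#ami_filters)` (in both the `ami` and `ami_filters` descriptions), the expression `var.name.var.domain_name` in `domain_name` collapses into a single link `[`name.var.domain_name`](#name.var.domain_name)` whose anchor does not exist, and `allow_ssh_from_cidr_list` now links to `#allow_ssh_from_cidr`, a variable that is not in this reference list, so the reader cannot find the gating flag the sentence depends on. The cloud-init URL in `cloud_init_parts` is likewise turned into an anchor with `.html` split off: `[`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html`. Suggest matching `var.<name>` only when `<name>` is in the page's variable set, linking each match separately rather than the whole dotted expression, and excluding URLs from the substitution. Carried over unchanged and worth fixing in the same pass: "bastion hosts's security group" in `bastion_host_security_group_id`.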
diff --git a/docs/reference/services/security/open-vpn.md b/docs/reference/services/security/open-vpn.md index 75c1540bc..0585018b8 100644 --- a/docs/reference/services/security/open-vpn.md +++ b/docs/reference/services/security/open-vpn.md @@ -10,418 +10,243 @@ Deploy an OpenVPN Server on AWS. ### Reference - -
    - -
  • -

    - - alarms_sns_topic_arn - - The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. -

    -
  • -
  • -

    - - allow_manage_key_permissions_with_iam - - If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient. -

    -
  • -
  • -

    - - allow_ssh_from_cidr_list - - The IP address ranges in CIDR format from which to allow incoming SSH requests to the OpenVPN server. -

    -
  • -
  • -

    - - allow_ssh_from_security_group_ids - - The IDs of security groups from which to allow incoming SSH requests to the OpenVPN server. -

    -
  • -
  • -

    - - allow_vpn_from_cidr_list - - A list of IP address ranges in CIDR format from which VPN access will be permitted. Attempts to access the OpenVPN Server from all other IP addresses will be blocked. -

    -
  • -
  • -

    - - ami - - The AMI to run on the OpenVPN Server. This should be built from the Packer template under openvpn-server.json. One of var.ami or var.ami_filters is required. Set to null if looking up the ami with filters. -

    -
  • -
  • -

    - - ami_filters - - Properties on the AMI that can be used to lookup a prebuilt AMI for use with the OpenVPN server. You can build the AMI using the Packer template openvpn-server.json. Only used if var.ami is null. One of var.ami or var.ami_filters is required. Set to null if passing the ami ID directly. -

    -
  • -
  • -

    - - backup_bucket_name - - The name of the S3 bucket that will be used to backup PKI secrets. This is a required variable because bucket names must be globally unique across all AWS customers. -

    -
  • -
  • -

    - - base_domain_name - - The base domain name to use for the OpenVPN server. Used to lookup the Hosted Zone ID to use for creating the Route 53 domain entry. Only used if var.create_route53_entry is true. -

    -
  • -
  • -

    - - base_domain_name_tags - - Tags to use to filter the Route 53 Hosted Zones that might match var.domain_name. -

    -
  • -
  • -

    - - ca_cert_fields - - An object with fields for the country, state, locality, organization, organizational unit, and email address to use with the OpenVPN CA certificate. -

    -
  • -
  • -

    - - cloud_init_parts - - Cloud init scripts to run on the OpenVPN server while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax. -

    -
  • -
  • -

    - - cmk_administrator_iam_arns - - A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and var.kms_key_arn is null, the ARN of the current user will be used. -

    -
  • -
  • -

    - - cmk_external_user_iam_arns - - A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root). -

    -
  • -
  • -

    - - cmk_user_iam_arns - - A list of IAM ARNs for users who should be given permissions to use this KMS Master Key (e.g. arn:aws:iam::1234567890:user/foo). -

    -
  • -
  • -

    - - create_route53_entry - - Set to true to add var.domain_name as a Route 53 DNS A record for the OpenVPN server -

    -
  • -
  • -

    - - default_user - - The default OS user for the OpenVPN AMI. For AWS Ubuntu AMIs, which is what the Packer template in openvpn-server.json uses, the default OS user is 'ubuntu'. -

    -
  • -
  • -

    - - domain_name - - The domain name to use for the OpenVPN server. Only used if var.create_route53_entry is true. If null, set to <NAME>.<BASE_DOMAIN_NAME>. -

    -
  • -
  • -

    - - enable_cloudwatch_alarms - - Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using var.alarms_sns_topic_arn. -

    -
  • -
  • -

    - - enable_cloudwatch_log_aggregation - - Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. -

    -
  • -
  • -

    - - enable_cloudwatch_metrics - - Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your OpenVPN server. -

    -
  • -
  • -

    - - enable_fail2ban - - Enable fail2ban to block brute force log in attempts. Defaults to true. -

    -
  • -
  • -

    - - enable_ip_lockdown - - Enable ip-lockdown to block access to the instance metadata. Defaults to true. -

    -
  • -
  • -

    - - enable_ssh_grunt - - Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. -

    -
  • -
  • -

    - - external_account_arns - - The ARNs of external AWS accounts where your IAM users are defined. This module will create IAM roles that users in those accounts will be able to assume to get access to the request/revocation SQS queues. -

    -
  • -
  • -

    - - external_account_ssh_grunt_role_arn - - Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. -

    -
  • -
  • -

    - - force_destroy - - When a terraform destroy is run, should the backup s3 bucket be destroyed even if it contains files. Should only be set to true for testing/development -

    -
  • -
  • -

    - - hosted_zone_id - - The ID of the Route 53 Hosted Zone in which the domain should be created. Only used if var.create_route53_entry is true. If null, lookup the hosted zone ID using the var.base_domain_name. -

    -
  • -
  • -

    - - instance_type - - The type of instance to run for the OpenVPN Server -

    -
  • -
  • -

    - - keypair_name - - The name of a Key Pair that can be used to SSH to this instance. Leave blank if you don't want to enable Key Pair auth. -

    -
  • -
  • -

    - - kms_key_arn - - The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK) that will be used to encrypt/decrypt backup files. If null, a key will be created with permissions assigned by the following variables: cmk_administrator_iam_arns, cmk_user_iam_arns, cmk_external_user_iam_arns, allow_manage_key_permissions. -

    -
  • -
  • -

    - - name - - The name of the OpenVPN Server and the other resources created by these templates -

    -
  • -
  • -

    - - request_queue_name - - The name of the sqs queue that will be used to receive new certificate requests. -

    -
  • -
  • -

    - - revocation_queue_name - - The name of the sqs queue that will be used to receive certification revocation requests. Note that the queue name will be automatically prefixed with 'openvpn-requests-'. -

    -
  • -
  • -

    - - ssh_grunt_iam_group - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - ssh_grunt_iam_group_sudo - - If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server with sudo permissions. This value is only used if enable_ssh_grunt=true. -

    -
  • -
  • -

    - - subnet_ids - - The ids of the subnets where this server should be deployed. -

    -
  • -
  • -

    - - tenancy - - The tenancy of this server. Must be one of: default, dedicated, or host. -

    -
  • -
  • -

    - - vpc_id - - The ID of the VPC in which to deploy the OpenVPN server. -

    -
  • -
  • -

    - - vpn_route_cidr_blocks - - A list of CIDR ranges to be routed over the VPN. -

    -
  • -
  • -

    - - vpn_search_domains - - A list of domains to push down to the client to resolve over VPN. This will configure the OpenVPN server to pass through domains that should be resolved over the VPN connection (as opposed to the locally configured resolver) to the client. Note that for each domain, all subdomains will be resolved as well. E.g., if you pass in 'mydomain.local', subdomains such as 'hello.world.mydomain.local' and 'example.mydomain.local' will also be forwarded to through the VPN server. -

    -
  • -
  • -

    - - vpn_subnet - - The subnet IP and mask vpn clients will be assigned addresses from. For example, 172.16.1.0 255.255.255.0. This is a non-routed network that only exists between the VPN server and the client. Therefore, it should NOT overlap with VPC addressing, or the client won't be able to access any of the VPC IPs. In general, we recommend using internal, non-RFC 1918 IP addresses, such as 172.16.xx.yy. -

    -
  • -
-
- - - + + + + +* [**`alarms_sns_topic_arn`**](#alarms_sns_topic_arn) — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. + + + +* [**`allow_manage_key_permissions_with_iam`**](#allow_manage_key_permissions_with_iam) — If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient. + + + +* [**`allow_ssh_from_cidr_list`**](#allow_ssh_from_cidr_list) — The IP address ranges in CIDR format from which to allow incoming SSH requests to the OpenVPN server. + + + +* [**`allow_ssh_from_security_group_ids`**](#allow_ssh_from_security_group_ids) — The IDs of security groups from which to allow incoming SSH requests to the OpenVPN server. + + + +* [**`allow_vpn_from_cidr_list`**](#allow_vpn_from_cidr_list) — A list of IP address ranges in CIDR format from which VPN access will be permitted. Attempts to access the OpenVPN Server from all other IP addresses will be blocked. + + + +* [**`ami`**](#ami) — The AMI to run on the OpenVPN Server. This should be built from the Packer template under openvpn-server.json. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if looking up the ami with filters. + + + +* [**`ami_filters`**](#ami_filters) — Properties on the AMI that can be used to lookup a prebuilt AMI for use with the OpenVPN server. You can build the AMI using the Packer template openvpn-server.json. Only used if var.ami is null. One of var.ami or [`ami_filters`](#ami_filters) is required. Set to null if passing the ami ID directly. + + + +* [**`backup_bucket_name`**](#backup_bucket_name) — The name of the S3 bucket that will be used to backup PKI secrets. This is a required variable because bucket names must be globally unique across all AWS customers. 
+ + + +* [**`base_domain_name`**](#base_domain_name) — The base domain name to use for the OpenVPN server. Used to lookup the Hosted Zone ID to use for creating the Route 53 domain entry. Only used if [`create_route53_entry`](#create_route53_entry) is true. + + + +* [**`base_domain_name_tags`**](#base_domain_name_tags) — Tags to use to filter the Route 53 Hosted Zones that might match [`domain_name`](#domain_name). + + + +* [**`ca_cert_fields`**](#ca_cert_fields) — An object with fields for the country, state, locality, organization, organizational unit, and email address to use with the OpenVPN CA certificate. + + + +* [**`cloud_init_parts`**](#cloud_init_parts) — Cloud init scripts to run on the OpenVPN server while it boots. See the part blocks in [`https://www.terraform.io/docs/providers/template/d/cloudinit_config`](#https://www.terraform.io/docs/providers/template/d/cloudinit_config).html for syntax. + + + +* [**`cmk_administrator_iam_arns`**](#cmk_administrator_iam_arns) — A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and [`kms_key_arn`](#kms_key_arn) is null, the ARN of the current user will be used. + + + +* [**`cmk_external_user_iam_arns`**](#cmk_external_user_iam_arns) — A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root). + + + +* [**`cmk_user_iam_arns`**](#cmk_user_iam_arns) — A list of IAM ARNs for users who should be given permissions to use this KMS Master Key (e.g. arn:aws:iam::1234567890:user/foo). + + + +* [**`create_route53_entry`**](#create_route53_entry) — Set to true to add [`domain_name`](#domain_name) as a Route 53 DNS A record for the OpenVPN server + + + +* [**`default_user`**](#default_user) — The default OS user for the OpenVPN AMI. 
For AWS Ubuntu AMIs, which is what the Packer template in openvpn-server.json uses, the default OS user is 'ubuntu'. + + + +* [**`domain_name`**](#domain_name) — The domain name to use for the OpenVPN server. Only used if [`create_route53_entry`](#create_route53_entry) is true. If null, set to [`<NAME>.<BASE_DOMAIN_NAME`](#<NAME>.<BASE_DOMAIN_NAME)>. + + + +* [**`enable_cloudwatch_alarms`**](#enable_cloudwatch_alarms) — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using [`alarms_sns_topic_arn`](#alarms_sns_topic_arn). + + + +* [**`enable_cloudwatch_log_aggregation`**](#enable_cloudwatch_log_aggregation) — Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch. + + + +* [**`enable_cloudwatch_metrics`**](#enable_cloudwatch_metrics) — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your OpenVPN server. + + + +* [**`enable_fail2ban`**](#enable_fail2ban) — Enable fail2ban to block brute force log in attempts. Defaults to true. + + + +* [**`enable_ip_lockdown`**](#enable_ip_lockdown) — Enable ip-lockdown to block access to the instance metadata. Defaults to true. + + + +* [**`enable_ssh_grunt`**](#enable_ssh_grunt) — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups. + + + +* [**`external_account_arns`**](#external_account_arns) — The ARNs of external AWS accounts where your IAM users are defined. 
This module will create IAM roles that users in those accounts will be able to assume to get access to the request/revocation SQS queues. + + + +* [**`external_account_ssh_grunt_role_arn`**](#external_account_ssh_grunt_role_arn) — Since our IAM users are defined in a separate AWS account, this variable is used to specify the ARN of an IAM role that allows ssh-grunt to retrieve IAM group and public SSH key info from that account. + + + +* [**`force_destroy`**](#force_destroy) — When a terraform destroy is run, should the backup s3 bucket be destroyed even if it contains files. Should only be set to true for testing/development + + + +* [**`hosted_zone_id`**](#hosted_zone_id) — The ID of the Route 53 Hosted Zone in which the domain should be created. Only used if [`create_route53_entry`](#create_route53_entry) is true. If null, lookup the hosted zone ID using the [`base_domain_name`](#base_domain_name). + + + +* [**`instance_type`**](#instance_type) — The type of instance to run for the OpenVPN Server + + + +* [**`keypair_name`**](#keypair_name) — The name of a Key Pair that can be used to SSH to this instance. Leave blank if you don't want to enable Key Pair auth. + + + +* [**`kms_key_arn`**](#kms_key_arn) — The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK) that will be used to encrypt/decrypt backup files. If null, a key will be created with permissions assigned by the following variables: [`cmk_administrator_iam_arns`](#cmk_administrator_iam_arns), [`cmk_user_iam_arns`](#cmk_user_iam_arns), [`cmk_external_user_iam_arns`](#cmk_external_user_iam_arns), [`allow_manage_key_permissions`](#allow_manage_key_permissions). + + + +* [**`name`**](#name) — The name of the OpenVPN Server and the other resources created by these templates + + + +* [**`request_queue_name`**](#request_queue_name) — The name of the sqs queue that will be used to receive new certificate requests. 
+ + + +* [**`revocation_queue_name`**](#revocation_queue_name) — The name of the sqs queue that will be used to receive certification revocation requests. Note that the queue name will be automatically prefixed with 'openvpn-requests-'. + + + +* [**`ssh_grunt_iam_group`**](#ssh_grunt_iam_group) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`ssh_grunt_iam_group_sudo`**](#ssh_grunt_iam_group_sudo) — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this OpenVPN server with sudo permissions. This value is only used if [`enable_ssh_grunt`](#enable_ssh_grunt)=true. + + + +* [**`subnet_ids`**](#subnet_ids) — The ids of the subnets where this server should be deployed. + + + +* [**`tenancy`**](#tenancy) — The tenancy of this server. Must be one of: default, dedicated, or host. + + + +* [**`vpc_id`**](#vpc_id) — The ID of the VPC in which to deploy the OpenVPN server. + + + +* [**`vpn_route_cidr_blocks`**](#vpn_route_cidr_blocks) — A list of CIDR ranges to be routed over the VPN. + + + +* [**`vpn_search_domains`**](#vpn_search_domains) — A list of domains to push down to the client to resolve over VPN. This will configure the OpenVPN server to pass through domains that should be resolved over the VPN connection (as opposed to the locally configured resolver) to the client. Note that for each domain, all subdomains will be resolved as well. E.g., if you pass in 'mydomain.local', subdomains such as 'hello.world.mydomain.local' and 'example.mydomain.local' will also be forwarded to through the VPN server. + + + +* [**`vpn_subnet`**](#vpn_subnet) — The subnet IP and mask vpn clients will be assigned addresses from. For example, 172.16.1.0 255.255.255.0. This is a non-routed network that only exists between the VPN server and the client. 
Therefore, it should NOT overlap with VPC addressing, or the client won't be able to access any of the VPC IPs. In general, we recommend using internal, non-RFC 1918 IP addresses, such as 172.16.xx.yy. + + + + + + +* [**`allow_certificate_requests_for_external_accounts_iam_role_arn`**](#allow_certificate_requests_for_external_accounts_iam_role_arn) — The ARN of the IAM role that can be assumed from external accounts to request certificates. + + + +* [**`allow_certificate_requests_for_external_accounts_iam_role_id`**](#allow_certificate_requests_for_external_accounts_iam_role_id) — The name of the IAM role that can be assumed from external accounts to request certificates. + + + +* [**`allow_certificate_revocations_for_external_accounts_iam_role_arn`**](#allow_certificate_revocations_for_external_accounts_iam_role_arn) — The ARN of the IAM role that can be assumed from external accounts to revoke certificates. + + + +* [**`allow_certificate_revocations_for_external_accounts_iam_role_id`**](#allow_certificate_revocations_for_external_accounts_iam_role_id) — The name of the IAM role that can be assumed from external accounts to revoke certificates. + + + +* [**`autoscaling_group_id`**](#autoscaling_group_id) — The AutoScaling Group ID of the OpenVPN server. + + + +* [**`backup_bucket_name`**](#backup_bucket_name) — The S3 bucket used for backing up the OpenVPN PKI. + + + +* [**`client_request_queue`**](#client_request_queue) — The SQS queue used by the openvpn-admin tool for certificate requests. + + + +* [**`client_revocation_queue`**](#client_revocation_queue) — The SQS queue used by the openvpn-admin tool for certificate revocations. + + + +* [**`elastic_ip`**](#elastic_ip) — The elastic IP address of the OpenVPN server. + + + +* [**`iam_role_id`**](#iam_role_id) — The ID of the IAM role used by the OpenVPN server. + + + +* [**`openvpn_admins_group_name`**](#openvpn_admins_group_name) — The name of the OpenVPN admins IAM group (to request and revoke certificates). 
+ + + +* [**`openvpn_users_group_name`**](#openvpn_users_group_name) — The name of the OpenVPN users IAM group (to request certificates). + + + +* [**`private_ip`**](#private_ip) — The private IP address of the OpenVPN server. + + + +* [**`public_ip`**](#public_ip) — The public IP address of the OpenVPN server. + + + +* [**`security_group_id`**](#security_group_id) — The security group ID of the OpenVPN server. + +
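Review bot: the `kms_key_arn` entry in this hunk links to `#allow_manage_key_permissions`, but no variable of that name exists in the list; the input defined above is `allow_manage_key_permissions_with_iam`, so the anchor is dead and the description should use `[`allow_manage_key_permissions_with_iam`](#allow_manage_key_permissions_with_iam)`. Two other auto-linked spans are broken the same way: in `domain_name` the placeholder became `[`<NAME>.<BASE_DOMAIN_NAME`](#<NAME>.<BASE_DOMAIN_NAME)>` with the closing `>` left outside the link, and should stay plain `<NAME>.<BASE_DOMAIN_NAME>`; in `cloud_init_parts` the Terraform docs URL was turned into an in-page anchor with `.html` split off after it, and should be a plain external link to https://www.terraform.io/docs/providers/template/d/cloudinit_config.html. Also, `backup_bucket_name` appears both as an input and as an output with the same `#backup_bucket_name` id, so the output link resolves to the input entry; outputs need a distinct anchor prefix for the navigation fix to work. Finally, `revocation_queue_name` says the name is prefixed with 'openvpn-requests-' while `request_queue_name` says nothing about a prefix; that reads like text copied from the request entry, so check the module for which queue actually gets which prefix before publishing.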
diff --git a/docs/reference/services/security/tls-scripts.md b/docs/reference/services/security/tls-scripts.md index bb2e9639b..9b28c18bc 100644 --- a/docs/reference/services/security/tls-scripts.md +++ b/docs/reference/services/security/tls-scripts.md @@ -10,19 +10,19 @@ Create TLS certificates, download CA certs for RDS, and generate JVM trust store ### Reference - -
    - -
-
- -
    - -
-
+ + + + + + + + + +
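Review bot: as shown, this hunk replaces 19 lines with 19 lines and none of the removed or added lines carries any visible content, so it appears to be whitespace-only churn in the tls-scripts Reference section; if that is all it does, drop it from a navigation-fix commit, or confirm that it changes the rendered output, so the diff stays reviewable.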