Terraform project for account bootstrapping on dxw's Dalmatian hosting platform

Terraform CI

This project creates and manages resources within an AWS account to bootstrap it for dxw's Dalmatian hosting platform.

Usage

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.3 |
| archive | >= 2.4.0 |
| aws | >= 5.11.0 |
| datadog | >= 3.46.0 |

Providers

| Name | Version |
|------|---------|
| archive | 2.6.0 |
| aws | 5.75.1 |
| aws.useast1 | 5.75.1 |
| datadog | >= 3.46.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| aws_tfvars_s3 | github.com/dxw/terraform-aws-tfvars-s3 | v0.2.6 |

Resources

| Name | Type |
|------|------|
| aws_athena_named_query.cloudtrail | resource |
| aws_athena_workgroup.cloudtrail | resource |
| aws_cloudtrail.cloudtrail | resource |
| aws_cloudwatch_log_group.cloudtrail | resource |
| aws_cloudwatch_log_group.cloudwatch_slack_alerts_lambda_log_group | resource |
| aws_cloudwatch_log_group.delete_default_resources_lambda_log_group | resource |
| aws_codestarconnections_connection.connections | resource |
| aws_glue_catalog_database.cloudtrail | resource |
| aws_glue_catalog_table.cloudtrail | resource |
| aws_iam_policy.cloudtrail_cloudwatch_logs | resource |
| aws_iam_policy.cloudwatch_slack_alerts_logs_lambda | resource |
| aws_iam_policy.custom | resource |
| aws_iam_policy.datadog_aws_integration | resource |
| aws_iam_policy.datadog_aws_integration_resource_collection | resource |
| aws_iam_policy.delete_default_resources_lambda | resource |
| aws_iam_policy.delete_default_resources_vpc_delete_lambda | resource |
| aws_iam_policy.ssm_dhmc | resource |
| aws_iam_role.cloudtrail_cloudwatch_logs | resource |
| aws_iam_role.cloudwatch_slack_alerts_lambda | resource |
| aws_iam_role.custom | resource |
| aws_iam_role.datadog_aws_integration | resource |
| aws_iam_role.delete_default_resources_lambda | resource |
| aws_iam_role.ssm_dhmc | resource |
| aws_iam_role_policy_attachment.cloudtrail_cloudwatch_logs | resource |
| aws_iam_role_policy_attachment.cloudwatch_slack_alerts_logs_lambda | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.datadog_aws_integration | resource |
| aws_iam_role_policy_attachment.datadog_aws_integration_resource_collection | resource |
| aws_iam_role_policy_attachment.datadog_aws_integration_security_audit | resource |
| aws_iam_role_policy_attachment.delete_default_resources_lambda | resource |
| aws_iam_role_policy_attachment.delete_default_resources_vpc_delete_lambda | resource |
| aws_iam_role_policy_attachment.ssm_dhmc | resource |
| aws_kms_alias.athena_cloudtrail_output | resource |
| aws_kms_alias.cloudtrail_cloudwatch_logs | resource |
| aws_kms_alias.cloudwatch_opsgenie_alerts_sns | resource |
| aws_kms_alias.cloudwatch_opsgenie_alerts_sns_us_east_1 | resource |
| aws_kms_alias.cloudwatch_slack_alerts | resource |
| aws_kms_alias.delete_default_resources_lambda | resource |
| aws_kms_key.athena_cloudtrail_output | resource |
| aws_kms_key.cloudtrail_cloudwatch_logs | resource |
| aws_kms_key.cloudwatch_opsgenie_alerts_sns | resource |
| aws_kms_key.cloudwatch_opsgenie_alerts_sns_us_east_1 | resource |
| aws_kms_key.cloudwatch_slack_alerts | resource |
| aws_kms_key.delete_default_resources_lambda | resource |
| aws_lambda_function.cloudwatch_slack_alerts | resource |
| aws_lambda_function.delete_default_resources | resource |
| aws_lambda_permission.cloudwatch_slack_alerts_sns | resource |
| aws_route53_zone.root | resource |
| aws_s3_bucket.athena_cloudtrail_output | resource |
| aws_s3_bucket.cloudtrail | resource |
| aws_s3_bucket.logs | resource |
| aws_s3_bucket_lifecycle_configuration.athena_cloudtrail_output | resource |
| aws_s3_bucket_lifecycle_configuration.cloudtrail | resource |
| aws_s3_bucket_lifecycle_configuration.logs | resource |
| aws_s3_bucket_logging.athena_cloudtrail_output | resource |
| aws_s3_bucket_logging.cloudtrail | resource |
| aws_s3_bucket_policy.athena_cloudtrail_output | resource |
| aws_s3_bucket_policy.cloudtrail | resource |
| aws_s3_bucket_policy.logs | resource |
| aws_s3_bucket_public_access_block.athena_cloudtrail_output | resource |
| aws_s3_bucket_public_access_block.cloudtrail | resource |
| aws_s3_bucket_public_access_block.logs | resource |
| aws_s3_bucket_server_side_encryption_configuration.athena_cloudtrail_output | resource |
| aws_s3_bucket_server_side_encryption_configuration.cloudtrail | resource |
| aws_s3_bucket_server_side_encryption_configuration.logs | resource |
| aws_s3_bucket_versioning.athena_cloudtrail_output | resource |
| aws_s3_bucket_versioning.cloudtrail | resource |
| aws_s3_bucket_versioning.logs | resource |
| aws_sns_topic.cloudwatch_opsgenie_alerts | resource |
| aws_sns_topic.cloudwatch_opsgenie_alerts_us_east_1 | resource |
| aws_sns_topic.cloudwatch_slack_alerts | resource |
| aws_sns_topic_policy.sns_cloudwatch_opsgenie_alerts | resource |
| aws_sns_topic_policy.sns_cloudwatch_opsgenie_alerts_us_east_1 | resource |
| aws_sns_topic_policy.sns_cloudwatch_slack_alerts | resource |
| aws_sns_topic_subscription.cloudwatch_opsgenie_alerts_subscription | resource |
| aws_sns_topic_subscription.cloudwatch_opsgenie_alerts_subscription_us_east_1 | resource |
| aws_sns_topic_subscription.cloudwatch_slack_alerts_lambda_subscription | resource |
| aws_ssm_service_setting.ssm_dhmc | resource |
| datadog_integration_aws.aws | resource |
| archive_file.cloudwatch_slack_alerts_lambda | data source |
| archive_file.delete_default_resources_lambda | data source |
| aws_caller_identity.current | data source |
| aws_regions.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | AWS region in which to launch resources | `string` | n/a | yes |
| cloudtrail_athena_glue_tables | Create the Glue database and tables for CloudTrail to be used with Athena | `bool` | n/a | yes |
| cloudtrail_athena_s3_output_kms_encryption | Use KMS encryption with the CloudTrail Athena output S3 bucket | `bool` | n/a | yes |
| cloudtrail_athena_s3_output_retention | CloudTrail Athena output bucket retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| cloudtrail_kms_encryption | Use KMS encryption with CloudTrail | `bool` | n/a | yes |
| cloudtrail_log_prefix | CloudTrail log prefix | `string` | n/a | yes |
| cloudtrail_log_retention | CloudTrail log retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| cloudtrail_s3_access_logs | Enable CloudTrail S3 bucket access logging | `bool` | n/a | yes |
| cloudwatch_opsgenie_alerts_sns_endpoint | The Opsgenie SNS endpoint. https://support.atlassian.com/opsgenie/docs/integrate-opsgenie-with-incoming-amazon-sns/ | `string` | n/a | yes |
| cloudwatch_opsgenie_alerts_sns_kms_encryption | Use KMS encryption with the Opsgenie Alerts SNS topic | `bool` | n/a | yes |
| cloudwatch_slack_alerts_channel | The Slack channel for CloudWatch alerts | `string` | n/a | yes |
| cloudwatch_slack_alerts_hook_url | The Slack webhook URL for CloudWatch alerts | `string` | n/a | yes |
| cloudwatch_slack_alerts_kms_encryption | Use KMS encryption with the Slack Alerts SNS topic and logs | `bool` | n/a | yes |
| cloudwatch_slack_alerts_log_retention | CloudWatch Slack Alerts log retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| codestar_connections | CodeStar connections to create | `map(object({ provider_type = string }))` | n/a | yes |
| custom_iam_roles | Configure custom IAM roles/policies | `map(object({ description = string, policies = map(object({ description = string, policy = string })), assume_role_policy = string }))` | n/a | yes |
| datadog_api_key | Datadog API key | `string` | n/a | yes |
| datadog_app_key | Datadog App key | `string` | n/a | yes |
| datadog_region | Datadog region | `string` | n/a | yes |
| delete_default_resources_lambda_kms_encryption | Conditionally encrypt the Delete Default Resources Lambda logs with KMS | `bool` | n/a | yes |
| delete_default_resources_log_retention | Log retention in days for the Delete Default Resources Lambda | `number` | n/a | yes |
| enable_cloudtrail | Enable CloudTrail | `bool` | n/a | yes |
| enable_cloudwatch_opsgenie_alerts | Enable CloudWatch Opsgenie alerts. This creates an SNS topic to which alerts and pipelines can send messages, which are then sent to the Opsgenie SNS endpoint. | `bool` | n/a | yes |
| enable_cloudwatch_slack_alerts | Enable CloudWatch Slack alerts. This creates an SNS topic to which alerts and pipelines can send messages, which are then picked up by a Lambda function that forwards them to a Slack webhook. | `bool` | n/a | yes |
| enable_datadog_aws_integration | Conditionally create the Datadog AWS integration role (https://docs.datadoghq.com/integrations/guide/aws-terraform-setup/) and configure the Datadog integration | `bool` | n/a | yes |
| enable_delete_default_resources | Creates a Lambda function which deletes all default VPCs and the resources within them. The function only needs to be run once, either through the AWS console or via the AWS CLI. | `bool` | n/a | yes |
| enable_route53_root_hosted_zone | Conditionally create a Route53 hosted zone, which will contain the DNS records for resources launched within the account. | `bool` | n/a | yes |
| enable_s3_tfvars | Enable the tfvars S3 bucket (created by the `aws_tfvars_s3` module) | `bool` | n/a | yes |
| enable_ssm_dhmc | Enables SSM Default Host Management Configuration | `bool` | n/a | yes |
| logging_bucket_retention | Logging bucket retention in days. Set to 0 to keep all logs. | `number` | n/a | yes |
| project_name | Project name to be used as a prefix for all resources | `string` | n/a | yes |
| route53_root_hosted_zone_domain_name | Route53 root hosted zone domain name | `string` | n/a | yes |
| tfvars_s3_enable_s3_bucket_logging | Enable S3 bucket logging on the tfvars S3 bucket | `bool` | `true` | no |
| tfvars_s3_logging_bucket_retention | tfvars S3 logging bucket retention in days. Set to 0 to keep all logs. | `number` | `30` | no |
| tfvars_s3_tfvars_files | Map of objects containing tfvar file paths | `map(object({ path = string, key = optional(string, "") }))` | `{}` | no |
| tfvars_s3_tfvars_restrict_access_user_ids | List of AWS User IDs that require access to the tfvars S3 bucket. If left empty, all users within the AWS account will have access | `list(string)` | `[]` | no |
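The inputs above are easiest to read as a complete variable file. The following `terraform.tfvars` is an added example written for this README, not a file from dxw's project: every value (region, project name, account ID, bucket ARN, user ID, ExternalId) is a placeholder, and the shape of each value follows the types in the Inputs table. It leaves the three secrets (`datadog_api_key`, `datadog_app_key`, `cloudwatch_slack_alerts_hook_url`) out of the committed file on purpose, and shows one `custom_iam_roles` entry with a trust policy scoped to a single account plus an `sts:ExternalId` condition, which is what stops a confused-deputy pivot through the trusted account.

```hcl
# terraform.tfvars (added example with placeholder values; not dxw's configuration).
# Secrets are not set here: export TF_VAR_datadog_api_key, TF_VAR_datadog_app_key
# and TF_VAR_cloudwatch_slack_alerts_hook_url in the shell that runs terraform,
# or keep them in a -var-file that is excluded from version control.

aws_region   = "eu-west-2" # placeholder
project_name = "acme"      # placeholder; used as the prefix for every resource

# Audit trail: enabled, KMS-encrypted, with access logging on the trail bucket
enable_cloudtrail                          = true
cloudtrail_kms_encryption                  = true
cloudtrail_s3_access_logs                  = true
cloudtrail_log_prefix                      = "cloudtrail"
cloudtrail_log_retention                   = 365 # days; 0 keeps all logs
cloudtrail_athena_glue_tables              = true
cloudtrail_athena_s3_output_kms_encryption = true
cloudtrail_athena_s3_output_retention      = 30
logging_bucket_retention                   = 365

# Alerting: Slack on, Opsgenie off (the endpoint variable is still required)
enable_cloudwatch_opsgenie_alerts             = false
cloudwatch_opsgenie_alerts_sns_endpoint       = ""
cloudwatch_opsgenie_alerts_sns_kms_encryption = true
enable_cloudwatch_slack_alerts                = true
cloudwatch_slack_alerts_channel               = "#aws-alerts" # placeholder
cloudwatch_slack_alerts_kms_encryption        = true
cloudwatch_slack_alerts_log_retention         = 30

# Datadog integration (API/App keys arrive via TF_VAR_* environment variables)
enable_datadog_aws_integration = true
datadog_region                 = "eu" # placeholder; use the value your Datadog site expects

# Account hygiene
enable_delete_default_resources                = true # invoke the Lambda once after apply
delete_default_resources_lambda_kms_encryption = true
delete_default_resources_log_retention         = 30
enable_ssm_dhmc                                = true
enable_route53_root_hosted_zone                = true
route53_root_hosted_zone_domain_name           = "acme.example" # placeholder

# CodeStar connection for pipelines; the handshake is completed in the AWS console
codestar_connections = {
  github = { provider_type = "GitHub" }
}

# tfvars bucket, readable only by the listed IAM user IDs (placeholder ID)
enable_s3_tfvars                          = true
tfvars_s3_tfvars_restrict_access_user_ids = ["AIDAEXAMPLEUSERID0001"]
tfvars_s3_tfvars_files = {
  bootstrap = { path = "./terraform.tfvars" } # key is optional
}

# A least-privilege read-only role for an external auditor account (placeholder
# account ID and bucket ARN). The ExternalId condition means the trusted account
# cannot be tricked by a third party into assuming this role on their behalf.
custom_iam_roles = {
  auditor-readonly = {
    description = "Read-only access to CloudTrail logs for the auditor account"
    assume_role_policy = <<-EOT
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
          "Action": "sts:AssumeRole",
          "Condition": { "StringEquals": { "sts:ExternalId": "replace-with-a-long-random-value" } }
        }]
      }
    EOT
    policies = {
      cloudtrail-read = {
        description = "List and read objects in the CloudTrail bucket"
        policy      = <<-EOT
          {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": ["s3:GetObject", "s3:ListBucket"],
              "Resource": [
                "arn:aws:s3:::acme-cloudtrail",
                "arn:aws:s3:::acme-cloudtrail/*"
              ]
            }]
          }
        EOT
      }
    }
  }
}
```

Because `.tfvars` files accept only literal expressions, the IAM documents are written as heredoc strings rather than `jsonencode(...)`; run `terraform validate` after editing them, since a malformed policy string is only rejected at apply time by IAM. Treat the tfvars bucket's `restrict_access_user_ids` as the control that matters when a tfvars file is uploaded with `tfvars_s3_tfvars_files`: the file contains the account's alerting and role configuration, so leaving the list empty grants every principal in the account read access to it.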

Outputs

| Name | Description |
|------|-------------|
| resource_map | Simplified map of resources and their dependencies, associations and attachments |