terraform-aws-mcaf-landing-zone

Terraform module to setup and manage various components of the SBP AWS Landing Zone.

Overview of Landing Zone tools & services:

The SBP AWS Landing Zone consists of 3 repositories:

• MCAF Landing Zone module (current repository): the foundation of the Landing Zone and manages the 3 core accounts: audit, logging, management
• MCAF Account Vending Machine (AVM) module: providing an AWS AVM. This module sets up an AWS account with one or more Terraform Cloud/Enterprise (TFE) workspace(s) backed by a VCS project
• MCAF Account Baseline module: optional module providing baseline configuration for AWS accounts

Pre-Requisites

Important

Before deploying this module, ensure the following pre-requisites are met:

• AWS Control Tower is deployed in the core-management account.
• AWS Control Tower governed regions include at least us-east-1 (and your designated home region).

Basic configuration

Refer to examples/basic for an example of minimal setup.

Specifying the correct regions

Home Region

The mandatory regions.home_region variable specifies the AWS Control Tower home region. This must match the region defined in your AWS provider that deploys this module.

To find your home region:

1. Log in to the core-management account.
2. Navigate to AWS Control Tower → Landing Zone Settings.
3. The home region is listed under Home Region.

Linked Regions

The optional regions.linked_regions variable defines the AWS Control Tower governed regions. This module ensures proper configuration of AWS Security Hub and AWS Config for all specified linked regions to collect data from them.

To find your linked regions:

1. Log in to the core-management account.
2. Navigate to AWS Control Tower → Landing Zone Settings.
3. Linked regions are listed under Landing Zone Regions.

Note: By default, us-east-1 is included as a linked region to ensure data collection from global services. To restrict deployment of non-global resources in this region, use the allowed_regions functionality described in the section below.

Important

All specified linked regions need to be an AWS Control Tower governed region. This ensures that an AWS Config recorder is enabled by AWS Control Tower in all governed regions. AWS Security Hub will only function correctly if an AWS Config recorder exists in all linked regions.

Allowed Regions

The optional regions.allowed_regions variable defines the allowed regions within your AWS Organization. This triggers the deployment of a Service Control Policy (SCP), which is attached to the root of your AWS Organization.

Configuration Scenarios

Scenario 1: Home region only (no deployment in other regions)

• Home region: eu-central-1
• Requirement: Prevent deployment in all other regions.

You need to configure the regions variable as follows:

regions = {
  allowed_regions = ["eu-central-1"]
  home_region     = "eu-central-1"
}

Note: Ensure that us-east-1 is included as a governed region in AWS Control Tower since the linked_region variable defaults to this value.

Scenario 2: Home region with additional governed regions

• Home region: eu-central-1
• Requirement: Also allow deploying resources in eu-west-1.

You need to configure the regions variable as follows:

regions = {
  allowed_regions = ["eu-central-1", "eu-west-1]
  home_region     = "eu-central-1"
  linked_regions = ["eu-west-1", "us-east-1"]
}

Detailed configuration

AWS SES Root Accounts mail forwarder

Setting the ses_root_accounts_mail_forward variable creates the necessary AWS Simple Email Service (SES) resources to accept mail sent to an AWS hosted domain and forward it to an external recipient or recipients. This can be used to enable secure mailboxes/IT service catalog aliases for all root accounts. Emails are received via AWS SES and forwarded to an email forwarder lambda which sends the email to the destination email server as specified in the recipient_mapping variable of ses_root_accounts_mail_forward.

Before setting the ses_root_accounts_mail_forward variable, make sure that an AWS Route53 hosted zone is created. For example aws.yourcompany.com. Pass this domain using the domain variable of ses_root_accounts_mail_forward.

Example:

ses_root_accounts_mail_forward = {
  domain     = "aws.yourcompany.com"
  from_email = "root@aws.yourcompany.com"

  recipient_mapping = {
    "root@aws.yourcompany.com" = [
      "inbox@yourcompany.com"
    ]
  }
}

By default, you have to create the email addresses for the accounts created using the MCAF Account Vending Machine (AVM) module yourself. Using this functionality you can pass aliases of the mailbox created. E.g. root+<account-name>@aws.yourcompany.com.

AWS CloudTrail

By default, all CloudTrail logs will be stored in a S3 bucket in the logging account of your AWS Organization. However, this module also supports creating an additional CloudTrail configuration to publish logs to any S3 bucket chosen by you. This trail will be set at the Organization level, meaning that logs from all accounts will be published to the provided bucket.

NOTE: Before enabling this feature, make sure that the bucket policy authorizing CloudTrail to deliver logs is in place and that you have enabled trusted access between AWS Organizations and CloudTrail. If these two steps are not in place, Terraform will fail to create the trail.

Example:

additional_auditing_trail = {
  name   = "additional_auditing_trail"
  bucket = "bucket_name"
}

AWS Config Rules

This module provisions by default a set of basic AWS Config Rules. In order to add extra rules, a list of rule identifiers can be passed via the variable aws_config.rule_identifiers.

If you would like to authorize other accounts to aggregate AWS Config data, the account IDs can also be passed via the variable aws_config.aggregator_account_ids.

NOTE: This module already authorizes the audit account to aggregate Config data from all other accounts in the organization, so there is no need to specify the audit account ID in the aggregator_account_ids list.

Example:

aws_config = {
  aggregator_account_ids = ["123456789012"]
  rule_identifiers       = ["ACCESS_KEYS_ROTATED", "ALB_WAF_ENABLED"]
}

AWS GuardDuty

This module supports enabling GuardDuty at the organization level which means that all new accounts that are created in, or added to, the organization are added as member accounts to the audit account GuardDuty detector.

The feature can be controlled via the aws_guardduty variable and is enabled by default.

Note: In case you are migrating an existing AWS organization to this module, all existing accounts except for the management and logging accounts have to be enabled like explained here.

AWS KMS

The module creates 3 AWS KMS keys, one for the management account, one for the audit account, and one for the log archive account. We recommend to further scope down the AWS KMS key policy in the management account by providing a secure policy using kms_key_policy. The default policy "Base Permissions" can be overwritten and should be limited to the root account only, for example by using the statement below:

  statement {
    sid       = "Base Permissions"
    actions   = ["kms:*"]
    effect    = "Allow"
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalType"
      values   = ["Account"]
    }

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${data.aws_caller_identity.management.account_id}:root"
      ]
    }
  }

Note that you have to add additional policies allowing for example access to the pipeline user or role. Only applying this policy will result in a The new key policy will not allow you to update the key policy in the future exception.

AWS Security Hub

This module supports enabling Security Hub at an organization level, meaning all accounts that are created in or enrolled to the organization will be added as member accounts to the audit account Security Hub delegated administrator.

The feature can be controlled via the aws_security_hub variable and is enabled by default.

Note: by default auto-enable default standards has been turned off since the default standards are not updated regularly enough. At time of writing only the AWS Foundational Security Best Practices v1.0.0 standard and the CIS AWS Foundations Benchmark v1.2.0 standard are enabled by by default while this module enables the following standards:

• AWS Foundational Security Best Practices v1.0.0
• CIS AWS Foundations Benchmark v1.4.0
• PCI DSS v3.2.1

The enabling of the standards in all member account is controlled via mcaf-account-baseline.

AWS SSO

This module supports managing AWS SSO resources to control user access to all accounts belonging to the AWS Organization.

This feature can be controlled via the aws_sso_permission_sets variable by passing a map (key-value pair) where every key corresponds to an AWS SSO Permission Set name and the value follows the structure below:

• assignments: list of maps (key-value pair) of AWS Account IDs as keys and a list of AWS SSO Group names that should have access to the account using the permission set defined
• inline_policy: valid IAM policy in JSON format (maximum length of 10240 characters)
• managed_policy_arns: list of strings that contain the ARN's of the managed policies that should be attached to the permission set
• session_duration: length of time in the ISO-8601 standard

Example:

  aws_sso_permission_sets = {
    PlatformAdmin = {
      inline_policy    = file("${path.module}/template_files/sso/platform_admin.json")
      session_duration = "PT2H"

      managed_policy_arns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess"
      ]

      assignments = [
        {
          for account in [ 123456789012, 012456789012 ] : account => [
            okta_group.aws["AWSPlatformAdmins"].name
          ]
        },
        {
          for account in [ 925556789012 ] : account => [
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]
    }
    PlatformUser = {
      session_duration = "PT12H"

      managed_policy_arns = [
        "arn:aws:iam::aws:policy/ReadOnlyAccess",
        "arn:aws:iam::aws:policy/AWSSupportAccess"
      ]

      assignments = [
        {
          for account in [ 123456789012, 012456789012 ] : account => [
            okta_group.aws["AWSPlatformAdmins"].name,
            okta_group.aws["AWSPlatformUsers"].name
          ]
        }
      ]

      inline_policy = jsonencode(
        {
          Version = "2012-10-17",
          Statement = concat(
            [
              {
                Effect   = "Allow",
                Action   = "support:*",
                Resource = "*"
              }
            ],
            jsondecode(data.aws_iam_policy.lambda_readonly.policy).Statement
          )
        }
      )
    }
  }

Datadog Integration

This module supports an optional Datadog-AWS integration. This integration makes it easier for you to forward metrics and logs from your AWS account to Datadog.

In order to enable the integration, you can pass an object to the variable datadog containing the following attributes:

• api_key: sets the Datadog API key
• enable_integration: set to true to configure the Datadog AWS integration
• install_log_forwarder: set to true to install the Datadog Forwarder

In case you don't want to use the integration, you can configure the Datadog provider like in the example below:

provider "datadog" {
  validate = false
}

This should prevent the provider from asking you for a Datadog API Key and allow the module to be provisioned without the integration resources.

Monitoring IAM Activity

By default, this module monitors and notifies activities performed by the root user of all core accounts and AWS SSO Roles. All notifications will be sent to the SNS Topic LandingZone-IAMActivity in the audit account.

These are the type of events that will be monitored:

• Any activity made by the root user of the account.
• Any manual changes made by AWS SSO roles (read-only operations and console logins are not taken into account).

In case you would like to disable this functionality, you can set the variable monitor_iam_activity to false.

Organizations Policies: Service Control Policies (SCPs)

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. See this page for an introduction to SCPs and the value they add.

This module allows using various SCPs as described below. We try to adhere to best practices of not attaching SCPs to the root of the organization when possible; in the event you need to pass a list of OU names, be sure to have the exact name as the matching is case sensitive.

SCP: Deny ability to disable Security Hub

Enabling this SCP removes a member account's ability to disable Security Hub.

This is SCP is enabled by default, but can be disabled by setting aws_deny_disabling_security_hub attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_deny_disabling_security_hub = false
}

SCP: Deny ability to leave Organization

Enabling this SCP removes a member account's ability to leave the AWS organization.

This is SCP is enabled by default, but can be disabled by setting aws_deny_leaving_org attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_deny_leaving_org = false
}

SCP: Require the use of Instance Metadata Service Version 2

By default, all EC2s still allow access to the original metadata service, which means that if an attacker finds an EC2 running a proxy or WAF, or finds and SSRF vulnerability, they likely can steal the IAM role of the EC2. By enforcing IMDSv2, you can mitigate that risk. Be aware that this potentially could break some applications that have not yet been updated to work with the new IMDSv2.

This is SCP is enabled by default, but can be disabled by setting aws_require_imdsv2 attribute to false in aws_service_control_policies.

Example:

aws_service_control_policies = {
  aws_require_imdsv2 = false
}

SCP: Restricting AWS Regions

See the section Specifying the correct regions.

SCP: Restricting Root User Access

If you would like to restrict the root user's ability to log into accounts in an OU, you can pass a list of OU names to the aws_deny_root_user_ous attribute in aws_service_control_policies.

Example showing SCP applied to all OUs except the Root OU:

data "aws_organizations_organization" "default" {}

data "aws_organizations_organizational_units" "default" {
  parent_id = data.aws_organizations_organization.default.roots[0].id
}

module "landing_zone" {
  ...
  aws_service_control_policies {
    aws_deny_root_user_ous = [
      for ou in data.aws_organizations_organizational_units.default.children : ou.name if ou.name != "Root"
    ]
  }

AWS Principal exceptions

In case you would like to exempt specific IAM entities from the region restriction, leave the AWS organization and from the ability to disable Security Hub SCP's, you can pass a list of ARN patterns using the principal_exceptions attribute in aws_service_control_policies. This can be useful for roles used by AWS ControlTower, for example. Example:

aws_service_control_policies = {
  principal_exceptions = ["arn:aws:iam::*:role/RoleAllowedToBypassRestrictions"]
}

Organizations Policies: Tag Policies

Tag policies are a type of policy that can help you standardize tags across resources in your organization's accounts. In a tag policy, you specify tagging rules applicable to resources when they are tagged. See this page for an introduction to tag policies and the value they add.

To create a tag policy, set the aws_required_tags variable using a map of OU names and their tag policies. To enforce a tag for all services and resource types that support enforcement, set enforced_for to ["all"].

Please note the OU path key is case sensitive and tag policies will be created per tag key.

Example:

module "landing_zone" {
  ...

  aws_required_tags = {
    "Root/Environments/Production" = [
      {
        name         = "Tag1"
        values       = ["A", "B"]
        enforced_for = ["all"]
      }
    ]
    "Root/Environments/Non-Production" = [
      {
        name         = "Tag2"
        enforced_for = ["secretsmanager:*"]
      }
    ]
  }
}

SNS topic subscription

Topic Name	Variable	Content
aws-controltower-AggregateSecurityNotifications	aws_config_sns_subscription	Aggregated AWS Config notifications
LandingZone-SecurityHubFindings	aws_security_hub_sns_subscription	Aggregated Security Hub findings
LandingZone-IAMActivity	monitor_iam_activity_sns_subscription	IAM activity findings

Example for https protocol and specified webhook endpoint:

module "landing_zone" {
  ...

  aws_config_sns_subscription = {
    endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
    protocol = "https"
  }
}

Requirements

Name	Version
terraform	>= 1.6
aws	>= 5.54.0
datadog	> 3.0.0
mcaf	>= 0.4.2

Providers

Name	Version
aws	>= 5.54.0
aws.audit	>= 5.54.0
aws.logging	>= 5.54.0
mcaf	>= 0.4.2

Modules

Name	Source	Version
audit_manager_reports	schubergphilis/mcaf-s3/aws	~> 0.14.1
aws_config_s3	schubergphilis/mcaf-s3/aws	~> 0.14.1
aws_sso_permission_sets	./modules/permission-set	n/a
datadog_audit	schubergphilis/mcaf-datadog/aws	~> 0.8.5
datadog_logging	schubergphilis/mcaf-datadog/aws	~> 0.8.5
datadog_master	schubergphilis/mcaf-datadog/aws	~> 0.8.5
kms_key	schubergphilis/mcaf-kms/aws	~> 0.3.0
kms_key_audit	schubergphilis/mcaf-kms/aws	~> 0.3.0
kms_key_logging	schubergphilis/mcaf-kms/aws	~> 0.3.0
ses-root-accounts-mail-alias	schubergphilis/mcaf-ses/aws	~> 0.1.4
ses-root-accounts-mail-forward	schubergphilis/mcaf-ses-forwarder/aws	~> 0.3.0
tag_policy_assignment	./modules/tag-policy-assignment	n/a

Resources

Name	Type
aws_auditmanager_account_registration.default	resource
aws_cloudtrail.additional_auditing_trail	resource
aws_cloudwatch_event_rule.security_hub_findings	resource
aws_cloudwatch_event_target.security_hub_findings	resource
aws_cloudwatch_log_metric_filter.iam_activity_master	resource
aws_cloudwatch_metric_alarm.iam_activity_master	resource
aws_config_aggregate_authorization.audit	resource
aws_config_aggregate_authorization.logging	resource
aws_config_aggregate_authorization.master	resource
aws_config_aggregate_authorization.master_to_audit	resource
aws_config_configuration_aggregator.audit	resource
aws_config_configuration_recorder.default	resource
aws_config_configuration_recorder_status.default	resource
aws_config_delivery_channel.default	resource
aws_config_organization_managed_rule.default	resource
aws_ebs_encryption_by_default.audit	resource
aws_ebs_encryption_by_default.logging	resource
aws_ebs_encryption_by_default.master	resource
aws_guardduty_detector.audit	resource
aws_guardduty_organization_admin_account.audit	resource
aws_guardduty_organization_configuration.default	resource
aws_guardduty_organization_configuration_feature.ebs_malware_protection	resource
aws_guardduty_organization_configuration_feature.eks_audit_logs	resource
aws_guardduty_organization_configuration_feature.lambda_network_logs	resource
aws_guardduty_organization_configuration_feature.rds_login_events	resource
aws_guardduty_organization_configuration_feature.runtime_monitoring	resource
aws_guardduty_organization_configuration_feature.s3_data_events	resource
aws_iam_account_password_policy.audit	resource
aws_iam_account_password_policy.logging	resource
aws_iam_account_password_policy.master	resource
aws_iam_role.sns_feedback	resource
aws_iam_role_policy.sns_feedback_policy	resource
aws_iam_service_linked_role.config	resource
aws_inspector2_delegated_admin_account.default	resource
aws_inspector2_enabler.audit_account	resource
aws_inspector2_enabler.member_accounts	resource
aws_inspector2_member_association.default	resource
aws_inspector2_organization_configuration.default	resource
aws_organizations_policy.deny_root_user	resource
aws_organizations_policy.lz_root_policies	resource
aws_organizations_policy_attachment.deny_root_user	resource
aws_organizations_policy_attachment.lz_root_policies	resource
aws_s3_account_public_access_block.audit	resource
aws_s3_account_public_access_block.logging	resource
aws_s3_account_public_access_block.master	resource
aws_securityhub_account.default	resource
aws_securityhub_account.management	resource
aws_securityhub_configuration_policy.default	resource
aws_securityhub_configuration_policy_association.root	resource
aws_securityhub_finding_aggregator.default	resource
aws_securityhub_member.logging	resource
aws_securityhub_member.management	resource
aws_securityhub_organization_admin_account.default	resource
aws_securityhub_organization_configuration.default	resource
aws_sns_topic.iam_activity	resource
aws_sns_topic.security_hub_findings	resource
aws_sns_topic_policy.iam_activity	resource
aws_sns_topic_policy.security_hub_findings	resource
aws_sns_topic_subscription.aws_config	resource
aws_sns_topic_subscription.iam_activity	resource
aws_sns_topic_subscription.security_hub_findings	resource
aws_caller_identity.audit	data source
aws_caller_identity.logging	data source
aws_caller_identity.management	data source
aws_cloudwatch_log_group.cloudtrail_master	data source
aws_iam_policy_document.aws_config_s3	data source
aws_iam_policy_document.kms_key	data source
aws_iam_policy_document.kms_key_audit	data source
aws_iam_policy_document.kms_key_logging	data source
aws_iam_policy_document.sns_feedback	data source
aws_organizations_organization.default	data source
aws_organizations_organizational_units.default	data source
aws_region.current	data source
aws_sns_topic.all_config_notifications	data source
mcaf_aws_all_organizational_units.default	data source

Inputs

Name	Description	Type	Default	Required
control_tower_account_ids	Control Tower core account IDs	object({ audit = string logging = string })	n/a	yes
regions	Region configuration. See the README for more information on the configuration options.	object({ allowed_regions = list(string) home_region = string linked_regions = optional(list(string), ["us-east-1"]) })	n/a	yes
additional_auditing_trail	CloudTrail configuration for additional auditing trail	object({ name = string bucket = string kms_key_id = string event_selector = optional(object({ data_resource = optional(object({ type = string values = list(string) })) exclude_management_event_sources = optional(set(string), null) include_management_events = optional(bool, true) read_write_type = optional(string, "All") })) })	null	no
aws_account_password_policy	AWS account password policy parameters for the audit, logging and master account	object({ allow_users_to_change = bool max_age = number minimum_length = number require_lowercase_characters = bool require_numbers = bool require_symbols = bool require_uppercase_characters = bool reuse_prevention_history = number })	{ "allow_users_to_change": true, "max_age": 90, "minimum_length": 14, "require_lowercase_characters": true, "require_numbers": true, "require_symbols": true, "require_uppercase_characters": true, "reuse_prevention_history": 24 }	no
aws_auditmanager	AWS Audit Manager config settings	object({ enabled = bool reports_bucket_prefix = string })	{ "enabled": true, "reports_bucket_prefix": "audit-manager-reports" }	no
aws_config	AWS Config settings	object({ aggregator_account_ids = optional(list(string), []) delivery_channel_s3_bucket_name = optional(string, null) delivery_channel_s3_key_prefix = optional(string, null) delivery_frequency = optional(string, "TwentyFour_Hours") rule_identifiers = optional(list(string), []) })	{ "aggregator_account_ids": [], "delivery_channel_s3_bucket_name": null, "delivery_channel_s3_key_prefix": null, "delivery_frequency": "TwentyFour_Hours", "rule_identifiers": [] }	no
aws_config_sns_subscription	Subscription options for the aws-controltower-AggregateSecurityNotifications (AWS Config) SNS topic	map(object({ endpoint = string protocol = string }))	{}	no
aws_ebs_encryption_by_default	Set to true to enable AWS Elastic Block Store encryption by default	bool	true	no
aws_guardduty	AWS GuardDuty settings	object({ enabled = optional(bool, true) finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES") ebs_malware_protection_status = optional(bool, true) eks_audit_logs_status = optional(bool, true) lambda_network_logs_status = optional(bool, true) rds_login_events_status = optional(bool, true) s3_data_events_status = optional(bool, true) runtime_monitoring_status = optional(object({ enabled = optional(bool, true) eks_addon_management_status = optional(bool, true) ecs_fargate_agent_management_status = optional(bool, true) ec2_agent_management_status = optional(bool, true) }), {}) })	{}	no
aws_inspector	AWS Inspector settings, at least one of the scan options must be enabled	object({ enabled = optional(bool, false) enable_scan_ec2 = optional(bool, true) enable_scan_ecr = optional(bool, true) enable_scan_lambda = optional(bool, true) enable_scan_lambda_code = optional(bool, true) resource_create_timeout = optional(string, "15m") })	{ "enable_scan_ec2": true, "enable_scan_ecr": true, "enable_scan_lambda": true, "enable_scan_lambda_code": true, "enabled": false, "resource_create_timeout": "15m" }	no
aws_required_tags	AWS Required tags settings	map(list(object({ name = string values = optional(list(string)) enforced_for = optional(list(string)) })))	null	no
aws_security_hub	AWS Security Hub settings	object({ aggregator_linking_mode = optional(string, "SPECIFIED_REGIONS") auto_enable_controls = optional(bool, true) control_finding_generator = optional(string, "SECURITY_CONTROL") create_cis_metric_filters = optional(bool, true) disabled_control_identifiers = optional(list(string), null) enabled_control_identifiers = optional(list(string), null) product_arns = optional(list(string), []) standards_arns = optional(list(string), null) })	{}	no
aws_security_hub_sns_subscription	Subscription options for the LandingZone-SecurityHubFindings SNS topic	map(object({ endpoint = string protocol = string }))	{}	no
aws_service_control_policies	AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction	object({ aws_deny_disabling_security_hub = optional(bool, true) aws_deny_leaving_org = optional(bool, true) aws_deny_root_user_ous = optional(list(string), []) aws_require_imdsv2 = optional(bool, true) principal_exceptions = optional(list(string), []) })	{}	no
aws_sso_permission_sets	Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account	map(object({ assignments = list(map(list(string))) inline_policy = optional(string, null) managed_policy_arns = optional(list(string), []) session_duration = optional(string, "PT4H") }))	{}	no
datadog	Datadog integration options for the core accounts	object({ api_key = string cspm_resource_collection_enabled = optional(bool, false) enable_integration = bool extended_resource_collection_enabled = optional(bool, false) install_log_forwarder = optional(bool, false) log_collection_services = optional(list(string), []) log_forwarder_version = optional(string) metric_tag_filters = optional(map(string), {}) namespace_rules = optional(list(string), []) site_url = string })	null	no
datadog_excluded_regions	List of regions where metrics collection will be disabled.	list(string)	[]	no
kms_key_policy	A list of valid KMS key policy JSON documents	list(string)	[]	no
kms_key_policy_audit	A list of valid KMS key policy JSON document for use with audit KMS key	list(string)	[]	no
kms_key_policy_logging	A list of valid KMS key policy JSON document for use with logging KMS key	list(string)	[]	no
monitor_iam_activity	Whether IAM activity should be monitored	bool	true	no
monitor_iam_activity_sns_subscription	Subscription options for the LandingZone-IAMActivity SNS topic	map(object({ endpoint = string protocol = string }))	{}	no
path	Optional path for all IAM users, user groups, roles, and customer managed policies created by this module	string	"/"	no
ses_root_accounts_mail_forward	SES config to receive and forward root account emails	object({ domain = string from_email = string recipient_mapping = map(any) dmarc = object({ policy = optional(string) rua = optional(string) ruf = optional(string) }) })	null	no
tags	Map of tags	map(string)	{}	no

Outputs

Name	Description
aws_config_s3_bucket_arn	ARN of the AWS Config S3 bucket
kms_key_arn	ARN of KMS key for master account
kms_key_audit_arn	ARN of KMS key for audit account
kms_key_audit_id	ID of KMS key for audit account
kms_key_id	ID of KMS key for master account
kms_key_logging_arn	ARN of KMS key for logging account
kms_key_logging_id	ID of KMS key for logging account
monitor_iam_activity_sns_topic_arn	ARN of the SNS Topic in the Audit account for IAM activity monitoring notifications

License

Copyright: Schuberg Philis

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Using Pre-commit

To make local development easier, we have added a pre-commit configuration to the repo. to use it, follow these steps:

Install the following tools:

brew install tflint

Install pre-commit:

pip3 install pre-commit --upgrade

To run the pre-commit hooks to see if everything working as expected, (the first time run might take a few minutes):

pre-commit run -a

To install the pre-commit hooks to run before each commit:

pre-commit install