Name		Name	Last commit message	Last commit date
parent directory ..
README.md		README.md
logging.tf		logging.tf
main.tf		main.tf
outputs.tf		outputs.tf
policies.tf		policies.tf
ram-share.tf		ram-share.tf
resource-group.tf		resource-group.tf
variables.tf		variables.tf
versions.tf		versions.tf

README.md

lattice-service-network

This module creates following resources.

aws_vpclattice_service_network
aws_vpclattice_auth_policy (optional)
aws_vpclattice_resource_policy (optional)
aws_vpclattice_service_network_vpc_association (optional)
aws_vpclattice_service_network_service_association (optional)
aws_vpclattice_access_log_subscription (optional)

Requirements

Name	Version
terraform	>= 1.5
aws	>= 5.21

Providers

Name	Version
aws	5.22.0

Modules

Name	Source	Version
resource_group	tedilabs/misc/aws//modules/resource-group	~> 0.10.0
share	tedilabs/account/aws//modules/ram-share	~> 0.27.0

Resources

Name	Type
aws_vpclattice_access_log_subscription.cloudwatch	resource
aws_vpclattice_access_log_subscription.kinesis_data_firehose	resource
aws_vpclattice_access_log_subscription.s3	resource
aws_vpclattice_auth_policy.this	resource
aws_vpclattice_resource_policy.this	resource
aws_vpclattice_service_network.this	resource
aws_vpclattice_service_network_service_association.this	resource
aws_vpclattice_service_network_vpc_association.this	resource
aws_vpclattice_service_network.this	data source

Inputs

Name	Description	Type	Default	Required
name	(Required) The name of the service network. The name must be between 3 and 63 characters. You can use lowercase letters, numbers, and hyphens. The name must begin and end with a letter or number. Do not use consecutive hyphens.	`string`	n/a	yes
auth_policy	(Optional) The auth policy. Authorization decisions are made based on this policy, the service-level policy (if present), and IAM permissions attached to the client identity (if referencing IAM identities in this policy). The policy string in JSON must not contain newlines or blank lines.	`string`	`null`	no
auth_type	(Optional) The type of authentication and authorization that manages client access to the service network. Valid values are `AWS_IAM` or `NONE`. Defaults to `NONE`. `NONE` - The service network will not authenticate or authorize client access. If an auth policy is present, it is inactive. Resources within associated VPCs will have access to services in this network, unless service-level policies restrict access. `AWS_IAM` - Applies an IAM resource policy on the service network. This provides administrators the ability to enforce authentication and write fine-grained permissions for the services in the network.	`string`	`"NONE"`	no
description	(Optional) The description of the service network. This creates a tag with a key of `Description` and a value that you specify.	`string`	`"Managed by Terraform."`	no
logging_to_cloudwatch	(Optional) The configuration to enable access logs to be sent to Amazon CloudWatch Log Group. The service network owner can use the access logs to audit the services in the network. The service network owner will only see access logs from clients and services that are associated with their service network. Access log entries represent traffic originated from VPCs associated with that network. `logging_to_cloudwatch` as defined below. (Optional) `enabled` - Whether to enable access logs to be sent to Amazon CloudWatch Log Group. (Optional) `log_group` - The ARN (Amazon Resource Name) of the CloudWatch Log Group.	object({ enabled = optional(bool, false) log_group = optional(string, "") })	`{}`	no
logging_to_kinesis_data_firehose	(Optional) The configuration to enable access logs to be sent to Amazon Kinesis Data Firehose. The service network owner can use the access logs to audit the services in the network. The service network owner will only see access logs from clients and services that are associated with their service network. Access log entries represent traffic originated from VPCs associated with that network. `logging_to_kinesis_data_firehose` as defined below. (Optional) `enabled` - Whether to enable access logs to be sent to Amazon Kinesis Data Firehose. (Optional) `delivery_stream` - The ARN (Amazon Resource Name) of the Kinesis Data Firehose delivery stream.	object({ enabled = optional(bool, false) delivery_stream = optional(string, "") })	`{}`	no
logging_to_s3	(Optional) The configuration to enable access logs to be sent to Amazon S3 Bucket. The service network owner can use the access logs to audit the services in the network. The service network owner will only see access logs from clients and services that are associated with their service network. Access log entries represent traffic originated from VPCs associated with that network. `logging_to_s3` as defined below. (Optional) `enabled` - Whether to enable access logs to be sent to Amazon S3 Bucket. (Optional) `bucket` - The ARN (Amazon Resource Name) of the S3 Bucket.	object({ enabled = optional(bool, false) bucket = optional(string, "") })	`{}`	no
module_tags_enabled	(Optional) Whether to create AWS Resource Tags for the module informations.	`bool`	`true`	no
policy	(Optional) A resource-based permission policy for the service network. The policy must contain the same actions and condition statements as the Amazon Web Services Resource Access Manager permission for sharing services and service networks.	`string`	`null`	no
resource_group_description	(Optional) The description of Resource Group.	`string`	`"Managed by Terraform."`	no
resource_group_enabled	(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module.	`bool`	`true`	no
resource_group_name	(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`.	`string`	`""`	no
service_associations	(Optional) The configuration for the service associations with the service network. To facilitate network client access to your service, you will need to associate your service to the relevant service networks. Only service networks created in the same account, or that have been shared with you (by way of Resource Access Manager), are available for you to create associations with. Each block of `service_associations` as defined below. (Required) `name` - The name of the service association. (Required) `service` - The ID or ARN (Amazon Resource Name) of the service. (Optional) `tags` - A map of tags to add to the service association.	list(object({ name = string service = string tags = optional(map(string), {}) }))	`[]`	no
shares	(Optional) A list of resource shares via RAM (Resource Access Manager).	list(object({ name = optional(string) permissions = optional(set(string), ["AWSRAMPermissionVpcLatticeServiceNetworkReadWrite"]) external_principals_allowed = optional(bool, false) principals = optional(set(string), []) tags = optional(map(string), {}) }))	`[]`	no
tags	(Optional) A map of tags to add to all resources.	`map(string)`	`{}`	no
vpc_associations	(Optional) The configuration for VPC associations with the service network. It enables all the resources within that VPC to be clients and communicate with other services in the service network. Each block of `vpc_associations` as defined below. (Required) `vpc` - The ID of the VPC. (Optional) `security_groups` - A list of the IDs of the security groups. (Optional) `tags` - A map of tags to add to the vpc association.	list(object({ vpc = string security_groups = optional(set(string), []) tags = optional(map(string), {}) }))	`[]`	no

Outputs

Name	Description
arn	The ARN of the service network.
auth_type	The type of authentication and authorization that manages client access to the service network.
created_at	Date and time that the service network was created, specified in ISO-8601 format.
description	The description of the service network.
id	The ID of the service network.
logging	The configuration for access logs of the service network. Firehose Delivery Stream, Amazon S3 Bucket. `cloudwatch` - The configuration for access logs to be sent to Amazon CloudWatch Log Group. `kinesis_data_firehose` - The configuration for access logs to be sent to Amazon Kinesis Data Firehose Delivery Stream. `s3` - The configuration for access logs to be sent to Amazon S3 BUcket.
name	The name of the service network.
service_associations	The list of the service associations with the service network. `id` - The ID of the association. `arn` - The ARN of the Association. `status` - The operations status. Valid Values are `CREATE_IN_PROGRESS`, `ACTIVE`, `DELETE_IN_PROGRESS`, `CREATE_FAILED`, `DELETE_FAILED`. `created_by` - The principal that created the association. `service` - The ARN (Amazon Resource Name) of the service.
sharing	The configuration for sharing of the Lattice service network. `status` - An indication of whether the Lattice service network is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are `NOT_SHARED`, `SHARED_BY_ME` or `SHARED_WITH_ME`. `shares` - The list of resource shares via RAM (Resource Access Manager).
updated_at	Date and time that the service network was last updated, specified in ISO-8601 format.
vpc_associations	The list of VPC associations with the service network. `id` - The ID of the association. `arn` - The ARN of the Association. `status` - The operations status. Valid Values are `CREATE_IN_PROGRESS`, `ACTIVE`, `DELETE_IN_PROGRESS`, `CREATE_FAILED`, `DELETE_FAILED`. `created_by` - The principal that created the association. `vpc` - The ID of the VPC. `security_groups` - A list of the IDs of the security groups.