This project creates and manages resources within an AWS account for infrastructures on dxw's Dalmatian hosting platform.
| Name | Version |
|---|---|
| terraform | >= 1.6.5 |
| archive | >= 2.4.1 |
| aws | >= 5.30.0 |
| external | >= 2.3.2 |
| null | >= 3.2.2 |
| random | >= 3.6.0 |
| Name | Version |
|---|---|
| archive | 2.4.2 |
| aws | 5.47.0 |
| aws.awsroute53root | 5.47.0 |
| aws.useast1 | 5.47.0 |
| external | 2.3.3 |
| null | >= 3.2.2 |
| random | >= 3.6.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_profile_name_route53_root | AWS Profile name which is configured for the account in which the root Route53 Hosted Zone exists. | string |
n/a | yes |
| aws_region | AWS region in which to launch resources | string |
n/a | yes |
| custom_cloudformation_stacks | Map of CloudFormation stacks to deploy { stack-name = { s3_template_store_key: The filename of a CloudFormation template that is stored within the S3 bucket, created by the enable_cloudformatian_s3_template_storetemplate_body: (Optional - use of s3_template_store_key is preferred) The CloudFormation template body parameters: The CloudFormation template parameters ({ parameter-name = parameter-value, ... }) on_failure: What to do on failure, either 'DO_NOTHING', 'ROLLBACK' or 'DELETE' capabilities: A list of capabilities. Valid values: CAPABILITY_NAMED_IAM, CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND} } |
map(object({ |
n/a | yes |
| custom_route53_hosted_zones | Map of Route53 Hosted Zone configurations to create { example.com = { ns_records: Map of NS records to create ({ "domain.example.com" = { values = ["ns1.example.com", "ns2.example.com"], ttl = 300 }) a_records: Map of A records to create ({ "domain.example.com" = { values = ["1.2.3.4", "5.6.7.8"], ttl = 300 }) alias_records: Map of ALIAS records to create ({ "domain.example.com" = { value = "example.cloudfront.com", zone_id = "Z2FDTNDATAQYW2" }) cname_records: Map of CNAME records to create ({ "domain.example.com" = { values = ["external1.example.com", "external2.example.com"], ttl = 60 }) mx_records: Map of MX records to create ({ "example.com" = { values = ["1 mail.example.com", "5 mail2.example.com"], ttl = 60 }) txt_records: Map of TXT records to create ({ "example.com" = { values = ["v=spf1 include:spf.example.com -all"], ttl = 60 }) } } |
map(object({ |
n/a | yes |
| custom_s3_buckets | Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLS disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction." { bucket-name = { create_dedicated_kms_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts. transition_to_ia_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days transition_to_glacier_days: Conditionally transition objects to 'Glacier' storage in N days cloudfront_dedicated_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket. cloudfront_s3_root: Sets the S3 document root when being served from CloudFront. By default this will be '/'. If cloudfront_infrastructure_ecs_cluster_service_path has been set, this helps by modifying the request from /sub-directory-path to / by use of a CloudFront function.cloudfront_infrastructure_ecs_cluster_service: Conditionally create an Origin on a CloudFront distribution that is serving the given Infrastructure ECS Cluster Service name cloudfront_infrastructure_ecs_cluster_service_path: If cloudfront_infrastructure_ecs_cluster_service, set this to the path that objects will be served from.} } |
map(object({ |
n/a | yes |
| ecs_cluster_efs_directories | ECS cluster EFS directories to create | list(string) |
n/a | yes |
| ecs_cluster_efs_infrequent_access_transition | ECS cluser EFS IA transiton in days. Set to 0 to disable IA transition. | number |
n/a | yes |
| ecs_cluster_efs_performance_mode | ECS cluser EFS performance mode | string |
n/a | yes |
| ecs_cluster_efs_throughput_mode | ECS cluser EFS throughput mode | string |
n/a | yes |
| enable_cloudformatian_s3_template_store | Creates an S3 bucket to store custom CloudFormation templates, which can then be referenced in custom_cloudformation_stacks. A user with RW access to the bucket is also created. |
bool |
n/a | yes |
| enable_infrastructure_ecs_cluster | Enable creation of infrastructure ECS cluster, to place ECS services | bool |
n/a | yes |
| enable_infrastructure_ecs_cluster_efs | Conditionally create and mount EFS to the ECS cluster instances | bool |
n/a | yes |
| enable_infrastructure_ecs_cluster_services_alb_logs | Enable Infrastructure ECS cluster services ALB logs | bool |
n/a | yes |
| enable_infrastructure_route53_hosted_zone | Creates a Route53 hosted zone, where DNS records will be created for resources launched within this module. | bool |
n/a | yes |
| environment | The environment name to be used as part of the resource prefix | string |
n/a | yes |
| infrastructure_dockerhub_email | Dockerhub email | string |
n/a | yes |
| infrastructure_dockerhub_token | Dockerhub token which has permissions to pull images | string |
n/a | yes |
| infrastructure_dockerhub_username | Dockerhub username | string |
n/a | yes |
| infrastructure_ecs_cluster_ami_version | AMI version for ECS cluster instances (amzn2-ami-ecs-hvm-) | string |
n/a | yes |
| infrastructure_ecs_cluster_autoscaling_time_based_custom | List of objects with min/max sizes and cron expressions to scale the ECS cluster. Min size will be used as desired. | list( |
n/a | yes |
| infrastructure_ecs_cluster_autoscaling_time_based_max | List of cron expressions to scale the ECS cluster to the configured max size | list(string) |
n/a | yes |
| infrastructure_ecs_cluster_autoscaling_time_based_min | List of cron expressions to scale the ECS cluster to the configured min size | list(string) |
n/a | yes |
| infrastructure_ecs_cluster_draining_lambda_enabled | Enable the Lambda which ensures all containers have drained before terminating ECS cluster instances | bool |
n/a | yes |
| infrastructure_ecs_cluster_draining_lambda_log_retention | Log retention for the ECS cluster draining Lambda | number |
n/a | yes |
| infrastructure_ecs_cluster_ebs_docker_storage_volume_size | Size of EBS volume for Docker storage on the infrastructure ECS instances | number |
n/a | yes |
| infrastructure_ecs_cluster_ebs_docker_storage_volume_type | Type of EBS volume for Docker storage on the infrastructure ECS instances (eg. gp3) | string |
n/a | yes |
| infrastructure_ecs_cluster_instance_type | The instance type for EC2 instances launched in the ECS cluster | string |
n/a | yes |
| infrastructure_ecs_cluster_max_instance_lifetime | Maximum lifetime in seconds of an instance within the ECS cluster | number |
n/a | yes |
| infrastructure_ecs_cluster_max_size | Maximum number of instances for the ECS cluster | number |
n/a | yes |
| infrastructure_ecs_cluster_min_size | Minimum number of instances for the ECS cluster | number |
n/a | yes |
| infrastructure_ecs_cluster_publicly_avaialble | Conditionally launch the ECS cluster EC2 instances into the Public subnet | bool |
n/a | yes |
| infrastructure_ecs_cluster_service_defaults | Default values for ECS Cluster Services | object({ |
n/a | yes |
| infrastructure_ecs_cluster_services | Map of ECS Cluster Services (The key will be the service name). Values in here will override infrastructure_ecs_cluster_service_defaults values if set."{ service-name = { github_v1_source: Conditionally use GitHubV1 for the CodePipeline source (CodeStar will be used by default) github_v1_oauth_token: If github_v1_source is set to true, provide the GitHub OAuthToken herecodestar_connection_arn: The CodeStar Connection ARN to use in the CodePipeline source github_owner: The GitHub Owner of the repository to be pulled by the CodePipeline source github_repo: The GitHub repo name to be pulled by the CodePipeline source github_track_revision: The branch/revision of the GitHub repository to be pulled by the CodePipeline source buildspec: The filename of the buildspec to use for the CodePipeline build phase, stored within the 'codepipeline buildspec store' S3 bucket buildspec_from_github_repo: Conditionally use the 'buildspec' filename stored within the GitHub repo as the buildspec ecr_scan_target_sns_topic_arn: An SNS topic ARN to publish ECR scan results to deployment_type: The service deployment type - Can be one of 'rolling' or 'blue-green' enable_cloudwatch_logs: Conditionally enable cloudwatch logs for the service cloudwatch_logs_retention: CloudWatch log retention in days enable_execute_command: Enable Amazon ECS Exec to directly interact with containers deregistration_delay: Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused container_entrypoint: The container entrypoint container_port: The service container port container_volumes: List of maps containing volume mappings eg. [ { "name" = "my-volume", "host_path" = "/mnt/efs/my-dir", "container_path" = "/mnt/my-dir" } ] container_extra_hosts: List of maps containing extra hosts eg. [ { "hostname" = "my.host", "ip_address" = "10.1.2.3" } ] container_count: Number of containers to launch for the service container_heath_check_path: Destination for the health check request container_heath_grace_period: Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown enable_cloudfront: Enable cloadfront for the service cloudfront_access_logging_enabled: Enable access logging for the distribution to the infrastructure S3 logs bucket cloudfront_bypass_protection_enabled: This adds a secret header at the CloudFront level, which is then checked by the ALB listener rules. Requests are only forwarded if the header matches, preventing requests going directly to the ALB. cloudfront_bypass_protection_excluded_domains: A list of domains to exclude from the bypass protection cloudfront_origin_shield_enabled: Enable CloudFront Origin Shield cloudfront_managed_cache_policy: Conditionally specify a CloudFront Managed Cache Policy for the distribution cloudfront_managed_origin_request_policy: Conditionally specify a CloudFront Managed Origin Request Policy for the distribution cloudfront_managed_response_headers_policy: Conditionally specify a CloudFront Managed Response Headers Policy for the distribution } } |
map(object({ |
n/a | yes |
| infrastructure_ecs_cluster_services_alb_enable_global_accelerator | Enable Global Accelerator (GA) for the infrastructure ECS cluster services ALB. If cloudfront_bypass_protection_enabled is set for a service, any domain pointing towards the GA must be added to the cloudfront_bypass_protection_excluded_domains list. It is recommended that the GA only be used for apex domains that redirect to the domain associated with CloudFront. Ideally, apex domains would use an ALIAS record pointing towards the CloudFront distribution. |
bool |
n/a | yes |
| infrastructure_ecs_cluster_services_alb_ip_allow_list | IP allow list for ingress traffic to the infrastructure ECS cluster services ALB | list(string) |
n/a | yes |
| infrastructure_ecs_cluster_services_alb_logs_retention | Retention in days for the infrasrtucture ecs cluster ALB logs | number |
n/a | yes |
| infrastructure_ecs_cluster_termination_timeout | The timeout for the terminiation lifecycle hook | number |
n/a | yes |
| infrastructure_elasticache | Map of Elasticaches (The key will be the elasticache name). Values in here will override infrastructure_elasticache_defaults values if set."{ elasticache-name = { type: Choose either cluster or serverlessengine: ElastiCache engine (Only redis is currently supported)engine_version: ElastiCache Engine version (For serverless, Specify the major version only) parameters: Map of Parameters for the ElastiCache parameter group ({ parameter-name = parameter-value, ... }) cluster_node_type: ElastiCache Cluster node type cluster_node_count: ElastiCache Cluster node count serverless_max_storage: Serverless maximum storage serverless_max_ecpu: Serverless maximum number of ECPUs the cache can consume per second (1000 - 15000000) snapshot_retention_limit: Snapshot retention limit } } |
map(object({ |
n/a | yes |
| infrastructure_elasticache_defaults | Default values for ElastiCaches | object({ |
n/a | yes |
| infrastructure_kms_encryption | Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption. | bool |
n/a | yes |
| infrastructure_logging_bucket_retention | Retention in days for the infrasrtucture S3 logs. This is for the default S3 logs bucket, where all AWS service logs will be delivered | number |
n/a | yes |
| infrastructure_name | The infrastructure name to be used as part of the resource prefix | string |
n/a | yes |
| infrastructure_rds | Map of RDSs (The key will be the rds name). Values in here will override infrastructure_rds_defaults values if set."{ rds-name = { type: Choose either instance for RDS instance, or cluster for RDS Auroraengine: RDS engine (Either mysql or postgres)engine_version: RDS Engine version (Specify the major version only, to prevent terraform attempting to downgrade minor versions) parameters: Map of Parameters for the DB parameter group ({ parameter-name = parameter-value, ... }) instance_class: RDS instance class allocated_storage: RDS allocated storage storage_type: RDS storage type iops: RDS iops (When type is instance, this is only required for storage type of io1 or gp3 - When cluster, this must be a multiple between .5 and 50 of the storage amount for the DB cluster.)<br> storage_throughput: RDS storage throughput (Only required when storage_typeisgp3. Only applicable for typeofinstance)<br> multi_az: Enable Multi-AZ RDS (Not applicable for typeofcluster. For cluster - set storage_type, allocated_storage, iops and instance_class)monitoring_interval: The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. Valid Values: 0, 1, 5, 10, 15, 30, 60. cloudwatch_logs_export_types: List of log types to enable for exporting to CloudWatch Logs. See EnableCloudwatchLogsExports.member.N (https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) for valid values.cluster_instance_count: Number of instances to launch within the Aurora DB cluster cluster_serverlessv2_min_capacity: Minimum capacity for an Aurora DB cluster cluster_serverlessv2_max_capacity: Maximum capacity for an Aurora DB cluster } } |
map(object({ |
n/a | yes |
| infrastructure_rds_defaults | Default values for RDSs | object({ |
n/a | yes |
| infrastructure_vpc | Enable infrastructure VPC | bool |
n/a | yes |
| infrastructure_vpc_assign_generated_ipv6_cidr_block | Assign generated IPv6 CIDR block on infrastructure VPC | bool |
n/a | yes |
| infrastructure_vpc_cidr_block | Infrastructure VPC CIDR block | string |
n/a | yes |
| infrastructure_vpc_enable_dns_hostnames | Enable DNS hostnames on infrastructure VPC | bool |
n/a | yes |
| infrastructure_vpc_enable_dns_support | Enable DNS support on infrastructure VPC | bool |
n/a | yes |
| infrastructure_vpc_enable_network_address_usage_metrics | Enable network address usage metrics on infrastructure VPC | bool |
n/a | yes |
| infrastructure_vpc_flow_logs_cloudwatch_logs | Enable VPC logs on infrastructure VPC to CloudWatch Logs | bool |
n/a | yes |
| infrastructure_vpc_flow_logs_retention | VPC flow logs retention in days | number |
n/a | yes |
| infrastructure_vpc_flow_logs_s3_key_prefix | Flow Logs by default will go into the infrastructure S3 logs bucket. This is the key prefix used to isolate them from other logs | string |
n/a | yes |
| infrastructure_vpc_flow_logs_s3_with_athena | Enable VPC flow logs in infrastructure VPC to the S3 logs bucket. A compatible Glue table/database and Athena workgroup will also be created to allow querying the logs. | bool |
n/a | yes |
| infrastructure_vpc_flow_logs_traffic_type | Infrastructure VPC flow logs traffic type | string |
n/a | yes |
| infrastructure_vpc_instance_tenancy | Infrastructure VPC instance tenancy | string |
n/a | yes |
| infrastructure_vpc_network_acl_egress_custom_rules_private | Infrastructure vpc egress custom rules for the private subnets. These will be evaluated before any automatically added rules. | list(object({ |
n/a | yes |
| infrastructure_vpc_network_acl_egress_custom_rules_public | Infrastructure vpc egress custom rules for the public subnets. These will be evaluated before any automatically added rules. | list(object({ |
n/a | yes |
| infrastructure_vpc_network_acl_egress_lockdown_private | Creates a network ACL for the private subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool |
n/a | yes |
| infrastructure_vpc_network_acl_egress_lockdown_public | Creates a network ACL for the public subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool |
n/a | yes |
| infrastructure_vpc_network_acl_ingress_custom_rules_private | Infrastructure vpc ingress custom rules for the private subnets. These will be evaluated before any automatically added rules. | list(object({ |
n/a | yes |
| infrastructure_vpc_network_acl_ingress_custom_rules_public | Infrastructure vpc ingress custom rules for the public subnets. These will be evaluated before any automatically added rules. | list(object({ |
n/a | yes |
| infrastructure_vpc_network_acl_ingress_lockdown_private | Creates a network ACL for the private subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool |
n/a | yes |
| infrastructure_vpc_network_acl_ingress_lockdown_public | Creates a network ACL for the public subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool |
n/a | yes |
| infrastructure_vpc_network_availability_zones | A list of availability zone characters (eg. ["a", "b", "c"]) | list(string) |
n/a | yes |
| infrastructure_vpc_network_enable_private | Enable private networking on Infrastructure VPC. This will create subnets with a route to a NAT Gateway (If Public networking has been enabled) | bool |
n/a | yes |
| infrastructure_vpc_network_enable_public | Enable public networking on Infrastructure VPC. This will create subnets with a route to an Internet Gateway | bool |
n/a | yes |
| project_name | Project name to be used as a prefix for all resources | string |
n/a | yes |
| route53_root_hosted_zone_domain_name | Route53 Hosted Zone in which to delegate Infrastructure Route53 Hosted Zones. | string |
n/a | yes |
| Name | Description |
|---|---|
| resource_map | Simplified map of resources and their dependencies, associations and attachments |