The purpose of this module is to provision the baseline requirements for a landing zone environment, and to provide a pattern moving forward for pipeline access.
Add example usage here
## Provision the Landing Zone Access permissions

```hcl
module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network    = var.aws_accounts["network"]
    management = var.aws_accounts["management"]
  }

  repositories = {
    accelerator_repository_url  = var.landing_zone_repositories.accelerator_repository_url
    connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
    firewall_repository_url     = var.landing_zone_repositories.firewall_repository_url
    identity_repository_url     = var.landing_zone_repositories.identity_repository_url
  }

  tags = var.tags

  providers = {
    management = aws.management
    network    = aws.network
  }
}
```
This module can configure CIS alarms and notifications. To enable this functionality, set the `enable_cis_alarms` variable to `true`. The alarms use a CloudWatch log group, defaulting to the AWS Control Tower organizational trail. To receive email notifications for these events:

- Use the `notification_emails` variable to specify a list of email addresses to send notifications to.

```hcl
enable_cis_alarms   = true
notification_emails = ["security@example.com"]
```
For notifications to Slack:

- Create a JSON secret named `lza/cloudaccess/alarms` in AWS Secrets Manager with the following format:

```json
{
  "webhook_url": "https://hooks.slack.com/services/...",
  "channel": "cloud-notifications"
}
```

- Set `enable_slack_notifications` to `true` and use the `notification_secret_name` variable to specify the name of the secret in AWS Secrets Manager that contains the Slack webhook URL.

```hcl
enable_cis_alarms          = true
enable_slack_notifications = true
notification_secret_name   = "lza/cloudaccess/alarms"
```
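As an added example (not taken from the module's own README), the following assembles the pieces above end to end: the Secrets Manager secret in the JSON shape the module expects, populated from a `sensitive` Terraform variable so the webhook URL never has to be committed to source, and the module call wiring the CIS alarms to both email and Slack. The `slack_webhook_url` variable, the resource names, the `recovery_window_in_days` value and the assumption that the secret lives in the same account and region as the module's default `aws` provider are mine, not the module's.

```hcl
# Added example: wire CIS alarms to email and Slack.
# Assumption (not stated by the module docs): the module reads the secret
# from the account/region of the default "aws" provider.

variable "slack_webhook_url" {
  description = "Incoming webhook URL for the Slack channel (treat as a credential)"
  type        = string
  sensitive   = true # keeps the value out of plan output and CLI logs
}

# Secret in the exact JSON shape documented above: webhook_url + channel.
resource "aws_secretsmanager_secret" "alarms" {
  name        = "lza/cloudaccess/alarms"
  description = "Slack webhook used by the CIS alarm notifications"
  # Example value: pick a deletion recovery window that matches your policy.
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "alarms" {
  secret_id = aws_secretsmanager_secret.alarms.id
  secret_string = jsonencode({
    webhook_url = var.slack_webhook_url
    channel     = "cloud-notifications"
  })
}

module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network    = var.aws_accounts["network"]
    management = var.aws_accounts["management"]
  }

  repositories = {
    accelerator_repository_url  = var.landing_zone_repositories.accelerator_repository_url
    connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
    firewall_repository_url     = var.landing_zone_repositories.firewall_repository_url
    identity_repository_url     = var.landing_zone_repositories.identity_repository_url
  }

  tags = var.tags

  # Email and Slack notifications for the CIS alarms.
  enable_cis_alarms          = true
  notification_emails        = ["security@example.com"]
  enable_slack_notifications = true
  # Reference the resource instead of retyping the name so the two cannot drift.
  notification_secret_name = aws_secretsmanager_secret.alarms.name

  providers = {
    management = aws.management
    network    = aws.network
  }

  # Make sure the secret payload exists before the module tries to read it.
  depends_on = [aws_secretsmanager_secret_version.alarms]
}
```

Marking the variable `sensitive` redacts it from plan and apply output, but the value is still written to Terraform state, so the state backend needs the same access controls and encryption as the secret itself.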
The `terraform-docs` utility is used to generate this README. Follow the steps below to update it:

- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| aws | ~> 5.0 |
## Providers

| Name | Version |
|---|---|
| aws | 5.47.0 |
| aws.management | 5.47.0 |
| aws.network | 5.47.0 |
## Modules

| Name | Source | Version |
|---|---|---|
| alarm_baseline | appvia/alarm-baseline/aws | 0.1.6 |
| cost_management | appvia/oidc/aws//modules/role | 1.2.1 |
| default_boundary | appvia/boundary-stack/aws | 0.1.5 |
| management_landing_zone | appvia/oidc/aws//modules/role | 1.2.1 |
| management_sso_identity | appvia/oidc/aws//modules/role | 1.2.1 |
| network_inspection_vpc_admin | appvia/oidc/aws//modules/role | 1.2.1 |
| network_transit_gateway_admin | appvia/oidc/aws//modules/role | 1.2.1 |
| permissive_boundary | appvia/boundary-stack/aws | 0.1.5 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_accounts | Map of AWS account names to their account IDs | `object({...})` | n/a | yes |
| aws_support_role_name | Name of the AWS Support role | `string` | `"AWSSupportAccess"` | no |
| breakglass_users | The number of breakglass users to create | `number` | `2` | no |
| cloudaccess_terraform_state_ro_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role | `string` | `"lza-cloudaccess-tfstate-ro"` | no |
| cloudaccess_terraform_state_rw_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role | `string` | `"lza-cloudaccess-tfstate-rw"` | no |
| costs_boundary_name | Name of the IAM policy to use as a permissions boundary for cost-related roles | `string` | `"lza-costs-boundary"` | no |
| default_permissions_boundary_name | Name of the default IAM policy to use as a permissions boundary | `string` | `"lza-default-boundary"` | no |
| enable_aws_support | Indicates if we should enable the AWS Support role | `bool` | `true` | no |
| enable_breakglass | Indicates if we should enable breakglass users and group | `bool` | `false` | no |
| enable_cis_alarms | Indicates if we should enable CIS alerts | `bool` | `true` | no |
| enable_slack_notifications | Indicates if we should enable Slack notifications | `bool` | `false` | no |
| enable_teams_notifications | Indicates if we should enable Teams notifications | `bool` | `false` | no |
| notification_emails | List of email addresses to send notifications to | `list(string)` | `[]` | no |
| notification_secret_name | Name of the secret in AWS Secrets Manager that contains the secrets for notifications | `string` | `""` | no |
| permissive_permissions_boundary_name | Name of the permissive IAM policy to use as a permissions boundary | `string` | `"lza-permissive-boundary"` | no |
| repositories | List of repository locations for the pipelines | `object({...})` | `{}` | no |
| scm_name | Name of the source control management system (github or gitlab) | `string` | `"github"` | no |
| tags | Tags to apply to all resources | `map(string)` | n/a | yes |
## Outputs

| Name | Description |
|---|---|
| cloudaccess_terraform_state_ro_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role |
| cloudaccess_terraform_state_rw_policy_name | Name of the IAM policy to attach to the CloudAccess Terraform state role |
| default_permission_boundary_name | The name of the default permissions IAM boundary |
| default_permissive_boundary_name | The name of the default permissive IAM boundary |
| identity_role_ro_name | The name of the IAM read-only role which can be assumed by the identity stack in all accounts |
| identity_role_rw_name | The name of the IAM read-write role which can be assumed by the identity stack in all accounts |
| identity_stack_name | The name of the identity stack |