This module provisions the baseline requirements for a landing zone environment (permissions boundaries, pipeline roles, optional breakglass users, and CIS and Security Hub alarm notifications) and establishes a pattern for pipeline access going forward.
## Provision the Landing Zone Access permissions
```hcl
module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network    = var.aws_accounts["network"]
    management = var.aws_accounts["management"]
  }

  repositories = {
    accelerator_repository_url  = var.landing_zone_repositories.accelerator_repository_url
    connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
    firewall_repository_url     = var.landing_zone_repositories.firewall_repository_url
    identity_repository_url     = var.landing_zone_repositories.identity_repository_url
  }

  tags = var.tags

  providers = {
    management = aws.management
    network    = aws.network
  }
}
```
This module can also configure CIS alarms and notifications. To enable them, set the `enable_cis_alarms` variable to `true`. The alarms are built on a CloudWatch log group, which defaults to the log group of the AWS Control Tower organizational trail. To receive email notifications for these alarms, set the `email.addresses` list in the `notifications` variable (the Inputs table below lists `notifications` as the variable that carries notification destinations):

```hcl
enable_cis_alarms          = true
enable_email_notifications = true

notifications = {
  email = {
    addresses = ["security@example.com"]
  }
}
```
For Slack notifications, configure the `slack` block of the `notifications` variable instead:

```hcl
enable_email_notifications = true

notifications = {
  slack = {
    webhook_url = "https://hooks.slack.com/services/..."
    channel     = "cloud-notifications"
  }
}
```

The Slack webhook URL is a bearer credential: anyone who holds it can post to the channel. Supply it through a `sensitive` Terraform variable or a secrets store rather than committing it to the repository. Note also that `enable_email_notifications`, used in both snippets above, does not appear in the Inputs table below; `notifications` is the documented variable for configuring destinations, so check `variables.tf` before relying on that flag.
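The module call above selects providers by the aliases `aws.management` and `aws.network` without showing how those aliases are defined, and the notification snippets embed the Slack webhook as a literal. The following root-module configuration is an illustration added here, not code from the appvia/cloudaccess-lza/aws module or its README. It declares the aliased providers with `assume_role` into the accounts named in `aws_accounts`, and passes the webhook through a `sensitive` variable. The module input names and provider aliases are the ones used on this page; the region, the `terraform` role name in each account, the Slack-only `notifications` block, and the variable names `slack_webhook_url` and `landing_zone_repositories` are assumptions. The Providers table below also lists `aws.audit`; this example follows the module call above and passes only `management` and `network`.

```hcl
# Added example (not part of the appvia/cloudaccess-lza/aws module):
# a root module that defines the provider aliases the module call expects
# and passes the Slack webhook as a sensitive variable instead of a literal.
# Assumptions: region eu-west-2, an assumable role named "terraform" in each
# target account, and the variable names declared below.

terraform {
  required_version = ">= 1.1.4"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "aws_accounts" {
  description = "Map of AWS account names to their account IDs"
  type        = map(string)
}

variable "landing_zone_repositories" {
  description = "Repository URLs the pipeline roles are scoped to"
  type = object({
    accelerator_repository_url  = string
    connectivity_repository_url = string
    firewall_repository_url     = string
    identity_repository_url     = string
  })
}

variable "slack_webhook_url" {
  description = "Slack incoming webhook URL; set via TF_VAR_slack_webhook_url, never committed"
  type        = string
  sensitive   = true
}

variable "tags" {
  description = "Tags to apply to all resources"
  type        = map(string)
}

# Default (un-aliased) provider; the Providers table lists it alongside the aliases.
provider "aws" {
  region = "eu-west-2"
}

# Aliased providers: the module call selects them by name in its providers map.
# Assumption: a role named "terraform" exists in each account and trusts the caller.
provider "aws" {
  alias  = "management"
  region = "eu-west-2"

  assume_role {
    role_arn = "arn:aws:iam::${var.aws_accounts["management"]}:role/terraform"
  }
}

provider "aws" {
  alias  = "network"
  region = "eu-west-2"

  assume_role {
    role_arn = "arn:aws:iam::${var.aws_accounts["network"]}:role/terraform"
  }
}

module "landing_zone" {
  source  = "appvia/cloudaccess-lza/aws"
  version = "0.0.1"

  aws_accounts = {
    network    = var.aws_accounts["network"]
    management = var.aws_accounts["management"]
  }

  repositories = {
    accelerator_repository_url  = var.landing_zone_repositories.accelerator_repository_url
    connectivity_repository_url = var.landing_zone_repositories.connectivity_repository_url
    firewall_repository_url     = var.landing_zone_repositories.firewall_repository_url
    identity_repository_url     = var.landing_zone_repositories.identity_repository_url
  }

  enable_cis_alarms = true

  # The webhook value never appears in this file or in version control.
  notifications = {
    slack = {
      webhook_url = var.slack_webhook_url
      channel     = "cloud-notifications"
    }
  }

  tags = var.tags

  providers = {
    management = aws.management
    network    = aws.network
  }
}
```

Run it as `TF_VAR_slack_webhook_url='https://hooks.slack.com/services/...' terraform plan`. Marking the variable `sensitive` redacts it from plan and apply output, but Terraform still records the value in state, so the state backend must be access-controlled and encrypted; the `cloudaccess_terraform_state_ro_policy_name` and `cloudaccess_terraform_state_rw_policy_name` inputs below exist to scope that access.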
The `terraform-docs` utility is used to generate this README. Follow the steps below to update it:

- Make changes to the `.terraform-docs.yml` file
- Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
- Run:

```shell
terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.1.4 |
| archive | ~> 2.0 |
| aws | ~> 5.0 |
## Providers

| Name | Version |
|---|---|
| archive | 2.4.2 |
| aws | 5.50.0 |
| aws.audit | 5.50.0 |
| aws.management | 5.50.0 |
| aws.network | 5.50.0 |
## Modules

| Name | Source | Version |
|---|---|---|
| alarm_baseline | appvia/alarm-baseline/aws | 0.2.0 |
| cost_management | appvia/oidc/aws//modules/role | 1.3.0 |
| default_boundary | appvia/boundary-stack/aws | 0.1.6 |
| management_landing_zone | appvia/oidc/aws//modules/role | 1.3.0 |
| management_sso_identity | appvia/oidc/aws//modules/role | 1.3.0 |
| network_inspection_vpc_admin | appvia/oidc/aws//modules/role | 1.3.0 |
| network_transit_gateway_admin | appvia/oidc/aws//modules/role | 1.3.0 |
| permissive_boundary | appvia/boundary-stack/aws | 0.1.6 |
| securityhub_notifications | appvia/notifications/aws | 0.1.6 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_accounts | Map of AWS account names to their account IDs | object({ | n/a | yes |
| aws_support_role_name | Name of the AWS Support role | string | "AWSSupportAccess" | no |
| breakglass_users | The number of breakglass users to create | number | 2 | no |
| cloudaccess_terraform_state_ro_policy_name | Name of the read-only IAM policy to attach to the CloudAccess Terraform state role | string | "lza-cloudaccess-tfstate-ro" | no |
| cloudaccess_terraform_state_rw_policy_name | Name of the read-write IAM policy to attach to the CloudAccess Terraform state role | string | "lza-cloudaccess-tfstate-rw" | no |
| costs_boundary_name | Name of the IAM policy to use as a permissions boundary for cost-related roles | string | "lza-costs-boundary" | no |
| default_permissions_boundary_name | Name of the default IAM policy to use as a permissions boundary | string | "lza-default-boundary" | no |
| enable_aws_support | Indicates if we should enable the AWS Support role | bool | true | no |
| enable_breakglass | Indicates if we should enable breakglass users and group | bool | false | no |
| enable_cis_alarms | Indicates if we should enable CIS alarms | bool | true | no |
| enable_securityhub_alarms | Indicates if we should enable Security Hub alarms | bool | true | no |
| notifications | Configuration for the notifications (email and Slack destinations) | object({ | { | no |
| permissive_permissions_boundary_name | Name of the permissive IAM policy to use as a permissions boundary | string | "lza-permissive-boundary" | no |
| repositories | Repository locations (URLs) for the pipelines | object({ | {} | no |
| scm_name | Name of the source control management system (github or gitlab) | string | "github" | no |
| securityhub_event_bridge_rule_name | Display name of the EventBridge rule for Security Hub findings | string | "lza-securityhub-alerts" | no |
| securityhub_lambda_function_name | Name of the Security Hub Lambda function | string | "lza-securityhub-lambda-forwarder" | no |
| securityhub_lambda_log_group_kms_alias | Name of the KMS alias for the CloudWatch log group | string | "alias/accelerator/kms/cloudwatch/key" | no |
| securityhub_lambda_role_name | Name of the IAM role for the Security Hub Lambda function | string | "lza-securityhub-lambda-role" | no |
| securityhub_lambda_runtime | Runtime for the Security Hub Lambda function | string | "python3.12" | no |
| securityhub_severity_filter | Severity labels of Security Hub findings to forward | list(string) | [ | no |
| securityhub_sns_topic_name | Name of the SNS topic to send Security Hub findings to | string | "lza-securityhub-alerts" | no |
| tags | Tags to apply to all resources | map(string) | n/a | yes |

Note that `enable_cis_alarms` and `enable_securityhub_alarms` default to `true`, so alarms are created unless explicitly disabled, while `enable_breakglass` defaults to `false`.
## Outputs

| Name | Description |
|---|---|
| cloudaccess_terraform_state_ro_policy_name | Name of the read-only IAM policy to attach to the CloudAccess Terraform state role |
| cloudaccess_terraform_state_rw_policy_name | Name of the read-write IAM policy to attach to the CloudAccess Terraform state role |
| default_permission_boundary_name | The name of the default IAM permissions boundary |
| default_permissive_boundary_name | The name of the default permissive IAM permissions boundary |
| identity_role_ro_name | The name of the read-only IAM role which can be assumed by the identity stack in all accounts |
| identity_role_rw_name | The name of the read-write IAM role which can be assumed by the identity stack in all accounts |
| identity_stack_name | The name of the identity stack |