-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathvariables.tf
545 lines (491 loc) · 13.8 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
variable "account_type" {
description = "AWS account type (master, administrator, log, member)"
type = string
validation {
condition = contains(
["master", "administrator", "log", "member"],
var.account_type
)
error_message = "Must be one of: master, administrator, log, member."
}
}
variable "region_list" {
description = "Overriding list of region to apply at"
type = list
default = []
}
variable "region_exclude" {
description = "Remove these regions from the data.aws_region.enabled.names list"
type = list
default = []
}
variable "deletion_window_in_days" {
description = "Duration in days after which the key is deleted after destruction of the resource"
type = number
default = 7
validation {
condition = 7 <= var.deletion_window_in_days && var.deletion_window_in_days <= 30
error_message = "Must be between 7 and 30, inclusive."
}
}
#variable "aws_region" {
# description = "AWS region"
# type = string
# default = "us-east-1"
#}
#variable "enable_artifact" {
# description = "Enable AWS Artifact service"
# type = bool
# default = false
#}
variable "enable_alarm" {
description = "Enable AWS CloudTrail service"
type = bool
default = true
}
variable "enable_cloudtrail" {
description = "Enable AWS CloudTrail service"
type = bool
default = true
}
#variable "enable_compute_optimzer" {
# description = "Enable AWS Compute Optimizer service"
# type = bool
# default = true
#}
variable "enable_config" {
description = "Enable AWS Config service"
type = bool
default = true
}
#variable "enable_detective" {
# description = "Enable AWS Detective service"
# type = bool
# default = false
#}
variable "enable_firewall_manager" {
description = "Enable AWS Firewall Manager service"
type = bool
default = true
}
variable "enable_guardduty" {
description = "Enable AWS GuardDuty service"
type = bool
default = true
}
variable "enable_iam_access_analyzer" {
description = "Enable AWS IAM Access Analyzer"
type = bool
default = true
}
variable "enable_inspector" {
description = "Enable AWS Inspector"
type = bool
default = true
}
variable "enable_kms" {
description = "Enable KMS at org level for CloudTrail and other services"
type = bool
# Disabled on purpose as policy always forces a destroy and recreate"
default = false
}
#variable "enable_ram" {
# description = "Enable AWS RAM service"
# type = bool
# default = true
#}
#variable "enable_s3_storage_lens" {
# description = "Enable AWS S3 Storage Lens service"
# type = bool
# default = true
#}
variable "enable_scp" {
description = "Manage organization SCP policies"
type = bool
default = true
}
variable "enable_securityhub" {
description = "Enable AWS Security Hub service"
type = bool
default = true
}
#variable "enable_tag_policies" {
# description = "Enable AWS Tag Policies"
# type = bool
# default = true
#}
variable "tags" {
description = "Specifies object tags key and value. This applies to all resources created by this module."
type = map(any)
default = {}
}
variable "target_regions" {
description = "A list of regions to set up with this module."
type = list(string)
default = [
"eu-west-1",
"us-east-1",
"us-east-2"
]
}
### -----------------------------
### Baseline ECR
### -----------------------------
variable "enable_ecr_baseline" {
description = "Enable ECR image scanning"
type = bool
default = true
}
# scan_frequency = "SCAN_ON_PUSH" "CONTINUOUS_SCAN" "MANUAL"
variable "ecr_scanning_rules" {
description = "List of ECR scanning rules"
type = list(map(string))
default = [
{
frequency = "SCAN_ON_PUSH"
filter = "*"
}
]
}
variable "ecr_scan_type" {
description = "ECR scanning type (BASIC or ENHANCED)"
type = string
validation {
condition = contains(
["BASIC", "ENHANCED"],
var.ecr_scan_type
)
error_message = "Must be one of: BASIC, ENHANCED."
}
#default = "BASIC"
default = "ENHANCED" # Need inspector2 to collect data
}
### -----------------------------
### Baseline EBS
### -----------------------------
variable "enable_ebs_baseline" {
description = "Boolean whether ebs-baseline is enabled."
type = bool
default = true
}
### -----------------------------
### Baseline IAM
### -----------------------------
variable "enable_iam_baseline" {
description = "Boolean whether iam-baseline is enabled."
type = bool
default = true
}
variable "iam_create_password_policy" {
type = bool
description = "Define if the password policy should be created."
default = true
}
#variable "iam_create_master_role" {
# type = bool
# description = "Define if the master role should be created."
# default = true
#}
#
#variable "iam_create_manager_role" {
# type = bool
# description = "Define if the manager role should be created."
# default = true
#}
variable "iam_create_support_role" {
type = bool
description = "Define if the support role should be created."
default = true
}
#variable "iam_master_iam_role_name" {
# description = "The name of the IAM Master role."
# default = "IAM-Master"
#}
#
#variable "iam_master_iam_role_policy_name" {
# description = "The name of the IAM Master role policy."
# default = "IAM-Master-Policy"
#}
#
#variable "iam_manager_iam_role_name" {
# description = "The name of the IAM Manager role."
# default = "IAM-Manager"
#}
#
#variable "iam_manager_iam_role_policy_name" {
# description = "The name of the IAM Manager role policy."
# default = "IAM-Manager-Policy"
#}
#variable "iam_support_iam_role_name" {
# description = "The name of the the support role."
# default = "IAM-Support"
#}
#
#variable "iam_support_iam_role_policy_name" {
# description = "The name of the support role policy."
# default = "IAM-Support-Role"
#}
#
#variable "iam_support_iam_role_principal_arns" {
# type = list(any)
# description = "List of ARNs of the IAM principal elements by which the support role could be assumed."
#}
variable "iam_max_password_age" {
description = "The number of days that an user password is valid."
type = number
default = 0
}
variable "iam_minimum_password_length" {
description = "Minimum length to require for user passwords."
type = number
default = 14
}
variable "iam_password_reuse_prevention" {
description = "The number of previous passwords that users are prevented from reusing."
type = number
default = 24
}
variable "iam_require_lowercase_characters" {
description = "Whether to require lowercase characters for user passwords."
type = bool
default = true
}
variable "iam_require_numbers" {
description = "Whether to require numbers for user passwords."
type = bool
default = true
}
variable "iam_require_uppercase_characters" {
description = "Whether to require uppercase characters for user passwords."
type = bool
default = true
}
variable "iam_require_symbols" {
description = "Whether to require symbols for user passwords."
type = bool
default = true
}
variable "iam_allow_users_to_change_password" {
description = "Whether to allow users to change their own password."
type = bool
default = true
}
### -----------------------------
### Baseline S3
### -----------------------------
variable "enable_s3_baseline" {
description = "Enable S3 baseline?"
type = bool
default = true
}
variable "s3_block_public_acls" {
description = "Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true."
type = bool
default = true
}
variable "s3_block_public_policy" {
description = "Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true."
type = bool
default = true
}
variable "s3_ignore_public_acls" {
description = "Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true."
type = bool
default = true
}
variable "s3_restrict_public_buckets" {
description = "Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true."
type = bool
default = true
}
### -----------------------------
### CloudTrail
### -----------------------------
variable "cloudtrail_enable_log_file_validation" {
description = "Specifies whether log file integrity validation is enabled. Creates signed digest for validated contents of logs"
type = bool
default = true
}
variable "cloudtrail_enable_logging" {
description = "Enable logging for the trail"
type = bool
default = true
}
variable "cloudtrail_enable_cloudwatch_logs" {
description = "Enable logging for the trail"
type = bool
default = true
}
variable "cloudtrail_include_global_service_events" {
description = "Specifies whether the trail is publishing events from global services such as IAM to the log files"
type = bool
default = true
}
variable "cloudtrail_insight_selector" {
description = "Specifies an insight selector for identifying unusual operational activity. See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#insight_type details for this variable"
type = list(object({
insight_type = string
}))
default = [
{ insight_type = "ApiCallRateInsight" },
{ insight_type = "ApiErrorRateInsight" }
]
}
variable "cloudtrail_is_multi_region_trail" {
description = "Specifies whether the trail is created in the current region or in all regions"
type = bool
default = true
}
variable "cloudtrail_is_organization_trail" {
description = "The trail is an AWS Organizations trail"
type = bool
default = true
}
variable "cloudtrail_name" {
description = "CloudTrail trail name"
type = string
default = "org"
}
variable "cloudtrail_s3_bucket" {
description = "CloudTrail S3 bucket"
type = string
default = null
}
### -----------------------------
### S3 Bucket
### -----------------------------
variable "enable_s3_buckets" {
description = "Enable S3 buckets?"
type = bool
default = false
}
variable "bucket_custom_policy_json" {
description = "Custom S3 bucket policy override JSON"
type = string
default = ""
}
variable "cloudtrail_s3_key_prefix" {
description = "S3 key prefix for CloudTrail"
type = string
default = "cloudtrail"
}
variable "config_s3_bucket_key_prefix" {
description = "S3 key prefix for Config"
type = string
default = "config"
}
variable "vpc_flow_logs_s3_key_prefix" {
description = "S3 key prefix for VPC Flow Logs"
type = string
default = "flow-logs"
}
variable "force_destroy" {
description = "Allow destroy of S3 bucket with objects"
type = bool
default = false
}
#variable "kms_master_key_arn" {
# description = "The AWS KMS master key ARN used for the `SSE-KMS` encryption. The default aws/s3 AWS AES256 master key is used if this element is absent"
# type = string
# default = ""
#}
### -----------------------------
### Config
### -----------------------------
variable "config_s3_key_prefix" {
description = "Config log S3 bucket prefix"
default = "config"
}
variable "sns_encryption_key_id" {
description = "Config log S3 bucket prefix"
default = "alias/aws/sns"
}
#variable "enable_config_recorder" {
# description = "Config log S3 bucket prefix"
# type = bool
# default = true
#}
### -----------------------------
### Security Hub Settings
### -----------------------------
variable "securityhub_enable_products" {
description = "Subscribe Security Hub to Products"
type = list(string)
default = []
}
### -----------------------------
### Organization Settings
### -----------------------------
variable "kms_key_id" {
description = "Organization KMS id"
type = string
default = ""
}
variable "org_master_account_id" {
description = "AWS Organization Account ID"
type = number
}
variable "org_account_active" {
description = "AWS Organization Account ID"
type = list
default = []
}
variable "org_account_active_map" {
description = "AWS Organization by Account ID"
type = map
default = {}
}
variable "security_administrator_account_id" {
description = "AWS Security Administrator Account ID"
type = number
}
variable "log_administrator_account_id" {
description = "AWS Log Administrator Account ID"
type = number
}
variable "log_s3_bucket" {
description = "AWS log s3 bucket"
type = string
}
variable "org_primary_region" {
description = "AWS primary region"
type = string
default = "us-east-1"
}
# Policy Types
#variable "enable_org_policy_aiservices" {
# description = "Enable organization policy type for AI services opt-out"
# type = bool
# default = true
#}
#
#variable "enable_org_policy_backup" {
# description = "Enable organization policy type for backup"
# type = bool
# default = false
#}
#
#variable "enable_org_policy_scp" {
# description = "Enable organization policy type for service cache_control"
# type = bool
# default = true
#}
### -----------------------------
### Alarm
### -----------------------------
variable "sns_report" {
description = "AWS sns Topic name"
type = string
}
variable "sns_info" {
description = "AWS sns Topic name"
type = string
}
variable "sns_warn" {
description = "AWS sns Topic name"
type = string
}
variable "sns_error" {
description = "AWS sns Topic name"
type = string
}