feat: Terraform Foundation - AWS Landing Zone

Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-10 06:45:06 +00:00 · 2026-02-01 20:06:28 +00:00
commit 6136cde9bb
145 changed files with 30832 additions and 0 deletions
--- a/terraform/modules/account-baseline/variables.tf
+++ b/terraform/modules/account-baseline/variables.tf
@@ -0,0 +1,206 @@
+################################################################################
+# Account Baseline - Input Variables
+################################################################################
+
+variable "name" {
+  type        = string
+  description = "Name prefix for resources"
+}
+
+# EBS Encryption
+variable "enable_ebs_encryption" {
+  type        = bool
+  default     = true
+  description = "Enable EBS encryption by default"
+}
+
+variable "ebs_kms_key_arn" {
+  type        = string
+  default     = null
+  description = "KMS key ARN for EBS encryption (null = AWS managed)"
+}
+
+# S3 Public Access
+variable "enable_s3_block_public" {
+  type        = bool
+  default     = true
+  description = "Block public access to S3 at account level"
+}
+
+# Password Policy
+variable "enable_password_policy" {
+  type        = bool
+  default     = true
+  description = "Configure IAM password policy"
+}
+
+variable "password_policy" {
+  type = object({
+    minimum_length          = optional(number, 14)
+    require_lowercase       = optional(bool, true)
+    require_uppercase       = optional(bool, true)
+    require_numbers         = optional(bool, true)
+    require_symbols         = optional(bool, true)
+    allow_users_to_change   = optional(bool, true)
+    max_age_days            = optional(number, 90)
+    reuse_prevention_count  = optional(number, 24)
+    hard_expiry             = optional(bool, false)
+  })
+  default     = {}
+  description = "IAM password policy settings"
+}
+
+# Access Analyzer
+variable "enable_access_analyzer" {
+  type        = bool
+  default     = true
+  description = "Enable IAM Access Analyzer"
+}
+
+variable "access_analyzer_type" {
+  type        = string
+  default     = "ACCOUNT"
+  description = "Access Analyzer type (ACCOUNT or ORGANIZATION)"
+}
+
+# Security Hub
+variable "enable_securityhub" {
+  type        = bool
+  default     = false
+  description = "Enable Security Hub (set false if using delegated admin)"
+}
+
+variable "securityhub_enable_default_standards" {
+  type        = bool
+  default     = false
+  description = "Enable default Security Hub standards"
+}
+
+variable "securityhub_auto_enable_controls" {
+  type        = bool
+  default     = true
+  description = "Auto-enable new controls"
+}
+
+variable "securityhub_standards" {
+  type        = list(string)
+  default     = []
+  description = "Security Hub standard ARNs to enable"
+}
+
+# GuardDuty
+variable "enable_guardduty" {
+  type        = bool
+  default     = false
+  description = "Enable GuardDuty (set false if using delegated admin)"
+}
+
+variable "guardduty_finding_frequency" {
+  type        = string
+  default     = "FIFTEEN_MINUTES"
+  description = "GuardDuty finding publishing frequency"
+}
+
+variable "guardduty_kubernetes_audit" {
+  type        = bool
+  default     = true
+  description = "Enable GuardDuty Kubernetes audit logs"
+}
+
+variable "guardduty_malware_protection" {
+  type        = bool
+  default     = true
+  description = "Enable GuardDuty malware protection"
+}
+
+# AWS Config
+variable "enable_config" {
+  type        = bool
+  default     = false
+  description = "Enable AWS Config (set false if using org aggregator)"
+}
+
+variable "config_s3_bucket" {
+  type        = string
+  default     = ""
+  description = "S3 bucket for Config recordings"
+}
+
+variable "config_s3_prefix" {
+  type        = string
+  default     = "config"
+  description = "S3 key prefix for Config recordings"
+}
+
+variable "config_sns_topic_arn" {
+  type        = string
+  default     = null
+  description = "SNS topic for Config notifications"
+}
+
+variable "config_snapshot_frequency" {
+  type        = string
+  default     = "TwentyFour_Hours"
+  description = "Config snapshot delivery frequency"
+}
+
+variable "config_include_global_resources" {
+  type        = bool
+  default     = true
+  description = "Include global resources in Config"
+}
+
+# IAM Roles
+variable "create_admin_role" {
+  type        = bool
+  default     = false
+  description = "Create admin IAM role"
+}
+
+variable "create_readonly_role" {
+  type        = bool
+  default     = false
+  description = "Create readonly IAM role"
+}
+
+variable "iam_role_path" {
+  type        = string
+  default     = "/"
+  description = "IAM role path"
+}
+
+variable "trusted_admin_principals" {
+  type        = list(string)
+  default     = []
+  description = "ARNs allowed to assume admin role"
+}
+
+variable "trusted_readonly_principals" {
+  type        = list(string)
+  default     = []
+  description = "ARNs allowed to assume readonly role"
+}
+
+variable "require_mfa" {
+  type        = bool
+  default     = true
+  description = "Require MFA for admin role assumption"
+}
+
+variable "admin_session_duration" {
+  type        = number
+  default     = 3600
+  description = "Admin role session duration in seconds"
+}
+
+variable "readonly_session_duration" {
+  type        = number
+  default     = 3600
+  description = "Readonly role session duration in seconds"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "Tags to apply to resources"
+}