feat: Terraform Foundation - AWS Landing Zone

Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
2026-02-10 14:54:56 +00:00 · 2026-02-01 20:06:28 +00:00
commit 6136cde9bb
145 changed files with 30832 additions and 0 deletions
--- a/terraform/modules/tenant-baseline/main.tf
+++ b/terraform/modules/tenant-baseline/main.tf
@@ -0,0 +1,102 @@
+################################################################################
+# Tenant Baseline Module
+#
+# Composite module that provisions a complete tenant environment:
+# - Tenant IAM roles with permissions boundary
+# - Tenant budget alerts
+# - Tenant VPC (optional)
+# - Standard tagging
+################################################################################
+
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+
+  # Standard tenant tags
+  tenant_tags = merge(var.tags, {
+    Tenant      = var.tenant_name
+    TenantId    = var.tenant_id
+    Environment = var.environment
+    CostCenter  = var.cost_center
+    Owner       = var.owner_email
+    ManagedBy   = "terraform"
+  })
+}
+
+################################################################################
+# Tenant IAM
+################################################################################
+
+module "tenant_iam" {
+  source = "../tenant-iam"
+
+  tenant_name = var.tenant_name
+  tenant_id   = var.tenant_id
+
+  create_permissions_boundary = var.create_permissions_boundary
+  create_admin_role           = var.create_admin_role
+  create_developer_role       = var.create_developer_role
+  create_readonly_role        = var.create_readonly_role
+
+  trusted_principals = var.trusted_principals
+  allowed_services   = var.allowed_services
+  require_mfa        = var.require_mfa
+
+  tags = local.tenant_tags
+}
+
+################################################################################
+# Tenant Budget
+################################################################################
+
+module "tenant_budget" {
+  source = "../tenant-budget"
+
+  name         = var.tenant_name
+  budget_limit = var.budget_limit
+
+  alert_thresholds         = var.budget_alert_thresholds
+  enable_forecasted_alerts = var.enable_forecasted_alerts
+  notification_emails      = var.budget_notification_emails
+
+  cost_filter_tags = {
+    Tenant = var.tenant_name
+  }
+
+  tags = local.tenant_tags
+}
+
+################################################################################
+# Tenant VPC (Optional)
+################################################################################
+
+module "tenant_vpc" {
+  source = "../tenant-vpc"
+  count  = var.create_vpc ? 1 : 0
+
+  tenant_name = var.tenant_name
+  cidr        = var.vpc_cidr
+  azs         = var.vpc_azs
+
+  public_subnets  = var.vpc_public_subnets
+  private_subnets = var.vpc_private_subnets
+
+  enable_nat = var.vpc_enable_nat
+  nat_mode   = var.vpc_nat_mode
+
+  transit_gateway_id = var.transit_gateway_id
+  enable_flow_logs   = var.enable_flow_logs
+
+  tags = local.tenant_tags
+}