ghndrx/terraform-foundation
1
0
Fork 0
mirror of https://github.com/ghndrx/terraform-foundation.git synced 2026-02-10 14:54:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Terraform Foundation - AWS Landing Zone

Browse Source 
Enterprise-grade multi-tenant AWS cloud foundation.

Modules:
- GitHub OIDC for keyless CI/CD authentication
- IAM account settings and security baseline
- AWS Config Rules for compliance
- ABAC (Attribute-Based Access Control)
- SCPs (Service Control Policies)

Features:
- Multi-account architecture
- Cost optimization patterns
- Security best practices
- Comprehensive documentation

Tech: Terraform, AWS Organizations, IAM Identity Center
This commit is contained in:
Greg Hendrickson
2026-02-01 20:06:28 +00:00
commit 6136cde9bb
145 changed files with 30832 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
terraform/modules/tenant-security-group/README.md Normal file
View File

@@ -0,0 +1,51 @@
# tenant-security-group
Tenant Security Group Module Creates isolated security groups for tenant workloads in shared VPC }
## Usage
```hcl
module "tenant_security_group" {
source = "../modules/tenant-security-group"
# Required variables
tenant = ""
environment = ""
vpc_id = ""
# Optional: see variables.tf for all options
}
```
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 1.5.0 |
| aws | >= 5.0 |
## Inputs
| Name | Description | Type | Required |
|------|-------------|------|----------|
| tenant | Tenant identifier | `string` | yes |
| environment | Environment (prod, staging, dev) | `string` | yes |
| vpc_id | VPC ID for the security groups | `string` | yes |
| create_web_sg | Create web tier security group | `bool` | no |
| create_app_sg | Create app tier security group | `bool` | no |
| create_db_sg | Create database tier security group | `bool` | no |
| app_port | Application port | `number` | no |
| db_port | Database port | `number` | no |
## Outputs
| Name | Description |
|------|-------------|
| base_sg_id | |
| web_sg_id | |
| app_sg_id | |
| db_sg_id | |
## License
Apache 2.0 - See LICENSE for details.

201
terraform/modules/tenant-security-group/main.tf Normal file
View File

@@ -0,0 +1,201 @@
################################################################################
# Tenant Security Group Module
# Creates isolated security groups for tenant workloads in shared VPC
################################################################################
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
################################################################################
# Base Tenant Security Group
################################################################################
resource "aws_security_group" "tenant_base" {
name = "${var.tenant}-base-sg"
description = "Base security group for tenant ${var.tenant}"
vpc_id = var.vpc_id
# Allow all traffic within same tenant (same SG)
ingress {
description = "Allow intra-tenant traffic"
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
# Allow outbound internet
egress {
description = "Allow all outbound"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.tenant}-base-sg"
Tenant = var.tenant
Environment = var.environment
}
}
################################################################################
# Web Tier Security Group
################################################################################
resource "aws_security_group" "tenant_web" {
count = var.create_web_sg ? 1 : 0
name = "${var.tenant}-web-sg"
description = "Web tier security group for tenant ${var.tenant}"
vpc_id = var.vpc_id
# HTTPS from anywhere
ingress {
description = "HTTPS from anywhere"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# HTTP from anywhere (redirect to HTTPS)
ingress {
description = "HTTP from anywhere"
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# Allow from tenant base SG
ingress {
description = "Allow from tenant base"
from_port = 0
to_port = 0
protocol = "-1"
security_groups = [aws_security_group.tenant_base.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.tenant}-web-sg"
Tenant = var.tenant
Environment = var.environment
Tier = "web"
}
}
################################################################################
# App Tier Security Group
################################################################################
resource "aws_security_group" "tenant_app" {
count = var.create_app_sg ? 1 : 0
name = "${var.tenant}-app-sg"
description = "App tier security group for tenant ${var.tenant}"
vpc_id = var.vpc_id
# Allow from web tier
ingress {
description = "Allow from web tier"
from_port = var.app_port
to_port = var.app_port
protocol = "tcp"
security_groups = var.create_web_sg ? [aws_security_group.tenant_web[0].id] : []
}
# Allow from tenant base SG
ingress {
description = "Allow from tenant base"
from_port = 0
to_port = 0
protocol = "-1"
security_groups = [aws_security_group.tenant_base.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.tenant}-app-sg"
Tenant = var.tenant
Environment = var.environment
Tier = "app"
}
}
################################################################################
# Database Tier Security Group
################################################################################
resource "aws_security_group" "tenant_db" {
count = var.create_db_sg ? 1 : 0
name = "${var.tenant}-db-sg"
description = "Database tier security group for tenant ${var.tenant}"
vpc_id = var.vpc_id
# Allow from app tier only
ingress {
description = "Allow from app tier"
from_port = var.db_port
to_port = var.db_port
protocol = "tcp"
security_groups = var.create_app_sg ? [aws_security_group.tenant_app[0].id] : [aws_security_group.tenant_base.id]
}
# No direct outbound (DB shouldn't initiate connections)
egress {
description = "Allow response to app tier"
from_port = 0
to_port = 0
protocol = "-1"
security_groups = var.create_app_sg ? [aws_security_group.tenant_app[0].id] : [aws_security_group.tenant_base.id]
}
tags = {
Name = "${var.tenant}-db-sg"
Tenant = var.tenant
Environment = var.environment
Tier = "database"
}
}
################################################################################
# Outputs
################################################################################
output "base_sg_id" {
value = aws_security_group.tenant_base.id
}
output "web_sg_id" {
value = var.create_web_sg ? aws_security_group.tenant_web[0].id : null
}
output "app_sg_id" {
value = var.create_app_sg ? aws_security_group.tenant_app[0].id : null
}
output "db_sg_id" {
value = var.create_db_sg ? aws_security_group.tenant_db[0].id : null
}

44
terraform/modules/tenant-security-group/variables.tf Normal file
View File

@@ -0,0 +1,44 @@
variable "tenant" {
description = "Tenant identifier"
type = string
}
variable "environment" {
description = "Environment (prod, staging, dev)"
type = string
}
variable "vpc_id" {
description = "VPC ID for the security groups"
type = string
}
variable "create_web_sg" {
description = "Create web tier security group"
type = bool
default = true
}
variable "create_app_sg" {
description = "Create app tier security group"
type = bool
default = true
}
variable "create_db_sg" {
description = "Create database tier security group"
type = bool
default = true
}
variable "app_port" {
description = "Application port"
type = number
default = 8080
}
variable "db_port" {
description = "Database port"
type = number
default = 5432
}