mirror of
https://github.com/ghndrx/terraform-foundation.git
synced 2026-02-10 06:45:06 +00:00
Greg Hendrickson
6136cde9bb
Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
103 lines
2.7 KiB
HCL
103 lines
2.7 KiB
HCL
################################################################################
|
|
# Tenant Baseline Module
|
|
#
|
|
# Composite module that provisions a complete tenant environment:
|
|
# - Tenant IAM roles with permissions boundary
|
|
# - Tenant budget alerts
|
|
# - Tenant VPC (optional)
|
|
# - Standard tagging
|
|
################################################################################
|
|
|
|
terraform {
|
|
required_version = ">= 1.5.0"
|
|
required_providers {
|
|
aws = {
|
|
source = "hashicorp/aws"
|
|
version = ">= 5.0"
|
|
}
|
|
}
|
|
}
|
|
|
|
data "aws_caller_identity" "current" {}
|
|
|
|
locals {
|
|
account_id = data.aws_caller_identity.current.account_id
|
|
|
|
# Standard tenant tags
|
|
tenant_tags = merge(var.tags, {
|
|
Tenant = var.tenant_name
|
|
TenantId = var.tenant_id
|
|
Environment = var.environment
|
|
CostCenter = var.cost_center
|
|
Owner = var.owner_email
|
|
ManagedBy = "terraform"
|
|
})
|
|
}
|
|
|
|
################################################################################
|
|
# Tenant IAM
|
|
################################################################################
|
|
|
|
module "tenant_iam" {
|
|
source = "../tenant-iam"
|
|
|
|
tenant_name = var.tenant_name
|
|
tenant_id = var.tenant_id
|
|
|
|
create_permissions_boundary = var.create_permissions_boundary
|
|
create_admin_role = var.create_admin_role
|
|
create_developer_role = var.create_developer_role
|
|
create_readonly_role = var.create_readonly_role
|
|
|
|
trusted_principals = var.trusted_principals
|
|
allowed_services = var.allowed_services
|
|
require_mfa = var.require_mfa
|
|
|
|
tags = local.tenant_tags
|
|
}
|
|
|
|
################################################################################
|
|
# Tenant Budget
|
|
################################################################################
|
|
|
|
module "tenant_budget" {
|
|
source = "../tenant-budget"
|
|
|
|
name = var.tenant_name
|
|
budget_limit = var.budget_limit
|
|
|
|
alert_thresholds = var.budget_alert_thresholds
|
|
enable_forecasted_alerts = var.enable_forecasted_alerts
|
|
notification_emails = var.budget_notification_emails
|
|
|
|
cost_filter_tags = {
|
|
Tenant = var.tenant_name
|
|
}
|
|
|
|
tags = local.tenant_tags
|
|
}
|
|
|
|
################################################################################
|
|
# Tenant VPC (Optional)
|
|
################################################################################
|
|
|
|
module "tenant_vpc" {
|
|
source = "../tenant-vpc"
|
|
count = var.create_vpc ? 1 : 0
|
|
|
|
tenant_name = var.tenant_name
|
|
cidr = var.vpc_cidr
|
|
azs = var.vpc_azs
|
|
|
|
public_subnets = var.vpc_public_subnets
|
|
private_subnets = var.vpc_private_subnets
|
|
|
|
enable_nat = var.vpc_enable_nat
|
|
nat_mode = var.vpc_nat_mode
|
|
|
|
transit_gateway_id = var.transit_gateway_id
|
|
enable_flow_logs = var.enable_flow_logs
|
|
|
|
tags = local.tenant_tags
|
|
}
|