Enterprise-grade multi-tenant AWS cloud foundation. Modules: - GitHub OIDC for keyless CI/CD authentication - IAM account settings and security baseline - AWS Config Rules for compliance - ABAC (Attribute-Based Access Control) - SCPs (Service Control Policies) Features: - Multi-account architecture - Cost optimization patterns - Security best practices - Comprehensive documentation Tech: Terraform, AWS Organizations, IAM Identity Center
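################################################################################
# Account Baseline - Input Variables
################################################################################

# Prefix applied to the names of the resources this module creates.
# The variable has no default, so callers must supply it; the validation
# rejects an empty or whitespace-only value, which would otherwise produce
# resource names that are just the suffix.
variable "name" {
  type        = string
  description = "Name prefix for resources"

  validation {
    condition     = length(trimspace(var.name)) > 0
    error_message = "name must be a non-empty string."
  }
}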

# EBS Encryption

# Toggle for account-level EBS encryption-by-default. Defaults to on.
variable "enable_ebs_encryption" {
  description = "Enable EBS encryption by default"
  type        = bool
  default     = true
}
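
# Customer-managed KMS key used for EBS encryption-by-default. Leaving it
# null keeps the AWS-managed key. When a value is given it must look like a
# KMS ARN (any AWS partition) so a typo is caught at plan time rather than
# surfacing as an opaque API error when the default key is set.
variable "ebs_kms_key_arn" {
  type        = string
  default     = null
  description = "KMS key ARN for EBS encryption (null = AWS managed)"

  validation {
    condition     = var.ebs_kms_key_arn == null || can(regex("^arn:aws(-[a-z]+)?:kms:", var.ebs_kms_key_arn))
    error_message = "ebs_kms_key_arn must be null or a KMS key ARN (arn:aws...:kms:...)."
  }
}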

# S3 Public Access

# Account-wide S3 Block Public Access. Defaults to on.
variable "enable_s3_block_public" {
  description = "Block public access to S3 at account level"
  type        = bool
  default     = true
}

# Password Policy

# Whether the module manages the IAM account password policy. Defaults to on;
# the policy values themselves come from var.password_policy.
variable "enable_password_policy" {
  description = "Configure IAM password policy"
  type        = bool
  default     = true
}
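
# IAM account password policy. Every attribute is optional with a hardened
# default (14 chars, all character classes, 90-day rotation, 24-password
# reuse history). The validations pin the bounds the IAM API accepts so an
# out-of-range value fails at plan time instead of at apply:
#   minimum_length          6..128
#   max_age_days            at most 1095
#   reuse_prevention_count  at most 24
# Lower bounds for max_age_days / reuse_prevention_count are deliberately not
# enforced here; whether 0 is passed through or treated as "unset" depends on
# the resource definition elsewhere in the module - TODO confirm.
variable "password_policy" {
  type = object({
    minimum_length         = optional(number, 14)
    require_lowercase      = optional(bool, true)
    require_uppercase      = optional(bool, true)
    require_numbers        = optional(bool, true)
    require_symbols        = optional(bool, true)
    allow_users_to_change  = optional(bool, true)
    max_age_days           = optional(number, 90)
    reuse_prevention_count = optional(number, 24)
    hard_expiry            = optional(bool, false)
  })
  default     = {}
  description = "IAM password policy settings"

  validation {
    condition     = var.password_policy.minimum_length >= 6 && var.password_policy.minimum_length <= 128
    error_message = "password_policy.minimum_length must be between 6 and 128."
  }

  validation {
    condition     = var.password_policy.max_age_days <= 1095
    error_message = "password_policy.max_age_days must not exceed 1095."
  }

  validation {
    condition     = var.password_policy.reuse_prevention_count <= 24
    error_message = "password_policy.reuse_prevention_count must not exceed 24."
  }
}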

# Access Analyzer

# Creates an IAM Access Analyzer in this account. Defaults to on.
variable "enable_access_analyzer" {
  description = "Enable IAM Access Analyzer"
  type        = bool
  default     = true
}
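
# Scope of the Access Analyzer. Only the two values named in the description
# are meaningful, so anything else is rejected at plan time; the check is
# case-sensitive because the API value is.
variable "access_analyzer_type" {
  type        = string
  default     = "ACCOUNT"
  description = "Access Analyzer type (ACCOUNT or ORGANIZATION)"

  validation {
    condition     = contains(["ACCOUNT", "ORGANIZATION"], var.access_analyzer_type)
    error_message = "access_analyzer_type must be ACCOUNT or ORGANIZATION."
  }
}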

# Security Hub

# Enables Security Hub in this account. Off by default because accounts that
# are members of a delegated-administrator setup get it enabled centrally.
variable "enable_securityhub" {
  description = "Enable Security Hub (set false if using delegated admin)"
  type        = bool
  default     = false
}

# Whether Security Hub turns on its default standards when enabled. Off by
# default; explicit standards are listed in var.securityhub_standards.
variable "securityhub_enable_default_standards" {
  description = "Enable default Security Hub standards"
  type        = bool
  default     = false
}

# Automatically enable new controls as they are added to enabled standards.
# Defaults to on.
variable "securityhub_auto_enable_controls" {
  description = "Auto-enable new controls"
  type        = bool
  default     = true
}
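
# Security Hub standards to subscribe to, given as standard ARNs. Each entry
# is checked for a securityhub ARN prefix (any partition) so that a short
# name such as "cis-aws-foundations-benchmark" is rejected at plan time
# rather than at apply. An empty list is valid and means "subscribe to none".
variable "securityhub_standards" {
  type        = list(string)
  default     = []
  description = "Security Hub standard ARNs to enable"

  validation {
    condition     = alltrue([for s in var.securityhub_standards : can(regex("^arn:aws(-[a-z]+)?:securityhub:", s))])
    error_message = "Every securityhub_standards entry must be a Security Hub standard ARN (arn:aws...:securityhub:...)."
  }
}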

# GuardDuty

# Enables a GuardDuty detector in this account. Off by default because member
# accounts of a delegated-administrator setup are enabled centrally.
variable "enable_guardduty" {
  description = "Enable GuardDuty (set false if using delegated admin)"
  type        = bool
  default     = false
}
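
# How often GuardDuty publishes updated findings. The GuardDuty API accepts
# exactly three values, so anything else is rejected at plan time. The
# default is the most frequent option, which keeps detection latency low.
variable "guardduty_finding_frequency" {
  type        = string
  default     = "FIFTEEN_MINUTES"
  description = "GuardDuty finding publishing frequency"

  validation {
    condition     = contains(["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"], var.guardduty_finding_frequency)
    error_message = "guardduty_finding_frequency must be FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS."
  }
}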

# GuardDuty Kubernetes (EKS) audit-log data source. Defaults to on.
variable "guardduty_kubernetes_audit" {
  description = "Enable GuardDuty Kubernetes audit logs"
  type        = bool
  default     = true
}

# GuardDuty malware protection data source. Defaults to on.
variable "guardduty_malware_protection" {
  description = "Enable GuardDuty malware protection"
  type        = bool
  default     = true
}

# AWS Config

# Enables an AWS Config recorder in this account. Off by default because an
# organization-level aggregator usually owns recording.
variable "enable_config" {
  description = "Enable AWS Config (set false if using org aggregator)"
  type        = bool
  default     = false
}
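
# S3 bucket that receives Config snapshots and history. The empty default is
# only sensible while enable_config is false; Terraform variable validation
# cannot reference another variable here, so the "required when Config is
# enabled" relationship has to be enforced where the bucket is consumed.
# A non-empty value is checked against S3 bucket naming rules (3-63 chars,
# lowercase letters, digits, dots and hyphens, alphanumeric at both ends).
variable "config_s3_bucket" {
  type        = string
  default     = ""
  description = "S3 bucket for Config recordings"

  validation {
    condition     = var.config_s3_bucket == "" || can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.config_s3_bucket))
    error_message = "config_s3_bucket must be empty or a valid S3 bucket name (3-63 lowercase letters, digits, dots or hyphens)."
  }
}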

# Key prefix under which Config writes into config_s3_bucket.
variable "config_s3_prefix" {
  description = "S3 key prefix for Config recordings"
  type        = string
  default     = "config"
}
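
# Optional SNS topic for Config delivery notifications. Null disables
# notifications. When set, the value must look like an SNS ARN (any
# partition) so a mistyped topic is caught at plan time.
variable "config_sns_topic_arn" {
  type        = string
  default     = null
  description = "SNS topic for Config notifications"

  validation {
    condition     = var.config_sns_topic_arn == null || can(regex("^arn:aws(-[a-z]+)?:sns:", var.config_sns_topic_arn))
    error_message = "config_sns_topic_arn must be null or an SNS topic ARN (arn:aws...:sns:...)."
  }
}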
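
# Delivery frequency for Config configuration snapshots. The Config API
# accepts a fixed set of mixed-case values, so the check is case-sensitive
# and rejects anything outside that set at plan time.
variable "config_snapshot_frequency" {
  type        = string
  default     = "TwentyFour_Hours"
  description = "Config snapshot delivery frequency"

  validation {
    condition     = contains(["One_Hour", "Three_Hours", "Six_Hours", "Twelve_Hours", "TwentyFour_Hours"], var.config_snapshot_frequency)
    error_message = "config_snapshot_frequency must be one of One_Hour, Three_Hours, Six_Hours, Twelve_Hours or TwentyFour_Hours."
  }
}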

# Record global (non-regional) resource types such as IAM in this recorder.
# Defaults to on.
variable "config_include_global_resources" {
  description = "Include global resources in Config"
  type        = bool
  default     = true
}

# IAM Roles

# Create the administrative IAM role. Off by default; the trust policy
# principals come from var.trusted_admin_principals.
variable "create_admin_role" {
  description = "Create admin IAM role"
  type        = bool
  default     = false
}

# Create the read-only IAM role. Off by default; the trust policy principals
# come from var.trusted_readonly_principals.
variable "create_readonly_role" {
  description = "Create readonly IAM role"
  type        = bool
  default     = false
}
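
# Path for the IAM roles this module creates. IAM requires a path to begin
# and end with "/" ("/" alone is the default), so a value like "baseline"
# or "/baseline" would fail at apply; the validation rejects it at plan.
variable "iam_role_path" {
  type        = string
  default     = "/"
  description = "IAM role path"

  validation {
    condition     = can(regex("^/(.*/)?$", var.iam_role_path))
    error_message = "iam_role_path must start and end with '/' (for example \"/\" or \"/baseline/\")."
  }
}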
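
# Principals granted sts:AssumeRole on the admin role. Each entry must be an
# account-scoped IAM or STS ARN (any partition); this rejects a bare "*",
# service principals and account-id wildcards, any of which would widen the
# trust on the most privileged role the module creates. An empty list is
# accepted here because validation cannot reference create_admin_role; the
# role definition should fail or omit the trust statement when it is empty -
# TODO confirm.
variable "trusted_admin_principals" {
  type        = list(string)
  default     = []
  description = "ARNs allowed to assume admin role"

  validation {
    condition     = alltrue([for p in var.trusted_admin_principals : can(regex("^arn:aws(-[a-z]+)?:(iam|sts)::[0-9]{12}:", p))])
    error_message = "Every trusted_admin_principals entry must be an account-scoped IAM or STS ARN (arn:aws...:iam::<account-id>:...)."
  }
}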
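
# Principals granted sts:AssumeRole on the read-only role. Same shape rule as
# trusted_admin_principals: each entry must be an account-scoped IAM or STS
# ARN, so wildcards and service principals are rejected at plan time. An
# empty list is accepted because validation cannot reference
# create_readonly_role.
variable "trusted_readonly_principals" {
  type        = list(string)
  default     = []
  description = "ARNs allowed to assume readonly role"

  validation {
    condition     = alltrue([for p in var.trusted_readonly_principals : can(regex("^arn:aws(-[a-z]+)?:(iam|sts)::[0-9]{12}:", p))])
    error_message = "Every trusted_readonly_principals entry must be an account-scoped IAM or STS ARN (arn:aws...:iam::<account-id>:...)."
  }
}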

# Require an MFA-authenticated session to assume the admin role. Defaults to
# on; turning it off removes the MFA condition from the trust policy.
variable "require_mfa" {
  description = "Require MFA for admin role assumption"
  type        = bool
  default     = true
}
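
# Maximum session duration for the admin role, in seconds. IAM accepts
# 3600 (1 h) through 43200 (12 h); the default is the shortest allowed,
# which limits how long a leaked admin credential stays usable.
variable "admin_session_duration" {
  type        = number
  default     = 3600
  description = "Admin role session duration in seconds"

  validation {
    condition     = var.admin_session_duration >= 3600 && var.admin_session_duration <= 43200
    error_message = "admin_session_duration must be between 3600 and 43200 seconds."
  }
}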
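
# Maximum session duration for the read-only role, in seconds. IAM accepts
# 3600 (1 h) through 43200 (12 h); out-of-range values are rejected at plan
# time instead of failing on apply.
variable "readonly_session_duration" {
  type        = number
  default     = 3600
  description = "Readonly role session duration in seconds"

  validation {
    condition     = var.readonly_session_duration >= 3600 && var.readonly_session_duration <= 43200
    error_message = "readonly_session_duration must be between 3600 and 43200 seconds."
  }
}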

# Tags merged onto every taggable resource the module creates.
variable "tags" {
  description = "Tags to apply to resources"
  type        = map(string)
  default     = {}
}