ghndrx/terraform-foundation
1
0
Fork 0
mirror of https://github.com/ghndrx/terraform-foundation.git synced 2026-02-10 06:45:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a4e07796b892cf21d45cd7e3494824340ef9d6f5
terraform-foundation/terraform/modules/feature-flags/examples/organization-baseline/main.tf
Greg Hendrickson a4e07796b8 feat(feature-flags): centralized tenant-wide feature toggles 
Add feature-flags module for organization-wide security controls:
- Environment presets (production/staging/development)
- Security toggles (GuardDuty, Security Hub, Config, CloudTrail)
- Compliance toggles (CIS, PCI, HIPAA, NIST, SOC2)
- IAM toggles (password policy, MFA enforcement)
- Alerting toggles (severity routing, thresholds)
- Cost management toggles (budgets, thresholds)
- Networking toggles (VPC, endpoints, NAT)
- Backup toggles (schedules, retention)

All features are OPT-IN by default. User input overrides presets.
Includes example wiring into security-baseline and alerting modules.
2026-02-03 20:03:09 +00:00

171 lines
5.7 KiB
HCL
Raw Blame History

################################################################################
# Example: Organization Baseline with Feature Flags
#
# Demonstrates wiring feature flags into security and compliance modules.
# Copy and adapt for your organization's needs.
################################################################################
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
################################################################################
# Feature Flags - Single Source of Truth
################################################################################
module "feature_flags" {
source = "../../"
# Use production preset with customizations
environment_preset = "production"
# Override: Also enable PCI compliance
compliance = {
pci_dss_enabled = true
}
# Override: Configure alerting thresholds
alerting = {
guardduty_min_severity = 7.0 # Only alert on HIGH+ findings
critical_to_pagerduty = true # Page for critical issues
}
}
################################################################################
# Security Baseline - Consumes Feature Flags
################################################################################
resource "aws_s3_bucket" "config" {
bucket_prefix = "org-config-"
force_destroy = true
}
resource "aws_s3_bucket_versioning" "config" {
bucket = aws_s3_bucket.config.id
versioning_configuration {
status = "Enabled"
}
}
module "security_baseline" {
source = "../../../security-baseline"
name = "org-security"
# Wire feature flags
enable_guardduty = module.feature_flags.security.guardduty_enabled
enable_securityhub = module.feature_flags.security.securityhub_enabled
enable_config = module.feature_flags.security.config_enabled
enable_access_analyzer = module.feature_flags.security.access_analyzer_enabled
config_bucket_name = aws_s3_bucket.config.id
# Security Hub standards based on compliance flags
securityhub_standards = concat(
module.feature_flags.compliance.aws_foundational_enabled ? ["aws-foundational-security-best-practices/v/1.0.0"] : [],
module.feature_flags.compliance.cis_benchmark_enabled ? ["cis-aws-foundations-benchmark/v/1.4.0"] : [],
module.feature_flags.compliance.pci_dss_enabled ? ["pci-dss/v/3.2.1"] : []
)
tags = {
Environment = module.feature_flags.environment_preset
ManagedBy = "terraform"
}
}
################################################################################
# Alerting - Consumes Feature Flags
################################################################################
module "alerting" {
source = "../../../alerting"
name = "org-alerts"
email_endpoints = ["security@example.com"]
# Wire feature flags
enable_guardduty_events = module.feature_flags.alerting.guardduty_alerts_enabled
enable_securityhub_events = module.feature_flags.alerting.securityhub_alerts_enabled
enable_aws_health_events = module.feature_flags.alerting.health_alerts_enabled
tags = {
Environment = module.feature_flags.environment_preset
}
}
################################################################################
# IAM Account Settings - Consumes Feature Flags
################################################################################
module "iam_settings" {
source = "../../../iam-account-settings"
account_alias = "my-org-prod"
enable_password_policy = module.feature_flags.iam.password_policy_enabled
enforce_mfa = module.feature_flags.iam.mfa_enforcement_enabled
password_policy = {
minimum_length = module.feature_flags.iam.password_minimum_length
require_symbols = module.feature_flags.iam.password_require_symbols
require_numbers = module.feature_flags.iam.password_require_numbers
require_uppercase_characters = module.feature_flags.iam.password_require_uppercase
require_lowercase_characters = module.feature_flags.iam.password_require_lowercase
max_password_age = module.feature_flags.iam.password_max_age_days
password_reuse_prevention = module.feature_flags.iam.password_reuse_prevention
}
tags = {
Environment = module.feature_flags.environment_preset
}
}
################################################################################
# CloudTrail - Consumes Feature Flags
################################################################################
module "cloudtrail" {
source = "../../../cloudtrail"
count = module.feature_flags.security.cloudtrail_enabled ? 1 : 0
name = "org-trail"
is_multi_region = module.feature_flags.security.cloudtrail_multi_region
enable_log_file_validation = module.feature_flags.security.cloudtrail_log_validation
enable_insights = module.feature_flags.security.cloudtrail_insights
enable_data_events = module.feature_flags.security.cloudtrail_data_events
tags = {
Environment = module.feature_flags.environment_preset
}
}
################################################################################
# Outputs
################################################################################
output "feature_flags" {
value = {
preset = module.feature_flags.environment_preset
is_production = module.feature_flags.is_production
encryption_required = module.feature_flags.encryption_required
compliance_strict = module.feature_flags.compliance_strict
}
description = "Active feature flags summary"
}
output "enabled_services" {
value = module.security_baseline.enabled_services
}
Reference in New Issue View Git Blame Copy Permalink