Terraform AWS Landing Zone

Description

Note, this module is not intended to be used outside of the organization, as the template provides a consistent blueprint for the provisioning of accounts with the Appvia AWS estate.

Usage

Please refer to one of the application, platform or sandbox pipelines for an example of how to use this module.

Notification Features

Tenants are able to provision notifications within the designated region. This first step to ensure notifications is enabled.

notifications = {
  email = {
    addresses = ["MY_EMAIL_ADDRESS"]
  }
  slack = {
    webhook = "MY_SLACK_WEBHOOK"
  }
}

Security Features

The notifications can used to send notifications to users via email or slack, for events related to costs, security and budgets.

Service Control Policies

Additional service control policies can be applied to the account. This is useful for ensuring that the account is compliant with the organization's security policies, specific to the accounts requirements.

You can configure additional service control policies using the var.service_control_policies variable, such as the below example

data "aws_iam_policy_document" "deny_s3" {
  statement {
    effect    = "Deny"
    actions = ["s3:*"]
    resources = ["*"]
  }
}

module "account" {
  service_control_policies = {
    "MY_POLICY_NAME" = {
      name   = "deny-s3"
      policy = data.aws_iam_policy_document.deny_s3.json
    }
  }
}

AWS Config Compliance Packs

You can configure additional compliance packs using the var.aws_config variable, such as the below example

data "http" "security_hub_enabled" {
  url = "https://s3.amazonaws.com/aws-service-catalog-reference-architectures/AWS_Config_Rules/Security/SecurityHub/SecurityHub-Enabled.json"
}

module "account" {
  aws_config = {
    enable = true
    compliance_packs = {
      "MY_COMPLIANCE_PACK" = {
        parameter_overrides = {
          "MY_PARAMETER" = "MY_VALUE"
        }
        template_url = data.http.security_hub_enabled.body
      }
    }
  }
}

IAM Password Policy

The IAM password policy can be configured to enforce password policies on the account. This is useful for ensuring that the account is compliant with the organization's security policies, specific to the accounts requirements.

iam_password_policy = {
  enabled = true
  allow_users_to_change_password = true
  hard_expiry = false
  max_password_age = 90
  minimum_password_length = 8
  password_reuse_prevention = 24
  require_lowercase_characters = true
  require_numbers = true
  require_symbols = true
  require_uppercase_characters = true
}

IAM Access Analyzer

The IAM access analyzer can be configured to analyze access to resources within your account and produce findings related to excessive permissions and or permissions which carry a high risk.

iam_access_analyzer = {
  enabled = true
  analyzer_name = "lza-iam-access-analyzer" # optional
  analyzer_type = "ORGANIZATION" # optional but default
}

AWS Inspector

You can control the enable for disabling of the AWS Inspector service via the var.inspector variable, such as the below example

module "account" {
  inspector = {
    enable = true
    delegate_account_id = "123456789012" # Usually the security account
  }
}

EBS Encryption

The EBS encryption can be configured to encrypt all EBS volumes within the account. The feature ensures all volumes are automatically encrypted.

ebs_encryption = {
  enabled = true
  create_kms_key = true
  key_alias = "lza/ebs/default"
}

S3 Block Public Access

The S3 block public access can be configured to block public access to S3 buckets within the account. The feature ensures all buckets are automatically blocked from public access.

s3_block_public_access = {
  enabled = true
  enable_block_public_policy = true
  enable_block_public_acls = true
  enable_ignore_public_acls = true
  enable_restrict_public_buckets = true
}

IAM Customers Managed Policies

This module can ensure a set of IAM policies are created within the account. This is useful for ensuring that the account is preloaded with any required policy sets.

You can configure additional IAM policies using the var.iam_policies variable, such as the below example

module "account" {
  iam_policies = {
    "deny_s3" = {
      name = "deny-s3"
      description = "Used to deny access to S3"
      policy = data.aws_iam_policy_document.deny_s3.json
    }
    "deny_s3_with_prefix" = {
      name_prefix = "deny-s3-"
      policy = data.aws_iam_policy_document.deny_s3.json
      description = "Used to deny access to S3"
      path   = "/"
    }
  }
}

IAM Roles

This module can ensure a set of IAM roles are created within the account. This is useful for ensuring that the account is compliant with the organization's security policies, specific to the accounts requirements. Note, the IAM role have an automatic dependency on any IAM policies defined above to ensure ordering.

You can configure additional IAM roles using the var.iam_roles variable, such as the below example

module "account" {
  iam_roles = {
    "s3_administrator" = {
      name = "MY_ROLE_NAME"
      assume_roles = ["arn:aws:iam::123456789012:role/role-name"]
      description = "Administrator role for S3"
      path = "/"
      permissions_boundary_arn = null
      permissions_arns = [
        "arn:aws:iam::aws:policy/AmazonS3FullAccess"
      ]
      #policies = [data.aws_iam_policy_document.deny_s3.json]
    }
    "ec2_instance_profile" {
      name = "lza-ssm-instance-profile"
      assume_services = ["ec2.amazonaws.com"]
      description = "Instance profiles for ec2 compute machine"
      path = "/"
      permissions_arns = [
        "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess",
        "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
        "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
      ]
    }
    "kms_admin" = {
      name = "kms-admin"
      assume_accounts = ["123456789012"]
      description = "Administrator role for KMS"
      path = "/"
      permissions_arns = [
        "arn:aws:iam::aws:policy/AmazonKMSFullAccess"
      ]
    }
  }
}

RBAC & Identity Center Assignment

This module provides the ability for tenants to manage the assignment of prescribed roles to users and groups within the account. The sso_assignment module is used to manage the assignment of roles to users and groups within the account.

Note, the roles permitted for assignment can be found within local.sso_permitted_permission_sets, an example of the permitted roles can be found below:

sso_permitted_permission_sets = {
  "devops_engineer"   = "DevOpsEngineer"
  "finops_engineer"   = "FinOpsEngineer"
  "network_engineer"  = "NetworkEngineer"
  "network_viewer"    = "NetworkViewer"
  "platform_engineer" = "PlatformEngineer"
  "security_auditor"  = "SecurityAuditor"
}

This maps the exposed name used in the var.rbac to the name of the role within the AWS Identity Center.

Tenants can assign roles to users and groups by providing a map of users and groups to roles within the var.rbac variable. An example of this can be found below:

rbac = {
  "devops_engineer" = {
    users  = ["MY_SSO_USER"]
    groups = ["MY_SSO_GROUP"]
  }
}

GitHub Repository Management

This module includes comprehensive GitHub repository management capabilities through the modules/github_repository module. This allows tenants to create and manage GitHub repositories with enterprise-grade security and compliance features.

GitHub Repository Features

• Repository Creation: Create GitHub repositories with customizable names, descriptions, and visibility
• Security & Compliance: Branch protection, required reviews, status checks, vulnerability alerts
• Collaboration Management: User and team access control, environment protection
• Automation: Repository templates, merge strategies, and automated workflows

Basic GitHub Repository Usage

module "my_repository" {
  source = "./modules/github_repository"

  repository  = "my-project"
  description = "My awesome project"
  visibility  = "private"
}

Advanced GitHub Repository Configuration

module "enterprise_repository" {
  source = "./modules/github_repository"

  repository  = "enterprise-critical-system"
  description = "Enterprise critical system with strict controls"
  
  # Security settings
  visibility = "private"
  
  # Branch protection
  enforce_branch_protection_for_admins = true
  required_approving_review_count      = 3
  dismiss_stale_reviews                = true
  prevent_self_review                  = true
  
  # Status checks
  required_status_checks = [
    "CI / Build and Test",
    "Security / Security Scan",
    "Compliance / Compliance Check"
  ]
  
  # Environments
  repository_environments          = ["staging", "production"]
  default_environment_review_users = ["senior-dev1", "senior-dev2"]
  
  # Collaborators
  repository_collaborators = [
    {
      username   = "senior-dev1"
      permission = "admin"
    }
  ]
  
  # Topics
  repository_topics = ["enterprise", "terraform", "aws", "critical"]
}

For complete GitHub repository management examples, see the examples/github_repository/ directory.

Cost Management Features

Tenants are able to receive budgets notifications related to the services. Once notifications have been configured they will automatically receive daily, weekly or monthly reports and notifications on where they sit in the budget.

Anomaly Detection

Tenants are able to provision anomaly detection rules within the designated region. This is useful for ensure cost awareness and alerting on any unexpected costs.

cost_anomaly_detection = {
  enabled = true
  monitors = [
    {
      name      = lower("lza-${local.region}")
      frequency = "IMMEDIATE"
      threshold_expression = [
        {
          and = {
            dimension = {
              key           = "ANOMALY_TOTAL_IMPACT_ABSOLUTE"
              match_options = ["GREATER_THAN_OR_EQUAL"]
              values        = ["100"]
            }
          }
        },
        {
          and = {
            dimension = {
              key           = "ANOMALY_TOTAL_IMPACT_PERCENTAGE"
              match_options = ["GREATER_THAN_OR_EQUAL"]
              values        = ["50"]
            }
          }
        }
      ]

      specification = jsonencode({
        "And" : [
          {
            "Dimensions" : {
              "Key" : "REGION"
              "Values" : [local.region]
            }
          }
        ]
      })
    }
  ]
}

Networking Features

Tenants are able to provision networks within the designated region, while allowing the platform to decide how these are wired up into the network topology of the organization i.e. ensuring the are using IPAM, connected to the transit gateway, egress via the central vpc and so forth.

All networks are defined within the var.networks variable, an example of this can be found below:

networks = {
  my_vpc_name = {
    subnets = {
      private = {
        netmask = 28
      }
      database = {
        netmask = 22
      }
    }

    vpc = {
      availability_zones     = 2
      enable_ipam            = true
      enable_transit_gateway = true
    }
  }

  my_second_vpc = {
    subnets = {
      private = {
        netmask = 28
      }
    }

    vpc = {
      enable_ipam            = true
      enable_transit_gateway = true
    }
  }
}

Transit Gateway Connectivity

When network have defined the enable_transit_gateway boolean it is the responsibility of the consumer of this module to have defined the correct transit gateway id and any default routing requirements.

Assuming the following configuration

module "my_account" {
  ...
  networks = {
    dev = {
      vpc = {
        enable_transit_gateway = true
        ipam_pool_name = "development"
        netmask        = 21
      }

      transit_gateway = {
        gateway_id = "tgw-1234567890"
        gateway_routes = {
          private = "10.0.0.0/8"
        }
      }

      subnets = {
        private = {
          netmask = 24
        }
      }
    },
  }

We can also create transit gateway route table associations by extending the above configuration

module "my_account" {
  ...
  networks = {
    dev = {
      vpc = {
        enable_transit_gateway = true
        ipam_pool_name = "development"
        netmask        = 21
      }

      transit_gateway = {
        gateway_id = "tgw-1234567890"
        gateway_routes = {
          private = "10.0.0.0/8"
        }
        gateway_route_table_id = "rtb-1234567890"
      }
    }
  }
}

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

1. Make changes to the .terraform-docs.yml file
2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/)
3. Run terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Providers

Name	Version
aws	>= 5.0.0
aws.identity	>= 5.0.0
aws.management	>= 5.0.0
aws.network	>= 5.0.0
aws.tenant	>= 5.0.0

Inputs

Name	Description	Type	Default	Required
environment	The environment in which to provision resources	string	n/a	yes
git_repository	The git repository to use for the account	string	n/a	yes
home_region	The home region in which to provision global resources	string	n/a	yes
owner	The owner of the product, and injected into all resource tags	string	n/a	yes
product	The name of the product to provision resources and inject into all resource tags	string	n/a	yes
tags	A collection of tags to apply to resources	map(string)	n/a	yes
account_alias	The account alias to apply to the account	string	null	no
aws_config	Account specific configuration for AWS Config	object({ enable = optional(bool, false) # A flag indicating if AWS Config should be enabled compliance_packs = map(object({ parameter_overrides = optional(map(string), {}) # A map of parameter overrides to apply to the compliance pack template_url = optional(string, "") # The URL of the compliance pack template_body = optional(string, "") })) ## A list of compliance packs to provision in the account })	{ "compliance_packs": {}, "enable": false }	no
budgets	A collection of budgets to provision	list(object({ name = string budget_type = optional(string, "COST") limit_amount = optional(string, "100.0") limit_unit = optional(string, "PERCENTAGE") time_unit = optional(string, "MONTHLY") notifications = optional(map(object({ comparison_operator = string notification_type = string threshold = number threshold_type = string })), null) auto_adjust_data = optional(list(object({ auto_adjust_type = string })), []) cost_filter = optional(map(object({ values = list(string) })), {}) cost_types = optional(object({ include_credit = optional(bool, false) include_discount = optional(bool, false) include_other_subscription = optional(bool, false) include_recurring = optional(bool, false) include_refund = optional(bool, false) include_subscription = optional(bool, false) include_support = optional(bool, false) include_tax = optional(bool, false) include_upfront = optional(bool, false) use_blended = optional(bool, false) }), { include_credit = false include_discount = false include_other_subscription = false include_recurring = false include_refund = false include_subscription = true include_support = false include_tax = false include_upfront = false use_blended = false }) tags = optional(map(string), {}) }))	[]	no
central_dns	Configuration for the hub used to centrally resolved dns requests	object({ enable = optional(bool, false) # The domain name to use for the central DNS vpc_id = optional(string, null) })	{ "enable": false, "vpc_id": null }	no
cost_anomaly_detection	A collection of cost anomaly detection monitors to apply to the account	object({ enable = optional(bool, true) # A flag indicating if the default monitors should be enabled monitors = optional(list(object({ name = string # The name of the anomaly detection rule frequency = optional(string, "IMMEDIATE") # The dimension of the anomaly detection rule, either SERVICE or DIMENSIONAL threshold_expression = optional(list(object({ and = object({ dimension = object({ key = string # The key of the dimension match_options = list(string) # The match options of the dimension values = list(string) # The values of the dimension }) }) # The expression to apply to the cost anomaly detection monitor })), []) # The expression to apply to the anomaly detection rule # see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_anomaly_monitor specification = optional(string, "") # The specification to anomaly detection monitor # see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_anomaly_monitor })), []) })	{ "enable": true, "monitors": [] }	no
cost_center	The cost center of the product, and injected into all resource tags	string	null	no
dns	A collection of DNS zones to provision and associate with networks	map(object({ comment = optional(string, "Managed by zone created by terraform") # A comment associated with the DNS zone network = string # A list of network names to associate with the DNS zone private = optional(bool, true) # A flag indicating if the DNS zone is private or public }))	{}	no
ebs_encryption	A collection of EBS encryption settings to apply to the account	object({ enable = optional(bool, false) # A flag indicating if EBS encryption should be enabled create_kms_key = optional(bool, true) # A flag indicating if an EBS encryption key should be created key_deletion_window_in_days = optional(number, 10) # The number of days to retain the key before deletion when the key is removed key_alias = optional(string, "lza/ebs/default") # The alias of the EBS encryption key when provisioning a new key key_arn = optional(string, null) # The ARN of an existing EBS encryption key to use for EBS encryption })	null	no
guardduty	A collection of GuardDuty settings to apply to the account	object({ # A flag indicating if GuardDuty should be created finding_publishing_frequency = optional(string, "FIFTEEN_MINUTES") # The frequency of finding publishing detectors = optional(list(object({ name = string # The name of the detector enable = optional(bool, true) # The frequency of finding publishing additional_configuration = optional(list(object({ name = string # The name of the additional configuration enable = optional(bool, true) # The status of the additional configuration })), []) })), []) # Configuration for the detector filters = optional(map(object({ # The name of the filter action = string # The action of the filter rank = number # The rank of the filter description = string # The description of the filter criterion = list(object({ field = string # The field of the criterion equals = optional(string, null) # The equals of the criterion not_equals = optional(string, null) # The not equals of the criterion greater_than = optional(string, null) # The greater than of the criterion greater_than_or_equal = optional(string, null) # The greater than or equal of the criterion less_than = optional(string, null) # The less than of the criterion less_than_or_equal = optional(string, null) # The less than or equal of the criterion })) # The criterion of the filter })), {}) })	null	no
iam_access_analyzer	The IAM access analyzer configuration to apply to the account	object({ enable = optional(bool, false) # A flag indicating if IAM access analyzer should be enabled analyzer_name = optional(string, "lza-iam-access-analyzer") # The name of the IAM access analyzer analyzer_type = optional(string, "ORGANIZATION") # The type of the IAM access analyzer })	{ "analyzer_name": "lza-iam-access-analyzer", "analyzer_type": "ORGANIZATION", "enable": true }	no
iam_groups	A collection of IAM groups to apply to the account	list(object({ enforce_mfa = optional(bool, true) # A flag indicating if MFA should be enforced name = optional(string, null) # The name prefix of the IAM group path = optional(string, "/") # The path of the IAM group policies = optional(list(string), []) # A list of policies to apply to the IAM group users = optional(list(string), []) # A list of users to apply to the IAM group }))	[]	no
iam_instance_profiles	A collection of IAM instance profiles to apply to the account	map(object({ name = optional(string, null) # The name prefix of the IAM instance profile path = optional(string, "/") # The path of the IAM instance profile permission_arns = optional(list(string), []) # A list of roles to apply to the IAM instance profile }))	{}	no
iam_password_policy	The IAM password policy to apply to the account	object({ enable = optional(bool, false) # A flag indicating if IAM password policy should be enabled allow_users_to_change_password = optional(bool, true) # A flag indicating if users can change their password hard_expiry = optional(bool, false) # A flag indicating if a hard expiry should be enforced max_password_age = optional(number, 90) # The maximum password age minimum_password_length = optional(number, 16) # The minimum password length password_reuse_prevention = optional(number, 24) # The number of passwords to prevent reuse require_lowercase_characters = optional(bool, true) # A flag indicating if lowercase characters are required require_numbers = optional(bool, true) # A flag indicating if numbers are required require_symbols = optional(bool, true) # A flag indicating if symbols are required require_uppercase_characters = optional(bool, true) # A flag indicating if uppercase characters are required })	{}	no
iam_policies	A collection of IAM policies to apply to the account	map(object({ name = optional(string, null) # The name of the IAM policy name_prefix = optional(string, null) # The name prefix of the IAM policy description = string # The description of the IAM policy path = optional(string, "/") # The path of the IAM policy policy = string # The policy document to apply to the IAM policy }))	{}	no
iam_roles	A collection of IAM roles to apply to the account	map(object({ name = optional(string, null) # The name of the IAM role name_prefix = optional(string, null) # The name prefix of the IAM role assume_accounts = optional(list(string), []) # List of accounts to assume the role assume_roles = optional(list(string), []) # List of principals to assume the role assume_services = optional(list(string), []) # List of services to assume the role description = string # The description of the IAM role path = optional(string, "/") # The path of the IAM role permission_boundary_arn = optional(string, "") # A collection of tags to apply to the IAM role permission_arns = optional(list(string), []) # A list of additional permissions to apply to the IAM role policies = optional(any, []) }))	{}	no
iam_service_linked_roles	A collection of service linked roles to apply to the account	list(string)	[ "autoscaling.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com" ]	no
iam_users	A collection of IAM users to apply to the account	list(object({ name = optional(string, null) # The name of the IAM user name_prefix = optional(string, null) # The name prefix of the IAM user path = optional(string, "/") # The path of the IAM user permission_boundary_name = optional(string, null) # A list of additional permissions to apply to the IAM user policy_arns = optional(list(string), []) }))	[]	no
identity_center_permitted_roles	A map of permitted SSO roles, with the name of the permitted SSO role as the key, and value the permissionset	map(string)	{ "network_viewer": "NetworkViewer", "security_auditor": "SecurityAuditor" }	no
include_iam_roles	Collection of IAM roles to include in the account	object({ security_auditor = optional(object({ enable = optional(bool, false) name = optional(string, "lza-security-auditor") }), {}) ssm_instance = optional(object({ enable = optional(bool, false) name = optional(string, "lza-ssm-instance") }), {}) })	{ "security_auditor": { "enable": false, "name": "lza-security-auditor" }, "ssm_instance": { "enable": false, "name": "lza-ssm-instance" } }	no
infrastructure_repository	The infrastructure repository provisions and configures a pipeline repository for the landing zone	object({ name = optional(string, null) # The name prefix of the repository create = optional(bool, true) # A flag indicating if the repository should be created visibility = optional(string, "private") # The visibility of the repository default_branch = optional(string, "main") # The default branch of the repository template = optional(object({ owner = string # The owner of the repository template repository = string # The repository template to use for the repository }), null ) # The repository template to use for the repository branch_protection = optional(object({ dismissal_apps = list(string) # The apps to dismiss reviews dismiss_stale_reviews = bool # A flag indicating if the stale reviews should be dismissed dismissal_teams = list(string) # The teams to dismiss reviews dismissal_users = list(string) # The users to dismiss reviews enforce_branch_protection_for_admins = bool # A flag indicating if the branch protection should be enforced for admins prevent_self_review = bool # A flag indicating if the self review should be prevented required_approving_review_count = number # The number of approving reviews required }), { dismiss_stale_reviews = true dismissal_apps = [] dismissal_teams = [] dismissal_users = [] enforce_branch_protection_for_admins = true prevent_self_review = true required_approving_review_count = 2 }) # The branch protection to use for the repository permissions = optional(object({ read_only_policy_arns = list(string) # The policy ARNs to associate with the repository read_write_policy_arns = list(string) # The policy ARNs to associate with the repository }), { read_only_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"] read_write_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"] }) # The permissions to use for the repository permissions_boundary = optional(object({ arn = optional(string, null) # The ARN of the permissions boundary to use for the repository policy = optional(string, null) # The policy of the permissions boundary to use for the repository }), null) # The permissions boundary to use for the repository })	null	no
inspector	Configuration for the AWS Inspector service	object({ enable = optional(bool, false) # A flag indicating if AWS Inspector should be enabled delegate_account_id = optional(string, null) # The account ID we should associate the service to })	null	no
kms_administrator	Configuration for the default kms administrator role to use for the account	object({ # The domain name to use for the central DNS assume_accounts = optional(list(string), []) # A list of roles to assume the kms administrator role assume_roles = optional(list(string), []) # A list of roles to assume the kms administrator role assume_services = optional(list(string), []) # A list of services to assume the kms administrator role description = optional(string, "Provides access to administer the KMS keys for the account") # The description of the default kms administrator role enable = optional(bool, false) # A flag indicating if the default kms administrator role should be enabled enable_account_root = optional(bool, false) # A flag indicating if the account root should be enabled name = optional(string, "lza-kms-adminstrator") # The name of the default kms administrator role })	{ "assume_accounts": [], "assume_roles": [], "assume_services": [], "description": "Provides access to administer the KMS keys for the account", "enable": false, "enable_account_root": false, "name": "lza-kms-adminstrator" }	no
kms_key	Configuration for the default kms encryption key to use for the account (per region)	object({ enable = optional(bool, false) # A flag indicating if account encryption should be enabled key_deletion_window_in_days = optional(number, 7) # The number of days to retain the key before deletion when the key is removed key_alias = optional(string, null) # The alias of the account encryption key when provisioning a new key key_administrators = optional(list(string), []) # A list of ARN of the key administrators key_owners = optional(list(string), []) # A list of ARN of the key owners key_users = optional(list(string), []) # A list of ARN of the key users - if unset, it will default to the account })	{ "enable": false, "key_administrators": [], "key_alias": "lza/account/default", "key_deletion_window_in_days": 7, "key_owners": [], "key_users": [] }	no
macie	A collection of Macie settings to apply to the account	object({ enable = optional(bool, false) # A flag indicating if Macie should be enabled frequency = optional(string, "FIFTEEN_MINUTES") # The frequency of Macie findings admin_account_id = optional(string, null) # Is defined the member account will accept any invitations from the management account })	null	no
networks	A collection of networks to provision within the designated region	map(object({ firewall = optional(object({ capacity = number # The capacity of the firewall rule group rules_source = string # The content of the suracata rules ip_sets = map(list(string)) # A map of IP sets to apply to the firewall rule ie. WEBSERVERS = ["100.0.0.0/16"] port_sets = map(list(number)) # A map of port sets to apply to the firewall rule ie. WEBSERVERS = [80, 443] domains_whitelist = list(string) }), null) subnets = map(object({ cidr = optional(string, null) # The CIDR block of the subnet netmask = optional(number, 0) })) tags = optional(map(string), {}) # A collection of tags to apply to the network - these will be merged with the global tags transit_gateway = optional(object({ gateway_id = optional(string, null) # The transit gateway ID to associate with the network gateway_route_table_id = optional(string, null) ## Optional id of the transit gateway route table to associate with the network gateway_routes = optional(map(string), null) # A map used to associate routes with subnets provisioned by the module - i.e ensure # all private subnets push }), { gateway_id = null gateway_route_table_id = null gateway_routes = null }) ## Configuration for the transit gateway for this network vpc = object({ availability_zones = optional(string, 2) # The availability zone in which to provision the network, defaults to 2 cidr = optional(string, null) # The CIDR block of the VPC network if not using IPAM enable_private_endpoints = optional(list(string), []) # An optional list of private endpoints to associate with the network i.e ["s3", "dynamodb"] enable_shared_endpoints = optional(bool, true) # Indicates if the network should accept shared endpoints enable_transit_gateway = optional(bool, true) # A flag indicating if the network should be associated with the transit gateway enable_transit_gateway_appliance_mode = optional(bool, false) # A flag indicating if the transit gateway should be in appliance mode enable_default_route_table_association = optional(bool, true) # A flag indicating if the default route table should be associated with the network enable_default_route_table_propagation = optional(bool, true) # A flag indicating if the default route table should be propagated to the network ipam_pool_name = optional(string, null) # The name of the IPAM pool to use for the network nat_gateway_mode = optional(string, "none") # The NAT gateway mode to use for the network, defaults to none netmask = optional(number, null) # The netmask of the VPC network if using IPAM transit_gateway_routes = optional(map(string), null) # A list of routes to associate with the transit gateway, optional }) }))	{}	no
notifications	Configuration for the notifications to the owner of the account	object({ email = optional(object({ addresses = optional(list(string), []) # A list of email addresses to send notifications to }), { addresses = [] }) slack = optional(object({ webhook_url = optional(string, "") # The slack webhook_url to send notifications to }), { webhook_url = null }) teams = optional(object({ webhook_url = optional(string, "") # The teams webhook_url to send notifications to }), { webhook_url = null }) services = optional(object({ securityhub = object({ enable = optional(bool, false) # A flag indicating if security hub notifications should be enabled eventbridge_rule_name = optional(string, "lza-securityhub-eventbridge") # The sns topic name which is created per region in the account, # this is used to receive notifications, and forward them on via email or other means. lambda_name = optional(string, "lza-securityhub-slack-forwarder") # The name of the lambda which will be used to forward the security hub events to slack lambda_role_name = optional(string, "lza-securityhub-slack-forwarder") # The name of the eventbridge rule which is used to forward the security hub events to the lambda severity = optional(list(string), ["CRITICAL"]) }) }), { securityhub = { enable = false } }) })	{ "email": { "addresses": [] }, "services": { "securityhub": { "enable": false, "eventbridge_rule_name": "lza-securityhub-eventbridge", "lambda_name": "lza-securityhub-slack-forwarder", "lambda_role_name": "lza-securityhub-slack-forwarder", "severity": [ "CRITICAL" ] } }, "slack": { "webhook_url": null }, "teams": { "webhook_url": null } }	no
rbac	Provides the ability to associate one of more groups with a sso role in the account	map(object({ users = optional(list(string), []) # A list of users to associate with the developer role groups = optional(list(string), []) # A list of groups to associate with the developer role }))	{}	no
s3_block_public_access	A collection of S3 public block access settings to apply to the account	object({ enable = optional(bool, false) # A flag indicating if S3 block public access should be enabled enable_block_public_policy = optional(bool, true) # A flag indicating if S3 block public policy should be enabled enable_block_public_acls = optional(bool, true) # A flag indicating if S3 block public ACLs should be enabled enable_ignore_public_acls = optional(bool, true) # A flag indicating if S3 ignore public ACLs should be enabled enable_restrict_public_buckets = optional(bool, true) # A flag indicating if S3 restrict public buckets should be enabled })	{ "enable": false, "enable_block_public_acls": true, "enable_block_public_policy": true, "enable_ignore_public_acls": true, "enable_restrict_public_buckets": true }	no
service_control_policies	Provides the ability to associate one of more service control policies with an account	map(object({ name = string # The policy name to associate with the account policy = string # The policy document to associate with the account }))	{}	no

Outputs

Name	Description
account_id	The account id where the pipeline is running
auditor_account_id	The account id for the audit account
environment	The environment name for the tenant
ipam_pools_by_name	A map of the ipam pool name to id
log_archive_account_id	The account id for the log archive account
networks	A map of the network name to network details
private_hosted_zones	A map of the private hosted zones
private_hosted_zones_by_id	A map of the hosted zone name to id
sns_notification_arn	The SNS topic ARN for notifications
sns_notification_name	Name of the SNS topic used to channel notifications
tags	The tags to apply to all resources
tenant_account_id	The region of the tenant account
vpc_ids	A map of the network name to vpc id