secure-base
appzen-oss/secure-base/aws
AWS multi-account, multi-region organization secure base
terraform-aws-secure-base

A Terraform module to set up an AWS multi-account, multi-region organization with account/region security settings and security services.

*Module is still a Work in Progress*

Features

- Designed to delegate management of all security services to a dedicated administrator account
- Designed to send all logs to a dedicated log account

Usage

Submodules

This module is composed of several submodules, all of which can be used independently.

- submodules

Examples

- examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.4 |
| aws | >= 4.1.0 |
| time | >= 0.7.2 |

Providers

| Name | Version |
|------|---------|
| aws | 4.2.0 |

Modules

Inputs
| Name | Type | Description | Default |
|---|---|---|---|
| account_type | string | AWS account type (master, administrator, log, member) | required |
| cloudtrail_s3_bucket | string | CloudTrail S3 bucket | required |
| security_administrator_account_id | number | AWS Security Administrator Account ID | required |
| cloudtrail_enable_logging | bool | Enable logging for the trail | true |
| force_destroy | bool | Allow destroy of S3 bucket with objects | false |
| enable_config | bool | Enable AWS Config service | true |
| enable_guardduty | bool | Enable AWS GuardDuty service | true |
| ecr_scan_type | string | ECR scanning type (BASIC or ENHANCED) | "BASIC" |
| iam_minimum_password_length | number | Minimum length to require for user passwords. | 14 |
| iam_password_reuse_prevention | number | The number of previous passwords that users are prevented from reusing. | 24 |
| cloudtrail_s3_key_prefix | string | S3 key prefix for CloudTrail | "cloudtrail" |
| enable_ecr_baseline | bool | Enable ECR image scanning | true |
| s3_block_public_policy | bool | Whether Amazon S3 should block public bucket policies for buckets in this accoun | true |
| cloudtrail_enable_log_file_validation | bool | Specifies whether log file integrity validation is enabled. Creates signed diges | true |
| cloudtrail_insight_selector | list(object({ insight_type | Specifies an insight selector for identifying unusual operational activity. See: | [ { "insight_type": "ApiCallRateIn |
| cloudtrail_is_organization_trail | bool | The trail is an AWS Organizations trail | true |
| ecr_scanning_rules | list(map(string)) | List of ECR scanning rules | [ { "filter": "*", "frequency" |
| enable_iam_baseline | bool | Boolean whether iam-baseline is enabled. | true |
| iam_require_numbers | bool | Whether to require numbers for user passwords. | true |
| s3_block_public_acls | bool | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults | true |
| cloudtrail_include_global_service_events | bool | Specifies whether the trail is publishing events from global services such as IA | true |
| enable_firewall_manager | bool | Enable AWS Firewall Manager service | true |
| tags | map(any) | Specifies object tags key and value. This applies to all resources created by th | { "Environment": "infra", "Product": |
(… and 4 more inputs not shown here)
Outputs

- s3_bucket_arns — S3 Bucket ARNs
- s3_bucket_names — S3 Bucket Names
- s3_bucket_region_arn_map — Map of regions and S3 ARNs
- s3_bucket_region_name_map — Map of regions and S3 names
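A root-module call that wires one workload account into the design above, using only the inputs and outputs documented on this page. This is an added example, not code from the appzen-oss project; the version pin, region, account ID, bucket name and Product tag are placeholders.

```hcl
terraform {
  required_version = ">= 1.1.4"
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 4.1.0" }
    time = { source = "hashicorp/time", version = ">= 0.7.2" }
  }
}

# Assumed: credentials for the account being baselined come from the environment.
provider "aws" {
  region = "us-east-1" # placeholder home region
}

# One module call per AWS account; account_type selects its role in the organization.
module "secure_base" {
  source  = "appzen-oss/secure-base/aws"
  version = "x.y.z" # placeholder: pin to a released module version

  # "member" for a workload account; "master", "administrator" and "log"
  # are the organization, delegated security-admin and central log accounts.
  account_type = "member"

  # Security services are delegated to the dedicated administrator account.
  security_administrator_account_id = 111111111111 # placeholder account ID

  # CloudTrail is written to the dedicated log account's bucket.
  cloudtrail_s3_bucket                  = "example-org-cloudtrail" # placeholder
  cloudtrail_s3_key_prefix              = "cloudtrail"
  cloudtrail_is_organization_trail      = true
  cloudtrail_enable_log_file_validation = true # keep signed digests

  # Keep destructive or weakening options at their safe defaults.
  force_destroy                 = false # destroy must not empty log buckets
  s3_block_public_acls          = true
  s3_block_public_policy        = true
  iam_minimum_password_length   = 14
  iam_password_reuse_prevention = 24

  ecr_scan_type = "ENHANCED" # BASIC is the default; ENHANCED is the other mode

  tags = {
    Environment = "infra"
    Product     = "secure-base" # placeholder product tag
  }
}

# Per-region log bucket names, from the module's documented outputs.
output "cloudtrail_buckets_by_region" {
  value = module.secure_base.s3_bucket_region_name_map
}
```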