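# Force MFA for IAM users. Presumably enforced by an IAM policy that denies
# actions unless aws:MultiFactorAuthPresent is true — confirm in main.tf.
# NOTE(review): an IAM policy cannot constrain the root user; the root MFA
# check is the separate enable_rule_require_root_account_MFA Config rule.
variable "enable_mfa" {
  type        = bool
  description = "Enable to force MFA usage."
  default     = true
}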
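# Create the administrators group (named by admin_group_name). Presumably
# carries administrator-level permissions — keep membership minimal and pair
# it with enable_mfa.
variable "enable_admin_group" {
  type        = bool
  description = "Create an admin group."
  default     = true
}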
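# Apply the account-level IAM password policy. The password_reuse_prevention,
# minimum_password_length, require_*, allow_users_to_change_password,
# max_password_age and hard_expiry variables below presumably only take
# effect when this is true — confirm in main.tf.
variable "enable_account_password_policy" {
  type        = bool
  description = "Enable custom (strict) password policy."
  default     = true
}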
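# Name of the IAM group created when enable_admin_group is true.
variable "admin_group_name" {
  type        = string
  description = "Name of the admin group."
  default     = "admins"
}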
# How many previous passwords IAM users may not reuse.
# NOTE(review): the default of 1 is weak for a policy described as "strict";
# the CIS AWS Foundations Benchmark recommends 24 (the AWS maximum). The
# default is left unchanged here to avoid altering existing deployments —
# callers should set it explicitly.
variable "password_reuse_prevention" {
  description = "The number of previous passwords that users are prevented from reusing."
  type        = number
  default     = 1
}
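# Minimum IAM password length. The default of 32 is well above the usual
# 14-character baseline; AWS accepts values in the 6–128 range (verify against
# current provider docs).
variable "minimum_password_length" {
  type        = number
  description = "Minimum length to require for user passwords."
  default     = 32
}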
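# Password complexity: require at least one lowercase character.
variable "require_lowercase_characters" {
  type        = bool
  description = "Whether to require lowercase characters for user passwords."
  default     = true
}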
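# Password complexity: require at least one digit.
variable "require_numbers" {
  type        = bool
  description = "Whether to require numbers for user passwords."
  default     = true
}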
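# Password complexity: require at least one uppercase character.
variable "require_uppercase_characters" {
  type        = bool
  description = "Whether to require uppercase characters for user passwords."
  default     = true
}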
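# Password complexity: require at least one non-alphanumeric character.
variable "require_symbols" {
  type        = bool
  description = "Whether to require symbols for user passwords."
  default     = true
}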
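# Let IAM users rotate their own console password. Disabling this means every
# rotation (including after max_password_age) needs an administrator.
variable "allow_users_to_change_password" {
  type        = bool
  description = "Whether to allow users to change their own password."
  default     = true
}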
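# Days before an IAM password expires. 33 is an unusual default (AWS accepts
# 1–1095); confirm it is intentional rather than a typo for 30 or 90.
# NOTE(review): cannot tell from here how main.tf treats this when
# enable_account_password_policy is false.
variable "max_password_age" {
  type        = number
  description = "The number of days that a user password is valid."
  default     = 33
}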
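# When true, an expired password locks the user out until an administrator
# resets it; when false (default) the user may set a new password at next login.
variable "hard_expiry" {
  type        = bool
  description = "Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)"
  default     = false
}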
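# Create a read-only IAM group (named by read_only_group_name).
variable "enable_read_only_group" {
  type        = bool
  description = "Creates a group with read-only IAM policy assigned to it."
  default     = false
}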
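# Name of the group created when enable_read_only_group is true.
variable "read_only_group_name" {
  type        = string
  description = "Name for read-only group."
  default     = "read-only"
}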
### CLOUDTRAIL
# Region of the CloudTrail log bucket. The empty string is the "not set"
# sentinel; the description says it is required once enable_cloudtrail is true.
variable "cloudtrail_bucket_region" {
  description = "The region where the cloudtrail bucket will be created or is located, required if cloudtrail is enabled"
  type        = string
  default     = ""
}
# Name of the S3 bucket that receives CloudTrail logs. Empty means unset.
# NOTE(review): whether main.tf creates this bucket or expects an existing one
# (and whether it applies a deny-delete / log-integrity bucket policy) is not
# visible from this file — confirm before relying on it as an audit store.
variable "cloudtrail_bucket" {
  description = "The name of the cloudtrail bucket"
  type        = string
  default     = ""
}
# Tags applied to every resource the module creates.
variable "tags" {
  description = "Map of tags to apply on the resources"
  type        = map(string)
  default     = {}
}
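# Name of the CloudTrail trail; required when enable_cloudtrail is true.
variable "trail_name" {
  type        = string
  description = "Name of the cloud trail. Required if the cloudtrail is enabled."
  default     = ""
}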
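# Log global-service events (IAM, STS, CloudFront, ...). Keep true: without
# it, IAM changes — the events an investigator most needs — are not recorded.
variable "include_global_service_events" {
  type        = bool
  description = "Specifies whether the trail is publishing events from global services such as IAM to the log files."
  default     = true
}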
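# CloudTrail log file integrity validation (digest files). Keep true: this is
# what lets you detect log files that were modified or deleted after delivery.
variable "enable_log_file_validation" {
  type        = bool
  description = "Specifies whether log file integrity validation is enabled."
  default     = true
}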
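# Record events from all regions, not just the one the trail is created in.
# Keep true so activity in unused regions is still captured.
variable "is_multi_region_trail" {
  type        = bool
  description = "Specifies whether the trail is created in the current region or in all regions."
  default     = true
}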
# NOTE(review): the type constraint `list(string)` contradicts the description,
# which says this is a list of map values (the provider's event_selector is a
# list of objects with read_write_type / include_management_events /
# data_resource). A list of maps would fail type conversion here. Left as-is
# because main.tf is not visible; confirm how it is consumed before loosening
# the type to `any` or `list(map(string))`.
variable "event_selector" {
type = list(string)
description = "Specifies an event selector for enabling data event logging, It needs to be a list of map values. See: https://www.terraform.io/docs/providers/aws/r/cloudtrail.html for details on this map variable"
default = []
}
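# Create the account's default trail. Off by default; when enabled,
# cloudtrail_bucket, cloudtrail_bucket_region and trail_name are required per
# their descriptions. An account without a trail has no audit history, so
# most deployments should set this to true.
variable "enable_cloudtrail" {
  type        = bool
  description = "Create a default cloudtrail for the account."
  default     = false
}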
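# Also deliver CloudTrail events to a CloudWatch Logs group (needed for
# near-real-time metric filters / alarms on the trail).
variable "enable_cloudwatch_logs" {
  type        = bool
  description = "Enable Cloudwatch Logs for Cloudtrail."
  default     = false
}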
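# CloudWatch Logs log group that receives the trail when enable_cloudwatch_logs
# is true.
variable "cloudwatch_log_group_name" {
  type        = string
  description = "The name of the CloudWatch Logs log group for CloudTrail."
  default     = "CloudTrail/DefaultLogGroup"
}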
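# Name of the IAM policy attached to the CloudTrail -> CloudWatch Logs role.
variable "cloudwatch_iam_policy_name" {
  type        = string
  description = "The name of the policy which is used for the cloudtrail cloudwatch role"
  default     = "terraform-cloudwatch-policy"
}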
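# Name of the IAM role CloudTrail assumes to write to CloudWatch Logs.
variable "cloudwatch_iam_role_name" {
  type        = string
  description = "The name of the IAM role used by CloudTrail to deliver events to CloudWatch Logs."
  default     = "terraform-cloudwatch-role"
}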
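# Create an IAM user with read access to monitoring metrics (e.g. for Grafana).
# NOTE(review): an IAM user implies long-lived credentials. Whether main.tf
# also creates access keys (and stores them in state) is not visible here —
# confirm, prefer an assumable role where the consumer supports it, and plan
# for key rotation if you enable this.
variable "enable_monitor_readonly_user" {
  type        = bool
  description = "Create a user that can read monitor metrics (e.g. for grafana)"
  default     = false
}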
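# IAM user name used when enable_monitor_readonly_user is true.
variable "monitor_readonly_user_name" {
  type        = string
  description = "The user name for the monitor read only user"
  default     = "monitor_readonly"
}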
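# ARN of the KMS customer managed key used to encrypt CloudTrail logs (SSE-KMS).
# Empty is the "not set" sentinel; presumably the trail then falls back to
# S3-managed encryption — confirm in main.tf. The key policy must allow
# CloudTrail to use it or log delivery will fail.
variable "kms_key_id" {
  type        = string
  description = "The ARN of the KMS customer managed key used for encrypting CloudTrail logs."
  default     = ""
}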
### AWS Config
# Recipients of AWS Config change notifications (presumably SNS subscriptions
# — each address must confirm the subscription before it receives anything).
variable "aws_config_notification_emails" {
  type        = list(string)
  description = "A list of email addresses for that will receive AWS Config changes notifications"
  default     = []
}
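# Turn on the AWS Config recorder. The enable_rule_* variables below are Config
# rules and presumably have no effect unless this is true — confirm in main.tf.
variable "enable_aws_config" {
  type        = bool
  description = "Specifies if the AWS Config should be enabled"
  default     = false
}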
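# Tag key that the 'Require Tag' Config rule (enable_rule_require_tag)
# presumably checks for — confirm in main.tf. The camelCase name is
# non-idiomatic for Terraform but is kept for caller compatibility.
variable "tag1Key" {
  type        = string
  description = "Specifies the tag key checked by the 'Require Tag' rule (Tag1)."
  default     = ""
}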
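# Config rule: flag resources missing the tag key given in tag1Key.
variable "enable_rule_require_tag" {
  type        = bool
  description = "Specifies if 'Require Tag' rule should be enabled"
  default     = false
}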
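# Config rule: report whether the root user has MFA enabled. This is the only
# root-account control visible in this module (enable_mfa covers IAM users
# only), so consider enabling it whenever enable_aws_config is on.
variable "enable_rule_require_root_account_MFA" {
  type        = bool
  description = "Specifies if 'Require root account MFA enabled' rule should be enabled"
  default     = false
}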
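# Config rule: report whether a CloudTrail trail exists. With enable_cloudtrail
# left at its default (false) this rule will simply report non-compliance.
variable "enable_rule_require_cloud_trail" {
  type        = bool
  description = "Specifies if 'Cloud Trail enabled' rule should be enabled"
  default     = false
}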
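# Config rule: check the account password policy against the rule's
# parameters. NOTE(review): the rule's thresholds are configured separately
# from the password_* variables above; keep the two in step or the rule will
# flag the policy this same module applies.
variable "enable_rule_iam_password_policy" {
  type        = bool
  description = "Specifies if 'IAM password policy' rule should be enabled"
  default     = false
}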
### SSM Session Manager
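# Configure SSM Session Manager preferences (session logging to S3 /
# CloudWatch per the s3_* and cloudwatch_encryption_enabled variables below).
variable "enable_ssm_session_manager" {
  type        = bool
  description = "Specifies if the ssm session manager should be enabled"
  default     = false
}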
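# S3 bucket for Session Manager transcripts. Distinct from cloudtrail_bucket
# despite the generic name; empty (default) disables S3 session logging.
variable "s3_bucket_name" {
  type        = string
  default     = ""
  description = "(Optional) The name of bucket to store session logs. Specifying this enables writing session output to an Amazon S3 bucket."
}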
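# Optional key prefix ("sub-folder") inside s3_bucket_name for session logs.
variable "s3_key_prefix" {
  type        = string
  default     = ""
  description = "(Optional) To write output to a sub-folder, enter a sub-folder name."
}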
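# Session Manager S3 encryption preference. Session transcripts capture full
# command output and can contain secrets, so the false default is a weak
# choice for an audit log; enable once the bucket has server-side encryption
# configured. Default left unchanged for compatibility.
variable "s3_encryption_enabled" {
  type        = bool
  default     = false
  description = "(Optional) Encrypt session log data written to S3."
}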
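# Session Manager CloudWatch Logs encryption preference. Same caveat as
# s3_encryption_enabled: transcripts are sensitive, consider enabling this
# once the log group has a KMS key. Default left unchanged for compatibility.
variable "cloudwatch_encryption_enabled" {
  type        = bool
  default     = false
  description = "(Optional) Encrypt session log data written to CloudWatch Logs."
}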
# Create an S3 bucket for Terraform remote state. Remember that state files
# contain every resource attribute, including any secrets the configuration
# produced, so the bucket should be private, versioned and encrypted — whether
# main.tf does this is not visible here.
variable "s3_bucket_state_file_creation" {
  description = "Whether to create S3 bucket in the AWS Account to store terraform state file"
  type        = bool
  default     = false
}
# Name of the state bucket; used when s3_bucket_state_file_creation is true.
# Empty is the "not set" sentinel.
variable "s3_bucket_state_file_name" {
  description = "The S3 bucket name which store the terraform state file"
  type        = string
  default     = ""
}
# Create the DynamoDB table used for Terraform state locking.
variable "dynamodb_tables_creation" {
  description = "Whether to create dynamodb tables for terraform state file"
  type        = bool
  default     = false
}
# Name of the state-locking table; used when dynamodb_tables_creation is true.
# Empty is the "not set" sentinel.
variable "dynamodb_tables_name" {
  description = "The dynamodb tables name"
  type        = string
  default     = ""
}