-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig_example.yml
56 lines (47 loc) · 2.72 KB
/
config_example.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# All the necessary information to deploy to AWS
aws:
# The accounts we will be deploying resources to. Each account will have an IAM policy and role created, in addition
# to an AWS config rule created in EACH region specified under aws.regions
accounts:
- account_name: "my-account-1"
account_id: "1234567890"
role: "arn:aws:iam::ACCOUNT_ID:(user/role)/MY_USER_OR_ROLE"
- account_name: "my-account-2"
account_id: "0987654321"
role: "arn:aws:iam::ACCOUNT_ID:(user/role)/MY_USER_OR_ROLE"
# These are the regions that we will be deploying resources in. Every account in aws.accounts will have policies created
# in EACH region noted below.
regions:
- "us-east-1"
- "us-east-2"
- "us-west-1"
- "us-west-2"
# Where Terraform's state will be remotely stored and accessed. The bucket and path need to be created in advance
# to deploying other resources. The bucket needs to be in the region specified under the 'provider' field. The
# Custodian variables will be imported into the Makefile to execute c7n-org with the correct variable inputs.
remote_S3_bucket_name: "my_bucket"
remote_S3_terraform_key: "path/to/terraform/key"
remote_S3_custodian_key: "path/to/custodian/key"
# The role Terraform will be creating, and custodian will be assuming to deploy resources. This is a prefix, the suffix
# will be the account name
IAM_role_prefix: "cloud_enforcer_role_"
# The policy that Terraform will be creating, and gives IAM_role_name sufficient privileges. This is a prefix, the suffix
# will be the account name
IAM_policy_prefix: "cloud_enforcer_policy_"
# The policy prefix for custodian resources, the suffix will be the resource type, defined in aws.resources (such as s3/ec2/ebs)
custodian_policy_prefix: "mandatory_tag_enforcer_"
# This is the name of the tag that will be placed on resources to be deleted
custodian_marking_tag: "no_owner_tag_deletion"
# The resources that the custodian policies will be watching, each resource listed below requires its own policy resource
# until further progress is made on https://github.com/cloud-custodian/cloud-custodian/issues/1244
resources:
- "s3"
# Resources should be tagged with an owner
resource_owner: "[email protected]"
# AWS access and secret keys should be passed as environment variables (see Terraform docs,
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables) when
# executing the templates. There is no need to specify environment variables when generating the templates.
# provider.principal will be a resource allowed to assume the generated IAM roles.
provider:
region: "us-east-1"
principal: "arn:aws:iam::ACCOUNT_ID:(user/role)/MY_USER_OR_ROLE"