From c1d3b8c27eee5a97ab433608c49d4053e054e070 Mon Sep 17 00:00:00 2001 
From: milldr Date: Fri, 8 Mar 2024 12:46:06 -0800 Subject: [PATCH 01/11] added prettier --- .pre-commit-config.yaml | 9 + modules/account-map/README.md | 19 +- .../modules/team-assume-role-policy/README.md | 11 +- modules/account-quotas/README.md | 33 +- modules/account-settings/README.md | 15 +- modules/account/README.md | 156 +++++--- modules/acm/README.md | 21 +- modules/alb/README.md | 9 +- modules/amplify/README.md | 31 +- .../api-gateway-account-settings/README.md | 14 +- modules/api-gateway-rest-api/README.md | 6 +- modules/argocd-repo/README.md | 11 +- modules/athena/README.md | 33 +- modules/aurora-mysql-resources/README.md | 21 +- modules/aurora-mysql/README.md | 34 +- modules/aurora-postgres-resources/README.md | 61 ++- modules/aurora-postgres/README.md | 35 +- modules/aws-backup/README.md | 61 +-- modules/aws-config/README.md | 78 ++-- modules/aws-inspector/README.md | 57 ++- modules/aws-inspector2/README.md | 19 +- modules/aws-saml/README.md | 10 +- modules/aws-shield/README.md | 28 +- modules/aws-sso/README.md | 214 ++++++----- modules/aws-ssosync/README.md | 97 +++-- modules/aws-team-roles/README.md | 108 +++--- modules/aws-teams/README.md | 104 +++--- modules/bastion/README.md | 37 +- modules/cloudtrail-bucket/README.md | 12 +- modules/cloudtrail/README.md | 12 +- modules/cloudwatch-logs/README.md | 6 +- modules/cognito/README.md | 20 +- modules/config-bucket/README.md | 12 +- modules/datadog-configuration/README.md | 30 +- .../modules/datadog_keys/README.md | 2 + modules/datadog-integration/README.md | 18 +- modules/datadog-lambda-forwarder/README.md | 15 +- modules/datadog-monitor/README.md | 40 +- .../datadog-private-location-ecs/README.md | 7 +- .../README.md | 21 +- modules/datadog-synthetics/README.md | 48 ++- modules/dms/endpoint/README.md | 6 +- modules/dms/iam/README.md | 6 +- modules/dms/replication-instance/README.md | 6 +- modules/dms/replication-task/README.md | 6 +- modules/dns-delegated/README.md | 69 ++-- 
modules/dns-primary/README.md | 54 ++- modules/documentdb/README.md | 6 +- modules/dynamodb/README.md | 7 +- modules/ec2-client-vpn/README.md | 48 ++- modules/ecr/README.md | 25 +- modules/ecs-service/README.md | 65 ++-- modules/ecs/README.md | 8 +- modules/efs/README.md | 10 +- .../eks/actions-runner-controller/README.md | 214 ++++++----- .../alb-controller-ingress-class/README.md | 12 +- .../alb-controller-ingress-group/README.md | 17 +- modules/eks/alb-controller/README.md | 21 +- modules/eks/argocd/README.md | 149 ++++---- .../aws-node-termination-handler/README.md | 10 +- modules/eks/cert-manager/README.md | 68 ++-- modules/eks/cluster/README.md | 118 +++--- modules/eks/datadog-agent/README.md | 53 ++- modules/eks/echo-server/README.md | 76 ++-- modules/eks/external-dns/README.md | 6 +- .../eks/external-secrets-operator/README.md | 22 +- modules/eks/github-actions-runner/README.md | 353 +++++++++--------- modules/eks/idp-roles/README.md | 8 +- modules/eks/karpenter-provisioner/README.md | 103 ++--- modules/eks/karpenter/README.md | 270 +++++++------- modules/eks/keda/README.md | 7 +- modules/eks/metrics-server/README.md | 5 +- modules/eks/platform/README.md | 12 +- modules/eks/redis-operator/README.md | 12 +- modules/eks/redis/README.md | 9 +- modules/eks/reloader/README.md | 12 +- modules/eks/storage-class/README.md | 83 ++-- modules/elasticache-redis/README.md | 9 +- modules/elasticsearch/README.md | 9 +- modules/eventbridge/README.md | 14 +- modules/github-action-token-rotator/README.md | 15 +- modules/github-oidc-provider/README.md | 34 +- modules/github-oidc-role/README.md | 60 +-- modules/github-runners/README.md | 163 +++++--- modules/github-webhook/README.md | 14 +- modules/gitops/README.md | 12 +- .../README.md | 9 +- modules/global-accelerator/README.md | 6 +- modules/glue/catalog-database/README.md | 5 +- modules/glue/catalog-table/README.md | 5 +- modules/glue/connection/README.md | 5 +- modules/glue/crawler/README.md | 5 +- 
modules/glue/iam/README.md | 5 +- modules/glue/job/README.md | 5 +- modules/glue/registry/README.md | 5 +- modules/glue/schema/README.md | 5 +- modules/glue/trigger/README.md | 5 +- modules/glue/workflow/README.md | 5 +- modules/guardduty/README.md | 20 +- modules/iam-role/README.md | 10 +- modules/iam-service-linked-roles/README.md | 18 +- modules/ipam/README.md | 6 +- modules/kinesis-stream/README.md | 9 +- modules/lakeformation/README.md | 11 +- modules/lambda/README.md | 8 +- modules/macie/README.md | 20 +- modules/mq-broker/README.md | 6 +- modules/msk/README.md | 7 +- modules/mwaa/README.md | 10 +- modules/network-firewall/README.md | 21 +- modules/opsgenie-team/README.md | 91 +++-- .../modules/escalation/README.md | 6 +- .../modules/integration/README.md | 2 + .../opsgenie-team/modules/routing/README.md | 7 +- modules/philips-labs-github-runners/README.md | 44 ++- modules/rds/README.md | 36 +- modules/redshift/README.md | 10 +- .../route53-resolver-dns-firewall/README.md | 11 +- modules/s3-bucket/README.md | 9 +- modules/security-hub/README.md | 14 +- modules/ses/README.md | 8 +- modules/sftp/README.md | 5 +- modules/snowflake-account/README.md | 31 +- modules/snowflake-database/README.md | 9 +- modules/sns-topic/README.md | 10 +- modules/spa-s3-cloudfront/README.md | 37 +- modules/spacelift/admin-stack/README.md | 5 +- modules/spacelift/spaces/README.md | 2 + modules/spacelift/worker-pool/README.md | 27 +- modules/sqs-queue/README.md | 6 +- modules/ssm-parameters/README.md | 9 +- modules/strongdm/README.md | 7 +- modules/tfstate-backend/README.md | 142 +++---- .../tgw/cross-region-hub-connector/README.md | 17 +- modules/tgw/hub/README.md | 8 +- modules/tgw/spoke/README.md | 8 +- modules/vpc-flow-logs-bucket/README.md | 9 +- modules/vpc-peering/README.md | 80 ++-- modules/vpc/README.md | 9 +- modules/waf/README.md | 36 +- modules/zscaler/README.md | 16 +- 141 files changed, 2836 insertions(+), 1947 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e73fb4263..0740390ad 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,6 +36,7 @@ repos: - id: terraform_fmt - id: terraform_docs args: ["--args=--lockfile=false"] + - repo: local hooks: - id: rebuild-mixins-docs @@ -45,3 +46,11 @@ repos: types: ["text"] files: (mixins\/.*|bin\/rebuild-mixins-docs\.sh) pass_filenames: false + + - repo: https://github.com/pre-commit/mirrors-prettier + rev: v2.7.1 + hooks: + - id: prettier + name: prettier + entry: prettier --write --prose-wrap always --print-width 120 + types: ["markdown"] diff --git a/modules/account-map/README.md b/modules/account-map/README.md index 7e207c9c7..893586de3 100644 --- a/modules/account-map/README.md +++ b/modules/account-map/README.md 
@@ -1,18 +1,21 @@ # Component: `account-map` -This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs. +This component is responsible for provisioning information only: it simply populates Terraform state with data (account +ids, groups, and roles) that other root modules need via outputs. ## Pre-requisites -- [account](https://docs.cloudposse.com/components/library/aws/account) must be provisioned before [account-map](https://docs.cloudposse.com/components/library/aws/account-map) component +- [account](https://docs.cloudposse.com/components/library/aws/account) must be provisioned before + [account-map](https://docs.cloudposse.com/components/library/aws/account-map) component ## Usage **Stack Level**: Global -Here is an example snippet for how to use this component. Include this snippet in the stack configuration for the management account -(typically `root`) in the management tenant/OU (usually something like `mgmt` or `core`) in the global region (`gbl`). You can include -the content directly, or create a `stacks/catalog/account-map.yaml` file and import it from there. +Here is an example snippet for how to use this component. Include this snippet in the stack configuration for the +management account (typically `root`) in the management tenant/OU (usually something like `mgmt` or `core`) in the +global region (`gbl`). You can include the content directly, or create a `stacks/catalog/account-map.yaml` file and +import it from there. ```yaml components: @@ -44,9 +47,9 @@ components: iam_role_arn_template_template: "arn:%s:iam::%s:role/%s-%s-%s-%s-%%s" # `profile_template` is the template used to render AWS Profile names. profile_template: "%s-%s-%s-%s-%s" - ``` + ## Requirements 
@@ -149,9 +152,11 @@ components: | [terraform\_role\_name\_map](#output\_terraform\_role\_name\_map) | Mapping of Terraform action (plan or apply) to aws-team-role name to assume for that action | | [terraform\_roles](#output\_terraform\_roles) | A list of all IAM roles used to run terraform updates | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-map) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-map) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/account-map/modules/team-assume-role-policy/README.md b/modules/account-map/modules/team-assume-role-policy/README.md index 7a22501fc..f309bf33c 100644 --- a/modules/account-map/modules/team-assume-role-policy/README.md +++ b/modules/account-map/modules/team-assume-role-policy/README.md 
@@ -2,13 +2,14 @@ This submodule generates a JSON-encoded IAM Policy Document suitable for use as an "Assume Role Policy". -You can designate both who is allowed to assume a role and who is explicitly denied permission -to assume a role. The value of this submodule is that it allows for many ways -to specify the "who" while at the same time limiting the "who" to assumed IAM roles: +You can designate both who is allowed to assume a role and who is explicitly denied permission to assume a role. The +value of this submodule is that it allows for many ways to specify the "who" while at the same time limiting the "who" +to assumed IAM roles: - All assumed roles in the `dev` account: `allowed_roles = { dev = ["*"] }` - Only the `admin` role in the dev account: `allowed_roles = { dev = ["admin"] }` -- A specific principal in any account (though it must still be an assumed role): `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` +- A specific principal in any account (though it must still be an assumed role): + `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` - A user of a specific AWS SSO Permission Set: `allowed_permission_sets = { dev = ["DeveloperAccess"] }` ## Usage @@ -30,6 +31,7 @@ resource "aws_iam_role" "default" { } ``` + ## Requirements @@ -100,3 +102,4 @@ No requirements. | [github\_assume\_role\_policy](#output\_github\_assume\_role\_policy) | JSON encoded string representing the "Assume Role" policy configured by the inputs | | [policy\_document](#output\_policy\_document) | JSON encoded string representing the "Assume Role" policy configured by the inputs | + diff --git a/modules/account-quotas/README.md b/modules/account-quotas/README.md index 59a6e7831..a442dddac 100644 --- a/modules/account-quotas/README.md +++ b/modules/account-quotas/README.md 
@@ -1,19 +1,19 @@ # Component: `account-quotas` -This component is responsible for requesting service quota increases. We recommend -making requests here rather than in `account-settings` because `account-settings` -is a restricted component that can only be applied by SuperAdmin. - +This component is responsible for requesting service quota increases. We recommend making requests here rather than in +`account-settings` because `account-settings` is a restricted component that can only be applied by SuperAdmin. ## Usage **Stack Level**: Global and Regional (depending on quota) -Global resources must be provisioned in `us-east-1`. Put them in the `gbl` stack, but set `region: us-east-1` in the `vars` section. +Global resources must be provisioned in `us-east-1`. Put them in the `gbl` stack, but set `region: us-east-1` in the +`vars` section. -You can refer to services either by their exact full name (e.g. `service_name: "Amazon Elastic Compute Cloud (Amazon EC2)"`) or by the -service code (e.g. `service_code: "ec2"`). Similarly, you can refer to quota names either by their exact full name -(e.g. `quota_name: "EC2-VPC Elastic IPs"`) or by the quota code (e.g. `quota_code: "L-0263D0A3"`). +You can refer to services either by their exact full name (e.g. +`service_name: "Amazon Elastic Compute Cloud (Amazon EC2)"`) or by the service code (e.g. `service_code: "ec2"`). +Similarly, you can refer to quota names either by their exact full name (e.g. `quota_name: "EC2-VPC Elastic IPs"`) or by +the quota code (e.g. `quota_code: "L-0263D0A3"`). You can find service codes and full names via the AWS CLI (be sure to use the correct region): 
@@ -21,17 +21,18 @@ You can find service codes and full names via the AWS CLI (be sure to use the co aws --region us-east-1 service-quotas list-services ``` -You can find quota codes and full names, and also whether the quotas are adjustable or global, via the AWS CLI, -but you will need the service code from the previous step: +You can find quota codes and full names, and also whether the quotas are adjustable or global, via the AWS CLI, but you +will need the service code from the previous step: ```bash aws --region us-east-1 service-quotas list-service-quotas --service-code ec2 ``` -If you make a request to raise a quota, the output will show the requested value as `value` while the request is pending. +If you make a request to raise a quota, the output will show the requested value as `value` while the request is +pending. -Even though the Terraform will submit the support request, you may need to follow up with AWS support to get the request approved, -via the AWS console or email. +Even though the Terraform will submit the support request, you may need to follow up with AWS support to get the request +approved, via the AWS console or email. Here's an example snippet for how to use this component. @@ -51,6 +52,7 @@ components: value: 10 ``` + ## Requirements @@ -111,10 +113,13 @@ components: |------|-------------| | [quotas](#output\_quotas) | Full report on all service quotas managed by this component. | + ## References - [AWS Service Quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) -- AWS CLI [command to list service codes](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/service-quotas/list-services.html): `aws service-quotas list-services` +- AWS CLI + [command to list service codes](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/service-quotas/list-services.html): + `aws service-quotas list-services` [](https://cpco.io/component) 
diff --git a/modules/account-settings/README.md b/modules/account-settings/README.md index 7fcd021df..a7e6a0d5e 100644 --- a/modules/account-settings/README.md +++ b/modules/account-settings/README.md @@ -1,14 +1,15 @@ # Component: `account-settings` -This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS encryption, and Service Quotas. +This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS +encryption, and Service Quotas. ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts, -so create a file `stacks/catalog/account-settings.yaml` with the following content and then import -that file in each account's global stack (overriding any parameters as needed): +Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts, so +create a file `stacks/catalog/account-settings.yaml` with the following content and then import that file in each +account's global stack (overriding any parameters as needed): ```yaml components: @@ -68,6 +69,7 @@ components: value: null ``` + ## Requirements @@ -138,8 +140,11 @@ components: |------|-------------| | [account\_alias](#output\_account\_alias) | Account alias | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-settings) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-settings) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/account/README.md b/modules/account/README.md index c3c2d50cb..b9f6fa874 100644 --- a/modules/account/README.md +++ b/modules/account/README.md 
@@ -1,32 +1,45 @@ # Component: `account` -This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It includes the ability to associate Service Control Policies (SCPs) to the Organization, each Organizational Unit and account. +This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It +includes the ability to associate Service Control Policies (SCPs) to the Organization, each Organizational Unit and +account. -:::info -Part of a [cold start](https://docs.cloudposse.com/reference-architecture/how-to-guides/implementation/enterprise/implement-aws-cold-start) so it has to be initially run with `SuperAdmin` role. +:::info Part of a +[cold start](https://docs.cloudposse.com/reference-architecture/how-to-guides/implementation/enterprise/implement-aws-cold-start) +so it has to be initially run with `SuperAdmin` role. ::: -In addition, it enables [AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html), which helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. For each instance of a resource that is shared outside of your account, Access Analyzer generates a finding. Findings include information about the access and the external principal that it is granted to. You can review findings to determine whether the access is intended and safe, or the access is unintended and a security risk. 
+In addition, it enables +[AWS IAM Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html), which helps +you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared +with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. +Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze +the resource-based policies in your AWS environment. For each instance of a resource that is shared outside of your +account, Access Analyzer generates a finding. Findings include information about the access and the external principal +that it is granted to. You can review findings to determine whether the access is intended and safe, or the access is +unintended and a security risk. ## Usage **Stack Level**: Global -**IMPORTANT**: Account Name building blocks (such as tenant, stage, environment) must not contain dashes. Doing so will lead to unpredictable resource names as a `-` is the default delimiter. Additionally, account names must be lower case alpha-numeric with no special characters. -For example: +**IMPORTANT**: Account Name building blocks (such as tenant, stage, environment) must not contain dashes. Doing so will +lead to unpredictable resource names as a `-` is the default delimiter. Additionally, account names must be lower case +alpha-numeric with no special characters. For example: | Key | Value | Correctness | -|------------------|-----------------|-------------| -| **Tenant** | foo | ✅ | -| **Tenant** | foo-bar | ❌ | -| **Environment** | use1 | ✅ | -| **Environment** | us-east-1 | ❌ | -| **Account Name** | `core-identity` | ✅ | - -Here is an example snippet for how to use this component. 
Include this snippet in the stack configuration for the management account -(typically `root`) in the management tenant/OU (usually something like `mgmt` or `core`) in the global region (`gbl`). You can insert -the content directly, or create a `stacks/catalog/account.yaml` file and import it from there. +| ---------------- | --------------- | ----------- | +| **Tenant** | foo | ✅ | +| **Tenant** | foo-bar | ❌ | +| **Environment** | use1 | ✅ | +| **Environment** | us-east-1 | ❌ | +| **Account Name** | `core-identity` | ✅ | + +Here is an example snippet for how to use this component. Include this snippet in the stack configuration for the +management account (typically `root`) in the management tenant/OU (usually something like `mgmt` or `core`) in the +global region (`gbl`). You can insert the content directly, or create a `stacks/catalog/account.yaml` file and import it +from there. ```yaml components: 
@@ -152,16 +165,22 @@ components: Your AWS Organization is managed by the `account` component, along with accounts and organizational units. -However, because the AWS defaults for an Organization and its accounts are not exactly what we want, and there is no way to change them via Terraform, we have to first provision the AWS Organization, then take some steps on the AWS console, and then we can provision the rest. +However, because the AWS defaults for an Organization and its accounts are not exactly what we want, and there is no way +to change them via Terraform, we have to first provision the AWS Organization, then take some steps on the AWS console, +and then we can provision the rest. ### Use AWS Console to create and set up the Organization -Unfortunately, there are some tasks that need to be done via the console. Log into the AWS Console with the root (not SuperAdmin) credentials you have saved in 1Password. +Unfortunately, there are some tasks that need to be done via the console. Log into the AWS Console with the root (not +SuperAdmin) credentials you have saved in 1Password. #### Request an increase in the maximum number of accounts allowed -:::caution -Make sure your support plan for the _root_ account was upgraded to the "Business" level (or Higher). This is necessary to expedite the quota increase requests, which could take several days on a basic support plan. Without it, AWS support will claim that since we’re not currently utilizing any of the resources, so they do not want to approve the requests. AWS support is not aware of your other organization. If AWS still gives you problems, please escalate to your AWS TAM. See [AWS](https://docs.cloudposse.com/reference-architecture/reference/aws). +:::caution Make sure your support plan for the _root_ account was upgraded to the "Business" level (or Higher). This is +necessary to expedite the quota increase requests, which could take several days on a basic support plan. 
Without it, +AWS support will claim that since we’re not currently utilizing any of the resources, so they do not want to approve the +requests. AWS support is not aware of your other organization. If AWS still gives you problems, please escalate to your +AWS TAM. See [AWS](https://docs.cloudposse.com/reference-architecture/reference/aws). ::: 
@@ -179,13 +198,19 @@ Make sure your support plan for the _root_ account was upgraded to the "Business 7. Click on "Request quota increase" on the right side of the view, which should pop us a request form -8. At the bottom of the form, under "Change quota value", enter the number you decided on in the previous step (probably "20") and click "Request" +8. At the bottom of the form, under "Change quota value", enter the number you decided on in the previous step (probably + "20") and click "Request" #### (Optional) Create templates to request other quota increases -New accounts start with a low limit on the number of instances you can create. However, as you add accounts, and use more instances, the numbers automatically adjust up. So you may or may not want to create a template to generate automatic quota increase requests, depending on how many instances per account you expect to want to provision right away. +New accounts start with a low limit on the number of instances you can create. However, as you add accounts, and use +more instances, the numbers automatically adjust up. So you may or may not want to create a template to generate +automatic quota increase requests, depending on how many instances per account you expect to want to provision right +away. -Create a [Quota request template](https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html) for the organization. From the Sidebar, click "Quota request template" +Create a +[Quota request template](https://docs.aws.amazon.com/servicequotas/latest/userguide/organization-templates.html) for the +organization. From the Sidebar, click "Quota request template" Add each EC2 quota increase request you want to make: 
@@ -213,19 +238,25 @@ After you have added all the templates, click "Enable" on the Quota request temp #### Enable resource sharing with AWS Organization -[AWS Resource Access Manager (RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) lets you share your resources with any AWS account or through AWS Organizations. +[AWS Resource Access Manager (RAM)](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html) lets you share your +resources with any AWS account or through AWS Organizations.
-If you have multiple AWS accounts, you can create resources centrally and use AWS RAM to share those resources with other accounts. +If you have multiple AWS accounts, you can create resources centrally and use AWS RAM to share those resources with +other accounts. -Resource sharing through AWS Organization will be used to share the Transit Gateway deployed in the `network` account with other accounts to connect their VPCs to the shared Transit Gateway. +Resource sharing through AWS Organization will be used to share the Transit Gateway deployed in the `network` account +with other accounts to connect their VPCs to the shared Transit Gateway. -This is a one-time manual step in the AWS Resource Access Manager console. When you share resources within your organization, AWS RAM does not send invitations to principals. Principals in your organization get access to shared resources without exchanging invitations. +This is a one-time manual step in the AWS Resource Access Manager console. When you share resources within your +organization, AWS RAM does not send invitations to principals. Principals in your organization get access to shared +resources without exchanging invitations. To enable resource sharing with AWS Organization via AWS Management Console -- Open the Settings page of AWS Resource Access Manager console at [https://console.aws.amazon.com/ram/home#Settings](https://console.aws.amazon.com/ram/home#Settings) +- Open the Settings page of AWS Resource Access Manager console at + [https://console.aws.amazon.com/ram/home#Settings](https://console.aws.amazon.com/ram/home#Settings) - Choose "Enable sharing with AWS Organizations" 
@@ -248,9 +279,11 @@ For more information, see: ### Import the organization into Terraform using the `account` component -After we are done with the above ClickOps and the Service Quota Increase for maximum number of accounts has been granted, we can then do the rest via Terraform. +After we are done with the above ClickOps and the Service Quota Increase for maximum number of accounts has been +granted, we can then do the rest via Terraform. -In the Geodesic shell, as SuperAdmin, execute the following command to get the AWS Organization ID that will be used to import the organization: +In the Geodesic shell, as SuperAdmin, execute the following command to get the AWS Organization ID that will be used to +import the organization: ``` aws organizations describe-organization @@ -268,7 +301,9 @@ From the output, identify the _organization-id_: Using the example above, the _organization-id_ is o-7qcakq6zxw. -In the Geodesic shell, as SuperAdmin, execute the following command to import the AWS Organization, changing the stack name `core-gbl-root` if needed, to reflect the stack where the organization management account is defined, and changing the last argument to reflect the _organization-id_ from the output of the previous command. +In the Geodesic shell, as SuperAdmin, execute the following command to import the AWS Organization, changing the stack +name `core-gbl-root` if needed, to reflect the stack where the organization management account is defined, and changing +the last argument to reflect the _organization-id_ from the output of the previous command. ``` atmos terraform import account --stack core-gbl-root 'aws_organizations_organization.this[0]' 'o-7qcakq6zxw' 
@@ -276,16 +311,18 @@ atmos terraform import account --stack core-gbl-root 'aws_organizations_organiza ### Provision AWS OUs and Accounts using the `account` component -AWS accounts and organizational units are generated dynamically by the `terraform/account` component using the configuration in the `gbl-root` stack. +AWS accounts and organizational units are generated dynamically by the `terraform/account` component using the +configuration in the `gbl-root` stack. -:::info -_**Special note:**_ **** In the rare case where you will need to be enabling non-default AWS Regions, temporarily comment out the `DenyRootAccountAccess` service control policy setting in `gbl-root.yaml`. You will restore it later, after enabling the optional Regions. -See related: [Decide on Opting Into Non-default Regions](https://docs.cloudposse.com/reference-architecture/design-decisions/cold-start/decide-on-opting-into-non-default-regions) +:::info _**Special note:**_ \*\*\*\* In the rare case where you will need to be enabling non-default AWS Regions, +temporarily comment out the `DenyRootAccountAccess` service control policy setting in `gbl-root.yaml`. You will restore +it later, after enabling the optional Regions. See related: +[Decide on Opting Into Non-default Regions](https://docs.cloudposse.com/reference-architecture/design-decisions/cold-start/decide-on-opting-into-non-default-regions) ::: -:::caution -**You must wait until your quota increase request has been granted.** If you try to create the accounts before the quota increase is granted, you can expect to see failures like `ACCOUNT_NUMBER_LIMIT_EXCEEDED`. +:::caution **You must wait until your quota increase request has been granted.** If you try to create the accounts +before the quota increase is granted, you can expect to see failures like `ACCOUNT_NUMBER_LIMIT_EXCEEDED`. ::: 
@@ -295,40 +332,60 @@ In the Geodesic shell, execute the following commands to provision AWS Organizat atmos terraform apply account --stack gbl-root ``` -Review the Terraform plan, _**ensure that no new organization will be created**_ (look for `aws_organizations_organization.this[0]`), type "yes" to approve and apply. This creates the AWS organizational units and AWS accounts. +Review the Terraform plan, _**ensure that no new organization will be created**_ (look for +`aws_organizations_organization.this[0]`), type "yes" to approve and apply. This creates the AWS organizational units +and AWS accounts. ### Configure root account credentials for each account -Note: unless you need to enable non-default AWS regions (see next step), this step can be done later or in parallel with other steps, for example while waiting for Terraform to create resources. +Note: unless you need to enable non-default AWS regions (see next step), this step can be done later or in parallel with +other steps, for example while waiting for Terraform to create resources. **For** _**each**_ **new account:** -1. Perform a password reset by attempting to [log in to the AWS console](https://signin.aws.amazon.com/signin) as a "root user", using that account's email address, and then clicking the "Forgot password?" link. You will receive a password reset link via email, which should be forwarded to the shared Slack channel for automated messages. Click the link and enter a new password. (Use 1Password or [Random.org](https://www.random.org/passwords) to create a password 26-38 characters long, including at least 3 of each class of character: lower case, uppercase, digit, and symbol. You may need to manually combine or add to the generated password to ensure 3 symbols and digits are present.) Save the email address and generated password as web login credentials in 1Password. While you are at it, save the account number in a separate field. +1. 
Perform a password reset by attempting to [log in to the AWS console](https://signin.aws.amazon.com/signin) as a + "root user", using that account's email address, and then clicking the "Forgot password?" link. You will receive a + password reset link via email, which should be forwarded to the shared Slack channel for automated messages. Click + the link and enter a new password. (Use 1Password or [Random.org](https://www.random.org/passwords) to create a + password 26-38 characters long, including at least 3 of each class of character: lower case, uppercase, digit, and + symbol. You may need to manually combine or add to the generated password to ensure 3 symbols and digits are + present.) Save the email address and generated password as web login credentials in 1Password. While you are at it, + save the account number in a separate field. -2. Log in using the new password, choose "My Security Credentials" from the account dropdown menu and set up Multi-Factor Authentication (MFA) to use a Virutal MFA device. Save the MFA TOTP key in 1Password by using 1Password's TOTP field and built-in screen scanner. Also, save the Virutal MFA ARN (sometimes shown as "serial number"). +2. Log in using the new password, choose "My Security Credentials" from the account dropdown menu and set up + Multi-Factor Authentication (MFA) to use a Virutal MFA device. Save the MFA TOTP key in 1Password by using + 1Password's TOTP field and built-in screen scanner. Also, save the Virutal MFA ARN (sometimes shown as "serial + number"). 3. While logged in, enable optional regions as described in the next step, if needed. -4. (Optional, but highly recommended): [Unsubscribe](https://pages.awscloud.com/communication-preferences.html) the account's email address from all marketing emails. +4. (Optional, but highly recommended): [Unsubscribe](https://pages.awscloud.com/communication-preferences.html) the + account's email address from all marketing emails. 
### (Optional) Enable regions -Most AWS regions are enabled by default. If you are using a region that is not enabled by default (such as Middle East/Bahrain), you need to take extra steps. +Most AWS regions are enabled by default. If you are using a region that is not enabled by default (such as Middle +East/Bahrain), you need to take extra steps. -1. While logged in using root credentials (see the previous step), in the account dropdown menu, select "My Account" to get to the [Billing home page](https://console.aws.amazon.com/billing/home?#/account). +1. While logged in using root credentials (see the previous step), in the account dropdown menu, select "My Account" to + get to the [Billing home page](https://console.aws.amazon.com/billing/home?#/account). 2. In the "AWS Regions" section, enable the regions you want to enable. -3. Go to the IAM [account settings page](https://console.aws.amazon.com/iam/home?#/account_settings) and edit the STS Global endpoint to create session tokens valid in all AWS regions. +3. Go to the IAM [account settings page](https://console.aws.amazon.com/iam/home?#/account_settings) and edit the STS + Global endpoint to create session tokens valid in all AWS regions. -You will need to wait a few minutes for the regions to be enabled before you can proceed to the next step. Until they are enabled, you may get what look like AWS authentication or permissions errors. +You will need to wait a few minutes for the regions to be enabled before you can proceed to the next step. Until they +are enabled, you may get what look like AWS authentication or permissions errors. -After enabling the regions in all accounts, re-enable the `DenyRootAccountAccess` service control policy setting in `gbl-root.yaml` and rerun +After enabling the regions in all accounts, re-enable the `DenyRootAccountAccess` service control policy setting in +`gbl-root.yaml` and rerun ``` atmos terraform apply account --stack gbl-root ``` + ## Requirements 
@@ -422,8 +479,11 @@ atmos terraform apply account --stack gbl-root | [organizational\_unit\_names\_organizational\_unit\_scp\_arns](#output\_organizational\_unit\_names\_organizational\_unit\_scp\_arns) | Map of OU names to SCP ARNs | | [organizational\_unit\_names\_organizational\_unit\_scp\_ids](#output\_organizational\_unit\_names\_organizational\_unit\_scp\_ids) | Map of OU names to SCP IDs | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/acm/README.md b/modules/acm/README.md index 38f60328d..bdd7d25a0 100644 --- a/modules/acm/README.md +++ b/modules/acm/README.md 
@@ -1,10 +1,19 @@ # Component: `acm` -This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone to complete certificate validation. +This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone +to complete certificate validation. -The ACM component is to manage an unlimited number of certificates, predominantly for vanity domains. While the [dns-primary](https://docs.cloudposse.com/components/library/aws/dns-primary) component has the ability to generate ACM certificates, it is very opinionated and can only manage one zone. In reality, companies have many branded domains associated with a load balancer, so we need to be able to generate more complicated certificates. +The ACM component is to manage an unlimited number of certificates, predominantly for vanity domains. While the +[dns-primary](https://docs.cloudposse.com/components/library/aws/dns-primary) component has the ability to generate ACM +certificates, it is very opinionated and can only manage one zone. In reality, companies have many branded domains +associated with a load balancer, so we need to be able to generate more complicated certificates. -We have, as a convenience, the ability to create an ACM certificate as part of creating a DNS zone, whether primary or delegated. That convenience is limited to creating `example.com` and `*.example.com` when creating a zone for `example.com`. For example, Acme has delegated `acct.acme.com` and in addition to `*.acct.acme.com` needed an ACM certificate for `*.usw2.acct.acme.com`, so we use the ACM component to provision that, rather than extend the DNS primary or delegated components to take a list of additional certificates. Both are different views on the Single Responsibility Principle. +We have, as a convenience, the ability to create an ACM certificate as part of creating a DNS zone, whether primary or +delegated. 
That convenience is limited to creating `example.com` and `*.example.com` when creating a zone for +`example.com`. For example, Acme has delegated `acct.acme.com` and in addition to `*.acct.acme.com` needed an ACM +certificate for `*.usw2.acct.acme.com`, so we use the ACM component to provision that, rather than extend the DNS +primary or delegated components to take a list of additional certificates. Both are different views on the Single +Responsibility Principle. ## Usage @@ -50,6 +59,7 @@ components: certificate_authority_component_key: subordinate ``` + ## Requirements @@ -130,8 +140,11 @@ components: | [domain\_validation\_options](#output\_domain\_validation\_options) | CNAME records that are added to the DNS zone to complete certificate validation | | [id](#output\_id) | The ID of the certificate | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/acm) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/acm) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/alb/README.md b/modules/alb/README.md index 0905867c7..25e47e977 100644 --- a/modules/alb/README.md +++ b/modules/alb/README.md @@ -1,6 +1,7 @@ # Component: `alb` -This component is responsible for provisioning a generic Application Load Balancer. It depends on the `vpc` and `dns-delegated` components. +This component is responsible for provisioning a generic Application Load Balancer. It depends on the `vpc` and +`dns-delegated` components. ## Usage @@ -17,6 +18,7 @@ components: health_check_path: /api/healthz ``` + ## Requirements 
@@ -125,10 +127,11 @@ No resources. | [listener\_arns](#output\_listener\_arns) | A list of all the listener ARNs | | [security\_group\_id](#output\_security\_group\_id) | The security group ID of the ALB | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/alb) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/alb) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/amplify/README.md b/modules/amplify/README.md index 50e5b12f5..b64597941 100644 --- a/modules/amplify/README.md +++ b/modules/amplify/README.md @@ -1,7 +1,7 @@ # Component: `amplify` -This component is responsible for provisioning -AWS Amplify apps, backend environments, branches, domain associations, and webhooks. +This component is responsible for provisioning AWS Amplify apps, backend environments, branches, domain associations, +and webhooks. ## Usage 
@@ -101,24 +101,25 @@ components: certificate_verification_dns_record_enabled: false ``` -The `amplify/example` YAML configuration defines an Amplify app in AWS. -The app is set up to use the `Next.js` framework with SSR (server-side rendering) and is linked to the -GitHub repository "https://github.com/cloudposse/amplify-test2". +The `amplify/example` YAML configuration defines an Amplify app in AWS. The app is set up to use the `Next.js` framework +with SSR (server-side rendering) and is linked to the GitHub repository "https://github.com/cloudposse/amplify-test2". -The app is set up to have two environments: `main` and `develop`. -Each environment has different configuration settings, such as the branch name, framework, and stage. -The `main` environment is set up for production, while the `develop` environments is set up for development. +The app is set up to have two environments: `main` and `develop`. Each environment has different configuration settings, +such as the branch name, framework, and stage. The `main` environment is set up for production, while the `develop` +environments is set up for development. -The app is also configured to have custom subdomains for each environment, with prefixes such as `example-prod` and `example-dev`. -The subdomains are configured to use DNS records, which are enabled through the `subdomains_dns_records_enabled` variable. +The app is also configured to have custom subdomains for each environment, with prefixes such as `example-prod` and +`example-dev`. The subdomains are configured to use DNS records, which are enabled through the +`subdomains_dns_records_enabled` variable. -The app also has an IAM service role configured with specific IAM actions, and environment variables set up for each environment. -Additionally, the app is configured to use the Atmos Spacelift workspace, as indicated by the `workspace_enabled: true` setting. 
+The app also has an IAM service role configured with specific IAM actions, and environment variables set up for each +environment. Additionally, the app is configured to use the Atmos Spacelift workspace, as indicated by the +`workspace_enabled: true` setting. The `amplify/example` Atmos component extends the `amplify/defaults` component. -The `amplify/example` configuration is imported into the `stacks/mixins/stage/dev.yaml` stack config file to be provisioned -in the `dev` account. +The `amplify/example` configuration is imported into the `stacks/mixins/stage/dev.yaml` stack config file to be +provisioned in the `dev` account. ```yaml # stacks/mixins/stage/dev.yaml @@ -132,6 +133,7 @@ You can execute the following command to provision the Amplify app using Atmos: atmos terraform apply amplify/example -s ``` + ## Requirements @@ -225,5 +227,6 @@ atmos terraform apply amplify/example -s | [sub\_domains](#output\_sub\_domains) | DNS records and the verified status for the subdomains | | [webhooks](#output\_webhooks) | Created webhooks | + [](https://cpco.io/component) diff --git a/modules/api-gateway-account-settings/README.md b/modules/api-gateway-account-settings/README.md index 04571f694..70a4a008b 100644 --- a/modules/api-gateway-account-settings/README.md +++ b/modules/api-gateway-account-settings/README.md 
@@ -1,8 +1,13 @@ # Component: `api-gateway-account-settings` -This component is responsible for setting the global, regional settings required to allow API Gateway to write to CloudWatch logs. +This component is responsible for setting the global, regional settings required to allow API Gateway to write to +CloudWatch logs. -Every AWS region you want to deploy an API Gateway to must be configured with an IAM Role that gives API Gateway permissions to create and write to CloudWatch logs. Without this configuration, API Gateway will not be able to send logs to CloudWatch. This configuration is done once per region regardless of the number of API Gateways deployed in that region. This module creates an IAM role, assigns it the necessary permissions to write logs and sets it as the "CloudWatch log role ARN" in the API Gateway configuration. +Every AWS region you want to deploy an API Gateway to must be configured with an IAM Role that gives API Gateway +permissions to create and write to CloudWatch logs. Without this configuration, API Gateway will not be able to send +logs to CloudWatch. This configuration is done once per region regardless of the number of API Gateways deployed in that +region. This module creates an IAM role, assigns it the necessary permissions to write logs and sets it as the +"CloudWatch log role ARN" in the API Gateway configuration. ## Usage @@ -23,6 +28,7 @@ components: Service: api-gateway ``` + ## Requirements @@ -77,9 +83,11 @@ No resources. |------|-------------| | [role\_arn](#output\_role\_arn) | Role ARN of the API Gateway logging role | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/api-gateway-settings) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/api-gateway-settings) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/api-gateway-rest-api/README.md b/modules/api-gateway-rest-api/README.md index d18e1efd4..7f347f130 100644 --- a/modules/api-gateway-rest-api/README.md +++ b/modules/api-gateway-rest-api/README.md @@ -1,6 +1,7 @@ # Component: `api-gateway-rest-api` This component is responsible for deploying an API Gateway REST API. + ## Usage **Stack Level**: Regional @@ -36,6 +37,7 @@ components: uri: https://api.ipify.org ``` + ## Requirements @@ -118,9 +120,11 @@ components: | [invoke\_url](#output\_invoke\_url) | The URL to invoke the REST API | | [root\_resource\_id](#output\_root\_resource\_id) | The resource ID of the REST API's root | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/argocd-repo/README.md b/modules/argocd-repo/README.md index ac1931c07..c5342a2de 100644 --- a/modules/argocd-repo/README.md +++ b/modules/argocd-repo/README.md @@ -57,9 +57,8 @@ components: ```yaml # stacks/mgmt-gbl-corp.yaml import: -... - - catalog/argocd/repo/non-prod -... +--- +- catalog/argocd/repo/non-prod ``` If the repository already exists, it will need to be imported (replace names of IAM profile var file accordingly): @@ -76,6 +75,7 @@ $ cd components/terraform/argocd-repo $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file="mgmt-gbl-corp-argocd-deploy-non-prod.terraform.tfvars.json" "github_branch_default.default[0]" argocd-deploy-non-prod ``` + ## Requirements 
@@ -179,10 +179,11 @@ $ terraform import -var "import_profile_name=eg-mgmt-gbl-corp-admin" -var-file=" | [repository\_ssh\_clone\_url](#output\_repository\_ssh\_clone\_url) | Repository SSH clone URL | | [repository\_url](#output\_repository\_url) | Repository URL | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/argocd-repo) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/argocd-repo) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/athena/README.md b/modules/athena/README.md index ce1e8cc69..3e6ee7ed9 100644 --- a/modules/athena/README.md +++ b/modules/athena/README.md @@ -34,12 +34,11 @@ components: s3_output_path: "" workgroup_state: "ENABLED" database: [] - ``` ```yaml import: -- catalog/athena/defaults + - catalog/athena/defaults components: terraform: 
@@ -59,15 +58,16 @@ components: ### CloudTrail Integration -Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. This component supports creating -a CloudTrail table for each account and setting up queries to read CloudTrail logs from a centralized location. +Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. This component +supports creating a CloudTrail table for each account and setting up queries to read CloudTrail logs from a centralized +location. -To set up the CloudTrail Integration, first create the `create` and `alter` queries in Athena with this component. When `var.cloudtrail_database` -is defined, this component will create these queries. +To set up the CloudTrail Integration, first create the `create` and `alter` queries in Athena with this component. When +`var.cloudtrail_database` is defined, this component will create these queries. ```yaml import: -- catalog/athena/defaults + - catalog/athena/defaults components: terraform: @@ -80,7 +80,7 @@ components: enabled: true name: athena-audit workgroup_description: "Athena Workgroup for Auditing" - cloudtrail_database : audit + cloudtrail_database: audit databases: audit: comment: "Auditor database for Athena" 
@@ -97,20 +97,20 @@ components: eventtime FROM %s.platform_dev_cloudtrail_logs LIMIT 100; - ``` -Once those are created, run the `create` and then the `alter` queries in the AWS Console to create and then fill the tables in Athena. +Once those are created, run the `create` and then the `alter` queries in the AWS Console to create and then fill the +tables in Athena. :::info Athena runs queries with the permissions of the user executing the query. In order to be able to query CloudTrail logs, -the `audit` account must have access to the KMS key used to encrypt CloudTrails logs. Set `var.audit_access_enabled` to `true` in the `cloudtrail` -component +the `audit` account must have access to the KMS key used to encrypt CloudTrails logs. Set `var.audit_access_enabled` to +`true` in the `cloudtrail` component ::: - + ## Requirements @@ -195,9 +195,12 @@ component | [s3\_bucket\_id](#output\_s3\_bucket\_id) | ID of S3 bucket used for Athena query results. | | [workgroup\_id](#output\_workgroup\_id) | ID of newly created Athena workgroup. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/athena) - Cloud Posse's upstream component -* [Querying AWS CloudTrail logs with AWS Athena](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html) + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/athena) - + Cloud Posse's upstream component +- [Querying AWS CloudTrail logs with AWS Athena](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html) [](https://cpco.io/component) diff --git a/modules/aurora-mysql-resources/README.md b/modules/aurora-mysql-resources/README.md index e958d130c..455544728 100644 --- a/modules/aurora-mysql-resources/README.md +++ b/modules/aurora-mysql-resources/README.md 
@@ -1,8 +1,10 @@ # Component: `aurora-mysql-resources` -This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants, etc. +This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants, +etc. -NOTE: Creating additional users (including read-only users) and databases requires Spacelift, since that action to be done via the mysql provider, and by default only the automation account is whitelisted by the Aurora cluster. +NOTE: Creating additional users (including read-only users) and databases requires Spacelift, since that action to be +done via the mysql provider, and by default only the automation account is whitelisted by the Aurora cluster. ## Usage @@ -10,7 +12,8 @@ NOTE: Creating additional users (including read-only users) and databases requir Here's an example snippet for how to use this component. -`stacks/catalog/aurora-mysql/resources/defaults.yaml` file (base component for Aurora MySQL Resources with default settings): +`stacks/catalog/aurora-mysql/resources/defaults.yaml` file (base component for Aurora MySQL Resources with default +settings): ```yaml components: @@ -22,8 +25,8 @@ components: enabled: true ``` -Example (not actual) -`stacks/uw2-dev.yaml` file (override the default settings for the cluster resources in the `dev` account, create an additional database and user): +Example (not actual) `stacks/uw2-dev.yaml` file (override the default settings for the cluster resources in the `dev` +account, create an additional database and user): ```yaml import: @@ -43,12 +46,13 @@ components: db_user: example db_password: "" grants: - - grant: [ "ALL" ] + - grant: ["ALL"] db: example object_type: database schema: null ``` + ## Requirements 
@@ -124,10 +128,11 @@ components: | [additional\_grants](#output\_additional\_grants) | Additional DB users created | | [additional\_users](#output\_additional\_users) | Additional DB users created | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-mysql-resources) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-mysql-resources) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aurora-mysql/README.md b/modules/aurora-mysql/README.md index 2662da0de..ff8ad6570 100644 --- a/modules/aurora-mysql/README.md +++ b/modules/aurora-mysql/README.md @@ -1,7 +1,7 @@ # Component: `aurora-mysql` -This component is responsible for provisioning Aurora MySQL RDS clusters. -It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store. +This component is responsible for provisioning Aurora MySQL RDS clusters. It seeds relevant database information +(hostnames, username, password, etc.) into AWS SSM Parameter Store. ## Usage 
@@ -78,17 +78,22 @@ components: mysql_db_name: main ``` -Example deployment with primary cluster deployed to us-east-1 in a `platform-dev` account: `atmos terraform apply aurora-mysql/dev -s platform-use1-dev` +Example deployment with primary cluster deployed to us-east-1 in a `platform-dev` account: +`atmos terraform apply aurora-mysql/dev -s platform-use1-dev` ## Disaster Recovery with Cross-Region Replication -This component is designed to support cross-region replication with continuous replication. If enabled and deployed, a secondary cluster will be deployed in a different region than the primary cluster. This approach is highly aggresive and costly, but in a disaster scenario where the primary cluster fails, the secondary cluster can be promoted to take its place. Follow these steps to handle a Disaster Recovery. +This component is designed to support cross-region replication with continuous replication. If enabled and deployed, a +secondary cluster will be deployed in a different region than the primary cluster. This approach is highly aggresive and +costly, but in a disaster scenario where the primary cluster fails, the secondary cluster can be promoted to take its +place. Follow these steps to handle a Disaster Recovery. ### Usage To deploy a secondary cluster for cross-region replication, add the following catalog entries to an alternative region: -Default settings for a secondary, replica cluster. For this example, this file is saved as `stacks/catalog/aurora-mysql/replica/defaults.yaml` +Default settings for a secondary, replica cluster. For this example, this file is saved as +`stacks/catalog/aurora-mysql/replica/defaults.yaml` ```yaml import: 
@@ -136,19 +141,23 @@ components: ### Promoting the Read Replica -Promoting an existing RDS Replicate cluster to a fully standalone cluster is not currently supported by Terraform: https://github.com/hashicorp/terraform-provider-aws/issues/6749 +Promoting an existing RDS Replicate cluster to a fully standalone cluster is not currently supported by Terraform: +https://github.com/hashicorp/terraform-provider-aws/issues/6749 -Instead, promote the Replicate cluster with the AWS CLI command: `aws rds promote-read-replica-db-cluster --db-cluster-identifier ` +Instead, promote the Replicate cluster with the AWS CLI command: +`aws rds promote-read-replica-db-cluster --db-cluster-identifier ` -After promoting the replica, update the stack configuration to prevent future Terrafrom runs from re-enabling replication. In this example, modify `stacks/catalog/aurora-mysql/replica/defaults.yaml` +After promoting the replica, update the stack configuration to prevent future Terrafrom runs from re-enabling +replication. In this example, modify `stacks/catalog/aurora-mysql/replica/defaults.yaml` ```yaml is_promoted_read_replica: true ``` -Reploying the component should show no changes. For example, `atmos terraform apply aurora-mysql/dev -s platform-use2-dev` - +Reploying the component should show no changes. For example, +`atmos terraform apply aurora-mysql/dev -s platform-use2-dev` + ## Requirements 
@@ -266,10 +275,11 @@ Reploying the component should show no changes. For example, `atmos terraform ap | [cluster\_domain](#output\_cluster\_domain) | Cluster DNS name | | [kms\_key\_arn](#output\_kms\_key\_arn) | KMS key ARN for Aurora MySQL | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-mysql) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-mysql) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aurora-postgres-resources/README.md b/modules/aurora-postgres-resources/README.md index ff041f3ba..1c6bc4a95 100644 --- a/modules/aurora-postgres-resources/README.md +++ b/modules/aurora-postgres-resources/README.md @@ -1,6 +1,7 @@ # Component: `aurora-postgres-resources` -This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, grants, etc. +This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, +grants, etc. ## Usage @@ -19,7 +20,7 @@ components: db_user: example db_password: "" grants: - - grant: [ "ALL" ] + - grant: ["ALL"] db: example object_type: database schema: "" 
@@ -27,21 +28,45 @@ components: ## PostgreSQL Quick Reference on Grants -GRANTS can be on database, schema, role, table, and other database objects (e.g. columns in a table for fine control). Database and schema do not have much to grant. The `object_type` field in the input determines which kind of object the grant is being applied to. The `db` field is always required. The `schema` field is required unless the `object_type` is `db`, in which case it should be set to the empty string (`""`). - -The keyword PUBLIC indicates that the privileges are to be granted to all roles, including those that might be created later. PUBLIC can be thought of as an implicitly defined group that always includes all roles. Any particular role will have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and privileges granted to PUBLIC. - -When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To allow other roles to use it, privileges must be granted. (When using AWS managed RDS, you cannot have access to any superuser roles; superuser is reserved for AWS to use to manage the cluster.) - -PostgreSQL grants privileges on some types of objects to PUBLIC by default when the objects are created. No privileges are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large objects, schemas, or tablespaces. For other types of objects, the default privileges granted to PUBLIC are as follows: CONNECT and TEMPORARY (create temporary tables) privileges for databases; EXECUTE privilege for functions and procedures; and USAGE privilege for languages and data types (including domains). The object owner can, of course, REVOKE both default and expressly granted privileges. 
(For maximum security, issue the REVOKE in the same transaction that creates the object; then there is no window in which another user can use the object.) Also, these default privilege settings can be overridden using the ALTER DEFAULT PRIVILEGES command. +GRANTS can be on database, schema, role, table, and other database objects (e.g. columns in a table for fine control). +Database and schema do not have much to grant. The `object_type` field in the input determines which kind of object the +grant is being applied to. The `db` field is always required. The `schema` field is required unless the `object_type` is +`db`, in which case it should be set to the empty string (`""`). + +The keyword PUBLIC indicates that the privileges are to be granted to all roles, including those that might be created +later. PUBLIC can be thought of as an implicitly defined group that always includes all roles. Any particular role will +have the sum of privileges granted directly to it, privileges granted to any role it is presently a member of, and +privileges granted to PUBLIC. + +When an object is created, it is assigned an owner. The owner is normally the role that executed the creation statement. +For most kinds of objects, the initial state is that only the owner (or a superuser) can do anything with the object. To +allow other roles to use it, privileges must be granted. (When using AWS managed RDS, you cannot have access to any +superuser roles; superuser is reserved for AWS to use to manage the cluster.) + +PostgreSQL grants privileges on some types of objects to PUBLIC by default when the objects are created. No privileges +are granted to PUBLIC by default on tables, table columns, sequences, foreign data wrappers, foreign servers, large +objects, schemas, or tablespaces. 
For other types of objects, the default privileges granted to PUBLIC are as follows: +CONNECT and TEMPORARY (create temporary tables) privileges for databases; EXECUTE privilege for functions and +procedures; and USAGE privilege for languages and data types (including domains). The object owner can, of course, +REVOKE both default and expressly granted privileges. (For maximum security, issue the REVOKE in the same transaction +that creates the object; then there is no window in which another user can use the object.) Also, these default +privilege settings can be overridden using the ALTER DEFAULT PRIVILEGES command. The CREATE privilege: -- For databases, allows new schemas and publications to be created within the database, and allows trusted extensions to be installed within the database. -- For schemas, allows new objects to be created within the schema. To rename an existing object, you must own the object and have this privilege for the containing schema. -For databases and schemas, there are not a lot of other privileges to grant, and all but CREATE are granted by default, so you might as well grant "ALL". For tables etc., the creator has full control. You grant access to other users via explicit grants. This component does not allow fine-grained grants. You have to specify the database, and unless the grant is on the database, you have to specify the schema. For any other object type (table, sequence, function, procedure, routine, foreign_data_wrapper, foreign_server, column), the component applies the grants to all objects of that type in the specified schema. +- For databases, allows new schemas and publications to be created within the database, and allows trusted extensions to + be installed within the database. +- For schemas, allows new objects to be created within the schema. To rename an existing object, you must own the object + and have this privilege for the containing schema. 
+For databases and schemas, there are not a lot of other privileges to grant, and all but CREATE are granted by default, +so you might as well grant "ALL". For tables etc., the creator has full control. You grant access to other users via +explicit grants. This component does not allow fine-grained grants. You have to specify the database, and unless the +grant is on the database, you have to specify the schema. For any other object type (table, sequence, function, +procedure, routine, foreign_data_wrapper, foreign_server, column), the component applies the grants to all objects of +that type in the specified schema. + ## Requirements @@ -121,13 +146,15 @@ For databases and schemas, there are not a lot of other privileges to grant, and | [additional\_schemas](#output\_additional\_schemas) | Additional schemas | | [additional\_users](#output\_additional\_users) | Additional users | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-postgres-resources) - Cloud Posse's upstream component -* PostgreSQL references (select the correct version of PostgreSQL at the top of the page): - * [GRANT command](https://www.postgresql.org/docs/14/sql-grant.html) - * [Privileges that can be GRANTed](https://www.postgresql.org/docs/14/ddl-priv.html) +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-postgres-resources) - + Cloud Posse's upstream component + +- PostgreSQL references (select the correct version of PostgreSQL at the top of the page): + - [GRANT command](https://www.postgresql.org/docs/14/sql-grant.html) + - [Privileges that can be GRANTed](https://www.postgresql.org/docs/14/ddl-priv.html) [](https://cpco.io/component) diff --git a/modules/aurora-postgres/README.md b/modules/aurora-postgres/README.md index 1d7c22f6e..4a2ac2e9c 100644 --- a/modules/aurora-postgres/README.md +++ b/modules/aurora-postgres/README.md 
@@ -1,7 +1,7 @@ # Component: `aurora-postgres` -This component is responsible for provisioning Aurora Postgres RDS clusters. -It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store. +This component is responsible for provisioning Aurora Postgres RDS clusters. It seeds relevant database information +(hostnames, username, password, etc.) into AWS SSM Parameter Store. ## Usage @@ -9,7 +9,8 @@ It seeds relevant database information (hostnames, username, password, etc.) int Here's an example for how to use this component. -`stacks/catalog/aurora-postgres/defaults.yaml` file (base component for all Aurora Postgres clusters with default settings): +`stacks/catalog/aurora-postgres/defaults.yaml` file (base component for all Aurora Postgres clusters with default +settings): ```yaml components: @@ -54,10 +55,10 @@ components: allow_ingress_from_vpc_accounts: - tenant: core stage: auto - ``` -Example (not actual) -`stacks/uw2-dev.yaml` file (override the default settings for the cluster in the `dev` account, create an additional database and user): + +Example (not actual) `stacks/uw2-dev.yaml` file (override the default settings for the cluster in the `dev` account, +create an additional database and user): ```yaml import: @@ -72,12 +73,12 @@ components: - aurora-postgres/defaults vars: enabled: true - ``` ### Finding Aurora Engine Version -Use the following to query the AWS API by `engine-mode`. Both provisioned and Serverless v2 use the `privisoned` engine mode, whereas only Serverless v1 uses the `serverless` engine mode. +Use the following to query the AWS API by `engine-mode`. Both provisioned and Serverless v2 use the `privisoned` engine +mode, whereas only Serverless v1 uses the `serverless` engine mode. ```bash aws rds describe-db-engine-versions \ 
@@ -86,7 +87,8 @@ aws rds describe-db-engine-versions \ --filters 'Name=engine-mode,Values=serverless' ``` -Use the following to query AWS API by `db-instance-class`. Use this query to find supported versions for a specific instance class, such as `db.serverless` with Serverless v2. +Use the following to query AWS API by `db-instance-class`. Use this query to find supported versions for a specific +instance class, such as `db.serverless` with Serverless v2. ```bash aws rds describe-orderable-db-instance-options \ @@ -115,7 +117,8 @@ Generally there are three different engine configurations for Aurora: provisione Serverless v1 requires `engine-mode` set to `serverless` uses `scaling_configuration` to configure scaling options. -For valid values, see [ModifyCurrentDBClusterCapacity](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyCurrentDBClusterCapacity.html). +For valid values, see +[ModifyCurrentDBClusterCapacity](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyCurrentDBClusterCapacity.html). ```yaml components: @@ -174,9 +177,11 @@ components: ### Serverless v2 Aurora Postgres -Aurora Postgres Serverless v2 uses the `provisioned` engine mode with `db.serverless` instances. In order to configure scaling with Serverless v2, use `var.serverlessv2_scaling_configuration`. +Aurora Postgres Serverless v2 uses the `provisioned` engine mode with `db.serverless` instances. In order to configure +scaling with Serverless v2, use `var.serverlessv2_scaling_configuration`. -For more on valid scaling configurations, see [Performance and scaling for Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.setting-capacity.html). +For more on valid scaling configurations, see +[Performance and scaling for Aurora Serverless v2](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.setting-capacity.html). ```yaml components: 
@@ -230,6 +235,7 @@ components: additional_users: {} ``` + ## Requirements @@ -355,10 +361,11 @@ components: | [replicas\_hostname](#output\_replicas\_hostname) | Postgres replicas hostname | | [ssm\_key\_paths](#output\_ssm\_key\_paths) | Names (key paths) of all SSM parameters stored for this cluster | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-postgres) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aurora-postgres) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aws-backup/README.md b/modules/aws-backup/README.md index 66cdc0748..be1f946b9 100644 --- a/modules/aws-backup/README.md +++ b/modules/aws-backup/README.md @@ -10,7 +10,8 @@ Here's an example snippet for how to use this component. ### Component Abstraction and Separation -By separating the "common" settings from the component, we can first provision the IAM Role and AWS Backup Vault to prepare resources for future use without incuring cost. +By separating the "common" settings from the component, we can first provision the IAM Role and AWS Backup Vault to +prepare resources for future use without incuring cost. For example, `stacks/catalog/aws-backup/common`: @@ -37,8 +38,7 @@ components: iam_role_enabled: true # this will be reused vault_enabled: true # this will be reused plan_enabled: false - -## Please be careful when enabling backup_vault_lock_configuration, +## Please be careful when enabling backup_vault_lock_configuration, # backup_vault_lock_configuration: ## `changeable_for_days` enables compliance mode and once the lock is set, the retention policy cannot be changed unless through account deletion! # changeable_for_days: 36500 
@@ -46,9 +46,11 @@ components: # min_retention_days: 1 ``` -Then if we would like to deploy the component into a given stacks we can import the following to deploy our backup plans. +Then if we would like to deploy the component into a given stacks we can import the following to deploy our backup +plans. -Since most of these values are shared and common, we can put them in a `catalog/aws-backup/` yaml file and share them across environments. +Since most of these values are shared and common, we can put them in a `catalog/aws-backup/` yaml file and share them +across environments. This makes deploying the same configuration to multiple environments easy. @@ -160,7 +162,8 @@ The above configuration can be used to deploy a new backup to a new region. ### Adding Resources to the Backup - Adding Tags -Once an `aws-backup` with a plan and `selection_tags` has been established we can begin adding resources for it to backup by using the tagging method. +Once an `aws-backup` with a plan and `selection_tags` has been established we can begin adding resources for it to +backup by using the tagging method. This only requires that we add tags to the resources we wish to backup, which can be done with the following snippet: @@ -175,11 +178,13 @@ components: Just ensure the tag key-value pair matches what was added to your backup plan and aws will take care of the rest. - ### Copying across regions -If we want to create a backup vault in another region that we can copy to, then we need to create another vault, and then specify that we want to copy to it. + +If we want to create a backup vault in another region that we can copy to, then we need to create another vault, and +then specify that we want to copy to it. To create a vault in a region simply: + ```yaml components: terraform: 
@@ -188,7 +193,9 @@ components: plan_enabled: false # disables the plan (which schedules resource backups) ``` -This will output an ARN - which you can then use as the destination in the rule object's `copy_action` (it will be specific to that particular plan), as seen in the following snippet: +This will output an ARN - which you can then use as the destination in the rule object's `copy_action` (it will be +specific to that particular plan), as seen in the following snippet: + ```yaml components: terraform: 
@@ -217,31 +224,38 @@ components: To enable backup lock configuration, you can use the following snippet: -* [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) +- [AWS Backup Vault Lock](https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html) #### Compliance Mode -Vaults locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires. During grace time, you can still remove the vault lock and change the lock configuration. -To enable **Compliance Mode**, set `changeable_for_days` to a value greater than 0. Once the lock is set, the retention policy cannot be changed unless through account deletion! +Vaults locked in compliance mode cannot be deleted once the cooling-off period ("grace time") expires. During grace +time, you can still remove the vault lock and change the lock configuration. + +To enable **Compliance Mode**, set `changeable_for_days` to a value greater than 0. Once the lock is set, the retention +policy cannot be changed unless through account deletion! + ```yaml -# Please be careful when enabling backup_vault_lock_configuration, - backup_vault_lock_configuration: -# `changeable_for_days` enables compliance mode and once the lock is set, the retention policy cannot be changed unless through account deletion! - changeable_for_days: 36500 - max_retention_days: 365 - min_retention_days: 1 +# Please be careful when enabling backup_vault_lock_configuration, +backup_vault_lock_configuration: + # `changeable_for_days` enables compliance mode and once the lock is set, the retention policy cannot be changed unless through account deletion! + changeable_for_days: 36500 + max_retention_days: 365 + min_retention_days: 1 ``` #### Governance Mode + Vaults locked in governance mode can have the lock removed by users with sufficient IAM permissions. 
To enable **governance mode** + ```yaml - backup_vault_lock_configuration: - max_retention_days: 365 - min_retention_days: 1 +backup_vault_lock_configuration: + max_retention_days: 365 + min_retention_days: 1 ``` + ## Requirements @@ -311,11 +325,12 @@ No resources. | [backup\_vault\_arn](#output\_backup\_vault\_arn) | Backup Vault ARN | | [backup\_vault\_id](#output\_backup\_vault\_id) | Backup Vault ID | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-backup) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-backup) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aws-config/README.md b/modules/aws-config/README.md index c63e3b6d7..481850a1c 100644 --- a/modules/aws-config/README.md +++ b/modules/aws-config/README.md 
@@ -2,40 +2,51 @@ This component is responsible for configuring AWS Config. -AWS Config service enables you to track changes to your AWS resources over time. It continuously monitors and records configuration changes to your AWS resources and provides you with a detailed view of the relationships between those resources. With AWS Config, you can assess, audit, and evaluate the configurations of your AWS resources for compliance, security, and governance purposes. +AWS Config service enables you to track changes to your AWS resources over time. It continuously monitors and records +configuration changes to your AWS resources and provides you with a detailed view of the relationships between those +resources. With AWS Config, you can assess, audit, and evaluate the configurations of your AWS resources for compliance, +security, and governance purposes. Some of the key features of AWS Config include: -- Configuration history: AWS Config maintains a detailed history of changes to your AWS resources, allowing you to see when changes were made, who made them, and what the changes were. -- Configuration snapshots: AWS Config can take periodic snapshots of your AWS resources configurations, giving you a point-in-time view of their configuration. -- Compliance monitoring: AWS Config provides a range of pre-built rules and checks to monitor your resources for compliance with best practices and industry standards. -- Relationship mapping: AWS Config can map the relationships between your AWS resources, enabling you to see how changes to one resource can impact others. -- Notifications and alerts: AWS Config can send notifications and alerts when changes are made to your AWS resources that could impact their compliance or security posture. -Overall, AWS Config provides you with a powerful toolset to help you monitor and manage the configurations of your AWS resources, ensuring that they remain compliant, secure, and properly configured over time. 
+- Configuration history: AWS Config maintains a detailed history of changes to your AWS resources, allowing you to see + when changes were made, who made them, and what the changes were. +- Configuration snapshots: AWS Config can take periodic snapshots of your AWS resources configurations, giving you a + point-in-time view of their configuration. +- Compliance monitoring: AWS Config provides a range of pre-built rules and checks to monitor your resources for + compliance with best practices and industry standards. +- Relationship mapping: AWS Config can map the relationships between your AWS resources, enabling you to see how changes + to one resource can impact others. +- Notifications and alerts: AWS Config can send notifications and alerts when changes are made to your AWS resources + that could impact their compliance or security posture. + +Overall, AWS Config provides you with a powerful toolset to help you monitor and manage the configurations of your AWS +resources, ensuring that they remain compliant, secure, and properly configured over time. 
## Prerequisites -As part of [CIS AWS Foundations 1.20](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20), this component assumes that a designated support IAM role with the following permissions has been deployed to every account in the organization: +As part of +[CIS AWS Foundations 1.20](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20), +this component assumes that a designated support IAM role with the following permissions has been deployed to every +account in the organization: ```json { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowSupport", - "Effect": "Allow", - "Action": [ - "support:*" - ], - "Resource": "*" - }, - { - "Sid": "AllowTrustedAdvisor", - "Effect": "Allow", - "Action": "trustedadvisor:Describe*", - "Resource": "*" - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSupport", + "Effect": "Allow", + "Action": ["support:*"], + "Resource": "*" + }, + { + "Sid": "AllowTrustedAdvisor", + "Effect": "Allow", + "Action": "trustedadvisor:Describe*", + "Resource": "*" + } + ] } ``` @@ -47,7 +58,8 @@ Before deploying this AWS Config component `config-bucket` and `cloudtrail-bucke _**NOTE**: Since AWS Config is regional AWS service, this component needs to be deployed to all regions._ -At the AWS Organizational level, the Components designate an account to be the `central collection account` and a single region to be the `central collection region` so that compliance information can be aggregated into a central location. +At the AWS Organizational level, the Components designate an account to be the `central collection account` and a single +region to be the `central collection region` so that compliance information can be aggregated into a central location. Logs are typically written to the `audit` account and AWS Config deployed into to the `security` account. 
@@ -58,7 +70,7 @@ components: terraform: aws-config: vars: - enabled: true + enabled: true account_map_tenant: core az_abbreviation_type: fixed # In each AWS account, an IAM role should be created in the main region. @@ -110,6 +122,7 @@ Apply aws-config to all stacks in all stages. atmos terraform plan aws-config-{each region} --stack {each region}-{each stage} ``` + ## Requirements @@ -197,12 +210,13 @@ atmos terraform plan aws-config-{each region} --stack {each region}-{each stage} | [storage\_bucket\_arn](#output\_storage\_bucket\_arn) | Storage Config bucket ARN | | [storage\_bucket\_id](#output\_storage\_bucket\_id) | Storage Config bucket ID | - + ## References -* [AWS Config Documentation](https://docs.aws.amazon.com/config/index.html) -* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-config) -* [Conformance Packs documentation](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) -* [AWS Managed Sample Conformance Packs](https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs) + +- [AWS Config Documentation](https://docs.aws.amazon.com/config/index.html) +- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-config) +- [Conformance Packs documentation](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) +- [AWS Managed Sample Conformance Packs](https://github.com/awslabs/aws-config-rules/tree/master/aws-config-conformance-packs) [](https://cpco.io/component) diff --git a/modules/aws-inspector/README.md b/modules/aws-inspector/README.md index 5f75652c4..679d122d5 100644 --- a/modules/aws-inspector/README.md +++ b/modules/aws-inspector/README.md 
@@ -1,21 +1,36 @@ # Component: `aws-inspector` -This component is responsible for provisioning an [AWS Inspector](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) by installing the [Inspector agent](https://repost.aws/knowledge-center/set-up-amazon-inspector) across all EC2 instances and applying the Inspector rules. +This component is responsible for provisioning an +[AWS Inspector](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) by installing the +[Inspector agent](https://repost.aws/knowledge-center/set-up-amazon-inspector) across all EC2 instances and applying the +Inspector rules. -AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security vulnerabilities and deviations from security best practices. +AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate +the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically +assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security vulnerabilities +and deviations from security best practices. Here are some key features and functionalities of AWS Inspector: -- **Security Assessments:** AWS Inspector performs security assessments by analyzing the behavior of your resources and identifying potential security vulnerabilities. It examines the network configuration, operating system settings, and installed software to detect common security issues. -- **Vulnerability Detection:** AWS Inspector uses a predefined set of rules to identify common vulnerabilities, misconfigurations, and security exposures. 
It leverages industry-standard security best practices and continuously updates its knowledge base to stay current with emerging threats. +- **Security Assessments:** AWS Inspector performs security assessments by analyzing the behavior of your resources and + identifying potential security vulnerabilities. It examines the network configuration, operating system settings, and + installed software to detect common security issues. -- **Agent-Based Architecture:** AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on your EC2 instances. The agent collects data about the system and its configuration, securely sends it to AWS Inspector, and allows for more accurate and detailed assessments. +- **Vulnerability Detection:** AWS Inspector uses a predefined set of rules to identify common vulnerabilities, + misconfigurations, and security exposures. It leverages industry-standard security best practices and continuously + updates its knowledge base to stay current with emerging threats. -- **Security Findings:** After performing an assessment, AWS Inspector generates detailed findings that highlight security vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you prioritize and address security issues within your AWS environment. - -- **Integration with AWS Services:** AWS Inspector seamlessly integrates with other AWS services, such as AWS CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage findings, and centralize security information across your AWS infrastructure. +- **Agent-Based Architecture:** AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on + your EC2 instances. The agent collects data about the system and its configuration, securely sends it to AWS + Inspector, and allows for more accurate and detailed assessments. 
+- **Security Findings:** After performing an assessment, AWS Inspector generates detailed findings that highlight + security vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you + prioritize and address security issues within your AWS environment. +- **Integration with AWS Services:** AWS Inspector seamlessly integrates with other AWS services, such as AWS + CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage + findings, and centralize security information across your AWS infrastructure. ## Usage 
@@ -32,13 +47,23 @@ components: enabled_rules: - cis ``` -The `aws-inspector` component can be included in your Terraform stack configuration. In the provided example, it is enabled with the `enabled` variable set to `true`. The `enabled_rules` variable specifies a list of rules to enable, and in this case, it includes the `cis` rule. -To simplify rule selection, the short forms of the rules are used for the `enabled_rules` key. These short forms automatically retrieve the appropriate ARN for the rule package based on the region being used. You can find a list of available short forms and their corresponding rule packages in the [var.enabled_rules](https://github.com/cloudposse/terraform-aws-inspector#input_enabled_rules) input documentation. -For a comprehensive list of rules and their corresponding ARNs, you can refer to the [Amazon Inspector ARNs for rules packages](https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rules-arns.html) documentation. This resource provides detailed information on various rules that can be used with AWS Inspector and their unique identifiers (ARNs). +The `aws-inspector` component can be included in your Terraform stack configuration. In the provided example, it is +enabled with the `enabled` variable set to `true`. The `enabled_rules` variable specifies a list of rules to enable, and +in this case, it includes the `cis` rule. To simplify rule selection, the short forms of the rules are used for the +`enabled_rules` key. These short forms automatically retrieve the appropriate ARN for the rule package based on the +region being used. You can find a list of available short forms and their corresponding rule packages in the +[var.enabled_rules](https://github.com/cloudposse/terraform-aws-inspector#input_enabled_rules) input documentation. 
+ +For a comprehensive list of rules and their corresponding ARNs, you can refer to the +[Amazon Inspector ARNs for rules packages](https://docs.aws.amazon.com/inspector/latest/userguide/inspector_rules-arns.html) +documentation. This resource provides detailed information on various rules that can be used with AWS Inspector and +their unique identifiers (ARNs). -By customizing the configuration with the appropriate rules, you can tailor the security assessments performed by AWS Inspector to meet the specific requirements and compliance standards of your applications and infrastructure. +By customizing the configuration with the appropriate rules, you can tailor the security assessments performed by AWS +Inspector to meet the specific requirements and compliance standards of your applications and infrastructure. + ## Requirements @@ -98,6 +123,10 @@ By customizing the configuration with the appropriate rules, you can tailor the |------|-------------| | [inspector](#output\_inspector) | The AWS Inspector module outputs | + + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component -[](https://cpco.io/component) + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component + [](https://cpco.io/component) diff --git a/modules/aws-inspector2/README.md b/modules/aws-inspector2/README.md index ba6324d68..e40a45838 100644 --- a/modules/aws-inspector2/README.md +++ b/modules/aws-inspector2/README.md 
@@ -8,13 +8,19 @@ This component is responsible for configuring Inspector V2 within an AWS Organiz ## Deployment Overview -The deployment of this component requires multiple runs with different variable settings to properly configure the AWS Organization. First, you delegate Inspector V2 central management to the Administrator account (usually `security` account). After the Adminstrator account is delegated, we configure the it to manage Inspector V2 across all the Organization accounts and send all their findings to that account. +The deployment of this component requires multiple runs with different variable settings to properly configure the AWS +Organization. First, you delegate Inspector V2 central management to the Administrator account (usually `security` +account). After the Adminstrator account is delegated, we configure the it to manage Inspector V2 across all the +Organization accounts and send all their findings to that account. -In the examples below, we assume that the AWS Organization Management account is `root` and the AWS Organization Delegated Administrator account is `security`. +In the examples below, we assume that the AWS Organization Management account is `root` and the AWS Organization +Delegated Administrator account is `security`. ### Deploy to Organization Management Account -First, the component is deployed to the AWS Organization Management account `root` in each region in order to configure the [AWS Delegated Administrator account](https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html) that operates Amazon Inspector V2. +First, the component is deployed to the AWS Organization Management account `root` in each region in order to configure +the [AWS Delegated Administrator account](https://docs.aws.amazon.com/inspector/latest/user/designating-admin.html) that +operates Amazon Inspector V2. ```yaml # ue1-root 
@@ -30,7 +36,10 @@ components: ### Deploy Organization Settings in Delegated Administrator Account -Now the component can be deployed to the Delegated Administrator Account `security` to create the organization-wide configuration for all the Organization accounts. Note that `var.admin_delegated` set to `true` indicates that the delegation has already been performed from the Organization Management account, and only the resources required for organization-wide configuration will be created. +Now the component can be deployed to the Delegated Administrator Account `security` to create the organization-wide +configuration for all the Organization accounts. Note that `var.admin_delegated` set to `true` indicates that the +delegation has already been performed from the Organization Management account, and only the resources required for +organization-wide configuration will be created. ```yaml # ue1-security @@ -45,6 +54,7 @@ components: admin_delegated: true ``` + ## Requirements @@ -120,6 +130,7 @@ components: |------|-------------| | [aws\_inspector2\_member\_association](#output\_aws\_inspector2\_member\_association) | The Inspector2 member association resource. | + ## References diff --git a/modules/aws-saml/README.md b/modules/aws-saml/README.md index 67e14c855..94f2ccece 100644 --- a/modules/aws-saml/README.md +++ b/modules/aws-saml/README.md 
@@ -1,6 +1,8 @@ # Component: `aws-saml` -This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM. +This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an +Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user +and corresponding Access Key pair which is pushed into AWS SSM. ## Usage @@ -22,6 +24,7 @@ components: example-gsuite: GoogleIDPMetadata-example.com.xml ``` + ## Requirements @@ -85,10 +88,11 @@ components: | [saml\_provider\_arns](#output\_saml\_provider\_arns) | Map of SAML provider names to provider ARNs | | [saml\_provider\_assume\_role\_policy](#output\_saml\_provider\_assume\_role\_policy) | JSON "assume role" policy document to use for roles allowed to log in via SAML | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sso) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sso) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aws-shield/README.md b/modules/aws-shield/README.md index 78fd384a0..500f9785b 100644 --- a/modules/aws-shield/README.md +++ b/modules/aws-shield/README.md 
@@ -2,16 +2,16 @@ This component is responsible for enabling AWS Shield Advanced Protection for the following resources: -* Application Load Balancers (ALBs) -* CloudFront Distributions -* Elastic IPs -* Route53 Hosted Zones +- Application Load Balancers (ALBs) +- CloudFront Distributions +- Elastic IPs +- Route53 Hosted Zones -This component assumes that resources it is configured to protect are not already protected by other components -that have their `xxx_aws_shield_protection_enabled` variable set to `true`. +This component assumes that resources it is configured to protect are not already protected by other components that +have their `xxx_aws_shield_protection_enabled` variable set to `true`. -This component also requires that the account where the component is being provisioned to has -been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). +This component also requires that the account where the component is being provisioned to has been +[subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). ## Usage 
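Review bot: the reflowed sentence keeps the dangling preposition "the account where the component is being provisioned to has been [subscribed to AWS Shield Advanced]". While the line is being touched anyway, suggest "the account the component is being provisioned into has been subscribed to AWS Shield Advanced", which reads cleanly and keeps the link text intact.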
@@ -80,10 +80,12 @@ components: - 35.171.70.50 ``` -Stack configurations which rely on components with a `xxx_aws_shield_protection_enabled` variable should set that variable to `true` -and leave the corresponding variable for this component as empty, relying on that component's AWS Shield Advanced functionality instead. -This leads to more simplified inter-component dependencies and minimizes the need for maintaining the provisioning order during a cold-start. +Stack configurations which rely on components with a `xxx_aws_shield_protection_enabled` variable should set that +variable to `true` and leave the corresponding variable for this component as empty, relying on that component's AWS +Shield Advanced functionality instead. This leads to more simplified inter-component dependencies and minimizes the need +for maintaining the provisioning order during a cold-start. + ## Requirements @@ -159,9 +161,11 @@ This leads to more simplified inter-component dependencies and minimizes the nee | [elastic\_ip\_protections](#output\_elastic\_ip\_protections) | AWS Shield Advanced Protections for Elastic IPs | | [route53\_hosted\_zone\_protections](#output\_route53\_hosted\_zone\_protections) | AWS Shield Advanced Protections for Route53 Hosted Zones | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-shield) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-shield) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aws-sso/README.md b/modules/aws-sso/README.md index bcdb80a90..e351537be 100644 --- a/modules/aws-sso/README.md +++ b/modules/aws-sso/README.md 
@@ -1,8 +1,10 @@ # Component: `aws-sso` -This component is responsible for creating [AWS SSO Permission Sets][1] and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts. +This component is responsible for creating [AWS SSO Permission Sets][1] and creating AWS SSO Account Assignments, that +is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts. -This component assumes that AWS SSO has already been enabled via the AWS Console (there isn't terraform or AWS CLI support for this currently) and that the IdP has been configured to sync users and groups to AWS SSO. +This component assumes that AWS SSO has already been enabled via the AWS Console (there isn't terraform or AWS CLI +support for this currently) and that the IdP has been configured to sync users and groups to AWS SSO. ## Usage 
@@ -16,27 +18,34 @@ This component assumes that AWS SSO has already been enabled via the AWS Console #### Delegation no longer recommended Previously, Cloud Posse recommended delegating SSO to the identity account by following the next 2 steps: + 1. Click Settings > Management 1. Delegate Identity as an administrator. This can take up to 30 minutes to take effect. -However, this is no longer recommended. Because the delegated SSO administrator cannot make changes in the `root` account -and this component needs to be able to make changes in the `root` account, any purported security advantage achieved by -delegating SSO to the `identity` account is lost. +However, this is no longer recommended. Because the delegated SSO administrator cannot make changes in the `root` +account and this component needs to be able to make changes in the `root` account, any purported security advantage +achieved by delegating SSO to the `identity` account is lost. -Nevertheless, it is also not worth the effort to remove the delegation. If you have already delegated SSO to the `identity`, -continue on, leaving the stack configuration in the `gbl-identity` stack rather than the currently recommended `gbl-root` stack. +Nevertheless, it is also not worth the effort to remove the delegation. If you have already delegated SSO to the +`identity`, continue on, leaving the stack configuration in the `gbl-identity` stack rather than the currently +recommended `gbl-root` stack. ### Google Workspace :::important -> Your identity source is currently configured as 'External identity provider'. To add new groups or edit their memberships, you must do this using your external identity provider. +> Your identity source is currently configured as 'External identity provider'. To add new groups or edit their +> memberships, you must do this using your external identity provider. Groups _cannot_ be created with ClickOps in the AWS console and instead must be created with AWS API. 
::: -Google Workspace is now supported by AWS Identity Center, but Group creation is not automatically handled. After [configuring SAML and SCIM with Google Workspace and IAM Identity Center following the AWS documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html), add any Group name to `var.groups` to create the Group with Terraform. Once the setup steps as described in the AWS documentation have been completed and the Groups are created with Terraform, Users should automatically populate each created Group. +Google Workspace is now supported by AWS Identity Center, but Group creation is not automatically handled. After +[configuring SAML and SCIM with Google Workspace and IAM Identity Center following the AWS documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html), +add any Group name to `var.groups` to create the Group with Terraform. Once the setup steps as described in the AWS +documentation have been completed and the Groups are created with Terraform, Users should automatically populate each +created Group. ```yaml components: @@ -50,13 +59,14 @@ components: ### Atmos -**Stack Level**: Global -**Deployment**: Must be deployed by root-admin using `atmos` CLI +**Stack Level**: Global **Deployment**: Must be deployed by root-admin using `atmos` CLI Add catalog to `gbl-root` root stack. #### `account_assignments` -The `account_assignments` setting configures access to permission sets for users and groups in accounts, in the following structure: + +The `account_assignments` setting configures access to permission sets for users and groups in accounts, in the +following structure: ```yaml : 
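Review bot: in the Atmos hunk, prettier has collapsed the two metadata lines into a single paragraph: `**Stack Level**: Global **Deployment**: Must be deployed by root-admin using `atmos` CLI`. The original had no blank line or hard break between them, so in rendered Markdown they were already one paragraph, but the intent is clearly two separate lines. Put a blank line between them (or end the first line with a trailing backslash) so they render as two lines and prettier stops merging them.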
@@ -71,11 +81,17 @@ The `account_assignments` setting configures access to permission sets for users ``` - The account names (a.k.a. "stages") must already be configured via the `accounts` component. -- The user and group names must already exist in AWS SSO. Usually this is accomplished by configuring them in Okta and syncing Okta with AWS SSO. -- The permission sets are defined (by convention) in files names `policy-.tf` in the `aws-sso` component. The definition includes the name of the permission set. See `components/terraform/aws-sso/policy-AdminstratorAccess.tf` for an example. +- The user and group names must already exist in AWS SSO. Usually this is accomplished by configuring them in Okta and + syncing Okta with AWS SSO. +- The permission sets are defined (by convention) in files names `policy-.tf` in the `aws-sso` + component. The definition includes the name of the permission set. See + `components/terraform/aws-sso/policy-AdminstratorAccess.tf` for an example. #### `identity_roles_accessible` -The `identity_roles_accessible` element provides a list of role names corresponding to roles created in the `iam-primary-roles` component. For each named role, a corresponding permission set will be created which allows the user to assume that role. The permission set name is generated in Terraform from the role name using this statement: + +The `identity_roles_accessible` element provides a list of role names corresponding to roles created in the +`iam-primary-roles` component. For each named role, a corresponding permission set will be created which allows the user +to assume that role. The permission set name is generated in Terraform from the role name using this statement: ``` format("Identity%sTeamAccess", replace(title(role), "-", "")) 
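Review bot: the example filename `components/terraform/aws-sso/policy-AdminstratorAccess.tf` is spelled differently from the `AdministratorAccess` permission set referenced later in the same README; if the file on disk is really `policy-AdministratorAccess.tf` this is a docs typo that the reflow should carry along, otherwise the filename itself deserves a fix. In the same bullet, "in files names `policy-.tf`" should read "in files named `policy-.tf`".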
@@ -83,53 +99,57 @@ format("Identity%sTeamAccess", replace(title(role), "-", "")) ### Defining a new permission set -1. Give the permission set a name, capitalized, in CamelCase, e.g. `AuditManager`. We will use `NAME` as a - placeholder for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. +1. Give the permission set a name, capitalized, in CamelCase, e.g. `AuditManager`. We will use `NAME` as a placeholder + for the name in the instructions below. In Terraform, convert the name to lowercase snake case, e.g. `audit_manager`. 2. Create a file in the `aws-sso` directory with the name `policy-NAME.tf`. 3. In that file, create a policy as follows: - ```hcl - data "aws_iam_policy_document" "TerraformUpdateAccess" { - # Define the custom policy here - } - - locals { - NAME_permission_set = { # e.g. audit_manager_permission_set - name = "NAME", # e.g. AuditManager - description = "", - relay_state = "", - session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles - tags = {}, - inline_policy = data.aws_iam_policy_document.NAME.json, - policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess - customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach - } - } - ``` -4. Create a file named `additional-permission-sets-list_override.tf` in the `aws-sso` directory (if it does not already exist). - This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), meaning its - contents will be merged with the main terraform file, and any locals defined in it will override locals defined in other files. - Having your code in this separate override file makes it possible for the component to provide a placeholder local variable - so that it works without customization, while allowing you to customize the component and still update it without losing your customizations. 
+ ```hcl + data "aws_iam_policy_document" "TerraformUpdateAccess" { + # Define the custom policy here + } + + locals { + NAME_permission_set = { # e.g. audit_manager_permission_set + name = "NAME", # e.g. AuditManager + description = "", + relay_state = "", + session_duration = "PT1H", # One hour, maximum allowed for chained assumed roles + tags = {}, + inline_policy = data.aws_iam_policy_document.NAME.json, + policy_attachments = [] # ARNs of AWS managed IAM policies to attach, e.g. arn:aws:iam::aws:policy/ReadOnlyAccess + customer_managed_policy_attachments = [] # ARNs of customer managed IAM policies to attach + } + } + ``` + +4. Create a file named `additional-permission-sets-list_override.tf` in the `aws-sso` directory (if it does not already + exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), + meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals + defined in other files. Having your code in this separate override file makes it possible for the component to + provide a placeholder local variable so that it works without customization, while allowing you to customize the + component and still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_permission_sets` as follows: - ```hcl - locals { - overridable_additional_permission_sets = [ - local.NAME_permission_set, - ] - } - ``` + ```hcl + locals { + overridable_additional_permission_sets = [ + local.NAME_permission_set, + ] + } + ``` If you have multiple custom policies, add each one to the list. -6. With that done, the new permission set will be created when the changes are applied. - You can then use it just like the others. -7. If you want the permission set to be able to use Terraform, enable access to the - Terraform state read/write (default) role in `tfstate-backend`. +6. 
With that done, the new permission set will be created when the changes are applied. You can then use it just like + the others. +7. If you want the permission set to be able to use Terraform, enable access to the Terraform state read/write (default) + role in `tfstate-backend`. #### Example -The example snippet below shows how to use this module with various combinations (plain YAML, YAML Anchors and a combination of the two): + +The example snippet below shows how to use this module with various combinations (plain YAML, YAML Anchors and a +combination of the two): ```yaml prod-cloud-engineers: &prod-cloud-engineers @@ -171,12 +191,13 @@ components: - AdministratorAccess - ReadOnlyAccess aws_teams_accessible: - - "developers" - - "devops" - - "managers" - - "support" + - "developers" + - "devops" + - "managers" + - "support" ``` + ## Requirements @@ -254,6 +275,7 @@ components: | [permission\_sets](#output\_permission\_sets) | Permission sets | | [sso\_account\_assignments](#output\_sso\_account\_assignments) | SSO account assignments | + ## References 
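Review bot: in the "Defining a new permission set" HCL example, the data source is declared as `data "aws_iam_policy_document" "TerraformUpdateAccess"` but the permission set reads `inline_policy = data.aws_iam_policy_document.NAME.json`, so a reader who follows the steps literally gets a reference to a data source that does not exist. Name the data source `NAME` (e.g. `audit_manager`) in the declaration so it matches the reference and the `policy-NAME.tf` convention described in step 2. The re-indentation of the fenced blocks to three spaces under the ordered list items is correct for CommonMark and fine to keep.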
@@ -261,43 +283,43 @@ components: [][40] -[1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html -[2]: #requirement%5C_terraform -[3]: #requirement%5C_aws -[4]: #requirement%5C_external -[5]: #requirement%5C_local -[6]: #requirement%5C_template -[7]: #requirement%5C_utils -[8]: #provider%5C_aws -[9]: #module%5C_account%5C_map -[10]: #module%5C_permission%5C_sets -[11]: #module%5C_role%5C_prefix -[12]: #module%5C_sso%5C_account%5C_assignments -[13]: #module%5C_this -[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[17]: #input%5C_account%5C_assignments -[18]: #input%5C_additional%5C_tag%5C_map -[19]: #input%5C_attributes -[20]: #input%5C_context -[21]: #input%5C_delimiter -[22]: #input%5C_enabled -[23]: #input%5C_environment -[24]: #input%5C_global%5C_environment%5C_name -[25]: #input%5C_iam%5C_primary%5C_roles%5C_stage%5C_name -[26]: #input%5C_id%5C_length%5C_limit -[27]: #input%5C_identity%5C_roles%5C_accessible -[28]: #input%5C_label%5C_key%5C_case -[29]: #input%5C_label%5C_order -[30]: #input%5C_label%5C_value%5C_case -[31]: #input%5C_name -[32]: #input%5C_namespace -[33]: #input%5C_privileged -[34]: #input%5C_regex%5C_replace%5C_chars -[35]: #input%5C_region -[36]: #input%5C_root%5C_account%5C_stage%5C_name -[37]: #input%5C_stage -[38]: #input%5C_tags -[39]: https://github.com/cloudposse/terraform-aws-sso -[40]: https://cpco.io/component +[1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html +[2]: #requirement%5C_terraform +[3]: #requirement%5C_aws +[4]: #requirement%5C_external +[5]: #requirement%5C_local +[6]: #requirement%5C_template +[7]: #requirement%5C_utils +[8]: #provider%5C_aws +[9]: #module%5C_account%5C_map +[10]: 
#module%5C_permission%5C_sets +[11]: #module%5C_role%5C_prefix +[12]: #module%5C_sso%5C_account%5C_assignments +[13]: #module%5C_this +[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[17]: #input%5C_account%5C_assignments +[18]: #input%5C_additional%5C_tag%5C_map +[19]: #input%5C_attributes +[20]: #input%5C_context +[21]: #input%5C_delimiter +[22]: #input%5C_enabled +[23]: #input%5C_environment +[24]: #input%5C_global%5C_environment%5C_name +[25]: #input%5C_iam%5C_primary%5C_roles%5C_stage%5C_name +[26]: #input%5C_id%5C_length%5C_limit +[27]: #input%5C_identity%5C_roles%5C_accessible +[28]: #input%5C_label%5C_key%5C_case +[29]: #input%5C_label%5C_order +[30]: #input%5C_label%5C_value%5C_case +[31]: #input%5C_name +[32]: #input%5C_namespace +[33]: #input%5C_privileged +[34]: #input%5C_regex%5C_replace%5C_chars +[35]: #input%5C_region +[36]: #input%5C_root%5C_account%5C_stage%5C_name +[37]: #input%5C_stage +[38]: #input%5C_tags +[39]: https://github.com/cloudposse/terraform-aws-sso +[40]: https://cpco.io/component diff --git a/modules/aws-ssosync/README.md b/modules/aws-ssosync/README.md index f02653193..d4bc7384a 100644 --- a/modules/aws-ssosync/README.md +++ b/modules/aws-ssosync/README.md 
@@ -4,17 +4,20 @@ Deploys [AWS ssosync](https://github.com/awslabs/ssosync) to sync Google Groups AWS `ssosync` is a Lambda application that regularly manages Identity Store users. -This component requires manual deployment by a privileged user because it deploys a role in the root or identity management account. +This component requires manual deployment by a privileged user because it deploys a role in the root or identity +management account. ## Usage -You should be able to deploy the `aws-ssosync` component to the same account as `aws-sso`. Typically that is the `core-gbl-root` or `gbl-root` stack. -**Stack Level**: Global -**Deployment**: Must be deployed by `managers` or SuperAdmin using `atmos` CLI +You should be able to deploy the `aws-ssosync` component to the same account as `aws-sso`. Typically that is the +`core-gbl-root` or `gbl-root` stack. + +**Stack Level**: Global **Deployment**: Must be deployed by `managers` or SuperAdmin using `atmos` CLI The following is an example snippet for how to use this component: (`stacks/catalog/aws-ssosync.yaml`) + ```yaml components: terraform: @@ -31,8 +34,8 @@ components: schedule_expression: "rate(15 minutes)" ``` -We recommend following a similar process to what the [AWS ssosync](https://github.com/awslabs/ssosync) -documentation recommends. +We recommend following a similar process to what the [AWS ssosync](https://github.com/awslabs/ssosync) documentation +recommends. ### Deployment 
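Review bot: same regression as in the aws-sso README: `**Stack Level**: Global **Deployment**: Must be deployed by `managers` or SuperAdmin using `atmos` CLI` is now one line. Separate the two with a blank line (or a trailing backslash on the first) so they render as two lines and prettier leaves them that way.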
@@ -44,24 +47,22 @@ Overview of steps: 1. Deploy the `aws-ssosync` component 1. Deploy the `aws-sso` component - #### 1. Configure AWS IAM Identity Center (AWS SSO) -Follow [AWS documentation to configure SAML and SCIM with Google Workspace and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html). +Follow +[AWS documentation to configure SAML and SCIM with Google Workspace and IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html). -As part of this process, save the SCIM endpoint token and URL. Then in AWS SSM Parameter Store, -create two `SecureString` parameters in the same account used for AWS SSO. -This is usually the root account in the primary region. +As part of this process, save the SCIM endpoint token and URL. Then in AWS SSM Parameter Store, create two +`SecureString` parameters in the same account used for AWS SSO. This is usually the root account in the primary region. ``` /ssosync/scim_endpoint_access_token /ssosync/scim_endpoint_url ``` -One more parameter you'll need is your Identity Store ID. -To obtain your Identity Store ID, go to the AWS Identity Center console and -select `Settings`. Under the `Identity Source` section, copy the Identity Store ID. -In the same account used for AWS SSO, create the following parameter: +One more parameter you'll need is your Identity Store ID. To obtain your Identity Store ID, go to the AWS Identity +Center console and select `Settings`. Under the `Identity Source` section, copy the Identity Store ID. In the same +account used for AWS SSO, create the following parameter: ``` /ssosync/identity_store_id 
@@ -69,24 +70,30 @@ In the same account used for AWS SSO, create the following parameter: #### 2. Configure Google Cloud console -Within the Google Cloud console, we need to create a new Google Project and Service Account and enable the Admin SDK API. -Follow these steps: +Within the Google Cloud console, we need to create a new Google Project and Service Account and enable the Admin SDK +API. Follow these steps: 1. Open the Google Cloud
console: https://console.cloud.google.com 2. Create a new project. Give the project a descriptive name such as `AWS SSO Sync` 3. Enable Admin SDK in APIs: `APIs & Services > Enabled APIs & Services > + ENABLE APIS AND SERVICES` -![Enable Admin SDK](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/admin_sdk.png) # use raw URL so that this works in both GitHub and docusaurus +![Enable Admin SDK](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/admin_sdk.png) # +use raw URL so that this works in both GitHub and docusaurus -4. Create Service Account: `IAM & Admin > Service Accounts > Create Service Account` [(ref)](https://cloud.google.com/iam/docs/service-accounts-create). +4. Create Service Account: `IAM & Admin > Service Accounts > Create Service Account` + [(ref)](https://cloud.google.com/iam/docs/service-accounts-create). -![Create Service Account](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/create_service_account.png) # use raw URL so that this works in both GitHub and docusaurus +![Create Service Account](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/create_service_account.png) # +use raw URL so that this works in both GitHub and docusaurus -5. Download credentials for the new Service Account: `IAM & Admin > Service Accounts > select Service Account > Keys > ADD KEY > Create new key > JSON` +5. 
Download credentials for the new Service Account: + `IAM & Admin > Service Accounts > select Service Account > Keys > ADD KEY > Create new key > JSON` -![Download Credentials](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/dl_service_account_creds.png) # use raw URL so that this works in both GitHub and docusaurus +![Download Credentials](https://raw.githubusercontent.com/cloudposse/terraform-aws-components/main/modules/aws-ssosync/docs/img/dl_service_account_creds.png) # +use raw URL so that this works in both GitHub and docusaurus -6. Save the JSON credentials as a new `SecureString` AWS SSM parameter in the same account used for AWS SSO. Use the full JSON string as the value for the parameter. +6. Save the JSON credentials as a new `SecureString` AWS SSM parameter in the same account used for AWS SSO. Use the + full JSON string as the value for the parameter. ``` /ssosync/google_credentials 
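Review bot: the `# use raw URL so that this works in both GitHub and docusaurus` text after each image is not a comment in Markdown; it was already rendering as stray prose, and the reflow now leaves a lone `#` at the end of the image line with "use raw URL ..." on the next line, which is worse. Replace it on all three image lines with an HTML comment, `<!-- use raw URL so that this works in both GitHub and docusaurus -->`, which both GitHub and Docusaurus hide.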
@@ -95,11 +102,13 @@ Follow these steps: #### 3. Configure Google Admin console - Open the Google Admin console -- From your domain’s Admin console, go to `Main menu menu > Security > Access and data control > API controls` [(ref)](https://developers.google.com/cloud-search/docs/guides/delegation) +- From your domain’s Admin console, go to `Main menu menu > Security > Access and data control > API controls` + [(ref)](https://developers.google.com/cloud-search/docs/guides/delegation) - In the Domain wide delegation pane, select `Manage Domain Wide Delegation`. - Click `Add new`. - In the Client ID field, enter the client ID obtained from the service account creation steps above. -- In the OAuth Scopes field, enter a comma-delimited list of the scopes required for your application. Use the scope `https://www.googleapis.com/auth/cloud_search.query` for search applications using the Query API. +- In the OAuth Scopes field, enter a comma-delimited list of the scopes required for your application. Use the scope + `https://www.googleapis.com/auth/cloud_search.query` for search applications using the Query API. - Add the following permission: [(ref)](https://github.com/awslabs/ssosync?tab=readme-ov-file#google) ```console 
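Review bot: the sentence "Use the scope `https://www.googleapis.com/auth/cloud_search.query` for search applications using the Query API" is copied from Google's Cloud Search delegation guide and does not apply here; ssosync only needs the `admin.directory.*.readonly` scopes listed immediately below it. Delete that sentence so operators do not grant the service account an unrelated scope via domain-wide delegation, and keep the delegated scope list to the minimum the Lambda actually uses.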
@@ -108,37 +117,43 @@ https://www.googleapis.com/auth/admin.directory.group.member.readonly https://www.googleapis.com/auth/admin.directory.user.readonly ``` - #### 4. Deploy the `aws-ssosync` component Make sure that all four of the following SSM parameters exist in the target account and region: -* `/ssosync/scim_endpoint_url` -* `/ssosync/scim_endpoint_access_token` -* `/ssosync/identity_store_id` -* `/ssosync/google_credentials` +- `/ssosync/scim_endpoint_url` +- `/ssosync/scim_endpoint_access_token` +- `/ssosync/identity_store_id` +- `/ssosync/google_credentials` -If deployed successfully, Groups and Users should be programmatically copied from the Google Workspace into AWS IAM Identity Center on the given schedule. +If deployed successfully, Groups and Users should be programmatically copied from the Google Workspace into AWS IAM +Identity Center on the given schedule. -If these Groups are not showing up, check the CloudWatch logs for the new Lambda function and refer the [FAQs](#FAQ) included below. +If these Groups are not showing up, check the CloudWatch logs for the new Lambda function and refer the [FAQs](#FAQ) +included below. #### 5. Deploy the `aws-sso` component -Use the names of the Groups now provisioned programmatically in the `aws-sso` component catalog. Follow the [aws-sso](../aws-sso/) component documentation to deploy the `aws-sso` component. +Use the names of the Groups now provisioned programmatically in the `aws-sso` component catalog. Follow the +[aws-sso](../aws-sso/) component documentation to deploy the `aws-sso` component. ### FAQ #### Why is the tool forked by `Benbentwo`? -The `awslabs` tool requires AWS Secrets Managers for the Google Credentials. However, we would prefer to use AWS SSM to store all credentials consistency and not require AWS Secrets Manager. Therefore we've created a Pull Request and will point to a fork until the PR is merged. +The `awslabs` tool requires AWS Secrets Managers for the Google Credentials. 
However, we would prefer to use AWS SSM to +store all credentials consistency and not require AWS Secrets Manager. Therefore we've created a Pull Request and will +point to a fork until the PR is merged. Ref: + - https://github.com/awslabs/ssosync/pull/133 - https://github.com/awslabs/ssosync/issues/93 #### What should I use for the Google Admin Email Address? -The Service Account created will assume the User given by `--google-admin` / `SSOSYNC_GOOGLE_ADMIN` / `var.google_admin_email`. Therefore, this user email must be a valid Google admin user in your organization. +The Service Account created will assume the User given by `--google-admin` / `SSOSYNC_GOOGLE_ADMIN` / +`var.google_admin_email`. Therefore, this user email must be a valid Google admin user in your organization. This is not the same email as the Service Account. @@ -150,7 +165,8 @@ Notifying Lambda and mark this execution as Failure: googleapi: Error 404: Domai #### Common Group Name Query Error -If filtering group names using query strings, make sure the provided string is valid. For example, `google_group_match: "name:aws*"` is incorrect. Instead use `google_group_match: "Name:aws*"` +If filtering group names using query strings, make sure the provided string is valid. For example, +`google_group_match: "name:aws*"` is incorrect. Instead use `google_group_match: "Name:aws*"` If not, you may again see the same error message: @@ -160,11 +176,12 @@ Notifying Lambda and mark this execution as Failure: googleapi: Error 404: Domai Ref: -> The specific error you are seeing is because the google api doesn't like the query string you provided for the -g parameter. try -g "Name:Fuel*" +> The specific error you are seeing is because the google api doesn't like the query string you provided for the -g +> parameter. try -g "Name:Fuel\*" https://github.com/awslabs/ssosync/issues/91 - + ## Requirements 
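Review bot: two wording nits in the reflowed FAQ text: "refer the [FAQs](#FAQ) included below" should be "refer to the [FAQs](#FAQ) included below", and "use AWS SSM to store all credentials consistency" should be "store all credentials consistently". Both lines are already being rewritten, so fixing them here avoids a follow-up.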
@@ -254,9 +271,11 @@ https://github.com/awslabs/ssosync/issues/91 | [invoke\_arn](#output\_invoke\_arn) | Invoke ARN of the lambda function | | [qualified\_arn](#output\_qualified\_arn) | ARN identifying your Lambda Function Version (if versioning is enabled via publish = true) | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-ssosync) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/aws-ssosync) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/aws-team-roles/README.md b/modules/aws-team-roles/README.md index 67d6908cc..3ae6961c6 100644 --- a/modules/aws-team-roles/README.md +++ b/modules/aws-team-roles/README.md 
@@ -1,59 +1,58 @@ # Component: `aws-team-roles` -This component is responsible for provisioning user and system IAM roles outside the `identity` account. -It sets them up to be assumed from the "team" roles defined in the `identity` account by -[the `aws-teams` component](../aws-teams) and/or the AWS SSO permission sets -defined in [the `aws-sso` component](../aws-sso), and/or be directly accessible via SAML logins. - +This component is responsible for provisioning user and system IAM roles outside the `identity` account. It sets them up +to be assumed from the "team" roles defined in the `identity` account by [the `aws-teams` component](../aws-teams) +and/or the AWS SSO permission sets defined in [the `aws-sso` component](../aws-sso), and/or be directly accessible via +SAML logins. ### Privileges are Granted to Users via IAM Policies -Each role is granted permissions by attaching a list of IAM policies to the IAM role -via its `role_policy_arns` list. You can configure AWS managed policies by entering the ARNs of the policies -directly into the list, or you can create a custom policy as follows: +Each role is granted permissions by attaching a list of IAM policies to the IAM role via its `role_policy_arns` list. +You can configure AWS managed policies by entering the ARNs of the policies directly into the list, or you can create a +custom policy as follows: 1. Give the policy a name, e.g. `eks-admin`. We will use `NAME` as a placeholder for the name in the instructions below. 2. Create a file in the `aws-teams` directory with the name `policy-NAME.tf`. 3. In that file, create a policy as follows: - ```hcl - data "aws_iam_policy_document" "NAME" { - # Define the policy here - } - - resource "aws_iam_policy" "NAME" { - name = format("%s-NAME", module.this.id) - policy = data.aws_iam_policy_document.NAME.json - - tags = module.this.tags - } - ``` - -4. 
Create a file named `additional-policy-map_override.tf` in the `aws-team-roles` directory (if it does not already exist). - This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), meaning its - contents will be merged with the main terraform file, and any locals defined in it will override locals defined in other files. - Having your code in this separate override file makes it possible for the component to provide a placeholder local variable - so that it works without customization, while allowing you to customize the component and still update it without losing your customizations. + ```hcl + data "aws_iam_policy_document" "NAME" { + # Define the policy here + } + + resource "aws_iam_policy" "NAME" { + name = format("%s-NAME", module.this.id) + policy = data.aws_iam_policy_document.NAME.json + + tags = module.this.tags + } + ``` + +4. Create a file named `additional-policy-map_override.tf` in the `aws-team-roles` directory (if it does not already + exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), + meaning its contents will be merged with the main terraform file, and any locals defined in it will override locals + defined in other files. Having your code in this separate override file makes it possible for the component to + provide a placeholder local variable so that it works without customization, while allowing you to customize the + component and still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_custom_policy_map` map as follows: - ```hcl - locals { - overridable_additional_custom_policy_map = { - NAME = aws_iam_policy.NAME.arn - } - } - ``` + ```hcl + locals { + overridable_additional_custom_policy_map = { + NAME = aws_iam_policy.NAME.arn + } + } + ``` If you have multiple custom policies, add each one to the map in the form `NAME = aws_iam_policy.NAME.arn`. -6. 
With that done, you can now attach that policy by adding the name to the `role_policy_arns` list. For example: - - ```yaml - role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "NAME" - ``` +6. With that done, you can now attach that policy by adding the name to the `role_policy_arns` list. For example: + ```yaml + role_policy_arns: + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "NAME" + ``` ## Usage 
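Review bot: step 2 of the custom-policy procedure tells the reader to create `policy-NAME.tf` in the `aws-teams` directory, while steps 4 and 5 put `additional-policy-map_override.tf` in the `aws-team-roles` directory and reference `aws_iam_policy.NAME.arn` from it. That reference only resolves when the `aws_iam_policy.NAME` resource is in the same root module as the override file, so step 2 should read "Create a file in the `aws-team-roles` directory" (or the procedure needs to say how the ARN is passed across components). The hunk already rewraps this list, so it is a good moment to fix it.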
@@ -61,14 +60,19 @@ directly into the list, or you can create a custom policy as follows: **Deployment**: Must be deployed by _SuperAdmin_ using `atmos` CLI -Here's an example snippet for how to use this component. This specific usage is an example only, and not intended for production use. -You set the defaults in one YAML file, and import that file into each account's Global stack (except for the `identity` account itself). -If desired, you can make account-specific changes by overriding settings, for example +Here's an example snippet for how to use this component. This specific usage is an example only, and not intended for +production use. You set the defaults in one YAML file, and import that file into each account's Global stack (except for +the `identity` account itself). If desired, you can make account-specific changes by overriding settings, for example + - Disable entire roles in the account by setting `enabled: false` - Limit who can access the role by setting a different value for `trusted_teams` -- Change the permissions available to that role by overriding the `role_policy_arns` (not recommended, limit access to the role or create a different role with the desired set of permissions instead). +- Change the permissions available to that role by overriding the `role_policy_arns` (not recommended, limit access to + the role or create a different role with the desired set of permissions instead). -Note that when overriding, **maps are deep merged, but lists are replaced**. This means, for example, that your setting of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the list, too, or they will lose access. +Note that when overriding, **maps are deep merged, but lists are replaced**. 
This means, for example, that your setting +of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to +allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the +list, too, or they will lose access. ```yaml components: @@ -84,8 +88,7 @@ components: # `template` serves as the default configuration for other roles via the YAML anchor. # However, `atmos` does not support "import" of YAML anchors, so if you define a new role # in another file, you will not be able to reference this anchor. - template: &user-template - # If `enabled: false`, the role will not be created in this account + template: &user-template # If `enabled: false`, the role will not be created in this account enabled: false # `max_session_duration` set the maximum session duration (in seconds) for the IAM roles. @@ -137,7 +140,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Full administration of this account" trusted_teams: ["admin"] @@ -150,12 +153,12 @@ components: # administrative permissions and use a more restrictive role # for Terraform, such as PowerUser (further restricted to deny AWS SSO changes). role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Role for Terraform administration of this account" trusted_teams: ["admin", "spacelift"] - ``` + ## Requirements 
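Review bot: in the `@@ -84,8 +88,7 @@` hunk the comment `# If `enabled: false`, the role will not be created in this account` is pulled up onto the `template: &user-template` line, so it now reads as a comment on the anchor instead of on the `enabled: false` setting beneath it. Keep it as its own line directly above `enabled: false`, as in the removed lines, and re-run the formatter to confirm it stays separate.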
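Review bot: the `@@ -150,12 +153,12 @@` hunk removes the closing ``` fence after `trusted_teams: ["admin", "spacelift"]` and adds only an empty line before `## Requirements`. Unless the replacement fence sits on a line this diff does not show, the YAML block is left open and everything through the Requirements table will render as code. Please confirm the fence is still present in the rendered README; the `@@ -87,47 +88,48 @@` hunk of the `aws-teams` README shows the same `- ```` / `+` pair.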
@@ -235,6 +238,9 @@ components: |------|-------------| | [role\_name\_role\_arn\_map](#output\_role\_name\_role\_arn\_map) | Map of role names to role ARNs | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components) - Cloud Posse's upstream components + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components) - Cloud Posse's upstream + components diff --git a/modules/aws-teams/README.md b/modules/aws-teams/README.md index edf7929f4..38b71abf1 100644 --- a/modules/aws-teams/README.md +++ b/modules/aws-teams/README.md 
@@ -1,53 +1,54 @@ # Component: `aws-teams` This component is responsible for provisioning all primary user and system roles into the centralized identity account. -This is expected to be used alongside [the `aws-team-roles` component](../aws-team-roles) to provide -fine-grained role delegation across the account hierarchy. +This is expected to be used alongside [the `aws-team-roles` component](../aws-team-roles) to provide fine-grained role +delegation across the account hierarchy. ### Teams Function Like Groups and are Implemented as Roles -The "teams" created in the `identity` account by this module can be thought of as access control "groups": -a user who is allowed access one of these teams gets access to a set of roles (and corresponding permissions) -across a set of accounts. Generally, there is nothing else provisioned in the `identity` account, -so the teams have limited access to resources in the `identity` account by design. -Teams are implemented as IAM Roles in each account. Access to the "teams" in the `identity` -account is controlled by the `aws-saml` and `aws-sso` components. Access to the roles in all the -other accounts is controlled by the "assume role" policies of those roles, which allow the "team" -or AWS SSO Permission set to assume the role (or not). +The "teams" created in the `identity` account by this module can be thought of as access control "groups": a user who is +allowed access one of these teams gets access to a set of roles (and corresponding permissions) across a set of +accounts. Generally, there is nothing else provisioned in the `identity` account, so the teams have limited access to +resources in the `identity` account by design. + +Teams are implemented as IAM Roles in each account. Access to the "teams" in the `identity` account is controlled by the +`aws-saml` and `aws-sso` components. 
Access to the roles in all the other accounts is controlled by the "assume role" +policies of those roles, which allow the "team" or AWS SSO Permission set to assume the role (or not). ### Privileges are Defined for Each Role in Each Account by `aws-team-roles` -Every account besides the `identity` account has a set of IAM roles created by the -`aws-team-roles` component. In that component, the account's roles are assigned privileges, -and those privileges ultimately determine what a user can do in that account. +Every account besides the `identity` account has a set of IAM roles created by the `aws-team-roles` component. In that +component, the account's roles are assigned privileges, and those privileges ultimately determine what a user can do in +that account. -Access to the roles can be granted in a number of ways. -One way is by listing "teams" created by this component as "trusted" (`trusted_teams`), -meaning that users who have access to the team role in the `identity` account are -allowed (trusted) to assume the role configured in the target account. -Another is by listing an AWS SSO Permission Set in the account (`trusted_permission_sets`). +Access to the roles can be granted in a number of ways. One way is by listing "teams" created by this component as +"trusted" (`trusted_teams`), meaning that users who have access to the team role in the `identity` account are allowed +(trusted) to assume the role configured in the target account. Another is by listing an AWS SSO Permission Set in the +account (`trusted_permission_sets`). ### Role Access is Enabled by SAML and/or AWS SSO configuration + Users can again access to a role in the `identity` account through either (or both) of 2 mechanisms: #### SAML Access -- SAML access is globally configured via the `aws-saml` component, enabling an external -SAML Identity Provider (IdP) to control access to roles in the `identity` account. 
-(SAML access can be separately configured for other accounts, see the `aws-saml` and `aws-team-roles` components for more on that.) + +- SAML access is globally configured via the `aws-saml` component, enabling an external SAML Identity Provider (IdP) to + control access to roles in the `identity` account. (SAML access can be separately configured for other accounts, see + the `aws-saml` and `aws-team-roles` components for more on that.) - Individual roles are enabled for SAML access by setting `aws_saml_login_enabled: true` in the role configuration. - Individual users are granted access to these roles by configuration in the SAML IdP. #### AWS SSO Access -The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles -in the `identity` account. See the `aws-sso` component for details. + +The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles in the `identity` +account. See the `aws-sso` component for details. ## Usage -**Stack Level**: Global -**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Global **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -Here's an example snippet for how to use this component. The component should only be applied once, -which is typically done via the identity stack (e.g. `gbl-identity.yaml`). +Here's an example snippet for how to use this component. The component should only be applied once, which is typically +done via the identity stack (e.g. `gbl-identity.yaml`). ```yaml components: 
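Review bot: `**Stack Level**: Global` and `**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI` were two lines in the removed text and the hunk joins them into one, so they render as a single run-on line; separate them with a blank line, as the `aws-team-roles` README in this same patch does with its `**Deployment**` line. While here, the context line `Users can again access to a role` should read `gain access`.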
@@ -87,47 +88,48 @@ components: # If a role is both trusted and denied, it will not be able to access this role. # Permission sets specify users operating from the given AWS SSO permission set in this account. - trusted_permission_sets: [ ] - denied_permission_sets: [ ] + trusted_permission_sets: [] + denied_permission_sets: [] # Primary roles specify the short role names of roles in the primary (identity) # account that are allowed to assume this role. - trusted_teams: [ ] - denied_teams: [ "viewer" ] + trusted_teams: [] + denied_teams: ["viewer"] # Role ARNs specify Role ARNs in any account that are allowed to assume this role. # BE CAREFUL: there is nothing limiting these Role ARNs to roles within our organization. - trusted_role_arns: [ ] - denied_role_arns: [ ] + trusted_role_arns: [] + denied_role_arns: [] admin: <<: *user-template - role_description: "Team with PowerUserAccess permissions in `identity` and AdministratorAccess to all other accounts except `root`" + role_description: + "Team with PowerUserAccess permissions in `identity` and AdministratorAccess to all other accounts except + `root`" # Limit `admin` to Power User to prevent accidentally destroying the admin role itself # Use SuperAdmin to administer IAM access - role_policy_arns: [ "arn:aws:iam::aws:policy/PowerUserAccess" ] + role_policy_arns: ["arn:aws:iam::aws:policy/PowerUserAccess"] # TODO Create a "security" team with AdministratorAccess to audit and security, remove "admin" write access to those accounts aws_saml_login_enabled: true # list of roles in primary that can assume into this role in delegated accounts # primary admin can assume delegated admin - trusted_teams: [ "admin" ] + trusted_teams: ["admin"] # GH runner should be moved to its own `ghrunner` role - trusted_permission_sets: [ "IdentityAdminTeamAccess" ] - + trusted_permission_sets: ["IdentityAdminTeamAccess"] spacelift: <<: *user-template role_description: Team for our privileged Spacelift server role_policy_arns: - - 
team_role_access + - team_role_access aws_saml_login_enabled: false trusted_teams: - - admin + - admin trusted_role_arns: ["arn:aws:iam::123456789012:role/eg-ue2-auto-spacelift-worker-pool-admin"] - ``` + ## Requirements 
@@ -205,29 +207,34 @@ components: | [team\_names](#output\_team\_names) | List of team names | | [teams\_config](#output\_teams\_config) | Map of team config with name, target arn, and description | - + ## Known Problems ### Error: `assume role policy: LimitExceeded: Cannot exceed quota for ACLSizePerRole: 2048` -The `aws-teams` architecture, when enabling access to a role via lots of AWS SSO Profiles, can create large "assume role" policies, large enough to exceed the default quota of 2048 characters. If you run into this limitation, you will get an error like this: +The `aws-teams` architecture, when enabling access to a role via lots of AWS SSO Profiles, can create large "assume +role" policies, large enough to exceed the default quota of 2048 characters. If you run into this limitation, you will +get an error like this: ``` Error: error updating IAM Role (acme-gbl-root-tfstate-backend-analytics-ro) assume role policy: LimitExceeded: Cannot exceed quota for ACLSizePerRole: 2048 ``` -This can happen in either/both the `identity` and `root` accounts (for Terraform state access). So far, we have always been able to resolve this by requesting a quota increase, which is automatically granted a few minutes after making the request. To request the quota increase: +This can happen in either/both the `identity` and `root` accounts (for Terraform state access). So far, we have always +been able to resolve this by requesting a quota increase, which is automatically granted a few minutes after making the +request. To request the quota increase: - Log in to the AWS Web console as admin in the affected account -- Set your region to N. Virginia `us-east-1` +- Set your region to N. Virginia `us-east-1` - Navigate to the Service Quotas page via the account dropdown menu - Click on AWS Services in the left sidebar -- Search for "IAM" and select "AWS Identity and Access Management (IAM)". (If you don't find that option, make sure you have selected the `us-east-1` region. 
+- Search for "IAM" and select "AWS Identity and Access Management (IAM)". (If you don't find that option, make sure you + have selected the `us-east-1` region. - Find and select "Role trust policy length" @@ -235,6 +242,7 @@ This can happen in either/both the `identity` and `root` accounts (for Terraform - Wait for the request to be approved, usually less than a few minutes - ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components)- Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components)- Cloud Posse's upstream + component diff --git a/modules/bastion/README.md b/modules/bastion/README.md index 2c99962bb..4af775ebf 100644 --- a/modules/bastion/README.md +++ b/modules/bastion/README.md 
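Review bot: the rewrapped bullet `Search for "IAM" and select "AWS Identity and Access Management (IAM)". (If you don't find that option, make sure you have selected the `us-east-1` region.` still lacks the closing parenthesis after `region.`; add it while the line is being touched.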
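Review bot: in the `@@ -235,6 +242,7 @@` hunk the References entry keeps `...terraform-aws-components)- Cloud Posse's upstream component` with no space before the hyphen; the other READMEs in this patch use `) - `, so match that here since the line is already being rewritten.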
@@ -1,10 +1,15 @@ # Component: `bastion` -This component is responsible for provisioning a generic Bastion host within an ASG with parameterized `user_data` and support for AWS SSM Session Manager for remote access with IAM authentication. +This component is responsible for provisioning a generic Bastion host within an ASG with parameterized `user_data` and +support for AWS SSM Session Manager for remote access with IAM authentication. -If a special `container.sh` script is desired to run, set `container_enabled` to `true`, and set the `image_repository` and `image_container` variables. +If a special `container.sh` script is desired to run, set `container_enabled` to `true`, and set the `image_repository` +and `image_container` variables. -By default, this component acts as an "SSM Bastion", which is deployed to a private subnet and has SSM Enabled, allowing access via the AWS Console, AWS CLI, or SSM Session tools such as [aws-gate](https://github.com/xen0l/aws-gate). Alternatively, this component can be used as a regular SSH Bastion, deployed to a public subnet with Security Group Rules allowing inbound traffic over port 22. +By default, this component acts as an "SSM Bastion", which is deployed to a private subnet and has SSM Enabled, allowing +access via the AWS Console, AWS CLI, or SSM Session tools such as [aws-gate](https://github.com/xen0l/aws-gate). +Alternatively, this component can be used as a regular SSH Bastion, deployed to a public subnet with Security Group +Rules allowing inbound traffic over port 22. ## Usage 
@@ -41,18 +46,19 @@ components: custom_bastion_hostname: bastion vanity_domain: example.com security_group_rules: - - type : "ingress" - from_port : 22 - to_port : 22 - protocol : tcp - cidr_blocks : ["1.2.3.4/32"] - - type : "egress" - from_port : 0 - to_port : 0 - protocol : -1 - cidr_blocks : ["0.0.0.0/0"] + - type: "ingress" + from_port: 22 + to_port: 22 + protocol: tcp + cidr_blocks: ["1.2.3.4/32"] + - type: "egress" + from_port: 0 + to_port: 0 + protocol: -1 + cidr_blocks: ["0.0.0.0/0"] ``` + ## Requirements @@ -132,8 +138,11 @@ components: | [iam\_instance\_profile](#output\_iam\_instance\_profile) | Name of AWS IAM Instance Profile | | [security\_group\_id](#output\_security\_group\_id) | ID on the AWS Security Group associated with the ASG | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/bastion) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/bastion) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/cloudtrail-bucket/README.md b/modules/cloudtrail-bucket/README.md index 633101aed..a38604932 100644 --- a/modules/cloudtrail-bucket/README.md +++ b/modules/cloudtrail-bucket/README.md 
@@ -1,12 +1,15 @@ # Component: `cloudtrail-bucket` -This component is responsible for provisioning a bucket for storing cloudtrail logs for auditing purposes. It's expected to be used alongside [the `cloudtrail` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail). +This component is responsible for provisioning a bucket for storing cloudtrail logs for auditing purposes. It's expected +to be used alongside +[the `cloudtrail` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail). ## Usage **Stack Level**: Regional -Here's an example snippet for how to use this component. It's suggested to apply this component to only the centralized `audit` account. +Here's an example snippet for how to use this component. It's suggested to apply this component to only the centralized +`audit` account. ```yaml components: @@ -22,6 +25,7 @@ components: expiration_days: 365 ``` + ## Requirements @@ -87,9 +91,11 @@ No resources. | [cloudtrail\_bucket\_domain\_name](#output\_cloudtrail\_bucket\_domain\_name) | CloudTrail S3 bucket domain name | | [cloudtrail\_bucket\_id](#output\_cloudtrail\_bucket\_id) | CloudTrail S3 bucket ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail-bucket) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail-bucket) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/cloudtrail/README.md b/modules/cloudtrail/README.md index 47175bc07..715cdc696 100644 --- a/modules/cloudtrail/README.md +++ b/modules/cloudtrail/README.md 
@@ -1,11 +1,12 @@ # Component: `cloudtrail` -This component is responsible for provisioning cloudtrail auditing in an individual account. It's expected to be used alongside +This component is responsible for provisioning cloudtrail auditing in an individual account. It's expected to be used +alongside [the `cloudtrail-bucket` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail-bucket) as it utilizes that bucket via remote state. -This component can either be deployed selectively to various accounts with `is_organization_trail=false`, or alternatively -created in all accounts if deployed to the management account `is_organization_trail=true`. +This component can either be deployed selectively to various accounts with `is_organization_trail=false`, or +alternatively created in all accounts if deployed to the management account `is_organization_trail=true`. ## Usage @@ -27,6 +28,7 @@ components: is_organization_trail: true ``` + ## Requirements @@ -113,9 +115,11 @@ components: | [cloudtrail\_logs\_role\_arn](#output\_cloudtrail\_logs\_role\_arn) | CloudTrail Logs role ARN | | [cloudtrail\_logs\_role\_name](#output\_cloudtrail\_logs\_role\_name) | CloudTrail Logs role name | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudtrail) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/cloudwatch-logs/README.md b/modules/cloudwatch-logs/README.md index 128a10cba..9a78855af 100644 --- a/modules/cloudwatch-logs/README.md +++ b/modules/cloudwatch-logs/README.md @@ -21,6 +21,7 @@ components: - app-2 ``` + ## Requirements 
@@ -90,8 +91,11 @@ components: | [role\_name](#output\_role\_name) | Name of role to assume | | [stream\_arns](#output\_stream\_arns) | ARN of the log stream | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudwatch-logs) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cloudwatch-logs) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/cognito/README.md b/modules/cognito/README.md index b87c3ae04..a9219970b 100644 --- a/modules/cognito/README.md +++ b/modules/cognito/README.md 
@@ -4,13 +4,12 @@ This component is responsible for provisioning and managing AWS Cognito resource This component can provision the following resources: - - [Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) - - [Cognito User Pool Clients](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html) - - [Cognito User Pool Domains](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html) - - [Cognito User Pool Identity Providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html) - - [Cognito User Pool Resource Servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) - - [Cognito User Pool User Groups](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) - +- [Cognito User Pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) +- [Cognito User Pool Clients](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html) +- [Cognito User Pool Domains](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html) +- [Cognito User Pool Identity Providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html) +- [Cognito User Pool Resource Servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html) +- [Cognito User Pool User Groups](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html) ## Usage @@ -37,6 +36,7 @@ components: required: true ``` + ## Requirements 
@@ -204,9 +204,11 @@ components: | [last\_modified\_date](#output\_last\_modified\_date) | The date the User Pool was last modified | | [resource\_servers\_scope\_identifiers](#output\_resource\_servers\_scope\_identifiers) | A list of all scopes configured in the format identifier/scope\_name | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cognito) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/cognito) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/config-bucket/README.md b/modules/config-bucket/README.md index 9d9151732..72f36c015 100644 --- a/modules/config-bucket/README.md +++ b/modules/config-bucket/README.md @@ -2,8 +2,8 @@ This module creates an S3 bucket suitable for storing `AWS Config` data. -It implements a configurable log retention policy, which allows you to efficiently manage logs across different -storage classes (_e.g._ `Glacier`) and ultimately expire the data altogether. +It implements a configurable log retention policy, which allows you to efficiently manage logs across different storage +classes (_e.g._ `Glacier`) and ultimately expire the data altogether. It enables server-side encryption by default. https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html @@ -15,7 +15,8 @@ It blocks public access to the bucket by default. **Stack Level**: Regional -Here's an example snippet for how to use this component. It's suggested to apply this component to only the centralized `audit` account. +Here's an example snippet for how to use this component. It's suggested to apply this component to only the centralized +`audit` account. ```yaml components: @@ -31,6 +32,7 @@ components: expiration_days: 365 ``` + ## Requirements 
@@ -96,9 +98,11 @@ No resources. | [config\_bucket\_domain\_name](#output\_config\_bucket\_domain\_name) | Config bucket FQDN | | [config\_bucket\_id](#output\_config\_bucket\_id) | Config bucket ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/config-bucket) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/config-bucket) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/datadog-configuration/README.md b/modules/datadog-configuration/README.md index de47b95ee..90736c474 100644 --- a/modules/datadog-configuration/README.md +++ b/modules/datadog-configuration/README.md @@ -2,10 +2,12 @@ This component is responsible for provisioning SSM or ASM entries for Datadog API keys. -It's required that the DataDog API and APP secret keys are available in the `var.datadog_secrets_source_store_account` account -in AWS SSM Parameter Store at the `/datadog/%v/datadog_app_key` paths (where `%v` are the corresponding account names). +It's required that the DataDog API and APP secret keys are available in the `var.datadog_secrets_source_store_account` +account in AWS SSM Parameter Store at the `/datadog/%v/datadog_app_key` paths (where `%v` are the corresponding account +names). -This component copies keys from the source account (e.g. `auto`) to the destination account where this is being deployed. The purpose of using this formatted copying of keys handles a couple of problems. +This component copies keys from the source account (e.g. `auto`) to the destination account where this is being +deployed. The purpose of using this formatted copying of keys handles a couple of problems. 1. The keys are needed in each account where datadog resources will be deployed. 1. The keys might need to be different per account or tenant, or any subset of accounts. 
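Review bot: the rewrapped prerequisite in the `datadog-configuration` README says the API and APP keys must be available "at the `/datadog/%v/datadog_app_key` paths", naming only the app-key path, whereas the Usage section further down lists both `/datadog/%v/datadog_api_key` and `/datadog/%v/datadog_app_key`. Name both paths here so the stated prerequisite matches what the component reads.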
@@ -13,17 +15,21 @@ This component copies keys from the source account (e.g. `auto`) to the destinat This module also has a submodule which allows other resources to quickly use it to create a datadog provider. -See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for more information. +See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for +more information. ## Usage **Stack Level**: Global -This component should be deployed to every account where you want to provision datadog resources. This is usually every account except `root` and `identity` +This component should be deployed to every account where you want to provision datadog resources. This is usually every +account except `root` and `identity` -Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts which you want to track AWS metrics with DataDog. -In this example we use the key paths `/datadog/%v/datadog_api_key` and `/datadog/%v/datadog_app_key` where `%v` is `default`, this can be changed through `datadog_app_secret_key` & `datadog_api_secret_key` variables. -The output Keys in the deployed account will be `/datadog/datadog_api_key` and `/datadog/datadog_app_key`. +Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts which +you want to track AWS metrics with DataDog. In this example we use the key paths `/datadog/%v/datadog_api_key` and +`/datadog/%v/datadog_app_key` where `%v` is `default`, this can be changed through `datadog_app_secret_key` & +`datadog_api_secret_key` variables. The output Keys in the deployed account will be `/datadog/datadog_api_key` and +`/datadog/datadog_app_key`. ```yaml components: @@ -57,6 +63,7 @@ provider "datadog" { } ``` + ## Requirements 
@@ -137,11 +144,12 @@ provider "datadog" { | [datadog\_site](#output\_datadog\_site) | The Datadog site to use | | [region](#output\_region) | The region where the keys will be created | - + ## References -* Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-configuration) - Cloud Posse's upstream component +- Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-configuration) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/datadog-configuration/modules/datadog_keys/README.md b/modules/datadog-configuration/modules/datadog_keys/README.md index cc930cb2f..56325b4e0 100644 --- a/modules/datadog-configuration/modules/datadog_keys/README.md +++ b/modules/datadog-configuration/modules/datadog_keys/README.md @@ -19,6 +19,7 @@ provider "datadog" { } ``` + ## Requirements @@ -88,3 +89,4 @@ provider "datadog" { | [datadog\_site](#output\_datadog\_site) | Datadog Site | | [datadog\_tags](#output\_datadog\_tags) | The Context Tags in datadog tag format (list of strings formated as 'key:value') | + diff --git a/modules/datadog-integration/README.md b/modules/datadog-integration/README.md index 123027d84..d27d078ae 100644 --- a/modules/datadog-integration/README.md +++ b/modules/datadog-integration/README.md 
@@ -1,15 +1,17 @@ # Component: `datadog-integration` -This component is responsible for provisioning Datadog AWS integrations. It depends on -the `datadog-configuration` component to get the Datadog API keys. +This component is responsible for provisioning Datadog AWS integrations. It depends on the `datadog-configuration` +component to get the Datadog API keys. -See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for more information. +See Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) for +more information. ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts which you want to track AWS metrics with DataDog. +Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts which +you want to track AWS metrics with DataDog. ```yaml components: @@ -22,6 +24,7 @@ components: enabled: true ``` + ## Requirements @@ -96,11 +99,12 @@ components: | [aws\_role\_name](#output\_aws\_role\_name) | Name of the AWS IAM Role for the Datadog integration | | [datadog\_external\_id](#output\_datadog\_external\_id) | Datadog integration external ID | - + ## References -* Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-integration) - Cloud Posse's upstream component +- Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys) +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-integration) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/datadog-lambda-forwarder/README.md b/modules/datadog-lambda-forwarder/README.md index 7d856d77d..6de150851 100644 --- a/modules/datadog-lambda-forwarder/README.md +++ b/modules/datadog-lambda-forwarder/README.md @@ -1,9 +1,8 @@ # Component: `datadog-lambda-forwarder` -This component is responsible for provision all the necessary infrastructure to -deploy [Datadog Lambda forwarders](https://github.com/DataDog/datadog-serverless-functions/tree/master/aws/logs_monitoring). It depends on -the `datadog-configuration` component to get the Datadog API keys. - +This component is responsible for provision all the necessary infrastructure to deploy +[Datadog Lambda forwarders](https://github.com/DataDog/datadog-serverless-functions/tree/master/aws/logs_monitoring). It +depends on the `datadog-configuration` component to get the Datadog API keys. ## Usage @@ -44,6 +43,7 @@ components: filter_pattern: "" ``` + ## Requirements @@ -150,11 +150,12 @@ components: | [lambda\_forwarder\_vpc\_log\_function\_arn](#output\_lambda\_forwarder\_vpc\_log\_function\_arn) | Datadog Lambda forwarder VPC Flow Logs function ARN | | [lambda\_forwarder\_vpc\_log\_function\_name](#output\_lambda\_forwarder\_vpc\_log\_function\_name) | Datadog Lambda forwarder VPC Flow Logs function name | - + ## References -* Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-lambda-forwarder) - Cloud Posse's upstream component +- Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-lambda-forwarder) - + Cloud Posse's upstream component [](https://cpco.io/component) 
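Review bot: The first hunk of modules/datadog-lambda-forwarder/README.md (@@ -1,9 +1,8 @@) reflows `This component is responsible for provision all the necessary infrastructure` but keeps the grammatical error; it should be `responsible for provisioning all the necessary infrastructure`.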
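Review bot: In the References hunk of the same file (@@ -150,11 +150,12 @@), the Datadog link is missing its closing parenthesis on both the removed and the added line: `- Datadog's [documentation about provisioning keys](https://docs.datadoghq.com/account_management/api-app-keys`. Markdown will not render this as a link; append `)` while the line is being touched, matching the identical entry in the datadog-configuration and datadog-integration READMEs in this patch.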
diff --git a/modules/datadog-monitor/README.md b/modules/datadog-monitor/README.md index 968cf5e09..95774e6c3 100644 --- a/modules/datadog-monitor/README.md +++ b/modules/datadog-monitor/README.md 
@@ -24,14 +24,20 @@ components: ``` ## Conventions -- Treat datadog like a separate cloud provider with integrations ([datadog-integration](https://docs.cloudposse.com/components/library/aws/datadog-integration)) into your accounts. + +- Treat datadog like a separate cloud provider with integrations + ([datadog-integration](https://docs.cloudposse.com/components/library/aws/datadog-integration)) into your accounts. - Use the `catalog` convention to define a step of alerts. You can use ours or define your own. [https://github.com/cloudposse/terraform-datadog-platform/tree/master/catalog/monitors](https://github.com/cloudposse/terraform-datadog-platform/tree/master/catalog/monitors) ## Adjust Thresholds per Stack -Since there are so many parameters that may be adjusted for a given monitor, we define all monitors through YAML. By convention, we define the **default monitors** that should apply to all environments, and then adjust the thresholds per environment. This is accomplished using the `datadog-monitor` components variable `datadog_monitors_config_paths` which defines the path to the YAML configuration files. By passing a path for `dev` and `prod`, we can define configurations that are different per environment. +Since there are so many parameters that may be adjusted for a given monitor, we define all monitors through YAML. By +convention, we define the **default monitors** that should apply to all environments, and then adjust the thresholds per +environment. This is accomplished using the `datadog-monitor` components variable `datadog_monitors_config_paths` which +defines the path to the YAML configuration files. By passing a path for `dev` and `prod`, we can define configurations +that are different per environment. For example, you might have the following settings defined for `prod` and `dev` stacks that override the defaults. @@ -47,6 +53,7 @@ components: - catalog/monitors/*.yaml - catalog/monitors/dev/*.yaml # note this line ``` + For `prod` stack: ``` 
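Review bot: In the Conventions hunk of modules/datadog-monitor/README.md (@@ -24,14 +24,20 @@), `define a step of alerts` reads like a typo for `define a set of alerts`, and in the Adjust Thresholds paragraph below it `the datadog-monitor components variable` should be `the datadog-monitor component's variable`. Both sentences are re-wrapped in this hunk, so correct them here. The second bullet still carries the bare catalog URL on its own line after the prettier run; folding it into link text like the first bullet would make the list read consistently.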
@@ -60,7 +67,8 @@ components: - catalog/monitors/prod/*.yaml # note this line ``` -Behind the scenes (with `atmos`) we fetch all files from these glob patterns, template them, and merge them by key. If we peek into the `*.yaml` and `dev/*.yaml` files above you could see an example like this: +Behind the scenes (with `atmos`) we fetch all files from these glob patterns, template them, and merge them by key. If +we peek into the `*.yaml` and `dev/*.yaml` files above you could see an example like this: **components/terraform/datadog-monitor/catalog/monitors/elb.yaml** @@ -105,6 +113,7 @@ elb-lb-httpcode-5xx-notify: critical: 50 warning: 20 ``` + **components/terraform/datadog-monitor/catalog/monitors/dev/elb.yaml** ``` 
@@ -120,10 +129,16 @@ elb-lb-httpcode-5xx-notify: ## Key Notes ### Inheritance -The important thing to note here is that the default yaml is applied to every stage that it's deployed to. For dev specifically however, we want to override the thresholds and priority for this monitor. This merging is done by key of the monitor, in this case `elb-lb-httpcode-5xx-notify`. + +The important thing to note here is that the default yaml is applied to every stage that it's deployed to. For dev +specifically however, we want to override the thresholds and priority for this monitor. This merging is done by key of +the monitor, in this case `elb-lb-httpcode-5xx-notify`. ### Templating -The second thing to note is `${ dd_env }`. This is **terraform** templating in action. While double braces (`{{ env }}`) refers to datadog templating, `${ dd_env }` is a template variable we pass into our monitors. in this example we use it to specify a grouping int he message. This value is passed in and can be overridden via stacks. + +The second thing to note is `${ dd_env }`. This is **terraform** templating in action. While double braces (`{{ env }}`) +refers to datadog templating, `${ dd_env }` is a template variable we pass into our monitors. in this example we use it +to specify a grouping int he message. This value is passed in and can be overridden via stacks. We pass a value via: @@ -140,6 +155,7 @@ components: datadog_monitors_config_parameters: dd_env: "dev" ``` + This allows us to further use inheritance from stack configuration to keep our monitors dry, but configurable. Another available option is to use our catalog as base monitors and then override them with your specific fine tuning. 
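Review bot: The Templating hunk (@@ -120,10 +129,16 @@) re-wraps `in this example we use it to specify a grouping int he message` and preserves both the lowercase sentence start and the `int he` transposition; it should read `In this example we use it to specify a grouping in the message`.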
@@ -156,10 +172,14 @@ components: ## Other Gotchas -Our integration action that checks for `'source_type_name' equals 'Monitor Alert'` will also be true for synthetics. Whereas if we check for `'event_type' equals 'query_alert_monitor'`, that's only true for monitors, because synthetics will only be picked up by an integration action when `event_type` is `synthetics_alert`. +Our integration action that checks for `'source_type_name' equals 'Monitor Alert'` will also be true for synthetics. +Whereas if we check for `'event_type' equals 'query_alert_monitor'`, that's only true for monitors, because synthetics +will only be picked up by an integration action when `event_type` is `synthetics_alert`. -This is important if we need to distinguish between monitors and synthetics in OpsGenie, which is the case when we want to ensure clean messaging on OpsGenie incidents in Statuspage. +This is important if we need to distinguish between monitors and synthetics in OpsGenie, which is the case when we want +to ensure clean messaging on OpsGenie incidents in Statuspage. + ## Requirements @@ -230,7 +250,7 @@ No resources. |------|-------------| | [datadog\_monitor\_names](#output\_datadog\_monitor\_names) | Names of the created Datadog monitors | - + ## Related How-to Guides @@ -240,10 +260,12 @@ No resources. - [How to Implement SRE with Datadog](https://docs.cloudposse.com/reference-architecture/how-to-guides/tutorials/how-to-implement-sre-with-datadog) ## Component Dependencies + - [datadog-integration](https://docs.cloudposse.com/components/library/aws/datadog-integration/) ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-monitor) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-monitor) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/datadog-private-location-ecs/README.md b/modules/datadog-private-location-ecs/README.md index 06b594330..3d75f2286 100644 --- a/modules/datadog-private-location-ecs/README.md +++ b/modules/datadog-private-location-ecs/README.md @@ -55,9 +55,9 @@ components: logDriver: awslogs options: {} port_mappings: [] - ``` + ## Requirements @@ -132,8 +132,11 @@ components: | [vpc\_id](#output\_vpc\_id) | Selected VPC ID | | [vpc\_sg\_id](#output\_vpc\_sg\_id) | Selected VPC SG ID | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs-service) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs-service) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/datadog-synthetics-private-location/README.md b/modules/datadog-synthetics-private-location/README.md index 8567d102f..3e79812f7 100644 --- a/modules/datadog-synthetics-private-location/README.md +++ b/modules/datadog-synthetics-private-location/README.md @@ -2,7 +2,8 @@ This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster. -Private locations allow you to monitor internal-facing applications or any private URLs that are not accessible from the public internet. +Private locations allow you to monitor internal-facing applications or any private URLs that are not accessible from the +public internet. ## Usage 
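Review bot: The References hunk of modules/datadog-private-location-ecs/README.md (@@ -132,8 +132,11 @@) links the "upstream component" to `.../modules/ecs-service` rather than `.../modules/datadog-private-location-ecs`; the path is wrong for this component, and since the line is rewritten anyway, fix the URL here rather than carrying it forward.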
@@ -116,11 +117,12 @@ Environment variables: ## References -* https://docs.datadoghq.com/synthetics/private_locations -* https://docs.datadoghq.com/synthetics/private_locations/configuration/ -* https://github.com/DataDog/helm-charts/tree/main/charts/synthetics-private-location -* https://github.com/DataDog/helm-charts/blob/main/charts/synthetics-private-location/values.yaml +- https://docs.datadoghq.com/synthetics/private_locations +- https://docs.datadoghq.com/synthetics/private_locations/configuration/ +- https://github.com/DataDog/helm-charts/tree/main/charts/synthetics-private-location +- https://github.com/DataDog/helm-charts/blob/main/charts/synthetics-private-location/values.yaml + ## Requirements @@ -213,10 +215,11 @@ Environment variables: | [metadata](#output\_metadata) | Block status of the deployed release | | [synthetics\_private\_location\_id](#output\_synthetics\_private\_location\_id) | Synthetics private location ID | + ## References -* https://docs.datadoghq.com/getting_started/synthetics/private_location -* https://docs.datadoghq.com/synthetics/private_locations/configuration -* https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_private_location -* https://github.com/DataDog/helm-charts/tree/main/charts/synthetics-private-location +- https://docs.datadoghq.com/getting_started/synthetics/private_location +- https://docs.datadoghq.com/synthetics/private_locations/configuration +- https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_private_location +- https://github.com/DataDog/helm-charts/tree/main/charts/synthetics-private-location diff --git a/modules/datadog-synthetics/README.md b/modules/datadog-synthetics/README.md index 26eccb1db..a18461c1e 100644 --- a/modules/datadog-synthetics/README.md +++ b/modules/datadog-synthetics/README.md 
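Review bot: The two hunks in modules/datadog-synthetics-private-location/README.md (@@ -116,11 +117,12 @@ and @@ -213,10 +215,11 @@) leave that file with two `## References` headings carrying overlapping but differing lists (one cites `https://docs.datadoghq.com/synthetics/private_locations`, the other `https://docs.datadoghq.com/getting_started/synthetics/private_location`, and only the first includes the chart `values.yaml`). Merge them into a single References section after the Outputs table, as every other README in this patch is laid out.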
@@ -1,10 +1,11 @@ # Component: `datadog-synthetics` -This component provides the ability to implement [Datadog synthetic tests](https://docs.datadoghq.com/synthetics/guide/). +This component provides the ability to implement +[Datadog synthetic tests](https://docs.datadoghq.com/synthetics/guide/). -Synthetic tests allow you to observe how your systems and applications are performing using simulated requests and actions -from the AWS managed locations around the globe, and to monitor internal endpoints -from [Private Locations](https://docs.datadoghq.com/synthetics/private_locations). +Synthetic tests allow you to observe how your systems and applications are performing using simulated requests and +actions from the AWS managed locations around the globe, and to monitor internal endpoints from +[Private Locations](https://docs.datadoghq.com/synthetics/private_locations). ## Usage 
@@ -39,13 +40,14 @@ components: Below are examples of Datadog browser and API synthetic tests. -The synthetic tests are defined in YAML using either the [Datadog Terraform provider](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_test) schema -or the [Datadog Synthetics API](https://docs.datadoghq.com/api/latest/synthetics) schema. -See the `terraform-datadog-platform` Terraform module [README](https://github.com/cloudposse/terraform-datadog-platform/blob/main/modules/synthetics/README.md) for more details. -We recommend using the API schema so you can more create and edit tests using the Datadog -web API and then import them into this module by downloading the test using -the Datadog REST API. (See the Datadog API documentation for the appropriate -`curl` commands to use.) +The synthetic tests are defined in YAML using either the +[Datadog Terraform provider](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_test) +schema or the [Datadog Synthetics API](https://docs.datadoghq.com/api/latest/synthetics) schema. See the +`terraform-datadog-platform` Terraform module +[README](https://github.com/cloudposse/terraform-datadog-platform/blob/main/modules/synthetics/README.md) for more +details. We recommend using the API schema so you can more create and edit tests using the Datadog web API and then +import them into this module by downloading the test using the Datadog REST API. (See the Datadog API documentation for +the appropriate `curl` commands to use.) ```yaml # API schema 
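Review bot: In hunk @@ -39,13 +40,14 @@ of modules/datadog-synthetics/README.md, the re-wrapped sentence `We recommend using the API schema so you can more create and edit tests` is still missing a word; `so you can more easily create and edit tests` is presumably intended.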
@@ -124,24 +126,31 @@ my-api-test: jsonpath: foo.bar ``` -These configuration examples are defined in the YAML files in the [catalog/synthetics/examples](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-synthetics/catalog/synthetics/examples) folder. +These configuration examples are defined in the YAML files in the +[catalog/synthetics/examples](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-synthetics/catalog/synthetics/examples) +folder. -You can use different subfolders for your use-case. -For example, you can have `dev` and `prod` subfolders to define different synthetic tests for the `dev` and `prod` environments. +You can use different subfolders for your use-case. For example, you can have `dev` and `prod` subfolders to define +different synthetic tests for the `dev` and `prod` environments. Then use the `synthetic_paths` variable to point the component to the synthetic test configuration files. The configuration files are processed and transformed in the following order: -- The `datadog-synthetics` component loads the YAML configuration files from the filesystem paths specified by the `synthetics_paths` variable +- The `datadog-synthetics` component loads the YAML configuration files from the filesystem paths specified by the + `synthetics_paths` variable -- Then, in the [synthetics](https://github.com/cloudposse/terraform-datadog-platform/blob/master/modules/synthetics/main.tf) module, - the YAML configuration files are merged and transformed from YAML into - the [Datadog Terraform provider](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_test) schema +- Then, in the + [synthetics](https://github.com/cloudposse/terraform-datadog-platform/blob/master/modules/synthetics/main.tf) module, + the YAML configuration files are merged and transformed from YAML into the + [Datadog Terraform 
provider](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/synthetics_test) + schema - And finally, the Datadog Terraform provider uses the - [Datadog Synthetics API](https://docs.datadoghq.com/api/latest/synthetics) specifications to call the Datadog API and provision the synthetic tests + [Datadog Synthetics API](https://docs.datadoghq.com/api/latest/synthetics) specifications to call the Datadog API and + provision the synthetic tests + ## Requirements @@ -214,6 +223,7 @@ No resources. | [datadog\_synthetics\_test\_monitor\_ids](#output\_datadog\_synthetics\_test\_monitor\_ids) | IDs of the monitors associated with the Datadog synthetics tests | | [datadog\_synthetics\_test\_names](#output\_datadog\_synthetics\_test\_names) | Names of the created Datadog synthetic tests | + ## References diff --git a/modules/dms/endpoint/README.md b/modules/dms/endpoint/README.md index 264580caa..b65dfc542 100644 --- a/modules/dms/endpoint/README.md +++ b/modules/dms/endpoint/README.md @@ -69,6 +69,7 @@ components: - target ``` + ## Requirements @@ -151,10 +152,11 @@ components: | [dms\_endpoint\_arn](#output\_dms\_endpoint\_arn) | DMS endpoint ARN | | [dms\_endpoint\_id](#output\_dms\_endpoint\_id) | DMS endpoint ID | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-endpoint) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-endpoint) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dms/iam/README.md b/modules/dms/iam/README.md index 21eb4e22b..021da144d 100644 --- a/modules/dms/iam/README.md +++ b/modules/dms/iam/README.md @@ -23,6 +23,7 @@ components: name: dms ``` + ## Requirements 
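Review bot: Hunk @@ -124,24 +126,31 @@ of modules/datadog-synthetics/README.md re-wraps two sentences that name the same input differently: `Then use the `synthetic_paths` variable` versus `specified by the `synthetics_paths` variable`. Only one spelling can match the component's declared variable; check `variables.tf` and make both lines use it, since a reader copying the wrong name into a stack gets an unknown-variable error at plan time.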
@@ -79,10 +80,11 @@ No resources. | [dms\_redshift\_s3\_role\_arn](#output\_dms\_redshift\_s3\_role\_arn) | DMS Redshift S3 role ARN | | [dms\_vpc\_management\_role\_arn](#output\_dms\_vpc\_management\_role\_arn) | DMS VPC management role ARN | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-iam) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-iam) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dms/replication-instance/README.md b/modules/dms/replication-instance/README.md index 42b1b31b0..fade7e38c 100644 --- a/modules/dms/replication-instance/README.md +++ b/modules/dms/replication-instance/README.md @@ -42,6 +42,7 @@ components: allocated_storage: 50 ``` + ## Requirements @@ -114,10 +115,11 @@ No resources. | [dms\_replication\_instance\_arn](#output\_dms\_replication\_instance\_arn) | DMS replication instance ARN | | [dms\_replication\_instance\_id](#output\_dms\_replication\_instance\_id) | DMS replication instance ID | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-replication-instance) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-replication-instance) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dms/replication-task/README.md b/modules/dms/replication-task/README.md index f7968c246..4732e9072 100644 --- a/modules/dms/replication-task/README.md +++ b/modules/dms/replication-task/README.md @@ -37,6 +37,7 @@ components: table_mappings_file: "config/replication-task-table-mappings-example.json" ``` + ## Requirements 
@@ -104,10 +105,11 @@ No resources. | [dms\_replication\_task\_arn](#output\_dms\_replication\_task\_arn) | DMS replication task ARN | | [dms\_replication\_task\_id](#output\_dms\_replication\_task\_id) | DMS replication task ID | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-replication-task) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dms/modules/dms-replication-task) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dns-delegated/README.md b/modules/dns-delegated/README.md index c608b8a3c..ed73c60a6 100644 --- a/modules/dns-delegated/README.md +++ b/modules/dns-delegated/README.md @@ -1,6 +1,8 @@ # Component: `dns-delegated` -This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS account. The primary DNS zone is expected to already be provisioned via [the `dns-primary` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary). +This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS +account. The primary DNS zone is expected to already be provisioned via +[the `dns-primary` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary). This component also provisions a wildcard ACM certificate for the given subdomain. 
@@ -8,9 +10,12 @@ This component also provisions a wildcard ACM certificate for the given subdomai **Stack Level**: Global or Regional -Here's an example snippet for how to use this component. Use this component in global or regional stacks for any accounts where you host services that need DNS records on a given subdomain (e.g. delegated zone) of the root domain (e.g. primary zone). +Here's an example snippet for how to use this component. Use this component in global or regional stacks for any +accounts where you host services that need DNS records on a given subdomain (e.g. delegated zone) of the root domain +(e.g. primary zone). -Public Hosted Zone `devplatform.example.net` will be created and `example.net` HZ in the dns primary account will contain a record delegating DNS to the new HZ +Public Hosted Zone `devplatform.example.net` will be created and `example.net` HZ in the dns primary account will +contain a record delegating DNS to the new HZ This will create an ACM record @@ -20,8 +25,8 @@ components: dns-delegated: vars: zone_config: - - subdomain: devplatform - zone_name: example.net + - subdomain: devplatform + zone_name: example.net request_acm_certificate: true dns_private_zone_enabled: false # dns_soa_config configures the SOA record for the zone:: @@ -33,10 +38,10 @@ components: # - 60 ; nxdomain TTL, or time in seconds for secondary DNS servers to cache negative responses # See [SOA Record Documentation](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html) for more information. dns_soa_config: "awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60" - ``` -Private Hosted Zone `devplatform.example.net` will be created and `example.net` HZ in the dns primary account will contain a record delegating DNS to the new HZ +Private Hosted Zone `devplatform.example.net` will be created and `example.net` HZ in the dns primary account will +contain a record delegating DNS to the new HZ This will create an ACM record using a Private CA 
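Review bot: In the Usage hunks of modules/dns-delegated/README.md (@@ -20,8 +25,8 @@ and @@ -33,10 +38,10 @@), prettier re-indents the YAML list so `- subdomain: devplatform` sits deeper under `zone_config:`; that is still valid YAML with the same meaning, so no objection, but two wording issues in the adjacent context are worth fixing in the same pass: the comment `dns_soa_config configures the SOA record for the zone::` has a doubled colon, and `This will create an ACM record` / `This will create an ACM record using a Private CA` describe an ACM certificate (with its DNS validation record), not an "ACM record".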
@@ -46,8 +51,8 @@ components: dns-delegated: vars: zone_config: - - subdomain: devplatform - zone_name: example.net + - subdomain: devplatform + zone_name: example.net request_acm_certificate: true dns_private_zone_enabled: true vpc_region_abbreviation_type: short @@ -60,13 +65,19 @@ components: ### Limitations -Switching a hosted zone from public to private can cause issues because the provider will try to do an update instead of a ForceNew. +Switching a hosted zone from public to private can cause issues because the provider will try to do an update instead of +a ForceNew. See: https://github.com/hashicorp/terraform-provider-aws/issues/7614 -It's not possible to toggle between public and private so if switching from public to private and downtime is acceptable, delete the records of the hosted zone, delete the hosted zone, destroy the terraform component, and deploy with the new settings. +It's not possible to toggle between public and private so if switching from public to private and downtime is +acceptable, delete the records of the hosted zone, delete the hosted zone, destroy the terraform component, and deploy +with the new settings. -NOTE: With each of these workarounds, you may have an issue connecting to the service specific provider e.g. for `auroro-postgres` you may get an error of the host set to `localhost` on the `postgresql` provider resulting in an error. To get around this, dump the endpoint using `atmos terraform show`, hardcode the `host` input on the provider, and re-run the apply. +NOTE: With each of these workarounds, you may have an issue connecting to the service specific provider e.g. for +`auroro-postgres` you may get an error of the host set to `localhost` on the `postgresql` provider resulting in an +error. To get around this, dump the endpoint using `atmos terraform show`, hardcode the `host` input on the provider, +and re-run the apply. #### Workaround if downtime is fine 
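Review bot: In the Limitations hunk (@@ -60,13 +65,19 @@), the re-wrapped NOTE keeps the misspelled component name `auroro-postgres`; it should be `aurora-postgres`, matching the name used in the Workaround list that follows.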
@@ -84,12 +95,15 @@ NOTE: With each of these workarounds, you may have an issue connecting to the se 1. Deploy the new dns-delegated-private component 1. Move aurora-postgres, msk, external-dns, echo-server, etc to the new hosted zone by re-deploying - ## Caveats -- Do not create a delegation for subdomain of a domain in a zone for which that zone is not authoritative for the subdomain (usually because you already delegated a parent subdomain). Though Amazon Route 53 will allow you to, you should not do it. For historic reasons, Route 53 Public DNS allows customers to create two NS delegations within a hosted zone which creates a conflict (and can return either set to resolvers depending on the query). +- Do not create a delegation for subdomain of a domain in a zone for which that zone is not authoritative for the + subdomain (usually because you already delegated a parent subdomain). Though Amazon Route 53 will allow you to, you + should not do it. For historic reasons, Route 53 Public DNS allows customers to create two NS delegations within a + hosted zone which creates a conflict (and can return either set to resolvers depending on the query). -For example, in a single hosted zone with the domain name `example.com`, it is possible to create two NS delegations which are parent and child of each other as follows: +For example, in a single hosted zone with the domain name `example.com`, it is possible to create two NS delegations +which are parent and child of each other as follows: ``` a.example.com. 172800 IN NS ns-1084.awsdns-07.org. 
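Review bot: The Caveats hunk (@@ -84,12 +95,15 @@) re-wraps `Do not create a delegation for subdomain of a domain in a zone for which that zone is not authoritative for the subdomain`, which is hard to parse even after the wrap; suggest `Do not create an NS delegation for a subdomain in a zone that is not authoritative for that subdomain (usually because you already delegated a parent of it)`. The operational point that follows, that Route 53 will accept both the parent and child NS sets and return either, is the part readers need, so keep it.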
@@ -105,21 +119,29 @@ b.a.example.com. 172800 IN NS ns-338.awsdns-42.com. This configuration creates two discrete possible resolution paths. -1. If a resolver directly queries the `example.com` nameservers for `c.b.a.example.com`, it will receive the second set of nameservers. +1. If a resolver directly queries the `example.com` nameservers for `c.b.a.example.com`, it will receive the second set + of nameservers. 2. If a resolver queries `example.com` for `a.example.com`, it will receive the first set of nameservers. -If the resolver then proceeds to query the `a.example.com` nameservers for `c.b.a.example.com`, the response is driven by the contents of the `a.example.com` zone, which may be different than the results returned by the `b.a.example.com` nameservers. `c.b.a.example.com` may not have an entry in the `a.example.com` nameservers, resulting in an error (`NXDOMAIN`) being returned. +If the resolver then proceeds to query the `a.example.com` nameservers for `c.b.a.example.com`, the response is driven +by the contents of the `a.example.com` zone, which may be different than the results returned by the `b.a.example.com` +nameservers. `c.b.a.example.com` may not have an entry in the `a.example.com` nameservers, resulting in an error +(`NXDOMAIN`) being returned. -From 15th May 2020, Route 53 Resolver has been enabling a modern DNS resolver standard called "QName Minimization"[*]. This change causes the resolver to more strictly use recursion path [2] described above where path [1] was common before. [*] [https://tools.ietf.org/html/rfc7816](https://tools.ietf.org/html/rfc7816) +From 15th May 2020, Route 53 Resolver has been enabling a modern DNS resolver standard called "QName Minimization"[*]. +This change causes the resolver to more strictly use recursion path [2] described above where path [1] was common +before. 
[*] [https://tools.ietf.org/html/rfc7816](https://tools.ietf.org/html/rfc7816) -As of January 2022, you can observe the different query strategies in use by Google DNS at `8.8.8.8` (strategy 1) and Cloudflare DNS at `1.1.1.1` (strategy 2). You should verify that both DNS servers resolve your host records properly. +As of January 2022, you can observe the different query strategies in use by Google DNS at `8.8.8.8` (strategy 1) and +Cloudflare DNS at `1.1.1.1` (strategy 2). You should verify that both DNS servers resolve your host records properly. Takeaway -1. In order to ensure DNS resolution is consistent no matter the resolver, it is important to always create NS delegations only authoritative zones. - +1. In order to ensure DNS resolution is consistent no matter the resolver, it is important to always create NS + delegations only authoritative zones. + ## Requirements @@ -208,10 +230,11 @@ Takeaway | [route53\_hosted\_zone\_protections](#output\_route53\_hosted\_zone\_protections) | List of AWS Shield Advanced Protections for Route53 Hosted Zones. | | [zones](#output\_zones) | Subdomain and zone config | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-delegated) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-delegated) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dns-primary/README.md b/modules/dns-primary/README.md index 32e53470b..668dd0bf0 100644 --- a/modules/dns-primary/README.md +++ b/modules/dns-primary/README.md 
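Review bot: Hunk @@ -105,21 +119,29 @@ of modules/dns-delegated/README.md re-wraps the Takeaway as `always create NS delegations only authoritative zones`, which is missing a word: `only in authoritative zones`. In the same hunk, `Route 53 Resolver has been enabling a modern DNS resolver standard` would be clearer as `has enabled`, and the `[*]` footnote now lands on a line of its own after the wrap; keeping it attached to the sentence it annotates (or using an inline link) stops it reading as a stray list item.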
@@ -1,37 +1,59 @@ # Component: `dns-primary` -This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically provision the primary DNS zones in the `dns` account. The primary account for branded zones (e.g. `example.com`), however, would be in the `prod` account, while staging zone (e.g. `example.qa`) might be in the `staging` account. +This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically +provision the primary DNS zones in the `dns` account. The primary account for branded zones (e.g. `example.com`), +however, would be in the `prod` account, while staging zone (e.g. `example.qa`) might be in the `staging` account. -The zones from the primary DNS zone are then expected to be delegated to other accounts via [the `dns-delegated` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-delegated). Additionally, external records can be created on the primary DNS zones via the `record_config` variable. +The zones from the primary DNS zone are then expected to be delegated to other accounts via +[the `dns-delegated` component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-delegated). +Additionally, external records can be created on the primary DNS zones via the `record_config` variable. ## Architecture ### Summary -The `dns` account gets a single `dns-primary` component deployed. Every other account that needs DNS entries gets a single `dns-delegated` component, chaining off the domains in the `dns` account. Optionally, accounts can have a single `dns-primary` component of their own, to have apex domains (which Cloud Posse calls "vanity domains"). Typically, these domains are configured with CNAME (or apex alias) records to point to service domain entries. +The `dns` account gets a single `dns-primary` component deployed. 
Every other account that needs DNS entries gets a +single `dns-delegated` component, chaining off the domains in the `dns` account. Optionally, accounts can have a single +`dns-primary` component of their own, to have apex domains (which Cloud Posse calls "vanity domains"). Typically, these +domains are configured with CNAME (or apex alias) records to point to service domain entries. ### Details -The purpose of the `dns` account is to host root domains shared by several accounts (with each account being delegated its own subdomain) and to be the owner of domain registrations purchased from Amazon. +The purpose of the `dns` account is to host root domains shared by several accounts (with each account being delegated +its own subdomain) and to be the owner of domain registrations purchased from Amazon. -The purpose of the `dns-primary` component is to provision AWS Route53 zones for the root domains. These zones, once provisioned, must be manually configured into the Domain Name Registrar's records as name servers. A single component can provision multiple domains and, optionally, associated ACM (SSL) certificates in a single account. +The purpose of the `dns-primary` component is to provision AWS Route53 zones for the root domains. These zones, once +provisioned, must be manually configured into the Domain Name Registrar's records as name servers. A single component +can provision multiple domains and, optionally, associated ACM (SSL) certificates in a single account. -Cloud Posse's architecture expects root domains shared by several accounts to be provisioned in the `dns` account with `dns-primary` and delegated to other accounts using the `dns-delegated` component, with each account getting its own subdomain corresponding to a Route 53 zone in the delegated account. Cloud Posse's architecture requires at least one such domain, called "the service domain", be provisioned. 
The service domain is not customer facing, and is provisioned to allow fully automated construction of host names without any concerns about how they look. Although they are not secret, the public will never see them. +Cloud Posse's architecture expects root domains shared by several accounts to be provisioned in the `dns` account with +`dns-primary` and delegated to other accounts using the `dns-delegated` component, with each account getting its own +subdomain corresponding to a Route 53 zone in the delegated account. Cloud Posse's architecture requires at least one +such domain, called "the service domain", be provisioned. The service domain is not customer facing, and is provisioned +to allow fully automated construction of host names without any concerns about how they look. Although they are not +secret, the public will never see them. -Root domains used by a single account are provisioned with the `dns-primary` component directly in that account. Cloud Posse calls these "vanity domains". These can be whatever the marketing or PR or other stakeholders want to be. +Root domains used by a single account are provisioned with the `dns-primary` component directly in that account. Cloud +Posse calls these "vanity domains". These can be whatever the marketing or PR or other stakeholders want to be. -After a domain is provisioned in the `dns` account, the `dns-delegated` component can provision one or more subdomains for each account, and, optionally, associated ACM certificates. For the service domain, Cloud Posse recommends using the account name as the delegated subdomain (either directly, e.g. "plat-dev", or as multiple subdomains, e.g. "dev.plat") because that allows `dns-delegated` to automatically provision any required host name in that zone. +After a domain is provisioned in the `dns` account, the `dns-delegated` component can provision one or more subdomains +for each account, and, optionally, associated ACM certificates. 
For the service domain, Cloud Posse recommends using the +account name as the delegated subdomain (either directly, e.g. "plat-dev", or as multiple subdomains, e.g. "dev.plat") +because that allows `dns-delegated` to automatically provision any required host name in that zone. -There is no automated support for `dns-primary` to provision root domains outside of the `dns` account that are to be shared by multiple accounts, and such usage is not recommended. If you must, `dns-primary` can provision a subdomain of a root domain that is provisioned in another account (not `dns`). In this case, the delegation of the subdomain must be done manually by entering the name servers into the parent domain's records (instead of in the Registrar's records). +There is no automated support for `dns-primary` to provision root domains outside of the `dns` account that are to be +shared by multiple accounts, and such usage is not recommended. If you must, `dns-primary` can provision a subdomain of +a root domain that is provisioned in another account (not `dns`). In this case, the delegation of the subdomain must be +done manually by entering the name servers into the parent domain's records (instead of in the Registrar's records). The architecture does not support other configurations, or non-standard component names. - ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. This component should only be applied once as the DNS zones it creates are global. This is typically done via the DNS stack (e.g. `gbl-dns.yaml`). +Here's an example snippet for how to use this component. This component should only be applied once as the DNS zones it +creates are global. This is typically done via the DNS stack (e.g. `gbl-dns.yaml`). ```yaml components: 
@@ -71,11 +93,12 @@ components: YourVeryLongStringGoesHere ``` -:::info -Use the [acm](https://docs.cloudposse.com/components/library/aws/acm) component for more advanced certificate requirements. +:::info Use the [acm](https://docs.cloudposse.com/components/library/aws/acm) component for more advanced certificate +requirements. ::: + ## Requirements @@ -143,8 +166,11 @@ Use the [acm](https://docs.cloudposse.com/components/library/aws/acm) component | [acms](#output\_acms) | ACM certificates for domains | | [zones](#output\_zones) | DNS zones | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dns-primary) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/documentdb/README.md b/modules/documentdb/README.md index fb43cab53..cdea391ee 100644 --- a/modules/documentdb/README.md +++ b/modules/documentdb/README.md @@ -24,6 +24,7 @@ components: retention_period: 35 ``` + ## Requirements @@ -118,10 +119,11 @@ components: | [security\_group\_id](#output\_security\_group\_id) | ID of the DocumentDB cluster Security Group | | [security\_group\_name](#output\_security\_group\_name) | Name of the DocumentDB cluster Security Group | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/documentdb) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/documentdb) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/dynamodb/README.md b/modules/dynamodb/README.md index eec46b957..50e3b06cc 100644 --- a/modules/dynamodb/README.md +++ b/modules/dynamodb/README.md 
@@ -25,9 +25,9 @@ components: point_in_time_recovery_enabled: true streams_enabled: false ttl_enabled: false - ``` + ## Requirements @@ -113,10 +113,11 @@ No resources. | [table\_stream\_arn](#output\_table\_stream\_arn) | DynamoDB table stream ARN | | [table\_stream\_label](#output\_table\_stream\_label) | DynamoDB table stream label | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dynamodb) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/dynamodb) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/ec2-client-vpn/README.md b/modules/ec2-client-vpn/README.md index e71633a2c..41db52018 100644 --- a/modules/ec2-client-vpn/README.md +++ b/modules/ec2-client-vpn/README.md @@ -6,7 +6,9 @@ This component is responsible for provisioning VPN Client Endpoints. **Stack Level**: Regional -Here's an example snippet for how to use this component. This component should only be applied once as the resources it creates are regional. This is typically done via the corp stack (e.g. `uw2-corp.yaml`). This is because a vpc endpoint requires a vpc and the network stack does not have a vpc. +Here's an example snippet for how to use this component. This component should only be applied once as the resources it +creates are regional. This is typically done via the corp stack (e.g. `uw2-corp.yaml`). This is because a vpc endpoint +requires a vpc and the network stack does not have a vpc. ```yaml components: 
@@ -24,23 +26,24 @@ components: organization_name: acme split_tunnel: true availability_zones: - - us-west-2a - - us-west-2b - - us-west-2c + - us-west-2a + - us-west-2b + - us-west-2c associated_security_group_ids: [] additional_routes: - - destination_cidr_block: 0.0.0.0/0 - description: Internet Route + - destination_cidr_block: 0.0.0.0/0 + description: Internet Route authorization_rules: - - name: Internet Rule - authorize_all_groups: true - description: Allows routing to the internet" - target_network_cidr: 0.0.0.0/0 + - name: Internet Rule + authorize_all_groups: true + description: Allows routing to the internet" + target_network_cidr: 0.0.0.0/0 ``` ## Deploying -NOTE: This module uses the `aws_ec2_client_vpn_route` resource which throws an error if too many API calls come from a single host. Ignore this error and repeat the terraform command. It usually takes 3 deploys (or destroys) to complete. +NOTE: This module uses the `aws_ec2_client_vpn_route` resource which throws an error if too many API calls come from a +single host. Ignore this error and repeat the terraform command. It usually takes 3 deploys (or destroys) to complete. Error on create (See issue https://github.com/hashicorp/terraform-provider-aws/issues/19750) 
@@ -56,9 +59,12 @@ timeout while waiting for resource to be gone (last state: 'deleting', timeout: ## Testing -NOTE: The `GoogleIDPMetadata-cloudposse.com.xml` in this repo is equivalent to the one in the `sso` component and is used for testing. This component can only specify a single SAML document. The customer SAML xml should be placed in this directory side-by-side the CloudPosse SAML xml. +NOTE: The `GoogleIDPMetadata-cloudposse.com.xml` in this repo is equivalent to the one in the `sso` component and is +used for testing. This component can only specify a single SAML document. The customer SAML xml should be placed in this +directory side-by-side the CloudPosse SAML xml. -Prior to testing, the component needs to be deployed and the AWS client app needs to be setup by the IdP admin otherwise the following steps will result in an error similar to `app_not_configured_for_user`. +Prior to testing, the component needs to be deployed and the AWS client app needs to be setup by the IdP admin otherwise +the following steps will result in an error similar to `app_not_configured_for_user`. 1. Deploy the component in a regional account with a VPC like `ue2-corp`. 1. Copy the contents of `client_configuration` into a file called `client_configuration.ovpn` 
@@ -74,15 +80,17 @@ Prior to testing, the component needs to be deployed and the AWS client app need A browser will launch and allow you to connect to the VPN. -1. Make a note of where this component is deployed -1. Ensure that the resource to connect to is in a VPC that is connected by the transit gateway -1. Ensure that the resource to connect to contains a security group with a rule that allows ingress from where the client vpn is deployed (e.g. `ue2-corp`) -1. Use `nmap` to test if the port is `open`. If the port is `filtered` then it's not open. +1. Make a note of where this component is deployed +1. Ensure that the resource to connect to is in a VPC that is connected by the transit gateway +1. Ensure that the resource to connect to contains a security group with a rule that allows ingress from where the + client vpn is deployed (e.g. `ue2-corp`) +1. Use `nmap` to test if the port is `open`. If the port is `filtered` then it's not open. nmap -p Successful tests have been seen with MSK and RDS. + ## Requirements @@ -159,10 +167,12 @@ No resources. | [vpn\_endpoint\_dns\_name](#output\_vpn\_endpoint\_dns\_name) | The DNS Name of the Client VPN Endpoint Connection. | | [vpn\_endpoint\_id](#output\_vpn\_endpoint\_id) | The ID of the Client VPN Endpoint Connection. | + ## References -* [cloudposse/terraform-aws-ec2-client-vpn](https://github.com/cloudposse/terraform-aws-ec2-client-vpn) - Cloud Posse's upstream component -* [cloudposse/awsutils](https://github.com/cloudposse/terraform-provider-awsutils) - Cloud Posse's awsutils provider +- [cloudposse/terraform-aws-ec2-client-vpn](https://github.com/cloudposse/terraform-aws-ec2-client-vpn) - Cloud Posse's + upstream component +- [cloudposse/awsutils](https://github.com/cloudposse/terraform-provider-awsutils) - Cloud Posse's awsutils provider [](https://cpco.io/component) diff --git a/modules/ecr/README.md b/modules/ecr/README.md index 46c209cd1..413b40394 100644 --- a/modules/ecr/README.md 
+++ b/modules/ecr/README.md @@ -1,13 +1,13 @@ # Component: `ecr` This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage. -This utilizes [the roles-to-principals submodule](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-map/modules/roles-to-principals) +This utilizes +[the roles-to-principals submodule](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/account-map/modules/roles-to-principals) to assign accounts to various roles. It is also compatible with the [GitHub Actions IAM Role mixin](https://github.com/cloudposse/terraform-aws-components/blob/master/mixins/github-actions-iam-role/README-github-action-iam-role.md). - -:::caution -Older versions of our reference architecture have an`eks-iam` component that needs to be updated to provide sufficient IAM roles to allow pods to pull from ECR repos +:::caution Older versions of our reference architecture have an`eks-iam` component that needs to be updated to provide +sufficient IAM roles to allow pods to pull from ECR repos ::: @@ -16,9 +16,9 @@ Older versions of our reference architecture have an`eks-iam` component that nee **Stack Level**: Regional Here's an example snippet for how to use this component. This component is normally only applied once as the resources -it creates are globally accessible, but you may want to create ECRs in multiple regions for redundancy. -This is typically provisioned via the stack for the "artifact" account (typically `auto`, `artifact`, or `corp`) -in the primary region. +it creates are globally accessible, but you may want to create ECRs in multiple regions for redundancy. This is +typically provisioned via the stack for the "artifact" account (typically `auto`, `artifact`, or `corp`) in the primary +region. ```yaml components: 
@@ -40,10 +40,10 @@ components: - microservice-c read_write_account_role_map: identity: - - admin - - cicd + - admin + - cicd automation: - - admin + - admin read_only_account_role_map: corp: ["*"] dev: ["*"] @@ -51,6 +51,7 @@ components: stage: ["*"] ``` + ## Requirements @@ -129,6 +130,7 @@ components: | [ecr\_user\_unique\_id](#output\_ecr\_user\_unique\_id) | ECR user unique ID assigned by AWS | | [repository\_host](#output\_repository\_host) | ECR repository name | + ## Related @@ -137,7 +139,8 @@ components: - [Decide on ECR Strategy](https://docs.cloudposse.com/reference-architecture/design-decisions/foundational-platform/decide-on-ecr-strategy) ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecr) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecr) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/ecs-service/README.md b/modules/ecs-service/README.md index d96f3ca89..567f832bd 100644 --- a/modules/ecs-service/README.md +++ b/modules/ecs-service/README.md @@ -101,7 +101,10 @@ components: hostPort: 80 protocol: tcp command: - - '/bin/sh -c "echo '' Amazon ECS Sample App

Amazon ECS Sample App

Congratulations!

Your application is now running on a container in Amazon ECS.

'' > /usr/local/apache2/htdocs/index.html && httpd-foreground"' + - '/bin/sh -c "echo '' Amazon ECS Sample App

Amazon ECS + Sample App

Congratulations!

Your application is now running on a container in Amazon + ECS.

'' > /usr/local/apache2/htdocs/index.html && httpd-foreground"' entrypoint: ["sh", "-c"] task: desired_count: 1 @@ -147,19 +150,23 @@ components: #### Other Domains This component supports alternate service names for your ECS Service through a couple of variables: - - `vanity_domain` & `vanity_alias` - This will create a route to the service in the listener rules of the ALB. This will also create a Route 53 alias record in the hosted zone in this account. The hosted zone is looked up by the `vanity_domain` input. - - `additional_targets` - This will create a route to the service in the listener rules of the ALB. This will not create a Route 53 alias record. + +- `vanity_domain` & `vanity_alias` - This will create a route to the service in the listener rules of the ALB. This will + also create a Route 53 alias record in the hosted zone in this account. The hosted zone is looked up by the + `vanity_domain` input. +- `additional_targets` - This will create a route to the service in the listener rules of the ALB. This will not create + a Route 53 alias record. Examples: ```yaml - ecs/platform/service/echo-server: - vars: - vanity_domain: "dev-acme.com" - vanity_alias: - - "echo-server.dev-acme.com" - additional_targets: - - "echo.acme.com" +ecs/platform/service/echo-server: + vars: + vanity_domain: "dev-acme.com" + vanity_alias: + - "echo-server.dev-acme.com" + additional_targets: + - "echo.acme.com" ``` This then creates the following listener rules: 
@@ -171,33 +178,35 @@ echo-server.public-platform.use2.dev.plat.service-discovery.com OR echo.acme.com ``` -It will also create the record in Route53 to point `"echo-server.dev-acme.com"` to the ALB. Thus `"echo-server.dev-acme.com"` should resolve. +It will also create the record in Route53 to point `"echo-server.dev-acme.com"` to the ALB. Thus +`"echo-server.dev-acme.com"` should resolve. We can then create a pointer to this service in the `acme.come` hosted zone. ```yaml - dns-primary: - vars: - domain_names: - - acme.com - record_config: - - root_zone: acme.com - name: echo. - type: CNAME - ttl: 60 - records: - - echo-server.dev-acme.com +dns-primary: + vars: + domain_names: + - acme.com + record_config: + - root_zone: acme.com + name: echo. + type: CNAME + ttl: 60 + records: + - echo-server.dev-acme.com ``` This will create a CNAME record in the `acme.com` hosted zone that points `echo.acme.com` to `echo-server.dev-acme.com`. ### EFS -EFS is supported by this ecs service, you can use either `efs_volumes` or `efs_component_volumes` in your task definition. +EFS is supported by this ecs service, you can use either `efs_volumes` or `efs_component_volumes` in your task +definition. +This example shows how to use `efs_component_volumes` which remote looks up efs component and uses the `efs_id` to mount +the volume. And how to use `efs_volumes` -This example shows how to use `efs_component_volumes` which remote looks up efs component and uses the `efs_id` to mount the volume. -And how to use `efs_volumes` ```yaml components: terraform: @@ -243,7 +252,7 @@ components: authorization_config: [] ``` - + ## Requirements 
@@ -450,9 +459,11 @@ components: | [vpc\_id](#output\_vpc\_id) | Selected VPC ID | | [vpc\_sg\_id](#output\_vpc\_sg\_id) | Selected VPC SG ID | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs-service) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs-service) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/ecs/README.md b/modules/ecs/README.md index b7ce3168c..aeb446def 100644 --- a/modules/ecs/README.md +++ b/modules/ecs/README.md @@ -12,7 +12,7 @@ The following will create - ecs cluster - load balancer with an ACM cert placed on example.com -- r53 record on all *.example.com which will point to the load balancer +- r53 record on all \*.example.com which will point to the load balancer ```yaml components: @@ -50,6 +50,7 @@ components: - "my-vanity-domain.com" ``` + ## Requirements @@ -144,8 +145,11 @@ components: | [security\_group\_id](#output\_security\_group\_id) | Security group id | | [vpc\_id](#output\_vpc\_id) | VPC ID | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/efs/README.md b/modules/efs/README.md index 722714068..34981e144 100644 --- a/modules/efs/README.md +++ b/modules/efs/README.md 
@@ -1,6 +1,8 @@ # Component: `efs` -This component is responsible for provisioning an [EFS](https://aws.amazon.com/efs/) Network File System with KMS encryption-at-rest. EFS is an excellent choice as the default block storage for EKS clusters so that volumes are not zone-locked. +This component is responsible for provisioning an [EFS](https://aws.amazon.com/efs/) Network File System with KMS +encryption-at-rest. EFS is an excellent choice as the default block storage for EKS clusters so that volumes are not +zone-locked. ## Usage @@ -27,6 +29,7 @@ components: # cidr_blocks: ["0.0.0.0/0"] ``` + ## Requirements @@ -109,10 +112,11 @@ components: | [security\_group\_id](#output\_security\_group\_id) | EFS Security Group ID | | [security\_group\_name](#output\_security\_group\_name) | EFS Security Group name | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/efs) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/efs) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/eks/actions-runner-controller/README.md b/modules/eks/actions-runner-controller/README.md index 6940f7c5b..bedb6ddd9 100644 --- a/modules/eks/actions-runner-controller/README.md +++ b/modules/eks/actions-runner-controller/README.md @@ -1,6 +1,7 @@ # Component: `actions-runner-controller` -This component creates a Helm release for [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) on an EKS cluster. +This component creates a Helm release for +[actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) on an EKS cluster. ## Usage @@ -165,7 +166,6 @@ components: # - "amd64" # - "AMD64" # - "core-auto" - ``` ### Generating Required Secrets 
@@ -174,25 +174,27 @@ AWS SSM is used to store and retrieve secrets. Decide on the SSM path for the GitHub secret (PAT or Application private key) and GitHub webhook secret. -Since the secret is automatically scoped by AWS to the account and region where the secret is stored, -we recommend the secret be stored at `/github_runners/controller_github_app_secret` unless you -plan on running multiple instances of the controller. If you plan on running multiple instances of the controller, -and want to give them different access (otherwise they could share the same secret), then you can add -a path component to the SSM path. For example `/github_runners/cicd/controller_github_app_secret`. +Since the secret is automatically scoped by AWS to the account and region where the secret is stored, we recommend the +secret be stored at `/github_runners/controller_github_app_secret` unless you plan on running multiple instances of the +controller. If you plan on running multiple instances of the controller, and want to give them different access +(otherwise they could share the same secret), then you can add a path component to the SSM path. For example +`/github_runners/cicd/controller_github_app_secret`. ``` ssm_github_secret_path: "/github_runners/controller_github_app_secret" ``` -The preferred way to authenticate is by _creating_ and _installing_ a GitHub App. -This is the recommended approach as it allows for more much more restricted access than using a personal access token, -at least until [fine-grained personal access token permissions](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) are generally available. -Follow the instructions [here](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/docs/detailed-docs.md#deploying-using-github-app-authentication) to create and install the GitHub App. +The preferred way to authenticate is by _creating_ and _installing_ a GitHub App. 
This is the recommended approach as it +allows for more much more restricted access than using a personal access token, at least until +[fine-grained personal access token permissions](https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/) +are generally available. Follow the instructions +[here](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/docs/detailed-docs.md#deploying-using-github-app-authentication) +to create and install the GitHub App. -At the creation stage, you will be asked to generate a private key. This is the private key that will be used to authenticate -the Action Runner Controller. Download the file and store the contents in SSM using the following command, adjusting the profile -and file name. The profile should be the `admin` role in the account to which you are deploying the runner controller. -The file name should be the name of the private key file you downloaded. +At the creation stage, you will be asked to generate a private key. This is the private key that will be used to +authenticate the Action Runner Controller. Download the file and store the contents in SSM using the following command, +adjusting the profile and file name. The profile should be the `admin` role in the account to which you are deploying +the runner controller. The file name should be the name of the private key file you downloaded. ``` AWS_PROFILE=acme-mgmt-use2-auto-admin chamber write github_runners controller_github_app_secret -- "$(cat APP_NAME.DATE.private-key.pem)" 
@@ -204,15 +206,15 @@ You can verify the file was correctly written to SSM by matching the private key AWS_PROFILE=acme-mgmt-use2-auto-admin chamber read -q github_runners controller_github_app_secret | openssl rsa -in - -pubout -outform DER | openssl sha256 -binary | openssl base64 ``` -At this stage, record the Application ID and the private key fingerprint in your secrets manager (e.g. 1Password). -You will need the Application ID to configure the runner controller, and want the fingerprint to verify the private key. +At this stage, record the Application ID and the private key fingerprint in your secrets manager (e.g. 1Password). You +will need the Application ID to configure the runner controller, and want the fingerprint to verify the private key. -Proceed to install the GitHub App in the organization or repository you want to use the runner controller for, -and record the Installation ID (the final numeric part of the URL, as explained in the instructions -linked above) in your secrets manager. You will need the Installation ID to configure the runner controller. +Proceed to install the GitHub App in the organization or repository you want to use the runner controller for, and +record the Installation ID (the final numeric part of the URL, as explained in the instructions linked above) in your +secrets manager. You will need the Installation ID to configure the runner controller. -In your stack configuration, set the following variables, making sure to quote the values so they are -treated as strings, not numbers. +In your stack configuration, set the following variables, making sure to quote the values so they are treated as +strings, not numbers. ``` github_app_id: "12345" 
@@ -220,44 +222,52 @@ github_app_installation_id: "12345" ``` OR (obsolete) -- A PAT with the scope outlined in [this document](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication). - Save this to the value specified by `ssm_github_token_path` using the following command, adjusting the - AWS\_PROFILE to refer to the `admin` role in the account to which you are deploying the runner controller: + +- A PAT with the scope outlined in + [this document](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication). + Save this to the value specified by `ssm_github_token_path` using the following command, adjusting the AWS_PROFILE to + refer to the `admin` role in the account to which you are deploying the runner controller: ``` AWS_PROFILE=acme-mgmt-use2-auto-admin chamber write github_runners controller_github_app_secret -- "" ``` -2. If using the Webhook Driven autoscaling (recommended), generate a random string to use as the Secret when creating the webhook in GitHub. +2. If using the Webhook Driven autoscaling (recommended), generate a random string to use as the Secret when creating + the webhook in GitHub. Generate the string using 1Password (no special characters, length 45) or by running + ```bash dd if=/dev/random bs=1 count=33 2>/dev/null | base64 ``` Store this key in AWS SSM under the same path specified by `ssm_github_webhook_secret_token_path` + ``` ssm_github_webhook_secret_token_path: "/github_runners/github_webhook_secret" ``` ### Using Runner Groups -GitHub supports grouping runners into distinct [Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups), which allow you to have different access controls -for different runners. Read the linked documentation about creating and configuring Runner Groups, which you must do -through the GitHub Web UI. 
If you choose to create Runner Groups, you can assign one or more Runner pools (from the -`runners` map) to groups (only one group per runner pool) by including `group: ` in the runner -configuration. We recommend including it immediately after `scope`. +GitHub supports grouping runners into distinct +[Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups), +which allow you to have different access controls for different runners. Read the linked documentation about creating +and configuring Runner Groups, which you must do through the GitHub Web UI. If you choose to create Runner Groups, you +can assign one or more Runner pools (from the `runners` map) to groups (only one group per runner pool) by including +`group: ` in the runner configuration. We recommend including it immediately after `scope`. ### Using Webhook Driven Autoscaling (recommended) -We recommend using Webhook Driven Autoscaling until GitHub releases their own autoscaling solution (said to be "in the works" as of April 2023). +We recommend using Webhook Driven Autoscaling until GitHub releases their own autoscaling solution (said to be "in the +works" as of April 2023). -To use the Webhook Driven Autoscaling, in addition to setting `webhook_driven_scaling_enabled` to `true`, you must -also install the GitHub organization-level webhook after deploying the component (specifically, the webhook server). -The URL for the webhook is determined by the `webhook.hostname_template` and where -it is deployed. Recommended URL is `https://gha-webhook.[environment].[stage].[tenant].[service-discovery-domain]`. +To use the Webhook Driven Autoscaling, in addition to setting `webhook_driven_scaling_enabled` to `true`, you must also +install the GitHub organization-level webhook after deploying the component (specifically, the webhook server). The URL +for the webhook is determined by the `webhook.hostname_template` and where it is deployed. 
Recommended URL is +`https://gha-webhook.[environment].[stage].[tenant].[service-discovery-domain]`. As a GitHub organization admin, go to `https://github.com/organizations/[organization]/settings/hooks`, and then: + - Click"Add webhook" and create a new webhook with the following settings: - Payload URL: copy from Terraform output `webhook_payload_url` - Content type: `application/json` 
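Review bot: the `chamber write github_runners controller_github_app_secret -- ""` example still has the operator paste the PAT as a command-line argument (so it lands in shell history), and the prose says to save it "to the value specified by `ssm_github_token_path`" while the command writes a key named `controller_github_app_secret`; since this path is now marked "(obsolete)", either drop the block or make the key and the variable agree and mention that chamber accepts `-` as the value to read it from stdin. The two webhook-secret recipes also do not produce the same kind of string: the 1Password instruction says "no special characters, length 45" while `dd if=/dev/random bs=1 count=33 2>/dev/null | base64` yields 44 characters that can include `+` and `/`; both are accepted by GitHub, so say so or pick one. Minor: the fences around the `chamber write` and `ssm_github_webhook_secret_token_path` snippets carry no language tag, unlike the `bash` fence prettier now isolates for the `dd` command; tag them `bash` and `yaml`.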
@@ -269,62 +279,62 @@ As a GitHub organization admin, go to `https://github.com/organizations/[organiz - Ensure that "Active" is checked (should be checked by default) - Click "Add webhook" at the bottom of the settings page -After the webhook is created, select "edit" for the webhook and go to the "Recent Deliveries" tab and verify that there is a delivery -(of a "ping" event) with a green check mark. If not, verify all the settings and consult -the logs of the `actions-runner-controller-github-webhook-server` pod. +After the webhook is created, select "edit" for the webhook and go to the "Recent Deliveries" tab and verify that there +is a delivery (of a "ping" event) with a green check mark. If not, verify all the settings and consult the logs of the +`actions-runner-controller-github-webhook-server` pod. ### Configuring Webhook Driven Autoscaling -The `HorizontalRunnerAutoscaler scaleUpTriggers.duration` (see [Webhook Driven Scaling documentation](https://github. com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#webhook-driven-scaling)) is -controlled by the `webhook_startup_timeout` setting for each Runner. The purpose of this timeout is to ensure, in -case a job cancellation or termination event gets missed, that the resulting idle runner eventually gets terminated. +The `HorizontalRunnerAutoscaler scaleUpTriggers.duration` (see [Webhook Driven Scaling documentation](https://github. +com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#webhook-driven-scaling)) is +controlled by the `webhook_startup_timeout` setting for each Runner. The purpose of this timeout is to ensure, in case a +job cancellation or termination event gets missed, that the resulting idle runner eventually gets terminated. #### How the Autoscaler Determines the Desired Runner Pool Size -When a job is queued, a `capacityReservation` is created for it. 
The HRA (Horizontal Runner Autoscaler) sums up all -the capacity reservations to calculate the desired size of the runner pool, subject to the limits of `minReplicas` -and `maxReplicas`. The idea is that a `capacityReservation` is deleted when a job is completed or canceled, and the -pool size will be equal to `jobsStarted - jobsFinished`. However, it can happen that a job will finish without the -HRA being successfully notified about it, so as a safety measure, the `capacityReservation` will expire after a -configurable amount of time, at which point it will be deleted without regard to the job being finished. This -ensures that eventually an idle runner pool will scale down to `minReplicas`. - -If it happens that the capacity reservation expires before the job is finished, the Horizontal Runner Autoscaler (HRA) will scale down the pool -by 2 instead of 1: once because the capacity reservation expired, and once because the job finished. This will -also cause starvation of waiting jobs, because the next in line will have its timeout timer started but will not -actually start running because no runner is available. And if `minReplicas` is set to zero, the pool will scale down -to zero before finishing all the jobs, leaving some waiting indefinitely. This is why it is important to set the -`webhook_startup_timeout` to a time long enough to cover the full time a job may have to wait between the time it is +When a job is queued, a `capacityReservation` is created for it. The HRA (Horizontal Runner Autoscaler) sums up all the +capacity reservations to calculate the desired size of the runner pool, subject to the limits of `minReplicas` and +`maxReplicas`. The idea is that a `capacityReservation` is deleted when a job is completed or canceled, and the pool +size will be equal to `jobsStarted - jobsFinished`. 
However, it can happen that a job will finish without the HRA being +successfully notified about it, so as a safety measure, the `capacityReservation` will expire after a configurable +amount of time, at which point it will be deleted without regard to the job being finished. This ensures that eventually +an idle runner pool will scale down to `minReplicas`. + +If it happens that the capacity reservation expires before the job is finished, the Horizontal Runner Autoscaler (HRA) +will scale down the pool by 2 instead of 1: once because the capacity reservation expired, and once because the job +finished. This will also cause starvation of waiting jobs, because the next in line will have its timeout timer started +but will not actually start running because no runner is available. And if `minReplicas` is set to zero, the pool will +scale down to zero before finishing all the jobs, leaving some waiting indefinitely. This is why it is important to set +the `webhook_startup_timeout` to a time long enough to cover the full time a job may have to wait between the time it is queued and the time it finishes, assuming that the HRA scales up the pool by 1 and runs the job on the new runner. -:::info -If there are more jobs queued than there are runners allowed by `maxReplicas`, the timeout timer does not start on the -capacity reservation until enough reservations ahead of it are removed for it to be considered as representing +:::info If there are more jobs queued than there are runners allowed by `maxReplicas`, the timeout timer does not start +on the capacity reservation until enough reservations ahead of it are removed for it to be considered as representing and active job. Although there are some edge cases regarding `webhook_startup_timeout` that seem not to be covered -properly (see [actions-runner-controller issue #2466](https://github.com/actions/actions-runner-controller/issues/2466)), -they only merit adding a few extra minutes to the timeout. 
-::: - +properly (see +[actions-runner-controller issue #2466](https://github.com/actions/actions-runner-controller/issues/2466)), they only +merit adding a few extra minutes to the timeout. ::: ### Recommended `webhook_startup_timeout` Duration #### Consequences of Too Short of a `webhook_startup_timeout` Duration If you set `webhook_startup_timeout` to too short a duration, the Horizontal Runner Autoscaler will cancel capacity -reservations for jobs that have not yet finished, and the pool will become too small. This will be most serious if you have -set `minReplicas = 0` because in this case, jobs will be left in the queue indefinitely. With a higher value of -`minReplicas`, the pool will eventually make it through all the queued jobs, but not as quickly as intended due to -the incorrectly reduced capacity. +reservations for jobs that have not yet finished, and the pool will become too small. This will be most serious if you +have set `minReplicas = 0` because in this case, jobs will be left in the queue indefinitely. With a higher value of +`minReplicas`, the pool will eventually make it through all the queued jobs, but not as quickly as intended due to the +incorrectly reduced capacity. #### Consequences of Too Long of a `webhook_startup_timeout` Duration If the Horizontal Runner Autoscaler misses a scale-down event (which can happen because events do not have delivery -guarantees), a runner may be left running idly for as long as the `webhook_startup_timeout` duration. The only -problem with this is the added expense of leaving the idle runner running. +guarantees), a runner may be left running idly for as long as the `webhook_startup_timeout` duration. The only problem +with this is the added expense of leaving the idle runner running. 
#### Recommendation As a result, we recommend setting `webhook_startup_timeout` to a period long enough to cover: + - The time it takes for the HRA to scale up the pool and make a new runner available - The time it takes for the runner to pick up the job from GitHub - The time it takes for the job to start running on the new runner 
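Review bot: prettier has broken the Docusaurus admonition in this hunk. The opening marker is now joined onto the first line of its paragraph (`+:::info If there are more jobs queued than there are runners allowed by `maxReplicas`, the timeout timer does not start`) and the closing marker is appended to the last sentence (`merit adding a few extra minutes to the timeout. :::`); both markers must sit on their own lines, so surround the block with blank lines in the source or wrap it in `<!-- prettier-ignore -->` so the formatter leaves it alone, otherwise the note renders as literal text. While on these lines: the link to the Webhook Driven Scaling documentation still contains a space in the host (`https://github.` followed by `com/actions/actions-runner-controller/...`), which was already broken in the removed lines and is now split across two lines, and "considered as representing and active job" should read "an active job".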
@@ -332,21 +342,21 @@ As a result, we recommend setting `webhook_startup_timeout` to a period long eno Because the consequences of expiring a capacity reservation before the job is finished are so severe, we recommend setting `webhook_startup_timeout` to a period at least 30 minutes longer than you expect the longest job to take. -Remember, when everything works properly, the HRA will scale down the pool as jobs finish, so there is little cost -to setting a long duration, and the cost looks even smaller by comparison to the cost of having too short a duration. +Remember, when everything works properly, the HRA will scale down the pool as jobs finish, so there is little cost to +setting a long duration, and the cost looks even smaller by comparison to the cost of having too short a duration. -For lightly used runner pools expecting only short jobs, you can set `webhook_startup_timeout` to `"30m"`. -As a rule of thumb, we recommend setting `maxReplicas` high enough that jobs never wait on the queue more than an hour. +For lightly used runner pools expecting only short jobs, you can set `webhook_startup_timeout` to `"30m"`. As a rule of +thumb, we recommend setting `maxReplicas` high enough that jobs never wait on the queue more than an hour. ### Interaction with Karpenter or other EKS autoscaling solutions -Kubernetes cluster autoscaling solutions generally expect that a Pod runs a service that can be terminated on one -Node and restarted on another with only a short duration needed to finish processing any in-flight requests. When -the cluster is resized, the cluster autoscaler will do just that. However, GitHub Action Runner Jobs do not fit this -model. If a Pod is terminated in the middle of a job, the job is lost. 
The likelihood of this happening is increased -by the fact that the Action Runner Controller Autoscaler is expanding and contracting the size of the Runner Pool on -a regular basis, causing the cluster autoscaler to more frequently want to scale up or scale down the EKS cluster, -and, consequently, to move Pods around. +Kubernetes cluster autoscaling solutions generally expect that a Pod runs a service that can be terminated on one Node +and restarted on another with only a short duration needed to finish processing any in-flight requests. When the cluster +is resized, the cluster autoscaler will do just that. However, GitHub Action Runner Jobs do not fit this model. If a Pod +is terminated in the middle of a job, the job is lost. The likelihood of this happening is increased by the fact that +the Action Runner Controller Autoscaler is expanding and contracting the size of the Runner Pool on a regular basis, +causing the cluster autoscaler to more frequently want to scale up or scale down the EKS cluster, and, consequently, to +move Pods around. To handle these kinds of situations, Karpenter respects an annotation on the Pod: 
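Review bot: the two recommendations on `webhook_startup_timeout` read as contradictory when placed side by side: "at least 30 minutes longer than you expect the longest job to take" is followed by "For lightly used runner pools expecting only short jobs, you can set `webhook_startup_timeout` to `"30m"`", which only satisfies the first rule if the longest job takes roughly zero time. Say explicitly that `"30m"` is the floor for pools whose jobs finish in a few minutes, or raise the example value. The reflow of the Karpenter paragraph is otherwise a no-op.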
@@ -358,42 +368,44 @@ spec: karpenter.sh/do-not-evict: "true" ``` -When you set this annotation on the Pod, Karpenter will not evict it. This means that the Pod will stay on the Node -it is on, and the Node it is on will not be considered for eviction. This is good because it means that the Pod -will not be terminated in the middle of a job. However, it also means that the Node the Pod is on will not be considered -for termination, which means that the Node will not be removed from the cluster, which means that the cluster will -not shrink in size when you would like it to. +When you set this annotation on the Pod, Karpenter will not evict it. This means that the Pod will stay on the Node it +is on, and the Node it is on will not be considered for eviction. This is good because it means that the Pod will not be +terminated in the middle of a job. However, it also means that the Node the Pod is on will not be considered for +termination, which means that the Node will not be removed from the cluster, which means that the cluster will not +shrink in size when you would like it to. Since the Runner Pods terminate at the end of the job, this is not a problem for the Pods actually running jobs. However, if you have set `minReplicas > 0`, then you have some Pods that are just idling, waiting for jobs to be -assigned to them. These Pods are exactly the kind of Pods you want terminated and moved when the cluster is underutilized. -Therefore, when you set `minReplicas > 0`, you should **NOT** set `karpenter.sh/do-not-evict: "true"` on the Pod. +assigned to them. These Pods are exactly the kind of Pods you want terminated and moved when the cluster is +underutilized. Therefore, when you set `minReplicas > 0`, you should **NOT** set `karpenter.sh/do-not-evict: "true"` on +the Pod. 
-We have [requested a feature](https://github.com/actions/actions-runner-controller/issues/2562) -that will allow you to set `karpenter.sh/do-not-evict: "true"` and `minReplicas > 0` at the same time by only -annotating Pods running jobs. Meanwhile, another option is to set `minReplicas = 0` on a schedule using an ARC -Autoscaler [scheduled override](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#scheduled-overrides). -At present, this component does not support that option, but it could be added in the future if our preferred -solution is not implemented. +We have [requested a feature](https://github.com/actions/actions-runner-controller/issues/2562) that will allow you to +set `karpenter.sh/do-not-evict: "true"` and `minReplicas > 0` at the same time by only annotating Pods running jobs. +Meanwhile, another option is to set `minReplicas = 0` on a schedule using an ARC Autoscaler +[scheduled override](https://github.com/actions/actions-runner-controller/blob/master/docs/automatically-scaling-runners.md#scheduled-overrides). +At present, this component does not support that option, but it could be added in the future if our preferred solution +is not implemented. ### Updating CRDs When updating the chart or application version of `actions-runner-controller`, it is possible you will need to install -new CRDs. Such a requirement should be indicated in the `actions-runner-controller` release notes and may require some adjustment to our -custom chart or configuration. +new CRDs. Such a requirement should be indicated in the `actions-runner-controller` release notes and may require some +adjustment to our custom chart or configuration. -This component uses `helm` to manage the deployment, and `helm` will not auto-update CRDs. -If new CRDs are needed, install them manually via a command like +This component uses `helm` to manage the deployment, and `helm` will not auto-update CRDs. 
If new CRDs are needed, +install them manually via a command like ``` kubectl create -f https://raw.githubusercontent.com/actions-runner-controller/actions-runner-controller/master/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml ``` - ### Useful Reference -Consult [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) documentation for further details. +Consult [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) +documentation for further details. + ## Requirements @@ -497,10 +509,12 @@ Consult [actions-runner-controller](https://github.com/actions-runner-controller | [metadata\_action\_runner\_releases](#output\_metadata\_action\_runner\_releases) | Block statuses of the deployed actions-runner chart releases | | [webhook\_payload\_url](#output\_webhook\_payload\_url) | Payload URL for GitHub webhook | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) - + Cloud Posse's upstream component - [alb-controller](https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller) - Helm Chart - [alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) - AWS Load Balancer Controller - [actions-runner-controller Webhook Driven Scaling](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/docs/detailed-docs.md#webhook-driven-scaling) diff --git a/modules/eks/alb-controller-ingress-class/README.md b/modules/eks/alb-controller-ingress-class/README.md index 8df9c1549..e0fa8c847 100644 --- a/modules/eks/alb-controller-ingress-class/README.md +++ b/modules/eks/alb-controller-ingress-class/README.md 
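Review bot: the CRD update command in this hunk installs the HorizontalRunnerAutoscaler CRD from the `master` branch (`kubectl create -f https://raw.githubusercontent.com/actions-runner-controller/actions-runner-controller/master/charts/actions-runner-controller/crds/actions.summerwind.dev_horizontalrunnerautoscalers.yaml`), so the schema applied can be newer than the chart version this component pins, and `kubectl create` fails with AlreadyExists when the CRD is already present, which is exactly the situation the paragraph describes ("When updating the chart or application version"). Suggest pointing the URL at the tag that matches the deployed chart and using `kubectl apply --server-side` (or `kubectl replace`) so an existing CRD is updated rather than rejected. The repository path here and in the References list (`actions-runner-controller/actions-runner-controller`) also differs from the `actions/actions-runner-controller` path used for the issue links earlier in the same file; they should point at one location.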
@@ -1,10 +1,10 @@ # Component: `eks/alb-controller-ingress-class` -This component deploys a Kubernetes `IngressClass` resource for the AWS Load Balancer Controller. -This is not often needed, as the default IngressClass deployed by the `eks/alb-controller` component -is sufficient for most use cases, and when it is not, a service can deploy its own IngressClass. -This is for the rare case where you want to deploy an additional IngressClass deploying an additional -ALB that you nevertheless want to be shared by some services, with none of them explicitly owning it. +This component deploys a Kubernetes `IngressClass` resource for the AWS Load Balancer Controller. This is not often +needed, as the default IngressClass deployed by the `eks/alb-controller` component is sufficient for most use cases, and +when it is not, a service can deploy its own IngressClass. This is for the rare case where you want to deploy an +additional IngressClass deploying an additional ALB that you nevertheless want to be shared by some services, with none +of them explicitly owning it. ## Usage @@ -21,6 +21,7 @@ components: scheme: internet-facing ``` + ## Requirements @@ -101,6 +102,7 @@ components: No outputs. + ## References diff --git a/modules/eks/alb-controller-ingress-group/README.md b/modules/eks/alb-controller-ingress-group/README.md index f9c20227e..80066889c 100644 --- a/modules/eks/alb-controller-ingress-group/README.md +++ b/modules/eks/alb-controller-ingress-group/README.md @@ -2,7 +2,8 @@ This component provisions a Kubernetes Service that creates an ALB for a specific [IngressGroup]. -An [IngressGroup] is a feature of the [alb-controller] which allows multiple Kubernetes Ingresses to share the same Application Load Balancer. +An [IngressGroup] is a feature of the [alb-controller] which allows multiple Kubernetes Ingresses to share the same +Application Load Balancer. ## Usage 
@@ -15,8 +16,8 @@ import: - catalog/eks/alb-controller-ingress-group ``` -The default catalog values `e.g. stacks/catalog/eks/alb-controller-ingress-group.yaml` -will create a Kubernetes Service in the `default` namespace with an [IngressGroup] named `alb-controller-ingress-group`. +The default catalog values `e.g. stacks/catalog/eks/alb-controller-ingress-group.yaml` will create a Kubernetes Service +in the `default` namespace with an [IngressGroup] named `alb-controller-ingress-group`. ```yaml components: @@ -33,6 +34,7 @@ components: name: alb-controller-ingress-group ``` + ## Requirements @@ -139,12 +141,15 @@ components: | [load\_balancer\_scheme](#output\_load\_balancer\_scheme) | The value of the `alb.ingress.kubernetes.io/scheme` annotation of the Kubernetes Ingress | | [message\_body\_length](#output\_message\_body\_length) | The length of the message body to ensure it's lower than the maximum limit | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/alb-controller-ingress-group) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/alb-controller-ingress-group) - + Cloud Posse's upstream component [](https://cpco.io/component) -[IngressGroup]: -[alb-controller]: +[ingressgroup]: + https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#ingressgroup +[alb-controller]: https://github.com/kubernetes-sigs/aws-load-balancer-controller diff --git a/modules/eks/alb-controller/README.md b/modules/eks/alb-controller/README.md index 3b6ca1e98..64d6f6c86 100644 --- a/modules/eks/alb-controller/README.md +++ b/modules/eks/alb-controller/README.md 
@@ -1,18 +1,19 @@ # Component: `eks/alb-controller` -This component creates a Helm release for [alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) on an EKS cluster. +This component creates a Helm release for +[alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) on an EKS cluster. -[alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) is a Kubernetes addon that, -in the context of AWS, provisions and manages ALBs and NLBs based on Service and Ingress annotations. -This module also can (and is recommended to) provision a default IngressClass. +[alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) is a Kubernetes addon that, in the +context of AWS, provisions and manages ALBs and NLBs based on Service and Ingress annotations. This module also can (and +is recommended to) provision a default IngressClass. ### Special note about upgrading -When upgrading the chart version, check to see if the IAM policy for the service account needs to be updated. -If it does, update the policy in the `distributed-iam-policy.tf` file. -Probably the easiest way to check if it needs updating is to simply download the policy from -https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json -and compare it to the policy in `distributed-iam-policy.tf`. +When upgrading the chart version, check to see if the IAM policy for the service account needs to be updated. If it +does, update the policy in the `distributed-iam-policy.tf` file. Probably the easiest way to check if it needs updating +is to simply download the policy from +https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json and +compare it to the policy in `distributed-iam-policy.tf`. ## Usage @@ -57,6 +58,7 @@ components: chart_values: {} ``` + ## Requirements 
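Review bot: the upgrade note tells the reader to diff `distributed-iam-policy.tf` against `iam_policy.json` on the `main` branch (`https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json`), but the policy on `main` tracks the next unreleased controller and can grant permissions the pinned chart never uses, or omit ones an older chart still needs. For a least-privilege service-account policy, say to fetch the file at the tag matching the chart version being deployed (replace `main` in the URL with that release tag) and compare against that.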
@@ -149,6 +151,7 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References diff --git a/modules/eks/argocd/README.md b/modules/eks/argocd/README.md index 1c0be446a..47bc24a74 100644 --- a/modules/eks/argocd/README.md +++ b/modules/eks/argocd/README.md @@ -4,7 +4,9 @@ This component is responsible for provisioning [Argo CD](https://argoproj.github Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. -> :warning::warning::warning: ArgoCD CRDs must be installed separately from this component/helm release. :warning::warning::warning: +> :warning::warning::warning: ArgoCD CRDs must be installed separately from this component/helm release. +> :warning::warning::warning: + ```shell kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=" @@ -16,11 +18,10 @@ kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref=v2.4.9" ### Preparing AppProject repos: -First, make sure you have a GitHub repo ready to go. We have a component for this -called the `argocd-repo` component. It will create a GitHub repo and adds -some secrets and code owners. Most importantly, it configures an `applicationset.yaml` -that includes all the details for helm to create ArgoCD CRDs. These CRDs -let ArgoCD know how to fulfill changes to its repo. +First, make sure you have a GitHub repo ready to go. We have a component for this called the `argocd-repo` component. It +will create a GitHub repo and adds some secrets and code owners. Most importantly, it configures an +`applicationset.yaml` that includes all the details for helm to create ArgoCD CRDs. These CRDs let ArgoCD know how to +fulfill changes to its repo. ```yaml components: 
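Review bot: the CRD install command `kubectl apply -k "https://github.com/argoproj/argo-cd/manifests/crds?ref="` is shown with an empty `ref`, and the filled-in example in the hunk context uses `ref=v2.4.9`; the ref must match the Argo CD version the Helm release deploys or the CRD schema and the controllers drift, so the text should say to take the value from the chart's app version rather than leaving `v2.4.9` to be copied. Grammar in the `argocd-repo` paragraph: "It will create a GitHub repo and adds some secrets and code owners" should be "It creates a GitHub repo and adds some secrets and code owners".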
@@ -34,9 +35,9 @@ components: github_user_email: infra@acme.com github_organization: ACME github_codeowner_teams: - - "@ACME/acme-admins" - - "@ACME/CloudPosse" - - "@ACME/developers" + - "@ACME/acme-admins" + - "@ACME/CloudPosse" + - "@ACME/developers" gitignore_entries: - "**/.DS_Store" - ".DS_Store" @@ -54,11 +55,10 @@ components: ``` ### Injecting infrastructure details into applications -Second, your application repos could use values to best configure their -helm releases. We have an `eks/platform` component for exposing various -infra outputs. It takes remote state lookups and stores them into SSM. -We demonstrate how to pull the platform SSM parameters later. Here's an -example `eks/platform` config: + +Second, your application repos could use values to best configure their helm releases. We have an `eks/platform` +component for exposing various infra outputs. It takes remote state lookups and stores them into SSM. We demonstrate how +to pull the platform SSM parameters later. Here's an example `eks/platform` config: ```yaml components: 
@@ -127,13 +127,13 @@ components: certificate_authority_enabled: false ``` -In the previous sample we create platform settings for a `dev` platform and a -`qa2` platform. Understand that these are arbitrary titles that are used to separate -the SSM parameters so that if, say, a particular hostname is needed, we can safely -select the right hostname using a moniker such as `qa2`. These otherwise are meaningless -and do not need to align with any particular stage or tenant. +In the previous sample we create platform settings for a `dev` platform and a `qa2` platform. Understand that these are +arbitrary titles that are used to separate the SSM parameters so that if, say, a particular hostname is needed, we can +safely select the right hostname using a moniker such as `qa2`. These otherwise are meaningless and do not need to align +with any particular stage or tenant. ### ArgoCD on SAML / AWS Identity Center (formerly aws-sso) + Here's an example snippet for how to use this component: ```yaml 
@@ -191,50 +191,48 @@ components: groupsAttr: groups ``` -Note, if you set up `sso-saml-provider`, you will need to restart DEX on your EKS cluster -manually: +Note, if you set up `sso-saml-provider`, you will need to restart DEX on your EKS cluster manually: + ```bash kubectl delete pod -n argocd ``` -The configuration above will work for AWS Identity Center if you have -the following attributes in a +The configuration above will work for AWS Identity Center if you have the following attributes in a [Custom SAML 2.0 application](https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html): | attribute name | value | type | -|:---------------|:----------------|:------------| +| :------------- | :-------------- | :---------- | | Subject | ${user:subject} | persistent | | email | ${user:email} | unspecified | | groups | ${user:groups} | unspecified | -You will also need to assign AWS Identity Center groups to your Custom SAML 2.0 -application. Make a note of each group and replace the IDs in the `argocd_rbac_groups` -var accordingly. +You will also need to assign AWS Identity Center groups to your Custom SAML 2.0 application. Make a note of each group +and replace the IDs in the `argocd_rbac_groups` var accordingly. ### Google Workspace OIDC To use Google OIDC: ```yaml - oidc_enabled: true - saml_enabled: false - oidc_providers: - google: - uses_dex: true - type: google - id: google - name: Google - serviceAccountAccess: - enabled: true - key: googleAuth.json - value: /sso/oidc/google/serviceaccount - admin_email: an_actual_user@acme.com - config: - # This filters emails when signing in with Google to only this domain. helpful for picking the right one. 
- hostedDomains: - - acme.com - clientID: /sso/saml/google/clientid - clientSecret: /sso/saml/google/clientsecret +oidc_enabled: true +saml_enabled: false +oidc_providers: + google: + uses_dex: true + type: google + id: google + name: Google + serviceAccountAccess: + enabled: true + key: googleAuth.json + value: /sso/oidc/google/serviceaccount + admin_email: an_actual_user@acme.com + config: + # This filters emails when signing in with Google to only this domain. helpful for picking the right one. + hostedDomains: + - acme.com + clientID: /sso/saml/google/clientid + clientSecret: /sso/saml/google/clientsecret ``` ### Working with ArgoCD and GitHub @@ -289,8 +287,8 @@ jobs: ``` In the above example, we make a few assumptions: -- You've already made the app in ArgoCD by creating a YAML file - in your non-prod ArgoCD repo at the path + +- You've already made the app in ArgoCD by creating a YAML file in your non-prod ArgoCD repo at the path `plat/use2-dev/apps/my-preview-acme-app/config.yaml` with contents: ```yaml 
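Review bot: the SSM paths in the Google OIDC example are inconsistent: `value: /sso/oidc/google/serviceaccount` uses an `oidc` prefix while `clientID: /sso/saml/google/clientid` and `clientSecret: /sso/saml/google/clientsecret` use `saml`, which looks like a copy-paste from the SAML section above and will send readers to the wrong parameters; use one prefix. The DEX restart instruction `kubectl delete pod -n argocd` has lost its pod selector; a `kubectl rollout restart deployment/argocd-dex-server -n argocd` (assuming the upstream deployment name) avoids needing the pod name at all. Prettier's removal of the leading indentation from the yaml block is harmless since the snippet is a fragment, not a full stack file.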
@@ -303,20 +301,19 @@ manifests: plat/use2-dev/apps/my-preview-acme-app/manifests ``` - you have set up `ecr` with permissions for github to push docker images to it -- you already have your `ApplicationSet` and `AppProject` crd's in - `plat/use2-dev/argocd/applicationset.yaml`, which should be generated by our `argocd-repo` - component. -- your app has a [helmfile template](https://helmfile.readthedocs.io/en/latest/#templating) - in `deploy/app/release.yaml` -- that helmfile template can accept both the `eks/platform` config which is pulled from - ssm at the path configured in `eks/platform/defaults` +- you already have your `ApplicationSet` and `AppProject` crd's in `plat/use2-dev/argocd/applicationset.yaml`, which + should be generated by our `argocd-repo` component. +- your app has a [helmfile template](https://helmfile.readthedocs.io/en/latest/#templating) in `deploy/app/release.yaml` +- that helmfile template can accept both the `eks/platform` config which is pulled from ssm at the path configured in + `eks/platform/defaults` - the helmfile template can update container resources using the output of `docker image inspect` ### Notifications Here's a configuration for letting argocd send notifications back to GitHub: -1. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) with scope `repo:status` +1. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) + with scope `repo:status` 2. Save the PAT to SSM `/argocd/notifications/notifiers/common/github-token` 3. Use this atmos stack configuration 
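Review bot: the PAT link in the Notifications step points at the GitHub Enterprise Server 3.6 documentation (`docs.github.com/en/enterprise-server@3.6/...`) although the component is configured against github.com; link the github.com version of the page. Also "your `ApplicationSet` and `AppProject` crd's" should read "CRDs", and the bullet list that prettier separated from "In the above example, we make a few assumptions:" with a blank line now reads correctly.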
@@ -334,7 +331,8 @@ components: Here's a configuration Github notify ArgoCD on commit: -1. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) with scope `admin:repo_hook` +1. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) + with scope `admin:repo_hook` 2. Save the PAT to SSM `/argocd/github/api_key` 3. Use this atmos stack configuration @@ -350,7 +348,9 @@ components: #### Creating Webhooks with `github-webhook` -If you are creating webhooks for ArgoCD deployment repos in multiple GitHub Organizations, you cannot use the same Terraform GitHub provider. Instead, we can use Atmos to deploy multiple component. To do this, disable the webhook creation in this component and deploy the webhook with the `github-webhook` component as such: +If you are creating webhooks for ArgoCD deployment repos in multiple GitHub Organizations, you cannot use the same +Terraform GitHub provider. Instead, we can use Atmos to deploy multiple component. To do this, disable the webhook +creation in this component and deploy the webhook with the `github-webhook` component as such: ```yaml components: 
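Review bot: "Here's a configuration Github notify ArgoCD on commit" is missing words ("Here's a configuration for having GitHub notify ArgoCD on commit"), and "deploy multiple component" in the `github-webhook` paragraph should be "multiple components". As in the previous step, the `admin:repo_hook` PAT link targets the enterprise-server@3.6 docs rather than github.com. Worth stating that `admin:repo_hook` is a broad scope (it can create and delete hooks on every repository the token owner can administer), so the token stored at `/argocd/github/api_key` should belong to a machine account limited to the deployment repos.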
@@ -396,37 +396,43 @@ components: ArgoCD supports Slack notifications on application deployments. -1. In order to enable Slack notifications, first create a Slack Application following the [ArgoCD documentation](https://argocd-notifications.readthedocs.io/en/stable/services/slack/). +1. In order to enable Slack notifications, first create a Slack Application following the + [ArgoCD documentation](https://argocd-notifications.readthedocs.io/en/stable/services/slack/). 1. Create an OAuth token for the new Slack App -1. Save the OAuth token to AWS SSM Parameter Store in the same account and region as Github tokens. For example, `core-use2-auto` +1. Save the OAuth token to AWS SSM Parameter Store in the same account and region as Github tokens. For example, + `core-use2-auto` 1. Add the app to the chosen Slack channel. _If not added, notifications will not work_ -1. For this component, enable Slack integrations for each Application with `var.slack_notifications_enabled` and `var.slack_notifications`: +1. For this component, enable Slack integrations for each Application with `var.slack_notifications_enabled` and + `var.slack_notifications`: ```yaml - slack_notifications_enabled: true - slack_notifications: - channel: argocd-updates +slack_notifications_enabled: true +slack_notifications: + channel: argocd-updates ``` -6. In the `argocd-repo` component, set `var.slack_notifications_channel` to the name of the Slack notification channel to add the relevant ApplicationSet annotations +6. In the `argocd-repo` component, set `var.slack_notifications_channel` to the name of the Slack notification channel + to add the relevant ApplicationSet annotations ## Troubleshooting ## Login to ArgoCD admin UI -For ArgoCD v1.9 and later, the initial admin password is available from a Kubernetes secret named `argocd-initial-admin-secret`. 
-To get the initial password, execute the following command: +For ArgoCD v1.9 and later, the initial admin password is available from a Kubernetes secret named +`argocd-initial-admin-secret`. To get the initial password, execute the following command: ```shell kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 --decode ``` -Then open the ArgoCD admin UI and use the username `admin` and the password obtained in the previous step to log in to the ArgoCD admin. +Then open the ArgoCD admin UI and use the username `admin` and the password obtained in the previous step to log in to +the ArgoCD admin. ## Error "server.secretkey is missing" -If you provision a new version of the `eks/argocd` component, and some Helm Chart values get updated, you might encounter the error -"server.secretkey is missing" in the ArgoCD admin UI. To fix the error, execute the following commands: +If you provision a new version of the `eks/argocd` component, and some Helm Chart values get updated, you might +encounter the error "server.secretkey is missing" in the ArgoCD admin UI. To fix the error, execute the following +commands: ```shell # Download `kubeconfig` and set EKS cluster @@ -438,8 +444,10 @@ kubectl rollout restart deploy/argocd-server -n argocd # Get the new admin password from the Kubernetes secret kubectl get secret -n argocd argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 --decode ``` + Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-secretkey-is-missing + ## Requirements @@ -592,6 +600,7 @@ Reference: https://stackoverflow.com/questions/75046330/argo-cd-error-server-sec |------|-------------| | [github\_webhook\_value](#output\_github\_webhook\_value) | The value of the GitHub webhook secret used for ArgoCD | + ## References diff --git a/modules/eks/aws-node-termination-handler/README.md b/modules/eks/aws-node-termination-handler/README.md index 59155bbf8..15a838604 100644 
--- a/modules/eks/aws-node-termination-handler/README.md +++ b/modules/eks/aws-node-termination-handler/README.md @@ -1,7 +1,11 @@ # Component: `aws-node-termination-handler` -This component creates a Helm release for [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) on a Kubernetes cluster. [aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) is a Kubernetes addon that (by default) monitors the EC2 IMDS endpoint for scheduled maintenance events, spot instance termination events, and rebalance recommendation events, and drains and/or cordons nodes upon such events. -This ensures that workloads on Kubernetes are evicted gracefully when a node needs to be terminated. +This component creates a Helm release for +[aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) on a Kubernetes cluster. +[aws-node-termination-handler](https://github.com/aws/aws-node-termination-handler) is a Kubernetes addon that (by +default) monitors the EC2 IMDS endpoint for scheduled maintenance events, spot instance termination events, and +rebalance recommendation events, and drains and/or cordons nodes upon such events. This ensures that workloads on +Kubernetes are evicted gracefully when a node needs to be terminated. ## Usage @@ -38,6 +42,7 @@ components: chart_values: {} ``` + ## Requirements @@ -126,6 +131,7 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References diff --git a/modules/eks/cert-manager/README.md b/modules/eks/cert-manager/README.md index 354008796..d7302cc6b 100644 --- a/modules/eks/cert-manager/README.md +++ b/modules/eks/cert-manager/README.md 
@@ -1,6 +1,8 @@ # Component: `eks/cert-manager` -This component creates a Helm release for [cert-manager](https://github.com/jetstack/cert-manager) on a Kubernetes cluster. [cert-manager](https://github.com/jetstack/cert-manager) is a Kubernetes addon that provisions X.509 certificates. +This component creates a Helm release for [cert-manager](https://github.com/jetstack/cert-manager) on a Kubernetes +cluster. [cert-manager](https://github.com/jetstack/cert-manager) is a Kubernetes addon that provisions X.509 +certificates. ## Usage 
@@ -17,38 +19,39 @@ import: The default catalog values `e.g. stacks/catalog/eks/cert-manager.yaml` ```yaml - enabled: true - name: cert-manager - kubernetes_namespace: cert-manager - # `helm_manifest_experiment_enabled` does not work with cert-manager or any Helm chart that uses CRDs - helm_manifest_experiment_enabled: false - # Use the cert-manager as a private CA (Certificate Authority) - # to issue certificates for use within the Kubernetes cluster. - # Something like this is required for the ALB Ingress Controller. - cert_manager_issuer_selfsigned_enabled: true - # Use Let's Encrypt to issue certificates for use outside the Kubernetes cluster, - # ones that will be trusted by browsers. - # These do not (yet) work with the ALB Ingress Controller, - # which require ACM certificates, so we have no use for them. - letsencrypt_enabled: true - # cert_manager_issuer_support_email_template is only used if letsencrypt_enabled is true. - # If it were true, we would want to set it at the organization level. - cert_manager_issuer_support_email_template: "aws+%s@acme.com" - cert_manager_repository: https://charts.jetstack.io - cert_manager_chart: cert-manager - cert_manager_chart_version: v1.5.4 - - # use a local chart to provision Certificate Issuers - cert_manager_issuer_chart: ./cert-manager-issuer/ - cert_manager_resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi +enabled: true +name: cert-manager +kubernetes_namespace: cert-manager +# `helm_manifest_experiment_enabled` does not work with cert-manager or any Helm chart that uses CRDs +helm_manifest_experiment_enabled: false +# Use the cert-manager as a private CA (Certificate Authority) +# to issue certificates for use within the Kubernetes cluster. +# Something like this is required for the ALB Ingress Controller. +cert_manager_issuer_selfsigned_enabled: true +# Use Let's Encrypt to issue certificates for use outside the Kubernetes cluster, +# ones that will be trusted by browsers. 
+# These do not (yet) work with the ALB Ingress Controller, +# which require ACM certificates, so we have no use for them. +letsencrypt_enabled: true +# cert_manager_issuer_support_email_template is only used if letsencrypt_enabled is true. +# If it were true, we would want to set it at the organization level. +cert_manager_issuer_support_email_template: "aws+%s@acme.com" +cert_manager_repository: https://charts.jetstack.io +cert_manager_chart: cert-manager +cert_manager_chart_version: v1.5.4 + +# use a local chart to provision Certificate Issuers +cert_manager_issuer_chart: ./cert-manager-issuer/ +cert_manager_resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi ``` + ## Requirements @@ -148,9 +151,10 @@ The default catalog values `e.g. stacks/catalog/eks/cert-manager.yaml` | [cert\_manager\_issuer\_metadata](#output\_cert\_manager\_issuer\_metadata) | Block status of the deployed release | | [cert\_manager\_metadata](#output\_cert\_manager\_metadata) | Block status of the deployed release | + ## References -* [cert-manager](https://github.com/jetstack/cert-manager) +- [cert-manager](https://github.com/jetstack/cert-manager) [](https://cpco.io/component) diff --git a/modules/eks/cluster/README.md b/modules/eks/cluster/README.md index a880aca45..d000e4bd5 100644 --- a/modules/eks/cluster/README.md +++ b/modules/eks/cluster/README.md 
@@ -1,14 +1,15 @@ # Component: `eks/cluster` -This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate profiles. +This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate +profiles. :::warning -This component should only be deployed after logging into AWS via Federated login with SAML (e.g. GSuite) or -assuming an IAM role (e.g. from a CI/CD system). It should not be deployed if you log into AWS via AWS SSO, the -reason being that on initial deployment, the EKS cluster will be owned by the assumed role that provisioned it, -and AWS SSO roles are ephemeral (replaced on every configuration change). If this were to be the AWS SSO Role, then -we risk losing access to the EKS cluster once the ARN of the AWS SSO Role eventually changes. +This component should only be deployed after logging into AWS via Federated login with SAML (e.g. GSuite) or assuming an +IAM role (e.g. from a CI/CD system). It should not be deployed if you log into AWS via AWS SSO, the reason being that on +initial deployment, the EKS cluster will be owned by the assumed role that provisioned it, and AWS SSO roles are +ephemeral (replaced on every configuration change). If this were to be the AWS SSO Role, then we risk losing access to +the EKS cluster once the ARN of the AWS SSO Role eventually changes. ::: 
@@ -20,13 +21,14 @@ Here's an example snippet for how to use this component. This example expects the [Cloud Posse Reference Architecture](https://docs.cloudposse.com/reference-architecture/) Identity and Network designs deployed for mapping users to EKS service roles and granting access in a private network. -In addition, this example has the GitHub OIDC integration added and makes use of Karpenter to dynamically scale cluster nodes. +In addition, this example has the GitHub OIDC integration added and makes use of Karpenter to dynamically scale cluster +nodes. For more on these requirements, see [Identity Reference Architecture](https://docs.cloudposse.com/reference-architecture/quickstart/iam-identity/), -[Network Reference Architecture](https://docs.cloudposse.com/reference-architecture/scaffolding/setup/network/), -the [GitHub OIDC component](https://docs.cloudposse.com/components/catalog/aws/github-oidc-provider/), -and the [Karpenter component](https://docs.cloudposse.com/components/catalog/aws/eks/karpenter/). +[Network Reference Architecture](https://docs.cloudposse.com/reference-architecture/scaffolding/setup/network/), the +[GitHub OIDC component](https://docs.cloudposse.com/components/catalog/aws/github-oidc-provider/), and the +[Karpenter component](https://docs.cloudposse.com/components/catalog/aws/eks/karpenter/). ```yaml components: @@ -67,7 +69,7 @@ components: # Allows GitHub OIDC role github_actions_iam_role_enabled: true - github_actions_iam_role_attributes: [ "eks" ] + github_actions_iam_role_attributes: ["eks"] github_actions_allowed_repos: - acme/infra @@ -114,8 +116,8 @@ components: aws_sso_permission_sets_rbac: - aws_sso_permission_set: PowerUserAccess groups: - - idp:poweruser - - system:authenticated + - idp:poweruser + - system:authenticated # Fargate Profiles for Karpenter fargate_profiles: 
@@ -139,18 +141,18 @@ components: addons: # https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html vpc-cni: - addon_version: v1.13.4-eksbuild.1 # set `addon_version` to `null` to use the latest version + addon_version: v1.13.4-eksbuild.1 # set `addon_version` to `null` to use the latest version # https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html kube-proxy: - addon_version: "v1.27.1-eksbuild.1" # set `addon_version` to `null` to use the latest version + addon_version: "v1.27.1-eksbuild.1" # set `addon_version` to `null` to use the latest version # https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html coredns: - addon_version: "v1.10.1-eksbuild.1" # set `addon_version` to `null` to use the latest version + addon_version: "v1.10.1-eksbuild.1" # set `addon_version` to `null` to use the latest version # https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons # https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html # https://github.com/kubernetes-sigs/aws-ebs-csi-driver aws-ebs-csi-driver: - addon_version: "v1.20.0-eksbuild.1" # set `addon_version` to `null` to use the latest version + addon_version: "v1.20.0-eksbuild.1" # set `addon_version` to `null` to use the latest version # If you are not using [volume snapshots](https://kubernetes.io/blog/2020/12/10/kubernetes-1.20-volume-snapshot-moves-to-ga/#how-to-use-volume-snapshots) # (and you probably are not), disable the EBS Snapshotter with: configuration_values: '{"sidecars":{"snapshotter":{"forceEnable":false}}}' 
@@ -166,10 +168,11 @@ components: ### Amazon EKS End-of-Life Dates -When picking a Kubernetes version, be sure to review the [end-of-life dates for Amazon EKS](https://endoflife.date/amazon-eks). Refer to the chart below: +When picking a Kubernetes version, be sure to review the +[end-of-life dates for Amazon EKS](https://endoflife.date/amazon-eks). Refer to the chart below: | cycle | release | latest | latest release | eol | -|:------|:----------:|:------------|:--------------:|:----------:| +| :---- | :--------: | :---------- | :------------: | :--------: | | 1.28 | 2023-09-26 | 1.28-eks-1 | 2023-09-26 | 2024-11-01 | | 1.27 | 2023-05-24 | 1.27-eks-5 | 2023-08-30 | 2024-07-01 | | 1.26 | 2023-04-11 | 1.26-eks-6 | 2023-08-30 | 2024-06-01 | 
@@ -182,21 +185,23 @@ When picking a Kubernetes version, be sure to review the [end-of-life dates for | 1.19 | 2021-02-16 | 1.19-eks-11 | 2022-08-15 | 2022-08-01 | | 1.18 | 2020-10-13 | 1.18-eks-13 | 2022-08-15 | 2022-08-15 | -*This Chart was updated as of 10/16/2023 and is generated with [the `eol` tool](https://github.com/hugovk/norwegianblue). Check the latest updates by running `eol amazon-eks` locally or [on the website directly](https://endoflife.date/amazon-eks). +\*This Chart was updated as of 10/16/2023 and is generated with +[the `eol` tool](https://github.com/hugovk/norwegianblue). Check the latest updates by running `eol amazon-eks` locally +or [on the website directly](https://endoflife.date/amazon-eks). -You can also view the release and support timeline for [the Kubernetes project itself](https://endoflife.date/kubernetes). +You can also view the release and support timeline for +[the Kubernetes project itself](https://endoflife.date/kubernetes). ### Usage with Node Groups -The `eks/cluster` component also supports managed Node Groups. In order to add a set of nodes to -provision with the cluster, provide values for `var.managed_node_groups_enabled` and `var.node_groups`. +The `eks/cluster` component also supports managed Node Groups. In order to add a set of nodes to provision with the +cluster, provide values for `var.managed_node_groups_enabled` and `var.node_groups`. :::info -You can use managed Node Groups in conjunction with Karpenter. We recommend provisioning a -managed node group with as many nodes as Availability Zones used by your cluster (typically 3), to ensure a -minimum support for a high-availability set of daemons, and then using Karpenter to provision additional nodes -as needed. +You can use managed Node Groups in conjunction with Karpenter. 
We recommend provisioning a managed node group with as +many nodes as Availability Zones used by your cluster (typically 3), to ensure a minimum support for a high-availability +set of daemons, and then using Karpenter to provision additional nodes as needed. ::: @@ -243,14 +248,15 @@ node_groups: # for most attributes, setting null here means use setting from nod ### Using Addons -EKS clusters support “Addons” that can be automatically installed on a cluster. -Install these addons with the [`var.addons` input](https://docs.cloudposse.com/components/library/aws/eks/cluster/#input_addons). +EKS clusters support “Addons” that can be automatically installed on a cluster. Install these addons with the +[`var.addons` input](https://docs.cloudposse.com/components/library/aws/eks/cluster/#input_addons). :::info -Run the following command to see all available addons, their type, and their publisher. -You can also see the URL for addons that are available through the AWS Marketplace. Replace 1.27 with the version of your cluster. -See [Creating an addon](https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html#creating-an-add-on) for more details. +Run the following command to see all available addons, their type, and their publisher. You can also see the URL for +addons that are available through the AWS Marketplace. Replace 1.27 with the version of your cluster. See +[Creating an addon](https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html#creating-an-add-on) for more +details. ::: @@ -262,8 +268,8 @@ aws eks describe-addon-versions --kubernetes-version $EKS_K8S_VERSION \ :::info -You can see which versions are available for each addon by executing the following commands. -Replace 1.27 with the version of your cluster. +You can see which versions are available for each addon by executing the following commands. Replace 1.27 with the +version of your cluster. ::: 
@@ -286,7 +292,8 @@ echo "aws-efs-csi-driver:" && aws eks describe-addon-versions --kubernetes-versi ``` Some add-ons accept additional configuration. For example, the `vpc-cni` addon accepts a `disableNetworking` parameter. -View the available configuration options (as JSON Schema) via the `aws eks describe-addon-configuration` command. For example: +View the available configuration options (as JSON Schema) via the `aws eks describe-addon-configuration` command. For +example: ```shell aws eks describe-addon-configuration \ @@ -313,13 +320,13 @@ addons: # https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-role # https://aws.github.io/aws-eks-best-practices/networking/vpc-cni/#deploy-vpc-cni-managed-add-on vpc-cni: - addon_version: "v1.12.2-eksbuild.1" # set `addon_version` to `null` to use the latest version + addon_version: "v1.12.2-eksbuild.1" # set `addon_version` to `null` to use the latest version # https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html kube-proxy: - addon_version: "v1.25.6-eksbuild.1" # set `addon_version` to `null` to use the latest version + addon_version: "v1.25.6-eksbuild.1" # set `addon_version` to `null` to use the latest version # https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html coredns: - addon_version: "v1.9.3-eksbuild.2" # set `addon_version` to `null` to use the latest version + addon_version: "v1.9.3-eksbuild.2" # set `addon_version` to `null` to use the latest version # Uncomment to override default replica count of 2 # configuration_values: '{"replicaCount": 3}' # https://docs.aws.amazon.com/eks/latest/userguide/csi-iam-role.html 
@@ -327,15 +334,15 @@ addons: # https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html#csi-iam-role # https://github.com/kubernetes-sigs/aws-ebs-csi-driver aws-ebs-csi-driver: - addon_version: "v1.19.0-eksbuild.2" # set `addon_version` to `null` to use the latest version + addon_version: "v1.19.0-eksbuild.2" # set `addon_version` to `null` to use the latest version # If you are not using [volume snapshots](https://kubernetes.io/blog/2020/12/10/kubernetes-1.20-volume-snapshot-moves-to-ga/#how-to-use-volume-snapshots) # (and you probably are not), disable the EBS Snapshotter with: configuration_values: '{"sidecars":{"snapshotter":{"forceEnable":false}}}' ``` -Some addons, such as CoreDNS, require at least one node to be fully provisioned first. -See [issue #170](https://github.com/cloudposse/terraform-aws-eks-cluster/issues/170) for more details. -Set `var.addons_depends_on` to `true` to require the Node Groups to be provisioned before addons. +Some addons, such as CoreDNS, require at least one node to be fully provisioned first. See +[issue #170](https://github.com/cloudposse/terraform-aws-eks-cluster/issues/170) for more details. Set +`var.addons_depends_on` to `true` to require the Node Groups to be provisioned before addons. ```yaml addons_depends_on: true 
@@ -346,15 +353,14 @@ addons: :::warning -Addons may not be suitable for all use-cases! For example, if you are using Karpenter to provision nodes, -these nodes will never be available before the cluster component is deployed. +Addons may not be suitable for all use-cases! For example, if you are using Karpenter to provision nodes, these nodes +will never be available before the cluster component is deployed. ::: For more information on upgrading EKS Addons, see ["How to Upgrade EKS Cluster Addons"](https://docs.cloudposse.com/reference-architecture/how-to-guides/upgrades/how-to-upgrade-eks-cluster-addons/) - ### Adding and Configuring a new EKS Addon Add a new EKS addon to the `addons` map (`addons` variable): @@ -369,8 +375,8 @@ If the new addon requires an EKS IAM Role for Kubernetes Service Account, perfor - Add a file `addons-custom.tf` to the `eks/cluster` folder -- In the file, add an IAM policy document with the permissions required for the addon, - and use the `eks-iam-role` module to provision an IAM Role for Kubernetes Service Account for the addon: +- In the file, add an IAM policy document with the permissions required for the addon, and use the `eks-iam-role` module + to provision an IAM Role for Kubernetes Service Account for the addon: ```hcl data "aws_iam_policy_document" "my_addon" { @@ -405,7 +411,8 @@ If the new addon requires an EKS IAM Role for Kubernetes Service Account, perfor - Add a file `additional-addon-support_override.tf` to the `eks/cluster` folder -- In the file, add the IAM Role for Kubernetes Service Account for the addon to the `overridable_additional_addon_service_account_role_arn_map` map: +- In the file, add the IAM Role for Kubernetes Service Account for the addon to the + `overridable_additional_addon_service_account_role_arn_map` map: ```hcl locals { 
@@ -415,13 +422,14 @@ If the new addon requires an EKS IAM Role for Kubernetes Service Account, perfor } ``` -- This map will override the default map in the [additional-addon-support.tf](additional-addon-support.tf) file, - and will be merged into the final map together with the default EKS addons `vpc-cni` and `aws-ebs-csi-driver` - (which this component configures and creates IAM Roles for Kubernetes Service Accounts) +- This map will override the default map in the [additional-addon-support.tf](additional-addon-support.tf) file, and + will be merged into the final map together with the default EKS addons `vpc-cni` and `aws-ebs-csi-driver` (which this + component configures and creates IAM Roles for Kubernetes Service Accounts) -- Follow the instructions in the [additional-addon-support.tf](additional-addon-support.tf) file - if the addon may need to be deployed to Fargate, or has dependencies that Terraform cannot detect automatically. +- Follow the instructions in the [additional-addon-support.tf](additional-addon-support.tf) file if the addon may need + to be deployed to Fargate, or has dependencies that Terraform cannot detect automatically. + ## Requirements @@ -580,6 +588,7 @@ If the new addon requires an EKS IAM Role for Kubernetes Service Account, perfor | [karpenter\_iam\_role\_name](#output\_karpenter\_iam\_role\_name) | Karpenter IAM Role name | | [vpc\_cidr](#output\_vpc\_cidr) | The CIDR of the VPC where this cluster is deployed. | + ## Related How-to Guides @@ -593,6 +602,7 @@ If the new addon requires an EKS IAM Role for Kubernetes Service Account, perfor ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/eks/datadog-agent/README.md b/modules/eks/datadog-agent/README.md index 136f8848d..d212a078c 100644 --- a/modules/eks/datadog-agent/README.md +++ b/modules/eks/datadog-agent/README.md @@ -52,7 +52,6 @@ components: env: - name: DD_EC2_PREFER_IMDSV2 # this merges ec2 instances and the node in the hostmap section value: "true" - ``` Deploy this to a particular environment such as dev, prod, etc. 
@@ -78,30 +77,39 @@ components: ## Cluster Checks -Cluster Checks are configurations that allow us to setup external URLs to be monitored. They can be configured through the datadog agent or annotations on kubernetes services. +Cluster Checks are configurations that allow us to setup external URLs to be monitored. They can be configured through +the datadog agent or annotations on kubernetes services. -Cluster Checks are similar to synthetics checks, they are not as indepth, but significantly cheaper. Use Cluster Checks when you need a simple health check beyond the kubernetes pod health check. +Cluster Checks are similar to synthetics checks, they are not as indepth, but significantly cheaper. Use Cluster Checks +when you need a simple health check beyond the kubernetes pod health check. -Public addresses that test endpoints must use the agent configuration, whereas service addresses internal to the cluster can be tested by annotations. +Public addresses that test endpoints must use the agent configuration, whereas service addresses internal to the cluster +can be tested by annotations. ### Adding Cluster Checks Cluster Checks can be enabled or disabled via the `cluster_checks_enabled` variable. We recommend this be set to true. -New Cluster Checks can be added to defaults to be applied in every account. Alternatively they can be placed in an individual stage folder which will be applied to individual stages. This is controlled by the `datadog_cluster_check_config_parameters` variable, which determines the paths of yaml files to look for cluster checks per stage. +New Cluster Checks can be added to defaults to be applied in every account. Alternatively they can be placed in an +individual stage folder which will be applied to individual stages. This is controlled by the +`datadog_cluster_check_config_parameters` variable, which determines the paths of yaml files to look for cluster checks +per stage. 
-Once they are added, and properly configured, the new checks show up in the network monitor creation under `ssl` and `Http` +Once they are added, and properly configured, the new checks show up in the network monitor creation under `ssl` and +`Http` -**Please note:** the yaml file name doesn't matter, but the root key inside which is `something.yaml` does matter. this is following [datadogs docs](https://docs.datadoghq.com/agent/cluster_agent/clusterchecks/?tab=helm#configuration-from-static-configuration-files) for `.yaml`. +**Please note:** the yaml file name doesn't matter, but the root key inside which is `something.yaml` does matter. this +is following +[datadogs docs](https://docs.datadoghq.com/agent/cluster_agent/clusterchecks/?tab=helm#configuration-from-static-configuration-files) +for `.yaml`. #### Sample Yaml -:::caution -The key of a filename must match datadog docs, which is `.yaml` +:::caution The key of a filename must match datadog docs, which is `.yaml` [Datadog Cluster Checks](https://docs.datadoghq.com/agent/cluster_agent/clusterchecks/?tab=helm#configuration-from-static-configuration-files) -::: -Cluster Checks **can** be used for external URL testing (loadbalancer endpoints), whereas annotations **must** be used for kubernetes services. +::: Cluster Checks **can** be used for external URL testing (loadbalancer endpoints), whereas annotations **must** be +used for kubernetes services. ``` http_check.yaml: @@ -119,7 +127,8 @@ http_check.yaml: ### Monitoring Cluster Checks -Using Cloudposse's `datadog-monitor` component. The following yaml snippet will monitor all HTTP Cluster Checks, this can be added to each stage (usually via a defaults folder). +Using Cloudposse's `datadog-monitor` component. The following yaml snippet will monitor all HTTP Cluster Checks, this +can be added to each stage (usually via a defaults folder). ```yaml https-checks: 
@@ -146,7 +155,7 @@ https-checks: new_host_delay: 0 new_group_delay: 0 no_data_timeframe: 2 - threshold_windows: { } + threshold_windows: {} thresholds: critical: 1 warning: 1 @@ -155,12 +164,13 @@ https-checks: ## References -* https://github.com/DataDog/helm-charts/tree/main/charts/datadog -* https://github.com/DataDog/helm-charts/blob/main/charts/datadog/values.yaml -* https://github.com/DataDog/helm-charts/blob/main/examples/datadog/agent_basic_values.yaml -* https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release -* https://docs.datadoghq.com/agent/cluster_agent/clusterchecks/?tab=helm +- https://github.com/DataDog/helm-charts/tree/main/charts/datadog +- https://github.com/DataDog/helm-charts/blob/main/charts/datadog/values.yaml +- https://github.com/DataDog/helm-charts/blob/main/examples/datadog/agent_basic_values.yaml +- https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release +- https://docs.datadoghq.com/agent/cluster_agent/clusterchecks/?tab=helm + ## Requirements @@ -256,7 +266,10 @@ https-checks: | [cluster\_checks](#output\_cluster\_checks) | Cluster Checks for the cluster | | [metadata](#output\_metadata) | Block status of the deployed release | + ## References -* Datadog's [Kubernetes Agent documentation](https://docs.datadoghq.com/containers/kubernetes/) -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-agent) - Cloud Posse's upstream component + +- Datadog's [Kubernetes Agent documentation](https://docs.datadoghq.com/containers/kubernetes/) +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/datadog-agent) - + Cloud Posse's upstream component diff --git a/modules/eks/echo-server/README.md b/modules/eks/echo-server/README.md index 6e065874d..7add6693e 100644 --- a/modules/eks/echo-server/README.md +++ b/modules/eks/echo-server/README.md 
@@ -1,38 +1,42 @@ # Component: `eks/echo-server` -This is copied from [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/echo-server). +This is copied from +[cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/echo-server). -This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. -The echo server is a server that sends it back to the client a JSON representation of all the data -the server received, which is a combination of information sent by the client and information sent -by the web server infrastructure. For further details, please consult the [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). +This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. The echo server +is a server that sends it back to the client a JSON representation of all the data the server received, which is a +combination of information sent by the client and information sent by the web server infrastructure. For further +details, please consult the [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). ## Prerequisites -Echo server is intended to provide end-to-end testing of everything needed -to deploy an application or service with a public HTTPS endpoint. It uses -defaults where possible, such as using the default IngressClass, in order -to verify that the defaults are sufficient for a typical application. +Echo server is intended to provide end-to-end testing of everything needed to deploy an application or service with a +public HTTPS endpoint. It uses defaults where possible, such as using the default IngressClass, in order to verify that +the defaults are sufficient for a typical application. 
-In order to minimize the impact of the echo server on the rest of the cluster, -it does not set any configuration that would affect other ingresses, such -as WAF rules, logging, or redirecting HTTP to HTTPS. Those settings should -be configured in the IngressClass where possible. +In order to minimize the impact of the echo server on the rest of the cluster, it does not set any configuration that +would affect other ingresses, such as WAF rules, logging, or redirecting HTTP to HTTPS. Those settings should be +configured in the IngressClass where possible. Therefore, it requires several other components. At the moment, it supports 2 configurations: 1. ALB with ACM Certificate - - AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled - - A default IngressClass, which can be provisioned by the `alb-controller` component as part of deploying - the controller, or can be provisioned separately, for example by the `alb-controller-ingress-class` component. - - Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all hosts in the domain) + +- AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled +- A default IngressClass, which can be provisioned by the `alb-controller` component as part of deploying the + controller, or can be provisioned separately, for example by the `alb-controller-ingress-class` component. +- Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all + hosts in the domain) + 2. Nginx with Cert Manager Certificate - - Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` - should work with any version that supports Ingress API version `networking.k8s.io/v1`. 
- - `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates via a Cluster Issuer - (by default, named `letsEncrypt-prod`). + +- Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` + should work with any version that supports Ingress API version `networking.k8s.io/v1`. +- `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates + via a Cluster Issuer (by default, named `letsEncrypt-prod`). In both configurations, it has these common requirements: + - EKS component deployed, with component name specified in `eks_component_name` (defaults to "eks/cluster") - Kubernetes version 1.19 or later - Ingress API version `networking.k8s.io/v1` @@ -42,10 +46,9 @@ In both configurations, it has these common requirements: ## Warnings A Terraform plan may fail to apply, giving a Kubernetes authentication failure. This is due to a known issue with -Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes -authentication token and caches it, and then tries to use it during "apply". If the token has expired by -the time you try to run "apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without -a "plan" file. +Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes authentication +token and caches it, and then tries to use it during "apply". If the token has expired by the time you try to run +"apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without a "plan" file. ## Usage 
@@ -57,6 +60,7 @@ Set `ingress_type` to "alb" if using `alb-controller` or "nginx" if using `ingre Normally, you should not set the IngressClass or IngressGroup, as this component is intended to test the defaults. However, if you need to, set them in `chart_values`: + ```yaml chart_values: ingress: @@ -66,13 +70,11 @@ chart_values: group_name: "other-ingress-group" ``` -Note that if you follow recommendations and do not set the ingress class name, -the deployed Ingress will have the ingressClassName setting injected by the -Ingress controller, set to the then-current default. This means that if later -you change the default IngressClass, the Ingress will be NOT be updated to use -the new default. Furthermore, because of limitations in the Helm provider, this -will not be detected as drift. You will need to destroy and re-deploy the -echo server to update the Ingress to the new default. +Note that if you follow recommendations and do not set the ingress class name, the deployed Ingress will have the +ingressClassName setting injected by the Ingress controller, set to the then-current default. This means that if later +you change the default IngressClass, the Ingress will be NOT be updated to use the new default. Furthermore, because of +limitations in the Helm provider, this will not be detected as drift. You will need to destroy and re-deploy the echo +server to update the Ingress to the new default. ```yaml components: 
@@ -97,10 +99,10 @@ components: hostname_template: "echo.%[3]v.%[2]v.%[1]v.sample-domain.net" ``` -In rare cases where some ingress controllers do not support the `ingressClassName` field, -you can restore the old `kubernetes.io/ingress.class` annotation by setting -`ingress.use_ingress_class_annotation: true` in `chart_values`. +In rare cases where some ingress controllers do not support the `ingressClassName` field, you can restore the old +`kubernetes.io/ingress.class` annotation by setting `ingress.use_ingress_class_annotation: true` in `chart_values`. + ## Requirements @@ -188,6 +190,8 @@ you can restore the old `kubernetes.io/ingress.class` annotation by setting | [hostname](#output\_hostname) | Hostname of the deployed echo server | | [metadata](#output\_metadata) | Block status of the deployed release | + ## References -* https://github.com/Ealenn/Echo-Server + +- https://github.com/Ealenn/Echo-Server diff --git a/modules/eks/external-dns/README.md b/modules/eks/external-dns/README.md index ff4ef476e..d4b630c06 100644 --- a/modules/eks/external-dns/README.md +++ b/modules/eks/external-dns/README.md @@ -1,6 +1,8 @@ # Component: `eks/external-dns` -This component creates a Helm deployment for [external-dns](https://github.com/bitnami/bitnami-docker-external-dns) on a Kubernetes cluster. [external-dns](https://github.com/bitnami/bitnami-docker-external-dns) is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable. +This component creates a Helm deployment for [external-dns](https://github.com/bitnami/bitnami-docker-external-dns) on a +Kubernetes cluster. [external-dns](https://github.com/bitnami/bitnami-docker-external-dns) is a Kubernetes addon that +configures public DNS servers with information about exposed Kubernetes services to make them discoverable. ## Usage @@ -45,6 +47,7 @@ components: chart_values: {} ``` + ## Requirements 
@@ -142,6 +145,7 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References diff --git a/modules/eks/external-secrets-operator/README.md b/modules/eks/external-secrets-operator/README.md index d7381ec7c..e2a0d2332 100644 --- a/modules/eks/external-secrets-operator/README.md +++ b/modules/eks/external-secrets-operator/README.md @@ -1,8 +1,11 @@ # Component: `external-secrets-operator` -This component (ESO) is used to create an external `SecretStore` configured to synchronize secrets from AWS SSM Parameter store as Kubernetes Secrets within the cluster. Per the operator pattern, the `external-secret-operator` pods will watch for any `ExternalSecret` resources which reference the `SecretStore` to pull secrets from. +This component (ESO) is used to create an external `SecretStore` configured to synchronize secrets from AWS SSM +Parameter store as Kubernetes Secrets within the cluster. Per the operator pattern, the `external-secret-operator` pods +will watch for any `ExternalSecret` resources which reference the `SecretStore` to pull secrets from. -In practice, this means apps will define an `ExternalSecret` that pulls all env into a single secret as part of a helm chart; e.g.: +In practice, this means apps will define an `ExternalSecret` that pulls all env into a single secret as part of a helm +chart; e.g.: ``` # Part of the charts in `/releases 
@@ -29,15 +32,15 @@ spec: target: "$1" ``` -This component assumes secrets are prefixed by "service" in parameter store (e.g. `/app/my_secret`). The `SecretStore`. The component is designed to pull secrets from a `path` prefix (defaulting to `"app"`). This should work nicely along `chamber` which uses this same path (called a "service" in Chamber). For example, developers should store keys like so. - +This component assumes secrets are prefixed by "service" in parameter store (e.g. `/app/my_secret`). The `SecretStore`. +The component is designed to pull secrets from a `path` prefix (defaulting to `"app"`). This should work nicely along +`chamber` which uses this same path (called a "service" in Chamber). For example, developers should store keys like so. ```bash assume-role acme-platform-gbl-sandbox-admin chamber write app MY_KEY my-value ``` - See `docs/recipies.md` for more information on managing secrets. ## Usage @@ -88,6 +91,7 @@ components: chart_values: {} ``` + ## Requirements @@ -181,8 +185,10 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References -* [Secrets Management Strategy](https://docs.cloudposse.com/reference-architecture/design-decisions/cold-start/decide-on-secrets-management-strategy-for-terraform/) -* https://external-secrets.io/v0.5.9/ -* https://external-secrets.io/v0.5.9/provider-aws-parameter-store/ + +- [Secrets Management Strategy](https://docs.cloudposse.com/reference-architecture/design-decisions/cold-start/decide-on-secrets-management-strategy-for-terraform/) +- https://external-secrets.io/v0.5.9/ +- https://external-secrets.io/v0.5.9/provider-aws-parameter-store/ diff --git a/modules/eks/github-actions-runner/README.md b/modules/eks/github-actions-runner/README.md index 36bf50d53..d6fde7712 100644 --- a/modules/eks/github-actions-runner/README.md +++ b/modules/eks/github-actions-runner/README.md 
@@ -1,97 +1,92 @@ # Component: `github-actions-runner` -This component deploys self-hosted GitHub Actions Runners and a [Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller#introduction) -on an EKS cluster, using "[runner scale sets](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)". +This component deploys self-hosted GitHub Actions Runners and a +[Controller](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/quickstart-for-actions-runner-controller#introduction) +on an EKS cluster, using +"[runner scale sets](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#runner-scale-set)". -This solution is supported by GitHub and supersedes the [actions-runner-controller](https://github.com/actions/actions-runner-controller/blob/master/docs/about-arc.md) developed -by Summerwind and deployed by Cloud Posse's [actions-runner-controller](https://docs.cloudposse.com/components/library/aws/eks/actions-runner-controller/) component. +This solution is supported by GitHub and supersedes the +[actions-runner-controller](https://github.com/actions/actions-runner-controller/blob/master/docs/about-arc.md) +developed by Summerwind and deployed by Cloud Posse's +[actions-runner-controller](https://docs.cloudposse.com/components/library/aws/eks/actions-runner-controller/) +component. 
### Current limitations -The runner image used by Runner Sets contains [no more packages than are necessary](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image) -to run the runner. This is in contrast to the Summerwind implementation, which -contains some commonly needed packages like `build-essential`, `curl`, `wget`, -`git`, and `jq`, and the GitHub hosted images which contain a robust set of tools. -(This is a limitation of the official Runner Sets implementation, not this -component per se.) You will need to -install any tools you need in your workflows, either as part of your workflow -(recommended), by maintaining a [custom runner image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image), or by running -such steps in a [separate container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) -that has the tools pre-installed. Many tools have publicly available actions -to install them, such as `actions/setup-node` to install NodeJS or `dcarbone/install-jq-action` -to install `jq`. You can also install packages using `awalsh128/cache-apt-pkgs-action`, -which has the advantage of being able to skip the installation if the package -is already installed, so you can more efficiently run the same workflow on -GitHub hosted as well as self-hosted runners. - -:::info -There are (as of this writing) open feature requests to add some -commonly needed packages to the official Runner Sets runner image. You can -upvote these -requests [here](https://github.com/actions/actions-runner-controller/discussions/3168) -and [here](https://github.com/orgs/community/discussions/80868) to help get them -implemented. 
+The runner image used by Runner Sets contains +[no more packages than are necessary](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image) +to run the runner. This is in contrast to the Summerwind implementation, which contains some commonly needed packages +like `build-essential`, `curl`, `wget`, `git`, and `jq`, and the GitHub hosted images which contain a robust set of +tools. (This is a limitation of the official Runner Sets implementation, not this component per se.) You will need to +install any tools you need in your workflows, either as part of your workflow (recommended), by maintaining a +[custom runner image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image), +or by running such steps in a +[separate container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) that has the tools +pre-installed. Many tools have publicly available actions to install them, such as `actions/setup-node` to install +NodeJS or `dcarbone/install-jq-action` to install `jq`. You can also install packages using +`awalsh128/cache-apt-pkgs-action`, which has the advantage of being able to skip the installation if the package is +already installed, so you can more efficiently run the same workflow on GitHub hosted as well as self-hosted runners. + +:::info There are (as of this writing) open feature requests to add some commonly needed packages to the official Runner +Sets runner image. You can upvote these requests +[here](https://github.com/actions/actions-runner-controller/discussions/3168) and +[here](https://github.com/orgs/community/discussions/80868) to help get them implemented. ::: -In the current version of this component, only "dind" (Docker in Docker) mode has been tested. 
-Support for "kubernetes" mode is provided, but has not been validated. +In the current version of this component, only "dind" (Docker in Docker) mode has been tested. Support for "kubernetes" +mode is provided, but has not been validated. -Many elements in the Controller chart are not directly configurable by named inputs. -To configure them, you can use the `controller.chart_values` input or create a -`resources/values-controller.yaml` file in the component to supply values. +Many elements in the Controller chart are not directly configurable by named inputs. To configure them, you can use the +`controller.chart_values` input or create a `resources/values-controller.yaml` file in the component to supply values. + +Almost all the features of the Runner Scale Set chart are configurable by named inputs. The exceptions are: -Almost all the features of the Runner Scale Set chart are configurable by named inputs. -The exceptions are: - There is no specific input for specifying an outbound HTTP proxy. -- There is no specific input for supplying a [custom certificate authority (CA) certificate](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#custom-tls-certificates) +- There is no specific input for supplying a + [custom certificate authority (CA) certificate](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#custom-tls-certificates) to use when connecting to GitHub Enterprise Server. 
-You can specify these values by creating a `resources/values-runner.yaml` file -in the component and setting values as shown by the default Helm [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml), +You can specify these values by creating a `resources/values-runner.yaml` file in the component and setting values as +shown by the default Helm +[values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml), and they will be applied to all runners. Currently, this component has some additional limitations. In particular: -- The controller and all runners and listeners share the Image Pull Secrets. -You cannot use different ones for different runners. -- All the runners use the same GitHub secret (app or PAT). Using a GitHub app - is preferred anyway, and the single GitHub app serves the entire organization. + +- The controller and all runners and listeners share the Image Pull Secrets. You cannot use different ones for different + runners. +- All the runners use the same GitHub secret (app or PAT). Using a GitHub app is preferred anyway, and the single GitHub + app serves the entire organization. - Only one controller is supported per cluster, though it can have multiple replicas. -These limitations could be addressed if there is demand. Contact [Cloud Posse Professional Services](https://cloudposse.com/professional-services/) -if you would be interested in sponsoring the development of any of these features. +These limitations could be addressed if there is demand. Contact +[Cloud Posse Professional Services](https://cloudposse.com/professional-services/) if you would be interested in +sponsoring the development of any of these features. ### Ephemeral work storage -The runners are configured to use ephemeral storage for workspaces, but the -details and defaults can be a bit confusing. 
- -When running in "dind" ("Docker in Docker") mode, the default is to use `emptyDir`, which -means space on the `kubelet` base directory, which is usually the root disk. You -can manage the amount of storage allowed to be used with `ephemeral_storage` requests and limits, -or you can just let it use whatever free space there is on the root disk. +The runners are configured to use ephemeral storage for workspaces, but the details and defaults can be a bit confusing. -When running in `kubernetes` mode, the only supported local disk storage is an -ephemeral `PersistentVolumeClaim`, which causes a separate disk to be allocated -for the runner pod. This disk is ephemeral, and will be deleted when the runner -pod is deleted. When combined with the recommended ephemeral runner -configuration, this means that a new disk will be created for each job, and -deleted when the job is complete. That is a lot of overhead and will slow things -down somewhat. +When running in "dind" ("Docker in Docker") mode, the default is to use `emptyDir`, which means space on the `kubelet` +base directory, which is usually the root disk. You can manage the amount of storage allowed to be used with +`ephemeral_storage` requests and limits, or you can just let it use whatever free space there is on the root disk. +When running in `kubernetes` mode, the only supported local disk storage is an ephemeral `PersistentVolumeClaim`, which +causes a separate disk to be allocated for the runner pod. This disk is ephemeral, and will be deleted when the runner +pod is deleted. When combined with the recommended ephemeral runner configuration, this means that a new disk will be +created for each job, and deleted when the job is complete. That is a lot of overhead and will slow things down +somewhat. 
-The size of the attached PersistentVolume is controlled -by `ephemeral_pvc_storage` (a Kubernetes size string like "1G") and the kind of -storage is controlled by `ephemeral_pvc_storage_class` -(which can be omitted to use the cluster default storage class). +The size of the attached PersistentVolume is controlled by `ephemeral_pvc_storage` (a Kubernetes size string like "1G") +and the kind of storage is controlled by `ephemeral_pvc_storage_class` (which can be omitted to use the cluster default +storage class). -This mode is also optionally available when using `dind`. To enable it, set -`ephemeral_pvc_storage` to the desired size. Leave `ephemeral_pvc_storage` at -the default value of `null` to use `emptyDir` storage (recommended). +This mode is also optionally available when using `dind`. To enable it, set `ephemeral_pvc_storage` to the desired size. +Leave `ephemeral_pvc_storage` at the default value of `null` to use `emptyDir` storage (recommended). -Beware that using a PVC may significantly increase the startup of the runner. -If you are using a PVC, you may want to keep idle runners available so that -jobs can be started without waiting for a new runner to start. +Beware that using a PVC may significantly increase the startup of the runner. If you are using a PVC, you may want to +keep idle runners available so that jobs can be started without waiting for a new runner to start. ## Usage 
@@ -183,61 +178,51 @@ components: cpu: 4000m memory: 7680Mi ephemeral-storage: 40G - ``` ### Authentication and Secrets -The GitHub Action Runners need to authenticate to GitHub in order to do such -things as register runners and pickup jobs. You can authenticate using either -a [GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) -or a [Personal Access Token (classic)](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-personal-access-token-classic). -The preferred way to authenticate is by _creating_ and _installing_ a GitHub -App. This is the recommended approach as it allows for much more restricted -access than using a Personal Access Token (classic), and the Action Runners do -not currently support using a fine-grained Personal Access Token. - +The GitHub Action Runners need to authenticate to GitHub in order to do such things as register runners and pickup jobs. +You can authenticate using either a +[GitHub App](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) +or a +[Personal Access Token (classic)](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-personal-access-token-classic). +The preferred way to authenticate is by _creating_ and _installing_ a GitHub App. This is the recommended approach as it +allows for much more restricted access than using a Personal Access Token (classic), and the Action Runners do not +currently support using a fine-grained Personal Access Token. 
#### Site note about SSM and Regions -This component supports using AWS SSM to store and retrieve secrets. SSM -parameters are regional, so if you want to deploy to multiple regions -you have 2 choices: - -1. Create the secrets in each region. This is the most robust approach, but - requires you to create the secrets in each region and keep them in sync. -2. Create the secrets in one region and use the `ssm_region` input to specify - the region where they are stored. This is the easiest approach, but does add - some obstacles to managing deployments during a region outage. If the region - where the secrets are stored goes down, there will be no impact on runners in - other regions, but you will not be able to deploy new runners or modify - existing runners until the SSM region is restored or until you set up SSM - parameters in a new region. - -Alternatively, you can create Kubernetes secrets outside of this component -(perhaps using [SOPS](https://github.com/getsops/sops)) and reference them by -name. We describe here how to save the secrets to SSM, but you can save the -secrets wherever and however you want to, as long as you deploy them as -Kubernetes secret the runners can reference. If you store them in SSM, this -component will take care of the rest, but the standard Terraform caveat applies: -any secrets referenced by Terraform will be stored unencrypted in the Terraform -state file. +This component supports using AWS SSM to store and retrieve secrets. SSM parameters are regional, so if you want to +deploy to multiple regions you have 2 choices: + +1. Create the secrets in each region. This is the most robust approach, but requires you to create the secrets in each + region and keep them in sync. +2. Create the secrets in one region and use the `ssm_region` input to specify the region where they are stored. This is + the easiest approach, but does add some obstacles to managing deployments during a region outage. 
If the region where + the secrets are stored goes down, there will be no impact on runners in other regions, but you will not be able to + deploy new runners or modify existing runners until the SSM region is restored or until you set up SSM parameters in + a new region. + +Alternatively, you can create Kubernetes secrets outside of this component (perhaps using +[SOPS](https://github.com/getsops/sops)) and reference them by name. We describe here how to save the secrets to SSM, +but you can save the secrets wherever and however you want to, as long as you deploy them as Kubernetes secret the +runners can reference. If you store them in SSM, this component will take care of the rest, but the standard Terraform +caveat applies: any secrets referenced by Terraform will be stored unencrypted in the Terraform state file. #### Creating and Using a GitHub App -Follow the instructions [here](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) to create and install a GitHub App -for the runners to use for authentication. +Follow the instructions +[here](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-github-app) +to create and install a GitHub App for the runners to use for authentication. -At the App creation stage, you will be asked to generate a private key. This is -the private key that will be used to authenticate the Action Runner. Download -the file and store the contents in SSM using the following command, adjusting -the profile, region, and file name. The profile should be the `terraform` role in the -account to which you are deploying the runner controller. The region should be -the region where you are deploying the primary runner controller. 
If you are -deploying runners to multiple regions, they can all reference the same SSM -parameter by using the `ssm_region` input to specify the region where they are -stored. The file name (argument to `cat`) should be the name of the private key -file you downloaded. +At the App creation stage, you will be asked to generate a private key. This is the private key that will be used to +authenticate the Action Runner. Download the file and store the contents in SSM using the following command, adjusting +the profile, region, and file name. The profile should be the `terraform` role in the account to which you are deploying +the runner controller. The region should be the region where you are deploying the primary runner controller. If you are +deploying runners to multiple regions, they can all reference the same SSM parameter by using the `ssm_region` input to +specify the region where they are stored. The file name (argument to `cat`) should be the name of the private key file +you downloaded. ``` # Adjust profile name and region to suit your environment, use file name you chose for key 
@@ -250,17 +235,17 @@ You can verify the file was correctly written to SSM by matching the private key AWS_PROFILE=acme-core-gbl-auto-terraform AWS_REGION=us-west-2 chamber read -q github-action-runners github-auth-secret | openssl rsa -in - -pubout -outform DER | openssl sha256 -binary | openssl base64 ``` -At this stage, record the Application ID and the private key fingerprint in your secrets manager (e.g. 1Password). -You may want to record the private key as well, or you may consider it sufficient to have it in SSM. -You will need the Application ID to configure the runner controller, and want the fingerprint to verify the private key. -(You can see the fingerprint in the GitHub App settings, under "Private keys".) +At this stage, record the Application ID and the private key fingerprint in your secrets manager (e.g. 1Password). You +may want to record the private key as well, or you may consider it sufficient to have it in SSM. You will need the +Application ID to configure the runner controller, and want the fingerprint to verify the private key. (You can see the +fingerprint in the GitHub App settings, under "Private keys".) -Proceed to install the GitHub App in the organization or repository you want to use the runner controller for, -and record the Installation ID (the final numeric part of the URL, as explained in the instructions -linked above) in your secrets manager. You will need the Installation ID to configure the runner controller. +Proceed to install the GitHub App in the organization or repository you want to use the runner controller for, and +record the Installation ID (the final numeric part of the URL, as explained in the instructions linked above) in your +secrets manager. You will need the Installation ID to configure the runner controller. -In your stack configuration, set the following variables, making sure to quote the values so they are -treated as strings, not numbers. 
+In your stack configuration, set the following variables, making sure to quote the values so they are treated as +strings, not numbers. ``` github_app_id: "12345" @@ -269,10 +254,11 @@ github_app_installation_id: "12345" #### OR (obsolete): Creating and Using a Personal Access Token (classic) -Though not recommended, you can use a Personal Access Token (classic) to -authenticate the runners. To do so, create a PAT (classic) as described in the [GitHub Documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-personal-access-token-classic). -Save this to the value specified by `ssm_github_token_path` using the following command, adjusting the - AWS profile and region as explained above: +Though not recommended, you can use a Personal Access Token (classic) to authenticate the runners. To do so, create a +PAT (classic) as described in the +[GitHub Documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/authenticating-to-the-github-api#authenticating-arc-with-a-personal-access-token-classic). +Save this to the value specified by `ssm_github_token_path` using the following command, adjusting the AWS profile and +region as explained above: ``` AWS_PROFILE=acme-core-gbl-auto-terraform AWS_REGION=us-west-2 chamber write github-action-runners github-auth-secret -- "" 
@@ -280,22 +266,23 @@ AWS_PROFILE=acme-core-gbl-auto-terraform AWS_REGION=us-west-2 chamber write gith ### Using Runner Groups -GitHub supports grouping runners into distinct [Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups), which allow you to have different access controls -for different runners. Read the linked documentation about creating and configuring Runner Groups, which you must do -through the GitHub Web UI. If you choose to create Runner Groups, you can assign one or more Runner Sets (from the -`runners` map) to groups (only one group per runner set, but multiple sets can be in the same group) by including -`group: ` in the runner configuration. We recommend including it immediately after `github_url`. - +GitHub supports grouping runners into distinct +[Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups), +which allow you to have different access controls for different runners. Read the linked documentation about creating +and configuring Runner Groups, which you must do through the GitHub Web UI. If you choose to create Runner Groups, you +can assign one or more Runner Sets (from the `runners` map) to groups (only one group per runner set, but multiple sets +can be in the same group) by including `group: ` in the runner configuration. We recommend including +it immediately after `github_url`. ### Interaction with Karpenter or other EKS autoscaling solutions -Kubernetes cluster autoscaling solutions generally expect that a Pod runs a service that can be terminated on one -Node and restarted on another with only a short duration needed to finish processing any in-flight requests. When -the cluster is resized, the cluster autoscaler will do just that. However, GitHub Action Runner Jobs do not fit this -model. If a Pod is terminated in the middle of a job, the job is lost. 
The likelihood of this happening is increased -by the fact that the Action Runner Controller Autoscaler is expanding and contracting the size of the Runner Pool on -a regular basis, causing the cluster autoscaler to more frequently want to scale up or scale down the EKS cluster, -and, consequently, to move Pods around. +Kubernetes cluster autoscaling solutions generally expect that a Pod runs a service that can be terminated on one Node +and restarted on another with only a short duration needed to finish processing any in-flight requests. When the cluster +is resized, the cluster autoscaler will do just that. However, GitHub Action Runner Jobs do not fit this model. If a Pod +is terminated in the middle of a job, the job is lost. The likelihood of this happening is increased by the fact that +the Action Runner Controller Autoscaler is expanding and contracting the size of the Runner Pool on a regular basis, +causing the cluster autoscaler to more frequently want to scale up or scale down the EKS cluster, and, consequently, to +move Pods around. To handle these kinds of situations, Karpenter respects an annotation on the Pod: 
@@ -307,63 +294,61 @@ spec: karpenter.sh/do-not-evict: "true" ``` -When you set this annotation on the Pod, Karpenter will not voluntarily evict it. This means that the Pod will stay on the Node -it is on, and the Node it is on will not be considered for deprovisioning (scale down). This is good because it means that the Pod -will not be terminated in the middle of a job. However, it also means that the Node the Pod is on will remain running -until the Pod is terminated, even if the node is underutilized and Karpenter would like to get rid of it. +When you set this annotation on the Pod, Karpenter will not voluntarily evict it. This means that the Pod will stay on +the Node it is on, and the Node it is on will not be considered for deprovisioning (scale down). This is good because it +means that the Pod will not be terminated in the middle of a job. However, it also means that the Node the Pod is on +will remain running until the Pod is terminated, even if the node is underutilized and Karpenter would like to get rid +of it. Since the Runner Pods terminate at the end of the job, this is not a problem for the Pods actually running jobs. However, if you have set `minReplicas > 0`, then you have some Pods that are just idling, waiting for jobs to be -assigned to them. These Pods are exactly the kind of Pods you want terminated and moved when the cluster is underutilized. -Therefore, when you set `minReplicas > 0`, you should **NOT** set `karpenter.sh/do-not-evict: "true"` on the Pod. - +assigned to them. These Pods are exactly the kind of Pods you want terminated and moved when the cluster is +underutilized. Therefore, when you set `minReplicas > 0`, you should **NOT** set `karpenter.sh/do-not-evict: "true"` on +the Pod. ### Updating CRDs -When updating the chart or application version -of `gha-runner-scale-set-controller`, it is possible you will need to install -new CRDs. 
Such a requirement should be indicated in -the `gha-runner-scale-set-controller` release notes and may require some -adjustment to this component. - -This component uses `helm` to manage the deployment, and `helm` will not auto-update CRDs. -If new CRDs are needed, follow the instructions in the release notes for the Helm chart -or `gha-runner-scale-set-controller` itself. - +When updating the chart or application version of `gha-runner-scale-set-controller`, it is possible you will need to +install new CRDs. Such a requirement should be indicated in the `gha-runner-scale-set-controller` release notes and may +require some adjustment to this component. +This component uses `helm` to manage the deployment, and `helm` will not auto-update CRDs. If new CRDs are needed, +follow the instructions in the release notes for the Helm chart or `gha-runner-scale-set-controller` itself. ### Useful Reference -- Runner Scale Set Controller's Helm chart [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set-controller/values.yaml) -- Runner Scale Set's Helm chart [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) -- Runner Scale Set's [Docker image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image) and [how to create your own](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image) - -When reviewing documentation, code, issues, etc. for self-hosted GitHub action runners -or the Actions Runner Controller (ARC), keep in mind that there are 2 implementations -going by that name. 
The original implementation, which is now deprecated, uses -the `actions.summerwind.dev` API group, and is at times called the Summerwind -or Legacy implementation. It is primarily described by documentation in the -[actions/actions-runner-controller](https://github.com/actions/actions-runner-controller) -GitHub repository itself. - -The new implementation, which is the one this component -uses, uses the `actions.github.com` API group, and is at times called the GitHub -implementation or "Runner Scale Sets" implementation. The new implementation is -described in the official [GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller). - -Feature requests about the new implementation are officially -directed to the [Actions category of GitHub community discussion](https://github.com/orgs/community/discussions/categories/actions). -However, Q&A and community support is directed to the `actions/actions-runner-controller` -repo's [Discussion section](https://github.com/actions/actions-runner-controller/discussions), -though beware that discussions about the old implementation are mixed in with -discussions about the new implementation. - -Bug reports for the new implementation are still filed under the `actions/actions-runner-controller` -repo's [Issues](https://github.com/actions/actions-runner-controller/issues) tab, -though again, these are mixed in with bug reports for the old implementation. 
-Look for the `gha-runner-scale-set` label to find issues specific to the new +- Runner Scale Set Controller's Helm chart + [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set-controller/values.yaml) +- Runner Scale Set's Helm chart + [values.yaml](https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/values.yaml) +- Runner Scale Set's + [Docker image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image) + and + [how to create your own](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image) + +When reviewing documentation, code, issues, etc. for self-hosted GitHub action runners or the Actions Runner Controller +(ARC), keep in mind that there are 2 implementations going by that name. The original implementation, which is now +deprecated, uses the `actions.summerwind.dev` API group, and is at times called the Summerwind or Legacy implementation. +It is primarily described by documentation in the +[actions/actions-runner-controller](https://github.com/actions/actions-runner-controller) GitHub repository itself. + +The new implementation, which is the one this component uses, uses the `actions.github.com` API group, and is at times +called the GitHub implementation or "Runner Scale Sets" implementation. The new implementation is described in the +official +[GitHub documentation](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller). 
+ +Feature requests about the new implementation are officially directed to the +[Actions category of GitHub community discussion](https://github.com/orgs/community/discussions/categories/actions). +However, Q&A and community support is directed to the `actions/actions-runner-controller` repo's +[Discussion section](https://github.com/actions/actions-runner-controller/discussions), though beware that discussions +about the old implementation are mixed in with discussions about the new implementation. + +Bug reports for the new implementation are still filed under the `actions/actions-runner-controller` repo's +[Issues](https://github.com/actions/actions-runner-controller/issues) tab, though again, these are mixed in with bug +reports for the old implementation. Look for the `gha-runner-scale-set` label to find issues specific to the new implementation. + ## Requirements @@ -462,10 +447,12 @@ implementation. | [metadata](#output\_metadata) | Block status of the deployed release | | [runners](#output\_runners) | Human-readable summary of the deployed runners | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) - + Cloud Posse's upstream component - [alb-controller](https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller) - Helm Chart - [alb-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) - AWS Load Balancer Controller - [actions-runner-controller Webhook Driven Scaling](https://github.com/actions-runner-controller/actions-runner-controller/blob/master/docs/detailed-docs.md#webhook-driven-scaling) diff --git a/modules/eks/idp-roles/README.md b/modules/eks/idp-roles/README.md index d173a768b..a1acb1f44 100644 
--- a/modules/eks/idp-roles/README.md +++ b/modules/eks/idp-roles/README.md @@ -1,6 +1,7 @@ # Component: `eks/idp-roles` -This component installs the `idp-roles` for EKS clusters. These identity provider roles specify severl pre-determined permission levels for cluster users and come with bindings that make them easy to assign to Users and Groups. +This component installs the `idp-roles` for EKS clusters. These identity provider roles specify severl pre-determined +permission levels for cluster users and come with bindings that make them easy to assign to Users and Groups. ## Usage @@ -21,6 +22,7 @@ components: kubeconfig_exec_auth_api_version: "client.authentication.k8s.io/v1beta1" ``` + ## Requirements @@ -105,6 +107,8 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References -* https://kubernetes.io/docs/reference/access-authn-authz/authentication/ + +- https://kubernetes.io/docs/reference/access-authn-authz/authentication/ diff --git a/modules/eks/karpenter-provisioner/README.md b/modules/eks/karpenter-provisioner/README.md index eb2323119..88dbdc0ef 100644 --- a/modules/eks/karpenter-provisioner/README.md +++ b/modules/eks/karpenter-provisioner/README.md @@ -6,7 +6,8 @@ This component deploys [Karpenter provisioners](https://karpenter.sh/v0.18.0/aws **Stack Level**: Regional -If provisioning more than one provisioner, it is [best practice](https://aws.github.io/aws-eks-best-practices/karpenter/#create-provisioners-that-are-mutually-exclusive-or-weighted) +If provisioning more than one provisioner, it is +[best practice](https://aws.github.io/aws-eks-best-practices/karpenter/#create-provisioners-that-are-mutually-exclusive-or-weighted) to create provisioners that are mutually exclusive or weighted. ```yaml 
@@ -42,63 +43,64 @@ components: # and capacity type (such as AWS spot or on-demand). # See https://karpenter.sh/v0.18.0/provisioner/#specrequirements for more details requirements: - - key: "karpenter.k8s.aws/instance-category" - operator: "In" - values: ["c", "m", "r"] - - key: "karpenter.k8s.aws/instance-generation" - operator: "Gt" - values: ["2"] - - key: "karpenter.sh/capacity-type" - operator: "In" - values: - - "on-demand" - - "spot" - - key: "node.kubernetes.io/instance-type" - operator: "In" - # See https://aws.amazon.com/ec2/instance-explorer/ and https://aws.amazon.com/ec2/instance-types/ - # Values limited by DenyEC2InstancesWithoutEncryptionInTransit service control policy - # See https://github.com/cloudposse/terraform-aws-service-control-policies/blob/master/catalog/ec2-policies.yaml - # Karpenter recommends allowing at least 20 instance types to ensure availability. - values: - - "c5n.2xlarge" - - "c5n.xlarge" - - "c5n.large" - - "c6i.2xlarge" - - "c6i.xlarge" - - "c6i.large" - - "m5n.2xlarge" - - "m5n.xlarge" - - "m5n.large" - - "m5zn.2xlarge" - - "m5zn.xlarge" - - "m5zn.large" - - "m6i.2xlarge" - - "m6i.xlarge" - - "m6i.large" - - "r5n.2xlarge" - - "r5n.xlarge" - - "r5n.large" - - "r6i.2xlarge" - - "r6i.xlarge" - - "r6i.large" - - key: "kubernetes.io/arch" - operator: "In" - values: - - "amd64" + - key: "karpenter.k8s.aws/instance-category" + operator: "In" + values: ["c", "m", "r"] + - key: "karpenter.k8s.aws/instance-generation" + operator: "Gt" + values: ["2"] + - key: "karpenter.sh/capacity-type" + operator: "In" + values: + - "on-demand" + - "spot" + - key: "node.kubernetes.io/instance-type" + operator: "In" + # See https://aws.amazon.com/ec2/instance-explorer/ and https://aws.amazon.com/ec2/instance-types/ + # Values limited by DenyEC2InstancesWithoutEncryptionInTransit service control policy + # See https://github.com/cloudposse/terraform-aws-service-control-policies/blob/master/catalog/ec2-policies.yaml + # Karpenter recommends allowing at 
least 20 instance types to ensure availability. + values: + - "c5n.2xlarge" + - "c5n.xlarge" + - "c5n.large" + - "c6i.2xlarge" + - "c6i.xlarge" + - "c6i.large" + - "m5n.2xlarge" + - "m5n.xlarge" + - "m5n.large" + - "m5zn.2xlarge" + - "m5zn.xlarge" + - "m5zn.large" + - "m6i.2xlarge" + - "m6i.xlarge" + - "m6i.large" + - "r5n.2xlarge" + - "r5n.xlarge" + - "r5n.large" + - "r6i.2xlarge" + - "r6i.xlarge" + - "r6i.large" + - key: "kubernetes.io/arch" + operator: "In" + values: + - "amd64" # The AMI used by Karpenter provisioner when provisioning nodes. Based on the value set for amiFamily, Karpenter will automatically query for the appropriate EKS optimized AMI via AWS Systems Manager (SSM) # Bottlerocket, AL2, Ubuntu # https://karpenter.sh/v0.18.0/aws/provisioning/#amazon-machine-image-ami-family ami_family: AL2 # Karpenter provisioner block device mappings. block_device_mappings: - - deviceName: /dev/xvda - ebs: - volumeSize: 200Gi - volumeType: gp3 - encrypted: true - deleteOnTermination: true + - deviceName: /dev/xvda + ebs: + volumeSize: 200Gi + volumeType: gp3 + encrypted: true + deleteOnTermination: true ``` + ## Requirements @@ -177,6 +179,7 @@ components: | [providers](#output\_providers) | Deployed Karpenter AWSNodeTemplates | | [provisioners](#output\_provisioners) | Deployed Karpenter provisioners | + ## References diff --git a/modules/eks/karpenter/README.md b/modules/eks/karpenter/README.md index b4be40954..1437929e2 100644 --- a/modules/eks/karpenter/README.md +++ b/modules/eks/karpenter/README.md 
@@ -1,22 +1,19 @@ # Component: `eks/karpenter` -This component provisions [Karpenter](https://karpenter.sh) on an EKS cluster. -It requires at least version 0.19.0 of Karpenter, though you are encouraged to -use the latest version. +This component provisions [Karpenter](https://karpenter.sh) on an EKS cluster. It requires at least version 0.19.0 of +Karpenter, though you are encouraged to use the latest version. ## Usage **Stack Level**: Regional -These instructions assume you are provisioning 2 EKS clusters in the same account -and region, named "blue" and "green", and alternating between them. -If you are only using a single cluster, you can ignore the "blue" and "green" -references and remove the `metadata` block from the `karpenter` module. +These instructions assume you are provisioning 2 EKS clusters in the same account and region, named "blue" and "green", +and alternating between them. If you are only using a single cluster, you can ignore the "blue" and "green" references +and remove the `metadata` block from the `karpenter` module. ```yaml components: terraform: - # Base component of all `karpenter` components eks/karpenter: metadata: 
@@ -63,26 +60,24 @@ components: ## Provision Karpenter on EKS cluster -Here we describe how to provision Karpenter on an EKS cluster. -We will be using the `plat-ue2-dev` stack as an example. +Here we describe how to provision Karpenter on an EKS cluster. We will be using the `plat-ue2-dev` stack as an example. ### Provision Service-Linked Roles for EC2 Spot and EC2 Spot Fleet -__Note:__ If you want to use EC2 Spot for the instances launched by Karpenter, -you may need to provision the following Service-Linked Role for EC2 Spot: +**Note:** If you want to use EC2 Spot for the instances launched by Karpenter, you may need to provision the following +Service-Linked Role for EC2 Spot: - Service-Linked Role for EC2 Spot -This is only necessary if this is the first time you're using EC2 Spot in the account. -Since this is a one-time operation, we recommend you do this manually via -the AWS CLI: +This is only necessary if this is the first time you're using EC2 Spot in the account. Since this is a one-time +operation, we recommend you do this manually via the AWS CLI: ```bash aws --profile --gbl--admin iam create-service-linked-role --aws-service-name spot.amazonaws.com ``` -Note that if the Service-Linked Roles already exist in the AWS account (if you used EC2 Spot or Spot Fleet before), -and you try to provision them again, you will see the following errors: +Note that if the Service-Linked Roles already exist in the AWS account (if you used EC2 Spot or Spot Fleet before), and +you try to provision them again, you will see the following errors: ```text An error occurred (InvalidInput) when calling the CreateServiceLinkedRole operation: 
@@ -90,14 +85,16 @@ Service role name AWSServiceRoleForEC2Spot has been taken in this account, pleas ``` For more details, see: - - https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html - - https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html + +- https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html +- https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html The process of provisioning Karpenter on an EKS cluster consists of 3 steps. ### 1. Provision EKS Fargate Profile for Karpenter and IAM Role for Nodes Launched by Karpenter -EKS Fargate Profile for Karpenter and IAM Role for Nodes launched by Karpenter are provisioned by the `eks/cluster` component: +EKS Fargate Profile for Karpenter and IAM Role for Nodes launched by Karpenter are provisioned by the `eks/cluster` +component: ```yaml components: @@ -124,9 +121,12 @@ components: karpenter_iam_role_enabled: true ``` -__Notes__: - - Fargate Profile role ARNs need to be added to the `aws-auth` ConfigMap to allow the Fargate Profile nodes to join the EKS cluster (this is done by EKS) - - Karpenter IAM role ARN needs to be added to the `aws-auth` ConfigMap to allow the nodes launched by Karpenter to join the EKS cluster (this is done by the `eks/cluster` component) +**Notes**: + +- Fargate Profile role ARNs need to be added to the `aws-auth` ConfigMap to allow the Fargate Profile nodes to join the + EKS cluster (this is done by EKS) +- Karpenter IAM role ARN needs to be added to the `aws-auth` ConfigMap to allow the nodes launched by Karpenter to join + the EKS cluster (this is done by the `eks/cluster` component) We use EKS Fargate Profile for Karpenter because It is recommended to run Karpenter on an EKS Fargate Profile. 
@@ -140,7 +140,8 @@ karpenter namespace. Doing so will cause all pods deployed into this namespace t Do not run Karpenter on a node that is managed by Karpenter. ``` -See [Run Karpenter Controller on EKS Fargate](https://aws.github.io/aws-eks-best-practices/karpenter/#run-the-karpenter-controller-on-eks-fargate-or-on-a-worker-node-that-belongs-to-a-node-group) +See +[Run Karpenter Controller on EKS Fargate](https://aws.github.io/aws-eks-best-practices/karpenter/#run-the-karpenter-controller-on-eks-fargate-or-on-a-worker-node-that-belongs-to-a-node-group) for more details. We provision IAM Role for Nodes launched by Karpenter because they must run with an Instance Profile that grants @@ -148,10 +149,11 @@ permissions necessary to run containers and configure networking. We define the IAM role for the Instance Profile in `components/terraform/eks/cluster/karpenter.tf`. -Note that we provision the EC2 Instance Profile for the Karpenter IAM role in the `components/terraform/eks/karpenter` component (see the next step). +Note that we provision the EC2 Instance Profile for the Karpenter IAM role in the `components/terraform/eks/karpenter` +component (see the next step). -Run the following commands to provision the EKS Fargate Profile for Karpenter and the IAM role for instances launched by Karpenter -on the blue EKS cluster and add the role ARNs to the `aws-auth` ConfigMap: +Run the following commands to provision the EKS Fargate Profile for Karpenter and the IAM role for instances launched by +Karpenter on the blue EKS cluster and add the role ARNs to the `aws-auth` ConfigMap: ```bash atmos terraform plan eks/cluster-blue -s plat-ue2-dev 
@@ -163,14 +165,14 @@ For more details, refer to: - https://karpenter.sh/v0.18.0/getting-started/getting-started-with-terraform - https://karpenter.sh/v0.18.0/getting-started/getting-started-with-eksctl - ### 2. Provision `karpenter` component In this step, we provision the `components/terraform/eks/karpenter` component, which deploys the following resources: - - EC2 Instance Profile for the nodes launched by Karpenter (note that the IAM role for the Instance Profile is provisioned in the previous step in the `eks/cluster` component) - - Karpenter Kubernetes controller using the Karpenter Helm Chart and the `helm_release` Terraform resource - - EKS IAM role for Kubernetes Service Account for the Karpenter controller (with all the required permissions) +- EC2 Instance Profile for the nodes launched by Karpenter (note that the IAM role for the Instance Profile is + provisioned in the previous step in the `eks/cluster` component) +- Karpenter Kubernetes controller using the Karpenter Helm Chart and the `helm_release` Terraform resource +- EKS IAM role for Kubernetes Service Account for the Karpenter controller (with all the required permissions) Run the following commands to provision the Karpenter component on the blue EKS cluster: 
@@ -182,22 +184,22 @@ atmos terraform apply eks/karpenter-blue -s plat-ue2-dev Note that the stack config for the blue Karpenter component is defined in `stacks/catalog/eks/clusters/blue.yaml`. ```yaml - eks/karpenter-blue: - metadata: - component: eks/karpenter - inherits: - - eks/karpenter - vars: - eks_component_name: eks/cluster-blue +eks/karpenter-blue: + metadata: + component: eks/karpenter + inherits: + - eks/karpenter + vars: + eks_component_name: eks/cluster-blue ``` ### 3. Provision `karpenter-provisioner` component -In this step, we provision the `components/terraform/eks/karpenter-provisioner` component, which deploys Karpenter [Provisioners](https://karpenter.sh/v0.18.0/aws/provisioning) -using the `kubernetes_manifest` resource. +In this step, we provision the `components/terraform/eks/karpenter-provisioner` component, which deploys Karpenter +[Provisioners](https://karpenter.sh/v0.18.0/aws/provisioning) using the `kubernetes_manifest` resource. -__NOTE:__ We deploy the provisioners in a separate step as a separate component since it uses `kind: Provisioner` CRD which itself is created by -the `karpenter` component in the previous step. +**NOTE:** We deploy the provisioners in a separate step as a separate component since it uses `kind: Provisioner` CRD +which itself is created by the `karpenter` component in the previous step. Run the following commands to deploy the Karpenter provisioners on the blue EKS cluster: 
@@ -206,84 +208,90 @@ atmos terraform plan eks/karpenter-provisioner-blue -s plat-ue2-dev atmos terraform apply eks/karpenter-provisioner-blue -s plat-ue2-dev ``` -Note that the stack config for the blue Karpenter provisioner component is defined in `stacks/catalog/eks/clusters/blue.yaml`. +Note that the stack config for the blue Karpenter provisioner component is defined in +`stacks/catalog/eks/clusters/blue.yaml`. ```yaml - eks/karpenter-provisioner-blue: - metadata: - component: eks/karpenter-provisioner - inherits: - - eks/karpenter-provisioner - vars: - attributes: - - blue - eks_component_name: eks/cluster-blue +eks/karpenter-provisioner-blue: + metadata: + component: eks/karpenter-provisioner + inherits: + - eks/karpenter-provisioner + vars: + attributes: + - blue + eks_component_name: eks/cluster-blue ``` You can override the default values from the `eks/karpenter-provisioner` base component. -For your cluster, you will need to review the following configurations for the Karpenter provisioners and update it according to your requirements: - - - [requirements](https://karpenter.sh/v0.18.0/provisioner/#specrequirements): - - ```yaml - requirements: - - key: "karpenter.sh/capacity-type" - operator: "In" - values: - - "on-demand" - - "spot" - - key: "node.kubernetes.io/instance-type" - operator: "In" - values: - - "m5.xlarge" - - "m5.large" - - "m5.medium" - - "c5.xlarge" - - "c5.large" - - "c5.medium" - - key: "kubernetes.io/arch" - operator: "In" - values: - - "amd64" - ``` - - - `taints`, `startup_taints`, `ami_family` - - - Resource limits/requests for the Karpenter controller itself: - - ```yaml - resources: - limits: - cpu: "300m" - memory: "1Gi" - requests: - cpu: "100m" - memory: "512Mi" - ``` - - - Total CPU and memory limits for all pods running on the EC2 instances launched by Karpenter: - - ```yaml - total_cpu_limit: "1k" - total_memory_limit: "1000Gi" - ``` - - - Config to terminate empty nodes after the specified number of seconds. 
This behavior can be disabled by setting the value to `null` (never scales down if not set): - - ```yaml - ttl_seconds_after_empty: 30 - ``` - - - Config to terminate nodes when a maximum age is reached. This behavior can be disabled by setting the value to `null` (never expires if not set): - - ```yaml - ttl_seconds_until_expired: 2592000 - ``` +For your cluster, you will need to review the following configurations for the Karpenter provisioners and update it +according to your requirements: + +- [requirements](https://karpenter.sh/v0.18.0/provisioner/#specrequirements): + + ```yaml + requirements: + - key: "karpenter.sh/capacity-type" + operator: "In" + values: + - "on-demand" + - "spot" + - key: "node.kubernetes.io/instance-type" + operator: "In" + values: + - "m5.xlarge" + - "m5.large" + - "m5.medium" + - "c5.xlarge" + - "c5.large" + - "c5.medium" + - key: "kubernetes.io/arch" + operator: "In" + values: + - "amd64" + ``` + +- `taints`, `startup_taints`, `ami_family` + +- Resource limits/requests for the Karpenter controller itself: + + ```yaml + resources: + limits: + cpu: "300m" + memory: "1Gi" + requests: + cpu: "100m" + memory: "512Mi" + ``` + +- Total CPU and memory limits for all pods running on the EC2 instances launched by Karpenter: + + ```yaml + total_cpu_limit: "1k" + total_memory_limit: "1000Gi" + ``` + +- Config to terminate empty nodes after the specified number of seconds. This behavior can be disabled by setting the + value to `null` (never scales down if not set): + + ```yaml + ttl_seconds_after_empty: 30 + ``` + +- Config to terminate nodes when a maximum age is reached. This behavior can be disabled by setting the value to `null` + (never expires if not set): + + ```yaml + ttl_seconds_until_expired: 2592000 + ``` ## Node Interruption -Karpenter also supports listening for and responding to Node Interruption events. 
If interruption handling is enabled, Karpenter will watch for upcoming involuntary interruption events that would cause disruption to your workloads. These interruption events include: +Karpenter also supports listening for and responding to Node Interruption events. If interruption handling is enabled, +Karpenter will watch for upcoming involuntary interruption events that would cause disruption to your workloads. These +interruption events include: - Spot Interruption Warnings - Scheduled Change Health Events (Maintenance Events) 
@@ -292,25 +300,29 @@ Karpenter also supports listening for and responding to Node Interruption events :::info -The Node Interruption Handler is not the same as the Node Termination Handler. The latter is always enabled and cleanly shuts down the node in 2 minutes in response to a Node Termination event. The former gets advance notice that a node will soon be terminated, so it can have 5-10 minutes to shut down a node. +The Node Interruption Handler is not the same as the Node Termination Handler. The latter is always enabled and cleanly +shuts down the node in 2 minutes in response to a Node Termination event. The former gets advance notice that a node +will soon be terminated, so it can have 5-10 minutes to shut down a node. ::: -For more details, see refer to the [Karpenter docs](https://karpenter.sh/v0.32/concepts/disruption/#interruption) and [FAQ](https://karpenter.sh/v0.32/faq/#interruption-handling) +For more details, see refer to the [Karpenter docs](https://karpenter.sh/v0.32/concepts/disruption/#interruption) and +[FAQ](https://karpenter.sh/v0.32/faq/#interruption-handling) -To enable Node Interruption handling, set `var.interruption_handler_enabled` to `true`. This will create an SQS queue and a set of Event Bridge rules to deliver interruption events to Karpenter. +To enable Node Interruption handling, set `var.interruption_handler_enabled` to `true`. This will create an SQS queue +and a set of Event Bridge rules to deliver interruption events to Karpenter. ## Custom Resource Definition (CRD) Management -Karpenter ships with a few Custom Resource Definitions (CRDs). In earlier versions -of this component, when installing a new version of the `karpenter` helm chart, CRDs -were not be upgraded at the same time, requiring manual steps to upgrade CRDs after deploying the latest chart. -However Karpenter now supports an additional, independent helm chart for CRD management. 
-This helm chart, `karpenter-crd`, can be installed alongside the `karpenter` helm chart to automatically manage the lifecycle of these CRDs. +Karpenter ships with a few Custom Resource Definitions (CRDs). In earlier versions of this component, when installing a +new version of the `karpenter` helm chart, CRDs were not be upgraded at the same time, requiring manual steps to upgrade +CRDs after deploying the latest chart. However Karpenter now supports an additional, independent helm chart for CRD +management. This helm chart, `karpenter-crd`, can be installed alongside the `karpenter` helm chart to automatically +manage the lifecycle of these CRDs. -To deploy the `karpenter-crd` helm chart, set `var.crd_chart_enabled` to `true`. -(Installing the `karpenter-crd` chart is recommended. `var.crd_chart_enabled` defaults -to `false` to preserve backward compatibility with older versions of this component.) +To deploy the `karpenter-crd` helm chart, set `var.crd_chart_enabled` to `true`. (Installing the `karpenter-crd` chart +is recommended. `var.crd_chart_enabled` defaults to `false` to preserve backward compatibility with older versions of +this component.) ## Troubleshooting 
@@ -320,14 +332,13 @@ For Karpenter issues, checkout the [Karpenter Troubleshooting Guide](https://kar For more details, refer to: - - https://karpenter.sh/v0.28.0/provisioner/#specrequirements - - https://karpenter.sh/v0.28.0/aws/provisioning - - https://aws.github.io/aws-eks-best-practices/karpenter/#creating-provisioners - - https://aws.github.io/aws-eks-best-practices/karpenter - - https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html - - +- https://karpenter.sh/v0.28.0/provisioner/#specrequirements +- https://karpenter.sh/v0.28.0/aws/provisioning +- https://aws.github.io/aws-eks-best-practices/karpenter/#creating-provisioners +- https://aws.github.io/aws-eks-best-practices/karpenter +- https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html + ## Requirements @@ -430,6 +441,7 @@ For more details, refer to: | [instance\_profile](#output\_instance\_profile) | Provisioned EC2 Instance Profile for nodes launched by Karpenter | | [metadata](#output\_metadata) | Block status of the deployed release | + ## References diff --git a/modules/eks/keda/README.md b/modules/eks/keda/README.md index ca8ede1fc..b0dd0b847 100644 --- a/modules/eks/keda/README.md +++ b/modules/eks/keda/README.md @@ -24,9 +24,9 @@ components: chart_version: "2.11.2" chart_values: {} timeout: 180 - ``` + ## Requirements @@ -120,6 +120,9 @@ components: | [service\_account\_role\_name](#output\_service\_account\_role\_name) | IAM role name | | [service\_account\_role\_unique\_id](#output\_service\_account\_role\_unique\_id) | IAM role unique ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/keda) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/keda) - + Cloud Posse's upstream component 
diff --git a/modules/eks/metrics-server/README.md b/modules/eks/metrics-server/README.md index 087dff862..000c4347c 100644 --- a/modules/eks/metrics-server/README.md +++ b/modules/eks/metrics-server/README.md @@ -1,6 +1,7 @@ # Component: `metrics-server` -This component creates a Helm release for [metrics-server](https://github.com/kubernetes-sigs/metrics-server) is a Kubernetes addon that provides resource usage metrics used in particular by other addons such Horizontal Pod Autoscaler. +This component creates a Helm release for [metrics-server](https://github.com/kubernetes-sigs/metrics-server) is a +Kubernetes addon that provides resource usage metrics used in particular by other addons such Horizontal Pod Autoscaler. ## Usage @@ -37,6 +38,7 @@ components: chart_values: {} ``` + ## Requirements @@ -125,6 +127,7 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References diff --git a/modules/eks/platform/README.md b/modules/eks/platform/README.md index a089db808..9c26a6c25 100644 --- a/modules/eks/platform/README.md +++ b/modules/eks/platform/README.md @@ -1,7 +1,7 @@ # Component: `eks/platform` -This component maps another components' outputs into SSM parameter store to declare -platform context used by CI/CD workflows. +This component maps another components' outputs into SSM parameter store to declare platform context used by CI/CD +workflows. ## Usage @@ -20,7 +20,7 @@ The default catalog values `e.g. stacks/catalog/eks/platform.yaml` ```yaml components: terraform: - eks/platform: + eks/platform: metadata: component: eks/platform backend: 
@@ -43,9 +43,10 @@ components: output: group_name ``` -That would read `group_name` from `eks/alb-controller-ingress-group` component outputs and -put it into `/platform/{eks cluster name}/default/default_alb_ingress_group` +That would read `group_name` from `eks/alb-controller-ingress-group` component outputs and put it into +`/platform/{eks cluster name}/default/default_alb_ingress_group` + ## Requirements @@ -110,5 +111,6 @@ put it into `/platform/{eks cluster name}/default/default_alb_ingress_group` No outputs. + [](https://cpco.io/component) diff --git a/modules/eks/redis-operator/README.md b/modules/eks/redis-operator/README.md index 366f618d0..478124de9 100644 --- a/modules/eks/redis-operator/README.md +++ b/modules/eks/redis-operator/README.md @@ -1,6 +1,7 @@ # Component: `eks/redis-operator` -This component installs `redis-operator` for EKS clusters. Redis Operator creates/configures/manages high availability redis with sentinel automatic failover atop Kubernetes. +This component installs `redis-operator` for EKS clusters. Redis Operator creates/configures/manages high availability +redis with sentinel automatic failover atop Kubernetes. ## Usage @@ -46,7 +47,6 @@ components: image: repository: quay.io/spotahome/redis-operator tag: v1.1.1 - ``` `stacks/catalog/eks/redis-operator/dev` file (derived component for "dev" specific settings): @@ -63,8 +63,9 @@ components: inherits: - eks/redis-operator/defaults vars: {} - ``` + + ## Requirements @@ -153,6 +154,9 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/redis-operator) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/redis-operator) - + Cloud Posse's upstream component 
diff --git a/modules/eks/redis/README.md b/modules/eks/redis/README.md index 6ac863987..e46c5ea41 100644 --- a/modules/eks/redis/README.md +++ b/modules/eks/redis/README.md @@ -8,7 +8,6 @@ This component installs `redis` for EKS clusters. This is a Self Hosted Redis Cl Use this in the catalog or use these variables to overwrite the catalog values. - `stacks/catalog/eks/redis/defaults` file (base component for default Redis settings): ```yaml @@ -51,7 +50,6 @@ components: # Disabling Manifest Experiment disables stored metadata with Terraform state # Otherwise, the state will show changes on all plans helm_manifest_experiment_enabled: false - ``` `stacks/catalog/eks/redis/dev` file (derived component for "dev" specific settings): @@ -68,9 +66,9 @@ components: inherits: - eks/redis/defaults vars: {} - ``` + ## Requirements @@ -159,6 +157,9 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/redis) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/redis) - + Cloud Posse's upstream component diff --git a/modules/eks/reloader/README.md b/modules/eks/reloader/README.md index f84ccc99c..8198f4fb2 100644 --- a/modules/eks/reloader/README.md +++ b/modules/eks/reloader/README.md 
@@ -1,8 +1,7 @@ # Component: `eks/reloader` -This component installs the [Stakater Reloader](https://github.com/stakater/Reloader) for EKS clusters. -`reloader` can watch `ConfigMap`s and `Secret`s for changes -and use these to trigger rolling upgrades on pods and their associated +This component installs the [Stakater Reloader](https://github.com/stakater/Reloader) for EKS clusters. `reloader` can +watch `ConfigMap`s and `Secret`s for changes and use these to trigger rolling upgrades on pods and their associated `DeploymentConfig`s, `Deployment`s, `Daemonset`s `Statefulset`s and `Rollout`s. ## Usage @@ -29,6 +28,7 @@ components: timeout: 180 ``` + ## Requirements @@ -116,7 +116,9 @@ components: |------|-------------| | [metadata](#output\_metadata) | Block status of the deployed release | + ## References -* https://github.com/stakater/Reloader -* https://github.com/stakater/Reloader/tree/master/deployments/kubernetes/chart/reloader + +- https://github.com/stakater/Reloader +- https://github.com/stakater/Reloader/tree/master/deployments/kubernetes/chart/reloader diff --git a/modules/eks/storage-class/README.md b/modules/eks/storage-class/README.md index 9ecb30238..29cf8f602 100644 --- a/modules/eks/storage-class/README.md +++ b/modules/eks/storage-class/README.md 
@@ -1,36 +1,34 @@ # Component: `eks/storage-class` -This component is responsible for provisioning `StorageClasses` in an EKS cluster. -See the list of guides and references linked at the bottom of this README for more information. +This component is responsible for provisioning `StorageClasses` in an EKS cluster. See the list of guides and references +linked at the bottom of this README for more information. -A StorageClass provides part of the configuration for a PersistentVolumeClaim, -which copies the configuration when it is created. Thus, you can delete a StorageClass -without affecting existing PersistentVolumeClaims, and changes to a StorageClass -do not propagate to existing PersistentVolumeClaims. +A StorageClass provides part of the configuration for a PersistentVolumeClaim, which copies the configuration when it is +created. Thus, you can delete a StorageClass without affecting existing PersistentVolumeClaims, and changes to a +StorageClass do not propagate to existing PersistentVolumeClaims. ## Usage **Stack Level**: Regional, per cluster -This component can create storage classes backed by EBS or EFS, and is intended to be used -with the corresponding EKS add-ons `aws-ebs-csi-driver` and `aws-efs-csi-driver` respectively. -In the case of EFS, this component also requires that you have provisioned an EFS filesystem -in the same region as your cluster, and expects you have used the `efs` (previously `eks/efs`) component to do so. -The EFS storage classes will get the file system ID from the EFS component's output. +This component can create storage classes backed by EBS or EFS, and is intended to be used with the corresponding EKS +add-ons `aws-ebs-csi-driver` and `aws-efs-csi-driver` respectively. In the case of EFS, this component also requires +that you have provisioned an EFS filesystem in the same region as your cluster, and expects you have used the `efs` +(previously `eks/efs`) component to do so. 
The EFS storage classes will get the file system ID from the EFS component's +output. ### Note: Default Storage Class -Exactly one StorageClass can be designated as the default StorageClass for a cluster. -This default StorageClass is then used by PersistentVolumeClaims that do not specify a storage class. +Exactly one StorageClass can be designated as the default StorageClass for a cluster. This default StorageClass is then +used by PersistentVolumeClaims that do not specify a storage class. -Prior to Kubernetes 1.26, if more than one StorageClass is marked as default, -a PersistentVolumeClaim without `storageClassName` explicitly specified cannot be created. -In Kubernetes 1.26 and later, if more than one StorageClass is marked as default, -the last one created will be used, which means you can get by with just ignoring -the default "gp2" StorageClass that EKS creates for you. +Prior to Kubernetes 1.26, if more than one StorageClass is marked as default, a PersistentVolumeClaim without +`storageClassName` explicitly specified cannot be created. In Kubernetes 1.26 and later, if more than one StorageClass +is marked as default, the last one created will be used, which means you can get by with just ignoring the default "gp2" +StorageClass that EKS creates for you. -EKS always creates a default storage class for the cluster, typically an EBS backed class named `gp2`. Find out -what the default storage class is for your cluster by running this command: +EKS always creates a default storage class for the cluster, typically an EBS backed class named `gp2`. Find out what the +default storage class is for your cluster by running this command: ```bash # You only need to run `set-cluster` when you are changing target clusters 
@@ -83,28 +81,29 @@ ebs_storage_classes: Here's an example snippet for how to use this component. ```yaml - eks/storage-class: - vars: - ebs_storage_classes: - gp2: - make_default_storage_class: false - include_tags: false - # Preserve values originally set by eks/cluster. - # Set to "" to omit. - provisioner: kubernetes.io/aws-ebs - parameters: - type: gp2 - encrypted: "" - gp3: - make_default_storage_class: true - parameters: - type: gp3 - efs_storage_classes: - efs-sc: - make_default_storage_class: false - efs_component_name: "efs" # Replace with the name of the EFS component, previously "eks/efs" +eks/storage-class: + vars: + ebs_storage_classes: + gp2: + make_default_storage_class: false + include_tags: false + # Preserve values originally set by eks/cluster. + # Set to "" to omit. + provisioner: kubernetes.io/aws-ebs + parameters: + type: gp2 + encrypted: "" + gp3: + make_default_storage_class: true + parameters: + type: gp3 + efs_storage_classes: + efs-sc: + make_default_storage_class: false + efs_component_name: "efs" # Replace with the name of the EFS component, previously "eks/efs" ``` + ## Requirements @@ -183,6 +182,7 @@ Here's an example snippet for how to use this component. |------|-------------| | [storage\_classes](#output\_storage\_classes) | Storage classes created by this module | + ## Related How-to Guides 
@@ -200,6 +200,7 @@ Here's an example snippet for how to use this component. - [EFS CSI driver (Amazon)](https://docs.aws.amazon.com/eks/latest/userguide/efs-csi.html) - [EFS CSI driver (GitHub)](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/README.md#examples) - [EFS CSI StorageClass Parameters](https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/docs#storage-class-parameters-for-dynamic-provisioning) -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/cluster) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/elasticache-redis/README.md b/modules/elasticache-redis/README.md index 73d0a0942..1f33e1a24 100644 --- a/modules/elasticache-redis/README.md +++ b/modules/elasticache-redis/README.md @@ -18,8 +18,8 @@ components: enabled: true name: "elasticache-redis" family: redis6.x - ingress_cidr_blocks: [ ] - egress_cidr_blocks: [ "0.0.0.0/0" ] + ingress_cidr_blocks: [] + egress_cidr_blocks: ["0.0.0.0/0"] port: 6379 at_rest_encryption_enabled: true transit_encryption_enabled: false @@ -61,6 +61,7 @@ components: value: lK ``` + ## Requirements @@ -134,9 +135,11 @@ No resources. |------|-------------| | [redis\_clusters](#output\_redis\_clusters) | Redis cluster objects | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/elasticache-redis) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/elasticache-redis) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/elasticsearch/README.md b/modules/elasticsearch/README.md index a55401b8b..0458a7433 100644 
--- a/modules/elasticsearch/README.md +++ b/modules/elasticsearch/README.md @@ -1,6 +1,7 @@ # Component: `elasticsearch` -This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and Logstash. +This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and +Logstash. ## Usage @@ -27,6 +28,7 @@ components: domain_hostname_enabled: true ``` + ## Requirements @@ -118,8 +120,11 @@ components: | [master\_password\_ssm\_key](#output\_master\_password\_ssm\_key) | SSM key of Elasticsearch master password | | [security\_group\_id](#output\_security\_group\_id) | Security Group ID to control access to the Elasticsearch domain | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/elasticsearch) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/elasticsearch) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/eventbridge/README.md b/modules/eventbridge/README.md index 302d4d009..bbd1c0a95 100644 --- a/modules/eventbridge/README.md +++ b/modules/eventbridge/README.md @@ -1,7 +1,7 @@ # Component: `eventbridge` -The `eventbridge` component is a Terraform module that defines a CloudWatch EventBridge rule. -The rule is pointed at cloudwatch by default. +The `eventbridge` component is a Terraform module that defines a CloudWatch EventBridge rule. The rule is pointed at +cloudwatch by default. ## Usage @@ -28,13 +28,14 @@ components: - WARN - ERROR - agentConnected: - - false + - false - containers: exitCode: - anything-but: - - 0 + - 0 ``` + ## Requirements 
@@ -101,8 +102,11 @@ components: | [cloudwatch\_logs\_log\_group\_arn](#output\_cloudwatch\_logs\_log\_group\_arn) | The ARN of the CloudWatch Log Group | | [cloudwatch\_logs\_log\_group\_name](#output\_cloudwatch\_logs\_log\_group\_name) | The name of the CloudWatch Log Group | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eventbridge) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eventbridge) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/github-action-token-rotator/README.md b/modules/github-action-token-rotator/README.md index 080320c2a..cdff9ec74 100644 --- a/modules/github-action-token-rotator/README.md +++ b/modules/github-action-token-rotator/README.md @@ -1,6 +1,7 @@ # Component: `github-action-token-rotator` -This component is responsible for provisioning [Github Action Token Rotator](https://github.com/cloudposse/terraform-aws-github-action-token-rotator). +This component is responsible for provisioning +[Github Action Token Rotator](https://github.com/cloudposse/terraform-aws-github-action-token-rotator). This component creates a Lambda to rotate Github Action tokens in SSM Parameter Store. @@ -8,7 +9,8 @@ This component creates a Lambda to rotate Github Action tokens in SSM Parameter **Stack Level**: Regional -Here's an example snippet for how to use this component. This is generally deployed once and to the automation account's primary region. +Here's an example snippet for how to use this component. This is generally deployed once and to the automation account's +primary region. `stacks/catalog/github-action-token-rotator.yaml` file: 
@@ -25,8 +27,11 @@ components: parameter_store_token_path: /github/runners/my-org/registrationToken ``` -Follow the manual steps using the [guide in the upstream module](https://github.com/cloudposse/terraform-aws-github-action-token-rotator#quick-start) and use `chamber` to add the secrets to the appropriate stage. +Follow the manual steps using the +[guide in the upstream module](https://github.com/cloudposse/terraform-aws-github-action-token-rotator#quick-start) and +use `chamber` to add the secrets to the appropriate stage. + ## Requirements @@ -86,9 +91,11 @@ No resources. |------|-------------| | [github\_action\_token\_rotator](#output\_github\_action\_token\_rotator) | GitHub action token rotator module outputs. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-action-token-rotator) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-action-token-rotator) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/github-oidc-provider/README.md b/modules/github-oidc-provider/README.md index 08968f5c2..59c17f515 100644 --- a/modules/github-oidc-provider/README.md +++ b/modules/github-oidc-provider/README.md 
@@ -1,18 +1,17 @@ # Component: `github-oidc-provider` -This component is responsible for authorizing the GitHub OIDC provider -as an Identity provider for an AWS account. It is meant to be used -in concert with `aws-teams` and `aws-team-roles` and/or with -`github-actions-iam-role.mixin.tf` +This component is responsible for authorizing the GitHub OIDC provider as an Identity provider for an AWS account. It is +meant to be used in concert with `aws-teams` and `aws-team-roles` and/or with `github-actions-iam-role.mixin.tf` ## Usage **Stack Level**: Global Here's an example snippet for how to use this component. + - This must be installed in the `identity` account in order to use standard SAML roles with role chaining. -- This must be installed in each individual account where you want to provision a service role for a GitHub action - that will be assumed directly by the action. +- This must be installed in each individual account where you want to provision a service role for a GitHub action that + will be assumed directly by the action. For security, since this component adds an identity provider, only SuperAdmin can install it. 
@@ -26,17 +25,16 @@ components: ## Configuring the Github OIDC Provider -This component was created to add the Github OIDC provider so that Github Actions can safely assume roles -without the need to store static credentials in the environment. -The details of the GitHub OIDC provider are hard coded in the component, however at some point -the provider's thumbprint may change, at which point you can use +This component was created to add the Github OIDC provider so that Github Actions can safely assume roles without the +need to store static credentials in the environment. The details of the GitHub OIDC provider are hard coded in the +component, however at some point the provider's thumbprint may change, at which point you can use [get_github_oidc_thumbprint.sh](https://github.com/cloudposse/terraform-aws-components/blob/main/modules/github-oidc-provider/scripts/get_github_oidc_thumbprint.sh) to get the new thumbprint and add it to the list in `var.thumbprint_list`. This script will pull one of two thumbprints. There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by the GitHub servers, requiring customers to trust both. This is a known -behavior when the intermediary certificates are cross-signed by the CA. Therefore, run this script until both values -are retrieved. Add both to `var.thumbprint_list`. +behavior when the intermediary certificates are cross-signed by the CA. Therefore, run this script until both values are +retrieved. Add both to `var.thumbprint_list`. For more, see https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ 
@@ -50,15 +48,16 @@ The following error is very common if the GitHub workflow is missing proper perm Error: User: arn:aws:sts::***:assumed-role/acme-core-use1-auto-actions-runner@actions-runner-system/token-file-web-identity is not authorized to perform: sts:TagSession on resource: arn:aws:iam::999999999999:role/acme-plat-use1-dev-gha ``` -In order to use a web identity, GitHub Action pipelines must have the following permission. -See [GitHub Action documentation for more](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings). +In order to use a web identity, GitHub Action pipelines must have the following permission. See +[GitHub Action documentation for more](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings). ```yaml permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout ``` + ## Requirements @@ -118,10 +117,11 @@ permissions: |------|-------------| | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | GitHub OIDC provider ARN | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-oidc-provider) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-oidc-provider) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/github-oidc-role/README.md b/modules/github-oidc-role/README.md index 7d21a02f4..4c003e77d 100644 --- a/modules/github-oidc-role/README.md +++ b/modules/github-oidc-role/README.md 
@@ -42,7 +42,7 @@ components: # Note: inherited lists are not merged, they are replaced github_actions_allowed_repos: - "MyOrg/infrastructure" - attributes: [ "gitops" ] + attributes: ["gitops"] iam_policies: - gitops gitops_policy_configuration: @@ -68,7 +68,7 @@ components: enabled: true github_actions_allowed_repos: - MyOrg/example-app-on-lambda-with-gha - attributes: [ "lambda-cicd" ] + attributes: ["lambda-cicd"] iam_policies: - lambda-cicd lambda_cicd_policy_configuration: @@ -98,7 +98,7 @@ components: enabled: true github_actions_allowed_repos: - MyOrg/example-app-on-lambda-with-gha - attributes: [ "custom" ] + attributes: ["custom"] iam_policies: - arn:aws:iam::aws:policy/AdministratorAccess iam_policy: 
@@ -120,29 +120,33 @@ There are two methods for adding custom policies to the IAM role. #### Defining Custom Policies in Terraform -1. Give the policy a unique name, e.g. `docker-publish`. We will use `NAME` as a placeholder for the name in the instructions below. +1. Give the policy a unique name, e.g. `docker-publish`. We will use `NAME` as a placeholder for the name in the + instructions below. 2. Create a file in the component directory (i.e. `github-oidc-role`) with the name `policy_NAME.tf`. 3. In that file, conditionally (based on need) create a policy document as follows: - ```hcl - locals { - NAME_policy_enabled = contains(var.iam_policies, "NAME") - NAME_policy = local.NAME_policy_enabled ? one(data.aws_iam_policy_document.NAME.*.json) : null - } + ```hcl + locals { + NAME_policy_enabled = contains(var.iam_policies, "NAME") + NAME_policy = local.NAME_policy_enabled ? one(data.aws_iam_policy_document.NAME.*.json) : null + } - data "aws_iam_policy_document" "NAME" { - count = local.NAME_policy_enabled ? 1 : 0 + data "aws_iam_policy_document" "NAME" { + count = local.NAME_policy_enabled ? 1 : 0 + + # Define the policy here + } + ``` - # Define the policy here - } - ``` + Note that you can also add input variables and outputs to this file if desired. Just make sure that all inputs are + optional. - Note that you can also add input variables and outputs to this file if desired. Just make sure that all inputs are optional. 4. Create a file named `additional-policy-map_override.tf` in the component directory (if it does not already exist). This is a [terraform override file](https://developer.hashicorp.com/terraform/language/files/override), meaning its - contents will be merged with the main terraform file, and any locals defined in it will override locals defined in other files. 
- Having your code in this separate override file makes it possible for the component to provide a placeholder local variable - so that it works without customization, while allowing you to customize the component and still update it without losing your customizations. + contents will be merged with the main terraform file, and any locals defined in it will override locals defined in + other files. Having your code in this separate override file makes it possible for the component to provide a + placeholder local variable so that it works without customization, while allowing you to customize the component and + still update it without losing your customizations. 5. In that file, redefine the local variable `overridable_additional_custom_policy_map` map as follows: ```hcl @@ -153,15 +157,18 @@ There are two methods for adding custom policies to the IAM role. } ``` - If you have multiple custom policies, using just this one file, add each policy document to the map in the form `NAME = local.NAME_policy`. + If you have multiple custom policies, using just this one file, add each policy document to the map in the form + `NAME = local.NAME_policy`. + 6. With that done, you can now attach that policy by adding the name to the `iam_policies` list. For example: - ```yaml - iam_policies: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "NAME" - ``` + ```yaml + iam_policies: + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "NAME" + ``` + ## Requirements 
@@ -232,8 +239,11 @@ There are two methods for adding custom policies to the IAM role. | [github\_actions\_iam\_role\_arn](#output\_github\_actions\_iam\_role\_arn) | ARN of IAM role for GitHub Actions | | [github\_actions\_iam\_role\_name](#output\_github\_actions\_iam\_role\_name) | Name of IAM role for GitHub Actions | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-oidc-role) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-oidc-role) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/github-runners/README.md b/modules/github-runners/README.md index 933199baa..90fe4d50a 100644 --- a/modules/github-runners/README.md +++ b/modules/github-runners/README.md @@ -2,12 +2,11 @@ This component is responsible for provisioning EC2 instances for GitHub runners. -:::info -We also have a similar component based on [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) for Kubernetes. +:::info We also have a similar component based on +[actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) for Kubernetes. ::: - ## Requirements ## Usage 
@@ -68,21 +67,27 @@ components: Prior to deployment, the API Token must exist in SSM. -To generate the token, please follow [these instructions](https://cloudposse.atlassian.net/l/c/N4dH05ud). Once generated, write the API token to the SSM key store at the following location within the same AWS account and region where the GitHub Actions runner pool will reside. +To generate the token, please follow [these instructions](https://cloudposse.atlassian.net/l/c/N4dH05ud). Once +generated, write the API token to the SSM key store at the following location within the same AWS account and region +where the GitHub Actions runner pool will reside. ``` assume-role chamber write github/runners/ registration-token ghp_secretstring ``` - ## Background ### Registration -Github Actions Self-Hosted runners can be scoped to the Github Organization, a Single Repository, or a group of Repositories (Github Enterprise-Only). Upon startup, each runner uses a `REGISTRATION_TOKEN` to call the Github API to register itself with the Organization, Repository, or Runner Group (Github Enterprise). + +Github Actions Self-Hosted runners can be scoped to the Github Organization, a Single Repository, or a group of +Repositories (Github Enterprise-Only). Upon startup, each runner uses a `REGISTRATION_TOKEN` to call the Github API to +register itself with the Organization, Repository, or Runner Group (Github Enterprise). ### Running Workflows -Once a Self-Hosted runner is registered, you will have to update your workflow with the `runs-on` attribute specify it should run on a self-hosted runner: + +Once a Self-Hosted runner is registered, you will have to update your workflow with the `runs-on` attribute specify it +should run on a self-hosted runner: ``` name: Test Self Hosted Runners 
@@ -95,11 +100,25 @@ jobs: ``` ### Workflow Github Permissions (GITHUB_TOKEN) -Each run of the Github Actions Workflow is assigned a GITHUB_TOKEN, which allows your workflow to perform actions against Github itself such as cloning a repo, updating the checks API status, etc., and expires at the end of the workflow run. The GITHUB_TOKEN has two permission "modes" it can operate in `Read and write permissions` ("Permissive" or "Full Access") and `Read repository contents permission` ("Restricted" or "Read-Only"). By default, the GITHUB_TOKEN is granted Full Access permissions, but you can change this via the Organization or Repo settings. If you opt for the Read-Only permissions, you can optionally grant or revoke access to specific APIs via the workflow `yaml` file and a full list of APIs that can be accessed can be found in the [documentation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) and is shown below in the table. It should be noted that the downside to this permissions model is that any user with write access to the repository can escalate permissions for the workflow by updating the `yaml` file, however, the APIs available via this token are limited. Most notably the GITHUB_TOKEN does not have access to the `users`, `repos`, `apps`, `billing`, or `collaborators` APIs, so the tokens do not have access to modify sensitive settings or add/remove users from the Organization/Repository. + +Each run of the Github Actions Workflow is assigned a GITHUB_TOKEN, which allows your workflow to perform actions +against Github itself such as cloning a repo, updating the checks API status, etc., and expires at the end of the +workflow run. The GITHUB_TOKEN has two permission "modes" it can operate in `Read and write permissions` ("Permissive" +or "Full Access") and `Read repository contents permission` ("Restricted" or "Read-Only"). 
By default, the GITHUB_TOKEN +is granted Full Access permissions, but you can change this via the Organization or Repo settings. If you opt for the +Read-Only permissions, you can optionally grant or revoke access to specific APIs via the workflow `yaml` file and a +full list of APIs that can be accessed can be found in the +[documentation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +and is shown below in the table. It should be noted that the downside to this permissions model is that any user with +write access to the repository can escalate permissions for the workflow by updating the `yaml` file, however, the APIs +available via this token are limited. Most notably the GITHUB_TOKEN does not have access to the `users`, `repos`, +`apps`, `billing`, or `collaborators` APIs, so the tokens do not have access to modify sensitive settings or add/remove +users from the Organization/Repository.
> Example of using escalated permissions for the entire workflow + ``` name: Pull request labeler on: [ pull_request_target ] @@ -116,6 +135,7 @@ jobs: ``` > Example of using escalated permissions for a job + ``` name: Create issue on commit on: [ push ] @@ -139,10 +159,17 @@ jobs: ``` ### Pre-Requisites for Using This Component -In order to use this component, you will have to obtain the `REGISTRATION_TOKEN` mentioned above from your Github Organization or Repository and store it in SSM Parameter store. In addition, it is recommended that you set the permissions “mode” for Self-hosted runners to Read-Only. The instructions for doing both are below. + +In order to use this component, you will have to obtain the `REGISTRATION_TOKEN` mentioned above from your Github +Organization or Repository and store it in SSM Parameter store. In addition, it is recommended that you set the +permissions “mode” for Self-hosted runners to Read-Only. The instructions for doing both are below. #### Workflow Permissions -1. Browse to [https://github.com/organizations/{Org}/settings/actions](https://github.com/organizations/{Org}/settings/actions) (Organization) or [https://github.com/{Org}/{Repo}/settings/actions](https://github.com/{Org}/{Repo}/settings/actions) (Repository) + +1. Browse to + [https://github.com/organizations/{Org}/settings/actions](https://github.com/organizations/{Org}/settings/actions) + (Organization) or + [https://github.com/{Org}/{Repo}/settings/actions](https://github.com/{Org}/{Repo}/settings/actions) (Repository) 2. Set the default permissions for the GITHUB_TOKEN to Read Only 
@@ -150,16 +177,19 @@ In order to use this component, you will have to obtain the `REGISTRATION_TOKEN` ### Creating Registration Token -:::info -We highly recommend using a GitHub Application with the github-action-token-rotator module to generate the Registration Token. This will ensure that the token is rotated and that the token is stored in SSM Parameter Store encrypted with KMS. -::: +:::info We highly recommend using a GitHub Application with the github-action-token-rotator module to generate the +Registration Token. This will ensure that the token is rotated and that the token is stored in SSM Parameter Store +encrypted with KMS. ::: #### GitHub Application -Follow the quickstart with the upstream module, [cloudposse/terraform-aws-github-action-token-rotator](https://github.com/cloudposse/terraform-aws-github-action-token-rotator#quick-start), or follow the steps below. +Follow the quickstart with the upstream module, +[cloudposse/terraform-aws-github-action-token-rotator](https://github.com/cloudposse/terraform-aws-github-action-token-rotator#quick-start), +or follow the steps below. 1. Create a new GitHub App 1. Add the following permission: + ```diff # Required Permissions for Repository Runners: ## Repository Permissions 
@@ -175,13 +205,17 @@ Follow the quickstart with the upstream module, [cloudposse/terraform-aws-github ## Organization Permissions + Self-hosted runners (read / write) ``` + 1. Generate a Private Key -If you are working with Cloud Posse, upload this Private Key, GitHub App ID, and Github App Installation ID to 1Password and skip the rest. Otherwise, complete the private key setup in `core--auto`. +If you are working with Cloud Posse, upload this Private Key, GitHub App ID, and Github App Installation ID to 1Password +and skip the rest. Otherwise, complete the private key setup in `core--auto`. -1. Convert the private key to a PEM file using the following command: `openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in {DOWNLOADED_FILE_NAME}.pem -out private-key-pkcs8.key` +1. Convert the private key to a PEM file using the following command: + `openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in {DOWNLOADED_FILE_NAME}.pem -out private-key-pkcs8.key` 1. Upload PEM file key to the specified ssm path: `/github/runners/acme/private-key` in `core--auto` -1. Create another sensitive SSM parameter `/github/runners/acme/registration-token` in `core--auto` with any basic value, such as "foo". This will be overwritten by the rotator. +1. Create another sensitive SSM parameter `/github/runners/acme/registration-token` in `core--auto` with + any basic value, such as "foo". This will be overwritten by the rotator. 1. Update the GitHub App ID and Installation ID in the `github-action-token-rotator` catalog. :::info 
@@ -191,40 +225,56 @@ If you change the Private Key saved in SSM, redeploy `github-action-token-rotato ::: #### (ClickOps) Obtain the Runner Registration Token -1. Browse to [https://github.com/organizations/{Org}/settings/actions/runners](https://github.com/organizations/{Org}/settings/actions/runners) (Organization) or [https://github.com/{Org}/{Repo}/settings/actions/runners](https://github.com/{Org}/{Repo}/settings/actions/runners) (Repository) + +1. Browse to + [https://github.com/organizations/{Org}/settings/actions/runners](https://github.com/organizations/{Org}/settings/actions/runners) + (Organization) or + [https://github.com/{Org}/{Repo}/settings/actions/runners](https://github.com/{Org}/{Repo}/settings/actions/runners) + (Repository) 2. Click the **New Runner** button (Organization) or **New Self Hosted Runner** button (Repository) -3. Copy the Github Runner token from the next screen. Note that this is the only time you will see this token. Note that if you exit the `New {Self Hosted} Runner` screen and then later return by clicking the `New {Self Hosted} Runner` button again, the registration token will be invalidated and a new token will be generated. +3. Copy the Github Runner token from the next screen. Note that this is the only time you will see this token. Note that + if you exit the `New {Self Hosted} Runner` screen and then later return by clicking the `New {Self Hosted} Runner` + button again, the registration token will be invalidated and a new token will be generated.
-4. Add the `REGISTRATION_TOKEN` to the `/github/token` SSM parameter in the account where Github runners are hosted (usually `automation`), encrypted with KMS. +4. Add the `REGISTRATION_TOKEN` to the `/github/token` SSM parameter in the account where Github runners are hosted + (usually `automation`), encrypted with KMS. ``` chamber write github token ``` - # FAQ ## The GitHub Registration Token is not updated in SSM -The `github-action-token-rotator` runs an AWS Lambda function every 30 minutes. This lambda will attempt to use a private key in its environment configuration to generate a GitHub Registration Token, and then store that token to AWS SSM Parameter Store. +The `github-action-token-rotator` runs an AWS Lambda function every 30 minutes. This lambda will attempt to use a +private key in its environment configuration to generate a GitHub Registration Token, and then store that token to AWS +SSM Parameter Store. -If the GitHub Registration Token parameter, `/github/runners/acme/registration-token`, is not updated, read through the following tips: +If the GitHub Registration Token parameter, `/github/runners/acme/registration-token`, is not updated, read through the +following tips: -1. The private key is stored at the given parameter path: `parameter_store_private_key_path: /github/runners/acme/private-key` -1. The private key is Base 64 encoded. If you pull the key from SSM and decode it, it should begin with `-----BEGIN PRIVATE KEY-----` -1. If the private key has changed, you must _redeploy_ `github-action-token-rotator`. Run a plan against the component to make sure there are not changes required. +1. The private key is stored at the given parameter path: + `parameter_store_private_key_path: /github/runners/acme/private-key` +1. The private key is Base 64 encoded. If you pull the key from SSM and decode it, it should begin with + `-----BEGIN PRIVATE KEY-----` +1. If the private key has changed, you must _redeploy_ `github-action-token-rotator`. 
Run a plan against the component + to make sure there are not changes required. ## The GitHub Registration Token is valid, but the Runners are not registering with GitHub -If you first deployed the `github-action-token-rotator` component initally with an invalid configuration and then deployed the `github-runners` component, the instance runners will have failed to register with GitHub. +If you first deployed the `github-action-token-rotator` component initally with an invalid configuration and then +deployed the `github-runners` component, the instance runners will have failed to register with GitHub. -After you correct `github-action-token-rotator` and have a valid GitHub Registration Token in SSM, _destroy and recreate_ the `github-runners` component. +After you correct `github-action-token-rotator` and have a valid GitHub Registration Token in SSM, _destroy and +recreate_ the `github-runners` component. -If you cannot see the runners registered in GitHub, check the system logs on one of EC2 Instances in AWS in `core--auto`. +If you cannot see the runners registered in GitHub, check the system logs on one of EC2 Instances in AWS in +`core--auto`. ## I cannot assume the role from GitHub Actions after deploying 
@@ -234,16 +284,16 @@ The following error is very common if the GitHub workflow is missing proper perm Error: User: arn:aws:sts::***:assumed-role/acme-core-use1-auto-actions-runner@actions-runner-system/token-file-web-identity is not authorized to perform: sts:TagSession on resource: arn:aws:iam::999999999999:role/acme-plat-use1-dev-gha ``` -In order to use a web identity, GitHub Action pipelines must have the following permission. -See [GitHub Action documentation for more](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings). +In order to use a web identity, GitHub Action pipelines must have the following permission. See +[GitHub Action documentation for more](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#adding-permissions-settings). ```yaml permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout ``` - + ## Requirements 
@@ -353,17 +403,20 @@ permissions: | [iam\_role\_arn](#output\_iam\_role\_arn) | The ARN of the IAM role associated with the Autoscaling Group | | [ssm\_document\_arn](#output\_ssm\_document\_arn) | The ARN of the SSM document. | - + ## FAQ ### Can we scope it to a github org with both private and public repos ? -Yes but this requires Github Enterprise Cloud and the usage of runner groups to scope permissions of runners to specific repos. If you set the scope to the entire org without runner groups and if the org has both public and private repos, then the risk of using a self-hosted runner incorrectly is a vulnerability within public repos. +Yes but this requires Github Enterprise Cloud and the usage of runner groups to scope permissions of runners to specific +repos. If you set the scope to the entire org without runner groups and if the org has both public and private repos, +then the risk of using a self-hosted runner incorrectly is a vulnerability within public repos. [https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups) -If you do not have github enterprise cloud and runner groups cannot be utilized, then it’s best to create new github runners per repo or use the summerwind action-runners-controller via a Github App to set the scope to specific repos. +If you do not have github enterprise cloud and runner groups cannot be utilized, then it’s best to create new github +runners per repo or use the summerwind action-runners-controller via a Github App to set the scope to specific repos. ### How can we see the current spot pricing? 
@@ -371,19 +424,27 @@ Go to [ec2instances.info](http://ec2instances.info/) ### If we don’t use mixed at all does that mean we can’t do spot? -It’s possible to do spot without using mixed instances but you leave yourself open to zero instance availability with a single instance type. +It’s possible to do spot without using mixed instances but you leave yourself open to zero instance availability with a +single instance type. -For example, if you wanted to use spot and use `t3.xlarge` in `us-east-2` and for some reason, AWS ran out of `t3.xlarge`, you wouldn't have the option to choose another instance type and so all the GitHub Action runs would stall until availability returned. If you use on-demand pricing, it’s more expensive, but you’re more likely to get scheduling priority. For guaranteed availability, reserved instances are required. +For example, if you wanted to use spot and use `t3.xlarge` in `us-east-2` and for some reason, AWS ran out of +`t3.xlarge`, you wouldn't have the option to choose another instance type and so all the GitHub Action runs would stall +until availability returned. If you use on-demand pricing, it’s more expensive, but you’re more likely to get scheduling +priority. For guaranteed availability, reserved instances are required. ### Do the overrides apply to both the on-demand and the spot instances, or only the spot instances? -Since the overrides affect the launch template, I believe they will affect both spot instances and override since weighted capacity can be set for either or. The override terraform option is on the ASG’s `launch_template` +Since the overrides affect the launch template, I believe they will affect both spot instances and override since +weighted capacity can be set for either or. The override terraform option is on the ASG’s `launch_template` -> List of nested arguments provides the ability to specify multiple instance types. This will override the same parameter in the launch template. 
For on-demand instances, Auto Scaling considers the order of preference of instance types to launch based on the order specified in the overrides list. Defined below. -And in the terraform resource for `instances_distribution` +> List of nested arguments provides the ability to specify multiple instance types. This will override the same +> parameter in the launch template. For on-demand instances, Auto Scaling considers the order of preference of instance +> types to launch based on the order specified in the overrides list. Defined below. And in the terraform resource for +> `instances_distribution` -> `spot_max_price` - (Optional) Maximum price per unit hour that the user is willing to pay for the Spot instances. Default: an empty string which means the on-demand price. -For a `mixed_instances_policy`, this will do purely on-demand +> `spot_max_price` - (Optional) Maximum price per unit hour that the user is willing to pay for the Spot instances. +> Default: an empty string which means the on-demand price. For a `mixed_instances_policy`, this will do purely +> on-demand ``` mixed_instances_policy: @@ -405,7 +466,8 @@ This will always do spot unless instances are unavailable, then switch to on-dem spot_max_price: 0.05 ``` -If you want a single instance type, you could still use the mixed instances policy to define that like above, or you can use these other inputs and comment out the `mixed_instances_policy` +If you want a single instance type, you could still use the mixed instances policy to define that like above, or you can +use these other inputs and comment out the `mixed_instances_policy` ``` instance_type: "t3.xlarge" 
@@ -422,13 +484,14 @@ If you want a single instance type, you could still use the mixed instances poli The `overrides` will override the `instance_type` above. +## References +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-runners) - + Cloud Posse's upstream component +- [AWS: Auto Scaling groups with multiple instance types and purchase options](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html) +- [InstancesDistribution](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_InstancesDistribution.html) -## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/github-runners) - Cloud Posse's upstream component -* [AWS: Auto Scaling groups with multiple instance types and purchase options](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html) -* [InstancesDistribution](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_InstancesDistribution.html) -- [MixedInstancesPolicy](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_MixedInstancesPolicy.html) -- [Terraform ASG `Override` Attribute](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#override) +* [MixedInstancesPolicy](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_MixedInstancesPolicy.html) +* [Terraform ASG `Override` Attribute](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#override) [](https://cpco.io/component) diff --git a/modules/github-webhook/README.md b/modules/github-webhook/README.md index 4f2afc916..74b5e13f1 100644 --- a/modules/github-webhook/README.md +++ b/modules/github-webhook/README.md 
@@ -2,7 +2,8 @@ This component provisions a GitHub webhook for a single GitHub repository. -You may want to use this component if you are provisioning webhooks for multiple ArgoCD deployment repositories across GitHub organizations. +You may want to use this component if you are provisioning webhooks for multiple ArgoCD deployment repositories across +GitHub organizations. ## Usage @@ -65,11 +66,13 @@ components: webhook_github_secret: "abcdefg" ``` - ### ArgoCD Webhooks -For usage with the `eks/argocd` component, see [Creating Webhooks with `github-webhook`](https://github.com/cloudposse/terraform-aws-components/blob/main/modules/eks/argocd/README.md#creating-webhooks-with-github-webhook) in that component's README. +For usage with the `eks/argocd` component, see +[Creating Webhooks with `github-webhook`](https://github.com/cloudposse/terraform-aws-components/blob/main/modules/eks/argocd/README.md#creating-webhooks-with-github-webhook) +in that component's README. + ## Requirements @@ -141,8 +144,11 @@ For usage with the `eks/argocd` component, see [Creating Webhooks with `github-w No outputs. + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components) - Cloud Posse's upstream components + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components) - Cloud Posse's upstream + components [](https://cpco.io/component) diff --git a/modules/gitops/README.md b/modules/gitops/README.md index f5d189c0e..58a0a9404 100644 --- a/modules/gitops/README.md +++ b/modules/gitops/README.md 
@@ -1,10 +1,11 @@ # Component: `gitops` -This component is used to deploy GitHub OIDC roles for accessing the `gitops` Team. We use this team to run Terraform from GitHub Actions. +This component is used to deploy GitHub OIDC roles for accessing the `gitops` Team. We use this team to run Terraform +from GitHub Actions. Examples: -* [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage/blob/main/.github/workflows/build-and-test.yml) +- [cloudposse/github-action-terraform-plan-storage](https://github.com/cloudposse/github-action-terraform-plan-storage/blob/main/.github/workflows/build-and-test.yml) ## Usage @@ -45,13 +46,14 @@ components: vars: enabled: true github_actions_iam_role_enabled: true - github_actions_iam_role_attributes: [ "gitops" ] + github_actions_iam_role_attributes: ["gitops"] github_actions_allowed_repos: - "acmeOrg/infra" s3_bucket_component_name: gitops/s3-bucket dynamodb_component_name: gitops/dynamodb ``` + ## Requirements @@ -122,9 +124,11 @@ components: | [github\_actions\_iam\_role\_arn](#output\_github\_actions\_iam\_role\_arn) | ARN of IAM role for GitHub Actions | | [github\_actions\_iam\_role\_name](#output\_github\_actions\_iam\_role\_name) | Name of IAM role for GitHub Actions | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/gitops) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/gitops) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/global-accelerator-endpoint-group/README.md b/modules/global-accelerator-endpoint-group/README.md index 4a7e9f647..fcbedd063 100644 --- a/modules/global-accelerator-endpoint-group/README.md +++ b/modules/global-accelerator-endpoint-group/README.md 
@@ -2,7 +2,8 @@ This component is responsible for provisioning a Global Accelerator Endpoint Group. -This component assumes that the `global-accelerator` component has already been deployed to the same account in the environment specified by `var.global_accelerator_environment_name`. +This component assumes that the `global-accelerator` component has already been deployed to the same account in the +environment specified by `var.global_accelerator_environment_name`. ## Usage @@ -21,6 +22,7 @@ components: - endpoint_lb_name: my-load-balancer ``` + ## Requirements @@ -78,10 +80,11 @@ No resources. |------|-------------| | [id](#output\_id) | The ID of the Global Accelerator Endpoint Group. | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/global-accelerator-endpoint-group) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/global-accelerator-endpoint-group) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/global-accelerator/README.md b/modules/global-accelerator/README.md index e1bdc94e4..f76093e40 100644 --- a/modules/global-accelerator/README.md +++ b/modules/global-accelerator/README.md @@ -25,6 +25,7 @@ global-accelerator: to_port: 443 ``` + ## Requirements @@ -90,10 +91,11 @@ No resources. | [name](#output\_name) | Name of the Global Accelerator. | | [static\_ips](#output\_static\_ips) | Global Static IPs owned by the Global Accelerator. | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/global-accelerator) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/global-accelerator) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/glue/catalog-database/README.md b/modules/glue/catalog-database/README.md index 5f2711f84..9ed139442 100644 --- a/modules/glue/catalog-database/README.md +++ b/modules/glue/catalog-database/README.md @@ -23,6 +23,7 @@ components: - "ALL" ``` + ## Requirements @@ -95,9 +96,11 @@ components: | [catalog\_database\_id](#output\_catalog\_database\_id) | Catalog database ID | | [catalog\_database\_name](#output\_catalog\_database\_name) | Catalog database name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/catalog-database) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/catalog-database) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/catalog-table/README.md b/modules/glue/catalog-table/README.md index 1da4ce397..2dbff5cf5 100644 --- a/modules/glue/catalog-table/README.md +++ b/modules/glue/catalog-table/README.md @@ -25,6 +25,7 @@ components: location: "s3://awsglue-datasets/examples/medicare/Medicare_Hospital_Provider.csv" ``` + ## Requirements @@ -105,9 +106,11 @@ components: | [catalog\_table\_id](#output\_catalog\_table\_id) | Catalog table ID | | [catalog\_table\_name](#output\_catalog\_table\_name) | Catalog table name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/catalog-table) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/catalog-table) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/connection/README.md b/modules/glue/connection/README.md index 3b7adff52..082197fd3 100644 --- a/modules/glue/connection/README.md +++ b/modules/glue/connection/README.md 
@@ -25,6 +25,7 @@ components: vpc_component_name: "vpc" ``` + ## Requirements @@ -114,9 +115,11 @@ components: | [security\_group\_id](#output\_security\_group\_id) | The ID of the Security Group associated with the Glue connection | | [security\_group\_name](#output\_security\_group\_name) | The name of the Security Group and associated with the Glue connection | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/connection) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/connection) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/crawler/README.md b/modules/glue/crawler/README.md index b551ad2db..9395b5eb1 100644 --- a/modules/glue/crawler/README.md +++ b/modules/glue/crawler/README.md @@ -28,6 +28,7 @@ components: update_behavior: null ``` + ## Requirements @@ -107,9 +108,11 @@ No resources. | [crawler\_id](#output\_crawler\_id) | Crawler ID | | [crawler\_name](#output\_crawler\_name) | Crawler name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/crawler) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/crawler) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/iam/README.md b/modules/glue/iam/README.md index 737da185f..6de843fc5 100644 --- a/modules/glue/iam/README.md +++ b/modules/glue/iam/README.md @@ -21,6 +21,7 @@ components: - "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole" ``` + ## Requirements 
@@ -81,9 +82,11 @@ No resources. | [role\_id](#output\_role\_id) | The ID of the Glue role | | [role\_name](#output\_role\_name) | The name of the Glue role | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/iam) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/iam) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/job/README.md b/modules/glue/job/README.md index b81d700df..edfe7f946 100644 --- a/modules/glue/job/README.md +++ b/modules/glue/job/README.md @@ -28,6 +28,7 @@ components: glue_job_command_python_version: 3 ``` + ## Requirements @@ -114,9 +115,11 @@ components: | [job\_id](#output\_job\_id) | Glue job ID | | [job\_name](#output\_job\_name) | Glue job name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/job) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/job) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/registry/README.md b/modules/glue/registry/README.md index f87f9a8e7..0fa49a243 100644 --- a/modules/glue/registry/README.md +++ b/modules/glue/registry/README.md @@ -19,6 +19,7 @@ components: registry_description: "Glue registry example" ``` + ## Requirements 
@@ -78,9 +79,11 @@ No resources. | [registry\_id](#output\_registry\_id) | Glue registry ID | | [registry\_name](#output\_registry\_name) | Glue registry name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/registry) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/registry) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/schema/README.md b/modules/glue/schema/README.md index 1dc77e5b0..82a58c1fe 100644 --- a/modules/glue/schema/README.md +++ b/modules/glue/schema/README.md @@ -21,6 +21,7 @@ components: glue_registry_component_name: "glue/registry/example" ``` + ## Requirements @@ -89,9 +90,11 @@ No resources. | [schema\_id](#output\_schema\_id) | Glue schema ID | | [schema\_name](#output\_schema\_name) | Glue schema name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/schema) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/schema) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/trigger/README.md b/modules/glue/trigger/README.md index 88ba77a41..e692e2aa5 100644 --- a/modules/glue/trigger/README.md +++ b/modules/glue/trigger/README.md @@ -26,6 +26,7 @@ components: type: SCHEDULED ``` + ## Requirements 
@@ -97,9 +98,11 @@ No resources. | [trigger\_id](#output\_trigger\_id) | Glue trigger ID | | [trigger\_name](#output\_trigger\_name) | Glue trigger name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/trigger) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/trigger) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/glue/workflow/README.md b/modules/glue/workflow/README.md index 77ebe4235..d6adadd7a 100644 --- a/modules/glue/workflow/README.md +++ b/modules/glue/workflow/README.md @@ -19,6 +19,7 @@ components: workflow_description: "Glue workflow example" ``` + ## Requirements @@ -80,9 +81,11 @@ No resources. | [workflow\_id](#output\_workflow\_id) | Glue workflow ID | | [workflow\_name](#output\_workflow\_name) | Glue workflow name | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/workflow) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/glue/workflow) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/guardduty/README.md b/modules/guardduty/README.md index 1cfaf66c0..199691f33 100644 --- a/modules/guardduty/README.md +++ b/modules/guardduty/README.md 
@@ -45,18 +45,18 @@ with an additional layer of security to proactively identify and respond to pote This component is complex in that it must be deployed multiple times with different variables set to configure the AWS Organization successfully. -It is further complicated by the fact that you must deploy each of the the component instances described below to -every region that existed before March 2019 and to any regions that have been opted-in as described in the [AWS -Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions). +It is further complicated by the fact that you must deploy each of the the component instances described below to every +region that existed before March 2019 and to any regions that have been opted-in as described in the +[AWS Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions). In the examples below, we assume that the AWS Organization Management account is `root` and the AWS Organization Delegated Administrator account is `security`, both in the `core` tenant. ### Deploy to Delegated Admininstrator Account -First, the component is deployed to the [Delegated -Admininstrator](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) account in each region in -order to configure the central GuardDuty detector that each account will send its findings to. +First, the component is deployed to the +[Delegated Admininstrator](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) account in each +region in order to configure the central GuardDuty detector that each account will send its findings to. ```yaml # core-ue1-security 
@@ -115,9 +115,9 @@ atmos terraform apply guardduty/root/uw1 -s core-uw1-root ### Deploy Organization Settings in Delegated Administrator Account -Finally, the component is deployed to the Delegated Administrator Account again in order to create the -organization-wide configuration for the AWS Organization, but with `var.admin_delegated` set to `true` to indicate that -the delegation has already been performed from the Organization Management account. +Finally, the component is deployed to the Delegated Administrator Account again in order to create the organization-wide +configuration for the AWS Organization, but with `var.admin_delegated` set to `true` to indicate that the delegation has +already been performed from the Organization Management account. ```yaml # core-ue1-security @@ -141,6 +141,7 @@ atmos terraform apply guardduty/org-settings/uw1 -s core-uw1-security # ... other regions ``` + ## Requirements @@ -228,6 +229,7 @@ atmos terraform apply guardduty/org-settings/uw1 -s core-uw1-security | [sns\_topic\_name](#output\_sns\_topic\_name) | The name of the SNS topic created by the component | | [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | The SNS topic subscriptions created by the component | + ## References diff --git a/modules/iam-role/README.md b/modules/iam-role/README.md index 7a2c83e96..9976affcf 100644 --- a/modules/iam-role/README.md +++ b/modules/iam-role/README.md @@ -1,6 +1,7 @@ # Component: `iam-role` -This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired then it is better to use a separate component specific to that role. +This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired +then it is better to use a separate component specific to that role. ## Usage 
@@ -28,7 +29,7 @@ Use-case: An IAM role for AWS Workspaces Directory since this service does not h ```yaml # stacks/catalog/aws-workspaces/directory/iam-role.yaml import: -- catalog/iam-role + - catalog/iam-role components: terraform: @@ -57,6 +58,7 @@ components: - arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess ``` + ## Requirements @@ -126,9 +128,11 @@ No resources. |------|-------------| | [role](#output\_role) | IAM role module outputs | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-role) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-role) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/iam-service-linked-roles/README.md b/modules/iam-service-linked-roles/README.md index f5236791c..b36f0f4f0 100644 --- a/modules/iam-service-linked-roles/README.md +++ b/modules/iam-service-linked-roles/README.md @@ -1,6 +1,7 @@ # Component: `iam-service-linked-roles` -This component is responsible for provisioning [IAM Service-Linked Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html). +This component is responsible for provisioning +[IAM Service-Linked Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html). ## Usage 
@@ -26,16 +27,15 @@ components: ## Service-Linked Roles for EC2 Spot and EC2 Spot Fleet -__Note:__ If you want to use EC2 Spot or Spot Fleet, -you will need to provision the following Service-Linked Roles: +**Note:** If you want to use EC2 Spot or Spot Fleet, you will need to provision the following Service-Linked Roles: - Service-Linked Role for EC2 Spot - Service-Linked Role for EC2 Spot Fleet This is only necessary if this is the first time you're using EC2 Spot and Spot Fleet in the account. -Note that if the Service-Linked Roles already exist in the AWS account (if you used EC2 Spot or Spot Fleet before), -and you try to provision them again, you will see the following errors: +Note that if the Service-Linked Roles already exist in the AWS account (if you used EC2 Spot or Spot Fleet before), and +you try to provision them again, you will see the following errors: ```text An error occurred (InvalidInput) when calling the CreateServiceLinkedRole operation: @@ -46,10 +46,11 @@ Service role name AWSServiceRoleForEC2SpotFleet has been taken in this account, ``` For more details, see: + - https://docs.aws.amazon.com/batch/latest/userguide/spot_fleet_IAM_role.html - https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html - + ## Requirements @@ -108,8 +109,11 @@ For more details, see: |------|-------------| | [service\_linked\_roles](#output\_service\_linked\_roles) | Provisioned Service-Linked roles | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-service-linked-roles) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/iam-service-linked-roles) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/ipam/README.md b/modules/ipam/README.md index a26449820..a9b590df5 100644 --- a/modules/ipam/README.md 
+++ b/modules/ipam/README.md @@ -47,6 +47,7 @@ components: ram_share_accounts: [plat-sandbox] ``` + ## Requirements @@ -119,10 +120,11 @@ components: |------|-------------| | [pool\_configurations](#output\_pool\_configurations) | Pool configurations | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/kinesis-stream/README.md b/modules/kinesis-stream/README.md index 72dc6734c..495403606 100644 --- a/modules/kinesis-stream/README.md +++ b/modules/kinesis-stream/README.md @@ -24,12 +24,11 @@ components: tags: Team: sre Service: kinesis-stream - ``` ```yaml import: -- catalog/kinesis-stream/defaults + - catalog/kinesis-stream/defaults components: terraform: @@ -45,6 +44,7 @@ components: kms_key_id: "alias/aws/kinesis" ``` + ## Requirements @@ -109,8 +109,11 @@ No resources. | [shard\_count](#output\_shard\_count) | Number of shards provisioned. | | [stream\_arn](#output\_stream\_arn) | ARN of the the Kinesis stream. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/kinesis-stream) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/kinesis-stream) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/lakeformation/README.md b/modules/lakeformation/README.md index 8c1278ed8..2c43b8d5a 100644 --- a/modules/lakeformation/README.md +++ b/modules/lakeformation/README.md 
@@ -8,7 +8,8 @@ This component is responsible for provisioning Amazon Lake Formation resources. Here are some example snippets for how to use this component: -`stacks/catalog/lakeformation/defaults.yaml` file (base component for all lakeformation deployments with default settings): +`stacks/catalog/lakeformation/defaults.yaml` file (base component for all lakeformation deployments with default +settings): ```yaml components: @@ -28,7 +29,7 @@ components: ```yaml import: -- catalog/lakeformation/defaults + - catalog/lakeformation/defaults components: terraform: @@ -54,6 +55,7 @@ components: left: test1 ``` + ## Requirements @@ -123,8 +125,11 @@ components: |------|-------------| | [lf\_tags](#output\_lf\_tags) | List of LF tags created. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/lakeformation) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/lakeformation) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/lambda/README.md b/modules/lambda/README.md index 310a65d03..34eaf24cf 100644 --- a/modules/lambda/README.md +++ b/modules/lambda/README.md @@ -7,6 +7,7 @@ This component is responsible for provisioning Lambda functions. **Stack Level**: Regional Stack configuration for defaults: + ```yaml components: terraform: @@ -21,6 +22,7 @@ components: ``` Sample App Yaml Entry: + ```yaml import: - catalog/lambda/defaults @@ -74,7 +76,7 @@ components: # s3_key: hello-world-go.zip ``` - + ## Requirements 
@@ -186,9 +188,11 @@ components: | [role\_arn](#output\_role\_arn) | Lambda IAM role ARN | | [role\_name](#output\_role\_name) | Lambda IAM role name | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/macie/README.md b/modules/macie/README.md index 3bf9b211a..ecf61acb4 100644 --- a/modules/macie/README.md +++ b/modules/macie/README.md @@ -36,9 +36,9 @@ Delegated Administrator account is `security`, both in the `core` tenant. ### Deploy to Delegated Administrator Account -First, the component is deployed to the [Delegated -Administrator](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-ao-integrate.html) account to configure the -central Macie account∑. +First, the component is deployed to the +[Delegated Administrator](https://docs.aws.amazon.com/macie/latest/user/accounts-mgmt-ao-integrate.html) account to +configure the central Macie account∑. ```yaml # core-ue1-security 
@@ -63,9 +63,9 @@ atmos terraform apply macie/delegated-administrator -s core-ue1-security Next, the component is deployed to the AWS Organization Management, a/k/a `root`, Account in order to set the AWS Organization Designated Admininstrator account. -Note that you must `SuperAdmin` permissions as we are deploying to the AWS Organization Management account. Since -we are using the `SuperAdmin` user, it will already have access to the state bucket, so we set the `role_arn` of the -backend config to null and set `var.privileged` to `true`. +Note that you must `SuperAdmin` permissions as we are deploying to the AWS Organization Management account. Since we are +using the `SuperAdmin` user, it will already have access to the state bucket, so we set the `role_arn` of the backend +config to null and set `var.privileged` to `true`. ```yaml # core-ue1-root @@ -91,9 +91,9 @@ atmos terraform apply macie/root -s core-ue1-root ### Deploy Organization Settings in Delegated Administrator Account -Finally, the component is deployed to the Delegated Administrator Account again in order to create the -organization-wide configuration for the AWS Organization, but with `var.admin_delegated` set to `true` to indicate that -the delegation has already been performed from the Organization Management account. +Finally, the component is deployed to the Delegated Administrator Account again in order to create the organization-wide +configuration for the AWS Organization, but with `var.admin_delegated` set to `true` to indicate that the delegation has +already been performed from the Organization Management account. ```yaml # core-ue1-security @@ -114,6 +114,7 @@ components: atmos terraform apply macie/org-settings/ue1 -s core-ue1-security ``` + ## Requirements 
@@ -192,6 +193,7 @@ atmos terraform apply macie/org-settings/ue1 -s core-ue1-security | [macie\_service\_role\_arn](#output\_macie\_service\_role\_arn) | The Amazon Resource Name (ARN) of the service-linked role that allows Macie to monitor and analyze data in AWS resources for the account. | | [member\_account\_ids](#output\_member\_account\_ids) | The AWS Account IDs of the member accounts | + ## References diff --git a/modules/mq-broker/README.md b/modules/mq-broker/README.md index 2b7317c38..bd763ca48 100644 --- a/modules/mq-broker/README.md +++ b/modules/mq-broker/README.md @@ -27,6 +27,7 @@ components: use_aws_owned_key: true ``` + ## Requirements @@ -125,10 +126,11 @@ No resources. | [secondary\_stomp\_ssl\_endpoint](#output\_secondary\_stomp\_ssl\_endpoint) | AmazonMQ secondary STOMP+SSL endpoint | | [secondary\_wss\_endpoint](#output\_secondary\_wss\_endpoint) | AmazonMQ secondary WSS endpoint | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/mq-broker) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/mq-broker) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/msk/README.md b/modules/msk/README.md index f517bcf6b..6c4d8424a 100644 --- a/modules/msk/README.md +++ b/modules/msk/README.md @@ -1,7 +1,7 @@ # Component: `msk/cluster` -This component is responsible for provisioning [Amazon Managed Streaming](https://aws.amazon.com/msk/) -clusters for [Apache Kafka](https://aws.amazon.com/msk/what-is-kafka/). +This component is responsible for provisioning [Amazon Managed Streaming](https://aws.amazon.com/msk/) clusters for +[Apache Kafka](https://aws.amazon.com/msk/what-is-kafka/). ## Usage @@ -12,7 +12,6 @@ Here's an example snippet for how to use this component. ```yaml components: terraform: - msk: metadata: component: "msk" 
@@ -69,6 +68,7 @@ components: allowed_cidr_blocks: [] ``` + ## Requirements @@ -193,6 +193,7 @@ No resources. | [zookeeper\_connect\_string](#output\_zookeeper\_connect\_string) | Comma separated list of one or more hostname:port pairs to connect to the Apache Zookeeper cluster | | [zookeeper\_connect\_string\_tls](#output\_zookeeper\_connect\_string\_tls) | Comma separated list of one or more hostname:port pairs to connect to the Apache Zookeeper cluster via TLS | + ## References diff --git a/modules/mwaa/README.md b/modules/mwaa/README.md index 1cc7e069d..e8c816d16 100644 --- a/modules/mwaa/README.md +++ b/modules/mwaa/README.md @@ -14,9 +14,9 @@ Allows the Airflow UI to be access over the public internet to users granted acc Limits access to users within the VPC to users granted access by an IAM policy. -* MWAA creates a VPC interface endpoint for the Airflow webserver and an interface endpoint for the pgsql metadatabase. +- MWAA creates a VPC interface endpoint for the Airflow webserver and an interface endpoint for the pgsql metadatabase. - the endpoints are created in the AZs mapped to your private subnets -* MWAA binds an IP address from your private subnet to the interface endpoint +- MWAA binds an IP address from your private subnet to the interface endpoint ### Managing access to VPC endpoings on MWAA @@ -41,6 +41,7 @@ components: airflow_version: 2.0.2 ``` + ## Requirements 
@@ -144,10 +145,11 @@ components: | [tags\_all](#output\_tags\_all) | A map of tags assigned to the resource, including those inherited from the provider for the Amazon MWAA Environment | | [webserver\_url](#output\_webserver\_url) | The webserver URL of the Amazon MWAA Environment | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/network-firewall/README.md b/modules/network-firewall/README.md index f72db4820..a7fe6c867 100644 --- a/modules/network-firewall/README.md +++ b/modules/network-firewall/README.md @@ -11,10 +11,11 @@ Example of a Network Firewall with stateful 5-tuple rules: :::info -The "5-tuple" means the five items (columns) that each rule (row, or tuple) in a firewall policy uses to define whether to block or allow traffic: -source and destination IP, source and destination port, and protocol. +The "5-tuple" means the five items (columns) that each rule (row, or tuple) in a firewall policy uses to define whether +to block or allow traffic: source and destination IP, source and destination port, and protocol. -Refer to [Standard stateful rule groups in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-basic.html) +Refer to +[Standard stateful rule groups in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-basic.html) for more details. ::: 
@@ -90,10 +91,12 @@ Example of a Network Firewall with [Suricata](https://suricata.readthedocs.io/en :::info -For [Suricata](https://suricata.io/) rule group type, you provide match and action settings in a string, in a Suricata compatible specification. -The specification fully defines what the stateful rules engine looks for in a traffic flow and the action to take on the packets in a flow that matches the inspection criteria. +For [Suricata](https://suricata.io/) rule group type, you provide match and action settings in a string, in a Suricata +compatible specification. The specification fully defines what the stateful rules engine looks for in a traffic flow and +the action to take on the packets in a flow that matches the inspection criteria. -Refer to [Suricata compatible rule strings in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-suricata.html) +Refer to +[Suricata compatible rule strings in AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-suricata.html) for more details. ::: @@ -197,7 +200,6 @@ components: # https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-how-to-provide-rules.html rules_source: - # Suricata rules for the rule group # https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html # https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html @@ -233,6 +235,7 @@ components: pass ip any any <> any any ( msg: "Allow general traffic"; sid:10000; rev:1; ) ``` + ## Requirements @@ -312,6 +315,7 @@ No resources. | [network\_firewall\_policy\_name](#output\_network\_firewall\_policy\_name) | Network Firewall policy name | | [network\_firewall\_status](#output\_network\_firewall\_status) | Nested list of information about the current status of the Network Firewall | + ## References 
@@ -323,6 +327,7 @@ No resources. - [How to deploy AWS Network Firewall by using AWS Firewall Manager](https://aws.amazon.com/blogs/security/how-to-deploy-aws-network-firewall-by-using-aws-firewall-manager) - [A Deep Dive into AWS Transit Gateway](https://www.youtube.com/watch?v=a55Iud-66q0) - [Appliance in a shared services VPC](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html) -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/opsgenie-team/README.md b/modules/opsgenie-team/README.md index cdcd659ef..06ee77000 100644 --- a/modules/opsgenie-team/README.md +++ b/modules/opsgenie-team/README.md 
@@ -5,29 +5,32 @@ This component is responsible for provisioning Opsgenie teams and related servic ## Usage #### Pre-requisites -You need an API Key stored in `/opsgenie/opsgenie_api_key` of SSM, this is configurable using the `ssm_parameter_name_format` and `ssm_path` variables. -Opsgenie is now part of Atlassian, so you need to make sure you are creating -an Opsgenie API Key, which looks like `abcdef12-3456-7890-abcd-ef0123456789` -and not an Atlassian API key, which looks like +You need an API Key stored in `/opsgenie/opsgenie_api_key` of SSM, this is configurable using the +`ssm_parameter_name_format` and `ssm_path` variables. + +Opsgenie is now part of Atlassian, so you need to make sure you are creating an Opsgenie API Key, which looks like +`abcdef12-3456-7890-abcd-ef0123456789` and not an Atlassian API key, which looks like ```shell ATAfT3xFfGF0VFXAfl8EmQNPVv1Hlazp3wsJgTmM8Ph7iP-RtQyiEfw-fkDS2LvymlyUOOhc5XiSx46vQWnznCJolq-GMX4KzdvOSPhEWr-BF6LEkJQC4CSjDJv0N7d91-0gVekNmCD2kXY9haUHUSpO4H7X6QxyImUb9VmOKIWTbQi8rf4CF28=63CB21B9 ``` -Generate an API Key by going to Settings -> API key management on your Opsgenie -control panel, which will have an address like `https://.app.opsgenie.com/settings/api-key-management`, -and click the "Add new API key" button. For more information, see the +Generate an API Key by going to Settings -> API key management on your Opsgenie control panel, which will have an +address like `https://.app.opsgenie.com/settings/api-key-management`, and click the "Add new API key" button. +For more information, see the [Opsgenie API key management documentation](https://support.atlassian.com/opsgenie/docs/api-key-management/). 
-Once you have the key, you'll need to test it with a curl to verify that you are at least -on a Standard plan with OpsGenie: +Once you have the key, you'll need to test it with a curl to verify that you are at least on a Standard plan with +OpsGenie: + ``` curl -X GET 'https://api.opsgenie.com/v2/account' \ --header "Authorization: GenieKey $API_KEY" ``` The result should be something similar to below: + ``` { "data": { @@ -39,9 +42,8 @@ The result should be something similar to below: } ``` -If you see `Free` or `Essentials` in the plan, then you won't be able -to use this component. You can see more details here: -[OpsGenie pricing/features](https://www.atlassian.com/software/opsgenie/pricing#) +If you see `Free` or `Essentials` in the plan, then you won't be able to use this component. You can see more details +here: [OpsGenie pricing/features](https://www.atlassian.com/software/opsgenie/pricing#) #### Getting Started @@ -49,7 +51,8 @@ to use this component. You can see more details here: Here's an example snippet for how to use this component. -This component should only be applied once as the resources it creates are regional, but it works with integrations. This is typically done via the auto or corp stack (e.g. `gbl-auto.yaml`). +This component should only be applied once as the resources it creates are regional, but it works with integrations. +This is typically done via the auto or corp stack (e.g. `gbl-auto.yaml`). ```yaml # 9-5 Mon-Fri @@ -175,8 +178,8 @@ components: notify_type: default delay: 60 recipients: - - type: team - name: otherteam + - type: team + name: otherteam yaep_escalation: enabled: true @@ -187,8 +190,8 @@ components: notify_type: default delay: 90 recipients: - - type: user - name: user@example.com + - type: user + name: user@example.com schedule_escalation: enabled: true 
@@ -199,8 +202,8 @@ components: notify_type: default delay: 30 recipients: - - type: schedule - name: secondary_on_call + - type: schedule + name: secondary_on_call ``` The API keys relating to the Opsgenie Integrations are stored in SSM Parameter Store and can be accessed via chamber. @@ -210,13 +213,18 @@ AWS_PROFILE=foo chamber list opsgenie-team/ ``` ### ClickOps Work - - After deploying the opsgenie-team component the created team will have a schedule named after the team. This is purposely left to be clickOps’d so the UI can be used to set who is on call, as that is the usual way (not through code). Additionally, we do not want a re-apply of the Terraform to delete or shuffle who is planned to be on call, thus we left who is on-call on a schedule out of the component. + +- After deploying the opsgenie-team component the created team will have a schedule named after the team. This is + purposely left to be clickOps’d so the UI can be used to set who is on call, as that is the usual way (not through + code). Additionally, we do not want a re-apply of the Terraform to delete or shuffle who is planned to be on call, + thus we left who is on-call on a schedule out of the component. ## Known Issues ### Different API Endpoints in Use The problem is there are 3 different api endpoints in use + - `/webapp` - the most robust - only exposed to the UI (that we've seen) - `/v2/` - robust with some differences from `webapp` - `/v1/` - the oldest and furthest from the live UI. 
@@ -231,11 +239,11 @@ This module does not create users. Users must have already been created to be ad ### Cannot Add Stakeholders - - Track the issue: https://github.com/opsgenie/terraform-provider-opsgenie/issues/278 +- Track the issue: https://github.com/opsgenie/terraform-provider-opsgenie/issues/278 ### No Resource to create Slack Integration - - Track the issue: https://github.com/DataDog/terraform-provider-datadog/issues/67 +- Track the issue: https://github.com/DataDog/terraform-provider-datadog/issues/67 ### Out of Date Terraform Docs @@ -244,10 +252,12 @@ Another Problem is the terraform docs are not always up to date with the provide The OpsGenie Provider uses a mix of `/v1` and `/v2`. This means there are many things you can only do from the UI. Listed below in no particular order -- Incident Routing cannot add dependent services - in `v1` and `v2` a `service_incident_rule` object has `serviceId` as type string, in webapp this becomes `serviceIds` of type `list(string)` + +- Incident Routing cannot add dependent services - in `v1` and `v2` a `service_incident_rule` object has `serviceId` as + type string, in webapp this becomes `serviceIds` of type `list(string)` - Opsgenie Provider appears to be inconsistent with how it uses `time_restriction`: - - `restrictions` for type `weekday-and-time-of-day` - - `restriction` for type `time-of-day` + - `restrictions` for type `weekday-and-time-of-day` + - `restriction` for type `time-of-day` Unfortunately none of this is in the terraform docs, and was found via errors and digging through source code. 
@@ -259,24 +269,27 @@ We recommend to use the human readable timezone such as `Europe/London`. - Setting a schedule to a GMT-style timezone with offsets can cause inconsistent plans. - Setting the timezone to `Etc/GMT+1` instead of `Europe/London`, will lead to permadrift as OpsGenie converts the GMT offsets to regional timezones at deploy-time. In the previous deploy, the GMT style get converted to `Atlantic/Cape_Verde`. + Setting the timezone to `Etc/GMT+1` instead of `Europe/London`, will lead to permadrift as OpsGenie converts the GMT + offsets to regional timezones at deploy-time. In the previous deploy, the GMT style get converted to + `Atlantic/Cape_Verde`. - ```hcl - # module.routing["london_schedule"].module.team_routing_rule[0].opsgenie_team_routing_rule.this[0] will be updated in-place - ~ resource "opsgenie_team_routing_rule" "this" { - id = "4b4c4454-8ccf-41a9-b856-02bec6419ba7" - name = "london_schedule" - ~ timezone = "Atlantic/Cape_Verde" -> "Etc/GMT+1" - # (2 unchanged attributes hidden) - ``` + ```hcl + # module.routing["london_schedule"].module.team_routing_rule[0].opsgenie_team_routing_rule.this[0] will be updated in-place + ~ resource "opsgenie_team_routing_rule" "this" { + id = "4b4c4454-8ccf-41a9-b856-02bec6419ba7" + name = "london_schedule" + ~ timezone = "Atlantic/Cape_Verde" -> "Etc/GMT+1" + # (2 unchanged attributes hidden) + ``` - Some GMT styles will not cause a timezone change on subsequent applies such as `Etc/GMT+8` for `Asia/Taipei`. + Some GMT styles will not cause a timezone change on subsequent applies such as `Etc/GMT+8` for `Asia/Taipei`. -- If the calendar date has crossed daylight savings time, the `Etc/GMT+` GMT style will need to be updated to reflect the correct timezone. +- If the calendar date has crossed daylight savings time, the `Etc/GMT+` GMT style will need to be updated to reflect + the correct timezone. Track the issue: https://github.com/opsgenie/terraform-provider-opsgenie/issues/258 - + ## Requirements 
@@ -370,6 +383,7 @@ Track the issue: https://github.com/opsgenie/terraform-provider-opsgenie/issues/ | [team\_members](#output\_team\_members) | Team members | | [team\_name](#output\_team\_name) | Team Name | + ## Related How-to Guides @@ -383,7 +397,8 @@ Track the issue: https://github.com/opsgenie/terraform-provider-opsgenie/issues/ - [How to Implement Incident Management with OpsGenie](https://docs.cloudposse.com/reference-architecture/how-to-guides/tutorials/how-to-implement-incident-management-with-opsgenie) ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/opsgenie-team) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/opsgenie-team) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/opsgenie-team/modules/escalation/README.md b/modules/opsgenie-team/modules/escalation/README.md index e5261df7c..d57862655 100644 --- a/modules/opsgenie-team/modules/escalation/README.md +++ b/modules/opsgenie-team/modules/escalation/README.md @@ -1,7 +1,7 @@ ## Escalation -Terraform module to configure [Opsgenie Escalation](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs/resources/escalation) - +Terraform module to configure +[Opsgenie Escalation](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs/resources/escalation) ## Usage @@ -27,6 +27,7 @@ module "escalation" { } ``` + ## Requirements @@ -89,3 +90,4 @@ module "escalation" { | [escalation\_id](#output\_escalation\_id) | The ID of the Opsgenie Escalation | | [escalation\_name](#output\_escalation\_name) | Name of the Opsgenie Escalation | + diff --git a/modules/opsgenie-team/modules/integration/README.md b/modules/opsgenie-team/modules/integration/README.md index 21faa8bbe..fe7b0a1f8 100644 --- a/modules/opsgenie-team/modules/integration/README.md 
+++ b/modules/opsgenie-team/modules/integration/README.md @@ -2,6 +2,7 @@ This module creates an OpsGenie integrations for a team. By Default, it creates a Datadog integration. + ## Requirements @@ -67,3 +68,4 @@ This module creates an OpsGenie integrations for a team. By Default, it creates | [ssm\_path](#output\_ssm\_path) | Full SSM path of the team integration key | | [type](#output\_type) | Type of the team integration | + diff --git a/modules/opsgenie-team/modules/routing/README.md b/modules/opsgenie-team/modules/routing/README.md index bf6f14519..a69fa1d28 100644 --- a/modules/opsgenie-team/modules/routing/README.md +++ b/modules/opsgenie-team/modules/routing/README.md @@ -1,8 +1,10 @@ ## Routing -This module creates team routing rules, these are the initial rules that are applied to an alert to determine who gets notified. -This module also creates incident service rules, which determine if an alert is considered a service incident or not. +This module creates team routing rules, these are the initial rules that are applied to an alert to determine who gets +notified. This module also creates incident service rules, which determine if an alert is considered a service incident +or not. + ## Requirements @@ -76,3 +78,4 @@ This module also creates incident service rules, which determine if an alert is | [service\_incident\_rule](#output\_service\_incident\_rule) | Service incident rules for incidents | | [team\_routing\_rule](#output\_team\_routing\_rule) | Team routing rules for alerts | + diff --git a/modules/philips-labs-github-runners/README.md b/modules/philips-labs-github-runners/README.md index 83ad0b33e..cbb0664a2 100644 --- a/modules/philips-labs-github-runners/README.md +++ b/modules/philips-labs-github-runners/README.md 
@@ -4,11 +4,15 @@ This component is responsible for provisioning the surrounding infrastructure fo ## Prerequisites -* Github App installed on the organization - * For more details see [Philips Lab's Setting up a Github App](https://github.com/philips-labs/terraform-aws-github-runner/tree/main#setup-github-app-part-1) - * Ensure you create a **PRIVATE KEY** and store it in SSM, **NOT** to be confused with a **Client Secret**. Private Keys are created in the GitHub App Configuration and scrolling to the bottom. -* Github App ID and private key stored in SSM under `/pl-github-runners/id` (or the value of `var.github_app_id_ssm_path`) -* Github App Private Key stored in SSM (base64 encoded) under `/pl-github-runners/key` (or the value of `var.github_app_key_ssm_path`) +- Github App installed on the organization + - For more details see + [Philips Lab's Setting up a Github App](https://github.com/philips-labs/terraform-aws-github-runner/tree/main#setup-github-app-part-1) + - Ensure you create a **PRIVATE KEY** and store it in SSM, **NOT** to be confused with a **Client Secret**. Private + Keys are created in the GitHub App Configuration and scrolling to the bottom. +- Github App ID and private key stored in SSM under `/pl-github-runners/id` (or the value of + `var.github_app_id_ssm_path`) +- Github App Private Key stored in SSM (base64 encoded) under `/pl-github-runners/key` (or the value of + `var.github_app_key_ssm_path`) ## Usage 
@@ -31,8 +35,8 @@ The following will create - SQS Queue - EC2 Launch Template instances -The API Gateway is registered as a webhook within the GitHub app. Which scales up or down, via lambdas, the EC2 Launch Template -by the number of messages in the SQS queue. +The API Gateway is registered as a webhook within the GitHub app. Which scales up or down, via lambdas, the EC2 Launch +Template by the number of messages in the SQS queue. ![Architecture](https://github.com/philips-labs/terraform-aws-github-runner/blob/main/docs/component-overview.svg) @@ -43,12 +47,16 @@ by the number of messages in the SQS queue. This is a fork of https://github.com/philips-labs/terraform-aws-github-runner/tree/main/modules/webhook-github-app. We customized it until this PR is resolved as it does not update the github app webhook until this is merged. -* https://github.com/philips-labs/terraform-aws-github-runner/pull/3625 + +- https://github.com/philips-labs/terraform-aws-github-runner/pull/3625 This module also requires an environment variable -* `GH_TOKEN` - a github token be set -This module also requires the `gh` cli to be installed. Your Dockerfile can be updated to include the following to install it: +- `GH_TOKEN` - a github token be set + +This module also requires the `gh` cli to be installed. Your Dockerfile can be updated to include the following to +install it: + ```dockerfile ARG GH_CLI_VERSION=2.39.1 # ... 
@@ -57,13 +65,14 @@ RUN apt-get update && apt-get install -y --allow-downgrades \ gh="${GH_CLI_VERSION}-*" ``` -By default, we leave this disabled, as it requires a github token to be set. You can enable it by setting `var.enable_update_github_app_webhook` to `true`. -When enabled, it will update the github app webhook to point to the API Gateway. This can occur if the API Gateway is deleted and recreated. - -When disabled, you will need to manually update the github app webhook to point to the API Gateway. -This is output by the component, and available via the `webhook` output under `endpoint`. +By default, we leave this disabled, as it requires a github token to be set. You can enable it by setting +`var.enable_update_github_app_webhook` to `true`. When enabled, it will update the github app webhook to point to the +API Gateway. This can occur if the API Gateway is deleted and recreated. +When disabled, you will need to manually update the github app webhook to point to the API Gateway. This is output by +the component, and available via the `webhook` output under `endpoint`. + ## Requirements @@ -140,8 +149,11 @@ This is output by the component, and available via the `webhook` output under `e | [ssm\_parameters](#output\_ssm\_parameters) | Information about the SSM parameters to use to register the runner. | | [webhook](#output\_webhook) | Information about the webhook to use to register the runner. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ecs) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/rds/README.md b/modules/rds/README.md index 9fb828b86..4f8ef7383 100644 --- a/modules/rds/README.md +++ b/modules/rds/README.md 
@@ -1,11 +1,13 @@ # Component: `rds` -This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store. +This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames, +username, password, etc.) into AWS SSM Parameter Store. ## Security Groups Guidance: -By default this component creates a client security group and adds that security group id to the default attached security group. -Ideally other AWS resources that require RDS access can be granted this client security group. Additionally you can grant access -via specific CIDR blocks or security group ids. + +By default this component creates a client security group and adds that security group id to the default attached +security group. Ideally other AWS resources that require RDS access can be granted this client security group. +Additionally you can grant access via specific CIDR blocks or security group ids. ## Usage 
@@ -69,24 +71,29 @@ components: # This does not seem to work correctly deletion_protection: false ``` + ### Provisioning from a snapshot -The snapshot identifier variable can be added to provision an instance from a snapshot HOWEVER- -Keep in mind these instances are provisioned from a unique kms key per rds. -For clean terraform runs, you must first provision the key for the destination instance, then copy the snapshot using that kms key. + +The snapshot identifier variable can be added to provision an instance from a snapshot HOWEVER- Keep in mind these +instances are provisioned from a unique kms key per rds. For clean terraform runs, you must first provision the key for +the destination instance, then copy the snapshot using that kms key. Example - I want a new instance `rds-example-new` to be provisioned from a snapshot of `rds-example-old`: + 1. Use the console to manually make a snapshot of rds instance `rds-example-old` 1. provision the kms key for `rds-example-new` - ``` - atmos terraform plan rds-example-new -s ue1-staging '-target=module.kms_key_rds.aws_kms_key.default[0]' - atmos terraform apply rds-example-new -s ue1-staging '-target=module.kms_key_rds.aws_kms_key.default[0]' - ``` + ``` + atmos terraform plan rds-example-new -s ue1-staging '-target=module.kms_key_rds.aws_kms_key.default[0]' + atmos terraform apply rds-example-new -s ue1-staging '-target=module.kms_key_rds.aws_kms_key.default[0]' + ``` 1. Use the console to copy the snapshot to a new name using the above provisioned kms key -1. Add `snapshot_identifier` variable to `rds-example-new` catalog and specify the newly copied snapshot that used the above key +1. Add `snapshot_identifier` variable to `rds-example-new` catalog and specify the newly copied snapshot that used the + above key 1. Post provisioning, remove the `snapshot_idenfier` variable and verify terraform runs clean for the copied instance + ## Requirements 
@@ -237,10 +244,11 @@ Example - I want a new instance `rds-example-new` to be provisioned from a snaps | [rds\_security\_group\_id](#output\_rds\_security\_group\_id) | ID of the Security Group | | [rds\_subnet\_group\_id](#output\_rds\_subnet\_group\_id) | ID of the created Subnet Group | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/rds) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/rds) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/redshift/README.md b/modules/redshift/README.md index c0045301b..90e9e6bca 100644 --- a/modules/redshift/README.md +++ b/modules/redshift/README.md @@ -1,6 +1,7 @@ # Component: `redshift` -This component is responsible for provisioning a RedShift instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store. +This component is responsible for provisioning a RedShift instance. It seeds relevant database information (hostnames, +username, password, etc.) into AWS SSM Parameter Store. ## Usage @@ -36,9 +37,9 @@ components: protocol: tcp cidr_blocks: - 10.0.0.0/8 - ``` + ## Requirements @@ -139,10 +140,11 @@ components: | [redshift\_database\_ssm\_key\_prefix](#output\_redshift\_database\_ssm\_key\_prefix) | SSM prefix | | [vpc\_security\_group\_ids](#output\_vpc\_security\_group\_ids) | The VPC security group IDs associated with the cluster | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/redshift) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/redshift) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/route53-resolver-dns-firewall/README.md b/modules/route53-resolver-dns-firewall/README.md index 7206ca7e3..63519378f 100644 --- a/modules/route53-resolver-dns-firewall/README.md +++ b/modules/route53-resolver-dns-firewall/README.md @@ -1,7 +1,9 @@ # Component: `route53-resolver-dns-firewall` -This component is responsible for provisioning [Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) -resources, including Route 53 Resolver DNS Firewall, domain lists, firewall rule groups, firewall rules, and logging configuration. +This component is responsible for provisioning +[Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) +resources, including Route 53 Resolver DNS Firewall, domain lists, firewall rule groups, firewall rules, and logging +configuration. ## Usage @@ -76,6 +78,7 @@ Execute the following command to provision the `route53-resolver-dns-firewall/ex atmos terraform apply route53-resolver-dns-firewall/example -s ``` + ## Requirements @@ -143,6 +146,7 @@ No resources. | [rule\_groups](#output\_rule\_groups) | Route 53 Resolver DNS Firewall rule groups | | [rules](#output\_rules) | Route 53 Resolver DNS Firewall rules | + ## References 
@@ -156,6 +160,7 @@ No resources. - [Appliance in a shared services VPC](https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-appliance-scenario.html) - [Quotas on Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/DNSLimitations.html#limits-api-entities-resolver) - [Unified bad hosts](https://github.com/StevenBlack/hosts) -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/s3-bucket/README.md b/modules/s3-bucket/README.md index 0647544c6..7e35bf2ed 100644 --- a/modules/s3-bucket/README.md +++ b/modules/s3-bucket/README.md @@ -51,12 +51,11 @@ components: days: 90 expiration: days: 120 - ``` ```yaml import: -- catalog/s3/defaults + - catalog/s3/defaults components: terraform: @@ -74,6 +73,7 @@ components: prefix: logs/ ``` + ## Requirements @@ -182,10 +182,11 @@ components: | [bucket\_region](#output\_bucket\_region) | Bucket region | | [bucket\_regional\_domain\_name](#output\_bucket\_regional\_domain\_name) | Bucket region-specific domain name | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/s3-bucket) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/s3-bucket) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/security-hub/README.md b/modules/security-hub/README.md index f2611672c..43bf853ca 100644 --- a/modules/security-hub/README.md +++ b/modules/security-hub/README.md 
@@ -52,18 +52,18 @@ and effectively manage security compliance across their AWS accounts and resourc This component is complex in that it must be deployed multiple times with different variables set to configure the AWS Organization successfully. -It is further complicated by the fact that you must deploy each of the component instances described below to -every region that existed before March 2019 and to any regions that have been opted-in as described in the [AWS -Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions). +It is further complicated by the fact that you must deploy each of the component instances described below to every +region that existed before March 2019 and to any regions that have been opted-in as described in the +[AWS Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions). In the examples below, we assume that the AWS Organization Management account is `root` and the AWS Organization Delegated Administrator account is `security`, both in the `core` tenant. ### Deploy to Delegated Administrator Account -First, the component is deployed to the [Delegated -Administrator](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) account in each region to -configure the Security Hub instance to which each account will send its findings. +First, the component is deployed to the +[Delegated Administrator](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) account in each +region to configure the Security Hub instance to which each account will send its findings. ```yaml # core-ue1-security @@ -148,6 +148,7 @@ atmos terraform apply security-hub/org-settings/uw1 -s core-uw1-security # ... other regions ``` + ## Requirements 
@@ -236,6 +237,7 @@ atmos terraform apply security-hub/org-settings/uw1 -s core-uw1-security | [sns\_topic\_name](#output\_sns\_topic\_name) | The name of the SNS topic created by the component | | [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | The SNS topic subscriptions created by the component | + ## References diff --git a/modules/ses/README.md b/modules/ses/README.md index 4863a0b03..5d99a0c07 100644 --- a/modules/ses/README.md +++ b/modules/ses/README.md @@ -1,6 +1,7 @@ # Component: `ses` -This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can be retrieved from SSM. +This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can +be retrieved from SSM. ## Usage @@ -26,6 +27,7 @@ components: Service: ses ``` + ## Requirements @@ -97,9 +99,11 @@ components: | [user\_name](#output\_user\_name) | Normalized name of the IAM user with permission to send emails from SES domain | | [user\_unique\_id](#output\_user\_unique\_id) | The unique ID of the IAM user with permission to send emails from SES domain | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ses) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ses) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/sftp/README.md b/modules/sftp/README.md index a3b6d662f..7aad36556 100644 --- a/modules/sftp/README.md +++ b/modules/sftp/README.md @@ -19,6 +19,7 @@ components: enabled: true ``` + ## Requirements 
@@ -96,9 +97,11 @@ components: |------|-------------| | [sftp](#output\_sftp) | The SFTP module outputs | + ## References -* [cloudposse/terraform-aws-transfer-sftp](https://github.com/cloudposse/terraform-aws-transfer-sftp) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-transfer-sftp](https://github.com/cloudposse/terraform-aws-transfer-sftp) - Cloud Posse's + upstream component [](https://cpco.io/component) diff --git a/modules/snowflake-account/README.md b/modules/snowflake-account/README.md index 89b8932ff..3ad2093f1 100644 --- a/modules/snowflake-account/README.md +++ b/modules/snowflake-account/README.md @@ -1,6 +1,7 @@ # Component: `snowflake-account` -This component sets up the requirements for all other Snowflake components, including creating the Terraform service user. Before running this component, follow the manual, Click-Ops steps below to create a Snowflake subscription. +This component sets up the requirements for all other Snowflake components, including creating the Terraform service +user. Before running this component, follow the manual, Click-Ops steps below to create a Snowflake subscription. ## Deployment Steps @@ -10,7 +11,9 @@ This component sets up the requirements for all other Snowflake components, incl 4. Select "Snowflake Data Cloud" 5. Click "Continue to Subscribe" -6. Fill out the information steps using the following as an example. Note, the provided email cannot use labels such as `mdev+sbx01@example.com`. +6. Fill out the information steps using the following as an example. Note, the provided email cannot use labels such as + `mdev+sbx01@example.com`. + ``` First Name: John Last Name: Smith 
@@ -18,20 +21,29 @@ This component sets up the requirements for all other Snowflake components, incl Company: Example Country: United States ``` -7. Select "Standard" and the current region. In this example, we chose "US East (Ohio)" which is the same as `us-east-1`. -7. Continue and wait for Sign Up to complete. Note the Snowflake account ID; you can find this in the newly accessible Snowflake console in the top right of the window. -8. Check for the Account Activation email. Note, this may be collected in a Slack notifications channel for easy access. -9. Follow the given link to create the Admin user with username `admin` and a strong password. Be sure to save that password somewhere secure. -10. Upload that password to AWS Parameter Store under `/snowflake/$ACCOUNT/users/admin/password`, where `ACCOUNT` is the value given during the subscription process. This password will only be used to create a private key, and all other authentication will be done with said key. Below is an example of how to do that with a [chamber](https://github.com/segmentio/chamber) command: + +7. Select "Standard" and the current region. In this example, we chose "US East (Ohio)" which is the same as + `us-east-1`. +8. Continue and wait for Sign Up to complete. Note the Snowflake account ID; you can find this in the newly accessible + Snowflake console in the top right of the window. +9. Check for the Account Activation email. Note, this may be collected in a Slack notifications channel for easy access. +10. Follow the given link to create the Admin user with username `admin` and a strong password. Be sure to save that + password somewhere secure. +11. Upload that password to AWS Parameter Store under `/snowflake/$ACCOUNT/users/admin/password`, where `ACCOUNT` is the + value given during the subscription process. This password will only be used to create a private key, and all other + authentication will be done with said key. 
Below is an example of how to do that with a + [chamber](https://github.com/segmentio/chamber) command: + ``` AWS_PROFILE=$NAMESPACE-$TENANT-gbl-sbx01-admin chamber write /snowflake/$ACCOUNT/users/admin/ admin $PASSWORD ``` + 11. Finally, use atmos to deploy this component: + ``` atmos terraform deploy snowflake/account --stack $TENANT-use2-sbx01 ``` - ## Usage **Stack Level**: Regional @@ -55,6 +67,7 @@ components: Service: snowflake ``` + ## Requirements @@ -150,6 +163,6 @@ components: | [ssm\_path\_terraform\_user\_name](#output\_ssm\_path\_terraform\_user\_name) | The path to the SSM parameter for the Terraform user name. | | [ssm\_path\_terraform\_user\_private\_key](#output\_ssm\_path\_terraform\_user\_private\_key) | The path to the SSM parameter for the Terraform user private key. | - + [](https://cpco.io/component) diff --git a/modules/snowflake-database/README.md b/modules/snowflake-database/README.md index e2800c294..70e340027 100644 --- a/modules/snowflake-database/README.md +++ b/modules/snowflake-database/README.md @@ -1,6 +1,7 @@ # Component: `snowflake-database` -All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This component will create and control a Snowflake database, schema, and set of tables. +All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This +component will create and control a Snowflake database, schema, and set of tables. ## Usage @@ -39,6 +40,7 @@ components: select * from "example"; ``` + ## Requirements 
@@ -122,10 +124,11 @@ components: No outputs. - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/snowflake-database) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/snowflake-database) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/sns-topic/README.md b/modules/sns-topic/README.md index 95c975a88..1c5eee12d 100644 --- a/modules/sns-topic/README.md +++ b/modules/sns-topic/README.md @@ -40,12 +40,12 @@ components: fifo_queue_enabled: false content_based_deduplication: false redrive_policy_max_receiver_count: 5 - redrive_policy: null + redrive_policy: null ``` ```yaml import: -- catalog/sns-topic/defaults + - catalog/sns-topic/defaults components: terraform: @@ -65,6 +65,7 @@ components: endpoint_auto_confirms: true ``` + ## Requirements @@ -144,8 +145,11 @@ No resources. | [sns\_topic\_owner](#output\_sns\_topic\_owner) | SNS topic owner. | | [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | SNS topic subscription. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sns-topic) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sns-topic) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/spa-s3-cloudfront/README.md b/modules/spa-s3-cloudfront/README.md index 0badadf0a..2ebb4618c 100644 --- a/modules/spa-s3-cloudfront/README.md +++ b/modules/spa-s3-cloudfront/README.md 
@@ -26,7 +26,7 @@ components: github_runners_component_name: github-runners github_runners_tenant_name: core github_runners_environment_name: ue2 - github_runners_stage_name : auto + github_runners_stage_name: auto origin_force_destroy: false origin_versioning_enabled: true origin_block_public_acls: true @@ -52,16 +52,16 @@ components: name: example-spa site_subdomain: example-spa cloudfront_allowed_methods: - - GET - - HEAD + - GET + - HEAD cloudfront_cached_methods: - - GET - - HEAD + - GET + - HEAD cloudfront_custom_error_response: - - error_caching_min_ttl: 1 - error_code: 403 - response_code: 200 - response_page_path: /index.html + - error_caching_min_ttl: 1 + error_code: 403 + response_code: 200 + response_page_path: /index.html cloudfront_default_ttl: 60 cloudfront_min_ttl: 60 cloudfront_max_ttl: 60 
@@ -89,13 +89,15 @@ Failover origins are supported via `var.failover_s3_origin_name` and `var.failov ### Preview Environments -SPA Preview environments (i.e. `subdomain.example.com` mapping to a `/subdomain` path in the S3 bucket) powered by Lambda@Edge -are supported via `var.preview_environment_enabled`. See the both the variable description and inline documentation for -an extensive explanation for how these preview environments work. +SPA Preview environments (i.e. `subdomain.example.com` mapping to a `/subdomain` path in the S3 bucket) powered by +Lambda@Edge are supported via `var.preview_environment_enabled`. See the both the variable description and inline +documentation for an extensive explanation for how these preview environments work. ### Customizing Lambda@Edge -This component supports customizing Lambda@Edge functions for the CloudFront distribution. All Lambda@Edge function configuration is deep merged before being passed to the `cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge` module. You can add additional functions and overwrite existing functions as such: +This component supports customizing Lambda@Edge functions for the CloudFront distribution. All Lambda@Edge function +configuration is deep merged before being passed to the `cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge` module. +You can add additional functions and overwrite existing functions as such: ```yaml import: @@ -124,9 +126,9 @@ components: handler: "index.handler" event_type: "viewer-response" include_body: false - ``` + ## Requirements 
@@ -269,11 +271,12 @@ components: | [origin\_s3\_bucket\_arn](#output\_origin\_s3\_bucket\_arn) | Origin bucket ARN. | | [origin\_s3\_bucket\_name](#output\_origin\_s3\_bucket\_name) | Origin bucket name. | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spa-s3-cloudfront) - Cloud Posse's upstream component -* [How do I use CloudFront to serve a static website hosted on Amazon S3?](https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/) +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spa-s3-cloudfront) - + Cloud Posse's upstream component +- [How do I use CloudFront to serve a static website hosted on Amazon S3?](https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-serve-static-website/) [](https://cpco.io/component) diff --git a/modules/spacelift/admin-stack/README.md b/modules/spacelift/admin-stack/README.md index 08a33fd7e..ce23def69 100644 --- a/modules/spacelift/admin-stack/README.md +++ b/modules/spacelift/admin-stack/README.md @@ -9,7 +9,8 @@ The component uses a series of `context_filters` to select atmos component insta **Stack Level**: Global -The following are example snippets of how to use this component. For more on Spacelift admin stack usage, see the [Spacelift README](https://docs.cloudposse.com/components/library/aws/spacelift/) +The following are example snippets of how to use this component. For more on Spacelift admin stack usage, see the +[Spacelift README](https://docs.cloudposse.com/components/library/aws/spacelift/) First define the default configuration for any admin stack: @@ -135,6 +136,7 @@ components: - TRIGGER Dependencies ``` + ## Requirements @@ -265,3 +267,4 @@ components: | [root\_stack](#output\_root\_stack) | The root stack, if enabled and created by this component | | [root\_stack\_id](#output\_root\_stack\_id) | The stack id | + 
diff --git a/modules/spacelift/spaces/README.md b/modules/spacelift/spaces/README.md index dafcf34cc..f8773f8ed 100644 --- a/modules/spacelift/spaces/README.md +++ b/modules/spacelift/spaces/README.md @@ -64,6 +64,7 @@ components: - plat ``` + ## Requirements @@ -120,3 +121,4 @@ No resources. | [policies](#output\_policies) | The policies created by this component | | [spaces](#output\_spaces) | The spaces created by this component | + diff --git a/modules/spacelift/worker-pool/README.md b/modules/spacelift/worker-pool/README.md index 7727590ab..2209c8437 100644 --- a/modules/spacelift/worker-pool/README.md +++ b/modules/spacelift/worker-pool/README.md @@ -11,8 +11,7 @@ assume the role via `trusted_role_arns`), and have the following AWS managed IAM - AWSXRayDaemonWriteAccess - CloudWatchAgentServerPolicy -Among other things, this allows workers with SSM agent installed to -be accessed via SSM Session Manager. +Among other things, this allows workers with SSM agent installed to be accessed via SSM Session Manager. ```bash aws ssm start-session --target 
@@ -75,11 +74,11 @@ components: ### Impacts on billing -While scaling the workload for Spacelift, keep in mind that each agent connection counts -against your quota of self-hosted workers. The number of EC2 instances you have running is _not_ -going to affect your Spacelift bill. As an example, if you had 3 EC2 instances in your Spacelift -worker pool, and you configured `spacelift_agents_per_node` to be `3`, you would see your Spacelift -bill report 9 agents being run. Take care while configuring the worker pool for your Spacelift infrastructure. +While scaling the workload for Spacelift, keep in mind that each agent connection counts against your quota of +self-hosted workers. The number of EC2 instances you have running is _not_ going to affect your Spacelift bill. As an +example, if you had 3 EC2 instances in your Spacelift worker pool, and you configured `spacelift_agents_per_node` to be +`3`, you would see your Spacelift bill report 9 agents being run. Take care while configuring the worker pool for your +Spacelift infrastructure. ## Configuration @@ -92,9 +91,9 @@ has read-only access to the ECR repository. Prior to deployment, the API key must exist in SSM. The key must have admin permissions. -To generate the key, please follow [these -instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the API -key ID and secret to the SSM key store at the following locations within the same AWS account and region where the +To generate the key, please follow +[these instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the +API key ID and secret to the SSM key store at the following locations within the same AWS account and region where the Spacelift worker pool will reside. | Key | SSM Path | Type | 
@@ -118,6 +117,7 @@ After provisioning the component, you must give the created instance role permis role. This is done by adding `iam_role_arn` from the output to the `trusted_role_arns` list for the `spacelift` role in `aws-teams`. + ## Requirements @@ -260,10 +260,13 @@ role. This is done by adding `iam_role_arn` from the output to the `trusted_role | [worker\_pool\_id](#output\_worker\_pool\_id) | Spacelift worker pool ID | | [worker\_pool\_name](#output\_worker\_pool\_name) | Spacelift worker pool name | + ## References -- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - Cloud Posse's related upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/spacelift-worker-pool) - Cloud Posse's upstream component +- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - + Cloud Posse's related upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/spacelift-worker-pool) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/sqs-queue/README.md b/modules/sqs-queue/README.md index f7114ac04..fffbaed2b 100644 --- a/modules/sqs-queue/README.md +++ b/modules/sqs-queue/README.md @@ -19,6 +19,7 @@ components: enabled: true ``` + ## Requirements 
@@ -89,8 +90,11 @@ No resources. | [name](#output\_name) | The name of the created Amazon SQS queue. | | [url](#output\_url) | The URL of the created Amazon SQS queue. | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sqs-queue) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/sqs-queue) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/ssm-parameters/README.md b/modules/ssm-parameters/README.md index 45c48d763..911755472 100644 --- a/modules/ssm-parameters/README.md +++ b/modules/ssm-parameters/README.md @@ -1,6 +1,7 @@ # Component: `ssm-parameters` -This component is responsible for provisioning Parameter Store resources against AWS SSM. It supports normal parameter store resources that can be configured directly in YAML OR pulling secret values from a local Sops file. +This component is responsible for provisioning Parameter Store resources against AWS SSM. It supports normal parameter +store resources that can be configured directly in YAML OR pulling secret values from a local Sops file. ## Usage @@ -25,6 +26,7 @@ components: type: String ``` + ## Requirements @@ -89,10 +91,11 @@ components: |------|-------------| | [created\_params](#output\_created\_params) | The keys of created SSM parameter store resources. | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ssm-parameters) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/ssm-parameters) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/strongdm/README.md b/modules/strongdm/README.md index 29709df12..20aa20f0d 100644 --- a/modules/strongdm/README.md 
+++ b/modules/strongdm/README.md @@ -16,6 +16,7 @@ components: enabled: true ``` + ## Requirements @@ -96,7 +97,9 @@ components: No outputs. + ## References -* https://github.com/spotinst/spotinst-kubernetes-helm-charts -* https://docs.spot.io/ocean/tutorials/spot-kubernetes-controller/ + +- https://github.com/spotinst/spotinst-kubernetes-helm-charts +- https://docs.spot.io/ocean/tutorials/spot-kubernetes-controller/ diff --git a/modules/tfstate-backend/README.md b/modules/tfstate-backend/README.md index 3dd8e61c2..12f8433cb 100644 --- a/modules/tfstate-backend/README.md +++ b/modules/tfstate-backend/README.md 
@@ -1,25 +1,30 @@ # Component: `tfstate-backend` -This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend. +This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for +usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend. -Once the initial S3 backend is configured, this component can create additional backends, allowing you to segregate them and control access to each backend separately. This may be desirable because any secret or sensitive information (such as generated passwords) that Terraform has access to gets stored in the Terraform state backend S3 bucket, so you may wish to restrict who can read the production Terraform state backend S3 bucket. -However, perhaps counter-intuitively, all Terraform users require read access to the most sensitive accounts, such as `root` and `audit`, in order to read security configuration information, so careful planning is required when architecting backend splits. +Once the initial S3 backend is configured, this component can create additional backends, allowing you to segregate them +and control access to each backend separately. This may be desirable because any secret or sensitive information (such +as generated passwords) that Terraform has access to gets stored in the Terraform state backend S3 bucket, so you may +wish to restrict who can read the production Terraform state backend S3 bucket. However, perhaps counter-intuitively, +all Terraform users require read access to the most sensitive accounts, such as `root` and `audit`, in order to read +security configuration information, so careful planning is required when architecting backend splits. 
-:::info -Part of cold start so it has to initially be run with `SuperAdmin`, multiple times: to create the S3 bucket and then to move the state into it. -Follow the guide **[here](https://docs.cloudposse.com/reference-architecture/how-to-guides/implementation/enterprise/implement-aws-cold-start/#provision-tfstate-backend-component)** to get started. -::: +:::info Part of cold start so it has to initially be run with `SuperAdmin`, multiple times: to create the S3 bucket and +then to move the state into it. Follow the guide +**[here](https://docs.cloudposse.com/reference-architecture/how-to-guides/implementation/enterprise/implement-aws-cold-start/#provision-tfstate-backend-component)** +to get started. ::: ### Access Control -For each backend, this module will create an IAM role with read/write access and, optionally, an IAM role with read-only access. -You can configure who is allowed to assume these roles. +For each backend, this module will create an IAM role with read/write access and, optionally, an IAM role with read-only +access. You can configure who is allowed to assume these roles. -- While read/write access is required for `terraform apply`, the created role only grants read/write access to the Terraform state, - it does not grant permission to create/modify/destroy AWS resources. +- While read/write access is required for `terraform apply`, the created role only grants read/write access to the + Terraform state, it does not grant permission to create/modify/destroy AWS resources. -- Similarly, while the read-only role prohibits making changes to the Terraform state, it does not prevent anyone - from making changes to AWS resources using a different role. +- Similarly, while the read-only role prohibits making changes to the Terraform state, it does not prevent anyone from + making changes to AWS resources using a different role. 
- Many Cloud Posse components store information about resources they create in the Terraform state via their outputs, and many other components read this information from the Terraform state backend via the CloudPosse `remote-state` 
@@ -31,74 +36,77 @@ You can configure who is allowed to assume these roles. and `security`, is nevertheless needed by every account, for example to know where to send audit logs, so it is not obvious and can be counter-intuitive which accounts need access to which backends. Plan carefully. -- Atmos provides separate configuration for Terraform state access via the `backend` and `remote_state_backend` - settings. Always configure the `backend` setting with a role that has read/write access (and override that setting - to be `null` for components deployed by SuperAdmin). If a read-only role is available (only helpful if you have - more than one backend), use that role in `remote_state_backend.s3.role_arn`. Otherwise, use the read/write role in +- Atmos provides separate configuration for Terraform state access via the `backend` and `remote_state_backend` + settings. Always configure the `backend` setting with a role that has read/write access (and override that setting to + be `null` for components deployed by SuperAdmin). If a read-only role is available (only helpful if you have more than + one backend), use that role in `remote_state_backend.s3.role_arn`. Otherwise, use the read/write role in `remote_state_backend.s3.role_arn`, to ensure that all components can read the Terraform state, even if `backend.s3.role_arn` is set to `null`, as it is with a few critical components meant to be deployed by SuperAdmin. -- Note that the "read-only" in the "read-only role" refers solely to the S3 bucket that stores the backend data. - That role still has read/write access to the DynamoDB table, which is desirable so that users restricted to the - read-only role can still perform drift detection by running `terraform plan`. The DynamoDB table only stores - checksums and mutual-exclusion lock information, so it is not considered sensitive. 
The worst a malicious user - could do would be to corrupt the table and cause a denial-of-service (DoS) for Terraform, but such DoS would only - affect making changes to the infrastructure, it would not affect the operation of the existing infrastructure, so - it is an ineffective and therefore unlikely vector of attack. (Also note that the entire DynamoDB table is - optional and can be deleted entirely; Terraform will repopulate it as new activity takes place.) +- Note that the "read-only" in the "read-only role" refers solely to the S3 bucket that stores the backend data. That + role still has read/write access to the DynamoDB table, which is desirable so that users restricted to the read-only + role can still perform drift detection by running `terraform plan`. The DynamoDB table only stores checksums and + mutual-exclusion lock information, so it is not considered sensitive. The worst a malicious user could do would be to + corrupt the table and cause a denial-of-service (DoS) for Terraform, but such DoS would only affect making changes to + the infrastructure, it would not affect the operation of the existing infrastructure, so it is an ineffective and + therefore unlikely vector of attack. (Also note that the entire DynamoDB table is optional and can be deleted + entirely; Terraform will repopulate it as new activity takes place.) -- For convenience, the component automatically grants access to the backend to the user deploying it. This is - helpful because it allows that user, presumably SuperAdmin, to deploy the normal components that expect - the user does not have direct access to Terraform state. +- For convenience, the component automatically grants access to the backend to the user deploying it. This is helpful + because it allows that user, presumably SuperAdmin, to deploy the normal components that expect the user does not have + direct access to Terraform state. 
### Quotas -When allowing access to both SAML and AWS SSO users, the trust policy for the IAM roles created by this component -can exceed the default 2048 character limit. If you encounter this error, you can increase the limit by -requesting a quota increase [here](https://us-east-1.console.aws.amazon.com/servicequotas/home/services/iam/quotas/L-C07B4B0D). -Note that this is the IAM limit on "The maximum number of characters in an IAM role trust policy" and it must be -configured in the `us-east-1` region, regardless of what region you are deploying to. Normally 3072 characters -is sufficient, and is recommended so that you still have room to expand the trust policy in the future while -perhaps considering how to reduce its size. +When allowing access to both SAML and AWS SSO users, the trust policy for the IAM roles created by this component can +exceed the default 2048 character limit. If you encounter this error, you can increase the limit by requesting a quota +increase [here](https://us-east-1.console.aws.amazon.com/servicequotas/home/services/iam/quotas/L-C07B4B0D). Note that +this is the IAM limit on "The maximum number of characters in an IAM role trust policy" and it must be configured in the +`us-east-1` region, regardless of what region you are deploying to. Normally 3072 characters is sufficient, and is +recommended so that you still have room to expand the trust policy in the future while perhaps considering how to reduce +its size. 
## Usage -**Stack Level**: Regional (because DynamoDB is region-specific), but deploy only in a single region and only in the `root` account -**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Regional (because DynamoDB is region-specific), but deploy only in a single region and only in the +`root` account **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -This component configures the shared Terraform backend, and as such is the first component that must be deployed, since all other components depend on it. In fact, this component even depends on itself, so special deployment procedures are needed for the initial deployment (documented in the "Cold Start" procedures). +This component configures the shared Terraform backend, and as such is the first component that must be deployed, since +all other components depend on it. In fact, this component even depends on itself, so special deployment procedures are +needed for the initial deployment (documented in the "Cold Start" procedures). Here's an example snippet for how to use this component. 
```yaml - terraform: - tfstate-backend: - backend: - s3: - role_arn: null - settings: - spacelift: - workspace_enabled: false - vars: - enable_server_side_encryption: true - enabled: true - force_destroy: false - name: tfstate - prevent_unencrypted_uploads: true - access_roles: - default: &tfstate-access-template - write_enabled: true - allowed_roles: - core-identity: ["devops", "developers", "managers", "spacelift"] - core-root: ["admin"] - denied_roles: {} - allowed_permission_sets: - core-identity: ["AdministratorAccess"] - denied_permission_sets: {} - allowed_principal_arns: [] - denied_principal_arns: [] +terraform: + tfstate-backend: + backend: + s3: + role_arn: null + settings: + spacelift: + workspace_enabled: false + vars: + enable_server_side_encryption: true + enabled: true + force_destroy: false + name: tfstate + prevent_unencrypted_uploads: true + access_roles: + default: &tfstate-access-template + write_enabled: true + allowed_roles: + core-identity: ["devops", "developers", "managers", "spacelift"] + core-root: ["admin"] + denied_roles: {} + allowed_permission_sets: + core-identity: ["AdministratorAccess"] + denied_permission_sets: {} + allowed_principal_arns: [] + denied_principal_arns: [] ``` + ## Requirements @@ -174,7 +182,9 @@ Here's an example snippet for how to use this component. | [tfstate\_backend\_s3\_bucket\_domain\_name](#output\_tfstate\_backend\_s3\_bucket\_domain\_name) | Terraform state S3 bucket domain name | | [tfstate\_backend\_s3\_bucket\_id](#output\_tfstate\_backend\_s3\_bucket\_id) | Terraform state S3 bucket ID | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tfstate-backend) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tfstate-backend) - + Cloud Posse's upstream component 
diff --git a/modules/tgw/cross-region-hub-connector/README.md b/modules/tgw/cross-region-hub-connector/README.md index 5efbd3bb4..1de5a593a 100644 --- a/modules/tgw/cross-region-hub-connector/README.md +++ b/modules/tgw/cross-region-hub-connector/README.md @@ -1,8 +1,11 @@ # Component: `cross-region-hub-connector` -This component is responsible for provisioning an [AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts and(or) regions. +This component is responsible for provisioning an +[AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts +and(or) regions. -Transit Gateway does not support sharing the Transit Gateway hub across regions. You must deploy a Transit Gateway hub for each region and connect the alternate hub to the primary hub. +Transit Gateway does not support sharing the Transit Gateway hub across regions. You must deploy a Transit Gateway hub +for each region and connect the alternate hub to the primary hub. ## Usage @@ -10,8 +13,9 @@ Transit Gateway does not support sharing the Transit Gateway hub across regions. This component is deployed to each alternate region with `tgw/hub`. -For example if your primary region is `us-east-1` and your alternate region is `us-west-2`, deploy another `tgw/hub` in `us-west-2` -and peer the two with `tgw/cross-region-hub-connector` with the following stack config, imported into `us-west-2` +For example if your primary region is `us-east-1` and your alternate region is `us-west-2`, deploy another `tgw/hub` in +`us-west-2` and peer the two with `tgw/cross-region-hub-connector` with the following stack config, imported into +`us-west-2` ```yaml import: @@ -54,6 +58,7 @@ components: primary_tgw_hub_region: us-east-1 ``` + ## Requirements 
@@ -126,9 +131,11 @@ components: |------|-------------| | [aws\_ec2\_transit\_gateway\_peering\_attachment\_id](#output\_aws\_ec2\_transit\_gateway\_peering\_attachment\_id) | Transit Gateway Peering Attachment ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw/cross-region-hub-connector) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw/cross-region-hub-connector) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/tgw/hub/README.md b/modules/tgw/hub/README.md index 135e22281..1ada2debe 100644 --- a/modules/tgw/hub/README.md +++ b/modules/tgw/hub/README.md @@ -1,6 +1,7 @@ # Component: `tgw/hub` -This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. +This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` +that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. ## Usage @@ -76,6 +77,7 @@ atmos terraform plan tgw/hub -s --network atmos terraform apply tgw/hub -s --network ``` + ## Requirements @@ -145,9 +147,11 @@ No resources. | [transit\_gateway\_route\_table\_id](#output\_transit\_gateway\_route\_table\_id) | Transit Gateway route table ID | | [vpcs](#output\_vpcs) | Accounts with VPC and VPCs information | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw/hub) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw/hub) - + Cloud Posse's upstream component [](https://cpco.io/component) 
diff --git a/modules/tgw/spoke/README.md b/modules/tgw/spoke/README.md index de63a4e58..acc6ce0ba 100644 --- a/modules/tgw/spoke/README.md +++ b/modules/tgw/spoke/README.md @@ -1,6 +1,7 @@ # Component: `tgw/spoke` -This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments to connect VPCs in a `spoke` account to different accounts through a central `hub`. +This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments +to connect VPCs in a `spoke` account to different accounts through a central `hub`. ## Usage @@ -88,6 +89,7 @@ atmos terraform plan tgw/spoke -s -- atmos terraform apply tgw/spoke -s -- ``` + ## Requirements @@ -164,9 +166,11 @@ atmos terraform apply tgw/spoke -s -- No outputs. + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/tgw) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/vpc-flow-logs-bucket/README.md b/modules/vpc-flow-logs-bucket/README.md index 7ab0ca610..143e0d10c 100644 --- a/modules/vpc-flow-logs-bucket/README.md +++ b/modules/vpc-flow-logs-bucket/README.md @@ -8,7 +8,8 @@ This component is responsible for provisioning an encrypted S3 bucket which is c Here's an example snippet for how to use this component. -**IMPORTANT**: This component expects the `aws_flow_log` resource to be created externally. Typically that is accomplished through [the `vpc` component](../vpc/). +**IMPORTANT**: This component expects the `aws_flow_log` resource to be created externally. Typically that is +accomplished through [the `vpc` component](../vpc/). ```yaml components: @@ -23,6 +24,7 @@ components: expiration_days: 365 ``` + ## Requirements 
@@ -88,10 +90,11 @@ No resources. | [vpc\_flow\_logs\_bucket\_arn](#output\_vpc\_flow\_logs\_bucket\_arn) | VPC Flow Logs bucket ARN | | [vpc\_flow\_logs\_bucket\_id](#output\_vpc\_flow\_logs\_bucket\_id) | VPC Flow Logs bucket ID | - + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc-flow-logs-bucket) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc-flow-logs-bucket) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/vpc-peering/README.md b/modules/vpc-peering/README.md index a7cc67e65..3238f64d2 100644 --- a/modules/vpc-peering/README.md +++ b/modules/vpc-peering/README.md 
@@ -50,42 +50,43 @@ components: Use case: Peering v2 accounts to v2 ```yaml - vpc-peering/-vpc0: - metadata: - component: vpc-peering - inherits: - - vpc-peering/defaults - vars: - requester_vpc_component_name: vpc - accepter_region: us-east-1 - accepter_stage_name: - accepter_vpc: - tags: - # Fill in with your own information - Name: acme---- +vpc-peering/-vpc0: + metadata: + component: vpc-peering + inherits: + - vpc-peering/defaults + vars: + requester_vpc_component_name: vpc + accepter_region: us-east-1 + accepter_stage_name: + accepter_vpc: + tags: + # Fill in with your own information + Name: acme---- ``` ## Legacy Account Configuration The `vpc-peering` component peers the `dev`, `prod`, `sandbox` and `staging` VPCs to a VPC in the legacy account. -The `dev`, `prod`, `sandbox` and `staging` VPCs are the requesters of the VPC peering connection, -while the legacy VPC is the accepter of the peering connection. - -To provision VPC peering and all related resources with Terraform, we need the following information from the legacy account: +The `dev`, `prod`, `sandbox` and `staging` VPCs are the requesters of the VPC peering connection, while the legacy VPC +is the accepter of the peering connection. - - Legacy account ID - - Legacy VPC ID - - Legacy AWS region - - Legacy IAM role (the role must be created in the legacy account with permissions to create VPC peering and routes). - The name of the role could be `acme-vpc-peering` and the ARN of the role should look like `arn:aws:iam:::role/acme-vpc-peering` +To provision VPC peering and all related resources with Terraform, we need the following information from the legacy +account: +- Legacy account ID +- Legacy VPC ID +- Legacy AWS region +- Legacy IAM role (the role must be created in the legacy account with permissions to create VPC peering and routes). 
+ The name of the role could be `acme-vpc-peering` and the ARN of the role should look like + `arn:aws:iam:::role/acme-vpc-peering` ### Legacy Account IAM Role In the legacy account, create IAM role `acme-vpc-peering` with the following policy: -__NOTE:__ Replace `` with the ID of the legacy account. +**NOTE:** Replace `` with the ID of the legacy account. ```json { @@ -93,10 +94,7 @@ __NOTE:__ Replace `` with the ID of the legacy account. "Statement": [ { "Effect": "Allow", - "Action": [ - "ec2:CreateRoute", - "ec2:DeleteRoute" - ], + "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"], "Resource": "arn:aws:ec2:*::route-table/*" }, { @@ -126,10 +124,7 @@ __NOTE:__ Replace `` with the ID of the legacy account. }, { "Effect": "Allow", - "Action": [ - "ec2:DeleteTags", - "ec2:CreateTags" - ], + "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "arn:aws:ec2:*::vpc-peering-connection/*" } ] @@ -138,7 +133,7 @@ __NOTE:__ Replace `` with the ID of the legacy account. Add the following trust policy to the IAM role: -__NOTE:__ Replace `` with the ID of the `identity` account in the new infrastructure. +**NOTE:** Replace `` with the ID of the `identity` account in the new infrastructure. ```json { 
@@ -147,26 +142,22 @@ __NOTE:__ Replace `` with the ID of the `identity` account { "Effect": "Allow", "Principal": { - "AWS": [ - "arn:aws:iam:::root" - ] + "AWS": ["arn:aws:iam:::root"] }, - "Action": [ - "sts:AssumeRole", - "sts:TagSession" - ], + "Action": ["sts:AssumeRole", "sts:TagSession"], "Condition": {} } ] } ``` -The trust policy allows the `identity` account to assume the role (and provision all the resources in the legacy account). +The trust policy allows the `identity` account to assume the role (and provision all the resources in the legacy +account). ## Provisioning -Provision the VPC peering connections in the `dev`, `prod`, `sandbox` and `staging` accounts by executing -the following commands: +Provision the VPC peering connections in the `dev`, `prod`, `sandbox` and `staging` accounts by executing the following +commands: ```sh atmos terraform plan vpc-peering -s ue1-sandbox @@ -182,6 +173,7 @@ atmos terraform plan vpc-peering -s ue1-prod atmos terraform apply vpc-peering -s ue1-prod ``` + ## Requirements @@ -249,7 +241,9 @@ atmos terraform apply vpc-peering -s ue1-prod |------|-------------| | [vpc\_peering](#output\_vpc\_peering) | VPC peering outputs | + -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc-peering) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc-peering) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/vpc/README.md b/modules/vpc/README.md index a72901b3c..64dde8cd3 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md 
@@ -1,6 +1,8 @@ # Component: `vpc` -This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can optionally be enabled for auditing purposes. See the existing VPC configuration documentation for the provisioned subnets. +This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can +optionally be enabled for auditing purposes. See the existing VPC configuration documentation for the provisioned +subnets. ## Usage @@ -52,6 +54,7 @@ components: ipv4_primary_cidr_block: "10.111.0.0/18" ``` + ## Requirements @@ -164,9 +167,11 @@ components: | [vpc\_default\_security\_group\_id](#output\_vpc\_default\_security\_group\_id) | The ID of the security group created by default on VPC creation | | [vpc\_id](#output\_vpc\_id) | VPC ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/vpc) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/waf/README.md b/modules/waf/README.md index 3a2564dd9..3538f19fc 100644 --- a/modules/waf/README.md +++ b/modules/waf/README.md @@ -1,7 +1,7 @@ # Component: `aws-waf-acl` -This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group. - +This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule +group. ## Usage 
@@ -24,21 +24,22 @@ components: metric_name: "default" sampled_requests_enabled: false managed_rule_group_statement_rules: - - name: "OWASP-10" - # Rules are processed in order based on the value of priority, lowest number first - priority: 1 - - statement: - name: AWSManagedRulesCommonRuleSet - vendor_name: AWS - - visibility_config: - # Defines and enables Amazon CloudWatch metrics and web request sample collection. - cloudwatch_metrics_enabled: false - metric_name: "OWASP-10" - sampled_requests_enabled: false + - name: "OWASP-10" + # Rules are processed in order based on the value of priority, lowest number first + priority: 1 + + statement: + name: AWSManagedRulesCommonRuleSet + vendor_name: AWS + + visibility_config: + # Defines and enables Amazon CloudWatch metrics and web request sample collection. + cloudwatch_metrics_enabled: false + metric_name: "OWASP-10" + sampled_requests_enabled: false ``` + ## Requirements @@ -128,10 +129,11 @@ components: | [id](#output\_id) | The ID of the WAF WebACL. | | [logging\_config\_id](#output\_logging\_config\_id) | The ARN of the WAFv2 Web ACL logging configuration. | - + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/waf) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/waf) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/modules/zscaler/README.md b/modules/zscaler/README.md index 97843df14..c736f0109 100644 --- a/modules/zscaler/README.md +++ b/modules/zscaler/README.md 
@@ -2,7 +2,9 @@ This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs. -Prior to provisioning this component, it is required that a SecureString SSM Parameter containing the ZScaler App Connector Provisioning Key is populated in each account corresponding to the regional stack the component is deployed to, with the name of the SSM Parameter matching the value of `var.zscaler_key`. +Prior to provisioning this component, it is required that a SecureString SSM Parameter containing the ZScaler App +Connector Provisioning Key is populated in each account corresponding to the regional stack the component is deployed +to, with the name of the SSM Parameter matching the value of `var.zscaler_key`. This parameter should be populated using `chamber`, which is included in the geodesic image: @@ -10,7 +12,8 @@ This parameter should be populated using `chamber`, which is included in the geo chamber write zscaler key ``` -Where `` is the ZScaler App Connector Provisioning Key. For more information on how to generate this key, see: [ZScaler documentation on Configuring App Connectors](https://help.zscaler.com/zpa/configuring-connectors). +Where `` is the ZScaler App Connector Provisioning Key. For more information on how to generate this key, see: +[ZScaler documentation on Configuring App Connectors](https://help.zscaler.com/zpa/configuring-connectors). ## Usage @@ -26,7 +29,8 @@ components: zscaler_count: 2 ``` -Preferably, regional stack configurations can be kept _DRY_ by importing `catalog/zscaler` via the `imports` list at the top of the configuration. +Preferably, regional stack configurations can be kept _DRY_ by importing `catalog/zscaler` via the `imports` list at the +top of the configuration. ``` import: @@ -34,6 +38,7 @@ import: - catalog/zscaler ``` + ## Requirements 
@@ -106,8 +111,11 @@ import: | [instance\_id](#output\_instance\_id) | Instance ID | | [private\_ip](#output\_private\_ip) | Private IP of the instance | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/zscaler) - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/zscaler) - + Cloud Posse's upstream component [](https://cpco.io/component) From 3995e5bafe9a3c8acfe0bf30398ae02e1f036834 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 12:56:30 -0800 Subject: [PATCH 02/11] new lines for all admonitions --- modules/spacelift/README.md | 239 +++++++++++++++++++++--------------- modules/tgw/README.md | 49 +++++--- 2 files changed, 173 insertions(+), 115 deletions(-) diff --git a/modules/spacelift/README.md b/modules/spacelift/README.md index a18a0fe99..4adc6c1d4 100644 --- a/modules/spacelift/README.md +++ b/modules/spacelift/README.md 
@@ -1,14 +1,23 @@ # Spacelift -These components are responsible for setting up Spacelift and include three components: `spacelift/admin-stack`, `spacelift/spaces`, and `spacelift/worker-pool`. +These components are responsible for setting up Spacelift and include three components: `spacelift/admin-stack`, +`spacelift/spaces`, and `spacelift/worker-pool`. -Spacelift is a specialized, Terraform-compatible continuous integration and deployment (CI/CD) platform for infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience with large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. +Spacelift is a specialized, Terraform-compatible continuous integration and deployment (CI/CD) platform for +infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience +with large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. ## Stack Configuration -Spacelift exists outside of the AWS ecosystem, so we define these components as unique to our standard stack organization. Spacelift Spaces are required before tenant-specific stacks are created in Spacelift, and the root administrator stack, referred to as `root-gbl-spacelift-admin-stack`, also does not belong to a specific tenant. Therefore, we define both outside of the standard `core` or `plat` stacks directories. That root administrator stack is responsible for creating the tenant-specific administrator stacks, `core-gbl-spacelift-admin-stack` and `plat-gbl-spacelift-admin-stack`. +Spacelift exists outside of the AWS ecosystem, so we define these components as unique to our standard stack +organization. Spacelift Spaces are required before tenant-specific stacks are created in Spacelift, and the root +administrator stack, referred to as `root-gbl-spacelift-admin-stack`, also does not belong to a specific tenant. 
+Therefore, we define both outside of the standard `core` or `plat` stacks directories. That root administrator stack is +responsible for creating the tenant-specific administrator stacks, `core-gbl-spacelift-admin-stack` and +`plat-gbl-spacelift-admin-stack`. -Our solution is to define a spacelift-specific configuration file per Spacelift Space. Typically our Spaces would be `root`, `core`, and `plat`, so we add three files: +Our solution is to define a spacelift-specific configuration file per Spacelift Space. Typically our Spaces would be +`root`, `core`, and `plat`, so we add three files: ```diff + stacks/orgs/NAMESPACE/spacelift.yaml 
@@ -18,28 +27,32 @@ Our solution is to define a spacelift-specific configuration file per Spacelift ### Global Configuration -In order to apply common Spacelift configuration to all stacks, we need to set a few global Spacelift settings. The `pr-comment-triggered` label will be required to trigger stacks with GitHub comments but is not required otherwise. More on triggering Spacelift stacks to follow. +In order to apply common Spacelift configuration to all stacks, we need to set a few global Spacelift settings. The +`pr-comment-triggered` label will be required to trigger stacks with GitHub comments but is not required otherwise. More +on triggering Spacelift stacks to follow. Add the following to `stacks/orgs/NAMESPACE/_defaults.yaml`: + ```yaml - settings: - spacelift: - workspace_enabled: true # enable spacelift by default - before_apply: - - spacelift-configure-paths - before_init: - - spacelift-configure-paths - - spacelift-write-vars - - spacelift-tf-workspace - before_plan: - - spacelift-configure-paths - labels: - - pr-comment-triggered +settings: + spacelift: + workspace_enabled: true # enable spacelift by default + before_apply: + - spacelift-configure-paths + before_init: + - spacelift-configure-paths + - spacelift-write-vars + - spacelift-tf-workspace + before_plan: + - spacelift-configure-paths + labels: + - pr-comment-triggered ``` Furthermore, specify additional tenant-specific Space configuration for both `core` and `plat` tenants. For example, for `core` add the following to `stacks/orgs/NAMESPACE/core/_defaults.yaml`: + ```yaml terraform: settings: @@ -48,6 +61,7 @@ terraform: ``` And for `plat` add the following to `stacks/orgs/NAMESPACE/plat/_defaults.yaml`: + ```yaml terraform: settings: 
@@ -55,12 +69,14 @@ terraform: space_name: plat ``` - ### Spacelift `root` Space -The `root` Space in Spacelift is responsible for deploying the root adminstrator stack, `admin-stack`, and the Spaces component, `spaces`. This Spaces component also includes Spacelift policies. Since the root adminstrator stack is unique to tenants, we modify the stack context to create a unique stack slug, `root-gbl-spacelift`. +The `root` Space in Spacelift is responsible for deploying the root adminstrator stack, `admin-stack`, and the Spaces +component, `spaces`. This Spaces component also includes Spacelift policies. Since the root adminstrator stack is unique +to tenants, we modify the stack context to create a unique stack slug, `root-gbl-spacelift`. `stacks/orgs/NAMESPACE/spacelift.yaml`: + ```yaml import: - mixins/region/global-region @@ -102,7 +118,6 @@ components: # this creates policies for the children (admin) stacks child_policy_attachments: - TRIGGER Global administrator - ``` #### Deployment @@ -114,6 +129,7 @@ The following steps assume that you've already authenticated with Spacelift loca ::: First deploy Spaces and policies with the `spaces` component: + ```bash atmos terraform apply spaces -s root-gbl-spacelift ``` @@ -121,11 +137,13 @@ atmos terraform apply spaces -s root-gbl-spacelift In the Spacelift UI, you should see each Space and each policy. Next, deploy the `root` `admin-stack` with the following: + ```bash atmos terraform apply admin-stack -s root-gbl-spacelift ``` -Now in the Spacelift UI, you should see the administrator stacks created. Typically these should look similiar to the following: +Now in the Spacelift UI, you should see the administrator stacks created. Typically these should look similiar to the +following: ```diff + root-gbl-spacelift-admin-stack 
@@ -137,18 +155,23 @@ Now in the Spacelift UI, you should see the administrator stacks created. Typica :::info -The `spacelift/worker-pool` component is deployed to a specific tenant, stage, and region but is still deployed by the root administrator stack. Verify the administrator stack by checking the `managed-by:` label. +The `spacelift/worker-pool` component is deployed to a specific tenant, stage, and region but is still deployed by the +root administrator stack. Verify the administrator stack by checking the `managed-by:` label. ::: Finally, deploy the Spacelift Worker Pool (change the stack-slug to match your configuration): + ```bash atmos terraform apply spacelift/worker-pool -s core-ue1-auto ``` ### Spacelift Tenant-Specific Spaces -A tenant-specific Space in Spacelift, such as `core` or `plat`, includes the administrator stack for that specific Space and _all_ components in the given tenant. This administrator stack uses `var.context_filters` to select all components in the given tenant and create Spacelift stacks for each. Similar to the root adminstrator stack, we again create a unique stack slug for each tenant. For example `core-gbl-spacelift` or `plat-gbl-spacelift`. +A tenant-specific Space in Spacelift, such as `core` or `plat`, includes the administrator stack for that specific Space +and _all_ components in the given tenant. This administrator stack uses `var.context_filters` to select all components +in the given tenant and create Spacelift stacks for each. Similar to the root adminstrator stack, we again create a +unique stack slug for each tenant. For example `core-gbl-spacelift` or `plat-gbl-spacelift`. For example, configure a `core` administrator stack with `stacks/orgs/NAMESPACE/core/spacelift.yaml`. 
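Review bot: the reflowed paragraphs carry spelling errors into the new lines: "adminstrator" appears twice in the `root` Space hunk (`@@ -55,12 +69,14 @@`) and once more in this hunk ("Similar to the root adminstrator stack"), and "similiar" appears in the `@@ -121,11 +137,13 @@` hunk ("these should look similiar to the following"). Since prettier already rewrote these lines, fixing them here costs nothing; otherwise they stay in the rendered docs.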
@@ -185,11 +208,14 @@ components: ``` Deploy the `core` `admin-stack` with the following: + ```bash atmos terraform apply admin-stack -s core-gbl-spacelift ``` -Create the same for the `plat` tenant in `stacks/orgs/NAMESPACE/plat/spacelift.yaml`, update the tenant and configuration as necessary, and deploy with the following: +Create the same for the `plat` tenant in `stacks/orgs/NAMESPACE/plat/spacelift.yaml`, update the tenant and +configuration as necessary, and deploy with the following: + ```bash atmos terraform apply admin-stack -s plat-gbl-spacelift ``` 
@@ -204,20 +230,27 @@ Cloud Posse recommends two options to trigger Spacelift stacks. Historically, all stacks were triggered with three `GIT_PUSH` policies: - 1. [GIT_PUSH Global Administrator](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.administrative.rego) triggers admin stacks - 2. [GIT_PUSH Proposed Run](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.proposed-run.rego) triggers Proposed runs (typically Terraform Plan) for all non-admin stacks on Pull Requests - 3. [GIT_PUSH Tracked Run](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.tracked-run.rego) triggers Tracked runs (typically Terraform Apply) for all non-admin stacks on merges into `main` +1. [GIT_PUSH Global Administrator](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.administrative.rego) + triggers admin stacks +2. [GIT_PUSH Proposed Run](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.proposed-run.rego) + triggers Proposed runs (typically Terraform Plan) for all non-admin stacks on Pull Requests +3. [GIT_PUSH Tracked Run](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/blob/main/catalog/policies/git_push.tracked-run.rego) + triggers Tracked runs (typically Terraform Apply) for all non-admin stacks on merges into `main` Attach these policies to stacks and Spacelift will trigger them on the respective git push. - ### Triggering with GitHub Comments (Preferred) -Atmos support for `atmos describe affected` made it possible to greatly improve Spacelift's triggering workflow. 
Now we can add a GitHub Action to collect all affected components for a given Pull Request and add a GitHub comment to the given PR with a formatted list of the affected stacks. Then Spacelift can watch for a GitHub comment event and then trigger stacks based on that comment. +Atmos support for `atmos describe affected` made it possible to greatly improve Spacelift's triggering workflow. Now we +can add a GitHub Action to collect all affected components for a given Pull Request and add a GitHub comment to the +given PR with a formatted list of the affected stacks. Then Spacelift can watch for a GitHub comment event and then +trigger stacks based on that comment. -In order to set up GitHub Comment triggers, first add the following `GIT_PUSH Plan Affected` policy to the `spaces` component. +In order to set up GitHub Comment triggers, first add the following `GIT_PUSH Plan Affected` policy to the `spaces` +component. For example, `stacks/catalog/spacelift/spaces.yaml` + ```yaml components: terraform: 
@@ -232,76 +265,77 @@ components: spaces: root: policies: -... - # This policy will automatically assign itself to stacks and is used to trigger stacks directly from the `cloudposse/github-action-atmos-affected-trigger-spacelift` GitHub action - # This is only used if said GitHub action is set to trigger on "comments" - "GIT_PUSH Plan Affected": - type: GIT_PUSH - labels: - - autoattach:pr-comment-triggered - body: | - package spacelift - - # This policy runs whenever a comment is added to a pull request. It looks for the comment body to contain either: - # /spacelift preview input.stack.id - # /spacelift deploy input.stack.id - # - # If the comment matches those patterns it will queue a tracked run (deploy) or a proposed run (preview). In the case of - # a proposed run, it will also cancel all of the other pending runs for the same branch. - # - # This is being used on conjunction with the GitHub actions `atmos-trigger-spacelift-feature-branch.yaml` and - # `atmos-trigger-spacelift-main-branch.yaml` in .github/workflows to automatically trigger a preview or deploy run based - # on the `atmos describe affected` output. 
- - track { - commented - contains(input.pull_request.comment, concat(" ", ["/spacelift", "deploy", input.stack.id])) - } - - propose { - commented - contains(input.pull_request.comment, concat(" ", ["/spacelift", "preview", input.stack.id])) - } - - # Ignore if the event is not a comment - ignore { - not commented - } - - # Ignore if the PR has a `spacelift-no-trigger` label - ignore { - input.pull_request.labels[_] = "spacelift-no-trigger" - } - - # Ignore if the PR is a draft and deesnt have a `spacelift-trigger` label - ignore { - input.pull_request.draft - not has_spacelift_trigger_label - } - - has_spacelift_trigger_label { - input.pull_request.labels[_] == "spacelift-trigger" - } - - commented { - input.pull_request.action == "commented" - } - - cancel[run.id] { - run := input.in_progress[_] - run.type == "PROPOSED" - run.state == "QUEUED" - run.branch == input.pull_request.head.branch - } - - # This is a random sample of 10% of the runs - sample { - millis := round(input.request.timestamp_ns / 1e6) - millis % 100 <= 10 - } +--- +# This policy will automatically assign itself to stacks and is used to trigger stacks directly from the `cloudposse/github-action-atmos-affected-trigger-spacelift` GitHub action +# This is only used if said GitHub action is set to trigger on "comments" +"GIT_PUSH Plan Affected": + type: GIT_PUSH + labels: + - autoattach:pr-comment-triggered + body: | + package spacelift + + # This policy runs whenever a comment is added to a pull request. It looks for the comment body to contain either: + # /spacelift preview input.stack.id + # /spacelift deploy input.stack.id + # + # If the comment matches those patterns it will queue a tracked run (deploy) or a proposed run (preview). In the case of + # a proposed run, it will also cancel all of the other pending runs for the same branch. 
+ # + # This is being used on conjunction with the GitHub actions `atmos-trigger-spacelift-feature-branch.yaml` and + # `atmos-trigger-spacelift-main-branch.yaml` in .github/workflows to automatically trigger a preview or deploy run based + # on the `atmos describe affected` output. + + track { + commented + contains(input.pull_request.comment, concat(" ", ["/spacelift", "deploy", input.stack.id])) + } + + propose { + commented + contains(input.pull_request.comment, concat(" ", ["/spacelift", "preview", input.stack.id])) + } + + # Ignore if the event is not a comment + ignore { + not commented + } + + # Ignore if the PR has a `spacelift-no-trigger` label + ignore { + input.pull_request.labels[_] = "spacelift-no-trigger" + } + + # Ignore if the PR is a draft and deesnt have a `spacelift-trigger` label + ignore { + input.pull_request.draft + not has_spacelift_trigger_label + } + + has_spacelift_trigger_label { + input.pull_request.labels[_] == "spacelift-trigger" + } + + commented { + input.pull_request.action == "commented" + } + + cancel[run.id] { + run := input.in_progress[_] + run.type == "PROPOSED" + run.state == "QUEUED" + run.branch == input.pull_request.head.branch + } + + # This is a random sample of 10% of the runs + sample { + millis := round(input.request.timestamp_ns / 1e6) + millis % 100 <= 10 + } ``` -This policy will automatically attach itself to _all_ components that have the `pr-comment-triggered` label, already defined in `stacks/orgs/NAMESPACE/_defaults.yaml` under `settings.spacelift.labels`. +This policy will automatically attach itself to _all_ components that have the `pr-comment-triggered` label, already +defined in `stacks/orgs/NAMESPACE/_defaults.yaml` under `settings.spacelift.labels`. Next, create two new GitHub Action workflows: 
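Review bot: the `-...` line under `policies:` has been turned into `+---`, which changes the meaning of the example: prettier read the `...` (intended as "content omitted") as a YAML document-end marker and emitted an explicit document start, so `"GIT_PUSH Plan Affected":` is now a key in a second, top-level document rather than an entry under `components.terraform.spaces.vars.spaces.root.policies`, which is what the prose above ("add the following policy to the `spaces` component") describes. Replace the ellipsis with a YAML comment (`# ...`) so prettier keeps the nesting. Two smaller points in the same hunk: the Rego comment "This is a random sample of 10% of the runs" does not match `millis % 100 <= 10`, which is true for the eleven residues 0 through 10 (use `< 10` for ten percent), and the comments still read "on conjunction" and "deesnt" ("in conjunction", "doesn't"); the `spacelift-no-trigger` rule also uses `=` where every other comparison in the policy uses `==`.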
@@ -310,9 +344,11 @@ Next, create two new GitHub Action workflows: + .github/workflows/atmos-trigger-spacelift-main-branch.yaml ``` -The feature branch workflow will create a comment event in Spacelift to run a Proposed run for a given stack. Whereas the main branch workflow will create a comment event in Spacelift to run a Deploy run for those same stacks. +The feature branch workflow will create a comment event in Spacelift to run a Proposed run for a given stack. Whereas +the main branch workflow will create a comment event in Spacelift to run a Deploy run for those same stacks. #### Feature Branch + ```yaml name: "Plan Affected Spacelift Stacks" @@ -337,11 +373,13 @@ jobs: ``` This will add a GitHub comment such as: + ``` /spacelift preview plat-ue1-sandbox-foobar ``` #### Main Branch + ```yaml name: "Deploy Affected Spacelift Stacks" @@ -366,6 +404,7 @@ jobs: ``` This will add a GitHub comment such as: + ``` /spacelift deploy plat-ue1-sandbox-foobar ``` diff --git a/modules/tgw/README.md b/modules/tgw/README.md index 68103f870..8d191c74d 100644 --- a/modules/tgw/README.md +++ b/modules/tgw/README.md 
@@ -1,27 +1,37 @@ # Transit Gateway: `tgw` -AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once. +AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. +This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a +highly scalable cloud router—each new connection is made only once. For more on Transit Gateway, see [the AWS documentation](https://aws.amazon.com/transit-gateway/). ## Requirements -In order to connect accounts with Transit Gateway, we deploy Transit Gateway to a central account, typically `core-network`, and then deploy Transit Gateway attachments for each connected account. Each connected accounts needs a Transit Gateway attachment for the given account's VPC, either by VPC attachment or by Peering Connection attachment. Furthermore, each private subnet in each connected VPC needs to explicitly list the CIDRs for all allowed connections. +In order to connect accounts with Transit Gateway, we deploy Transit Gateway to a central account, typically +`core-network`, and then deploy Transit Gateway attachments for each connected account. Each connected accounts needs a +Transit Gateway attachment for the given account's VPC, either by VPC attachment or by Peering Connection attachment. +Furthermore, each private subnet in each connected VPC needs to explicitly list the CIDRs for all allowed connections. ## Solution -First we deploy the Transit Gateway Hub, `tgw/hub`, to a central network account. The component prepares the Transit Gateway network with the following steps: +First we deploy the Transit Gateway Hub, `tgw/hub`, to a central network account. 
The component prepares the Transit +Gateway network with the following steps: 1. Provision Transit Gateway in the network account 2. Collect VPC and EKS component output from every account connected to Transit Gateway 3. Share the Transit Gateway with the Organization using Resource Access Manager (RAM) -By using the `tgw/hub` component to collect Terraform output from connected accounts, only this single component requires access to the Terraform state of all connected accounts. +By using the `tgw/hub` component to collect Terraform output from connected accounts, only this single component +requires access to the Terraform state of all connected accounts. -Next we deploy `tgw/spoke` to the network account and then to every connected account. This spoke component connects the given account to the central hub and any listed connection with the following steps: +Next we deploy `tgw/spoke` to the network account and then to every connected account. This spoke component connects the +given account to the central hub and any listed connection with the following steps: -1. Create a Transit Gateway VPC attachment in the spoke account. This connects the account's VPC to the shared Transit Gateway from the hub account. -2. Define all allowed routes for private subnets. Each private subnet in an account's VPC has it's own route table. This route table needs to explicitly list any allowed connection to another account's VPC CIDR. +1. Create a Transit Gateway VPC attachment in the spoke account. This connects the account's VPC to the shared Transit + Gateway from the hub account. +2. Define all allowed routes for private subnets. Each private subnet in an account's VPC has it's own route table. This + route table needs to explicitly list any allowed connection to another account's VPC CIDR. 3. (Optional) Create an EKS Cluster Security Group rule to allow traffic to the cluster in the given account. ## Implementation 
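Review bot: two grammar slips are carried from the old lines into the reflowed ones in this hunk: "Each connected accounts needs a Transit Gateway attachment" should read "Each connected account needs", and "Each private subnet in an account's VPC has it's own route table" should read "has its own route table".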
@@ -150,7 +160,6 @@ tgw/spoke: - account: tenant: core stage: auto - ``` ### Alternate Regions @@ -161,15 +170,20 @@ In order to connect any account to the network, the given account needs: 2. An attachment for the given Transit Gateway hub 3. Routes to and from each private subnet -However, sharing the Transit Gateway hub via RAM is only supported in the same region as the primary hub. Therefore, we must instead deploy a new hub in the alternate region and create a [Transit Gateway Peering Connection](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html) between the two Transit Gateway hubs. +However, sharing the Transit Gateway hub via RAM is only supported in the same region as the primary hub. Therefore, we +must instead deploy a new hub in the alternate region and create a +[Transit Gateway Peering Connection](https://docs.aws.amazon.com/vpc/latest/tgw/tgw-peering.html) between the two +Transit Gateway hubs. -Furthermore, since this Transit Gateway hub for the alternate region is now peered, we must create a Peering Transit Gateway attachment, opposed to a VPC Transit Gateway Attachment. +Furthermore, since this Transit Gateway hub for the alternate region is now peered, we must create a Peering Transit +Gateway attachment, opposed to a VPC Transit Gateway Attachment. #### Cross Region Deployment 1. Deploy `tgw/hub` and `tgw/spoke` into the primary region as described in [Implementation](#implementation) -2. Deploy `tgw/hub` and `tgw/cross-region-hub` into the new region in the network account. See the following configuration: +2. Deploy `tgw/hub` and `tgw/cross-region-hub` into the new region in the network account. See the following + configuration: ```yaml # stacks/catalog/tgw/cross-region-hub 
@@ -343,13 +357,17 @@ tgw/spoke: ## Destruction -When destroying Transit Gateway components, order of operations matters. Always destroy any removed `tgw/spoke` components before removing a connection from the `tgw/hub` component. +When destroying Transit Gateway components, order of operations matters. Always destroy any removed `tgw/spoke` +components before removing a connection from the `tgw/hub` component. -The `tgw/hub` component creates map of VPC resources that each `tgw/spoke` component references. If the required reference is removed before the `tgw/spoke` is destroyed, Terraform will fail to destroy the given `tgw/spoke` component. +The `tgw/hub` component creates map of VPC resources that each `tgw/spoke` component references. If the required +reference is removed before the `tgw/spoke` is destroyed, Terraform will fail to destroy the given `tgw/spoke` +component. :::info Pro Tip! -[Atmos Workflows](https://atmos.tools/core-concepts/workflows/) make applying and destroying Transit Gateway much easier! For example, to destroy components in the correct order, use a workflow similiar to the following: +[Atmos Workflows](https://atmos.tools/core-concepts/workflows/) make applying and destroying Transit Gateway much +easier! For example, to destroy components in the correct order, use a workflow similiar to the following: ```yaml # stacks/workflows/network.yaml @@ -395,4 +413,5 @@ Releasing state lock. This may take a few moments... exit status 1 ``` -This is caused by Terraform attempting to create the replacement VPC attachment before the original is completely destroyed. Retry the apply. Now you should see only "create" actions. +This is caused by Terraform attempting to create the replacement VPC attachment before the original is completely +destroyed. Retry the apply. Now you should see only "create" actions. From b2b4f3a4bc48cf7a4291d57d5c099ecd7017d205 Mon Sep 17 00:00:00 2001 
From: milldr Date: Fri, 8 Mar 2024 13:01:44 -0800 Subject: [PATCH 03/11] new lines for joined paragraphs --- modules/aurora-mysql-resources/README.md | 6 ++++-- modules/aurora-postgres/README.md | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/aurora-mysql-resources/README.md b/modules/aurora-mysql-resources/README.md index 455544728..c8e8c5ad1 100644 --- a/modules/aurora-mysql-resources/README.md +++ b/modules/aurora-mysql-resources/README.md @@ -25,8 +25,10 @@ components: enabled: true ``` -Example (not actual) `stacks/uw2-dev.yaml` file (override the default settings for the cluster resources in the `dev` -account, create an additional database and user): +Example (not actual): + +`stacks/uw2-dev.yaml` file (override the default settings for the cluster resources in the `dev` account, create an +additional database and user): ```yaml import: diff --git a/modules/aurora-postgres/README.md b/modules/aurora-postgres/README.md index 4a2ac2e9c..56a9e59d2 100644 --- a/modules/aurora-postgres/README.md +++ b/modules/aurora-postgres/README.md @@ -57,8 +57,10 @@ components: stage: auto ``` -Example (not actual) `stacks/uw2-dev.yaml` file (override the default settings for the cluster in the `dev` account, -create an additional database and user): +Example (not actual): + +`stacks/uw2-dev.yaml` file (override the default settings for the cluster in the `dev` account, create an additional +database and user): ```yaml import: From d78f1234060a1d710a5ee64373ec8c017a7e356d Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:08:54 -0800 Subject: [PATCH 04/11] bumped to latest version --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0740390ad..02430bf57 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -48,7 +48,7 @@ repos: pass_filenames: false - repo: https://github.com/pre-commit/mirrors-prettier - rev: v2.7.1 + rev: v3.1.0 hooks: - id: prettier name: prettier From 30ac446e8483e626ba566e17ca9d862fe196a0f3 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:13:08 -0800 Subject: [PATCH 05/11] pre-commit run --all-files --- .github/ISSUE_TEMPLATE/bug_report.md | 18 +- .github/ISSUE_TEMPLATE/feature_request.md | 13 +- .pre-commit-config.yaml | 21 +- CHANGELOG.md | 2238 +++++++++-------- README.md | 178 +- docs/targets.md | 3 + .../account-map/modules/iam-roles/README.md | 20 +- .../modules/roles-to-principals/README.md | 21 +- modules/argocd-repo/CHANGELOG.md | 30 +- modules/aws-backup/README.md | 1 - modules/aws-sso/CHANGELOG.md | 46 +- modules/datadog-integration/CHANGELOG.md | 25 +- modules/datadog-lambda-forwarder/CHANGELOG.md | 12 +- modules/datadog-logs-archive/README.md | 141 +- modules/datadog-monitor/CHANGELOG.md | 4 +- .../CHANGELOG.md | 20 +- modules/datadog-synthetics/CHANGELOG.md | 15 +- modules/dynamodb/README.md | 3 +- modules/eks/alb-controller/CHANGELOG.md | 24 +- modules/eks/argocd/CHANGELOG.md | 66 +- modules/eks/cluster/CHANGELOG.md | 355 ++- modules/eks/datadog-agent/CHANGELOG.md | 77 +- modules/eks/echo-server/CHANGELOG.md | 33 +- .../external-secrets-operator/CHANGELOG.md | 6 +- .../eks/github-actions-runner/CHANGELOG.md | 117 +- modules/eks/karpenter/CHANGELOG.md | 47 +- modules/kms/README.md | 91 +- modules/macie/README.md | 2 - modules/opsgenie-team/CHANGELOG.md | 13 +- .../modules/README.md | 10 +- .../modules/webhook-github-app/README.md | 31 +- modules/redshift/CHANGELOG.md | 6 +- modules/spa-s3-cloudfront/CHANGELOG.md | 35 +- modules/spa-s3-cloudfront/README.md | 2 +- modules/sso-saml-provider/README.md | 2 +- modules/tgw/CHANGELOG.md | 20 +- 36 files changed, 1947 insertions(+), 1799 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index baddda8e7..1722d9473 100644 
--- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -1,10 +1,9 @@ --- name: Bug report about: Create a report to help us improve -title: '' -labels: 'bug' -assignees: '' - +title: "" +labels: "bug" +assignees: "" --- Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help. @@ -12,26 +11,33 @@ Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help. [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) ## Describe the Bug + A clear and concise description of what the bug is. ## Expected Behavior + A clear and concise description of what you expected to happen. ## Steps to Reproduce + Steps to reproduce the behavior: + 1. Go to '...' 2. Run '....' 3. Enter '....' 4. See error ## Screenshots + If applicable, add screenshots or logs to help explain your problem. ## Environment (please complete the following information): Anything that will help us triage the bug will help. Here are some ideas: - - OS: [e.g. Linux, OSX, WSL, etc] - - Version [e.g. 10.15] + +- OS: [e.g. Linux, OSX, WSL, etc] +- Version [e.g. 10.15] ## Additional Context + Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 44cdd4a43..5ec5bfc31 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -1,13 +1,13 @@ --- name: Feature Request about: Suggest an idea for this project -title: '' -labels: 'feature request' -assignees: '' - +title: "" +labels: "feature request" +assignees: "" --- -Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/). +Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our +[Slack Archive](https://archive.sweetops.com/). [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) @@ -21,7 +21,8 @@ A clear and concise description of what you expected to happen. ## Use Case -Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context of why this feature or capability will be valuable. +Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context +of why this feature or capability will be valuable. ## Describe Ideal Solution diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 02430bf57..9f8455073 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,6 +37,19 @@ repos: - id: terraform_docs args: ["--args=--lockfile=false"] + - repo: https://github.com/pre-commit/mirrors-prettier + rev: v3.1.0 + hooks: + - id: prettier + name: prettier + entry: prettier --write --prose-wrap always --print-width 120 + types: ["markdown"] + exclude: | + (?x)^( + deprecated + modules + )$ + - repo: local hooks: - id: rebuild-mixins-docs @@ -46,11 +59,3 @@ repos: types: ["text"] files: (mixins\/.*|bin\/rebuild-mixins-docs\.sh) pass_filenames: false - - - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.1.0 - hooks: - - id: prettier - name: prettier - entry: prettier --write --prose-wrap always --print-width 120 - types: ["markdown"] diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f1a70dc6..b9c7cf94b 100644 --- a/CHANGELOG.md 
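Review bot: the `exclude` pattern added to the prettier hook in the `.pre-commit-config.yaml` hunk (`@@ -37,6 +39,19 @@`) does not exclude anything. With `(?x)` verbose mode the whitespace is ignored, so `^( deprecated modules )$` becomes `^(deprecatedmodules)$`, which only matches a file whose full path is literally `deprecatedmodules`; the entries need a `|` separator and a path component (`deprecated/.*|` and `modules/.*`) to skip those directories. The fact that this same commit reformats files under `modules/` (for example `modules/argocd-repo/CHANGELOG.md` in the diffstat) confirms the exclude is a no-op; either fix the regex or, if formatting `modules/` is intended, drop the `exclude` block so the config states what it actually does.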
+++ b/CHANGELOG.md @@ -6,28 +6,32 @@ Aurora Postgres Engine Options @milldr (#845) ### what + - Add scaling configuration variables for both Serverless and Serverless v2 to `aurora-postgres` - Update `aurora-postgres` README ### why + - Support both serverless options - Add an explanation for how to configure each, and where to find valid engine options ### references + - n/a - ## 1.297.0 (2023-08-28T18:06:11Z)
AWS provider V5 dependency updates @max-lobur (#729) ### what -* Update component dependencies for the AWS provider V5 + +- Update component dependencies for the AWS provider V5 Requested components: + - cloudtrail-bucket - config-bucket - datadog-logs-archive @@ -38,13 +42,11 @@ Requested components: - eks/external-secrets-operator ### why -* Maintenance - +- Maintenance
- ## 1.296.0 (2023-08-28T16:24:05Z)
@@ -62,51 +64,54 @@ Requested components: ### references -
- ## 1.295.0 (2023-08-26T00:51:10Z)
TGW FAQ and Spoke Alternate VPC Support @milldr (#840) ### what + - Added FAQ to the TGW upgrade guide for replacing attachments - Added note about destroying TGW components - Added option to not create TGW propagation and association when connecting an alternate VPC ### why -- When connecting an alternate VPC in the same region as the primary VPC, we do not want to create a duplicate TGW propagation and association + +- When connecting an alternate VPC in the same region as the primary VPC, we do not want to create a duplicate TGW + propagation and association ### references -- n/a +- n/a
- ## 1.294.0 (2023-08-26T00:07:42Z)
Aurora Upstream: Serverless, Tags, Enabled: False @milldr (#841) ### what + - Set `module.context` to `module.cluster` across all resources - Only set parameter for replica if cluster size is > 0 - `enabled: false` support ### why + - Missing tags for SSM parameters for cluster attributes -- Serverless clusters set `cluster_size: 0`, which will break the SSM parameter for replica hostname (since it does not exist) +- Serverless clusters set `cluster_size: 0`, which will break the SSM parameter for replica hostname (since it does not + exist) - Support enabled false for `aurora-*-resources` components ### references + - n/a
- ## 1.293.2 (2023-08-24T15:50:53Z) ### 🚀 Enhancements @@ -115,18 +120,19 @@ Requested components: Update `root_stack` output in `modules/spacelift/admin-stack/outputs.tf` @aknysh (#837) ### what -* Update `root_stack` output in `modules/spacelift/admin-stack/outputs.tf` + +- Update `root_stack` output in `modules/spacelift/admin-stack/outputs.tf` ### why -* Fix the issue described in https://github.com/cloudposse/terraform-aws-components/issues/771 + +- Fix the issue described in https://github.com/cloudposse/terraform-aws-components/issues/771 ### related -* Closes https://github.com/cloudposse/terraform-aws-components/issues/771 +- Closes https://github.com/cloudposse/terraform-aws-components/issues/771 - ## 1.293.1 (2023-08-24T11:24:46Z) ### 🐛 Bug Fixes @@ -142,46 +148,46 @@ Requested components: - Fixes #828 - - ## 1.293.0 (2023-08-23T01:18:53Z)
Add visibility to default VPC component name @milldr (#833) ### what + - Set the default component name for `vpc` in variables, not remote-state ### why + - Bring visibility to where the default is set ### references -- Follow up on comments on #832 +- Follow up on comments on #832
- ## 1.292.0 (2023-08-22T21:33:18Z)
Aurora Optional `vpc` Component Names @milldr (#832) ### what + - Allow optional VPC component names in the aurora components ### why + - Support deploying the clusters for other VPC components than `"vpc"` ### references -- n/a +- n/a
- ## 1.291.1 (2023-08-22T20:25:17Z) ### 🐛 Bug Fixes @@ -192,6 +198,7 @@ Requested components: ### what For `aws-sso`: + - Fix root provider, improperly restored in #740 - Restore `SetSourceIdentity` permission inadvertently removed in #740 @@ -205,47 +212,46 @@ For `aws-sso`: - #740 - #738 - - ## 1.291.0 (2023-08-22T17:08:27Z)
chore: remove defaults from components @dudymas (#831) ### what -* remove `defaults.auto.tfvars` from component modules + +- remove `defaults.auto.tfvars` from component modules ### why -* in favor of drying up configuration using atmos + +- in favor of drying up configuration using atmos ### Notes -* Some defaults may not be captured yet. Regressions might occur. +- Some defaults may not be captured yet. Regressions might occur.
- ## 1.290.0 (2023-08-21T18:57:43Z)
Upgrade aws-config and conformance pack modules to 1.1.0 @johncblandii (#829) ### what -* Upgrade aws-config and conformance pack modules to 1.1.0 + +- Upgrade aws-config and conformance pack modules to 1.1.0 ### why -* They're outdated. + +- They're outdated. ### references - #771 -
- ## 1.289.2 (2023-08-21T08:53:08Z) ### 🐛 Bug Fixes @@ -255,7 +261,8 @@ For `aws-sso`: ### what -- [eks/alb-controller] Change name of local variable from `distributed_iam_policy_overridable` to `overridable_distributed_iam_policy` +- [eks/alb-controller] Change name of local variable from `distributed_iam_policy_overridable` to + `overridable_distributed_iam_policy` ### why @@ -263,7 +270,6 @@ For `aws-sso`: - ## 1.289.1 (2023-08-19T05:20:26Z) ### 🐛 Bug Fixes @@ -279,49 +285,50 @@ For `aws-sso`: - Previous policy had error preventing the creation of the ELB service-linked role - - - ## 1.289.0 (2023-08-18T20:18:12Z)
Spacelift Alternate git Providers @milldr (#825) ### what + - set alternate git provider blocks to filter under `settings.spacelift` ### why + - Debugging GitLab support specifically - These settings should be defined under `settings.spacelift`, not as a top-level configuration ### references -- n/a +- n/a
- ## 1.288.0 (2023-08-18T15:12:16Z)
Placeholder for `upgrade-guide.md` @milldr (#823) ### what + - Added a placeholder file for `docs/upgrade-guide.md` with a basic explanation of what is to come ### why -- With #811 we moved the contents of this upgrade-guide file to the individual component. We plan to continue adding upgrade guides for individual components, and in addition, create a higher-level upgrade guide here -- However, the build steps for refarch-scaffold expect `docs/upgrade-guide.md` to exist and are failing without it. We need a placeholder until the `account-map`, etc changes are added to this file + +- With #811 we moved the contents of this upgrade-guide file to the individual component. We plan to continue adding + upgrade guides for individual components, and in addition, create a higher-level upgrade guide here +- However, the build steps for refarch-scaffold expect `docs/upgrade-guide.md` to exist and are failing without it. We + need a placeholder until the `account-map`, etc changes are added to this file ### references -- Example of failing release: https://github.com/cloudposse/refarch-scaffold/actions/runs/5885022872 +- Example of failing release: https://github.com/cloudposse/refarch-scaffold/actions/runs/5885022872
- ## 1.287.2 (2023-08-18T14:42:49Z) ### 🚀 Enhancements @@ -330,11 +337,13 @@ For `aws-sso`: update boolean logic @mcalhoun (#822) ### what -* Update the GuardDuty component to enable GuardDuty on the root account + +- Update the GuardDuty component to enable GuardDuty on the root account ### why -The API call to designate organization members now fails with the following if GuardDuty was not already enabled in the organization management (root) account : +The API call to designate organization members now fails with the following if GuardDuty was not already enabled in the +organization management (root) account : ``` Error: error designating guardduty administrator account members: [{ @@ -343,10 +352,8 @@ Error: error designating guardduty administrator account members: [{ │ }] ``` - - ## 1.287.1 (2023-08-17T16:41:24Z) ### 🚀 Enhancements @@ -355,7 +362,7 @@ Error: error designating guardduty administrator account members: [{ chore: Remove unused @MaxymVlasov (#818) - # why +# why ``` TFLint in components/terraform/eks/cluster/: @@ -376,26 +383,24 @@ Warning: [Fixable] variable "aws_teams_rbac" is declared but not used (terraform Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_unused_declarations.md ``` - - ## 1.287.0 (2023-08-17T15:52:57Z)
Update `remote-states` modules to the latest version @aknysh (#820) ### what -* Update `remote-states` modules to the latest version -### why -* `remote-state` version `1.5.0` uses the latest version of `terraform-provider-utils` which uses the latest version of Atmos with many new features and improvements +- Update `remote-states` modules to the latest version +### why +- `remote-state` version `1.5.0` uses the latest version of `terraform-provider-utils` which uses the latest version of + Atmos with many new features and improvements
- ## 1.286.0 (2023-08-17T05:49:45Z)
@@ -422,24 +427,23 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0
- ## 1.285.0 (2023-08-17T05:49:09Z)
Update api-gateway-account-settings README.md @johncblandii (#819) ### what -* Updated the title + +- Updated the title ### why -* It was an extra helping of copy/pasta -### references +- It was an extra helping of copy/pasta +### references
- ## 1.284.0 (2023-08-17T02:10:47Z)
@@ -448,24 +452,26 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 ### what - Update Datadog components: - - `eks/datadog-agent` see `eks/datadog-agent/CHANGELOG.md` - - `datadog-configuration` better handling of `enabled = false` - - `datadog-integration` move "module count" back to "module" for better compatibility and maintainability, see `datadog-integration/CHANGELOG.md` - - `datadog-lambda-forwared` fix issues around `enable = false` and incomplete destruction of resources (particularly log groups) see `datadog-lambda-forwarder/CHANGELOG.md` - - Cleanup `datadog-monitor` see `datadog-monitor/CHANGELOG.md` for details. Possible breaking change in that several inputs have been removed, but they were previously ignored anyway, so no infrastructure change should result from you simply removing any inputs you had for the removed inputs. - - Update `datadog-sythetics` dependency `remote-state` version - - `datadog-synthetics-private-location` migrate control of namespace to `helm-release` module. Possible destruction and recreation of component on upgrade. See CHANGELOG.md + - `eks/datadog-agent` see `eks/datadog-agent/CHANGELOG.md` + - `datadog-configuration` better handling of `enabled = false` + - `datadog-integration` move "module count" back to "module" for better compatibility and maintainability, see + `datadog-integration/CHANGELOG.md` + - `datadog-lambda-forwared` fix issues around `enable = false` and incomplete destruction of resources (particularly + log groups) see `datadog-lambda-forwarder/CHANGELOG.md` + - Cleanup `datadog-monitor` see `datadog-monitor/CHANGELOG.md` for details. Possible breaking change in that several + inputs have been removed, but they were previously ignored anyway, so no infrastructure change should result from + you simply removing any inputs you had for the removed inputs. 
+ - Update `datadog-sythetics` dependency `remote-state` version + - `datadog-synthetics-private-location` migrate control of namespace to `helm-release` module. Possible destruction + and recreation of component on upgrade. See CHANGELOG.md ### why - More reliable deployments, especially when destroying or disabling them - Bug fixes and new features - -
- ## 1.283.0 (2023-08-16T17:23:39Z)
@@ -492,16 +498,15 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 Update storage-class efs component documentation @max-lobur (#817) ### what -* Update storage-class efs component defaults -### why -* Follow component move outside of eks dir +- Update storage-class efs component defaults +### why +- Follow component move outside of eks dir
- ## 1.282.1 (2023-08-15T21:48:02Z) ### 🐛 Bug Fixes @@ -517,28 +522,27 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 ### why - Bug fix: Karpenter did not work when legacy mode disabled -- Originally we expected to use Karpenter-only clusters and the documentation and defaults aligned with this. Now we recommend all Add-Ons be deployed to a managed node group, but the defaults and documentation did not reflect this. - - +- Originally we expected to use Karpenter-only clusters and the documentation and defaults aligned with this. Now we + recommend all Add-Ons be deployed to a managed node group, but the defaults and documentation did not reflect this. - ## 1.282.0 (2023-08-14T16:05:08Z)
Upstream the latest ecs-service module @goruha (#810) ### what -* Upsteam the latest `ecs-service` component + +- Upsteam the latest `ecs-service` component ### why -* Support ecspresso deployments -* Support s3 task definition mirroring -* Support external ALB/NLN components -
+- Support ecspresso deployments +- Support s3 task definition mirroring +- Support external ALB/NLN components + ## 1.281.0 (2023-08-14T09:10:42Z) @@ -546,20 +550,21 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 Refactor Changelog @milldr (#811) ### what + - moved changelog for individual components - changed title ### why + - Title changelogs consistently by components version - Separate changes by affected components ### references -- https://github.com/cloudposse/knowledge-base/discussions/132 +- https://github.com/cloudposse/knowledge-base/discussions/132 - ## 1.280.1 (2023-08-14T08:06:42Z) ### 🚀 Enhancements @@ -569,7 +574,8 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 ### what -- Fix eks/cluster `node_group_defaults` to default to legal (empty) values for `kubernetes_labels` and `kubernetes_taints` +- Fix eks/cluster `node_group_defaults` to default to legal (empty) values for `kubernetes_labels` and + `kubernetes_taints` - Increase eks/cluster managed node group default disk size from 20 to 50 GB ### why @@ -579,7 +585,6 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 - ## 1.280.0 (2023-08-11T20:13:45Z)
@@ -588,7 +593,8 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0 ### Why: - `cloudposse/ssm-parameter-store/aws` was out of date -- There are no new [changes](https://github.com/cloudposse/terraform-aws-ssm-parameter-store/releases/tag/0.11.0) incorporated but just wanted to standardize new modules to updated version +- There are no new [changes](https://github.com/cloudposse/terraform-aws-ssm-parameter-store/releases/tag/0.11.0) + incorporated but just wanted to standardize new modules to updated version ### What: @@ -607,120 +613,124 @@ Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0
- ## 1.279.0 (2023-08-11T16:39:01Z)
fix: restore argocd notification ssm lookups @dudymas (#764) ### what -* revert some changes to `argocd` component -* connect argocd notifications with ssm secrets -* remove `deployment_id` from `argocd-repo` component -* correct `app_hostname` since gha usually adds protocol + +- revert some changes to `argocd` component +- connect argocd notifications with ssm secrets +- remove `deployment_id` from `argocd-repo` component +- correct `app_hostname` since gha usually adds protocol ### why -* regressions with argocd notifications caused github actions to timeout -* `deployment_id` no longer needed for fascilitating communication between gha -and ArgoCD -* application urls were incorrect and problematic during troubleshooting +- regressions with argocd notifications caused github actions to timeout +- `deployment_id` no longer needed for fascilitating communication between gha and ArgoCD +- application urls were incorrect and problematic during troubleshooting
- ## 1.278.0 (2023-08-09T21:54:09Z)
Upstream `eks/keda` @milldr (#808) ### what + - Added the component `eks/keda` ### why + - We've deployed KEDA for a few customers now and the component should be upstreamed ### references -- n/a +- n/a
- ## 1.277.0 (2023-08-09T20:39:21Z)
Added Inputs for `elasticsearch` and `cognito` @milldr (#786) ### what + - Added `deletion_protection` for `cognito` - Added options for dedicated master for `elasticsearch` ### why + - Allow the default options to be customized ### references -- Customer requested additions +- Customer requested additions
- ## 1.276.1 (2023-08-09T20:30:36Z)
Update upgrade-guide.md Version @milldr (#807) ### what + - Set the version to the correct updated release ### why + - Needs to match correct version ### references + #804
- ### 🚀 Enhancements
feat: allow email to be configured at account level @sgtoj (#799) ### what -* allow email to be configured at account level + +- allow email to be configured at account level ### why -* to allow importing existing accounts with email address that does not met the organization standard naming format + +- to allow importing existing accounts with email address that does not met the organization standard naming format ### references -* n/a +- n/a
- ## 1.276.0 (2023-08-09T16:38:40Z)
Transit Gateway Cross-Region Support @milldr (#804) ### what + - Upgraded `tgw` components to support cross region connections - Added back `tgw/cross-region-hub-connector` with overhaul to support updated `tgw/hub` component ### why + - Deploy `tgw/cross-region-hub-connector` to create peered TGW hubs - Use `tgw/hub` both for in region and intra region connections ### references -- n/a +- n/a
- ## 1.275.0 (2023-08-09T02:53:39Z)
@@ -734,13 +744,11 @@ and ArgoCD - Fixes #797 - Supersedes and closes #798 -- Cloud Posse standard requires error-free operation and no resources created when `enabled` is `false`, but previously this component had several errors - - +- Cloud Posse standard requires error-free operation and no resources created when `enabled` is `false`, but previously + this component had several errors
- ## 1.274.2 (2023-08-09T00:13:36Z) ### 🚀 Enhancements @@ -750,17 +758,15 @@ and ArgoCD ### What: -- Added `enabled` parameter for `modules/aws-saml/modules/okta-user/main.tf` and `modules/datadog-private-location-ecs/main.tf` +- Added `enabled` parameter for `modules/aws-saml/modules/okta-user/main.tf` and + `modules/datadog-private-location-ecs/main.tf` ### Why: - No support for disabling the creation of the resources - - - ## 1.274.1 (2023-08-09T00:11:55Z) ### 🚀 Enhancements @@ -770,7 +776,8 @@ and ArgoCD ### What: -- Updated `bastion`, `redshift`, `rds`, `spacelift`, and `vpc` to utilize the newest version of `cloudposse/security-group/aws` +- Updated `bastion`, `redshift`, `rds`, `spacelift`, and `vpc` to utilize the newest version of + `cloudposse/security-group/aws` ### Why: @@ -780,27 +787,27 @@ and ArgoCD - [AWS Security Group Component](https://github.com/cloudposse/terraform-aws-security-group/compare/2.0.0-rc1...2.2.0) - - ## 1.274.0 (2023-08-08T17:03:41Z)
bug: update descriptions *_account_account_name variables @sgtoj (#801) ### what -* update descriptions `*_account_account_name` variables + +- update descriptions `*_account_account_name` variables - I replaced `stage` with `short` because that is the description used for the respective `outputs` entries ### why -* to help future implementors of CloudPosse's architectures + +- to help future implementors of CloudPosse's architectures ### references -* n/a -
+- n/a + ## 1.273.0 (2023-08-08T17:01:23Z) @@ -808,54 +815,57 @@ and ArgoCD docs: fix issue with eks/cluster usage snippet @sgtoj (#796) ### what + - update usage snippet in readme for `eks/cluster` component ### why + - fix incorrect shape for one of the items in `aws_team_roles_rbac` - improve consistency - remove variables that are not appliable for the component ### references -- n/a +- n/a - ## 1.272.0 (2023-08-08T17:00:32Z)
feat: filter out “SUSPENDED” accounts for account-map @sgtoj (#800) ### what -* filter out “SUSPENDED” accounts (aka accounts in waiting period for termination) for `account-map` component + +- filter out “SUSPENDED” accounts (aka accounts in waiting period for termination) for `account-map` component ### why -* suspended account cannot be used, so therefore it should not exist in the account-map -* allows for new _active_ accounts with same exact name of suspended account to exists and work with `account-map` + +- suspended account cannot be used, so therefore it should not exist in the account-map +- allows for new _active_ accounts with same exact name of suspended account to exists and work with `account-map` ### references -* n/a +- n/a
- ## 1.271.0 (2023-08-08T16:44:18Z)
`eks/karpenter` Readme.md update @Benbentwo (#792) ### what -* Adding Karpenter troubleshooting to readme -* Adding https://endoflife.date/amazon-eks to `EKS/Cluster` + +- Adding Karpenter troubleshooting to readme +- Adding https://endoflife.date/amazon-eks to `EKS/Cluster` ### references -* https://karpenter.sh/docs/troubleshooting/ -* https://endoflife.date/amazon-eks -
+- https://karpenter.sh/docs/troubleshooting/ +- https://endoflife.date/amazon-eks + ## 1.270.0 (2023-08-07T21:54:49Z) @@ -882,10 +892,6 @@ and ArgoCD - Replace with add-ons - Was not being maintained or used - - - -
@@ -897,14 +903,18 @@ and ArgoCD ### why -- Until now, we provisioned StorageClasses as a part of deploying [eks/ebs-controller](https://github.com/cloudposse/terraform-aws-components/blob/ba309ab4ffa96169b2b8dadce0643d13c1bd3ae9/modules/eks/ebs-controller/main.tf#L20-L56) and [eks/efs-controller](https://github.com/cloudposse/terraform-aws-components/blob/ba309ab4ffa96169b2b8dadce0643d13c1bd3ae9/modules/eks/efs-controller/main.tf#L48-L60). However, with the switch from deploying "self-managed" controllers to EKS add-ons, we no longer deploy `eks/ebs-controller` or `eks/efs-controller`. Therefore, we need a new component to manage StorageClasses independently of controllers. - +- Until now, we provisioned StorageClasses as a part of deploying + [eks/ebs-controller](https://github.com/cloudposse/terraform-aws-components/blob/ba309ab4ffa96169b2b8dadce0643d13c1bd3ae9/modules/eks/ebs-controller/main.tf#L20-L56) + and + [eks/efs-controller](https://github.com/cloudposse/terraform-aws-components/blob/ba309ab4ffa96169b2b8dadce0643d13c1bd3ae9/modules/eks/efs-controller/main.tf#L48-L60). + However, with the switch from deploying "self-managed" controllers to EKS add-ons, we no longer deploy + `eks/ebs-controller` or `eks/efs-controller`. Therefore, we need a new component to manage StorageClasses + independently of controllers. ### references - #723 -
@@ -916,179 +926,186 @@ and ArgoCD ### why -- Upgrading Karpenter to v0.28.0 requires updating CRDs, which is not handled by current Helm chart. This script updates them by modifying the existing CRDs to be labeled as being managed by Helm, then installing the `karpenter-crd` Helm chart. +- Upgrading Karpenter to v0.28.0 requires updating CRDs, which is not handled by current Helm chart. This script updates + them by modifying the existing CRDs to be labeled as being managed by Helm, then installing the `karpenter-crd` Helm + chart. ### references - Karpenter [CRD Upgrades](https://karpenter.sh/docs/upgrade-guide/#custom-resource-definition-crd-upgrades) - - -
- ## 1.269.0 (2023-08-03T20:47:56Z)
upstream `api-gateway` and `api-gateway-settings` @Benbentwo (#788) ### what -* Upstream api-gateway and it's corresponding settings component +- Upstream api-gateway and it's corresponding settings component
- ## 1.268.0 (2023-08-01T05:04:37Z)
Added new variable into `argocd-repo` component to configure ArgoCD's `ignore-differences` @zdmytriv (#785) ### what -* Added new variable into `argocd-repo` component to configure ArcoCD `ignore-differences` + +- Added new variable into `argocd-repo` component to configure ArcoCD `ignore-differences` ### why -* There are cases when application and/or third-party operators might want to change k8s API objects. For example, change the number of replicas in deployment. This will conflict with ArgoCD application because the ArgoCD controller will spot drift and will try to make an application in sync with the codebase. + +- There are cases when application and/or third-party operators might want to change k8s API objects. For example, + change the number of replicas in deployment. This will conflict with ArgoCD application because the ArgoCD controller + will spot drift and will try to make an application in sync with the codebase. ### references -* https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs +- https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#respect-ignore-difference-configs
- ## 1.267.0 (2023-07-31T19:41:43Z)
Spacelift `admin-stack` `var.description` @milldr (#787) ### what + - added missing description option ### why + - Variable is defined, but never passed to the modules ### references -n/a +n/a
- ## 1.266.0 (2023-07-29T18:00:25Z)
Use s3_object_ownership variable @sjmiller609 (#779) ### what -* Pass s3_object_ownership variable into s3 module + +- Pass s3_object_ownership variable into s3 module ### why -* I think it was accidentally not included -* Make possible to disable ACL from stack config -### references +- I think it was accidentally not included +- Make possible to disable ACL from stack config -* https://github.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.0 +### references +- https://github.com/cloudposse/terraform-aws-s3-bucket/releases/tag/3.1.0
- ## 1.265.0 (2023-07-28T21:35:14Z)
`bastion` support for `availability_zones` and public IP and subnets @milldr (#783) ### what + - Add support for `availability_zones` - Fix issue with public IP and subnets - `tflint` requirements -- removed all unused locals, variables, formatting ### why + - All instance types are not available in all AZs in a region - Bug fix ### references -- [Internal Slack reference](https://cloudposse.slack.com/archives/C048LCN8LKT/p1689085395494969) +- [Internal Slack reference](https://cloudposse.slack.com/archives/C048LCN8LKT/p1689085395494969)
- ## 1.264.0 (2023-07-28T18:57:28Z)
Aurora Resource Submodule Requirements @milldr (#775) ### what -- Removed unnecessary requirement for aurora resources for the service name not to equal the user name for submodules of both aurora resource components + +- Removed unnecessary requirement for aurora resources for the service name not to equal the user name for submodules of + both aurora resource components ### why -- This conditional doesn't add any value besides creating an unnecessary restriction. We should be able to create a user name as the service name if we want + +- This conditional doesn't add any value besides creating an unnecessary restriction. We should be able to create a user + name as the service name if we want ### references -- n/a +- n/a
- ## 1.263.0 (2023-07-28T18:12:30Z)
fix: restore notifications config in argocd @dudymas (#782) ### what -* Restore ssm configuration options for argocd notifications + +- Restore ssm configuration options for argocd notifications ### why -* notifications were not firing and tasks time out in some installations +- notifications were not firing and tasks time out in some installations
- ## 1.262.0 (2023-07-27T17:05:37Z)
Upstream `spa-s3-cloudfront` @milldr (#780) ### what + - Update module - Add Cloudfront Invalidation permission to GitHub policy ### why + - Corrected bug in the module - Allow GitHub Actions to run invalidations ### references -- https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/pull/288 +- https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/pull/288
- ## 1.261.0 (2023-07-26T16:20:37Z)
Upstream `spa-s3-cloudfront` @milldr (#778) ### what + - Upstream changes to `spa-s3-cloudfront` ### why + - Updated the included modules to support Terraform v5 - Handle disabled WAF from remote-state ### references -- https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/pull/284 +- https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/pull/284
- ## 1.260.1 (2023-07-25T05:10:20Z) ### 🚀 Enhancements @@ -1108,11 +1125,8 @@ n/a - tflint fix - tflint fix - - - ### 🐛 Bug Fixes
@@ -1130,182 +1144,184 @@ n/a - tflint fix - tflint fix - -
- ## 1.260.0 (2023-07-23T23:08:53Z)
Update `alb` component @aknysh (#773) ### what -* Update `alb` component + +- Update `alb` component ### why -* Fixes after provisioning and testing on AWS +- Fixes after provisioning and testing on AWS
- ## 1.259.0 (2023-07-20T04:32:13Z)
`elasticsearch` DNS Component Lookup @milldr (#769) ### what + - add environment for `dns-delegated` component lookup ### why + - `elasticsearch` is deployed in a regional environment, but `dns-delegated` is deployed to `gbl` ### references -- n/a +- n/a
- ## 1.258.0 (2023-07-20T04:17:31Z)
Bump `lambda-elasticsearch-cleanup` module @milldr (#768) ### what + - bump version of `lambda-elasticsearch-cleanup` module ### why + - Support Terraform provider v5 ### references + - https://github.com/cloudposse/terraform-aws-lambda-elasticsearch-cleanup/pull/48
- ## 1.257.0 (2023-07-20T03:04:51Z)
Bump ECS cluster module @max-lobur (#752) ### what -* Update ECS cluster module - -### why -* Maintenance +- Update ECS cluster module +### why +- Maintenance
- ## 1.256.0 (2023-07-18T23:57:44Z)
Bump `elasticache-redis` Module @milldr (#767) ### what + - Bump `elasticache-redis` module ### why + - Resolve issues with terraform provider v5 ### references -- https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/199 +- https://github.com/cloudposse/terraform-aws-elasticache-redis/issues/199
- ## 1.255.0 (2023-07-18T22:53:51Z)
Aurora Postgres Enhanced Monitoring Input @milldr (#766) ### what + - Added `enhanced_monitoring_attributes` as option - Set default `aurora-mysql` component name ### why + - Set this var with a custom value to avoid IAM role length restrictions (default unchanged) - Set common value as default ### references -- n/a +- n/a
- ## 1.254.0 (2023-07-18T21:00:30Z)
feat: acm no longer requires zone @dudymas (#765) ### what -* `acm` only looks up zones if `process_domain_validation_options` is true + +- `acm` only looks up zones if `process_domain_validation_options` is true ### why -* Allow external validation of acm certs +- Allow external validation of acm certs
- ## 1.253.0 (2023-07-18T17:45:16Z)
`alb` and `ssm-parameters` Upstream for Basic Use @milldr (#763) ### what + - `alb` component can get the ACM cert from either `dns-delegated` or `acm` - Support deploying `ssm-parameters` without SOPS - `waf` requires a value for `visibility_config` in the stack catalog ### why + - resolving bugs while deploying example components ### references + - https://cloudposse.atlassian.net/browse/JUMPSTART-1185
- ## 1.252.0 (2023-07-18T16:14:23Z)
fix: argocd flags, versions, and expressions @dudymas (#753) ### what -* adjust expressions in argocd -* update helmchart module -* tidy up variables + +- adjust expressions in argocd +- update helmchart module +- tidy up variables ### why -* component wouldn't run +- component wouldn't run
- ## 1.251.0 (2023-07-15T03:47:29Z)
fix: ecs capacity provider typing @dudymas (#762) ### what -* Adjust typing of `capacity_providers_ec2` + +- Adjust typing of `capacity_providers_ec2` ### why -* Component doesn't work without these fixes +- Component doesn't work without these fixes
- ## 1.250.3 (2023-07-15T00:31:40Z) ### 🚀 Enhancements @@ -1314,16 +1330,16 @@ n/a Update `alb` and `eks/alb-controller` components @aknysh (#760) ### what -* Update `alb` and `eks/alb-controller` components + +- Update `alb` and `eks/alb-controller` components ### why -* Remove unused variables and locals -* Apply variables that are defined in `variables.tf` but were not used +- Remove unused variables and locals +- Apply variables that are defined in `variables.tf` but were not used - ## 1.250.2 (2023-07-14T23:34:14Z) ### 🚀 Enhancements @@ -1337,16 +1353,16 @@ n/a ### why -Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the originating role had sufficient permissions to perform `sts:AssumeRole`. For this reason, we had an explicit policy against assuming roles in the `identity` account. - -AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team structure requires Teams (e.g. `spacelift`) to be able to assume roles in `identity` (e.g. `planner`). Therefore, the previous restriction is both not needed and actually hinders desired operation. - - +Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the +originating role had sufficient permissions to perform `sts:AssumeRole`. For this reason, we had an explicit policy +against assuming roles in the `identity` account. +AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team +structure requires Teams (e.g. `spacelift`) to be able to assume roles in `identity` (e.g. `planner`). Therefore, the +previous restriction is both not needed and actually hinders desired operation. - ### 🐛 Bug Fixes
@@ -1358,16 +1374,16 @@ AWS has removed that implied permission and now requires all roles to have expli ### why -Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the originating role had sufficient permissions to perform `sts:AssumeRole`. For this reason, we had an explicit policy against assuming roles in the `identity` account. - -AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team structure requires Teams (e.g. `spacelift`) to be able to assume roles in `identity` (e.g. `planner`). Therefore, the previous restriction is both not needed and actually hinders desired operation. - - +Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the +originating role had sufficient permissions to perform `sts:AssumeRole`. For this reason, we had an explicit policy +against assuming roles in the `identity` account. +AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team +structure requires Teams (e.g. `spacelift`) to be able to assume roles in `identity` (e.g. `planner`). Therefore, the +previous restriction is both not needed and actually hinders desired operation.
- ## 1.250.1 (2023-07-14T02:14:46Z) ### 🚀 Enhancements @@ -1388,43 +1404,52 @@ AWS has removed that implied permission and now requires all roles to have expli ### why - Bug Fix: Input was there, but was being ignored, leading to unexpected behavior -- If a requirement that had a default value was not supplied, Terraform would fail with an error about inconsistent plans because Karpenter would fill in the default +- If a requirement that had a default value was not supplied, Terraform would fail with an error about inconsistent + plans because Karpenter would fill in the default - Show some default values and how to override them - Reduce the burden of supplying empty fields - - ## 1.250.0 (2023-07-14T02:10:46Z)
Add EKS addons and the required IRSA to the `eks` component @aknysh (#723) ### what -* Deprecate the `eks-iam` component -* Add EKS addons and the required IRSA for the addons to the `eks` component -* Add ability to specify configuration values and timeouts for addons -* Add ability to deploy addons to Fargate when necessary -* Add ability to omit specifying Availability Zones and infer them from private subnets -* Add recommended but optional and requiring opt-in: use a single Fargate Pod Execution Role for all Fargate Profiles + +- Deprecate the `eks-iam` component +- Add EKS addons and the required IRSA for the addons to the `eks` component +- Add ability to specify configuration values and timeouts for addons +- Add ability to deploy addons to Fargate when necessary +- Add ability to omit specifying Availability Zones and infer them from private subnets +- Add recommended but optional and requiring opt-in: use a single Fargate Pod Execution Role for all Fargate Profiles ### why -* The `eks-iam` component is not in use (we now create the IAM roles for Kubernetes Service Accounts in the https://github.com/cloudposse/terraform-aws-helm-release module), and has very old and outdated code -* AWS recommends to provision the required EKS addons and not to rely on the managed addons (some of which are automatically provisioned by EKS on a cluster) +- The `eks-iam` component is not in use (we now create the IAM roles for Kubernetes Service Accounts in the + https://github.com/cloudposse/terraform-aws-helm-release module), and has very old and outdated code + +- AWS recommends to provision the required EKS addons and not to rely on the managed addons (some of which are + automatically provisioned by EKS on a cluster) -* Some EKS addons (e.g. `vpc-cni` and `aws-ebs-csi-driver`) require an IAM Role for Kubernetes Service Account (IRSA) with specific permissions. 
Since these addons are critical for cluster functionality, we create the IRSA roles for the addons in the `eks` component and provide the role ARNs to the addons +- Some EKS addons (e.g. `vpc-cni` and `aws-ebs-csi-driver`) require an IAM Role for Kubernetes Service Account (IRSA) + with specific permissions. Since these addons are critical for cluster functionality, we create the IRSA roles for the + addons in the `eks` component and provide the role ARNs to the addons -* Some EKS addons can be configured. In particular, `coredns` requires configuration to enable it to be deployed to Fargate. +- Some EKS addons can be configured. In particular, `coredns` requires configuration to enable it to be deployed to + Fargate. -* Users relying on Karpenter to deploy all nodes and wanting to deploy `coredns` or `aws-ebs-csi-driver` addons need to deploy them to Fargate or else the EKS deployment will fail. +- Users relying on Karpenter to deploy all nodes and wanting to deploy `coredns` or `aws-ebs-csi-driver` addons need to + deploy them to Fargate or else the EKS deployment will fail. -* Enable DRY specification of Availability Zones, and use of AZ IDs, by reading the VPCs AZs. +- Enable DRY specification of Availability Zones, and use of AZ IDs, by reading the VPCs AZs. -* A cluster needs only one Fargate Pod Execution Role, and it was a mistake to provision one for every profile. However, making the change would break existing clusters, so it is optional and requires opt-in. +- A cluster needs only one Fargate Pod Execution Role, and it was a mistake to provision one for every profile. However, + making the change would break existing clusters, so it is optional and requires opt-in. ### references + - https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html - https://docs.aws.amazon.com/eks/latest/userguide/managing-add-ons.html#creating-an-add-on - https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html 
@@ -1436,10 +1461,8 @@ AWS has removed that implied permission and now requires all roles to have expli - https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html#csi-iam-role - https://github.com/kubernetes-sigs/aws-ebs-csi-driver -
- ## 1.249.0 (2023-07-14T01:23:37Z)
@@ -1451,134 +1474,142 @@ AWS has removed that implied permission and now requires all roles to have expli ### why -- When setting `default_ingress_enabled = true` it is a reasonable expectation that the deployed Ingress be marked as the Default Ingress. The previous code suggests this was the intended behavior, but does not work with the current Helm chart and may have never worked. - - +- When setting `default_ingress_enabled = true` it is a reasonable expectation that the deployed Ingress be marked as + the Default Ingress. The previous code suggests this was the intended behavior, but does not work with the current + Helm chart and may have never worked.
- ## 1.248.0 (2023-07-13T00:21:29Z)
Upstream `gitops` Policy Update @milldr (#757) ### what + - allow actions on table resources ### why + - required to be able to query using a global secondary index ### references -- https://github.com/cloudposse/github-action-terraform-plan-storage/pull/16 +- https://github.com/cloudposse/github-action-terraform-plan-storage/pull/16
- ## 1.247.0 (2023-07-12T19:32:33Z)
Update `waf` and `alb` components @aknysh (#755) ### what -* Update `waf` component -* Update `alb` component + +- Update `waf` component +- Update `alb` component ### why -* For `waf` component, add missing features supported by the following resources: + +- For `waf` component, add missing features supported by the following resources: + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl - - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration + +- For `waf` component, remove deprecated features not supported by Terraform `aws` provider v5: -* For `waf` component, remove deprecated features not supported by Terraform `aws` provider v5: - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-5-upgrade#resourceaws_wafv2_web_acl - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-5-upgrade#resourceaws_wafv2_web_acl_logging_configuration -* For `waf` component, allow specifying a list of Atmos components to read from the remote state and associate their ARNs with the web ACL +- For `waf` component, allow specifying a list of Atmos components to read from the remote state and associate their + ARNs with the web ACL -* For `alb` component, update the modules to the latest versions and allow specifying Atmos component names for the remote state in the variables (for the cases where the Atmos component names are not standard) +- For `alb` component, update the modules to the latest versions and allow specifying Atmos component names for the + remote state in the variables (for the cases where the Atmos component names are not standard) ### references -* https://github.com/cloudposse/terraform-aws-waf/pull/45 +- https://github.com/cloudposse/terraform-aws-waf/pull/45
- ## 1.246.0 (2023-07-12T18:57:58Z)
`acm` Upstream @Benbentwo (#756) ### what -* Upstream ACM -### why -* New Variables - * `subject_alternative_names_prefixes` - * `domain_name_prefix` +- Upstream ACM +### why +- New Variables + - `subject_alternative_names_prefixes` + - `domain_name_prefix`
- ## 1.245.0 (2023-07-11T19:36:11Z)
Bump `spaces` module versions @milldr (#754) ### what + - bumped module version for `terraform-spacelift-cloud-infrastructure-automation` ### why + - New policy added to `spaces` ### references -- https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/releases/tag/1.1.0 +- https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/releases/tag/1.1.0
- ## 1.244.0 (2023-07-11T17:50:19Z)
Upstream Spacelift and Documentation @milldr (#732) ### what + - Minor corrections to spacelift components - Documentation ### why + - Deployed this at a customer and resolved the changed errors - Adding documentation for updated Spacelift design ### references -- n/a +- n/a
- ## 1.243.0 (2023-07-06T20:04:08Z)
Upstream `gitops` @milldr (#735) ### what + - Upstream new component, `gitops` ### why -- This component is used to create a role for GitHub to assume. This role is used to assume the `gitops` team and is required for enabling GitHub Action Terraform workflows + +- This component is used to create a role for GitHub to assume. This role is used to assume the `gitops` team and is + required for enabling GitHub Action Terraform workflows ### references -- JUMPSTART-904 +- JUMPSTART-904
- ## 1.242.1 (2023-07-05T19:46:08Z) ### 🚀 Enhancements @@ -1587,16 +1618,15 @@ AWS has removed that implied permission and now requires all roles to have expli Use the new subnets data source @max-lobur (#737) ### what -* Use the new subnets data source -### why -* Planned migration according to https://github.com/hashicorp/terraform-provider-aws/pull/18803 +- Use the new subnets data source +### why +- Planned migration according to https://github.com/hashicorp/terraform-provider-aws/pull/18803 - ## 1.242.0 (2023-07-05T17:05:57Z)
@@ -1608,29 +1638,32 @@ AWS has removed that implied permission and now requires all roles to have expli ### why -- PR #715 removed outputs from `account-map` that `iam-roles` relied on. Although it removed the references in `iam-roles`, this imposed an ordering on the upgrade: the `iam-roles` code had to be deployed before the module could be applied. That proved to be inconvenient. Furthermore, if a future `account-map` upgrade added outputs that iam-roles` required, neither order of operations would go smoothly. With this update, the standard practice of applying `account-map` before deploying code will work again. - - +- PR #715 removed outputs from `account-map` that `iam-roles` relied on. Although it removed the references in + `iam-roles`, this imposed an ordering on the upgrade: the `iam-roles` code had to be deployed before the module could + be applied. That proved to be inconvenient. Furthermore, if a future `account-map` upgrade added outputs that + iam-roles`required, neither order of operations would go smoothly. With this update, the standard practice of applying`account-map` + before deploying code will work again.
- ## 1.241.0 (2023-07-05T16:52:58Z)
Fixed broken links in READMEs @zdmytriv (#749) ### what -* Fixed broken links in READMEs + +- Fixed broken links in READMEs ### why -* Fixed broken links in READMEs + +- Fixed broken links in READMEs ### references -* https://github.com/cloudposse/terraform-aws-components/issues/747 -
+- https://github.com/cloudposse/terraform-aws-components/issues/747 + ## 1.240.1 (2023-07-04T04:54:28Z) @@ -1638,10 +1671,12 @@ AWS has removed that implied permission and now requires all roles to have expli This fixes issues with `aws-sso` and `github-oidc-provider`. Versions from v1.227 through v1.240 should not be used. -After installing this version of `aws-sso`, you may need to change the configuration in your stacks. See [modules/aws-sso/changelog](https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/CHANGELOG.md) for more information. Note: this release is from PR #740 +After installing this version of `aws-sso`, you may need to change the configuration in your stacks. See +[modules/aws-sso/changelog](https://github.com/cloudposse/terraform-aws-components/blob/main/modules/aws-sso/CHANGELOG.md) +for more information. Note: this release is from PR #740 - -After installing this version of `github-oidc-provider`, you may need to change the configuration in your stacks. See the release notes for v1.238.1 for more information. +After installing this version of `github-oidc-provider`, you may need to change the configuration in your stacks. See +the release notes for v1.238.1 for more information. ### 🐛 Bug Fixes @@ -1649,19 +1684,21 @@ After installing this version of `github-oidc-provider`, you may need to change bugfix `aws-sso`, `github-oidc-provider` @Benbentwo (#740) ### what -* Bugfixes `filter` depreciation issue via module update to `1.1.1` -* Bugfixes missing `aws.root` provider -* Bugfixes `github-oidc-provider` v1.238.1 + +- Bugfixes `filter` depreciation issue via module update to `1.1.1` +- Bugfixes missing `aws.root` provider +- Bugfixes `github-oidc-provider` v1.238.1 ### why -* Bugfixes + +- Bugfixes ### references -* https://github.com/cloudposse/terraform-aws-sso/pull/44 -* closes #744 - +- https://github.com/cloudposse/terraform-aws-sso/pull/44 +- closes #744 + ## 1.240.0 (2023-07-03T18:14:14Z) 
@@ -1673,32 +1710,32 @@ After installing this version of `github-oidc-provider`, you may need to change I'm too lazy to fix it each time when we get module updates via `atmos vendor` GHA ### References -* https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_deprecated_index.md -* https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_comment_syntax.md -* https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_unused_declarations.md +- https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_deprecated_index.md +- https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_comment_syntax.md +- https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.4.0/docs/rules/terraform_unused_declarations.md - ## 1.239.0 (2023-06-29T23:34:53Z)
Bump `cloudposse/ec2-autoscale-group/aws` to `0.35.0` @milldr (#734) ### what + - bumped ASG module version, `cloudposse/ec2-autoscale-group/aws` to `0.35.0` ### why + - Recent versions of this module resolve errors for these components ### references -- https://github.com/cloudposse/terraform-aws-ec2-autoscale-group +- https://github.com/cloudposse/terraform-aws-ec2-autoscale-group
- ## 1.238.1 (2023-06-29T21:15:50Z) ### Upgrade notes: @@ -1707,24 +1744,29 @@ There is a bug in this version of `github-oidc-provider`. Upgrade to version v1. After installing this version of `github-oidc-provider`, you may need to change the configuration in your stacks. -- If you have dynamic Terraform roles enabled, then this should be configured like a normal component. The previous component may have required you to set - - ```yaml - backend: - s3: - role_arn: null - ```` -and **that configuration should be removed** everywhere. -- If you only use SuperAdmin to deploy things to the `identity` account, then for the `identity` (and `root`, if applicable) account ***only***, set - - ```yaml - backend: - s3: - role_arn: null - vars: - superadmin: true - ```` -**Deployments to other accounts should not have any of those settings**. +- If you have dynamic Terraform roles enabled, then this should be configured like a normal component. The previous + component may have required you to set + + ```yaml + backend: + s3: + role_arn: null + ```` + + and **that configuration should be removed** everywhere. + +- If you only use SuperAdmin to deploy things to the `identity` account, then for the `identity` (and `root`, if + applicable) account **_only_**, set + + ```yaml + backend: + s3: + role_arn: null + vars: + superadmin: true + ```` + + **Deployments to other accounts should not have any of those settings**. ### 🚀 Enhancements @@ -1733,14 +1775,12 @@ and **that configuration should be removed** everywhere. ### what && why -- This updates `provider.tf` to provide compatibility with various legacy configurations as well as the current reference architecture +- This updates `provider.tf` to provide compatibility with various legacy configurations as well as the current + reference architecture - This update does NOT require updating `account-map` - - - ## 1.238.0 (2023-06-29T19:39:15Z)
@@ -1754,7 +1794,8 @@ and **that configuration should be removed** everywhere. ### why -- Reduce the friction between SSO permission sets and SAML roles by allowing people to use either interchangeably. (Almost. SSO permission sets do not yet have the same permissions as SAML roles in the `identity` account itself.) +- Reduce the friction between SSO permission sets and SAML roles by allowing people to use either interchangeably. + (Almost. SSO permission sets do not yet have the same permissions as SAML roles in the `identity` account itself.) - Enable continued access in the event of a regional outage in us-east-1 as happened recently - Enable auditing of who is using assumed roles 
@@ -1767,70 +1808,84 @@ and **that configuration should be removed** everywhere. ### Upgrade notes -The regional endpoints and Source Identity support are non-controversial and cannot be disabled. They do, however, require running `terraform apply` against `aws-saml`, `aws-teams`, and `aws-team-roles` in all accounts. +The regional endpoints and Source Identity support are non-controversial and cannot be disabled. They do, however, +require running `terraform apply` against `aws-saml`, `aws-teams`, and `aws-team-roles` in all accounts. #### AWS SSO updates -To enable SSO Permission Sets to function as teams, you need to update `account-map` and `aws-sso`, then apply changes to +To enable SSO Permission Sets to function as teams, you need to update `account-map` and `aws-sso`, then apply changes +to + - `tfstate-backend` - `aws-teams` - `aws-team-roles` - `aws-sso` -This is all enabled by default. If you do not want it, you only need to update `account-map`, and add `account-map/modules/roles-to-principles/variables_override.tf` in which you set +This is all enabled by default. If you do not want it, you only need to update `account-map`, and add +`account-map/modules/roles-to-principles/variables_override.tf` in which you set `overridable_team_permission_sets_enabled` to default to `false` -Under the old `iam-primary-roles` component, corresponding permission sets were named `IdentityRoleAccess`. Under the current `aws-teams` component, they are named `IdentityTeamAccess`. The current `account-map` defaults to the latter convention. To use the earlier convention, add `account-map/modules/roles-to-principles/variables_override.tf` in which you set `overridable_team_permission_set_name_pattern` to default to `"Identity%sRoleAccess"` +Under the old `iam-primary-roles` component, corresponding permission sets were named `IdentityRoleAccess`. Under +the current `aws-teams` component, they are named `IdentityTeamAccess`. 
The current `account-map` defaults to the +latter convention. To use the earlier convention, add `account-map/modules/roles-to-principles/variables_override.tf` in +which you set `overridable_team_permission_set_name_pattern` to default to `"Identity%sRoleAccess"` -There is a chance the resulting trust policies will be too big, especially for `tfstate-backend`. If you get an error like +There is a chance the resulting trust policies will be too big, especially for `tfstate-backend`. If you get an error +like ``` Cannot exceed quota for ACLSizePerRole: 2048 ``` -You need to request a quota increase (Quota Code L-C07B4B0D), which will be automatically granted, usually in about 5 minutes. The max quota is 4096, but we recommend increasing it to 3072 first, so you retain some breathing room for the future. - +You need to request a quota increase (Quota Code L-C07B4B0D), which will be automatically granted, usually in about 5 +minutes. The max quota is 4096, but we recommend increasing it to 3072 first, so you retain some breathing room for the +future.
- ## 1.237.0 (2023-06-27T22:27:49Z)
Add Missing `github-oidc-provider` Thumbprint @milldr (#736) ### what + - include both thumbprints for GitHub OIDC ### why -- There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by Github's servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are cross-signed by the CA. + +- There are two possible intermediary certificates for the Actions SSL certificate and either can be returned by + Github's servers, requiring customers to trust both. This is a known behavior when the intermediary certificates are + cross-signed by the CA. ### references -- https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/ +- https://github.blog/changelog/2023-06-27-github-actions-update-on-oidc-integration-with-aws/
- ## 1.236.0 (2023-06-26T18:14:29Z)
Update `eks/echo-server` and `eks/alb-controller-ingress-group` components @aknysh (#733) ### what -* Update `eks/echo-server` and `eks/alb-controller-ingress-group` components -* Allow specifying [alb.ingress.kubernetes.io/scheme](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#scheme) (`internal` or `internet-facing`) + +- Update `eks/echo-server` and `eks/alb-controller-ingress-group` components +- Allow specifying + [alb.ingress.kubernetes.io/scheme](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/#scheme) + (`internal` or `internet-facing`) ### why -* Allow the echo server to work with internal load balancers + +- Allow the echo server to work with internal load balancers ### references -* https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/ +- https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/ingress/annotations/
- ## 1.235.0 (2023-06-22T21:06:18Z)
@@ -1844,14 +1899,13 @@ You need to request a quota increase (Quota Code L-C07B4B0D), which will be auto ### why -- Previously, when the global `account-map` `profiles_enabled` flag was `true`, `iam_roles.terraform_role_arn` would be null. However, `eks/cluster` requires `terraform_role_arn` regardless. -- Changes made in #728 work in environments that have not adopted dynamic Terraform roles but would fail in environments that have (when using SuperAdmin) - - +- Previously, when the global `account-map` `profiles_enabled` flag was `true`, `iam_roles.terraform_role_arn` would be + null. However, `eks/cluster` requires `terraform_role_arn` regardless. +- Changes made in #728 work in environments that have not adopted dynamic Terraform roles but would fail in environments + that have (when using SuperAdmin)
- ## 1.234.0 (2023-06-21T22:44:55Z)
@@ -1863,53 +1917,56 @@ You need to request a quota increase (Quota Code L-C07B4B0D), which will be auto ### why -- Historically, the `terraform` roles in `root` and `identity` were not used for Terraform plan/apply, but for other things, and so the `terraform_roles` map output selected the `admin` roles for those accounts. This "wart" has been remove in current `aws-team-roles` and `tfstate-backend` configurations, but for people who do not want to migrate to the new conventions, this feature flag enables them to maintain the status quo with respect to role usage while taking advantage of other updates to `account-map` and other components. +- Historically, the `terraform` roles in `root` and `identity` were not used for Terraform plan/apply, but for other + things, and so the `terraform_roles` map output selected the `admin` roles for those accounts. This "wart" has been + remove in current `aws-team-roles` and `tfstate-backend` configurations, but for people who do not want to migrate to + the new conventions, this feature flag enables them to maintain the status quo with respect to role usage while taking + advantage of other updates to `account-map` and other components. ### references -This update is recommended for all customers wanting to use ***any*** component version 1.227 or later. +This update is recommended for all customers wanting to use **_any_** component version 1.227 or later. - #715 -
- ## 1.233.0 (2023-06-21T20:03:36Z)
[lambda] feat: allows to use YAML instead of JSON for IAM policy @gberenice (#692) ### what -* BREAKING CHANGE: Actually use variable `function_name` to set the lambda function name. -* Make the variable `function_name` optional. When not set, the old null-lable-derived name will be use. -* Allow IAM policy to be specified in a custom terraform object as an alternative to JSON. - -### why -* `function_name` was required to set, but it wasn't actually passed to `module "lambda"` inputs. -* Allow callers to stop providing `function_name` and preserve old behavior of using automatically generated name. -* When using [Atmos](https://atmos.tools/) to generate inputs from "stack" YAML files, having the ability to pass the statements in as a custom object means specifying them via YAML, which makes the policy declaration in stack more readable compared to embedding a JSON string in the YAML. - +- BREAKING CHANGE: Actually use variable `function_name` to set the lambda function name. +- Make the variable `function_name` optional. When not set, the old null-lable-derived name will be use. +- Allow IAM policy to be specified in a custom terraform object as an alternative to JSON. +### why +- `function_name` was required to set, but it wasn't actually passed to `module "lambda"` inputs. +- Allow callers to stop providing `function_name` and preserve old behavior of using automatically generated name. +- When using [Atmos](https://atmos.tools/) to generate inputs from "stack" YAML files, having the ability to pass the + statements in as a custom object means specifying them via YAML, which makes the policy declaration in stack more + readable compared to embedding a JSON string in the YAML.
- ## 1.232.0 (2023-06-21T15:49:06Z)
refactor securityhub component @mcalhoun (#728) ### what -* Refactor the Security Hub components into a single component + +- Refactor the Security Hub components into a single component ### why -* To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between. -
+- To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between. + ## 1.231.0 (2023-06-21T14:54:50Z) @@ -1917,10 +1974,12 @@ This update is recommended for all customers wanting to use ***any*** component roll guard duty back to previous providers logic @mcalhoun (#727) ### what -* Roll the Guard Duty component back to using the previous logic for role assumption. + +- Roll the Guard Duty component back to using the previous logic for role assumption. ### why -* The newer method is causing the provider to try to assume the role twice. We get the error: + +- The newer method is causing the provider to try to assume the role twice. We get the error: ``` AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 00000000-0000-0000-0000-00000000, api error AccessDenied: User: arn:aws:sts::000000000000:assumed-role/acme-core-gbl-security-terraform/aws-go-sdk-1687312396297825294 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000000000000:role/acme-core-gbl-security-terraform @@ -1928,20 +1987,20 @@ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403 - ## 1.230.0 (2023-06-21T01:49:52Z)
refactor guardduty module @mcalhoun (#725) ### what -* Refactor the GuardDuty components into a single component + +- Refactor the GuardDuty components into a single component ### why -* To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between. -
+- To improve the overall dev experience and to prevent needing to do multiple deploys with variable changes in-between. + ## 1.229.0 (2023-06-20T19:37:35Z) @@ -1949,16 +2008,15 @@ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403 upstream `github-action-runners` dockerhub authentication @Benbentwo (#726) ### what -* Adds support for dockerhub authentication -### why -* Dockerhub limits are unrealistically low for actually using dockerhub as an image registry for automated builds +- Adds support for dockerhub authentication +### why +- Dockerhub limits are unrealistically low for actually using dockerhub as an image registry for automated builds - ## 1.228.0 (2023-06-15T20:57:45Z)
@@ -1966,24 +2024,22 @@ AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403 ### what -* Apply the HTTPS policy +- Apply the HTTPS policy ### why -* The policy was unused so it was defaulting to an old policy +- The policy was unused so it was defaulting to an old policy ### references -
- ## 1.227.0 (2023-06-12T23:41:45Z) - Possibly breaking change: -In this update, `account-map/modules/iam-roles` acquired a provider, making it no longer able to be used with `count`. If you have code like +In this update, `account-map/modules/iam-roles` acquired a provider, making it no longer able to be used with `count`. +If you have code like ```hcl module "optional_role" { @@ -1995,7 +2051,9 @@ module "optional_role" { } ``` -You will need to rewrite it, removing the `count` parameter. It will be fine to always instantiate the module. If there are problems with ensuring appropriate settings with the module is disabled, you can always replace them with the component's inputs: +You will need to rewrite it, removing the `count` parameter. It will be fine to always instantiate the module. If there +are problems with ensuring appropriate settings with the module is disabled, you can always replace them with the +component's inputs: ```hcl module "optional_role" { 
@@ -2005,17 +2063,27 @@ module "optional_role" { } ``` - The update to components 1.227.0 is huge, and you have options. -- Enable, or not, dynamic Terraform IAM roles, which allow you to give some people (and Spacelift) the ability to run Terraform plan in some accounts without allowing apply. Note that these users will still have read/write access to Terraform state, but will not have IAM permissions to make changes in accounts. [terraform_dynamic_role_enabled](https://github.com/cloudposse/terraform-aws-components/blob/1b338fe664e5debc5bbac30cfe42003f7458575a/modules/account-map/variables.tf#L96-L100) -- Update to new `aws-teams` team names. The new names are (except for support) distinct from team-roles, making it easier to keep track. Also, the new managers team can run Terraform for identity and root in most (but not all) cases. -- Update to new `aws-team-roles`, including new permissions. The custom policies that have been removed are replaced in the `aws-team-roles` configuration with AWS managed policy ARNs. This is required to add the `planner` role and support the `terraform plan` restriction. -- Update the `providers.tf for` all components. Or some of them now, some later. Most components do not require updates, but all of them have updates. The new `providers.tf`, when used with dynamic Terraform roles, allows users directly logged into target accounts (rather than having roles in the `identity` account) to use Terraform in that account, and also allows SuperAdmin to run Terraform in more cases (almost everywhere). - -**If you do not want any new features**, you only need to update `account-map` to v1.235 or later, to be compatible with future components. Note that when updating `account-map` this way, you should update the code everywhere (all open PRs and branches) before applying the Terraform changes, because the applied changes break the old code. 
- -If you want all the new features, we recommend updating all of the following to the current release in 1 PR: +- Enable, or not, dynamic Terraform IAM roles, which allow you to give some people (and Spacelift) the ability to run + Terraform plan in some accounts without allowing apply. Note that these users will still have read/write access to + Terraform state, but will not have IAM permissions to make changes in accounts. + [terraform_dynamic_role_enabled](https://github.com/cloudposse/terraform-aws-components/blob/1b338fe664e5debc5bbac30cfe42003f7458575a/modules/account-map/variables.tf#L96-L100) +- Update to new `aws-teams` team names. The new names are (except for support) distinct from team-roles, making it + easier to keep track. Also, the new managers team can run Terraform for identity and root in most (but not all) cases. +- Update to new `aws-team-roles`, including new permissions. The custom policies that have been removed are replaced in + the `aws-team-roles` configuration with AWS managed policy ARNs. This is required to add the `planner` role and + support the `terraform plan` restriction. +- Update the `providers.tf for` all components. Or some of them now, some later. Most components do not require updates, + but all of them have updates. The new `providers.tf`, when used with dynamic Terraform roles, allows users directly + logged into target accounts (rather than having roles in the `identity` account) to use Terraform in that account, and + also allows SuperAdmin to run Terraform in more cases (almost everywhere). + +**If you do not want any new features**, you only need to update `account-map` to v1.235 or later, to be compatible with +future components. Note that when updating `account-map` this way, you should update the code everywhere (all open PRs +and branches) before applying the Terraform changes, because the applied changes break the old code. 
+ +If you want all the new features, we recommend updating all of the following to the current release in 1 PR: - account-map - aws-teams 
@@ -2027,35 +2095,35 @@ If you want all the new features, we recommend updating all of the following to ### Reviewers, please note: -The PR changes a lot of files. In particular, the `providers.tf` and therefore the `README.md` for nearly every component. Therefore it will likely be easier to review this PR one commit at a time. +The PR changes a lot of files. In particular, the `providers.tf` and therefore the `README.md` for nearly every +component. Therefore it will likely be easier to review this PR one commit at a time. -`import_role_arn` and `import_profile_name` have been removed as they are no longer needed. Current versions of Terraform (probably beginning with v1.1.0, but maybe as late as 1.3.0, I have not found authoritative information) can read data sources during plan and so no longer need a role to be explicitly specified while importing. Feel free to perform your own tests to make yourself more comfortable that this is correct. +`import_role_arn` and `import_profile_name` have been removed as they are no longer needed. Current versions of +Terraform (probably beginning with v1.1.0, but maybe as late as 1.3.0, I have not found authoritative information) can +read data sources during plan and so no longer need a role to be explicitly specified while importing. Feel free to +perform your own tests to make yourself more comfortable that this is correct. 
### what -* Updates to allow Terraform to dynamically assume a role based on the user, to allow some users to run `terraform plan` but not `terraform apply` - * Deploy standard `providers.tf` to all components that need an `aws` provider - * Move extra provider configurations to separate file, so that `providers.tf` can - remain consistent/identical among components and thus be easily updated - * Create `provider-awsutils.mixin.tf` to provide consistent, maintainable implementation -* Make `aws-sso` vendor safe -* Deprecate `sso` module in favor of `aws-saml` - +- Updates to allow Terraform to dynamically assume a role based on the user, to allow some users to run `terraform plan` + but not `terraform apply` + - Deploy standard `providers.tf` to all components that need an `aws` provider + - Move extra provider configurations to separate file, so that `providers.tf` can remain consistent/identical among + components and thus be easily updated + - Create `provider-awsutils.mixin.tf` to provide consistent, maintainable implementation +- Make `aws-sso` vendor safe +- Deprecate `sso` module in favor of `aws-saml` ### why -- Allow users to try new code or updated configurations by running `terraform plan` without giving them permission to make changes with Terraform +- Allow users to try new code or updated configurations by running `terraform plan` without giving them permission to + make changes with Terraform - Make it easier for people directly logged into target accounts to still run Terraform - Follow-up to #697, which updated `aws-teams` and `aws-team-roles`, to make `aws-sso` consistent - Reduce confusion by moving deprecated code to `deprecated/` - - - - - ## 1.226.0 (2023-06-12T17:42:51Z)
@@ -2067,44 +2135,43 @@ Fix common issues in the repo ### why -It violates our basic checks, which adds a headache to using https://github.com/cloudposse/github-action-atmos-component-updater as is +It violates our basic checks, which adds a headache to using +https://github.com/cloudposse/github-action-atmos-component-updater as is ![image](https://github.com/cloudposse/terraform-aws-components/assets/11096782/248febbe-b65f-4080-8078-376ef576b457) -> **Note**: It is much simpler to review PR if [hide whitespace changes](https://github.com/cloudposse/terraform-aws-components/pull/714/files?w=1) +> **Note**: It is much simpler to review PR if +> [hide whitespace changes](https://github.com/cloudposse/terraform-aws-components/pull/714/files?w=1)
- ## 1.225.0 (2023-06-12T14:57:20Z)
Removed list of components from main README.md @zdmytriv (#721) ### what -* Removed list of components from main README.md -### why -* That list is outdated - -### references +- Removed list of components from main README.md +### why +- That list is outdated +### references
- ## 1.224.0 (2023-06-09T19:52:51Z)
upstream argocd @Benbentwo (#634) ### what -* Upstream fixes that allow for Google OIDC -
+- Upstream fixes that allow for Google OIDC + ## 1.223.0 (2023-06-09T14:28:08Z) @@ -2112,53 +2179,60 @@ It violates our basic checks, which adds a headache to using https://github.com/ add new spacelift components @mcalhoun (#717) ### what -* Add the newly developed spacelift components -* Deprecate the previous components + +- Add the newly developed spacelift components +- Deprecate the previous components ### why -* We undertook a process of decomposing a monolithic module and broke it into smaller, composable pieces for a better developer experience + +- We undertook a process of decomposing a monolithic module and broke it into smaller, composable pieces for a better + developer experience ### references -* Corresponding [Upstream Module PR](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/pull/143) +- Corresponding + [Upstream Module PR](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/pull/143) - ## 1.222.0 (2023-06-08T23:28:34Z)
Karpenter Node Interruption Handler @milldr (#713) ### what + - Added Karpenter Interruption Handler to existing component ### why + - Interruption is supported by karpenter, but we need to deploy sqs queue and event bridge rules to enable ### references -- https://github.com/cloudposse/knowledge-base/discussions/127 - +- https://github.com/cloudposse/knowledge-base/discussions/127
- ## 1.221.0 (2023-06-07T18:11:23Z)
feat: New Component `aws-ssosync` @dudymas (#625) ### what -* adds a fork of [aws-ssosync](https://github.com/awslabs/ssosync) as a lambda on a 15m cronjob + +- adds a fork of [aws-ssosync](https://github.com/awslabs/ssosync) as a lambda on a 15m cronjob ### Why -Google is one of those identity providers that doesn't have good integration with AWS SSO. In order to sync groups and users across we need to use some API calls, luckily AWS Built [aws-ssosync](https://github.com/awslabs/ssosync) to handle that. -Unfortunately, it required ASM so we use [Benbentwo/ssosync](https://github.com/Benbentwo/ssosync) as it removes that requirement. +Google is one of those identity providers that doesn't have good integration with AWS SSO. In order to sync groups and +users across we need to use some API calls, luckily AWS Built [aws-ssosync](https://github.com/awslabs/ssosync) to +handle that. -
+Unfortunately, it required ASM so we use [Benbentwo/ssosync](https://github.com/Benbentwo/ssosync) as it removes that +requirement. + ## 1.220.0 (2023-06-05T22:31:10Z) @@ -2167,41 +2241,41 @@ Unfortunately, it required ASM so we use [Benbentwo/ssosync](https://github.com/ ### what -* Set `helm_manifest_experiment_enabled` to `false` by default -* Block Kubernetes provider 2.21.0 +- Set `helm_manifest_experiment_enabled` to `false` by default +- Block Kubernetes provider 2.21.0 ### why -* The `helm_manifest_experiment_enabled` reliably breaks when a Helm chart installs CRDs. The initial reason for enabling it was for better drift detection, but the provider seems to have fixed most if not all of the drift detection issues since then. -* Kubernetes provider 2.21.0 had breaking changes which were reverted in 2.21.1. +- The `helm_manifest_experiment_enabled` reliably breaks when a Helm chart installs CRDs. The initial reason for + enabling it was for better drift detection, but the provider seems to have fixed most if not all of the drift + detection issues since then. +- Kubernetes provider 2.21.0 had breaking changes which were reverted in 2.21.1. ### references -* https://github.com/hashicorp/terraform-provider-kubernetes/pull/2084#issuecomment-1576711378 - - +- https://github.com/hashicorp/terraform-provider-kubernetes/pull/2084#issuecomment-1576711378 - ## 1.219.0 (2023-06-05T20:23:17Z)
Expand ECR GH OIDC Default Policy @milldr (#711) ### what + - updated default ECR GH OIDC policy ### why + - This policy should grant GH OIDC access both public and private ECR repos ### references -- https://cloudposse.slack.com/archives/CA4TC65HS/p1685993698149499?thread_ts=1685990234.560589&cid=CA4TC65HS +- https://cloudposse.slack.com/archives/CA4TC65HS/p1685993698149499?thread_ts=1685990234.560589&cid=CA4TC65HS
- ## 1.218.0 (2023-06-05T01:59:49Z)
@@ -2217,13 +2291,8 @@ Unfortunately, it required ASM so we use [Benbentwo/ssosync](https://github.com/ - Prepare for `providers.tf` updates to support dynamic Terraform roles - ARB decision on customization compatible with vendoring - - - -
- ## 1.217.0 (2023-06-04T23:11:44Z)
@@ -2233,23 +2302,20 @@ Unfortunately, it required ASM so we use [Benbentwo/ssosync](https://github.com/ For `eks/external-secrets-operator`: -* Normalize variables, update dependencies -* Exclude Kubernetes provider v2.21.0 +- Normalize variables, update dependencies +- Exclude Kubernetes provider v2.21.0 ### why -* Bring in line with other Helm-based modules -* Take advantage of improvements in dependencies +- Bring in line with other Helm-based modules +- Take advantage of improvements in dependencies ### references -* [Breaking change in Kubernetes provider v2.21.0](https://github.com/hashicorp/terraform-provider-kubernetes/pull/2084) - - +- [Breaking change in Kubernetes provider v2.21.0](https://github.com/hashicorp/terraform-provider-kubernetes/pull/2084)
- ## 1.216.2 (2023-06-04T23:08:39Z) ### 🚀 Enhancements @@ -2270,10 +2336,8 @@ For `eks/external-secrets-operator`: - [v5 upgrade guide](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-5-upgrade) - [v5.0.0 Release Notes](https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.0.0) - - ## 1.216.1 (2023-06-04T01:18:31Z) ### 🚀 Enhancements @@ -2287,15 +2351,11 @@ For `eks/external-secrets-operator`: ### why -- Currently, custom polices have to be manually added to the map in `main.tf`, but that gets overwritten with every vendor update. Putting that map in a separate, optional file allows for the custom code to survive vendoring. - - - - +- Currently, custom polices have to be manually added to the map in `main.tf`, but that gets overwritten with every + vendor update. Putting that map in a separate, optional file allows for the custom code to survive vendoring. - ## 1.216.0 (2023-06-02T18:02:01Z)
@@ -2303,98 +2363,119 @@ For `eks/external-secrets-operator`: ### what -* Added support for ssm param tiers -* Updated the minimum version to `>= 1.3.0` to support `optional` parameters +- Added support for ssm param tiers +- Updated the minimum version to `>= 1.3.0` to support `optional` parameters ### why -* `Standard` tier only supports 4096 characters. This allows Advanced and Intelligent Tiering support. +- `Standard` tier only supports 4096 characters. This allows Advanced and Intelligent Tiering support. ### references -
- ## 1.215.0 (2023-06-02T14:28:29Z)
`.editorconfig` Typo @milldr (#704) ### what + fixed intent typo ### why + should be spelled "indent" ### references -https://cloudposse.slack.com/archives/C01EY65H1PA/p1685638634845009 - +https://cloudposse.slack.com/archives/C01EY65H1PA/p1685638634845009
- ## 1.214.0 (2023-05-31T17:46:35Z)
Transit Gateway `var.connections` Redesign @milldr (#685) ### what + - Updated how the connection variables for `tgw/hub` and `tgw/spoke` are defined - Moved the old versions of `tgw` to `deprecated/tgw` ### why + - We want to be able to define multiple or alternately named `vpc` or `eks/cluster` components for both hub and spoke -- The cross-region components are not updated yet with this new design, since the current customers requesting these updates do not need cross-region access at this time. But we want to still support the old design s.t. customers using cross-region components can access the old components. We will need to update the cross-region components with follow up effort +- The cross-region components are not updated yet with this new design, since the current customers requesting these + updates do not need cross-region access at this time. But we want to still support the old design s.t. customers using + cross-region components can access the old components. We will need to update the cross-region components with follow + up effort ### references -- https://github.com/cloudposse/knowledge-base/discussions/112 - +- https://github.com/cloudposse/knowledge-base/discussions/112
- ## 1.213.0 (2023-05-31T14:50:16Z)
Introducing Security Hub @zdmytriv (#683) ### what -* Introducing Security Hub component + +- Introducing Security Hub component ### why -Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and integrated partner solutions. +Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and +resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and +integrated partner solutions. Here are the key features and capabilities of Amazon Security Hub: -- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture across the entire AWS environment. +- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage + security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture + across the entire AWS environment. -- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS CIS Foundations Benchmark, to identify potential security issues. +- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, + configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS + CIS Foundations Benchmark, to identify potential security issues. 
-- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party security products and solutions. This integration enables the ingestion and analysis of security findings from diverse sources, offering a comprehensive security view. +- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party + security products and solutions. This integration enables the ingestion and analysis of security findings from diverse + sources, offering a comprehensive security view. -- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on remediation actions to ensure adherence to security best practices. +- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory + frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on + remediation actions to ensure adherence to security best practices. -- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security alerts, allowing for efficient threat response and remediation. +- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling + users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security + alerts, allowing for efficient threat response and remediation. -- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules and filters to focus on specific security criteria or requirements. 
It also provides event aggregation and correlation capabilities to identify related security findings and potential attack patterns. +- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules + and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation + capabilities to identify related security findings and potential attack patterns. -- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced visibility, automated remediation, and streamlined security operations. +- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS + CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced + visibility, automated remediation, and streamlined security operations. -- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to receive real-time notifications of security findings. It also facilitates automation and response through integration with AWS Lambda, allowing for automated remediation actions. +- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to + receive real-time notifications of security findings. It also facilitates automation and response through integration + with AWS Lambda, allowing for automated remediation actions. -By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, and effectively manage security compliance across their AWS accounts and resources. 
+By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, +and effectively manage security compliance across their AWS accounts and resources. ### references + - https://aws.amazon.com/security-hub/ - https://github.com/cloudposse/terraform-aws-security-hub/
- ## 1.212.0 (2023-05-31T14:45:30Z)
@@ -2402,66 +2483,95 @@ By utilizing Amazon Security Hub, organizations can improve their security postu ### what -* Introducing GuardDuty component +- Introducing GuardDuty component ### why -AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security threats. +AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by +continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources +within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security +threats. Key features and components of AWS GuardDuty include: -- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event logs and network traffic data to detect patterns, anomalies, and known attack techniques. +- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence + to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event + logs and network traffic data to detect patterns, anomalies, and known attack techniques. -- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, domains, and other indicators of compromise. 
+- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global + community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, + domains, and other indicators of compromise. -- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS Lambda for immediate action or custom response workflows. +- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be + delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS + Lambda for immediate action or custom response workflows. -- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security policies and practices. +- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and + monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security + policies and practices. -- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of security incidents and reduces the need for manual intervention. +- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS + Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of + security incidents and reduces the need for manual intervention. 
-- Security findings and reports: GuardDuty provides detailed security findings and reports that include information about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed through the AWS Management Console or retrieved via APIs for further analysis and reporting. +- Security findings and reports: GuardDuty provides detailed security findings and reports that include information + about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed + through the AWS Management Console or retrieved via APIs for further analysis and reporting. -GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations with an additional layer of security to proactively identify and respond to potential security risks. +GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations +with an additional layer of security to proactively identify and respond to potential security risks. ### references + - https://aws.amazon.com/guardduty/ - https://github.com/cloudposse/terraform-aws-guardduty - -
- ## 1.211.0 (2023-05-30T16:30:47Z)
Upstream `aws-inspector` @milldr (#700) ### what + Upstream `aws-inspector` from past engagement ### why -* This component was never upstreamed and now were want to use it again -* AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security vulnerabilities and deviations from security best practices. Here are some key features and functionalities of AWS Inspector: - - Security Assessments: AWS Inspector performs security assessments by analyzing the behavior of your resources and identifying potential security vulnerabilities. It examines the network configuration, operating system settings, and installed software to detect common security issues. - - Vulnerability Detection: AWS Inspector uses a predefined set of rules to identify common vulnerabilities, misconfigurations, and security exposures. It leverages industry-standard security best practices and continuously updates its knowledge base to stay current with emerging threats. +- This component was never upstreamed and now were want to use it again +- AWS Inspector is a security assessment service offered by Amazon Web Services (AWS). It helps you analyze and evaluate + the security and compliance of your applications and infrastructure deployed on AWS. AWS Inspector automatically + assesses the resources within your AWS environment, such as Amazon EC2 instances, for potential security + vulnerabilities and deviations from security best practices. Here are some key features and functionalities of AWS + Inspector: - - Agent-Based Architecture: AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on your EC2 instances. 
The agent collects data about the system and its configuration, securely sends it to AWS Inspector, and allows for more accurate and detailed assessments. + - Security Assessments: AWS Inspector performs security assessments by analyzing the behavior of your resources and + identifying potential security vulnerabilities. It examines the network configuration, operating system settings, + and installed software to detect common security issues. - - Security Findings: After performing an assessment, AWS Inspector generates detailed findings that highlight security vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you prioritize and address security issues within your AWS environment. + - Vulnerability Detection: AWS Inspector uses a predefined set of rules to identify common vulnerabilities, + misconfigurations, and security exposures. It leverages industry-standard security best practices and continuously + updates its knowledge base to stay current with emerging threats. - - Integration with AWS Services: AWS Inspector seamlessly integrates with other AWS services, such as AWS CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage findings, and centralize security information across your AWS infrastructure. + - Agent-Based Architecture: AWS Inspector utilizes an agent-based approach, where you install an Inspector agent on + your EC2 instances. The agent collects data about the system and its configuration, securely sends it to AWS + Inspector, and allows for more accurate and detailed assessments. -### references -DEV-942 + - Security Findings: After performing an assessment, AWS Inspector generates detailed findings that highlight security + vulnerabilities, including their severity level, impact, and remediation steps. These findings can help you + prioritize and address security issues within your AWS environment. 
+ + - Integration with AWS Services: AWS Inspector seamlessly integrates with other AWS services, such as AWS + CloudFormation, AWS Systems Manager, and AWS Security Hub. This allows you to automate security assessments, manage + findings, and centralize security information across your AWS infrastructure. +### references +DEV-942
- ## 1.210.1 (2023-05-27T18:52:11Z) ### 🚀 Enhancements @@ -2470,49 +2580,49 @@ DEV-942 Fix tags @aknysh (#701) ### what -* Fix tags + +- Fix tags ### why -* Typo +- Typo - ### 🐛 Bug Fixes
Fix tags @aknysh (#701) ### what -* Fix tags + +- Fix tags ### why -* Typo +- Typo
- ## 1.210.0 (2023-05-25T22:06:24Z)
EKS FAQ for Addons @milldr (#699) ### what + Added docs for EKS Cluster Addons ### why + FAQ, requested for documentation ### references -DEV-846 - +DEV-846
- ## 1.209.0 (2023-05-25T19:05:53Z)
@@ -2520,19 +2630,20 @@ DEV-846 ### what -* Update `eks/alb-controller` controller IAM policy - +- Update `eks/alb-controller` controller IAM policy ### why -* Email from AWS: -> On June 1, 2023, we will be adding an additional layer of security to ELB ‘Create*' API calls where API callers must have explicit access to add tags in their Identity and Access Management (IAM) policy. Currently, access to attach tags was implicitly granted with access to 'Create*' APIs. +- Email from AWS: + > On June 1, 2023, we will be adding an additional layer of security to ELB ‘Create*' API calls where API callers must + > have explicit access to add tags in their Identity and Access Management (IAM) policy. Currently, access to attach + > tags was implicitly granted with access to 'Create*' APIs. ### references -* [Updated IAM policy](https://github.com/kubernetes-sigs/aws-load-balancer-controller/pull/3068) -
+- [Updated IAM policy](https://github.com/kubernetes-sigs/aws-load-balancer-controller/pull/3068) + ## 1.208.0 (2023-05-24T11:12:15Z) @@ -2540,74 +2651,75 @@ DEV-846 Managed rules for AWS Config @zdmytriv (#690) ### what -* Added option to specify Managed Rules for AWS Config in addition to Conformance Packs + +- Added option to specify Managed Rules for AWS Config in addition to Conformance Packs ### why -* Managed rules will allows to add and tune AWS predefined rules in addition to Conformance Packs + +- Managed rules will allows to add and tune AWS predefined rules in addition to Conformance Packs ### references -* [About AWS Config Manager Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) -* [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) +- [About AWS Config Manager Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html) +- [List of AWS Config Managed Rules](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) - ## 1.207.0 (2023-05-22T18:40:06Z)
Corrections to `dms` components @milldr (#658) ### what + - Corrections to `dms` components ### why + - outputs were incorrect - set pass and username with ssm ### references -- n/a - +- n/a
- ## 1.206.0 (2023-05-20T19:41:35Z)
Upgrade S3 Bucket module to support recent changes made by AWS team regarding ACL @zdmytriv (#688) ### what -* Upgraded S3 Bucket module version + +- Upgraded S3 Bucket module version ### why -* Upgrade S3 Bucket module to support recent changes made by AWS team regarding ACL + +- Upgrade S3 Bucket module to support recent changes made by AWS team regarding ACL ### references -* https://github.com/cloudposse/terraform-aws-s3-bucket/pull/178 +- https://github.com/cloudposse/terraform-aws-s3-bucket/pull/178
- ## 1.205.0 (2023-05-19T23:55:14Z)
feat: add lambda monitors to datadog-monitor @dudymas (#686) ### what -* add lambda error monitor -* add datadog lambda log forwarder config monitor -### why -* Observability +- add lambda error monitor +- add datadog lambda log forwarder config monitor +### why +- Observability
- ## 1.204.1 (2023-05-19T19:54:05Z) ### 🚀 Enhancements @@ -2616,28 +2728,27 @@ DEV-846 Update `module "datadog_configuration"` modules @aknysh (#684) ### what -* Update `module "datadog_configuration"` modules -### why -* The module does not accept the `region` variable -* The module must be always enabled to be able to read the Datadog API keys even if the component is disabled +- Update `module "datadog_configuration"` modules +### why +- The module does not accept the `region` variable +- The module must be always enabled to be able to read the Datadog API keys even if the component is disabled - ## 1.204.0 (2023-05-18T20:31:49Z)
`datadog-agent` bugfixes @Benbentwo (#681) ### what -* update datadog agent to latest -* remove variable in datadog configuration -
+- update datadog agent to latest +- remove variable in datadog configuration + ## 1.203.0 (2023-05-18T19:44:08Z) @@ -2645,14 +2756,20 @@ DEV-846 Update `vpc` and `eks/cluster` components @aknysh (#677) ### what -* Update `vpc` and `eks/cluster` components + +- Update `vpc` and `eks/cluster` components ### why -* Use latest module versions -* Take into account `var.availability_zones` for the EKS cluster itself. Only the `node-group` module was using `var.availability_zones` to use the subnets from the provided AZs. The EKS cluster (control plane) was using all the subnets provisioned in a VPC. This caused issues because EKS is not available in all AZs in a region, e.g. it's not available in `us-east-1e` b/c of a limited capacity, and when using all AZs from `us-east-1`, the deployment fails +- Use latest module versions + +- Take into account `var.availability_zones` for the EKS cluster itself. Only the `node-group` module was using + `var.availability_zones` to use the subnets from the provided AZs. The EKS cluster (control plane) was using all the + subnets provisioned in a VPC. This caused issues because EKS is not available in all AZs in a region, e.g. it's not + available in `us-east-1e` b/c of a limited capacity, and when using all AZs from `us-east-1`, the deployment fails -* The latest version of the `vpc` component (which was updated in this PR as well) has the outputs to get a map of AZs to the subnet IDs in each AZ +- The latest version of the `vpc` component (which was updated in this PR as well) has the outputs to get a map of AZs + to the subnet IDs in each AZ ``` # Get only the public subnets that correspond to the AZs provided in `var.availability_zones` @@ -2664,47 +2781,45 @@ DEV-846 private_subnet_ids = flatten([for k, v in local.vpc_outputs.az_private_subnets_map : v if contains(var.availability_zones, k)]) ``` - - - ## 1.202.0 (2023-05-18T16:15:12Z)
feat: adds ability to list principals of Lambdas allowed to access ECR @gberenice (#680) ### what -* This change allows listing IDs of the accounts allowed to consume ECR. + +- This change allows listing IDs of the accounts allowed to consume ECR. ### why -* This is supported by [terraform-aws-ecr](https://github.com/cloudposse/terraform-aws-ecr/tree/main), but not the component. + +- This is supported by [terraform-aws-ecr](https://github.com/cloudposse/terraform-aws-ecr/tree/main), but not the + component. ### references -* N/A +- N/A
- ## 1.201.0 (2023-05-18T15:08:54Z)
Introducing AWS Config component @zdmytriv (#675) ### what -* Added AWS Config and related `config-bucket` components -### why -* Added AWS Config and related `config-bucket` components +- Added AWS Config and related `config-bucket` components -### references +### why +- Added AWS Config and related `config-bucket` components +### references
- ## 1.200.1 (2023-05-18T14:52:10Z) ### 🚀 Enhancements @@ -2713,19 +2828,18 @@ DEV-846 Fix `datadog` components @aknysh (#679) ### what -* Fix all `datadog` components + +- Fix all `datadog` components ### why -* Variable `region` is not supported by the `datadog-configuration/modules/datadog_keys` submodule +- Variable `region` is not supported by the `datadog-configuration/modules/datadog_keys` submodule - ## 1.200.0 (2023-05-17T09:19:40Z) -* No changes - +- No changes ## 1.199.0 (2023-05-16T15:01:56Z) @@ -2733,19 +2847,20 @@ DEV-846 `eks/alb-controller-ingress-group`: Corrected Tags to pull LB Data Resource @milldr (#676) ### what + - corrected tag reference for pull lb data resource ### why -- the tags that are used to pull the ALB that's created should be filtering using the same group_name that is given when the LB is created -### references -- n/a +- the tags that are used to pull the ALB that's created should be filtering using the same group_name that is given when + the LB is created +### references +- n/a - ## 1.198.3 (2023-05-15T20:01:18Z) ### 🐛 Bug Fixes 
@@ -2754,24 +2869,26 @@ DEV-846 Correct `cloudtrail` Account-Map Reference @milldr (#673) ### what + - Correctly pull Audit account from `account-map` for `cloudtrail` - Remove `SessionName` from EKS RBAC user name wrongly added in #668 ### why + - account-map remote state was missing from the `cloudtrail` component - Account names should be pulled from account-map, not using a variable -- Session Name automatically logged in `user.extra.sessionName.0` starting at Kubernetes 1.20, plus addition had a typo and was only on Teams, not Team Roles +- Session Name automatically logged in `user.extra.sessionName.0` starting at Kubernetes 1.20, plus addition had a typo + and was only on Teams, not Team Roles ### references -- Resolves change requests https://github.com/cloudposse/terraform-aws-components/pull/638#discussion_r1193297727 and https://github.com/cloudposse/terraform-aws-components/pull/638#discussion_r1193298107 + +- Resolves change requests https://github.com/cloudposse/terraform-aws-components/pull/638#discussion_r1193297727 and + https://github.com/cloudposse/terraform-aws-components/pull/638#discussion_r1193298107 - Closes #672 - [Internal Slack thread](https://cloudposse.slack.com/archives/CA4TC65HS/p1684122388801769) - - - ## 1.198.2 (2023-05-15T19:47:39Z) ### 🚀 Enhancements 
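Review bot: The last reference in the 1.198.3 entry, "[Internal Slack thread](https://cloudposse.slack.com/archives/CA4TC65HS/p1684122388801769)", points into a private workspace that readers of this public changelog cannot open, so the link carries no information for them; fold whatever conclusion that thread reached into the "why" bullets and drop the link. The same applies to the bare cloudposse.slack.com references in the 1.195.0, 1.183.0, 1.181.0 and 1.155.0 entries touched later in this patch.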
@@ -2780,19 +2897,21 @@ DEV-846 bump config yaml dependency on account component as it still depends on hashicorp template provider @lantier (#671) ### what -* Bump [cloudposse/config/yaml](https://github.com/cloudposse/terraform-yaml-config) module dependency from version 1.0.1 to 1.0.2 + +- Bump [cloudposse/config/yaml](https://github.com/cloudposse/terraform-yaml-config) module dependency from version + 1.0.1 to 1.0.2 ### why -* 1.0.1 still uses hashicorp/template provider, which has no M1 binary equivalent, 1.0.2 already uses the cloudposse version which has the binary -### references -* (https://github.com/cloudposse/terraform-yaml-config/releases/tag/1.0.2) +- 1.0.1 still uses hashicorp/template provider, which has no M1 binary equivalent, 1.0.2 already uses the cloudposse + version which has the binary +### references +- (https://github.com/cloudposse/terraform-yaml-config/releases/tag/1.0.2) - ## 1.198.1 (2023-05-15T18:55:09Z) ### 🐛 Bug Fixes @@ -2801,40 +2920,40 @@ DEV-846 Fixed `route53-resolver-dns-firewall` for the case when logging is disabled @zdmytriv (#669) ### what -* Fixed `route53-resolver-dns-firewall` for the case when logging is disabled + +- Fixed `route53-resolver-dns-firewall` for the case when logging is disabled ### why -* Component still required bucket when logging disabled -### references +- Component still required bucket when logging disabled +### references - ## 1.198.0 (2023-05-15T17:37:47Z)
Add `aws-shield` component @aknysh (#670) ### what -* Add `aws-shield` component + +- Add `aws-shield` component ### why -* The component is responsible for enabling AWS Shield Advanced Protection for the following resources: - * Application Load Balancers (ALBs) - * CloudFront Distributions - * Elastic IPs - * Route53 Hosted Zones +- The component is responsible for enabling AWS Shield Advanced Protection for the following resources: -This component also requires that the account where the component is being provisioned to has -been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). + - Application Load Balancers (ALBs) + - CloudFront Distributions + - Elastic IPs + - Route53 Hosted Zones +This component also requires that the account where the component is being provisioned to has been +[subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html).
- ## 1.197.2 (2023-05-15T15:25:39Z) ### 🚀 Enhancements @@ -2848,13 +2967,12 @@ been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/ ### why -- using `string` makes the [if .Values.pvc_enabled](https://github.com/SpotOnInc/cloudposse-actions-runner-controller-tf-module-bugfix/blob/f224c7a4ee8b2ab4baf6929710d6668bd8fc5e8c/modules/eks/actions-runner-controller/charts/actions-runner/templates/runnerdeployment.yaml#L1) condition always true and creates persistent volumes even if they're not intended to use - - +- using `string` makes the + [if .Values.pvc_enabled](https://github.com/SpotOnInc/cloudposse-actions-runner-controller-tf-module-bugfix/blob/f224c7a4ee8b2ab4baf6929710d6668bd8fc5e8c/modules/eks/actions-runner-controller/charts/actions-runner/templates/runnerdeployment.yaml#L1) + condition always true and creates persistent volumes even if they're not intended to use - ## 1.197.1 (2023-05-11T20:39:03Z) ### 🐛 Bug Fixes @@ -2869,7 +2987,8 @@ been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/ ### why -- Test code granting access to all `root` users and roles was accidentally left in #645 and breaks when Tenants are part of account names +- Test code granting access to all `root` users and roles was accidentally left in #645 and breaks when Tenants are part + of account names - There is no reason to allow `root` users to access EKS clusters, so even when this code worked it was wrong - Audit trail can keep track of who is performing actions @@ -2877,20 +2996,18 @@ been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/ - https://aws.github.io/aws-eks-best-practices/security/docs/iam/#use-iam-roles-when-multiple-users-need-identical-access-to-the-cluster - - ## 1.197.0 (2023-05-11T17:59:40Z)
`rds` Component readme update @Benbentwo (#667) ### what -* Updating default example from mssql to postgres -
+- Updating default example from mssql to postgres + ## 1.196.0 (2023-05-11T17:56:41Z) @@ -2898,158 +3015,157 @@ been [subscribed to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/ Update `vpc-flow-logs` @milldr (#649) ### what + - Modernized `vpc-flow-logs` with latest conventions ### why + - Old version of the component was significantly out of date - #498 ### references -- DEV-880 - +- DEV-880 - ## 1.195.0 (2023-05-11T07:27:29Z)
Add `iam-policy` to `ecs-service` @milldr (#663) ### what + Add an option to attach the `iam-policy` resource to `ecs-service` ### why + This policy is already created, but is missing its attachment. We should attach this to the resource when enabled ### references -https://cloudposse.slack.com/archives/CA4TC65HS/p1683729972134479 - +https://cloudposse.slack.com/archives/CA4TC65HS/p1683729972134479
- ## 1.194.0 (2023-05-10T18:36:37Z)
upstream `acm` and `datadog-integration` @Benbentwo (#666) ### what -* ACM allows disabling `*.my.domain` -* Datadog-Integration supports allow-list'ing regions +- ACM allows disabling `*.my.domain` +- Datadog-Integration supports allow-list'ing regions
- ## 1.193.0 (2023-05-09T16:00:08Z)
Add `route53-resolver-dns-firewall` and `network-firewall` components @aknysh (#651) ### what -* Add `route53-resolver-dns-firewall` component -* Add `network-firewall` component + +- Add `route53-resolver-dns-firewall` component +- Add `network-firewall` component ### why -* The `route53-resolver-dns-firewall` component is responsible for provisioning [Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) resources, including Route 53 Resolver DNS Firewall, domain lists, firewall rule groups, firewall rules, and logging configuration - -* The `network-firewall` component is responsible for provisioning [AWS Network Firewall](https://aws.amazon.com/network-firewal) resources, including Network Firewall, firewall policy, rule groups, and logging configuration - +- The `route53-resolver-dns-firewall` component is responsible for provisioning + [Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) + resources, including Route 53 Resolver DNS Firewall, domain lists, firewall rule groups, firewall rules, and logging + configuration +- The `network-firewall` component is responsible for provisioning + [AWS Network Firewall](https://aws.amazon.com/network-firewal) resources, including Network Firewall, firewall policy, + rule groups, and logging configuration
- ## 1.192.0 (2023-05-09T15:40:43Z)
[ecs-service] Added IAM policies for ecspresso deployments @goruha (#659) ### what -* [ecs-service] Added IAM policies for [Ecspresso](https://github.com/kayac/ecspresso) deployments +- [ecs-service] Added IAM policies for [Ecspresso](https://github.com/kayac/ecspresso) deployments
- ## 1.191.0 (2023-05-05T22:16:44Z)
`elasticsearch` Corrections @milldr (#662) ### what + - Modernize Elasticsearch component ### why + - `elasticsearch` was not deployable as is. Added up-to-date config ### references -- n/a - +- n/a
- ## 1.190.0 (2023-05-05T18:46:26Z)
fix: remove stray component.yaml in lambda @dudymas (#661) ### what -* Remove the `component.yaml` in the lambda component -### why -* Vendoring would potentially cause conflicts +- Remove the `component.yaml` in the lambda component +### why +- Vendoring would potentially cause conflicts
- ## 1.189.0 (2023-05-05T18:22:04Z)
fix: eks/efs-controller iam policy updates @dudymas (#660) ### what -* Update the iam policy for eks/efs-controller + +- Update the iam policy for eks/efs-controller ### why -* Older permissions will not work with new versions of the controller -### references -* [official iam policy -sample](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json) +- Older permissions will not work with new versions of the controller +### references +- [official iam policy sample](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json)
- ## 1.188.0 (2023-05-05T17:05:23Z)
Move `eks/efs` to `efs` @milldr (#653) ### what + - Moved `eks/efs` to `efs` ### why -- `efs` shouldn't be a submodule of `eks`. You can deploy EFS without EKS -### references -- n/a +- `efs` shouldn't be a submodule of `eks`. You can deploy EFS without EKS +### references +- n/a
- ## 1.187.0 (2023-05-04T23:04:26Z)
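Review bot: The rewrapped 1.193.0 "why" bullet in this hunk still links to `https://aws.amazon.com/network-firewal`, which is missing the trailing "l" and 404s; since prettier is rewriting that line anyway, correct it to `https://aws.amazon.com/network-firewall`. In the same hunk, the 1.187.0 "official iam policy sample" reference links to the `master` blob of `docs/iam-policy-example.json`, so it will silently drift from the permissions this release actually shipped; pin it to the commit the policy was copied from.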
@@ -3071,85 +3187,82 @@ sample](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/i - https://github.com/actions/actions-runner-controller/issues/2562 - -
- ## 1.186.0 (2023-05-04T18:15:31Z)
Update `RDS` @Benbentwo (#657) ### what -* Update RDS Modules -* Allow disabling Monitoring Role - -### why -* Monitoring not always needed -* Context.tf Updates in modules +- Update RDS Modules +- Allow disabling Monitoring Role +### why +- Monitoring not always needed +- Context.tf Updates in modules
- ## 1.185.0 (2023-04-26T21:30:24Z)
Add `amplify` component @aknysh (#650) ### what -* Add `amplify` component + +- Add `amplify` component ### why -* Terraform component to provision AWS Amplify apps, backend environments, branches, domain associations, and webhooks + +- Terraform component to provision AWS Amplify apps, backend environments, branches, domain associations, and webhooks ### references -* https://aws.amazon.com/amplify +- https://aws.amazon.com/amplify
- ## 1.184.0 (2023-04-25T14:29:29Z)
Upstream: `eks/ebs-controller` @milldr (#640) ### what + - Added component for `eks/ebs-controller` ### why + - Upstreaming this component for general use ### references -- n/a +- n/a
- ## 1.183.0 (2023-04-24T23:21:17Z)
GitHub OIDC FAQ @milldr (#648) ### what + Added common question for GHA ### why + This is asked frequently ### references -https://cloudposse.slack.com/archives/C04N39YPVAS/p1682355553255269 - +https://cloudposse.slack.com/archives/C04N39YPVAS/p1682355553255269
- ## 1.182.1 (2023-04-24T19:37:31Z) ### 🚀 Enhancements @@ -3160,102 +3273,100 @@ https://cloudposse.slack.com/archives/C04N39YPVAS/p1682355553255269 ### what Update `aws-config` command: -- Add `teams` command and suggest "aws-config-teams" file name instead of "aws-config-saml" because we want to use "aws-config-teams" for both SAML and SSO logins with Leapp handling the difference. + +- Add `teams` command and suggest "aws-config-teams" file name instead of "aws-config-saml" because we want to use + "aws-config-teams" for both SAML and SSO logins with Leapp handling the difference. - Add `help` command - Add more extensive help - Do not rely on script generated by `account-map` for command `main()` function ### why + - Reflect latest design pattern - Improved user experience - - ## 1.182.0 (2023-04-21T17:20:14Z)
Athena CloudTrail Queries @milldr (#638) ### what + - added cloudtrail integration to athena - conditionally allow audit account to decrypt kms key used for cloudtrail ### why + - allow queries against cloudtrail logs from a centralized account (audit) ### references + n/a
- ## 1.181.0 (2023-04-20T22:00:24Z)
Format Identity Team Access Permission Set Name @milldr (#646) ### what + - format permission set roles with hyphens ### why + - pretty Permission Set naming. We want `devops-super` to format to `IdentityDevopsSuperTeamAccess` ### references -https://github.com/cloudposse/refarch-scaffold/pull/127 - +https://github.com/cloudposse/refarch-scaffold/pull/127
- ## 1.180.0 (2023-04-20T21:12:28Z)
Fix `s3-bucket` `var.bucket_name` @milldr (#637) ### what + changed default value for bucket name to empty string not null ### why + default bucket name should be empty string not null. Module checks against name length ### references -n/a - +n/a
- ## 1.179.0 (2023-04-20T20:26:20Z)
ecs-service: fix lint issues @kevcube (#636) - -
- ## 1.178.0 (2023-04-20T20:23:10Z)
fix:aws-team-roles have stray locals @dudymas (#642) ### what -* remove locals from modules/aws-team-roles -### why -* breaks component when it tries to configure locals (the remote state for -account_map isn't around) +- remove locals from modules/aws-team-roles +### why +- breaks component when it tries to configure locals (the remote state for account_map isn't around)
- ## 1.177.0 (2023-04-20T05:13:53Z)
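Review bot: The 1.182.0 "what" bullet in this hunk, "conditionally allow audit account to decrypt kms key used for cloudtrail", describes a widening of the CloudTrail KMS key policy but never says which input gates the grant or what its default is, so a reader cannot tell whether upgrading changes their key policy; add the variable name and default to the entry. Also in this hunk, the 1.179.0 "ecs-service: fix lint issues" entry has no "what"/"why" body at all and the 1.178.0 "why" bullet is now a single run-on line after the rewrap; give 1.179.0 at least a one-line "what".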
@@ -3272,13 +3383,8 @@ account_map isn't around) - Keep in sync with other modules - #567 is a silent privilege escalation and not needed to accomplish desired goals - - - -
- ## 1.176.1 (2023-04-19T14:20:27Z) ### 🚀 Enhancements @@ -3302,42 +3408,42 @@ account_map isn't around) │ arguments. ``` - - ## 1.176.0 (2023-04-18T18:46:38Z)
feat: cloudtrail-bucket can have acl configured @dudymas (#643) ### what -* add `acl` var to `cloudtrail-bucket` component + +- add `acl` var to `cloudtrail-bucket` component ### why -* Creating new cloudtrail buckets will fail if the acl isn't set to private -### references -* This is part of [a security update from AWS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-faq.html) +- Creating new cloudtrail buckets will fail if the acl isn't set to private +### references +- This is part of + [a security update from AWS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-faq.html)
- ## 1.175.0 (2023-04-11T12:11:46Z)
[argocd-repo] Added ArgoCD git commit notifications @goruha (#633) ### what -* [argocd-repo] Added ArgoCD git commit notifications + +- [argocd-repo] Added ArgoCD git commit notifications ### why -* ArgoCD sync deployment -
+- ArgoCD sync deployment + ## 1.174.0 (2023-04-11T08:53:06Z) @@ -3345,13 +3451,14 @@ account_map isn't around) [argocd] Added github commit status notifications @goruha (#631) ### what -* [argocd] Added github commit status notifications + +- [argocd] Added github commit status notifications ### why -* ArgoCD sync deployment fix concurrent issue - +- ArgoCD sync deployment fix concurrent issue + ## 1.173.0 (2023-04-06T19:21:23Z) @@ -3359,32 +3466,33 @@ account_map isn't around) Missing Version Pins for Bats @milldr (#629) ### what + added missing provider version pins ### why + missing provider versions, required for bats ### references -#626 -#628, #627 +#626 #628, #627 - ## 1.172.0 (2023-04-06T18:32:04Z)
update datadog_lambda_forwarder ref for darwin_arm64 @kevcube (#626) ### what -* update datadog-lambda-forwarder module for darwin_arm64 + +- update datadog-lambda-forwarder module for darwin_arm64 ### why -* run on Darwin_arm64 hardware -
+- run on Darwin_arm64 hardware + ## 1.171.0 (2023-04-06T18:11:40Z) @@ -3392,48 +3500,51 @@ missing provider versions, required for bats Version Pinning Requirements @milldr (#628) ### what + - missing bats requirements resolved ### why + - PR #627 missed a few bats requirements in submodules ### references + - #627 - #626 - - ## 1.170.0 (2023-04-06T17:38:24Z)
Bats Version Pinning @milldr (#627) ### what + - upgraded pattern for version pinning ### why + - bats would fail for all of these components unless these versions are pinned as such ### references -- https://github.com/cloudposse/terraform-aws-components/pull/626 - +- https://github.com/cloudposse/terraform-aws-components/pull/626
- ## 1.169.0 (2023-04-05T20:28:39Z)
[eks/actions-runner-controller]: support Runner Group, webhook queue size @Nuru (#621) ### what + - `eks/actions-runner-controller` - - Support [Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups) - - Enable configuration of the webhook queue size limit - - Change runner controller Docker image designation + - Support + [Runner Groups](https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups) + - Enable configuration of the webhook queue size limit + - Change runner controller Docker image designation - Add documentation on Runner Groups and Autoscaler configuration ### why @@ -3448,24 +3559,25 @@ missing provider versions, required for bats
- ## 1.168.0 (2023-04-04T21:48:58Z)
s3-bucket: use cloudposse template provider for arm64 @kevcube (#618) ### what -* use cloud posse's template provider + +- use cloud posse's template provider ### why -* arm64 -* also this provider was not pinned in versions.tf so that had to be fixed somehow + +- arm64 +- also this provider was not pinned in versions.tf so that had to be fixed somehow ### references -* closes #617 -
+- closes #617 + ## 1.167.0 (2023-04-04T18:14:45Z) @@ -3473,57 +3585,57 @@ missing provider versions, required for bats chore: aws-sso modules updated to 1.0.0 @dudymas (#623) ### what -* upgrade aws-sso modules: permission_sets, sso_account_assignments, and -sso_account_assignments_root -### why -* upstream updates +- upgrade aws-sso modules: permission_sets, sso_account_assignments, and sso_account_assignments_root +### why +- upstream updates - ## 1.166.0 (2023-04-03T13:39:53Z)
Add `datadog-synthetics` component @aknysh (#619) ### what -* Add `datadog-synthetics` component + +- Add `datadog-synthetics` component ### why -* This component is responsible for provisioning Datadog synthetic tests -* Supports Datadog synthetics private locations - - https://docs.datadoghq.com/getting_started/synthetics/private_location - - https://docs.datadoghq.com/synthetics/private_locations +- This component is responsible for provisioning Datadog synthetic tests -* Synthetic tests allow you to observe how your systems and applications are performing using simulated requests and actions from the AWS managed locations around the globe and to monitor internal endpoints from private locations +- Supports Datadog synthetics private locations + - https://docs.datadoghq.com/getting_started/synthetics/private_location + - https://docs.datadoghq.com/synthetics/private_locations +- Synthetic tests allow you to observe how your systems and applications are performing using simulated requests and + actions from the AWS managed locations around the globe and to monitor internal endpoints from private locations
- ## 1.165.0 (2023-03-31T22:11:26Z)
Update `eks/cluster` README @milldr (#616) ### what + - Updated the README with EKS cluster ### why + The example stack is outdated. Add notes for Github OIDC and karpenter ### references -https://cloudposse.atlassian.net/browse/DEV-835 +https://cloudposse.atlassian.net/browse/DEV-835
- ## 1.164.1 (2023-03-30T20:03:15Z) ### 🚀 Enhancements @@ -3532,30 +3644,30 @@ https://cloudposse.atlassian.net/browse/DEV-835 spacelift: Update README.md example login policy @johncblandii (#597) ### what -* Added support for allowing spaces read access to all members -* Added a reference for allowing spaces write access to the "Developers" group + +- Added support for allowing spaces read access to all members +- Added a reference for allowing spaces write access to the "Developers" group ### why -* Spacelift moved to Spaces Access Control -### references -* https://docs.spacelift.io/concepts/spaces/access-control +- Spacelift moved to Spaces Access Control +### references +- https://docs.spacelift.io/concepts/spaces/access-control - ## 1.164.0 (2023-03-30T16:25:28Z)
Update several component Readmes @Benbentwo (#611) ### what -* Update Readmes of many components from Refarch Docs -
+- Update Readmes of many components from Refarch Docs + ## 1.163.0 (2023-03-29T19:52:46Z) @@ -3563,28 +3675,29 @@ https://cloudposse.atlassian.net/browse/DEV-835 add providers to `mixins` folder @Benbentwo (#613) ### what -* Copies some common providers to the mixins folder + +- Copies some common providers to the mixins folder ### why -* Have a central place where our common providers are held. +- Have a central place where our common providers are held. - ## 1.162.0 (2023-03-29T19:30:15Z)
Added ArgoCD GitHub notification subscription @goruha (#615) ### what -* Added ArgoCD GitHub notification subscription + +- Added ArgoCD GitHub notification subscription ### why -* To use synchronous deployment pattern -
+- To use synchronous deployment pattern + ## 1.161.1 (2023-03-29T17:20:27Z) @@ -3594,73 +3707,72 @@ https://cloudposse.atlassian.net/browse/DEV-835 waf component, update dependency versions for aws provider and waf terraform module @arcaven (#612) ### what -* updates to waf module: - * aws provider from ~> 4.0 to => 4.0 - * module cloudposse/waf/aws from 0.0.4 to 0.2.0 - * different recommended catalog entry + +- updates to waf module: + - aws provider from ~> 4.0 to => 4.0 + - module cloudposse/waf/aws from 0.0.4 to 0.2.0 + - different recommended catalog entry ### why -* @aknysh suggested some updates before we start using waf module +- @aknysh suggested some updates before we start using waf module - ## 1.161.0 (2023-03-28T19:51:27Z)
Quick fixes to EKS/ARC arm64 Support @Nuru (#610) ### what + - While supporting EKS/ARC `arm64`, continue to deploy `amd64` by default - Make `tolerations.value` optional ### why + - Majority of echosystem support is currently `amd64` - `tolerations.value` is option in Kubernetes spec ### references -- Corrects issue which escaped review in #609 +- Corrects issue which escaped review in #609
- ## 1.160.0 (2023-03-28T18:26:20Z)
Upstream EKS/ARC amd64 Support @milldr (#609) ### what + Added arm64 support for eks/arc ### why + when supporting both amd64 and arm64, we need to select the correct architecture ### references -https://github.com/cloudposse/infra-live/pull/265 - +https://github.com/cloudposse/infra-live/pull/265
- ## 1.159.0 (2023-03-27T16:19:29Z)
Update account-map to output account information for aws-config script @Nuru (#608) ### what -* Update `account-map` to output account information for `aws-config` script -* Output AWS profile name for root of credential chain - -### why -* Enable `aws-config` to output account IDs and to generate configuration for "AWS Extend Switch Roles" browser plugin -* Support multiple namespaces in a single infrastructure repo - +- Update `account-map` to output account information for `aws-config` script +- Output AWS profile name for root of credential chain +### why +- Enable `aws-config` to output account IDs and to generate configuration for "AWS Extend Switch Roles" browser plugin +- Support multiple namespaces in a single infrastructure repo
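Review bot: The 1.161.1 "what" sub-bullet in this hunk reads "aws provider from ~> 4.0 to => 4.0"; `=>` is not a Terraform version-constraint operator, so this is almost certainly meant to be `>= 4.0` and should be corrected while the line is being rewrapped. Two more items in the same hunk: the 1.160.0 title says "amd64 Support" while its body says "Added arm64 support for eks/arc", so one of them is wrong, and the 1.161.0 "why" bullets should read "ecosystem" and "is optional in Kubernetes spec".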
@@ -3668,104 +3780,107 @@ https://github.com/cloudposse/infra-live/pull/265 Update CODEOWNERS to remove contributors @Nuru (#607) ### what -* Update CODEOWNERS to remove contributors + +- Update CODEOWNERS to remove contributors ### why -* Require approval from engineering team (or in some cases admins) for all changes, to keep better quality control on this repo +- Require approval from engineering team (or in some cases admins) for all changes, to keep better quality control on + this repo - ## 1.158.0 (2023-03-27T03:41:43Z)
Upstream latest datadog-agent and datadog-configuration updates @nitrocode (#598) ### what -* Upstream latest datadog-agent and datadog-configuration updates + +- Upstream latest datadog-agent and datadog-configuration updates ### why -* datadog irsa role -* removing unused input vars -* default to `public.ecr.aws` images -* ignore deprecated `default.auto.tfvars` -* move `datadog-agent` to `eks/` subfolder for consistency with other helm charts -### references -N/A +- datadog irsa role +- removing unused input vars +- default to `public.ecr.aws` images +- ignore deprecated `default.auto.tfvars` +- move `datadog-agent` to `eks/` subfolder for consistency with other helm charts +### references +N/A
- ## 1.157.0 (2023-03-24T19:12:17Z)
Remove `root_account_tenant_name` @milldr (#605) ### what + - bumped ecr - remove unnecssary variable ### why + - ECR version update - We shouldn't need to set `root_account_tenant_name` in providers - Some Terraform docs are out-of-date ### references -- n/a +- n/a
- ## 1.156.0 (2023-03-23T21:03:46Z)
exposing variables from 2.0.0 of `VPC` module @Benbentwo (#604) ### what -* Adding vars for vpc module and sending them directly to module -### references -* https://github.com/cloudposse/terraform-aws-vpc/blob/master/variables.tf#L10-L44 +- Adding vars for vpc module and sending them directly to module +### references +- https://github.com/cloudposse/terraform-aws-vpc/blob/master/variables.tf#L10-L44
- ## 1.155.0 (2023-03-23T02:01:29Z)
Add Privileged Option for GH OIDC @milldr (#603) ### what + - allow gh oidc role to use privileged as option for reading tf backend ### why -- If deploying GH OIDC with a component that needs to be applied with SuperAdmin (aws-teams) we need to set privileged here + +- If deploying GH OIDC with a component that needs to be applied with SuperAdmin (aws-teams) we need to set privileged + here ### references -- https://cloudposse.slack.com/archives/C04N39YPVAS/p1679409325357119 +- https://cloudposse.slack.com/archives/C04N39YPVAS/p1679409325357119
- ## 1.154.0 (2023-03-22T17:40:35Z)
update `opsgenie-team` to be delete-able via `enabled: false` @Benbentwo (#589) ### what -* Uses Datdaog Configuration as it's source of datadog variables -* Now supports `enabled: false` on a team to destroy it. -
+- Uses Datdaog Configuration as it's source of datadog variables +- Now supports `enabled: false` on a team to destroy it. + ## 1.153.0 (2023-03-21T19:22:03Z) @@ -3773,35 +3888,38 @@ N/A Upstream AWS Teams components @milldr (#600) ### what + - added eks view only policy ### why + - Provided updates from recent contracts ### references -- https://github.com/cloudposse/refarch-scaffold/pull/99 - +- https://github.com/cloudposse/refarch-scaffold/pull/99 - ## 1.152.0 (2023-03-21T15:42:51Z)
upstream 'datadog-lambda-forwarder' @gberenice (#601) ### what -* Upgrade 'datadog-lambda-forwarder' component to v1.3.0 + +- Upgrade 'datadog-lambda-forwarder' component to v1.3.0 ### why -* Be able [to forward Cloudwatch Events](https://github.com/cloudposse/terraform-aws-datadog-lambda-forwarder/pull/48) via components. + +- Be able [to forward Cloudwatch Events](https://github.com/cloudposse/terraform-aws-datadog-lambda-forwarder/pull/48) + via components. ### references -* N/A -
+- N/A + ## 1.151.0 (2023-03-15T15:56:20Z) @@ -3809,108 +3927,106 @@ N/A Upstream `eks/external-secrets-operator` @milldr (#595) ### what + - Adding new module for `eks/external-secrets-operator` ### why + - Other customers want to use this module now, and it needs to be upstreamed ### references -- n/a - +- n/a - ## 1.150.0 (2023-03-14T20:20:41Z)
chore(spacelift): update with dependency resource @dudymas (#594) ### what -* update spacelift component to 0.55.0 + +- update spacelift component to 0.55.0 ### why -* support feature flag for spacelift_stack_dependency resource -### references -* [spacelift module 0.55.0](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/releases/tag/0.55.0) +- support feature flag for spacelift_stack_dependency resource +### references +- [spacelift module 0.55.0](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/releases/tag/0.55.0)
- ## 1.149.0 (2023-03-13T15:25:25Z)
Fix SSO SAML provider fixes @goruha (#592) ### what -* Fix SSO SAML provider fixes +- Fix SSO SAML provider fixes
- ## 1.148.0 (2023-03-10T18:07:36Z)
ArgoCD SSO improvements @goruha (#590) ### what -* ArgoCD SSO improvements +- ArgoCD SSO improvements
- ## 1.147.0 (2023-03-10T17:52:18Z)
Upstream: `eks/echo-server` @milldr (#591) ### what + - Adding the `ingress.alb.group_name` annotation to Echo Server ### why + - Required to set the ALB specifically, rather than using the default ### references -- n/a - +- n/a
- ## 1.146.0 (2023-03-08T23:13:13Z)
Improve platform and external-dns for release engineering @goruha (#588) ### what -* `eks/external-dns` support `dns-primary` -* `eks/platform` support json query remote components outputs + +- `eks/external-dns` support `dns-primary` +- `eks/platform` support json query remote components outputs ### why -* `vanity domain` pattern support by `eks/external-dns` -* Improve flexibility of `eks/platform` +- `vanity domain` pattern support by `eks/external-dns` +- Improve flexibility of `eks/platform`
- ## 1.145.0 (2023-03-07T00:28:25Z)
`eks/actions-runner-controller`: use coalesce @Benbentwo (#586) ### what -* use coalesce instead of try, as we need a value passed in here -
+- use coalesce instead of try, as we need a value passed in here + ## 1.144.0 (2023-03-05T20:24:09Z) @@ -3918,103 +4034,101 @@ N/A Upgrade Remote State to `1.4.1` @milldr (#585) ### what + - Upgrade _all_ remote state modules (`cloudposse/stack-config/yaml//modules/remote-state`) to version `1.4.1` ### why -- In order to use go templating with Atmos, we need to use the latest cloudposse/utils version. This version is specified by `1.4.1` -### references -- https://github.com/cloudposse/terraform-yaml-stack-config/releases/tag/1.4.1 +- In order to use go templating with Atmos, we need to use the latest cloudposse/utils version. This version is + specified by `1.4.1` +### references +- https://github.com/cloudposse/terraform-yaml-stack-config/releases/tag/1.4.1 - ## 1.143.0 (2023-03-02T18:07:53Z)
bugfix: rds anomalies monitor not sending team information @Benbentwo (#583) ### what -* Update monitor to have default CP tags -
+- Update monitor to have default CP tags + ## 1.142.0 (2023-03-02T17:49:40Z)
datadog-lambda-forwarder: if s3_buckets not set, module fails @kevcube (#581) - This module attempts to do length() on the value for s3_buckets. +This module attempts to do length() on the value for s3_buckets. We are not using s3_buckets, and it defaults to null, so length() fails.
- ## 1.141.0 (2023-03-01T19:10:07Z)
`datadog-monitors`: Team Grouping @Benbentwo (#580) ### what -* grouping by team helps ensure the team tag is sent to Opsgenie -### why -* ensures most data is fed to a valid team tag instead of `@opsgenie-` +- grouping by team helps ensure the team tag is sent to Opsgenie +### why +- ensures most data is fed to a valid team tag instead of `@opsgenie-`
- ## 1.140.0 (2023-02-28T18:47:44Z)
`spacelift` add missing `var.region` @johncblandii (#574) ### what -* Added the missing `var.region` + +- Added the missing `var.region` ### why -* The AWS provider requires it and it was not available -### references +- The AWS provider requires it and it was not available +### references
- ## 1.139.0 (2023-02-28T18:46:35Z)
datadog monitors improvements @Benbentwo (#579) ### what -* Datadog monitor improvements - * Prepends `()` e.g. `(tenant-environment-stage)` - * Fixes some messages that had improper syntax - dd uses `{{ var.name }}` -### why -* Datadog monitor improvements +- Datadog monitor improvements + - Prepends `()` e.g. `(tenant-environment-stage)` + - Fixes some messages that had improper syntax - dd uses `{{ var.name }}` +### why +- Datadog monitor improvements
- ## 1.138.0 (2023-02-28T18:45:48Z)
update `account` readme.md @Benbentwo (#570) ### what -* Updated account readme -
+- Updated account readme + ## 1.137.0 (2023-02-27T20:39:34Z) @@ -4022,10 +4136,10 @@ We are not using s3_buckets, and it defaults to null, so length() fails. Update `eks/cluster` @Benbentwo (#578) ### what -* Update EKS Cluster Module to re-include addons - +- Update EKS Cluster Module to re-include addons + ## 1.136.0 (2023-02-27T17:36:47Z) @@ -4033,52 +4147,58 @@ We are not using s3_buckets, and it defaults to null, so length() fails. Set spacelift-worker-pool ami explicitly to x86_64 @arcaven (#577) ### why + - autoscaling group for spacelift-worker-pool will fail to launch when new arm64 images return first - arm64 ami image is being returned first at the moment in us-east-1 ### what + - set spacelift-worker-pool ami statically to return only x86_64 results ### references + - Spacelift Worker Pool ASG may fail to scale due to ami/instance type mismatch #575 -- Note: this is an alternative to spacelift-worker-pool README update and AMI limits #573 which I read after, but I think this filter approach will be more easily be refactored into setting this as an attribute in variables.tf in the near future +- Note: this is an alternative to spacelift-worker-pool README update and AMI limits #573 which I read after, but I + think this filter approach will be more easily be refactored into setting this as an attribute in variables.tf in the + near future - ## 1.135.0 (2023-02-27T13:56:48Z)
github-runners add support for runner groups @johncblandii (#569) ### what -* Added optional support for separating runners by groups + +- Added optional support for separating runners by groups NOTE: I don't know if the default of `default` is valid or if it is `Default`. I'll confirm this soon. ### why -* Groups are supported by GitHub and allow for Actions to target specific runners by group vs by label + +- Groups are supported by GitHub and allow for Actions to target specific runners by group vs by label ### references -* https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups +- https://docs.github.com/en/actions/hosting-your-own-runners/managing-access-to-self-hosted-runners-using-groups
- ## 1.134.0 (2023-02-24T20:59:40Z)
[account-map] Update remote config module version @goruha (#572) ### what -* Update remote config module version `1.4.1` + +- Update remote config module version `1.4.1` ### why -* Solve terraform module version conflict -
+- Solve terraform module version conflict + ## 1.133.0 (2023-02-24T17:55:52Z) @@ -4086,72 +4206,76 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I Fix ArgoCD minor issues @goruha (#571) ### what -* Fix slack notification annotations -* Fix CRD creation order + +- Fix slack notification annotations +- Fix CRD creation order ### why -* Fix ArgoCD bootstrap +- Fix ArgoCD bootstrap - ## 1.132.0 (2023-02-23T04:33:29Z)
Add spacelift-policy component @nitrocode (#556) ### what -* Add spacelift-policy component + +- Add spacelift-policy component ### why + - De-couple policy creation from admin and child stacks - Auto attach policies to remove additional terraform management of resources ### references -- Depends on PR https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/pull/134 - +- Depends on PR https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation/pull/134
- ## 1.131.0 (2023-02-23T01:13:58Z)
SSO upgrades and Support for Assume Role from Identity Users @johncblandii (#567) ### what -* Upgraded `aws-sso` to use `0.7.1` modules -* Updated `account-map/modules/roles-to-principals` to support assume role from SSO users in the identity account -* Adjusted `aws-sso/policy-Identity-role-RoleAccess.tf` to use the identity account name vs the stage so it supports names like `core-identity` instead of just `identity` + +- Upgraded `aws-sso` to use `0.7.1` modules +- Updated `account-map/modules/roles-to-principals` to support assume role from SSO users in the identity account +- Adjusted `aws-sso/policy-Identity-role-RoleAccess.tf` to use the identity account name vs the stage so it supports + names like `core-identity` instead of just `identity` ### why -* `aws-sso` users could not assume role to plan/apply terraform locally -* using `core-identity` as a name broke the `aws-sso` policy since account `identity` does not exist in `full_account_map` -### references +- `aws-sso` users could not assume role to plan/apply terraform locally +- using `core-identity` as a name broke the `aws-sso` policy since account `identity` does not exist in + `full_account_map` +### references
- ## 1.130.0 (2023-02-21T18:33:53Z)
Add Redshift component @max-lobur (#563) ### what -* Add Redshift + +- Add Redshift ### why -* Fulfilling the AWS catalog + +- Fulfilling the AWS catalog ### references -* https://github.com/cloudposse/terraform-aws-redshift-cluster -
+- https://github.com/cloudposse/terraform-aws-redshift-cluster + ## 1.129.0 (2023-02-21T16:45:43Z) @@ -4159,10 +4283,10 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I update dd agent docs @Benbentwo (#565) ### what -* Update Datadog Docs to be more clear on catalog entry - +- Update Datadog Docs to be more clear on catalog entry + ## 1.128.0 (2023-02-18T16:28:11Z) @@ -4170,46 +4294,44 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I feat: updates spacelift to support policies outside of the comp folder @Gowiem (#522) ### what -* Adds back `policies_by_name_path` variable to spacelift component + +- Adds back `policies_by_name_path` variable to spacelift component ### why -* Allows specifying spacelift policies outside of the component folder -### references -* N/A +- Allows specifying spacelift policies outside of the component folder +### references +- N/A - ## 1.127.0 (2023-02-16T17:53:31Z)
[sso-saml-provider] Upstream SSO SAML provider component @goruha (#562) ### what -* [sso-saml-provider] Upstream SSO SAML provider component - -### why -* Required for ArgoCD +- [sso-saml-provider] Upstream SSO SAML provider component +### why +- Required for ArgoCD
- ## 1.126.0 (2023-02-14T23:01:00Z)
upstream `opsgenie-team` @Benbentwo (#561) ### what -* Upstreams latest opsgenie-team component -
+- Upstreams latest opsgenie-team component + ## 1.125.0 (2023-02-14T21:45:32Z) @@ -4217,22 +4339,21 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I [eks/argocd] Upstream ArgoCD @goruha (#560) ### what -* Upstream `eks/argocd` +- Upstream `eks/argocd` - ## 1.124.0 (2023-02-14T17:34:29Z)
`aws-backup` upstream @Benbentwo (#559) ### what -* Update `aws-backup` to latest -
+- Update `aws-backup` to latest + ## 1.123.0 (2023-02-13T22:42:56Z) @@ -4240,164 +4361,155 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I upstream lambda pt2 @Benbentwo (#558) ### what -* Add archive zip -* Change to python (no compile) +- Add archive zip +- Change to python (no compile) - ## 1.122.0 (2023-02-13T21:24:02Z)
upstream `lambda` @Benbentwo (#557) ### what -* Upstream `lambda` component + +- Upstream `lambda` component ### why -* Quickly deploy serverless code +- Quickly deploy serverless code
- ## 1.121.0 (2023-02-13T16:59:16Z)
Upstream `ACM` and `eks/Platform` for release_engineering @Benbentwo (#555) ### what -* ACM Component outputs it's acm url -* EKS/Platform will deploy many terraform outputs to SSM -### why -* These components are required for CP Release Engineering Setup +- ACM Component outputs it's acm url +- EKS/Platform will deploy many terraform outputs to SSM +### why +- These components are required for CP Release Engineering Setup
- ## 1.120.0 (2023-02-08T16:34:25Z)
Upstream datadog logs archive @Benbentwo (#552) ### what -* Upstream DD Logs Archive - - +- Upstream DD Logs Archive
- ## 1.119.0 (2023-02-07T21:32:25Z)
Upstream `dynamodb` @milldr (#512) ### what + - Updated the `dynamodb` component ### why + - maintaining up-to-date upstream component ### references -- N/A +- N/A
- ## 1.118.0 (2023-02-07T20:15:17Z)
fix dd-forwarder: datadog service config depends on lambda arn config @raybotha (#531) - -
- ## 1.117.0 (2023-02-07T19:44:32Z)
Upstream `spa-s3-cloudfront` @milldr (#500) ### what + - Added missing component from upstream `spa-s3-cloudfront` ### why + - We use this component to provision Cloudfront and related resources ### references -- N/A +- N/A
- ## 1.116.0 (2023-02-07T00:52:27Z)
Upstream `aurora-mysql` @milldr (#517) ### what + - Upstreaming both `aurora-mysql` and `aurora-mysql-resources` ### why + - Added option for allowing ingress by account name, rather than requiring CIDR blocks copy and pasted - Replaced the deprecated provider for MySQL - Resolved issues with Terraform perma-drift for the resources component with granting "ALL" ### references + - Old provider, archived: https://github.com/hashicorp/terraform-provider-mysql - New provider: https://github.com/petoju/terraform-provider-mysql - -
- ## 1.115.0 (2023-02-07T00:49:59Z)
Upstream `aurora-postgres` @milldr (#518) ### what + - Upstreaming `aurora-postgres` and `aurora-postgres-resources` ### why + - TLC for these components - Added options for adding ingress by account - Cleaned up the submodule for the resources component - Support creating schemas - Support conditionally pulling passwords from SSM, similar to `aurora-mysql` - -
- ## 1.114.0 (2023-02-06T17:09:31Z)
`datadog-private-locations` update helm provider @Benbentwo (#549) ### what -* Updates Helm Provider to the latest - -### why -* New API Version +- Updates Helm Provider to the latest +### why +- New API Version
- ## 1.113.0 (2023-02-06T02:26:22Z)
@@ -4405,18 +4517,16 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I ### what -* Stack example has an old variable defined +- Stack example has an old variable defined ### why -* `The root module does not declare a variable named "eks_tags_enabled" but a value was found in file "uw2-automation-vpc.terraform.tfvars.json".` +- `The root module does not declare a variable named "eks_tags_enabled" but a value was found in file "uw2-automation-vpc.terraform.tfvars.json".` ### references -
- ## 1.112.1 (2023-02-03T20:00:09Z) ### 🚀 Enhancements @@ -4425,42 +4535,40 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I Fixed non-html tags that fails rendering on docusaurus @zdmytriv (#546) ### what -* Fixed non-html tags -### why -* Rendering has been failing on docusaurus mdx/jsx engine +- Fixed non-html tags +### why +- Rendering has been failing on docusaurus mdx/jsx engine - ## 1.112.0 (2023-02-03T19:02:57Z)
`datadog-agent` allow values var merged @Benbentwo (#548) ### what -* Allows values to be passed in and merged to values file -### why -* Need to be able to easily override values files +- Allows values to be passed in and merged to values file +### why +- Need to be able to easily override values files
- ## 1.111.0 (2023-01-31T23:02:57Z)
Update echo and alb-controller-ingress-group @Benbentwo (#547) ### what -* Allows target group to be targeted by echo server -
+- Allows target group to be targeted by echo server + ## 1.110.0 (2023-01-26T00:25:13Z) @@ -4468,172 +4576,167 @@ NOTE: I don't know if the default of `default` is valid or if it is `Default`. I Chore/acme/bootcamp core tenant @dudymas (#543) ### what -* upgrade the vpn module in the ec2-client-vpn component -* and protect outputs on ec2-client-vpn + +- upgrade the vpn module in the ec2-client-vpn component +- and protect outputs on ec2-client-vpn ### why -* saml docs were broken in refarch-scaffold. module was trying to alter the cert provider +- saml docs were broken in refarch-scaffold. module was trying to alter the cert provider - ## 1.109.0 (2023-01-24T20:01:56Z)
Chore/acme/bootcamp spacelift @dudymas (#545) ### what -* adjust the type of context_filters in spacelift - -### why -* was getting errors trying to apply spacelift component +- adjust the type of context_filters in spacelift +### why +- was getting errors trying to apply spacelift component
- ## 1.108.0 (2023-01-20T22:36:54Z)
EC2 Client VPN Version Bump @Benbentwo (#544) ### what -* Bump Versin of EC2 Client VPN + +- Bump Versin of EC2 Client VPN ### why -* Bugfixes issue with TLS provider + +- Bugfixes issue with TLS provider ### references -* https://github.com/cloudposse/terraform-aws-ec2-client-vpn/pull/58 -* https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert/pull/20 +- https://github.com/cloudposse/terraform-aws-ec2-client-vpn/pull/58 +- https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert/pull/20
- ## 1.107.0 (2023-01-19T17:34:33Z)
Update pod security context schema in cert-manager @max-lobur (#538) ### what -Pod security context `enabled` field has been deprecated. Now you just specify the options and that's it. -Update the options per recent schema. See references + +Pod security context `enabled` field has been deprecated. Now you just specify the options and that's it. Update the +options per recent schema. See references Tested on k8s 1.24 ### why -* Otherwise it does not pass Deployment validation on newer clusters. -### references -https://github.com/cert-manager/cert-manager/commit/c17b11fa01455eb1b83dce0c2c06be555e4d53eb +- Otherwise it does not pass Deployment validation on newer clusters. +### references +https://github.com/cert-manager/cert-manager/commit/c17b11fa01455eb1b83dce0c2c06be555e4d53eb
- ## 1.106.0 (2023-01-18T15:36:52Z)
Fix github actions runner controller default variables @max-lobur (#542) ### what + Default value for string is null, not false ### why -* Otherwise this does not pass schema when you deploy it without storage requests - - +- Otherwise this does not pass schema when you deploy it without storage requests
- ## 1.105.0 (2023-01-18T15:24:11Z)
Update k8s metrics-server to latest @max-lobur (#537) - - ### what -Upgrade metrics-server -Tested on k8s 1.24 via `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"` - -### why -* The previous one was so old that bitnami has even removed the chart. +Upgrade metrics-server Tested on k8s 1.24 via `kubectl get --raw "/apis/metrics.k8s.io/v1beta1/nodes"` +### why +- The previous one was so old that bitnami has even removed the chart.
- ## 1.104.0 (2023-01-18T14:52:58Z)
Pin kubernetes provider in metrics-server @max-lobur (#541) ### what -* Pin the k8s provider version -* Update versions + +- Pin the k8s provider version +- Update versions ### why -* Fix CI -### references -* https://github.com/cloudposse/terraform-aws-components/pull/537 +- Fix CI +### references +- https://github.com/cloudposse/terraform-aws-components/pull/537
- ## 1.103.0 (2023-01-17T21:09:56Z)
fix(dns-primary/acm): include zone_name arg @dudymas (#540) ### what -* in dns-primary, revert version of acm module 0.17.0 -> 0.16.2 (17 is a preview) + +- in dns-primary, revert version of acm module 0.17.0 -> 0.16.2 (17 is a preview) ### why -* primary zones must be specified now that names are trimmed before the dot (.) +- primary zones must be specified now that names are trimmed before the dot (.)
- ## 1.102.0 (2023-01-17T16:09:59Z)
Fix typo in karpenter-provisioner @max-lobur (#539) ### what -I formatted it last moment and did not notice that actually changed the object. -Fixing that and reformatting all of it so it's more obvious for future maintainers. + +I formatted it last moment and did not notice that actually changed the object. Fixing that and reformatting all of it +so it's more obvious for future maintainers. ### why -* Fixing bug + +- Fixing bug ### references -https://github.com/cloudposse/terraform-aws-components/pull/536 +https://github.com/cloudposse/terraform-aws-components/pull/536
- ## 1.101.0 (2023-01-17T07:47:30Z)
Support setting consolidation in karpenter-provisioner @max-lobur (#536) ### what + This is an alternative way of deprovisioning - proactive one. + ``` There is another way to configure Karpenter to deprovision nodes called Consolidation. This mode is preferred for workloads such as microservices and is imcompatible with setting @@ -4644,137 +4747,141 @@ to a change in the workloads ``` ### why -* To let users set a more aggressive deprovisioning strategy + +- To let users set a more aggressive deprovisioning strategy ### references -* https://ec2spotworkshops.com/karpenter/050_karpenter/consolidation.html +- https://ec2spotworkshops.com/karpenter/050_karpenter/consolidation.html
- ## 1.100.0 (2023-01-17T07:41:58Z)
Sync karpenter chart values with the schema @max-lobur (#535) ### what -Based on https://github.com/aws/karpenter/blob/92b3d4a0b029cae6a9d6536517ba42d70c3ebf8c/charts/karpenter/values.yaml#L129-L142 all these should go under settings.aws + +Based on +https://github.com/aws/karpenter/blob/92b3d4a0b029cae6a9d6536517ba42d70c3ebf8c/charts/karpenter/values.yaml#L129-L142 +all these should go under settings.aws ### why + Ensure compatibility with the new charts ### references -Based on https://github.com/aws/karpenter/blob/92b3d4a0b029cae6a9d6536517ba42d70c3ebf8c/charts/karpenter/values.yaml - +Based on https://github.com/aws/karpenter/blob/92b3d4a0b029cae6a9d6536517ba42d70c3ebf8c/charts/karpenter/values.yaml
- ## 1.99.0 (2023-01-13T14:59:16Z)
fix(aws-sso): dont hardcode account name for root @dudymas (#534) ### what -* remove hardcoding for root account moniker -* change default tenant from `gov` to `core` (now convention) + +- remove hardcoding for root account moniker +- change default tenant from `gov` to `core` (now convention) ### why -* tenant is not included in the account prefix. In this case, changed to be 'core' -* most accounts do not use `gov` as the root tenant +- tenant is not included in the account prefix. In this case, changed to be 'core' +- most accounts do not use `gov` as the root tenant
- ## 1.98.0 (2023-01-12T00:12:36Z)
Bump spacelift to latest @nitrocode (#532) ### what + - Bump spacelift to latest ### why + - Latest ### references -N/A +N/A
- ## 1.97.0 (2023-01-11T01:16:33Z)
Upstream EKS Action Runner Controller @milldr (#528) ### what + - Upstreaming the latest additions for the EKS actions runner controller component ### why -- We've added additional features for the ARC runners, primarily adding options for ephemeral storage and persistent storage. Persistent storage can be used to add image caching with EFS -- Allow for setting a `webhook_startup_timeout` value different than `scale_down_delay_seconds`. Defaults to `scale_down_delay_seconds` -### references -- N/A +- We've added additional features for the ARC runners, primarily adding options for ephemeral storage and persistent + storage. Persistent storage can be used to add image caching with EFS +- Allow for setting a `webhook_startup_timeout` value different than `scale_down_delay_seconds`. Defaults to + `scale_down_delay_seconds` +### references +- N/A
- ## 1.96.0 (2023-01-05T21:19:22Z)
Datadog Upstreams and Account Settings @Benbentwo (#533) ### what -* Datadog Upgrades (Bugfixes for Configuration on default datadog URL) -* Account Settings Fixes for emoji support and updated budgets - -### why -* Upstreams +- Datadog Upgrades (Bugfixes for Configuration on default datadog URL) +- Account Settings Fixes for emoji support and updated budgets +### why +- Upstreams
- ## 1.95.0 (2023-01-04T23:44:35Z)
fix(aws-sso): add missing tf update perms @dudymas (#530) ### what -* Changes for supporting [Refarch Scaffold](github.com/cloudposse/refarch-scaffold) -* TerraformUpdateAccess permission set added + +- Changes for supporting [Refarch Scaffold](github.com/cloudposse/refarch-scaffold) +- TerraformUpdateAccess permission set added ### why -* Allow SSO users to update dynamodb/s3 for terraform backend +- Allow SSO users to update dynamodb/s3 for terraform backend
- ## 1.94.0 (2022-12-21T18:38:15Z)
upstream `spacelift` @Benbentwo (#526) ### what -* Updated Spacelift Component to latest -* Updated README with new example + +- Updated Spacelift Component to latest +- Updated README with new example ### why -* Upstreams -
+- Upstreams + ## 1.93.0 (2022-12-21T18:37:37Z) @@ -4782,51 +4889,50 @@ N/A upstream `ecs` & `ecs-service` @Benbentwo (#529) ### what -* upstream - * `ecs` - * `ecs-service` -### why -* `enabled` flag correctly destroys resources -* bugfixes and improvements -* datadog support for ecs services +- upstream + - `ecs` + - `ecs-service` +### why +- `enabled` flag correctly destroys resources +- bugfixes and improvements +- datadog support for ecs services - ## 1.92.0 (2022-12-21T18:36:35Z)
Upstream Datadog @Benbentwo (#525) ### what -* Datadog updates -* New `datadog-configuration` component for setting up share functions and making codebase more dry +- Datadog updates +- New `datadog-configuration` component for setting up share functions and making codebase more dry
- ## 1.91.0 (2022-11-29T17:17:58Z)
CPLIVE-320: Set VPC to use region-less AZs @nitrocode (#524) ### what -* Set VPC to use region-less AZs + +- Set VPC to use region-less AZs ### why -* Prevent having to set VPC AZs within global region defaults + +- Prevent having to set VPC AZs within global region defaults ### references -* CPLIVE-320 +- CPLIVE-320
- ## 1.90.2 (2022-11-20T05:41:14Z) ### 🚀 Enhancements @@ -4835,20 +4941,20 @@ N/A Use cloudposse/template for arm support @nitrocode (#510) ### what -* Use cloudposse/template for arm support + +- Use cloudposse/template for arm support ### why -* The new cloudposse/template provider has a darwin arm binary for M1 laptops -### references -* https://github.com/cloudposse/terraform-provider-template -* https://registry.terraform.io/providers/cloudposse/template/latest +- The new cloudposse/template provider has a darwin arm binary for M1 laptops +### references +- https://github.com/cloudposse/terraform-provider-template +- https://registry.terraform.io/providers/cloudposse/template/latest - ## 1.90.1 (2022-10-31T13:27:37Z) ### 🚀 Enhancements @@ -4857,38 +4963,38 @@ N/A Allow vpc-peering to peer v2 to v2 @nitrocode (#521) ### what -* Allow vpc-peering to peer v2 to v2 + +- Allow vpc-peering to peer v2 to v2 ### why -* Alternative to transit gateway -### references -N/A +- Alternative to transit gateway +### references +N/A - ## 1.90.0 (2022-10-31T13:24:38Z)
Upstream iam-role component @nitrocode (#520) ### what + - Upstream iam-role component ### why + - Create simple IAM roles ### references -- https://github.com/cloudposse/terraform-aws-iam-role - +- https://github.com/cloudposse/terraform-aws-iam-role
- ## 1.89.0 (2022-10-28T15:35:38Z)
@@ -4899,35 +5005,32 @@ N/A - Support and prefer authentication via GitHub app - Support and prefer webhook-based autoscaling - ### why - GitHub app is much more restricted, plus has higher API rate limits - Webhook-based autoscaling is proactive without being overly expensive - -
- ## 1.88.0 (2022-10-24T15:40:47Z)
Upstream iam-service-linked-roles @nitrocode (#516) ### what -* Upstream iam-service-linked-roles (thanks to @aknysh for writing it) + +- Upstream iam-service-linked-roles (thanks to @aknysh for writing it) ### why -* Centralized component to create IAM service linked roles + +- Centralized component to create IAM service linked roles ### references -- N/A +- N/A
- ## 1.87.0 (2022-10-22T19:12:36Z)
@@ -4943,11 +5046,13 @@ N/A ### notes -Cloud Posse has a [service quotas module](https://github.com/cloudposse/terraform-aws-service-quotas), but it has issues, such as not allowing the service to be specified by name, and not having well documented inputs. It also takes a list input, but Atmos does not merge lists, so a map input is more appropriate. Overall I like this component better, and if others do, too, I will replace the existing module (only at version 0.1.0) with this code. +Cloud Posse has a [service quotas module](https://github.com/cloudposse/terraform-aws-service-quotas), but it has +issues, such as not allowing the service to be specified by name, and not having well documented inputs. It also takes a +list input, but Atmos does not merge lists, so a map input is more appropriate. Overall I like this component better, +and if others do, too, I will replace the existing module (only at version 0.1.0) with this code.
- ## 1.86.0 (2022-10-19T07:28:11Z)
@@ -4957,19 +5062,29 @@ Cloud Posse has a [service quotas module](https://github.com/cloudposse/terrafor Update EKS cluster and basic Kubernetes components for better behavior on initial deployment and on `terraform destroy`. -- Update minimum Terraform version to 1.1.0 and use `one()` where applicable to manage resources that can be disabled with `count = 0` and for bug fixes regarding destroy behavior +- Update minimum Terraform version to 1.1.0 and use `one()` where applicable to manage resources that can be disabled + with `count = 0` and for bug fixes regarding destroy behavior - Update `terraform-aws-eks-cluster` to v2.5.0 for better destroy behavior -- Update all components' (plus `account-map/modules/`)`remote-state` to v1.2.0 for better destroy behavior -- Update all components' `helm-release` to v0.7.0 and move namespace creation via Kubernetes provider into it to avoid race conditions regarding creating IAM roles, Namespaces, and deployments, and to delete namespaces when destroyed -- Update `alb-controller` to deploy a default IngressClass for central, obvious configuration of shared default ingress for services that do not have special needs. 
-- Add `alb-controller-ingress-class` for the rare case when we want to deploy a non-default IngressClass outside of the component that will be using it -- Update `echo-server` to use the default IngressClass and not specify any configuration that affects other Ingresses, and remove dependence on `alb-controller-ingress-group` (which should be deprecated in favor of `alb-controller-ingress-class` and perhaps a specialized future `alb-controller-ingress`) -- Update `cert-manager` to remove `default.auto.tfvars` (which had a lot of settings) and add dependencies so that initial deployment succeeds in one `terraform apply` and destroy works in one `terraform destroy` +- Update all components' (plus `account-map/modules/`)`remote-state` to v1.2.0 for better destroy behavior +- Update all components' `helm-release` to v0.7.0 and move namespace creation via Kubernetes provider into it to avoid + race conditions regarding creating IAM roles, Namespaces, and deployments, and to delete namespaces when destroyed +- Update `alb-controller` to deploy a default IngressClass for central, obvious configuration of shared default ingress + for services that do not have special needs. 
+- Add `alb-controller-ingress-class` for the rare case when we want to deploy a non-default IngressClass outside of the + component that will be using it +- Update `echo-server` to use the default IngressClass and not specify any configuration that affects other Ingresses, + and remove dependence on `alb-controller-ingress-group` (which should be deprecated in favor of + `alb-controller-ingress-class` and perhaps a specialized future `alb-controller-ingress`) +- Update `cert-manager` to remove `default.auto.tfvars` (which had a lot of settings) and add dependencies so that + initial deployment succeeds in one `terraform apply` and destroy works in one `terraform destroy` - Update `external-dns` to remove `default.auto.tfvars` (which had a lot of settings) - Update `karpenter` to v0.18.0, fix/update IAM policy (README still needs work, but leaving that for another day) -- Update `karpenter-provisioner` to require Terraform 1.3 and make elements of the Provisioner configuration optional. Support block device mappings (previously broken). Avoid perpetual Terraform plan diff/drift caused by setting fields to `null`. +- Update `karpenter-provisioner` to require Terraform 1.3 and make elements of the Provisioner configuration optional. + Support block device mappings (previously broken). Avoid perpetual Terraform plan diff/drift caused by setting fields + to `null`. - Update `reloader` -- Update `mixins/provider-helm` to better support `terraform destroy` and to default the Kubernetes client authentication API version to `client.authentication.k8s.io/v1beta1` +- Update `mixins/provider-helm` to better support `terraform destroy` and to default the Kubernetes client + authentication API version to `client.authentication.k8s.io/v1beta1` ### references 
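Review bot: the reflowed `+` line for the `remote-state` bullet carries over a missing space from the old line, so the closing parenthesis in "(plus `account-map/modules/`)" runs straight into the `remote-state` code span. Since Prettier is rewriting this bullet anyway, insert the space so the two code spans read as separate tokens.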
@@ -4978,33 +5093,30 @@ Update EKS cluster and basic Kubernetes components for better behavior on initia - https://github.com/cloudposse/terraform-yaml-stack-config/pull/56 - https://github.com/hashicorp/terraform/issues/32023 - -
- ## 1.85.0 (2022-10-18T00:05:19Z)
Upstream `github-runners` @milldr (#508) ### what + - Minor TLC updates for GitHub Runners ASG component ### why -- Maintaining up-to-date upstream - +- Maintaining up-to-date upstream
- ## 1.84.0 (2022-10-12T22:49:28Z)
Fix feature allowing IAM users to assume team roles @Nuru (#507) ### what + - Replace `deny_all_iam_users` input with `iam_users_enabled` - Fix implementation - Provide more context for `bats` test failures @@ -5012,16 +5124,20 @@ Update EKS cluster and basic Kubernetes components for better behavior on initia ### why - Cloud Posse style guide dictates that boolean feature flags have names ending with `_enabled` -- Previous implementation only removed 1 of 2 policy provisions that blocked IAM users from assuming a role, and therefore IAM users were still not allowed to assume a role. Since the previous implementation did not work, a breaking change (changing the variable name) does not need major warnings or a major version bump. -- Indication of what was being tested was too far removed from `bats` test failure message to be able to easily identify what module had failed +- Previous implementation only removed 1 of 2 policy provisions that blocked IAM users from assuming a role, and + therefore IAM users were still not allowed to assume a role. Since the previous implementation did not work, a + breaking change (changing the variable name) does not need major warnings or a major version bump. +- Indication of what was being tested was too far removed from `bats` test failure message to be able to easily identify + what module had failed ### notes -Currently, any component provisioned by SuperAdmin needs to have a special provider configuration that requires SuperAdmin to provision the component. This feature is part of what is needed to enable SuperAdmin (an IAM User) to work with "normal" provider configurations. +Currently, any component provisioned by SuperAdmin needs to have a special provider configuration that requires +SuperAdmin to provision the component. This feature is part of what is needed to enable SuperAdmin (an IAM User) to work +with "normal" provider configurations. ### references - Breaks change introduced in #495, but that didn't work anyway. -
diff --git a/README.md b/README.md index 6badcac97..c39c187a8 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,10 @@ + Project Banner
-

+ +

Latest ReleaseLast UpdateSlack Community

+ -This is a collection of reusable [AWS Terraform components](https://atmos.tools/core-concepts/components/) for provisioning infrastructure used by the Cloud Posse [reference architectures](https://cloudposse.com). -They work really well with [Atmos](https://atmos.tools), our open-source tool for managing infrastructure as code with Terraform. - +This is a collection of reusable [AWS Terraform components](https://atmos.tools/core-concepts/components/) for +provisioning infrastructure used by the Cloud Posse [reference architectures](https://cloudposse.com). They work really +well with [Atmos](https://atmos.tools), our open-source tool for managing infrastructure as code with Terraform. --- -> [!NOTE] -> This project is part of Cloud Posse's comprehensive ["SweetOps"](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=) approach towards DevOps. + +> [!NOTE] This project is part of Cloud Posse's comprehensive +> ["SweetOps"](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=) +> approach towards DevOps. +> >
Learn More > > It's 100% Open Source and licensed under the [APACHE2](LICENSE). 
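Review bot: the `> [!NOTE]` alert in the first README hunk has been folded onto the same line as its paragraph text (`> [!NOTE] This project is part of Cloud Posse's comprehensive`). GitHub only renders the callout when `[!NOTE]` stands alone on its line, so after this change it renders as a plain blockquote with a literal "[!NOTE]" in it. Keep the marker on its own line and follow it with an empty `>` line, as was done for the `[!TIP]` and `[!IMPORTANT]` blocks later in the same file, so Prettier does not merge the text back up.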
@@ -40,36 +46,33 @@ They work really well with [Atmos](https://atmos.tools), our open-source tool fo - ## Introduction In this repo you'll find real-world examples of how we've implemented Terraform "root" modules as native -[Atmos Components](https://atmos.tools/core-concepts/components/) for our customers. These Components -leverage our hundreds of free and open-source [terraform "child" modules](https://cpco.io/terraform-modules). - -The [component library](https://docs.cloudposse.com/components/) captures the business logic, opinions, best practices and -non-functional requirements for an organization. +[Atmos Components](https://atmos.tools/core-concepts/components/) for our customers. These Components leverage our +hundreds of free and open-source [terraform "child" modules](https://cpco.io/terraform-modules). -It's from this library that other developers in your organization will pick and choose from whenever they need to deploy some new -capability. - -These components make a lot of assumptions (aka ["convention over configuration"](https://en.wikipedia.org/wiki/Convention_over_configuration)) about how we've configured our environments. -That said, they still serve as an excellent reference for others on how to build, organize and distribute enterprise-grade infrastructure -with Terraform that can be used with [Atmos](https://atmos.tools). +The [component library](https://docs.cloudposse.com/components/) captures the business logic, opinions, best practices +and non-functional requirements for an organization. +It's from this library that other developers in your organization will pick and choose from whenever they need to deploy +some new capability. +These components make a lot of assumptions (aka +["convention over configuration"](https://en.wikipedia.org/wiki/Convention_over_configuration)) about how we've +configured our environments. 
That said, they still serve as an excellent reference for others on how to build, organize +and distribute enterprise-grade infrastructure with Terraform that can be used with [Atmos](https://atmos.tools). ## Usage - - - Please take a look at each [component's README](https://docs.cloudposse.com/components/) for specific usage. > [!TIP] +> > ## 👽 Use Atmos with Terraform -> To orchestrate multiple environments with ease using Terraform, Cloud Posse recommends using [Atmos](https://atmos.tools), -> our open-source tool for Terraform automation. +> +> To orchestrate multiple environments with ease using Terraform, Cloud Posse recommends using +> [Atmos](https://atmos.tools), our open-source tool for Terraform automation. > >
> Watch demo of using Atmos with Terraform @@ -77,22 +80,24 @@ Please take a look at each [component's README](https://docs.cloudposse.com/comp > Example of running atmos to manage infrastructure from our Quick Start tutorial. > -Generally, you can use these components in [Atmos](https://atmos.tools/core-concepts/components/) by adding something like the following -code into your [stack manifest](https://atmos.tools/core-concepts/stacks/): +Generally, you can use these components in [Atmos](https://atmos.tools/core-concepts/components/) by adding something +like the following code into your [stack manifest](https://atmos.tools/core-concepts/stacks/): ```yaml -components: # List of components to include in the stack - terraform: # The toolchain being used for configuration - vpc: # The name of the component (e.g. terraform "root" module) - vars: # Terraform variables (e.g. `.tfvars`) - cidr_block: 10.0.0.0/16 # A variable input passed to terraform via `.tfvars` +components: # List of components to include in the stack + terraform: # The toolchain being used for configuration + vpc: # The name of the component (e.g. terraform "root" module) + vars: # Terraform variables (e.g. `.tfvars`) + cidr_block: 10.0.0.0/16 # A variable input passed to terraform via `.tfvars` ``` ## Automated Updates of Components using GitHub Actions -Leverage our [GitHub Action](https://atmos.tools/integrations/github-actions/component-updater) to automate the creation and management of pull requests for component updates. +Leverage our [GitHub Action](https://atmos.tools/integrations/github-actions/component-updater) to automate the creation +and management of pull requests for component updates. -This is done by creating a new file (e.g. `atmos-component-updater.yml`) in the `.github/workflows` directory of your repository. +This is done by creating a new file (e.g. `atmos-component-updater.yml`) in the `.github/workflows` directory of your +repository. The file should contain the following: 
@@ -126,13 +131,19 @@ update: dry_run: no ``` -For the full documentation on how to use the Component Updater GitHub Action, please see the [Atmos Intergations](https://atmos.tools/integrations/github-actions/component-updater) documentation. +For the full documentation on how to use the Component Updater GitHub Action, please see the +[Atmos Intergations](https://atmos.tools/integrations/github-actions/component-updater) documentation. ## Using `pre-commit` Hooks -This repository uses [pre-commit](https://pre-commit.com/) and [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) to enforce consistent Terraform code and documentation. This is accomplished by triggering hooks during `git commit` to block commits that don't pass checks (E.g. format, and module documentation). You can find the hooks that are being executed in the [`.pre-commit-config.yaml`](.pre-commit-config.yaml) file. +This repository uses [pre-commit](https://pre-commit.com/) and +[pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) to enforce consistent Terraform code and +documentation. This is accomplished by triggering hooks during `git commit` to block commits that don't pass checks +(E.g. format, and module documentation). You can find the hooks that are being executed in the +[`.pre-commit-config.yaml`](.pre-commit-config.yaml) file. -You can install [pre-commit](https://pre-commit.com/) and this repo's pre-commit hooks on a Mac machine by running the following commands: +You can install [pre-commit](https://pre-commit.com/) and this repo's pre-commit hooks on a Mac machine by running the +following commands: ```bash brew install pre-commit gawk terraform-docs coreutils 
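Review bot: the link text "Atmos Intergations" is misspelled in both the removed and the added line of the Component Updater paragraph; since the line is being rewritten here, correct it to "Atmos Integrations" in the same change.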
@@ -146,20 +157,19 @@ make rebuild-docs ``` > [!IMPORTANT] +> > ## Deprecated Components +> > Terraform components which are no longer actively maintained are kept in the [`deprecated/`](deprecated/) folder. > > Many of these deprecated components are used in our older reference architectures. > > We intend to eventually delete, but are leaving them for now in the repo. - - - - - + ## Makefile Targets + ```text Available targets: @@ -171,29 +181,29 @@ Available targets: upstream-component Upstream a given component ``` - + ## Related Projects Check out these related projects. -- [Cloud Posse Terraform Modules](https://docs.cloudposse.com/modules/) - Our collection of reusable Terraform modules used by our reference architectures. +- [Cloud Posse Terraform Modules](https://docs.cloudposse.com/modules/) - Our collection of reusable Terraform modules + used by our reference architectures. - [Atmos](https://atmos.tools) - Atmos is like docker-compose but for your infrastructure - ## References For additional context, refer to some of these links. - [Cloud Posse Documentation](https://docs.cloudposse.com) - Complete documentation for the Cloud Posse solution -- [Reference Architectures](https://cloudposse.com/) - Launch effortlessly with our turnkey reference architectures, built either by your team or ours. - +- [Reference Architectures](https://cloudposse.com/) - Launch effortlessly with our turnkey reference architectures, + built either by your team or ours. ## ✨ Contributing -This project is under active development, and we encourage contributions from our community. -Many thanks to our outstanding contributors: +This project is under active development, and we encourage contributions from our community. Many thanks to our +outstanding contributors: 
@@ -201,57 +211,75 @@ Many thanks to our outstanding contributors: ### 🐛 Bug Reports & Feature Requests -Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-components/issues) to report any bugs or file feature requests. +Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-components/issues) to report any bugs or file +feature requests. ### 💻 Developing -If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud Posse's other projects, we would love to hear from you! -Hit us up in [Slack](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack), in the `#cloudposse` channel. +If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud +Posse's other projects, we would love to hear from you! Hit us up in +[Slack](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack), +in the `#cloudposse` channel. In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. - 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-components/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). - 2. **Fork** the repo on GitHub - 3. **Clone** the project to your own machine - 4. **Commit** changes to your own branch - 5. **Push** your work back up to your fork - 6. Submit a **Pull Request** so that we can review your changes + +1. Review our + [Code of Conduct](https://github.com/cloudposse/terraform-aws-components/?tab=coc-ov-file#code-of-conduct) and + [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). +2. **Fork** the repo on GitHub +3. **Clone** the project to your own machine +4. **Commit** changes to your own branch +5. 
**Push** your work back up to your fork +6. Submit a **Pull Request** so that we can review your changes **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! ### 🌎 Slack Community -Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. +Join our +[Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack) +on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar +vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit +feedback, and work together as a community to build totally _sweet_ infrastructure. ### 📰 Newsletter -Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. -Dropped straight into your Inbox every week — and usually a 5-minute read. +Sign up for +[our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=newsletter) +and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can +always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read. 
### 📆 Office Hours -[Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else. -It's **FREE** for everyone! +[Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=office_hours) +for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, +plus a _live Q&A_ that you can’t find anywhere else. It's **FREE** for everyone! ## About -This project is maintained by Cloud Posse, LLC. +This project is maintained by +Cloud +Posse, LLC. -We are a [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=commercial_support) for funded startups and enterprises. -Use our ready-to-go terraform architecture blueprints for AWS to get up and running quickly. -We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed. +We are a +[**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=commercial_support) +for funded startups and enterprises. Use our ready-to-go terraform architecture blueprints for AWS to get up and running +quickly. We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed. Learn More -*Your team can operate like a pro today.* +_Your team can operate like a pro today._ -Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you succeed. 
+Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you +succeed.
📚 See What's Included - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. -- **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and repeatable. +- **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and + repeatable. - **Site Reliability Engineering.** You'll have total visibility into your apps and microservices. - **Security Baseline.** You'll have built-in governance with accountability and audit logs for all changes. - **GitOps.** You'll be able to operate your infrastructure via Pull Requests. @@ -263,6 +291,7 @@ Ensure that your team succeeds by using our proven process and turnkey blueprint
+ ## License License @@ -281,14 +310,12 @@ to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - https://www.apache.org/licenses/LICENSE-2.0 +https://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific +language governing permissions and limitations under the License. -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -KIND, either express or implied. See the License for the -specific language governing permissions and limitations -under the License. ```
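Review bot: in the License hunk Prettier has reflowed the Apache preamble into wrapped paragraphs and de-indented the URL, which it only does to text it parses as prose, yet the hunk's trailing context line is the closing ``` of the fence that preamble is supposed to sit in, and the next hunk appends a bare ``` after the README footer beacon. That combination means the opening fence is not being recognized as a fence (most likely it is being absorbed into a preceding HTML block without a blank line before it), so the old closing fence now opens a code block that runs to end of file and swallows the copyright and footer. Check how the License section renders after this change and make the opening fence parse (a blank line before it is the usual fix) rather than accepting the stray closing fence at EOF.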
@@ -302,3 +329,4 @@ Copyright © 2017-2024 [Cloud Posse, LLC](https://cpco.io/copyright) README footer Beacon +``` diff --git a/docs/targets.md b/docs/targets.md index e44b8acf8..4a98e523f 100644 --- a/docs/targets.md +++ b/docs/targets.md @@ -1,5 +1,7 @@ + ## Makefile Targets + ```text Available targets: @@ -11,4 +13,5 @@ Available targets: upstream-component Upstream a given component ``` + diff --git a/modules/account-map/modules/iam-roles/README.md b/modules/account-map/modules/iam-roles/README.md index c08ecf2a5..3fb46aa56 100644 --- a/modules/account-map/modules/iam-roles/README.md +++ b/modules/account-map/modules/iam-roles/README.md 
@@ -1,16 +1,14 @@ # Submodule `iam-roles` -This submodule is used by other modules to determine which IAM Roles -or AWS CLI Config Profiles to use for various tasks, most commonly -for applying Terraform plans. +This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various +tasks, most commonly for applying Terraform plans. ## Special Configuration Needed -In order to avoid having to pass customization information through every module -that uses this submodule, if the default configuration does not suit your needs, -you are expected to add `variables_override.tf` to override the variables with -the defaults you want to use in your project. For example, if you are not using -"core" as the `tenant` portion of your "root" account (your Organization Management Account), -then you should include the `variable "overridable_global_tenant_name"` declaration -in your `variables_override.tf` so that `overridable_global_tenant_name` defaults -to the value you are using (or the empty string if you are not using `tenant` at all). +In order to avoid having to pass customization information through every module that uses this submodule, if the default +configuration does not suit your needs, you are expected to add `variables_override.tf` to override the variables with +the defaults you want to use in your project. For example, if you are not using "core" as the `tenant` portion of your +"root" account (your Organization Management Account), then you should include the +`variable "overridable_global_tenant_name"` declaration in your `variables_override.tf` so that +`overridable_global_tenant_name` defaults to the value you are using (or the empty string if you are not using `tenant` +at all). diff --git a/modules/account-map/modules/roles-to-principals/README.md b/modules/account-map/modules/roles-to-principals/README.md index 64d9b1419..65e45e000 100644 --- a/modules/account-map/modules/roles-to-principals/README.md 
+++ b/modules/account-map/modules/roles-to-principals/README.md 
@@ -1,17 +1,14 @@ # Submodule `roles-to-principals` -This submodule is used by other modules to map short role names and AWS -SSO Permission Set names in accounts designated by short account names -(for example, `terraform` in the `dev` account) to full IAM Role ARNs and -other related tasks. +This submodule is used by other modules to map short role names and AWS SSO Permission Set names in accounts designated +by short account names (for example, `terraform` in the `dev` account) to full IAM Role ARNs and other related tasks. ## Special Configuration Needed -As with `iam-roles`, in order to avoid having to pass customization information through every module -that uses this submodule, if the default configuration does not suit your needs, -you are expected to add `variables_override.tf` to override the variables with -the defaults you want to use in your project. For example, if you are not using -"core" as the `tenant` portion of your "root" account (your Organization Management Account), -then you should include the `variable "overridable_global_tenant_name"` declaration -in your `variables_override.tf` so that `overridable_global_tenant_name` defaults -to the value you are using (or the empty string if you are not using `tenant` at all). +As with `iam-roles`, in order to avoid having to pass customization information through every module that uses this +submodule, if the default configuration does not suit your needs, you are expected to add `variables_override.tf` to +override the variables with the defaults you want to use in your project. For example, if you are not using "core" as +the `tenant` portion of your "root" account (your Organization Management Account), then you should include the +`variable "overridable_global_tenant_name"` declaration in your `variables_override.tf` so that +`overridable_global_tenant_name` defaults to the value you are using (or the empty string if you are not using `tenant` +at all). 
diff --git a/modules/argocd-repo/CHANGELOG.md b/modules/argocd-repo/CHANGELOG.md index cb57e1d6e..dad0c1fda 100644 --- a/modules/argocd-repo/CHANGELOG.md +++ b/modules/argocd-repo/CHANGELOG.md @@ -1,11 +1,11 @@ ## Components PR [#851](https://github.com/cloudposse/terraform-aws-components/pull/851) -This is a bug fix and feature enhancement update. -There are few actions necessary to upgrade. +This is a bug fix and feature enhancement update. There are few actions necessary to upgrade. ## Upgrade actions 1. Enable `github_default_notifications_enabled` (set `true`) + ```yaml components: terraform: @@ -16,21 +16,23 @@ components: enabled: true github_default_notifications_enabled: true ``` -2. Apply changes with Atmos +2. Apply changes with Atmos ## Features -* Support predefined GitHub commit status notifications for CD sync mode: - * `on-deploy-started` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` - * `on-deploy-succeded` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` - * `on-deploy-failed` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` + +- Support predefined GitHub commit status notifications for CD sync mode: + - `on-deploy-started` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` + - `on-deploy-succeded` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` + - `on-deploy-failed` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` ### Bug Fixes -* Remove legacy unnecessary helm values used in old ArgoCD versions (ex. `workflow auth` configs) and dropped notifications services +- Remove legacy unnecessary helm values used in old ArgoCD versions (ex. `workflow auth` configs) and dropped + notifications services diff --git a/modules/aws-backup/README.md b/modules/aws-backup/README.md index be1f946b9..cf6c29e3e 100644 --- a/modules/aws-backup/README.md +++ b/modules/aws-backup/README.md 
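Review bot: `on-deploy-succeded` in the argocd-repo CHANGELOG Features list is misspelled in both the old and the reformatted lines. If it is just prose, fix it to `on-deploy-succeeded` here; if it mirrors the actual trigger name used in the component's notification configuration, leave it as-is and fix the name at its source in a separate change so the docs and the configuration stay consistent.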
@@ -273,7 +273,6 @@ No providers. | Name | Source | Version | |------|--------|---------| | [backup](#module\_backup) | cloudposse/backup/aws | 1.0.0 | -| [copy\_destination\_vault](#module\_copy\_destination\_vault) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | diff --git a/modules/aws-sso/CHANGELOG.md b/modules/aws-sso/CHANGELOG.md index 5173ebc9e..ff01dbd53 100644 --- a/modules/aws-sso/CHANGELOG.md +++ b/modules/aws-sso/CHANGELOG.md 
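Review bot: the aws-backup README hunk (`@@ -273,7 +273,6 @@`) removes the `copy_destination_vault` row from the terraform-docs Modules table, which is a content change rather than a formatting one in a commit described as "added prettier". Either the module was removed from the component source and the table is being regenerated (in which case the commit message should say so), or the row was dropped by hand and the table is now out of sync with the component. Please confirm by re-running terraform-docs on the component and, if this belongs to a different change, split it out.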
@@ -1,33 +1,30 @@ # Change log for aws-sso component -***NOTE***: This file is manually generated and is a work-in-progress. +**_NOTE_**: This file is manually generated and is a work-in-progress. ### PR 830 - Fix `providers.tf` to properly assign roles for `root` account when deploying to `identity` account. -- Restore the `sts:SetSourceIdentity` permission for Identity-role-TeamAccess -permission sets added in PR 738 and inadvertently removed in PR 740. -- Update comments and documentation to reflect Cloud Posse's current - recommendation that SSO ***not*** be delegated to the `identity` account. +- Restore the `sts:SetSourceIdentity` permission for Identity-role-TeamAccess permission sets added in PR 738 and + inadvertently removed in PR 740. +- Update comments and documentation to reflect Cloud Posse's current recommendation that SSO **_not_** be delegated to + the `identity` account. ### Version 1.240.1, PR 740 -This PR restores compatibility with `account-map` prior to version 1.227.0 -and fixes bugs that made versions 1.227.0 up to this release unusable. +This PR restores compatibility with `account-map` prior to version 1.227.0 and fixes bugs that made versions 1.227.0 up +to this release unusable. -Access control configuration (`aws-teams`, `iam-primary-roles`, `aws-sso`, etc.) -has undergone several transformations over the evolution of Cloud Posse's reference -architecture. This update resolves a number of compatibility issues with some of them. +Access control configuration (`aws-teams`, `iam-primary-roles`, `aws-sso`, etc.) has undergone several transformations +over the evolution of Cloud Posse's reference architecture. This update resolves a number of compatibility issues with +some of them. -If the roles you are using to deploy this component are allowed to assume -the `tfstate-backend` access roles (typically `...-gbl-root-tfstate`, possibly -`...-gbl-root-tfstate-ro` or `...-gbl-root-terraform`), then you can use the -defaults. 
This configuration was introduced in `terraform-aws-components` v1.227.0 -and is the default for all new deployments. +If the roles you are using to deploy this component are allowed to assume the `tfstate-backend` access roles (typically +`...-gbl-root-tfstate`, possibly `...-gbl-root-tfstate-ro` or `...-gbl-root-terraform`), then you can use the defaults. +This configuration was introduced in `terraform-aws-components` v1.227.0 and is the default for all new deployments. -If the roles you are using to deploy this component are not allowed to assume -the `tfstate-backend` access roles, then you will need to configure this component -to include the following: +If the roles you are using to deploy this component are not allowed to assume the `tfstate-backend` access roles, then +you will need to configure this component to include the following: ```yaml components: @@ -40,14 +37,11 @@ components: privileged: true ``` -If you are deploying this component to the `identity` account, then this -restriction will require you to deploy it via the SuperAdmin user. If you are -deploying this component to the `root` account, then any user or role -in the `root` account with the `AdministratorAccess` policy attached will be -able to deploy this component. - +If you are deploying this component to the `identity` account, then this restriction will require you to deploy it via +the SuperAdmin user. If you are deploying this component to the `root` account, then any user or role in the `root` +account with the `AdministratorAccess` policy attached will be able to deploy this component. ## v1.227.0 -This component was broken by changes made in v1.227.0. Either use a version -before v1.227.0 or use the version released by PR 740 or later. +This component was broken by changes made in v1.227.0. Either use a version before v1.227.0 or use the version released +by PR 740 or later. 
diff --git a/modules/datadog-integration/CHANGELOG.md b/modules/datadog-integration/CHANGELOG.md index bafd98f33..a42d26323 100644 --- a/modules/datadog-integration/CHANGELOG.md +++ b/modules/datadog-integration/CHANGELOG.md 
@@ -2,21 +2,20 @@ ### Possible Breaking Change -The `module "datadog_integration"` and `module "store_write"` had been changed -in an earlier PR from a module without a `count` -to a module with a `count` of zero or one. This PR changes it back to a module -without a count. If you were using the module with a `count` of zero or one, -applying this new version will cause it be destroyed and recreated. This should only -cause a very brief outage in your Datadog monitoring. +The `module "datadog_integration"` and `module "store_write"` had been changed in an earlier PR from a module without a +`count` to a module with a `count` of zero or one. This PR changes it back to a module without a count. If you were +using the module with a `count` of zero or one, applying this new version will cause it be destroyed and recreated. This +should only cause a very brief outage in your Datadog monitoring. ### New Integration Options This PR adds the following new integration options: -- `cspm_resource_collection_enabled` - Enable Datadog Cloud Security Posture Management scanning of your AWS account. See [announcement](https://www.datadoghq.com/product/cloud-security-management/cloud-security-posture-management/) for details. -- `metrics_collection_enabled` - When enabled, a metric-by-metric crawl of the CloudWatch API pulls data and sends it -to Datadog. New metrics are pulled every ten minutes, on average. -- `resource_collection_enabled` - Some Datadog products leverage information about how your AWS resources ( -such as S3 Buckets, RDS snapshots, and CloudFront distributions) are configured. -When `resource_collection_enabled` is `true`, Datadog collects this information -by making read-only API calls into your AWS account. +- `cspm_resource_collection_enabled` - Enable Datadog Cloud Security Posture Management scanning of your AWS account. + See [announcement](https://www.datadoghq.com/product/cloud-security-management/cloud-security-posture-management/) for + details. 
+- `metrics_collection_enabled` - When enabled, a metric-by-metric crawl of the CloudWatch API pulls data and sends it to + Datadog. New metrics are pulled every ten minutes, on average. +- `resource_collection_enabled` - Some Datadog products leverage information about how your AWS resources ( such as S3 + Buckets, RDS snapshots, and CloudFront distributions) are configured. When `resource_collection_enabled` is `true`, + Datadog collects this information by making read-only API calls into your AWS account. diff --git a/modules/datadog-lambda-forwarder/CHANGELOG.md b/modules/datadog-lambda-forwarder/CHANGELOG.md index 9a1593e45..478db1e47 100644 --- a/modules/datadog-lambda-forwarder/CHANGELOG.md +++ b/modules/datadog-lambda-forwarder/CHANGELOG.md @@ -2,12 +2,10 @@ ### Fix for `enabled = false` or Destroy and Recreate -Previously, when `enabled = false` was set, the component would not necessarily -function as desired (deleting any existing resources and not creating any new ones). -Also, previously, when deleting the component, there was a race condition where -the log group could be deleted before the lambda function was deleted, causing -the lambda function to trigger automatic recreation of the log group. This -would result in re-creation failing because Terraform would try to create the -log group but it already existed. +Previously, when `enabled = false` was set, the component would not necessarily function as desired (deleting any +existing resources and not creating any new ones). Also, previously, when deleting the component, there was a race +condition where the log group could be deleted before the lambda function was deleted, causing the lambda function to +trigger automatic recreation of the log group. This would result in re-creation failing because Terraform would try to +create the log group but it already existed. These issues have been fixed in this PR. 
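Review bot: The reflowed `resource_collection_enabled` bullet in the datadog-integration hunk now reads `your AWS resources ( such as S3`; the space after the opening parenthesis is left over from the old line break, and Prettier preserved it rather than removing it. Drop it so the sentence reads `your AWS resources (such as S3 Buckets, RDS snapshots, and CloudFront distributions)`.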
diff --git a/modules/datadog-logs-archive/README.md b/modules/datadog-logs-archive/README.md index 6c4e26a5d..8eb8ffcdb 100644 --- a/modules/datadog-logs-archive/README.md +++ b/modules/datadog-logs-archive/README.md 
@@ -1,34 +1,42 @@ # Component: `datadog-logs-archive` -This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each AWS account. If the `catchall` flag is set, it creates a catchall archive within the same S3 bucket. +This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each +AWS account. If the `catchall` flag is set, it creates a catchall archive within the same S3 bucket. -Each log archive filters for the tag `env:$env` where $env is the environment/account name (ie sbx, prd, tools, etc), as well as any tags identified in the additional_tags key. The `catchall` archive, as the name implies, filters for '*'. +Each log archive filters for the tag `env:$env` where $env is the environment/account name (ie sbx, prd, tools, etc), as +well as any tags identified in the additional_tags key. The `catchall` archive, as the name implies, filters for '\*'. -A second bucket is created for cloudtrail, and a cloudtrail is configured to monitor the log archive bucket and log activity to the cloudtrail bucket. To forward these cloudtrail logs to datadog, the cloudtrail bucket's id must be added to the s3_buckets key for our datadog-lambda-forwarder component. +A second bucket is created for cloudtrail, and a cloudtrail is configured to monitor the log archive bucket and log +activity to the cloudtrail bucket. To forward these cloudtrail logs to datadog, the cloudtrail bucket's id must be added +to the s3_buckets key for our datadog-lambda-forwarder component. Both buckets support object lock, with overrideable defaults of COMPLIANCE mode with a duration of 7 days. 
## Prerequisites -* Datadog integration set up in target environment - * We rely on the datadog api and app keys added by our datadog integration component +- Datadog integration set up in target environment + - We rely on the datadog api and app keys added by our datadog integration component ## Issues, Gotchas, Good-to-Knows ### Destroy/reprovision process -Because of the protections for S3 buckets, if we want to destroy/replace our bucket, we need to do so in two passes or destroy the bucket manually and then use terraform to clean up the rest. If reprovisioning a recently provisioned bucket, the two-pass process works well. If the bucket has a full day or more of logs, though, deleting it manually first will avoid terraform timeouts, and then the terraform process can be used to clean up everything else. +Because of the protections for S3 buckets, if we want to destroy/replace our bucket, we need to do so in two passes or +destroy the bucket manually and then use terraform to clean up the rest. If reprovisioning a recently provisioned +bucket, the two-pass process works well. If the bucket has a full day or more of logs, though, deleting it manually +first will avoid terraform timeouts, and then the terraform process can be used to clean up everything else. #### Two step process to destroy via terraform -* first set `s3_force_destroy` var to true and apply -* next set `enabled` to false and apply or use tf destroy +- first set `s3_force_destroy` var to true and apply +- next set `enabled` to false and apply or use tf destroy ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts from which Datadog receives logs. +Here's an example snippet for how to use this component. It's suggested to apply this component to all accounts from +which Datadog receives logs. ```yaml components: 
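Review bot: The second paragraph of this datadog-logs-archive README hunk says the archive filters on tags "identified in the additional_tags key", but the component's input, as listed in the Inputs table further down and in the commented usage example, is `additional_query_tags`. Since the line is being rewrapped anyway, correct the name (and put it in backticks) so readers configure the right variable; the same line could also read `i.e.` instead of `ie`.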
@@ -39,87 +47,88 @@ components: workspace_enabled: true vars: enabled: true - # additional_query_tags: - # - "forwardername:*-dev-datadog-lambda-forwarder-logs" - # - "account:123456789012" - + # additional_query_tags: + # - "forwardername:*-dev-datadog-lambda-forwarder-logs" + # - "account:123456789012" ``` ## Requirements -| Name | Version | -|------|---------| +| Name | Version | +| --------- | --------- | | terraform | >= 0.13.0 | -| aws | >= 2.0 | -| datadog | >= 3.3.0 | -| local | >= 1.3 | +| aws | >= 2.0 | +| datadog | >= 3.3.0 | +| local | >= 1.3 | ## Providers -| Name | Version | -|------|---------| -| aws | >= 2.0 | +| Name | Version | +| ------- | -------- | +| aws | >= 2.0 | | datadog | >= 3.7.0 | -| http | >= 2.1.0 | +| http | >= 2.1.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| cloudtrail | cloudposse/cloudtrail/aws | 0.21.0 | -| cloudtrail_s3_bucket | cloudposse/cloudtrail-s3-bucket/aws | 0.23.1 | -| iam_roles | ../account-map/modules/iam-roles | n/a | -| s3_bucket | cloudposse/s3-bucket/aws | 0.46.0 | -| this | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------- | ----------------------------------- | ------- | +| cloudtrail | cloudposse/cloudtrail/aws | 0.21.0 | +| cloudtrail_s3_bucket | cloudposse/cloudtrail-s3-bucket/aws | 0.23.1 | +| iam_roles | ../account-map/modules/iam-roles | n/a | +| s3_bucket | cloudposse/s3-bucket/aws | 0.46.0 | +| this | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| aws_caller_identity.current | data source | -| aws_partition.current | data source | -| aws_ssm_parameter.datadog_api_key | data source | -| aws_ssm_parameter.datadog_app_key | data source | +| Name | Type | +| --------------------------------------- | ----------- | +| aws_caller_identity.current | data source | +| aws_partition.current | data source | +| aws_ssm_parameter.datadog_api_key | data source | +| aws_ssm_parameter.datadog_app_key | data source | | 
aws_ssm_parameter.datadog_aws_role_name | data source | -| aws_ssm_parameter.datadog_external_id | data source | -| datadog_logs_archive.catchall_archive | resource | -| datadog_logs_archive.logs_archive | resource | -| http.current_order | data source | +| aws_ssm_parameter.datadog_external_id | data source | +| datadog_logs_archive.catchall_archive | resource | +| datadog_logs_archive.logs_archive | resource | +| http.current_order | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|----------| -| additional_query_tags | Additional tags to include in query for logs for this archive | `list` | [] | no | -| catchall | Set to true to enable a catchall for logs unmatched by any queries. This should only be used in one environment/account | `bool` | false | no | -| datadog_aws_account_id | The AWS account ID Datadog's integration servers use for all integrations | `string` | 464622532012 | no | -| enable_glacier_transition | Enable/disable transition to glacier. 
Has no effect unless `lifecycle_rules_enabled` set to true | `bool` | true | no | -| glacier_transition_days | Number of days after which to transition objects to glacier storage | `number` | 365 | no | -| lifecycle_rules_enabled | Enable/disable lifecycle management rules for s3 objects | `bool` | true | no | -| object_lock_days_archive | Set duration of archive bucket object lock | `number` | 7 | yes | -| object_lock_days_cloudtrail | Set duration of cloudtrail bucket object lock | `number` | 7 | yes | -| object_lock_mode_archive | Set mode of archive bucket object lock | `string` | COMPLIANCE | yes | -| object_lock_mode_cloudtrail | Set mode of cloudtrail bucket object lock | `string` | COMPLIANCE | yes | -| s3_force_destroy | Set to true to delete non-empty buckets when `enabled` is set to false | `bool` | false | for destroy only | - +| Name | Description | Type | Default | Required | +| --------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ------------ | ---------------- | +| additional_query_tags | Additional tags to include in query for logs for this archive | `list` | [] | no | +| catchall | Set to true to enable a catchall for logs unmatched by any queries. This should only be used in one environment/account | `bool` | false | no | +| datadog_aws_account_id | The AWS account ID Datadog's integration servers use for all integrations | `string` | 464622532012 | no | +| enable_glacier_transition | Enable/disable transition to glacier. 
Has no effect unless `lifecycle_rules_enabled` set to true | `bool` | true | no | +| glacier_transition_days | Number of days after which to transition objects to glacier storage | `number` | 365 | no | +| lifecycle_rules_enabled | Enable/disable lifecycle management rules for s3 objects | `bool` | true | no | +| object_lock_days_archive | Set duration of archive bucket object lock | `number` | 7 | yes | +| object_lock_days_cloudtrail | Set duration of cloudtrail bucket object lock | `number` | 7 | yes | +| object_lock_mode_archive | Set mode of archive bucket object lock | `string` | COMPLIANCE | yes | +| object_lock_mode_cloudtrail | Set mode of cloudtrail bucket object lock | `string` | COMPLIANCE | yes | +| s3_force_destroy | Set to true to delete non-empty buckets when `enabled` is set to false | `bool` | false | for destroy only | ## Outputs -| Name | Description | -|------|-------------| -| archive_id | The ID of the environment-specific log archive | -| bucket_arn | The ARN of the bucket used for log archive storage | -| bucket_domain_name | The FQDN of the bucket used for log archive storage | -| bucket_id | The ID (name) of the bucket used for log archive storage | -| bucket_region | The region of the bucket used for log archive storage | -| cloudtrail_bucket_arn | The ARN of the bucket used for cloudtrail log storage | -| cloudtrail_bucket_domain_name | The FQDN of the bucket used for cloudtrail log storage | -| cloudtrail_bucket_id | The ID (name) of the bucket used for cloudtrail log storage | -| catchall_id | The ID of the catchall log archive | +| Name | Description | +| ----------------------------- | ----------------------------------------------------------- | +| archive_id | The ID of the environment-specific log archive | +| bucket_arn | The ARN of the bucket used for log archive storage | +| bucket_domain_name | The FQDN of the bucket used for log archive storage | +| bucket_id | The ID (name) of the bucket used for log archive storage | +| 
bucket_region | The region of the bucket used for log archive storage | +| cloudtrail_bucket_arn | The ARN of the bucket used for cloudtrail log storage | +| cloudtrail_bucket_domain_name | The FQDN of the bucket used for cloudtrail log storage | +| cloudtrail_bucket_id | The ID (name) of the bucket used for cloudtrail log storage | +| catchall_id | The ID of the catchall log archive | ## References -* [cloudposse/s3-bucket/aws](https://registry.terraform.io/modules/cloudposse/s3-bucket/aws/latest) - Cloud Posse's S3 component -* [datadog_logs_archive resource] (https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/logs_archive) - Datadog's provider documentation for the datadog_logs_archive resource +- [cloudposse/s3-bucket/aws](https://registry.terraform.io/modules/cloudposse/s3-bucket/aws/latest) - Cloud Posse's S3 + component +- [datadog_logs_archive resource] + (https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/logs_archive) - Datadog's provider + documentation for the datadog_logs_archive resource [](https://cpco.io/component) diff --git a/modules/datadog-monitor/CHANGELOG.md b/modules/datadog-monitor/CHANGELOG.md index ca3260084..7ca47e3d6 100644 --- a/modules/datadog-monitor/CHANGELOG.md +++ b/modules/datadog-monitor/CHANGELOG.md @@ -11,7 +11,7 @@ The following inputs were removed because they no longer have any effect: - role_paths - secrets_store_type -Except for `monitors_roles_map` and `role_paths`, these inputs were deprecated -in an earlier PR, and replaced with outputs from `datadog-configuration`. +Except for `monitors_roles_map` and `role_paths`, these inputs were deprecated in an earlier PR, and replaced with +outputs from `datadog-configuration`. The implementation of `monitors_roles_map` and `role_paths` has been lost. diff --git a/modules/datadog-synthetics-private-location/CHANGELOG.md b/modules/datadog-synthetics-private-location/CHANGELOG.md index aa19dd6d1..ee538026d 100644 
--- a/modules/datadog-synthetics-private-location/CHANGELOG.md +++ b/modules/datadog-synthetics-private-location/CHANGELOG.md @@ -2,16 +2,12 @@ ### Possible Breaking Change -Previously this component directly created the Kubernetes namespace for -the agent when `create_namespace` was set to `true`. Now this component -delegates that responsibility to the `helm-release` module, which -better coordinates the destruction of resources at destruction time -(for example, ensuring that the Helm release is completely destroyed -and finalizers run before deleting the namespace). +Previously this component directly created the Kubernetes namespace for the agent when `create_namespace` was set to +`true`. Now this component delegates that responsibility to the `helm-release` module, which better coordinates the +destruction of resources at destruction time (for example, ensuring that the Helm release is completely destroyed and +finalizers run before deleting the namespace). -Generally the simplest upgrade path is to destroy the Helm release, -then destroy the namespace, then apply the new configuration. Alternatively, -you can use `terraform state mv` to move the existing namespace to the new -Terraform "address", which will preserve the existing deployment and reduce -the possibility of the destroy failing and leaving the Kubernetes cluster -in a bad state. +Generally the simplest upgrade path is to destroy the Helm release, then destroy the namespace, then apply the new +configuration. Alternatively, you can use `terraform state mv` to move the existing namespace to the new Terraform +"address", which will preserve the existing deployment and reduce the possibility of the destroy failing and leaving the +Kubernetes cluster in a bad state. diff --git a/modules/datadog-synthetics/CHANGELOG.md b/modules/datadog-synthetics/CHANGELOG.md index 16bb69d8c..f9ccb06db 100644 --- a/modules/datadog-synthetics/CHANGELOG.md +++ b/modules/datadog-synthetics/CHANGELOG.md 
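Review bot: In the References list of the datadog-logs-archive README hunk, `[datadog_logs_archive resource] (https://...)` has a space between `]` and `(`, so it never rendered as a link, and Prettier has now wrapped the text and the URL onto separate lines, which makes the breakage more visible without fixing it. Remove the space so the entry becomes `[datadog_logs_archive resource](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/logs_archive)`. Not introduced here, but visible in the same hunk: the `datadog` constraint is `>= 3.3.0` in Requirements and `>= 3.7.0` in Providers, which is worth reconciling while the tables are regenerated.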
@@ -2,19 +2,18 @@ ### API Schema accepted -Test can now be defined using the Datadog API schema, meaning that the test definition -returned by +Test can now be defined using the Datadog API schema, meaning that the test definition returned by + - `https://api.datadoghq.com/api/v1/synthetics/tests/api/{public_id}` - `https://api.datadoghq.com/api/v1/synthetics/tests/browser/{public_id}` can be directly used a map value (you still need to supply a key, though). -You can mix tests using the API schema with tests using the old Terraform schema. -You could probably get away with mixing them in the same test, but it is not recommended. +You can mix tests using the API schema with tests using the old Terraform schema. You could probably get away with +mixing them in the same test, but it is not recommended. ### Default locations -Previously, the default locations for Synthetics tests were "all" public locations. -Now the default is no locations, in favor of locations being specified in each test configuration, -which is more flexible. Also, since the tests are expensive, it is better to err on the side of -too few test locations than too many. +Previously, the default locations for Synthetics tests were "all" public locations. Now the default is no locations, in +favor of locations being specified in each test configuration, which is more flexible. Also, since the tests are +expensive, it is better to err on the side of too few test locations than too many. diff --git a/modules/dynamodb/README.md b/modules/dynamodb/README.md index 50e3b06cc..48c5c4d0b 100644 --- a/modules/dynamodb/README.md +++ b/modules/dynamodb/README.md 
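Review bot: Two wording errors in the datadog-synthetics changelog hunk survive the rewrap even though the lines are being touched: `Test can now be defined` should be `Tests can now be defined`, and `can be directly used a map value` is missing `as` (`can be used directly as a map value`). Fixing them here avoids another pass over the same lines.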
@@ -44,7 +44,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [dynamodb\_table](#module\_dynamodb\_table) | cloudposse/dynamodb/aws | 0.31.0 | +| [dynamodb\_table](#module\_dynamodb\_table) | cloudposse/dynamodb/aws | 0.35.0 | | [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | @@ -79,6 +79,7 @@ No resources. | [hash\_key](#input\_hash\_key) | DynamoDB table Hash Key | `string` | n/a | yes | | [hash\_key\_type](#input\_hash\_key\_type) | Hash Key type, which must be a scalar type: `S`, `N`, or `B` for String, Number or Binary data, respectively. | `string` | `"S"` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_table](#input\_import\_table) | Import Amazon S3 data into a new table. |
object({
# Valid values are GZIP, ZSTD and NONE
input_compression_type = optional(string, null)
# Valid values are CSV, DYNAMODB_JSON, and ION.
input_format = string
input_format_options = optional(object({
csv = object({
delimiter = string
header_list = list(string)
})
}), null)
s3_bucket_source = object({
bucket = string
bucket_owner = optional(string)
key_prefix = optional(string)
})
})
| `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | diff --git a/modules/eks/alb-controller/CHANGELOG.md b/modules/eks/alb-controller/CHANGELOG.md index a33945647..56d5ba294 100644 --- a/modules/eks/alb-controller/CHANGELOG.md +++ b/modules/eks/alb-controller/CHANGELOG.md 
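Review bot: The first dynamodb README hunk bumps the `dynamodb_table` module from `0.31.0` to `0.35.0`, which is a dependency change rather than formatting, in a PR titled "added prettier". If the bump is intentional, say so in the PR description (ideally in its own commit) so the module's release notes can be reviewed; if it only reflects a terraform-docs regeneration, confirm the pin in the component's `main.tf` actually is `0.35.0`. Separately, the added `import_table` row spans many lines as shown here; a Markdown table row has to be a single line, so confirm the generated file keeps the multi-line description wrapped in `<pre>` the way terraform-docs normally emits it, otherwise the Inputs table will not render.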
@@ -2,23 +2,19 @@ ### Update IAM Policy and Change How it is Managed -The ALB controller needs a lot of permissions and has a complex IAM policy. -For this reason, the project releases a complete JSON policy document that is -updated as needed. +The ALB controller needs a lot of permissions and has a complex IAM policy. For this reason, the project releases a +complete JSON policy document that is updated as needed. In this release: -1. We have updated the policy to the one distributed with version 2.6.0 of the ALB controller. This fixes an issue - where the controller was not able to create the service-linked role for the Elastic Load Balancing service. -2. To ease maintenance, we have moved the policy document to a separate file, - `distributed-iam-policy.tf` and made it easy to update or override. - +1. We have updated the policy to the one distributed with version 2.6.0 of the ALB controller. This fixes an issue where + the controller was not able to create the service-linked role for the Elastic Load Balancing service. +2. To ease maintenance, we have moved the policy document to a separate file, `distributed-iam-policy.tf` and made it + easy to update or override. #### Gov Cloud and China Regions -Actually, the project releases 3 policy documents, one for each of the -three AWS partitions: `aws`, `aws-cn`, and `aws-us-gov`. For simplicity, -this module only uses the `aws` partition policy. If you are in another -partition, you can create a `distributed-iam-policy_override.tf` file in your -directory and override the `overridable_distributed_iam_policy` local -variable with the policy document for your partition. +Actually, the project releases 3 policy documents, one for each of the three AWS partitions: `aws`, `aws-cn`, and +`aws-us-gov`. For simplicity, this module only uses the `aws` partition policy. 
If you are in another partition, you can +create a `distributed-iam-policy_override.tf` file in your directory and override the +`overridable_distributed_iam_policy` local variable with the policy document for your partition. diff --git a/modules/eks/argocd/CHANGELOG.md b/modules/eks/argocd/CHANGELOG.md index df97d2e81..f88fcb32f 100644 --- a/modules/eks/argocd/CHANGELOG.md +++ b/modules/eks/argocd/CHANGELOG.md @@ -1,11 +1,11 @@ ## Components PR [#905](https://github.com/cloudposse/terraform-aws-components/pull/905) -The `notifictations.tf` file has been renamed to `notifications.tf`. Delete `notifictations.tf` after vendoring these changes. +The `notifictations.tf` file has been renamed to `notifications.tf`. Delete `notifictations.tf` after vendoring these +changes. ## Components PR [#851](https://github.com/cloudposse/terraform-aws-components/pull/851) -This is a bug fix and feature enhancement update. -There are few actions necessary to upgrade. +This is a bug fix and feature enhancement update. There are few actions necessary to upgrade. ## Upgrade actions @@ -15,6 +15,7 @@ There are few actions necessary to upgrade. 3. Remove `notifications_triggers` 4. Remove `notifications_templates` 5. Remove `notifications_notifiers` + ```diff components: terraform: 
@@ -46,43 +47,58 @@ There are few actions necessary to upgrade. - appID: xxxxxxx - installationID: xxxxxxx ``` -2. Move secrets from `/argocd/notifications/notifiers/service_webhook_github-commit-status/github-token` to `argocd/notifications/notifiers/common/github-token` + +2. Move secrets from `/argocd/notifications/notifiers/service_webhook_github-commit-status/github-token` to + `argocd/notifications/notifiers/common/github-token` + ```bash chamber read -q argocd/notifications/notifiers/service_webhook_github-commit-status github-token | chamber write argocd/notifications/notifiers/common github-token chamber delete argocd/notifications/notifiers/service_webhook_github-commit-status github-token ``` -3. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) with scope `admin:repo_hook` + +3. [Create GitHub PAT](https://docs.github.com/en/enterprise-server@3.6/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token) + with scope `admin:repo_hook` 4. Save the PAT to SSM `/argocd/github/api_key` + ```bash chamber write argocd/github api_key ${PAT} ``` + 5. 
Apply changes with atmos ## Features -* [Git Webhook Configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/webhook/) - makes GitHub trigger ArgoCD sync on each commit into argocd repo -* Replace [GitHub notification service](https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/github/) with predefined [Webhook notification service](https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/webhook/) -* Added predefined GitHub commit status notifications for CD sync mode: - * `on-deploy-started` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` - * `on-deploy-succeded` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` - * `on-deploy-failed` - * `app-repo-github-commit-status` - * `argocd-repo-github-commit-status` -* Support SSM secrets (`/argocd/notifications/notifiers/common/*`) common for all notification services. (Can be referenced with `$common_{secret-name}` ) + +- [Git Webhook Configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/webhook/) - makes GitHub trigger + ArgoCD sync on each commit into argocd repo +- Replace + [GitHub notification service](https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/github/) + with predefined + [Webhook notification service](https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/webhook/) +- Added predefined GitHub commit status notifications for CD sync mode: + - `on-deploy-started` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` + - `on-deploy-succeded` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` + - `on-deploy-failed` + - `app-repo-github-commit-status` + - `argocd-repo-github-commit-status` +- Support SSM secrets (`/argocd/notifications/notifiers/common/*`) common for all notification services. 
(Can be + referenced with `$common_{secret-name}` ) ### Bug Fixes -* ArgoCD notifications pods recreated on deployment that change notifications related configs and secrets -* Remove `metadata` output that expose helm values configs (used in debug purpose) -* Remove legacy unnecessary helm values used in old ArgoCD versions (ex. `workflow auth` configs) and dropped notifications services +- ArgoCD notifications pods recreated on deployment that change notifications related configs and secrets +- Remove `metadata` output that expose helm values configs (used in debug purpose) +- Remove legacy unnecessary helm values used in old ArgoCD versions (ex. `workflow auth` configs) and dropped + notifications services ## Breaking changes -* Removed `service_github` from `notifications_notifiers` variable structure -* Renamed `service_webhook` to `webhook` in `notifications_notifiers` variable structure +- Removed `service_github` from `notifications_notifiers` variable structure +- Renamed `service_webhook` to `webhook` in `notifications_notifiers` variable structure + ```diff variable "notifications_notifiers" { type = object({ @@ -102,7 +118,9 @@ variable "notifications_notifiers" { )) }) ``` -* Removed `github` from `notifications_templates` variable structure + +- Removed `github` from `notifications_templates` variable structure + ```diff variable "notifications_templates" { type = map(object({ diff --git a/modules/eks/cluster/CHANGELOG.md b/modules/eks/cluster/CHANGELOG.md index 50beb2380..cafcdb448 100644 --- a/modules/eks/cluster/CHANGELOG.md +++ b/modules/eks/cluster/CHANGELOG.md 
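Review bot: `on-deploy-succeded` in the Features list of the argocd changelog hunk is misspelled; if it mirrors the actual trigger name in the component's configuration it has to stay, otherwise fix it to `on-deploy-succeeded` while the list markers are being changed. Also, in the unchanged upgrade step `chamber write argocd/github api_key ${PAT}` the token is passed as a command-line argument, where it ends up in shell history and is visible to other processes on the host; `chamber write` accepts `-` as the value to read it from stdin, and documenting that form would keep the PAT out of both.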
@@ -2,36 +2,31 @@ Bug fix and updates to Changelog, no action required. -Fixed: Error about managed node group ARNs list being null, which could happen -when adding a managed node group to an existing cluster that never had one. +Fixed: Error about managed node group ARNs list being null, which could happen when adding a managed node group to an +existing cluster that never had one. ## Upgrading to `v1.303.0` Components PR [#852](https://github.com/cloudposse/terraform-aws-components/pull/852) -This is a bug fix and feature enhancement update. No action is necessary to upgrade. -However, with the new features and new recommendations, you may want to change -your configuration. +This is a bug fix and feature enhancement update. No action is necessary to upgrade. However, with the new features and +new recommendations, you may want to change your configuration. ## Recommended (optional) changes -Previously, we recommended deploying Karpenter to Fargate and not provisioning -any nodes. However, this causes issues with add-ons that require compute power -to fully initialize, such as `coredns`, and it can reduce the cluster to a -single node, removing the high availability that comes from having a node -per Availability Zone and replicas of pods spread across those nodes. +Previously, we recommended deploying Karpenter to Fargate and not provisioning any nodes. However, this causes issues +with add-ons that require compute power to fully initialize, such as `coredns`, and it can reduce the cluster to a +single node, removing the high availability that comes from having a node per Availability Zone and replicas of pods +spread across those nodes. -As a result, we now recommend deploying a minimal node group with a single -instance (currently recommended to be a `c6a.large`) in each of 3 Availability -Zones. This will provide the compute power needed to initialize add-ons, and -will provide high availability for the cluster. 
As a bonus, it will also -remove the need to deploy Karpenter to Fargate. +As a result, we now recommend deploying a minimal node group with a single instance (currently recommended to be a +`c6a.large`) in each of 3 Availability Zones. This will provide the compute power needed to initialize add-ons, and will +provide high availability for the cluster. As a bonus, it will also remove the need to deploy Karpenter to Fargate. -**NOTE about instance type**: The `c6a.large` instance type is relatively -new. If you have deployed an old version of our ServiceControlPolicy -`DenyEC2NonNitroInstances`, `DenyNonNitroInstances` (obsolete, replaced by -`DenyEC2NonNitroInstances`), and/or `DenyEC2InstancesWithoutEncryptionInTransit`, -you will want to update them to v0.12.0 or choose a difference instance type. +**NOTE about instance type**: The `c6a.large` instance type is relatively new. If you have deployed an old version of +our ServiceControlPolicy `DenyEC2NonNitroInstances`, `DenyNonNitroInstances` (obsolete, replaced by +`DenyEC2NonNitroInstances`), and/or `DenyEC2InstancesWithoutEncryptionInTransit`, you will want to update them to +v0.12.0 or choose a difference instance type. ### Migration procedure 
@@ -41,88 +36,81 @@ To perform the recommended migration, follow these steps: Change your `eks/cluster` configuration to set `deploy_addons_to_fargate: false`. -Add the following to your `eks/cluster` configuration, but -copy the block device name, volume size, and volume type from your existing -Karpenter provisioner configuration. Also select the correct `ami_type` -according to the `ami_family` in your Karpenter provisioner configuration. +Add the following to your `eks/cluster` configuration, but copy the block device name, volume size, and volume type from +your existing Karpenter provisioner configuration. Also select the correct `ami_type` according to the `ami_family` in +your Karpenter provisioner configuration. ```yaml - node_groups: - # will create 1 node group for each item in map - # Provision a minimal static node group for add-ons and redundant replicas - main: - # EKS AMI version to use, e.g. "1.16.13-20200821" (no "v"). - ami_release_version: null - # Type of Amazon Machine Image (AMI) associated with the EKS Node Group - # Typically AL2_x86_64 or BOTTLEROCKET_x86_64 - ami_type: BOTTLEROCKET_x86_64 - # Additional name attributes (e.g. `1`) for the node group - attributes: [] - # will create 1 auto scaling group in each specified availability zone - # or all AZs with subnets if none are specified anywhere - availability_zones: null - # Whether to enable Node Group to scale its AutoScaling Group - cluster_autoscaler_enabled: false - # True (recommended) to create new node_groups before deleting old ones, avoiding a temporary outage - create_before_destroy: true - # Configure storage for the root block device for instances in the Auto Scaling Group - # For Bottlerocket, use /dev/xvdb. For all others, use /dev/xvda. - block_device_map: - "/dev/xvdb": - ebs: - volume_size: 125 # in GiB - volume_type: gp3 - encrypted: true - delete_on_termination: true - # Set of instance types associated with the EKS Node Group. 
Terraform will only perform drift detection if a configuration value is provided. - instance_types: - - c6a.large - # Desired number of worker nodes when initially provisioned - desired_group_size: 3 - max_group_size: 3 - min_group_size: 3 - resources_to_tag: - - instance - - volume - tags: null +node_groups: + # will create 1 node group for each item in map + # Provision a minimal static node group for add-ons and redundant replicas + main: + # EKS AMI version to use, e.g. "1.16.13-20200821" (no "v"). + ami_release_version: null + # Type of Amazon Machine Image (AMI) associated with the EKS Node Group + # Typically AL2_x86_64 or BOTTLEROCKET_x86_64 + ami_type: BOTTLEROCKET_x86_64 + # Additional name attributes (e.g. `1`) for the node group + attributes: [] + # will create 1 auto scaling group in each specified availability zone + # or all AZs with subnets if none are specified anywhere + availability_zones: null + # Whether to enable Node Group to scale its AutoScaling Group + cluster_autoscaler_enabled: false + # True (recommended) to create new node_groups before deleting old ones, avoiding a temporary outage + create_before_destroy: true + # Configure storage for the root block device for instances in the Auto Scaling Group + # For Bottlerocket, use /dev/xvdb. For all others, use /dev/xvda. + block_device_map: + "/dev/xvdb": + ebs: + volume_size: 125 # in GiB + volume_type: gp3 + encrypted: true + delete_on_termination: true + # Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided. + instance_types: + - c6a.large + # Desired number of worker nodes when initially provisioned + desired_group_size: 3 + max_group_size: 3 + min_group_size: 3 + resources_to_tag: + - instance + - volume + tags: null ``` -You do not need to apply the above changes yet, although you can if you -want to. To reduce overhead, you can apply the changes in the next step. 
+You do not need to apply the above changes yet, although you can if you want to. To reduce overhead, you can apply the +changes in the next step. #### 2. Move Karpenter to the node group, remove legacy support -Delete the `fargate_profiles` section from your `eks/cluster` configuration, -or at least remove the `karpenter` profile from it. Disable legacy support -by adding: +Delete the `fargate_profiles` section from your `eks/cluster` configuration, or at least remove the `karpenter` profile +from it. Disable legacy support by adding: ```yaml - legacy_fargate_1_role_per_profile_enabled: false +legacy_fargate_1_role_per_profile_enabled: false ``` #### 2.a Optional: Move Karpenter instance profile to `eks/cluster` component -If you have the patience to manually import and remove a Terraform -resource, you should move the Karpenter instance profile to the `eks/cluster` -component. This fixes an issue where the Karpenter instance profile -could be broken by certain sequences of Terraform operations. -However, if you have multiple clusters to migrate, this can be tedious, -and the issue is not a serious one, so you may want to skip this step. +If you have the patience to manually import and remove a Terraform resource, you should move the Karpenter instance +profile to the `eks/cluster` component. This fixes an issue where the Karpenter instance profile could be broken by +certain sequences of Terraform operations. However, if you have multiple clusters to migrate, this can be tedious, and +the issue is not a serious one, so you may want to skip this step. To do this, add the following to your `eks/cluster` configuration: ```yaml - legacy_do_not_create_karpenter_instance_profile: false +legacy_do_not_create_karpenter_instance_profile: false ``` - -**BEFORE APPLYING CHANGES**: -Run `atmos terraform plan` (with the appropriate arguments) to see the changes -that will be made. Among the resources to be created will be -`aws_iam_instance_profile.default[0]`. 
Using the same arguments as before, run -`atmos`, but replace `plan` with `import 'aws_iam_instance_profile.default[0]' `, -where `` is the name of the profile the plan indicated it would create. -It will be something like `-karpenter`. +**BEFORE APPLYING CHANGES**: Run `atmos terraform plan` (with the appropriate arguments) to see the changes that will be +made. Among the resources to be created will be `aws_iam_instance_profile.default[0]`. Using the same arguments as +before, run `atmos`, but replace `plan` with `import 'aws_iam_instance_profile.default[0]' `, where +`` is the name of the profile the plan indicated it would create. It will be something like +`-karpenter`. **NOTE**: If you perform this step, you must also perform 3.a below. 
@@ -132,27 +120,24 @@ Apply the changes with `atmos terraform apply`. #### 3. Upgrade Karpenter -Upgrade the `eks/karpenter` component to the latest version. Follow the upgrade -instructions to enable the new `karpenter-crd` chart by setting `crd_chart_enabled: true`. +Upgrade the `eks/karpenter` component to the latest version. Follow the upgrade instructions to enable the new +`karpenter-crd` chart by setting `crd_chart_enabled: true`. -Upgrade to at least Karpenter v0.30.0, which is the first version to support -factoring in the existing node group when determining the number of nodes to -provision. This will prevent Karpenter from provisioning nodes when they are not -needed because the existing node group already has enough capacity. Be -careful about upgrading to v0.32.0 or later, as that version introduces -significant breaking changes. We recommend updating to v0.31.2 or later -versions of v0.31.x, but not v0.32.0 or later, as a first step. This -provides a safe (revertible) upgrade path to v0.32.0 or later. +Upgrade to at least Karpenter v0.30.0, which is the first version to support factoring in the existing node group when +determining the number of nodes to provision. This will prevent Karpenter from provisioning nodes when they are not +needed because the existing node group already has enough capacity. Be careful about upgrading to v0.32.0 or later, as +that version introduces significant breaking changes. We recommend updating to v0.31.2 or later versions of v0.31.x, but +not v0.32.0 or later, as a first step. This provides a safe (revertible) upgrade path to v0.32.0 or later. #### 3.a Finish Move of Karpenter instance profile to `eks/cluster` component -If you performed step 2.a above, you must also perform this step. If you did -not perform step 2.a, you must NOT perform this step. +If you performed step 2.a above, you must also perform this step. If you did not perform step 2.a, you must NOT perform +this step. 
In the `eks/karpenter` stack, set `legacy_create_karpenter_instance_profile: false`. -**BEFORE APPLYING CHANGES**: Remove the Karpenter instance profile from the Terraform state, since -it is now managed by the `eks/cluster` component, or else Terraform will delete it. +**BEFORE APPLYING CHANGES**: Remove the Karpenter instance profile from the Terraform state, since it is now managed by +the `eks/cluster` component, or else Terraform will delete it. ```shell atmos terraform state eks/karpenter rm 'aws_iam_instance_profile.default[0]' -s= 
@@ -169,21 +154,19 @@ This is a bug fix and feature enhancement update. No action is necessary to upgr ### Bug Fixes - Timeouts for Add-Ons are now honored (they were being ignored) -- If you supply a service account role ARN for an Add-On, it will be used, and - no new role will be created. Previously it was used, but the component created - a new role anyway. -- The EKS EFS controller add-on cannot be deployed to Fargate, and enabling it - along with `deploy_addons_to_fargate` will no longer attempt to deploy EFS - to Fargate. Note that this means to use the EFS Add-On, you must create - a managed node group. Track the status of this feature with [this issue](https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/1100). -- If you are using an old VPC component that does not supply `az_private_subnets_map`, - this module will now use the older the `private_subnet_ids` output. +- If you supply a service account role ARN for an Add-On, it will be used, and no new role will be created. Previously + it was used, but the component created a new role anyway. +- The EKS EFS controller add-on cannot be deployed to Fargate, and enabling it along with `deploy_addons_to_fargate` + will no longer attempt to deploy EFS to Fargate. Note that this means to use the EFS Add-On, you must create a managed + node group. Track the status of this feature with + [this issue](https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/1100). +- If you are using an old VPC component that does not supply `az_private_subnets_map`, this module will now use the + older the `private_subnet_ids` output. ### Add-Ons have `enabled` option -The EKS Add-Ons now have an optional "enabled" flag (defaults to `true`) so -that you can selectively disable them in a stack where the inherited configuration -has them enabled. 
+The EKS Add-Ons now have an optional "enabled" flag (defaults to `true`) so that you can selectively disable them in a +stack where the inherited configuration has them enabled. ## Upgrading to `v1.270.0` 
@@ -191,89 +174,80 @@ Components PR [#795](https://github.com/cloudposse/terraform-aws-components/pull ### Removed `identity` roles from cluster RBAC (`aws-auth` ConfigMap) -Previously, this module added `identity` roles configured by the `aws_teams_rbac` -input to the `aws-auth` ConfigMap. This never worked, and so now `aws_teams_rbac` -is ignored. When upgrading, you may see these roles being removed from the `aws-auth`: -this is expected and harmless. +Previously, this module added `identity` roles configured by the `aws_teams_rbac` input to the `aws-auth` ConfigMap. +This never worked, and so now `aws_teams_rbac` is ignored. When upgrading, you may see these roles being removed from +the `aws-auth`: this is expected and harmless. ### Better support for Manged Node Group Block Device Specifications -Previously, this module only supported specifying the disk size and encryption state -for the root volume of Managed Node Groups. Now, the full set of block device -specifications is supported, including the ability to specify the device name. -This is particularly important when using BottleRocket, which uses a very small -root volume for storing the OS and configuration, and exposes a second volume -(`/dev/xvdb`) for storing data. +Previously, this module only supported specifying the disk size and encryption state for the root volume of Managed Node +Groups. Now, the full set of block device specifications is supported, including the ability to specify the device name. +This is particularly important when using BottleRocket, which uses a very small root volume for storing the OS and +configuration, and exposes a second volume (`/dev/xvdb`) for storing data. #### Block Device Migration -Almost all of the attributes of `node_groups` and `node_group_defaults` are now -optional. This means you can remove from your configuration any attributes that -previously you were setting to `null`. 
+Almost all of the attributes of `node_groups` and `node_group_defaults` are now optional. This means you can remove from +your configuration any attributes that previously you were setting to `null`. -The `disk_size` and `disk_encryption_enabled` attributes are deprecated. They -only apply to `/dev/xvda`, and only provision a `gp2` volume. In order to -provide backwards compatibility, they are still supported, and, when specified, +The `disk_size` and `disk_encryption_enabled` attributes are deprecated. They only apply to `/dev/xvda`, and only +provision a `gp2` volume. In order to provide backwards compatibility, they are still supported, and, when specified, cause the new `block_device_map` attribute to be ignored. -The new `block_device_map` attribute is a map of objects. The keys are the names -of block devices, and the values are objects with the attributes from the Terraform -[launch_template.block-devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#block-devices) resource. +The new `block_device_map` attribute is a map of objects. The keys are the names of block devices, and the values are +objects with the attributes from the Terraform +[launch_template.block-devices](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#block-devices) +resource. -Note that the new default, when none of `block_device_map`, `disk_size`, or -`disk_encryption_enabled` are specified, is to provision a 20GB `gp3` volume -for `/dev/xvda`, with encryption enabled. This is a change from the previous -default, which provisioned a `gp2` volume instead. +Note that the new default, when none of `block_device_map`, `disk_size`, or `disk_encryption_enabled` are specified, is +to provision a 20GB `gp3` volume for `/dev/xvda`, with encryption enabled. This is a change from the previous default, +which provisioned a `gp2` volume instead. 
### Support for EFS add-on -This module now supports the EFS CSI driver add-on, in very much the same way -as it supports the EBS CSI driver add-on. The only difference is that the -EFS CSI driver add-on requires that you first provision an EFS file system. +This module now supports the EFS CSI driver add-on, in very much the same way as it supports the EBS CSI driver add-on. +The only difference is that the EFS CSI driver add-on requires that you first provision an EFS file system. #### Migration from `eks/efs-controller` to EFS CSI Driver Add-On -If you are currently using the `eks/efs-controller` module, you can migrate -to the EFS CSI Driver Add-On by following these steps: +If you are currently using the `eks/efs-controller` module, you can migrate to the EFS CSI Driver Add-On by following +these steps: 1. Remove or scale to zero Pods any Deployments using the EFS file system. -2. Remove (`terraform destroy`) the `eks/efs-controller` module from your - cluster. This will also remove the `efs-sc` StorageClass. -3. Use the [eks/storage-class](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/storage-class) - module to create a replacement EFS StorageClass `efs-sc`. This component is new and you may need to add it to your cluster. +2. Remove (`terraform destroy`) the `eks/efs-controller` module from your cluster. This will also remove the `efs-sc` + StorageClass. +3. Use the + [eks/storage-class](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/storage-class) + module to create a replacement EFS StorageClass `efs-sc`. This component is new and you may need to add it to your + cluster. 4. Deploy the EFS CSI Driver Add-On by adding `aws-efs-csi-driver` to the `addons` map (see [README](./README.md)). 5. Restore the Deployments you modified in step 1. 
### More options for specifying Availability Zones -Previously, this module required you to specify the Availability Zones for the -cluster in one of two ways: +Previously, this module required you to specify the Availability Zones for the cluster in one of two ways: 1. Explicitly, by providing the full AZ names via the `availability_zones` input 2. Implicitly, via private subnets in the VPC Option 2 is still usually the best way, but now you have additional options: -- You can specify the Availability Zones via the `availability_zones` input - without specifying the full AZ names. You can just specify the suffixes of - the AZ names, and the module will find the full names for you, using the - current region. This is useful for using the same configuration in multiple regions. -- You can specify Availability Zone IDs via the `availability_zone_ids` input. - This is useful to ensure that clusters in different accounts are nevertheless - deployed to the same Availability Zones. As with the `availability_zones` input, - you can specify the suffixes of the AZ IDs, and the module will find the full - IDs for you, using the current region. +- You can specify the Availability Zones via the `availability_zones` input without specifying the full AZ names. You + can just specify the suffixes of the AZ names, and the module will find the full names for you, using the current + region. This is useful for using the same configuration in multiple regions. +- You can specify Availability Zone IDs via the `availability_zone_ids` input. This is useful to ensure that clusters in + different accounts are nevertheless deployed to the same Availability Zones. As with the `availability_zones` input, + you can specify the suffixes of the AZ IDs, and the module will find the full IDs for you, using the current region. 
### Support for Karpenter Instance Profile -Previously, this module created an IAM Role for instances launched by Karpenter, -but did not create the corresponding Instance Profile, which was instead created by -the `eks/karpenter` component. This can cause problems if you delete and recreate the cluster, -so for new clusters, this module can now create the Instance Profile as well. +Previously, this module created an IAM Role for instances launched by Karpenter, but did not create the corresponding +Instance Profile, which was instead created by the `eks/karpenter` component. This can cause problems if you delete and +recreate the cluster, so for new clusters, this module can now create the Instance Profile as well. -Because this is disruptive to existing clusters, this is not enabled by default. -To enable it, set the `legacy_do_not_create_karpenter_instance_profile` input to `false`, -and also set the `eks/karpenter` input `legacy_create_karpenter_instance_profile` to `false`. +Because this is disruptive to existing clusters, this is not enabled by default. To enable it, set the +`legacy_do_not_create_karpenter_instance_profile` input to `false`, and also set the `eks/karpenter` input +`legacy_create_karpenter_instance_profile` to `false`. ## Upgrading to `v1.250.0` 
@@ -285,57 +259,44 @@ This has improved support for EKS Add-Ons. ##### Configuration and Timeouts -The `addons` input now accepts a `configuration_values` input to allow you -to configure the add-ons, and various timeout inputs to allow you to fine-tune -the timeouts for the add-ons. +The `addons` input now accepts a `configuration_values` input to allow you to configure the add-ons, and various timeout +inputs to allow you to fine-tune the timeouts for the add-ons. ##### Automatic IAM Role Creation -If you enable `aws-ebs-csi-driver` or `vpc-cni` add-ons, the module will -automatically create the required Service Account IAM Role and attach it to -the add-on. +If you enable `aws-ebs-csi-driver` or `vpc-cni` add-ons, the module will automatically create the required Service +Account IAM Role and attach it to the add-on. ##### Add-Ons can be deployed to Fargate -If you are using Karpenter and not provisioning any nodes with this module, -the `coredns` and `aws-ebs-csi-driver` add-ons can be deployed to Fargate. -(They must be able to run somewhere in the cluster or else the deployment -will fail.) +If you are using Karpenter and not provisioning any nodes with this module, the `coredns` and `aws-ebs-csi-driver` +add-ons can be deployed to Fargate. (They must be able to run somewhere in the cluster or else the deployment will +fail.) -To cause the add-ons to be deployed to Fargate, set the `deploy_addons_to_fargate` -input to `true`. +To cause the add-ons to be deployed to Fargate, set the `deploy_addons_to_fargate` input to `true`. -**Note about CoreDNS**: If you want to deploy CoreDNS to Fargate, as of this -writing you must set the `configuration_values` input for CoreDNS to -`'{"computeType": "Fargate"}'`. If you want to deploy CoreDNS to EC2 instances, -you must NOT include the `computeType` configuration value. 
+**Note about CoreDNS**: If you want to deploy CoreDNS to Fargate, as of this writing you must set the +`configuration_values` input for CoreDNS to `'{"computeType": "Fargate"}'`. If you want to deploy CoreDNS to EC2 +instances, you must NOT include the `computeType` configuration value. ### Availability Zones implied by Private Subnets -You can now avoid specifying Availability Zones for the cluster anywhere. -If all of the possible Availability Zones inputs are empty, the module will -use the Availability Zones implied by the private subnets. That is, it will -deploy the cluster to all of the Availability Zones in which the VPC has -private subnets. +You can now avoid specifying Availability Zones for the cluster anywhere. If all of the possible Availability Zones +inputs are empty, the module will use the Availability Zones implied by the private subnets. That is, it will deploy the +cluster to all of the Availability Zones in which the VPC has private subnets. ### Optional support for 1 Fargate Pod Execution Role per Cluster -Previously, this module created a separate Fargate Pod Execution Role for each -Fargate Profile it created. This is unnecessary, excessive, and can cause -problems due to name collisions, but is otherwise merely inefficient, so it is -not important to fix this on existiong, working clusters. -This update brings a feature that causes the module to create at +Previously, this module created a separate Fargate Pod Execution Role for each Fargate Profile it created. This is +unnecessary, excessive, and can cause problems due to name collisions, but is otherwise merely inefficient, so it is not +important to fix this on existiong, working clusters. This update brings a feature that causes the module to create at most 1 Fargate Pod Execution Role per cluster. -**This change is recommended for all NEW clusters, but only NEW clusters**. -Because it is a breaking change, it is not enabled by default. 
To enable it, set the -`legacy_fargate_1_role_per_profile_enabled` variable to `false`. - -**WARNING**: If you enable this feature on an existing cluster, and that -cluster is using Karpenter, the update could destroy all of your existing -Karpenter-provisioned nodes. Depending on your Karpenter version, this -could leave you with stranded EC2 instances (still running, but not managed by -Karpenter or visible to the cluster) and an interruption of service, and -possibly other problems. If you are using Karpenter and want to enable this -feature, the safest way is to destroy the existing cluster and create a new -one with this feature enabled. +**This change is recommended for all NEW clusters, but only NEW clusters**. Because it is a breaking change, it is not +enabled by default. To enable it, set the `legacy_fargate_1_role_per_profile_enabled` variable to `false`. + +**WARNING**: If you enable this feature on an existing cluster, and that cluster is using Karpenter, the update could +destroy all of your existing Karpenter-provisioned nodes. Depending on your Karpenter version, this could leave you with +stranded EC2 instances (still running, but not managed by Karpenter or visible to the cluster) and an interruption of +service, and possibly other problems. If you are using Karpenter and want to enable this feature, the safest way is to +destroy the existing cluster and create a new one with this feature enabled. diff --git a/modules/eks/datadog-agent/CHANGELOG.md b/modules/eks/datadog-agent/CHANGELOG.md index 1b1c8e8d3..7c45a6350 100644 --- a/modules/eks/datadog-agent/CHANGELOG.md +++ b/modules/eks/datadog-agent/CHANGELOG.md 
@@ -2,42 +2,34 @@ ### Possible Breaking Change -Removed inputs `iam_role_enabled` and `iam_policy_statements` because -the Datadog agent does not need an IAM (IRSA) role or any special AWS -permissions because it works solely within the Kubernetes environment. -(Datadog has AWS integrations to handle monitoring that requires AWS permissions.) +Removed inputs `iam_role_enabled` and `iam_policy_statements` because the Datadog agent does not need an IAM (IRSA) role +or any special AWS permissions because it works solely within the Kubernetes environment. (Datadog has AWS integrations +to handle monitoring that requires AWS permissions.) -This only a breaking change if you were setting these inputs. If you were, -simply remove them from your configuration. +This only a breaking change if you were setting these inputs. If you were, simply remove them from your configuration. ### Possible Breaking Change -Previously this component directly created the Kubernetes namespace for -the agent when `create_namespace` was set to `true`. Now this component -delegates that responsibility to the `helm-release` module, which -better coordinates the destruction of resources at destruction time -(for example, ensuring that the Helm release is completely destroyed -and finalizers run before deleting the namespace). +Previously this component directly created the Kubernetes namespace for the agent when `create_namespace` was set to +`true`. Now this component delegates that responsibility to the `helm-release` module, which better coordinates the +destruction of resources at destruction time (for example, ensuring that the Helm release is completely destroyed and +finalizers run before deleting the namespace). -Generally the simplest upgrade path is to destroy the Helm release, -then destroy the namespace, then apply the new configuration. 
Alternatively, -you can use `terraform state mv` to move the existing namespace to the new -Terraform "address", which will preserve the existing deployment and reduce -the possibility of the destroy failing and leaving the Kubernetes cluster -in a bad state. +Generally the simplest upgrade path is to destroy the Helm release, then destroy the namespace, then apply the new +configuration. Alternatively, you can use `terraform state mv` to move the existing namespace to the new Terraform +"address", which will preserve the existing deployment and reduce the possibility of the destroy failing and leaving the +Kubernetes cluster in a bad state. ### Cluster Agent Redundancy -In this PR we have defaulted the number of Cluster Agents to 2. This is -because when there are no Cluster Agents, all cluster metrics are lost. -Having 2 agents makes it possible to keep 1 agent running at all times, even -when the other is on a node being drained. +In this PR we have defaulted the number of Cluster Agents to 2. This is because when there are no Cluster Agents, all +cluster metrics are lost. Having 2 agents makes it possible to keep 1 agent running at all times, even when the other is +on a node being drained. ### DNS Resolution Enhancement -If Datadog processes are looking for where to send data and are configured -to look up `datadog.monitoring.svc.cluster.local`, by default the cluster -will make a DNS query for each of the following: +If Datadog processes are looking for where to send data and are configured to look up +`datadog.monitoring.svc.cluster.local`, by default the cluster will make a DNS query for each of the following: 1. `datadog.monitoring.svc.cluster.local.monitoring.svc.cluster.local` 2. `datadog.monitoring.svc.cluster.local.svc.cluster.local` 
@@ -45,31 +37,30 @@ will make a DNS query for each of the following: 4. `datadog.monitoring.svc.cluster.local.ec2.internal` 5. `datadog.monitoring.svc.cluster.local` -due to the DNS resolver's [search path](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services). -Because this lookup happens so frequently -(several times a second in a production environment), it can cause a lot of +due to the DNS resolver's +[search path](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services). Because +this lookup happens so frequently (several times a second in a production environment), it can cause a lot of unnecessary work, even if the DNS query is cached. -In this PR we have set `ndots: 2` in the agent and cluster agent configuration -so that only the 5th query is made. (In Kubernetes, the default value for -`ndots` is 5. DNS queries having fewer than `ndots` dots in them will be attempted -using each component of the search path in turn until a match is -found, while those with more dots, or with a final dot, are looked up as is.) - -Alternately, where you are setting the host name to be resolved, you can add a final dot at the end so that the -search path is not used, e.g. `datadog.monitoring.svc.cluster.local.` +In this PR we have set `ndots: 2` in the agent and cluster agent configuration so that only the 5th query is made. (In +Kubernetes, the default value for `ndots` is 5. DNS queries having fewer than `ndots` dots in them will be attempted +using each component of the search path in turn until a match is found, while those with more dots, or with a final dot, +are looked up as is.) +Alternately, where you are setting the host name to be resolved, you can add a final dot at the end so that the search +path is not used, e.g. 
`datadog.monitoring.svc.cluster.local.` ### Note for Bottlerocket users -If you are using Bottlerocket, you will want to uncomment the following from -`vaules.yaml` or add it to your `values` input: +If you are using Bottlerocket, you will want to uncomment the following from `vaules.yaml` or add it to your `values` +input: ```yaml -criSocketPath: /run/dockershim.sock # Bottlerocket Only -env: # Bottlerocket Only - - name: DD_AUTOCONFIG_INCLUDE_FEATURES # Bottlerocket Only - value: "containerd" # Bottlerocket Only +criSocketPath: /run/dockershim.sock # Bottlerocket Only +env: # Bottlerocket Only + - name: DD_AUTOCONFIG_INCLUDE_FEATURES # Bottlerocket Only + value: "containerd" # Bottlerocket Only ``` -See the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/distributions/?tab=helm#EKS) for details. +See the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/distributions/?tab=helm#EKS) for +details. diff --git a/modules/eks/echo-server/CHANGELOG.md b/modules/eks/echo-server/CHANGELOG.md index a2a187cae..5dc0fb54a 100644 --- a/modules/eks/echo-server/CHANGELOG.md +++ b/modules/eks/echo-server/CHANGELOG.md 
@@ -1,22 +1,17 @@ ## Changes in PR #893, components version ~v1.337.0 -- Moved `eks/echo-server` v1.147.0 to `/deprecated/eks/echo-server` for those -who still need it and do not want to switch. It may later become the basis -for an example app or something similar. +- Moved `eks/echo-server` v1.147.0 to `/deprecated/eks/echo-server` for those who still need it and do not want to + switch. It may later become the basis for an example app or something similar. - Removed dependency on and connection to the `eks/alb-controller-ingress-group` component -- Added liveness probe, and disabled logging of probe requests. Probe request -logging can be restored by setting `livenessProbeLogging: true` in `chart_values` -- This component no longer configures automatic redirects from HTTP to HTTPS. This -is because for ALB controller, setting that on one ingress sets it for all -ingresses in the same IngressGroup, and it is a design goal that deploying -this component does not affect other Ingresses (with the obvious exception -of possibly being the first to create the Application Load Balancer). -- Removed from `chart_values`:`ingress.nginx.class` (was set to "nginx") and -`ingress.alb.class` (was set to "alb"). IngressClass should usually not be set, -as this component is intended to be used to test the defaults, including the -default IngressClass. However, if you do want to set it, you can do so by -setting `ingress.class` in `chart_values`. -- Removed the deprecated `kubernetes.io/ingress.class` annotation by default. -It can be restored by setting `ingress.use_ingress_class_annotation: true` in `chart_values`. -IngressClass is now set using the preferred `ingressClassName` field of the -Ingress resource. +- Added liveness probe, and disabled logging of probe requests. Probe request logging can be restored by setting + `livenessProbeLogging: true` in `chart_values` +- This component no longer configures automatic redirects from HTTP to HTTPS. 
This is because for ALB controller, + setting that on one ingress sets it for all ingresses in the same IngressGroup, and it is a design goal that deploying + this component does not affect other Ingresses (with the obvious exception of possibly being the first to create the + Application Load Balancer). +- Removed from `chart_values`:`ingress.nginx.class` (was set to "nginx") and `ingress.alb.class` (was set to "alb"). + IngressClass should usually not be set, as this component is intended to be used to test the defaults, including the + default IngressClass. However, if you do want to set it, you can do so by setting `ingress.class` in `chart_values`. +- Removed the deprecated `kubernetes.io/ingress.class` annotation by default. It can be restored by setting + `ingress.use_ingress_class_annotation: true` in `chart_values`. IngressClass is now set using the preferred + `ingressClassName` field of the Ingress resource. diff --git a/modules/eks/external-secrets-operator/CHANGELOG.md b/modules/eks/external-secrets-operator/CHANGELOG.md index 5e1c3aa10..2a073f4d6 100644 --- a/modules/eks/external-secrets-operator/CHANGELOG.md +++ b/modules/eks/external-secrets-operator/CHANGELOG.md @@ -1,7 +1,7 @@ ## Components PR [[eks/external-secrets-operator] Set default chart](https://github.com/cloudposse/terraform-aws-components/pull/856) -This is a bug fix and feature enhancement update. -No actions necessary to upgrade. +This is a bug fix and feature enhancement update. No actions necessary to upgrade. ## Fixes -* Set default chart + +- Set default chart diff --git a/modules/eks/github-actions-runner/CHANGELOG.md b/modules/eks/github-actions-runner/CHANGELOG.md index bb7b5e33b..4a6f97722 100644 --- a/modules/eks/github-actions-runner/CHANGELOG.md +++ b/modules/eks/github-actions-runner/CHANGELOG.md 
@@ -1,74 +1,68 @@ ## Initial Release -This release has been tested and used in production, but testing has not covered -all available features. Please use with caution and report any issues you -encounter. +This release has been tested and used in production, but testing has not covered all available features. Please use with +caution and report any issues you encounter. ### Migration from `actions-runner-controller` -GitHub has released its own official self-hosted GitHub Actions Runner support, -replacing the `actions-runner-controller` implementation developed by Summerwind. -(See the [announcement from GitHub](https://github.com/actions/actions-runner-controller/discussions/2072).) -Accordingly, this component is a replacement for the [`actions-runner-controller`](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) -component. Although there are different defaults for some of the configuration options, if -you are already using `actions-runner-controller` you should be able to reuse -the GitHub app or PAT and image pull secret you are already using, making -migration relatively straightforward. +GitHub has released its own official self-hosted GitHub Actions Runner support, replacing the +`actions-runner-controller` implementation developed by Summerwind. (See the +[announcement from GitHub](https://github.com/actions/actions-runner-controller/discussions/2072).) Accordingly, this +component is a replacement for the +[`actions-runner-controller`](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/eks/actions-runner-controller) +component. Although there are different defaults for some of the configuration options, if you are already using +`actions-runner-controller` you should be able to reuse the GitHub app or PAT and image pull secret you are already +using, making migration relatively straightforward. 
-We recommend deploying this component into a separate namespace (or namespaces) -than `actions-runner-controller` and get the new runners sets running before -you remove the old ones. You can then migrate your workflows to use the new -runners sets and have zero downtime. +We recommend deploying this component into a separate namespace (or namespaces) than `actions-runner-controller` and get +the new runners sets running before you remove the old ones. You can then migrate your workflows to use the new runners +sets and have zero downtime. Major differences: -- The official GitHub runners deployed are different from the GitHub hosted - runners and the Summerwind self-hosted runners in that [they have very few tools installed](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image). You will need to - install any tools you need in your workflows, either as part of your workflow - (recommended) or by maintaining a [custom runner image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image), or by running - such steps in a [separate container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) - that has the tools pre-installed. Many tools have publicly available actions - to install them, such as `actions/setup-node` to install NodeJS or `dcarbone/install-jq-action` - to install `jq`. You can also install packages using `awalsh128/cache-apt-pkgs-action`, - which has the advantage of being able to skip the installation if the package - is already installed, so you can more efficiently run the same workflow on - GitHub hosted as well as self-hosted runners. 
-- Self-hosted runners, such as those deployed with the `actions-runner-controller` - component, are targeted by a set of labels indicated by a workflow's `runs-on` - array, of which the first must be "self-hosted". Runner Sets, such as are - deployed with this component, are targeted by a single label, which is the - name of the Runner Set. This means that you will need to update your workflows - to target the new Runner Set label. See [here](https://github.com/actions/actions-runner-controller/discussions/2921#discussioncomment-7501051) - for the reasoning behind GitHub's decision to use a single label instead of a set. -- The `actions-runner-controller` component uses the published Helm chart for the - controller, but there is none for the runners, so it includes a custom Helm chart - for them. However, for Runner Sets, GitHub has published 2 charts, one for the controller - and one for the runners (runner sets). This means that this component requires - configuration (e.g. version numbers) of 2 charts, although both should be - kept at the same version. -- The `actions-runner-controller` component has a `resources/values.yaml` file - that provided defaults for the controller Helm chart. This component does not have - files like that by default, but supports a `resources/values-controller.yaml` file - for the "gha-runner-scale-set-controller" chart and a `resources/values-runner.yaml` - file for the "gha-runner-scale-set" chart. -- The default values for the SSM paths for the GitHub auth secret and the imagePullSecret - have changed. Specify the old values explicitly to keep using the same secrets. -- The `actions-runner-controller` component creates an IAM Role (IRSA) for the runners - to use. This component does not create an IRSA, because the chart does not support - using one while in "dind" mode. Use GitHub OIDC authentication inside your workflows instead. 
-- The Runner Sets deployed by this component use a different autoscaling mechanism, - so most of the `actions-runner-controller` configuration options related to - autoscaling are not applicable. -- For the same reason, this component does not deploy a webhook listener or Ingress and - does not require configuration of a GitHub webhook. -- The `actions-runner-controller` component has an input named `existing_kubernetes_secret_name`. - The equivalent input for this component is `github_kubernetes_secret_name`, - in order to clearly distinguish it from the `image_pull_kubernetes_secret_name` input. + +- The official GitHub runners deployed are different from the GitHub hosted runners and the Summerwind self-hosted + runners in that + [they have very few tools installed](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#about-the-runner-container-image). + You will need to install any tools you need in your workflows, either as part of your workflow (recommended) or by + maintaining a + [custom runner image](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/about-actions-runner-controller#creating-your-own-runner-image), + or by running such steps in a + [separate container](https://docs.github.com/en/actions/using-jobs/running-jobs-in-a-container) that has the tools + pre-installed. Many tools have publicly available actions to install them, such as `actions/setup-node` to install + NodeJS or `dcarbone/install-jq-action` to install `jq`. You can also install packages using + `awalsh128/cache-apt-pkgs-action`, which has the advantage of being able to skip the installation if the package is + already installed, so you can more efficiently run the same workflow on GitHub hosted as well as self-hosted runners. 
+- Self-hosted runners, such as those deployed with the `actions-runner-controller` component, are targeted by a set of + labels indicated by a workflow's `runs-on` array, of which the first must be "self-hosted". Runner Sets, such as are + deployed with this component, are targeted by a single label, which is the name of the Runner Set. This means that you + will need to update your workflows to target the new Runner Set label. See + [here](https://github.com/actions/actions-runner-controller/discussions/2921#discussioncomment-7501051) for the + reasoning behind GitHub's decision to use a single label instead of a set. +- The `actions-runner-controller` component uses the published Helm chart for the controller, but there is none for the + runners, so it includes a custom Helm chart for them. However, for Runner Sets, GitHub has published 2 charts, one for + the controller and one for the runners (runner sets). This means that this component requires configuration (e.g. + version numbers) of 2 charts, although both should be kept at the same version. +- The `actions-runner-controller` component has a `resources/values.yaml` file that provided defaults for the controller + Helm chart. This component does not have files like that by default, but supports a `resources/values-controller.yaml` + file for the "gha-runner-scale-set-controller" chart and a `resources/values-runner.yaml` file for the + "gha-runner-scale-set" chart. +- The default values for the SSM paths for the GitHub auth secret and the imagePullSecret have changed. Specify the old + values explicitly to keep using the same secrets. +- The `actions-runner-controller` component creates an IAM Role (IRSA) for the runners to use. This component does not + create an IRSA, because the chart does not support using one while in "dind" mode. Use GitHub OIDC authentication + inside your workflows instead. 
+- The Runner Sets deployed by this component use a different autoscaling mechanism, so most of the + `actions-runner-controller` configuration options related to autoscaling are not applicable. +- For the same reason, this component does not deploy a webhook listener or Ingress and does not require configuration + of a GitHub webhook. +- The `actions-runner-controller` component has an input named `existing_kubernetes_secret_name`. The equivalent input + for this component is `github_kubernetes_secret_name`, in order to clearly distinguish it from the + `image_pull_kubernetes_secret_name` input. ### Translating configuration from `actions-runner-controller` -Here is an example configuration for the `github-actions-runner` controller, -with comments indicating where in the `actions-runner-controller` configuration -the corresponding configuration option can be copied from. +Here is an example configuration for the `github-actions-runner` controller, with comments indicating where in the +`actions-runner-controller` configuration the corresponding configuration option can be copied from. ```yaml components: @@ -100,14 +94,11 @@ components: replicas: 1 # From `actions-runner-controller` file `resources/values.yaml`, value `replicaCount` # resources from var.resources - - # These values can be copied directly from the `actions-runner-controller` configuration ssm_github_secret_path: "/github_runners/controller_github_app_secret" github_app_id: "250828" github_app_installation_id: "30395627" - # These values require some converstion from the `actions-runner-controller` configuration # Set `create_github_kubernetes_secret` to `true` if `existing_kubernetes_secret_name` was not set, `false` otherwise. create_github_kubernetes_secret: true diff --git a/modules/eks/karpenter/CHANGELOG.md b/modules/eks/karpenter/CHANGELOG.md index 14dd2a56b..f3ff1cc20 100644 --- a/modules/eks/karpenter/CHANGELOG.md +++ b/modules/eks/karpenter/CHANGELOG.md 
@@ -2,23 +2,36 @@ Components PR [#868](https://github.com/cloudposse/terraform-aws-components/pull/868) -The `karpenter-crd` helm chart can now be installed alongside the `karpenter` helm chart to automatically manage the lifecycle of Karpenter CRDs. However since this chart must be installed before the `karpenter` helm chart, the Kubernetes namespace must be available before either chart is deployed. Furthermore, this namespace should persist whether or not the `karpenter-crd` chart is deployed, so it should not be installed with that given `helm-release` resource. Therefore, we've moved namespace creation to a separate resource that runs before both charts. Terraform will handle that namespace state migration with the `moved` block. +The `karpenter-crd` helm chart can now be installed alongside the `karpenter` helm chart to automatically manage the +lifecycle of Karpenter CRDs. However since this chart must be installed before the `karpenter` helm chart, the +Kubernetes namespace must be available before either chart is deployed. Furthermore, this namespace should persist +whether or not the `karpenter-crd` chart is deployed, so it should not be installed with that given `helm-release` +resource. Therefore, we've moved namespace creation to a separate resource that runs before both charts. Terraform will +handle that namespace state migration with the `moved` block. -There are several scenarios that may or may not require additional steps. Please review the following scenarios and follow the steps for your given requirements. +There are several scenarios that may or may not require additional steps. Please review the following scenarios and +follow the steps for your given requirements. ### Upgrading an existing `eks/karpenter` deployment without changes -If you currently have `eks/karpenter` deployed to an EKS cluster and have upgraded to this version of the component, no changes are required. `var.crd_chart_enabled` will default to `false`. 
+If you currently have `eks/karpenter` deployed to an EKS cluster and have upgraded to this version of the component, no +changes are required. `var.crd_chart_enabled` will default to `false`. ### Upgrading an existing `eks/karpenter` deployment and deploying the `karpenter-crd` chart -If you currently have `eks/karpenter` deployed to an EKS cluster, have upgraded to this version of the component, do not currently have the `karpenter-crd` chart installed, and want to now deploy the `karpenter-crd` helm chart, a few additional steps are required! +If you currently have `eks/karpenter` deployed to an EKS cluster, have upgraded to this version of the component, do not +currently have the `karpenter-crd` chart installed, and want to now deploy the `karpenter-crd` helm chart, a few +additional steps are required! First, set `var.crd_chart_enabled` to `true`. -Next, update the installed Karpenter CRDs in order for Helm to automatically take over their management when the `karpenter-crd` chart is deployed. We have included a script to run that upgrade. Run the `./karpenter-crd-upgrade` script or run the following commands on the given cluster before deploying the chart. Please note that this script or commands will only need to be run on first use of the CRD chart. +Next, update the installed Karpenter CRDs in order for Helm to automatically take over their management when the +`karpenter-crd` chart is deployed. We have included a script to run that upgrade. Run the `./karpenter-crd-upgrade` +script or run the following commands on the given cluster before deploying the chart. Please note that this script or +commands will only need to be run on first use of the CRD chart. -Before running the script, ensure that the `kubectl` context is set to the cluster where the `karpenter` helm chart is deployed. In Geodesic, you can usually do this with the `set-cluster` command, though your configuration may vary. 
+Before running the script, ensure that the `kubectl` context is set to the cluster where the `karpenter` helm chart is +deployed. In Geodesic, you can usually do this with the `set-cluster` command, though your configuration may vary. ```bash set-cluster -- terraform 
@@ -34,33 +47,39 @@ kubectl annotate crd awsnodetemplates.karpenter.k8s.aws provisioners.karpenter.s :::info -Previously the `karpenter-crd-upgrade` script included deploying the `karpenter-crd` chart. Now that this chart is moved to Terraform, that helm deployment is no longer necessary. +Previously the `karpenter-crd-upgrade` script included deploying the `karpenter-crd` chart. Now that this chart is moved +to Terraform, that helm deployment is no longer necessary. For reference, the `karpenter-crd` chart can be installed with helm with the following: + ```bash helm upgrade --install karpenter-crd oci://public.ecr.aws/karpenter/karpenter-crd --version "$VERSION" --namespace karpenter ``` ::: -Now that the CRDs are upgraded, the component is ready to be applied. Apply the `eks/karpenter` component and then apply `eks/karpenter-provisioner`. +Now that the CRDs are upgraded, the component is ready to be applied. Apply the `eks/karpenter` component and then apply +`eks/karpenter-provisioner`. #### Note for upgrading Karpenter from before v0.27.3 to v0.27.3 or later -If you are upgrading Karpenter from before v0.27.3 to v0.27.3 or later, -you may need to run the following command to remove an obsolete webhook: +If you are upgrading Karpenter from before v0.27.3 to v0.27.3 or later, you may need to run the following command to +remove an obsolete webhook: ```bash kubectl delete mutatingwebhookconfigurations defaulting.webhook.karpenter.sh ``` -See [the Karpenter upgrade guide](https://karpenter.sh/v0.32/upgrading/upgrade-guide/#upgrading-to-v0273) -for more details. +See [the Karpenter upgrade guide](https://karpenter.sh/v0.32/upgrading/upgrade-guide/#upgrading-to-v0273) for more +details. 
### Upgrading an existing `eks/karpenter` deployment where the `karpenter-crd` chart is already deployed -If you currently have `eks/karpenter` deployed to an EKS cluster, have upgraded to this version of the component, and already have the `karpenter-crd` chart installed, simply set `var.crd_chart_enabled` to `true` and redeploy Terraform to have Terraform manage the helm release for `karpenter-crd`. +If you currently have `eks/karpenter` deployed to an EKS cluster, have upgraded to this version of the component, and +already have the `karpenter-crd` chart installed, simply set `var.crd_chart_enabled` to `true` and redeploy Terraform to +have Terraform manage the helm release for `karpenter-crd`. ### Net new deployments -If you are initially deploying `eks/karpenter`, no changes are required, but we recommend installing the CRD chart. Set `var.crd_chart_enabled` to `true` and continue with deployment. +If you are initially deploying `eks/karpenter`, no changes are required, but we recommend installing the CRD chart. Set +`var.crd_chart_enabled` to `true` and continue with deployment. diff --git a/modules/kms/README.md b/modules/kms/README.md index dc8f3a404..4be480599 100644 --- a/modules/kms/README.md +++ b/modules/kms/README.md @@ -19,7 +19,6 @@ components: enabled: true ``` - ## Requirements No requirements. 
@@ -30,13 +29,13 @@ No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | git::ssh://git@github.com/spenmo/infrastructure.git//components/terraform/account-map/modules/iam-roles | n/a | -| [introspection](#module\_introspection) | cloudposse/label/null | 0.25.0 | -| [kms\_key](#module\_kms\_key) | cloudposse/kms-key/aws | 0.12.1 | -| [monorepo](#module\_monorepo) | git::ssh://git@github.com/spenmo/infrastructure.git | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------- | +| [iam_roles](#module_iam_roles) | git::ssh://git@github.com/spenmo/infrastructure.git//components/terraform/account-map/modules/iam-roles | n/a | +| [introspection](#module_introspection) | cloudposse/label/null | 0.25.0 | +| [kms_key](#module_kms_key) | cloudposse/kms-key/aws | 0.12.1 | +| [monorepo](#module_monorepo) | git::ssh://git@github.com/spenmo/infrastructure.git | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources @@ -44,48 +43,50 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alias](#input\_alias) | The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated. | `string` | n/a | yes | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [customer\_master\_key\_spec](#input\_customer\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. | `string` | `"SYMMETRIC_DEFAULT"` | no | -| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource | `number` | `10` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | The description of the key as viewed in AWS console | `string` | `"Parameter Store KMS master key"` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enable\_key\_rotation](#input\_enable\_key\_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. | `string` | `"ENCRYPT_DECRYPT"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [multi\_region](#input\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [policy](#input\_policy) | A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | `string` | `""` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [required\_tags](#input\_required\_tags) | List of required tag names | `list(string)` | `[]` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alias](#input_alias) | The display name of the alias. The name must start with the word `alias` followed by a forward slash. If not specified, the alias name will be auto-generated. | `string` | n/a | yes | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [customer_master_key_spec](#input_customer_master_key_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: `SYMMETRIC_DEFAULT`, `RSA_2048`, `RSA_3072`, `RSA_4096`, `ECC_NIST_P256`, `ECC_NIST_P384`, `ECC_NIST_P521`, or `ECC_SECG_P256K1`. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| [deletion_window_in_days](#input_deletion_window_in_days) | Duration in days after which the key is deleted after destruction of the resource | `number` | `10` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | The description of the key as viewed in AWS console | `string` | `"Parameter Store KMS master key"` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enable_key_rotation](#input_enable_key_rotation) | Specifies whether key rotation is enabled | `bool` | `true` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [key_usage](#input_key_usage) | Specifies the intended use of the key. Valid values: `ENCRYPT_DECRYPT` or `SIGN_VERIFY`. | `string` | `"ENCRYPT_DECRYPT"` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [multi_region](#input_multi_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [policy](#input_policy) | A valid KMS policy JSON document. Note that if the policy document is not specific enough (but still valid), Terraform may view the policy as constantly changing in a terraform plan. In this case, please make sure you use the verbose/specific version of the policy. | `string` | `""` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [required_tags](#input_required_tags) | List of required tag names | `list(string)` | `[]` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [kms\_key](#output\_kms\_key) | Output for KMS module | +| Name | Description | +| -------------------------------------------------------- | --------------------- | +| [kms_key](#output_kms_key) | Output for KMS module | ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/kms) - Cloud Posse's upstream component -* [cloudposse/terraform-aws-kms-key](https://github.com/cloudposse/terraform-aws-kms-key) - Cloud Posse's upstream module +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/kms) - + Cloud Posse's upstream component +- [cloudposse/terraform-aws-kms-key](https://github.com/cloudposse/terraform-aws-kms-key) - Cloud Posse's upstream + module [](https://cpco.io/component) diff --git a/modules/macie/README.md b/modules/macie/README.md index ecf61acb4..e5ab09ff9 100644 --- a/modules/macie/README.md +++ b/modules/macie/README.md @@ -166,8 +166,6 @@ atmos terraform apply macie/org-settings/ue1 -s core-ue1-security | [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies how often to publish updates to policy findings for the account. This includes publishing updates to AWS
Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). For more information, see:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html#guardduty_findings_cloudwatch_notification_frequency | `string` | `"FIFTEEN_MINUTES"` | no | | [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | diff --git a/modules/opsgenie-team/CHANGELOG.md b/modules/opsgenie-team/CHANGELOG.md index ed8ac39d2..209f811aa 100644 --- a/modules/opsgenie-team/CHANGELOG.md +++ b/modules/opsgenie-team/CHANGELOG.md @@ -2,15 +2,12 @@ ### `team` replaced with `team_options` -The `team` variable has been replaced with `team_options` to reduce confusion. -The component only ever creates at most one team, with the name -specified in the `name` variable. The `team` variable was introduced to -provide a single object to specify other options, but was not implemented -properly. +The `team` variable has been replaced with `team_options` to reduce confusion. The component only ever creates at most +one team, with the name specified in the `name` variable. The `team` variable was introduced to provide a single object +to specify other options, but was not implemented properly. ### Team membership now managed by this component by default -Previously, the default behavior was to not manage team membership, -allowing users to be managed via the Opsgenie UI. Now the default is to manage -via the `members` input. To restore the previous behavior, set +Previously, the default behavior was to not manage team membership, allowing users to be managed via the Opsgenie UI. +Now the default is to manage via the `members` input. To restore the previous behavior, set `team_options.ignore_members` to `true`. diff --git a/modules/philips-labs-github-runners/modules/README.md b/modules/philips-labs-github-runners/modules/README.md index 85f6ef43b..bade162a5 100644 --- a/modules/philips-labs-github-runners/modules/README.md +++ b/modules/philips-labs-github-runners/modules/README.md 
@@ -5,12 +5,16 @@ This is a fork of https://github.com/philips-labs/terraform-aws-github-runner/tree/main/modules/webhook-github-app. We customized it until this PR is resolved as it does not update the github app webhook until this is merged. - * https://github.com/philips-labs/terraform-aws-github-runner/pull/3625 + +- https://github.com/philips-labs/terraform-aws-github-runner/pull/3625 This module also requires an environment variable - * `GH_TOKEN` - a github token be set -This module also requires the `gh` cli to be installed. Your Dockerfile can be updated to include the following to install it: +- `GH_TOKEN` - a github token be set + +This module also requires the `gh` cli to be installed. Your Dockerfile can be updated to include the following to +install it: + ```dockerfile ARG GH_CLI_VERSION=2.39.1 # ... diff --git a/modules/philips-labs-github-runners/modules/webhook-github-app/README.md b/modules/philips-labs-github-runners/modules/webhook-github-app/README.md index ba0ca7190..b6125e471 100644 --- a/modules/philips-labs-github-runners/modules/webhook-github-app/README.md +++ b/modules/philips-labs-github-runners/modules/webhook-github-app/README.md 
@@ -2,21 +2,23 @@ > This module is using the local executor to run a bash script. -This module updates the GitHub App webhook with the endpoint and secret and can be changed with the root module. See the examples for usages. +This module updates the GitHub App webhook with the endpoint and secret and can be changed with the root module. See the +examples for usages. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3.0 | -| [null](#requirement\_null) | ~> 3 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.3.0 | +| [null](#requirement_null) | ~> 3 | ## Providers -| Name | Version | -|------|---------| -| [null](#provider\_null) | ~> 3 | +| Name | Version | +| --------------------------------------------------- | ------- | +| [null](#provider_null) | ~> 3 | ## Modules @@ -24,18 +26,19 @@ No modules. ## Resources -| Name | Type | -|------|------| +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------- | -------- | | [null_resource.update_app](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [github\_app](#input\_github\_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
webhook_secret = string
})
| n/a | yes | -| [webhook\_endpoint](#input\_webhook\_endpoint) | The endpoint to use for the webhook, defaults to the endpoint of the runners module. | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------- | :------: | +| [github_app](#input_github_app) | GitHub app parameters, see your github app. Ensure the key is the base64-encoded `.pem` file (the output of `base64 app.private-key.pem`, not the content of `private-key.pem`). |
object({
key_base64 = string
id = string
webhook_secret = string
})
| n/a | yes | +| [webhook_endpoint](#input_webhook_endpoint) | The endpoint to use for the webhook, defaults to the endpoint of the runners module. | `string` | n/a | yes | ## Outputs No outputs. + diff --git a/modules/redshift/CHANGELOG.md b/modules/redshift/CHANGELOG.md index a211c5ef9..055b6d2c9 100644 --- a/modules/redshift/CHANGELOG.md +++ b/modules/redshift/CHANGELOG.md @@ -1,7 +1,7 @@ ## Components PR [Fix components](https://github.com/cloudposse/terraform-aws-components/pull/855) -This is a bug fix and feature enhancement update. -No actions necessary to upgrade. +This is a bug fix and feature enhancement update. No actions necessary to upgrade. ## Fixes -* Fix bug related to the AWS provider `>= 5.0.0` removed `redshift_cluster.cluster_security_groups`. + +- Fix bug related to the AWS provider `>= 5.0.0` removed `redshift_cluster.cluster_security_groups`. diff --git a/modules/spa-s3-cloudfront/CHANGELOG.md b/modules/spa-s3-cloudfront/CHANGELOG.md index 250187cd3..c2b70dd21 100644 --- a/modules/spa-s3-cloudfront/CHANGELOG.md +++ b/modules/spa-s3-cloudfront/CHANGELOG.md @@ -1,9 +1,9 @@ ## Component PRs [#991](https://github.com/cloudposse/terraform-aws-components/pull/991) and [#995](https://github.com/cloudposse/terraform-aws-components/pull/995) -### Drop `lambda_edge_redirect_404` +### Drop `lambda_edge_redirect_404` -This PRs removes the `lambda_edge_redirect_404` functionality because it leads to significat costs. -Use native CloudFront error pages configs instead. +This PRs removes the `lambda_edge_redirect_404` functionality because it leads to significat costs. Use native +CloudFront error pages configs instead. ```yaml cloudfront_custom_error_response: 
@@ -16,25 +16,40 @@ cloudfront_custom_error_response: ### Lambda@Edge Submodule Refactor -This PR has significantly refactored how Lambda@Edge functions are managed by Terraform with this component. Previously, the specific use cases for Lambda@Edge functions were handled by submodules `lambda-edge-preview` and `lambda_edge_redirect_404`. These component submodules both called the same Terraform module, `cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge`. These submodules have been replaced with a single Terraform file, `lambda_edge.tf`. +This PR has significantly refactored how Lambda@Edge functions are managed by Terraform with this component. Previously, +the specific use cases for Lambda@Edge functions were handled by submodules `lambda-edge-preview` and +`lambda_edge_redirect_404`. These component submodules both called the same Terraform module, +`cloudposse/cloudfront-s3-cdn/aws//modules/lambda@edge`. These submodules have been replaced with a single Terraform +file, `lambda_edge.tf`. -The reason a single file is better than submodules is (1) simplification and (2) adding the ability to deep merge function configuration. Cloudfront Distributions support a single Lambda@Edge function for each origin/viewer request or response. With deep merging, we can define default values for function configuration and provide the ability to overwrite specific values for a given deployment. +The reason a single file is better than submodules is (1) simplification and (2) adding the ability to deep merge +function configuration. Cloudfront Distributions support a single Lambda@Edge function for each origin/viewer request or +response. With deep merging, we can define default values for function configuration and provide the ability to +overwrite specific values for a given deployment. -Specifically, our own use case is using an authorization Lambda@Edge viewer request only if the paywall is enabled. Other deployments use an alternative viewer request to redirect 404. 
+Specifically, our own use case is using an authorization Lambda@Edge viewer request only if the paywall is enabled. +Other deployments use an alternative viewer request to redirect 404. #### Upgrading with `preview_environment_enabled: true` or `lambda_edge_redirect_404_enabled: true` -If you have `var.preview_environment_enabled` or `var.lambda_edge_redirect_404_enabled` set to `true`, Terraform `moved` will move the previous resource by submodule to the new resource by file. Please give your next Terraform plan a sanity check. Any existing Lambda functions _should not be destroyed_ by this change. +If you have `var.preview_environment_enabled` or `var.lambda_edge_redirect_404_enabled` set to `true`, Terraform `moved` +will move the previous resource by submodule to the new resource by file. Please give your next Terraform plan a sanity +check. Any existing Lambda functions _should not be destroyed_ by this change. #### Upgrading with both `preview_environment_enabled: false` and `lambda_edge_redirect_404_enabled: false` -If you have no Lambda@Edge functions deployed and where both `var.preview_environment_enabled` and `var.lambda_edge_redirect_404_enabled` are `false` (the default value), no change is necessary. +If you have no Lambda@Edge functions deployed and where both `var.preview_environment_enabled` and +`var.lambda_edge_redirect_404_enabled` are `false` (the default value), no change is necessary. ### Lambda Runtime Version -The previous PR [#946](https://github.com/cloudposse/terraform-aws-components/pull/946) introduced the `var.lambda_runtime` input. Previously, the version of node in both submodules was hard-coded to be `nodejs12.x`. This PR renames that variable to `var.lambda_edge_runtime` and sets the default to `nodejs16.x`. +The previous PR [#946](https://github.com/cloudposse/terraform-aws-components/pull/946) introduced the +`var.lambda_runtime` input. Previously, the version of node in both submodules was hard-coded to be `nodejs12.x`. 
This +PR renames that variable to `var.lambda_edge_runtime` and sets the default to `nodejs16.x`. -If you want to maintain the previous version of Node, set `var.lambda_edge_runtime` to `nodejs12.x`, though be aware that AWS deprecated that version on March 31, 2023, and lambdas using that environment may no longer work. Otherwise, this component will attempt to deploy the functions with runtime `nodejs16.x`. +If you want to maintain the previous version of Node, set `var.lambda_edge_runtime` to `nodejs12.x`, though be aware +that AWS deprecated that version on March 31, 2023, and lambdas using that environment may no longer work. Otherwise, +this component will attempt to deploy the functions with runtime `nodejs16.x`. - [See all available runtimes here](https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime) - [See runtime environment deprecation dates here](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy) diff --git a/modules/spa-s3-cloudfront/README.md b/modules/spa-s3-cloudfront/README.md index 2ebb4618c..a511f7255 100644 --- a/modules/spa-s3-cloudfront/README.md +++ b/modules/spa-s3-cloudfront/README.md @@ -192,7 +192,7 @@ components: | [cloudfront\_aws\_waf\_protection\_enabled](#input\_cloudfront\_aws\_waf\_protection\_enabled) | Enable or disable AWS WAF for the CloudFront distribution.

This assumes that the `aws-waf-acl-default-cloudfront` component has been deployed to the regional stack corresponding
to `var.waf_acl_environment`. | `bool` | `true` | no | | [cloudfront\_cached\_methods](#input\_cloudfront\_cached\_methods) | List of cached methods (e.g. GET, PUT, POST, DELETE, HEAD). | `list(string)` |
[
"GET",
"HEAD"
]
| no | | [cloudfront\_compress](#input\_cloudfront\_compress) | Compress content for web requests that include Accept-Encoding: gzip in the request header. | `bool` | `false` | no | -| [cloudfront\_custom\_error\_response](#input\_cloudfront\_custom\_error\_response) | List of one or more custom error response element maps. |
list(object({
error_caching_min_ttl = string
error_code = string
response_code = string
response_page_path = string
}))
| `[]` | no | +| [cloudfront\_custom\_error\_response](#input\_cloudfront\_custom\_error\_response) | List of one or more custom error response element maps. |
list(object({
error_caching_min_ttl = optional(string, "10")
error_code = string
response_code = string
response_page_path = string
}))
| `[]` | no | | [cloudfront\_default\_root\_object](#input\_cloudfront\_default\_root\_object) | Object that CloudFront return when requests the root URL. | `string` | `"index.html"` | no | | [cloudfront\_default\_ttl](#input\_cloudfront\_default\_ttl) | Default amount of time (in seconds) that an object is in a CloudFront cache. | `number` | `60` | no | | [cloudfront\_index\_document](#input\_cloudfront\_index\_document) | Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. | `string` | `"index.html"` | no | diff --git a/modules/sso-saml-provider/README.md b/modules/sso-saml-provider/README.md index bab429ff0..008892277 100644 --- a/modules/sso-saml-provider/README.md +++ b/modules/sso-saml-provider/README.md @@ -1,6 +1,6 @@ # Component: `sso-saml-provider` -This component reads sso credentials from SSM Parameter store and provides them as outputs +This component reads sso credentials from SSM Parameter store and provides them as outputs ## Usage diff --git a/modules/tgw/CHANGELOG.md b/modules/tgw/CHANGELOG.md index 41575194d..9c2e9a799 100644 --- a/modules/tgw/CHANGELOG.md +++ b/modules/tgw/CHANGELOG.md 
@@ -10,19 +10,27 @@ Components PR [#804](https://github.com/cloudposse/terraform-aws-components/pull ### Summary -This change to the Transit Gateway components, [PR #804](https://github.com/cloudposse/terraform-aws-components/pull/804), added support for cross-region connections. +This change to the Transit Gateway components, +[PR #804](https://github.com/cloudposse/terraform-aws-components/pull/804), added support for cross-region connections. -As part of that change, we've added `environment` to the component identifier used in the Terraform Output created by `tgw/hub`. Because of that map key change, all resources in Terraform now have a new resource identifier and therefore must be recreated with Terraform or removed from state and imported into the new resource ID. +As part of that change, we've added `environment` to the component identifier used in the Terraform Output created by +`tgw/hub`. Because of that map key change, all resources in Terraform now have a new resource identifier and therefore +must be recreated with Terraform or removed from state and imported into the new resource ID. -Recreating the resources is the easiest solution but means that Transit Gateway connectivity will be lost while the changes apply, which typically takes an hour. Alternatively, removing the resources from state and importing back into the new resource ID is much more complex operationally but means no lost Transit Gateway connectivity. +Recreating the resources is the easiest solution but means that Transit Gateway connectivity will be lost while the +changes apply, which typically takes an hour. Alternatively, removing the resources from state and importing back into +the new resource ID is much more complex operationally but means no lost Transit Gateway connectivity. 
-Since we use Transit Gateway for VPN and GitHub Automation runner access, a temporarily lost connection is not a significant concern, so we choose to accept lost connectivity and recreate all `tgw/spoke` resources. +Since we use Transit Gateway for VPN and GitHub Automation runner access, a temporarily lost connection is not a +significant concern, so we choose to accept lost connectivity and recreate all `tgw/spoke` resources. ### Steps 1. Notify your team of a temporary VPN and Automation outage for accessing private networks -2. Deploy all `tgw/hub` components. There should be a hub component in each region of your network account connected to Transit Gateway -3. Deploy all `tgw/spoke` components. There should be a spoke component in every account and every region connected to Transit Gateway +2. Deploy all `tgw/hub` components. There should be a hub component in each region of your network account connected to + Transit Gateway +3. Deploy all `tgw/spoke` components. There should be a spoke component in every account and every region connected to + Transit Gateway #### Tips From 769e398cb658efb80aa908675a78288ce2cb97bf Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:13:56 -0800 Subject: [PATCH 06/11] pre-commit run --all-files --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9f8455073..0aadbc8d3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -47,7 +47,6 @@ repos: exclude: | (?x)^( deprecated - modules )$ - repo: local From 704e116e7e336a880ed35ccb354eaa1cb1215a2f Mon Sep 17 00:00:00 2001 
From: milldr Date: Fri, 8 Mar 2024 13:15:48 -0800 Subject: [PATCH 07/11] pre-commit run --all-files --- deprecated/account-map/README.md | 147 ++++---- .../modules/iam-assume-role-policy/README.md | 95 ++--- .../account-map/modules/iam-roles/README.md | 17 +- .../modules/roles-to-principals/README.md | 18 +- deprecated/aws-waf-acl/README.md | 152 ++++---- deprecated/aws/backing-services/README.md | 1 - deprecated/aws/bootstrap/README.md | 10 +- deprecated/aws/ecs/README.md | 17 +- .../aws/grafana-backing-services/README.md | 22 +- .../aws/keycloak-backing-services/README.md | 76 ++-- .../kops-legacy-account-vpc-peering/README.md | 14 +- deprecated/aws/kops/README.md | 21 +- deprecated/aws/opsgenie/README.md | 223 ++++++------ deprecated/aws/opsgenie/detailed-usage.md | 321 +++++++++-------- deprecated/aws/tfstate-backend/README.md | 10 +- deprecated/eks-iam/README.md | 132 +++---- deprecated/eks/ebs-controller/README.md | 128 +++---- deprecated/eks/echo-server/README.md | 180 ++++----- deprecated/eks/efs-controller/README.md | 140 +++---- deprecated/eks/eks-without-spotinst/README.md | 198 +++++----- deprecated/github-actions-runner/README.md | 204 ++++++----- deprecated/guardduty/common/README.md | 80 ++-- deprecated/guardduty/root/README.md | 102 +++--- deprecated/iam-delegated-roles/README.md | 253 ++++++------- deprecated/iam-primary-roles/README.md | 341 +++++++++--------- .../securityhub/securityhub/common/README.md | 173 +++++---- .../securityhub/securityhub/root/README.md | 111 +++--- deprecated/spacelift-policy/README.md | 100 ++--- deprecated/spacelift-worker-pool/README.md | 286 ++++++++------- deprecated/spacelift/README.md | 212 ++++++----- .../spacelift/docs/spacelift-overview.md | 19 +- deprecated/sso/README.md | 94 ++--- .../tgw/cross-region-hub-connector/README.md | 116 +++--- deprecated/tgw/cross-region-spoke/README.md | 126 +++---- deprecated/tgw/hub/README.md | 108 +++--- deprecated/tgw/spoke/README.md | 93 ++--- mixins/README.md | 7 +- 
.../README-github-action-iam-role.md | 69 ++-- 38 files changed, 2292 insertions(+), 2124 deletions(-) diff --git a/deprecated/account-map/README.md b/deprecated/account-map/README.md index 43ae68b6b..2d9042b01 100644 --- a/deprecated/account-map/README.md +++ b/deprecated/account-map/README.md @@ -1,12 +1,14 @@ # Component: `account-map` -This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs. +This component is responsible for provisioning information only: it simply populates Terraform state with data (account +ids, groups, and roles) that other root modules need via outputs. ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. Stick this snippet in the management account's stack (E.g. `gbl-root.yaml`) +Here's an example snippet for how to use this component. Stick this snippet in the management account's stack (E.g. +`gbl-root.yaml`) ```yaml components: 
@@ -32,96 +34,99 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | ~> 4 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | ~> 4 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 4 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | ~> 4 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [accounts](#module\_accounts) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------- | -------------------------------------------------- | ------- | +| [accounts](#module_accounts) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | | [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to 
add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [artifacts\_account\_account\_name](#input\_artifacts\_account\_account\_name) | The stage name for the artifacts account | `string` | `"artifacts"` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [audit\_account\_account\_name](#input\_audit\_account\_account\_name) | The stage name for the audit account | `string` | `"audit"` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [dns\_account\_account\_name](#input\_dns\_account\_account\_name) | The stage name for the primary DNS account | `string` | `"dns"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global\_environment\_name](#input\_global\_environment\_name) | Global environment name | `string` | `"gbl"` | no | -| [iam\_role\_arn\_template\_template](#input\_iam\_role\_arn\_template\_template) | The template for the template used to render Role ARNs.
The template is first used to render a template for the account that takes only the role name.
Then that rendered template is used to create the final Role ARN for the account.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"arn:%s:iam::%s:role/%s-%s-%s-%%s"` when not using `tenant`.


Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"arn:%s:iam::%s:role/%s-%s-%s-%s-%%s"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [identity\_account\_account\_name](#input\_identity\_account\_account\_name) | The stage name for the account holding primary IAM roles | `string` | `"identity"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [profile\_template](#input\_profile\_template) | The template used to render AWS Profile names.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"%s-%s-%s-%s"` when not using `tenant`.

Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"%s-%s-%s-%s-%s"` | no | -| [profiles\_enabled](#input\_profiles\_enabled) | Whether or not to enable profiles instead of roles for the backend. If true, profile must be set. If false, role\_arn must be set. | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [root\_account\_account\_name](#input\_root\_account\_account\_name) | The stage name for the root account | `string` | `"root"` | no | -| [root\_account\_aws\_name](#input\_root\_account\_aws\_name) | The name of the root account as reported by AWS | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [artifacts_account_account_name](#input_artifacts_account_account_name) | The stage name for the artifacts account | `string` | `"artifacts"` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [audit_account_account_name](#input_audit_account_account_name) | The stage name for the audit account | `string` | `"audit"` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [dns_account_account_name](#input_dns_account_account_name) | The stage name for the primary DNS account | `string` | `"dns"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global_environment_name](#input_global_environment_name) | Global environment name | `string` | `"gbl"` | no | +| [iam_role_arn_template_template](#input_iam_role_arn_template_template) | The template for the template used to render Role ARNs.
The template is first used to render a template for the account that takes only the role name.
Then that rendered template is used to create the final Role ARN for the account.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"arn:%s:iam::%s:role/%s-%s-%s-%%s"` when not using `tenant`.


Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"arn:%s:iam::%s:role/%s-%s-%s-%s-%%s"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [identity_account_account_name](#input_identity_account_account_name) | The stage name for the account holding primary IAM roles | `string` | `"identity"` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [profile_template](#input_profile_template) | The template used to render AWS Profile names.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"%s-%s-%s-%s"` when not using `tenant`.

Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"%s-%s-%s-%s-%s"` | no | +| [profiles_enabled](#input_profiles_enabled) | Whether or not to enable profiles instead of roles for the backend. If true, profile must be set. If false, role_arn must be set. | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [root_account_account_name](#input_root_account_account_name) | The stage name for the root account | `string` | `"root"` | no | +| [root_account_aws_name](#input_root_account_aws_name) | The name of the root account as reported by AWS | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [account\_info\_map](#output\_account\_info\_map) | A map from account name to various information about the account.
See the `account_info_map` output of `account` for more detail. | -| [all\_accounts](#output\_all\_accounts) | A list of all accounts in the AWS Organization | -| [artifacts\_account\_account\_name](#output\_artifacts\_account\_account\_name) | The short name for the artifacts account | -| [audit\_account\_account\_name](#output\_audit\_account\_account\_name) | The short name for the audit account | -| [aws\_partition](#output\_aws\_partition) | The AWS "partition" to use when constructing resource ARNs | -| [cicd\_profiles](#output\_cicd\_profiles) | A list of all SSO profiles used by cicd platforms | -| [cicd\_roles](#output\_cicd\_roles) | A list of all IAM roles used by cicd platforms | -| [dns\_account\_account\_name](#output\_dns\_account\_account\_name) | The short name for the primary DNS account | -| [eks\_accounts](#output\_eks\_accounts) | A list of all accounts in the AWS Organization that contain EKS clusters | -| [full\_account\_map](#output\_full\_account\_map) | The map of account name to account ID (number). 
| -| [helm\_profiles](#output\_helm\_profiles) | A list of all SSO profiles used to run helm updates | -| [helm\_roles](#output\_helm\_roles) | A list of all IAM roles used to run helm updates | -| [iam\_role\_arn\_templates](#output\_iam\_role\_arn\_templates) | Map of accounts to corresponding IAM Role ARN templates | -| [identity\_account\_account\_name](#output\_identity\_account\_account\_name) | The short name for the account holding primary IAM roles | -| [non\_eks\_accounts](#output\_non\_eks\_accounts) | A list of all accounts in the AWS Organization that do not contain EKS clusters | -| [org](#output\_org) | The name of the AWS Organization | -| [profiles\_enabled](#output\_profiles\_enabled) | Whether or not to enable profiles instead of roles for the backend | -| [root\_account\_account\_name](#output\_root\_account\_account\_name) | The short name for the root account | -| [root\_account\_aws\_name](#output\_root\_account\_aws\_name) | The name of the root account as reported by AWS | -| [terraform\_profiles](#output\_terraform\_profiles) | A list of all SSO profiles used to run terraform updates | -| [terraform\_roles](#output\_terraform\_roles) | A list of all IAM roles used to run terraform updates | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | +| [account_info_map](#output_account_info_map) | A map from account name to various information about the account.
See the `account_info_map` output of `account` for more detail. | +| [all_accounts](#output_all_accounts) | A list of all accounts in the AWS Organization | +| [artifacts_account_account_name](#output_artifacts_account_account_name) | The short name for the artifacts account | +| [audit_account_account_name](#output_audit_account_account_name) | The short name for the audit account | +| [aws_partition](#output_aws_partition) | The AWS "partition" to use when constructing resource ARNs | +| [cicd_profiles](#output_cicd_profiles) | A list of all SSO profiles used by cicd platforms | +| [cicd_roles](#output_cicd_roles) | A list of all IAM roles used by cicd platforms | +| [dns_account_account_name](#output_dns_account_account_name) | The short name for the primary DNS account | +| [eks_accounts](#output_eks_accounts) | A list of all accounts in the AWS Organization that contain EKS clusters | +| [full_account_map](#output_full_account_map) | The map of account name to account ID (number). | +| [helm_profiles](#output_helm_profiles) | A list of all SSO profiles used to run helm updates | +| [helm_roles](#output_helm_roles) | A list of all IAM roles used to run helm updates | +| [iam_role_arn_templates](#output_iam_role_arn_templates) | Map of accounts to corresponding IAM Role ARN templates | +| [identity_account_account_name](#output_identity_account_account_name) | The short name for the account holding primary IAM roles | +| [non_eks_accounts](#output_non_eks_accounts) | A list of all accounts in the AWS Organization that do not contain EKS clusters | +| [org](#output_org) | The name of the AWS Organization | +| [profiles_enabled](#output_profiles_enabled) | Whether or not to enable profiles instead of roles for the backend | +| [root_account_account_name](#output_root_account_account_name) | The short name for the root account | +| [root_account_aws_name](#output_root_account_aws_name) | The name of the root account as reported by AWS | +| 
[terraform_profiles](#output_terraform_profiles) | A list of all SSO profiles used to run terraform updates | +| [terraform_roles](#output_terraform_roles) | A list of all IAM roles used to run terraform updates | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/account-map) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/account-map) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/account-map/modules/iam-assume-role-policy/README.md b/deprecated/account-map/modules/iam-assume-role-policy/README.md index f2feb1d5f..f4300ac74 100644 --- a/deprecated/account-map/modules/iam-assume-role-policy/README.md +++ b/deprecated/account-map/modules/iam-assume-role-policy/README.md 
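Review bot: the Requirements, Providers, Modules, Resources, Inputs and Outputs tables in the `deprecated/account-map/README.md` hunk above are terraform-docs output, so this reformat will be reverted the next time the docs are regenerated: the generator re-escapes underscores in anchors (`#requirement\_terraform` in place of the `#requirement_terraform` written here) and emits unpadded `|------|` separator rows, which will produce a churn diff against the padded rows added in this hunk (the Inputs separator row is several hundred characters wide because the `context` default cell is padded to its full width). Either wrap the generated block in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` so prettier leaves it alone, or order the hooks so terraform-docs runs before prettier and the generated output is normalized the same way on every run. The blank line added after the usage fence and before `## Requirements` is harmless either way.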
@@ -2,13 +2,14 @@ This submodule generates a JSON-encoded IAM Policy Document suitable for use as an "Assume Role Policy". -You can designate both who is allowed to assume a role and who is explicitly denied permission -to assume a role. The value of this submodule is that it allows for many ways -to specify the "who" while at the same time limiting the "who" to assumed IAM roles: +You can designate both who is allowed to assume a role and who is explicitly denied permission to assume a role. The +value of this submodule is that it allows for many ways to specify the "who" while at the same time limiting the "who" +to assumed IAM roles: - All assumed roles in the `dev` account: `allowed_roles = { dev = ["*"] }` - Only the `admin` role in the dev account: `allowed_roles = { dev = ["admin"] }` -- A specific principal in any account (though it must still be an assumed role): `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` +- A specific principal in any account (though it must still be an assumed role): + `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` - A user of a specific AWS SSO Permission Set: `allowed_permission_sets = { dev = ["DeveloperAccess"] }` ## Usage 
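Review bot: while this hunk rewraps the bullet, the example it carries, `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role`, is not valid HCL for this input: the same file's Inputs table declares `allowed_principal_arns` as `list(string)`, so a reader copying the line as written gets a parse error. Since the line is being touched anyway, make it `allowed_principal_arns = ["arn:aws:iam::123456789012:role/trusted-role"]`, matching the bracketed form used by the `allowed_roles` and `allowed_permission_sets` examples beside it.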
@@ -31,65 +32,67 @@ resource "aws_iam_role" "default" { ``` + ## Requirements No requirements. ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | n/a | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [allowed\_role\_map](#module\_allowed\_role\_map) | ../../../account-map/modules/roles-to-principals | n/a | -| [denied\_role\_map](#module\_denied\_role\_map) | ../../../account-map/modules/roles-to-principals | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------- | ------------------------------------------------ | ------- | +| [allowed_role_map](#module_allowed_role_map) | ../../../account-map/modules/roles-to-principals | n/a | +| [denied_role_map](#module_denied_role_map) | ../../../account-map/modules/roles-to-principals | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_arn.allowed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_arn.denied](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_arn.allowed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.denied](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | 
Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [allowed\_permission\_sets](#input\_allowed\_permission\_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets allowed to assume the role when coming from specified account | `map(list(string))` | `{}` | no | -| [allowed\_principal\_arns](#input\_allowed\_principal\_arns) | List of AWS principal ARNs allowed to assume the role. | `list(string)` | `[]` | no | -| [allowed\_roles](#input\_allowed\_roles) | Map of account:[role, role...] specifying roles allowed to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [denied\_permission\_sets](#input\_denied\_permission\_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account | `map(list(string))` | `{}` | no | -| [denied\_principal\_arns](#input\_denied\_principal\_arns) | List of AWS principal ARNs explicitly denied access to the role. | `list(string)` | `[]` | no | -| [denied\_roles](#input\_denied\_roles) | Map of account:[role, role...] specifying roles explicitly denied permission to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [allowed_permission_sets](#input_allowed_permission_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets allowed to assume the role when coming from specified account | `map(list(string))` | `{}` | no | +| [allowed_principal_arns](#input_allowed_principal_arns) | List of AWS principal ARNs allowed to assume the role. | `list(string)` | `[]` | no | +| [allowed_roles](#input_allowed_roles) | Map of account:[role, role...] specifying roles allowed to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [denied_permission_sets](#input_denied_permission_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account | `map(list(string))` | `{}` | no | +| [denied_principal_arns](#input_denied_principal_arns) | List of AWS principal ARNs explicitly denied access to the role. | `list(string)` | `[]` | no | +| [denied_roles](#input_denied_roles) | Map of account:[role, role...] specifying roles explicitly denied permission to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [policy\_document](#output\_policy\_document) | JSON encoded string representing the "Assume Role" policy configured by the inputs | +| Name | Description | +| -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | +| [policy_document](#output_policy_document) | JSON encoded string representing the "Assume Role" policy configured by the inputs | + diff --git a/deprecated/account-map/modules/iam-roles/README.md b/deprecated/account-map/modules/iam-roles/README.md index 0de665565..2e3f39418 100644 --- a/deprecated/account-map/modules/iam-roles/README.md +++ b/deprecated/account-map/modules/iam-roles/README.md 
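Review bot: in the rewritten Inputs/Outputs tables of this hunk prettier strips the `\_` escapes from the anchor ids (`#input\_allowed\_permission\_sets` becomes `#input_allowed_permission_sets`, `#output\_policy\_document` becomes `#output_policy_document`) and pads every column to the widest cell; these tables look terraform-docs generated (the `#input\_…` anchors and the Name/Description/Type/Default/Required layout), so the next terraform-docs run will put the escapes and the narrow `|------|` separators back and the two tools will fight over every README. Either point `.prettierignore` (or a `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` pair) at the generated block, or run terraform-docs through prettier in the same pre-commit hook so the committed form is stable. Nothing in the descriptions themselves changed; the `allowed_*`/`denied_*` rows and the `privileged` row carry the same text before and after.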
@@ -1,15 +1,12 @@ # Submodule `iam-roles` -This submodule is used by other modules to determine which IAM Roles -or AWS CLI Config Profiles to use for various tasks, most commonly -for applying Terraform plans. +This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various +tasks, most commonly for applying Terraform plans. ## Special Configuration Needed -In order to avoid having to pass customization information through every module -that uses this submodule, if the default configuration does not suit your needs, -you are expected to customize `variables.tf` with the defaults you want to -use in your project. For example, if you are including the `tenant` label -in the designation of your "root" account (your Organization Management Account), -then you should modify `variables.tf` so that `global_tenant_name` defaults -to the appropriate value. +In order to avoid having to pass customization information through every module that uses this submodule, if the default +configuration does not suit your needs, you are expected to customize `variables.tf` with the defaults you want to use +in your project. For example, if you are including the `tenant` label in the designation of your "root" account (your +Organization Management Account), then you should modify `variables.tf` so that `global_tenant_name` defaults to the +appropriate value. diff --git a/deprecated/account-map/modules/roles-to-principals/README.md b/deprecated/account-map/modules/roles-to-principals/README.md index 82b128d8c..e33e9cc15 100644 --- a/deprecated/account-map/modules/roles-to-principals/README.md +++ b/deprecated/account-map/modules/roles-to-principals/README.md 
@@ -1,16 +1,12 @@ # Submodule `roles-to-principals` -This submodule is used by other modules to map short role names and AWS -SSO Permission Set names in accounts designated by short account names -(for example, `terraform` in the `dev` account) to full IAM Role ARNs and -other related tasks. +This submodule is used by other modules to map short role names and AWS SSO Permission Set names in accounts designated +by short account names (for example, `terraform` in the `dev` account) to full IAM Role ARNs and other related tasks. ## Special Configuration Needed -In order to avoid having to pass customization information through every module -that uses this submodule, if the default configuration does not suit your needs, -you are expected to customize `variables.tf` with the defaults you want to -use in your project. For example, if you are including the `tenant` label -in the designation of your "root" account (your Organization Management Account), -then you should modify `variables.tf` so that `global_tenant_name` defaults -to the appropriate value. +In order to avoid having to pass customization information through every module that uses this submodule, if the default +configuration does not suit your needs, you are expected to customize `variables.tf` with the defaults you want to use +in your project. For example, if you are including the `tenant` label in the designation of your "root" account (your +Organization Management Account), then you should modify `variables.tf` so that `global_tenant_name` defaults to the +appropriate value. diff --git a/deprecated/aws-waf-acl/README.md b/deprecated/aws-waf-acl/README.md index 64e50e47e..ab3b5910f 100644 --- a/deprecated/aws-waf-acl/README.md +++ b/deprecated/aws-waf-acl/README.md 
@@ -1,7 +1,7 @@ # Component: `aws-waf-acl` -This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group. - +This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule +group. ## Usage 
@@ -19,103 +19,105 @@ components: default_action: allow description: Default web ACL managed_rule_group_statement_rules: - - name: "OWASP-10" - # Rules are processed in order based on the value of priority, lowest number first - priority: 1 - - statement: - name: AWSManagedRulesCommonRuleSet - vendor_name: AWS - - visibility_config: - # Defines and enables Amazon CloudWatch metrics and web request sample collection. - cloudwatch_metrics_enabled: false - metric_name: "OWASP-10" - sampled_requests_enabled: false + - name: "OWASP-10" + # Rules are processed in order based on the value of priority, lowest number first + priority: 1 + + statement: + name: AWSManagedRulesCommonRuleSet + vendor_name: AWS + + visibility_config: + # Defines and enables Amazon CloudWatch metrics and web request sample collection. + cloudwatch_metrics_enabled: false + metric_name: "OWASP-10" + sampled_requests_enabled: false ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.14.9 | -| [aws](#requirement\_aws) | >= 3.36 | -| [external](#requirement\_external) | >= 2.1 | -| [local](#requirement\_local) | >= 2.1 | -| [template](#requirement\_template) | >= 2.2 | -| [utils](#requirement\_utils) | >= 0.3 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 0.14.9 | +| [aws](#requirement_aws) | >= 3.36 | +| [external](#requirement_external) | >= 2.1 | +| [local](#requirement_local) | >= 2.1 | +| [template](#requirement_template) | >= 2.2 | +| [utils](#requirement_utils) | >= 0.3 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.36 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 3.36 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 0.0.1 | -| 
[iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.24.1 | +| Name | Source | Version | +| -------------------------------------------------------------- | -------------------------------- | ------- | +| [aws_waf](#module_aws_waf) | cloudposse/waf/aws | 0.0.1 | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.24.1 | ## Resources -| Name | Type | -|------|------| +| Name | Type | +| ---------------------------------------------------------------------------------------------------------------------- | -------- | | [aws_ssm_parameter.acl_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [acl\_name](#input\_acl\_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm\_path\_prefix}/{acl\_name}/arn | `string` | n/a | yes | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | -| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The ARN of the IP Set that this statement references.
ip\_set\_forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | -| [log\_destination\_configs](#input\_log\_destination\_configs) | The Amazon Kinesis Data Firehose ARNs. | `list(string)` | `[]` | no | -| [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
name:
The name of the managed rule group.
vendor\_name:
The name of the managed rule group vendor.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | -| [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [scope](#input\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
Possible values are `CLOUDFRONT` or `REGIONAL`.
To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no | -| [size\_constraint\_statement\_rules](#input\_size\_constraint\_statement\_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
comparison\_operator:
The operator to use to compare the request part to the size setting.
Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
size:
The size, in bytes, to compare to the request part, after any transformations.
Valid values are integers between `0` and `21474836480`, inclusive.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [sqli\_match\_statement\_rules](#input\_sqli\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [ssm\_path\_prefix](#input\_ssm\_path\_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no | -| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | -| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [acl_name](#input_acl_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm_path_prefix}/{acl_name}/arn | `string` | n/a | yes | +| [additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [association_resource_arns](#input_association_resource_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | +| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [byte_match_statement_rules](#input_byte_match_statement_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [default_action](#input_default_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [geo_match_statement_rules](#input_geo_match_statement_rules) | A rule statement used to identify web requests based on country of origin.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
country_codes:
A list of two-character country codes.
forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [ip_set_reference_statement_rules](#input_ip_set_reference_statement_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The ARN of the IP Set that this statement references.
ip_set_forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [label_key_case](#input_label_key_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | +| [log_destination_configs](#input_log_destination_configs) | The Amazon Kinesis Data Firehose ARNs. | `list(string)` | `[]` | no | +| [managed_rule_group_statement_rules](#input_managed_rule_group_statement_rules) | A rule statement used to run the rules that are defined in a managed rule group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
name:
The name of the managed rule group.
vendor_name:
The name of the managed rule group vendor.
excluded_rule:
The list of names of the rules to exclude.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [rate_based_statement_rules](#input_rate_based_statement_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate_key_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [redacted_fields](#input_redacted_fields) | The parts of the request that you want to keep out of the logs.

method_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri_path_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query_string_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | +| [regex_pattern_set_reference_statement_rules](#input_regex_pattern_set_reference_statement_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [rule_group_reference_statement_rules](#input_rule_group_reference_statement_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded_rule:
The list of names of the rules to exclude.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [scope](#input_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
Possible values are `CLOUDFRONT` or `REGIONAL`.
To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no | +| [size_constraint_statement_rules](#input_size_constraint_statement_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
comparison_operator:
The operator to use to compare the request part to the size setting.
Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
size:
The size, in bytes, to compare to the request part, after any transformations.
Valid values are integers between `0` and `21474836480`, inclusive.
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [sqli_match_statement_rules](#input_sqli_match_statement_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [ssm_path_prefix](#input_ssm_path_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no | +| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [visibility_config](#input_visibility_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | +| [xss_match_statement_rules](#input_xss_match_statement_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss_match_statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [acl](#output\_acl) | Information about the created WAF ACL | - +| Name | Description | +| -------------------------------------------- | ------------------------------------- | +| [acl](#output_acl) | Information about the created WAF ACL | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/ecr) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/ecr) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/aws/backing-services/README.md b/deprecated/aws/backing-services/README.md index a8f8a707e..da75f3787 100644 --- a/deprecated/aws/backing-services/README.md +++ b/deprecated/aws/backing-services/README.md @@ -1,4 +1,3 @@ - ## Troubleshooting ### Problem diff --git a/deprecated/aws/bootstrap/README.md b/deprecated/aws/bootstrap/README.md index f53ae9f5b..397337031 100644 --- a/deprecated/aws/bootstrap/README.md +++ b/deprecated/aws/bootstrap/README.md 
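Review bot: the `default_action` row in this Inputs table reads "Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`." while its default in the same row is `"block"`; the description should state what the variable controls, e.g. "The action AWS WAF takes on a request that matches no rule. Possible values: `allow`, `block`." Two smaller things worth fixing while these rows are being rewritten: the `single_header` entry under `redacted_fields` says "query headers" where it means request headers, and the References entry links to `.../terraform-aws-components/tree/master/modules/ecr`, which is the ecr component rather than this WAF one. Finally, the `-` side uses escaped anchors (`#input\_acl\_name`) and the `+` side unescaped ones (`#input_acl_name`); if this table is regenerated by a docs tool, make sure its output agrees with what prettier produces, otherwise the two forms will flip on every regeneration.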
@@ -1,7 +1,11 @@ # bootstrap -This module provisions an AWS user along with a bootstrap role suitable for bootstrapping an AWS multi-account architecture as found in our [reference architectures](https://github.com/cloudposse/reference-architecutres). +This module provisions an AWS user along with a bootstrap role suitable for bootstrapping an AWS multi-account +architecture as found in our [reference architectures](https://github.com/cloudposse/reference-architecutres). -These user and role are intended to be used as a **temporary fixture** and should be deprovisioned after all accounts have been provisioned in order to maintain a secure environment. +These user and role are intended to be used as a **temporary fixture** and should be deprovisioned after all accounts +have been provisioned in order to maintain a secure environment. -__WARNING:__ This module grants `AdministrativeAccess` in the current account along with the `OrganizationAccountAccessRole` to all `accounts_enabled` **without MFA**. We repeat, this module should *only* be used during the bootstrapping phase when provisioning your infrastructure for the first time. +**WARNING:** This module grants `AdministrativeAccess` in the current account along with the +`OrganizationAccountAccessRole` to all `accounts_enabled` **without MFA**. We repeat, this module should _only_ be used +during the bootstrapping phase when provisioning your infrastructure for the first time. diff --git a/deprecated/aws/ecs/README.md b/deprecated/aws/ecs/README.md index 2ab2591fd..6434ba8ac 100644 --- a/deprecated/aws/ecs/README.md +++ b/deprecated/aws/ecs/README.md 
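Review bot: the WARNING names the grant as `AdministrativeAccess`, but the AWS managed policy is `AdministratorAccess`; since this sentence is being rewritten anyway, check the module's IAM code and use the exact policy name so readers can grep for it. On the same rewritten lines, the reference-architectures URL keeps `reference-architecutres` in its path (verify the link actually resolves), and "These user and role are intended" should read "This user and role are intended".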
@@ -2,15 +2,15 @@ For GitHub, your personal access token must have the following scopes. -* `repo`: Grants full control of private repositories. -* `repo:status`: Grants access to commit statuses. -* `admin:repo_hook`: Grants full control of repository hooks. This scope is not required if your token has the repo scope. +- `repo`: Grants full control of private repositories. +- `repo:status`: Grants access to commit statuses. +- `admin:repo_hook`: Grants full control of repository hooks. This scope is not required if your token has the repo + scope. We recommend creating the tokens from a "bot" account that has limited access to the repos you are using. Read more: - ## Example Build Manifest Add the following `buildspec.yml` to the root of the GitHub repo's project. @@ -52,14 +52,14 @@ artifacts: ## Troubleshooting - ### InvalidParameterException: Long arn format must be used for tagging operations ```sh aws_ecs_service.default: error tagging ECS Cluster (arn:aws:ecs:us-west-2:223452713953:service/eg-example-fargate-atlantis): InvalidParameterException: Long arn format must be used for tagging operations ``` -See: +See: + After enabling the Long ARNs, the cluster needs to be rebuilt from scratch. 
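Review bot: the sample error in the "Long arn format" section carries what looks like a real account ID (`arn:aws:ecs:us-west-2:223452713953:service/eg-example-fargate-atlantis`); replace it with a placeholder such as `123456789012` before this lands, since account IDs in public documentation are unnecessary exposure. In the same file, "Read more:" and "See:" have no link target on the visible lines; if an angle-bracket autolink was dropped by the reformat, restore it, otherwise delete the dangling label.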
@@ -75,13 +75,14 @@ This is a race condition. Rerun `terraform apply`. ```sh Error putting scaling policy: ObjectNotFoundException: No scalable target registered for service namespace: ecs, resource ID: service/cpco-testing-fargate/eg-exapmle-fargate-atlantis, scalable dimension: ecs:service:DesiredCount -```` +``` This is a race condition. Rerun `terraform apply`. ### Webhooks Do Not Trigger Builds -This could happen if the secrets between CodePipeline and GitHub do not match. Unfortunately, terraform cannot detect when the secrets change, so your best bet is to `taint` and reapply. +This could happen if the secrets between CodePipeline and GitHub do not match. Unfortunately, terraform cannot detect +when the secrets change, so your best bet is to `taint` and reapply. ```sh make taint/webhook diff --git a/deprecated/aws/grafana-backing-services/README.md b/deprecated/aws/grafana-backing-services/README.md index e72d7f22d..a707f23b9 100644 --- a/deprecated/aws/grafana-backing-services/README.md +++ b/deprecated/aws/grafana-backing-services/README.md 
@@ -10,24 +10,22 @@ As of this writing, this only provisions a serverless Aurora MySQL 5.6 database. ### SSL Server Certificate Validation -Connection to the MySQL server take place via SSL, but the Aurora servers -use a distinct root certificate authority (CA) that is not in the -default trust store. Thus the MySQL client cannot validate that it is -talking to the actual MySQL server and is open to man-in-the-middle -attack. This is a security risk, but our assessment is that it is minor, -given that the network connections are all within VPCs and an attacker -who could become a man-in-the-middle would likely to be able to gain -access to all the cluster's resources through Kubernetes. +Connection to the MySQL server take place via SSL, but the Aurora servers use a distinct root certificate authority (CA) +that is not in the default trust store. Thus the MySQL client cannot validate that it is talking to the actual MySQL +server and is open to man-in-the-middle attack. This is a security risk, but our assessment is that it is minor, given +that the network connections are all within VPCs and an attacker who could become a man-in-the-middle would likely to be +able to gain access to all the cluster's resources through Kubernetes. ## Security To Do ### SSL Server Certificate Validation To get the Aurora MySQL SSL connection to validate: -1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (expires Mar 5 09:11:31 2020 GMT) -or successor (consult current RDS documentation) + +1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (expires Mar 5 09:11:31 2020 + GMT) or successor (consult current RDS documentation) 2. Save it in a `ConfigMap` 3. Mount it into the Grafana pod -4. Configure the path to it via [`ca_cert_path`](https://grafana.com/docs/installation/configuration/#ca-cert-path) -in `grafana.ini` +4. 
Configure the path to it via [`ca_cert_path`](https://grafana.com/docs/installation/configuration/#ca-cert-path) in + `grafana.ini` 5. Set `ssl_mode` to `"true"` in `grafana.ini` diff --git a/deprecated/aws/keycloak-backing-services/README.md b/deprecated/aws/keycloak-backing-services/README.md index 631b02f36..148553f66 100644 --- a/deprecated/aws/keycloak-backing-services/README.md +++ b/deprecated/aws/keycloak-backing-services/README.md 
@@ -8,64 +8,56 @@ As of this writing, this only provisions an Aurora MySQL 5.7 database. ### Database encryption -This module, as of this writing, provisions a database that is **not** encrypted. -This means that database backups/snapshots are also unencrypted. The database, -and of course the backups, contain secrets that an attacker could use -to gain access to anything protected by Keycloak. -This is a security risk, though it is hard to quantify how serious it is. -While adding encryption is of course good "security in depth", -our current assessment is that encrypting the database provides little -practical additional security for the following reasons. - -The database backups are protected using IAM, and any database encryption -key would also be available to someone with the right IAM credentials. As a -practical matter, anyone with access to the backups will likely also have -access to the encryption key via KMS, or be able to access the database -directly after getting the user and password from SSM, or be able to -execute commands in the Keycloak pod/container that expose the secrets. +This module, as of this writing, provisions a database that is **not** encrypted. This means that database +backups/snapshots are also unencrypted. The database, and of course the backups, contain secrets that an attacker could +use to gain access to anything protected by Keycloak. This is a security risk, though it is hard to quantify how serious +it is. While adding encryption is of course good "security in depth", our current assessment is that encrypting the +database provides little practical additional security for the following reasons. + +The database backups are protected using IAM, and any database encryption key would also be available to someone with +the right IAM credentials. 
As a practical matter, anyone with access to the backups will likely also have access to the +encryption key via KMS, or be able to access the database directly after getting the user and password from SSM, or be +able to execute commands in the Keycloak pod/container that expose the secrets. ### SSL Server Certificate Validation -Connection to the MySQL server take place via SSL, but the RDS servers -use a distinct root certificate authority (CA) that is not in the -default trust store. Thus the MySQL client cannot validate that it is -talking to the actual MySQL server and is open to man-in-the-middle -attack. This is a security risk, but our assessment is that it is minor, -given that the network connections are all within VPCs and an attacker -who could become a man-in-the-middle would likely to be able to gain -access to all the resources protected by Keycloak by appearing to be -an authorized local service. +Connection to the MySQL server take place via SSL, but the RDS servers use a distinct root certificate authority (CA) +that is not in the default trust store. Thus the MySQL client cannot validate that it is talking to the actual MySQL +server and is open to man-in-the-middle attack. This is a security risk, but our assessment is that it is minor, given +that the network connections are all within VPCs and an attacker who could become a man-in-the-middle would likely to be +able to gain access to all the resources protected by Keycloak by appearing to be an authorized local service. ## Security To Do ### Database encryption -To keep the database encrypted, this module will have to be extended: -1 Create a KMS key for encrypting the database. Using the RDS default key -is not advisable since the only practical advantage of the key comes from -limiting access to it, and the default key will likey have relatively -wide access. -1. Create an IAM role for Keycloak that has access to the key. 
Nodes running -`kiam-server` will need to be able to assume this role. +To keep the database encrypted, this module will have to be extended: 1 Create a KMS key for encrypting the database. +Using the RDS default key is not advisable since the only practical advantage of the key comes from limiting access to +it, and the default key will likey have relatively wide access. + +1. Create an IAM role for Keycloak that has access to the key. Nodes running `kiam-server` will need to be able to + assume this role. 2. Enable encryption for the database using this key. -Then the Keycloak deployment (actually `StatefulSet`) will need to be -annotated so that `kiam` grants Keycloak access to this role. +Then the Keycloak deployment (actually `StatefulSet`) will need to be annotated so that `kiam` grants Keycloak access to +this role. ### SSL Server Certificate Validation To get the RDS MySQL SSL connection to validate: -1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem expires (Mar 5 09:11:31 2020 GMT) -or successor (consult current RDS documentation) + +1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem expires (Mar 5 09:11:31 2020 GMT) or + successor (consult current RDS documentation) 2. Import it into a Java KeyStore (JKS) - * Run`keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass mypassword` in a Keycloak - container in order to be sure to get a compatible version of the Java SDK `keytool` + - Run`keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass mypassword` in a Keycloak + container in order to be sure to get a compatible version of the Java SDK `keytool` 3. Copy the KeyStore into a secret 4. Mount the Secret -5. Set [`JDBC_PARAMS` environment variable](https://github.com/jboss-dockerfiles/keycloak/blob/119fb1f61a477ec217ba71c18c3a71a10e8d5575/server/tools/cli/databases/mysql/change-database.cli#L2 ) +5. 
Set + [`JDBC_PARAMS` environment variable](https://github.com/jboss-dockerfiles/keycloak/blob/119fb1f61a477ec217ba71c18c3a71a10e8d5575/server/tools/cli/databases/mysql/change-database.cli#L2) to `?clientCertificateKeyStoreUrl=file:///path-to-keystore&clientCertificateKeyStorePassword=mypassword` 6. Note that it would seem to be more appropriate to set to -`?trustCertificateKeyStoreUrl=file:///path-to-keystore&trustCertificateKeyStorePassword=mypassword` - but the [documentation](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html) - [consistently](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) - says to use the `clientCertificate*` stuff for verifying the server. + `?trustCertificateKeyStoreUrl=file:///path-to-keystore&trustCertificateKeyStorePassword=mypassword` but the + [documentation](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html) + [consistently](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) says + to use the `clientCertificate*` stuff for verifying the server. diff --git a/deprecated/aws/kops-legacy-account-vpc-peering/README.md b/deprecated/aws/kops-legacy-account-vpc-peering/README.md index 12ffd3cf8..568ae982c 100644 --- a/deprecated/aws/kops-legacy-account-vpc-peering/README.md +++ b/deprecated/aws/kops-legacy-account-vpc-peering/README.md 
@@ -2,11 +2,13 @@ Terraform module to provision VPC peering between a `kops` VPC and a VPC from a legacy AWS account. -From the legacy AWS account, which will be the accepter of the VPC peering connection, the following values are required: +From the legacy AWS account, which will be the accepter of the VPC peering connection, the following values are +required: - `legacy_account_assume_role_arn` - Legacy account assume role ARN -- `legacy_account_region` - Legacy account AWS region (e.g. `us-west-2`) -- `legacy_account_vpc_id` - Legacy account VPC ID (the VPC which will accept peering connection from the `kops` VPC). __NOTE:__ the CIDR blocks of the `kops` VPC and the legacy account VPC must not overlap +- `legacy_account_region` - Legacy account AWS region (e.g. `us-west-2`) +- `legacy_account_vpc_id` - Legacy account VPC ID (the VPC which will accept peering connection from the `kops` VPC). + **NOTE:** the CIDR blocks of the `kops` VPC and the legacy account VPC must not overlap The `legacy_account_assume_role_arn` IAM Role should have the following Trust Policy: @@ -28,7 +30,8 @@ The `legacy_account_assume_role_arn` IAM Role should have the following Trust Po and the following IAM Policy attached to it: -__NOTE:__ the policy specifies the minimum permission set required to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the VPC peering connection resources in the accepter (legacy) AWS account +**NOTE:** the policy specifies the minimum permission set required to create (with `terraform plan/apply`) and delete +(with `terraform destroy`) all the VPC peering connection resources in the accepter (legacy) AWS account ```js { 
@@ -79,4 +82,5 @@ __NOTE:__ the policy specifies the minimum permission set required to create (wi } ``` -For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam). +For more information on IAM policies and permissions for VPC peering, see +[Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam). diff --git a/deprecated/aws/kops/README.md b/deprecated/aws/kops/README.md index a5cd5ae3d..fe5520b96 100644 --- a/deprecated/aws/kops/README.md +++ b/deprecated/aws/kops/README.md @@ -1,12 +1,12 @@ # Kubernetes Ops (kops) -This project provisions dependencies for `kops` clusters including the DNS zone, S3 bucket for state storage, SSH keypair. +This project provisions dependencies for `kops` clusters including the DNS zone, S3 bucket for state storage, SSH +keypair. It also writes the computed settings to SSM for usage by other modules or tools. ## Configuration Settings - The minimum recommended settings are the following (`terraform.tfvars`): ``` 
@@ -20,21 +20,28 @@ region = "us-west-2" ## Quick Start -This is roughly the process to get up and running. These instructions assume you're running inside of a [Geodesic shell](https://github.com/cloudposse/geodesic). +This is roughly the process to get up and running. These instructions assume you're running inside of a +[Geodesic shell](https://github.com/cloudposse/geodesic). + 1. Update the `terraform.tfvars` with [desired settings](#configuration-settings). Rebuild the container if necessary. 2. Run `assume-role` to obtain a session. 3. Run `make apply` to provision kops dependencies with terraform (not the cluster itself) -4. Run `make kops/shell` to drop into a shell with configured environment for `kops`. Do this any time you want to interact with the cluster. +4. Run `make kops/shell` to drop into a shell with configured environment for `kops`. Do this any time you want to + interact with the cluster. 5. Run `make kops/build-manifest` to compile the configuration template with current environment settings -6. Run `make kops/create` to submit the cluster state manifest to the cluster state store. Note, no resources will be provisioned. -7. Run `make kops/create-secret-sshpublickey` to provision the SSH public key. Note, the public key was created in the `make apply` step and requires `/secrets/tf` to be mounted. Mount this directory by running `mount -a`. +6. Run `make kops/create` to submit the cluster state manifest to the cluster state store. Note, no resources will be + provisioned. +7. Run `make kops/create-secret-sshpublickey` to provision the SSH public key. Note, the public key was created in the + `make apply` step and requires `/secrets/tf` to be mounted. Mount this directory by running `mount -a`. 8. Run `make kops/plan` to view the proposed cluster 9. Run `make kops/apply` to build the cluster -10. Run `make kops/validate` to view cluster status. Note, it will take ~10 minutes to come online (depending on cluster size) +10. 
Run `make kops/validate` to view cluster status. Note, it will take ~10 minutes to come online (depending on cluster + size) Once the cluster is online, you can interact with it using `kubectl`. To start, first run this to export `kubecfg` from the `kops` state store (required to access the cluster): + ``` make kops/export ``` diff --git a/deprecated/aws/opsgenie/README.md b/deprecated/aws/opsgenie/README.md index 1dad6bb29..2b6b3a694 100644 --- a/deprecated/aws/opsgenie/README.md +++ b/deprecated/aws/opsgenie/README.md @@ -1,6 +1,7 @@ # Component: `opsgenie` -Terraform component to provision [Opsgenie resources](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs). +Terraform component to provision +[Opsgenie resources](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs). ## Usage @@ -9,7 +10,9 @@ Terraform component to provision [Opsgenie resources](https://registry.terraform Here's an example snippet for how to use this component. For more information use these resources: 1. See the [detailed usage](./detailed-usage.md) documentation for the full breakdown in usage. -1. View the [Cloud Posse opsgenie module's example configuration](https://github.com/cloudposse/terraform-opsgenie-incident-management/tree/master/examples/config/resources) for a more complete example. +1. View the + [Cloud Posse opsgenie module's example configuration](https://github.com/cloudposse/terraform-opsgenie-incident-management/tree/master/examples/config/resources) + for a more complete example. ```yaml components: 
@@ -17,142 +20,144 @@ components: opsgenie: vars: teams: - - name: acme - description: Global Team for Acme Co. - members: - username: opsgenie-test@cloudposse.com - role: admin - - name: acme.dev - description: Acme Dev Team - delete_default_resources: true - members: - username: opsgenie-test@cloudposse.com - role: admin - - name: acme.dev.some-service - description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" - ignore_members: true - delete_default_resources: true - members: - username: opsgenie-test@cloudposse.com - role: admin + - name: acme + description: Global Team for Acme Co. + members: + username: opsgenie-test@cloudposse.com + role: admin + - name: acme.dev + description: Acme Dev Team + delete_default_resources: true + members: + username: opsgenie-test@cloudposse.com + role: admin + - name: acme.dev.some-service + description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" + ignore_members: true + delete_default_resources: true + members: + username: opsgenie-test@cloudposse.com + role: admin alert_policies: - - name: "prioritize-env-prod-critical-alerts" - owner_team_name: acme.dev - tags: - - "ManagedBy:terraform" - filter: - type: match-all-conditions - conditions: - - field: source - operation: matches - expected_value: ".*prod.acme.*" - - field: tags - operation: contains - expected_value: "severity:critical" - priority: P1 + - name: "prioritize-env-prod-critical-alerts" + owner_team_name: acme.dev + tags: + - "ManagedBy:terraform" + filter: + type: match-all-conditions + conditions: + - field: source + operation: matches + expected_value: ".*prod.acme.*" + - field: tags + operation: contains + expected_value: "severity:critical" + priority: P1 escalations: - - name: acme.dev.some-service-escalation - description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" - owner_team_name: acme.dev - rule: - condition: if-not-acked - notify_type: 
default - delay: 0 - recipients: - - type: team - team_name: acme.dev.some-service + - name: acme.dev.some-service-escalation + description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" + owner_team_name: acme.dev + rule: + condition: if-not-acked + notify_type: default + delay: 0 + recipients: + - type: team + team_name: acme.dev.some-service api_integrations: - - name: acme-dev-opsgenie-sns-integration - type: AmazonSns - owner_team_name: acme.dev + - name: acme-dev-opsgenie-sns-integration + type: AmazonSns + owner_team_name: acme.dev ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.12 | -| [aws](#requirement\_aws) | >= 2.0 | -| [local](#requirement\_local) | >= 1.3 | -| [opsgenie](#requirement\_opsgenie) | >= 0.5.0 | -| [template](#requirement\_template) | >= 2.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 0.12 | +| [aws](#requirement_aws) | >= 2.0 | +| [local](#requirement_local) | >= 1.3 | +| [opsgenie](#requirement_opsgenie) | >= 0.5.0 | +| [template](#requirement_template) | >= 2.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 2.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 2.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [opsgenie\_config](#module\_opsgenie\_config) | git::https://github.com/cloudposse/terraform-opsgenie-incident-management.git//modules/config | 0.9.0 | -| [this](#module\_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | +| Name | Source | Version | +| -------------------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------- | ----------- | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [opsgenie_config](#module_opsgenie_config) | git::https://github.com/cloudposse/terraform-opsgenie-incident-management.git//modules/config | 0.9.0 | +| [this](#module_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | ## Resources -| Name | Type | -|------|------| -| [aws_ssm_parameter.opsgenie_datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [aws_ssm_parameter.opsgenie_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| Name | Type | +| --------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_ssm_parameter.opsgenie_datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.opsgenie_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS key used for writing to SSM | `string` | `"alias/aws/ssm"` | no | -| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [ssm\_parameter\_name\_format](#input\_ssm\_parameter\_name\_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | -| [ssm\_path](#input\_ssm\_path) | SSM path | `string` | `"opsgenie"` | no | -| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [tfstate\_account\_id](#input\_tfstate\_account\_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | -| [tfstate\_assume\_role](#input\_tfstate\_assume\_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | -| [tfstate\_bucket\_environment\_name](#input\_tfstate\_bucket\_environment\_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | -| [tfstate\_bucket\_stage\_name](#input\_tfstate\_bucket\_stage\_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | -| [tfstate\_existing\_role\_arn](#input\_tfstate\_existing\_role\_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | -| [tfstate\_role\_arn\_template](#input\_tfstate\_role\_arn\_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | -| [tfstate\_role\_environment\_name](#input\_tfstate\_role\_environment\_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | -| [tfstate\_role\_name](#input\_tfstate\_role\_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | -| [tfstate\_role\_stage\_name](#input\_tfstate\_role\_stage\_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| 
[additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [kms_key_arn](#input_kms_key_arn) | AWS KMS key used for writing to SSM | `string` | `"alias/aws/ssm"` | no | +| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [ssm_parameter_name_format](#input_ssm_parameter_name_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | +| [ssm_path](#input_ssm_path) | SSM path | `string` | `"opsgenie"` | no | +| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [tfstate_account_id](#input_tfstate_account_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | +| [tfstate_assume_role](#input_tfstate_assume_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | +| [tfstate_bucket_environment_name](#input_tfstate_bucket_environment_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | +| [tfstate_bucket_stage_name](#input_tfstate_bucket_stage_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | +| [tfstate_existing_role_arn](#input_tfstate_existing_role_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | +| [tfstate_role_arn_template](#input_tfstate_role_arn_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | +| [tfstate_role_environment_name](#input_tfstate_role_environment_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | +| [tfstate_role_name](#input_tfstate_role_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | +| [tfstate_role_stage_name](#input_tfstate_role_stage_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | ## Outputs -| Name | Description | -|------|-------------| -| [alert\_policies](#output\_alert\_policies) | Alert policies | -| [api\_integrations](#output\_api\_integrations) | API integrations | -| [escalations](#output\_escalations) | Escalations | -| [existing\_users](#output\_existing\_users) | Existing Users | -| [notification\_policies](#output\_notification\_policies) | Notification policies | -| [service\_incident\_rule\_ids](#output\_service\_incident\_rule\_ids) | Service Incident Rule IDs | -| [services](#output\_services) | Services | -| [team\_routing\_rules](#output\_team\_routing\_rules) | Team routing rules | -| [teams](#output\_teams) | Teams | -| [users](#output\_users) | Users | - +| Name | Description | +| -------------------------------------------------------------------------------------------------------------- | ------------------------- | +| [alert_policies](#output_alert_policies) | Alert policies | +| [api_integrations](#output_api_integrations) | API integrations | +| [escalations](#output_escalations) | Escalations | +| [existing_users](#output_existing_users) | Existing Users | +| [notification_policies](#output_notification_policies) | Notification policies | +| 
[service_incident_rule_ids](#output_service_incident_rule_ids) | Service Incident Rule IDs | +| [services](#output_services) | Services | +| [team_routing_rules](#output_team_routing_rules) | Team routing rules | +| [teams](#output_teams) | Teams | +| [users](#output_users) | Users | + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/opsgenie) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/opsgenie) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/aws/opsgenie/detailed-usage.md b/deprecated/aws/opsgenie/detailed-usage.md index d71d1a89f..8ddc18d69 100644 --- a/deprecated/aws/opsgenie/detailed-usage.md +++ b/deprecated/aws/opsgenie/detailed-usage.md @@ -2,30 +2,27 @@ The following Opsgenie resources are configured (see [resources](resources)): - - [API Integrations](resources/api_integrations.yaml) - - [Teams](resources/teams.yaml) - - [Users](resources/existing_users.yaml) - - [Notification Policies](resources/notification_policies.yaml) - - [Alert Policies](resources/alert_policies.yaml) - - [Services](resources/services) - - [Service Incident Rules](resources/services) - - [Escalations](resources/escalations.yaml) - +- [API Integrations](resources/api_integrations.yaml) +- [Teams](resources/teams.yaml) +- [Users](resources/existing_users.yaml) +- [Notification Policies](resources/notification_policies.yaml) +- [Alert Policies](resources/alert_policies.yaml) +- [Services](resources/services) +- [Service Incident Rules](resources/services) +- [Escalations](resources/escalations.yaml)
### `api_integrations.yaml` -__NOTE:__ We provision a Datadog integration without specifying the owning team. -Because of that, all alerts coming to Opsgenie from Datadog do not get assigned to a team automatically (if we specified the owning team, -then all alerts would go to the members of the team). -We assign alerts to the teams in the Alert Policies - when the filter conditions are `true`, the incoming alert gets assigned to a team. -This way, we can filter out and assigns to the teams only the actionable alerts (you can still view all alerts in the Opsgenie UI). - +**NOTE:** We provision a Datadog integration without specifying the owning team. Because of that, all alerts coming to +Opsgenie from Datadog do not get assigned to a team automatically (if we specified the owning team, then all alerts +would go to the members of the team). We assign alerts to the teams in the Alert Policies - when the filter conditions +are `true`, the incoming alert gets assigned to a team. This way, we can filter out and assigns to the teams only the +actionable alerts (you can still view all alerts in the Opsgenie UI). ```yaml api_integrations: - - name: datadog type: Datadog # Use an empty value for `owner_team_name` to make it a global integration 
@@ -40,16 +37,18 @@ See [Opsgenie API Integration](https://docs.opsgenie.com/docs/api-integration) f Users are assigned to teams in `teams.yaml`. -We can assign the existing users (those that already present in Opsgenie, e.g. from Jira), or we can create new users and assign them to teams. +We can assign the existing users (those that already present in Opsgenie, e.g. from Jira), or we can create new users +and assign them to teams. -Describe the existing users in `existing_users.yaml` (see below). These users will be looked up using the data source `data "opsgenie_user"`. +Describe the existing users in `existing_users.yaml` (see below). These users will be looked up using the data source +`data "opsgenie_user"`. Describe new users in `users.yaml` (see below). These users will be created in Opsgenie. -__NOTE:__ The user's `username` is email and must be unique. - -__NOTE:__ Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the Opsgenie Terraform provider). +**NOTE:** The user's `username` is email and must be unique. +**NOTE:** Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the +Opsgenie Terraform provider).
@@ -82,7 +81,6 @@ The existing users (those that are already in Opsgenie) are described here. These users will be looked up using the data source `data "opsgenie_user"`. - ```yaml existing_users: - username: user1@example.com @@ -99,8 +97,8 @@ See [Opsgenie Users](https://docs.opsgenie.com/docs/users) for more details. New users (to be created by the module) are described here. -__NOTE:__ Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the Opsgenie Terraform provider). - +**NOTE:** Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the +Opsgenie Terraform provider). ```yaml users: @@ -115,15 +113,13 @@ See [Opsgenie Users](https://docs.opsgenie.com/docs/users) for more details.
- ### `notification_policies.yaml` -Notification Policies are used to apply different operations (e.g. `delay/suppress`, `auto restart`, and `auto close`) to all team alert notifications. - +Notification Policies are used to apply different operations (e.g. `delay/suppress`, `auto restart`, and `auto close`) +to all team alert notifications. ```yaml notification_policies: - - name: auto-close-based-on-priority team_name: test auto_close_action: @@ -143,12 +139,11 @@ See [Opsgenie Notification Policy](https://docs.opsgenie.com/docs/team-policies# ### `escalations.yaml` -Escalations are used to escalate the alerts and incidents to a top-level Team -if they do not get acknowledged during the specified amount of time. +Escalations are used to escalate the alerts and incidents to a top-level Team if they do not get acknowledged during the +specified amount of time. Escalations are also used to notify responders according to a given order. - ```yaml escalations: - name: example-team-escalation-to-devops 
@@ -176,26 +171,30 @@ See [Opsgenie Escalations](https://docs.opsgenie.com/docs/escalations) for more The following flow of events is supported: - - Datadog sends alerts to Opsgenie. All incoming alerts are shown in the Opsgenie UI, but the alerts don't get assigned to teams automatically. +- Datadog sends alerts to Opsgenie. All incoming alerts are shown in the Opsgenie UI, but the alerts don't get assigned + to teams automatically. - - The Alert Policies get evaluated by looking for a specific text in the alert's message or description. - If the filter conditions in any Alert Policy are evaluated to `true`, the policy gets executed and the alert gets assigned to the team specified in the Alert Policy. - Also, a tag with the name of the service gets added to the alert. +- The Alert Policies get evaluated by looking for a specific text in the alert's message or description. If the filter + conditions in any Alert Policy are evaluated to `true`, the policy gets executed and the alert gets assigned to the + team specified in the Alert Policy. Also, a tag with the name of the service gets added to the alert. - - The Service Incident Rules get evaluated. - If the filter conditions in any Service Incident Rules are evaluated to `true`, the rule gets executed, and an incident is created for the service - and assigned to the team the service belongs to. The users of the team get notifications about the incident (via the configured channels, e.g. email, SMS, Opsgenie app, etc.). - On the other hand, if the filter conditions in any Service Incident Rules are evaluated to `false`, Opsgenie does not create an incident, - but instead notifies the users of the team about the alert via the configured channels. +- The Service Incident Rules get evaluated. If the filter conditions in any Service Incident Rules are evaluated to + `true`, the rule gets executed, and an incident is created for the service and assigned to the team the service + belongs to. 
The users of the team get notifications about the incident (via the configured channels, e.g. email, SMS, + Opsgenie app, etc.). On the other hand, if the filter conditions in any Service Incident Rules are evaluated to + `false`, Opsgenie does not create an incident, but instead notifies the users of the team about the alert via the + configured channels. - - If the alert or incident is not acknowledged by any of the team members during the specified amount of time, the Team's Escalations get evaluated. If Opsgenie finds - an Escalation for the team, it sends notifications to the recipients of the Escalation (e.g. to the users of a top-level Team). +- If the alert or incident is not acknowledged by any of the team members during the specified amount of time, the + Team's Escalations get evaluated. If Opsgenie finds an Escalation for the team, it sends notifications to the + recipients of the Escalation (e.g. to the users of a top-level Team).
## New Service Setup -The Opsgenie resources for a new service are provided in a separate YAML config file (for readability and easy of management). +The Opsgenie resources for a new service are provided in a separate YAML config file (for readability and easy of +management). To add a new service configuration, create a new YAML file with the name of the service. 
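Review bot: the reflowed `+` line `The Opsgenie resources for a new service are provided in a separate YAML config file (for readability and easy of` keeps the pre-existing typo; since this hunk already rewrites that sentence, change `easy of management` to `ease of management` here rather than leaving it for a later commit. The bullet reflow in the rest of the hunk is content-neutral: each of the four flow-of-events items keeps its sentences intact and only the line breaks move, so no further change is needed there.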
@@ -203,130 +202,134 @@ See [resources/services](resources/services) for details on each service. Each service's config file contains the three sections: - - `service` - provides the name of the service and the name of the team the service belongs to - - `alert_policies` - a list of Opsgenie [Alert Policies](https://docs.opsgenie.com/docs/global-policies#alert-policy) for the service - - `service_incident_rules` - a list of Opsgenie [Service Incident Rules](https://docs.opsgenie.com/docs/service-incident-rules-api) for the service +- `service` - provides the name of the service and the name of the team the service belongs to +- `alert_policies` - a list of Opsgenie [Alert Policies](https://docs.opsgenie.com/docs/global-policies#alert-policy) + for the service +- `service_incident_rules` - a list of Opsgenie + [Service Incident Rules](https://docs.opsgenie.com/docs/service-incident-rules-api) for the service Below are the steps to create Datadog monitors and Opsgenie alert policies and incident rules for a new service. -__NOTE:__ We will be using `example-service` as an example. - - - In the [datadog-monitor](../datadog-monitor) project, add a new YAML file with Datadog monitor configurations for the new service. - For the `example-service`, the file name is [example-service.yaml](../datadog-monitor/monitors/example-service.yaml). - - - Configure Datadog monitors for the service. 
- For example, to monitor the error rate on `prod`, add the following configuration: - - ```yaml - example-service-prod-high-error-rate: - name: "(example-service) Service example-service has a high error rate on env:prod" - type: query alert - query: | - sum(last_10m):( sum:trace.flask.request.errors{service:example-service,env:prod}.as_count() / sum:trace.flask.request.hits{service:example-service,env:prod}.as_count() ) > 0.05 - message: | - example-service error rate is too high on env:prod - escalation_message: "" - tags: - - "ManagedBy:Terraform" - - "service:example-service" - - "env:prod" - - "alert:high-error-rate" - notify_no_data: false - notify_audit: true - require_full_window: false - enable_logs_sample: false - force_delete: true - include_tags: true - locked: false - renotify_interval: 0 - timeout_h: 0 - evaluation_delay: 60 - new_host_delay: 300 - no_data_timeframe: 10 - threshold_windows: { } - thresholds: - critical: 0.05 - warning: 0.01 - ``` - - Note that the `tags` added to the monitor can be used in Opsgenie alert policies and incident rules to match specific alerts from Datadog. - - - Add the users responsible for the service to [Opsgenie Users](resources/existing_users.yaml) - (or to `users.yaml` if the users don't yet exist in Opsgenie, and you want to create them with Terraform). - - ```yaml - existing_users: - - username: user1@example.com - ``` +**NOTE:** We will be using `example-service` as an example. + +- In the [datadog-monitor](../datadog-monitor) project, add a new YAML file with Datadog monitor configurations for the + new service. For the `example-service`, the file name is + [example-service.yaml](../datadog-monitor/monitors/example-service.yaml). - - Assign the users to the [Opsgenie Team](resources/teams.yaml) +- Configure Datadog monitors for the service. 
For example, to monitor the error rate on `prod`, add the following + configuration: - ```yaml - - name: example-team - description: "Example Team" - members: - - username: user1@example.com - role: admin - ``` +```yaml +example-service-prod-high-error-rate: + name: "(example-service) Service example-service has a high error rate on env:prod" + type: query alert + query: | + sum(last_10m):( sum:trace.flask.request.errors{service:example-service,env:prod}.as_count() / sum:trace.flask.request.hits{service:example-service,env:prod}.as_count() ) > 0.05 + message: | + example-service error rate is too high on env:prod + escalation_message: "" + tags: + - "ManagedBy:Terraform" + - "service:example-service" + - "env:prod" + - "alert:high-error-rate" + notify_no_data: false + notify_audit: true + require_full_window: false + enable_logs_sample: false + force_delete: true + include_tags: true + locked: false + renotify_interval: 0 + timeout_h: 0 + evaluation_delay: 60 + new_host_delay: 300 + no_data_timeframe: 10 + threshold_windows: {} + thresholds: + critical: 0.05 + warning: 0.01 +``` - - Add [The service and Opsgenie Alert Policies and Service Incident Rules](resources/services/example-service.yaml) +Note that the `tags` added to the monitor can be used in Opsgenie alert policies and incident rules to match specific +alerts from Datadog. - NOTE: The alert policy will assign the Team specified in the `responders` section to the alerts. - The `responders` section is a list, so you can assign many teams as responders to the alerts. +- Add the users responsible for the service to [Opsgenie Users](resources/existing_users.yaml) (or to `users.yaml` if + the users don't yet exist in Opsgenie, and you want to create them with Terraform). 
- ```yaml - service: - - name: example-service +```yaml +existing_users: + - username: user1@example.com +``` + +- Assign the users to the [Opsgenie Team](resources/teams.yaml) + +```yaml +- name: example-team + description: "Example Team" + members: + - username: user1@example.com + role: admin +``` + +- Add [The service and Opsgenie Alert Policies and Service Incident Rules](resources/services/example-service.yaml) + + NOTE: The alert policy will assign the Team specified in the `responders` section to the alerts. The `responders` + section is a list, so you can assign many teams as responders to the alerts. + +```yaml +service: + - name: example-service + team_name: example-team + +alert_policies: + - name: example-service-alert-policy + owner_team_name: + tags: + - "ManagedBy:terraform" + - "service:example-service" + filter: + type: match-any-condition + conditions: + - field: description + operation: contains + expected_value: "example-service" + - field: message + operation: contains + expected_value: "example-service" + continue_policy: true + ignore_original_responders: true + responders: + - type: team team_name: example-team +service_incident_rules: + - name: example-service-incident-rule + service_name: example-service + incident_rule: + condition_match_type: match-any-condition + + conditions: + - field: tags + operation: contains + expected_value: "service:example-service" + + incident_properties: + message: example-service is having issues + priority: P2 + stakeholder_properties: + message: example-service is having issues + enable: true +``` + +NOTE: In the Alert Policy, `condition_match_type: match-any-condition` is a logical `OR`, which means if any condition +is `true`, the alert will be assigned to the service's team. In the example above, alerts will be assigned to the +`example-team` team if the alert's message or description contains `example-service`. 
If the condition matches, we also +add the tag `service:example-service` to the alert, which we use in the conditions of the Service Incident Rule. + +NOTE: In the Service Incident Rule, we check if the alert's tags contain the service name tag (`service:example-service` +in this case). If the condition matches, we create an incident and assign it to the team, the members of which get +notifications about the incident. - alert_policies: - - name: example-service-alert-policy - owner_team_name: - tags: - - "ManagedBy:terraform" - - "service:example-service" - filter: - type: match-any-condition - conditions: - - field: description - operation: contains - expected_value: "example-service" - - field: message - operation: contains - expected_value: "example-service" - continue_policy: true - ignore_original_responders: true - responders: - - type: team - team_name: example-team - - - service_incident_rules: - - name: example-service-incident-rule - service_name: example-service - incident_rule: - condition_match_type: match-any-condition - - conditions: - - field: tags - operation: contains - expected_value: "service:example-service" - - incident_properties: - message: example-service is having issues - priority: P2 - stakeholder_properties: - message: example-service is having issues - enable: true - ``` - - NOTE: In the Alert Policy, `condition_match_type: match-any-condition` is a logical `OR`, which means if any condition is `true`, the alert will be - assigned to the service's team. In the example above, alerts will be assigned to the `example-team` team if the alert's message or description contains `example-service`. - If the condition matches, we also add the tag `service:example-service` to the alert, which we use in the conditions of the Service Incident Rule. - - NOTE: In the Service Incident Rule, we check if the alert's tags contain the service name tag (`service:example-service` in this case). 
- If the condition matches, we create an incident and assign it to the team, the members of which get notifications about the incident. - - - Provision the `datadog-monitor` and `opsgenie` projects with Terraform. - Datadog will monitor the `example-servise` with the provisioned monitors and send alerts to Opsgenie. +- Provision the `datadog-monitor` and `opsgenie` projects with Terraform. Datadog will monitor the `example-servise` + with the provisioned monitors and send alerts to Opsgenie. diff --git a/deprecated/aws/tfstate-backend/README.md b/deprecated/aws/tfstate-backend/README.md index 196869467..de809c009 100644 --- a/deprecated/aws/tfstate-backend/README.md +++ b/deprecated/aws/tfstate-backend/README.md @@ -5,12 +5,14 @@ Perform these steps in each account, the very first time, in order to setup the ## Create Provision the bucket: + ``` make init ``` -Follow the instructions at the end. Ensure the environment variables have been set in the `Dockerfile`. -They look something like this: +Follow the instructions at the end. Ensure the environment variables have been set in the `Dockerfile`. They look +something like this: + ``` ENV TF_BUCKET="cpco-staging-terraform-state" ENV TF_BUCKET_REGION="us-west-2" @@ -22,8 +24,10 @@ ENV TF_DYNAMODB_TABLE="cpco-staging-terraform-state-lock" To destroy the state bucket, first make sure all services in the account have already been destroyed. Then run: + ``` make destroy ``` -**NOTE:** This will only work if the state was previously initialized with `force_destroy=true`. If not, set `force_destroy=true`, rerun `terraform apply`, then run `make destroy`. +**NOTE:** This will only work if the state was previously initialized with `force_destroy=true`. If not, set +`force_destroy=true`, rerun `terraform apply`, then run `make destroy`. diff --git a/deprecated/eks-iam/README.md b/deprecated/eks-iam/README.md index bd080c708..551a5beb7 100644 --- a/deprecated/eks-iam/README.md +++ b/deprecated/eks-iam/README.md 
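Review bot: in the `New Service Setup` hunk, dedenting the fenced YAML blocks and the trailing `NOTE:` paragraphs from the list items to column 0 changes the rendered structure, not just the whitespace. In the old version every code block and note sat inside its step (indented under the bullet), so the procedure rendered as one list; in the new version each fence at column 0 closes the list, so `- Assign the users to the [Opsgenie Team](resources/teams.yaml)`, `- Add [The service and Opsgenie Alert Policies and Service Incident Rules]` and `- Provision the ...` each become a separate one-item list and the YAML no longer reads as belonging to a step. Re-indent the fences and notes to the item's content column so markdown keeps them nested in the step, or number the steps so the sequence survives the reflow. Also fix the pre-existing typo on the touched line `Datadog will monitor the `example-servise``: it should be `example-service`, the name used everywhere else in the file.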
@@ -1,6 +1,8 @@ # Component: `eks-iam` -This component is responsible for provisioning specific [IAM roles for Kubernetes Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). IAM roles are created for the following Kubernetes projects: +This component is responsible for provisioning specific +[IAM roles for Kubernetes Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). +IAM roles are created for the following Kubernetes projects: 1. [aws-load-balancer-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) 1. [cluster-proportional-autoscaler](https://github.com/kubernetes-sigs/cluster-proportional-autoscaler) 
@@ -25,90 +27,92 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.0 | -| [aws](#requirement\_aws) | >= 3.0 | -| [local](#requirement\_local) | >= 1.3 | -| [template](#requirement\_template) | >= 2.2 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 0.13.0 | +| [aws](#requirement_aws) | >= 3.0 | +| [local](#requirement_local) | >= 1.3 | +| [template](#requirement_template) | >= 2.2 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.0 | -| [terraform](#provider\_terraform) | n/a | +| Name | Version | +| ------------------------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 3.0 | +| [terraform](#provider_terraform) | n/a | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [alb-controller](#module\_alb-controller) | ./modules/service-account | n/a | -| [autoscaler](#module\_autoscaler) | ./modules/service-account | n/a | -| [cert-manager](#module\_cert-manager) | ./modules/service-account | n/a | -| [external-dns](#module\_external-dns) | ./modules/service-account | n/a | -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------- | ----------------------------------------------------------- | ----------- | +| [alb-controller](#module_alb-controller) | ./modules/service-account | n/a | +| [autoscaler](#module_autoscaler) | ./modules/service-account | n/a | +| [cert-manager](#module_cert-manager) | ./modules/service-account | n/a | +| [external-dns](#module_external-dns) | ./modules/service-account | n/a | +| [iam_roles](#module_iam_roles) | 
../account-map/modules/iam-roles | n/a | +| [this](#module_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | ## Resources -| Name | Type | -|------|------| -| [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_kms_alias.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | -| [terraform_remote_state.account_map](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| [terraform_remote_state.dns_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| Name | Type | +| --------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| 
[terraform_remote_state.account_map](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| [terraform_remote_state.dns_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | | [terraform_remote_state.dns_gbl_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| [terraform_remote_state.eks](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| [terraform_remote_state.eks](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [dns\_gbl\_delegated\_environment\_name](#input\_dns\_gbl\_delegated\_environment\_name) | The name of the environment where global `dns_delegated` is provisioned | `string` | `"gbl"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kms\_alias\_name](#input\_kms\_alias\_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no | -| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [optional\_service\_accounts](#input\_optional\_service\_accounts) | List of optional service accounts to enable | `list(string)` | `[]` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [standard\_service\_accounts](#input\_standard\_service\_accounts) | List of standard service accounts expected to be enabled everywhere | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [tfstate\_account\_id](#input\_tfstate\_account\_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | -| [tfstate\_assume\_role](#input\_tfstate\_assume\_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | -| [tfstate\_bucket\_environment\_name](#input\_tfstate\_bucket\_environment\_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | -| [tfstate\_bucket\_stage\_name](#input\_tfstate\_bucket\_stage\_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | -| [tfstate\_existing\_role\_arn](#input\_tfstate\_existing\_role\_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | -| [tfstate\_role\_arn\_template](#input\_tfstate\_role\_arn\_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | -| [tfstate\_role\_environment\_name](#input\_tfstate\_role\_environment\_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | -| [tfstate\_role\_name](#input\_tfstate\_role\_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | -| [tfstate\_role\_stage\_name](#input\_tfstate\_role\_stage\_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| 
[account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [dns_gbl_delegated_environment_name](#input_dns_gbl_delegated_environment_name) | The name of the environment where global `dns_delegated` is provisioned | `string` | `"gbl"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kms_alias_name](#input_kms_alias_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no | +| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [optional_service_accounts](#input_optional_service_accounts) | List of optional service accounts to enable | `list(string)` | `[]` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [standard_service_accounts](#input_standard_service_accounts) | List of standard service accounts expected to be enabled everywhere | `list(string)` | n/a | yes | +| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [tfstate_account_id](#input_tfstate_account_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | +| [tfstate_assume_role](#input_tfstate_assume_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | +| [tfstate_bucket_environment_name](#input_tfstate_bucket_environment_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | +| [tfstate_bucket_stage_name](#input_tfstate_bucket_stage_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | +| [tfstate_existing_role_arn](#input_tfstate_existing_role_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | +| [tfstate_role_arn_template](#input_tfstate_role_arn_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | +| [tfstate_role_environment_name](#input_tfstate_role_environment_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | +| [tfstate_role_name](#input_tfstate_role_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | +| [tfstate_role_stage_name](#input_tfstate_role_stage_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | ## Outputs -| Name | Description | -|------|-------------| -| [service\_accounts](#output\_service\_accounts) | n/a | - +| Name | Description | +| ----------------------------------------------------------------------------------- | ----------- | +| [service_accounts](#output_service_accounts) | n/a | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks-iam) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks-iam) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/eks/ebs-controller/README.md b/deprecated/eks/ebs-controller/README.md index 178de2cbf..92f3505da 100644 --- a/deprecated/eks/ebs-controller/README.md +++ b/deprecated/eks/ebs-controller/README.md 
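Review bot: the `tfstate_existing_role_arn` description in the `eks-iam` Inputs table above still says "If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template`", but the inputs in the same table are named `tfstate_assume_role` and `tfstate_role_arn_template`; prettier reflowed the stale cross-reference without fixing it. Because this is a terraform-docs style generated table, the fix belongs in the component's `variables.tf` description, followed by regenerating the README. While there, the `service_accounts` output still ships with the description `n/a`; a one-line description of what the map contains would help.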
@@ -33,86 +33,88 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [helm](#requirement\_helm) | >= 2.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +| --------------------------------------------------------------------------- | ------------------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [helm](#requirement_helm) | >= 2.0 | +| [kubernetes](#requirement_kubernetes) | >= 2.7.1, != 2.21.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | -| [kubernetes](#provider\_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +| --------------------------------------------------------------------- | ------------------- | +| [aws](#provider_aws) | >= 4.0 | +| [kubernetes](#provider_kubernetes) | >= 2.7.1, != 2.21.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [ebs\_csi\_driver\_controller](#module\_ebs\_csi\_driver\_controller) | DrFaust92/ebs-csi-driver/kubernetes | 3.5.0 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [ebs_csi_driver_controller](#module_ebs_csi_driver_controller) | DrFaust92/ebs-csi-driver/kubernetes | 3.5.0 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| 
[kubernetes_annotations.default_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations) | resource | -| [kubernetes_storage_class.gp3_enc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | -| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| Name | Type | +| ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [kubernetes_annotations.default_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations) | resource | +| [kubernetes_storage_class.gp3_enc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | +| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [ebs\_csi\_controller\_image](#input\_ebs\_csi\_controller\_image) | The image to use for the EBS CSI controller | `string` | `"k8s.gcr.io/provider-aws/aws-ebs-csi-driver"` | no | -| [ebs\_csi\_driver\_version](#input\_ebs\_csi\_driver\_version) | The version of the EBS CSI driver | `string` | `"v1.6.2"` | no | -| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [ebs_csi_controller_image](#input_ebs_csi_controller_image) | The image to use for the EBS CSI controller | `string` | `"k8s.gcr.io/provider-aws/aws-ebs-csi-driver"` | no | +| [ebs_csi_driver_version](#input_ebs_csi_driver_version) | The version of the EBS CSI driver | `string` | `"v1.6.2"` | no | +| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [ebs\_csi\_driver\_controller\_role\_arn](#output\_ebs\_csi\_driver\_controller\_role\_arn) | The Name of the EBS CSI driver controller IAM role ARN | -| [ebs\_csi\_driver\_controller\_role\_name](#output\_ebs\_csi\_driver\_controller\_role\_name) | The Name of the EBS CSI driver controller IAM role name | -| [ebs\_csi\_driver\_controller\_role\_policy\_arn](#output\_ebs\_csi\_driver\_controller\_role\_policy\_arn) | The Name of the EBS CSI driver controller IAM role policy ARN | -| [ebs\_csi\_driver\_controller\_role\_policy\_name](#output\_ebs\_csi\_driver\_controller\_role\_policy\_name) | The Name of the EBS CSI driver controller IAM role policy name | -| [ebs\_csi\_driver\_name](#output\_ebs\_csi\_driver\_name) | The Name of the EBS CSI driver | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | +| [ebs_csi_driver_controller_role_arn](#output_ebs_csi_driver_controller_role_arn) | The Name of the EBS CSI driver controller IAM role ARN | +| [ebs_csi_driver_controller_role_name](#output_ebs_csi_driver_controller_role_name) | The Name of the EBS CSI driver controller IAM role name | +| [ebs_csi_driver_controller_role_policy_arn](#output_ebs_csi_driver_controller_role_policy_arn) | The Name of the EBS CSI driver controller IAM role policy ARN | +| [ebs_csi_driver_controller_role_policy_name](#output_ebs_csi_driver_controller_role_policy_name) | The Name of the EBS CSI driver controller IAM role policy name | +| 
[ebs_csi_driver_name](#output_ebs_csi_driver_name) | The Name of the EBS CSI driver | + ## References diff --git a/deprecated/eks/echo-server/README.md b/deprecated/eks/echo-server/README.md index de7a28cec..babcb498e 100644 --- a/deprecated/eks/echo-server/README.md +++ b/deprecated/eks/echo-server/README.md 
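Review bot: the default for `ebs_csi_controller_image` in this hunk is still `k8s.gcr.io/provider-aws/aws-ebs-csi-driver`, and the Kubernetes project froze `k8s.gcr.io` in April 2023 and now publishes new images only to `registry.k8s.io`, so the pinned `ebs_csi_driver_version` default of `v1.6.2` (a 2022 release) cannot be bumped without also changing the registry. Since the component sits under `deprecated/`, leaving it may be acceptable, but if it is kept, update the default in `variables.tf` to `registry.k8s.io/provider-aws/aws-ebs-csi-driver` and regenerate the table rather than editing the README by hand. Minor: the output descriptions read "The Name of the EBS CSI driver controller IAM role ARN" and "The Name of the EBS CSI driver controller IAM role policy ARN"; "The ARN of the EBS CSI driver controller IAM role" is what they mean.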
@@ -1,29 +1,35 @@ # Component: `eks/echo-server` -This is copied from [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/echo-server). +This is copied from +[cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/echo-server). -This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. -The echo server is a server that sends it back to the client a JSON representation of all the data -the server received, which is a combination of information sent by the client and information sent -by the web server infrastructure. For further details, please see [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). +This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. The echo server +is a server that sends it back to the client a JSON representation of all the data the server received, which is a +combination of information sent by the client and information sent by the web server infrastructure. For further +details, please see [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). ## Prerequisites -Echo server is intended to provide end-to-end testing of everything needed to deploy an application or service with a public HTTPS endpoint. -Therefore, it requires several other components. +Echo server is intended to provide end-to-end testing of everything needed to deploy an application or service with a +public HTTPS endpoint. Therefore, it requires several other components. At the moment, it supports 2 configurations: 1. 
ALB with ACM Certificate - - AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled - - Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all hosts in the domain) + +- AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled +- Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all + hosts in the domain) + 2. Nginx with Cert Manager Certificate - - Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` - should work with any version that supports Ingress API version `networking.k8s.io/v1`. - - `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates via a Cluster Issuer - (by default, named `letsEncrypt-prod`). + +- Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` + should work with any version that supports Ingress API version `networking.k8s.io/v1`. +- `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates + via a Cluster Issuer (by default, named `letsEncrypt-prod`). In both configurations, it has these common requirements: + - Kubernetes version 1.19 or later - Ingress API version `networking.k8s.io/v1` - [kubernetes-sigs/external-dns](https://github.com/kubernetes-sigs/external-dns) 
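Review bot: the reflow under "At the moment, it supports 2 configurations" loses the nesting of the requirements lists. Before, the `- AWS Load Balancer Controller ...` and `- Nginx (via ...)` bullets were indented under items `1.` and `2.`; after, they sit at top level with blank lines around them, so the two numbered items no longer contain their requirements and the ordered list is split into two single-item lists. If the nesting was intended, indent the bullets to the content column of the numbered item (three spaces under `1. `) so prettier keeps them as children instead of promoting them.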
@@ -32,10 +38,9 @@ In both configurations, it has these common requirements: ## Warnings A Terraform plan may fail to apply, giving a Kubernetes authentication failure. This is due to a known issue with -Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes -authentication token and caches it, and then tries to use it during "apply". If the token has expired by -the time you try to run "apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without -a "plan" file. +Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes authentication +token and caches it, and then tries to use it during "apply". If the token has expired by the time you try to run +"apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without a "plan" file. ## Usage 
@@ -69,93 +74,96 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [helm](#requirement\_helm) | >= 2.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +| --------------------------------------------------------------------------- | ------------------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [helm](#requirement_helm) | >= 2.0 | +| [kubernetes](#requirement_kubernetes) | >= 2.7.1, != 2.21.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [alb](#module\_alb) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [echo\_server](#module\_echo\_server) | cloudposse/helm-release/aws | 0.10.0 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [alb](#module_alb) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [echo_server](#module_echo_server) | cloudposse/helm-release/aws | 0.10.0 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| +| Name | Type | +| 
--------------------------------------------------------------------------------------------------------------------------- | ----------- | | [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alb\_controller\_ingress\_group\_component\_name](#input\_alb\_controller\_ingress\_group\_component\_name) | The name of the alb\_controller\_ingress\_group component | `string` | `"eks/alb-controller-ingress-group"` | no | -| [atomic](#input\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [chart\_values](#input\_chart\_values) | Addition map values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | -| [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create\_namespace](#input\_create\_namespace) | Create the Kubernetes namespace if it does not yet exist | `bool` | `true` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input\_description) | Set release description attribute (visible in the history). | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [hostname\_template](#input\_hostname\_template) | The `format()` string to use to generate the hostname via `format(var.hostname_template, var.tenant, var.stage, var.environment)`"
Typically something like `"echo.%[3]v.%[2]v.example.com"`. | `string` | n/a | yes | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [ingress\_type](#input\_ingress\_type) | Set to 'nginx' to create an ingress resource relying on an NGiNX backend for the echo-server service. Set to 'alb' to create an ingress resource relying on an AWS ALB backend for the echo-server service. Leave blank to not create any ingress for the echo-server service. | `string` | `null` | no | -| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. | `string` | n/a | yes | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [repository](#input\_repository) | Repository URL where to locate the requested chart. | `string` | `null` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [timeout](#input\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | -| [verify](#input\_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | `bool` | `false` | no | -| [wait](#input\_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `true` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alb_controller_ingress_group_component_name](#input_alb_controller_ingress_group_component_name) | The name of the alb_controller_ingress_group component | `string` | `"eks/alb-controller-ingress-group"` | no | +| [atomic](#input_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [chart_values](#input_chart_values) | Addition map values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [chart_version](#input_chart_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | +| [cleanup_on_fail](#input_cleanup_on_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create_namespace](#input_create_namespace) | Create the Kubernetes namespace if it does not yet exist | `bool` | `true` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input_description) | Set release description attribute (visible in the history). | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [hostname_template](#input_hostname_template) | The `format()` string to use to generate the hostname via `format(var.hostname_template, var.tenant, var.stage, var.environment)`"
Typically something like `"echo.%[3]v.%[2]v.example.com"`. | `string` | n/a | yes | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [ingress_type](#input_ingress_type) | Set to 'nginx' to create an ingress resource relying on an NGiNX backend for the echo-server service. Set to 'alb' to create an ingress resource relying on an AWS ALB backend for the echo-server service. Leave blank to not create any ingress for the echo-server service. | `string` | `null` | no | +| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [kubernetes_namespace](#input_kubernetes_namespace) | The namespace to install the release into. | `string` | n/a | yes | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [repository](#input_repository) | Repository URL where to locate the requested chart. | `string` | `null` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [timeout](#input_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | +| [verify](#input_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | `bool` | `false` | no | +| [wait](#input_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `true` | no | ## Outputs -| Name | Description | -|------|-------------| -| [metadata](#output\_metadata) | Block status of the deployed release | +| Name | Description | +| ----------------------------------------------------------- | ------------------------------------ | +| [metadata](#output_metadata) | Block status of the deployed release | + ## References -* https://github.com/Ealenn/Echo-Server + +- https://github.com/Ealenn/Echo-Server diff --git a/deprecated/eks/efs-controller/README.md b/deprecated/eks/efs-controller/README.md index c6c495c7a..df5a8d2ae 100644 --- a/deprecated/eks/efs-controller/README.md +++ b/deprecated/eks/efs-controller/README.md 
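Review bot: the column alignment in the rewritten Inputs table is cosmetic only, because several description and default cells still contain embedded newlines (`additional_tag_map`, `attributes`, `context`, `descriptor_formats`, `labels_as_tags`), and a GFM table row cannot span lines, so these rows render broken exactly as before; the fix belongs in the generator settings (emit `<br>` or collapse the descriptions), not in prettier. While touching this table, the `hostname_template` description carries a stray closing quote after the code span (`` ...var.environment)`" ``) in both the old and new rows; since the table is generated, correct it in the variable's `description` in the component source rather than in the README.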
@@ -39,92 +39,94 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [helm](#requirement\_helm) | >= 2.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.0, != 2.21.0 | +| Name | Version | +| --------------------------------------------------------------------------- | ----------------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [helm](#requirement_helm) | >= 2.0 | +| [kubernetes](#requirement_kubernetes) | >= 2.0, != 2.21.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | -| [kubernetes](#provider\_kubernetes) | >= 2.0, != 2.21.0 | +| Name | Version | +| --------------------------------------------------------------------- | ----------------- | +| [aws](#provider_aws) | >= 4.0 | +| [kubernetes](#provider_kubernetes) | >= 2.0, != 2.21.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [efs](#module\_efs) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [efs\_controller](#module\_efs\_controller) | cloudposse/helm-release/aws | 0.9.1 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [efs](#module_efs) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [efs_controller](#module_efs_controller) | cloudposse/helm-release/aws | 0.9.1 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 
0.25.0 | ## Resources -| Name | Type | -|------|------| -| [kubernetes_namespace.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| Name | Type | +| ---------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [kubernetes_namespace.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [atomic](#input\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [chart](#input\_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `/` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended. | `string` | n/a | yes | -| [chart\_description](#input\_chart\_description) | Set release description attribute (visible in the history). | `string` | `null` | no | -| [chart\_repository](#input\_chart\_repository) | Repository URL where to locate the requested chart. | `string` | n/a | yes | -| [chart\_values](#input\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | -| [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create\_namespace](#input\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `false`. | `bool` | `null` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [efs\_component\_name](#input\_efs\_component\_name) | The name of the efs component | `string` | `"efs"` | no | -| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. | `string` | n/a | yes | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region. | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [timeout](#input\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | -| [wait](#input\_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| 
[additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [atomic](#input_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [chart](#input_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `/` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended. | `string` | n/a | yes | +| [chart_description](#input_chart_description) | Set release description attribute (visible in the history). | `string` | `null` | no | +| [chart_repository](#input_chart_repository) | Repository URL where to locate the requested chart. | `string` | n/a | yes | +| [chart_values](#input_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [chart_version](#input_chart_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | +| [cleanup_on_fail](#input_cleanup_on_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create_namespace](#input_create_namespace) | Create the namespace if it does not yet exist. Defaults to `false`. | `bool` | `null` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [efs_component_name](#input_efs_component_name) | The name of the efs component | `string` | `"efs"` | no | +| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [kubernetes_namespace](#input_kubernetes_namespace) | The namespace to install the release into. | `string` | n/a | yes | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region. | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [timeout](#input_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | +| [wait](#input_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [metadata](#output\_metadata) | Block status of the deployed release | +| Name | Description | +| ----------------------------------------------------------- | ------------------------------------ | +| [metadata](#output_metadata) | Block status of the deployed release | + ## References diff --git a/deprecated/eks/eks-without-spotinst/README.md b/deprecated/eks/eks-without-spotinst/README.md index 3f0e2344a..9478c2b7d 100644 --- a/deprecated/eks/eks-without-spotinst/README.md +++ b/deprecated/eks/eks-without-spotinst/README.md 
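Review bot: the Inputs and Outputs tables in the hunk above are terraform-docs output that has been hand-reformatted, so this change will not survive the next docs regeneration. The `-` side is what the generator emits (`[additional\_tag\_map](#input\_additional\_tag\_map)`, a bare `|------|-------------|` separator row) and the `+` side is what prettier makes of it (`[additional_tag_map](#input_additional_tag_map)`, separator rows padded to the widest cell, which for this table means several hundred dashes because of the multi-line `context` and `descriptor_formats` cells). The rendered anchors are identical either way, so the diff is pure churn, and every future row edit will re-pad the whole table. Either run prettier as the last step of the README generation (or order the prettier pre-commit hook after the terraform-docs hook) so the two tools agree, or wrap the generated block in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` so prettier leaves it alone. The added blank line before `## References` is fine.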
@@ -1,14 +1,19 @@ # Component: `eks` -This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups. -NOTE: This component can only be deployed after logging in to AWS via Federated login with SAML (e.g. GSuite) or assuming an IAM role (e.g. from a CI/CD system). It cannot be deployed if you login to AWS via AWS SSO, the reason being is that on initial deployment, the EKS cluster will be owned by the assumed role that provisioned it. If this were to be the AWS SSO Role, then we risk losing access to the EKS cluster once the ARN of the AWS SSO Role eventually changes. +This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups. NOTE: This +component can only be deployed after logging in to AWS via Federated login with SAML (e.g. GSuite) or assuming an IAM +role (e.g. from a CI/CD system). It cannot be deployed if you login to AWS via AWS SSO, the reason being is that on +initial deployment, the EKS cluster will be owned by the assumed role that provisioned it. If this were to be the AWS +SSO Role, then we risk losing access to the EKS cluster once the ARN of the AWS SSO Role eventually changes. If Spotinst is going to be used, the following course of action needs to be followed: 1. Create Spotinst account and subscribe to a Business Plan. 1. Provision [spotinst-integration](https://spot.io/), as documented in the component. 1. Provision EKS with Spotinst Ocean pool only. -1. Deploy core K8s components, including [metrics-server](https://docs.cloudposse.com/components/library/aws/eks/metrics-server), [external-dns](https://docs.cloudposse.com/components/library/aws/eks/external-dns), etc. +1. Deploy core K8s components, including + [metrics-server](https://docs.cloudposse.com/components/library/aws/eks/metrics-server), + [external-dns](https://docs.cloudposse.com/components/library/aws/eks/external-dns), etc. 1. 
Deploy Spotinst [ocean-controller](https://docs.spot.io/ocean/tutorials/spot-kubernetes-controller/). ## Usage @@ -59,12 +64,13 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 3.0 | ## Providers 
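Review bot: in the `@@ -1,14 +1,19 @@` hunk the rewrap puts the access-control warning mid-line (`+This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups. NOTE: This`). There was no blank line between the two `-` lines, so the rendered README already showed `NOTE:` inside the first paragraph; the rewrap just makes that visible in the source. The note is the one thing a deployer must not get wrong (the cluster is owned by whichever role ran the first apply, and an AWS SSO role's ARN can change and lock everyone out), so add a blank line before `NOTE:` in the source so it renders as its own paragraph; prettier only rewraps within a paragraph and will keep the break. The wrapped link lines in the numbered list are rendering-neutral.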
@@ -72,17 +78,17 @@ No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [delegated\_roles](#module\_delegated\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 0.44.0 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [primary\_roles](#module\_primary\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [region\_node\_group](#module\_region\_node\_group) | ./modules/node_group_by_region | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [vpc\_ingress](#module\_vpc\_ingress) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +| -------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [delegated_roles](#module_delegated_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks_cluster](#module_eks_cluster) | cloudposse/eks-cluster/aws | 0.44.0 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [primary_roles](#module_primary_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [region_node_group](#module_region_node_group) | ./modules/node_group_by_region | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [vpc_ingress](#module_vpc_ingress) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources 
@@ -90,89 +96,91 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [allow\_ingress\_from\_vpc\_stages](#input\_allow\_ingress\_from\_vpc\_stages) | List of stages to pull VPC ingress CIDR and add to security group | `list(string)` | `[]` | no | -| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | -| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | -| [apply\_config\_map\_aws\_auth](#input\_apply\_config\_map\_aws\_auth) | Whether to execute `kubectl apply` to apply the ConfigMap to allow worker nodes to join the EKS cluster | `bool` | `true` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [availability\_zone\_abbreviation\_type](#input\_availability\_zone\_abbreviation\_type) | Type of Availability Zone abbreviation (either `fixed` or `short`) to use in names. See https://github.com/cloudposse/terraform-aws-utils for details. | `string` | `"fixed"` | no | -| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones in which to deploy multi-AZ resources | `list(string)` | n/a | yes | -| [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | -| [aws\_ssm\_agent\_enabled](#input\_aws\_ssm\_agent\_enabled) | Set true to attach the required IAM policy for AWS SSM agent to each EC2 instance's IAM Role | `bool` | `false` | no | -| [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | -| [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no | -| [cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation](#input\_cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no | -| [cluster\_encryption\_config\_kms\_key\_id](#input\_cluster\_encryption\_config\_kms\_key\_id) | KMS Key ID to use for cluster encryption config | `string` | `""` | no | -| [cluster\_encryption\_config\_kms\_key\_policy](#input\_cluster\_encryption\_config\_kms\_key\_policy) | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no | -| 
[cluster\_encryption\_config\_resources](#input\_cluster\_encryption\_config\_resources) | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | `list(any)` |
[
"secrets"
]
| no | -| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is `false` | `bool` | `false` | no | -| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is `true` | `bool` | `true` | no | -| [cluster\_kubernetes\_version](#input\_cluster\_kubernetes\_version) | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | `string` | `null` | no | -| [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `90` | no | -| [cluster\_private\_subnets\_only](#input\_cluster\_private\_subnets\_only) | Whether or not to enable private subnets or both public and private subnets | `bool` | `false` | no | -| [color](#input\_color) | The cluster stage represented by a color; e.g. blue, green | `string` | `""` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delegated\_iam\_roles](#input\_delegated\_iam\_roles) | Delegated IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam\_primary\_roles\_stage\_name](#input\_iam\_primary\_roles\_stage\_name) | The name of the stage where the IAM primary roles are provisioned | `string` | `"identity"` | no | -| [iam\_primary\_roles\_tenant\_name](#input\_iam\_primary\_roles\_tenant\_name) | The name of the tenant where the IAM primary roles are provisioned | `string` | `null` | no | -| [iam\_roles\_environment\_name](#input\_iam\_roles\_environment\_name) | The name of the environment where the IAM roles are provisioned | `string` | `"gbl"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kubeconfig\_file](#input\_kubeconfig\_file) | Name of `kubeconfig` file to use to configure Kubernetes provider | `string` | `""` | no | -| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | Set true to configure Kubernetes provider with a `kubeconfig` file specified by `kubeconfig_file`.
Mainly for when the standard configuration produces a Terraform error. | `bool` | `false` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [managed\_node\_groups\_enabled](#input\_managed\_node\_groups\_enabled) | Set false to prevent the creation of EKS managed node groups. | `bool` | `true` | no | -| [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | -| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map\_additional\_worker\_roles](#input\_map\_additional\_worker\_roles) | AWS IAM Role ARNs of worker nodes to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [node\_group\_defaults](#input\_node\_group\_defaults) | Defaults for node groups in the cluster |
object({
ami_release_version = string
ami_type = string
attributes = list(string)
availability_zones = list(string) # set to null to use var.region_availability_zones
cluster_autoscaler_enabled = bool
create_before_destroy = bool
desired_group_size = number
disk_encryption_enabled = bool
disk_size = number
instance_types = list(string)
kubernetes_labels = map(string)
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
kubernetes_version = string # set to null to use cluster_kubernetes_version
max_group_size = number
min_group_size = number
resources_to_tag = list(string)
tags = map(string)
})
|
{
"ami_release_version": null,
"ami_type": null,
"attributes": null,
"availability_zones": null,
"cluster_autoscaler_enabled": true,
"create_before_destroy": true,
"desired_group_size": 1,
"disk_encryption_enabled": true,
"disk_size": 20,
"instance_types": [
"t3.medium"
],
"kubernetes_labels": null,
"kubernetes_taints": null,
"kubernetes_version": null,
"max_group_size": 100,
"min_group_size": null,
"resources_to_tag": null,
"tags": null
}
| no | -| [node\_groups](#input\_node\_groups) | List of objects defining a node group for the cluster |
map(object({
# EKS AMI version to use, e.g. "1.16.13-20200821" (no "v").
ami_release_version = string
# Type of Amazon Machine Image (AMI) associated with the EKS Node Group
ami_type = string
# Additional attributes (e.g. `1`) for the node group
attributes = list(string)
# will create 1 auto scaling group in each specified availability zone
availability_zones = list(string)
# Whether to enable Node Group to scale its AutoScaling Group
cluster_autoscaler_enabled = bool
# True to create new node_groups before deleting old ones, avoiding a temporary outage
create_before_destroy = bool
# Desired number of worker nodes when initially provisioned
desired_group_size = number
# Enable disk encryption for the created launch template (if we aren't provided with an existing launch template)
disk_encryption_enabled = bool
# Disk size in GiB for worker nodes. Terraform will only perform drift detection if a configuration value is provided.
disk_size = number
# Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided.
instance_types = list(string)
# Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed
kubernetes_labels = map(string)
# List of objects describing Kubernetes taints.
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
# Desired Kubernetes master version. If you do not specify a value, the latest available version is used
kubernetes_version = string
# The maximum size of the AutoScaling Group
max_group_size = number
# The minimum size of the AutoScaling Group
min_group_size = number
# List of auto-launched resource types to tag
resources_to_tag = list(string)
tags = map(string)
}))
| `{}` | no | -| [oidc\_provider\_enabled](#input\_oidc\_provider\_enabled) | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | `bool` | n/a | yes | -| [primary\_iam\_roles](#input\_primary\_iam\_roles) | Primary IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | -| [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | `[]` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnet\_type\_tag\_key](#input\_subnet\_type\_tag\_key) | The tag used to find the private subnets to find by availability zone. If null, will be looked up in vpc outputs. | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [allow_ingress_from_vpc_stages](#input_allow_ingress_from_vpc_stages) | List of stages to pull VPC ingress CIDR and add to security group | `list(string)` | `[]` | no | +| [allowed_cidr_blocks](#input_allowed_cidr_blocks) | List of CIDR blocks to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | +| [allowed_security_groups](#input_allowed_security_groups) | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | +| [apply_config_map_aws_auth](#input_apply_config_map_aws_auth) | Whether to execute `kubectl apply` to apply the ConfigMap to allow worker nodes to join the EKS cluster | `bool` | `true` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [availability_zone_abbreviation_type](#input_availability_zone_abbreviation_type) | Type of Availability Zone abbreviation (either `fixed` or `short`) to use in names. See https://github.com/cloudposse/terraform-aws-utils for details. | `string` | `"fixed"` | no | +| [availability_zones](#input_availability_zones) | AWS Availability Zones in which to deploy multi-AZ resources | `list(string)` | n/a | yes | +| [aws_auth_yaml_strip_quotes](#input_aws_auth_yaml_strip_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | +| [aws_ssm_agent_enabled](#input_aws_ssm_agent_enabled) | Set true to attach the required IAM policy for AWS SSM agent to each EC2 instance's IAM Role | `bool` | `false` | no | +| [cluster_encryption_config_enabled](#input_cluster_encryption_config_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | +| [cluster_encryption_config_kms_key_deletion_window_in_days](#input_cluster_encryption_config_kms_key_deletion_window_in_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no | +| [cluster_encryption_config_kms_key_enable_key_rotation](#input_cluster_encryption_config_kms_key_enable_key_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no | +| [cluster_encryption_config_kms_key_id](#input_cluster_encryption_config_kms_key_id) | KMS Key ID to use for cluster encryption config | `string` | `""` | no | +| [cluster_encryption_config_kms_key_policy](#input_cluster_encryption_config_kms_key_policy) | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no | +| [cluster_encryption_config_resources](#input_cluster_encryption_config_resources) | Cluster Encryption Config Resources to encrypt, e.g. 
['secrets'] | `list(any)` |
[
"secrets"
]
| no | +| [cluster_endpoint_private_access](#input_cluster_endpoint_private_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is `false` | `bool` | `false` | no | +| [cluster_endpoint_public_access](#input_cluster_endpoint_public_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is `true` | `bool` | `true` | no | +| [cluster_kubernetes_version](#input_cluster_kubernetes_version) | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | `string` | `null` | no | +| [cluster_log_retention_period](#input_cluster_log_retention_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `90` | no | +| [cluster_private_subnets_only](#input_cluster_private_subnets_only) | Whether or not to enable private subnets or both public and private subnets | `bool` | `false` | no | +| [color](#input_color) | The cluster stage represented by a color; e.g. blue, green | `string` | `""` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delegated_iam_roles](#input_delegated_iam_roles) | Delegated IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled_cluster_log_types](#input_enabled_cluster_log_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam_primary_roles_stage_name](#input_iam_primary_roles_stage_name) | The name of the stage where the IAM primary roles are provisioned | `string` | `"identity"` | no | +| [iam_primary_roles_tenant_name](#input_iam_primary_roles_tenant_name) | The name of the tenant where the IAM primary roles are provisioned | `string` | `null` | no | +| [iam_roles_environment_name](#input_iam_roles_environment_name) | The name of the environment where the IAM roles are provisioned | `string` | `"gbl"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kubeconfig_file](#input_kubeconfig_file) | Name of `kubeconfig` file to use to configure Kubernetes provider | `string` | `""` | no | +| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | Set true to configure Kubernetes provider with a `kubeconfig` file specified by `kubeconfig_file`.
Mainly for when the standard configuration produces a Terraform error. | `bool` | `false` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [managed_node_groups_enabled](#input_managed_node_groups_enabled) | Set false to prevent the creation of EKS managed node groups. | `bool` | `true` | no | +| [map_additional_aws_accounts](#input_map_additional_aws_accounts) | Additional AWS account numbers to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | +| [map_additional_iam_roles](#input_map_additional_iam_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map_additional_iam_users](#input_map_additional_iam_users) | Additional IAM users to add to `aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map_additional_worker_roles](#input_map_additional_worker_roles) | AWS IAM Role ARNs of worker nodes to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [node_group_defaults](#input_node_group_defaults) | Defaults for node groups in the cluster |
object({
ami_release_version = string
ami_type = string
attributes = list(string)
availability_zones = list(string) # set to null to use var.region_availability_zones
cluster_autoscaler_enabled = bool
create_before_destroy = bool
desired_group_size = number
disk_encryption_enabled = bool
disk_size = number
instance_types = list(string)
kubernetes_labels = map(string)
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
kubernetes_version = string # set to null to use cluster_kubernetes_version
max_group_size = number
min_group_size = number
resources_to_tag = list(string)
tags = map(string)
})
|
{
"ami_release_version": null,
"ami_type": null,
"attributes": null,
"availability_zones": null,
"cluster_autoscaler_enabled": true,
"create_before_destroy": true,
"desired_group_size": 1,
"disk_encryption_enabled": true,
"disk_size": 20,
"instance_types": [
"t3.medium"
],
"kubernetes_labels": null,
"kubernetes_taints": null,
"kubernetes_version": null,
"max_group_size": 100,
"min_group_size": null,
"resources_to_tag": null,
"tags": null
}
| no | +| [node_groups](#input_node_groups) | List of objects defining a node group for the cluster |
map(object({
# EKS AMI version to use, e.g. "1.16.13-20200821" (no "v").
ami_release_version = string
# Type of Amazon Machine Image (AMI) associated with the EKS Node Group
ami_type = string
# Additional attributes (e.g. `1`) for the node group
attributes = list(string)
# will create 1 auto scaling group in each specified availability zone
availability_zones = list(string)
# Whether to enable Node Group to scale its AutoScaling Group
cluster_autoscaler_enabled = bool
# True to create new node_groups before deleting old ones, avoiding a temporary outage
create_before_destroy = bool
# Desired number of worker nodes when initially provisioned
desired_group_size = number
# Enable disk encryption for the created launch template (if we aren't provided with an existing launch template)
disk_encryption_enabled = bool
# Disk size in GiB for worker nodes. Terraform will only perform drift detection if a configuration value is provided.
disk_size = number
# Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided.
instance_types = list(string)
# Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed
kubernetes_labels = map(string)
# List of objects describing Kubernetes taints.
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
# Desired Kubernetes master version. If you do not specify a value, the latest available version is used
kubernetes_version = string
# The maximum size of the AutoScaling Group
max_group_size = number
# The minimum size of the AutoScaling Group
min_group_size = number
# List of auto-launched resource types to tag
resources_to_tag = list(string)
tags = map(string)
}))
| `{}` | no | +| [oidc_provider_enabled](#input_oidc_provider_enabled) | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | `bool` | n/a | yes | +| [primary_iam_roles](#input_primary_iam_roles) | Primary IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | +| [public_access_cidrs](#input_public_access_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | `[]` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnet_type_tag_key](#input_subnet_type_tag_key) | The tag used to find the private subnets to find by availability zone. If null, will be looked up in vpc outputs. | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [eks\_auth\_worker\_roles](#output\_eks\_auth\_worker\_roles) | List of worker IAM roles that were included in the `auth-map` ConfigMap. | -| [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | -| [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | The Kubernetes cluster certificate authority data | -| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the Kubernetes API server | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | The name of the cluster | -| [eks\_cluster\_identity\_oidc\_issuer](#output\_eks\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster | -| [eks\_cluster\_managed\_security\_group\_id](#output\_eks\_cluster\_managed\_security\_group\_id) | Security Group ID that was created by EKS for the cluster. 
EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads | -| [eks\_cluster\_version](#output\_eks\_cluster\_version) | The Kubernetes server version of the cluster | -| [eks\_managed\_node\_workers\_role\_arns](#output\_eks\_managed\_node\_workers\_role\_arns) | List of ARNs for workers in managed node groups | -| [eks\_node\_group\_arns](#output\_eks\_node\_group\_arns) | List of all the node group ARNs in the cluster | -| [eks\_node\_group\_count](#output\_eks\_node\_group\_count) | Count of the worker nodes | -| [eks\_node\_group\_ids](#output\_eks\_node\_group\_ids) | EKS Cluster name and EKS Node Group name separated by a colon | -| [eks\_node\_group\_role\_names](#output\_eks\_node\_group\_role\_names) | List of worker nodes IAM role names | -| [eks\_node\_group\_statuses](#output\_eks\_node\_group\_statuses) | Status of the EKS Node Group | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [eks_auth_worker_roles](#output_eks_auth_worker_roles) | List of worker IAM roles that were included in the `auth-map` ConfigMap. 
| +| [eks_cluster_arn](#output_eks_cluster_arn) | The Amazon Resource Name (ARN) of the cluster | +| [eks_cluster_certificate_authority_data](#output_eks_cluster_certificate_authority_data) | The Kubernetes cluster certificate authority data | +| [eks_cluster_endpoint](#output_eks_cluster_endpoint) | The endpoint for the Kubernetes API server | +| [eks_cluster_id](#output_eks_cluster_id) | The name of the cluster | +| [eks_cluster_identity_oidc_issuer](#output_eks_cluster_identity_oidc_issuer) | The OIDC Identity issuer for the cluster | +| [eks_cluster_managed_security_group_id](#output_eks_cluster_managed_security_group_id) | Security Group ID that was created by EKS for the cluster. EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads | +| [eks_cluster_version](#output_eks_cluster_version) | The Kubernetes server version of the cluster | +| [eks_managed_node_workers_role_arns](#output_eks_managed_node_workers_role_arns) | List of ARNs for workers in managed node groups | +| [eks_node_group_arns](#output_eks_node_group_arns) | List of all the node group ARNs in the cluster | +| [eks_node_group_count](#output_eks_node_group_count) | Count of the worker nodes | +| [eks_node_group_ids](#output_eks_node_group_ids) | EKS Cluster name and EKS Node Group name separated by a colon | +| [eks_node_group_role_names](#output_eks_node_group_role_names) | List of worker nodes IAM role names | +| [eks_node_group_statuses](#output_eks_node_group_statuses) | Status of the EKS Node Group | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/eks-without-spotinst) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/eks-without-spotinst) - + Cloud Posse's upstream component [](https://cpco.io/component) 
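Review bot: The `public_access_cidrs` row (`-` and `+` alike) says EKS "defaults this to a list with 0.0.0.0/0" while the component default is `[]`, and the adjacent `cluster_endpoint_public_access` row defaults to `true`; the description should state plainly that leaving `public_access_cidrs` empty means the public API endpoint stays reachable from `0.0.0.0/0` unless the operator narrows it, since a reader scanning the table is likely to read `[]` as "nothing allowed". While these rows are being rewritten, a few wording inconsistencies are also cheap to fix: `map_additional_iam_roles` refers to the `config-map-aws-auth` ConfigMap while `map_additional_aws_accounts`, `map_additional_iam_users`, `primary_iam_roles` and `delegated_iam_roles` all say `aws-auth`; `eks_auth_worker_roles` in Outputs refers to an `auth-map` ConfigMap; and `id_length_limit` reads "Set to `null` for keep the existing setting". Because both tables look generated (the removed `|------|-------------|` separators are the generator's default style), those wording fixes belong in the variable and output descriptions with the README regenerated afterwards, and the PR should settle how the generator and prettier coexist, for example by wrapping the generated block in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->`, otherwise the next regeneration will undo the column padding added here and every README will re-diff.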
diff --git a/deprecated/github-actions-runner/README.md b/deprecated/github-actions-runner/README.md index 5e913c224..fa2574327 100644 --- a/deprecated/github-actions-runner/README.md +++ b/deprecated/github-actions-runner/README.md 
@@ -111,21 +111,29 @@ Run `make TAG=0.0.6 help` to get the same commands with a specific tag for ease ### ECR Authentication -There are multiple ways to authenticate with ECR. The commands provided by AWS with the `docker login` approach is available with the target: +There are multiple ways to authenticate with ECR. The commands provided by AWS with the `docker login` approach is +available with the target: ```bash make auth ``` -_NOTE_: You cannot run the build or push from inside Geodesic, you need to run those on your host to avoid docker-in-docker issues so ensure you authentication is handled outside of Geodesic as well. +_NOTE_: You cannot run the build or push from inside Geodesic, you need to run those on your host to avoid +docker-in-docker issues so ensure you authentication is handled outside of Geodesic as well. ### Manually Building and Tagging the Image -We create our own runner image with amazon-ecr-credential-helper installed. For actions-runner-controller 0.16.0 we used runners_image: `"summerwind/actions-runner-dind:v2.275.1"` -> `action-runner:v0.1.0`. +We create our own runner image with amazon-ecr-credential-helper installed. For actions-runner-controller 0.16.0 we used +runners_image: `"summerwind/actions-runner-dind:v2.275.1"` -> `action-runner:v0.1.0`. -For `actions-runner-controller` 0.18.0 we tried `runners_image: "summerwind/actions-runner-dind:v2.277.1"` -> `action-runner:0.2.0` but that did not work (see https://github.com/summerwind/actions-runner-controller/issues/274) so we reverted to `runners_image: "summerwind/actions-runner-dind:v2.274.2"` -> `action-runner:0.2.1` based on the [issue comment](https://github.com/summerwind/actions-runner-controller/blob/bc6e499e4f72f60024781d99ec66a665bedb5e1f/runner/Dockerfile#L4) and the runner version configured in the controller release. 
+For `actions-runner-controller` 0.18.0 we tried `runners_image: "summerwind/actions-runner-dind:v2.277.1"` -> +`action-runner:0.2.0` but that did not work (see https://github.com/summerwind/actions-runner-controller/issues/274) so +we reverted to `runners_image: "summerwind/actions-runner-dind:v2.274.2"` -> `action-runner:0.2.1` based on the +[issue comment](https://github.com/summerwind/actions-runner-controller/blob/bc6e499e4f72f60024781d99ec66a665bedb5e1f/runner/Dockerfile#L4) +and the runner version configured in the controller release. -Edit Dockerfile to set base runner version and `ecr-credential-helper-version`. Create the image before deploying the Helmfile. +Edit Dockerfile to set base runner version and `ecr-credential-helper-version`. Create the image before deploying the +Helmfile. ```bash make TAG=xxx build @@ -139,9 +147,12 @@ Push the image with `make TAG=xxx push`. ## Managing the `GITHUB_TOKEN` -According to the above docs, do not use the Github App if Github Enterprise is used or planned to be used. The best way is to use a Github PAT. +According to the above docs, do not use the Github App if Github Enterprise is used or planned to be used. The best way +is to use a Github PAT. -See the [official documentation](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication) on how to generate and configure the `GITHUB_TOKEN` (Personal Access Token). +See the +[official documentation](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication) +on how to generate and configure the `GITHUB_TOKEN` (Personal Access Token). Install `GITHUB_TOKEN` with: 
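Review bot: the reflowed sentences in the `### ECR Authentication` hunk carry the original grammar errors through, and since these lines are being rewritten anyway this is the moment to fix them: `The commands provided by AWS with the `docker login` approach is available` should read `are available`, and `ensure you authentication is handled outside of Geodesic` should read `ensure your authentication is handled outside of Geodesic`. The docker-in-docker note is the one operational warning in this section, so it deserves a clean sentence.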
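Review bot: `Github` should be `GitHub` in the reflowed `## Managing the `GITHUB_TOKEN`` sentences (`do not use the Github App`, `use a Github PAT`). Since the `kubectl create secret generic controller-manager ... --from-literal=github_token=${GITHUB_TOKEN}` context lines that follow store a long-lived personal access token in a cluster Secret, the sentence recommending a PAT is also the right place to state the minimum scopes the token needs rather than deferring entirely to the linked upstream page; a one-line addition here would make the reflowed paragraph actionable.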
@@ -150,116 +161,121 @@ kubectl create secret generic controller-manager -n actions-runner-system \ --from-literal=github_token=${GITHUB_TOKEN} ``` -_NOTE_: configure the desired cluster in Geodesic using `set-cluster account` (where `account` is the AWS account name; ex: `set-cluster auto`). The region may be required as well as a tenant, if the project uses tenants; ex: `set-cluster apse1-auto`. +_NOTE_: configure the desired cluster in Geodesic using `set-cluster account` (where `account` is the AWS account name; +ex: `set-cluster auto`). The region may be required as well as a tenant, if the project uses tenants; ex: +`set-cluster apse1-auto`. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.0 | -| [helm](#requirement\_helm) | >= 2.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 3.0 | +| [helm](#requirement_helm) | >= 2.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 3.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [actions\_runner](#module\_actions\_runner) | cloudposse/helm-release/aws | 0.3.1 | -| [actions\_runner\_controller](#module\_actions\_runner\_controller) | cloudposse/helm-release/aws | 0.3.1 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | -| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 0.2.2 | -| [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 0.10.3 | -| [github\_action\_controller\_label](#module\_github\_action\_controller\_label) | cloudposse/label/null | 0.25.0 | -| 
[github\_action\_helm\_label](#module\_github\_action\_helm\_label) | cloudposse/label/null | 0.25.0 | -| [iam\_primary\_roles](#module\_iam\_primary\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [actions_runner](#module_actions_runner) | cloudposse/helm-release/aws | 0.3.1 | +| [actions_runner_controller](#module_actions_runner_controller) | cloudposse/helm-release/aws | 0.3.1 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | +| [eks_iam_policy](#module_eks_iam_policy) | cloudposse/iam-policy/aws | 0.2.2 | +| [eks_iam_role](#module_eks_iam_role) | cloudposse/eks-iam-role/aws | 0.10.3 | +| [github_action_controller_label](#module_github_action_controller_label) | cloudposse/label/null | 0.25.0 | +| [github_action_helm_label](#module_github_action_helm_label) | cloudposse/label/null | 0.25.0 | +| [iam_primary_roles](#module_iam_primary_roles) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_iam_policy.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role_policy_attachment.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_kms_alias.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| 
[aws_kms_key.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | -| [aws_iam_policy_document.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_iam_policy.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role_policy_attachment.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_eks_cluster.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_policy_document.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [autoscale\_type](#input\_autoscale\_type) | Default choice if not defined in autoscale\_types | `string` | `"low_concurrency"` | no | -| [autoscale\_types](#input\_autoscale\_types) | Map to define HRA CRD scaling configurations |
map(object({
minReplicas = number,
maxReplicas = number
metrics = object({
type = string,
scaleUpThreshold = number,
scaleDownThreshold = number,
scaleUpAdjustment = number,
scaleDownAdjustment = number
})
}))
|
{
"low_concurrency": {
"maxReplicas": 8,
"metrics": {
"scaleDownAdjustment": 1,
"scaleDownThreshold": 0.3,
"scaleUpAdjustment": 1,
"scaleUpThreshold": 0.75,
"type": "PercentageRunnersBusy"
},
"minReplicas": 1
}
}
| no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [controller\_chart\_image](#input\_controller\_chart\_image) | Image to use for controller | `string` | `"summerwind/actions-runner-controller"` | no | -| [controller\_chart\_image\_tag](#input\_controller\_chart\_image\_tag) | Tag to use for controller image | `string` | `"v0.19.0"` | no | -| [controller\_chart\_name](#input\_controller\_chart\_name) | Controller Helm chart name. | `string` | `"actions-runner-controller"` | no | -| [controller\_chart\_namespace](#input\_controller\_chart\_namespace) | Controller kubernetes namespace. | `string` | `"actions-runner-system"` | no | -| [controller\_chart\_namespace\_create](#input\_controller\_chart\_namespace\_create) | Controller kubernetes namespace created if not present | `bool` | `true` | no | -| [controller\_chart\_release\_name](#input\_controller\_chart\_release\_name) | Controller Helm chart release name. | `string` | `"actions-runner-controller"` | no | -| [controller\_chart\_repo](#input\_controller\_chart\_repo) | Controller Helm chart repository name. | `string` | `"https://actions-runner-controller.github.io/actions-runner-controller"` | no | -| [controller\_chart\_values](#input\_controller\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [controller\_chart\_version](#input\_controller\_chart\_version) | Controller Helm chart version. | `string` | `"0.12.8"` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam\_policy\_statements](#input\_iam\_policy\_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `[]` | no | -| [iam\_primary\_roles\_environment\_name](#input\_iam\_primary\_roles\_environment\_name) | The name of the environment where global `iam_primary_roles` is provisioned | `string` | `"gbl"` | no | -| [iam\_primary\_roles\_stage\_name](#input\_iam\_primary\_roles\_stage\_name) | The name of the stage where `iam_primary_roles` is provisioned | `string` | `"identity"` | no | -| [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | -| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [runner\_chart\_image](#input\_runner\_chart\_image) | Controller Helm chart name. | `string` | `"actions-runner"` | no | -| [runner\_chart\_values](#input\_runner\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [runner\_configurations](#input\_runner\_configurations) | List of maps to create runners from | `list(map(string))` | n/a | yes | -| [runner\_type](#input\_runner\_type) | Default choice if not defined in runner\_configurations | `string` | `"small"` | no | -| [runner\_types](#input\_runner\_types) | Map to define resources limits and requests |
map(object({
resources = object({
limits = object({
cpu = string,
memory = string
}),
requests = object({
cpu = string,
memory = string
})
})
}))
|
{
"small": {
"resources": {
"limits": {
"cpu": "3",
"memory": "12Gi"
},
"requests": {
"cpu": "1",
"memory": "1Gi"
}
}
}
}
| no | -| [service\_account\_name](#input\_service\_account\_name) | Kubernetes ServiceAccount name. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | -| [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace where service account is deployed. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. 
Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [autoscale_type](#input_autoscale_type) | Default choice if not defined in autoscale_types | `string` | `"low_concurrency"` | no | +| [autoscale_types](#input_autoscale_types) | Map to define HRA CRD scaling configurations |
map(object({
minReplicas = number,
maxReplicas = number
metrics = object({
type = string,
scaleUpThreshold = number,
scaleDownThreshold = number,
scaleUpAdjustment = number,
scaleDownAdjustment = number
})
}))
|
{
"low_concurrency": {
"maxReplicas": 8,
"metrics": {
"scaleDownAdjustment": 1,
"scaleDownThreshold": 0.3,
"scaleUpAdjustment": 1,
"scaleUpThreshold": 0.75,
"type": "PercentageRunnersBusy"
},
"minReplicas": 1
}
}
| no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [controller_chart_image](#input_controller_chart_image) | Image to use for controller | `string` | `"summerwind/actions-runner-controller"` | no | +| [controller_chart_image_tag](#input_controller_chart_image_tag) | Tag to use for controller image | `string` | `"v0.19.0"` | no | +| [controller_chart_name](#input_controller_chart_name) | Controller Helm chart name. | `string` | `"actions-runner-controller"` | no | +| [controller_chart_namespace](#input_controller_chart_namespace) | Controller kubernetes namespace. | `string` | `"actions-runner-system"` | no | +| [controller_chart_namespace_create](#input_controller_chart_namespace_create) | Controller kubernetes namespace created if not present | `bool` | `true` | no | +| [controller_chart_release_name](#input_controller_chart_release_name) | Controller Helm chart release name. | `string` | `"actions-runner-controller"` | no | +| [controller_chart_repo](#input_controller_chart_repo) | Controller Helm chart repository name. | `string` | `"https://actions-runner-controller.github.io/actions-runner-controller"` | no | +| [controller_chart_values](#input_controller_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [controller_chart_version](#input_controller_chart_version) | Controller Helm chart version. | `string` | `"0.12.8"` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam_policy_statements](#input_iam_policy_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `[]` | no | +| [iam_primary_roles_environment_name](#input_iam_primary_roles_environment_name) | The name of the environment where global `iam_primary_roles` is provisioned | `string` | `"gbl"` | no | +| [iam_primary_roles_stage_name](#input_iam_primary_roles_stage_name) | The name of the stage where `iam_primary_roles` is provisioned | `string` | `"identity"` | no | +| [iam_role_enabled](#input_iam_role_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | +| [iam_source_json_url](#input_iam_source_json_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [runner_chart_image](#input_runner_chart_image) | Controller Helm chart name. | `string` | `"actions-runner"` | no | +| [runner_chart_values](#input_runner_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [runner_configurations](#input_runner_configurations) | List of maps to create runners from | `list(map(string))` | n/a | yes | +| [runner_type](#input_runner_type) | Default choice if not defined in runner_configurations | `string` | `"small"` | no | +| [runner_types](#input_runner_types) | Map to define resources limits and requests |
map(object({
resources = object({
limits = object({
cpu = string,
memory = string
}),
requests = object({
cpu = string,
memory = string
})
})
}))
|
{
"small": {
"resources": {
"limits": {
"cpu": "3",
"memory": "12Gi"
},
"requests": {
"cpu": "1",
"memory": "1Gi"
}
}
}
}
| no | +| [service_account_name](#input_service_account_name) | Kubernetes ServiceAccount name. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | +| [service_account_namespace](#input_service_account_namespace) | Kubernetes Namespace where service account is deployed. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [kms\_alias](#output\_kms\_alias) | KMS alias | -| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS key ARN | -| [release\_name](#output\_release\_name) | Name of the release | -| [release\_namespace](#output\_release\_namespace) | Namespace of the release | -| [service\_account\_role\_arn](#output\_service\_account\_role\_arn) | Service Account role ARN | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------- | ------------------------ | +| [kms_alias](#output_kms_alias) | KMS alias | +| [kms_key_arn](#output_kms_key_arn) | KMS key ARN | +| [release_name](#output_release_name) | Name of the release | +| [release_namespace](#output_release_namespace) | Namespace of the release | +| [service_account_role_arn](#output_service_account_role_arn) | Service Account role ARN | + ## References - [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) - Github Repo -- [summerwind/actions-runner-controller source](https://github.com/summerwind/actions-runner-controller/blob/master/charts/actions-runner-controller/values.yaml) - Helm Chart +- [summerwind/actions-runner-controller source](https://github.com/summerwind/actions-runner-controller/blob/master/charts/actions-runner-controller/values.yaml) - + Helm Chart [](https://cpco.io/component) diff --git a/deprecated/guardduty/common/README.md b/deprecated/guardduty/common/README.md index 3135006e8..51d0f351d 100644 --- a/deprecated/guardduty/common/README.md +++ b/deprecated/guardduty/common/README.md 
@@ -1,24 +1,41 @@ # Component: `guardduty/common` -This component is responsible for configuring GuardDuty and it should be used in tandem with the [guardduty/root](../root) component. +This component is responsible for configuring GuardDuty and it should be used in tandem with the +[guardduty/root](../root) component. -AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security threats. +AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by +continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources +within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security +threats. Key features and components of AWS GuardDuty include: -- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event logs and network traffic data to detect patterns, anomalies, and known attack techniques. +- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence + to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event + logs and network traffic data to detect patterns, anomalies, and known attack techniques. -- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global community to enhance its detection capabilities. 
It uses this intelligence to identify known malicious IP addresses, domains, and other indicators of compromise. +- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global + community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, + domains, and other indicators of compromise. -- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS Lambda for immediate action or custom response workflows. +- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be + delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS + Lambda for immediate action or custom response workflows. -- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security policies and practices. +- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and + monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security + policies and practices. -- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of security incidents and reduces the need for manual intervention. 
+- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS + Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of + security incidents and reduces the need for manual intervention. -- Security findings and reports: GuardDuty provides detailed security findings and reports that include information about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed through the AWS Management Console or retrieved via APIs for further analysis and reporting. +- Security findings and reports: GuardDuty provides detailed security findings and reports that include information + about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed + through the AWS Management Console or retrieved via APIs for further analysis and reporting. -GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations with an additional layer of security to proactively identify and respond to potential security risks. +GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations +with an additional layer of security to proactively identify and respond to potential security risks. ## Usage 
@@ -70,31 +87,32 @@ atmos terraform apply guardduty/common-uw1 -s core-uw1-security ``` + ## Requirements No requirements. ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | -| [awsutils](#provider\_awsutils) | n/a | +| Name | Version | +| --------------------------------------------------------------- | ------- | +| [aws](#provider_aws) | n/a | +| [awsutils](#provider_awsutils) | n/a | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [guardduty](#module\_guardduty) | cloudposse/guardduty/aws | 0.5.0 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [guardduty](#module_guardduty) | cloudposse/guardduty/aws | 0.5.0 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | ## Resources -| Name | Type | -|------|------| -| [awsutils_guardduty_organization_settings.this](https://registry.terraform.io/providers/hashicorp/awsutils/latest/docs/resources/guardduty_organization_settings) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [awsutils_guardduty_organization_settings.this](https://registry.terraform.io/providers/hashicorp/awsutils/latest/docs/resources/guardduty_organization_settings) | resource | +| 
[aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs @@ -102,16 +120,18 @@ No inputs. ## Outputs -| Name | Description | -|------|-------------| -| [guardduty\_detector\_arn](#output\_guardduty\_detector\_arn) | GuardDuty detector ARN | -| [guardduty\_detector\_id](#output\_guardduty\_detector\_id) | GuardDuty detector ID | -| [sns\_topic\_name](#output\_sns\_topic\_name) | SNS topic name | -| [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | SNS topic subscriptions | +| Name | Description | +| -------------------------------------------------------------------------------------------------------- | ----------------------- | +| [guardduty_detector_arn](#output_guardduty_detector_arn) | GuardDuty detector ARN | +| [guardduty_detector_id](#output_guardduty_detector_id) | GuardDuty detector ID | +| [sns_topic_name](#output_sns_topic_name) | SNS topic name | +| [sns_topic_subscriptions](#output_sns_topic_subscriptions) | SNS topic subscriptions | + ## References -* [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) -* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/common/) + +- [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) +- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/common/) [](https://cpco.io/component) diff --git a/deprecated/guardduty/root/README.md b/deprecated/guardduty/root/README.md index eb9b5c914..b83d512b4 100644 --- a/deprecated/guardduty/root/README.md +++ b/deprecated/guardduty/root/README.md 
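Review bot: The escaped underscores dropped from the table anchors in the Modules and Outputs hunks (`[guardduty\_detector\_arn](#output\_guardduty\_detector\_arn)` becoming `[guardduty_detector_arn](#output_guardduty_detector_arn)`, `[account\_map](#module\_account\_map)` likewise) are the form terraform-docs writes into these generated sections, so the next docs regeneration will flip every one of these lines back unless the generated block is excluded from prettier (a `.prettierignore` entry or `<!-- prettier-ignore -->` around the terraform-docs markers) or the generator is configured to match. Both spellings resolve to the same anchor, so this is churn rather than a correctness problem, but it will repeat on every docs run.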
@@ -1,8 +1,10 @@ # Component: `guardduty/root` -This component should be used in tandem with the [guardduty/common](../common/) component. Please take a look at [guardduty/common/README](../common/README.md) for more information about GuardDuty and deployment steps. +This component should be used in tandem with the [guardduty/common](../common/) component. Please take a look at +[guardduty/common/README](../common/README.md) for more information about GuardDuty and deployment steps. -This component is responsible for delegating the AWS GuardDuty administrator accounts to the appropriate account(s). It should be deployed to every region for the root account in the AWS Organization. +This component is responsible for delegating the AWS GuardDuty administrator accounts to the appropriate account(s). It +should be deployed to every region for the root account in the AWS Organization. ## Usage 
@@ -24,75 +26,79 @@ components: ## Deployment -Please see instructions in [guardduty/common/README](../common/README.md) for information on how to deploy both components. +Please see instructions in [guardduty/common/README](../common/README.md) for information on how to deploy both +components. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [awsutils](#requirement\_awsutils) | >= 0.16.0 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [awsutils](#requirement_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | -| [utils](#module\_utils) | cloudposse/utils/aws | 1.3.0 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| [utils](#module_utils) | cloudposse/utils/aws | 1.3.0 | ## Resources -| Name | Type | -|------|------| -| [aws_guardduty_detector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | +| Name | 
Type | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | +| [aws_guardduty_detector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | | [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrator\_account](#input\_administrator\_account) | The name of the account that is the GuardDuty administrator account | `string` | `null` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrator_account](#input_administrator_account) | The name of the account that is the GuardDuty administrator account | `string` | `null` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs No outputs. + ## References -* [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) -* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/root/) + +- [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) +- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/root/) [](https://cpco.io/component) diff --git a/deprecated/iam-delegated-roles/README.md b/deprecated/iam-delegated-roles/README.md index fd40c6e8a..109abbcaa 100644 --- a/deprecated/iam-delegated-roles/README.md +++ b/deprecated/iam-delegated-roles/README.md 
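Review bot: The separator rows in the rewritten Inputs table (`+| ------…` running to several hundred dashes per column) are prettier padding each column to its longest cell, and the longest cells here, the `context` default JSON, the `descriptor_formats` description and the `labels_as_tags` default, contain embedded newlines that already break the Markdown table row, so the padding gains nothing in rendering and turns every future edit of this generated table into a multi-kilobyte diff. Suggest keeping the compact `|------|` separators by excluding the terraform-docs block from prettier rather than committing the widened form.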
@@ -1,15 +1,24 @@ # Component: `iam-delegated-roles` -This component is responsible for provisioning all user and system IAM roles. It sets them up to be assumed from the primary, `identity` account roles. This is expected to be used alongside and applied after [the `iam-primary-roles` component][1] is applied to the identity account. +This component is responsible for provisioning all user and system IAM roles. It sets them up to be assumed from the +primary, `identity` account roles. This is expected to be used alongside and applied after [the `iam-primary-roles` +component][1] is applied to the identity account. ## Usage -**Stack Level**: Global -**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Global **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -Here's an example snippet for how to use this component. This specific usage is intended to be used as the default, and is therefore more restrictive than you may want for development accounts, and not restrictive enough for sensitive accounts like `audit`. You can make account-specific changes by importing this default configuration and then overriding settings, for example by setting `enabled: false` for roles you do not want created in that account, limiting access by setting a different value for `trusted_primary_roles`, or by changing the permissions available to that role by overriding the `role_policy_arns` (not recommended, limit access to the role instead). +Here's an example snippet for how to use this component. This specific usage is intended to be used as the default, and +is therefore more restrictive than you may want for development accounts, and not restrictive enough for sensitive +accounts like `audit`. 
You can make account-specific changes by importing this default configuration and then overriding +settings, for example by setting `enabled: false` for roles you do not want created in that account, limiting access by +setting a different value for `trusted_primary_roles`, or by changing the permissions available to that role by +overriding the `role_policy_arns` (not recommended, limit access to the role instead). -Note that when overriding, **maps are deep merged, but lists are replaced**. This means, for example, that your setting of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the list, too, or they will lose access. +Note that when overriding, **maps are deep merged, but lists are replaced**. This means, for example, that your setting +of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to +allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the +list, too, or they will lose access. ```yaml components: @@ -25,8 +34,7 @@ components: # `template` serves as the default configuration for other roles via the YAML anchor. # However, `atmos` does not support "import" of YAML anchors, so if you define a new role # in another file, you will not be able to reference this anchor. - template: &user-template - # If `enabled: false`, the role will not be created in this account + template: &user-template # If `enabled: false`, the role will not be created in this account enabled: false # `max_session_duration` set the maximum session duration (in seconds) for the IAM roles. 
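Review bot: In the `@@ -25,8 +34,7 @@` hunk the comment `# If `enabled: false`, the role will not be created in this account` was pulled up onto the `template: &user-template` line, which detaches it from the `enabled: false` key it documents and makes it read as a comment on the anchor itself. Either exclude this YAML block from prettier or attach the comment to the key it describes, e.g. `enabled: false # the role is not created in this account unless overridden to true`. In the `@@ -1,15 +1,24 @@` hunk, joining `**Stack Level**: Global` and `**Deployment**: ...` onto one line is rendering-neutral in Markdown, but if a line break between them was intended, end the first line with a backslash or two trailing spaces so the formatter preserves it.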
@@ -79,7 +87,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Full administration of this account" trusted_primary_roles: ["admin"] trusted_permission_sets: ["AdministratorAccess"] @@ -88,7 +96,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Role for Helm administration of this account" trusted_primary_roles: ["admin", "cicd"] # Unfortunately, we have not yet figured out acceptable limits on Helm. @@ -99,7 +107,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Role for Terraform administration of this account" trusted_primary_roles: ["admin", "spacelift"] # We require Terraform to be allowed to create and modify IAM roles @@ -113,8 +121,8 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/PowerUserAccess" - - "support" + - "arn:aws:iam::aws:policy/PowerUserAccess" + - "support" role_description: "Role for Power Users (read/write)" trusted_primary_roles: ["admin", "poweruser"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess"] @@ -124,7 +132,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "support" + - "support" role_description: "Role with permissions for accessing the AWS Support Service" # Terraform is too powerful a role to allow powerusers to access it trusted_primary_roles: ["admin", "support"] 
@@ -141,150 +149,151 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - - "support" + - "arn:aws:iam::aws:policy/ReadOnlyAccess" + - "support" role_description: "Read Only access (including reading S3 and other sensitive information)" trusted_primary_roles: ["admin", "cicd", "poweruser", "reader", "spacelift"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess"] - observer: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "support" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "support" role_description: "View Only access" trusted_primary_roles: ["admin", "observer", "poweruser", "reader"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess"] - ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | ~> 4.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | ~> 4.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 4.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | ~> 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [assume\_role](#module\_assume\_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | -| [iam\_roles](#module\_iam\_roles) | ../../modules/account-map/modules/iam-roles | n/a | -| [sso](#module\_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------------- | 
------- | +| [assume_role](#module_assume_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | +| [iam_roles](#module_iam_roles) | ../../modules/account-map/modules/iam-roles | n/a | +| [sso](#module_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_iam_policy.billing_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.billing_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy.aws_billing_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy.aws_billing_read_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| 
[aws_iam_policy.billing_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.billing_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.aws_billing_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_billing_read_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.billing_admin_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam\_primary\_roles\_account\_name](#input\_iam\_primary\_roles\_account\_name) | The name of the account where the IAM primary roles are provisioned | `string` | `"identity"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [roles](#input\_roles) | A roles map to configure the accounts. |
map(object({
enabled = bool

denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam_primary_roles_account_name](#input_iam_primary_roles_account_name) | The name of the account where the IAM primary roles are provisioned | `string` | `"identity"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [roles](#input_roles) | A roles map to configure the accounts. |
map(object({
enabled = bool

denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [role\_long\_name\_policy\_arn\_map](#output\_role\_long\_name\_policy\_arn\_map) | Map of role long names to attached IAM Policy ARNs | -| [role\_name\_role\_arn\_map](#output\_role\_name\_role\_arn\_map) | Map of role names to role ARNs | +| Name | Description | +| -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | +| [role_long_name_policy_arn_map](#output_role_long_name_policy_arn_map) | Map of role long names to attached IAM Policy ARNs | +| [role_name_role_arn_map](#output_role_name_role_arn_map) | Map of role names to role ARNs | + ## References -* [cloudposse/terraform-aws-components][44] - Cloud Posse's upstream component + +- [cloudposse/terraform-aws-components][44] - Cloud Posse's upstream component [][45] -[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles -[2]: #requirement%5C_terraform -[3]: #requirement%5C_aws -[4]: #requirement%5C_local -[5]: #requirement%5C_template -[6]: #requirement%5C_utils -[7]: #provider%5C_aws -[8]: #module%5C_assume%5C_role -[9]: #module%5C_iam%5C_roles -[10]: #module%5C_sso -[11]: #module%5C_this -[12]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role -[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment -[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy -[16]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[20]: #input%5C_additional%5C_tag%5C_map -[21]: #input%5C_attributes -[22]: #input%5C_context -[23]: #input%5C_delimiter -[24]: #input%5C_descriptor%5C_formats -[25]: #input%5C_enabled -[26]: #input%5C_environment -[27]: #input%5C_iam%5C_primary%5C_roles%5C_account%5C_name -[28]: #input%5C_id%5C_length%5C_limit -[29]: #input%5C_import%5C_role%5C_arn -[30]: #input%5C_label%5C_key%5C_case -[31]: #input%5C_label%5C_order -[32]: #input%5C_label%5C_value%5C_case -[33]: #input%5C_labels%5C_as%5C_tags -[34]: #input%5C_name -[35]: #input%5C_namespace -[36]: #input%5C_regex%5C_replace%5C_chars -[37]: #input%5C_region -[38]: #input%5C_roles -[39]: #input%5C_stage -[40]: #input%5C_tags -[41]: #input%5C_tenant -[42]: #output%5C_role%5C_long%5C_name%5C_policy%5C_arn%5C_map -[43]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map -[44]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO -[45]: https://cpco.io/component +[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles +[2]: #requirement%5C_terraform +[3]: #requirement%5C_aws +[4]: #requirement%5C_local +[5]: #requirement%5C_template +[6]: #requirement%5C_utils +[7]: #provider%5C_aws +[8]: #module%5C_assume%5C_role +[9]: #module%5C_iam%5C_roles +[10]: #module%5C_sso +[11]: #module%5C_this +[12]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role +[14]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment +[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy +[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[20]: #input%5C_additional%5C_tag%5C_map +[21]: #input%5C_attributes +[22]: #input%5C_context +[23]: #input%5C_delimiter +[24]: #input%5C_descriptor%5C_formats +[25]: #input%5C_enabled +[26]: #input%5C_environment +[27]: #input%5C_iam%5C_primary%5C_roles%5C_account%5C_name +[28]: #input%5C_id%5C_length%5C_limit +[29]: #input%5C_import%5C_role%5C_arn +[30]: #input%5C_label%5C_key%5C_case +[31]: #input%5C_label%5C_order +[32]: #input%5C_label%5C_value%5C_case +[33]: #input%5C_labels%5C_as%5C_tags +[34]: #input%5C_name +[35]: #input%5C_namespace +[36]: #input%5C_regex%5C_replace%5C_chars +[37]: #input%5C_region +[38]: #input%5C_roles +[39]: #input%5C_stage +[40]: #input%5C_tags +[41]: #input%5C_tenant +[42]: #output%5C_role%5C_long%5C_name%5C_policy%5C_arn%5C_map +[43]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map +[44]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO +[45]: https://cpco.io/component diff --git a/deprecated/iam-primary-roles/README.md b/deprecated/iam-primary-roles/README.md index f86f57c53..5434716cc 100644 --- a/deprecated/iam-primary-roles/README.md +++ b/deprecated/iam-primary-roles/README.md 
@@ -1,30 +1,47 @@ # Component: `iam-primary-roles` -This component is responsible for provisioning all primary user and system roles into the centralized identity account. This is expected to be use alongside [the `iam-delegated-roles` component][1] to provide fine grained role delegation across the account hierarchy. +This component is responsible for provisioning all primary user and system roles into the centralized identity account. +This is expected to be use alongside [the `iam-delegated-roles` component][1] to provide fine grained role delegation +across the account hierarchy. ### Roles are Really Groups -The roles created in the `identity` account by this module can be thought of as access control "groups": a user who is allowed to assume one of these roles gets access to a set of roles (and corresponding permissions) across a set of accounts. Generally, there is nothing else provisioned in the `identity` account so the roles have limited access to resources in the `identity` account by design. + +The roles created in the `identity` account by this module can be thought of as access control "groups": a user who is +allowed to assume one of these roles gets access to a set of roles (and corresponding permissions) across a set of +accounts. Generally, there is nothing else provisioned in the `identity` account so the roles have limited access to +resources in the `identity` account by design. ### Group Privileges are Defined in Each Account by `iam-delegated-roles` -Every account besides the `identity` account has a set of IAM roles created by the `iam-delegated-roles` component. In that component, the account's roles are assigned privileges and access to those roles is defined in a number of ways. One way is by listing roles created by this component as "trusted" (`trusted_primary_roles`), meaning that users who have access to the role in the `identity` account are allowed (trusted) to assume the role configured in the target account. 
+ +Every account besides the `identity` account has a set of IAM roles created by the `iam-delegated-roles` component. In +that component, the account's roles are assigned privileges and access to those roles is defined in a number of ways. +One way is by listing roles created by this component as "trusted" (`trusted_primary_roles`), meaning that users who +have access to the role in the `identity` account are allowed (trusted) to assume the role configured in the target +account. ### Role Access is Enabled by SAML and/or AWS SSO configuration + Users can again access to a role in the `identity` account through either (or both) of 2 mechanisms: #### SAML Access -- SAML access is globally configured via the `sso` component, enabling an external SAML Identity Provider (IdP) to control access to roles in the `identity` account. (SAML access can be separately configured for other accounts, see the `sso` and `iam-delegated-roles` components for more on that.) + +- SAML access is globally configured via the `sso` component, enabling an external SAML Identity Provider (IdP) to + control access to roles in the `identity` account. (SAML access can be separately configured for other accounts, see + the `sso` and `iam-delegated-roles` components for more on that.) - Individual roles are enabled for SAML access by setting `sso_login_enabled: true` in the role configuration. - Individual users are granted access to these roles by configuration in the SAML IdP. #### AWS SSO Access -The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles in the `identity` account. See the `aws-sso` component for details. + +The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles in the `identity` +account. See the `aws-sso` component for details. 
## Usage -**Stack Level**: Global -**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Global **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -Here's an example snippet for how to use this component. The component should only be applied once, which is typically done via the identity stack (e.g. `gbl-identity.yaml`). +Here's an example snippet for how to use this component. The component should only be applied once, which is typically +done via the identity stack (e.g. `gbl-identity.yaml`). ```yaml components: @@ -68,8 +85,8 @@ components: # you can use keys in the `custom_policy_map` in `main.tf` to select policies defined in the component. # If you are using keys from the map, plans look better if you put them after the real role ARNs. role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "delegated_assume_role" role_description: "Role restricted to viewing resources in the identity account" # If `sso_login_enabled: true` then the role will be available via SAML logins. # Otherwise, it will only be accessible via `assume role`. 
@@ -97,31 +114,31 @@ components: <<: *user-template role_description: Role for our privileged CI/CD Runner role_policy_arns: - - cicd - - delegated_assume_role + - cicd + - delegated_assume_role sso_login_enabled: false trusted_primary_roles: - - admin + - admin trusted_role_arns: - - arn:aws:iam::123456789012:role/eg-uw2-auto-gh-runner + - arn:aws:iam::123456789012:role/eg-uw2-auto-gh-runner spacelift: <<: *user-template role_description: Role for Spacelift role_policy_arns: - - delegated_assume_role + - delegated_assume_role sso_login_enabled: false trusted_primary_roles: - - admin + - admin trusted_role_arns: - - arn:aws:iam::123456789012:role/eg-uw2-auto-spacelift-worker-pool-admin + - arn:aws:iam::123456789012:role/eg-uw2-auto-spacelift-worker-pool-admin security: - <<: *user-template - role_description: "Full Administrative Access to the Security accounts" - sso_login_enabled: true - denied_primary_roles: ["admin", "poweruser", "terraform"] - trusted_permission_sets: ["IdentitySecurityRoleAccess"] + <<: *user-template + role_description: "Full Administrative Access to the Security accounts" + sso_login_enabled: true + denied_primary_roles: ["admin", "poweruser", "terraform"] + trusted_permission_sets: ["IdentitySecurityRoleAccess"] delegated_roles_config: admin: 
@@ -138,20 +155,20 @@ components: <<: *user-template role_description: Role for Power Users (read/write) role_policy_arns: - - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess - - delegated_assume_role + - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess + - delegated_assume_role sso_login_enabled: true trusted_primary_roles: - - admin - - poweruser + - admin + - poweruser trusted_permission_sets: ["IdentityPoweruserRoleAccess"] # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20 support: <<: *user-template role_policy_arns: - - "arn:aws:iam::aws:policy/AWSSupportAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/AWSSupportAccess" + - "delegated_assume_role" role_description: "Role with permissions for accessing the AWS Support Service" sso_login_enabled: true # Terraform is too powerful a role to allow powerusers to access it @@ -162,8 +179,8 @@ components: <<: *user-template sso_login_enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/ReadOnlyAccess" + - "delegated_assume_role" role_description: "Read Only access (including reading S3 and other sensitive information)" trusted_primary_roles: ["admin", "poweruser"] trusted_permission_sets: ["IdentityReaderRoleAccess"] 
@@ -172,165 +189,165 @@ components: <<: *user-template sso_login_enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "delegated_assume_role" role_description: "View Only access (excludes access to most sensitive information)" - trusted_primary_roles: ["admin","poweruser", "reader"] + trusted_primary_roles: ["admin", "poweruser", "reader"] trusted_permission_sets: ["IdentityObserverRoleAccess"] - ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | ~> 4 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | ~> 4 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | ~> 4 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | ~> 4 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [assume\_role](#module\_assume\_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | -| [iam\_roles](#module\_iam\_roles) | ../../modules/account-map/modules/iam-roles | n/a | -| [sso](#module\_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [assume_role](#module_assume_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | +| 
[iam_roles](#module_iam_roles) | ../../modules/account-map/modules/iam-roles | n/a | +| [sso](#module_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_iam_policy.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [aws_iam_policy.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| 
[account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delegated\_roles\_config](#input\_delegated\_roles\_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [primary\_roles\_config](#input\_primary\_roles\_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [sso\_environment\_name](#input\_sso\_environment\_name) | The name of the environment where SSO is provisioned | `string` | `"gbl"` | no | -| [sso\_stage\_name](#input\_sso\_stage\_name) | The name of the stage where SSO is provisioned | `string` | `"identity"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delegated_roles_config](#input_delegated_roles_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [primary_roles_config](#input_primary_roles_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [sso_environment_name](#input_sso_environment_name) | The name of the environment where SSO is provisioned | `string` | `"gbl"` | no | +| [sso_stage_name](#input_sso_stage_name) | The name of the stage where SSO is provisioned | `string` | `"identity"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [delegated\_role\_arns](#output\_delegated\_role\_arns) | List of delegated role ARNs | -| [delegated\_role\_name\_role\_arn\_map](#output\_delegated\_role\_name\_role\_arn\_map) | Map of delegated role names to role ARNs | -| [delegated\_role\_names](#output\_delegated\_role\_names) | List of delegated role names | -| [delegated\_roles\_config](#output\_delegated\_roles\_config) | Map of delegated role config with name, target arn, and description | -| [primary\_roles\_config](#output\_primary\_roles\_config) | Map of role config with name, target arn, and description | -| [role\_arns](#output\_role\_arns) | List of role ARNs | -| [role\_name\_role\_arn\_map](#output\_role\_name\_role\_arn\_map) | Map of role names to role ARNs | -| [role\_names](#output\_role\_names) | List of role names | - +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | +| [delegated_role_arns](#output_delegated_role_arns) | List of delegated role ARNs | +| [delegated_role_name_role_arn_map](#output_delegated_role_name_role_arn_map) | Map of delegated role names to role ARNs | +| [delegated_role_names](#output_delegated_role_names) | List of delegated role names | +| [delegated_roles_config](#output_delegated_roles_config) | Map of delegated role config with name, target arn, and description | +| [primary_roles_config](#output_primary_roles_config) | Map of role config with name, target arn, and description | +| [role_arns](#output_role_arns) | List of role ARNs | +| 
[role_name_role_arn_map](#output_role_name_role_arn_map) | Map of role names to role ARNs | +| [role_names](#output_role_names) | List of role names | + ## References - * [cloudposse/terraform-aws-components][60] - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components][60] - Cloud Posse's upstream component [][61] -[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-delegated-roles -[2]: #requirement%5C_terraform -[3]: #requirement%5C_aws -[4]: #requirement%5C_local -[5]: #requirement%5C_template -[6]: #requirement%5C_utils -[7]: #provider%5C_aws -[8]: #module%5C_account%5C_map -[9]: #module%5C_assume%5C_role -[10]: #module%5C_iam%5C_roles -[11]: #module%5C_sso -[12]: #module%5C_this -[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role -[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment -[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy -[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[20]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[21]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[22]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[23]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[24]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[25]: 
#input%5C_account%5C_map%5C_environment%5C_name -[26]: #input%5C_account%5C_map%5C_stage%5C_name -[27]: #input%5C_additional%5C_tag%5C_map -[28]: #input%5C_attributes -[29]: #input%5C_context -[30]: #input%5C_delegated%5C_roles%5C_config -[31]: #input%5C_delimiter -[32]: #input%5C_descriptor%5C_formats -[33]: #input%5C_enabled -[34]: #input%5C_environment -[35]: #input%5C_id%5C_length%5C_limit -[36]: #input%5C_identity%5C_account%5C_stage%5C_name -[37]: #input%5C_import%5C_role%5C_arn -[38]: #input%5C_label%5C_key%5C_case -[39]: #input%5C_label%5C_order -[40]: #input%5C_label%5C_value%5C_case -[41]: #input%5C_labels%5C_as%5C_tags -[42]: #input%5C_name -[43]: #input%5C_namespace -[44]: #input%5C_primary%5C_roles%5C_config -[45]: #input%5C_regex%5C_replace%5C_chars -[46]: #input%5C_region -[47]: #input%5C_sso%5C_environment%5C_name -[48]: #input%5C_sso%5C_stage%5C_name -[49]: #input%5C_stage -[50]: #input%5C_tags -[51]: #input%5C_tenant -[52]: #output%5C_delegated%5C_role%5C_arns -[53]: #output%5C_delegated%5C_role%5C_name%5C_role%5C_arn%5C_map -[54]: #output%5C_delegated%5C_role%5C_names -[55]: #output%5C_delegated%5C_roles%5C_config -[56]: #output%5C_primary%5C_roles%5C_config -[57]: #output%5C_role%5C_arns -[58]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map -[59]: #output%5C_role%5C_names -[60]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles -[61]: https://cpco.io/component +[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-delegated-roles +[2]: #requirement%5C_terraform +[3]: #requirement%5C_aws +[4]: #requirement%5C_local +[5]: #requirement%5C_template +[6]: #requirement%5C_utils +[7]: #provider%5C_aws +[8]: #module%5C_account%5C_map +[9]: #module%5C_assume%5C_role +[10]: #module%5C_iam%5C_roles +[11]: #module%5C_sso +[12]: #module%5C_this +[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[14]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role +[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment +[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy +[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[20]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[21]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[22]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[23]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[24]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[25]: #input%5C_account%5C_map%5C_environment%5C_name +[26]: #input%5C_account%5C_map%5C_stage%5C_name +[27]: #input%5C_additional%5C_tag%5C_map +[28]: #input%5C_attributes +[29]: #input%5C_context +[30]: #input%5C_delegated%5C_roles%5C_config +[31]: #input%5C_delimiter +[32]: #input%5C_descriptor%5C_formats +[33]: #input%5C_enabled +[34]: #input%5C_environment +[35]: #input%5C_id%5C_length%5C_limit +[36]: #input%5C_identity%5C_account%5C_stage%5C_name +[37]: #input%5C_import%5C_role%5C_arn +[38]: #input%5C_label%5C_key%5C_case +[39]: #input%5C_label%5C_order +[40]: #input%5C_label%5C_value%5C_case +[41]: #input%5C_labels%5C_as%5C_tags +[42]: #input%5C_name +[43]: #input%5C_namespace +[44]: #input%5C_primary%5C_roles%5C_config +[45]: #input%5C_regex%5C_replace%5C_chars +[46]: #input%5C_region +[47]: #input%5C_sso%5C_environment%5C_name +[48]: 
#input%5C_sso%5C_stage%5C_name +[49]: #input%5C_stage +[50]: #input%5C_tags +[51]: #input%5C_tenant +[52]: #output%5C_delegated%5C_role%5C_arns +[53]: #output%5C_delegated%5C_role%5C_name%5C_role%5C_arn%5C_map +[54]: #output%5C_delegated%5C_role%5C_names +[55]: #output%5C_delegated%5C_roles%5C_config +[56]: #output%5C_primary%5C_roles%5C_config +[57]: #output%5C_role%5C_arns +[58]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map +[59]: #output%5C_role%5C_names +[60]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles +[61]: https://cpco.io/component diff --git a/deprecated/securityhub/securityhub/common/README.md b/deprecated/securityhub/securityhub/common/README.md index 21e1e3761..e53c8ed53 100644 --- a/deprecated/securityhub/securityhub/common/README.md +++ b/deprecated/securityhub/securityhub/common/README.md 
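Review bot: every `[n]:` reference definition in this hunk is removed and re-added with identical visible text (a whitespace or line-ending change), so this is the moment to fix the anchors they carry: `%5C` is the URL-encoding of a backslash, so `#requirement%5C_terraform` resolves to the fragment `requirement\_terraform`, which does not match the `requirement_terraform` heading anchor that the same patch now writes in the inline links of the other READMEs (compare `+| [terraform](#requirement_terraform)` in securityhub/common). Dropping the `%5C` from `[2]` through `[59]` makes the reference-style links land on their headings. Also worth a look while here: `[1]` points at `modules/iam-delegated-roles` while `[60]`, the "upstream component" link for this README, points at `modules/iam-primary-roles`; only one of those can be the upstream of this component.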
@@ -1,28 +1,48 @@ # Component: `securityhub/common` -This component is responsible for configuring Security Hub and it should be used in tandem with the [securityhub/root](../root) component. +This component is responsible for configuring Security Hub and it should be used in tandem with the +[securityhub/root](../root) component. -Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and integrated partner solutions. +Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and +resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and +integrated partner solutions. Here are the key features and capabilities of Amazon Security Hub: -- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture across the entire AWS environment. +- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage + security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture + across the entire AWS environment. -- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS CIS Foundations Benchmark, to identify potential security issues. +- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, + configurations, and security best practices. 
It leverages industry standards and compliance frameworks, such as AWS + CIS Foundations Benchmark, to identify potential security issues. -- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party security products and solutions. This integration enables the ingestion and analysis of security findings from diverse sources, offering a comprehensive security view. +- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party + security products and solutions. This integration enables the ingestion and analysis of security findings from diverse + sources, offering a comprehensive security view. -- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on remediation actions to ensure adherence to security best practices. +- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory + frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on + remediation actions to ensure adherence to security best practices. -- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security alerts, allowing for efficient threat response and remediation. +- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling + users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security + alerts, allowing for efficient threat response and remediation. 
-- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation capabilities to identify related security findings and potential attack patterns. +- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules + and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation + capabilities to identify related security findings and potential attack patterns. -- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced visibility, automated remediation, and streamlined security operations. +- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS + CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced + visibility, automated remediation, and streamlined security operations. -- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to receive real-time notifications of security findings. It also facilitates automation and response through integration with AWS Lambda, allowing for automated remediation actions. +- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to + receive real-time notifications of security findings. It also facilitates automation and response through integration + with AWS Lambda, allowing for automated remediation actions. 
-By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, and effectively manage security compliance across their AWS accounts and resources. +By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, +and effectively manage security compliance across their AWS accounts and resources. ## Usage 
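Review bot: the reflow is fine, but while the "Automated security checks" and "Security standards and compliance" bullets are being rewritten, "AWS CIS Foundations Benchmark" should read "CIS AWS Foundations Benchmark" (that is the standard's name, and it matches the `standards/cis-aws-foundations-benchmark/...` identifiers this component lists under `enabled_standards`), and the claim that Security Hub provides compliance checks for "PCI DSS, HIPAA, and GDPR" is not backed by any standard the component can enable: the `enabled_standards` examples in this same README are FSBP, CIS and PCI DSS only. Either drop HIPAA and GDPR or name the Security Hub standard that implements them, so the README does not promise checks the component cannot turn on.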
@@ -92,89 +112,92 @@ done ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [awsutils](#requirement\_awsutils) | >= 0.16.0 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [awsutils](#requirement_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | -| [awsutils](#provider\_awsutils) | >= 0.16.0 | +| Name | Version | +| --------------------------------------------------------------- | --------- | +| [aws](#provider_aws) | >= 4.0 | +| [awsutils](#provider_awsutils) | >= 0.16.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [security\_hub](#module\_security\_hub) | cloudposse/security-hub/aws | 0.10.0 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [security_hub](#module_security_hub) | cloudposse/security-hub/aws | 0.10.0 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | -| 
[aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [awsutils_security_hub_organization_settings.this](https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs/resources/security_hub_organization_settings) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | +| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | +| [awsutils_security_hub_organization_settings.this](https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs/resources/security_hub_organization_settings) | resource | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| 
[account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [admin\_delegated](#input\_admin\_delegated) | A flag to indicate if the Security Hub Admininstrator account has been designated from the root account.

This component should be applied with this variable set to `false`, then the securityhub/root component should be applied
to designate the administrator account, then this component should be applied again with this variable set to `true`. | `bool` | `false` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [central\_resource\_collector\_account](#input\_central\_resource\_collector\_account) | The name of the account that is the centralized aggregation account | `string` | n/a | yes | -| [central\_resource\_collector\_region](#input\_central\_resource\_collector\_region) | The region that collects findings | `string` | n/a | yes | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create\_sns\_topic](#input\_create\_sns\_topic) | Flag to indicate whether an SNS topic should be created for notifications | `bool` | `false` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enable\_default\_standards](#input\_enable\_default\_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled\_standards](#input\_enabled\_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [finding\_aggregator\_enabled](#input\_finding\_aggregator\_enabled) | Flag to indicate whether a finding aggregator should be created

If you want to aggregate findings from one region, set this to `true`.

For more information, see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_finding_aggregator | `bool` | `false` | no | -| [finding\_aggregator\_linking\_mode](#input\_finding\_aggregator\_linking\_mode) | Linking mode to use for the finding aggregator.

The possible values are:
- `ALL_REGIONS` - Aggregate from all regions
- `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions`
- `SPECIFIED_REGIONS` - Aggregate from regions specified in `var.finding_aggregator_regions` | `string` | `"ALL_REGIONS"` | no | -| [finding\_aggregator\_regions](#input\_finding\_aggregator\_regions) | A list of regions to aggregate findings from.

This is only used if `finding_aggregator_enabled` is `true`. | `any` | `null` | no | -| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [admin_delegated](#input_admin_delegated) | A flag to indicate if the Security Hub Admininstrator account has been designated from the root account.

This component should be applied with this variable set to `false`, then the securityhub/root component should be applied
to designate the administrator account, then this component should be applied again with this variable set to `true`. | `bool` | `false` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [central_resource_collector_account](#input_central_resource_collector_account) | The name of the account that is the centralized aggregation account | `string` | n/a | yes | +| [central_resource_collector_region](#input_central_resource_collector_region) | The region that collects findings | `string` | n/a | yes | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create_sns_topic](#input_create_sns_topic) | Flag to indicate whether an SNS topic should be created for notifications | `bool` | `false` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enable_default_standards](#input_enable_default_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled_standards](#input_enabled_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [finding_aggregator_enabled](#input_finding_aggregator_enabled) | Flag to indicate whether a finding aggregator should be created

If you want to aggregate findings from one region, set this to `true`.

For more information, see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_finding_aggregator | `bool` | `false` | no | +| [finding_aggregator_linking_mode](#input_finding_aggregator_linking_mode) | Linking mode to use for the finding aggregator.

The possible values are:
- `ALL_REGIONS` - Aggregate from all regions
- `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions`
- `SPECIFIED_REGIONS` - Aggregate from regions specified in `var.finding_aggregator_regions` | `string` | `"ALL_REGIONS"` | no | +| [finding_aggregator_regions](#input_finding_aggregator_regions) | A list of regions to aggregate findings from.

This is only used if `finding_aggregator_enabled` is `true`. | `any` | `null` | no | +| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [enabled\_subscriptions](#output\_enabled\_subscriptions) | A list of subscriptions that have been enabled | -| [sns\_topic\_name](#output\_sns\_topic\_name) | The SNS topic name that was created | -| [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | The SNS topic subscriptions | +| Name | Description | +| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | +| [enabled_subscriptions](#output_enabled_subscriptions) | A list of subscriptions that have been enabled | +| [sns_topic_name](#output_sns_topic_name) | The SNS topic name that was created | +| [sns_topic_subscriptions](#output_sns_topic_subscriptions) | The SNS topic subscriptions | + ## References -* [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) -* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/common/) + +- [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) +- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/common/) [](https://cpco.io/component) diff --git a/deprecated/securityhub/securityhub/root/README.md b/deprecated/securityhub/securityhub/root/README.md index 371a8a756..c0c74f1f1 100644 --- a/deprecated/securityhub/securityhub/root/README.md +++ b/deprecated/securityhub/securityhub/root/README.md 
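Review bot: the reflowed `admin_delegated` row carries the typo "Admininstrator" forward; this table is terraform-docs output, so the fix belongs in the variable's `description` in variables.tf, otherwise the next docs run reverts a README-only edit. Two more description problems in the same hunk are worth fixing at the source for the same reason: `finding_aggregator_enabled` says "If you want to aggregate findings from one region, set this to `true`", which reads backwards (an aggregator pulls findings from other regions into the region it is created in; something like "Set to `true` in the region that should receive findings from the regions selected by `finding_aggregator_linking_mode`" says what the flag does), and `finding_aggregator_regions` is typed `any` with default `null` while its description promises "a list of regions"; `list(string)` would let Terraform reject a wrong value at plan time instead of at apply.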
@@ -1,8 +1,10 @@ # Component: `securityhub/root` -This component should be used in tandem with the [securityhub/common](../common/) component. Please take a look at [securityhub/common/README](../common/README.md) for more information about Security Hub and deployment steps. +This component should be used in tandem with the [securityhub/common](../common/) component. Please take a look at +[securityhub/common/README](../common/README.md) for more information about Security Hub and deployment steps. -This component is responsible for delegating the AWS Security Hub administrator accounts to the appropriate account(s). It should be deployed to every region for the root account in the AWS Organization. +This component is responsible for delegating the AWS Security Hub administrator accounts to the appropriate account(s). +It should be deployed to every region for the root account in the AWS Organization. ## Usage @@ -15,7 +17,7 @@ components: terraform: securityhub/root: metadata: - component: securityhub/root + component: securityhub/root vars: enabled: true account_map_tenant: core 
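Review bot: the only change in the `@@ -15,7 +17,7 @@` hunk is whitespace on the `component: securityhub/root` line inside the YAML usage example, so please confirm the reindented line still nests under `metadata:` at the same depth as before. YAML indentation is semantic, and this is an example users copy into their stack configs; a shifted line would silently move `component` out of the `metadata` block without any error in the README itself. The `@@ -1,8 +1,10 @@` hunk only rewraps the two intro paragraphs at prettier's print width with no wording change, which is fine.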
@@ -30,76 +32,79 @@ components: Please see instructions in [securityhub/README](../common/README.md) for information on how to deploy both components. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | -| [awsutils](#requirement\_awsutils) | >= 0.16.0 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | +| [awsutils](#requirement_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | -| [aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | -| 
[aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | +| [aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | +| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrator\_account](#input\_administrator\_account) | The name of the account that is the Security Hub administrator account | `string` | `null` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enable\_default\_standards](#input\_enable\_default\_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled\_standards](#input\_enabled\_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrator_account](#input_administrator_account) | The name of the account that is the Security Hub administrator account | `string` | `null` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enable_default_standards](#input_enable_default_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled_standards](#input_enabled_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs No outputs. + ## References -* [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) -* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/root/) + +- [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) +- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/root/) [](https://cpco.io/component) diff --git a/deprecated/spacelift-policy/README.md b/deprecated/spacelift-policy/README.md index 2a94f1114..98adcb65d 100644 --- a/deprecated/spacelift-policy/README.md +++ b/deprecated/spacelift-policy/README.md @@ -6,7 +6,8 @@ This component is responsible for provisioning Spacelift policies. **Stack Level**: Global -NOTE: The input `labels` will be applied to every policy. To overwrite (not append) the `labels` key can be used per policy as well. +NOTE: The input `labels` will be applied to every policy. To overwrite (not append) the `labels` key can be used per +policy as well. ```yaml components: @@ -37,7 +38,7 @@ components: - folder:admin vars: labels: - - 'autoattach:folder:admin' + - "autoattach:folder:admin" policy_version: 0.52.0 policies: global-admin-git-push-policy: @@ -63,7 +64,7 @@ components: - spacelift-policy/defaults vars: labels: - - 'autoattach:folder:non-admin' + - "autoattach:folder:non-admin" policy_version: 0.52.0 policies: git-push-proposed-run-policy: 
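Review bot: the `'autoattach:folder:non-admin'` to `"autoattach:folder:non-admin"` change in the `@@ -63,7 +64,7 @@` hunk (and the matching one at `@@ -37,7 +38,7 @@`) is quote style only and is safe for these values, which contain no backslashes or escape sequences. Double-quoted YAML scalars process `\` escapes while single-quoted ones do not, so this class of automated rewrite deserves a glance whenever a quoted example value contains a backslash. If the repo prefers single quotes in YAML examples, configuring prettier with `singleQuote: true` avoids this churn instead of accepting it file by file.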
@@ -85,71 +86,74 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [http](#requirement\_http) | >= 3.0 | -| [spacelift](#requirement\_spacelift) | >= 0.1.31 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 1.3 | +| [http](#requirement_http) | >= 3.0 | +| [spacelift](#requirement_spacelift) | >= 0.1.31 | ## Providers -| Name | Version | -|------|---------| -| [http](#provider\_http) | >= 3.0 | -| [spacelift](#provider\_spacelift) | >= 0.1.31 | +| Name | Version | +| ------------------------------------------------------------------ | --------- | +| [http](#provider_http) | >= 3.0 | +| [spacelift](#provider_spacelift) | >= 0.1.31 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------- | --------------------- | ------- | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [spacelift_policy.default](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/policy) | resource | -| [http_http.default](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | +| Name | Type | +| ----------------------------------------------------------------------------------------------------------------------- | ----------- | +| [spacelift_policy.default](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/policy) | resource | +| [http_http.default](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| 
[additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels](#input\_labels) | List of global labels to add to each policy. These values can be overridden in `var.policies`'s per policy `labels` key. | `list(string)` | `[]` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [policies](#input\_policies) | The map of required policies to add. | `any` | n/a | yes | -| [policy\_version](#input\_policy\_version) | The optional global policy version injected using a %s in each `body_url`. This can be pinned to a version tag or a branch. | `string` | `"master"` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [space\_id](#input\_space\_id) | The global `space_id` to assign to each policy. This value can be overridden in `var.policies`'s per policy `space_id` key. | `string` | `"root"` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels](#input_labels) | List of global labels to add to each policy. These values can be overridden in `var.policies`'s per policy `labels` key. | `list(string)` | `[]` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [policies](#input_policies) | The map of required policies to add. | `any` | n/a | yes | +| [policy_version](#input_policy_version) | The optional global policy version injected using a %s in each `body_url`. This can be pinned to a version tag or a branch. | `string` | `"master"` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [space_id](#input_space_id) | The global `space_id` to assign to each policy. This value can be overridden in `var.policies`'s per policy `space_id` key. | `string` | `"root"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [policies](#output\_policies) | All calculated policies | +| Name | Description | +| ----------------------------------------------------------- | ----------------------- | +| [policies](#output_policies) | All calculated policies | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-policy) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-policy) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/spacelift-worker-pool/README.md b/deprecated/spacelift-worker-pool/README.md index 2fa8022a0..0c52fb14f 100644 --- a/deprecated/spacelift-worker-pool/README.md +++ b/deprecated/spacelift-worker-pool/README.md 
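Review bot: the Inputs table in this hunk is terraform-docs output, and prettier has rewritten it in two ways that the next generator run will undo: the anchor fragments lose their backslash escapes (`[tenant](#input\_tenant)` becomes `[tenant](#input_tenant)`), and every column is padded to its widest cell, so the separator row for the Description and Default columns now runs to several hundred dashes. Unless terraform-docs is configured to emit unescaped underscores and the pre-commit hooks run terraform-docs before prettier, these READMEs will flip between the two styles on every regeneration. Consider either excluding the generated block between the terraform-docs markers from prettier, or adjusting the generator settings so its output is already prettier-stable. Separately, the multi-line defaults for `context` (the JSON object from `"additional_tag_map": {}` through `"tenant": null`) and `labels_as_tags` appear here as bare lines inside a table cell; that is pre-existing, but worth checking the rendered README after this change to confirm the table still displays.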
@@ -2,19 +2,16 @@ This component is responsible for provisioning Spacelift worker pools. -By default, workers are given pull access to the configured ECR, -permission to assume the `spacelift` team role in the identity account -(although you must also configure the `spacelift` team in the identity -account to allow the workers to assume the role via `trusted_role_arns`), -and have the following AWS managed IAM policies attached: +By default, workers are given pull access to the configured ECR, permission to assume the `spacelift` team role in the +identity account (although you must also configure the `spacelift` team in the identity account to allow the workers to +assume the role via `trusted_role_arns`), and have the following AWS managed IAM policies attached: -* AmazonSSMManagedInstanceCore -* AutoScalingReadOnlyAccess -* AWSXRayDaemonWriteAccess -* CloudWatchAgentServerPolicy +- AmazonSSMManagedInstanceCore +- AutoScalingReadOnlyAccess +- AWSXRayDaemonWriteAccess +- CloudWatchAgentServerPolicy -Among other things, this allows workers with SSM agent installed to -be accessed via SSM Session Manager. +Among other things, this allows workers with SSM agent installed to be accessed via SSM Session Manager. ```bash aws ssm start-session --target 
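Review bot: this hunk is whitespace-only (prose reflowed to the wider line length and `*` bullets changed to `-`), but the file lives under `deprecated/`. Reformatting deprecated modules adds noise to an already large PR and to future `git blame` with no benefit for maintained code; consider adding `deprecated/**` to a `.prettierignore` so the hook only touches modules that are still maintained. If the intent really is a one-time format of the whole tree, state that in the commit message and record this commit in a `.git-blame-ignore-revs` file so the churn can be skipped in blame.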
@@ -46,20 +43,25 @@ components: ### Docker Image on ECR -Build and tag a Docker image for this repository and push to ECR. Ensure the account where this component is deployed has read-only access to the ECR repository. +Build and tag a Docker image for this repository and push to ECR. Ensure the account where this component is deployed +has read-only access to the ECR repository. ### API Key Prior to deployment, the API key must exist in SSM. The key must have admin permissions. -To generate the key, please follow [these instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the API key ID and secret to the SSM key store at the following locations within the same AWS account and region where the Spacelift worker pool will reside. +To generate the key, please follow +[these instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the +API key ID and secret to the SSM key store at the following locations within the same AWS account and region where the +Spacelift worker pool will reside. -| Key | SSM Path | Type | -| -------- | ----------------------- | -------------- | -| API ID | `/spacelift/key_id` | `SecureString` | -| API Key | `/spacelift/key_secret` | `SecureString` | +| Key | SSM Path | Type | +| ------- | ----------------------- | -------------- | +| API ID | `/spacelift/key_id` | `SecureString` | +| API Key | `/spacelift/key_secret` | `SecureString` | -_HINT_: The API key ID is displayed as an upper-case, 16-character alphanumeric value next to the key name in the API key list. +_HINT_: The API key ID is displayed as an upper-case, 16-character alphanumeric value next to the key name in the API +key list. Save the keys using `chamber` using the correct profile for where spacelift worker pool is provisioned 
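Review bot: the wrapping here is harmless, but since the file is being touched, the trailing context line `Save the keys using `chamber` using the correct profile for where spacelift worker pool is provisioned` has a doubled "using", a missing "the", and no terminating period; suggest `Save the keys with `chamber`, using the correct profile for the account where the Spacelift worker pool is provisioned.` The SSM table change is whitespace-only; reviewing with `git diff -w` will confirm that no cell contents changed, which is the check that matters here because `/spacelift/key_id` and `/spacelift/key_secret` are the paths the component reads at deploy time and a stray edit to them would break the worker pool silently.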
@@ -70,151 +72,155 @@ AWS_PROFILE=acme-gbl-auto-admin chamber write spacelift key_secret abcdefghijklm ### IAM configuration -After provisioning the component, you must give the created instance role permission -to assume the Spacelift worker role. This is done by adding `iam_role_arn` from -the output to the `trusted_role_arns` list for the `spacelift` role in `aws-teams`. +After provisioning the component, you must give the created instance role permission to assume the Spacelift worker +role. This is done by adding `iam_role_arn` from the output to the `trusted_role_arns` list for the `spacelift` role in +`aws-teams`. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.9.0 | -| [cloudinit](#requirement\_cloudinit) | >= 2.2.0 | -| [spacelift](#requirement\_spacelift) | >= 0.1.2 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.9.0 | +| [cloudinit](#requirement_cloudinit) | >= 2.2.0 | +| [spacelift](#requirement_spacelift) | >= 0.1.2 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.9.0 | -| [cloudinit](#provider\_cloudinit) | >= 2.2.0 | -| [spacelift](#provider\_spacelift) | >= 0.1.2 | +| Name | Version | +| ------------------------------------------------------------------ | -------- | +| [aws](#provider_aws) | >= 4.9.0 | +| [cloudinit](#provider_cloudinit) | >= 2.2.0 | +| [spacelift](#provider_spacelift) | >= 0.1.2 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [autoscale\_group](#module\_autoscale\_group) | cloudposse/ec2-autoscale-group/aws | 0.34.1 | -| [ecr](#module\_ecr) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| 
[iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.25.0 | -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.0-rc1 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +| -------------------------------------------------------------------------------- | -------------------------------------------------- | --------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [autoscale_group](#module_autoscale_group) | cloudposse/ec2-autoscale-group/aws | 0.34.1 | +| [ecr](#module_ecr) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam_label](#module_iam_label) | cloudposse/label/null | 0.25.0 | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [security_group](#module_security_group) | cloudposse/security-group/aws | 2.0.0-rc1 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources -| Name | Type | -|------|------| -| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | -| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [spacelift_worker_pool.primary](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/worker_pool) | resource | -| [aws_ami.spacelift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| Name | Type | +| 
------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [spacelift_worker_pool.primary](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/worker_pool) | resource | +| [aws_ami.spacelift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | -| [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | -| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | +| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | 
data source | +| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws\_config\_file](#input\_aws\_config\_file) | The AWS\_CONFIG\_FILE used by the worker. Can be overridden by `/.spacelift/config.yml`. | `string` | `"/etc/aws-config/aws-config-spacelift"` | no | -| [aws\_profile](#input\_aws\_profile) | The AWS\_PROFILE used by the worker. If not specified, `"${var.namespace}-identity"` will be used.
Can be overridden by `/.spacelift/config.yml`. | `string` | `null` | no | -| [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI |
list(object({
device_name = string
no_device = bool
virtual_name = string
ebs = object({
delete_on_termination = bool
encrypted = bool
iops = number
kms_key_id = string
snapshot_id = string
volume_size = number
volume_type = string
})
}))
| `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [cpu\_utilization\_high\_threshold\_percent](#input\_cpu\_utilization\_high\_threshold\_percent) | CPU utilization high threshold | `number` | n/a | yes | -| [cpu\_utilization\_low\_threshold\_percent](#input\_cpu\_utilization\_low\_threshold\_percent) | CPU utilization low threshold | `number` | n/a | yes | -| [custom\_spacelift\_ami](#input\_custom\_spacelift\_ami) | Custom spacelift AMI | `bool` | `false` | no | -| [default\_cooldown](#input\_default\_cooldown) | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start | `number` | `300` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [desired\_capacity](#input\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the group, if not set will use `min_size` as value | `number` | `null` | no | -| [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `false` | no | -| [ecr\_environment\_name](#input\_ecr\_environment\_name) | The name of the environment where `ecr` is provisioned | `string` | `""` | no | -| [ecr\_region](#input\_ecr\_region) | AWS region that contains the ECR infrastructure repo | `string` | `""` | no | -| [ecr\_repo\_name](#input\_ecr\_repo\_name) | ECR repository name | `string` | n/a | yes | -| [ecr\_stage\_name](#input\_ecr\_stage\_name) | The name of the stage where `ecr` is provisioned | `string` | `"artifacts"` | no | -| [ecr\_tenant\_name](#input\_ecr\_tenant\_name) | The name of the tenant where `ecr` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [github\_netrc\_enabled](#input\_github\_netrc\_enabled) | Whether to create a GitHub .netrc file so Spacelift can clone private GitHub repositories. | `bool` | `false` | no | -| [github\_netrc\_ssm\_path\_token](#input\_github\_netrc\_ssm\_path\_token) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub token. | `string` | `"/github/token"` | no | -| [github\_netrc\_ssm\_path\_user](#input\_github\_netrc\_ssm\_path\_user) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub user | `string` | `"/github/user"` | no | -| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time (in seconds) after instance comes into service before checking health | `number` | `300` | no | -| [health\_check\_type](#input\_health\_check\_type) | Controls how health checking is done. Valid values are `EC2` or `ELB` | `string` | `"EC2"` | no | -| [iam\_attributes](#input\_iam\_attributes) | Additional attributes to add to the IDs of the IAM role and policy | `list(string)` | `[]` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [infracost\_api\_token\_ssm\_path](#input\_infracost\_api\_token\_ssm\_path) | This is the SSM path to retrieve and set the INFRACOST\_API\_TOKEN environment variable | `string` | `"/infracost/token"` | no | -| [infracost\_cli\_args](#input\_infracost\_cli\_args) | These are the CLI args passed to infracost | `string` | `""` | no | -| [infracost\_enabled](#input\_infracost\_enabled) | Whether to enable infracost for Spacelift stacks | `bool` | `false` | no | -| [infracost\_warn\_on\_failure](#input\_infracost\_warn\_on\_failure) | A failure executing Infracost, or a non-zero exit code being returned from the command will cause runs to fail. If this is true, this will only warn instead of failing the stack. | `bool` | `true` | no | -| [instance\_refresh](#input\_instance\_refresh) | The instance refresh definition. If this block is configured, an Instance Refresh will be started when the Auto Scaling Group is updated |
object({
strategy = string
preferences = object({
instance_warmup = number
min_healthy_percentage = number
})
triggers = list(string)
})
| `null` | no | -| [instance\_type](#input\_instance\_type) | EC2 instance type to use for workers | `string` | `"r5n.large"` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes | -| [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes | -| [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | Policy to use a mixed group of on-demand/spot of different types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [scale\_down\_cooldown\_seconds](#input\_scale\_down\_cooldown\_seconds) | The amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start | `number` | `300` | no | -| [spacelift\_agents\_per\_node](#input\_spacelift\_agents\_per\_node) | Number of Spacelift agents to run on one worker node | `number` | `1` | no | -| [spacelift\_ami\_id](#input\_spacelift\_ami\_id) | AMI ID of Spacelift worker pool image | `string` | `null` | no | -| [spacelift\_api\_endpoint](#input\_spacelift\_api\_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | -| [spacelift\_aws\_account\_id](#input\_spacelift\_aws\_account\_id) | AWS Account ID owned by Spacelift | `string` | `"643313122712"` | no | -| [spacelift\_domain\_name](#input\_spacelift\_domain\_name) | Top-level domain name to use for pulling the launcher binary | `string` | `"spacelift.io"` | no | -| [spacelift\_runner\_image](#input\_spacelift\_runner\_image) | URL of ECR image to use for Spacelift | `string` | `""` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"OldestLaunchConfiguration"
]
| no | -| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws_config_file](#input_aws_config_file) | The AWS_CONFIG_FILE used by the worker. Can be overridden by `/.spacelift/config.yml`. | `string` | `"/etc/aws-config/aws-config-spacelift"` | no | +| [aws_profile](#input_aws_profile) | The AWS_PROFILE used by the worker. If not specified, `"${var.namespace}-identity"` will be used.
Can be overridden by `/.spacelift/config.yml`. | `string` | `null` | no | +| [block_device_mappings](#input_block_device_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI |
list(object({
device_name = string
no_device = bool
virtual_name = string
ebs = object({
delete_on_termination = bool
encrypted = bool
iops = number
kms_key_id = string
snapshot_id = string
volume_size = number
volume_type = string
})
}))
| `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [cpu_utilization_high_threshold_percent](#input_cpu_utilization_high_threshold_percent) | CPU utilization high threshold | `number` | n/a | yes | +| [cpu_utilization_low_threshold_percent](#input_cpu_utilization_low_threshold_percent) | CPU utilization low threshold | `number` | n/a | yes | +| [custom_spacelift_ami](#input_custom_spacelift_ami) | Custom spacelift AMI | `bool` | `false` | no | +| [default_cooldown](#input_default_cooldown) | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start | `number` | `300` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [desired_capacity](#input_desired_capacity) | The number of Amazon EC2 instances that should be running in the group, if not set will use `min_size` as value | `number` | `null` | no | +| [ebs_optimized](#input_ebs_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `false` | no | +| [ecr_environment_name](#input_ecr_environment_name) | The name of the environment where `ecr` is provisioned | `string` | `""` | no | +| [ecr_region](#input_ecr_region) | AWS region that contains the ECR infrastructure repo | `string` | `""` | no | +| [ecr_repo_name](#input_ecr_repo_name) | ECR repository name | `string` | n/a | yes | +| [ecr_stage_name](#input_ecr_stage_name) | The name of the stage where `ecr` is provisioned | `string` | `"artifacts"` | no | +| [ecr_tenant_name](#input_ecr_tenant_name) | The name of the tenant where `ecr` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [github_netrc_enabled](#input_github_netrc_enabled) | Whether to create a GitHub .netrc file so Spacelift can clone private GitHub repositories. | `bool` | `false` | no | +| [github_netrc_ssm_path_token](#input_github_netrc_ssm_path_token) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub token. | `string` | `"/github/token"` | no | +| [github_netrc_ssm_path_user](#input_github_netrc_ssm_path_user) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub user | `string` | `"/github/user"` | no | +| [health_check_grace_period](#input_health_check_grace_period) | Time (in seconds) after instance comes into service before checking health | `number` | `300` | no | +| [health_check_type](#input_health_check_type) | Controls how health checking is done. Valid values are `EC2` or `ELB` | `string` | `"EC2"` | no | +| [iam_attributes](#input_iam_attributes) | Additional attributes to add to the IDs of the IAM role and policy | `list(string)` | `[]` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [infracost_api_token_ssm_path](#input_infracost_api_token_ssm_path) | This is the SSM path to retrieve and set the INFRACOST_API_TOKEN environment variable | `string` | `"/infracost/token"` | no | +| [infracost_cli_args](#input_infracost_cli_args) | These are the CLI args passed to infracost | `string` | `""` | no | +| [infracost_enabled](#input_infracost_enabled) | Whether to enable infracost for Spacelift stacks | `bool` | `false` | no | +| [infracost_warn_on_failure](#input_infracost_warn_on_failure) | A failure executing Infracost, or a non-zero exit code being returned from the command will cause runs to fail. If this is true, this will only warn instead of failing the stack. | `bool` | `true` | no | +| [instance_refresh](#input_instance_refresh) | The instance refresh definition. If this block is configured, an Instance Refresh will be started when the Auto Scaling Group is updated |
object({
strategy = string
preferences = object({
instance_warmup = number
min_healthy_percentage = number
})
triggers = list(string)
})
| `null` | no | +| [instance_type](#input_instance_type) | EC2 instance type to use for workers | `string` | `"r5n.large"` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [max_size](#input_max_size) | The maximum size of the autoscale group | `number` | n/a | yes | +| [min_size](#input_min_size) | The minimum size of the autoscale group | `number` | n/a | yes | +| [mixed_instances_policy](#input_mixed_instances_policy) | Policy to use a mixed group of on-demand/spot of different types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [scale_down_cooldown_seconds](#input_scale_down_cooldown_seconds) | The amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start | `number` | `300` | no | +| [spacelift_agents_per_node](#input_spacelift_agents_per_node) | Number of Spacelift agents to run on one worker node | `number` | `1` | no | +| [spacelift_ami_id](#input_spacelift_ami_id) | AMI ID of Spacelift worker pool image | `string` | `null` | no | +| [spacelift_api_endpoint](#input_spacelift_api_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | +| [spacelift_aws_account_id](#input_spacelift_aws_account_id) | AWS Account ID owned by Spacelift | `string` | `"643313122712"` | no | +| [spacelift_domain_name](#input_spacelift_domain_name) | Top-level domain name to use for pulling the launcher binary | `string` | `"spacelift.io"` | no | +| [spacelift_runner_image](#input_spacelift_runner_image) | URL of ECR image to use for Spacelift | `string` | `""` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [termination_policies](#input_termination_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"OldestLaunchConfiguration"
]
| no | +| [wait_for_capacity_timeout](#input_wait_for_capacity_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [autoscaling\_group\_arn](#output\_autoscaling\_group\_arn) | The ARN for this AutoScaling Group | -| [autoscaling\_group\_default\_cooldown](#output\_autoscaling\_group\_default\_cooldown) | Time between a scaling activity and the succeeding scaling activity | -| [autoscaling\_group\_health\_check\_grace\_period](#output\_autoscaling\_group\_health\_check\_grace\_period) | Time after instance comes into service before checking health | -| [autoscaling\_group\_health\_check\_type](#output\_autoscaling\_group\_health\_check\_type) | `EC2` or `ELB`. Controls how health checking is done | -| [autoscaling\_group\_id](#output\_autoscaling\_group\_id) | The autoscaling group id | -| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscale group | -| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscale group | -| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The autoscaling group name | -| [iam\_role\_arn](#output\_iam\_role\_arn) | Spacelift IAM Role ARN | -| [iam\_role\_id](#output\_iam\_role\_id) | Spacelift IAM Role ID | -| [iam\_role\_name](#output\_iam\_role\_name) | Spacelift IAM Role name | -| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template | -| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template | -| [security\_group\_arn](#output\_security\_group\_arn) | Spacelift Security Group ARN | -| [security\_group\_id](#output\_security\_group\_id) | Spacelift Security Group ID | -| 
[security\_group\_name](#output\_security\_group\_name) | Spacelift Security Group Name | -| [worker\_pool\_id](#output\_worker\_pool\_id) | Spacelift worker pool ID | -| [worker\_pool\_name](#output\_worker\_pool\_name) | Spacelift worker pool name | +| Name | Description | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | +| [autoscaling_group_arn](#output_autoscaling_group_arn) | The ARN for this AutoScaling Group | +| [autoscaling_group_default_cooldown](#output_autoscaling_group_default_cooldown) | Time between a scaling activity and the succeeding scaling activity | +| [autoscaling_group_health_check_grace_period](#output_autoscaling_group_health_check_grace_period) | Time after instance comes into service before checking health | +| [autoscaling_group_health_check_type](#output_autoscaling_group_health_check_type) | `EC2` or `ELB`. 
Controls how health checking is done | +| [autoscaling_group_id](#output_autoscaling_group_id) | The autoscaling group id | +| [autoscaling_group_max_size](#output_autoscaling_group_max_size) | The maximum size of the autoscale group | +| [autoscaling_group_min_size](#output_autoscaling_group_min_size) | The minimum size of the autoscale group | +| [autoscaling_group_name](#output_autoscaling_group_name) | The autoscaling group name | +| [iam_role_arn](#output_iam_role_arn) | Spacelift IAM Role ARN | +| [iam_role_id](#output_iam_role_id) | Spacelift IAM Role ID | +| [iam_role_name](#output_iam_role_name) | Spacelift IAM Role name | +| [launch_template_arn](#output_launch_template_arn) | The ARN of the launch template | +| [launch_template_id](#output_launch_template_id) | The ID of the launch template | +| [security_group_arn](#output_security_group_arn) | Spacelift Security Group ARN | +| [security_group_id](#output_security_group_id) | Spacelift Security Group ID | +| [security_group_name](#output_security_group_name) | Spacelift Security Group Name | +| [worker_pool_id](#output_worker_pool_id) | Spacelift worker pool ID | +| [worker_pool_name](#output_worker_pool_name) | Spacelift worker pool name | + ## References -- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - Cloud Posse's related upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-worker-pool) - Cloud Posse's upstream component +- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - + Cloud Posse's related upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-worker-pool) - + Cloud Posse's upstream component 
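Review bot: the Inputs and Outputs tables in this hunk (everything from the `| Name | Description | Type | Default | Required |` header down to the `worker_pool_name` row) are terraform-docs output, so the column padding prettier added and the `\_` to `_` change in the `#input_…` / `#output_…` anchors will be undone the next time the docs are regenerated, and every regeneration after that will produce a formatting-only diff of this size. Either run prettier as part of the terraform-docs hook so the generated block comes out already formatted, or wrap the generated region in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` so prettier leaves it alone; whichever is chosen should be applied consistently to the other module READMEs in this patch.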
[](https://cpco.io/component) diff --git a/deprecated/spacelift/README.md b/deprecated/spacelift/README.md index 993d9e337..7cf2e68c2 100644 --- a/deprecated/spacelift/README.md +++ b/deprecated/spacelift/README.md @@ -3,15 +3,15 @@ This component is responsible for provisioning Spacelift stacks. Spacelift is a specialized, Terraform-compatible continuous integration and deployment (CI/CD) platform for -infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience with -large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. +infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience +with large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. ## Usage **Stack Level**: Regional -This component provisions an administrative Spacelift stack and assigns it to a worker pool. Although -the stack can manage stacks in any region, it should be provisioned in the same region as the worker pool. +This component provisions an administrative Spacelift stack and assigns it to a worker pool. Although the stack can +manage stacks in any region, it should be provisioned in the same region as the worker pool. ```yaml components: @@ -152,7 +152,6 @@ components: - trigger.dependencies # Keep these empty policies_by_id_enabled: [] - ``` ## Prerequisites @@ -164,7 +163,8 @@ components: 1. Create a Login Policy - Click on Policies then Add Policy - - Use the following policy and replace `GITHUBORG` with the GitHub Organization slug and DEV with the GitHub id for the Dev setting up the Spacelift module. + - Use the following policy and replace `GITHUBORG` with the GitHub Organization slug and DEV with the GitHub id for + the Dev setting up the Spacelift module. ```rego package spacelift 
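Review bot: in the `@@ -164,7 +163,8 @@` hunk the rewrapped sentence puts `GITHUBORG` in backticks but leaves `DEV` bare, although both are placeholders the reader substitutes into the rego login policy that follows; since the line is being rewritten anyway, write it as `DEV` so it is not misread as prose. The `@@ -152,7 +152,6 @@` change only drops the trailing blank line inside the yaml fence and the `@@ -3,15 +3,15 @@` change is a pure reflow at the new line width; both are fine.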
@@ -229,17 +229,17 @@ components: ## Spacelift Layout -[Runtime configuration](https://docs.spacelift.io/concepts/configuration/runtime-configuration) is a piece of setup -that is applied to individual runs instead of being global to the stack. -It's defined in `.spacelift/config.yml` YAML file at the root of your repository. -It is required for Spacelift to work with `atmos`. +[Runtime configuration](https://docs.spacelift.io/concepts/configuration/runtime-configuration) is a piece of setup that +is applied to individual runs instead of being global to the stack. It's defined in `.spacelift/config.yml` YAML file at +the root of your repository. It is required for Spacelift to work with `atmos`. ### Create Spacelift helper scripts -[/rootfs/usr/local/bin/spacelift-tf-workspace](/rootfs/usr/local/bin/spacelift-tf-workspace) manages selecting or creating a Terraform workspace; similar to how `atmos` manages workspaces -during a Terraform run. +[/rootfs/usr/local/bin/spacelift-tf-workspace](/rootfs/usr/local/bin/spacelift-tf-workspace) manages selecting or +creating a Terraform workspace; similar to how `atmos` manages workspaces during a Terraform run. -[/rootfs/usr/local/bin/spacelift-write-vars](/rootfs/usr/local/bin/spacelift-write-vars) writes the component config using `atmos` to the `spacelift.auto.tfvars.json` file. +[/rootfs/usr/local/bin/spacelift-write-vars](/rootfs/usr/local/bin/spacelift-write-vars) writes the component config +using `atmos` to the `spacelift.auto.tfvars.json` file. **NOTE**: make sure they are all executable: @@ -249,8 +249,8 @@ chmod +x rootfs/usr/local/bin/spacelift* ## Bootstrapping -After creating & linking Spacelift to this repo (see the -[docs](https://docs.spacelift.io/integrations/github)), follow these steps... +After creating & linking Spacelift to this repo (see the [docs](https://docs.spacelift.io/integrations/github)), follow +these steps... ### Deploy the [`spacelift-worker-pool`](../spacelift-worker-pool) Component 
@@ -260,12 +260,10 @@ See [`spacelift-worker-pool` README](../spacelift-worker-pool/README.md) for the 1. `git_repository` = Name of `infrastructure` repository 1. `git_branch` = Name of main/master branch -1. `worker_pool_name_id_map` = Map of arbitrary names to IDs Spacelift worker pools, -taken from the `worker_pool_id` output of the `spacelift-worker-pool` component. -1. Set `components.terraform.spacelift.settings.spacelift.worker_pool_name` -to the name of the worker pool you want to use for the `spacelift` component, -the name being the key you set in the `worker_pool_name_id_map` map. - +1. `worker_pool_name_id_map` = Map of arbitrary names to IDs Spacelift worker pools, taken from the `worker_pool_id` + output of the `spacelift-worker-pool` component. +1. Set `components.terraform.spacelift.settings.spacelift.worker_pool_name` to the name of the worker pool you want to + use for the `spacelift` component, the name being the key you set in the `worker_pool_name_id_map` map. ### Deploy the admin stacks 
@@ -277,16 +275,15 @@ export SPACELIFT_API_KEY_ID=... export SPACELIFT_API_KEY_SECRET=... ``` -The name of the spacelift stack resource will be different depending on the name of the component and the root atmos stack. -This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. +The name of the spacelift stack resource will be different depending on the name of the component and the root atmos +stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. ``` atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift.module.stacks["core-gbl-auto-spacelift"]' ``` -Note that this is the only manually operation you need to perform in `geodesic` using `atmos` to create the initial admin stack. -All other infrastructure stacks wil be created in Spacelift by this admin stack. - +Note that this is the only manually operation you need to perform in `geodesic` using `atmos` to create the initial +admin stack. All other infrastructure stacks wil be created in Spacelift by this admin stack. ## Pull Request Workflow @@ -296,7 +293,6 @@ All other infrastructure stacks wil be created in Spacelift by this admin stack. 4. View the successful Spacelift checks in the pull request 5. Merge the pull request and check the Spacelift job - ## spacectl See docs https://github.com/spaceone-dev/spacectl 
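Review bot: the `@@ -277,16 +275,15 @@` hunk reflows the sentence "Note that this is the only manually operation you need to perform in `geodesic` ... All other infrastructure stacks wil be created" but carries both typos across into the `+` lines; since these lines are rewritten here anyway, change `manually operation` to `manual operation` and `wil` to `will`. The reflowed sentence about the spacelift stack resource name above the `atmos terraform apply spacelift --stack core-gbl-auto -target ...` command reads correctly.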
@@ -337,108 +333,110 @@ NOTE: remove the `echo` to remove the dry-run functionality cat stacks.txt | while read stack; do echo $stack && echo spacectl stack set-current-commit --sha 25dd359749cfe30c76cce19f58e0a33555256afd --id $stack; done ``` - + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | >= 4.0 | -| [spacelift](#requirement\_spacelift) | >= 0.1.31 | +| Name | Version | +| ------------------------------------------------------------------------ | --------- | +| [terraform](#requirement_terraform) | >= 1.3 | +| [aws](#requirement_aws) | >= 4.0 | +| [spacelift](#requirement_spacelift) | >= 0.1.31 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [spacelift](#module\_spacelift) | cloudposse/cloud-infrastructure-automation/spacelift | 0.55.0 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------- | ---------------------------------------------------- | ------- | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [spacelift](#module_spacelift) | cloudposse/cloud-infrastructure-automation/spacelift | 0.55.0 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| Name | Type | +| -------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| 
[aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | | [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrative\_push\_policy\_enabled](#input\_administrative\_push\_policy\_enabled) | Flag to enable/disable the global administrative push policy | `bool` | `true` | no | -| [administrative\_stack\_drift\_detection\_enabled](#input\_administrative\_stack\_drift\_detection\_enabled) | Flag to enable/disable administrative stack drift detection | `bool` | `true` | no | -| [administrative\_stack\_drift\_detection\_reconcile](#input\_administrative\_stack\_drift\_detection\_reconcile) | Flag to enable/disable administrative stack drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | -| [administrative\_stack\_drift\_detection\_schedule](#input\_administrative\_stack\_drift\_detection\_schedule) | List of cron expressions to schedule drift detection for the administrative stack | `list(string)` |
[
"0 4 * * *"
]
| no | -| [administrative\_trigger\_policy\_enabled](#input\_administrative\_trigger\_policy\_enabled) | Flag to enable/disable the global administrative trigger policy | `bool` | `true` | no | -| [attachment\_space\_id](#input\_attachment\_space\_id) | Specify the space ID for attachments (e.g. policies, contexts, etc.) | `string` | `"legacy"` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [autodeploy](#input\_autodeploy) | Default autodeploy value for all stacks created by this project | `bool` | n/a | yes | -| [aws\_role\_arn](#input\_aws\_role\_arn) | ARN of the AWS IAM role to assume and put its temporary credentials in the runtime environment | `string` | `null` | no | -| [aws\_role\_enabled](#input\_aws\_role\_enabled) | Flag to enable/disable Spacelift to use AWS STS to assume the supplied IAM role and put its temporary credentials in the runtime environment | `bool` | `false` | no | -| [aws\_role\_external\_id](#input\_aws\_role\_external\_id) | Custom external ID (works only for private workers). See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html for more details | `string` | `null` | no | -| [aws\_role\_generate\_credentials\_in\_worker](#input\_aws\_role\_generate\_credentials\_in\_worker) | Flag to enable/disable generating AWS credentials in the private worker after assuming the supplied IAM role | `bool` | `false` | no | -| [before\_init](#input\_before\_init) | List of before-init scripts | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [context\_filters](#input\_context\_filters) | Context filters to create stacks for specific context information. Valid lists are `namespaces`, `environments`, `tenants`, `stages`. | `map(list(string))` | `{}` | no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [drift\_detection\_enabled](#input\_drift\_detection\_enabled) | Flag to enable/disable drift detection on the infrastructure stacks | `bool` | `true` | no | -| [drift\_detection\_reconcile](#input\_drift\_detection\_reconcile) | Flag to enable/disable infrastructure stacks drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | -| [drift\_detection\_schedule](#input\_drift\_detection\_schedule) | List of cron expressions to schedule drift detection for the infrastructure stacks | `list(string)` |
[
"0 4 * * *"
]
| no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [external\_execution](#input\_external\_execution) | Set this to true if you're calling this module from outside of a Spacelift stack (e.g. the `complete` example) | `bool` | `false` | no | -| [git\_branch](#input\_git\_branch) | The Git branch name | `string` | `"main"` | no | -| [git\_commit\_sha](#input\_git\_commit\_sha) | The commit SHA for which to trigger a run. Requires `var.spacelift_run_enabled` to be set to `true` | `string` | `null` | no | -| [git\_repository](#input\_git\_repository) | The Git repository name | `string` | n/a | yes | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [infracost\_enabled](#input\_infracost\_enabled) | Flag to enable/disable infracost. If this is enabled, it will add infracost label to each stack. See [spacelift infracost](https://docs.spacelift.io/vendors/terraform/infracost) docs for more details. | `bool` | `false` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [policies\_available](#input\_policies\_available) | List of available default policies to create in Spacelift (these policies will not be attached to Spacelift stacks by default, use `var.policies_enabled`) | `list(string)` |
[
"git_push.proposed-run",
"git_push.tracked-run",
"plan.default",
"trigger.dependencies",
"trigger.retries"
]
| no | -| [policies\_by\_id\_enabled](#input\_policies\_by\_id\_enabled) | List of existing policy IDs to attach to all Spacelift stacks. These policies must already exist in Spacelift | `list(string)` | `[]` | no | -| [policies\_by\_name\_enabled](#input\_policies\_by\_name\_enabled) | List of existing policy names to attach to all Spacelift stacks. These policies must exist at `modules/spacelift/rego-policies` OR `var.policies_by_name_path`. | `list(string)` | `[]` | no | -| [policies\_by\_name\_path](#input\_policies\_by\_name\_path) | Path to the catalog of external Rego policies. The Rego files must exist in the caller's code at the path. The module will create Spacelift policies from the external Rego definitions | `string` | `""` | no | -| [policies\_enabled](#input\_policies\_enabled) | DEPRECATED: Use `policies_by_id_enabled` instead. List of default policies created by this stack to attach to all Spacelift stacks | `list(string)` | `[]` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [runner\_image](#input\_runner\_image) | Full address & tag of the Spacelift runner image (e.g. on ECR) | `string` | n/a | yes | -| [spacelift\_api\_endpoint](#input\_spacelift\_api\_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | -| [spacelift\_component\_path](#input\_spacelift\_component\_path) | The Spacelift Component Path | `string` | `"components/terraform"` | no | -| [spacelift\_run\_enabled](#input\_spacelift\_run\_enabled) | Enable/disable creation of the `spacelift_run` resource | `bool` | `false` | no | -| [spacelift\_stack\_dependency\_enabled](#input\_spacelift\_stack\_dependency\_enabled) | If enabled, the `spacelift_stack_dependency` Spacelift resource will be used to create dependencies between stacks instead of using the `depends-on` labels. The `depends-on` labels will be removed from the stacks and the trigger policies for dependencies will be detached | `bool` | `false` | no | -| [stack\_config\_path\_template](#input\_stack\_config\_path\_template) | Stack config path template | `string` | `"stacks/%s.yaml"` | no | -| [stack\_destructor\_enabled](#input\_stack\_destructor\_enabled) | Flag to enable/disable the stack destructor to destroy the resources of a stack before deleting the stack itself | `bool` | `false` | no | -| [stacks\_space\_id](#input\_stacks\_space\_id) | Override the space ID for all stacks (unless the stack config has `dedicated_space` set to true). Otherwise, it will default to the admin stack's space. | `string` | `null` | no | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 
'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tag\_filters](#input\_tag\_filters) | A map of tags that will filter stack creation by the matching `tags` set in a component `vars` configuration. | `map(string)` | `{}` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [terraform\_version](#input\_terraform\_version) | Default Terraform version for all stacks created by this project | `string` | n/a | yes | -| [terraform\_version\_map](#input\_terraform\_version\_map) | A map to determine which Terraform patch version to use for each minor version | `map(string)` | `{}` | no | -| [worker\_pool\_name\_id\_map](#input\_worker\_pool\_name\_id\_map) | Map of worker pool names to worker pool IDs | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrative_push_policy_enabled](#input_administrative_push_policy_enabled) | Flag to enable/disable the global administrative push policy | `bool` | `true` | no | +| [administrative_stack_drift_detection_enabled](#input_administrative_stack_drift_detection_enabled) | Flag to enable/disable administrative stack drift detection | `bool` | `true` | no | +| [administrative_stack_drift_detection_reconcile](#input_administrative_stack_drift_detection_reconcile) | Flag to enable/disable administrative stack drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | +| [administrative_stack_drift_detection_schedule](#input_administrative_stack_drift_detection_schedule) | List of cron expressions to schedule drift detection for the administrative stack | `list(string)` |
[
"0 4 * * *"
]
| no | +| [administrative_trigger_policy_enabled](#input_administrative_trigger_policy_enabled) | Flag to enable/disable the global administrative trigger policy | `bool` | `true` | no | +| [attachment_space_id](#input_attachment_space_id) | Specify the space ID for attachments (e.g. policies, contexts, etc.) | `string` | `"legacy"` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [autodeploy](#input_autodeploy) | Default autodeploy value for all stacks created by this project | `bool` | n/a | yes | +| [aws_role_arn](#input_aws_role_arn) | ARN of the AWS IAM role to assume and put its temporary credentials in the runtime environment | `string` | `null` | no | +| [aws_role_enabled](#input_aws_role_enabled) | Flag to enable/disable Spacelift to use AWS STS to assume the supplied IAM role and put its temporary credentials in the runtime environment | `bool` | `false` | no | +| [aws_role_external_id](#input_aws_role_external_id) | Custom external ID (works only for private workers). See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html for more details | `string` | `null` | no | +| [aws_role_generate_credentials_in_worker](#input_aws_role_generate_credentials_in_worker) | Flag to enable/disable generating AWS credentials in the private worker after assuming the supplied IAM role | `bool` | `false` | no | +| [before_init](#input_before_init) | List of before-init scripts | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [context_filters](#input_context_filters) | Context filters to create stacks for specific context information. Valid lists are `namespaces`, `environments`, `tenants`, `stages`. | `map(list(string))` | `{}` | no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [drift_detection_enabled](#input_drift_detection_enabled) | Flag to enable/disable drift detection on the infrastructure stacks | `bool` | `true` | no | +| [drift_detection_reconcile](#input_drift_detection_reconcile) | Flag to enable/disable infrastructure stacks drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | +| [drift_detection_schedule](#input_drift_detection_schedule) | List of cron expressions to schedule drift detection for the infrastructure stacks | `list(string)` |
[
"0 4 * * *"
]
| no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [external_execution](#input_external_execution) | Set this to true if you're calling this module from outside of a Spacelift stack (e.g. the `complete` example) | `bool` | `false` | no | +| [git_branch](#input_git_branch) | The Git branch name | `string` | `"main"` | no | +| [git_commit_sha](#input_git_commit_sha) | The commit SHA for which to trigger a run. Requires `var.spacelift_run_enabled` to be set to `true` | `string` | `null` | no | +| [git_repository](#input_git_repository) | The Git repository name | `string` | n/a | yes | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [infracost_enabled](#input_infracost_enabled) | Flag to enable/disable infracost. If this is enabled, it will add infracost label to each stack. See [spacelift infracost](https://docs.spacelift.io/vendors/terraform/infracost) docs for more details. | `bool` | `false` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [policies_available](#input_policies_available) | List of available default policies to create in Spacelift (these policies will not be attached to Spacelift stacks by default, use `var.policies_enabled`) | `list(string)` |
[
"git_push.proposed-run",
"git_push.tracked-run",
"plan.default",
"trigger.dependencies",
"trigger.retries"
]
| no | +| [policies_by_id_enabled](#input_policies_by_id_enabled) | List of existing policy IDs to attach to all Spacelift stacks. These policies must already exist in Spacelift | `list(string)` | `[]` | no | +| [policies_by_name_enabled](#input_policies_by_name_enabled) | List of existing policy names to attach to all Spacelift stacks. These policies must exist at `modules/spacelift/rego-policies` OR `var.policies_by_name_path`. | `list(string)` | `[]` | no | +| [policies_by_name_path](#input_policies_by_name_path) | Path to the catalog of external Rego policies. The Rego files must exist in the caller's code at the path. The module will create Spacelift policies from the external Rego definitions | `string` | `""` | no | +| [policies_enabled](#input_policies_enabled) | DEPRECATED: Use `policies_by_id_enabled` instead. List of default policies created by this stack to attach to all Spacelift stacks | `list(string)` | `[]` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [runner_image](#input_runner_image) | Full address & tag of the Spacelift runner image (e.g. on ECR) | `string` | n/a | yes | +| [spacelift_api_endpoint](#input_spacelift_api_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | +| [spacelift_component_path](#input_spacelift_component_path) | The Spacelift Component Path | `string` | `"components/terraform"` | no | +| [spacelift_run_enabled](#input_spacelift_run_enabled) | Enable/disable creation of the `spacelift_run` resource | `bool` | `false` | no | +| [spacelift_stack_dependency_enabled](#input_spacelift_stack_dependency_enabled) | If enabled, the `spacelift_stack_dependency` Spacelift resource will be used to create dependencies between stacks instead of using the `depends-on` labels. The `depends-on` labels will be removed from the stacks and the trigger policies for dependencies will be detached | `bool` | `false` | no | +| [stack_config_path_template](#input_stack_config_path_template) | Stack config path template | `string` | `"stacks/%s.yaml"` | no | +| [stack_destructor_enabled](#input_stack_destructor_enabled) | Flag to enable/disable the stack destructor to destroy the resources of a stack before deleting the stack itself | `bool` | `false` | no | +| [stacks_space_id](#input_stacks_space_id) | Override the space ID for all stacks (unless the stack config has `dedicated_space` set to true). Otherwise, it will default to the admin stack's space. | `string` | `null` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 
'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tag_filters](#input_tag_filters) | A map of tags that will filter stack creation by the matching `tags` set in a component `vars` configuration. | `map(string)` | `{}` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [terraform_version](#input_terraform_version) | Default Terraform version for all stacks created by this project | `string` | n/a | yes | +| [terraform_version_map](#input_terraform_version_map) | A map to determine which Terraform patch version to use for each minor version | `map(string)` | `{}` | no | +| [worker_pool_name_id_map](#input_worker_pool_name_id_map) | Map of worker pool names to worker pool IDs | `map(any)` | `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| [stacks](#output\_stacks) | Spacelift stacks | +| Name | Description | +| ----------------------------------------------------- | ---------------- | +| [stacks](#output_stacks) | Spacelift stacks | + ## References -* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/spacelift/docs/spacelift-overview.md b/deprecated/spacelift/docs/spacelift-overview.md index b232276de..da5735c53 100644 --- a/deprecated/spacelift/docs/spacelift-overview.md +++ b/deprecated/spacelift/docs/spacelift-overview.md 
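Review bot: in the reformatted Inputs table of deprecated/spacelift/README.md the `policies_available` row (both the removed and the added version) still tells the reader to "use `var.policies_enabled`", while the `policies_enabled` row a few lines below is marked "DEPRECATED: Use `policies_by_id_enabled` instead"; since prettier is rewriting every one of these rows anyway, point that description at `policies_by_id_enabled` (or `policies_by_name_enabled`) so nobody is steered to a deprecated input. A second, style point on the same hunk: the `+` rows strip the `\_` escaping from the `#input\_...` anchors (for example `#input\_drift\_detection\_enabled` becomes `#input_drift_detection_enabled`) and pad every separator row to the width of the longest multi-line description, which produces separator lines several hundred characters long. These tables look like terraform-docs output, and the next docs run will put the escaping and the narrow separators back, so either wrap the generated block in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` or exclude these READMEs from the prettier hook; otherwise the formatter and the generator will keep flipping the same lines on every commit.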
@@ -9,11 +9,10 @@ large-scale installations - dozens of teams, hundreds of engineers and tens of t There are two projects located in this repository that are required for the deplyoment & day-to-day operation of Spacelift. -| Project | Description | -|-------------------------|---------------------------------------------------------| -| `spacelift-worker-pool` | Deploys Spacelift workers to EC2 | -| `spacelift` | Creates & manages all Spacelift stacks & configuration | - +| Project | Description | +| ----------------------- | ------------------------------------------------------ | +| `spacelift-worker-pool` | Deploys Spacelift workers to EC2 | +| `spacelift` | Creates & manages all Spacelift stacks & configuration | The `spacelift` project relies on this repository's stack configurations ([../stacks](../stacks)). @@ -38,7 +37,8 @@ export SPACELIFT_API_KEY_ID= export SPACELIFT_API_KEY_SECRET= ``` -The name of the spacelift stack resource will be different depending on the name of the component and the root atmos stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. +The name of the spacelift stack resource will be different depending on the name of the component and the root atmos +stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. ``` atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift.module.stacks["core-gbl-auto-spacelift"]' 
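Review bot: the unchanged context line just above the project table in the `@@ -9,11 +9,10 @@` hunk of spacelift-overview.md reads "required for the deplyoment & day-to-day operation"; the paragraph is already being touched by this change, so fix the typo to "deployment" here rather than in a follow-up. In the `@@ -38,7 +37,8 @@` hunk the rewrapped sentence is fine, but the fence that follows it (`atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift.module.stacks["core-gbl-auto-spacelift"]'`) has no language tag; label it ```shell so the targeted apply renders and copies as a shell command, and consider a one-line reminder next to the `export SPACELIFT_API_KEY_SECRET=` context above it that the secret should be sourced from a secret store rather than typed into the shell, since that value grants admin-level API access to the Spacelift account.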
@@ -50,12 +50,13 @@ atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift. 2. Create a new pull request (targeting the mainline branch) 3. View the modified resources directly in the pull request - ![Spacelift-PR-Changes.png](img/Spacelift-PR-Changes.png) + ![Spacelift-PR-Changes.png](img/Spacelift-PR-Changes.png) 4. View the successful Spacelift checks in the pull request - ![Spacelift-PR-Checks.png](img/Spacelift-PR-Checks.png) + ![Spacelift-PR-Checks.png](img/Spacelift-PR-Checks.png) 5. Merge the pull request and check the Spacelift job - ![Spacelift-Infrastructure-Behavior.png](img/Spacelift-Merge-Execution.png) **NOTE**: This job is not set to `autodeploy` and requires manual confirmation before applying. + ![Spacelift-Infrastructure-Behavior.png](img/Spacelift-Merge-Execution.png) **NOTE**: This job is not set to + `autodeploy` and requires manual confirmation before applying. diff --git a/deprecated/sso/README.md b/deprecated/sso/README.md index 86ac7e2c8..fe3b157c7 100644 --- a/deprecated/sso/README.md +++ b/deprecated/sso/README.md @@ -1,6 +1,8 @@ # Component: `sso` -This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM. +This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an +Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user +and corresponding Access Key pair which is pushed into AWS SSM. ## Usage 
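Review bot: in the `@@ -50,12 +50,13 @@` hunk of spacelift-overview.md the re-indented step 5 keeps an alt text that does not match the file it references: `![Spacelift-Infrastructure-Behavior.png](img/Spacelift-Merge-Execution.png)`. Either align the alt with the filename as steps 3 and 4 do, or use a descriptive alt such as "Spacelift run after merge". The NOTE that this stack is not set to `autodeploy` and needs manual confirmation before applying is the one operationally important sentence in that list; now that prettier has wrapped it across two lines glued to the image, it would read better as its own line under step 5. In the sso README hunk that follows, the rewrapped intro says the Okta access key pair is "pushed into AWS SSM" without saying where or how; name the parameter path and state whether it is written as a SecureString, because a reader deciding whether to enable the Okta integration needs to know how that long-lived credential is protected.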
@@ -22,71 +24,73 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 3.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.0 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 3.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | -| [okta\_api\_user](#module\_okta\_api\_user) | ./modules/okta-user | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| -------------------------------------------------------------------------- | -------------------------------- | ------- | +| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | +| [okta_api_user](#module_okta_api_user) | ./modules/okta-user | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| +| Name | Type | +| ------------------------------------------------------------------------------------------------------------------------------ | -------- | | [aws_iam_saml_provider.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [saml\_providers](#input\_saml\_providers) | Map of provider names to XML data filenames | `map(string)` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [saml_providers](#input_saml_providers) | Map of provider names to XML data filenames | `map(string)` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [okta\_api\_users](#output\_okta\_api\_users) | Map of OKTA API Users | -| [saml\_provider\_arns](#output\_saml\_provider\_arns) | Map of SAML provider names to provider ARNs | - +| Name | Description | +| ----------------------------------------------------------------------------------------- | ------------------------------------------- | +| [okta_api_users](#output_okta_api_users) | Map of OKTA API Users | +| [saml_provider_arns](#output_saml_provider_arns) | Map of SAML provider names to provider ARNs | + ## References - * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/sso) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/sso) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/cross-region-hub-connector/README.md b/deprecated/tgw/cross-region-hub-connector/README.md index e80e18c14..315e490f0 100644 --- a/deprecated/tgw/cross-region-hub-connector/README.md +++ b/deprecated/tgw/cross-region-hub-connector/README.md 
@@ -1,14 +1,15 @@ # Component: `cross-region-hub-connector` -This component is responsible for provisioning an [AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts and(or) regions. +This component is responsible for provisioning an +[AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts +and(or) regions. ## Usage **Stack Level**: Regional -This component is deployed to each off-region tgw/hub. -meaning if your home region is `region-a`, and you just created a `tgw/hub` in `region-a` and `region-b`. To peer them, deploy this -to `region-b` +This component is deployed to each off-region tgw/hub. meaning if your home region is `region-a`, and you just created a +`tgw/hub` in `region-a` and `region-b`. To peer them, deploy this to `region-b` This can be done by setting up a catalog to point to the main region, and simply importing it. 
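Review bot: the reflow in the Usage paragraph of this hunk joins the two original lines into `This component is deployed to each off-region tgw/hub. meaning if your home region is ...`, which leaves a sentence starting with lowercase `meaning` and `tgw/hub` unformatted while the same name is in backticks later in the same sentence. Since the line is being rewritten anyway, suggest: `This component is deployed to each off-region `tgw/hub`, meaning that if your home region is `region-a` and you have created a `tgw/hub` in both `region-a` and `region-b`, deploy this component to `region-b` to peer them.`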
@@ -31,79 +32,82 @@ components: ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | ## Providers -| Name | Version | -|------|---------| -| [aws.tgw\_home\_region](#provider\_aws.tgw\_home\_region) | >= 4.0 | -| [aws.tgw\_this\_region](#provider\_aws.tgw\_this\_region) | >= 4.0 | +| Name | Version | +| ------------------------------------------------------------------------------------------------ | ------- | +| [aws.tgw_home_region](#provider_aws.tgw_home_region) | >= 4.0 | +| [aws.tgw_this_region](#provider_aws.tgw_this_region) | >= 4.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam\_role\_tgw\_home\_region](#module\_iam\_role\_tgw\_home\_region) | ../../account-map/modules/iam-roles | n/a | -| [iam\_role\_tgw\_this\_region](#module\_iam\_role\_tgw\_this\_region) | ../../account-map/modules/iam-roles | n/a | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw\_home\_region](#module\_tgw\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw\_this\_region](#module\_tgw\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam_role_tgw_home_region](#module_iam_role_tgw_home_region) 
| ../../account-map/modules/iam-roles | n/a | +| [iam_role_tgw_this_region](#module_iam_role_tgw_this_region) | ../../account-map/modules/iam-roles | n/a | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw_home_region](#module_tgw_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw_this_region](#module_tgw_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -|------|------| -| [aws_ec2_transit_gateway_peering_attachment.tgw_peering](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment) | resource | -| [aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peering_accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment_accepter) | resource | +| Name | Type | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | +| [aws_ec2_transit_gateway_peering_attachment.tgw_peering](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment) | resource | +| [aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peering_accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment_accepter) | resource | | [aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_cross_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | -| 
[aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_in_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | +| [aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_in_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [home\_region](#input\_home\_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
environment = string
})
| n/a | yes | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [this\_region](#input\_this\_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [home_region](#input_home_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
environment = string
})
| n/a | yes | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [this_region](#input_this_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [aws\_ec2\_transit\_gateway\_peering\_attachment\_id](#output\_aws\_ec2\_transit\_gateway\_peering\_attachment\_id) | Transit Gateway Peering Attachment ID | +| Name | Description | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | +| [aws_ec2_transit_gateway_peering_attachment_id](#output_aws_ec2_transit_gateway_peering_attachment_id) | Transit Gateway Peering Attachment ID | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/cross-region-hub-connector) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/cross-region-hub-connector) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/cross-region-spoke/README.md b/deprecated/tgw/cross-region-spoke/README.md index 6c7803eed..1ae07f951 100644 --- a/deprecated/tgw/cross-region-spoke/README.md +++ b/deprecated/tgw/cross-region-spoke/README.md 
@@ -1,18 +1,21 @@ # Component: `cross-region-spoke` -This component is responsible for provisioning an [AWS Transit Gateway Attachment](https://aws.amazon.com/transit-gateway) to connect VPCs from different accounts and/or regions through a central hub. +This component is responsible for provisioning an +[AWS Transit Gateway Attachment](https://aws.amazon.com/transit-gateway) to connect VPCs from different accounts and/or +regions through a central hub. ## Usage **Stack Level**: Regional -This component is deployed after the `spoke` component. It is deployed in the same region as a `cross-region-hub-connector` and points to your default (`home`) region. +This component is deployed after the `spoke` component. It is deployed in the same region as a +`cross-region-hub-connector` and points to your default (`home`) region. -e.g. if you primarily deploy to us-east-1, and this is a connection to us-east-2, this component would be deployed to us-east-2 pointing to us-east-1 in the `home_region`. +e.g. if you primarily deploy to us-east-1, and this is a connection to us-east-2, this component would be deployed to +us-east-2 pointing to us-east-1 in the `home_region`. Here's an example snippet for how to configure and use this component: - ```yaml components: terraform: @@ -34,17 +37,16 @@ components: tgw_stage_name: network tgw_tenant_name: core region: us-east-1 - ``` - + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.0 | ## Providers 
@@ -52,23 +54,23 @@ No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [az\_abbreviation](#module\_az\_abbreviation) | cloudposse/utils/aws | 1.0.0 | -| [iam\_role\_tgw\_home\_region](#module\_iam\_role\_tgw\_home\_region) | ../../account-map/modules/iam-roles | n/a | -| [iam\_role\_tgw\_this\_region](#module\_iam\_role\_tgw\_this\_region) | ../../account-map/modules/iam-roles | n/a | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw\_cross\_region\_connector](#module\_tgw\_cross\_region\_connector) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw\_home\_region](#module\_tgw\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw\_routes\_home\_region](#module\_tgw\_routes\_home\_region) | ./modules/tgw_routes | n/a | -| [tgw\_routes\_this\_region](#module\_tgw\_routes\_this\_region) | ./modules/tgw_routes | n/a | -| [tgw\_this\_region](#module\_tgw\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | -| [vpc\_routes\_home](#module\_vpc\_routes\_home) | ./modules/vpc_routes | n/a | -| [vpc\_routes\_this](#module\_vpc\_routes\_this) | ./modules/vpc_routes | n/a | -| [vpcs\_home\_region](#module\_vpcs\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [vpcs\_this\_region](#module\_vpcs\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [az_abbreviation](#module_az_abbreviation) | 
cloudposse/utils/aws | 1.0.0 | +| [iam_role_tgw_home_region](#module_iam_role_tgw_home_region) | ../../account-map/modules/iam-roles | n/a | +| [iam_role_tgw_this_region](#module_iam_role_tgw_this_region) | ../../account-map/modules/iam-roles | n/a | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw_cross_region_connector](#module_tgw_cross_region_connector) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw_home_region](#module_tgw_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw_routes_home_region](#module_tgw_routes_home_region) | ./modules/tgw_routes | n/a | +| [tgw_routes_this_region](#module_tgw_routes_this_region) | ./modules/tgw_routes | n/a | +| [tgw_this_region](#module_tgw_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| [vpc_routes_home](#module_vpc_routes_home) | ./modules/vpc_routes | n/a | +| [vpc_routes_this](#module_vpc_routes_this) | ./modules/vpc_routes | n/a | +| [vpcs_home_region](#module_vpcs_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [vpcs_this_region](#module_vpcs_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources @@ -76,46 +78,48 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws\_region\_abbreviation](#input\_aws\_region\_abbreviation) | AWS Region Abbreviation method, must be one of: `to_fixed`, `to_short`, `from_fixed`, `from_short`, `identity` | `string` | n/a | yes | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [home\_region](#input\_home\_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
connections = set(string)
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
})
| n/a | yes | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [this\_region](#input\_this\_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
connections = set(string)
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws_region_abbreviation](#input_aws_region_abbreviation) | AWS Region Abbreviation method, must be one of: `to_fixed`, `to_short`, `from_fixed`, `from_short`, `identity` | `string` | n/a | yes | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [home_region](#input_home_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
connections = set(string)
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
})
| n/a | yes | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [this_region](#input_this_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
connections = set(string)
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [tgw\_routes\_home\_region](#output\_tgw\_routes\_home\_region) | TGW Routes to the primary region | -| [tgw\_routes\_in\_region](#output\_tgw\_routes\_in\_region) | TGW reoutes in this region | -| [vpc\_routes\_home](#output\_vpc\_routes\_home) | VPC routes to the primary VPC | -| [vpc\_routes\_this](#output\_vpc\_routes\_this) | This modules VPC routes | +| Name | Description | +| ----------------------------------------------------------------------------------------------------- | -------------------------------- | +| [tgw_routes_home_region](#output_tgw_routes_home_region) | TGW Routes to the primary region | +| [tgw_routes_in_region](#output_tgw_routes_in_region) | TGW reoutes in this region | +| [vpc_routes_home](#output_vpc_routes_home) | VPC routes to the primary VPC | +| [vpc_routes_this](#output_vpc_routes_this) | This modules VPC routes | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/hub/README.md b/deprecated/tgw/hub/README.md index 9b88a8c2b..8014eb73b 100644 --- a/deprecated/tgw/hub/README.md +++ b/deprecated/tgw/hub/README.md @@ -1,6 +1,7 @@ # Component: `tgw/hub` -This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. +This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` +that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. ## Usage 
@@ -43,12 +44,13 @@ atmos terraform apply tgw/hub -s --network ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.1 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.1 | ## Providers @@ -56,14 +58,14 @@ No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw\_hub](#module\_tgw\_hub) | cloudposse/transit-gateway/aws | 0.9.1 | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw_hub](#module_tgw_hub) | cloudposse/transit-gateway/aws | 0.9.1 | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources 
@@ -71,51 +73,53 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [accounts\_with\_eks](#input\_accounts\_with\_eks) | Set of account names that have EKS | `set(string)` | n/a | yes | -| [accounts\_with\_vpc](#input\_accounts\_with\_vpc) | Set of account names that have VPC | `set(string)` | n/a | yes | -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks\_component\_names](#input\_eks\_component\_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [expose\_eks\_sg](#input\_expose\_eks\_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where 
`account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [accounts_with_eks](#input_accounts_with_eks) | Set of account names that have EKS | `set(string)` | n/a | yes | +| [accounts_with_vpc](#input_accounts_with_vpc) | Set of account names that have VPC | `set(string)` | n/a | yes | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks_component_names](#input_eks_component_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [expose_eks_sg](#input_expose_eks_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [eks](#output\_eks) | Accounts with EKS and EKSs information | -| [tgw\_config](#output\_tgw\_config) | Transit Gateway config | -| [transit\_gateway\_arn](#output\_transit\_gateway\_arn) | Transit Gateway ARN | -| [transit\_gateway\_id](#output\_transit\_gateway\_id) | Transit Gateway ID | -| [transit\_gateway\_route\_table\_id](#output\_transit\_gateway\_route\_table\_id) | Transit Gateway route table ID | -| [vpcs](#output\_vpcs) | Accounts with VPC and VPCs information | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | +| [eks](#output_eks) | Accounts with EKS and EKSs information | +| [tgw_config](#output_tgw_config) | Transit Gateway config | +| [transit_gateway_arn](#output_transit_gateway_arn) | Transit Gateway ARN | +| [transit_gateway_id](#output_transit_gateway_id) | Transit Gateway ID | +| [transit_gateway_route_table_id](#output_transit_gateway_route_table_id) | Transit Gateway route table ID | +| [vpcs](#output_vpcs) | Accounts with VPC and VPCs information | + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/hub) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/hub) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/spoke/README.md b/deprecated/tgw/spoke/README.md index 605510858..75e90e8a6 100644 --- a/deprecated/tgw/spoke/README.md 
+++ b/deprecated/tgw/spoke/README.md @@ -1,6 +1,7 @@ # Component: `tgw/spoke` -This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments to connect VPCs in a `spoke` account to different accounts through a central `hub`. +This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments +to connect VPCs in a `spoke` account to different accounts through a central `hub`. ## Usage @@ -54,7 +55,6 @@ components: - core-network - core-auto - plat-staging - ``` To provision the attachments for a spoke account: @@ -65,12 +65,13 @@ atmos terraform apply tgw/spoke -s -- ``` + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.1 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.0.0 | +| [aws](#requirement_aws) | >= 4.1 | ## Providers 
@@ -78,14 +79,14 @@ No providers. ## Modules -| Name | Source | Version | -|------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw\_hub](#module\_tgw\_hub) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw\_hub\_role](#module\_tgw\_hub\_role) | ../../account-map/modules/iam-roles | n/a | -| [tgw\_hub\_routes](#module\_tgw\_hub\_routes) | cloudposse/transit-gateway/aws | 0.9.1 | -| [tgw\_spoke\_vpc\_attachment](#module\_tgw\_spoke\_vpc\_attachment) | ./modules/standard_vpc_attachment | n/a | -| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +| ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw_hub](#module_tgw_hub) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw_hub_role](#module_tgw_hub_role) | ../../account-map/modules/iam-roles | n/a | +| [tgw_hub_routes](#module_tgw_hub_routes) | cloudposse/transit-gateway/aws | 0.9.1 | +| [tgw_spoke_vpc_attachment](#module_tgw_spoke_vpc_attachment) | ./modules/standard_vpc_attachment | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | ## Resources @@ -93,44 +94,46 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [connections](#input\_connections) | List of accounts to connect to | `list(string)` | n/a | yes | -| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks\_component\_names](#input\_eks\_component\_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | -| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [expose\_eks\_sg](#input\_expose\_eks\_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | -| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input\_region) | AWS Region | `string` | n/a | yes | -| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [tgw\_hub\_component\_name](#input\_tgw\_hub\_component\_name) | The name of the transit-gateway component | `string` | `"tgw/hub"` | no | -| [tgw\_hub\_environment\_name](#input\_tgw\_hub\_environment\_name) | The name of the environment where `tgw/gateway` is provisioned | `string` | `"ue2"` | no | -| [tgw\_hub\_stage\_name](#input\_tgw\_hub\_stage\_name) | The name of the stage where `tgw/gateway` is provisioned | `string` | `"network"` | no | -| [tgw\_hub\_tenant\_name](#input\_tgw\_hub\_tenant\_name) | The name of the tenant where `tgw/hub` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +| --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [connections](#input_connections) | List of accounts to connect to | `list(string)` | n/a | yes | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks_component_names](#input_eks_component_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [expose_eks_sg](#input_expose_eks_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [tgw_hub_component_name](#input_tgw_hub_component_name) | The name of the transit-gateway component | `string` | `"tgw/hub"` | no | +| [tgw_hub_environment_name](#input_tgw_hub_environment_name) | The name of the environment where `tgw/gateway` is provisioned | `string` | `"ue2"` | no | +| [tgw_hub_stage_name](#input_tgw_hub_stage_name) | The name of the stage where `tgw/gateway` is provisioned | `string` | `"network"` | no | +| [tgw_hub_tenant_name](#input_tgw_hub_tenant_name) | The name of the tenant where `tgw/hub` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | ## Outputs No outputs. + ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw) - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw) - + Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/mixins/README.md b/mixins/README.md index 04e20811d..8818bf35b 100644 --- a/mixins/README.md +++ b/mixins/README.md @@ -1,12 +1,14 @@ # Terraform Mixins -A Terraform mixin (inspired by the [concept of the same name in OOP languages such as Python and Ruby](https://en.wikipedia.org/wiki/Mixin)) -is a Terraform configuration file that can be dropped into a root-level module, i.e. a component, in order to add additional +A Terraform mixin (inspired by the +[concept of the same name in OOP languages such as Python and Ruby](https://en.wikipedia.org/wiki/Mixin)) is a Terraform +configuration file that can be dropped into a root-level module, i.e. a component, in order to add additional functionality. Mixins are meant to encourage code reuse, leading to more simple components with less code repetition between component to component. + ## Mixin: `infra-state.mixin.tf` @@ -52,3 +54,4 @@ etc. That is, that it has the following characteristics: 2. Does not already instantiate a Kubernetes provider (only the Helm provider is necessary, typically, for EKS components). + diff --git a/mixins/github-actions-iam-role/README-github-action-iam-role.md b/mixins/github-actions-iam-role/README-github-action-iam-role.md index 1c8e0b6bb..c46fbf286 100644 --- a/mixins/github-actions-iam-role/README-github-action-iam-role.md +++ b/mixins/github-actions-iam-role/README-github-action-iam-role.md 
@@ -1,33 +1,32 @@ # Mixin: `github-actions-iam-role.mixin.tf` -This mixin component is responsible for creating an IAM role that can be assumed by a GitHub action for a specific purpose. -It requires that the `github-oidc-provider` component be installed in the same account, that -`components/terraform/account-map/modules/team-assume-role-policy/github-assume-role-policy.mixin.tf` -is present in the repository, and that the component using this mixin contains a file (by convention named -`github-actions-iam-policy.tf`) which defines a JSON policy document that will be attached to the IAM role, -contained in a local variable named `github_actions_iam_policy`. It is up to the component using this mixin -to define the policy to be associated with the role. The policy should be as restrictive as possible. - -At this time, only one role can be created per component (per account, per region). Generated role names -include all the `null-label` labels, so it is possible to create multiple roles in the same account, -but not multiple roles in the same component in the same region with different policies. -This limitation of the mixin is somewhat intentional, in that each role should be created for a specific -component, and component can create its own specific role. If this limitation turns -out to be truly burdensome, note that `aws-teams` also supports GitHub actions assuming its roles. - +This mixin component is responsible for creating an IAM role that can be assumed by a GitHub action for a specific +purpose. 
It requires that the `github-oidc-provider` component be installed in the same account, that +`components/terraform/account-map/modules/team-assume-role-policy/github-assume-role-policy.mixin.tf` is present in the +repository, and that the component using this mixin contains a file (by convention named `github-actions-iam-policy.tf`) +which defines a JSON policy document that will be attached to the IAM role, contained in a local variable named +`github_actions_iam_policy`. It is up to the component using this mixin to define the policy to be associated with the +role. The policy should be as restrictive as possible. + +At this time, only one role can be created per component (per account, per region). Generated role names include all the +`null-label` labels, so it is possible to create multiple roles in the same account, but not multiple roles in the same +component in the same region with different policies. This limitation of the mixin is somewhat intentional, in that each +role should be created for a specific component, and component can create its own specific role. If this limitation +turns out to be truly burdensome, note that `aws-teams` also supports GitHub actions assuming its roles. ## Usage **Stack Level**: Global or Regional This mixin provisions a specific IAM role that can be assumed by a GitHub action for a specific purpose, analogous to -how [EKS IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) +how +[EKS IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) works for EKS. ### Define the role policy -Create a file named `github-actions-iam-policy.tf` that defines the desired policy for the role and saves it -as a JSON string in a local variable named `github_actions_iam_policy`. 
For example: +Create a file named `github-actions-iam-policy.tf` that defines the desired policy for the role and saves it as a JSON +string in a local variable named `github_actions_iam_policy`. For example: ```hcl locals { @@ -48,11 +47,10 @@ data "aws_iam_policy_document" "github_actions_iam_policy" { ### Create the role alongside the component -Define values for the variables defined in `github-actions-iam-role.mixin.tf` in the stack for the component. -Most importantly, set `github_actions_allowed_repos` to the list of GitHub repositories where installed -GitHub actions will be allowed to assume the role. Wildcards are allowed, so you can allow all repositories -in your organization by setting `github_actions_allowed_repos = ["/*"]`. - +Define values for the variables defined in `github-actions-iam-role.mixin.tf` in the stack for the component. Most +importantly, set `github_actions_allowed_repos` to the list of GitHub repositories where installed GitHub actions will +be allowed to assume the role. Wildcards are allowed, so you can allow all repositories in your organization by setting +`github_actions_allowed_repos = ["/*"]`. ```yaml components: 
@@ -71,26 +69,25 @@ components: #### Add required workflow permissions -In the GitHub action workflow, add required permissions at the top of the -workflow, or within the job. See the [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings) +In the GitHub action workflow, add required permissions at the top of the workflow, or within the job. See the +[GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings) for more details. ```yaml permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout ``` #### Configure settings via environment variables -Although you can configure the settings in various ways, including using -GitHub Secrets and Environments, for a balance of simplicity and visibility -we recommend configuration by hard-coding settings in the following environment variables +Although you can configure the settings in various ways, including using GitHub Secrets and Environments, for a balance +of simplicity and visibility we recommend configuration by hard-coding settings in the following environment variables at the top the workflow: ```yaml env: - AWS_REGION: us-east-1 # The AWS region where the workflow should run + AWS_REGION: us-east-1 # The AWS region where the workflow should run ECR_REPOSITORY: infrastructure # The ECR repository where the workflow should push the image ECR_REGISTRY: 123456789012.dkr.ecr.us-east-1.amazonaws.com # The ECR registry where the workflow should push the image GHA_IAM_ROLE: arn:aws:iam::123456789012:role/eg-mgmt-use1-art-gha # The ARN of the IAM role to assume 
@@ -99,10 +96,10 @@ env: Then add the following step to assume the role: ```yaml - - name: Configure AWS credentials for ECR - uses: aws-actions/configure-aws-credentials@v1 - with: - role-to-assume: ${{ env.GHA_IAM_ROLE }} - role-session-name: infra-gha-docker-build-and-push # This can be any name. It shows up in audit logs. - aws-region: ${{ env.AWS_REGION }} +- name: Configure AWS credentials for ECR + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ env.GHA_IAM_ROLE }} + role-session-name: infra-gha-docker-build-and-push # This can be any name. It shows up in audit logs. + aws-region: ${{ env.AWS_REGION }} ``` From 3ef554f44a9e216d08ba7e784f807121d7c37c89 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:20:57 -0800 Subject: [PATCH 08/11] ignore deprecated --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0aadbc8d3..9f1bdb3e8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: types: ["markdown"] exclude: | (?x)^( - deprecated + deprecated/.*README*.md )$ - repo: local From 50862c20cf1d97f73da16c761e6b70282d8c396f Mon Sep 17 00:00:00 2001 
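Review bot: In the `@@ -99,10 +96,10 @@` hunk the `Configure AWS credentials for ECR` step is de-indented from `  - name:` to `- name:`; the original two-space indent is valid YAML and reads as an item nested under `steps:`, so a reader who pastes the de-indented snippet into a workflow now has to re-indent it themselves. Either keep the indent (prettier accepts it) or show the step under a `steps:` key so the snippet is correct as written. While this block is being touched, `uses: aws-actions/configure-aws-credentials@v1` pins a mutable major tag; for the step that exchanges the OIDC token for AWS credentials, pinning to a full-length commit SHA (with the tag in a trailing comment) is the safer form and is worth reflecting in the docs.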
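Review bot: The new exclude pattern `deprecated/.*README*.md` in the PATCH 08 `.pre-commit-config.yaml` hunk reads like a shell glob but is compiled as a regex under `(?x)`: `README*` means `READM` followed by zero or more `E`, and the unescaped `.` before `md` matches any character, so the pattern also matches a path such as `deprecated/x/READMxmd` while the intent is clearly `deprecated/**/README.md`. Write it as `deprecated/.*README\.md` (or `deprecated/.*/README\.md`) so the regex says what the commit message means.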
From: milldr Date: Fri, 8 Mar 2024 13:23:35 -0800 Subject: [PATCH 09/11] ignore deprecated --- .pre-commit-config.yaml | 3 +- deprecated/account-map/README.md | 147 ++++---- .../modules/iam-assume-role-policy/README.md | 95 +++-- .../account-map/modules/iam-roles/README.md | 17 +- .../modules/roles-to-principals/README.md | 18 +- deprecated/aws-waf-acl/README.md | 152 ++++---- deprecated/aws/backing-services/README.md | 1 + deprecated/aws/bootstrap/README.md | 10 +- deprecated/aws/ecs/README.md | 17 +- .../aws/grafana-backing-services/README.md | 22 +- .../aws/keycloak-backing-services/README.md | 76 ++-- .../kops-legacy-account-vpc-peering/README.md | 14 +- deprecated/aws/kops/README.md | 21 +- deprecated/aws/opsgenie/README.md | 223 ++++++------ deprecated/aws/opsgenie/detailed-usage.md | 321 ++++++++--------- deprecated/aws/tfstate-backend/README.md | 10 +- deprecated/eks-iam/README.md | 132 ++++--- deprecated/eks/ebs-controller/README.md | 128 ++++--- deprecated/eks/echo-server/README.md | 180 +++++---- deprecated/eks/efs-controller/README.md | 140 ++++--- deprecated/eks/eks-without-spotinst/README.md | 198 +++++----- deprecated/github-actions-runner/README.md | 204 +++++------ deprecated/guardduty/common/README.md | 80 ++-- deprecated/guardduty/root/README.md | 102 +++--- deprecated/iam-delegated-roles/README.md | 253 +++++++------ deprecated/iam-primary-roles/README.md | 341 +++++++++--------- .../securityhub/securityhub/common/README.md | 173 ++++----- .../securityhub/securityhub/root/README.md | 111 +++--- deprecated/spacelift-policy/README.md | 100 +++-- deprecated/spacelift-worker-pool/README.md | 286 +++++++-------- deprecated/spacelift/README.md | 212 +++++------ .../spacelift/docs/spacelift-overview.md | 19 +- deprecated/sso/README.md | 94 +++-- .../tgw/cross-region-hub-connector/README.md | 116 +++--- deprecated/tgw/cross-region-spoke/README.md | 126 ++++--- deprecated/tgw/hub/README.md | 108 +++--- deprecated/tgw/spoke/README.md | 93 +++-- 37 files 
changed, 2088 insertions(+), 2255 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9f1bdb3e8..37d2608b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,8 @@ repos: types: ["markdown"] exclude: | (?x)^( - deprecated/.*README*.md + deprecated/.*README*.md | + deprecated/.*.md )$ - repo: local diff --git a/deprecated/account-map/README.md b/deprecated/account-map/README.md index 2d9042b01..43ae68b6b 100644 --- a/deprecated/account-map/README.md +++ b/deprecated/account-map/README.md @@ -1,14 +1,12 @@ # Component: `account-map` -This component is responsible for provisioning information only: it simply populates Terraform state with data (account -ids, groups, and roles) that other root modules need via outputs. +This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs. ## Usage **Stack Level**: Global -Here's an example snippet for how to use this component. Stick this snippet in the management account's stack (E.g. -`gbl-root.yaml`) +Here's an example snippet for how to use this component. Stick this snippet in the management account's stack (E.g. `gbl-root.yaml`) ```yaml components: 
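Review bot: In the PATCH 09 `.pre-commit-config.yaml` hunk, the added alternative `deprecated/.*.md` already matches every path the first alternative `deprecated/.*README*.md` can match (any path under `deprecated/` ending in some character followed by `md`), so the first branch is now dead and can be dropped. Both branches also leave the `.` unescaped; `deprecated/.*\.md` is the precise form, and since the hook already carries `types: ["markdown"]`, a plain `deprecated/.*` exclude would be simpler still and would cover every file in this commit's diffstat, including `deprecated/aws/opsgenie/detailed-usage.md` and `deprecated/spacelift/docs/spacelift-overview.md`, which are not READMEs.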
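Review bot: The `deprecated/account-map/README.md` hunk `@@ -1,14 +1,12 @@` undoes line wrapping (the `-` lines are wrapped at roughly 120 columns, the `+` lines are single long lines), and the diffstat shows the same kind of change across 36 other files under `deprecated/` (2088 insertions, 2255 deletions), yet the commit message says only "ignore deprecated". Stating in the message that the deprecated docs are being restored to their unwrapped form alongside the hook exclusion would make the intent clear to anyone bisecting this history; as it stands, the bulk change reads as unrelated to a one-line config edit.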
@@ -34,99 +32,96 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | ~> 4 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | ~> 4 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | ~> 4 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4 | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------- | -------------------------------------------------- | ------- | -| [accounts](#module_accounts) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [accounts](#module\_accounts) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| -------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| Name | Type | +|------|------| | [aws_organizations_organization.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [artifacts_account_account_name](#input_artifacts_account_account_name) | The stage name for the artifacts account | `string` | `"artifacts"` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [audit_account_account_name](#input_audit_account_account_name) | The stage name for the audit account | `string` | `"audit"` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [dns_account_account_name](#input_dns_account_account_name) | The stage name for the primary DNS account | `string` | `"dns"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global_environment_name](#input_global_environment_name) | Global environment name | `string` | `"gbl"` | no | -| [iam_role_arn_template_template](#input_iam_role_arn_template_template) | The template for the template used to render Role ARNs.
The template is first used to render a template for the account that takes only the role name.
Then that rendered template is used to create the final Role ARN for the account.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"arn:%s:iam::%s:role/%s-%s-%s-%%s"` when not using `tenant`.


Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"arn:%s:iam::%s:role/%s-%s-%s-%s-%%s"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [identity_account_account_name](#input_identity_account_account_name) | The stage name for the account holding primary IAM roles | `string` | `"identity"` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [profile_template](#input_profile_template) | The template used to render AWS Profile names.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"%s-%s-%s-%s"` when not using `tenant`.

Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"%s-%s-%s-%s-%s"` | no | -| [profiles_enabled](#input_profiles_enabled) | Whether or not to enable profiles instead of roles for the backend. If true, profile must be set. If false, role_arn must be set. | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [root_account_account_name](#input_root_account_account_name) | The stage name for the root account | `string` | `"root"` | no | -| [root_account_aws_name](#input_root_account_aws_name) | The name of the root account as reported by AWS | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [artifacts\_account\_account\_name](#input\_artifacts\_account\_account\_name) | The stage name for the artifacts account | `string` | `"artifacts"` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [audit\_account\_account\_name](#input\_audit\_account\_account\_name) | The stage name for the audit account | `string` | `"audit"` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [dns\_account\_account\_name](#input\_dns\_account\_account\_name) | The stage name for the primary DNS account | `string` | `"dns"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global\_environment\_name](#input\_global\_environment\_name) | Global environment name | `string` | `"gbl"` | no | +| [iam\_role\_arn\_template\_template](#input\_iam\_role\_arn\_template\_template) | The template for the template used to render Role ARNs.
The template is first used to render a template for the account that takes only the role name.
Then that rendered template is used to create the final Role ARN for the account.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"arn:%s:iam::%s:role/%s-%s-%s-%%s"` when not using `tenant`.


Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"arn:%s:iam::%s:role/%s-%s-%s-%s-%%s"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [identity\_account\_account\_name](#input\_identity\_account\_account\_name) | The stage name for the account holding primary IAM roles | `string` | `"identity"` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [profile\_template](#input\_profile\_template) | The template used to render AWS Profile names.
Default is appropriate when using `tenant` and default label order with `null-label`.
Use `"%s-%s-%s-%s"` when not using `tenant`.

Note that if the `null-label` variable `label_order` is truncated or extended with additional labels, this template will
need to be updated to reflect the new number of labels. | `string` | `"%s-%s-%s-%s-%s"` | no | +| [profiles\_enabled](#input\_profiles\_enabled) | Whether or not to enable profiles instead of roles for the backend. If true, profile must be set. If false, role\_arn must be set. | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [root\_account\_account\_name](#input\_root\_account\_account\_name) | The stage name for the root account | `string` | `"root"` | no | +| [root\_account\_aws\_name](#input\_root\_account\_aws\_name) | The name of the root account as reported by AWS | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -| [account_info_map](#output_account_info_map) | A map from account name to various information about the account.
See the `account_info_map` output of `account` for more detail. | -| [all_accounts](#output_all_accounts) | A list of all accounts in the AWS Organization | -| [artifacts_account_account_name](#output_artifacts_account_account_name) | The short name for the artifacts account | -| [audit_account_account_name](#output_audit_account_account_name) | The short name for the audit account | -| [aws_partition](#output_aws_partition) | The AWS "partition" to use when constructing resource ARNs | -| [cicd_profiles](#output_cicd_profiles) | A list of all SSO profiles used by cicd platforms | -| [cicd_roles](#output_cicd_roles) | A list of all IAM roles used by cicd platforms | -| [dns_account_account_name](#output_dns_account_account_name) | The short name for the primary DNS account | -| [eks_accounts](#output_eks_accounts) | A list of all accounts in the AWS Organization that contain EKS clusters | -| [full_account_map](#output_full_account_map) | The map of account name to account ID (number). | -| [helm_profiles](#output_helm_profiles) | A list of all SSO profiles used to run helm updates | -| [helm_roles](#output_helm_roles) | A list of all IAM roles used to run helm updates | -| [iam_role_arn_templates](#output_iam_role_arn_templates) | Map of accounts to corresponding IAM Role ARN templates | -| [identity_account_account_name](#output_identity_account_account_name) | The short name for the account holding primary IAM roles | -| [non_eks_accounts](#output_non_eks_accounts) | A list of all accounts in the AWS Organization that do not contain EKS clusters | -| [org](#output_org) | The name of the AWS Organization | -| [profiles_enabled](#output_profiles_enabled) | Whether or not to enable profiles instead of roles for the backend | -| [root_account_account_name](#output_root_account_account_name) | The short name for the root account | -| [root_account_aws_name](#output_root_account_aws_name) | The name of the root account as reported by AWS | -| 
[terraform_profiles](#output_terraform_profiles) | A list of all SSO profiles used to run terraform updates | -| [terraform_roles](#output_terraform_roles) | A list of all IAM roles used to run terraform updates | - +| Name | Description | +|------|-------------| +| [account\_info\_map](#output\_account\_info\_map) | A map from account name to various information about the account.
See the `account_info_map` output of `account` for more detail. | +| [all\_accounts](#output\_all\_accounts) | A list of all accounts in the AWS Organization | +| [artifacts\_account\_account\_name](#output\_artifacts\_account\_account\_name) | The short name for the artifacts account | +| [audit\_account\_account\_name](#output\_audit\_account\_account\_name) | The short name for the audit account | +| [aws\_partition](#output\_aws\_partition) | The AWS "partition" to use when constructing resource ARNs | +| [cicd\_profiles](#output\_cicd\_profiles) | A list of all SSO profiles used by cicd platforms | +| [cicd\_roles](#output\_cicd\_roles) | A list of all IAM roles used by cicd platforms | +| [dns\_account\_account\_name](#output\_dns\_account\_account\_name) | The short name for the primary DNS account | +| [eks\_accounts](#output\_eks\_accounts) | A list of all accounts in the AWS Organization that contain EKS clusters | +| [full\_account\_map](#output\_full\_account\_map) | The map of account name to account ID (number). 
| +| [helm\_profiles](#output\_helm\_profiles) | A list of all SSO profiles used to run helm updates | +| [helm\_roles](#output\_helm\_roles) | A list of all IAM roles used to run helm updates | +| [iam\_role\_arn\_templates](#output\_iam\_role\_arn\_templates) | Map of accounts to corresponding IAM Role ARN templates | +| [identity\_account\_account\_name](#output\_identity\_account\_account\_name) | The short name for the account holding primary IAM roles | +| [non\_eks\_accounts](#output\_non\_eks\_accounts) | A list of all accounts in the AWS Organization that do not contain EKS clusters | +| [org](#output\_org) | The name of the AWS Organization | +| [profiles\_enabled](#output\_profiles\_enabled) | Whether or not to enable profiles instead of roles for the backend | +| [root\_account\_account\_name](#output\_root\_account\_account\_name) | The short name for the root account | +| [root\_account\_aws\_name](#output\_root\_account\_aws\_name) | The name of the root account as reported by AWS | +| [terraform\_profiles](#output\_terraform\_profiles) | A list of all SSO profiles used to run terraform updates | +| [terraform\_roles](#output\_terraform\_roles) | A list of all IAM roles used to run terraform updates | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/account-map) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/account-map) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/account-map/modules/iam-assume-role-policy/README.md b/deprecated/account-map/modules/iam-assume-role-policy/README.md index f4300ac74..f2feb1d5f 100644 --- a/deprecated/account-map/modules/iam-assume-role-policy/README.md +++ b/deprecated/account-map/modules/iam-assume-role-policy/README.md 
@@ -2,14 +2,13 @@ This submodule generates a JSON-encoded IAM Policy Document suitable for use as an "Assume Role Policy". -You can designate both who is allowed to assume a role and who is explicitly denied permission to assume a role. The -value of this submodule is that it allows for many ways to specify the "who" while at the same time limiting the "who" -to assumed IAM roles: +You can designate both who is allowed to assume a role and who is explicitly denied permission +to assume a role. The value of this submodule is that it allows for many ways +to specify the "who" while at the same time limiting the "who" to assumed IAM roles: - All assumed roles in the `dev` account: `allowed_roles = { dev = ["*"] }` - Only the `admin` role in the dev account: `allowed_roles = { dev = ["admin"] }` -- A specific principal in any account (though it must still be an assumed role): - `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` +- A specific principal in any account (though it must still be an assumed role): `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` - A user of a specific AWS SSO Permission Set: `allowed_permission_sets = { dev = ["DeveloperAccess"] }` ## Usage 
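Review bot: In the `@@ -2,14 +2,13 @@` hunk of `deprecated/account-map/modules/iam-assume-role-policy/README.md`, the re-joined bullet `allowed_principal_arns = arn:aws:iam::123456789012:role/trusted-role` is not valid HCL: the input is declared as `list(string)` in the Inputs table of the following hunk, so the example should read `allowed_principal_arns = ["arn:aws:iam::123456789012:role/trusted-role"]`, matching the quoted-list form already used by the `allowed_roles` and `allowed_permission_sets` bullets beside it. The reflow itself is fine, but since the line is being rewritten anyway this is the moment to correct the example rather than carry the error forward.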
@@ -32,67 +31,65 @@ resource "aws_iam_role" "default" { ``` - ## Requirements No requirements. ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | n/a | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------------- | ------------------------------------------------ | ------- | -| [allowed_role_map](#module_allowed_role_map) | ../../../account-map/modules/roles-to-principals | n/a | -| [denied_role_map](#module_denied_role_map) | ../../../account-map/modules/roles-to-principals | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [allowed\_role\_map](#module\_allowed\_role\_map) | ../../../account-map/modules/roles-to-principals | n/a | +| [denied\_role\_map](#module\_denied\_role\_map) | ../../../account-map/modules/roles-to-principals | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ----------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_arn.allowed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | -| [aws_arn.denied](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| Name | Type | +|------|------| +| [aws_arn.allowed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_arn.denied](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | 
Default | Required | -| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [allowed_permission_sets](#input_allowed_permission_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets allowed to assume the role when coming from specified account | `map(list(string))` | `{}` | no | -| [allowed_principal_arns](#input_allowed_principal_arns) | List of AWS principal ARNs allowed to assume the role. | `list(string)` | `[]` | no | -| [allowed_roles](#input_allowed_roles) | Map of account:[role, role...] specifying roles allowed to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [denied_permission_sets](#input_denied_permission_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account | `map(list(string))` | `{}` | no | -| [denied_principal_arns](#input_denied_principal_arns) | List of AWS principal ARNs explicitly denied access to the role. | `list(string)` | `[]` | no | -| [denied_roles](#input_denied_roles) | Map of account:[role, role...] specifying roles explicitly denied permission to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [allowed\_permission\_sets](#input\_allowed\_permission\_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets allowed to assume the role when coming from specified account | `map(list(string))` | `{}` | no | +| [allowed\_principal\_arns](#input\_allowed\_principal\_arns) | List of AWS principal ARNs allowed to assume the role. | `list(string)` | `[]` | no | +| [allowed\_roles](#input\_allowed\_roles) | Map of account:[role, role...] specifying roles allowed to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [denied\_permission\_sets](#input\_denied\_permission\_sets) | Map of account:[PermissionSet, PermissionSet...] specifying AWS SSO PermissionSets denied access to the role when coming from specified account | `map(list(string))` | `{}` | no | +| [denied\_principal\_arns](#input\_denied\_principal\_arns) | List of AWS principal ARNs explicitly denied access to the role. | `list(string)` | `[]` | no | +| [denied\_roles](#input\_denied\_roles) | Map of account:[role, role...] specifying roles explicitly denied permission to assume the role.
Roles are symbolic names like `ops` or `terraform`. Use `*` as role for entire account. | `map(list(string))` | `{}` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | -| [policy_document](#output_policy_document) | JSON encoded string representing the "Assume Role" policy configured by the inputs | - +| Name | Description | +|------|-------------| +| [policy\_document](#output\_policy\_document) | JSON encoded string representing the "Assume Role" policy configured by the inputs | diff --git a/deprecated/account-map/modules/iam-roles/README.md b/deprecated/account-map/modules/iam-roles/README.md index 2e3f39418..0de665565 100644 --- a/deprecated/account-map/modules/iam-roles/README.md +++ b/deprecated/account-map/modules/iam-roles/README.md 
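Review bot: the direction of this table change is the opposite of what a prettier pass produces, which suggests the terraform-docs block was regenerated rather than formatted: the removed `-` lines are the column-aligned tables with plain `#provider_aws`/`#module_this` anchors, while the added `+` lines are the unaligned `|------|---------|` form with `\_` escapes in every link (`[aws](#provider\_aws)`), and the blank line before `## Requirements` is dropped. If terraform-docs owns these tables, the next `terraform-docs` run and the next prettier run will keep flipping them; either wrap the generated block in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` or order the pre-commit hooks so terraform-docs runs before prettier, and document which tool wins in the README header.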
@@ -1,12 +1,15 @@ # Submodule `iam-roles` -This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various -tasks, most commonly for applying Terraform plans. +This submodule is used by other modules to determine which IAM Roles +or AWS CLI Config Profiles to use for various tasks, most commonly +for applying Terraform plans. ## Special Configuration Needed -In order to avoid having to pass customization information through every module that uses this submodule, if the default -configuration does not suit your needs, you are expected to customize `variables.tf` with the defaults you want to use -in your project. For example, if you are including the `tenant` label in the designation of your "root" account (your -Organization Management Account), then you should modify `variables.tf` so that `global_tenant_name` defaults to the -appropriate value. +In order to avoid having to pass customization information through every module +that uses this submodule, if the default configuration does not suit your needs, +you are expected to customize `variables.tf` with the defaults you want to +use in your project. For example, if you are including the `tenant` label +in the designation of your "root" account (your Organization Management Account), +then you should modify `variables.tf` so that `global_tenant_name` defaults +to the appropriate value. diff --git a/deprecated/account-map/modules/roles-to-principals/README.md b/deprecated/account-map/modules/roles-to-principals/README.md index e33e9cc15..82b128d8c 100644 --- a/deprecated/account-map/modules/roles-to-principals/README.md +++ b/deprecated/account-map/modules/roles-to-principals/README.md 
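Review bot: the wrap width here differs from the other READMEs in the same patch, so the prose-wrap setting does not look pinned: this hunk re-wraps at roughly 80 columns, the `team-assume-role-policy` hunk wraps at roughly 100, and the `aws-waf-acl` hunk joins its paragraph into a single line longer than either. Set `printWidth` and `proseWrap` explicitly in a shared prettier config (or in the hook's `args`) so every README is wrapped the same way, otherwise the next contributor's editor will reflow these paragraphs again and produce noise diffs.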
@@ -1,12 +1,16 @@ # Submodule `roles-to-principals` -This submodule is used by other modules to map short role names and AWS SSO Permission Set names in accounts designated -by short account names (for example, `terraform` in the `dev` account) to full IAM Role ARNs and other related tasks. +This submodule is used by other modules to map short role names and AWS +SSO Permission Set names in accounts designated by short account names +(for example, `terraform` in the `dev` account) to full IAM Role ARNs and +other related tasks. ## Special Configuration Needed -In order to avoid having to pass customization information through every module that uses this submodule, if the default -configuration does not suit your needs, you are expected to customize `variables.tf` with the defaults you want to use -in your project. For example, if you are including the `tenant` label in the designation of your "root" account (your -Organization Management Account), then you should modify `variables.tf` so that `global_tenant_name` defaults to the -appropriate value. +In order to avoid having to pass customization information through every module +that uses this submodule, if the default configuration does not suit your needs, +you are expected to customize `variables.tf` with the defaults you want to +use in your project. For example, if you are including the `tenant` label +in the designation of your "root" account (your Organization Management Account), +then you should modify `variables.tf` so that `global_tenant_name` defaults +to the appropriate value. diff --git a/deprecated/aws-waf-acl/README.md b/deprecated/aws-waf-acl/README.md index ab3b5910f..64e50e47e 100644 --- a/deprecated/aws-waf-acl/README.md +++ b/deprecated/aws-waf-acl/README.md 
@@ -1,7 +1,7 @@ # Component: `aws-waf-acl` -This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule -group. +This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group. + ## Usage 
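Review bot: the added empty `+` line after the joined sentence appears to duplicate the blank line that already separates the paragraph from `## Usage` (the hunk removes two lines and adds two, so the paragraph gained a blank line instead of keeping the single separator); prettier normally collapses consecutive blank lines, so this looks like a hand edit. Drop the extra `+` line and let the formatter produce the spacing.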
@@ -19,105 +19,103 @@ components: default_action: allow description: Default web ACL managed_rule_group_statement_rules: - - name: "OWASP-10" - # Rules are processed in order based on the value of priority, lowest number first - priority: 1 - - statement: - name: AWSManagedRulesCommonRuleSet - vendor_name: AWS - - visibility_config: - # Defines and enables Amazon CloudWatch metrics and web request sample collection. - cloudwatch_metrics_enabled: false - metric_name: "OWASP-10" - sampled_requests_enabled: false + - name: "OWASP-10" + # Rules are processed in order based on the value of priority, lowest number first + priority: 1 + + statement: + name: AWSManagedRulesCommonRuleSet + vendor_name: AWS + + visibility_config: + # Defines and enables Amazon CloudWatch metrics and web request sample collection. + cloudwatch_metrics_enabled: false + metric_name: "OWASP-10" + sampled_requests_enabled: false ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 0.14.9 | -| [aws](#requirement_aws) | >= 3.36 | -| [external](#requirement_external) | >= 2.1 | -| [local](#requirement_local) | >= 2.1 | -| [template](#requirement_template) | >= 2.2 | -| [utils](#requirement_utils) | >= 0.3 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.14.9 | +| [aws](#requirement\_aws) | >= 3.36 | +| [external](#requirement\_external) | >= 2.1 | +| [local](#requirement\_local) | >= 2.1 | +| [template](#requirement\_template) | >= 2.2 | +| [utils](#requirement\_utils) | >= 0.3 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 3.36 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.36 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------- | -------------------------------- | ------- | -| 
[aws_waf](#module_aws_waf) | cloudposse/waf/aws | 0.0.1 | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.24.1 | +| Name | Source | Version | +|------|--------|---------| +| [aws\_waf](#module\_aws\_waf) | cloudposse/waf/aws | 0.0.1 | +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.24.1 | ## Resources -| Name | Type | -| ---------------------------------------------------------------------------------------------------------------------- | -------- | +| Name | Type | +|------|------| | [aws_ssm_parameter.acl_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [acl_name](#input_acl_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm_path_prefix}/{acl_name}/arn | `string` | n/a | yes | -| [additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [association_resource_arns](#input_association_resource_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | -| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [byte_match_statement_rules](#input_byte_match_statement_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [default_action](#input_default_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [geo_match_statement_rules](#input_geo_match_statement_rules) | A rule statement used to identify web requests based on country of origin.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
country_codes:
A list of two-character country codes.
forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [ip_set_reference_statement_rules](#input_ip_set_reference_statement_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The ARN of the IP Set that this statement references.
ip_set_forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [label_key_case](#input_label_key_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | -| [log_destination_configs](#input_log_destination_configs) | The Amazon Kinesis Data Firehose ARNs. | `list(string)` | `[]` | no | -| [managed_rule_group_statement_rules](#input_managed_rule_group_statement_rules) | A rule statement used to run the rules that are defined in a managed rule group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
name:
The name of the managed rule group.
vendor_name:
The name of the managed rule group vendor.
excluded_rule:
The list of names of the rules to exclude.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [rate_based_statement_rules](#input_rate_based_statement_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate_key_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded_ip_config:
fallback_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header_name:
The name of the HTTP header to use for the IP address.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [redacted_fields](#input_redacted_fields) | The parts of the request that you want to keep out of the logs.

method_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri_path_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query_string_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | -| [regex_pattern_set_reference_statement_rules](#input_regex_pattern_set_reference_statement_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [rule_group_reference_statement_rules](#input_rule_group_reference_statement_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded_rule:
The list of names of the rules to exclude.

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [scope](#input_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
Possible values are `CLOUDFRONT` or `REGIONAL`.
To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no | -| [size_constraint_statement_rules](#input_size_constraint_statement_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
comparison_operator:
The operator to use to compare the request part to the size setting.
Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
size:
The size, in bytes, to compare to the request part, after any transformations.
Valid values are integers between `0` and `21474836480`, inclusive.
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [sqli_match_statement_rules](#input_sqli_match_statement_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | -| [ssm_path_prefix](#input_ssm_path_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no | -| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [visibility_config](#input_visibility_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | -| [xss_match_statement_rules](#input_xss_match_statement_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss_match_statement:
field_to_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch_metrics_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric_name:
A friendly name of the CloudWatch metric.
sampled_requests_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [acl\_name](#input\_acl\_name) | Friendly name of the ACL. The ACL ARN will be stored in SSM under {ssm\_path\_prefix}/{acl\_name}/arn | `string` | n/a | yes | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [association\_resource\_arns](#input\_association\_resource\_arns) | A list of ARNs of the resources to associate with the web ACL.
This must be an ARN of an Application Load Balancer or an Amazon API Gateway stage. | `list(string)` | `[]` | no | +| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [byte\_match\_statement\_rules](#input\_byte\_match\_statement\_rules) | A rule statement that defines a string match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [default\_action](#input\_default\_action) | Specifies that AWS WAF should allow requests by default. Possible values: `allow`, `block`. | `string` | `"block"` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | A friendly description of the WebACL. | `string` | `"Managed by Terraform"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [geo\_match\_statement\_rules](#input\_geo\_match\_statement\_rules) | A rule statement used to identify web requests based on country of origin.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
country\_codes:
A list of two-character country codes.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [ip\_set\_reference\_statement\_rules](#input\_ip\_set\_reference\_statement\_rules) | A rule statement used to detect web requests coming from particular IP addresses or address ranges.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The ARN of the IP Set that this statement references.
ip\_set\_forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.
position:
The position in the header to search for the IP address.
Possible values include: `FIRST`, `LAST`, or `ANY`.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | The letter case of label keys (`tag` names) (i.e. `name`, `namespace`, `environment`, `stage`, `attributes`) to use in `tags`.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | The letter case of output label values (also used in `tags` and `id`).
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Default value: `lower`. | `string` | `null` | no | +| [log\_destination\_configs](#input\_log\_destination\_configs) | The Amazon Kinesis Data Firehose ARNs. | `list(string)` | `[]` | no | +| [managed\_rule\_group\_statement\_rules](#input\_managed\_rule\_group\_statement\_rules) | A rule statement used to run the rules that are defined in a managed rule group.

name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
name:
The name of the managed rule group.
vendor\_name:
The name of the managed rule group vendor.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [rate\_based\_statement\_rules](#input\_rate\_based\_statement\_rules) | A rate-based rule tracks the rate of requests for each originating IP address,
and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
aggregate\_key\_type:
Setting that indicates how to aggregate the request counts.
Possible values include: `FORWARDED_IP` or `IP`
limit:
The limit on requests per 5-minute period for a single originating IP address.
forwarded\_ip\_config:
fallback\_behavior:
The match status to assign to the web request if the request doesn't have a valid IP address in the specified position.
Possible values: `MATCH`, `NO_MATCH`
header\_name:
The name of the HTTP header to use for the IP address.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [redacted\_fields](#input\_redacted\_fields) | The parts of the request that you want to keep out of the logs.

method\_enabled:
Whether to enable redaction of the HTTP method.
The method indicates the type of operation that the request is asking the origin to perform.
uri\_path\_enabled:
Whether to enable redaction of the URI path.
This is the part of a web request that identifies a resource.
query\_string\_enabled:
Whether to enable redaction of the query string.
This is the part of a URL that appears after a `?` character, if any.
single\_header:
The list of names of the query headers to redact. |
object({
method_enabled = bool,
uri_path_enabled = bool,
query_string_enabled = bool,
single_header = list(string)
})
| `null` | no | +| [regex\_pattern\_set\_reference\_statement\_rules](#input\_regex\_pattern\_set\_reference\_statement\_rules) | A rule statement used to search web request components for matches with regular expressions.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
arn:
The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [rule\_group\_reference\_statement\_rules](#input\_rule\_group\_reference\_statement\_rules) | A rule statement used to run the rules that are defined in an WAFv2 Rule Group.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

override\_action:
The override action to apply to the rules in a rule group.
Possible values: `count`, `none`

statement:
arn:
The ARN of the `aws_wafv2_rule_group` resource.
excluded\_rule:
The list of names of the rules to exclude.

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [scope](#input\_scope) | Specifies whether this is for an AWS CloudFront distribution or for a regional application.
Possible values are `CLOUDFRONT` or `REGIONAL`.
To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider. | `string` | `"REGIONAL"` | no | +| [size\_constraint\_statement\_rules](#input\_size\_constraint\_statement\_rules) | A rule statement that uses a comparison operator to compare a number of bytes against the size of a request component.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
comparison\_operator:
The operator to use to compare the request part to the size setting.
Possible values: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.
size:
The size, in bytes, to compare to the request part, after any transformations.
Valid values are integers between `0` and `21474836480`, inclusive.
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [sqli\_match\_statement\_rules](#input\_sqli\_match\_statement\_rules) | An SQL injection match condition identifies the part of web requests,
such as the URI or the query string, that you want AWS WAF to inspect.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | +| [ssm\_path\_prefix](#input\_ssm\_path\_prefix) | SSM path prefix (with leading but not trailing slash) under which to store all WAF info | `string` | `"/waf"` | no | +| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [visibility\_config](#input\_visibility\_config) | Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `map(string)` | `{}` | no | +| [xss\_match\_statement\_rules](#input\_xss\_match\_statement\_rules) | A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests.

action:
The action that AWS WAF should take on a web request when it matches the rule's statement.
name:
A friendly name of the rule.
priority:
If you define more than one Rule in a WebACL,
AWS WAF evaluates each request against the rules in order based on the value of priority.
AWS WAF processes rules with lower priority first.

xss\_match\_statement:
field\_to\_match:
The part of a web request that you want AWS WAF to inspect.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#field-to-match
text\_transformation:
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl#text-transformation

visibility\_config:
Defines and enables Amazon CloudWatch metrics and web request sample collection.

cloudwatch\_metrics\_enabled:
Whether the associated resource sends metrics to CloudWatch.
metric\_name:
A friendly name of the CloudWatch metric.
sampled\_requests\_enabled:
Whether AWS WAF should store a sampling of the web requests that match the rules. | `list(any)` | `null` | no | ## Outputs -| Name | Description | -| -------------------------------------------- | ------------------------------------- | -| [acl](#output_acl) | Information about the created WAF ACL | - +| Name | Description | +|------|-------------| +| [acl](#output\_acl) | Information about the created WAF ACL | + ## References +* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/ecr) - Cloud Posse's upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/ecr) - - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/aws/backing-services/README.md b/deprecated/aws/backing-services/README.md index da75f3787..a8f8a707e 100644 --- a/deprecated/aws/backing-services/README.md +++ b/deprecated/aws/backing-services/README.md @@ -1,3 +1,4 @@ + ## Troubleshooting ### Problem diff --git a/deprecated/aws/bootstrap/README.md b/deprecated/aws/bootstrap/README.md index 397337031..f53ae9f5b 100644 --- a/deprecated/aws/bootstrap/README.md +++ b/deprecated/aws/bootstrap/README.md 
@@ -1,11 +1,7 @@ # bootstrap -This module provisions an AWS user along with a bootstrap role suitable for bootstrapping an AWS multi-account -architecture as found in our [reference architectures](https://github.com/cloudposse/reference-architecutres). +This module provisions an AWS user along with a bootstrap role suitable for bootstrapping an AWS multi-account architecture as found in our [reference architectures](https://github.com/cloudposse/reference-architecutres). -These user and role are intended to be used as a **temporary fixture** and should be deprovisioned after all accounts -have been provisioned in order to maintain a secure environment. +These user and role are intended to be used as a **temporary fixture** and should be deprovisioned after all accounts have been provisioned in order to maintain a secure environment. -**WARNING:** This module grants `AdministrativeAccess` in the current account along with the -`OrganizationAccountAccessRole` to all `accounts_enabled` **without MFA**. We repeat, this module should _only_ be used -during the bootstrapping phase when provisioning your infrastructure for the first time. +__WARNING:__ This module grants `AdministrativeAccess` in the current account along with the `OrganizationAccountAccessRole` to all `accounts_enabled` **without MFA**. We repeat, this module should *only* be used during the bootstrapping phase when provisioning your infrastructure for the first time. diff --git a/deprecated/aws/ecs/README.md b/deprecated/aws/ecs/README.md index 6434ba8ac..2ab2591fd 100644 --- a/deprecated/aws/ecs/README.md +++ b/deprecated/aws/ecs/README.md 
@@ -2,15 +2,15 @@ For GitHub, your personal access token must have the following scopes. -- `repo`: Grants full control of private repositories. -- `repo:status`: Grants access to commit statuses. -- `admin:repo_hook`: Grants full control of repository hooks. This scope is not required if your token has the repo - scope. +* `repo`: Grants full control of private repositories. +* `repo:status`: Grants access to commit statuses. +* `admin:repo_hook`: Grants full control of repository hooks. This scope is not required if your token has the repo scope. We recommend creating the tokens from a "bot" account that has limited access to the repos you are using. Read more: + ## Example Build Manifest Add the following `buildspec.yml` to the root of the GitHub repo's project. @@ -52,14 +52,14 @@ artifacts: ## Troubleshooting + ### InvalidParameterException: Long arn format must be used for tagging operations ```sh aws_ecs_service.default: error tagging ECS Cluster (arn:aws:ecs:us-west-2:223452713953:service/eg-example-fargate-atlantis): InvalidParameterException: Long arn format must be used for tagging operations ``` -See: - +See: After enabling the Long ARNs, the cluster needs to be rebuilt from scratch. 
@@ -75,14 +75,13 @@ This is a race condition. Rerun `terraform apply`. ```sh Error putting scaling policy: ObjectNotFoundException: No scalable target registered for service namespace: ecs, resource ID: service/cpco-testing-fargate/eg-exapmle-fargate-atlantis, scalable dimension: ecs:service:DesiredCount -``` +```` This is a race condition. Rerun `terraform apply`. ### Webhooks Do Not Trigger Builds -This could happen if the secrets between CodePipeline and GitHub do not match. Unfortunately, terraform cannot detect -when the secrets change, so your best bet is to `taint` and reapply. +This could happen if the secrets between CodePipeline and GitHub do not match. Unfortunately, terraform cannot detect when the secrets change, so your best bet is to `taint` and reapply. ```sh make taint/webhook diff --git a/deprecated/aws/grafana-backing-services/README.md b/deprecated/aws/grafana-backing-services/README.md index a707f23b9..e72d7f22d 100644 --- a/deprecated/aws/grafana-backing-services/README.md +++ b/deprecated/aws/grafana-backing-services/README.md 
@@ -10,22 +10,24 @@ As of this writing, this only provisions a serverless Aurora MySQL 5.6 database. ### SSL Server Certificate Validation -Connection to the MySQL server take place via SSL, but the Aurora servers use a distinct root certificate authority (CA) -that is not in the default trust store. Thus the MySQL client cannot validate that it is talking to the actual MySQL -server and is open to man-in-the-middle attack. This is a security risk, but our assessment is that it is minor, given -that the network connections are all within VPCs and an attacker who could become a man-in-the-middle would likely to be -able to gain access to all the cluster's resources through Kubernetes. +Connection to the MySQL server take place via SSL, but the Aurora servers +use a distinct root certificate authority (CA) that is not in the +default trust store. Thus the MySQL client cannot validate that it is +talking to the actual MySQL server and is open to man-in-the-middle +attack. This is a security risk, but our assessment is that it is minor, +given that the network connections are all within VPCs and an attacker +who could become a man-in-the-middle would likely to be able to gain +access to all the cluster's resources through Kubernetes. ## Security To Do ### SSL Server Certificate Validation To get the Aurora MySQL SSL connection to validate: - -1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (expires Mar 5 09:11:31 2020 - GMT) or successor (consult current RDS documentation) +1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem (expires Mar 5 09:11:31 2020 GMT) +or successor (consult current RDS documentation) 2. Save it in a `ConfigMap` 3. Mount it into the Grafana pod -4. Configure the path to it via [`ca_cert_path`](https://grafana.com/docs/installation/configuration/#ca-cert-path) in - `grafana.ini` +4. 
Configure the path to it via [`ca_cert_path`](https://grafana.com/docs/installation/configuration/#ca-cert-path) +in `grafana.ini` 5. Set `ssl_mode` to `"true"` in `grafana.ini` diff --git a/deprecated/aws/keycloak-backing-services/README.md b/deprecated/aws/keycloak-backing-services/README.md index 148553f66..631b02f36 100644 --- a/deprecated/aws/keycloak-backing-services/README.md +++ b/deprecated/aws/keycloak-backing-services/README.md 
@@ -8,56 +8,64 @@ As of this writing, this only provisions an Aurora MySQL 5.7 database. ### Database encryption -This module, as of this writing, provisions a database that is **not** encrypted. This means that database -backups/snapshots are also unencrypted. The database, and of course the backups, contain secrets that an attacker could -use to gain access to anything protected by Keycloak. This is a security risk, though it is hard to quantify how serious -it is. While adding encryption is of course good "security in depth", our current assessment is that encrypting the -database provides little practical additional security for the following reasons. - -The database backups are protected using IAM, and any database encryption key would also be available to someone with -the right IAM credentials. As a practical matter, anyone with access to the backups will likely also have access to the -encryption key via KMS, or be able to access the database directly after getting the user and password from SSM, or be -able to execute commands in the Keycloak pod/container that expose the secrets. +This module, as of this writing, provisions a database that is **not** encrypted. +This means that database backups/snapshots are also unencrypted. The database, +and of course the backups, contain secrets that an attacker could use +to gain access to anything protected by Keycloak. +This is a security risk, though it is hard to quantify how serious it is. +While adding encryption is of course good "security in depth", +our current assessment is that encrypting the database provides little +practical additional security for the following reasons. + +The database backups are protected using IAM, and any database encryption +key would also be available to someone with the right IAM credentials. 
As a +practical matter, anyone with access to the backups will likely also have +access to the encryption key via KMS, or be able to access the database +directly after getting the user and password from SSM, or be able to +execute commands in the Keycloak pod/container that expose the secrets. ### SSL Server Certificate Validation -Connection to the MySQL server take place via SSL, but the RDS servers use a distinct root certificate authority (CA) -that is not in the default trust store. Thus the MySQL client cannot validate that it is talking to the actual MySQL -server and is open to man-in-the-middle attack. This is a security risk, but our assessment is that it is minor, given -that the network connections are all within VPCs and an attacker who could become a man-in-the-middle would likely to be -able to gain access to all the resources protected by Keycloak by appearing to be an authorized local service. +Connection to the MySQL server take place via SSL, but the RDS servers +use a distinct root certificate authority (CA) that is not in the +default trust store. Thus the MySQL client cannot validate that it is +talking to the actual MySQL server and is open to man-in-the-middle +attack. This is a security risk, but our assessment is that it is minor, +given that the network connections are all within VPCs and an attacker +who could become a man-in-the-middle would likely to be able to gain +access to all the resources protected by Keycloak by appearing to be +an authorized local service. ## Security To Do ### Database encryption -To keep the database encrypted, this module will have to be extended: 1 Create a KMS key for encrypting the database. -Using the RDS default key is not advisable since the only practical advantage of the key comes from limiting access to -it, and the default key will likey have relatively wide access. - -1. Create an IAM role for Keycloak that has access to the key. 
Nodes running `kiam-server` will need to be able to - assume this role. +To keep the database encrypted, this module will have to be extended: +1 Create a KMS key for encrypting the database. Using the RDS default key +is not advisable since the only practical advantage of the key comes from +limiting access to it, and the default key will likey have relatively +wide access. +1. Create an IAM role for Keycloak that has access to the key. Nodes running +`kiam-server` will need to be able to assume this role. 2. Enable encryption for the database using this key. -Then the Keycloak deployment (actually `StatefulSet`) will need to be annotated so that `kiam` grants Keycloak access to -this role. +Then the Keycloak deployment (actually `StatefulSet`) will need to be +annotated so that `kiam` grants Keycloak access to this role. ### SSL Server Certificate Validation To get the RDS MySQL SSL connection to validate: - -1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem expires (Mar 5 09:11:31 2020 GMT) or - successor (consult current RDS documentation) +1. Get the RDS CA from https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem expires (Mar 5 09:11:31 2020 GMT) +or successor (consult current RDS documentation) 2. Import it into a Java KeyStore (JKS) - - Run`keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass mypassword` in a Keycloak - container in order to be sure to get a compatible version of the Java SDK `keytool` + * Run`keytool -importcert -alias MySQLCACert -file ca.pem -keystore truststore -storepass mypassword` in a Keycloak + container in order to be sure to get a compatible version of the Java SDK `keytool` 3. Copy the KeyStore into a secret 4. Mount the Secret -5. Set - [`JDBC_PARAMS` environment variable](https://github.com/jboss-dockerfiles/keycloak/blob/119fb1f61a477ec217ba71c18c3a71a10e8d5575/server/tools/cli/databases/mysql/change-database.cli#L2) +5. 
Set [`JDBC_PARAMS` environment variable](https://github.com/jboss-dockerfiles/keycloak/blob/119fb1f61a477ec217ba71c18c3a71a10e8d5575/server/tools/cli/databases/mysql/change-database.cli#L2 ) to `?clientCertificateKeyStoreUrl=file:///path-to-keystore&clientCertificateKeyStorePassword=mypassword` 6. Note that it would seem to be more appropriate to set to - `?trustCertificateKeyStoreUrl=file:///path-to-keystore&trustCertificateKeyStorePassword=mypassword` but the - [documentation](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html) - [consistently](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) says - to use the `clientCertificate*` stuff for verifying the server. +`?trustCertificateKeyStoreUrl=file:///path-to-keystore&trustCertificateKeyStorePassword=mypassword` + but the [documentation](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html) + [consistently](https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html) + says to use the `clientCertificate*` stuff for verifying the server. diff --git a/deprecated/aws/kops-legacy-account-vpc-peering/README.md b/deprecated/aws/kops-legacy-account-vpc-peering/README.md index 568ae982c..12ffd3cf8 100644 --- a/deprecated/aws/kops-legacy-account-vpc-peering/README.md +++ b/deprecated/aws/kops-legacy-account-vpc-peering/README.md 
@@ -2,13 +2,11 @@ Terraform module to provision VPC peering between a `kops` VPC and a VPC from a legacy AWS account. -From the legacy AWS account, which will be the accepter of the VPC peering connection, the following values are -required: +From the legacy AWS account, which will be the accepter of the VPC peering connection, the following values are required: - `legacy_account_assume_role_arn` - Legacy account assume role ARN -- `legacy_account_region` - Legacy account AWS region (e.g. `us-west-2`) -- `legacy_account_vpc_id` - Legacy account VPC ID (the VPC which will accept peering connection from the `kops` VPC). - **NOTE:** the CIDR blocks of the `kops` VPC and the legacy account VPC must not overlap +- `legacy_account_region` - Legacy account AWS region (e.g. `us-west-2`) +- `legacy_account_vpc_id` - Legacy account VPC ID (the VPC which will accept peering connection from the `kops` VPC). __NOTE:__ the CIDR blocks of the `kops` VPC and the legacy account VPC must not overlap The `legacy_account_assume_role_arn` IAM Role should have the following Trust Policy: @@ -30,8 +28,7 @@ The `legacy_account_assume_role_arn` IAM Role should have the following Trust Po and the following IAM Policy attached to it: -**NOTE:** the policy specifies the minimum permission set required to create (with `terraform plan/apply`) and delete -(with `terraform destroy`) all the VPC peering connection resources in the accepter (legacy) AWS account +__NOTE:__ the policy specifies the minimum permission set required to create (with `terraform plan/apply`) and delete (with `terraform destroy`) all the VPC peering connection resources in the accepter (legacy) AWS account ```js { 
@@ -82,5 +79,4 @@ and the following IAM Policy attached to it: } ``` -For more information on IAM policies and permissions for VPC peering, see -[Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam). +For more information on IAM policies and permissions for VPC peering, see [Creating and managing VPC peering connections](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_IAM.html#vpcpeeringiam). diff --git a/deprecated/aws/kops/README.md b/deprecated/aws/kops/README.md index fe5520b96..a5cd5ae3d 100644 --- a/deprecated/aws/kops/README.md +++ b/deprecated/aws/kops/README.md @@ -1,12 +1,12 @@ # Kubernetes Ops (kops) -This project provisions dependencies for `kops` clusters including the DNS zone, S3 bucket for state storage, SSH -keypair. +This project provisions dependencies for `kops` clusters including the DNS zone, S3 bucket for state storage, SSH keypair. It also writes the computed settings to SSM for usage by other modules or tools. ## Configuration Settings + The minimum recommended settings are the following (`terraform.tfvars`): ``` 
@@ -20,28 +20,21 @@ region = "us-west-2" ## Quick Start -This is roughly the process to get up and running. These instructions assume you're running inside of a -[Geodesic shell](https://github.com/cloudposse/geodesic). - +This is roughly the process to get up and running. These instructions assume you're running inside of a [Geodesic shell](https://github.com/cloudposse/geodesic). 1. Update the `terraform.tfvars` with [desired settings](#configuration-settings). Rebuild the container if necessary. 2. Run `assume-role` to obtain a session. 3. Run `make apply` to provision kops dependencies with terraform (not the cluster itself) -4. Run `make kops/shell` to drop into a shell with configured environment for `kops`. Do this any time you want to - interact with the cluster. +4. Run `make kops/shell` to drop into a shell with configured environment for `kops`. Do this any time you want to interact with the cluster. 5. Run `make kops/build-manifest` to compile the configuration template with current environment settings -6. Run `make kops/create` to submit the cluster state manifest to the cluster state store. Note, no resources will be - provisioned. -7. Run `make kops/create-secret-sshpublickey` to provision the SSH public key. Note, the public key was created in the - `make apply` step and requires `/secrets/tf` to be mounted. Mount this directory by running `mount -a`. +6. Run `make kops/create` to submit the cluster state manifest to the cluster state store. Note, no resources will be provisioned. +7. Run `make kops/create-secret-sshpublickey` to provision the SSH public key. Note, the public key was created in the `make apply` step and requires `/secrets/tf` to be mounted. Mount this directory by running `mount -a`. 8. Run `make kops/plan` to view the proposed cluster 9. Run `make kops/apply` to build the cluster -10. Run `make kops/validate` to view cluster status. Note, it will take ~10 minutes to come online (depending on cluster - size) +10. 
Run `make kops/validate` to view cluster status. Note, it will take ~10 minutes to come online (depending on cluster size) Once the cluster is online, you can interact with it using `kubectl`. To start, first run this to export `kubecfg` from the `kops` state store (required to access the cluster): - ``` make kops/export ``` diff --git a/deprecated/aws/opsgenie/README.md b/deprecated/aws/opsgenie/README.md index 2b6b3a694..1dad6bb29 100644 --- a/deprecated/aws/opsgenie/README.md +++ b/deprecated/aws/opsgenie/README.md @@ -1,7 +1,6 @@ # Component: `opsgenie` -Terraform component to provision -[Opsgenie resources](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs). +Terraform component to provision [Opsgenie resources](https://registry.terraform.io/providers/opsgenie/opsgenie/latest/docs). ## Usage @@ -10,9 +9,7 @@ Terraform component to provision Here's an example snippet for how to use this component. For more information use these resources: 1. See the [detailed usage](./detailed-usage.md) documentation for the full breakdown in usage. -1. View the - [Cloud Posse opsgenie module's example configuration](https://github.com/cloudposse/terraform-opsgenie-incident-management/tree/master/examples/config/resources) - for a more complete example. +1. View the [Cloud Posse opsgenie module's example configuration](https://github.com/cloudposse/terraform-opsgenie-incident-management/tree/master/examples/config/resources) for a more complete example. ```yaml components: 
@@ -20,144 +17,142 @@ components: opsgenie: vars: teams: - - name: acme - description: Global Team for Acme Co. - members: - username: opsgenie-test@cloudposse.com - role: admin - - name: acme.dev - description: Acme Dev Team - delete_default_resources: true - members: - username: opsgenie-test@cloudposse.com - role: admin - - name: acme.dev.some-service - description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" - ignore_members: true - delete_default_resources: true - members: - username: opsgenie-test@cloudposse.com - role: admin + - name: acme + description: Global Team for Acme Co. + members: + username: opsgenie-test@cloudposse.com + role: admin + - name: acme.dev + description: Acme Dev Team + delete_default_resources: true + members: + username: opsgenie-test@cloudposse.com + role: admin + - name: acme.dev.some-service + description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" + ignore_members: true + delete_default_resources: true + members: + username: opsgenie-test@cloudposse.com + role: admin alert_policies: - - name: "prioritize-env-prod-critical-alerts" - owner_team_name: acme.dev - tags: - - "ManagedBy:terraform" - filter: - type: match-all-conditions - conditions: - - field: source - operation: matches - expected_value: ".*prod.acme.*" - - field: tags - operation: contains - expected_value: "severity:critical" - priority: P1 + - name: "prioritize-env-prod-critical-alerts" + owner_team_name: acme.dev + tags: + - "ManagedBy:terraform" + filter: + type: match-all-conditions + conditions: + - field: source + operation: matches + expected_value: ".*prod.acme.*" + - field: tags + operation: contains + expected_value: "severity:critical" + priority: P1 escalations: - - name: acme.dev.some-service-escalation - description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" - owner_team_name: acme.dev - rule: - condition: if-not-acked - notify_type: 
default - delay: 0 - recipients: - - type: team - team_name: acme.dev.some-service + - name: acme.dev.some-service-escalation + description: "repo: https://github.com/acme/some-service;owner:David Lightman @David Lightman" + owner_team_name: acme.dev + rule: + condition: if-not-acked + notify_type: default + delay: 0 + recipients: + - type: team + team_name: acme.dev.some-service api_integrations: - - name: acme-dev-opsgenie-sns-integration - type: AmazonSns - owner_team_name: acme.dev + - name: acme-dev-opsgenie-sns-integration + type: AmazonSns + owner_team_name: acme.dev ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 0.12 | -| [aws](#requirement_aws) | >= 2.0 | -| [local](#requirement_local) | >= 1.3 | -| [opsgenie](#requirement_opsgenie) | >= 0.5.0 | -| [template](#requirement_template) | >= 2.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | +| [aws](#requirement\_aws) | >= 2.0 | +| [local](#requirement\_local) | >= 1.3 | +| [opsgenie](#requirement\_opsgenie) | >= 0.5.0 | +| [template](#requirement\_template) | >= 2.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 2.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 2.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | ----------- | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [opsgenie_config](#module_opsgenie_config) | git::https://github.com/cloudposse/terraform-opsgenie-incident-management.git//modules/config | 0.9.0 | -| [this](#module_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | +| Name | 
Source | Version | +|------|--------|---------| +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [opsgenie\_config](#module\_opsgenie\_config) | git::https://github.com/cloudposse/terraform-opsgenie-incident-management.git//modules/config | 0.9.0 | +| [this](#module\_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | ## Resources -| Name | Type | -| --------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_ssm_parameter.opsgenie_datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [aws_ssm_parameter.opsgenie_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| Name | Type | +|------|------| +| [aws_ssm_parameter.opsgenie_datadog_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.opsgenie_api_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [kms_key_arn](#input_kms_key_arn) | AWS KMS key used for writing to SSM | `string` | `"alias/aws/ssm"` | no | -| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [ssm_parameter_name_format](#input_ssm_parameter_name_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | -| [ssm_path](#input_ssm_path) | SSM path | `string` | `"opsgenie"` | no | -| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [tfstate_account_id](#input_tfstate_account_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | -| [tfstate_assume_role](#input_tfstate_assume_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | -| [tfstate_bucket_environment_name](#input_tfstate_bucket_environment_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | -| [tfstate_bucket_stage_name](#input_tfstate_bucket_stage_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | -| [tfstate_existing_role_arn](#input_tfstate_existing_role_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | -| [tfstate_role_arn_template](#input_tfstate_role_arn_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | -| [tfstate_role_environment_name](#input_tfstate_role_environment_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | -| [tfstate_role_name](#input_tfstate_role_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | -| [tfstate_role_stage_name](#input_tfstate_role_stage_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | AWS KMS key used for writing to SSM | `string` | `"alias/aws/ssm"` | no | +| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [ssm\_parameter\_name\_format](#input\_ssm\_parameter\_name\_format) | SSM parameter name format | `string` | `"/%s/%s"` | no | +| [ssm\_path](#input\_ssm\_path) | SSM path | `string` | `"opsgenie"` | no | +| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [tfstate\_account\_id](#input\_tfstate\_account\_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | +| [tfstate\_assume\_role](#input\_tfstate\_assume\_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | +| [tfstate\_bucket\_environment\_name](#input\_tfstate\_bucket\_environment\_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | +| [tfstate\_bucket\_stage\_name](#input\_tfstate\_bucket\_stage\_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | +| [tfstate\_existing\_role\_arn](#input\_tfstate\_existing\_role\_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | +| [tfstate\_role\_arn\_template](#input\_tfstate\_role\_arn\_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | +| [tfstate\_role\_environment\_name](#input\_tfstate\_role\_environment\_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | +| [tfstate\_role\_name](#input\_tfstate\_role\_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | +| [tfstate\_role\_stage\_name](#input\_tfstate\_role\_stage\_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------------- | ------------------------- | -| [alert_policies](#output_alert_policies) | Alert policies | -| [api_integrations](#output_api_integrations) | API integrations | -| [escalations](#output_escalations) | Escalations | -| [existing_users](#output_existing_users) | Existing Users | -| [notification_policies](#output_notification_policies) | Notification policies | -| [service_incident_rule_ids](#output_service_incident_rule_ids) | Service Incident Rule IDs | -| [services](#output_services) | Services | -| [team_routing_rules](#output_team_routing_rules) | Team routing rules | -| [teams](#output_teams) | Teams | -| [users](#output_users) | Users | - +| Name | Description | +|------|-------------| +| [alert\_policies](#output\_alert\_policies) | Alert policies | +| [api\_integrations](#output\_api\_integrations) | API integrations | +| [escalations](#output\_escalations) | Escalations | +| [existing\_users](#output\_existing\_users) | Existing Users | +| [notification\_policies](#output\_notification\_policies) | Notification policies | 
+| [service\_incident\_rule\_ids](#output\_service\_incident\_rule\_ids) | Service Incident Rule IDs | +| [services](#output\_services) | Services | +| [team\_routing\_rules](#output\_team\_routing\_rules) | Team routing rules | +| [teams](#output\_teams) | Teams | +| [users](#output\_users) | Users | + ## References + * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/opsgenie) - Cloud Posse's upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/opsgenie) - - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/aws/opsgenie/detailed-usage.md b/deprecated/aws/opsgenie/detailed-usage.md index 8ddc18d69..d71d1a89f 100644 --- a/deprecated/aws/opsgenie/detailed-usage.md +++ b/deprecated/aws/opsgenie/detailed-usage.md @@ -2,27 +2,30 @@ The following Opsgenie resources are configured (see [resources](resources)): -- [API Integrations](resources/api_integrations.yaml) -- [Teams](resources/teams.yaml) -- [Users](resources/existing_users.yaml) -- [Notification Policies](resources/notification_policies.yaml) -- [Alert Policies](resources/alert_policies.yaml) -- [Services](resources/services) -- [Service Incident Rules](resources/services) -- [Escalations](resources/escalations.yaml) + - [API Integrations](resources/api_integrations.yaml) + - [Teams](resources/teams.yaml) + - [Users](resources/existing_users.yaml) + - [Notification Policies](resources/notification_policies.yaml) + - [Alert Policies](resources/alert_policies.yaml) + - [Services](resources/services) + - [Service Incident Rules](resources/services) + - [Escalations](resources/escalations.yaml) +
### `api_integrations.yaml` -**NOTE:** We provision a Datadog integration without specifying the owning team. Because of that, all alerts coming to -Opsgenie from Datadog do not get assigned to a team automatically (if we specified the owning team, then all alerts -would go to the members of the team). We assign alerts to the teams in the Alert Policies - when the filter conditions -are `true`, the incoming alert gets assigned to a team. This way, we can filter out and assigns to the teams only the -actionable alerts (you can still view all alerts in the Opsgenie UI). +__NOTE:__ We provision a Datadog integration without specifying the owning team. +Because of that, all alerts coming to Opsgenie from Datadog do not get assigned to a team automatically (if we specified the owning team, +then all alerts would go to the members of the team). +We assign alerts to the teams in the Alert Policies - when the filter conditions are `true`, the incoming alert gets assigned to a team. +This way, we can filter out and assigns to the teams only the actionable alerts (you can still view all alerts in the Opsgenie UI). + ```yaml api_integrations: + - name: datadog type: Datadog # Use an empty value for `owner_team_name` to make it a global integration 
@@ -37,18 +40,16 @@ See [Opsgenie API Integration](https://docs.opsgenie.com/docs/api-integration) f Users are assigned to teams in `teams.yaml`. -We can assign the existing users (those that already present in Opsgenie, e.g. from Jira), or we can create new users -and assign them to teams. +We can assign the existing users (those that already present in Opsgenie, e.g. from Jira), or we can create new users and assign them to teams. -Describe the existing users in `existing_users.yaml` (see below). These users will be looked up using the data source -`data "opsgenie_user"`. +Describe the existing users in `existing_users.yaml` (see below). These users will be looked up using the data source `data "opsgenie_user"`. Describe new users in `users.yaml` (see below). These users will be created in Opsgenie. -**NOTE:** The user's `username` is email and must be unique. +__NOTE:__ The user's `username` is email and must be unique. + +__NOTE:__ Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the Opsgenie Terraform provider). -**NOTE:** Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the -Opsgenie Terraform provider).
@@ -81,6 +82,7 @@ The existing users (those that are already in Opsgenie) are described here. These users will be looked up using the data source `data "opsgenie_user"`. + ```yaml existing_users: - username: user1@example.com @@ -97,8 +99,8 @@ See [Opsgenie Users](https://docs.opsgenie.com/docs/users) for more details. New users (to be created by the module) are described here. -**NOTE:** Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the -Opsgenie Terraform provider). +__NOTE:__ Once a user is created by the module, it's not possible to destroy it using Terraform (not supported by the Opsgenie Terraform provider). + ```yaml users: @@ -113,13 +115,15 @@ See [Opsgenie Users](https://docs.opsgenie.com/docs/users) for more details.
+ ### `notification_policies.yaml` -Notification Policies are used to apply different operations (e.g. `delay/suppress`, `auto restart`, and `auto close`) -to all team alert notifications. +Notification Policies are used to apply different operations (e.g. `delay/suppress`, `auto restart`, and `auto close`) to all team alert notifications. + ```yaml notification_policies: + - name: auto-close-based-on-priority team_name: test auto_close_action: @@ -139,11 +143,12 @@ See [Opsgenie Notification Policy](https://docs.opsgenie.com/docs/team-policies# ### `escalations.yaml` -Escalations are used to escalate the alerts and incidents to a top-level Team if they do not get acknowledged during the -specified amount of time. +Escalations are used to escalate the alerts and incidents to a top-level Team +if they do not get acknowledged during the specified amount of time. Escalations are also used to notify responders according to a given order. + ```yaml escalations: - name: example-team-escalation-to-devops 
@@ -171,30 +176,26 @@ See [Opsgenie Escalations](https://docs.opsgenie.com/docs/escalations) for more The following flow of events is supported: -- Datadog sends alerts to Opsgenie. All incoming alerts are shown in the Opsgenie UI, but the alerts don't get assigned - to teams automatically. + - Datadog sends alerts to Opsgenie. All incoming alerts are shown in the Opsgenie UI, but the alerts don't get assigned to teams automatically. -- The Alert Policies get evaluated by looking for a specific text in the alert's message or description. If the filter - conditions in any Alert Policy are evaluated to `true`, the policy gets executed and the alert gets assigned to the - team specified in the Alert Policy. Also, a tag with the name of the service gets added to the alert. + - The Alert Policies get evaluated by looking for a specific text in the alert's message or description. + If the filter conditions in any Alert Policy are evaluated to `true`, the policy gets executed and the alert gets assigned to the team specified in the Alert Policy. + Also, a tag with the name of the service gets added to the alert. -- The Service Incident Rules get evaluated. If the filter conditions in any Service Incident Rules are evaluated to - `true`, the rule gets executed, and an incident is created for the service and assigned to the team the service - belongs to. The users of the team get notifications about the incident (via the configured channels, e.g. email, SMS, - Opsgenie app, etc.). On the other hand, if the filter conditions in any Service Incident Rules are evaluated to - `false`, Opsgenie does not create an incident, but instead notifies the users of the team about the alert via the - configured channels. + - The Service Incident Rules get evaluated. + If the filter conditions in any Service Incident Rules are evaluated to `true`, the rule gets executed, and an incident is created for the service + and assigned to the team the service belongs to. 
The users of the team get notifications about the incident (via the configured channels, e.g. email, SMS, Opsgenie app, etc.). + On the other hand, if the filter conditions in any Service Incident Rules are evaluated to `false`, Opsgenie does not create an incident, + but instead notifies the users of the team about the alert via the configured channels. -- If the alert or incident is not acknowledged by any of the team members during the specified amount of time, the - Team's Escalations get evaluated. If Opsgenie finds an Escalation for the team, it sends notifications to the - recipients of the Escalation (e.g. to the users of a top-level Team). + - If the alert or incident is not acknowledged by any of the team members during the specified amount of time, the Team's Escalations get evaluated. If Opsgenie finds + an Escalation for the team, it sends notifications to the recipients of the Escalation (e.g. to the users of a top-level Team).
## New Service Setup -The Opsgenie resources for a new service are provided in a separate YAML config file (for readability and easy of -management). +The Opsgenie resources for a new service are provided in a separate YAML config file (for readability and easy of management). To add a new service configuration, create a new YAML file with the name of the service. 
@@ -202,134 +203,130 @@ See [resources/services](resources/services) for details on each service. Each service's config file contains the three sections: -- `service` - provides the name of the service and the name of the team the service belongs to -- `alert_policies` - a list of Opsgenie [Alert Policies](https://docs.opsgenie.com/docs/global-policies#alert-policy) - for the service -- `service_incident_rules` - a list of Opsgenie - [Service Incident Rules](https://docs.opsgenie.com/docs/service-incident-rules-api) for the service + - `service` - provides the name of the service and the name of the team the service belongs to + - `alert_policies` - a list of Opsgenie [Alert Policies](https://docs.opsgenie.com/docs/global-policies#alert-policy) for the service + - `service_incident_rules` - a list of Opsgenie [Service Incident Rules](https://docs.opsgenie.com/docs/service-incident-rules-api) for the service Below are the steps to create Datadog monitors and Opsgenie alert policies and incident rules for a new service. -**NOTE:** We will be using `example-service` as an example. - -- In the [datadog-monitor](../datadog-monitor) project, add a new YAML file with Datadog monitor configurations for the - new service. For the `example-service`, the file name is - [example-service.yaml](../datadog-monitor/monitors/example-service.yaml). - -- Configure Datadog monitors for the service. 
For example, to monitor the error rate on `prod`, add the following - configuration: - -```yaml -example-service-prod-high-error-rate: - name: "(example-service) Service example-service has a high error rate on env:prod" - type: query alert - query: | - sum(last_10m):( sum:trace.flask.request.errors{service:example-service,env:prod}.as_count() / sum:trace.flask.request.hits{service:example-service,env:prod}.as_count() ) > 0.05 - message: | - example-service error rate is too high on env:prod - escalation_message: "" - tags: - - "ManagedBy:Terraform" - - "service:example-service" - - "env:prod" - - "alert:high-error-rate" - notify_no_data: false - notify_audit: true - require_full_window: false - enable_logs_sample: false - force_delete: true - include_tags: true - locked: false - renotify_interval: 0 - timeout_h: 0 - evaluation_delay: 60 - new_host_delay: 300 - no_data_timeframe: 10 - threshold_windows: {} - thresholds: - critical: 0.05 - warning: 0.01 -``` - -Note that the `tags` added to the monitor can be used in Opsgenie alert policies and incident rules to match specific -alerts from Datadog. - -- Add the users responsible for the service to [Opsgenie Users](resources/existing_users.yaml) (or to `users.yaml` if - the users don't yet exist in Opsgenie, and you want to create them with Terraform). - -```yaml -existing_users: - - username: user1@example.com -``` - -- Assign the users to the [Opsgenie Team](resources/teams.yaml) +__NOTE:__ We will be using `example-service` as an example. + + - In the [datadog-monitor](../datadog-monitor) project, add a new YAML file with Datadog monitor configurations for the new service. + For the `example-service`, the file name is [example-service.yaml](../datadog-monitor/monitors/example-service.yaml). + + - Configure Datadog monitors for the service. 
+ For example, to monitor the error rate on `prod`, add the following configuration: + + ```yaml + example-service-prod-high-error-rate: + name: "(example-service) Service example-service has a high error rate on env:prod" + type: query alert + query: | + sum(last_10m):( sum:trace.flask.request.errors{service:example-service,env:prod}.as_count() / sum:trace.flask.request.hits{service:example-service,env:prod}.as_count() ) > 0.05 + message: | + example-service error rate is too high on env:prod + escalation_message: "" + tags: + - "ManagedBy:Terraform" + - "service:example-service" + - "env:prod" + - "alert:high-error-rate" + notify_no_data: false + notify_audit: true + require_full_window: false + enable_logs_sample: false + force_delete: true + include_tags: true + locked: false + renotify_interval: 0 + timeout_h: 0 + evaluation_delay: 60 + new_host_delay: 300 + no_data_timeframe: 10 + threshold_windows: { } + thresholds: + critical: 0.05 + warning: 0.01 + ``` + + Note that the `tags` added to the monitor can be used in Opsgenie alert policies and incident rules to match specific alerts from Datadog. + + - Add the users responsible for the service to [Opsgenie Users](resources/existing_users.yaml) + (or to `users.yaml` if the users don't yet exist in Opsgenie, and you want to create them with Terraform). + + ```yaml + existing_users: + - username: user1@example.com + ``` -```yaml -- name: example-team - description: "Example Team" - members: - - username: user1@example.com - role: admin -``` + - Assign the users to the [Opsgenie Team](resources/teams.yaml) -- Add [The service and Opsgenie Alert Policies and Service Incident Rules](resources/services/example-service.yaml) + ```yaml + - name: example-team + description: "Example Team" + members: + - username: user1@example.com + role: admin + ``` - NOTE: The alert policy will assign the Team specified in the `responders` section to the alerts. 
The `responders` - section is a list, so you can assign many teams as responders to the alerts. + - Add [The service and Opsgenie Alert Policies and Service Incident Rules](resources/services/example-service.yaml) -```yaml -service: - - name: example-service - team_name: example-team + NOTE: The alert policy will assign the Team specified in the `responders` section to the alerts. + The `responders` section is a list, so you can assign many teams as responders to the alerts. -alert_policies: - - name: example-service-alert-policy - owner_team_name: - tags: - - "ManagedBy:terraform" - - "service:example-service" - filter: - type: match-any-condition - conditions: - - field: description - operation: contains - expected_value: "example-service" - - field: message - operation: contains - expected_value: "example-service" - continue_policy: true - ignore_original_responders: true - responders: - - type: team + ```yaml + service: + - name: example-service team_name: example-team -service_incident_rules: - - name: example-service-incident-rule - service_name: example-service - incident_rule: - condition_match_type: match-any-condition - - conditions: - - field: tags - operation: contains - expected_value: "service:example-service" - - incident_properties: - message: example-service is having issues - priority: P2 - stakeholder_properties: - message: example-service is having issues - enable: true -``` - -NOTE: In the Alert Policy, `condition_match_type: match-any-condition` is a logical `OR`, which means if any condition -is `true`, the alert will be assigned to the service's team. In the example above, alerts will be assigned to the -`example-team` team if the alert's message or description contains `example-service`. If the condition matches, we also -add the tag `service:example-service` to the alert, which we use in the conditions of the Service Incident Rule. 
- -NOTE: In the Service Incident Rule, we check if the alert's tags contain the service name tag (`service:example-service` -in this case). If the condition matches, we create an incident and assign it to the team, the members of which get -notifications about the incident. -- Provision the `datadog-monitor` and `opsgenie` projects with Terraform. Datadog will monitor the `example-servise` - with the provisioned monitors and send alerts to Opsgenie. + alert_policies: + - name: example-service-alert-policy + owner_team_name: + tags: + - "ManagedBy:terraform" + - "service:example-service" + filter: + type: match-any-condition + conditions: + - field: description + operation: contains + expected_value: "example-service" + - field: message + operation: contains + expected_value: "example-service" + continue_policy: true + ignore_original_responders: true + responders: + - type: team + team_name: example-team + + + service_incident_rules: + - name: example-service-incident-rule + service_name: example-service + incident_rule: + condition_match_type: match-any-condition + + conditions: + - field: tags + operation: contains + expected_value: "service:example-service" + + incident_properties: + message: example-service is having issues + priority: P2 + stakeholder_properties: + message: example-service is having issues + enable: true + ``` + + NOTE: In the Alert Policy, `condition_match_type: match-any-condition` is a logical `OR`, which means if any condition is `true`, the alert will be + assigned to the service's team. In the example above, alerts will be assigned to the `example-team` team if the alert's message or description contains `example-service`. + If the condition matches, we also add the tag `service:example-service` to the alert, which we use in the conditions of the Service Incident Rule. + + NOTE: In the Service Incident Rule, we check if the alert's tags contain the service name tag (`service:example-service` in this case). 
+ If the condition matches, we create an incident and assign it to the team, the members of which get notifications about the incident. + + - Provision the `datadog-monitor` and `opsgenie` projects with Terraform. + Datadog will monitor the `example-servise` with the provisioned monitors and send alerts to Opsgenie. diff --git a/deprecated/aws/tfstate-backend/README.md b/deprecated/aws/tfstate-backend/README.md index de809c009..196869467 100644 --- a/deprecated/aws/tfstate-backend/README.md +++ b/deprecated/aws/tfstate-backend/README.md @@ -5,14 +5,12 @@ Perform these steps in each account, the very first time, in order to setup the ## Create Provision the bucket: - ``` make init ``` -Follow the instructions at the end. Ensure the environment variables have been set in the `Dockerfile`. They look -something like this: - +Follow the instructions at the end. Ensure the environment variables have been set in the `Dockerfile`. +They look something like this: ``` ENV TF_BUCKET="cpco-staging-terraform-state" ENV TF_BUCKET_REGION="us-west-2" @@ -24,10 +22,8 @@ ENV TF_DYNAMODB_TABLE="cpco-staging-terraform-state-lock" To destroy the state bucket, first make sure all services in the account have already been destroyed. Then run: - ``` make destroy ``` -**NOTE:** This will only work if the state was previously initialized with `force_destroy=true`. If not, set -`force_destroy=true`, rerun `terraform apply`, then run `make destroy`. +**NOTE:** This will only work if the state was previously initialized with `force_destroy=true`. If not, set `force_destroy=true`, rerun `terraform apply`, then run `make destroy`. diff --git a/deprecated/eks-iam/README.md b/deprecated/eks-iam/README.md index 551a5beb7..bd080c708 100644 --- a/deprecated/eks-iam/README.md +++ b/deprecated/eks-iam/README.md 
@@ -1,8 +1,6 @@ # Component: `eks-iam` -This component is responsible for provisioning specific -[IAM roles for Kubernetes Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). -IAM roles are created for the following Kubernetes projects: +This component is responsible for provisioning specific [IAM roles for Kubernetes Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). IAM roles are created for the following Kubernetes projects: 1. [aws-load-balancer-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) 1. [cluster-proportional-autoscaler](https://github.com/kubernetes-sigs/cluster-proportional-autoscaler) 
@@ -27,92 +25,90 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 0.13.0 | -| [aws](#requirement_aws) | >= 3.0 | -| [local](#requirement_local) | >= 1.3 | -| [template](#requirement_template) | >= 2.2 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.0 | +| [aws](#requirement\_aws) | >= 3.0 | +| [local](#requirement\_local) | >= 1.3 | +| [template](#requirement\_template) | >= 2.2 | ## Providers -| Name | Version | -| ------------------------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 3.0 | -| [terraform](#provider_terraform) | n/a | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.0 | +| [terraform](#provider\_terraform) | n/a | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------- | ----------------------------------------------------------- | ----------- | -| [alb-controller](#module_alb-controller) | ./modules/service-account | n/a | -| [autoscaler](#module_autoscaler) | ./modules/service-account | n/a | -| [cert-manager](#module_cert-manager) | ./modules/service-account | n/a | -| [external-dns](#module_external-dns) | ./modules/service-account | n/a | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | +| Name | Source | Version | +|------|--------|---------| +| [alb-controller](#module\_alb-controller) | ./modules/service-account | n/a | +| [autoscaler](#module\_autoscaler) | ./modules/service-account | n/a | +| [cert-manager](#module\_cert-manager) | ./modules/service-account | n/a | +| [external-dns](#module\_external-dns) | ./modules/service-account | n/a | +| [iam\_roles](#module\_iam\_roles) | 
../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | git::https://github.com/cloudposse/terraform-null-label.git | tags/0.21.0 | ## Resources -| Name | Type | -| --------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_kms_alias.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | -| [terraform_remote_state.account_map](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| [terraform_remote_state.dns_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| Name | Type | +|------|------| +| [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_kms_alias.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | +| 
[terraform_remote_state.account_map](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| [terraform_remote_state.dns_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | | [terraform_remote_state.dns_gbl_delegated](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | -| [terraform_remote_state.eks](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| [terraform_remote_state.eks](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| 
[account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional tags for appending to tags_as_list_of_maps. Not added to `tags`. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [dns_gbl_delegated_environment_name](#input_dns_gbl_delegated_environment_name) | The name of the environment where global `dns_delegated` is provisioned | `string` | `"gbl"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kms_alias_name](#input_kms_alias_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no | -| [label_order](#input_label_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | -| [name](#input_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | -| [namespace](#input_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | -| [optional_service_accounts](#input_optional_service_accounts) | List of optional service accounts to enable | `list(string)` | `[]` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [standard_service_accounts](#input_standard_service_accounts) | List of standard service accounts expected to be enabled everywhere | `list(string)` | n/a | yes | -| [tags](#input_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | -| [tfstate_account_id](#input_tfstate_account_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | -| [tfstate_assume_role](#input_tfstate_assume_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | -| [tfstate_bucket_environment_name](#input_tfstate_bucket_environment_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | -| [tfstate_bucket_stage_name](#input_tfstate_bucket_stage_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | -| [tfstate_existing_role_arn](#input_tfstate_existing_role_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | -| [tfstate_role_arn_template](#input_tfstate_role_arn_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | -| [tfstate_role_environment_name](#input_tfstate_role_environment_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | -| [tfstate_role_name](#input_tfstate_role_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | -| [tfstate_role_stage_name](#input_tfstate_role_stage_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional tags for appending to tags\_as\_list\_of\_maps. Not added to `tags`. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | Additional attributes (e.g. `1`) | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. |
object({
enabled = bool
namespace = string
environment = string
stage = string
name = string
delimiter = string
attributes = list(string)
tags = map(string)
additional_tag_map = map(string)
regex_replace_chars = string
label_order = list(string)
id_length_limit = number
})
|
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_order": [],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {}
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between `namespace`, `environment`, `stage`, `name` and `attributes`.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [dns\_gbl\_delegated\_environment\_name](#input\_dns\_gbl\_delegated\_environment\_name) | The name of the environment where global `dns_delegated` is provisioned | `string` | `"gbl"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | Environment, e.g. 'uw2', 'us-west-2', OR 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters.
Set to `0` for unlimited length.
Set to `null` for default, which is `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kms\_alias\_name](#input\_kms\_alias\_name) | AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM | `string` | `"alias/aws/ssm"` | no | +| [label\_order](#input\_label\_order) | The naming order of the id output and Name tag.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 5 elements, but at least one must be present. | `list(string)` | `null` | no | +| [name](#input\_name) | Solution name, e.g. 'app' or 'jenkins' | `string` | `null` | no | +| [namespace](#input\_namespace) | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | `string` | `null` | no | +| [optional\_service\_accounts](#input\_optional\_service\_accounts) | List of optional service accounts to enable | `list(string)` | `[]` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Regex to replace chars with empty string in `namespace`, `environment`, `stage` and `name`.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | Stage, e.g. 'prod', 'staging', 'dev', OR 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [standard\_service\_accounts](#input\_standard\_service\_accounts) | List of standard service accounts expected to be enabled everywhere | `list(string)` | n/a | yes | +| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no | +| [tfstate\_account\_id](#input\_tfstate\_account\_id) | The ID of the account where the Terraform remote state backend is provisioned | `string` | `""` | no | +| [tfstate\_assume\_role](#input\_tfstate\_assume\_role) | Set to false to use the caller's role to access the Terraform remote state | `bool` | `true` | no | +| [tfstate\_bucket\_environment\_name](#input\_tfstate\_bucket\_environment\_name) | The name of the environment for Terraform state bucket | `string` | `""` | no | +| [tfstate\_bucket\_stage\_name](#input\_tfstate\_bucket\_stage\_name) | The name of the stage for Terraform state bucket | `string` | `"root"` | no | +| [tfstate\_existing\_role\_arn](#input\_tfstate\_existing\_role\_arn) | The ARN of the existing IAM Role to access the Terraform remote state. 
If not provided and `remote_state_assume_role` is `true`, a role will be constructed from `remote_state_role_arn_template` | `string` | `""` | no | +| [tfstate\_role\_arn\_template](#input\_tfstate\_role\_arn\_template) | IAM Role ARN template for accessing the Terraform remote state | `string` | `"arn:aws:iam::%s:role/%s-%s-%s-%s"` | no | +| [tfstate\_role\_environment\_name](#input\_tfstate\_role\_environment\_name) | The name of the environment for Terraform state IAM role | `string` | `"gbl"` | no | +| [tfstate\_role\_name](#input\_tfstate\_role\_name) | IAM Role name for accessing the Terraform remote state | `string` | `"terraform"` | no | +| [tfstate\_role\_stage\_name](#input\_tfstate\_role\_stage\_name) | The name of the stage for Terraform state IAM role | `string` | `"root"` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------- | ----------- | -| [service_accounts](#output_service_accounts) | n/a | - +| Name | Description | +|------|-------------| +| [service\_accounts](#output\_service\_accounts) | n/a | + ## References +* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks-iam) - Cloud Posse's upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks-iam) - - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/eks/ebs-controller/README.md b/deprecated/eks/ebs-controller/README.md index 92f3505da..178de2cbf 100644 --- a/deprecated/eks/ebs-controller/README.md +++ b/deprecated/eks/ebs-controller/README.md 
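Review bot: the `tfstate_existing_role_arn` description in this Inputs table refers to `remote_state_assume_role` and `remote_state_role_arn_template`, but no inputs by those names exist in the table; the variables it is describing are `tfstate_assume_role` and `tfstate_role_arn_template`. Since the table is generated by terraform-docs, correct the description in the variable definition (e.g. "If not provided and `tfstate_assume_role` is `true`, a role will be constructed from `tfstate_role_arn_template`") and regenerate, otherwise the prettier-only rewrite keeps shipping a reference readers cannot follow. While touching that file, the `kms_alias_name` description ("AWS KMS alias used for encryption/decryption of SSM parameters default is alias used in SSM") needs punctuation, and it is worth stating explicitly that `alias/aws/ssm` is the AWS-managed key, so readers know a customer-managed key must be supplied here if their control requires one.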
@@ -33,88 +33,86 @@ components: ``` - ## Requirements -| Name | Version | -| --------------------------------------------------------------------------- | ------------------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [helm](#requirement_helm) | >= 2.0 | -| [kubernetes](#requirement_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [helm](#requirement\_helm) | >= 2.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.7.1, != 2.21.0 | ## Providers -| Name | Version | -| --------------------------------------------------------------------- | ------------------- | -| [aws](#provider_aws) | >= 4.0 | -| [kubernetes](#provider_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | +| [kubernetes](#provider\_kubernetes) | >= 2.7.1, != 2.21.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [ebs_csi_driver_controller](#module_ebs_csi_driver_controller) | DrFaust92/ebs-csi-driver/kubernetes | 3.5.0 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [ebs\_csi\_driver\_controller](#module\_ebs\_csi\_driver\_controller) | DrFaust92/ebs-csi-driver/kubernetes | 3.5.0 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| 
---------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [kubernetes_annotations.default_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations) | resource | -| [kubernetes_storage_class.gp3_enc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | -| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| Name | Type | +|------|------| +| [kubernetes_annotations.default_storage_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/annotations) | resource | +| [kubernetes_storage_class.gp3_enc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | +| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [ebs_csi_controller_image](#input_ebs_csi_controller_image) | The image to use for the EBS CSI controller | `string` | `"k8s.gcr.io/provider-aws/aws-ebs-csi-driver"` | no | -| [ebs_csi_driver_version](#input_ebs_csi_driver_version) | The version of the EBS CSI driver | `string` | `"v1.6.2"` | no | -| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [ebs\_csi\_controller\_image](#input\_ebs\_csi\_controller\_image) | The image to use for the EBS CSI controller | `string` | `"k8s.gcr.io/provider-aws/aws-ebs-csi-driver"` | no | +| [ebs\_csi\_driver\_version](#input\_ebs\_csi\_driver\_version) | The version of the EBS CSI driver | `string` | `"v1.6.2"` | no | +| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | -| [ebs_csi_driver_controller_role_arn](#output_ebs_csi_driver_controller_role_arn) | The Name of the EBS CSI driver controller IAM role ARN | -| [ebs_csi_driver_controller_role_name](#output_ebs_csi_driver_controller_role_name) | The Name of the EBS CSI driver controller IAM role name | -| [ebs_csi_driver_controller_role_policy_arn](#output_ebs_csi_driver_controller_role_policy_arn) | The Name of the EBS CSI driver controller IAM role policy ARN | -| [ebs_csi_driver_controller_role_policy_name](#output_ebs_csi_driver_controller_role_policy_name) | The Name of the EBS CSI driver controller IAM role policy name | -| [ebs_csi_driver_name](#output_ebs_csi_driver_name) | The Name of the EBS CSI driver | - +| Name | Description | +|------|-------------| +| [ebs\_csi\_driver\_controller\_role\_arn](#output\_ebs\_csi\_driver\_controller\_role\_arn) | The Name of the EBS CSI driver controller IAM role ARN | +| [ebs\_csi\_driver\_controller\_role\_name](#output\_ebs\_csi\_driver\_controller\_role\_name) | The Name of the EBS CSI driver controller IAM role name | +| [ebs\_csi\_driver\_controller\_role\_policy\_arn](#output\_ebs\_csi\_driver\_controller\_role\_policy\_arn) | The Name of the EBS CSI driver controller IAM role policy ARN | +| [ebs\_csi\_driver\_controller\_role\_policy\_name](#output\_ebs\_csi\_driver\_controller\_role\_policy\_name) | The Name of the EBS CSI driver controller IAM role policy name | +| 
[ebs\_csi\_driver\_name](#output\_ebs\_csi\_driver\_name) | The Name of the EBS CSI driver | ## References diff --git a/deprecated/eks/echo-server/README.md b/deprecated/eks/echo-server/README.md index babcb498e..de7a28cec 100644 --- a/deprecated/eks/echo-server/README.md +++ b/deprecated/eks/echo-server/README.md 
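Review bot: the Outputs table descriptions "The Name of the EBS CSI driver controller IAM role ARN" and "The Name of the EBS CSI driver controller IAM role policy ARN" conflate a name with an ARN; because this table is terraform-docs output, the wording has to be fixed in the output `description` strings in the component's Terraform, or the next regeneration puts it straight back. Beyond that the hunk replaces prettier's padded `| ----- |` separators with the compact `|------|` form and re-escapes underscores in the anchors (`#output\_ebs\_csi\_driver\_name`), which is raw terraform-docs output replacing prettier output, the reverse of what the subject "added prettier" implies; please confirm which tool is meant to run last in `.pre-commit-config.yaml`.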
@@ -1,35 +1,29 @@ # Component: `eks/echo-server` -This is copied from -[cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/echo-server). +This is copied from [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/echo-server). -This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. The echo server -is a server that sends it back to the client a JSON representation of all the data the server received, which is a -combination of information sent by the client and information sent by the web server infrastructure. For further -details, please see [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). +This component installs the [Ealenn/Echo-Server](https://github.com/Ealenn/Echo-Server) to EKS clusters. +The echo server is a server that sends it back to the client a JSON representation of all the data +the server received, which is a combination of information sent by the client and information sent +by the web server infrastructure. For further details, please see [Echo-Server documentation](https://ealenn.github.io/Echo-Server/). ## Prerequisites -Echo server is intended to provide end-to-end testing of everything needed to deploy an application or service with a -public HTTPS endpoint. Therefore, it requires several other components. +Echo server is intended to provide end-to-end testing of everything needed to deploy an application or service with a public HTTPS endpoint. +Therefore, it requires several other components. At the moment, it supports 2 configurations: 1. 
ALB with ACM Certificate - -- AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled -- Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all - hosts in the domain) - + - AWS Load Balancer Controller (ALB) version 2.2.0 or later, with ACM certificate auto-discovery enabled + - Pre-provisioned ACM TLS certificate covering the provisioned host name (typically a wildcard certificate covering all hosts in the domain) 2. Nginx with Cert Manager Certificate - -- Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` - should work with any version that supports Ingress API version `networking.k8s.io/v1`. -- `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates - via a Cluster Issuer (by default, named `letsEncrypt-prod`). + - Nginx (via `kubernetes/ingress-nginx` controller). We recommend `ingress-nginx` v1.1.0 or later, but `echo-server` + should work with any version that supports Ingress API version `networking.k8s.io/v1`. + - `jetstack/cert-manager` configured to automatically (via Ingress Shim, installed by default) generate TLS certificates via a Cluster Issuer + (by default, named `letsEncrypt-prod`). In both configurations, it has these common requirements: - - Kubernetes version 1.19 or later - Ingress API version `networking.k8s.io/v1` - [kubernetes-sigs/external-dns](https://github.com/kubernetes-sigs/external-dns) 
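Review bot: the reflow under "1. ALB with ACM Certificate" and "2. Nginx with Cert Manager Certificate" turns top-level `-` bullets into indented `  - ` sub-items, which changes the rendered list structure and is not a pure rewrap, so it should be called out in the commit message. The two wrapped copies of the intro paragraph also use different widths (the new "This is copied from [cloudposse/terraform-aws-components](...)" line is far longer than the lines around it), so whichever `printWidth`/`proseWrap` the prettier hook is configured with, this file does not look like its output and will churn on the next commit. Since the sentence is being rewritten anyway, "a server that sends it back to the client a JSON representation" should read "a server that sends back to the client a JSON representation".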
@@ -38,9 +32,10 @@ In both configurations, it has these common requirements: ## Warnings A Terraform plan may fail to apply, giving a Kubernetes authentication failure. This is due to a known issue with -Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes authentication -token and caches it, and then tries to use it during "apply". If the token has expired by the time you try to run -"apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without a "plan" file. +Terraform and the Kubernetes provider. During the "plan" phase Terraform gets a short-lived Kubernetes +authentication token and caches it, and then tries to use it during "apply". If the token has expired by +the time you try to run "apply", the "apply" will fail. The workaround is to run `terraform apply -auto-approve` without +a "plan" file. ## Usage 
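Review bot: the new wrapping of the Warnings paragraph breaks "without / a "plan" file" across two lines while the line above it is well short of the width used in the first hunk, which again points to the text being hand-wrapped rather than produced by the prettier hook; run the hook over the file so the width is consistent and the wrap is reproducible. The content itself is unchanged.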
@@ -74,96 +69,93 @@ components: ``` - ## Requirements -| Name | Version | -| --------------------------------------------------------------------------- | ------------------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [helm](#requirement_helm) | >= 2.0 | -| [kubernetes](#requirement_kubernetes) | >= 2.7.1, != 2.21.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [helm](#requirement\_helm) | >= 2.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.7.1, != 2.21.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [alb](#module_alb) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [echo_server](#module_echo_server) | cloudposse/helm-release/aws | 0.10.0 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [alb](#module\_alb) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [echo\_server](#module\_echo\_server) | cloudposse/helm-release/aws | 0.10.0 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| --------------------------------------------------------------------------------------------------------------------------- | 
----------- | +| Name | Type | +|------|------| | [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [alb_controller_ingress_group_component_name](#input_alb_controller_ingress_group_component_name) | The name of the alb_controller_ingress_group component | `string` | `"eks/alb-controller-ingress-group"` | no | -| [atomic](#input_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [chart_values](#input_chart_values) | Addition map values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [chart_version](#input_chart_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | -| [cleanup_on_fail](#input_cleanup_on_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create_namespace](#input_create_namespace) | Create the Kubernetes namespace if it does not yet exist | `bool` | `true` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [description](#input_description) | Set release description attribute (visible in the history). | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [hostname_template](#input_hostname_template) | The `format()` string to use to generate the hostname via `format(var.hostname_template, var.tenant, var.stage, var.environment)`"
Typically something like `"echo.%[3]v.%[2]v.example.com"`. | `string` | n/a | yes | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [ingress_type](#input_ingress_type) | Set to 'nginx' to create an ingress resource relying on an NGiNX backend for the echo-server service. Set to 'alb' to create an ingress resource relying on an AWS ALB backend for the echo-server service. Leave blank to not create any ingress for the echo-server service. | `string` | `null` | no | -| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [kubernetes_namespace](#input_kubernetes_namespace) | The namespace to install the release into. | `string` | n/a | yes | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [repository](#input_repository) | Repository URL where to locate the requested chart. | `string` | `null` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [timeout](#input_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | -| [verify](#input_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | `bool` | `false` | no | -| [wait](#input_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `true` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [alb\_controller\_ingress\_group\_component\_name](#input\_alb\_controller\_ingress\_group\_component\_name) | The name of the alb\_controller\_ingress\_group component | `string` | `"eks/alb-controller-ingress-group"` | no | +| [atomic](#input\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [chart\_values](#input\_chart\_values) | Addition map values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | +| [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_namespace](#input\_create\_namespace) | Create the Kubernetes namespace if it does not yet exist | `bool` | `true` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [description](#input\_description) | Set release description attribute (visible in the history). | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [hostname\_template](#input\_hostname\_template) | The `format()` string to use to generate the hostname via `format(var.hostname_template, var.tenant, var.stage, var.environment)`"
Typically something like `"echo.%[3]v.%[2]v.example.com"`. | `string` | n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [ingress\_type](#input\_ingress\_type) | Set to 'nginx' to create an ingress resource relying on an NGiNX backend for the echo-server service. Set to 'alb' to create an ingress resource relying on an AWS ALB backend for the echo-server service. Leave blank to not create any ingress for the echo-server service. | `string` | `null` | no | +| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. | `string` | n/a | yes | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [repository](#input\_repository) | Repository URL where to locate the requested chart. | `string` | `null` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [timeout](#input\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | +| [verify](#input\_verify) | Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart | `bool` | `false` | no | +| [wait](#input\_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `true` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------- | ------------------------------------ | -| [metadata](#output_metadata) | Block status of the deployed release | - +| Name | Description | +|------|-------------| +| [metadata](#output\_metadata) | Block status of the deployed release | ## References - -- https://github.com/Ealenn/Echo-Server +* https://github.com/Ealenn/Echo-Server diff --git a/deprecated/eks/efs-controller/README.md b/deprecated/eks/efs-controller/README.md index df5a8d2ae..c6c495c7a 100644 --- a/deprecated/eks/efs-controller/README.md +++ b/deprecated/eks/efs-controller/README.md 
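Review bot: the `hostname_template` description carries a stray `"` after the closing backtick in `format(var.hostname_template, var.tenant, var.stage, var.environment)`"` on both the `-` and `+` sides; that text comes from `variables.tf`, so fix it there and regenerate rather than editing the table. The References entry changes its marker from `- https://github.com/Ealenn/Echo-Server` to `* https://github.com/Ealenn/Echo-Server`; prettier normalizes list markers to `-`, so the `*` confirms this README was not formatted by prettier, matching the Requirements, Providers, Modules, Resources and Inputs tables reverting to terraform-docs' compact `|------|` separators and `\_`-escaped anchors. Also dropped here are the blank lines before `## Requirements` and after the Outputs table, which prettier would restore. Out of scope for a formatting change but worth a follow-up issue: `verify` defaults to `false`, so Helm provenance verification of the chart is off unless a stack sets it explicitly.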
@@ -39,94 +39,92 @@ components: ``` - ## Requirements -| Name | Version | -| --------------------------------------------------------------------------- | ----------------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [helm](#requirement_helm) | >= 2.0 | -| [kubernetes](#requirement_kubernetes) | >= 2.0, != 2.21.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [helm](#requirement\_helm) | >= 2.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.0, != 2.21.0 | ## Providers -| Name | Version | -| --------------------------------------------------------------------- | ----------------- | -| [aws](#provider_aws) | >= 4.0 | -| [kubernetes](#provider_kubernetes) | >= 2.0, != 2.21.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | +| [kubernetes](#provider\_kubernetes) | >= 2.0, != 2.21.0 | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [efs](#module_efs) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [efs_controller](#module_efs_controller) | cloudposse/helm-release/aws | 0.9.1 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [efs](#module\_efs) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [efs\_controller](#module\_efs\_controller) | cloudposse/helm-release/aws | 0.9.1 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 
0.25.0 | ## Resources -| Name | Type | -| ---------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [kubernetes_namespace.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| Name | Type | +|------|------| +| [kubernetes_namespace.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [aws_eks_cluster_auth.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [atomic](#input_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [chart](#input_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `/` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended. | `string` | n/a | yes | -| [chart_description](#input_chart_description) | Set release description attribute (visible in the history). | `string` | `null` | no | -| [chart_repository](#input_chart_repository) | Repository URL where to locate the requested chart. | `string` | n/a | yes | -| [chart_values](#input_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [chart_version](#input_chart_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | -| [cleanup_on_fail](#input_cleanup_on_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create_namespace](#input_create_namespace) | Create the namespace if it does not yet exist. Defaults to `false`. | `bool` | `null` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [efs_component_name](#input_efs_component_name) | The name of the efs component | `string` | `"efs"` | no | -| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [helm_manifest_experiment_enabled](#input_helm_manifest_experiment_enabled) | Enable storing of the rendered manifest for helm_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kube_data_auth_enabled](#input_kube_data_auth_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | -| [kube_exec_auth_aws_profile](#input_kube_exec_auth_aws_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_aws_profile_enabled](#input_kube_exec_auth_aws_profile_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | -| [kube_exec_auth_enabled](#input_kube_exec_auth_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | -| [kube_exec_auth_role_arn](#input_kube_exec_auth_role_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | -| [kube_exec_auth_role_arn_enabled](#input_kube_exec_auth_role_arn_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | -| [kubeconfig_context](#input_kubeconfig_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | -| [kubeconfig_exec_auth_api_version](#input_kubeconfig_exec_auth_api_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | -| [kubeconfig_file](#input_kubeconfig_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | -| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | -| [kubernetes_namespace](#input_kubernetes_namespace) | The namespace to install the release into. | `string` | n/a | yes | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region. | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [timeout](#input_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | -| [wait](#input_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [atomic](#input\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used. | `bool` | `true` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [chart](#input\_chart) | Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `/` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended. | `string` | n/a | yes | +| [chart\_description](#input\_chart\_description) | Set release description attribute (visible in the history). | `string` | `null` | no | +| [chart\_repository](#input\_chart\_repository) | Repository URL where to locate the requested chart. | `string` | n/a | yes | +| [chart\_values](#input\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [chart\_version](#input\_chart\_version) | Specify the exact chart version to install. If this is not specified, the latest version is installed. | `string` | `null` | no | +| [cleanup\_on\_fail](#input\_cleanup\_on\_fail) | Allow deletion of new resources created in this upgrade when upgrade fails. | `bool` | `true` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_namespace](#input\_create\_namespace) | Create the namespace if it does not yet exist. Defaults to `false`. | `bool` | `null` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [efs\_component\_name](#input\_efs\_component\_name) | The name of the efs component | `string` | `"efs"` | no | +| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [helm\_manifest\_experiment\_enabled](#input\_helm\_manifest\_experiment\_enabled) | Enable storing of the rendered manifest for helm\_release so the full diff of what is changing can been seen in the plan | `bool` | `false` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kube\_data\_auth\_enabled](#input\_kube\_data\_auth\_enabled) | If `true`, use an `aws_eks_cluster_auth` data source to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled` or `kube_exec_auth_enabled`. | `bool` | `false` | no | +| [kube\_exec\_auth\_aws\_profile](#input\_kube\_exec\_auth\_aws\_profile) | The AWS config profile for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_aws\_profile\_enabled](#input\_kube\_exec\_auth\_aws\_profile\_enabled) | If `true`, pass `kube_exec_auth_aws_profile` as the `profile` to `aws eks get-token` | `bool` | `false` | no | +| [kube\_exec\_auth\_enabled](#input\_kube\_exec\_auth\_enabled) | If `true`, use the Kubernetes provider `exec` feature to execute `aws eks get-token` to authenticate to the EKS cluster.
Disabled by `kubeconfig_file_enabled`, overrides `kube_data_auth_enabled`. | `bool` | `true` | no | +| [kube\_exec\_auth\_role\_arn](#input\_kube\_exec\_auth\_role\_arn) | The role ARN for `aws eks get-token` to use | `string` | `""` | no | +| [kube\_exec\_auth\_role\_arn\_enabled](#input\_kube\_exec\_auth\_role\_arn\_enabled) | If `true`, pass `kube_exec_auth_role_arn` as the role ARN to `aws eks get-token` | `bool` | `true` | no | +| [kubeconfig\_context](#input\_kubeconfig\_context) | Context to choose from the Kubernetes kube config file | `string` | `""` | no | +| [kubeconfig\_exec\_auth\_api\_version](#input\_kubeconfig\_exec\_auth\_api\_version) | The Kubernetes API version of the credentials returned by the `exec` auth plugin | `string` | `"client.authentication.k8s.io/v1beta1"` | no | +| [kubeconfig\_file](#input\_kubeconfig\_file) | The Kubernetes provider `config_path` setting to use when `kubeconfig_file_enabled` is `true` | `string` | `""` | no | +| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | If `true`, configure the Kubernetes provider with `kubeconfig_file` and use that kubeconfig file for authenticating to the EKS cluster | `bool` | `false` | no | +| [kubernetes\_namespace](#input\_kubernetes\_namespace) | The namespace to install the release into. | `string` | n/a | yes | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region. | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [timeout](#input\_timeout) | Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds | `number` | `null` | no | +| [wait](#input\_wait) | Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`. | `bool` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------- | ------------------------------------ | -| [metadata](#output_metadata) | Block status of the deployed release | - +| Name | Description | +|------|-------------| +| [metadata](#output\_metadata) | Block status of the deployed release | ## References diff --git a/deprecated/eks/eks-without-spotinst/README.md b/deprecated/eks/eks-without-spotinst/README.md index 9478c2b7d..3f0e2344a 100644 --- a/deprecated/eks/eks-without-spotinst/README.md +++ b/deprecated/eks/eks-without-spotinst/README.md 
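Review bot: the table rewrites in this README hunk go the wrong way for a commit titled "added prettier": the removed rows use clean anchors and padded columns (`[terraform](#requirement_terraform)`), while the added rows reintroduce terraform-docs' escaped underscores and unpadded separators (`[terraform](#requirement\_terraform)`, `|------|---------|`), so prettier and terraform-docs will keep reversing each other on every run. Either run prettier over the regenerated terraform-docs output before committing, or scope the pre-commit prettier hook so it does not touch the generated `<!-- markdownlint ... -->` table regions; the same mismatch shows in the preceding Echo-Server hunk, where the References bullet flips from `- https://github.com/Ealenn/Echo-Server` to `* https://github.com/Ealenn/Echo-Server`. Since both files sit under `deprecated/`, also consider excluding that tree from the hook to avoid churn in retired components.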
@@ -1,19 +1,14 @@ # Component: `eks` -This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups. NOTE: This -component can only be deployed after logging in to AWS via Federated login with SAML (e.g. GSuite) or assuming an IAM -role (e.g. from a CI/CD system). It cannot be deployed if you login to AWS via AWS SSO, the reason being is that on -initial deployment, the EKS cluster will be owned by the assumed role that provisioned it. If this were to be the AWS -SSO Role, then we risk losing access to the EKS cluster once the ARN of the AWS SSO Role eventually changes. +This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups. +NOTE: This component can only be deployed after logging in to AWS via Federated login with SAML (e.g. GSuite) or assuming an IAM role (e.g. from a CI/CD system). It cannot be deployed if you login to AWS via AWS SSO, the reason being is that on initial deployment, the EKS cluster will be owned by the assumed role that provisioned it. If this were to be the AWS SSO Role, then we risk losing access to the EKS cluster once the ARN of the AWS SSO Role eventually changes. If Spotinst is going to be used, the following course of action needs to be followed: 1. Create Spotinst account and subscribe to a Business Plan. 1. Provision [spotinst-integration](https://spot.io/), as documented in the component. 1. Provision EKS with Spotinst Ocean pool only. -1. Deploy core K8s components, including - [metrics-server](https://docs.cloudposse.com/components/library/aws/eks/metrics-server), - [external-dns](https://docs.cloudposse.com/components/library/aws/eks/external-dns), etc. +1. Deploy core K8s components, including [metrics-server](https://docs.cloudposse.com/components/library/aws/eks/metrics-server), [external-dns](https://docs.cloudposse.com/components/library/aws/eks/external-dns), etc. 1. 
Deploy Spotinst [ocean-controller](https://docs.spot.io/ocean/tutorials/spot-kubernetes-controller/). ## Usage @@ -64,13 +59,12 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 3.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 3.0 | ## Providers 
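Review bot: the reflowed `+NOTE:` line at the top of this hunk still carries the grammatical slip "the reason being is that", which should read "the reason being that". More importantly, this note is the one access-control warning in the file (the identity that creates the cluster becomes its owner, so an AWS SSO role whose ARN later changes can lock operators out of the EKS cluster); joining it onto a single long line is fine for prettier, but consider keeping it as its own blockquote or admonition rather than a run-on paragraph so the operational caveat stays visible to readers skimming the component.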
@@ -78,17 +72,17 @@ No providers. ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [delegated_roles](#module_delegated_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks_cluster](#module_eks_cluster) | cloudposse/eks-cluster/aws | 0.44.0 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [primary_roles](#module_primary_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [region_node_group](#module_region_node_group) | ./modules/node_group_by_region | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [vpc_ingress](#module_vpc_ingress) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +|------|--------|---------| +| [delegated\_roles](#module\_delegated\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 0.44.0 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [primary\_roles](#module\_primary\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [region\_node\_group](#module\_region\_node\_group) | ./modules/node_group_by_region | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [vpc\_ingress](#module\_vpc\_ingress) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources 
@@ -96,91 +90,89 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [allow_ingress_from_vpc_stages](#input_allow_ingress_from_vpc_stages) | List of stages to pull VPC ingress CIDR and add to security group | `list(string)` | `[]` | no | -| [allowed_cidr_blocks](#input_allowed_cidr_blocks) | List of CIDR blocks to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | -| [allowed_security_groups](#input_allowed_security_groups) | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | -| [apply_config_map_aws_auth](#input_apply_config_map_aws_auth) | Whether to execute `kubectl apply` to apply the ConfigMap to allow worker nodes to join the EKS cluster | `bool` | `true` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [availability_zone_abbreviation_type](#input_availability_zone_abbreviation_type) | Type of Availability Zone abbreviation (either `fixed` or `short`) to use in names. See https://github.com/cloudposse/terraform-aws-utils for details. | `string` | `"fixed"` | no | -| [availability_zones](#input_availability_zones) | AWS Availability Zones in which to deploy multi-AZ resources | `list(string)` | n/a | yes | -| [aws_auth_yaml_strip_quotes](#input_aws_auth_yaml_strip_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | -| [aws_ssm_agent_enabled](#input_aws_ssm_agent_enabled) | Set true to attach the required IAM policy for AWS SSM agent to each EC2 instance's IAM Role | `bool` | `false` | no | -| [cluster_encryption_config_enabled](#input_cluster_encryption_config_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | -| [cluster_encryption_config_kms_key_deletion_window_in_days](#input_cluster_encryption_config_kms_key_deletion_window_in_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no | -| [cluster_encryption_config_kms_key_enable_key_rotation](#input_cluster_encryption_config_kms_key_enable_key_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no | -| [cluster_encryption_config_kms_key_id](#input_cluster_encryption_config_kms_key_id) | KMS Key ID to use for cluster encryption config | `string` | `""` | no | -| [cluster_encryption_config_kms_key_policy](#input_cluster_encryption_config_kms_key_policy) | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no | -| [cluster_encryption_config_resources](#input_cluster_encryption_config_resources) | Cluster Encryption Config Resources to encrypt, e.g. 
['secrets'] | `list(any)` |
[
"secrets"
]
| no | -| [cluster_endpoint_private_access](#input_cluster_endpoint_private_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is `false` | `bool` | `false` | no | -| [cluster_endpoint_public_access](#input_cluster_endpoint_public_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is `true` | `bool` | `true` | no | -| [cluster_kubernetes_version](#input_cluster_kubernetes_version) | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | `string` | `null` | no | -| [cluster_log_retention_period](#input_cluster_log_retention_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `90` | no | -| [cluster_private_subnets_only](#input_cluster_private_subnets_only) | Whether or not to enable private subnets or both public and private subnets | `bool` | `false` | no | -| [color](#input_color) | The cluster stage represented by a color; e.g. blue, green | `string` | `""` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delegated_iam_roles](#input_delegated_iam_roles) | Delegated IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks_component_name](#input_eks_component_name) | The name of the eks component | `string` | `"eks/cluster"` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled_cluster_log_types](#input_enabled_cluster_log_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam_primary_roles_stage_name](#input_iam_primary_roles_stage_name) | The name of the stage where the IAM primary roles are provisioned | `string` | `"identity"` | no | -| [iam_primary_roles_tenant_name](#input_iam_primary_roles_tenant_name) | The name of the tenant where the IAM primary roles are provisioned | `string` | `null` | no | -| [iam_roles_environment_name](#input_iam_roles_environment_name) | The name of the environment where the IAM roles are provisioned | `string` | `"gbl"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [kubeconfig_file](#input_kubeconfig_file) | Name of `kubeconfig` file to use to configure Kubernetes provider | `string` | `""` | no | -| [kubeconfig_file_enabled](#input_kubeconfig_file_enabled) | Set true to configure Kubernetes provider with a `kubeconfig` file specified by `kubeconfig_file`.
Mainly for when the standard configuration produces a Terraform error. | `bool` | `false` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [managed_node_groups_enabled](#input_managed_node_groups_enabled) | Set false to prevent the creation of EKS managed node groups. | `bool` | `true` | no | -| [map_additional_aws_accounts](#input_map_additional_aws_accounts) | Additional AWS account numbers to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | -| [map_additional_iam_roles](#input_map_additional_iam_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map_additional_iam_users](#input_map_additional_iam_users) | Additional IAM users to add to `aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map_additional_worker_roles](#input_map_additional_worker_roles) | AWS IAM Role ARNs of worker nodes to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [node_group_defaults](#input_node_group_defaults) | Defaults for node groups in the cluster |
object({
ami_release_version = string
ami_type = string
attributes = list(string)
availability_zones = list(string) # set to null to use var.region_availability_zones
cluster_autoscaler_enabled = bool
create_before_destroy = bool
desired_group_size = number
disk_encryption_enabled = bool
disk_size = number
instance_types = list(string)
kubernetes_labels = map(string)
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
kubernetes_version = string # set to null to use cluster_kubernetes_version
max_group_size = number
min_group_size = number
resources_to_tag = list(string)
tags = map(string)
})
|
{
"ami_release_version": null,
"ami_type": null,
"attributes": null,
"availability_zones": null,
"cluster_autoscaler_enabled": true,
"create_before_destroy": true,
"desired_group_size": 1,
"disk_encryption_enabled": true,
"disk_size": 20,
"instance_types": [
"t3.medium"
],
"kubernetes_labels": null,
"kubernetes_taints": null,
"kubernetes_version": null,
"max_group_size": 100,
"min_group_size": null,
"resources_to_tag": null,
"tags": null
}
| no | -| [node_groups](#input_node_groups) | List of objects defining a node group for the cluster |
map(object({
# EKS AMI version to use, e.g. "1.16.13-20200821" (no "v").
ami_release_version = string
# Type of Amazon Machine Image (AMI) associated with the EKS Node Group
ami_type = string
# Additional attributes (e.g. `1`) for the node group
attributes = list(string)
# will create 1 auto scaling group in each specified availability zone
availability_zones = list(string)
# Whether to enable Node Group to scale its AutoScaling Group
cluster_autoscaler_enabled = bool
# True to create new node_groups before deleting old ones, avoiding a temporary outage
create_before_destroy = bool
# Desired number of worker nodes when initially provisioned
desired_group_size = number
# Enable disk encryption for the created launch template (if we aren't provided with an existing launch template)
disk_encryption_enabled = bool
# Disk size in GiB for worker nodes. Terraform will only perform drift detection if a configuration value is provided.
disk_size = number
# Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided.
instance_types = list(string)
# Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed
kubernetes_labels = map(string)
# List of objects describing Kubernetes taints.
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
# Desired Kubernetes master version. If you do not specify a value, the latest available version is used
kubernetes_version = string
# The maximum size of the AutoScaling Group
max_group_size = number
# The minimum size of the AutoScaling Group
min_group_size = number
# List of auto-launched resource types to tag
resources_to_tag = list(string)
tags = map(string)
}))
| `{}` | no | -| [oidc_provider_enabled](#input_oidc_provider_enabled) | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | `bool` | n/a | yes | -| [primary_iam_roles](#input_primary_iam_roles) | Primary IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | -| [public_access_cidrs](#input_public_access_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | `[]` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [subnet_type_tag_key](#input_subnet_type_tag_key) | The tag used to find the private subnets to find by availability zone. If null, will be looked up in vpc outputs. | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [allow\_ingress\_from\_vpc\_stages](#input\_allow\_ingress\_from\_vpc\_stages) | List of stages to pull VPC ingress CIDR and add to security group | `list(string)` | `[]` | no | +| [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | +| [allowed\_security\_groups](#input\_allowed\_security\_groups) | List of Security Group IDs to be allowed to connect to the EKS cluster | `list(string)` | `[]` | no | +| [apply\_config\_map\_aws\_auth](#input\_apply\_config\_map\_aws\_auth) | Whether to execute `kubectl apply` to apply the ConfigMap to allow worker nodes to join the EKS cluster | `bool` | `true` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [availability\_zone\_abbreviation\_type](#input\_availability\_zone\_abbreviation\_type) | Type of Availability Zone abbreviation (either `fixed` or `short`) to use in names. See https://github.com/cloudposse/terraform-aws-utils for details. | `string` | `"fixed"` | no | +| [availability\_zones](#input\_availability\_zones) | AWS Availability Zones in which to deploy multi-AZ resources | `list(string)` | n/a | yes | +| [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no | +| [aws\_ssm\_agent\_enabled](#input\_aws\_ssm\_agent\_enabled) | Set true to attach the required IAM policy for AWS SSM agent to each EC2 instance's IAM Role | `bool` | `false` | no | +| [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no | +| [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no | +| [cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation](#input\_cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no | +| [cluster\_encryption\_config\_kms\_key\_id](#input\_cluster\_encryption\_config\_kms\_key\_id) | KMS Key ID to use for cluster encryption config | `string` | `""` | no | +| [cluster\_encryption\_config\_kms\_key\_policy](#input\_cluster\_encryption\_config\_kms\_key\_policy) | Cluster Encryption Config KMS Key Resource argument - key policy | `string` | `null` | no | +| 
[cluster\_encryption\_config\_resources](#input\_cluster\_encryption\_config\_resources) | Cluster Encryption Config Resources to encrypt, e.g. ['secrets'] | `list(any)` |
[
"secrets"
]
| no | +| [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Indicates whether or not the Amazon EKS private API server endpoint is enabled. Default to AWS EKS resource and it is `false` | `bool` | `false` | no | +| [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Indicates whether or not the Amazon EKS public API server endpoint is enabled. Default to AWS EKS resource and it is `true` | `bool` | `true` | no | +| [cluster\_kubernetes\_version](#input\_cluster\_kubernetes\_version) | Desired Kubernetes master version. If you do not specify a value, the latest available version is used | `string` | `null` | no | +| [cluster\_log\_retention\_period](#input\_cluster\_log\_retention\_period) | Number of days to retain cluster logs. Requires `enabled_cluster_log_types` to be set. See https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. | `number` | `90` | no | +| [cluster\_private\_subnets\_only](#input\_cluster\_private\_subnets\_only) | Whether or not to enable private subnets or both public and private subnets | `bool` | `false` | no | +| [color](#input\_color) | The cluster stage represented by a color; e.g. blue, green | `string` | `""` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delegated\_iam\_roles](#input\_delegated\_iam\_roles) | Delegated IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks\_component\_name](#input\_eks\_component\_name) | The name of the eks component | `string` | `"eks/cluster"` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled\_cluster\_log\_types](#input\_enabled\_cluster\_log\_types) | A list of the desired control plane logging to enable. For more information, see https://docs.aws.amazon.com/en_us/eks/latest/userguide/control-plane-logs.html. Possible values [`api`, `audit`, `authenticator`, `controllerManager`, `scheduler`] | `list(string)` | `[]` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam\_primary\_roles\_stage\_name](#input\_iam\_primary\_roles\_stage\_name) | The name of the stage where the IAM primary roles are provisioned | `string` | `"identity"` | no | +| [iam\_primary\_roles\_tenant\_name](#input\_iam\_primary\_roles\_tenant\_name) | The name of the tenant where the IAM primary roles are provisioned | `string` | `null` | no | +| [iam\_roles\_environment\_name](#input\_iam\_roles\_environment\_name) | The name of the environment where the IAM roles are provisioned | `string` | `"gbl"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [kubeconfig\_file](#input\_kubeconfig\_file) | Name of `kubeconfig` file to use to configure Kubernetes provider | `string` | `""` | no | +| [kubeconfig\_file\_enabled](#input\_kubeconfig\_file\_enabled) | Set true to configure Kubernetes provider with a `kubeconfig` file specified by `kubeconfig_file`.
Mainly for when the standard configuration produces a Terraform error. | `bool` | `false` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [managed\_node\_groups\_enabled](#input\_managed\_node\_groups\_enabled) | Set false to prevent the creation of EKS managed node groups. | `bool` | `true` | no | +| [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | +| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM users to add to `aws-auth` ConfigMap |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map\_additional\_worker\_roles](#input\_map\_additional\_worker\_roles) | AWS IAM Role ARNs of worker nodes to add to `aws-auth` ConfigMap | `list(string)` | `[]` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [node\_group\_defaults](#input\_node\_group\_defaults) | Defaults for node groups in the cluster |
object({
ami_release_version = string
ami_type = string
attributes = list(string)
availability_zones = list(string) # set to null to use var.region_availability_zones
cluster_autoscaler_enabled = bool
create_before_destroy = bool
desired_group_size = number
disk_encryption_enabled = bool
disk_size = number
instance_types = list(string)
kubernetes_labels = map(string)
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
kubernetes_version = string # set to null to use cluster_kubernetes_version
max_group_size = number
min_group_size = number
resources_to_tag = list(string)
tags = map(string)
})
|
{
"ami_release_version": null,
"ami_type": null,
"attributes": null,
"availability_zones": null,
"cluster_autoscaler_enabled": true,
"create_before_destroy": true,
"desired_group_size": 1,
"disk_encryption_enabled": true,
"disk_size": 20,
"instance_types": [
"t3.medium"
],
"kubernetes_labels": null,
"kubernetes_taints": null,
"kubernetes_version": null,
"max_group_size": 100,
"min_group_size": null,
"resources_to_tag": null,
"tags": null
}
| no | +| [node\_groups](#input\_node\_groups) | List of objects defining a node group for the cluster |
map(object({
# EKS AMI version to use, e.g. "1.16.13-20200821" (no "v").
ami_release_version = string
# Type of Amazon Machine Image (AMI) associated with the EKS Node Group
ami_type = string
# Additional attributes (e.g. `1`) for the node group
attributes = list(string)
# will create 1 auto scaling group in each specified availability zone
availability_zones = list(string)
# Whether to enable Node Group to scale its AutoScaling Group
cluster_autoscaler_enabled = bool
# True to create new node_groups before deleting old ones, avoiding a temporary outage
create_before_destroy = bool
# Desired number of worker nodes when initially provisioned
desired_group_size = number
# Enable disk encryption for the created launch template (if we aren't provided with an existing launch template)
disk_encryption_enabled = bool
# Disk size in GiB for worker nodes. Terraform will only perform drift detection if a configuration value is provided.
disk_size = number
# Set of instance types associated with the EKS Node Group. Terraform will only perform drift detection if a configuration value is provided.
instance_types = list(string)
# Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed
kubernetes_labels = map(string)
# List of objects describing Kubernetes taints.
kubernetes_taints = list(object({
key = string
value = string
effect = string
}))
# Desired Kubernetes master version. If you do not specify a value, the latest available version is used
kubernetes_version = string
# The maximum size of the AutoScaling Group
max_group_size = number
# The minimum size of the AutoScaling Group
min_group_size = number
# List of auto-launched resource types to tag
resources_to_tag = list(string)
tags = map(string)
}))
| `{}` | no | +| [oidc\_provider\_enabled](#input\_oidc\_provider\_enabled) | Create an IAM OIDC identity provider for the cluster, then you can create IAM roles to associate with a service account in the cluster, instead of using kiam or kube2iam. For more information, see https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html | `bool` | n/a | yes | +| [primary\_iam\_roles](#input\_primary\_iam\_roles) | Primary IAM roles to add to `aws-auth` ConfigMap |
list(object({
role = string
groups = list(string)
}))
| `[]` | no | +| [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | `[]` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [subnet\_type\_tag\_key](#input\_subnet\_type\_tag\_key) | The tag used to find the private subnets to find by availability zone. If null, will be looked up in vpc outputs. | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [eks_auth_worker_roles](#output_eks_auth_worker_roles) | List of worker IAM roles that were included in the `auth-map` ConfigMap. | -| [eks_cluster_arn](#output_eks_cluster_arn) | The Amazon Resource Name (ARN) of the cluster | -| [eks_cluster_certificate_authority_data](#output_eks_cluster_certificate_authority_data) | The Kubernetes cluster certificate authority data | -| [eks_cluster_endpoint](#output_eks_cluster_endpoint) | The endpoint for the Kubernetes API server | -| [eks_cluster_id](#output_eks_cluster_id) | The name of the cluster | -| [eks_cluster_identity_oidc_issuer](#output_eks_cluster_identity_oidc_issuer) | The OIDC Identity issuer for the cluster | -| [eks_cluster_managed_security_group_id](#output_eks_cluster_managed_security_group_id) | Security Group ID that was created by EKS for the cluster. 
EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads | -| [eks_cluster_version](#output_eks_cluster_version) | The Kubernetes server version of the cluster | -| [eks_managed_node_workers_role_arns](#output_eks_managed_node_workers_role_arns) | List of ARNs for workers in managed node groups | -| [eks_node_group_arns](#output_eks_node_group_arns) | List of all the node group ARNs in the cluster | -| [eks_node_group_count](#output_eks_node_group_count) | Count of the worker nodes | -| [eks_node_group_ids](#output_eks_node_group_ids) | EKS Cluster name and EKS Node Group name separated by a colon | -| [eks_node_group_role_names](#output_eks_node_group_role_names) | List of worker nodes IAM role names | -| [eks_node_group_statuses](#output_eks_node_group_statuses) | Status of the EKS Node Group | - +| Name | Description | +|------|-------------| +| [eks\_auth\_worker\_roles](#output\_eks\_auth\_worker\_roles) | List of worker IAM roles that were included in the `auth-map` ConfigMap. | +| [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The Amazon Resource Name (ARN) of the cluster | +| [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | The Kubernetes cluster certificate authority data | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the Kubernetes API server | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | The name of the cluster | +| [eks\_cluster\_identity\_oidc\_issuer](#output\_eks\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster | +| [eks\_cluster\_managed\_security\_group\_id](#output\_eks\_cluster\_managed\_security\_group\_id) | Security Group ID that was created by EKS for the cluster. 
EKS creates a Security Group and applies it to ENI that is attached to EKS Control Plane master nodes and to any managed workloads | +| [eks\_cluster\_version](#output\_eks\_cluster\_version) | The Kubernetes server version of the cluster | +| [eks\_managed\_node\_workers\_role\_arns](#output\_eks\_managed\_node\_workers\_role\_arns) | List of ARNs for workers in managed node groups | +| [eks\_node\_group\_arns](#output\_eks\_node\_group\_arns) | List of all the node group ARNs in the cluster | +| [eks\_node\_group\_count](#output\_eks\_node\_group\_count) | Count of the worker nodes | +| [eks\_node\_group\_ids](#output\_eks\_node\_group\_ids) | EKS Cluster name and EKS Node Group name separated by a colon | +| [eks\_node\_group\_role\_names](#output\_eks\_node\_group\_role\_names) | List of worker nodes IAM role names | +| [eks\_node\_group\_statuses](#output\_eks\_node\_group\_statuses) | Status of the EKS Node Group | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/eks-without-spotinst) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/eks/eks-without-spotinst) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/github-actions-runner/README.md b/deprecated/github-actions-runner/README.md index fa2574327..5e913c224 100644 --- a/deprecated/github-actions-runner/README.md +++ b/deprecated/github-actions-runner/README.md 
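Review bot: the `public_access_cidrs` row in the rewritten Inputs table is ambiguous about what its default `[]` means: the description says "EKS defaults this to a list with 0.0.0.0/0", so a reader cannot tell whether leaving the input empty restricts the public API server endpoint or leaves it reachable from the whole internet. The row is carried over unchanged, so while these lines are being touched, state in the variable description which behaviour `[]` selects. Separately, the `+` rows move from `#output_eks_cluster_arn` style anchors to `#output\_eks\_cluster\_arn` and drop the column padding that the `-` rows had; prettier aligns markdown table columns, so this is the opposite of what a prettier pass produces. If these tables are regenerated by a docs tool, confirm the hook order so the two formatters do not keep rewriting each other on every commit.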
@@ -111,29 +111,21 @@ Run `make TAG=0.0.6 help` to get the same commands with a specific tag for ease ### ECR Authentication -There are multiple ways to authenticate with ECR. The commands provided by AWS with the `docker login` approach is -available with the target: +There are multiple ways to authenticate with ECR. The commands provided by AWS with the `docker login` approach is available with the target: ```bash make auth ``` -_NOTE_: You cannot run the build or push from inside Geodesic, you need to run those on your host to avoid -docker-in-docker issues so ensure you authentication is handled outside of Geodesic as well. +_NOTE_: You cannot run the build or push from inside Geodesic, you need to run those on your host to avoid docker-in-docker issues so ensure you authentication is handled outside of Geodesic as well. ### Manually Building and Tagging the Image -We create our own runner image with amazon-ecr-credential-helper installed. For actions-runner-controller 0.16.0 we used -runners_image: `"summerwind/actions-runner-dind:v2.275.1"` -> `action-runner:v0.1.0`. +We create our own runner image with amazon-ecr-credential-helper installed. For actions-runner-controller 0.16.0 we used runners_image: `"summerwind/actions-runner-dind:v2.275.1"` -> `action-runner:v0.1.0`. -For `actions-runner-controller` 0.18.0 we tried `runners_image: "summerwind/actions-runner-dind:v2.277.1"` -> -`action-runner:0.2.0` but that did not work (see https://github.com/summerwind/actions-runner-controller/issues/274) so -we reverted to `runners_image: "summerwind/actions-runner-dind:v2.274.2"` -> `action-runner:0.2.1` based on the -[issue comment](https://github.com/summerwind/actions-runner-controller/blob/bc6e499e4f72f60024781d99ec66a665bedb5e1f/runner/Dockerfile#L4) -and the runner version configured in the controller release. 
+For `actions-runner-controller` 0.18.0 we tried `runners_image: "summerwind/actions-runner-dind:v2.277.1"` -> `action-runner:0.2.0` but that did not work (see https://github.com/summerwind/actions-runner-controller/issues/274) so we reverted to `runners_image: "summerwind/actions-runner-dind:v2.274.2"` -> `action-runner:0.2.1` based on the [issue comment](https://github.com/summerwind/actions-runner-controller/blob/bc6e499e4f72f60024781d99ec66a665bedb5e1f/runner/Dockerfile#L4) and the runner version configured in the controller release. -Edit Dockerfile to set base runner version and `ecr-credential-helper-version`. Create the image before deploying the -Helmfile. +Edit Dockerfile to set base runner version and `ecr-credential-helper-version`. Create the image before deploying the Helmfile. ```bash make TAG=xxx build @@ -147,12 +139,9 @@ Push the image with `make TAG=xxx push`. ## Managing the `GITHUB_TOKEN` -According to the above docs, do not use the Github App if Github Enterprise is used or planned to be used. The best way -is to use a Github PAT. +According to the above docs, do not use the Github App if Github Enterprise is used or planned to be used. The best way is to use a Github PAT. -See the -[official documentation](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication) -on how to generate and configure the `GITHUB_TOKEN` (Personal Access Token). +See the [official documentation](https://github.com/actions-runner-controller/actions-runner-controller#deploying-using-pat-authentication) on how to generate and configure the `GITHUB_TOKEN` (Personal Access Token). Install `GITHUB_TOKEN` with: 
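Review bot: the reflowed `+` lines in the ECR Authentication section carry two grammar slips over verbatim: "The commands provided by AWS with the `docker login` approach is available" should read "are available", and "ensure you authentication is handled" should read "your authentication". Since the formatter is already rewriting these lines, fix them in the same pass rather than leaving them for a later commit. In the Manually Building and Tagging paragraph, the link labelled `[issue comment]` points at `runner/Dockerfile#L4` in a pinned commit rather than at a comment, so either relabel it (for example "runner Dockerfile") or point it at the comment on issue 274 that the sentence cites.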
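Review bot: the installation command kept as context for this section, `kubectl create secret generic controller-manager -n actions-runner-system --from-literal=github_token=${GITHUB_TOKEN}`, passes the Personal Access Token as a process argument, where it is visible in the host's process list for as long as `kubectl` runs. Since this paragraph is the documented way to install the token, consider adding a `--from-file` variant that reads the token from a file or stdin so the value never appears on a command line. Also, "Github App", "Github Enterprise" and "Github PAT" in the reflowed `+` lines should be spelled "GitHub".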
@@ -161,121 +150,116 @@ kubectl create secret generic controller-manager -n actions-runner-system \ --from-literal=github_token=${GITHUB_TOKEN} ``` -_NOTE_: configure the desired cluster in Geodesic using `set-cluster account` (where `account` is the AWS account name; -ex: `set-cluster auto`). The region may be required as well as a tenant, if the project uses tenants; ex: -`set-cluster apse1-auto`. +_NOTE_: configure the desired cluster in Geodesic using `set-cluster account` (where `account` is the AWS account name; ex: `set-cluster auto`). The region may be required as well as a tenant, if the project uses tenants; ex: `set-cluster apse1-auto`. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 3.0 | -| [helm](#requirement_helm) | >= 2.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 3.0 | +| [helm](#requirement\_helm) | >= 2.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 3.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.0 | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [actions_runner](#module_actions_runner) | cloudposse/helm-release/aws | 0.3.1 | -| [actions_runner_controller](#module_actions_runner_controller) | cloudposse/helm-release/aws | 0.3.1 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | -| [eks_iam_policy](#module_eks_iam_policy) | cloudposse/iam-policy/aws | 0.2.2 | -| [eks_iam_role](#module_eks_iam_role) | cloudposse/eks-iam-role/aws | 0.10.3 | -| 
[github_action_controller_label](#module_github_action_controller_label) | cloudposse/label/null | 0.25.0 | -| [github_action_helm_label](#module_github_action_helm_label) | cloudposse/label/null | 0.25.0 | -| [iam_primary_roles](#module_iam_primary_roles) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [actions\_runner](#module\_actions\_runner) | cloudposse/helm-release/aws | 0.3.1 | +| [actions\_runner\_controller](#module\_actions\_runner\_controller) | cloudposse/helm-release/aws | 0.3.1 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | +| [eks\_iam\_policy](#module\_eks\_iam\_policy) | cloudposse/iam-policy/aws | 0.2.2 | +| [eks\_iam\_role](#module\_eks\_iam\_role) | cloudposse/eks-iam-role/aws | 0.10.3 | +| [github\_action\_controller\_label](#module\_github\_action\_controller\_label) | cloudposse/label/null | 0.25.0 | +| [github\_action\_helm\_label](#module\_github\_action\_helm\_label) | cloudposse/label/null | 0.25.0 | +| [iam\_primary\_roles](#module\_iam\_primary\_roles) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.0 | +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_iam_policy.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role_policy_attachment.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_kms_alias.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | -| [aws_iam_policy_document.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| Name | Type | +|------|------| +| [aws_iam_policy.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role_policy_attachment.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| 
[aws_eks_cluster.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.kubernetes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_policy_document.github_action_runner](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.github_action_runner_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [autoscale_type](#input_autoscale_type) | Default choice if not defined in autoscale_types | `string` | `"low_concurrency"` | no | -| [autoscale_types](#input_autoscale_types) | Map to define HRA CRD scaling configurations |
map(object({
minReplicas = number,
maxReplicas = number
metrics = object({
type = string,
scaleUpThreshold = number,
scaleDownThreshold = number,
scaleUpAdjustment = number,
scaleDownAdjustment = number
})
}))
|
{
"low_concurrency": {
"maxReplicas": 8,
"metrics": {
"scaleDownAdjustment": 1,
"scaleDownThreshold": 0.3,
"scaleUpAdjustment": 1,
"scaleUpThreshold": 0.75,
"type": "PercentageRunnersBusy"
},
"minReplicas": 1
}
}
| no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [controller_chart_image](#input_controller_chart_image) | Image to use for controller | `string` | `"summerwind/actions-runner-controller"` | no | -| [controller_chart_image_tag](#input_controller_chart_image_tag) | Tag to use for controller image | `string` | `"v0.19.0"` | no | -| [controller_chart_name](#input_controller_chart_name) | Controller Helm chart name. | `string` | `"actions-runner-controller"` | no | -| [controller_chart_namespace](#input_controller_chart_namespace) | Controller kubernetes namespace. | `string` | `"actions-runner-system"` | no | -| [controller_chart_namespace_create](#input_controller_chart_namespace_create) | Controller kubernetes namespace created if not present | `bool` | `true` | no | -| [controller_chart_release_name](#input_controller_chart_release_name) | Controller Helm chart release name. | `string` | `"actions-runner-controller"` | no | -| [controller_chart_repo](#input_controller_chart_repo) | Controller Helm chart repository name. | `string` | `"https://actions-runner-controller.github.io/actions-runner-controller"` | no | -| [controller_chart_values](#input_controller_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [controller_chart_version](#input_controller_chart_version) | Controller Helm chart version. | `string` | `"0.12.8"` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam_policy_statements](#input_iam_policy_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `[]` | no | -| [iam_primary_roles_environment_name](#input_iam_primary_roles_environment_name) | The name of the environment where global `iam_primary_roles` is provisioned | `string` | `"gbl"` | no | -| [iam_primary_roles_stage_name](#input_iam_primary_roles_stage_name) | The name of the stage where `iam_primary_roles` is provisioned | `string` | `"identity"` | no | -| [iam_role_enabled](#input_iam_role_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | -| [iam_source_json_url](#input_iam_source_json_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [runner_chart_image](#input_runner_chart_image) | Controller Helm chart name. | `string` | `"actions-runner"` | no | -| [runner_chart_values](#input_runner_chart_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | -| [runner_configurations](#input_runner_configurations) | List of maps to create runners from | `list(map(string))` | n/a | yes | -| [runner_type](#input_runner_type) | Default choice if not defined in runner_configurations | `string` | `"small"` | no | -| [runner_types](#input_runner_types) | Map to define resources limits and requests |
map(object({
resources = object({
limits = object({
cpu = string,
memory = string
}),
requests = object({
cpu = string,
memory = string
})
})
}))
|
{
"small": {
"resources": {
"limits": {
"cpu": "3",
"memory": "12Gi"
},
"requests": {
"cpu": "1",
"memory": "1Gi"
}
}
}
}
| no | -| [service_account_name](#input_service_account_name) | Kubernetes ServiceAccount name. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | -| [service_account_namespace](#input_service_account_namespace) | Kubernetes Namespace where service account is deployed. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [autoscale\_type](#input\_autoscale\_type) | Default choice if not defined in autoscale\_types | `string` | `"low_concurrency"` | no | +| [autoscale\_types](#input\_autoscale\_types) | Map to define HRA CRD scaling configurations |
map(object({
minReplicas = number,
maxReplicas = number
metrics = object({
type = string,
scaleUpThreshold = number,
scaleDownThreshold = number,
scaleUpAdjustment = number,
scaleDownAdjustment = number
})
}))
|
{
"low_concurrency": {
"maxReplicas": 8,
"metrics": {
"scaleDownAdjustment": 1,
"scaleDownThreshold": 0.3,
"scaleUpAdjustment": 1,
"scaleUpThreshold": 0.75,
"type": "PercentageRunnersBusy"
},
"minReplicas": 1
}
}
| no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [controller\_chart\_image](#input\_controller\_chart\_image) | Image to use for controller | `string` | `"summerwind/actions-runner-controller"` | no | +| [controller\_chart\_image\_tag](#input\_controller\_chart\_image\_tag) | Tag to use for controller image | `string` | `"v0.19.0"` | no | +| [controller\_chart\_name](#input\_controller\_chart\_name) | Controller Helm chart name. | `string` | `"actions-runner-controller"` | no | +| [controller\_chart\_namespace](#input\_controller\_chart\_namespace) | Controller kubernetes namespace. | `string` | `"actions-runner-system"` | no | +| [controller\_chart\_namespace\_create](#input\_controller\_chart\_namespace\_create) | Controller kubernetes namespace created if not present | `bool` | `true` | no | +| [controller\_chart\_release\_name](#input\_controller\_chart\_release\_name) | Controller Helm chart release name. | `string` | `"actions-runner-controller"` | no | +| [controller\_chart\_repo](#input\_controller\_chart\_repo) | Controller Helm chart repository name. | `string` | `"https://actions-runner-controller.github.io/actions-runner-controller"` | no | +| [controller\_chart\_values](#input\_controller\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [controller\_chart\_version](#input\_controller\_chart\_version) | Controller Helm chart version. | `string` | `"0.12.8"` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam\_policy\_statements](#input\_iam\_policy\_statements) | IAM policy for the service account. Required if `var.iam_role_enabled` is `true`. This will not do variable replacements. Please see `var.iam_policy_statements_template_path`. | `any` | `[]` | no | +| [iam\_primary\_roles\_environment\_name](#input\_iam\_primary\_roles\_environment\_name) | The name of the environment where global `iam_primary_roles` is provisioned | `string` | `"gbl"` | no | +| [iam\_primary\_roles\_stage\_name](#input\_iam\_primary\_roles\_stage\_name) | The name of the stage where `iam_primary_roles` is provisioned | `string` | `"identity"` | no | +| [iam\_role\_enabled](#input\_iam\_role\_enabled) | Whether to create an IAM role. Setting this to `true` will also replace any occurrences of `{service_account_role_arn}` in `var.values_template_path` with the ARN of the IAM role created by this module. | `bool` | `false` | no | +| [iam\_source\_json\_url](#input\_iam\_source\_json\_url) | IAM source json policy to download. This will be used as the `source_json` meaning the `var.iam_policy_statements` and `var.iam_policy_statements_template_path` can override it. | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [runner\_chart\_image](#input\_runner\_chart\_image) | Controller Helm chart name. | `string` | `"actions-runner"` | no | +| [runner\_chart\_values](#input\_runner\_chart\_values) | Additional values to yamlencode as `helm_release` values. | `any` | `{}` | no | +| [runner\_configurations](#input\_runner\_configurations) | List of maps to create runners from | `list(map(string))` | n/a | yes | +| [runner\_type](#input\_runner\_type) | Default choice if not defined in runner\_configurations | `string` | `"small"` | no | +| [runner\_types](#input\_runner\_types) | Map to define resources limits and requests |
map(object({
resources = object({
limits = object({
cpu = string,
memory = string
}),
requests = object({
cpu = string,
memory = string
})
})
}))
|
{
"small": {
"resources": {
"limits": {
"cpu": "3",
"memory": "12Gi"
},
"requests": {
"cpu": "1",
"memory": "1Gi"
}
}
}
}
| no | +| [service\_account\_name](#input\_service\_account\_name) | Kubernetes ServiceAccount name. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | +| [service\_account\_namespace](#input\_service\_account\_namespace) | Kubernetes Namespace where service account is deployed. Required if `var.iam_role_enabled` is `true`. | `string` | `null` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------- | ------------------------ | -| [kms_alias](#output_kms_alias) | KMS alias | -| [kms_key_arn](#output_kms_key_arn) | KMS key ARN | -| [release_name](#output_release_name) | Name of the release | -| [release_namespace](#output_release_namespace) | Namespace of the release | -| [service_account_role_arn](#output_service_account_role_arn) | Service Account role ARN | - +| Name | Description | +|------|-------------| +| [kms\_alias](#output\_kms\_alias) | KMS alias | +| [kms\_key\_arn](#output\_kms\_key\_arn) | KMS key ARN | +| [release\_name](#output\_release\_name) | Name of the release | +| [release\_namespace](#output\_release\_namespace) | Namespace of the release | +| [service\_account\_role\_arn](#output\_service\_account\_role\_arn) | Service Account role ARN | ## References - [actions-runner-controller](https://github.com/actions-runner-controller/actions-runner-controller) - Github Repo -- [summerwind/actions-runner-controller source](https://github.com/summerwind/actions-runner-controller/blob/master/charts/actions-runner-controller/values.yaml) - - Helm Chart +- [summerwind/actions-runner-controller source](https://github.com/summerwind/actions-runner-controller/blob/master/charts/actions-runner-controller/values.yaml) - Helm Chart [](https://cpco.io/component) diff --git a/deprecated/guardduty/common/README.md b/deprecated/guardduty/common/README.md index 51d0f351d..3135006e8 100644 --- a/deprecated/guardduty/common/README.md +++ b/deprecated/guardduty/common/README.md 
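Review bot: In the Inputs table of the actions-runner-controller README, the `iam_source_json_url` row ("IAM source json policy to download ... used as the `source_json`") should state that the document fetched from that URL becomes the base of the runner's IAM policy, so the URL must point at a trusted, version-pinned source; as written a reader cannot tell that a change at the remote URL changes the permissions granted to the service account role. Separately, the `+` rows replace the column-aligned tables with the compact `|------|` style and `\_`-escaped names that terraform-docs emits; if prettier is run over these READMEs afterwards it will re-align the tables, so the generated form and the formatted form will flip on every regeneration unless the docs generator's output is formatted before commit.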
@@ -1,41 +1,24 @@ # Component: `guardduty/common` -This component is responsible for configuring GuardDuty and it should be used in tandem with the -[guardduty/root](../root) component. +This component is responsible for configuring GuardDuty and it should be used in tandem with the [guardduty/root](../root) component. -AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by -continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources -within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security -threats. +AWS GuardDuty is a managed threat detection service. It is designed to help protect AWS accounts and workloads by continuously monitoring for malicious activities and unauthorized behaviors. GuardDuty analyzes various data sources within your AWS environment, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect potential security threats. Key features and components of AWS GuardDuty include: -- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence - to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event - logs and network traffic data to detect patterns, anomalies, and known attack techniques. +- Threat detection: GuardDuty employs machine learning algorithms, anomaly detection, and integrated threat intelligence to identify suspicious activities, unauthorized access attempts, and potential security threats. It analyzes event logs and network traffic data to detect patterns, anomalies, and known attack techniques. -- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global - community to enhance its detection capabilities. 
It uses this intelligence to identify known malicious IP addresses, - domains, and other indicators of compromise. +- Threat intelligence: GuardDuty leverages threat intelligence feeds from AWS, trusted partners, and the global community to enhance its detection capabilities. It uses this intelligence to identify known malicious IP addresses, domains, and other indicators of compromise. -- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be - delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS - Lambda for immediate action or custom response workflows. +- Real-time alerts: When GuardDuty identifies a potential security issue, it generates real-time alerts that can be delivered through AWS CloudWatch Events. These alerts can be integrated with other AWS services like Amazon SNS or AWS Lambda for immediate action or custom response workflows. -- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and - monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security - policies and practices. +- Multi-account support: GuardDuty can be enabled across multiple AWS accounts, allowing centralized management and monitoring of security across an entire organization's AWS infrastructure. This helps to maintain consistent security policies and practices. -- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS - Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of - security incidents and reduces the need for manual intervention. 
+- Automated remediation: GuardDuty integrates with other AWS services, such as AWS Macie, AWS Security Hub, and AWS Systems Manager, to facilitate automated threat response and remediation actions. This helps to minimize the impact of security incidents and reduces the need for manual intervention. -- Security findings and reports: GuardDuty provides detailed security findings and reports that include information - about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed - through the AWS Management Console or retrieved via APIs for further analysis and reporting. +- Security findings and reports: GuardDuty provides detailed security findings and reports that include information about detected threats, affected AWS resources, and recommended remediation actions. These findings can be accessed through the AWS Management Console or retrieved via APIs for further analysis and reporting. -GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations -with an additional layer of security to proactively identify and respond to potential security risks. +GuardDuty offers a scalable and flexible approach to threat detection within AWS environments, providing organizations with an additional layer of security to proactively identify and respond to potential security risks. ## Usage 
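Review bot: Since this hunk rewrites every line of the GuardDuty overview anyway, fix the product names on the `+` side: the service is "Amazon GuardDuty" (not "AWS GuardDuty"), the data-classification service is "Amazon Macie" (not "AWS Macie"), and "AWS CloudWatch Events" is now Amazon EventBridge, which is where GuardDuty findings are delivered for the SNS/Lambda response workflows the same bullet describes. Reflowing each bullet onto a single long line also makes later diffs of these paragraphs show a whole-line change for any one-word edit, which is the reason the `-` side was wrapped.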
@@ -87,32 +70,31 @@ atmos terraform apply guardduty/common-uw1 -s core-uw1-security ``` - ## Requirements No requirements. ## Providers -| Name | Version | -| --------------------------------------------------------------- | ------- | -| [aws](#provider_aws) | n/a | -| [awsutils](#provider_awsutils) | n/a | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [awsutils](#provider\_awsutils) | n/a | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [guardduty](#module_guardduty) | cloudposse/guardduty/aws | 0.5.0 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [guardduty](#module\_guardduty) | cloudposse/guardduty/aws | 0.5.0 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | ## Resources -| Name | Type | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [awsutils_guardduty_organization_settings.this](https://registry.terraform.io/providers/hashicorp/awsutils/latest/docs/resources/guardduty_organization_settings) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| Name | Type | +|------|------| +| [awsutils_guardduty_organization_settings.this](https://registry.terraform.io/providers/hashicorp/awsutils/latest/docs/resources/guardduty_organization_settings) | resource | +| 
[aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs @@ -120,18 +102,16 @@ No inputs. ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------- | ----------------------- | -| [guardduty_detector_arn](#output_guardduty_detector_arn) | GuardDuty detector ARN | -| [guardduty_detector_id](#output_guardduty_detector_id) | GuardDuty detector ID | -| [sns_topic_name](#output_sns_topic_name) | SNS topic name | -| [sns_topic_subscriptions](#output_sns_topic_subscriptions) | SNS topic subscriptions | - +| Name | Description | +|------|-------------| +| [guardduty\_detector\_arn](#output\_guardduty\_detector\_arn) | GuardDuty detector ARN | +| [guardduty\_detector\_id](#output\_guardduty\_detector\_id) | GuardDuty detector ID | +| [sns\_topic\_name](#output\_sns\_topic\_name) | SNS topic name | +| [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | SNS topic subscriptions | ## References - -- [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) -- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/common/) +* [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) +* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/common/) [](https://cpco.io/component) diff --git a/deprecated/guardduty/root/README.md b/deprecated/guardduty/root/README.md index b83d512b4..eb9b5c914 100644 --- a/deprecated/guardduty/root/README.md +++ b/deprecated/guardduty/root/README.md 
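Review bot: The References list in the second hunk switches its bullets from `-` to `*` on the `+` lines, while the feature list earlier in this same README keeps `-`; prettier normalises Markdown lists to `-` by default, so these two lines will be flipped back on the next formatting pass. Keep `-` here. In the first hunk, the Requirements section still reads "No requirements." while the Providers table lists `aws` and `awsutils` at "n/a"; adding a `required_providers` block with version constraints (the `guardduty/root` component in this same patch pins `aws >= 4.0` and `awsutils >= 0.16.0`) would make terraform-docs render the versions and stop this component from floating on whatever provider version is resolved at init.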
@@ -1,10 +1,8 @@ # Component: `guardduty/root` -This component should be used in tandem with the [guardduty/common](../common/) component. Please take a look at -[guardduty/common/README](../common/README.md) for more information about GuardDuty and deployment steps. +This component should be used in tandem with the [guardduty/common](../common/) component. Please take a look at [guardduty/common/README](../common/README.md) for more information about GuardDuty and deployment steps. -This component is responsible for delegating the AWS GuardDuty administrator accounts to the appropriate account(s). It -should be deployed to every region for the root account in the AWS Organization. +This component is responsible for delegating the AWS GuardDuty administrator accounts to the appropriate account(s). It should be deployed to every region for the root account in the AWS Organization. ## Usage 
@@ -26,79 +24,75 @@ components: ## Deployment -Please see instructions in [guardduty/common/README](../common/README.md) for information on how to deploy both -components. +Please see instructions in [guardduty/common/README](../common/README.md) for information on how to deploy both components. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [awsutils](#requirement_awsutils) | >= 0.16.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [awsutils](#requirement\_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | -| [utils](#module_utils) | cloudposse/utils/aws | 1.3.0 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [utils](#module\_utils) | cloudposse/utils/aws | 1.3.0 | ## Resources -| Name | Type | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
-------- | -| [aws_guardduty_detector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | +| Name | Type | +|------|------| +| [aws_guardduty_detector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector) | resource | | [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| 
[additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrator_account](#input_administrator_account) | The name of the account that is the GuardDuty administrator account | `string` | `null` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrator\_account](#input\_administrator\_account) | The name of the account that is the GuardDuty administrator account | `string` | `null` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs No outputs. - ## References - -- [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) -- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/root/) +* [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/) +* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/guardduty/root/) [](https://cpco.io/component) diff --git a/deprecated/iam-delegated-roles/README.md b/deprecated/iam-delegated-roles/README.md index 109abbcaa..fd40c6e8a 100644 --- a/deprecated/iam-delegated-roles/README.md +++ b/deprecated/iam-delegated-roles/README.md 
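Review bot: the References list in guardduty/root switches its bullet marker from `-` to `*` (`+* [AWS GuardDuty Documentation](https://aws.amazon.com/guardduty/)`), while other lists touched by this patch keep `-` (for example `- SAML access is globally configured via the `sso` component` in iam-primary-roles). A patch whose stated purpose is to add a formatter should leave one consistent marker across the repository; keep `-` here rather than hand-editing a single list to `*`.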
@@ -1,24 +1,15 @@ # Component: `iam-delegated-roles` -This component is responsible for provisioning all user and system IAM roles. It sets them up to be assumed from the -primary, `identity` account roles. This is expected to be used alongside and applied after [the `iam-primary-roles` -component][1] is applied to the identity account. +This component is responsible for provisioning all user and system IAM roles. It sets them up to be assumed from the primary, `identity` account roles. This is expected to be used alongside and applied after [the `iam-primary-roles` component][1] is applied to the identity account. ## Usage -**Stack Level**: Global **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Global +**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -Here's an example snippet for how to use this component. This specific usage is intended to be used as the default, and -is therefore more restrictive than you may want for development accounts, and not restrictive enough for sensitive -accounts like `audit`. You can make account-specific changes by importing this default configuration and then overriding -settings, for example by setting `enabled: false` for roles you do not want created in that account, limiting access by -setting a different value for `trusted_primary_roles`, or by changing the permissions available to that role by -overriding the `role_policy_arns` (not recommended, limit access to the role instead). +Here's an example snippet for how to use this component. This specific usage is intended to be used as the default, and is therefore more restrictive than you may want for development accounts, and not restrictive enough for sensitive accounts like `audit`. 
You can make account-specific changes by importing this default configuration and then overriding settings, for example by setting `enabled: false` for roles you do not want created in that account, limiting access by setting a different value for `trusted_primary_roles`, or by changing the permissions available to that role by overriding the `role_policy_arns` (not recommended, limit access to the role instead). -Note that when overriding, **maps are deep merged, but lists are replaced**. This means, for example, that your setting -of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to -allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the -list, too, or they will lose access. +Note that when overriding, **maps are deep merged, but lists are replaced**. This means, for example, that your setting of `trusted_primary_roles` in an override completely replaces the default, it does not add to it, so if you want to allow an extra "primary" role to have access to the role, you have to include all the default "primary" roles in the list, too, or they will lose access. ```yaml components: @@ -34,7 +25,8 @@ components: # `template` serves as the default configuration for other roles via the YAML anchor. # However, `atmos` does not support "import" of YAML anchors, so if you define a new role # in another file, you will not be able to reference this anchor. - template: &user-template # If `enabled: false`, the role will not be created in this account + template: &user-template + # If `enabled: false`, the role will not be created in this account enabled: false # `max_session_duration` set the maximum session duration (in seconds) for the IAM roles. 
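Review bot: in the first hunk, `+**Stack Level**: Global` and `+**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI` are placed on consecutive lines with no blank line between them; Markdown joins adjacent lines into one paragraph, so both still render on a single line, which defeats the purpose of the split. Separate them with a blank line, end the first with a hard break, or turn the pair into a two-item list.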
@@ -87,7 +79,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Full administration of this account" trusted_primary_roles: ["admin"] trusted_permission_sets: ["AdministratorAccess"] @@ -96,7 +88,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Role for Helm administration of this account" trusted_primary_roles: ["admin", "cicd"] # Unfortunately, we have not yet figured out acceptable limits on Helm. @@ -107,7 +99,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/AdministratorAccess" + - "arn:aws:iam::aws:policy/AdministratorAccess" role_description: "Role for Terraform administration of this account" trusted_primary_roles: ["admin", "spacelift"] # We require Terraform to be allowed to create and modify IAM roles @@ -121,8 +113,8 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/PowerUserAccess" - - "support" + - "arn:aws:iam::aws:policy/PowerUserAccess" + - "support" role_description: "Role for Power Users (read/write)" trusted_primary_roles: ["admin", "poweruser"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess"] @@ -132,7 +124,7 @@ components: <<: *user-template enabled: true role_policy_arns: - - "support" + - "support" role_description: "Role with permissions for accessing the AWS Support Service" # Terraform is too powerful a role to allow powerusers to access it trusted_primary_roles: ["admin", "support"] 
@@ -149,151 +141,150 @@ components: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - - "support" + - "arn:aws:iam::aws:policy/ReadOnlyAccess" + - "support" role_description: "Read Only access (including reading S3 and other sensitive information)" trusted_primary_roles: ["admin", "cicd", "poweruser", "reader", "spacelift"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess"] + observer: <<: *user-template enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "support" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "support" role_description: "View Only access" trusted_primary_roles: ["admin", "observer", "poweruser", "reader"] trusted_permission_sets: ["AdministratorAccess", "PowerUserAccess", "ReadOnlyAccess"] + ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | ~> 4.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | ~> 4.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | ~> 4.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------------- | ------- | -| [assume_role](#module_assume_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | -| [iam_roles](#module_iam_roles) | ../../modules/account-map/modules/iam-roles | n/a | -| [sso](#module_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| 
+| [assume\_role](#module\_assume\_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | +| [iam\_roles](#module\_iam\_roles) | ../../modules/account-map/modules/iam-roles | n/a | +| [sso](#module\_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_iam_policy.billing_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.billing_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy.aws_billing_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy.aws_billing_read_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|------|------| +| 
[aws_iam_policy.billing_admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.billing_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.aws_billing_admin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_billing_read_only_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.billing_admin_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| 
[aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [iam_primary_roles_account_name](#input_iam_primary_roles_account_name) | The name of the account where the IAM primary roles are provisioned | `string` | `"identity"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [roles](#input_roles) | A roles map to configure the accounts. |
map(object({
enabled = bool

denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [iam\_primary\_roles\_account\_name](#input\_iam\_primary\_roles\_account\_name) | The name of the account where the IAM primary roles are provisioned | `string` | `"identity"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [roles](#input\_roles) | A roles map to configure the accounts. |
map(object({
enabled = bool

denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | -| [role_long_name_policy_arn_map](#output_role_long_name_policy_arn_map) | Map of role long names to attached IAM Policy ARNs | -| [role_name_role_arn_map](#output_role_name_role_arn_map) | Map of role names to role ARNs | - +| Name | Description | +|------|-------------| +| [role\_long\_name\_policy\_arn\_map](#output\_role\_long\_name\_policy\_arn\_map) | Map of role long names to attached IAM Policy ARNs | +| [role\_name\_role\_arn\_map](#output\_role\_name\_role\_arn\_map) | Map of role names to role ARNs | ## References - -- [cloudposse/terraform-aws-components][44] - Cloud Posse's upstream component +* [cloudposse/terraform-aws-components][44] - Cloud Posse's upstream component [][45] -[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles -[2]: #requirement%5C_terraform -[3]: #requirement%5C_aws -[4]: #requirement%5C_local -[5]: #requirement%5C_template -[6]: #requirement%5C_utils -[7]: #provider%5C_aws -[8]: #module%5C_assume%5C_role -[9]: #module%5C_iam%5C_roles -[10]: #module%5C_sso -[11]: #module%5C_this -[12]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role -[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment -[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy -[16]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[20]: #input%5C_additional%5C_tag%5C_map -[21]: #input%5C_attributes -[22]: #input%5C_context -[23]: #input%5C_delimiter -[24]: #input%5C_descriptor%5C_formats -[25]: #input%5C_enabled -[26]: #input%5C_environment -[27]: #input%5C_iam%5C_primary%5C_roles%5C_account%5C_name -[28]: #input%5C_id%5C_length%5C_limit -[29]: #input%5C_import%5C_role%5C_arn -[30]: #input%5C_label%5C_key%5C_case -[31]: #input%5C_label%5C_order -[32]: #input%5C_label%5C_value%5C_case -[33]: #input%5C_labels%5C_as%5C_tags -[34]: #input%5C_name -[35]: #input%5C_namespace -[36]: #input%5C_regex%5C_replace%5C_chars -[37]: #input%5C_region -[38]: #input%5C_roles -[39]: #input%5C_stage -[40]: #input%5C_tags -[41]: #input%5C_tenant -[42]: #output%5C_role%5C_long%5C_name%5C_policy%5C_arn%5C_map -[43]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map -[44]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO -[45]: https://cpco.io/component +[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles +[2]: #requirement%5C_terraform +[3]: #requirement%5C_aws +[4]: #requirement%5C_local +[5]: #requirement%5C_template +[6]: #requirement%5C_utils +[7]: #provider%5C_aws +[8]: #module%5C_assume%5C_role +[9]: #module%5C_iam%5C_roles +[10]: #module%5C_sso +[11]: #module%5C_this +[12]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role +[14]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment +[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy +[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[20]: #input%5C_additional%5C_tag%5C_map +[21]: #input%5C_attributes +[22]: #input%5C_context +[23]: #input%5C_delimiter +[24]: #input%5C_descriptor%5C_formats +[25]: #input%5C_enabled +[26]: #input%5C_environment +[27]: #input%5C_iam%5C_primary%5C_roles%5C_account%5C_name +[28]: #input%5C_id%5C_length%5C_limit +[29]: #input%5C_import%5C_role%5C_arn +[30]: #input%5C_label%5C_key%5C_case +[31]: #input%5C_label%5C_order +[32]: #input%5C_label%5C_value%5C_case +[33]: #input%5C_labels%5C_as%5C_tags +[34]: #input%5C_name +[35]: #input%5C_namespace +[36]: #input%5C_regex%5C_replace%5C_chars +[37]: #input%5C_region +[38]: #input%5C_roles +[39]: #input%5C_stage +[40]: #input%5C_tags +[41]: #input%5C_tenant +[42]: #output%5C_role%5C_long%5C_name%5C_policy%5C_arn%5C_map +[43]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map +[44]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO +[45]: https://cpco.io/component diff --git a/deprecated/iam-primary-roles/README.md b/deprecated/iam-primary-roles/README.md index 5434716cc..f86f57c53 100644 --- a/deprecated/iam-primary-roles/README.md +++ b/deprecated/iam-primary-roles/README.md 
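Review bot: the reference-style link definitions at the end of iam-delegated-roles are re-emitted unchanged, including `[44]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO`, so the `## References` entry for the upstream component still points at a `TODO` path; replace it with the real component URL or drop the entry. Definitions `[2]` through `[43]` are also not referenced anywhere in these hunks now that the tables carry inline links such as `[terraform](#requirement\_terraform)`, and `[4]` through `[6]` name `requirement_local`, `requirement_template` and `requirement_utils`, which the Requirements table no longer lists; remove the dead definitions instead of carrying them through the reformat.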
@@ -1,47 +1,30 @@ # Component: `iam-primary-roles` -This component is responsible for provisioning all primary user and system roles into the centralized identity account. -This is expected to be use alongside [the `iam-delegated-roles` component][1] to provide fine grained role delegation -across the account hierarchy. +This component is responsible for provisioning all primary user and system roles into the centralized identity account. This is expected to be use alongside [the `iam-delegated-roles` component][1] to provide fine grained role delegation across the account hierarchy. ### Roles are Really Groups - -The roles created in the `identity` account by this module can be thought of as access control "groups": a user who is -allowed to assume one of these roles gets access to a set of roles (and corresponding permissions) across a set of -accounts. Generally, there is nothing else provisioned in the `identity` account so the roles have limited access to -resources in the `identity` account by design. +The roles created in the `identity` account by this module can be thought of as access control "groups": a user who is allowed to assume one of these roles gets access to a set of roles (and corresponding permissions) across a set of accounts. Generally, there is nothing else provisioned in the `identity` account so the roles have limited access to resources in the `identity` account by design. ### Group Privileges are Defined in Each Account by `iam-delegated-roles` - -Every account besides the `identity` account has a set of IAM roles created by the `iam-delegated-roles` component. In -that component, the account's roles are assigned privileges and access to those roles is defined in a number of ways. -One way is by listing roles created by this component as "trusted" (`trusted_primary_roles`), meaning that users who -have access to the role in the `identity` account are allowed (trusted) to assume the role configured in the target -account. 
+Every account besides the `identity` account has a set of IAM roles created by the `iam-delegated-roles` component. In that component, the account's roles are assigned privileges and access to those roles is defined in a number of ways. One way is by listing roles created by this component as "trusted" (`trusted_primary_roles`), meaning that users who have access to the role in the `identity` account are allowed (trusted) to assume the role configured in the target account. ### Role Access is Enabled by SAML and/or AWS SSO configuration - Users can again access to a role in the `identity` account through either (or both) of 2 mechanisms: #### SAML Access - -- SAML access is globally configured via the `sso` component, enabling an external SAML Identity Provider (IdP) to - control access to roles in the `identity` account. (SAML access can be separately configured for other accounts, see - the `sso` and `iam-delegated-roles` components for more on that.) +- SAML access is globally configured via the `sso` component, enabling an external SAML Identity Provider (IdP) to control access to roles in the `identity` account. (SAML access can be separately configured for other accounts, see the `sso` and `iam-delegated-roles` components for more on that.) - Individual roles are enabled for SAML access by setting `sso_login_enabled: true` in the role configuration. - Individual users are granted access to these roles by configuration in the SAML IdP. #### AWS SSO Access - -The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles in the `identity` -account. See the `aws-sso` component for details. +The `aws-sso` component can create AWS Permission Sets that allow users to assume specific roles in the `identity` account. See the `aws-sso` component for details. 
## Usage -**Stack Level**: Global **Deployment**: Must be deployed by SuperAdmin using `atmos` CLI +**Stack Level**: Global +**Deployment**: Must be deployed by SuperAdmin using `atmos` CLI -Here's an example snippet for how to use this component. The component should only be applied once, which is typically -done via the identity stack (e.g. `gbl-identity.yaml`). +Here's an example snippet for how to use this component. The component should only be applied once, which is typically done via the identity stack (e.g. `gbl-identity.yaml`). ```yaml components: @@ -85,8 +68,8 @@ components: # you can use keys in the `custom_policy_map` in `main.tf` to select policies defined in the component. # If you are using keys from the map, plans look better if you put them after the real role ARNs. role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "delegated_assume_role" role_description: "Role restricted to viewing resources in the identity account" # If `sso_login_enabled: true` then the role will be available via SAML logins. # Otherwise, it will only be accessible via `assume role`. 
@@ -114,31 +97,31 @@ components: <<: *user-template role_description: Role for our privileged CI/CD Runner role_policy_arns: - - cicd - - delegated_assume_role + - cicd + - delegated_assume_role sso_login_enabled: false trusted_primary_roles: - - admin + - admin trusted_role_arns: - - arn:aws:iam::123456789012:role/eg-uw2-auto-gh-runner + - arn:aws:iam::123456789012:role/eg-uw2-auto-gh-runner spacelift: <<: *user-template role_description: Role for Spacelift role_policy_arns: - - delegated_assume_role + - delegated_assume_role sso_login_enabled: false trusted_primary_roles: - - admin + - admin trusted_role_arns: - - arn:aws:iam::123456789012:role/eg-uw2-auto-spacelift-worker-pool-admin + - arn:aws:iam::123456789012:role/eg-uw2-auto-spacelift-worker-pool-admin security: - <<: *user-template - role_description: "Full Administrative Access to the Security accounts" - sso_login_enabled: true - denied_primary_roles: ["admin", "poweruser", "terraform"] - trusted_permission_sets: ["IdentitySecurityRoleAccess"] + <<: *user-template + role_description: "Full Administrative Access to the Security accounts" + sso_login_enabled: true + denied_primary_roles: ["admin", "poweruser", "terraform"] + trusted_permission_sets: ["IdentitySecurityRoleAccess"] delegated_roles_config: admin: 
@@ -155,20 +138,20 @@ components: <<: *user-template role_description: Role for Power Users (read/write) role_policy_arns: - - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess - - delegated_assume_role + - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess + - delegated_assume_role sso_login_enabled: true trusted_primary_roles: - - admin - - poweruser + - admin + - poweruser trusted_permission_sets: ["IdentityPoweruserRoleAccess"] # https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.20 support: <<: *user-template role_policy_arns: - - "arn:aws:iam::aws:policy/AWSSupportAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/AWSSupportAccess" + - "delegated_assume_role" role_description: "Role with permissions for accessing the AWS Support Service" sso_login_enabled: true # Terraform is too powerful a role to allow powerusers to access it @@ -179,8 +162,8 @@ components: <<: *user-template sso_login_enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/ReadOnlyAccess" + - "delegated_assume_role" role_description: "Read Only access (including reading S3 and other sensitive information)" trusted_primary_roles: ["admin", "poweruser"] trusted_permission_sets: ["IdentityReaderRoleAccess"] 
@@ -189,165 +172,165 @@ components: <<: *user-template sso_login_enabled: true role_policy_arns: - - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" - - "delegated_assume_role" + - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess" + - "delegated_assume_role" role_description: "View Only access (excludes access to most sensitive information)" - trusted_primary_roles: ["admin", "poweruser", "reader"] + trusted_primary_roles: ["admin","poweruser", "reader"] trusted_permission_sets: ["IdentityObserverRoleAccess"] + ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | ~> 4 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | ~> 4 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | ~> 4 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 4 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [assume_role](#module_assume_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | -| [iam_roles](#module_iam_roles) | ../../modules/account-map/modules/iam-roles | n/a | -| [sso](#module_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [assume\_role](#module\_assume\_role) | ../../modules/account-map/modules/iam-assume-role-policy | n/a | +| 
[iam\_roles](#module\_iam\_roles) | ../../modules/account-map/modules/iam-roles | n/a | +| [sso](#module\_sso) | cloudposse/stack-config/yaml//modules/remote-state | 0.22.2 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| [aws_iam_policy.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| Name | Type | +|------|------| +| [aws_iam_policy.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.aws_support_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.assume_role_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.delegated_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.saml_provider_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.support_access_aggregated](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.support_access_trusted_advisor](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. 
Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delegated_roles_config](#input_delegated_roles_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [primary_roles_config](#input_primary_roles_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [sso_environment_name](#input_sso_environment_name) | The name of the environment where SSO is provisioned | `string` | `"gbl"` | no | -| [sso_stage_name](#input_sso_stage_name) | The name of the stage where SSO is provisioned | `string` | `"identity"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delegated\_roles\_config](#input\_delegated\_roles\_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [primary\_roles\_config](#input\_primary\_roles\_config) | A roles map to configure the accounts. |
map(object({
denied_permission_sets = list(string)
denied_primary_roles = list(string)
denied_role_arns = list(string)
max_session_duration = number # in seconds 3600 <= max <= 43200 (12 hours)
role_description = string
role_policy_arns = list(string)
sso_login_enabled = bool
trusted_permission_sets = list(string)
trusted_primary_roles = list(string)
trusted_role_arns = list(string)
}))
| n/a | yes | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [sso\_environment\_name](#input\_sso\_environment\_name) | The name of the environment where SSO is provisioned | `string` | `"gbl"` | no | +| [sso\_stage\_name](#input\_sso\_stage\_name) | The name of the stage where SSO is provisioned | `string` | `"identity"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | -| [delegated_role_arns](#output_delegated_role_arns) | List of delegated role ARNs | -| [delegated_role_name_role_arn_map](#output_delegated_role_name_role_arn_map) | Map of delegated role names to role ARNs | -| [delegated_role_names](#output_delegated_role_names) | List of delegated role names | -| [delegated_roles_config](#output_delegated_roles_config) | Map of delegated role config with name, target arn, and description | -| [primary_roles_config](#output_primary_roles_config) | Map of role config with name, target arn, and description | -| [role_arns](#output_role_arns) | List of role ARNs | -| [role_name_role_arn_map](#output_role_name_role_arn_map) | Map of role names to role ARNs | -| [role_names](#output_role_names) | List of role names | - +| Name | Description | +|------|-------------| +| [delegated\_role\_arns](#output\_delegated\_role\_arns) | List of delegated role ARNs | +| [delegated\_role\_name\_role\_arn\_map](#output\_delegated\_role\_name\_role\_arn\_map) | Map of delegated role names to role ARNs | +| [delegated\_role\_names](#output\_delegated\_role\_names) | List of delegated role names | +| [delegated\_roles\_config](#output\_delegated\_roles\_config) | Map of delegated role config with name, target arn, and description | +| [primary\_roles\_config](#output\_primary\_roles\_config) | Map of role config with name, target arn, and description | +| [role\_arns](#output\_role\_arns) | List of role ARNs | +| 
[role\_name\_role\_arn\_map](#output\_role\_name\_role\_arn\_map) | Map of role names to role ARNs | +| [role\_names](#output\_role\_names) | List of role names | + ## References + * [cloudposse/terraform-aws-components][60] - Cloud Posse's upstream component -- [cloudposse/terraform-aws-components][60] - Cloud Posse's upstream component [][61] -[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-delegated-roles -[2]: #requirement%5C_terraform -[3]: #requirement%5C_aws -[4]: #requirement%5C_local -[5]: #requirement%5C_template -[6]: #requirement%5C_utils -[7]: #provider%5C_aws -[8]: #module%5C_account%5C_map -[9]: #module%5C_assume%5C_role -[10]: #module%5C_iam%5C_roles -[11]: #module%5C_sso -[12]: #module%5C_this -[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[14]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy -[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role -[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment -[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy -[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[20]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[21]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[22]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[23]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[24]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document -[25]: 
#input%5C_account%5C_map%5C_environment%5C_name -[26]: #input%5C_account%5C_map%5C_stage%5C_name -[27]: #input%5C_additional%5C_tag%5C_map -[28]: #input%5C_attributes -[29]: #input%5C_context -[30]: #input%5C_delegated%5C_roles%5C_config -[31]: #input%5C_delimiter -[32]: #input%5C_descriptor%5C_formats -[33]: #input%5C_enabled -[34]: #input%5C_environment -[35]: #input%5C_id%5C_length%5C_limit -[36]: #input%5C_identity%5C_account%5C_stage%5C_name -[37]: #input%5C_import%5C_role%5C_arn -[38]: #input%5C_label%5C_key%5C_case -[39]: #input%5C_label%5C_order -[40]: #input%5C_label%5C_value%5C_case -[41]: #input%5C_labels%5C_as%5C_tags -[42]: #input%5C_name -[43]: #input%5C_namespace -[44]: #input%5C_primary%5C_roles%5C_config -[45]: #input%5C_regex%5C_replace%5C_chars -[46]: #input%5C_region -[47]: #input%5C_sso%5C_environment%5C_name -[48]: #input%5C_sso%5C_stage%5C_name -[49]: #input%5C_stage -[50]: #input%5C_tags -[51]: #input%5C_tenant -[52]: #output%5C_delegated%5C_role%5C_arns -[53]: #output%5C_delegated%5C_role%5C_name%5C_role%5C_arn%5C_map -[54]: #output%5C_delegated%5C_role%5C_names -[55]: #output%5C_delegated%5C_roles%5C_config -[56]: #output%5C_primary%5C_roles%5C_config -[57]: #output%5C_role%5C_arns -[58]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map -[59]: #output%5C_role%5C_names -[60]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles -[61]: https://cpco.io/component +[1]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-delegated-roles +[2]: #requirement%5C_terraform +[3]: #requirement%5C_aws +[4]: #requirement%5C_local +[5]: #requirement%5C_template +[6]: #requirement%5C_utils +[7]: #provider%5C_aws +[8]: #module%5C_account%5C_map +[9]: #module%5C_assume%5C_role +[10]: #module%5C_iam%5C_roles +[11]: #module%5C_sso +[12]: #module%5C_this +[13]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[14]: 
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[15]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy +[16]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role +[17]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment +[18]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy +[19]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[20]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[21]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[22]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[23]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[24]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document +[25]: #input%5C_account%5C_map%5C_environment%5C_name +[26]: #input%5C_account%5C_map%5C_stage%5C_name +[27]: #input%5C_additional%5C_tag%5C_map +[28]: #input%5C_attributes +[29]: #input%5C_context +[30]: #input%5C_delegated%5C_roles%5C_config +[31]: #input%5C_delimiter +[32]: #input%5C_descriptor%5C_formats +[33]: #input%5C_enabled +[34]: #input%5C_environment +[35]: #input%5C_id%5C_length%5C_limit +[36]: #input%5C_identity%5C_account%5C_stage%5C_name +[37]: #input%5C_import%5C_role%5C_arn +[38]: #input%5C_label%5C_key%5C_case +[39]: #input%5C_label%5C_order +[40]: #input%5C_label%5C_value%5C_case +[41]: #input%5C_labels%5C_as%5C_tags +[42]: #input%5C_name +[43]: #input%5C_namespace +[44]: #input%5C_primary%5C_roles%5C_config +[45]: #input%5C_regex%5C_replace%5C_chars +[46]: #input%5C_region +[47]: #input%5C_sso%5C_environment%5C_name +[48]: 
#input%5C_sso%5C_stage%5C_name +[49]: #input%5C_stage +[50]: #input%5C_tags +[51]: #input%5C_tenant +[52]: #output%5C_delegated%5C_role%5C_arns +[53]: #output%5C_delegated%5C_role%5C_name%5C_role%5C_arn%5C_map +[54]: #output%5C_delegated%5C_role%5C_names +[55]: #output%5C_delegated%5C_roles%5C_config +[56]: #output%5C_primary%5C_roles%5C_config +[57]: #output%5C_role%5C_arns +[58]: #output%5C_role%5C_name%5C_role%5C_arn%5C_map +[59]: #output%5C_role%5C_names +[60]: https://github.com/cloudposse/terraform-aws-components/tree/master/modules/iam-primary-roles +[61]: https://cpco.io/component diff --git a/deprecated/securityhub/securityhub/common/README.md b/deprecated/securityhub/securityhub/common/README.md index e53c8ed53..21e1e3761 100644 --- a/deprecated/securityhub/securityhub/common/README.md +++ b/deprecated/securityhub/securityhub/common/README.md 
@@ -1,48 +1,28 @@ # Component: `securityhub/common` -This component is responsible for configuring Security Hub and it should be used in tandem with the -[securityhub/root](../root) component. +This component is responsible for configuring Security Hub and it should be used in tandem with the [securityhub/root](../root) component. -Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and -resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and -integrated partner solutions. +Amazon Security Hub enables users to centrally manage and monitor the security and compliance of their AWS accounts and resources. It aggregates, organizes, and prioritizes security findings from various AWS services, third-party tools, and integrated partner solutions. Here are the key features and capabilities of Amazon Security Hub: -- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage - security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture - across the entire AWS environment. +- Centralized security management: Security Hub provides a centralized dashboard where users can view and manage security findings from multiple AWS accounts and regions. This allows for a unified view of the security posture across the entire AWS environment. -- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, - configurations, and security best practices. It leverages industry standards and compliance frameworks, such as AWS - CIS Foundations Benchmark, to identify potential security issues. +- Automated security checks: Security Hub automatically performs continuous security checks on AWS resources, configurations, and security best practices. 
It leverages industry standards and compliance frameworks, such as AWS CIS Foundations Benchmark, to identify potential security issues. -- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party - security products and solutions. This integration enables the ingestion and analysis of security findings from diverse - sources, offering a comprehensive security view. +- Integrated partner solutions: Security Hub integrates with a wide range of AWS native services, as well as third-party security products and solutions. This integration enables the ingestion and analysis of security findings from diverse sources, offering a comprehensive security view. -- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory - frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on - remediation actions to ensure adherence to security best practices. +- Security standards and compliance: Security Hub provides compliance checks against industry standards and regulatory frameworks, such as PCI DSS, HIPAA, and GDPR. It identifies non-compliant resources and provides guidance on remediation actions to ensure adherence to security best practices. -- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling - users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security - alerts, allowing for efficient threat response and remediation. +- Prioritized security findings: Security Hub analyzes and prioritizes security findings based on severity, enabling users to focus on the most critical issues. It assigns severity levels and generates a consolidated view of security alerts, allowing for efficient threat response and remediation. 
-- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules - and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation - capabilities to identify related security findings and potential attack patterns. +- Custom insights and event aggregation: Security Hub supports custom insights, allowing users to create their own rules and filters to focus on specific security criteria or requirements. It also provides event aggregation and correlation capabilities to identify related security findings and potential attack patterns. -- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS - CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced - visibility, automated remediation, and streamlined security operations. +- Integration with other AWS services: Security Hub seamlessly integrates with other AWS services, such as AWS CloudTrail, Amazon GuardDuty, AWS Config, and AWS IAM Access Analyzer. This integration allows for enhanced visibility, automated remediation, and streamlined security operations. -- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to - receive real-time notifications of security findings. It also facilitates automation and response through integration - with AWS Lambda, allowing for automated remediation actions. +- Alert notifications and automation: Security Hub supports alert notifications through Amazon SNS, enabling users to receive real-time notifications of security findings. It also facilitates automation and response through integration with AWS Lambda, allowing for automated remediation actions. 
-By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, -and effectively manage security compliance across their AWS accounts and resources. +By utilizing Amazon Security Hub, organizations can improve their security posture, gain insights into security risks, and effectively manage security compliance across their AWS accounts and resources. ## Usage 
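Review bot: every changed line in this hunk differs only by line wrapping (the old ~120-column wrapped paragraphs and bullets are joined into single long lines), so the rendered README text is unchanged; please confirm with a whitespace-insensitive diff (`git diff -w` on this file) so that a wording change does not slip in under the reflow noise. Note also that this file sits under `deprecated/securityhub/`, while the commit subject is "added prettier" and the file list is otherwise `modules/*`; if deprecated components are not meant to be maintained, consider listing `deprecated/` in `.prettierignore` so formatting churn does not keep touching them.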
@@ -112,92 +92,89 @@ done ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [awsutils](#requirement_awsutils) | >= 0.16.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [awsutils](#requirement\_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -| --------------------------------------------------------------- | --------- | -| [aws](#provider_aws) | >= 4.0 | -| [awsutils](#provider_awsutils) | >= 0.16.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | +| [awsutils](#provider\_awsutils) | >= 0.16.0 | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [security_hub](#module_security_hub) | cloudposse/security-hub/aws | 0.10.0 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [security\_hub](#module\_security\_hub) | cloudposse/security-hub/aws | 0.10.0 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| 
[aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | -| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [awsutils_security_hub_organization_settings.this](https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs/resources/security_hub_organization_settings) | resource | -| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +|------|------| +| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | +| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | +| [awsutils_security_hub_organization_settings.this](https://registry.terraform.io/providers/cloudposse/awsutils/latest/docs/resources/security_hub_organization_settings) | resource | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| 
--------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [admin_delegated](#input_admin_delegated) | A flag to indicate if the Security Hub Admininstrator account has been designated from the root account.

This component should be applied with this variable set to `false`, then the securityhub/root component should be applied
to designate the administrator account, then this component should be applied again with this variable set to `true`. | `bool` | `false` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [central_resource_collector_account](#input_central_resource_collector_account) | The name of the account that is the centralized aggregation account | `string` | n/a | yes | -| [central_resource_collector_region](#input_central_resource_collector_region) | The region that collects findings | `string` | n/a | yes | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [create_sns_topic](#input_create_sns_topic) | Flag to indicate whether an SNS topic should be created for notifications | `bool` | `false` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enable_default_standards](#input_enable_default_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled_standards](#input_enabled_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [finding_aggregator_enabled](#input_finding_aggregator_enabled) | Flag to indicate whether a finding aggregator should be created

If you want to aggregate findings from one region, set this to `true`.

For more information, see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_finding_aggregator | `bool` | `false` | no | -| [finding_aggregator_linking_mode](#input_finding_aggregator_linking_mode) | Linking mode to use for the finding aggregator.

The possible values are:
- `ALL_REGIONS` - Aggregate from all regions
- `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions`
- `SPECIFIED_REGIONS` - Aggregate from regions specified in `var.finding_aggregator_regions` | `string` | `"ALL_REGIONS"` | no | -| [finding_aggregator_regions](#input_finding_aggregator_regions) | A list of regions to aggregate findings from.

This is only used if `finding_aggregator_enabled` is `true`. | `any` | `null` | no | -| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [admin\_delegated](#input\_admin\_delegated) | A flag to indicate if the Security Hub Admininstrator account has been designated from the root account.

This component should be applied with this variable set to `false`, then the securityhub/root component should be applied
to designate the administrator account, then this component should be applied again with this variable set to `true`. | `bool` | `false` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [central\_resource\_collector\_account](#input\_central\_resource\_collector\_account) | The name of the account that is the centralized aggregation account | `string` | n/a | yes | +| [central\_resource\_collector\_region](#input\_central\_resource\_collector\_region) | The region that collects findings | `string` | n/a | yes | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [create\_sns\_topic](#input\_create\_sns\_topic) | Flag to indicate whether an SNS topic should be created for notifications | `bool` | `false` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enable\_default\_standards](#input\_enable\_default\_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled\_standards](#input\_enabled\_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [finding\_aggregator\_enabled](#input\_finding\_aggregator\_enabled) | Flag to indicate whether a finding aggregator should be created

If you want to aggregate findings from one region, set this to `true`.

For more information, see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_finding_aggregator | `bool` | `false` | no | +| [finding\_aggregator\_linking\_mode](#input\_finding\_aggregator\_linking\_mode) | Linking mode to use for the finding aggregator.

The possible values are:
- `ALL_REGIONS` - Aggregate from all regions
- `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions`
- `SPECIFIED_REGIONS` - Aggregate from regions specified in `var.finding_aggregator_regions` | `string` | `"ALL_REGIONS"` | no | +| [finding\_aggregator\_regions](#input\_finding\_aggregator\_regions) | A list of regions to aggregate findings from.

This is only used if `finding_aggregator_enabled` is `true`. | `any` | `null` | no | +| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | -| [enabled_subscriptions](#output_enabled_subscriptions) | A list of subscriptions that have been enabled | -| [sns_topic_name](#output_sns_topic_name) | The SNS topic name that was created | -| [sns_topic_subscriptions](#output_sns_topic_subscriptions) | The SNS topic subscriptions | - +| Name | Description | +|------|-------------| +| [enabled\_subscriptions](#output\_enabled\_subscriptions) | A list of subscriptions that have been enabled | +| [sns\_topic\_name](#output\_sns\_topic\_name) | The SNS topic name that was created | +| [sns\_topic\_subscriptions](#output\_sns\_topic\_subscriptions) | The SNS topic subscriptions | ## References - -- [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) -- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/common/) +* [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) +* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/common/) [](https://cpco.io/component) diff --git a/deprecated/securityhub/securityhub/root/README.md b/deprecated/securityhub/securityhub/root/README.md index c0c74f1f1..371a8a756 100644 --- a/deprecated/securityhub/securityhub/root/README.md +++ b/deprecated/securityhub/securityhub/root/README.md 
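Review bot: The `finding_aggregator_enabled` description in this hunk ("If you want to aggregate findings from one region, set this to `true`") reads as if the aggregator pulls findings out of a single region, whereas the resource aggregates findings from the linked regions (per `finding_aggregator_linking_mode`) into the region it is created in; "into one region" is the intended wording. The same table carries "Set to `null` for keep the existing setting" under `id_length_limit`. Both strings are terraform-docs output copied from variable descriptions, so correct them in `variables.tf` (and upstream `null-label` for the second) rather than in the README, or the next docs regeneration will reintroduce them.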
@@ -1,10 +1,8 @@ # Component: `securityhub/root` -This component should be used in tandem with the [securityhub/common](../common/) component. Please take a look at -[securityhub/common/README](../common/README.md) for more information about Security Hub and deployment steps. +This component should be used in tandem with the [securityhub/common](../common/) component. Please take a look at [securityhub/common/README](../common/README.md) for more information about Security Hub and deployment steps. -This component is responsible for delegating the AWS Security Hub administrator accounts to the appropriate account(s). -It should be deployed to every region for the root account in the AWS Organization. +This component is responsible for delegating the AWS Security Hub administrator accounts to the appropriate account(s). It should be deployed to every region for the root account in the AWS Organization. ## Usage @@ -17,7 +15,7 @@ components: terraform: securityhub/root: metadata: - component: securityhub/root + component: securityhub/root vars: enabled: true account_map_tenant: core 
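Review bot: The `- component: securityhub/root` / `+ component: securityhub/root` pair in the `@@ -17,7 +15,7 @@` hunk shows no visible character difference, so it is a whitespace-only change; confirm it is trailing whitespace and not an indentation change, because shifting that key in the YAML example would move `component` out of the `metadata` block and the example would no longer describe a valid stack config. Separately, the first hunk joins the 120-column wrapped paragraphs into single long lines, which is the opposite of what a prettier `proseWrap: always` run produces; if the intended `.prettierrc` uses `proseWrap: never` or `preserve`, state that in the PR description so reviewers know the unwrapping is deliberate.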
@@ -32,79 +30,76 @@ components: Please see instructions in [securityhub/README](../common/README.md) for information on how to deploy both components. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | -| [awsutils](#requirement_awsutils) | >= 0.16.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | +| [awsutils](#requirement\_awsutils) | >= 0.16.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.2 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | -| 
[aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | -| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | -| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +|------|------| +| [aws_securityhub_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource | +| [aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | +| [aws_securityhub_standards_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource | +| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrator_account](#input_administrator_account) | The name of the account that is the Security Hub administrator account | `string` | `null` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enable_default_standards](#input_enable_default_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [enabled_standards](#input_enabled_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [privileged](#input_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_tenant](#input\_account\_map\_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | `""` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrator\_account](#input\_administrator\_account) | The name of the account that is the Security Hub administrator account | `string` | `null` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enable\_default\_standards](#input\_enable\_default\_standards) | Flag to indicate whether default standards should be enabled | `bool` | `true` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [enabled\_standards](#input\_enabled\_standards) | A list of standards to enable in the account.

For example:
- standards/aws-foundational-security-best-practices/v/1.0.0
- ruleset/cis-aws-foundations-benchmark/v/1.2.0
- standards/pci-dss/v/3.2.1
- standards/cis-aws-foundations-benchmark/v/1.4.0 | `set(string)` | `[]` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global\_environment](#input\_global\_environment) | Global environment name | `string` | `"gbl"` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [privileged](#input\_privileged) | True if the default provider already has access to the backend | `bool` | `false` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [root\_account\_stage](#input\_root\_account\_stage) | The stage name for the Organization root (management) account | `string` | `"root"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs No outputs. - ## References - -- [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) -- [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/root/) +* [AWS Security Hub Documentation](https://aws.amazon.com/security-hub/) +* [Cloud Posse's upstream component](https://github.com/cloudposse/terraform-aws-components/tree/main/modules/securityhub/root/) [](https://cpco.io/component) diff --git a/deprecated/spacelift-policy/README.md b/deprecated/spacelift-policy/README.md index 98adcb65d..2a94f1114 100644 --- a/deprecated/spacelift-policy/README.md +++ b/deprecated/spacelift-policy/README.md @@ -6,8 +6,7 @@ This component is responsible for provisioning Spacelift policies. **Stack Level**: Global -NOTE: The input `labels` will be applied to every policy. To overwrite (not append) the `labels` key can be used per -policy as well. +NOTE: The input `labels` will be applied to every policy. To overwrite (not append) the `labels` key can be used per policy as well. ```yaml components: @@ -38,7 +37,7 @@ components: - folder:admin vars: labels: - - "autoattach:folder:admin" + - 'autoattach:folder:admin' policy_version: 0.52.0 policies: global-admin-git-push-policy: @@ -64,7 +63,7 @@ components: - spacelift-policy/defaults vars: labels: - - "autoattach:folder:non-admin" + - 'autoattach:folder:non-admin' policy_version: 0.52.0 policies: git-push-proposed-run-policy: 
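Review bot: The `@@ -32,79 +30,76 @@` table hunk reverts prettier's output for the generated sections: column-aligned separators and plain `_` anchors become terraform-docs' compact `|------|` separators and `\_`-escaped anchors, and the `-` reference bullets become `*`. Since this PR is titled "added prettier", the two tools will keep rewriting each other's output on every run unless the terraform-docs-managed block (Requirements through References) is fenced with `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` the way the upstream Cloud Posse READMEs do; add those markers here rather than committing the flip-flop. The `"autoattach:folder:admin"` to `'autoattach:folder:admin'` quote changes in the spacelift-policy YAML are value-preserving and consistent with a `singleQuote: true` setting, so no action there.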
@@ -86,74 +85,71 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 1.3 | -| [http](#requirement_http) | >= 3.0 | -| [spacelift](#requirement_spacelift) | >= 0.1.31 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [http](#requirement\_http) | >= 3.0 | +| [spacelift](#requirement\_spacelift) | >= 0.1.31 | ## Providers -| Name | Version | -| ------------------------------------------------------------------ | --------- | -| [http](#provider_http) | >= 3.0 | -| [spacelift](#provider_spacelift) | >= 0.1.31 | +| Name | Version | +|------|---------| +| [http](#provider\_http) | >= 3.0 | +| [spacelift](#provider\_spacelift) | >= 0.1.31 | ## Modules -| Name | Source | Version | -| ----------------------------------------------- | --------------------- | ------- | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ----------------------------------------------------------------------------------------------------------------------- | ----------- | -| [spacelift_policy.default](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/policy) | resource | -| [http_http.default](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | +| Name | Type | +|------|------| +| [spacelift_policy.default](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/policy) | resource | +| [http_http.default](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| 
------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels](#input_labels) | List of global labels to add to each policy. These values can be overridden in `var.policies`'s per policy `labels` key. | `list(string)` | `[]` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [policies](#input_policies) | The map of required policies to add. | `any` | n/a | yes | -| [policy_version](#input_policy_version) | The optional global policy version injected using a %s in each `body_url`. This can be pinned to a version tag or a branch. | `string` | `"master"` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [space_id](#input_space_id) | The global `space_id` to assign to each policy. This value can be overridden in `var.policies`'s per policy `space_id` key. | `string` | `"root"` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels](#input\_labels) | List of global labels to add to each policy. These values can be overridden in `var.policies`'s per policy `labels` key. | `list(string)` | `[]` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [policies](#input\_policies) | The map of required policies to add. | `any` | n/a | yes | +| [policy\_version](#input\_policy\_version) | The optional global policy version injected using a %s in each `body_url`. This can be pinned to a version tag or a branch. | `string` | `"master"` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [space\_id](#input\_space\_id) | The global `space_id` to assign to each policy. This value can be overridden in `var.policies`'s per policy `space_id` key. | `string` | `"root"` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------- | ----------------------- | -| [policies](#output_policies) | All calculated policies | - +| Name | Description | +|------|-------------| +| [policies](#output\_policies) | All calculated policies | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-policy) - - Cloud Posse's upstream component +* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-policy) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/spacelift-worker-pool/README.md b/deprecated/spacelift-worker-pool/README.md index 0c52fb14f..2fa8022a0 100644 --- a/deprecated/spacelift-worker-pool/README.md +++ b/deprecated/spacelift-worker-pool/README.md 
@@ -2,16 +2,19 @@ This component is responsible for provisioning Spacelift worker pools. -By default, workers are given pull access to the configured ECR, permission to assume the `spacelift` team role in the -identity account (although you must also configure the `spacelift` team in the identity account to allow the workers to -assume the role via `trusted_role_arns`), and have the following AWS managed IAM policies attached: +By default, workers are given pull access to the configured ECR, +permission to assume the `spacelift` team role in the identity account +(although you must also configure the `spacelift` team in the identity +account to allow the workers to assume the role via `trusted_role_arns`), +and have the following AWS managed IAM policies attached: -- AmazonSSMManagedInstanceCore -- AutoScalingReadOnlyAccess -- AWSXRayDaemonWriteAccess -- CloudWatchAgentServerPolicy +* AmazonSSMManagedInstanceCore +* AutoScalingReadOnlyAccess +* AWSXRayDaemonWriteAccess +* CloudWatchAgentServerPolicy -Among other things, this allows workers with SSM agent installed to be accessed via SSM Session Manager. +Among other things, this allows workers with SSM agent installed to +be accessed via SSM Session Manager. ```bash aws ssm start-session --target 
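Review bot: this hunk re-wraps the intro paragraph at roughly 80 columns and changes the managed-policy bullets from `- ` to `* `, while the next hunk in the same file (`@@ -43,25 +46,20 @@`) does the opposite and joins wrapped lines into single long lines; pick one convention for the file, and since the PR introduces a prettier hook it should be whatever that hook emits (prettier's default list marker is `-`). While here, the sentence "Among other things, this allows workers with SSM agent installed to be accessed via SSM Session Manager" would be clearer if it named `AmazonSSMManagedInstanceCore` as the policy that grants that access.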
@@ -43,25 +46,20 @@ components: ### Docker Image on ECR -Build and tag a Docker image for this repository and push to ECR. Ensure the account where this component is deployed -has read-only access to the ECR repository. +Build and tag a Docker image for this repository and push to ECR. Ensure the account where this component is deployed has read-only access to the ECR repository. ### API Key Prior to deployment, the API key must exist in SSM. The key must have admin permissions. -To generate the key, please follow -[these instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the -API key ID and secret to the SSM key store at the following locations within the same AWS account and region where the -Spacelift worker pool will reside. +To generate the key, please follow [these instructions](https://docs.spacelift.io/integrations/api.html#spacelift-api-key-token). Once generated, write the API key ID and secret to the SSM key store at the following locations within the same AWS account and region where the Spacelift worker pool will reside. -| Key | SSM Path | Type | -| ------- | ----------------------- | -------------- | -| API ID | `/spacelift/key_id` | `SecureString` | -| API Key | `/spacelift/key_secret` | `SecureString` | +| Key | SSM Path | Type | +| -------- | ----------------------- | -------------- | +| API ID | `/spacelift/key_id` | `SecureString` | +| API Key | `/spacelift/key_secret` | `SecureString` | -_HINT_: The API key ID is displayed as an upper-case, 16-character alphanumeric value next to the key name in the API -key list. +_HINT_: The API key ID is displayed as an upper-case, 16-character alphanumeric value next to the key name in the API key list. Save the keys using `chamber` using the correct profile for where spacelift worker pool is provisioned 
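Review bot: the API Key section says the key must have admin permissions and tells the reader to store it as a `SecureString`, but it does not mention that the component reads both parameters back through `aws_ssm_parameter` data sources (`spacelift_key_id` and `spacelift_key_secret` in the Resources table below), so the decrypted admin key ID and secret are written into this component's Terraform state; add a sentence saying the state backend must be treated as holding a Spacelift admin credential and restricted accordingly. The table rows themselves are fine, but the `chamber write` example that follows should not show a real-looking secret value inline.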
@@ -72,155 +70,151 @@ AWS_PROFILE=acme-gbl-auto-admin chamber write spacelift key_secret abcdefghijklm ### IAM configuration -After provisioning the component, you must give the created instance role permission to assume the Spacelift worker -role. This is done by adding `iam_role_arn` from the output to the `trusted_role_arns` list for the `spacelift` role in -`aws-teams`. +After provisioning the component, you must give the created instance role permission +to assume the Spacelift worker role. This is done by adding `iam_role_arn` from +the output to the `trusted_role_arns` list for the `spacelift` role in `aws-teams`. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.9.0 | -| [cloudinit](#requirement_cloudinit) | >= 2.2.0 | -| [spacelift](#requirement_spacelift) | >= 0.1.2 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.9.0 | +| [cloudinit](#requirement\_cloudinit) | >= 2.2.0 | +| [spacelift](#requirement\_spacelift) | >= 0.1.2 | ## Providers -| Name | Version | -| ------------------------------------------------------------------ | -------- | -| [aws](#provider_aws) | >= 4.9.0 | -| [cloudinit](#provider_cloudinit) | >= 2.2.0 | -| [spacelift](#provider_spacelift) | >= 0.1.2 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.9.0 | +| [cloudinit](#provider\_cloudinit) | >= 2.2.0 | +| [spacelift](#provider\_spacelift) | >= 0.1.2 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------------- | -------------------------------------------------- | --------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [autoscale_group](#module_autoscale_group) | cloudposse/ec2-autoscale-group/aws | 
0.34.1 | -| [ecr](#module_ecr) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam_label](#module_iam_label) | cloudposse/label/null | 0.25.0 | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [security_group](#module_security_group) | cloudposse/security-group/aws | 2.0.0-rc1 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [autoscale\_group](#module\_autoscale\_group) | cloudposse/ec2-autoscale-group/aws | 0.34.1 | +| [ecr](#module\_ecr) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam\_label](#module\_iam\_label) | cloudposse/label/null | 0.25.0 | +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [security\_group](#module\_security\_group) | cloudposse/security-group/aws | 2.0.0-rc1 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | -| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [spacelift_worker_pool.primary](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/worker_pool) | resource | -| 
[aws_ami.spacelift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| Name | Type | +|------|------| +| [aws_iam_instance_profile.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [spacelift_worker_pool.primary](https://registry.terraform.io/providers/spacelift-io/spacelift/latest/docs/resources/worker_pool) | resource | +| [aws_ami.spacelift](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | -| [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | -| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | +| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data 
source | +| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws_config_file](#input_aws_config_file) | The AWS_CONFIG_FILE used by the worker. Can be overridden by `/.spacelift/config.yml`. | `string` | `"/etc/aws-config/aws-config-spacelift"` | no | -| [aws_profile](#input_aws_profile) | The AWS_PROFILE used by the worker. If not specified, `"${var.namespace}-identity"` will be used.
Can be overridden by `/.spacelift/config.yml`. | `string` | `null` | no | -| [block_device_mappings](#input_block_device_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI |
list(object({
device_name = string
no_device = bool
virtual_name = string
ebs = object({
delete_on_termination = bool
encrypted = bool
iops = number
kms_key_id = string
snapshot_id = string
volume_size = number
volume_type = string
})
}))
| `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [cpu_utilization_high_threshold_percent](#input_cpu_utilization_high_threshold_percent) | CPU utilization high threshold | `number` | n/a | yes | -| [cpu_utilization_low_threshold_percent](#input_cpu_utilization_low_threshold_percent) | CPU utilization low threshold | `number` | n/a | yes | -| [custom_spacelift_ami](#input_custom_spacelift_ami) | Custom spacelift AMI | `bool` | `false` | no | -| [default_cooldown](#input_default_cooldown) | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start | `number` | `300` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [desired_capacity](#input_desired_capacity) | The number of Amazon EC2 instances that should be running in the group, if not set will use `min_size` as value | `number` | `null` | no | -| [ebs_optimized](#input_ebs_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `false` | no | -| [ecr_environment_name](#input_ecr_environment_name) | The name of the environment where `ecr` is provisioned | `string` | `""` | no | -| [ecr_region](#input_ecr_region) | AWS region that contains the ECR infrastructure repo | `string` | `""` | no | -| [ecr_repo_name](#input_ecr_repo_name) | ECR repository name | `string` | n/a | yes | -| [ecr_stage_name](#input_ecr_stage_name) | The name of the stage where `ecr` is provisioned | `string` | `"artifacts"` | no | -| [ecr_tenant_name](#input_ecr_tenant_name) | The name of the tenant where `ecr` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [github_netrc_enabled](#input_github_netrc_enabled) | Whether to create a GitHub .netrc file so Spacelift can clone private GitHub repositories. | `bool` | `false` | no | -| [github_netrc_ssm_path_token](#input_github_netrc_ssm_path_token) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub token. | `string` | `"/github/token"` | no | -| [github_netrc_ssm_path_user](#input_github_netrc_ssm_path_user) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub user | `string` | `"/github/user"` | no | -| [health_check_grace_period](#input_health_check_grace_period) | Time (in seconds) after instance comes into service before checking health | `number` | `300` | no | -| [health_check_type](#input_health_check_type) | Controls how health checking is done. Valid values are `EC2` or `ELB` | `string` | `"EC2"` | no | -| [iam_attributes](#input_iam_attributes) | Additional attributes to add to the IDs of the IAM role and policy | `list(string)` | `[]` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [infracost_api_token_ssm_path](#input_infracost_api_token_ssm_path) | This is the SSM path to retrieve and set the INFRACOST_API_TOKEN environment variable | `string` | `"/infracost/token"` | no | -| [infracost_cli_args](#input_infracost_cli_args) | These are the CLI args passed to infracost | `string` | `""` | no | -| [infracost_enabled](#input_infracost_enabled) | Whether to enable infracost for Spacelift stacks | `bool` | `false` | no | -| [infracost_warn_on_failure](#input_infracost_warn_on_failure) | A failure executing Infracost, or a non-zero exit code being returned from the command will cause runs to fail. If this is true, this will only warn instead of failing the stack. | `bool` | `true` | no | -| [instance_refresh](#input_instance_refresh) | The instance refresh definition. If this block is configured, an Instance Refresh will be started when the Auto Scaling Group is updated |
object({
strategy = string
preferences = object({
instance_warmup = number
min_healthy_percentage = number
})
triggers = list(string)
})
| `null` | no | -| [instance_type](#input_instance_type) | EC2 instance type to use for workers | `string` | `"r5n.large"` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [max_size](#input_max_size) | The maximum size of the autoscale group | `number` | n/a | yes | -| [min_size](#input_min_size) | The minimum size of the autoscale group | `number` | n/a | yes | -| [mixed_instances_policy](#input_mixed_instances_policy) | Policy to use a mixed group of on-demand/spot of different types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [scale_down_cooldown_seconds](#input_scale_down_cooldown_seconds) | The amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start | `number` | `300` | no | -| [spacelift_agents_per_node](#input_spacelift_agents_per_node) | Number of Spacelift agents to run on one worker node | `number` | `1` | no | -| [spacelift_ami_id](#input_spacelift_ami_id) | AMI ID of Spacelift worker pool image | `string` | `null` | no | -| [spacelift_api_endpoint](#input_spacelift_api_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | -| [spacelift_aws_account_id](#input_spacelift_aws_account_id) | AWS Account ID owned by Spacelift | `string` | `"643313122712"` | no | -| [spacelift_domain_name](#input_spacelift_domain_name) | Top-level domain name to use for pulling the launcher binary | `string` | `"spacelift.io"` | no | -| [spacelift_runner_image](#input_spacelift_runner_image) | URL of ECR image to use for Spacelift | `string` | `""` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [termination_policies](#input_termination_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"OldestLaunchConfiguration"
]
| no | -| [wait_for_capacity_timeout](#input_wait_for_capacity_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws\_config\_file](#input\_aws\_config\_file) | The AWS\_CONFIG\_FILE used by the worker. Can be overridden by `/.spacelift/config.yml`. | `string` | `"/etc/aws-config/aws-config-spacelift"` | no | +| [aws\_profile](#input\_aws\_profile) | The AWS\_PROFILE used by the worker. If not specified, `"${var.namespace}-identity"` will be used.
Can be overridden by `/.spacelift/config.yml`. | `string` | `null` | no | +| [block\_device\_mappings](#input\_block\_device\_mappings) | Specify volumes to attach to the instance besides the volumes specified by the AMI |
list(object({
device_name = string
no_device = bool
virtual_name = string
ebs = object({
delete_on_termination = bool
encrypted = bool
iops = number
kms_key_id = string
snapshot_id = string
volume_size = number
volume_type = string
})
}))
| `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [cpu\_utilization\_high\_threshold\_percent](#input\_cpu\_utilization\_high\_threshold\_percent) | CPU utilization high threshold | `number` | n/a | yes | +| [cpu\_utilization\_low\_threshold\_percent](#input\_cpu\_utilization\_low\_threshold\_percent) | CPU utilization low threshold | `number` | n/a | yes | +| [custom\_spacelift\_ami](#input\_custom\_spacelift\_ami) | Custom spacelift AMI | `bool` | `false` | no | +| [default\_cooldown](#input\_default\_cooldown) | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start | `number` | `300` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [desired\_capacity](#input\_desired\_capacity) | The number of Amazon EC2 instances that should be running in the group, if not set will use `min_size` as value | `number` | `null` | no | +| [ebs\_optimized](#input\_ebs\_optimized) | If true, the launched EC2 instance will be EBS-optimized | `bool` | `false` | no | +| [ecr\_environment\_name](#input\_ecr\_environment\_name) | The name of the environment where `ecr` is provisioned | `string` | `""` | no | +| [ecr\_region](#input\_ecr\_region) | AWS region that contains the ECR infrastructure repo | `string` | `""` | no | +| [ecr\_repo\_name](#input\_ecr\_repo\_name) | ECR repository name | `string` | n/a | yes | +| [ecr\_stage\_name](#input\_ecr\_stage\_name) | The name of the stage where `ecr` is provisioned | `string` | `"artifacts"` | no | +| [ecr\_tenant\_name](#input\_ecr\_tenant\_name) | The name of the tenant where `ecr` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [github\_netrc\_enabled](#input\_github\_netrc\_enabled) | Whether to create a GitHub .netrc file so Spacelift can clone private GitHub repositories. | `bool` | `false` | no | +| [github\_netrc\_ssm\_path\_token](#input\_github\_netrc\_ssm\_path\_token) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub token. | `string` | `"/github/token"` | no | +| [github\_netrc\_ssm\_path\_user](#input\_github\_netrc\_ssm\_path\_user) | If `github_netrc` is enabled, this is the SSM path to retrieve the GitHub user | `string` | `"/github/user"` | no | +| [health\_check\_grace\_period](#input\_health\_check\_grace\_period) | Time (in seconds) after instance comes into service before checking health | `number` | `300` | no | +| [health\_check\_type](#input\_health\_check\_type) | Controls how health checking is done. Valid values are `EC2` or `ELB` | `string` | `"EC2"` | no | +| [iam\_attributes](#input\_iam\_attributes) | Additional attributes to add to the IDs of the IAM role and policy | `list(string)` | `[]` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [infracost\_api\_token\_ssm\_path](#input\_infracost\_api\_token\_ssm\_path) | This is the SSM path to retrieve and set the INFRACOST\_API\_TOKEN environment variable | `string` | `"/infracost/token"` | no | +| [infracost\_cli\_args](#input\_infracost\_cli\_args) | These are the CLI args passed to infracost | `string` | `""` | no | +| [infracost\_enabled](#input\_infracost\_enabled) | Whether to enable infracost for Spacelift stacks | `bool` | `false` | no | +| [infracost\_warn\_on\_failure](#input\_infracost\_warn\_on\_failure) | A failure executing Infracost, or a non-zero exit code being returned from the command will cause runs to fail. If this is true, this will only warn instead of failing the stack. | `bool` | `true` | no | +| [instance\_refresh](#input\_instance\_refresh) | The instance refresh definition. If this block is configured, an Instance Refresh will be started when the Auto Scaling Group is updated |
object({
strategy = string
preferences = object({
instance_warmup = number
min_healthy_percentage = number
})
triggers = list(string)
})
| `null` | no | +| [instance\_type](#input\_instance\_type) | EC2 instance type to use for workers | `string` | `"r5n.large"` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [max\_size](#input\_max\_size) | The maximum size of the autoscale group | `number` | n/a | yes | +| [min\_size](#input\_min\_size) | The minimum size of the autoscale group | `number` | n/a | yes | +| [mixed\_instances\_policy](#input\_mixed\_instances\_policy) | Policy to use a mixed group of on-demand/spot of different types. Launch template is automatically generated. https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#mixed_instances_policy-1 |
object({
instances_distribution = object({
on_demand_allocation_strategy = string
on_demand_base_capacity = number
on_demand_percentage_above_base_capacity = number
spot_allocation_strategy = string
spot_instance_pools = number
spot_max_price = string
})
override = list(object({
instance_type = string
weighted_capacity = number
}))
})
| `null` | no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [scale\_down\_cooldown\_seconds](#input\_scale\_down\_cooldown\_seconds) | The amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start | `number` | `300` | no | +| [spacelift\_agents\_per\_node](#input\_spacelift\_agents\_per\_node) | Number of Spacelift agents to run on one worker node | `number` | `1` | no | +| [spacelift\_ami\_id](#input\_spacelift\_ami\_id) | AMI ID of Spacelift worker pool image | `string` | `null` | no | +| [spacelift\_api\_endpoint](#input\_spacelift\_api\_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | +| [spacelift\_aws\_account\_id](#input\_spacelift\_aws\_account\_id) | AWS Account ID owned by Spacelift | `string` | `"643313122712"` | no | +| [spacelift\_domain\_name](#input\_spacelift\_domain\_name) | Top-level domain name to use for pulling the launcher binary | `string` | `"spacelift.io"` | no | +| [spacelift\_runner\_image](#input\_spacelift\_runner\_image) | URL of ECR image to use for Spacelift | `string` | `""` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [termination\_policies](#input\_termination\_policies) | A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `Default` | `list(string)` |
[
"OldestLaunchConfiguration"
]
| no | +| [wait\_for\_capacity\_timeout](#input\_wait\_for\_capacity\_timeout) | A maximum duration that Terraform should wait for ASG instances to be healthy before timing out. (See also Waiting for Capacity below.) Setting this to '0' causes Terraform to skip all Capacity Waiting behavior | `string` | n/a | yes | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------- | -| [autoscaling_group_arn](#output_autoscaling_group_arn) | The ARN for this AutoScaling Group | -| [autoscaling_group_default_cooldown](#output_autoscaling_group_default_cooldown) | Time between a scaling activity and the succeeding scaling activity | -| [autoscaling_group_health_check_grace_period](#output_autoscaling_group_health_check_grace_period) | Time after instance comes into service before checking health | -| [autoscaling_group_health_check_type](#output_autoscaling_group_health_check_type) | `EC2` or `ELB`. 
Controls how health checking is done | -| [autoscaling_group_id](#output_autoscaling_group_id) | The autoscaling group id | -| [autoscaling_group_max_size](#output_autoscaling_group_max_size) | The maximum size of the autoscale group | -| [autoscaling_group_min_size](#output_autoscaling_group_min_size) | The minimum size of the autoscale group | -| [autoscaling_group_name](#output_autoscaling_group_name) | The autoscaling group name | -| [iam_role_arn](#output_iam_role_arn) | Spacelift IAM Role ARN | -| [iam_role_id](#output_iam_role_id) | Spacelift IAM Role ID | -| [iam_role_name](#output_iam_role_name) | Spacelift IAM Role name | -| [launch_template_arn](#output_launch_template_arn) | The ARN of the launch template | -| [launch_template_id](#output_launch_template_id) | The ID of the launch template | -| [security_group_arn](#output_security_group_arn) | Spacelift Security Group ARN | -| [security_group_id](#output_security_group_id) | Spacelift Security Group ID | -| [security_group_name](#output_security_group_name) | Spacelift Security Group Name | -| [worker_pool_id](#output_worker_pool_id) | Spacelift worker pool ID | -| [worker_pool_name](#output_worker_pool_name) | Spacelift worker pool name | - +| Name | Description | +|------|-------------| +| [autoscaling\_group\_arn](#output\_autoscaling\_group\_arn) | The ARN for this AutoScaling Group | +| [autoscaling\_group\_default\_cooldown](#output\_autoscaling\_group\_default\_cooldown) | Time between a scaling activity and the succeeding scaling activity | +| [autoscaling\_group\_health\_check\_grace\_period](#output\_autoscaling\_group\_health\_check\_grace\_period) | Time after instance comes into service before checking health | +| [autoscaling\_group\_health\_check\_type](#output\_autoscaling\_group\_health\_check\_type) | `EC2` or `ELB`. 
Controls how health checking is done | +| [autoscaling\_group\_id](#output\_autoscaling\_group\_id) | The autoscaling group id | +| [autoscaling\_group\_max\_size](#output\_autoscaling\_group\_max\_size) | The maximum size of the autoscale group | +| [autoscaling\_group\_min\_size](#output\_autoscaling\_group\_min\_size) | The minimum size of the autoscale group | +| [autoscaling\_group\_name](#output\_autoscaling\_group\_name) | The autoscaling group name | +| [iam\_role\_arn](#output\_iam\_role\_arn) | Spacelift IAM Role ARN | +| [iam\_role\_id](#output\_iam\_role\_id) | Spacelift IAM Role ID | +| [iam\_role\_name](#output\_iam\_role\_name) | Spacelift IAM Role name | +| [launch\_template\_arn](#output\_launch\_template\_arn) | The ARN of the launch template | +| [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template | +| [security\_group\_arn](#output\_security\_group\_arn) | Spacelift Security Group ARN | +| [security\_group\_id](#output\_security\_group\_id) | Spacelift Security Group ID | +| [security\_group\_name](#output\_security\_group\_name) | Spacelift Security Group Name | +| [worker\_pool\_id](#output\_worker\_pool\_id) | Spacelift worker pool ID | +| [worker\_pool\_name](#output\_worker\_pool\_name) | Spacelift worker pool name | ## References -- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - - Cloud Posse's related upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-worker-pool) - - Cloud Posse's upstream component +- [cloudposse/terraform-spacelift-cloud-infrastructure-automation](https://github.com/cloudposse/terraform-spacelift-cloud-infrastructure-automation) - Cloud Posse's related upstream component +- 
[cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift-worker-pool) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/spacelift/README.md b/deprecated/spacelift/README.md index 7cf2e68c2..993d9e337 100644 --- a/deprecated/spacelift/README.md +++ b/deprecated/spacelift/README.md @@ -3,15 +3,15 @@ This component is responsible for provisioning Spacelift stacks. Spacelift is a specialized, Terraform-compatible continuous integration and deployment (CI/CD) platform for -infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience -with large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. +infrastructure-as-code. It's designed and implemented by long-time DevOps practitioners based on previous experience with +large-scale installations - dozens of teams, hundreds of engineers and tens of thousands of cloud resources. ## Usage **Stack Level**: Regional -This component provisions an administrative Spacelift stack and assigns it to a worker pool. Although the stack can -manage stacks in any region, it should be provisioned in the same region as the worker pool. +This component provisions an administrative Spacelift stack and assigns it to a worker pool. Although +the stack can manage stacks in any region, it should be provisioned in the same region as the worker pool. ```yaml components: @@ -152,6 +152,7 @@ components: - trigger.dependencies # Keep these empty policies_by_id_enabled: [] + ``` ## Prerequisites 
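Review bot: the `+` side of the `spacelift-worker-pool` Inputs and Outputs tables is raw terraform-docs output (`[account\_map\_environment\_name](#input\_account\_map\_environment\_name)`, `|------|-------------|` separators) replacing the prettier-wrapped `-` side, so with the prettier hook this PR adds to `.pre-commit-config.yaml` the next commit will rewrite these tables right back unless the generated block is wrapped in `<!-- prettier-ignore-start -->` / `<!-- prettier-ignore-end -->` or terraform-docs is ordered after prettier in the hook list; pick one and state it in the PR description so reviewers know which tool owns the tables. Separately, in the `@@ -152,6 +152,7 @@` hunk of `deprecated/spacelift/README.md` the only added line is an empty line inside the yaml fence just before the closing ```, which looks unintended and should be dropped.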
@@ -163,8 +164,7 @@ components: 1. Create a Login Policy - Click on Policies then Add Policy - - Use the following policy and replace `GITHUBORG` with the GitHub Organization slug and DEV with the GitHub id for - the Dev setting up the Spacelift module. + - Use the following policy and replace `GITHUBORG` with the GitHub Organization slug and DEV with the GitHub id for the Dev setting up the Spacelift module. ```rego package spacelift 
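Review bot: in the `@@ -163,8 +164,7 @@` hunk the rewrapped `+` line formats `GITHUBORG` as code but leaves `DEV` as plain text, although both are placeholders the reader must replace in the rego policy that follows; since the line is being touched anyway, put `DEV` in backticks as well and reword "the GitHub id for the Dev setting up the Spacelift module" to "the GitHub login of the developer setting up the Spacelift module", which is what the login policy actually matches on.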
@@ -229,17 +229,17 @@ components: ## Spacelift Layout -[Runtime configuration](https://docs.spacelift.io/concepts/configuration/runtime-configuration) is a piece of setup that -is applied to individual runs instead of being global to the stack. It's defined in `.spacelift/config.yml` YAML file at -the root of your repository. It is required for Spacelift to work with `atmos`. +[Runtime configuration](https://docs.spacelift.io/concepts/configuration/runtime-configuration) is a piece of setup +that is applied to individual runs instead of being global to the stack. +It's defined in `.spacelift/config.yml` YAML file at the root of your repository. +It is required for Spacelift to work with `atmos`. ### Create Spacelift helper scripts -[/rootfs/usr/local/bin/spacelift-tf-workspace](/rootfs/usr/local/bin/spacelift-tf-workspace) manages selecting or -creating a Terraform workspace; similar to how `atmos` manages workspaces during a Terraform run. +[/rootfs/usr/local/bin/spacelift-tf-workspace](/rootfs/usr/local/bin/spacelift-tf-workspace) manages selecting or creating a Terraform workspace; similar to how `atmos` manages workspaces +during a Terraform run. -[/rootfs/usr/local/bin/spacelift-write-vars](/rootfs/usr/local/bin/spacelift-write-vars) writes the component config -using `atmos` to the `spacelift.auto.tfvars.json` file. +[/rootfs/usr/local/bin/spacelift-write-vars](/rootfs/usr/local/bin/spacelift-write-vars) writes the component config using `atmos` to the `spacelift.auto.tfvars.json` file. **NOTE**: make sure they are all executable: @@ -249,8 +249,8 @@ chmod +x rootfs/usr/local/bin/spacelift* ## Bootstrapping -After creating & linking Spacelift to this repo (see the [docs](https://docs.spacelift.io/integrations/github)), follow -these steps... +After creating & linking Spacelift to this repo (see the +[docs](https://docs.spacelift.io/integrations/github)), follow these steps... ### Deploy the [`spacelift-worker-pool`](../spacelift-worker-pool) Component 
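Review bot: the `+` lines in the `@@ -229,17 +229,17 @@` and `@@ -249,8 +249,8 @@` hunks re-wrap prose one sentence per line and let the `spacelift-tf-workspace` sentence run well past the column width used everywhere else in this PR, so `deprecated/spacelift/README.md` ends up in a different style from the `modules/` READMEs; if `deprecated/` is deliberately excluded from prettier, add it to `.prettierignore` and say so in the commit message, otherwise run the hook on this file too. Small wording point in the same hunk: "manages selecting or creating a Terraform workspace; similar to how `atmos` manages workspaces" should use a comma rather than a semicolon, since what follows is not an independent clause.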
@@ -260,10 +260,12 @@ See [`spacelift-worker-pool` README](../spacelift-worker-pool/README.md) for the 1. `git_repository` = Name of `infrastructure` repository 1. `git_branch` = Name of main/master branch -1. `worker_pool_name_id_map` = Map of arbitrary names to IDs Spacelift worker pools, taken from the `worker_pool_id` - output of the `spacelift-worker-pool` component. -1. Set `components.terraform.spacelift.settings.spacelift.worker_pool_name` to the name of the worker pool you want to - use for the `spacelift` component, the name being the key you set in the `worker_pool_name_id_map` map. +1. `worker_pool_name_id_map` = Map of arbitrary names to IDs Spacelift worker pools, +taken from the `worker_pool_id` output of the `spacelift-worker-pool` component. +1. Set `components.terraform.spacelift.settings.spacelift.worker_pool_name` +to the name of the worker pool you want to use for the `spacelift` component, +the name being the key you set in the `worker_pool_name_id_map` map. + ### Deploy the admin stacks 
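Review bot: the `+` lines in the `@@ -260,10 +260,12 @@` hunk keep the missing word in "Map of arbitrary names to IDs Spacelift worker pools", which should read "Map of arbitrary names to IDs of Spacelift worker pools"; while here, the continuation lines of both numbered items are flush-left (`+taken from the ...`, `+to the name of the worker pool ...`), which markdown accepts as lazy continuation but which every other list in this README indents under its item, so indent them to match.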
@@ -275,15 +277,16 @@ export SPACELIFT_API_KEY_ID=... export SPACELIFT_API_KEY_SECRET=... ``` -The name of the spacelift stack resource will be different depending on the name of the component and the root atmos -stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. +The name of the spacelift stack resource will be different depending on the name of the component and the root atmos stack. +This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. ``` atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift.module.stacks["core-gbl-auto-spacelift"]' ``` -Note that this is the only manually operation you need to perform in `geodesic` using `atmos` to create the initial -admin stack. All other infrastructure stacks wil be created in Spacelift by this admin stack. +Note that this is the only manually operation you need to perform in `geodesic` using `atmos` to create the initial admin stack. +All other infrastructure stacks wil be created in Spacelift by this admin stack. + ## Pull Request Workflow @@ -293,6 +296,7 @@ admin stack. All other infrastructure stacks wil be created in Spacelift by this 4. View the successful Spacelift checks in the pull request 5. Merge the pull request and check the Spacelift job + ## spacectl See docs https://github.com/spaceone-dev/spacectl 
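Review bot: the `+` lines in the `@@ -275,15 +277,16 @@` hunk carry over two typos from the `-` side, "the only manually operation" should be "the only manual operation" and "wil be created" should be "will be created"; since the sentences are being rewritten for wrapping anyway, fix them in the same change rather than leaving a second pass for later.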
@@ -333,110 +337,108 @@ NOTE: remove the `echo` to remove the dry-run functionality cat stacks.txt | while read stack; do echo $stack && echo spacectl stack set-current-commit --sha 25dd359749cfe30c76cce19f58e0a33555256afd --id $stack; done ``` - + ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | --------- | -| [terraform](#requirement_terraform) | >= 1.3 | -| [aws](#requirement_aws) | >= 4.0 | -| [spacelift](#requirement_spacelift) | >= 0.1.31 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.3 | +| [aws](#requirement\_aws) | >= 4.0 | +| [spacelift](#requirement\_spacelift) | >= 0.1.31 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------- | ---------------------------------------------------- | ------- | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [spacelift](#module_spacelift) | cloudposse/cloud-infrastructure-automation/spacelift | 0.55.0 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [spacelift](#module\_spacelift) | cloudposse/cloud-infrastructure-automation/spacelift | 0.55.0 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| -------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | +| Name | Type | +|------|------| +| 
[aws_ssm_parameter.spacelift_key_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | | [aws_ssm_parameter.spacelift_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [administrative_push_policy_enabled](#input_administrative_push_policy_enabled) | Flag to enable/disable the global administrative push policy | `bool` | `true` | no | -| [administrative_stack_drift_detection_enabled](#input_administrative_stack_drift_detection_enabled) | Flag to enable/disable administrative stack drift detection | `bool` | `true` | no | -| [administrative_stack_drift_detection_reconcile](#input_administrative_stack_drift_detection_reconcile) | Flag to enable/disable administrative stack drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | -| [administrative_stack_drift_detection_schedule](#input_administrative_stack_drift_detection_schedule) | List of cron expressions to schedule drift detection for the administrative stack | `list(string)` |
[
"0 4 * * *"
]
| no | -| [administrative_trigger_policy_enabled](#input_administrative_trigger_policy_enabled) | Flag to enable/disable the global administrative trigger policy | `bool` | `true` | no | -| [attachment_space_id](#input_attachment_space_id) | Specify the space ID for attachments (e.g. policies, contexts, etc.) | `string` | `"legacy"` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [autodeploy](#input_autodeploy) | Default autodeploy value for all stacks created by this project | `bool` | n/a | yes | -| [aws_role_arn](#input_aws_role_arn) | ARN of the AWS IAM role to assume and put its temporary credentials in the runtime environment | `string` | `null` | no | -| [aws_role_enabled](#input_aws_role_enabled) | Flag to enable/disable Spacelift to use AWS STS to assume the supplied IAM role and put its temporary credentials in the runtime environment | `bool` | `false` | no | -| [aws_role_external_id](#input_aws_role_external_id) | Custom external ID (works only for private workers). See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html for more details | `string` | `null` | no | -| [aws_role_generate_credentials_in_worker](#input_aws_role_generate_credentials_in_worker) | Flag to enable/disable generating AWS credentials in the private worker after assuming the supplied IAM role | `bool` | `false` | no | -| [before_init](#input_before_init) | List of before-init scripts | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [context_filters](#input_context_filters) | Context filters to create stacks for specific context information. Valid lists are `namespaces`, `environments`, `tenants`, `stages`. | `map(list(string))` | `{}` | no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [drift_detection_enabled](#input_drift_detection_enabled) | Flag to enable/disable drift detection on the infrastructure stacks | `bool` | `true` | no | -| [drift_detection_reconcile](#input_drift_detection_reconcile) | Flag to enable/disable infrastructure stacks drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | -| [drift_detection_schedule](#input_drift_detection_schedule) | List of cron expressions to schedule drift detection for the infrastructure stacks | `list(string)` |
[
"0 4 * * *"
]
| no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [external_execution](#input_external_execution) | Set this to true if you're calling this module from outside of a Spacelift stack (e.g. the `complete` example) | `bool` | `false` | no | -| [git_branch](#input_git_branch) | The Git branch name | `string` | `"main"` | no | -| [git_commit_sha](#input_git_commit_sha) | The commit SHA for which to trigger a run. Requires `var.spacelift_run_enabled` to be set to `true` | `string` | `null` | no | -| [git_repository](#input_git_repository) | The Git repository name | `string` | n/a | yes | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [infracost_enabled](#input_infracost_enabled) | Flag to enable/disable infracost. If this is enabled, it will add infracost label to each stack. See [spacelift infracost](https://docs.spacelift.io/vendors/terraform/infracost) docs for more details. | `bool` | `false` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [policies_available](#input_policies_available) | List of available default policies to create in Spacelift (these policies will not be attached to Spacelift stacks by default, use `var.policies_enabled`) | `list(string)` |
[
"git_push.proposed-run",
"git_push.tracked-run",
"plan.default",
"trigger.dependencies",
"trigger.retries"
]
| no | -| [policies_by_id_enabled](#input_policies_by_id_enabled) | List of existing policy IDs to attach to all Spacelift stacks. These policies must already exist in Spacelift | `list(string)` | `[]` | no | -| [policies_by_name_enabled](#input_policies_by_name_enabled) | List of existing policy names to attach to all Spacelift stacks. These policies must exist at `modules/spacelift/rego-policies` OR `var.policies_by_name_path`. | `list(string)` | `[]` | no | -| [policies_by_name_path](#input_policies_by_name_path) | Path to the catalog of external Rego policies. The Rego files must exist in the caller's code at the path. The module will create Spacelift policies from the external Rego definitions | `string` | `""` | no | -| [policies_enabled](#input_policies_enabled) | DEPRECATED: Use `policies_by_id_enabled` instead. List of default policies created by this stack to attach to all Spacelift stacks | `list(string)` | `[]` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [runner_image](#input_runner_image) | Full address & tag of the Spacelift runner image (e.g. on ECR) | `string` | n/a | yes | -| [spacelift_api_endpoint](#input_spacelift_api_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | -| [spacelift_component_path](#input_spacelift_component_path) | The Spacelift Component Path | `string` | `"components/terraform"` | no | -| [spacelift_run_enabled](#input_spacelift_run_enabled) | Enable/disable creation of the `spacelift_run` resource | `bool` | `false` | no | -| [spacelift_stack_dependency_enabled](#input_spacelift_stack_dependency_enabled) | If enabled, the `spacelift_stack_dependency` Spacelift resource will be used to create dependencies between stacks instead of using the `depends-on` labels. The `depends-on` labels will be removed from the stacks and the trigger policies for dependencies will be detached | `bool` | `false` | no | -| [stack_config_path_template](#input_stack_config_path_template) | Stack config path template | `string` | `"stacks/%s.yaml"` | no | -| [stack_destructor_enabled](#input_stack_destructor_enabled) | Flag to enable/disable the stack destructor to destroy the resources of a stack before deleting the stack itself | `bool` | `false` | no | -| [stacks_space_id](#input_stacks_space_id) | Override the space ID for all stacks (unless the stack config has `dedicated_space` set to true). Otherwise, it will default to the admin stack's space. | `string` | `null` | no | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 
'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tag_filters](#input_tag_filters) | A map of tags that will filter stack creation by the matching `tags` set in a component `vars` configuration. | `map(string)` | `{}` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [terraform_version](#input_terraform_version) | Default Terraform version for all stacks created by this project | `string` | n/a | yes | -| [terraform_version_map](#input_terraform_version_map) | A map to determine which Terraform patch version to use for each minor version | `map(string)` | `{}` | no | -| [worker_pool_name_id_map](#input_worker_pool_name_id_map) | Map of worker pool names to worker pool IDs | `map(any)` | `{}` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [administrative\_push\_policy\_enabled](#input\_administrative\_push\_policy\_enabled) | Flag to enable/disable the global administrative push policy | `bool` | `true` | no | +| [administrative\_stack\_drift\_detection\_enabled](#input\_administrative\_stack\_drift\_detection\_enabled) | Flag to enable/disable administrative stack drift detection | `bool` | `true` | no | +| [administrative\_stack\_drift\_detection\_reconcile](#input\_administrative\_stack\_drift\_detection\_reconcile) | Flag to enable/disable administrative stack drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | +| [administrative\_stack\_drift\_detection\_schedule](#input\_administrative\_stack\_drift\_detection\_schedule) | List of cron expressions to schedule drift detection for the administrative stack | `list(string)` |
[
"0 4 * * *"
]
| no | +| [administrative\_trigger\_policy\_enabled](#input\_administrative\_trigger\_policy\_enabled) | Flag to enable/disable the global administrative trigger policy | `bool` | `true` | no | +| [attachment\_space\_id](#input\_attachment\_space\_id) | Specify the space ID for attachments (e.g. policies, contexts, etc.) | `string` | `"legacy"` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [autodeploy](#input\_autodeploy) | Default autodeploy value for all stacks created by this project | `bool` | n/a | yes | +| [aws\_role\_arn](#input\_aws\_role\_arn) | ARN of the AWS IAM role to assume and put its temporary credentials in the runtime environment | `string` | `null` | no | +| [aws\_role\_enabled](#input\_aws\_role\_enabled) | Flag to enable/disable Spacelift to use AWS STS to assume the supplied IAM role and put its temporary credentials in the runtime environment | `bool` | `false` | no | +| [aws\_role\_external\_id](#input\_aws\_role\_external\_id) | Custom external ID (works only for private workers). See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html for more details | `string` | `null` | no | +| [aws\_role\_generate\_credentials\_in\_worker](#input\_aws\_role\_generate\_credentials\_in\_worker) | Flag to enable/disable generating AWS credentials in the private worker after assuming the supplied IAM role | `bool` | `false` | no | +| [before\_init](#input\_before\_init) | List of before-init scripts | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [context\_filters](#input\_context\_filters) | Context filters to create stacks for specific context information. Valid lists are `namespaces`, `environments`, `tenants`, `stages`. | `map(list(string))` | `{}` | no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [drift\_detection\_enabled](#input\_drift\_detection\_enabled) | Flag to enable/disable drift detection on the infrastructure stacks | `bool` | `true` | no | +| [drift\_detection\_reconcile](#input\_drift\_detection\_reconcile) | Flag to enable/disable infrastructure stacks drift automatic reconciliation. If drift is detected and `reconcile` is turned on, Spacelift will create a tracked run to correct the drift | `bool` | `true` | no | +| [drift\_detection\_schedule](#input\_drift\_detection\_schedule) | List of cron expressions to schedule drift detection for the infrastructure stacks | `list(string)` |
[
"0 4 * * *"
]
| no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [external\_execution](#input\_external\_execution) | Set this to true if you're calling this module from outside of a Spacelift stack (e.g. the `complete` example) | `bool` | `false` | no | +| [git\_branch](#input\_git\_branch) | The Git branch name | `string` | `"main"` | no | +| [git\_commit\_sha](#input\_git\_commit\_sha) | The commit SHA for which to trigger a run. Requires `var.spacelift_run_enabled` to be set to `true` | `string` | `null` | no | +| [git\_repository](#input\_git\_repository) | The Git repository name | `string` | n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [infracost\_enabled](#input\_infracost\_enabled) | Flag to enable/disable infracost. If this is enabled, it will add infracost label to each stack. See [spacelift infracost](https://docs.spacelift.io/vendors/terraform/infracost) docs for more details. | `bool` | `false` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [policies\_available](#input\_policies\_available) | List of available default policies to create in Spacelift (these policies will not be attached to Spacelift stacks by default, use `var.policies_enabled`) | `list(string)` |
[
"git_push.proposed-run",
"git_push.tracked-run",
"plan.default",
"trigger.dependencies",
"trigger.retries"
]
| no | +| [policies\_by\_id\_enabled](#input\_policies\_by\_id\_enabled) | List of existing policy IDs to attach to all Spacelift stacks. These policies must already exist in Spacelift | `list(string)` | `[]` | no | +| [policies\_by\_name\_enabled](#input\_policies\_by\_name\_enabled) | List of existing policy names to attach to all Spacelift stacks. These policies must exist at `modules/spacelift/rego-policies` OR `var.policies_by_name_path`. | `list(string)` | `[]` | no | +| [policies\_by\_name\_path](#input\_policies\_by\_name\_path) | Path to the catalog of external Rego policies. The Rego files must exist in the caller's code at the path. The module will create Spacelift policies from the external Rego definitions | `string` | `""` | no | +| [policies\_enabled](#input\_policies\_enabled) | DEPRECATED: Use `policies_by_id_enabled` instead. List of default policies created by this stack to attach to all Spacelift stacks | `list(string)` | `[]` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [runner\_image](#input\_runner\_image) | Full address & tag of the Spacelift runner image (e.g. on ECR) | `string` | n/a | yes | +| [spacelift\_api\_endpoint](#input\_spacelift\_api\_endpoint) | The Spacelift API endpoint URL (e.g. https://example.app.spacelift.io) | `string` | n/a | yes | +| [spacelift\_component\_path](#input\_spacelift\_component\_path) | The Spacelift Component Path | `string` | `"components/terraform"` | no | +| [spacelift\_run\_enabled](#input\_spacelift\_run\_enabled) | Enable/disable creation of the `spacelift_run` resource | `bool` | `false` | no | +| [spacelift\_stack\_dependency\_enabled](#input\_spacelift\_stack\_dependency\_enabled) | If enabled, the `spacelift_stack_dependency` Spacelift resource will be used to create dependencies between stacks instead of using the `depends-on` labels. The `depends-on` labels will be removed from the stacks and the trigger policies for dependencies will be detached | `bool` | `false` | no | +| [stack\_config\_path\_template](#input\_stack\_config\_path\_template) | Stack config path template | `string` | `"stacks/%s.yaml"` | no | +| [stack\_destructor\_enabled](#input\_stack\_destructor\_enabled) | Flag to enable/disable the stack destructor to destroy the resources of a stack before deleting the stack itself | `bool` | `false` | no | +| [stacks\_space\_id](#input\_stacks\_space\_id) | Override the space ID for all stacks (unless the stack config has `dedicated_space` set to true). Otherwise, it will default to the admin stack's space. | `string` | `null` | no | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 
'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tag\_filters](#input\_tag\_filters) | A map of tags that will filter stack creation by the matching `tags` set in a component `vars` configuration. | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [terraform\_version](#input\_terraform\_version) | Default Terraform version for all stacks created by this project | `string` | n/a | yes | +| [terraform\_version\_map](#input\_terraform\_version\_map) | A map to determine which Terraform patch version to use for each minor version | `map(string)` | `{}` | no | +| [worker\_pool\_name\_id\_map](#input\_worker\_pool\_name\_id\_map) | Map of worker pool names to worker pool IDs | `map(any)` | `{}` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------- | ---------------- | -| [stacks](#output_stacks) | Spacelift stacks | - +| Name | Description | +|------|-------------| +| [stacks](#output\_stacks) | Spacelift stacks | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift) - - Cloud Posse's upstream component +* [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/spacelift) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/spacelift/docs/spacelift-overview.md b/deprecated/spacelift/docs/spacelift-overview.md index da5735c53..b232276de 100644 --- a/deprecated/spacelift/docs/spacelift-overview.md +++ b/deprecated/spacelift/docs/spacelift-overview.md 
@@ -9,10 +9,11 @@ large-scale installations - dozens of teams, hundreds of engineers and tens of t There are two projects located in this repository that are required for the deplyoment & day-to-day operation of Spacelift. -| Project | Description | -| ----------------------- | ------------------------------------------------------ | -| `spacelift-worker-pool` | Deploys Spacelift workers to EC2 | -| `spacelift` | Creates & manages all Spacelift stacks & configuration | +| Project | Description | +|-------------------------|---------------------------------------------------------| +| `spacelift-worker-pool` | Deploys Spacelift workers to EC2 | +| `spacelift` | Creates & manages all Spacelift stacks & configuration | + The `spacelift` project relies on this repository's stack configurations ([../stacks](../stacks)). @@ -37,8 +38,7 @@ export SPACELIFT_API_KEY_ID= export SPACELIFT_API_KEY_SECRET= ``` -The name of the spacelift stack resource will be different depending on the name of the component and the root atmos -stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. +The name of the spacelift stack resource will be different depending on the name of the component and the root atmos stack. This would be the command if the root atmos stack is `core-gbl-auto` and the spacelift component is `spacelift`. ``` atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift.module.stacks["core-gbl-auto-spacelift"]' 
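Review bot: the rewrap in `@@ -37,8 +38,7 @@` folds a paragraph wrapped at about 120 columns into one line of more than 200 characters; prettier leaves that alone only under `proseWrap: "never"` or `"preserve"`, so if the new config uses `"always"` this hunk (and the matching rewrap in the `sso` README later in this patch) will be re-wrapped on the next run, and the setting should be confirmed as intentional. While this section is being touched: the context lines just above the rewrapped paragraph still tell readers to type `export SPACELIFT_API_KEY_ID=` and `export SPACELIFT_API_KEY_SECRET=` by hand, which records the API secret in shell history; the `spacelift` component already reads both values from SSM (the `aws_ssm_parameter.spacelift_key_id` / `spacelift_key_secret` data sources in the previous hunk's Resources table), so an `aws ssm get-parameter --with-decryption` one-liner, or at least `read -s`, would be the safer instruction here.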
@@ -50,13 +50,12 @@ atmos terraform apply spacelift --stack core-gbl-auto -target 'module.spacelift. 2. Create a new pull request (targeting the mainline branch) 3. View the modified resources directly in the pull request - ![Spacelift-PR-Changes.png](img/Spacelift-PR-Changes.png) + ![Spacelift-PR-Changes.png](img/Spacelift-PR-Changes.png) 4. View the successful Spacelift checks in the pull request - ![Spacelift-PR-Checks.png](img/Spacelift-PR-Checks.png) + ![Spacelift-PR-Checks.png](img/Spacelift-PR-Checks.png) 5. Merge the pull request and check the Spacelift job - ![Spacelift-Infrastructure-Behavior.png](img/Spacelift-Merge-Execution.png) **NOTE**: This job is not set to - `autodeploy` and requires manual confirmation before applying. + ![Spacelift-Infrastructure-Behavior.png](img/Spacelift-Merge-Execution.png) **NOTE**: This job is not set to `autodeploy` and requires manual confirmation before applying. diff --git a/deprecated/sso/README.md b/deprecated/sso/README.md index fe3b157c7..86ac7e2c8 100644 --- a/deprecated/sso/README.md +++ b/deprecated/sso/README.md @@ -1,8 +1,6 @@ # Component: `sso` -This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an -Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user -and corresponding Access Key pair which is pushed into AWS SSM. +This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (`okta` must be mentioned in the key given to the `saml_providers` input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM. ## Usage 
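Review bot: in `@@ -1,8 +1,6 @@` of `deprecated/sso/README.md` the rewrapped sentence still says the Okta API user's access key pair is "pushed into AWS SSM" without saying how; name the parameter type (SecureString, and which KMS key) and the parameter path readers should expect, otherwise a reader cannot tell whether the credential lands encrypted or as a plain `String` parameter. In `@@ -50,13 +50,12 @@` of `spacelift-overview.md`, the touched last image line keeps alt text `Spacelift-Infrastructure-Behavior.png` for a file named `img/Spacelift-Merge-Execution.png`; align the two while the line is being edited, and consider putting the `**NOTE**` that the job is not `autodeploy` and requires manual confirmation on its own line so the approval gate is not buried after an image reference.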
@@ -24,73 +22,71 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 3.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 3.0 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 3.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.0 | ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------------- | -------------------------------- | ------- | -| [iam_roles](#module_iam_roles) | ../account-map/modules/iam-roles | n/a | -| [okta_api_user](#module_okta_api_user) | ./modules/okta-user | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | +| [okta\_api\_user](#module\_okta\_api\_user) | ./modules/okta-user | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------ | -------- | +| Name | Type | +|------|------| | [aws_iam_saml_provider.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------ | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [saml_providers](#input_saml_providers) | Map of provider names to XML data filenames | `map(string)` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [saml\_providers](#input\_saml\_providers) | Map of provider names to XML data filenames | `map(string)` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------- | ------------------------------------------- | -| [okta_api_users](#output_okta_api_users) | Map of OKTA API Users | -| [saml_provider_arns](#output_saml_provider_arns) | Map of SAML provider names to provider ARNs | - +| Name | Description | +|------|-------------| +| [okta\_api\_users](#output\_okta\_api\_users) | Map of OKTA API Users | +| [saml\_provider\_arns](#output\_saml\_provider\_arns) | Map of SAML provider names to provider ARNs | + ## References + * [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/sso) - Cloud Posse's upstream component -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/sso) - - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/cross-region-hub-connector/README.md b/deprecated/tgw/cross-region-hub-connector/README.md index 315e490f0..e80e18c14 100644 --- a/deprecated/tgw/cross-region-hub-connector/README.md +++ b/deprecated/tgw/cross-region-hub-connector/README.md 
@@ -1,15 +1,14 @@ # Component: `cross-region-hub-connector` -This component is responsible for provisioning an -[AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts -and(or) regions. +This component is responsible for provisioning an [AWS Transit Gateway Peering Connection](https://aws.amazon.com/transit-gateway) to connect TGWs from different accounts and(or) regions. ## Usage **Stack Level**: Regional -This component is deployed to each off-region tgw/hub. meaning if your home region is `region-a`, and you just created a -`tgw/hub` in `region-a` and `region-b`. To peer them, deploy this to `region-b` +This component is deployed to each off-region tgw/hub. +meaning if your home region is `region-a`, and you just created a `tgw/hub` in `region-a` and `region-b`. To peer them, deploy this +to `region-b` This can be done by setting up a catalog to point to the main region, and simply importing it. 
@@ -32,82 +31,79 @@ components: ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | ## Providers -| Name | Version | -| ------------------------------------------------------------------------------------------------ | ------- | -| [aws.tgw_home_region](#provider_aws.tgw_home_region) | >= 4.0 | -| [aws.tgw_this_region](#provider_aws.tgw_this_region) | >= 4.0 | +| Name | Version | +|------|---------| +| [aws.tgw\_home\_region](#provider\_aws.tgw\_home\_region) | >= 4.0 | +| [aws.tgw\_this\_region](#provider\_aws.tgw\_this\_region) | >= 4.0 | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam_role_tgw_home_region](#module_iam_role_tgw_home_region) | ../../account-map/modules/iam-roles | n/a | -| [iam_role_tgw_this_region](#module_iam_role_tgw_this_region) | ../../account-map/modules/iam-roles | n/a | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw_home_region](#module_tgw_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw_this_region](#module_tgw_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam\_role\_tgw\_home\_region](#module\_iam\_role\_tgw\_home\_region) | 
../../account-map/modules/iam-roles | n/a | +| [iam\_role\_tgw\_this\_region](#module\_iam\_role\_tgw\_this\_region) | ../../account-map/modules/iam-roles | n/a | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw\_home\_region](#module\_tgw\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw\_this\_region](#module\_tgw\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources -| Name | Type | -| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -| [aws_ec2_transit_gateway_peering_attachment.tgw_peering](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment) | resource | -| [aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peering_accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment_accepter) | resource | +| Name | Type | +|------|------| +| [aws_ec2_transit_gateway_peering_attachment.tgw_peering](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment) | resource | +| [aws_ec2_transit_gateway_peering_attachment_accepter.tgw_peering_accepter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_peering_attachment_accepter) | resource | | [aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_cross_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | -| 
[aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_in_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | +| [aws_ec2_transit_gateway_route_table_association.tgw_rt_associate_peering_in_region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is 
provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [home_region](#input_home_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
environment = string
})
| n/a | yes | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [this_region](#input_this_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [home\_region](#input\_home\_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
environment = string
})
| n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [this\_region](#input\_this\_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | ## Outputs -| Name | Description | -| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | -| [aws_ec2_transit_gateway_peering_attachment_id](#output_aws_ec2_transit_gateway_peering_attachment_id) | Transit Gateway Peering Attachment ID | - +| Name | Description | +|------|-------------| +| [aws\_ec2\_transit\_gateway\_peering\_attachment\_id](#output\_aws\_ec2\_transit\_gateway\_peering\_attachment\_id) | Transit Gateway Peering Attachment ID | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/cross-region-hub-connector) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/cross-region-hub-connector) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/cross-region-spoke/README.md b/deprecated/tgw/cross-region-spoke/README.md index 1ae07f951..6c7803eed 100644 --- a/deprecated/tgw/cross-region-spoke/README.md +++ b/deprecated/tgw/cross-region-spoke/README.md 
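Review bot: the replacement Inputs and Outputs rows in this hunk drop the padded column alignment of the old tables and escape every underscore (`[aws\_ec2\_transit\_gateway\_peering\_attachment\_id](#output\_aws\_ec2\_transit\_gateway\_peering\_attachment\_id)`), which is terraform-docs' raw table output rather than a formatter's aligned layout; if a markdown formatter also runs over these READMEs, the two tools will keep rewriting each other's table layout, so decide which one owns the generated table sections (for example by excluding them from the formatter) before merging, otherwise every regeneration will produce a diff of this size again. The collapsed References entry (`- [cloudposse/terraform-aws-components](...) - Cloud Posse's upstream component`) is fine as a single line.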
@@ -1,21 +1,18 @@ # Component: `cross-region-spoke` -This component is responsible for provisioning an -[AWS Transit Gateway Attachment](https://aws.amazon.com/transit-gateway) to connect VPCs from different accounts and/or -regions through a central hub. +This component is responsible for provisioning an [AWS Transit Gateway Attachment](https://aws.amazon.com/transit-gateway) to connect VPCs from different accounts and/or regions through a central hub. ## Usage **Stack Level**: Regional -This component is deployed after the `spoke` component. It is deployed in the same region as a -`cross-region-hub-connector` and points to your default (`home`) region. +This component is deployed after the `spoke` component. It is deployed in the same region as a `cross-region-hub-connector` and points to your default (`home`) region. -e.g. if you primarily deploy to us-east-1, and this is a connection to us-east-2, this component would be deployed to -us-east-2 pointing to us-east-1 in the `home_region`. +e.g. if you primarily deploy to us-east-1, and this is a connection to us-east-2, this component would be deployed to us-east-2 pointing to us-east-1 in the `home_region`. Here's an example snippet for how to configure and use this component: + ```yaml components: terraform: @@ -37,16 +34,17 @@ components: tgw_stage_name: network tgw_tenant_name: core region: us-east-1 + ``` - + ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0 | ## Providers 
@@ -54,23 +52,23 @@ No providers. ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [az_abbreviation](#module_az_abbreviation) | cloudposse/utils/aws | 1.0.0 | -| [iam_role_tgw_home_region](#module_iam_role_tgw_home_region) | ../../account-map/modules/iam-roles | n/a | -| [iam_role_tgw_this_region](#module_iam_role_tgw_this_region) | ../../account-map/modules/iam-roles | n/a | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw_cross_region_connector](#module_tgw_cross_region_connector) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw_home_region](#module_tgw_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw_routes_home_region](#module_tgw_routes_home_region) | ./modules/tgw_routes | n/a | -| [tgw_routes_this_region](#module_tgw_routes_this_region) | ./modules/tgw_routes | n/a | -| [tgw_this_region](#module_tgw_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | -| [vpc_routes_home](#module_vpc_routes_home) | ./modules/vpc_routes | n/a | -| [vpc_routes_this](#module_vpc_routes_this) | ./modules/vpc_routes | n/a | -| [vpcs_home_region](#module_vpcs_home_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [vpcs_this_region](#module_vpcs_this_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [az\_abbreviation](#module\_az\_abbreviation) | cloudposse/utils/aws | 1.0.0 | +| 
[iam\_role\_tgw\_home\_region](#module\_iam\_role\_tgw\_home\_region) | ../../account-map/modules/iam-roles | n/a | +| [iam\_role\_tgw\_this\_region](#module\_iam\_role\_tgw\_this\_region) | ../../account-map/modules/iam-roles | n/a | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw\_cross\_region\_connector](#module\_tgw\_cross\_region\_connector) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw\_home\_region](#module\_tgw\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw\_routes\_home\_region](#module\_tgw\_routes\_home\_region) | ./modules/tgw_routes | n/a | +| [tgw\_routes\_this\_region](#module\_tgw\_routes\_this\_region) | ./modules/tgw_routes | n/a | +| [tgw\_this\_region](#module\_tgw\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [vpc\_routes\_home](#module\_vpc\_routes\_home) | ./modules/vpc_routes | n/a | +| [vpc\_routes\_this](#module\_vpc\_routes\_this) | ./modules/vpc_routes | n/a | +| [vpcs\_home\_region](#module\_vpcs\_home\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [vpcs\_this\_region](#module\_vpcs\_this\_region) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources 
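Review bot: the rewritten usage paragraph still starts a sentence with a lowercase abbreviation, `e.g. if you primarily deploy to us-east-1, and this is a connection to us-east-2, ...`; since this hunk already touches the line, rephrase it as `For example, if you primarily deploy to us-east-1, ...`. The same hunk collapses the hard-wrapped description paragraphs into single long lines while leaving the Requirements and Modules tables in the unpadded `|------|---------|` form, so confirm the prose-wrap setting is intentional; otherwise the next formatter pass will rewrap these paragraphs and reverse part of this change.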
@@ -78,48 +76,46 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [aws_region_abbreviation](#input_aws_region_abbreviation) | AWS Region Abbreviation method, must be one of: `to_fixed`, `to_short`, `from_fixed`, `from_short`, `identity` | `string` | n/a | yes | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [home_region](#input_home_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
connections = set(string)
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
})
| n/a | yes | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [this_region](#input_this_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
connections = set(string)
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [aws\_region\_abbreviation](#input\_aws\_region\_abbreviation) | AWS Region Abbreviation method, must be one of: `to_fixed`, `to_short`, `from_fixed`, `from_short`, `identity` | `string` | n/a | yes | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [home\_region](#input\_home\_region) | Acceptors region config. Describe the transit gateway that should accept the peering |
object({
connections = set(string)
tgw_name_format = string
tgw_stage_name = string
tgw_tenant_name = string
region = string
})
| n/a | yes | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [this\_region](#input\_this\_region) | Initiators region config. Describe the transit gateway that should originate the peering |
object({
connections = set(string)
tgw_stage_name = string
tgw_tenant_name = string
})
| n/a | yes | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------- | -------------------------------- | -| [tgw_routes_home_region](#output_tgw_routes_home_region) | TGW Routes to the primary region | -| [tgw_routes_in_region](#output_tgw_routes_in_region) | TGW reoutes in this region | -| [vpc_routes_home](#output_vpc_routes_home) | VPC routes to the primary VPC | -| [vpc_routes_this](#output_vpc_routes_this) | This modules VPC routes | - +| Name | Description | +|------|-------------| +| [tgw\_routes\_home\_region](#output\_tgw\_routes\_home\_region) | TGW Routes to the primary region | +| [tgw\_routes\_in\_region](#output\_tgw\_routes\_in\_region) | TGW reoutes in this region | +| [vpc\_routes\_home](#output\_vpc\_routes\_home) | VPC routes to the primary VPC | +| [vpc\_routes\_this](#output\_vpc\_routes\_this) | This modules VPC routes | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/hub/README.md b/deprecated/tgw/hub/README.md index 8014eb73b..9b88a8c2b 100644 --- a/deprecated/tgw/hub/README.md +++ b/deprecated/tgw/hub/README.md @@ -1,7 +1,6 @@ # Component: `tgw/hub` -This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` -that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. +This component is responsible for provisioning an [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) `hub` that acts as a centralized gateway for connecting VPCs from other `spoke` accounts. ## Usage 
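Review bot: the Outputs table in this hunk carries two description typos unchanged through the reformat, `TGW reoutes in this region` (should read `TGW routes in this region`) and `This modules VPC routes` (should read `This module's VPC routes`); because this table is generated, fix the `description` of those two outputs in the component source and regenerate rather than hand-editing the README. The References entry still links to `https://github.com/cloudposse/terraform-aws-components/tree/master/modules/TODO`, a placeholder that this change preserves; replace `TODO` with the real upstream component path so the link resolves.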
@@ -44,13 +43,12 @@ atmos terraform apply tgw/hub -s --network ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.1 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.1 | ## Providers @@ -58,14 +56,14 @@ No providers. ## Modules -| Name | Source | Version | -| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [eks](#module_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw_hub](#module_tgw_hub) | cloudposse/transit-gateway/aws | 0.9.1 | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | -| [vpc](#module_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| Name | Source | Version | +|------|--------|---------| +| [account\_map](#module\_account\_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [eks](#module\_eks) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw\_hub](#module\_tgw\_hub) | cloudposse/transit-gateway/aws | 0.9.1 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | +| [vpc](#module\_vpc) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | ## Resources 
@@ -73,53 +71,51 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [account_map_environment_name](#input_account_map_environment_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | -| [account_map_stage_name](#input_account_map_stage_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | -| [account_map_tenant_name](#input_account_map_tenant_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | -| [accounts_with_eks](#input_accounts_with_eks) | Set of account names that have EKS | `set(string)` | n/a | yes | -| [accounts_with_vpc](#input_accounts_with_vpc) | Set of account names that have VPC | `set(string)` | n/a | yes | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks_component_names](#input_eks_component_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [expose_eks_sg](#input_expose_eks_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_map\_environment\_name](#input\_account\_map\_environment\_name) | The name of the environment where `account_map` is provisioned | `string` | `"gbl"` | no | +| [account\_map\_stage\_name](#input\_account\_map\_stage\_name) | The name of the stage where `account_map` is provisioned | `string` | `"root"` | no | +| [account\_map\_tenant\_name](#input\_account\_map\_tenant\_name) | The name of the tenant where `account_map` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| [accounts\_with\_eks](#input\_accounts\_with\_eks) | Set of account names that have EKS | `set(string)` | n/a | yes | +| [accounts\_with\_vpc](#input\_accounts\_with\_vpc) | Set of account names that have VPC | `set(string)` | n/a | yes | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks\_component\_names](#input\_eks\_component\_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [expose\_eks\_sg](#input\_expose\_eks\_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- | -| [eks](#output_eks) | Accounts with EKS and EKSs information | -| [tgw_config](#output_tgw_config) | Transit Gateway config | -| [transit_gateway_arn](#output_transit_gateway_arn) | Transit Gateway ARN | -| [transit_gateway_id](#output_transit_gateway_id) | Transit Gateway ID | -| [transit_gateway_route_table_id](#output_transit_gateway_route_table_id) | Transit Gateway route table ID | -| [vpcs](#output_vpcs) | Accounts with VPC and VPCs information | - +| Name | Description | +|------|-------------| +| [eks](#output\_eks) | Accounts with EKS and EKSs information | +| [tgw\_config](#output\_tgw\_config) | Transit Gateway config | +| [transit\_gateway\_arn](#output\_transit\_gateway\_arn) | Transit Gateway ARN | +| [transit\_gateway\_id](#output\_transit\_gateway\_id) | Transit Gateway ID | +| [transit\_gateway\_route\_table\_id](#output\_transit\_gateway\_route\_table\_id) | Transit Gateway route table ID | +| [vpcs](#output\_vpcs) | Accounts with VPC and VPCs information | ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/hub) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw/hub) - Cloud Posse's upstream component [](https://cpco.io/component) diff --git a/deprecated/tgw/spoke/README.md b/deprecated/tgw/spoke/README.md index 75e90e8a6..605510858 100644 
--- a/deprecated/tgw/spoke/README.md +++ b/deprecated/tgw/spoke/README.md @@ -1,7 +1,6 @@ # Component: `tgw/spoke` -This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments -to connect VPCs in a `spoke` account to different accounts through a central `hub`. +This component is responsible for provisioning [AWS Transit Gateway](https://aws.amazon.com/transit-gateway) attachments to connect VPCs in a `spoke` account to different accounts through a central `hub`. ## Usage @@ -55,6 +54,7 @@ components: - core-network - core-auto - plat-staging + ``` To provision the attachments for a spoke account: @@ -65,13 +65,12 @@ atmos terraform apply tgw/spoke -s -- ``` - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.0 | -| [aws](#requirement_aws) | >= 4.1 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.1 | ## Providers 
@@ -79,14 +78,14 @@ No providers. ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ------- | -| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | -| [tgw_hub](#module_tgw_hub) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | -| [tgw_hub_role](#module_tgw_hub_role) | ../../account-map/modules/iam-roles | n/a | -| [tgw_hub_routes](#module_tgw_hub_routes) | cloudposse/transit-gateway/aws | 0.9.1 | -| [tgw_spoke_vpc_attachment](#module_tgw_spoke_vpc_attachment) | ./modules/standard_vpc_attachment | n/a | -| [this](#module_this) | cloudposse/label/null | 0.25.0 | +| Name | Source | Version | +|------|--------|---------| +| [iam\_roles](#module\_iam\_roles) | ../../account-map/modules/iam-roles | n/a | +| [tgw\_hub](#module\_tgw\_hub) | cloudposse/stack-config/yaml//modules/remote-state | 1.4.1 | +| [tgw\_hub\_role](#module\_tgw\_hub\_role) | ../../account-map/modules/iam-roles | n/a | +| [tgw\_hub\_routes](#module\_tgw\_hub\_routes) | cloudposse/transit-gateway/aws | 0.9.1 | +| [tgw\_spoke\_vpc\_attachment](#module\_tgw\_spoke\_vpc\_attachment) | ./modules/standard_vpc_attachment | n/a | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | ## Resources 
@@ -94,46 +93,44 @@ No resources. ## Inputs -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | -| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | -| [connections](#input_connections) | List of accounts to connect to | `list(string)` | n/a | yes | -| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | -| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | -| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | -| [eks_component_names](#input_eks_component_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | -| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | -| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | -| [expose_eks_sg](#input_expose_eks_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | -| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | -| [import_profile_name](#input_import_profile_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | -| [import_role_arn](#input_import_role_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | -| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | -| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | -| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | -| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | -| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | -| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | -| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [region](#input_region) | AWS Region | `string` | n/a | yes | -| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | -| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | -| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | -| [tgw_hub_component_name](#input_tgw_hub_component_name) | The name of the transit-gateway component | `string` | `"tgw/hub"` | no | -| [tgw_hub_environment_name](#input_tgw_hub_environment_name) | The name of the environment where `tgw/gateway` is provisioned | `string` | `"ue2"` | no | -| [tgw_hub_stage_name](#input_tgw_hub_stage_name) | The name of the stage where `tgw/gateway` is provisioned | `string` | `"network"` | no | -| [tgw_hub_tenant_name](#input_tgw_hub_tenant_name) | The name of the tenant where `tgw/hub` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [connections](#input\_connections) | List of accounts to connect to | `list(string)` | n/a | yes | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [eks\_component\_names](#input\_eks\_component\_names) | The names of the eks components | `set(string)` |
[
"eks/cluster"
]
| no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [expose\_eks\_sg](#input\_expose\_eks\_sg) | Set true to allow EKS clusters to accept traffic from source accounts | `bool` | `true` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [import\_profile\_name](#input\_import\_profile\_name) | AWS Profile name to use when importing a resource | `string` | `null` | no | +| [import\_role\_arn](#input\_import\_role\_arn) | IAM Role ARN to use when importing a resource | `string` | `null` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input\_region) | AWS Region | `string` | n/a | yes | +| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [tgw\_hub\_component\_name](#input\_tgw\_hub\_component\_name) | The name of the transit-gateway component | `string` | `"tgw/hub"` | no | +| [tgw\_hub\_environment\_name](#input\_tgw\_hub\_environment\_name) | The name of the environment where `tgw/gateway` is provisioned | `string` | `"ue2"` | no | +| [tgw\_hub\_stage\_name](#input\_tgw\_hub\_stage\_name) | The name of the stage where `tgw/gateway` is provisioned | `string` | `"network"` | no | +| [tgw\_hub\_tenant\_name](#input\_tgw\_hub\_tenant\_name) | The name of the tenant where `tgw/hub` is provisioned.

If the `tenant` label is not used, leave this as `null`. | `string` | `null` | no | ## Outputs No outputs. - ## References -- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw) - - Cloud Posse's upstream component +- [cloudposse/terraform-aws-components](https://github.com/cloudposse/terraform-aws-components/tree/master/modules/tgw) - Cloud Posse's upstream component [](https://cpco.io/component) From cdb28c500b8793c932087355ad8cff693c22331d Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:23:50 -0800 Subject: [PATCH 10/11] ignore deprecated --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 37d2608b9..30b8ca41b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,6 @@ repos: types: ["markdown"] exclude: | (?x)^( - deprecated/.*README*.md | deprecated/.*.md )$ From 8993aa1955aa7d26f82203f50a9c0c94ab383410 Mon Sep 17 00:00:00 2001 From: milldr Date: Fri, 8 Mar 2024 13:24:55 -0800 Subject: [PATCH 11/11] ignore main README --- .pre-commit-config.yaml | 1 + README.md | 178 +++++++++++++++++----------------------- 2 files changed, 76 insertions(+), 103 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 30b8ca41b..bce86cb2a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,6 +46,7 @@ repos: types: ["markdown"] exclude: | (?x)^( + README.md | deprecated/.*.md )$ diff --git a/README.md b/README.md index c39c187a8..f604c5195 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,7 @@ - Project Banner
- -

+

Latest ReleaseLast UpdateSlack Community

- -This is a collection of reusable [AWS Terraform components](https://atmos.tools/core-concepts/components/) for -provisioning infrastructure used by the Cloud Posse [reference architectures](https://cloudposse.com). They work really -well with [Atmos](https://atmos.tools), our open-source tool for managing infrastructure as code with Terraform. +This is a collection of reusable [AWS Terraform components](https://atmos.tools/core-concepts/components/) for provisioning infrastructure used by the Cloud Posse [reference architectures](https://cloudposse.com). +They work really well with [Atmos](https://atmos.tools), our open-source tool for managing infrastructure as code with Terraform. ---- -> [!NOTE] This project is part of Cloud Posse's comprehensive -> ["SweetOps"](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=) -> approach towards DevOps. -> +--- +> [!NOTE] +> This project is part of Cloud Posse's comprehensive ["SweetOps"](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=) approach towards DevOps. >
Learn More > > It's 100% Open Source and licensed under the [APACHE2](LICENSE). 
@@ -46,33 +40,36 @@ well with [Atmos](https://atmos.tools), our open-source tool for managing infras + ## Introduction In this repo you'll find real-world examples of how we've implemented Terraform "root" modules as native -[Atmos Components](https://atmos.tools/core-concepts/components/) for our customers. These Components leverage our -hundreds of free and open-source [terraform "child" modules](https://cpco.io/terraform-modules). +[Atmos Components](https://atmos.tools/core-concepts/components/) for our customers. These Components +leverage our hundreds of free and open-source [terraform "child" modules](https://cpco.io/terraform-modules). + +The [component library](https://docs.cloudposse.com/components/) captures the business logic, opinions, best practices and +non-functional requirements for an organization. -The [component library](https://docs.cloudposse.com/components/) captures the business logic, opinions, best practices -and non-functional requirements for an organization. +It's from this library that other developers in your organization will pick and choose from whenever they need to deploy some new +capability. + +These components make a lot of assumptions (aka ["convention over configuration"](https://en.wikipedia.org/wiki/Convention_over_configuration)) about how we've configured our environments. +That said, they still serve as an excellent reference for others on how to build, organize and distribute enterprise-grade infrastructure +with Terraform that can be used with [Atmos](https://atmos.tools). -It's from this library that other developers in your organization will pick and choose from whenever they need to deploy -some new capability. -These components make a lot of assumptions (aka -["convention over configuration"](https://en.wikipedia.org/wiki/Convention_over_configuration)) about how we've -configured our environments. 
That said, they still serve as an excellent reference for others on how to build, organize -and distribute enterprise-grade infrastructure with Terraform that can be used with [Atmos](https://atmos.tools). ## Usage + + + Please take a look at each [component's README](https://docs.cloudposse.com/components/) for specific usage. > [!TIP] -> > ## 👽 Use Atmos with Terraform -> -> To orchestrate multiple environments with ease using Terraform, Cloud Posse recommends using -> [Atmos](https://atmos.tools), our open-source tool for Terraform automation. +> To orchestrate multiple environments with ease using Terraform, Cloud Posse recommends using [Atmos](https://atmos.tools), +> our open-source tool for Terraform automation. > >
> Watch demo of using Atmos with Terraform @@ -80,24 +77,22 @@ Please take a look at each [component's README](https://docs.cloudposse.com/comp > Example of running atmos to manage infrastructure from our Quick Start tutorial. > -Generally, you can use these components in [Atmos](https://atmos.tools/core-concepts/components/) by adding something -like the following code into your [stack manifest](https://atmos.tools/core-concepts/stacks/): +Generally, you can use these components in [Atmos](https://atmos.tools/core-concepts/components/) by adding something like the following +code into your [stack manifest](https://atmos.tools/core-concepts/stacks/): ```yaml -components: # List of components to include in the stack - terraform: # The toolchain being used for configuration - vpc: # The name of the component (e.g. terraform "root" module) - vars: # Terraform variables (e.g. `.tfvars`) - cidr_block: 10.0.0.0/16 # A variable input passed to terraform via `.tfvars` +components: # List of components to include in the stack + terraform: # The toolchain being used for configuration + vpc: # The name of the component (e.g. terraform "root" module) + vars: # Terraform variables (e.g. `.tfvars`) + cidr_block: 10.0.0.0/16 # A variable input passed to terraform via `.tfvars` ``` ## Automated Updates of Components using GitHub Actions -Leverage our [GitHub Action](https://atmos.tools/integrations/github-actions/component-updater) to automate the creation -and management of pull requests for component updates. +Leverage our [GitHub Action](https://atmos.tools/integrations/github-actions/component-updater) to automate the creation and management of pull requests for component updates. -This is done by creating a new file (e.g. `atmos-component-updater.yml`) in the `.github/workflows` directory of your -repository. +This is done by creating a new file (e.g. `atmos-component-updater.yml`) in the `.github/workflows` directory of your repository. The file should contain the following: 
@@ -131,19 +126,13 @@ update: dry_run: no ``` -For the full documentation on how to use the Component Updater GitHub Action, please see the -[Atmos Intergations](https://atmos.tools/integrations/github-actions/component-updater) documentation. +For the full documentation on how to use the Component Updater GitHub Action, please see the [Atmos Intergations](https://atmos.tools/integrations/github-actions/component-updater) documentation. ## Using `pre-commit` Hooks -This repository uses [pre-commit](https://pre-commit.com/) and -[pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) to enforce consistent Terraform code and -documentation. This is accomplished by triggering hooks during `git commit` to block commits that don't pass checks -(E.g. format, and module documentation). You can find the hooks that are being executed in the -[`.pre-commit-config.yaml`](.pre-commit-config.yaml) file. +This repository uses [pre-commit](https://pre-commit.com/) and [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform) to enforce consistent Terraform code and documentation. This is accomplished by triggering hooks during `git commit` to block commits that don't pass checks (E.g. format, and module documentation). You can find the hooks that are being executed in the [`.pre-commit-config.yaml`](.pre-commit-config.yaml) file. -You can install [pre-commit](https://pre-commit.com/) and this repo's pre-commit hooks on a Mac machine by running the -following commands: +You can install [pre-commit](https://pre-commit.com/) and this repo's pre-commit hooks on a Mac machine by running the following commands: ```bash brew install pre-commit gawk terraform-docs coreutils 
@@ -157,19 +146,20 @@ make rebuild-docs ``` > [!IMPORTANT] -> > ## Deprecated Components -> > Terraform components which are no longer actively maintained are kept in the [`deprecated/`](deprecated/) folder. > > Many of these deprecated components are used in our older reference architectures. > > We intend to eventually delete, but are leaving them for now in the repo. - -## Makefile Targets + + + + +## Makefile Targets ```text Available targets: @@ -181,29 +171,29 @@ Available targets: upstream-component Upstream a given component ``` - + ## Related Projects Check out these related projects. -- [Cloud Posse Terraform Modules](https://docs.cloudposse.com/modules/) - Our collection of reusable Terraform modules - used by our reference architectures. +- [Cloud Posse Terraform Modules](https://docs.cloudposse.com/modules/) - Our collection of reusable Terraform modules used by our reference architectures. - [Atmos](https://atmos.tools) - Atmos is like docker-compose but for your infrastructure + ## References For additional context, refer to some of these links. - [Cloud Posse Documentation](https://docs.cloudposse.com) - Complete documentation for the Cloud Posse solution -- [Reference Architectures](https://cloudposse.com/) - Launch effortlessly with our turnkey reference architectures, - built either by your team or ours. +- [Reference Architectures](https://cloudposse.com/) - Launch effortlessly with our turnkey reference architectures, built either by your team or ours. + ## ✨ Contributing -This project is under active development, and we encourage contributions from our community. Many thanks to our -outstanding contributors: +This project is under active development, and we encourage contributions from our community. +Many thanks to our outstanding contributors: 
@@ -211,75 +201,57 @@ outstanding contributors: ### 🐛 Bug Reports & Feature Requests -Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-components/issues) to report any bugs or file -feature requests. +Please use the [issue tracker](https://github.com/cloudposse/terraform-aws-components/issues) to report any bugs or file feature requests. ### 💻 Developing -If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud -Posse's other projects, we would love to hear from you! Hit us up in -[Slack](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack), -in the `#cloudposse` channel. +If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud Posse's other projects, we would love to hear from you! +Hit us up in [Slack](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack), in the `#cloudposse` channel. In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. - -1. Review our - [Code of Conduct](https://github.com/cloudposse/terraform-aws-components/?tab=coc-ov-file#code-of-conduct) and - [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). -2. **Fork** the repo on GitHub -3. **Clone** the project to your own machine -4. **Commit** changes to your own branch -5. **Push** your work back up to your fork -6. Submit a **Pull Request** so that we can review your changes + 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-components/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). + 2. **Fork** the repo on GitHub + 3. **Clone** the project to your own machine + 4. **Commit** changes to your own branch + 5. 
**Push** your work back up to your fork + 6. Submit a **Pull Request** so that we can review your changes **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! ### 🌎 Slack Community -Join our -[Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack) -on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar -vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit -feedback, and work together as a community to build totally _sweet_ infrastructure. +Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. ### 📰 Newsletter -Sign up for -[our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=newsletter) -and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can -always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read. +Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. +Dropped straight into your Inbox every week — and usually a 5-minute read. 
### 📆 Office Hours -[Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=office_hours) -for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, -plus a _live Q&A_ that you can’t find anywhere else. It's **FREE** for everyone! +[Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else. +It's **FREE** for everyone! ## About -This project is maintained by -Cloud -Posse, LLC. +This project is maintained by Cloud Posse, LLC. -We are a -[**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=commercial_support) -for funded startups and enterprises. Use our ready-to-go terraform architecture blueprints for AWS to get up and running -quickly. We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed. +We are a [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-components&utm_content=commercial_support) for funded startups and enterprises. +Use our ready-to-go terraform architecture blueprints for AWS to get up and running quickly. +We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed. Learn More -_Your team can operate like a pro today._ +*Your team can operate like a pro today.* -Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you -succeed. 
+Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you succeed.
📚 See What's Included - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. -- **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and - repeatable. +- **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and repeatable. - **Site Reliability Engineering.** You'll have total visibility into your apps and microservices. - **Security Baseline.** You'll have built-in governance with accountability and audit logs for all changes. - **GitOps.** You'll be able to operate your infrastructure via Pull Requests. @@ -291,7 +263,6 @@ succeed.
- ## License License @@ -310,12 +281,14 @@ to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at -https://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an -"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific -language governing permissions and limitations under the License. + https://www.apache.org/licenses/LICENSE-2.0 +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. ```
@@ -329,4 +302,3 @@ Copyright © 2017-2024 [Cloud Posse, LLC](https://cpco.io/copyright) README footer Beacon -```
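Review bot: In the `.pre-commit-config.yaml` hunk of PATCH 10/11 (`@@ -46,7 +46,6`), the surviving alternative `deprecated/.*.md` has an unescaped `.` before `md`, so it matches any character there, not only a literal dot; `deprecated/.*\.md` says what is meant. Dropping `deprecated/.*README*.md |` is fine because the remaining pattern already covers every Markdown path under `deprecated/`, and the hook's `types: ["markdown"]` filter limits the practical effect of the over-broad regex anyway, but the escaped form is cheaper than explaining that in review later.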
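Review bot: In the `.pre-commit-config.yaml` hunk of PATCH 11/11 (`@@ -46,6 +46,7`), the new `README.md |` alternative sits inside `(?x)^( ... )$`, so it only excludes the top-level `README.md` and not `modules/*/README.md`, which matches the commit subject; worth stating that intent in a comment next to the pattern, since the same regex is edited twice in this series and a later reader may assume the exclusion was meant to be broader. As with the `deprecated/` entry, `README\.md` (escaped dot) is the precise form.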
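Review bot: In the `README.md` hunk `@@ -131,19 +126,13`, the `+` line still reads `[Atmos Intergations](https://atmos.tools/integrations/github-actions/component-updater)`; since the line is being rewritten in this hunk, fix the typo to "Atmos Integrations" (the URL path already spells it correctly).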
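Review bot: In the `README.md` hunk `@@ -211,75 +201,57`, the contributing steps are re-added with a leading space (`+ 1. Review our ...`, `+ 2. **Fork** ...`) while every other list in the file (for example `- [Cloud Posse Terraform Modules]...` and the "See What's Included" bullets) is flush-left; CommonMark tolerates the indent, but please drop it for consistency. Same hunk: `_sweet_` and `_Your team can operate like a pro today._` become `*sweet*` and `*Your team ...*` while `_live Q&A_` keeps underscores, so pick one emphasis marker; and "how to rollout and manage infrastructure" should be "how to roll out and manage infrastructure" on the `+` line.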
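Review bot: In the `README.md` hunk `@@ -329,4 +302,3`, the removed line is a bare closing fence (`-```) after the footer beacon. The license block opened with `` ```text `` is already closed by the `` ``` `` at the end of the `@@ -310,12 +281,14` hunk, so this trailing fence looks like a stray opener that would have started an unterminated code block; removing it is right, but please confirm the rendered README (in particular the License section and footer) looks correct after the change, and that no other fence in the file depended on it.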