From 4446a4cc0aa0356a7568eb23489ed65a03fa2f61 Mon Sep 17 00:00:00 2001 From: Max Glotov Date: Fri, 9 Jun 2023 17:14:56 +0600 Subject: [PATCH 1/5] set default_tags on provider level --- terraform/layer1-aws/aws-cloudtrail.tf | 5 ---- terraform/layer1-aws/aws-eks.tf | 6 +---- terraform/layer1-aws/main.tf | 23 ++++++++++++++++++- terraform/layer1-aws/providers.tf | 7 ++++++ terraform/layer1-aws/variables.tf | 5 ++++ .../modules/aws-cost-allocation-tags/main.tf | 6 +++++ .../aws-cost-allocation-tags/variables.tf | 6 +++++ terraform/modules/aws-pritunl/main.tf | 2 +- 8 files changed, 48 insertions(+), 12 deletions(-) create mode 100644 terraform/modules/aws-cost-allocation-tags/main.tf create mode 100644 terraform/modules/aws-cost-allocation-tags/variables.tf diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index 85390dfc..28c3f5fc 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf @@ -19,11 +19,6 @@ resource "aws_s3_bucket" "cloudtrail" { tags = local.tags } -resource "aws_s3_bucket_acl" "cloudtrail" { - bucket = aws_s3_bucket.cloudtrail.id - acl = "private" -} - resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { bucket = aws_s3_bucket.cloudtrail.id diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf index b7838130..ab790e7d 100644 --- a/terraform/layer1-aws/aws-eks.tf +++ b/terraform/layer1-aws/aws-eks.tf @@ -56,11 +56,6 @@ module "eks" { cluster_enabled_log_types = var.eks_cluster_enabled_log_types cloudwatch_log_group_retention_in_days = var.eks_cloudwatch_log_group_retention_in_days - tags = { - ClusterName = local.name - Environment = local.env - } - vpc_id = module.vpc.vpc_id cluster_endpoint_public_access = var.eks_cluster_endpoint_public_access @@ -185,6 +180,7 @@ module "eks" { } } + tags = { "ClusterName" = local.name } } module "vpc_cni_irsa" { 
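Review bot: The new `tags = { "ClusterName" = local.name }` drops `Environment` from the eks module's tag map and relies on provider `default_tags` to put it back, but default tags are not applied to `aws_autoscaling_group`, so if this layer runs self-managed node groups (the README's `node_group_*` inputs carry ASG-level settings such as `mixed_instances_policy` and `capacity_rebalance`, which suggests it does) the instances those groups launch lose the very `Environment` key this commit activates as a cost-allocation tag. Keeping the key explicit, `tags = { "ClusterName" = local.name, "Environment" = local.env }`, is harmless under the 5.x provider pinned in this patch, where a resource tag that duplicates a default-tag key is allowed and takes precedence. Moving the map from the top of the module block to the bottom also makes it easy to miss on review; a one-line comment `# Environment/Terraform come from provider default_tags; ClusterName is cluster-specific` would explain the asymmetry. The `module "eks"` block begins before this hunk.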
diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf index f4ce095a..3a181750 100644 --- a/terraform/layer1-aws/main.tf +++ b/terraform/layer1-aws/main.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "4.62.0" + version = "5.1.0" } kubernetes = { source = "hashicorp/kubernetes" @@ -33,3 +33,24 @@ resource "aws_iam_account_password_policy" "default" { allow_users_to_change_password = var.aws_account_password_policy.allow_users_to_change_password max_password_age = var.aws_account_password_policy.max_password_age } + + +module "aws-cost-allocation-tags" { + count = var.is_this_payment_account ? 1 : 0 + source = "../modules/aws-cost-allocation-tags" + + tags = [ + { + tag_key = "Environment" + status = "Active" + }, + { + tag_key = "Terraform" + status = "Active" + }, + { + tag_key = "aws:autoscaling:groupName" + status = "Active" + } + ] +} diff --git a/terraform/layer1-aws/providers.tf b/terraform/layer1-aws/providers.tf index 449e183b..2e4d1306 100644 --- a/terraform/layer1-aws/providers.tf +++ b/terraform/layer1-aws/providers.tf @@ -1,6 +1,13 @@ provider "aws" { region = var.region allowed_account_ids = var.allowed_account_ids + default_tags { + tags = { + Name = local.name + Environment = local.env + Terraform = "true" + } + } } provider "kubernetes" { diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf index 7df7332e..8837ec61 100644 --- a/terraform/layer1-aws/variables.tf +++ b/terraform/layer1-aws/variables.tf @@ -21,6 +21,11 @@ variable "aws_account_password_policy" { } } +variable "is_this_payment_account" { + default = false + description = "Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags" +} + variable "name" { description = "Project name, required to create unique resource names" } 
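Review bot: `count = var.is_this_payment_account ? 1 : 0` on `module "aws-cost-allocation-tags"` is the right gate, but nothing explains it: `aws_ce_cost_allocation_tag` can only be activated from the Organization management (payer) account or a standalone account, and in a member account the failure shows up at apply time as an API error rather than at plan. A comment on the `count` line such as `# Cost allocation tags can only be activated from the payer/management account; member accounts must set is_this_payment_account = false` would save the next operator a failed apply. The same hunk bumps the provider from 4.62.0 to 5.1.0, a major upgrade whose fallout (the `aws_s3_bucket_acl` removal and the `aws_eip` argument rename elsewhere in this patch) would be easier to audit as its own commit. Module names in this file use underscores (`vpc_cni_irsa` below), so `module "aws_cost_allocation_tags"` would match the existing convention.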
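Review bot: `Name = local.name` inside `default_tags` gives every taggable resource in this layer that does not set its own Name (security groups, IAM roles, subnets, log groups, …) the project name as its Name, which causes a one-time tag update on every existing resource and makes Name useless for telling resources apart in the console or in tag-based IAM conditions. `Environment` and `Terraform` are reasonable account-wide defaults; I would drop Name, `tags = { Environment = local.env, Terraform = "true" }`, and keep Name per resource. Two caveats deserve a comment next to the block: provider default tags are not applied to `aws_autoscaling_group`, so tags that must reach ASG-launched instances still have to be set explicitly, and under the 5.x provider a resource-level tag with the same key overrides the default, so places that still pass `local.tags` (the CloudTrail bucket in this patch) keep working but may now be redundant.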
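Review bot: `variable "is_this_payment_account"` declares no `type`, and its description reads backwards: it says to set the flag to false "if target account is under AWS Organization", yet the management account is also under the Organization and is exactly the account where the cost-allocation module must run. I would add `type = bool` and reword the description to `"True only for the AWS Organization management (payer) account or a standalone account; cost allocation tags can only be activated there, so set it to false for member accounts."`. Patch 2/5 of this series flips the default to true (per its subject and the regenerated README), so a member-account user who trusts the current wording will get a failing apply; the clearer description is what makes that default safe.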
diff --git a/terraform/modules/aws-cost-allocation-tags/main.tf b/terraform/modules/aws-cost-allocation-tags/main.tf new file mode 100644 index 00000000..4f0aabb9 --- /dev/null +++ b/terraform/modules/aws-cost-allocation-tags/main.tf @@ -0,0 +1,6 @@ +resource "aws_ce_cost_allocation_tag" "this" { + for_each = { for item in var.tags : item.tag_key => item } + + tag_key = each.value.tag_key + status = each.value.status +} diff --git a/terraform/modules/aws-cost-allocation-tags/variables.tf b/terraform/modules/aws-cost-allocation-tags/variables.tf new file mode 100644 index 00000000..bd075607 --- /dev/null +++ b/terraform/modules/aws-cost-allocation-tags/variables.tf @@ -0,0 +1,6 @@ +variable "tags" { + type = list(object({ + tag_key = string + status = string + })) +} diff --git a/terraform/modules/aws-pritunl/main.tf b/terraform/modules/aws-pritunl/main.tf index 1326e105..77446c18 100644 --- a/terraform/modules/aws-pritunl/main.tf +++ b/terraform/modules/aws-pritunl/main.tf @@ -1,6 +1,6 @@ data "aws_region" "current" {} resource "aws_eip" "this" { - vpc = true + domain = "vpc" tags = { Name = var.name Environment = var.environment From 4d012b3bf9788be9616e98c26d1e7951654a8253 Mon Sep 17 00:00:00 2001 From: Max Glotov Date: Fri, 9 Jun 2023 17:20:02 +0600 Subject: [PATCH 2/5] update doc using terraform-doc and enable cost_allocation_tags by default --- terraform/layer1-aws/README.md | 197 +++++++++++++++--------------- terraform/layer1-aws/variables.tf | 2 +- 2 files changed, 100 insertions(+), 99 deletions(-) diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index c4b19e22..7d062862 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md 
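Review bot: `for_each = { for item in var.tags : item.tag_key => item }` silently collapses duplicate `tag_key` entries (the later entry wins), and `status` is passed through unchecked, so a typo such as "active" only surfaces as an API error at apply time. A header comment would orient a reader of this two-line module: `# Activates/deactivates AWS cost allocation tag keys. Must be applied from the payer (management) account; entries are keyed by tag_key, so a duplicate key overrides the earlier one.` If duplicates are not intended, a `lifecycle { precondition { condition = length(distinct(var.tags[*].tag_key)) == length(var.tags) ... } }` on the resource turns the silent merge into a plan-time error.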
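Review bot: `variable "tags"` has no `description` and accepts any string for `status`, although the only values `aws_ce_cost_allocation_tag` accepts are "Active" and "Inactive"; anything else is rejected only once the Cost Explorer API is called, after the rest of the plan has been applied. A `validation` block rejects bad input at plan time, and a description documents the contract for callers of the module, which is what terraform-docs will surface in the README regenerated in patch 2/5.
```hcl
variable "tags" {
  description = "Cost allocation tag keys to manage and their status (\"Active\" or \"Inactive\")."
  # … unchanged: type = list(object({ tag_key, status })) …

  validation {
    condition     = alltrue([for t in var.tags : contains(["Active", "Inactive"], t.status)])
    error_message = "Each status must be \"Active\" or \"Inactive\"."
  }
}
```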
@@ -1,115 +1,116 @@ ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | 1.4.4 | -| [aws](#requirement\_aws) | 4.62.0 | -| [kubernetes](#requirement\_kubernetes) | 2.19.0 | +| Name | Version | +| ---------------------------------------------------------------------------- | ------- | +| [terraform](#requirement\_terraform) | 1.4.4 | +| [aws](#requirement\_aws) | 5.1.0 | +| [kubernetes](#requirement\_kubernetes) | 2.19.0 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.62.0 | +| Name | Version | +| ------------------------------------------------- | ------- | +| [aws](#provider\_aws) | 5.1.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 4.3.2 | -| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.12.0 | -| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.17.3 | -| [pritunl](#module\_pritunl) | ../modules/aws-pritunl | n/a | -| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.10.2 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 4.0.1 | -| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | -| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 4.0.1 | +| Name | Source | Version | +| ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ | ------- | +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 4.3.2 | +| [aws-cost-allocation-tags](#module\_aws-cost-allocation-tags) | ../modules/aws-cost-allocation-tags | 
n/a | +| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.12.0 | +| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.17.3 | +| [pritunl](#module\_pritunl) | ../modules/aws-pritunl | n/a | +| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.10.2 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 4.0.1 | +| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | +| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 4.0.1 | ## Resources -| Name | Type | -|------|------| -| [aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/cloudtrail) | resource | -| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/ebs_encryption_by_default) | resource | -| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/iam_account_password_policy) | resource | -| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_policy) | resource | -| 
[aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic) | resource | -| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic_policy) | resource | -| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic_subscription) | resource | -| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/acm_certificate) | data source | -| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/ami) | data source | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster_auth) | data source | -| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/route53_zone) | data source | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/security_group) | data source | +| Name | Type | +| 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | +| [aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/cloudtrail) | resource | +| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/ebs_encryption_by_default) | resource | +| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/iam_account_password_policy) | resource | +| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_subscription) | resource | +| 
[aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/acm_certificate) | data source | +| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/security_group) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | -| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | -| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | -| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | -| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | -| [cloudtrail\_logs\_s3\_expiration\_days](#input\_cloudtrail\_logs\_s3\_expiration\_days) | How many days keep cloudtrail logs on S3 | `string` | `180` | no | -| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | -| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | -| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | -| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | -| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | -| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | -| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no | -| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| no | -| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | -| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | -| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | -| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 1,
"instance_type": "t3a.medium",
"max_capacity": 5,
"min_capacity": 1,
"mixed_instances_policy": null,
"use_mixed_instances_policy": false
}
| no | -| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 1,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | -| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | -| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | -| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | -| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | +| Name | Description | Type | Default | Required | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| 
[allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | +| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | +| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | +| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [cloudtrail\_logs\_s3\_expiration\_days](#input\_cloudtrail\_logs\_s3\_expiration\_days) | How many days keep cloudtrail logs on S3 | `string` | `180` | no | +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no | +| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| no | +| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | +| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags | `bool` | `true` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 1,
"instance_type": "t3a.medium",
"max_capacity": 5,
"min_capacity": 1,
"mixed_instances_policy": null,
"use_mixed_instances_policy": false
}
| no | +| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 1,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | +| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | ## Outputs -| Name | Description | -|------|-------------| -| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | -| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | -| [domain\_name](#output\_domain\_name) | Domain name | -| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | -| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | -| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | -| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | -| [env](#output\_env) | Suffix for the hostname depending on workspace | -| [name](#output\_name) | Project name, required to form unique resource names | -| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | -| [region](#output\_region) | Target region for all infrastructure resources | -| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | -| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | -| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | -| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | -| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | -| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | -| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | -| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | -| 
[vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | -| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | +| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | +| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | +| [domain\_name](#output\_domain\_name) | Domain name | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | +| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | +| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | +| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | +| [env](#output\_env) | Suffix for the hostname depending on workspace | +| [name](#output\_name) | Project name, required to form unique resource names | +| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | +| [region](#output\_region) | Target region for all infrastructure resources | +| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | +| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | +| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | +| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | +| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | +| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | +| 
[vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets |
+| [vpc\_name](#output\_vpc\_name) | Name of infra VPC |
+| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC |
+| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC |
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
index 8837ec61..d434130e 100644
--- a/terraform/layer1-aws/variables.tf
+++ b/terraform/layer1-aws/variables.tf
@@ -22,7 +22,7 @@ variable "aws_account_password_policy" {
 }
 variable "is_this_payment_account" {
- default = false
+ default = true
 description = "Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags"
 }
From af4c3c5ea9dcdfc91c419355c21937e15b215fa0 Mon Sep 17 00:00:00 2001
From: Max Glotov
Date: Fri, 9 Jun 2023 17:28:56 +0600
Subject: [PATCH 3/5] fix syntax mistake
---
 terraform/layer1-aws/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf
index 3a181750..28de5dc1 100644
--- a/terraform/layer1-aws/main.tf
+++ b/terraform/layer1-aws/main.tf
@@ -36,9 +36,9 @@ resource "aws_iam_account_password_policy" "default" {
 module "aws-cost-allocation-tags" {
- count = var.is_this_payment_account ? 1 : 0
- source = "../modules/aws-cost-allocation-tags"
+ count = var.is_this_payment_account ? 1 : 0
+ source = "../modules/aws-cost-allocation-tags"
 tags = [
 {
 tag_key = "Environment"
From a0274ed3d7867b218c2798efb235ba25eb5dff44 Mon Sep 17 00:00:00 2001
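Review bot: Flipping `default = false` to `default = true` opts every account into the cost-allocation-tags module by default (it drives `count = var.is_this_payment_account ? 1 : 0` in main.tf), while the variable's own description says member accounts of an AWS Organization must set it to `false` — so a plain apply in such an account presumably now fails unless the caller remembers the override, and a fail-safe default of `false` seems preferable. The variable also declares no `type`, so the `bool` the README table reports is only inferred from the default; add `type = bool` next to it. The description reads awkwardly and could state the constraint directly, e.g. `description = "Whether this is the payer/management account. Cost allocation tags can only be activated there; set to false for member accounts of an AWS Organization."`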
From: Max Glotov
Date: Fri, 9 Jun 2023 17:44:01 +0600
Subject: [PATCH 4/5] update docs; fix PR comments
---
 terraform/layer1-aws/README.md | 198 +++++++++---------
 terraform/layer1-aws/main.tf | 2 +-
 .../aws-cost-allocation-tags/README.md | 29 +++
 .../aws-cost-allocation-tags/variables.tf | 1 +
 4 files changed, 130 insertions(+), 100 deletions(-)
 create mode 100644 terraform/modules/aws-cost-allocation-tags/README.md
diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md
index 7d062862..3c69bb79 100644
--- a/terraform/layer1-aws/README.md
+++ b/terraform/layer1-aws/README.md
@@ -1,116 +1,116 @@ ## Requirements -| Name | Version | -| ---------------------------------------------------------------------------- | ------- | -| [terraform](#requirement\_terraform) | 1.4.4 | -| [aws](#requirement\_aws) | 5.1.0 | -| [kubernetes](#requirement\_kubernetes) | 2.19.0 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.4.4 | +| [aws](#requirement\_aws) | 5.1.0 | +| [kubernetes](#requirement\_kubernetes) | 2.19.0 | ## Providers -| Name | Version | -| ------------------------------------------------- | ------- | -| [aws](#provider\_aws) | 5.1.0 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.1.0 | ## Modules -| Name | Source | Version | -| ------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------ | ------- | -| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 4.3.2 | -| [aws-cost-allocation-tags](#module\_aws-cost-allocation-tags) | ../modules/aws-cost-allocation-tags | n/a | -| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.12.0 | -| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.17.3 | -| [pritunl](#module\_pritunl) | ../modules/aws-pritunl | n/a | -| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.10.2 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 4.0.1 | -| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | -| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 4.0.1 | +| Name | Source | Version | +|------|--------|---------| +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 
4.3.2 | +| [aws\_cost\_allocation\_tags](#module\_aws\_cost\_allocation\_tags) | ../modules/aws-cost-allocation-tags | n/a | +| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.12.0 | +| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.17.3 | +| [pritunl](#module\_pritunl) | ../modules/aws-pritunl | n/a | +| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.10.2 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 4.0.1 | +| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | +| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 4.0.1 | ## Resources -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- | -| [aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/cloudtrail) | resource | -| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/ebs_encryption_by_default) | resource | -| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/iam_account_password_policy) | resource | -| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| 
[aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic) | resource | -| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_policy) | resource | -| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_subscription) | resource | -| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/acm_certificate) | data source | -| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/eks_cluster_auth) | data source | -| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/route53_zone) | data source | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/security_group) | data source | +| Name | Type | +|------|------| +| 
[aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/cloudtrail) | resource | +| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/ebs_encryption_by_default) | resource | +| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/iam_account_password_policy) | resource | +| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_subscription) | resource | +| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/acm_certificate) | data source | +| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source | +| 
[aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/security_group) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | -| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | -| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | -| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | -| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | -| [cloudtrail\_logs\_s3\_expiration\_days](#input\_cloudtrail\_logs\_s3\_expiration\_days) | How many days keep cloudtrail logs on S3 | `string` | `180` | no | -| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | -| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | -| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | -| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | -| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | -| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | -| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no | -| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| no | -| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | -| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | -| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags | `bool` | `true` | no | -| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | -| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 1,
"instance_type": "t3a.medium",
"max_capacity": 5,
"min_capacity": 1,
"mixed_instances_policy": null,
"use_mixed_instances_policy": false
}
| no | -| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 1,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | -| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | -| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | -| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | -| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | -| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"create": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | +| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | +| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | +| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [cloudtrail\_logs\_s3\_expiration\_days](#input\_cloudtrail\_logs\_s3\_expiration\_days) | How many days keep cloudtrail logs on S3 | `string` | `180` | no | +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.25"` | no | +| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| no | +| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | +| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags | `bool` | `true` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 1,
"instance_type": "t3a.medium",
"max_capacity": 5,
"min_capacity": 1,
"mixed_instances_policy": null,
"use_mixed_instances_policy": false
}
| no | +| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 1,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | +| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | -| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | -| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | -| [domain\_name](#output\_domain\_name) | Domain name | -| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | -| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. 
| -| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | -| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | -| [env](#output\_env) | Suffix for the hostname depending on workspace | -| [name](#output\_name) | Project name, required to form unique resource names | -| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | -| [region](#output\_region) | Target region for all infrastructure resources | -| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | -| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | -| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | -| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | -| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | -| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | -| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | -| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | -| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | -| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | +| Name | Description | +|------|-------------| +| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | +| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | +| [domain\_name](#output\_domain\_name) | Domain name | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | +| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. 
| +| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | +| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | +| [env](#output\_env) | Suffix for the hostname depending on workspace | +| [name](#output\_name) | Project name, required to form unique resource names | +| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | +| [region](#output\_region) | Target region for all infrastructure resources | +| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | +| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | +| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | +| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | +| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | +| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | +| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf index 28de5dc1..14de12e5 100644 --- a/terraform/layer1-aws/main.tf +++ b/terraform/layer1-aws/main.tf @@ -35,7 +35,7 @@ resource "aws_iam_account_password_policy" "default" { } -module "aws-cost-allocation-tags" { +module "aws_cost_allocation_tags" { count = var.is_this_payment_account ? 1 : 0 source = "../modules/aws-cost-allocation-tags" diff --git a/terraform/modules/aws-cost-allocation-tags/README.md b/terraform/modules/aws-cost-allocation-tags/README.md new file mode 100644 index 00000000..89dc123f --- /dev/null 
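Review bot: Renaming the module from `aws-cost-allocation-tags` to `aws_cost_allocation_tags` changes the state address of everything inside it, so any state that already holds `module.aws-cost-allocation-tags[0]` will plan a destroy and recreate of its `aws_ce_cost_allocation_tag` resources rather than a no-op. Patch 1/5 of this same series introduced the module, so this only bites if that intermediate revision was applied somewhere, but a `moved` block (Terraform 1.1+) makes the rename safe either way: `moved { from = module.aws-cost-allocation-tags to = module.aws_cost_allocation_tags }`. The module block's body (`tags = [...]`) continues outside the hunk.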
+++ b/terraform/modules/aws-cost-allocation-tags/README.md @@ -0,0 +1,29 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ce_cost_allocation_tag.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_cost_allocation_tag) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [tags](#input\_tags) | A list of tags to use for cost allocation tags |
list(object({
tag_key = string
status = string
}))
| n/a | yes | + +## Outputs + +No outputs. diff --git a/terraform/modules/aws-cost-allocation-tags/variables.tf b/terraform/modules/aws-cost-allocation-tags/variables.tf index bd075607..16720007 100644 --- a/terraform/modules/aws-cost-allocation-tags/variables.tf +++ b/terraform/modules/aws-cost-allocation-tags/variables.tf @@ -3,4 +3,5 @@ variable "tags" { tag_key = string status = string })) + description = "A list of tags to use for cost allocation tags" } From f532f5be927b580c3611433b0d1b5eb5edb3ead5 Mon Sep 17 00:00:00 2001 From: Max Glotov Date: Fri, 9 Jun 2023 17:46:17 +0600 Subject: [PATCH 5/5] update variable description --- terraform/layer1-aws/README.md | 2 +- terraform/layer1-aws/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index 3c69bb79..33b167ba 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md @@ -75,7 +75,7 @@ | [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
| no | | [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | | [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | -| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags | `bool` | `true` | no | +| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags | `bool` | `true` | no | | [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | | [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | | [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf index d434130e..3d98e246 100644 --- a/terraform/layer1-aws/variables.tf +++ b/terraform/layer1-aws/variables.tf @@ -23,7 +23,7 @@ variable "aws_account_password_policy" { variable "is_this_payment_account" { default = true - description = "Set it to false if target account is under AWS Organization. This variable is used to enable apply configuration for cost allocation tags" + description = "Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags" } variable "name" {
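Review bot: `is_this_payment_account` still carries no `type` constraint even though the README advertises it as `bool` and its only consumer is `count = var.is_this_payment_account ? 1 : 0`; declare it explicitly, `type = bool`, so a non-boolean input is rejected at plan time instead of being coerced. The default is also `true`, which means every account that applies this layer will try to manage `aws_ce_cost_allocation_tag` resources unless the operator remembers to opt out — as far as I can tell, activating cost allocation tags only succeeds from the payer/management account, so the `false` default that patch 1/5 had would make this opt-in and fail-safe; confirm which default is intended. Either way the description should state the consequence of leaving it on, e.g. `Whether this account is the organization's payer/management account. When true, cost allocation tags are activated via Cost Explorer; set to false in member accounts.`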