
# Terraform dxw Dalmatian infrastructure

This project creates and manages resources within an AWS account for infrastructures on dxw's Dalmatian hosting platform.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.5 |
| archive | >= 2.4.1 |
| aws | >= 5.30.0 |
| datadog | >= 3.46.0 |
| external | >= 2.3.2 |
| null | >= 3.2.2 |
| random | >= 3.6.0 |

## Providers

| Name | Version |
|------|---------|
| archive | 2.7.0 |
| aws | 5.84.0 |
| aws.awsroute53root | 5.84.0 |
| aws.useast1 | 5.84.0 |
| datadog | 3.52.1 |
| external | 2.3.4 |
| random | 3.6.3 |
| terraform | n/a |

## Resources

| Name | Type |
|------|------|
| aws_acm_certificate.infrastructure_wildcard | resource |
| aws_acm_certificate.infrastructure_wildcard_us_east_1 | resource |
| aws_acm_certificate_validation.infrastructure_wildcard | resource |
| aws_acm_certificate_validation.infrastructure_wildcard_us_east_1 | resource |
| aws_alb.infrastructure_ecs_cluster_service | resource |
| aws_alb_listener.infrastructure_ecs_cluster_service_http | resource |
| aws_alb_listener.infrastructure_ecs_cluster_service_http_https_redirect | resource |
| aws_alb_listener.infrastructure_ecs_cluster_service_https | resource |
| aws_alb_listener_rule.infrastructure_ecs_cluster_service_host_header | resource |
| aws_alb_listener_rule.infrastructure_ecs_cluster_service_host_header_custom | resource |
| aws_alb_listener_rule.service_alb_host_rule_bypass_exclusions | resource |
| aws_alb_target_group.infrastructure_ecs_cluster_service | resource |
| aws_alb_target_group.infrastructure_ecs_cluster_service_blue | resource |
| aws_alb_target_group.infrastructure_ecs_cluster_service_green | resource |
| aws_athena_workgroup.infrastructure_ecs_cluster_service_cloudfront_logs | resource |
| aws_athena_workgroup.infrastructure_vpc_flow_logs | resource |
| aws_autoscaling_group.infrastructure_ecs_cluster | resource |
| aws_autoscaling_lifecycle_hook.infrastructure_ecs_cluster_termination | resource |
| aws_autoscaling_schedule.ecs_infrastructure_time_based_custom | resource |
| aws_autoscaling_schedule.ecs_infrastructure_time_based_max | resource |
| aws_autoscaling_schedule.ecs_infrastructure_time_based_min | resource |
| aws_cloudformation_stack.custom | resource |
| aws_cloudfront_cache_policy.custom_s3_buckets | resource |
| aws_cloudfront_distribution.custom_s3_buckets | resource |
| aws_cloudfront_distribution.infrastructure_ecs_cluster_service_cloudfront | resource |
| aws_cloudfront_function.custom_s3_buckets_viewer_request | resource |
| aws_cloudfront_origin_access_control.custom_s3_buckets | resource |
| aws_cloudwatch_event_rule.ecs_cluster_infrastructure_ecs_asg_diff_metric_1_min_cron | resource |
| aws_cloudwatch_event_rule.ecs_cluster_infrastructure_instance_refresh | resource |
| aws_cloudwatch_event_rule.ecs_cluster_infrastructure_pending_task_metric_1_min_cron | resource |
| aws_cloudwatch_event_rule.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_rule.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_rule.infrastructure_ecs_cluster_service_ecr_scan | resource |
| aws_cloudwatch_event_rule.infrastructure_ecs_cluster_service_scheduled_task | resource |
| aws_cloudwatch_event_rule.infrastructure_rds_s3_backups_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_rule.infrastructure_rds_s3_backups_scheduled_task | resource |
| aws_cloudwatch_event_target.ecr_scan_event_target | resource |
| aws_cloudwatch_event_target.ecs_cluster_infrastructure_ecs_asg_diff_metric_1_min_cron | resource |
| aws_cloudwatch_event_target.ecs_cluster_infrastructure_instance_refresh | resource |
| aws_cloudwatch_event_target.ecs_cluster_infrastructure_pending_task_metric_1_min_cron | resource |
| aws_cloudwatch_event_target.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_target.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_target.infrastructure_ecs_cluster_service_scheduled_task | resource |
| aws_cloudwatch_event_target.infrastructure_rds_s3_backups_image_build_trigger_codebuild | resource |
| aws_cloudwatch_event_target.infrastructure_rds_s3_backups_scheduled_task | resource |
| aws_cloudwatch_log_group.ecs_cluster_infrastructure_draining_lambda_log_group | resource |
| aws_cloudwatch_log_group.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda_log_group | resource |
| aws_cloudwatch_log_group.ecs_cluster_infrastructure_instance_refresh_lambda_log_group | resource |
| aws_cloudwatch_log_group.ecs_cluster_infrastructure_pending_task_metric_lambda_log_group | resource |
| aws_cloudwatch_log_group.infrastructure_ecs_cluster_datadog_agent | resource |
| aws_cloudwatch_log_group.infrastructure_ecs_cluster_service | resource |
| aws_cloudwatch_log_group.infrastructure_rds_exports | resource |
| aws_cloudwatch_log_group.infrastructure_rds_s3_backups | resource |
| aws_cloudwatch_log_group.infrastructure_vpc_flow_logs | resource |
| aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_asg_cpu | resource |
| aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_ecs_asg_diff | resource |
| aws_cloudwatch_metric_alarm.infrastructure_ecs_cluster_pending_task | resource |
| aws_codebuild_project.infrastructure_ecs_cluster_datadog_agent_image_build | resource |
| aws_codebuild_project.infrastructure_ecs_cluster_logspout_image_build | resource |
| aws_codebuild_project.infrastructure_ecs_cluster_service_build | resource |
| aws_codebuild_project.infrastructure_rds_s3_backups_image_build | resource |
| aws_codedeploy_app.infrastructure_ecs_cluster_service_blue_green | resource |
| aws_codedeploy_deployment_config.infrastructure_ecs_cluster_service_blue_green | resource |
| aws_codedeploy_deployment_group.infrastructure_ecs_cluster_service_blue_green | resource |
| aws_codepipeline.infrastructure_ecs_cluster_service | resource |
| aws_db_instance.infrastructure_rds | resource |
| aws_db_option_group.infrastructure_rds | resource |
| aws_db_parameter_group.infrastructure_rds | resource |
| aws_db_subnet_group.infrastructure_rds | resource |
| aws_default_network_acl.infrastructure | resource |
| aws_ecr_repository.infrastructure_ecs_cluster_datadog_agent | resource |
| aws_ecr_repository.infrastructure_ecs_cluster_logspout | resource |
| aws_ecr_repository.infrastructure_ecs_cluster_service | resource |
| aws_ecr_repository.infrastructure_rds_s3_backups | resource |
| aws_ecs_cluster.infrastructure | resource |
| aws_ecs_cluster.infrastrucutre_rds_tooling | resource |
| aws_ecs_service.infrastructure_ecs_cluster_datadog_agent | resource |
| aws_ecs_service.infrastructure_ecs_cluster_logspout | resource |
| aws_ecs_service.infrastructure_ecs_cluster_service | resource |
| aws_ecs_task_definition.infrastructure_ecs_cluster_datadog_agent | resource |
| aws_ecs_task_definition.infrastructure_ecs_cluster_logspout | resource |
| aws_ecs_task_definition.infrastructure_ecs_cluster_service | resource |
| aws_ecs_task_definition.infrastructure_ecs_cluster_service_scheduled_task | resource |
| aws_ecs_task_definition.infrastructure_rds_s3_backups_scheduled_task | resource |
| aws_efs_file_system.infrastructure_ecs_cluster | resource |
| aws_efs_mount_target.infrastructure_ecs_cluster | resource |
| aws_eip.infrastructure_nat | resource |
| aws_elasticache_parameter_group.infrastructure_elasticache_cluster | resource |
| aws_elasticache_replication_group.infrastructure_elasticache_cluster | resource |
| aws_elasticache_serverless_cache.infrastructure_elasticache | resource |
| aws_elasticache_subnet_group.infrastructure_elasticache_cluster_subnet_group | resource |
| aws_flow_log.infrastructure_vpc_flow_logs_cloudwatch | resource |
| aws_flow_log.infrastructure_vpc_flow_logs_s3 | resource |
| aws_globalaccelerator_accelerator.infrastructure_ecs_cluster_service_alb | resource |
| aws_globalaccelerator_endpoint_group.service_loadbalancer_alb_http | resource |
| aws_globalaccelerator_endpoint_group.service_loadbalancer_alb_https | resource |
| aws_globalaccelerator_listener.infrastructure_ecs_cluster_service_alb_http | resource |
| aws_globalaccelerator_listener.infrastructure_ecs_cluster_service_alb_https | resource |
| aws_glue_catalog_database.infrastructure_ecs_cluster_service_cloudfront_logs | resource |
| aws_glue_catalog_database.infrastructure_vpc_flow_logs | resource |
| aws_glue_catalog_table.infrastructure_ecs_cluster_service_cloudfront_logs | resource |
| aws_glue_catalog_table.infrastructure_vpc_flow_logs | resource |
| aws_iam_instance_profile.infrastructure_ecs_cluster | resource |
| aws_iam_policy.ecs_cluster_infrastructure_draining_ecs_container_instance_state_update_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_draining_kms_encrypt | resource |
| aws_iam_policy.ecs_cluster_infrastructure_draining_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_draining_sns_publish_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_asg_describe_asg_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_cloudwatch_put_metric_data_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_ecs_describe_cluster_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_kms_encrypt | resource |
| aws_iam_policy.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh | resource |
| aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_allow_modify_launch_template | resource |
| aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_kms_encrypt | resource |
| aws_iam_policy.ecs_cluster_infrastructure_instance_refresh_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_cloudwatch_put_metric_data_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_ecs_describe_cluster_lambda | resource |
| aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_kms_encrypt | resource |
| aws_iam_policy.ecs_cluster_infrastructure_pending_task_metric_lambda | resource |
| aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_cloudwatch_logs | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_ecr_pull | resource |
| aws_iam_policy.infrastructure_ecs_cluster_datadog_agent_task_execution_get_secret_value | resource |
| aws_iam_policy.infrastructure_ecs_cluster_ec2_ecs | resource |
| aws_iam_policy.infrastructure_ecs_cluster_kms_encrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds | resource |
| aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_cloudwatch_rw | resource |
| aws_iam_policy.infrastructure_ecs_cluster_logspout_image_codebuild_ecr_push | resource |
| aws_iam_policy.infrastructure_ecs_cluster_s3_transfer_bucket_rw | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_blue_green_codedeploy | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_blue_green_codedeploy_kms_encrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codebuild | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codebuild_blue_green | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codebuild_ecr_push | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codebuild_kms_encrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codedeploy | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_codestar_connection | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_custom | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_ecs_exec_log_kms_decrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_ecs_exec_log_s3_write | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_cloudwatch_logs | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_ecr_pull | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_kms_decrypt | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles | resource |
| aws_iam_policy.infrastructure_ecs_cluster_service_task_ssm_create_channels | resource |
| aws_iam_policy.infrastructure_rds_monitoring | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_allow_builds | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_ecr_push | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_execution_cloudwatch_logs | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_execution_ecr_pull | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_execution_get_secret_value | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_kms_encrypt | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_s3_list | resource |
| aws_iam_policy.infrastructure_rds_s3_backups_task_s3_write | resource |
| aws_iam_role.ecs_cluster_infrastructure_draining_lambda | resource |
| aws_iam_role.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda | resource |
| aws_iam_role.ecs_cluster_infrastructure_instance_refresh_lambda | resource |
| aws_iam_role.ecs_cluster_infrastructure_pending_task_metric_lambda | resource |
| aws_iam_role.infrastructure_ecs_cluster | resource |
| aws_iam_role.infrastructure_ecs_cluster_autoscaling_lifecycle_termination | resource |
| aws_iam_role.infrastructure_ecs_cluster_datadog_agent_image_codebuild | resource |
| aws_iam_role.infrastructure_ecs_cluster_datadog_agent_task_execution | resource |
| aws_iam_role.infrastructure_ecs_cluster_logspout_image_codebuild | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_blue_green_codedeploy | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_codebuild | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_codepipeline | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_scheduled_task | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_task | resource |
| aws_iam_role.infrastructure_ecs_cluster_service_task_execution | resource |
| aws_iam_role.infrastructure_rds_monitoring | resource |
| aws_iam_role.infrastructure_rds_s3_backups_cloudwatch_schedule | resource |
| aws_iam_role.infrastructure_rds_s3_backups_image_codebuild | resource |
| aws_iam_role.infrastructure_rds_s3_backups_task | resource |
| aws_iam_role.infrastructure_rds_s3_backups_task_execution | resource |
| aws_iam_role.infrastructure_vpc_flow_logs | resource |
| aws_iam_role_policy.infrastructure_vpc_flow_logs_allow_cloudwatch_rw | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_draining_ecs_container_instance_state_update_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_draining_kms_encrypt | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_draining_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_draining_sns_publish_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_cloudwatch_metric_put_metric_data_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_kms_encrypt | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_asg_describe_asg_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_ecs_describe_cluster_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_allow_instance_refresh | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_allow_modify_launch_template | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_kms_encrypt | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_instance_refresh_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_cloudwatch_metric_put_metric_data_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_kms_encrypt | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_metric_ecs_describe_cluster_lambda | resource |
| aws_iam_role_policy_attachment.ecs_cluster_infrastructure_pending_task_metric_lambda | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_autoscaling_lifecycle_termination_sns_publish | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_allow_builds | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_cloudwatch_rw | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_image_codebuild_ecr_push | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_cloudwatch_logs | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_ecr_pull | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_datadog_agent_task_execution_get_secret_value | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ec2_ecs | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_allow_builds | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_cloudwatch_rw | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_logspout_image_codebuild_ecr_push | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_s3_transfer_bucket_rw | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_blue_green_codedeploy | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_blue_green_codedeploy_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codebuild | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codebuild_blue_green | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codebuild_ecr_push | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codebuild_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codedeploy | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_codestar_connection | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_ecs_deploy | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_codepipeline_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_ecs_run_task | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_scheduled_task_pass_role_execution_role | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_custom | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ecs_exec_log_kms_decrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ecs_exec_log_s3_write | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_cloudwatch_logs | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_ecr_pull | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_kms_decrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_execution_s3_read_envfiles | resource |
| aws_iam_role_policy_attachment.infrastructure_ecs_cluster_service_task_ssm_create_channels | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_monitoring | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_allow_builds | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_ecr_push | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_execution_cloudwatch_logs | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_execution_ecr_pull | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_execution_get_secret_value | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_kms_encrypt | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_s3_list | resource |
| aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_task_s3_write | resource |
| aws_instance.infrastructure_bastion | resource |
| aws_internet_gateway.infrastructure_public | resource |
| aws_kms_alias.custom_s3_buckets | resource |
| aws_kms_alias.infrastructure | resource |
| aws_kms_key.custom_s3_buckets | resource |
| aws_kms_key.infrastructure | resource |
| aws_lambda_function.ecs_cluster_infrastructure_draining | resource |
| aws_lambda_function.ecs_cluster_infrastructure_ecs_asg_diff_metric | resource |
| aws_lambda_function.ecs_cluster_infrastructure_instance_refresh | resource |
| aws_lambda_function.ecs_cluster_infrastructure_pending_task_metric | resource |
| aws_lambda_permission.ecs_cluster_infrastructure_draining_allow_sns_execution | resource |
| aws_lambda_permission.ecs_cluster_infrastructure_ecs_asg_diff_metric_allow_cloudwatch_execution | resource |
| aws_lambda_permission.ecs_cluster_infrastructure_instance_refresh_allow_cloudwatch | resource |
| aws_lambda_permission.ecs_cluster_infrastructure_pending_task_metric_allow_cloudwatch_execution | resource |
| aws_launch_template.infrastructure_ecs_cluster | resource |
| aws_lb_listener_certificate.service_shared_alb_certificate | resource |
| aws_nat_gateway.infrastructure | resource |
| aws_network_acl.infrastructure_private | resource |
| aws_network_acl.infrastructure_public | resource |
| aws_network_acl_association.infrastructure_private_subnets | resource |
| aws_network_acl_association.infrastructure_public_subnets | resource |
| aws_network_acl_rule.egress_allow_all_private | resource |
| aws_network_acl_rule.egress_allow_all_public | resource |
| aws_network_acl_rule.egress_private | resource |
| aws_network_acl_rule.egress_public | resource |
| aws_network_acl_rule.ingress_allow_all_private | resource |
| aws_network_acl_rule.ingress_allow_all_public | resource |
| aws_network_acl_rule.ingress_private | resource |
| aws_network_acl_rule.ingress_public | resource |
| aws_placement_group.infrastructure_ecs_cluster | resource |
| aws_rds_cluster.infrastructure_rds | resource |
| aws_rds_cluster_instance.infrastructure_rds | resource |
| aws_route.infrustructure_public_internet_gateway | resource |
| aws_route.private_nat_gateway | resource |
| aws_route53_record.custom_a | resource |
| aws_route53_record.custom_alias | resource |
| aws_route53_record.custom_cname | resource |
| aws_route53_record.custom_mx | resource |
| aws_route53_record.custom_ns | resource |
| aws_route53_record.custom_s3_cloudfront_record | resource |
| aws_route53_record.custom_txt | resource |
| aws_route53_record.infrastructure_ns | resource |
| aws_route53_record.infrastructure_wildcard_ssl_verification | resource |
| aws_route53_record.service_loadbalancer_record_alb | resource |
| aws_route53_record.service_loadbalancer_record_alb_global_accelerator_a | resource |
| aws_route53_record.service_record | resource |
| aws_route53_record.service_record_ipv6 | resource |
| aws_route53_zone.custom | resource |
| aws_route53_zone.infrastructure | resource |
| aws_route_table.infrastructure_private | resource |
| aws_route_table.infrastructure_public | resource |
| aws_route_table_association.infrastructure_private | resource |
| aws_route_table_association.infrastructure_public | resource |
| aws_s3_bucket.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket.custom | resource |
| aws_s3_bucket.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket.infrastructure_logs | resource |
| aws_s3_bucket.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket.infrastructure_vpc_transfer | resource |
| aws_s3_bucket_acl.infrastructure_logs_log_delivery_write | resource |
| aws_s3_bucket_lifecycle_configuration.custom | resource |
| aws_s3_bucket_lifecycle_configuration.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket_lifecycle_configuration.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_lifecycle_configuration.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_lifecycle_configuration.logs | resource |
| aws_s3_bucket_logging.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket_logging.custom | resource |
| aws_s3_bucket_logging.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_logging.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket_logging.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket_logging.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_logging.infrastructure_vpc_transfer | resource |
| aws_s3_bucket_ownership_controls.custom | resource |
| aws_s3_bucket_ownership_controls.infrastructure_logs | resource |
| aws_s3_bucket_policy.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket_policy.custom | resource |
| aws_s3_bucket_policy.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket_policy.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_policy.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket_policy.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket_policy.infrastructure_logs | resource |
| aws_s3_bucket_policy.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_policy.infrastructure_vpc_transfer | resource |
| aws_s3_bucket_public_access_block.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket_public_access_block.custom | resource |
| aws_s3_bucket_public_access_block.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket_public_access_block.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_public_access_block.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket_public_access_block.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket_public_access_block.infrastructure_logs | resource |
| aws_s3_bucket_public_access_block.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_public_access_block.infrastructure_vpc_transfer | resource |
| aws_s3_bucket_server_side_encryption_configuration.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket_server_side_encryption_configuration.custom | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_logs | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_server_side_encryption_configuration.infrastructure_vpc_transfer | resource |
| aws_s3_bucket_versioning.cloudformation_custom_stack_template_store | resource |
| aws_s3_bucket_versioning.custom | resource |
| aws_s3_bucket_versioning.infrastructure_ecs_cluster_service_alb_logs | resource |
| aws_s3_bucket_versioning.infrastructure_ecs_cluster_service_build_pipeline_artifact_store | resource |
| aws_s3_bucket_versioning.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store | resource |
| aws_s3_bucket_versioning.infrastructure_ecs_cluster_service_environment_files | resource |
| aws_s3_bucket_versioning.infrastructure_logs | resource |
| aws_s3_bucket_versioning.infrastructure_rds_s3_backups | resource |
| aws_s3_bucket_versioning.infrastructure_vpc_transfer | resource |
| aws_s3_object.infrastructure_ecs_cluster_service_build_pipeline_buildspec_store_files | resource |
| aws_secretsmanager_secret.infrastructure_ecs_cluster_datadog_agent_api_key | resource |
| aws_secretsmanager_secret.infrastructure_rds_root_password | resource |
| aws_secretsmanager_secret_version.infrastructure_ecs_cluster_datadog_agent_api_key | resource |
| aws_secretsmanager_secret_version.infrastructure_rds_root_password | resource |
| aws_security_group.infrastructure_ec2_bastion_host | resource |
| aws_security_group.infrastructure_ecs_cluster_container_instances | resource |
| aws_security_group.infrastructure_ecs_cluster_efs | resource |
| aws_security_group.infrastructure_ecs_cluster_service_alb | resource |
| aws_security_group.infrastructure_elasticache | resource |
| aws_security_group.infrastructure_rds | resource |
| aws_security_group.infrastructure_rds_s3_backups_scheduled_task | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_custom | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_egress_dns_tcp | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_egress_dns_udp | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_egress_https_tcp | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_egress_https_udp | resource |
| aws_security_group_rule.infrastructure_ec2_bastion_host_egress_rds | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_custom | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_dns_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_dns_udp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_https_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_https_udp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_logspout_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_nfs_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_egress_rds | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_ingress_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_container_instances_ingress_udp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_efs_ingress_nfs_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_service_alb_container_instance_egress_tcp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_service_alb_container_instance_egress_udp | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_service_alb_http | resource |
| aws_security_group_rule.infrastructure_ecs_cluster_service_alb_https | resource |
| aws_security_group_rule.infrastructure_elasticache_ingress_tcp | resource |
| aws_security_group_rule.infrastructure_rds_ingress_tcp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backup_task_ingress_tcp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backups_scheduled_task_egress_dns_tcp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backups_scheduled_task_egress_dns_udp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backups_scheduled_task_egress_https_tcp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backups_scheduled_task_egress_https_udp | resource |
| aws_security_group_rule.infrastructure_rds_s3_backups_scheduled_task_egress_rds | resource |
| aws_sns_topic.infrastructure_ecs_cluster_autoscaling_lifecycle_termination | resource |
| aws_sns_topic_subscription.ecs_cluster_infrastructure_draining_autoscaling_lifecycle_termination | resource |
| aws_ssm_document.infrastructure_vpc_transfer_s3_download | resource |
| aws_ssm_document.infrastructure_vpc_transfer_s3_upload | resource |
| aws_subnet.infrastructure_private | resource |
| aws_subnet.infrastructure_public | resource |
| aws_vpc.infrastructure | resource |
| aws_wafv2_ip_set.infrastructure_ecs_cluster_ipv4_allow_list | resource |
| aws_wafv2_ip_set.infrastructure_ecs_cluster_ipv4_deny_list | resource |
| aws_wafv2_ip_set.infrastructure_ecs_cluster_ipv6_allow_list | resource |
| aws_wafv2_ip_set.infrastructure_ecs_cluster_ipv6_deny_list | resource |
| aws_wafv2_web_acl.infrastructure_ecs_cluster | resource |
| datadog_service_definition_yaml.infrastructure_ecs_cluster_service | resource |
| random_password.infrastructure_ecs_cluster_service_cloudfront_bypass_protection_secret | resource |
| random_password.infrastructure_rds_root | resource |
| terraform_data.infrastructure_ecs_cluster_datadog_agent_image_build_trigger_codebuild | resource |
| terraform_data.infrastructure_ecs_cluster_logspout_image_build_trigger_codebuild | resource |
| terraform_data.infrastructure_ecs_cluster_service_blue_green_create_codedeploy_deployment | resource |
| terraform_data.infrastructure_ecs_cluster_service_env_file | resource |
| terraform_data.infrastructure_rds_s3_backups_image_build_trigger_codebuild | resource |
| archive_file.ecs_cluster_infrastructure_draining_lambda | data source |
| archive_file.ecs_cluster_infrastructure_ecs_asg_diff_metric_lambda | data source |
| archive_file.ecs_cluster_infrastructure_instance_refresh_lambda | data source |
| archive_file.ecs_cluster_infrastructure_pending_task_metric_lambda | data source |
| aws_ami.bastion_ami | data source |
| aws_ami.ecs_cluster_ami | data source |
| aws_caller_identity.current | data source |
aws_cloudfront_cache_policy.managed_policy data source
aws_cloudfront_origin_request_policy.managed_policy data source
aws_cloudfront_response_headers_policy.managed_policy data source
aws_elb_service_account.current data source
aws_route53_zone.root data source
aws_s3_object.ecs_cluster_service_buildspec data source
aws_sns_topic.infrastructure_opsgenie_sns_topic data source
aws_sns_topic.infrastructure_slack_sns_topic data source
external_external.s3_presigned_url data source

Inputs

Name Description Type Default Required
aws_profile_name_route53_root AWS Profile name which is configured for the account in which the root Route53 Hosted Zone exists. string n/a yes
aws_region AWS region in which to launch resources string n/a yes
custom_cloudformation_stacks Map of CloudFormation stacks to deploy
{
stack-name = {
s3_template_store_key: The filename of a CloudFormation template that is stored within the S3 bucket created by enable_cloudformatian_s3_template_store
template_body: (Optional - use of s3_template_store_key is preferred) The CloudFormation template body
parameters: The CloudFormation template parameters ({ parameter-name = parameter-value, ... })
on_failure: What to do on failure, either 'DO_NOTHING', 'ROLLBACK' or 'DELETE'
capabilities: A list of capabilities. Valid values: CAPABILITY_NAMED_IAM, CAPABILITY_IAM, CAPABILITY_AUTO_EXPAND
}
}
map(object({
s3_template_store_key = optional(string, null)
template_body = optional(string, null)
parameters = optional(map(string), null)
on_failure = optional(string, null)
capabilities = optional(list(string), null)
}))
n/a yes
custom_route53_hosted_zones Map of Route53 Hosted Zone configurations to create
{
example.com = {
ns_records: Map of NS records to create ({ "domain.example.com" = { values = ["ns1.example.com", "ns2.example.com"], ttl = 300 })
a_records: Map of A records to create ({ "domain.example.com" = { values = ["1.2.3.4", "5.6.7.8"], ttl = 300 })
alias_records: Map of ALIAS records to create ({ "domain.example.com" = { value = "example.cloudfront.com", zone_id = "Z2FDTNDATAQYW2" })
cname_records: Map of CNAME records to create ({ "domain.example.com" = { values = ["external1.example.com", "external2.example.com"], ttl = 60 })
mx_records: Map of MX records to create ({ "example.com" = { values = ["1 mail.example.com", "5 mail2.example.com"], ttl = 60 })
txt_records: Map of TXT records to create ({ "example.com" = { values = ["v=spf1 include:spf.example.com -all"], ttl = 60 })
}
}
map(object({
ns_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
a_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
alias_records = optional(map(object({
value = string
zone_id = string
})), null)
cname_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
mx_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
txt_records = optional(map(object({
values = list(string)
ttl = optional(number, 300)
})), null)
}))
n/a yes
custom_s3_buckets Map of S3 buckets to create, and conditionally serve via CloudFront. The S3 configuration will follow AWS best practices (eg. Private, ACLs disabled, SSE, Versioning, Logging). The bucket must be emptied before attempting deletion/destruction.
{
bucket-name = {
create_dedicated_kms_key: Conditionally create a KMS key specifically for this bucket's server side encryption (rather than using the Infrastructure's KMS key). It's recommended to use this if the S3 bucket will be accessed from external AWS accounts.
custom_kms_key_policy_statements: Conditionally add a string of comma delimited user-defined KMS key policy statements (eg. '{"Effect": ...},{"Effect": ...}')
use_aes256_encryption: Conditionally enforce using AES256 encryption, rather than the infrastructure KMS key. Also overrides create_dedicated_kms_key
transition_to_ia_days: Conditionally transition objects to 'Standard Infrequent Access' storage in N days
transition_to_glacier_days: Conditionally transition objects to 'Glacier' storage in N days
cloudfront_dedicated_distribution: Conditionally create a CloudFront distribution to serve objects from the S3 bucket.
cloudfront_s3_root: Sets the S3 document root when being served from CloudFront. By default this will be '/'. If cloudfront_infrastructure_ecs_cluster_service_path has been set, this helps by modifying the request from /sub-directory-path to / by use of a CloudFront function.
cloudfront_infrastructure_ecs_cluster_service: Conditionally create an Origin on a CloudFront distribution that is serving the given Infrastructure ECS Cluster Service name
cloudfront_infrastructure_ecs_cluster_service_path: If cloudfront_infrastructure_ecs_cluster_service, set this to the path that objects will be served from.
custom_bucket_policy_statements: Conditionally add a string of comma delimited user-defined bucket policy statements (eg. '{"Effect": ...},{"Effect": ...}')
}
}
map(object({
create_dedicated_kms_key = optional(bool, null)
custom_kms_key_policy_statements = optional(string, null)
use_aes256_encryption = optional(bool, null)
transition_to_ia_days = optional(number, null)
transition_to_glacier_days = optional(number, null)
cloudfront_dedicated_distribution = optional(bool, null)
cloudfront_s3_root = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service = optional(string, null)
cloudfront_infrastructure_ecs_cluster_service_path = optional(string, null)
custom_bucket_policy_statements = optional(string, null)
}))
n/a yes
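The following is an added example of a custom_s3_buckets value, not taken from the module's own documentation. It assumes a placeholder module source and account ID, and shows only this input; every other input in the table is still required. The first bucket is shared with an external account (so it gets its own KMS key plus a key policy statement for that account), the second is served under a path on an ECS service's CloudFront distribution.

```hcl
module "dalmatian_infrastructure" {
  # Assumed placeholder: point this at the real module reference for your setup
  source = "../terraform-dxw-dalmatian-infrastructure"

  # ... all other required inputs omitted for brevity ...

  custom_s3_buckets = {
    # Private export bucket read by a partner AWS account. A dedicated KMS key is
    # recommended for cross-account access; the extra key policy statement lets the
    # partner role (placeholder account ID and role name) decrypt objects.
    "partner-exports" = {
      create_dedicated_kms_key = true
      custom_kms_key_policy_statements = jsonencode({
        Sid       = "AllowPartnerDecrypt"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::111111111111:role/partner-reader" }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
      })
      # Lifecycle: move to Standard-IA after 30 days, Glacier after 90 days
      transition_to_ia_days      = 30
      transition_to_glacier_days = 90
    }

    # Static assets served at /assets on the CloudFront distribution of the ECS
    # service named "web". With cloudfront_s3_root left at "/", the CloudFront
    # function rewrites /assets/<object> to /<object> before hitting the bucket.
    "web-assets" = {
      use_aes256_encryption                              = true
      cloudfront_infrastructure_ecs_cluster_service      = "web"
      cloudfront_infrastructure_ecs_cluster_service_path = "/assets"
      cloudfront_s3_root                                 = "/"
    }
  }
}
```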
ecs_cluster_efs_directories ECS cluster EFS directories to create list(string) n/a yes
ecs_cluster_efs_infrequent_access_transition ECS cluster EFS IA transition in days. Set to 0 to disable IA transition. number n/a yes
ecs_cluster_efs_performance_mode ECS cluster EFS performance mode string n/a yes
ecs_cluster_efs_throughput_mode ECS cluster EFS throughput mode string n/a yes
enable_cloudformatian_s3_template_store Creates an S3 bucket to store custom CloudFormation templates, which can then be referenced in custom_cloudformation_stacks. A user with RW access to the bucket is also created. bool n/a yes
enable_infrastructure_bastion_host Enable Infrastructure Bastion host. This launches a t3.micro AL2023 instance within the VPC that can be accessed via Session Manager bool n/a yes
enable_infrastructure_ecs_cluster Enable creation of infrastructure ECS cluster, to place ECS services bool n/a yes
enable_infrastructure_ecs_cluster_asg_cpu_alert Enable a CPU alert for the ECS cluster's Autoscaling Group bool n/a yes
enable_infrastructure_ecs_cluster_datadog_agent Conditionally launch Datadog agent containers on the ECS cluster bool n/a yes
enable_infrastructure_ecs_cluster_ecs_asg_diff_alert Enable the ECS Cluster Container Instance / ASG instance diff alert bool n/a yes
enable_infrastructure_ecs_cluster_efs Conditionally create and mount EFS to the ECS cluster instances bool n/a yes
enable_infrastructure_ecs_cluster_pending_task_alert Enable the ECS Cluster pending task alert bool n/a yes
enable_infrastructure_ecs_cluster_services_alb_logs Enable Infrastructure ECS cluster services ALB logs bool n/a yes
enable_infrastructure_rds_backup_to_s3 Enable Infrastructure RDS backups to S3. This will create a scheduled Fargate task to take SQL dumps and upload them to S3 bool n/a yes
enable_infrastructure_route53_hosted_zone Creates a Route53 hosted zone, where DNS records will be created for resources launched within this module. bool n/a yes
enable_infrastructure_vpc_transfer_s3_bucket Enable VPC transfer S3 bucket. This allows uploading/downloading files from resources within the infrastructure VPC bool n/a yes
environment The environment name to be used as part of the resource prefix string n/a yes
infrastructure_bastion_host_custom_security_group_rules Map of custom security group rules to add to the Infrastructure EC2 Bastion Host security group (eg. { rule-name = {type = "egress", ... } })
map(object({
description = string
type = string
from_port = number
to_port = number
protocol = string
source_security_group_id = optional(string, "")
cidr_blocks = optional(list(string), [])
}))
n/a yes
infrastructure_datadog_api_key Datadog API key string n/a yes
infrastructure_datadog_app_key Datadog App key string n/a yes
infrastructure_datadog_region Datadog region string n/a yes
infrastructure_dockerhub_email Dockerhub email string n/a yes
infrastructure_dockerhub_token Dockerhub token which has permissions to pull images string n/a yes
infrastructure_dockerhub_username Dockerhub username string n/a yes
infrastructure_ecs_cluster_ami_version AMI version for ECS cluster instances (amzn2-ami-ecs-hvm-) string n/a yes
infrastructure_ecs_cluster_asg_cpu_alert_evaluation_periods Evaluation periods for the ECS cluster's Autoscaling Group CPU alert number n/a yes
infrastructure_ecs_cluster_asg_cpu_alert_opsgenie Enable Opsgenie alerts for the ECS cluster's Autoscaling Group CPU alert bool n/a yes
infrastructure_ecs_cluster_asg_cpu_alert_period Period (in seconds) for the ECS cluster's Autoscaling Group CPU alert number n/a yes
infrastructure_ecs_cluster_asg_cpu_alert_slack Enable Slack alerts for the ECS cluster's Autoscaling Group CPU alert bool n/a yes
infrastructure_ecs_cluster_asg_cpu_alert_threshold Threshold (CPU%) for the ECS cluster's Autoscaling Group CPU alert number n/a yes
infrastructure_ecs_cluster_autoscaling_time_based_custom List of objects with min/max sizes and cron expressions to scale the ECS cluster. Min size will be used as the desired size.
list(
object({
cron = string
min = number
max = number
})
)
n/a yes
infrastructure_ecs_cluster_autoscaling_time_based_max List of cron expressions to scale the ECS cluster to the configured max size list(string) n/a yes
infrastructure_ecs_cluster_autoscaling_time_based_min List of cron expressions to scale the ECS cluster to the configured min size list(string) n/a yes
infrastructure_ecs_cluster_custom_security_group_rules Map of custom security group rules to add to the ECS Cluster security group (eg. { rule-name = {type = "egress", ... } })
map(object({
description = string
type = string
from_port = number
to_port = number
protocol = string
source_security_group_id = optional(string, "")
cidr_blocks = optional(list(string), [])
}))
n/a yes
infrastructure_ecs_cluster_draining_lambda_enabled Enable the Lambda which ensures all containers have drained before terminating ECS cluster instances bool n/a yes
infrastructure_ecs_cluster_draining_lambda_log_retention Log retention for the ECS cluster draining Lambda number n/a yes
infrastructure_ecs_cluster_ebs_docker_storage_volume_size Size of EBS volume for Docker storage on the infrastructure ECS instances number n/a yes
infrastructure_ecs_cluster_ebs_docker_storage_volume_type Type of EBS volume for Docker storage on the infrastructure ECS instances (eg. gp3) string n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_alert_evaluation_periods Evaluation periods for the ECS cluster's Container Instance / ASG instance diff alert number n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_alert_opsgenie Enable Opsgenie alerts for the ECS cluster's Container Instance / ASG instance diff alert bool n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_alert_period Period (in seconds) for the ECS cluster's Container Instance / ASG instance diff alert number n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_alert_slack Enable Slack alerts for the ECS cluster's Container Instance / ASG instance diff alert bool n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_alert_threshold Threshold (Number of pending tasks) for the ECS cluster's Container Instance / ASG instance diff alert number n/a yes
infrastructure_ecs_cluster_ecs_asg_diff_metric_lambda_log_retention Log retention for the ECS cluster Container Instance / ASG instance diff metric Lambda number n/a yes
infrastructure_ecs_cluster_enable_debug_mode Enable debug mode for ECS and Docker on the Infrastructure ECS. This should only be enabled when debugging (Can cause a lot of logs) bool n/a yes
infrastructure_ecs_cluster_enable_execute_command_logging Enable ECS Exec logging for services within the cluster. This will log to the infrastructure logs S3 bucket bool n/a yes
infrastructure_ecs_cluster_instance_refresh_lambda_log_retention Log retention for the ECS cluster instance refresh lambda number n/a yes
infrastructure_ecs_cluster_instance_refresh_lambda_schedule_expression Conditionally launch a Lambda to trigger an instance refresh on the ECS ASG, if a schedule expression is provided string n/a yes
infrastructure_ecs_cluster_instance_type The instance type for EC2 instances launched in the ECS cluster string n/a yes
infrastructure_ecs_cluster_logspout_command If provided, a logspout container will be launched on each container instance with the given command. If specified, container logs will no longer automatically be sent to CloudWatch, or to the given infrastructure_ecs_cluster_syslog_endpoint list(string) n/a yes
infrastructure_ecs_cluster_max_instance_lifetime Maximum lifetime in seconds of an instance within the ECS cluster number n/a yes
infrastructure_ecs_cluster_max_size Maximum number of instances for the ECS cluster number n/a yes
infrastructure_ecs_cluster_min_size Minimum number of instances for the ECS cluster number n/a yes
infrastructure_ecs_cluster_pending_task_alert_evaluation_periods Evaluation periods for the ECS cluster's Pending Task alert number n/a yes
infrastructure_ecs_cluster_pending_task_alert_opsgenie Enable Opsgenie alerts for the ECS cluster's Pending Task alert bool n/a yes
infrastructure_ecs_cluster_pending_task_alert_period Period (in seconds) for the ECS cluster's Pending Task alert number n/a yes
infrastructure_ecs_cluster_pending_task_alert_slack Enable Slack alerts for the ECS cluster's Pending Task alert bool n/a yes
infrastructure_ecs_cluster_pending_task_alert_threshold Threshold (Number of pending tasks) for the ECS cluster's Pending Task alert number n/a yes
infrastructure_ecs_cluster_pending_task_metric_lambda_log_retention Log retention for the ECS cluster pending task metric Lambda number n/a yes
infrastructure_ecs_cluster_publicly_avaialble Conditionally launch the ECS cluster EC2 instances into the Public subnet bool n/a yes
infrastructure_ecs_cluster_service_defaults Default values for ECS Cluster Services
object({
github_v1_source = optional(bool, null)
github_v1_oauth_token = optional(string, null)
codestar_connection_arn = optional(string, null)
github_owner = optional(string, null)
github_repo = optional(string, null)
github_track_revision = optional(string, null)
buildspec = optional(string, null)
buildspec_from_github_repo = optional(bool, null)
codebuild_environment_variables = optional(list(object({
name = string
value = string
})), [])
ecr_scan_target_sns_topic_arn = optional(string, null)
deployment_type = optional(string, null)
enable_cloudwatch_logs = optional(bool, null)
cloudwatch_logs_retention = optional(number, null)
enable_execute_command = optional(bool, null)
deregistration_delay = optional(number, null)
custom_policies = optional(map(object({
description = string
policy = object({
Version = string
Statement = list(object({
Action = list(string)
Effect = string
Resource = list(string)
}))
})
})), {})
container_entrypoint = optional(list(string), null)
container_port = optional(number, null)
container_volumes = optional(list(map(string)), null)
container_extra_hosts = optional(list(map(string)), null)
container_count = optional(number, null)
container_heath_check_path = optional(string, null)
container_heath_grace_period = optional(number, null)
scheduled_tasks = optional(map(object({
entrypoint = optional(list(string), null)
schedule_expression = string
})), {})
domain_names = optional(list(string), null)
enable_cloudfront = optional(bool, null)
cloudfront_tls_certificate_arn = optional(string, null)
cloudfront_access_logging_enabled = optional(bool, null)
cloudfront_bypass_protection_enabled = optional(bool, null)
cloudfront_bypass_protection_excluded_domains = optional(list(string), null)
cloudfront_origin_shield_enabled = optional(bool, null)
cloudfront_managed_cache_policy = optional(string, null)
cloudfront_managed_origin_request_policy = optional(string, null)
cloudfront_managed_response_headers_policy = optional(string, null)
cloudfront_waf_association = optional(string, null)
alb_tls_certificate_arn = optional(string, null)
})
n/a yes
infrastructure_ecs_cluster_services Map of ECS Cluster Services (The key will be the service name). Values in here will override infrastructure_ecs_cluster_service_defaults values if set.
{
service-name = {
github_v1_source: Conditionally use GitHubV1 for the CodePipeline source (CodeStar will be used by default)
github_v1_oauth_token: If github_v1_source is set to true, provide the GitHub OAuthToken here
codestar_connection_arn: The CodeStar Connection ARN to use in the CodePipeline source
github_owner: The GitHub Owner of the repository to be pulled by the CodePipeline source
github_repo: The GitHub repo name to be pulled by the CodePipeline source
github_track_revision: The branch/revision of the GitHub repository to be pulled by the CodePipeline source
buildspec: The filename of the buildspec to use for the CodePipeline build phase, stored within the 'codepipeline buildspec store' S3 bucket
buildspec_from_github_repo: Conditionally use the 'buildspec' filename stored within the GitHub repo as the buildspec
codebuild_environment_variables: List of codebuild environment variable objects (eg. [{ name = "MY_VAR", value = "foo" },{ name = "MY_OTHER_VAR", value = "bar"}])
ecr_scan_target_sns_topic_arn: An SNS topic ARN to publish ECR scan results to
deployment_type: The service deployment type - Can be one of 'rolling' or 'blue-green'
enable_cloudwatch_logs: Conditionally enable cloudwatch logs for the service
cloudwatch_logs_retention: CloudWatch log retention in days
enable_execute_command: Enable Amazon ECS Exec to directly interact with containers
deregistration_delay: Amount of time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused
custom_policies: Map of custom policies to attach to the service task role (eg. { policy-name = { description = "my custom policy", policy = { Version = "2012-10-17", Statement = [] } } })
container_entrypoint: The container entrypoint
container_port: The service container port
container_volumes: List of maps containing volume mappings eg. [ { "name" = "my-volume", "host_path" = "/mnt/efs/my-dir", "container_path" = "/mnt/my-dir" } ]
container_extra_hosts: List of maps containing extra hosts eg. [ { "hostname" = "my.host", "ip_address" = "10.1.2.3" } ]
container_count: Number of containers to launch for the service
container_heath_check_path: Destination for the health check request
container_heath_grace_period: Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown
scheduled_tasks: A map of scheduled tasks that use the same image as the service defined eg. { "name" = { "entrypoint" = ["bundle", "exec", "run_jobs"], "schedule_expression" = "cron(* * * * ? *)" } }
domain_names: Domain names to assign to CloudFront aliases, and the Application Load Balancer's host_header condition
enable_cloudfront: Enable CloudFront for the service
cloudfront_tls_certificate_arn: Certificate ARN to attach to CloudFront - must contain the names provided in domain_names
cloudfront_access_logging_enabled: Enable access logging for the distribution to the infrastructure S3 logs bucket
cloudfront_bypass_protection_enabled: This adds a secret header at the CloudFront level, which is then checked by the ALB listener rules. Requests are only forwarded if the header matches, preventing requests going directly to the ALB.
cloudfront_bypass_protection_excluded_domains: A list of domains to exclude from the bypass protection
cloudfront_origin_shield_enabled: Enable CloudFront Origin Shield
cloudfront_managed_cache_policy: Conditionally specify a CloudFront Managed Cache Policy for the distribution
cloudfront_managed_origin_request_policy: Conditionally specify a CloudFront Managed Origin Request Policy for the distribution
cloudfront_managed_response_headers_policy: Conditionally specify a CloudFront Managed Response Headers Policy for the distribution
cloudfront_waf_association: Conditionally associate a WAF created via infrastructure_ecs_cluster_wafs, referenced by the key of the WAF configuration
alb_tls_certificate_arn: Certificate ARN to attach to the Application Load Balancer - must contain the names provided in domain_names
}
}
map(object({
github_v1_source = optional(bool, null)
github_v1_oauth_token = optional(string, null)
codestar_connection_arn = optional(string, null)
github_owner = optional(string, null)
github_repo = optional(string, null)
github_track_revision = optional(string, null)
buildspec = optional(string, null)
buildspec_from_github_repo = optional(bool, null)
codebuild_environment_variables = optional(list(object({
name = string
value = string
})), [])
ecr_scan_target_sns_topic_arn = optional(string, null)
deployment_type = optional(string, null)
enable_cloudwatch_logs = optional(bool, null)
cloudwatch_logs_retention = optional(number, null)
enable_execute_command = optional(bool, null)
deregistration_delay = optional(number, null)
custom_policies = optional(map(object({
description = string
policy = object({
Version = string
Statement = list(object({
Action = list(string)
Effect = string
Resource = list(string)
}))
})
})), {})
container_entrypoint = optional(list(string), null)
container_port = optional(number, null)
container_volumes = optional(list(map(string)), null)
container_extra_hosts = optional(list(map(string)), null)
container_count = optional(number, null)
container_heath_check_path = optional(string, null)
container_heath_grace_period = optional(number, null)
scheduled_tasks = optional(map(object({
entrypoint = list(string)
schedule_expression = string
})), null)
domain_names = optional(list(string), null)
enable_cloudfront = optional(bool, null)
cloudfront_tls_certificate_arn = optional(string, null)
cloudfront_access_logging_enabled = optional(bool, null)
cloudfront_bypass_protection_enabled = optional(bool, null)
cloudfront_bypass_protection_excluded_domains = optional(list(string), null)
cloudfront_origin_shield_enabled = optional(bool, null)
cloudfront_managed_cache_policy = optional(string, null)
cloudfront_managed_origin_request_policy = optional(string, null)
cloudfront_managed_response_headers_policy = optional(string, null)
cloudfront_waf_association = optional(string, null)
alb_tls_certificate_arn = optional(string, null)
}))
n/a yes
infrastructure_ecs_cluster_services_alb_enable_global_accelerator Enable Global Accelerator (GA) for the infrastructure ECS cluster services ALB. If cloudfront_bypass_protection_enabled is set for a service, any domain pointing towards the GA must be added to the cloudfront_bypass_protection_excluded_domains list. It is recommended that the GA only be used for apex domains that redirect to the domain associated with CloudFront. Ideally, apex domains would use an ALIAS record pointing towards the CloudFront distribution. bool n/a yes
infrastructure_ecs_cluster_services_alb_ip_allow_list IP allow list for ingress traffic to the infrastructure ECS cluster services ALB list(string) n/a yes
infrastructure_ecs_cluster_services_alb_logs_retention Retention in days for the infrastructure ECS cluster ALB logs number n/a yes
infrastructure_ecs_cluster_syslog_endpoint ECS Infrastructure Syslog endpoint. If specified, rsyslog will be installed on the ECS container instances and configured to send logs to this endpoint. Logspout containers will also be launched to gather and send Docker logs (Application logs from the running ECS services). The port must be included in the URI, eg. 'syslog+tls://example.com:1234' string n/a yes
infrastructure_ecs_cluster_syslog_permitted_peer Specify the certificate common name (CN) of the remote to ensure syslog communication is restricted to permitted endpoints (eg. '*.example.com') string n/a yes
infrastructure_ecs_cluster_termination_timeout The timeout for the termination lifecycle hook number n/a yes
infrastructure_ecs_cluster_wafs Map of WAF ACLs to create, which can be used with service CloudFront distributions
map(object({
ipv4_deny_list = optional(list(string), null)
ipv4_allow_list = optional(list(string), null)
ipv6_deny_list = optional(list(string), null)
ipv6_allow_list = optional(list(string), null)
aws_managed_rules = optional(list(object({
name = string
action = string
exclude_rules = optional(list(string), null)
excluded_path_patterns = optional(list(string), null)
})), null)
}))
n/a yes
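An added example (not from the module's own docs) tying together infrastructure_ecs_cluster_services, infrastructure_ecs_cluster_services_alb_enable_global_accelerator and infrastructure_ecs_cluster_wafs: one service fronted by CloudFront with bypass protection, a WAF attached by key, and the apex domain excluded because it reaches the ALB via the Global Accelerator rather than CloudFront. Module source, certificate ARNs, account ID, IP ranges, and the managed rule names and action values are assumptions or placeholders; only the relevant inputs are shown.

```hcl
module "dalmatian_infrastructure" {
  # Assumed placeholder: point this at the real module reference for your setup
  source = "../terraform-dxw-dalmatian-infrastructure"

  # ... all other required inputs omitted for brevity ...

  infrastructure_ecs_cluster_wafs = {
    "public-web" = {
      # Constructed sample ranges: block one abusive range, allow an office egress IP
      ipv4_deny_list  = ["203.0.113.0/24"]
      ipv4_allow_list = ["198.51.100.10/32"]
      aws_managed_rules = [
        {
          # AWS managed rule group names; "block" as the action value is assumed
          name   = "AWSManagedRulesCommonRuleSet"
          action = "block"
          # Large admin uploads would trip the body size rule, so skip it on that path only
          exclude_rules          = ["SizeRestrictions_BODY"]
          excluded_path_patterns = ["/admin/*"]
        },
        {
          name   = "AWSManagedRulesKnownBadInputsRuleSet"
          action = "block"
        },
      ]
    }
  }

  # The GA gives the apex domain a static IP; per the input description it should
  # only carry apex traffic that redirects to the CloudFront-served hostname.
  infrastructure_ecs_cluster_services_alb_enable_global_accelerator = true

  infrastructure_ecs_cluster_services = {
    "web" = {
      deployment_type = "blue-green"
      container_port  = 3000
      domain_names    = ["www.example.org", "example.org"]

      enable_cloudfront = true
      # Both certificates must cover the names in domain_names; CloudFront's lives in us-east-1
      cloudfront_tls_certificate_arn = "arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER"
      alb_tls_certificate_arn        = "arn:aws:acm:eu-west-2:111111111111:certificate/PLACEHOLDER"
      cloudfront_access_logging_enabled = true

      # Attach the WAF defined above by its map key
      cloudfront_waf_association = "public-web"

      # Origin lock-down: CloudFront injects a secret header and the ALB listener
      # rules forward only requests that carry it. example.org arrives via the GA,
      # not CloudFront, so it has no header and must be excluded or it is dropped.
      cloudfront_bypass_protection_enabled          = true
      cloudfront_bypass_protection_excluded_domains = ["example.org"]
    }
  }
}
```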
infrastructure_elasticache Map of ElastiCaches (The key will be the ElastiCache name). Values in here will override infrastructure_elasticache_defaults values if set.
{
elasticache-name = {
type: Choose either cluster or serverless
engine: ElastiCache engine (Only redis is currently supported)
engine_version: ElastiCache Engine version (For serverless, Specify the major version only)
parameters: Map of Parameters for the ElastiCache parameter group ({ parameter-name = parameter-value, ... })
cluster_node_type: ElastiCache Cluster node type
cluster_node_count: ElastiCache Cluster node count
serverless_max_storage: Serverless maximum storage
serverless_max_ecpu: Serverless maximum number of ECPUs the cache can consume per second (1000 - 15000000)
snapshot_retention_limit: Snapshot retention limit
}
}
map(object({
type = optional(string, null)
engine = optional(string, null)
engine_version = optional(string, null)
parameters = optional(map(string), null)
cluster_node_type = optional(string, null)
cluster_node_count = optional(number, null)
serverless_max_storage = optional(string, null)
serverless_max_ecpu = optional(number, null)
snapshot_retention_limit = optional(number, null)
}))
n/a yes
infrastructure_elasticache_defaults Default values for ElastiCaches
object({
type = optional(string, null)
engine = optional(string, null)
engine_version = optional(string, null)
parameters = optional(map(string), null)
cluster_node_type = optional(string, null)
cluster_node_count = optional(number, null)
serverless_max_storage = optional(number, null)
serverless_max_ecpu = optional(number, null)
snapshot_retention_limit = optional(number, null)
})
n/a yes
infrastructure_kms_encryption Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption. bool n/a yes
infrastructure_logging_bucket_retention Retention in days for the infrastructure S3 logs. This is for the default S3 logs bucket, where all AWS service logs will be delivered number n/a yes
infrastructure_name The infrastructure name to be used as part of the resource prefix string n/a yes
infrastructure_rds Map of RDSs (The key will be the RDS name). Values in here will override infrastructure_rds_defaults values if set.
{
rds-name = {
type: Choose either instance for RDS instance, or cluster for RDS Aurora
engine: RDS engine (Either mysql or postgres)
engine_version: RDS Engine version (Specify the major version only, to prevent terraform attempting to downgrade minor versions)
parameters: Map of Parameters for the DB parameter group ({ parameter-name = parameter-value, ... })
instance_class: RDS instance class
allocated_storage: RDS allocated storage
storage_type: RDS storage type
iops: RDS iops (When type is instance, this is only required for storage type of io1 or gp3 - When cluster, this must be a multiple between .5 and 50 of the storage amount for the DB cluster.)
storage_throughput: RDS storage throughput (Only required when storage_type is gp3. Only applicable for type of instance)
multi_az: Enable Multi-AZ RDS (Not applicable for type of cluster. For cluster - set storage_type, allocated_storage, iops and instance_class)
monitoring_interval: The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. Valid Values: 0, 1, 5, 10, 15, 30, 60.
cloudwatch_logs_export_types: List of log types to enable for exporting to CloudWatch Logs. See EnableCloudwatchLogsExports.member.N (https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html) for valid values.
cluster_instance_count: Number of instances to launch within the Aurora DB cluster
cluster_serverlessv2_min_capacity: Minimum capacity for an Aurora DB cluster
cluster_serverlessv2_max_capacity: Maximum capacity for an Aurora DB cluster
}
}
map(object({
type = optional(string, null)
engine = optional(string, null)
engine_version = optional(string, null)
parameters = optional(map(string), null)
instance_class = optional(string, null)
allocated_storage = optional(number, null)
storage_type = optional(string, null)
iops = optional(number, null)
storage_throughput = optional(number, null)
multi_az = optional(bool, null)
monitoring_interval = optional(number, null)
cloudwatch_logs_export_types = optional(list(string), null)
cluster_instance_count = optional(number, null)
cluster_serverlessv2_min_capacity = optional(number, null)
cluster_serverlessv2_max_capacity = optional(number, null)
}))
n/a yes
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| infrastructure_rds_backup_to_s3_cron_expression | Cron expression for when to trigger the SQL backups to S3 | string | n/a | yes |
| infrastructure_rds_backup_to_s3_retention | Retention in days to keep the S3 SQL backups and logs | number | n/a | yes |
| infrastructure_rds_defaults | Default values for RDSs | <pre>object({<br/>  type = optional(string, null)<br/>  engine = optional(string, null)<br/>  engine_version = optional(string, null)<br/>  parameters = optional(map(string), null)<br/>  instance_class = optional(string, null)<br/>  allocated_storage = optional(number, null)<br/>  storage_type = optional(string, null)<br/>  iops = optional(number, null)<br/>  storage_throughput = optional(number, null)<br/>  multi_az = optional(bool, null)<br/>  monitoring_interval = optional(number, null)<br/>  cloudwatch_logs_export_types = optional(list(string), null)<br/>  cluster_instance_count = optional(number, null)<br/>  cluster_serverlessv2_min_capacity = optional(number, null)<br/>  cluster_serverlessv2_max_capacity = optional(number, null)<br/>})</pre> | n/a | yes |
| infrastructure_vpc | Enable infrastructure VPC | bool | n/a | yes |
| infrastructure_vpc_assign_generated_ipv6_cidr_block | Assign generated IPv6 CIDR block on infrastructure VPC | bool | n/a | yes |
| infrastructure_vpc_cidr_block | Infrastructure VPC CIDR block | string | n/a | yes |
| infrastructure_vpc_enable_dns_hostnames | Enable DNS hostnames on infrastructure VPC | bool | n/a | yes |
| infrastructure_vpc_enable_dns_support | Enable DNS support on infrastructure VPC | bool | n/a | yes |
| infrastructure_vpc_enable_network_address_usage_metrics | Enable network address usage metrics on infrastructure VPC | bool | n/a | yes |
| infrastructure_vpc_flow_logs_cloudwatch_logs | Enable VPC flow logs on infrastructure VPC to CloudWatch Logs | bool | n/a | yes |
| infrastructure_vpc_flow_logs_retention | VPC flow logs retention in days | number | n/a | yes |
| infrastructure_vpc_flow_logs_s3_key_prefix | Flow logs by default will go into the infrastructure S3 logs bucket. This is the key prefix used to isolate them from other logs | string | n/a | yes |
| infrastructure_vpc_flow_logs_s3_with_athena | Enable VPC flow logs in infrastructure VPC to the S3 logs bucket. A compatible Glue table/database and Athena workgroup will also be created to allow querying the logs. | bool | n/a | yes |
| infrastructure_vpc_flow_logs_traffic_type | Infrastructure VPC flow logs traffic type | string | n/a | yes |
| infrastructure_vpc_instance_tenancy | Infrastructure VPC instance tenancy | string | n/a | yes |
| infrastructure_vpc_network_acl_egress_custom_rules_private | Infrastructure VPC egress custom rules for the private subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br/>  protocol = string<br/>  from_port = number<br/>  to_port = number<br/>  action = string<br/>  cidr_block = string<br/>  ipv6_cidr_block = optional(string, null)<br/>  icmp_type = optional(number, null)<br/>  icmp_code = optional(number, null)<br/>}))</pre> | n/a | yes |
| infrastructure_vpc_network_acl_egress_custom_rules_public | Infrastructure VPC egress custom rules for the public subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br/>  protocol = string<br/>  from_port = number<br/>  to_port = number<br/>  action = string<br/>  cidr_block = string<br/>  ipv6_cidr_block = optional(string, null)<br/>  icmp_type = optional(number, null)<br/>  icmp_code = optional(number, null)<br/>}))</pre> | n/a | yes |
| infrastructure_vpc_network_acl_egress_lockdown_private | Creates a network ACL for the private subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool | n/a | yes |
| infrastructure_vpc_network_acl_egress_lockdown_public | Creates a network ACL for the public subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool | n/a | yes |
| infrastructure_vpc_network_acl_ingress_custom_rules_private | Infrastructure VPC ingress custom rules for the private subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br/>  protocol = string<br/>  from_port = number<br/>  to_port = number<br/>  action = string<br/>  cidr_block = string<br/>  ipv6_cidr_block = optional(string, null)<br/>  icmp_type = optional(number, null)<br/>  icmp_code = optional(number, null)<br/>}))</pre> | n/a | yes |
| infrastructure_vpc_network_acl_ingress_custom_rules_public | Infrastructure VPC ingress custom rules for the public subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br/>  protocol = string<br/>  from_port = number<br/>  to_port = number<br/>  action = string<br/>  cidr_block = string<br/>  ipv6_cidr_block = optional(string, null)<br/>  icmp_type = optional(number, null)<br/>  icmp_code = optional(number, null)<br/>}))</pre> | n/a | yes |
| infrastructure_vpc_network_acl_ingress_lockdown_private | Creates a network ACL for the private subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool | n/a | yes |
| infrastructure_vpc_network_acl_ingress_lockdown_public | Creates a network ACL for the public subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | bool | n/a | yes |
| infrastructure_vpc_network_availability_zones | A list of availability zone characters (e.g. ["a", "b", "c"]) | list(string) | n/a | yes |
| infrastructure_vpc_network_enable_private | Enable private networking on Infrastructure VPC. This will create subnets with a route to a NAT Gateway (if public networking has been enabled) | bool | n/a | yes |
| infrastructure_vpc_network_enable_public | Enable public networking on Infrastructure VPC. This will create subnets with a route to an Internet Gateway | bool | n/a | yes |
| infrastructure_vpc_transfer_s3_bucket_access_vpc_ids | Additional VPC IDs which are allowed to access the transfer S3 bucket | list(string) | n/a | yes |
| project_name | Project name to be used as a prefix for all resources | string | n/a | yes |
| route53_root_hosted_zone_domain_name | Route53 Hosted Zone in which to delegate Infrastructure Route53 Hosted Zones. | string | n/a | yes |
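The following partial `*.tfvars` is an added example, not code from the dxw Dalmatian repository, showing how the RDS, VPC flow log and network ACL inputs documented above fit together in one configuration. Inputs documented elsewhere in the module are omitted, so it is not a complete variable set. It assumes that a key set in an `infrastructure_rds` entry overrides the same key in `infrastructure_rds_defaults`; the engine version, instance classes, the cron expression format and the CIDR ranges (RFC 5737 documentation networks) are placeholders chosen for illustration.

```hcl
# Added example, not from the dxw Dalmatian repository: a partial *.tfvars
# for the inputs documented above. Inputs documented elsewhere in the module
# are omitted, so this is not a complete configuration. Versions, instance
# classes, the cron format and the CIDRs are illustrative placeholders.

project_name                         = "example"     # placeholder
route53_root_hosted_zone_domain_name = "example.com" # placeholder

# RDS. Assumed: a key set in an infrastructure_rds entry overrides the same
# key in infrastructure_rds_defaults.
infrastructure_rds_defaults = {
  type                         = "instance"
  engine                       = "postgres"
  engine_version               = "16.4"         # illustrative
  instance_class               = "db.t4g.small" # illustrative
  allocated_storage            = 50
  storage_type                 = "gp3"
  monitoring_interval          = 60             # Enhanced Monitoring: 0, 1, 5, 10, 15, 30 or 60
  cloudwatch_logs_export_types = ["postgresql", "upgrade"]
  parameters                   = { "rds.force_ssl" = "1" } # reject non-TLS client connections
}

infrastructure_rds = {
  # Single instance: iops/storage_throughput left unset, so the gp3 baseline applies.
  "app" = {
    multi_az = true # instance type only
  }
  # Multi-AZ DB cluster: set storage_type, allocated_storage, iops and
  # instance_class; iops must be a multiple between .5 and 50 of the
  # storage amount (1000 / 100 = 10 here). multi_az is not applicable.
  "reporting" = {
    type              = "cluster"
    instance_class    = "db.m6gd.large" # illustrative
    allocated_storage = 100
    storage_type      = "io1"
    iops              = 1000
  }
}

infrastructure_rds_backup_to_s3_cron_expression = "0 2 * * ? *" # assumed format: nightly at 02:00 UTC
infrastructure_rds_backup_to_s3_retention       = 30

# VPC
infrastructure_vpc                                      = true
infrastructure_vpc_cidr_block                           = "10.0.0.0/16"
infrastructure_vpc_assign_generated_ipv6_cidr_block     = false
infrastructure_vpc_enable_dns_hostnames                 = true
infrastructure_vpc_enable_dns_support                   = true
infrastructure_vpc_enable_network_address_usage_metrics = true
infrastructure_vpc_instance_tenancy                     = "default"
infrastructure_vpc_network_availability_zones           = ["a", "b"]
infrastructure_vpc_network_enable_public                = true
infrastructure_vpc_network_enable_private               = true # private subnets route out via the NAT Gateway
infrastructure_vpc_transfer_s3_bucket_access_vpc_ids    = []

# Flow logs to CloudWatch Logs and to S3 with an Athena workgroup, so REJECT
# records can be queried during an investigation.
infrastructure_vpc_flow_logs_cloudwatch_logs = true
infrastructure_vpc_flow_logs_retention       = 90
infrastructure_vpc_flow_logs_s3_with_athena  = true
infrastructure_vpc_flow_logs_s3_key_prefix   = "vpc-flow-logs"
infrastructure_vpc_flow_logs_traffic_type    = "ALL" # ACCEPT, REJECT or ALL

# Deny-by-default network ACLs on both subnet tiers. The module adds the
# ports its own resources need; custom rules are evaluated before those.
infrastructure_vpc_network_acl_ingress_lockdown_public  = true
infrastructure_vpc_network_acl_egress_lockdown_public   = true
infrastructure_vpc_network_acl_ingress_lockdown_private = true
infrastructure_vpc_network_acl_egress_lockdown_private  = true

infrastructure_vpc_network_acl_ingress_custom_rules_public = [
  { # deny HTTPS from a range you have chosen to block (TEST-NET-3 placeholder)
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    action     = "deny"
    cidr_block = "203.0.113.0/24"
  },
]
infrastructure_vpc_network_acl_egress_custom_rules_private = [
  { # allow HTTPS from private subnets to a partner API (TEST-NET-2 placeholder)
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    action     = "allow"
    cidr_block = "198.51.100.0/24"
  },
]
infrastructure_vpc_network_acl_egress_custom_rules_public   = []
infrastructure_vpc_network_acl_ingress_custom_rules_private = []
```

With all four lockdown flags set, anything that is neither on the module's list of required ports nor in a custom rule is dropped, so an outbound dependency that was previously reachable through the default network ACL needs an explicit egress rule like the private-subnet one above. Because custom rules are evaluated first, a `deny` entry takes precedence over the module's automatically added `allow` rules, which is what makes the public-subnet block effective. Logging `ALL` traffic to S3 with the Athena workgroup is the cheapest way to confirm afterwards which connections the ACLs rejected.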

Outputs

| Name | Description |
|------|-------------|
| resource_map | Simplified map of resources and their dependencies, associations and attachments |