# This Terraform file contains the variable definitions for the AWS CloudTrail module.
# It allows you to configure various settings related to the module's integration with Expel and CloudTrail.
/* --- Set these to keep track of the effects of this module in your AWS infrastructure --- */
variable "prefix" {
  type        = string
  default     = "expel-aws-cloudtrail"
  description = "A prefix to group all Expel integration resources."

  # Bound the prefix length so that prefixed resource names stay within
  # downstream AWS naming limits; the limit this bound derives from is not
  # visible in this file.
  validation {
    condition     = length(var.prefix) <= 26
    error_message = "Prefix value must be 26 characters or less."
  }
}
variable "tags" {
  type        = map(string)
  default     = {}
  description = "A set of tags to group resources."
}
/* --- Set these variables to enable connection with Expel Workbench --- */
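variable "expel_customer_organization_guid" {
  description = "Expel customer's organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench."
  type        = string

  # Required input (no default). Reject an empty or whitespace-only value at
  # plan time instead of letting it reach the Expel-facing resources at apply
  # time. The exact GUID format is not asserted here because it is not
  # documented in this module.
  validation {
    condition     = length(trimspace(var.expel_customer_organization_guid)) > 0
    error_message = "expel_customer_organization_guid must be a non-empty string."
  }
}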
variable "expel_customer_aws_account_id" {
  type        = string
  default     = null
  description = "Account id of customer's AWS account that will be monitored by Expel if it is different than the one terraform is using. This should be the management account id if organization trail is enabled."

  # Optional: null is accepted as "same account terraform is using"; any
  # non-null value must be a 12-digit AWS account id. coalesce() maps null to
  # "" so that regex() is never handed a null argument.
  validation {
    condition     = var.expel_customer_aws_account_id == null || can(regex("^[0-9]{12}$", coalesce(var.expel_customer_aws_account_id, "")))
    error_message = "Account id must be 12 digits."
  }
}
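variable "expel_aws_user_arn" {
  description = "Expel's AWS User ARN to allow assuming role to gain CloudTrail access."
  type        = string
  default     = "arn:aws:iam::012205512454:user/ExpelCloudService"

  # SECURITY: this principal is the one trusted to assume the CloudTrail access
  # role, so whoever controls the account in this ARN can read the trail logs.
  # The default names Expel's account; confirm it against Expel's published
  # documentation before relying on it, and treat any override with care.
  # Validation only checks the shape (IAM user or role ARN in any aws*
  # partition), not that the account is actually Expel's.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:(user|role)/.+$", var.expel_aws_user_arn))
    error_message = "expel_aws_user_arn must be an IAM user or role ARN, e.g. arn:aws:iam::123456789012:user/Name."
  }
}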
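variable "expel_assume_role_name" {
  description = "The role name Expel will assume when authenticating."
  type        = string
  default     = "ExpelTrailAssumeRole"

  # IAM role names allow alphanumerics plus "+=,.@-_" and are at most 64
  # characters; fail at plan time instead of at the IAM API call.
  validation {
    condition     = can(regex("^[\\w+=,.@-]{1,64}$", var.expel_assume_role_name))
    error_message = "expel_assume_role_name must be 1-64 characters from [A-Za-z0-9_+=,.@-]."
  }
}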
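variable "expel_assume_role_session_name" {
  description = "The session name Expel will use when authenticating."
  type        = string
  default     = "ExpelCloudTrailServiceSession"

  # STS RoleSessionName must be 2-64 characters from [\w+=,.@-]. The session
  # name also appears in CloudTrail's AssumeRole events, so keeping it stable
  # makes Expel's sessions easy to identify in the audit trail.
  validation {
    condition     = can(regex("^[\\w+=,.@-]{2,64}$", var.expel_assume_role_session_name))
    error_message = "expel_assume_role_session_name must be 2-64 characters from [A-Za-z0-9_+=,.@-]."
  }
}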
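variable "enable_organization_trail" {
  description = "For customers with AWS organizations setup, log events for the management account and all member accounts, and propagate IAM policies to all member accounts so Expel gets basic read permissions on resources in order to investigate alerts. Set to false if you want to onboard a single AWS account."
  type        = bool
  default     = true

  # NOTE: defaults to true. As the description states, this pushes IAM
  # policies into every member account, not just the one terraform runs in;
  # single-account onboarding must explicitly set this to false.
}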
/* --- Set these variables to support CloudTrail configuration --- */
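variable "assume_role_arn" {
  type        = string
  description = "ARN of the IAM role being assumed for resource creation"
  default     = null

  # Optional; when set it must look like an IAM role ARN (any aws* partition).
  # This is the role used to create resources, distinct from the role Expel
  # assumes at runtime.
  validation {
    condition     = var.assume_role_arn == null || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", var.assume_role_arn))
    error_message = "assume_role_arn must be an IAM role ARN, e.g. arn:aws:iam::123456789012:role/Name."
  }
}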
variable "is_existing_cloudtrail_cross_account" {
  type        = bool
  default     = false
  description = "For an existing cloudtrail, whether the cloudtrail & the log bucket (& optionally log bucket notifier topic if existing) are in different aws accounts"

  # Only meaningful when an existing trail is being onboarded; how the module
  # consumes this flag is defined outside this file.
}
variable "existing_cloudtrail_bucket_name" {
  type        = string
  default     = null
  description = "The name of the existing bucket connected to the existing CloudTrail"

  # null means no existing bucket is supplied (presumably the module creates
  # one; the switch lives outside this file).
}
variable "aws_management_account_id" {
  type        = string
  default     = null
  description = "Account id of AWS management account."

  # Optional; a non-null value must be a 12-digit AWS account id. regex() on a
  # null argument errors, which can() turns into false, but the null check in
  # front keeps the overall condition true for the default.
  validation {
    condition     = var.aws_management_account_id == null || can(regex("^[0-9]{12}$", var.aws_management_account_id))
    error_message = "Account id must be 12 digits."
  }
}
variable "existing_cloudtrail_log_bucket_account_id" {
  type        = string
  default     = null
  description = "Account id of AWS account where the existing cloudtrail log bucket is created. This is where the new SQS queue will be created"

  # Optional; a non-null value must be a 12-digit AWS account id.
  validation {
    condition     = var.existing_cloudtrail_log_bucket_account_id == null || can(regex("^[0-9]{12}$", var.existing_cloudtrail_log_bucket_account_id))
    error_message = "Account id must be 12 digits."
  }
}
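variable "existing_cloudtrail_kms_key_arn" {
  description = "The ARN of the KMS key used to encrypt existing CloudTrail bucket"
  type        = string
  default     = null

  # Optional; a non-null value must be a KMS key or alias ARN. A malformed ARN
  # here would otherwise only surface when the key policy / IAM policy that
  # references it is applied.
  validation {
    condition     = var.existing_cloudtrail_kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.+$", var.existing_cloudtrail_kms_key_arn))
    error_message = "existing_cloudtrail_kms_key_arn must be a KMS key or alias ARN, e.g. arn:aws:kms:us-east-1:123456789012:key/<id>."
  }
}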
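variable "existing_notification_kms_key_arn" {
  description = "The ARN of the KMS key used to encrypt new SQS/SNS. If provided, please add key policies to enable IAM permission for the account root, and allow `kms:GenerateDataKey` & `kms:Decrypt` actions to log bucket [principal:s3.amazonaws.com] & sns topic [principal:sns.amazonaws.com]."
  type        = string
  default     = null

  # Optional; a non-null value must be a KMS key or alias ARN. The key policy
  # requirements in the description are not verifiable from Terraform; if they
  # are missing, S3 -> SNS -> SQS delivery fails silently at runtime rather
  # than at apply time.
  validation {
    condition     = var.existing_notification_kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/.+$", var.existing_notification_kms_key_arn))
    error_message = "existing_notification_kms_key_arn must be a KMS key or alias ARN, e.g. arn:aws:kms:us-east-1:123456789012:key/<id>."
  }
}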
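variable "existing_sns_topic_arn" {
  description = "The ARN of the existing SNS Topic configured to be notified by the existing CloudTrail bucket. The S3 bucket notification configuration must have the s3:ObjectCreated:* event type checked."
  type        = string
  default     = null

  # Optional; a non-null value must be an SNS topic ARN. Whether the topic's
  # S3 notification actually covers s3:ObjectCreated:* cannot be checked here.
  validation {
    condition     = var.existing_sns_topic_arn == null || can(regex("^arn:aws[a-z-]*:sns:[a-z0-9-]+:[0-9]{12}:.+$", var.existing_sns_topic_arn))
    error_message = "existing_sns_topic_arn must be an SNS topic ARN, e.g. arn:aws:sns:us-east-1:123456789012:topic-name."
  }
}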
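variable "queue_message_retention_days" {
  description = "Number of days SQS retains a message that has not been consumed (MessageRetentionPeriod, expressed in days). See: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-message-lifecycle.html"
  type        = number
  default     = 7

  # The previous description called this the visibility timeout, which it is
  # not: the variable name and the 7-day default only fit SQS message
  # retention (visibility timeout maxes out at 12 hours). SQS allows retention
  # of 60 seconds to 14 days, so a value outside 1..14 days is rejected.
  validation {
    condition     = var.queue_message_retention_days >= 1 && var.queue_message_retention_days <= 14
    error_message = "queue_message_retention_days must be between 1 and 14 days (SQS limit)."
  }
}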
variable "enable_sqs_encryption" {
  type        = bool
  default     = true
  description = "Enable server-side encryption (SSE) of message content with SQS-owned encryption keys."

  # Secure default (on). How this interacts with
  # existing_notification_kms_key_arn is decided outside this file.
}
/* --- Set these variables to support new CloudTrail configuration --- */
variable "enable_cloudtrail_log_file_validation" {
  type        = bool
  default     = true
  description = "Validates that a log file was not modified, deleted, or unchanged after CloudTrail delivered it."

  # Secure default (on): log file validation produces digest files that let
  # an investigator detect tampering with delivered trail logs.
}
variable "enable_bucket_access_logging" {
  type        = bool
  default     = true
  description = "Access logging provides detailed records for the requests that are made to an Amazon S3 bucket."

  # Secure default (on).
}
variable "enable_access_logging_bucket_encryption" {
  type        = bool
  default     = true
  description = "Enable to encrypt objects in the access logging bucket."

  # Secure default (on).
}
variable "enable_bucket_versioning" {
  type        = bool
  default     = true
  description = "Enable to protect against accidental/malicious removal or modification of S3 objects."

  # Secure default (on).
}
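variable "enable_bucket_encryption_key_rotation" {
  description = "Enable automatic rotation of the KMS key the module creates for S3 bucket encryption. Has no effect when an existing KMS key is supplied."
  type        = bool
  default     = true

  # The previous description referred to `enable_s3_encryption`, which is not
  # a variable declared in this file; the only S3 encryption toggle visible
  # here is `enable_access_logging_bucket_encryption`. NOTE(review): confirm
  # against the module's resources which key this rotation flag is applied to.
}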
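variable "stackset_fault_tolerance_count" {
  description = "The number of accounts, per Region, for which stackset deployment operation can fail before AWS CloudFormation stops the operation in that Region."
  type        = number
  default     = null

  # Optional; CloudFormation's FailureToleranceCount must be >= 0. null leaves
  # the CloudFormation default in effect.
  validation {
    condition     = var.stackset_fault_tolerance_count == null || var.stackset_fault_tolerance_count >= 0
    error_message = "stackset_fault_tolerance_count must be null or a non-negative number."
  }
}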
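variable "stackset_max_concurrent_count" {
  description = "The maximum number of accounts in which to perform this operation at one time. At most, this should be set to one more than `stackset_fault_tolerance_count`"
  type        = number
  default     = 1

  # CloudFormation's MaxConcurrentCount must be >= 1. The relationship to
  # stackset_fault_tolerance_count is left to CloudFormation to enforce, since
  # that variable may be null here.
  validation {
    condition     = var.stackset_max_concurrent_count >= 1
    error_message = "stackset_max_concurrent_count must be at least 1."
  }
}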
variable "stackset_target_organizational_units" {
  type        = list(string)
  default     = null
  description = "If the stackset is desired to be deployed to targeted OUs only, provide a list of OU ids. Please note that the OU that the trail log bucket account belongs to, must be included."

  # null means "no OU restriction"; the fallback target set is defined
  # outside this file. The OU-membership requirement in the description is
  # not verifiable at plan time.
}