account
This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It includes the ability to associate Service Control Policies (SCPs) to the Organization, each Organizational Unit and account.
account-map
1 item
account-quotas
This component is responsible for requesting service quota increases. We recommend
account-settings
This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS encryption, and Service Quotas.
acm
This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone to complete certificate validation.
alb
This component is responsible for provisioning a generic Application Load Balancer. It depends on the vpc and dns-delegated components.
argocd-repo
This component is responsible for creating and managing an ArgoCD desired state repository.
athena
This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources.
aurora-mysql
This component is responsible for provisioning Aurora MySQL RDS clusters.
aurora-mysql-resources
This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants, etc.
aurora-postgres
This component is responsible for provisioning Aurora Postgres RDS clusters.
aurora-postgres-resources
This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, grants, etc.
aws-backup
This component is responsible for provisioning an AWS Backup Plan. It creates a schedule for backing up given ARNs.
aws-saml
This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (okta must be mentioned in the key given to the saml_providers input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM.
aws-sso
This component is responsible for creating AWS SSO Permission Sets and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts.
aws-team-roles
This component is responsible for provisioning user and system IAM roles outside the identity account.
aws-teams
This component is responsible for provisioning all primary user and system roles into the centralized identity account.
aws-waf-acl
This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group.
bastion
This component is responsible for provisioning a generic Bastion host within an ASG with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication.
cloudtrail
This component is responsible for provisioning CloudTrail auditing in an individual account. It's expected to be used alongside
cloudtrail-bucket
This component is responsible for provisioning a bucket for storing CloudTrail logs for auditing purposes. It's expected to be used alongside the cloudtrail component.
cloudwatch-logs
This component is responsible for creation of CloudWatch Log Streams and Log Groups.
cognito
This component is responsible for provisioning and managing AWS Cognito resources.
datadog-agent
This component installs the datadog-agent for EKS clusters.
datadog-configuration
1 item
datadog-integration
This component is responsible for provisioning Datadog AWS integrations.
datadog-lambda-forwarder
This component is responsible for provisioning all the necessary infrastructure to
datadog-logs-archive
This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each AWS account. If the catchall flag is set, it creates a catchall archive within the same S3 bucket.
datadog-monitor
This component is responsible for provisioning Datadog monitors and assigning Datadog roles to the monitors.
datadog-private-location-ecs
This component is responsible for creating a Datadog private location and deploying it to ECS (EC2 / Fargate).
datadog-synthetics-private-location
This component provisions a Datadog Synthetics private location on Datadog and a private location agent on an EKS cluster.
dms
4 items
dns-delegated
This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS account. The primary DNS zone is expected to already be provisioned via the dns-primary component.
dns-primary
This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically provision the primary DNS zones in the dns account. The primary account for branded zones (e.g. example.com), however, would be in the prod account, while a staging zone (e.g. example.qa) might be in the staging account.
documentdb
This component is responsible for provisioning DocumentDB clusters.
dynamodb
This component is responsible for provisioning a DynamoDB table.
ec2-client-vpn
This component is responsible for provisioning VPN Client Endpoints.
ecr
This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage.
ecs
This component is responsible for provisioning an ECS Cluster and associated load balancer.
ecs-service
This component is responsible for creating an ECS service.
eks
22 items
eks-iam
This component is responsible for provisioning specific IAM roles for Kubernetes Service Accounts. IAM roles are created for the following Kubernetes projects:
elasticache-redis
This component is responsible for provisioning ElastiCache Redis clusters.
elasticsearch
This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and Logstash.
github-action-token-rotator
This component is responsible for provisioning the GitHub Action Token Rotator.
github-oidc-provider
This component is responsible for authorizing the GitHub OIDC provider.
github-runners
This component is responsible for provisioning EC2 instances for GitHub runners.
global-accelerator
This component is responsible for provisioning AWS Global Accelerator and its listeners.
global-accelerator-endpoint-group
This component is responsible for provisioning a Global Accelerator Endpoint Group.
iam-role
This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired then it is better to use a separate component specific to that role.
iam-service-linked-roles
This component is responsible for provisioning IAM Service-Linked Roles.
kinesis-stream
This component is responsible for provisioning an Amazon Kinesis data stream.
kms
This component is responsible for provisioning a KMS Key.
lakeformation
This component is responsible for provisioning Amazon Lake Formation resources.
lambda
This component is responsible for provisioning Lambda functions.
mq-broker
This component is responsible for provisioning an AmazonMQ broker and corresponding security group.
mwaa
This component provisions Amazon managed workflows for Apache Airflow.
opsgenie-team
1 item
rds
This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store.
redshift
This component is responsible for provisioning a Redshift instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store.
s3-bucket
This component is responsible for provisioning S3 buckets.
ses
This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can be retrieved from SSM.
sftp
This component is responsible for provisioning SFTP Endpoints.
snowflake-account
This component sets up the requirements for all other Snowflake components, including creating the Terraform service user. Before running this component, follow the manual, Click-Ops steps below to create a Snowflake subscription.
snowflake-database
All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This component will create and control a Snowflake database, schema, and set of tables.
sns-topic
This component is responsible for provisioning an SNS topic.
spa-s3-cloudfront
This component is responsible for provisioning:
spacelift
This component is responsible for provisioning Spacelift stacks.
spacelift-policy
This component is responsible for provisioning Spacelift policies.
spacelift-worker-pool
This component is responsible for provisioning Spacelift worker pools.
sqs-queue
This component is responsible for creating an SQS queue.
ssm-parameters
This component is responsible for provisioning Parameter Store resources in AWS SSM. It supports normal Parameter Store resources that can be configured directly in YAML, or pulling secret values from a local Sops file.
sso
This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (okta must be mentioned in the key given to the saml_providers input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM.
sso-saml-provider
This component reads SSO credentials from SSM Parameter Store and provides them as outputs.
strongdm
This component provisions a strongDM gateway, relay, and roles.
tfstate-backend
This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend.
tgw
4 items
vpc
This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can optionally be enabled for auditing purposes. See the existing VPC configuration documentation for the provisioned subnets.
vpc-flow-logs-bucket
This component is responsible for provisioning an encrypted S3 bucket which is configured to receive VPC Flow Logs.
vpc-peering
This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts.
waf
This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group.
zscaler
This component is responsible for provisioning Zscaler Private Access Connector instances on Amazon Linux 2 AMIs.