Terraform Components

This is a library of reusable Terraform "root module" components.

access-analyzer

This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS

account

This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It

account-map (1)

This component is responsible for provisioning information only: it simply populates Terraform state with data (account

account-quotas

This component is responsible for requesting service quota increases. We recommend making requests here rather than in

account-settings

This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS

acm

This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone

alb

This component is responsible for provisioning a generic Application Load Balancer. It depends on the vpc and

amplify

This component is responsible for provisioning AWS Amplify apps, backend environments, branches, domain associations,

api-gateway-account-settings

This component is responsible for setting the global, regional settings required to allow API Gateway to write to

api-gateway-rest-api

This component is responsible for deploying an API Gateway REST API.

argocd-repo (1)

This component is responsible for creating and managing an ArgoCD desired state repository.

athena

This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources.

aurora-mysql

This component is responsible for provisioning Aurora MySQL RDS clusters. It seeds relevant database information

aurora-mysql-resources

This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants,

aurora-postgres

This component is responsible for provisioning Aurora Postgres RDS clusters. It seeds relevant database information

aurora-postgres-resources

This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions,

auth0 (3)

Auth0 Application component. Auth0 is a third-party service that provides authentication and

aws-backup

This component is responsible for provisioning an AWS Backup Plan. It creates a schedule for backing up given ARNs.

aws-config (1)

This component is responsible for configuring AWS Config.

aws-inspector

This component is responsible for provisioning an

aws-inspector2

This component is responsible for configuring Inspector V2 within an AWS Organization.

aws-saml

This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an

aws-shield

This component is responsible for enabling AWS Shield Advanced Protection for the following resources:

aws-sso

This component is responsible for creating AWS SSO Permission Sets and creating AWS SSO Account Assignments, that

aws-ssosync (1)

Deploys AWS ssosync to sync Google Groups with AWS SSO.

aws-team-roles

This component is responsible for provisioning user and system IAM roles outside the identity account. It sets them up

aws-teams

This component is responsible for provisioning all primary user and system roles into the centralized identity account.

bastion

This component is responsible for provisioning a generic Bastion host within an ASG with parameterized user_data and

cloudtrail

This component is responsible for provisioning cloudtrail auditing in an individual account. It's expected to be used

cloudtrail-bucket

This component is responsible for provisioning a bucket for storing cloudtrail logs for auditing purposes. It's expected

cloudwatch-logs

This component is responsible for creation of CloudWatch Log Streams and Log Groups.

cognito

This component is responsible for provisioning and managing AWS Cognito resources.

config-bucket

This module creates an S3 bucket suitable for storing AWS Config data.

datadog-configuration (1)

This component is responsible for provisioning SSM or ASM entries for Datadog API keys.

datadog-integration

This component is responsible for provisioning Datadog AWS integrations. It depends on the datadog-configuration

datadog-lambda-forwarder

This component is responsible for provision all the necessary infrastructure to deploy

datadog-logs-archive

This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each

datadog-monitor

This component is responsible for provisioning Datadog monitors and assigning Datadog roles to the monitors.

datadog-private-location-ecs

This component is responsible for creating a datadog private location and deploying it to ECS (EC2 / Fargate)

datadog-synthetics

This component provides the ability to implement

datadog-synthetics-private-location

This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster.

dms (4)

This component provisions DMS endpoints.

dns-delegated

This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS

dns-primary

This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically

documentdb

This component is responsible for provisioning DocumentDB clusters.

dynamodb

This component is responsible for provisioning a DynamoDB table.

ec2-client-vpn

This component is responsible for provisioning VPN Client Endpoints.

ec2-instance

This component is responsible for provisioning a single EC2 instance.

ecr

This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage.

ecs

This component is responsible for provisioning an ECS Cluster and associated load balancer.

ecs-service

This component is responsible for creating an ECS service.

efs

This component is responsible for provisioning an EFS Network File System with KMS

eks (25)

This component creates a Helm release for

elasticache-redis

This component is responsible for provisioning ElastiCache Redis clusters.

elasticsearch

This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and

eventbridge

The eventbridge component is a Terraform module that defines a CloudWatch EventBridge rule. The rule is pointed at

github-action-token-rotator

This component is responsible for provisioning

github-oidc-provider

This component is responsible for authorizing the GitHub OIDC provider as an Identity provider for an AWS account. It is

github-oidc-role

This component is responsible for creating IAM roles for GitHub Actions to assume.

github-runners

This component is responsible for provisioning EC2 instances for GitHub runners.

github-webhook

This component provisions a GitHub webhook for a single GitHub repository.

global-accelerator

This component is responsible for provisioning AWS Global Accelerator and its listeners.

global-accelerator-endpoint-group

This component is responsible for provisioning a Global Accelerator Endpoint Group.

glue (10)

This component provisions Glue catalog databases.

guardduty

This component is responsible for configuring GuardDuty within an AWS Organization.

iam-role

This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired

iam-service-linked-roles

This component is responsible for provisioning

ipam

This component is responsible for provisioning IPAM per region in a centralized account.

kinesis-stream

This component is responsible for provisioning an Amazon Kinesis data stream.

kms

This component is responsible for provisioning a KMS Key.

lakeformation

This component is responsible for provisioning Amazon Lake Formation resources.

lambda

This component is responsible for provisioning Lambda functions.

macie

This component is responsible for configuring Macie within an AWS Organization.

managed-grafana (4)

This component is responsible for provisioning an API Key for an Amazon Managed Grafana workspace.

managed-prometheus (1)

This component is responsible for provisioning a workspace for Amazon Managed Service for Prometheus, also known as

memorydb

This component provisions an AWS MemoryDB cluster. MemoryDB is a fully managed, Redis-compatible, in-memory database

mq-broker

This component is responsible for provisioning an AmazonMQ broker and corresponding security group.

msk

This component is responsible for provisioning Amazon Managed Streaming clusters for

mwaa

This component provisions Amazon managed workflows for Apache Airflow.

network-firewall

This component is responsible for provisioning AWS Network Firewall resources,

opsgenie-team (1)

This component is responsible for provisioning Opsgenie teams and related services, rules, schedules.

philips-labs-github-runners

This component is responsible for provisioning the surrounding infrastructure for the github runners.

rds

This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames,

redshift

This component is responsible for provisioning a RedShift instance. It seeds relevant database information (hostnames,

route53-resolver-dns-firewall

This component is responsible for provisioning

s3-bucket

This component is responsible for provisioning S3 buckets.

security-hub

This component is responsible for configuring Security Hub within an AWS Organization.

ses

This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can

sftp

This component is responsible for provisioning SFTP Endpoints.

site-to-site-vpn

This component provisions a Site-To-Site VPN with a

snowflake-account

This component sets up the requirements for all other Snowflake components, including creating the Terraform service

snowflake-database

All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This

sns-topic

This component is responsible for provisioning an SNS topic.

spa-s3-cloudfront

This component is responsible for provisioning:

spacelift (3)

These components are responsible for setting up Spacelift and include three components: spacelift/admin-stack,

sqs-queue

This component is responsible for creating an SQS queue.

ssm-parameters

This component is responsible for provisioning Parameter Store resources against AWS SSM. It supports normal parameter

sso-saml-provider

This component reads sso credentials from SSM Parameter store and provides them as outputs

strongdm

This component provisions strongDM gateway, relay and roles

tfstate-backend

This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for

tgw (3)

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.

vpc

This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can

vpc-flow-logs-bucket

This component is responsible for provisioning an encrypted S3 bucket which is configured to receive VPC Flow Logs.

vpc-peering

This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts.

waf

This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule

zscaler

This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs.