Terraform Components

This is a library of reusable Terraform "root module" components.

access-analyzer

This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS Organization

account

This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs)

account-map (1)

This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs

account-quotas

This component is responsible for requesting AWS Service Quota increases

account-settings

This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS encryption, and Service Quotas

acm

This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone to complete certificate validation

alb

This component is responsible for provisioning a generic Application Load Balancer

amplify

This component is responsible for provisioning AWS Amplify apps, backend environments, branches, domain associations, and webhooks

api-gateway-account-settings

This component is responsible for setting the global, regional settings required to allow API Gateway to write to CloudWatch logs

api-gateway-rest-api

This component is responsible for deploying an API Gateway REST API

argocd-github-repo

This component is responsible for creating and managing an ArgoCD desired state repository

athena

This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources

audit-manager

This component is responsible for configuring AWS Audit Manager within an AWS Organization

aurora-mysql

This component provisions Amazon Aurora MySQL RDS clusters and seeds relevant database information (hostnames, username, password, etc

aurora-mysql-resources (1)

This component provisions Aurora MySQL resources: additional databases, users, permissions, and grants

aurora-postgres

This component is responsible for provisioning Aurora Postgres RDS clusters

aurora-postgres-resources (1)

This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, grants, etc

auth0 (3)

Auth0 Application component

aws-backup

This component is responsible for provisioning an AWS Backup Plan

aws-config (1)

This component provisions AWS Config across all accounts in an AWS Organization

aws-inspector

This component is responsible for provisioning an [AWS Inspector](https://docs

aws-inspector2

This component is responsible for configuring Inspector V2 within an AWS Organization

aws-saml (1)

This component provisions SAML metadata into AWS IAM as new SAML providers

aws-shield

This component is responsible for enabling AWS Shield Advanced Protection for the following resources:

• Application Load Balancers (ALBs)
• CloudFront Distributions
• Elastic IPs (NAT Gateways, EC2 instances)
• Route53 Hosted Zones

About AWS Shield

AWS Shield is a managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS

aws-ssosync

Component: ssosync

Deploys [AWS ssosync](https://github

aws-team-roles

This component is responsible for provisioning user and system IAM roles outside the identity account

aws-teams

This component is responsible for provisioning all primary user and system roles into the centralized identity account

bastion

This component provisions a generic Bastion host within an Auto Scaling Group (ASG) with parameterized user_data and supports AWS SSM Session Manager for remote access with IAM authentication

cloudmap-namespace

cloudtrail

This component is responsible for provisioning CloudTrail auditing in an individual AWS account

cloudtrail-bucket

This component is responsible for provisioning a bucket for storing CloudTrail logs for auditing purposes

cloudwatch-logs

This component is responsible for creation of CloudWatch Log Streams and Log Groups

cognito

This component is responsible for provisioning and managing AWS Cognito resources

config-bucket

This module creates an S3 bucket suitable for storing AWS Config data

datadog-child-organization

Terraform component to provision a Datadog child organization using the Datadog provider

datadog-credentials (1)

This component is responsible for provisioning SSM or ASM entries for Datadog API keys

datadog-integration

This component is responsible for provisioning Datadog AWS integrations

datadog-lambda-forwarder

This component provisions all infrastructure required to deploy [Datadog Lambda forwarders](https://github

datadog-logs-archive

This component provisions Datadog Log Archives

datadog-monitor

This component provisions Datadog monitors and assigns Datadog roles to those monitors

datadog-private-location-ecs

This component creates a Datadog Private Location and deploys it to ECS (EC2 or Fargate)

datadog-synthetics

This component provides the ability to implement [Datadog synthetic tests](https://docs

datadog-synthetics-private-location

This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster

delegated-administrator

Description of this component 55

dms (4)

This component provisions DMS endpoints

dns-delegated

This component provisions a delegated DNS zone for managing subdomains delegated from a primary DNS account

dns-primary

This component is responsible for provisioning the primary DNS zones into an AWS account

documentdb

This component is responsible for provisioning DocumentDB clusters

dynamodb

This component is responsible for provisioning a DynamoDB table

ec2-client-vpn

This component is responsible for provisioning VPN Client Endpoints

ec2-instance

This component is responsible for provisioning a single EC2 instance

ecr

This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage

ecs

This component is responsible for provisioning an ECS Cluster and associated load balancer

ecs-adot-collector

This component deploys the AWS Distro for OpenTelemetry (ADOT) collector as an ECS service

ecs-service

This component is responsible for creating an ECS service

efs

This component is responsible for provisioning an [EFS](https://aws

eks (31)

This component creates a Helm release for [actions-runner-controller](https://github

elasticache-redis (1)

This component provisions AWS [ElastiCache Redis](https://aws

elasticsearch

This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and Logstash

eventbridge

The eventbridge component is a Terraform module that defines a CloudWatch EventBridge rule

github-action-token-rotator

This component provisions the [Github Action Token Rotator](https://github

github-oidc-provider

This component authorizes the GitHub OIDC provider as an identity provider for an AWS account

github-oidc-role

This component is responsible for creating IAM roles for GitHub Actions to assume

github-repository

:lock: Managing GitHub repos in a compliant way just got way easier

github-runners

This component is responsible for provisioning EC2 instances for GitHub runners

github-webhook

This component provisions a GitHub webhook for a single GitHub repository

global-accelerator

This component provisions AWS Global Accelerator and its listeners

global-accelerator-endpoint-group

This component is responsible for provisioning a Global Accelerator Endpoint Group

glue (10)

This component provisions Glue catalog databases

guardduty

This component is responsible for configuring GuardDuty within an AWS Organization

iam-policy

Terraform component that composes IAM policy documents and creates an AWS IAM policy

iam-role

This component is responsible for provisioning simple IAM roles

iam-service-linked-roles

This component is responsible for provisioning [IAM Service-Linked Roles](https://docs

identity-center

This component is responsible for creating [AWS SSO Permission Sets][1] and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts

ipam

This component is responsible for provisioning IPAM per region in a centralized account

kinesis-firehose-stream

This component provisions a Kinesis Firehose delivery stream and at this time supports CloudWatch to S3 delivery

kinesis-stream

This component is responsible for provisioning an Amazon Kinesis data stream

kms

This component is responsible for provisioning a KMS Key

lakeformation

This component is responsible for provisioning Amazon Lake Formation resources

lambda

This component is responsible for provisioning Lambda functions

macie

This component is responsible for configuring Macie within an AWS Organization

managed-grafana (3)

This component provisions an API Key for an Amazon Managed Grafana workspace

managed-grafana-data-source (3)

This component creates a CloudWatch data source in Amazon Managed Grafana

managed-prometheus (1)

This component is responsible for provisioning a workspace for Amazon Managed Service for Prometheus, also known as Amazon Managed Prometheus (AMP)

memorydb

This component provisions an AWS MemoryDB cluster

mq-broker

This component is responsible for provisioning an AmazonMQ broker and the corresponding security group

msk

This component is responsible for provisioning [Amazon Managed Streaming](https://aws

mwaa

This component provisions Amazon managed workflows for Apache Airflow

network-firewall

This component is responsible for provisioning [AWS Network Firewall](https://aws

nlb

This component provisions an AWS Network Load Balancer (NLB) using the upstream Cloud Posse Terraform module

opsgenie-team (1)

This component provisions Opsgenie teams and related services, rules, and schedules

organization

Description of this component 55

organizational-unit

Description of this component 55

philips-labs-github-runners

This component provisions the surrounding infrastructure for GitHub self-hosted runners

private-link-service

This component provisions AWS VPC Endpoint Services (provider side) to expose YOUR services to external consumers via AWS PrivateLink

rds

This component is responsible for provisioning an RDS instance

redshift

This component provisions an AWS Redshift cluster and seeds relevant database information (hostnames, username, password, etc

redshift-serverless

This component is responsible for provisioning Redshift Serverless clusters

route53-resolver-dns-firewall

This component is responsible for provisioning [Route 53 Resolver DNS Firewall](https://docs

runs-on

Component: runs-onThis component provisions RunsOn for GitHub Actions self-hosted runners

s3-bucket

This component is responsible for provisioning S3 buckets

scp

Description of this component 55

security-hub

This component is responsible for configuring Security Hub within an AWS Organization

ses

This component provisions Amazon Simple Email Service (SES) to act as an SMTP gateway

sftp

This component is responsible for provisioning SFTP Endpoints

site-to-site-vpn

This component provisions a [Site-To-Site VPN](https://aws

snowflake-account

This component sets up the requirements for all other Snowflake components, including creating the Terraform service user

snowflake-database

All data in Snowflake is stored in database tables, logically structured as collections of columns and rows

sns-topic

This component is responsible for provisioning an SNS topic

spa-s3-cloudfront

This component provisions infrastructure to serve a Single Page Application (SPA) via Amazon S3 and Amazon CloudFront

spacelift (4)

These components are responsible for setting up Spacelift and include three components: spacelift/admin-stack,

sqs-queue

This component is responsible for creating an SQS queue

ssm-parameters

This component is responsible for provisioning Parameter Store resources against AWS SSM

sso-saml-provider

This component reads sso credentials from SSM Parameter store and provides them as outputs

strongdm

This component provisions [strongDM](https://www

tfstate-backend

This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend

tgw (5)

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.

vpc

This component is responsible for provisioning a VPC and corresponding Subnets with advanced configuration capabilities

vpc-flow-logs-bucket

This component provisions an encrypted S3 bucket configured to receive VPC Flow Logs

vpc-peering

This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts

vpc-routes

This component provisions routes in AWS VPC route tables

waf

This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group

zscaler

This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs