Terraform Components
This is a library of reusable Terraform "root module" components.
access-analyzer
This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS Organization
account
This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs)
account-map (1)
This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs
account-quotas
This component is responsible for requesting AWS Service Quota increases
account-settings
This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS encryption, and Service Quotas
acm
This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone to complete certificate validation
alb
This component is responsible for provisioning a generic Application Load Balancer
amplify
This component is responsible for provisioning AWS Amplify apps, backend environments, branches, domain associations, and webhooks
api-gateway-account-settings
This component is responsible for setting the global, regional settings required to allow API Gateway to write to CloudWatch logs
api-gateway-rest-api
This component is responsible for deploying an API Gateway REST API
argocd-github-repo
This component is responsible for creating and managing an ArgoCD desired state repository
athena
This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources
aurora-mysql
This component provisions Amazon Aurora MySQL RDS clusters and seeds relevant database information (hostnames, username, password, etc
aurora-mysql-resources
This component provisions Aurora MySQL resources: additional databases, users, permissions, and grants
aurora-postgres
This component is responsible for provisioning Aurora Postgres RDS clusters
aurora-postgres-resources
This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, grants, etc
auth0 (3)
Auth0 Application component
aws-backup
This component is responsible for provisioning an AWS Backup Plan
aws-config (1)
This component is responsible for configuring AWS Config
aws-inspector
This component is responsible for provisioning an [AWS Inspector](https://docs
aws-inspector2
This component is responsible for configuring Inspector V2 within an AWS Organization
aws-saml
This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers
aws-shield
This component is responsible for enabling AWS Shield Advanced Protection for the following resources:
- Application Load Balancers (ALBs)
- CloudFront Distributions
- Elastic IPs
- Route53 Hosted Zones
Protection for each of these resource types is enabled when its corresponding xxx_aws_shield_protection_enabled variable is set to true
aws-ssosync
Component: ssosync
Deploys [AWS ssosync](https://github
aws-team-roles
This component is responsible for provisioning user and system IAM roles outside the identity account
aws-teams
This component is responsible for provisioning all primary user and system roles into the centralized identity account
bastion
This component provisions a generic Bastion host within an Auto Scaling Group (ASG) with parameterized user_data and supports AWS SSM Session Manager for remote access with IAM authentication
cloudmap-namespace
cloudtrail
This component is responsible for provisioning CloudTrail auditing in an individual AWS account
cloudtrail-bucket
This component is responsible for provisioning a bucket for storing CloudTrail logs for auditing purposes
cloudwatch-logs
This component is responsible for creation of CloudWatch Log Streams and Log Groups
cognito
This component is responsible for provisioning and managing AWS Cognito resources
config-bucket
This module creates an S3 bucket suitable for storing AWS Config data
datadog-child-organization
Terraform component to provision a Datadog child organization using the Datadog provider
datadog-credentials (1)
This component is responsible for provisioning SSM or ASM entries for Datadog API keys
datadog-integration
This component is responsible for provisioning Datadog AWS integrations
datadog-lambda-forwarder
This component provisions all infrastructure required to deploy [Datadog Lambda forwarders](https://github
datadog-logs-archive
This component is responsible for provisioning Datadog Log Archives
datadog-monitor
This component provisions Datadog monitors and assigns Datadog roles to those monitors
datadog-private-location-ecs
This component is responsible for creating a datadog private location and deploying it to ECS (EC2 / Fargate)
Note: The app key required for this component requires admin level permissions if you are using the default roles
datadog-synthetics
This component provides the ability to implement [Datadog synthetic tests](https://docs
datadog-synthetics-private-location
This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster
dms (4)
This component provisions DMS endpoints
dns-delegated
This component is responsible for provisioning a DNS zone which manages subdomains delegated from a DNS zone in the primary DNS account
dns-primary
This component is responsible for provisioning the primary DNS zones into an AWS account
documentdb
This component is responsible for provisioning DocumentDB clusters
dynamodb
This component is responsible for provisioning a DynamoDB table
ec2-client-vpn
This component is responsible for provisioning VPN Client Endpoints
ec2-instance
This component is responsible for provisioning a single EC2 instance
ecr
This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage
ecs
This component is responsible for provisioning an ECS Cluster and associated load balancer
ecs-service
This component is responsible for creating an ECS service
efs
This component is responsible for provisioning an [EFS](https://aws
eks (28)
This component creates a Helm release for [actions-runner-controller](https://github
elasticache-redis
This component provisions AWS [ElastiCache Redis](https://aws
elasticsearch
This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and Logstash
eventbridge
The eventbridge component is a Terraform module that defines a CloudWatch EventBridge rule
github-action-token-rotator
This component provisions the [Github Action Token Rotator](https://github
github-oidc-provider
This component authorizes the GitHub OIDC provider as an identity provider for an AWS account
github-oidc-role
This component is responsible for creating IAM roles for GitHub Actions to assume
github-repository
:lock: Managing GitHub repos in a compliant way just got way easier
github-runners
This component is responsible for provisioning EC2 instances for GitHub runners
github-webhook
This component provisions a GitHub webhook for a single GitHub repository
global-accelerator
This component provisions AWS Global Accelerator and its listeners
global-accelerator-endpoint-group
This component is responsible for provisioning a Global Accelerator Endpoint Group
glue (10)
This component provisions Glue catalog databases
guardduty
This component is responsible for configuring GuardDuty within an AWS Organization
iam-policy
Terraform component that composes IAM policy documents and creates an AWS IAM policy
iam-role
This component is responsible for provisioning simple IAM roles
iam-service-linked-roles
This component is responsible for provisioning [IAM Service-Linked Roles](https://docs
identity-center
This component is responsible for creating [AWS SSO Permission Sets][1] and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts
ipam
This component is responsible for provisioning IPAM per region in a centralized account
kinesis-firehose-stream
This component provisions a Kinesis Firehose delivery stream and at this time supports CloudWatch to S3 delivery
kinesis-stream
This component is responsible for provisioning an Amazon Kinesis data stream
kms
This component is responsible for provisioning a KMS Key
lakeformation
This component is responsible for provisioning Amazon Lake Formation resources
lambda
This component is responsible for provisioning Lambda functions
macie
This component is responsible for configuring Macie within an AWS Organization
managed-grafana (3)
This component provisions an API Key for an Amazon Managed Grafana workspace
managed-grafana-data-source (2)
This component is responsible for provisioning a Loki data source for an Amazon Managed Grafana workspace
managed-prometheus (1)
This component is responsible for provisioning a workspace for Amazon Managed Service for Prometheus, also known as Amazon Managed Prometheus (AMP)
memorydb
This component provisions an AWS MemoryDB cluster
mq-broker
This component is responsible for provisioning an AmazonMQ broker and the corresponding security group
msk
This component is responsible for provisioning [Amazon Managed Streaming](https://aws
mwaa
This component provisions Amazon managed workflows for Apache Airflow
network-firewall
This component is responsible for provisioning [AWS Network Firewall](https://aws
nlb
Terraform component that wraps the [cloudposse/nlb/aws](https://github
opsgenie-team (1)
This component is responsible for provisioning Opsgenie teams and related services, rules, schedules
philips-labs-github-runners
This component provisions the surrounding infrastructure for GitHub self-hosted runners
rds
This component is responsible for provisioning an RDS instance
redshift
This component provisions an AWS Redshift cluster and seeds relevant database information (hostnames, username, password, etc
redshift-serverless
This component is responsible for provisioning Redshift Serverless clusters
route53-resolver-dns-firewall
This component is responsible for provisioning [Route 53 Resolver DNS Firewall](https://docs
runs-on
Component: runs-on
This component provisions RunsOn for GitHub Actions self-hosted runners
s3-bucket
This component is responsible for provisioning S3 buckets
security-hub
This component is responsible for configuring Security Hub within an AWS Organization
ses
This component is responsible for provisioning SES to act as an SMTP gateway
sftp
This component is responsible for provisioning SFTP Endpoints
site-to-site-vpn
This component provisions a [Site-To-Site VPN](https://aws
snowflake-account
This component sets up the requirements for all other Snowflake components, including creating the Terraform service user
snowflake-database
All data in Snowflake is stored in database tables, logically structured as collections of columns and rows
sns-topic
This component is responsible for provisioning an SNS topic
spa-s3-cloudfront
This component provisions infrastructure to serve a Single Page Application (SPA) via Amazon S3 and Amazon CloudFront
spacelift (4)
These components are responsible for setting up Spacelift and include three components: spacelift/admin-stack,
sqs-queue
This component is responsible for creating an SQS queue
ssm-parameters
This component is responsible for provisioning Parameter Store resources against AWS SSM
sso-saml-provider
This component reads sso credentials from SSM Parameter store and provides them as outputs
strongdm
This component provisions [strongDM](https://www
tfstate-backend
This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend
tgw (4)
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
vpc
This component is responsible for provisioning a VPC and corresponding Subnets
vpc-flow-logs-bucket
This component provisions an encrypted S3 bucket configured to receive VPC Flow Logs
vpc-peering
This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts
vpc-routes
This component provisions routes in AWS VPC route tables
waf
This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group
zscaler
This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs