account
This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It
150 docs tagged with "terraform"
View All Tagsaccount-map
This component is responsible for provisioning information only: it simply populates Terraform state with data (account
account-quotas
This component is responsible for requesting service quota increases. We recommend making requests here rather than in
account-settings
This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS
acm
This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone
actions-runner-controller
This component creates a Helm release for
admin-stack
This component is responsible for creating an administrative stack and its
alb
This component is responsible for provisioning a generic Application Load Balancer. It depends on the vpc and
alb-controller
This component creates a Helm release for
alb-controller-ingress-class
This component deploys a Kubernetes IngressClass resource for the AWS Load Balancer Controller. This is not often
alb-controller-ingress-group
This component provisions a Kubernetes Service that creates an ALB for a specific [IngressGroup].
amplify
This component is responsible for provisioning AWS Amplify apps, backend environments, branches, domain associations,
api-gateway-account-settings
This component is responsible for setting the global, regional settings required to allow API Gateway to write to
api-gateway-rest-api
This component is responsible for deploying an API Gateway REST API.
argocd
This component is responsible for provisioning Argo CD.
argocd-repo
This component is responsible for creating and managing an ArgoCD desired state repository.
athena
This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources.
aurora-mysql
This component is responsible for provisioning Aurora MySQL RDS clusters. It seeds relevant database information
aurora-mysql-resources
This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants,
aurora-postgres
This component is responsible for provisioning Aurora Postgres RDS clusters. It seeds relevant database information
aurora-postgres-resources
This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions,
aws-backup
This component is responsible for provisioning an AWS Backup Plan. It creates a schedule for backing up given ARNs.
aws-config
This component is responsible for configuring AWS Config.
aws-inspector
This component is responsible for provisioning an
aws-inspector2
This component is responsible for configuring Inspector V2 within an AWS Organization.
aws-node-termination-handler
This component creates a Helm release for
aws-saml
This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an
aws-shield
This component is responsible for enabling AWS Shield Advanced Protection for the following resources:
aws-sso
This component is responsible for creating AWS SSO Permission Sets and creating AWS SSO Account Assignments, that
aws-ssosync
Deploys AWS ssosync to sync Google Groups with AWS SSO.
aws-team-roles
This component is responsible for provisioning user and system IAM roles outside the identity account. It sets them up
aws-teams
This component is responsible for provisioning all primary user and system roles into the centralized identity account.
bastion
This component is responsible for provisioning a generic Bastion host within an ASG with parameterized user_data and
catalog-database
This component provisions Glue catalog databases.
catalog-table
This component provisions Glue catalog tables.
cert-manager
This component creates a Helm release for cert-manager on a Kubernetes
cloudtrail
This component is responsible for provisioning cloudtrail auditing in an individual account. It's expected to be used
cloudtrail-bucket
This component is responsible for provisioning a bucket for storing cloudtrail logs for auditing purposes. It's expected
cloudwatch-logs
This component is responsible for creation of CloudWatch Log Streams and Log Groups.
cluster
This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate
cognito
This component is responsible for provisioning and managing AWS Cognito resources.
config-bucket
This module creates an S3 bucket suitable for storing AWS Config data.
connection
This component provisions Glue connections.
crawler
This component provisions Glue crawlers.
cross-region-hub-connector
This component is responsible for provisioning an
datadog_keys
Useful submodule for other modules to quickly configure the datadog provider
datadog-agent
This component installs the datadog-agent for EKS clusters.
datadog-configuration
This component is responsible for provisioning SSM or ASM entries for Datadog API keys.
datadog-integration
This component is responsible for provisioning Datadog AWS integrations. It depends on the datadog-configuration
datadog-lambda-forwarder
This component is responsible for provision all the necessary infrastructure to deploy
datadog-logs-archive
This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each
datadog-monitor
This component is responsible for provisioning Datadog monitors and assigning Datadog roles to the monitors.
datadog-private-location-ecs
This component is responsible for creating a datadog private location and deploying it to ECS (EC2 / Fargate)
datadog-synthetics
This component provides the ability to implement
datadog-synthetics-private-location
This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster.
dist
Removes need for ASM Secrets
dns-delegated
This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS
dns-primary
This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically
documentdb
This component is responsible for provisioning DocumentDB clusters.
dynamodb
This component is responsible for provisioning a DynamoDB table.
ec2-client-vpn
This component is responsible for provisioning VPN Client Endpoints.
echo-server
This is copied from
ecr
This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage.
ecs
This component is responsible for provisioning an ECS Cluster and associated load balancer.
ecs-service
This component is responsible for creating an ECS service.
efs
This component is responsible for provisioning an EFS Network File System with KMS
elasticache-redis
This component is responsible for provisioning ElastiCache Redis clusters.
elasticsearch
This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and
endpoint
This component provisions DMS endpoints.
escalation
Escalation
eventbridge
The eventbridge component is a Terraform module that defines a CloudWatch EventBridge rule. The rule is pointed at
external-dns
This component creates a Helm deployment for external-dns on a
external-secrets-operator
This component (ESO) is used to create an external SecretStore configured to synchronize secrets from AWS SSM
github-action-token-rotator
This component is responsible for provisioning
github-actions-runner
This component deploys self-hosted GitHub Actions Runners and a
github-oidc-provider
This component is responsible for authorizing the GitHub OIDC provider as an Identity provider for an AWS account. It is
github-oidc-role
This component is responsible for creating IAM roles for GitHub Actions to assume.
github-runners
This component is responsible for provisioning EC2 instances for GitHub runners.
github-webhook
This component provisions a GitHub webhook for a single GitHub repository.
gitops
This component is used to deploy GitHub OIDC roles for accessing the gitops Team. We use this team to run Terraform
global-accelerator
This component is responsible for provisioning AWS Global Accelerator and its listeners.
global-accelerator-endpoint-group
This component is responsible for provisioning a Global Accelerator Endpoint Group.
guardduty
This component is responsible for configuring GuardDuty within an AWS Organization.
hub
This component is responsible for provisioning an AWS Transit Gateway hub
iam
This component provisions IAM roles required for DMS.
iam
This component provisions IAM roles for AWS Glue.
iam-role
This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired
iam-roles
This submodule is used by other modules to determine which IAM Roles or AWS CLI Config Profiles to use for various
iam-service-linked-roles
This component is responsible for provisioning
idp-roles
This component installs the idp-roles for EKS clusters. These identity provider roles specify severl pre-determined
integration
Integration
ipam
This component is responsible for provisioning IPAM per region in a centralized account.
job
This component provisions Glue jobs.
karpenter
This component provisions Karpenter on an EKS cluster. It requires at least version 0.19.0 of
karpenter-provisioner
This component deploys Karpenter provisioners on an EKS cluster.
keda
This component is used to install the KEDA operator.
kinesis-stream
This component is responsible for provisioning an Amazon Kinesis data stream.
kms
This component is responsible for provisioning a KMS Key.
lakeformation
This component is responsible for provisioning Amazon Lake Formation resources.
lambda
This component is responsible for provisioning Lambda functions.
macie
This component is responsible for configuring Macie within an AWS Organization.
metrics-server
This component creates a Helm release for metrics-server is a
modules
webhook-github-app
mq-broker
This component is responsible for provisioning an AmazonMQ broker and corresponding security group.
msk
This component is responsible for provisioning Amazon Managed Streaming clusters for
mwaa
This component provisions Amazon managed workflows for Apache Airflow.
network-firewall
This component is responsible for provisioning AWS Network Firewall resources,
opsgenie-team
This component is responsible for provisioning Opsgenie teams and related services, rules, schedules.
philips-labs-github-runners
This component is responsible for provisioning the surrounding infrastructure for the github runners.
platform
This component maps another components' outputs into SSM parameter store to declare platform context used by CI/CD
rds
This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames,
redis
This component installs redis for EKS clusters. This is a Self Hosted Redis Cluster installed on EKS.
redis-operator
This component installs redis-operator for EKS clusters. Redis Operator creates/configures/manages high availability
redshift
This component is responsible for provisioning a RedShift instance. It seeds relevant database information (hostnames,
registry
This component provisions Glue registries.
reloader
This component installs the Stakater Reloader for EKS clusters. reloader can
replication-instance
This component provisions DMS replication instances.
replication-task
This component provisions DMS replication tasks.
roles-to-principals
This submodule is used by other modules to map short role names and AWS SSO Permission Set names in accounts designated
route53-resolver-dns-firewall
This component is responsible for provisioning
routing
Routing
s3-bucket
This component is responsible for provisioning S3 buckets.
schema
This component provisions Glue schemas.
security-hub
This component is responsible for configuring Security Hub within an AWS Organization.
ses
This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can
sftp
This component is responsible for provisioning SFTP Endpoints.
snowflake-account
This component sets up the requirements for all other Snowflake components, including creating the Terraform service
snowflake-database
All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This
sns-topic
This component is responsible for provisioning an SNS topic.
spa-s3-cloudfront
This component is responsible for provisioning:
spacelift
These components are responsible for setting up Spacelift and include three components: spacelift/admin-stack,
spaces
This component is responsible for creating and managing the spaces in the
spoke
This component is responsible for provisioning AWS Transit Gateway attachments
sqs-queue
This component is responsible for creating an SQS queue.
ssm-parameters
This component is responsible for provisioning Parameter Store resources against AWS SSM. It supports normal parameter
sso-saml-provider
This component reads sso credentials from SSM Parameter store and provides them as outputs
storage-class
This component is responsible for provisioning StorageClasses in an EKS cluster. See the list of guides and references
strongdm
This component provisions strongDM gateway, relay and roles
team-assume-role-policy
This submodule generates a JSON-encoded IAM Policy Document suitable for use as an "Assume Role Policy".
tfstate-backend
This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for
tgw
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
trigger
This component provisions Glue triggers.
vpc
This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can
vpc-flow-logs-bucket
This component is responsible for provisioning an encrypted S3 bucket which is configured to receive VPC Flow Logs.
vpc-peering
This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts.
waf
This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule
webhook-github-app
This module is using the local executor to run a bash script.
worker-pool
This component is responsible for provisioning Spacelift worker pools.
workflow
This component provisions Glue workflows.
zscaler
This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs.