127 docs tagged with "terraform"

This component is responsible for provisioning the full account hierarchy along with Organizational Units (OUs). It includes the ability to associate Service Control Policies (SCPs) to the Organization, each Organizational Unit and account.

This component is responsible for provisioning information only: it simply populates Terraform state with data (account ids, groups, and roles) that other root modules need via outputs.

This component is responsible for requesting service quota increases. We recommend

This component is responsible for provisioning account level settings: IAM password policy, AWS Account Alias, EBS encryption, and Service Quotas.

This component is responsible for requesting an ACM certificate for a domain and adding a CNAME record to the DNS zone to complete certificate validation.

This component creates a Helm release for actions-runner-controller on an EKS cluster.

This component is responsible for provisioning a generic Application Load Balancer. It depends on the vpc and dns-delegated components.

This component creates a Helm release for alb-controller on an EKS cluster.

This component deploys a Kubernetes IngressClass resource for the AWS Load Balancer Controller.

This component creates a Kubernetes Service that creates an ALB for a specific [IngressGroup].

This component is responsible for provisioning

This component is responsible for provisioning Argo CD.

This component is responsible for creating and managing an ArgoCD desired state repository.

This component is responsible for provisioning an Amazon Athena workgroup, databases, and related resources.

This component is responsible for provisioning Aurora MySQL RDS clusters.

This component is responsible for provisioning Aurora MySQL resources: additional databases, users, permissions, grants, etc.

This component is responsible for provisioning Aurora Postgres RDS clusters.

This component is responsible for provisioning Aurora Postgres resources: additional databases, users, permissions, grants, etc.

This component is responsible for provisioning an AWS Backup Plan. It creates a schedule for backing up given ARNs.

This component is responsible for configuring AWS Config.

This component is responsible for provisioning an AWS Inspector by installing the Inspector agent across all EC2 instances and applying the Inspector rules.

This component creates a Helm release for aws-node-termination-handler on a Kubernetes cluster. aws-node-termination-handler is a Kubernetes addon that (by default) monitors the EC2 IMDS endpoint for scheduled maintenance events, spot instance termination events, and rebalance recommendation events, and drains and/or cordons nodes upon such events.

This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (okta must be mentioned in the key given to the saml_providers input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM.

This component is responsible for enabling AWS Shield Advanced Protection for the following resources:

This component is responsible for creating AWS SSO Permission Sets and creating AWS SSO Account Assignments, that is, assigning IdP (Okta) groups and/or users to AWS SSO permission sets in specific AWS Accounts.

This component is responsible for provisioning user and system IAM roles outside the identity account.

Purpose

This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group.

This component is responsible for provisioning a generic Bastion host within an ASG with parameterized user_data and support for AWS SSM Session Manager for remote access with IAM authentication.

This component creates a Helm release for cert-manager on a Kubernetes cluster. cert-manager is a Kubernetes addon that provisions X.509 certificates.

This component is responsible for provisioning cloudtrail auditing in an individual account. It's expected to be used alongside

This component is responsible for provisioning a bucket for storing cloudtrail logs for auditing purposes. It's expected to be used alongside the cloudtrail component.

This component is responsible for creation of CloudWatch Log Streams and Log Groups.

This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups and Fargate profiles.

This component is responsible for provisioning and managing AWS Cognito resources.

This component is responsible for configuring GuardDuty and it should be used in tandem with the guardduty/root component.

This component is responsible for configuring Security Hub and it should be used in tandem with the securityhub/root component.

This module creates an S3 bucket suitable for storing AWS Config data.

Useful submodule for other modules to quickly configure the datadog provider

This component installs the datadog-agent for EKS clusters.

This component is responsible for provisioning SSM or ASM entries for Datadog API keys.

This component is responsible for provisioning Datadog AWS integrations.

This component is responsible for provision all the necessary infrastructure to

This component is responsible for provisioning Datadog Log Archives. It creates a single log archive pipeline for each AWS account. If the catchall flag is set, it creates a catchall archive within the same S3 bucket.

This component is responsible for provisioning Datadog monitors and assigning Datadog roles to the monitors.

This component is responsible for creating a datadog private location and deploying it to ECS (EC2 / Fargate)

This component provides the ability to implement Datadog synthetic tests.

This component provisions a Datadog synthetics private location on Datadog and a private location agent on EKS cluster.

This component is responsible for provisioning a DNS zone which delegates nameservers to the DNS zone in the primary DNS account. The primary DNS zone is expected to already be provisioned via the dns-primary component.

This component is responsible for provisioning the primary DNS zones into an AWS account. By convention, we typically provision the primary DNS zones in the dns account. The primary account for branded zones (e.g. example.com), however, would be in the prod account, while staging zone (e.g. example.qa) might be in the staging account.

This component is responsible for provisioning DocumentDB clusters.

This component is responsible for provisioning a DynamoDB table.

This component creates a Helm release for ebs-controller on a Kubernetes cluster.

This component is responsible for provisioning VPN Client Endpoints.

This is copied from cloudposse/terraform-aws-components.

This component is responsible for provisioning repositories, lifecycle rules, and permissions for streamlined ECR usage.

This component is responsible for provisioning an ECS Cluster and associated load balancer.

This component is responsible for creating an ECS service.

This component is responsible for provisioning an EFS Network File System with KMS encryption-at-rest. EFS is an excellent choice as the default block storage for EKS clusters so that volumes are not zone-locked.

This component creates a Helm release for efs-controller on a Kubernetes cluster.

This component is responsible for provisioning specific IAM roles for Kubernetes Service Accounts. IAM roles are created for the following Kubernetes projects:

This component is responsible for provisioning an end-to-end EKS Cluster, including managed node groups.

This component is responsible for provisioning ElastiCache Redis clusters.

This component is responsible for provisioning an Elasticsearch cluster with built-in integrations with Kibana and Logstash.

This component provisions DMS endpoints.

Escalation

This component creates a Helm deployment for external-dns on a Kubernetes cluster. external-dns is a Kubernetes addon that configures public DNS servers with information about exposed Kubernetes services to make them discoverable.

This component (ESO) is used to create an external SecretStore configured to synchronize secrets from AWS SSM Parameter store as Kubernetes Secrets within the cluster. Per the operator pattern, the external-secret-operator pods will watch for any ExternalSecret resources which reference the SecretStore to pull secrets from.

This component is responsible for provisioning Github Action Token Rotator.

This component is responsible for authorizing the GitHub OIDC provider

This component is responsible for provisioning EC2 instances for GitHub runners.

This component is responsible for provisioning AWS Global Accelerator and its listeners.

This component is responsible for provisioning a Global Accelerator Endpoint Group.

This component is responsible for provisioning an AWS Transit Gateway hub that acts as a centralized gateway for connecting VPCs from other spoke accounts.

This component provisions IAM roles required for DMS.

This component is responsible for provisioning simple IAM roles. If a more complicated IAM role and policy are desired then it is better to use a separate component specific to that role.

This submodule is used by other modules to determine which IAM Roles

This component is responsible for provisioning IAM Service-Linked Roles.

This component installs the idp-roles for EKS clusters. These identity provider roles specify severl pre-determined permission levels for cluster users and come with bindings that make them easy to assign to Users and Groups.

Integration

This component provisions Karpenter on an EKS cluster.

This component deploys Karpenter provisioners on an EKS cluster.

This component is responsible for provisioning an Amazon Kinesis data stream.

This component is responsible for provisioning a KMS Key.

This component is responsible for provisioning Amazon Lake Formation resources.

This component is responsible for provisioning Lambda functions.

This component creates a Helm release for metrics-server is a Kubernetes addon that provides resource usage metrics used in particular by other addons such Horizontal Pod Autoscaler.

This component is responsible for provisioning an AmazonMQ broker and corresponding security group.

This component provisions Amazon managed workflows for Apache Airflow.

This component is responsible for provisioning AWS Network Firewall resources,

This component is responsible for provisioning Opsgenie teams and related services, rules, schedules.

This component maps another components' outputs into SSM parameter store to declare

This component is responsible for provisioning an RDS instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store.

This component installs redis for EKS clusters. This is a Self Hosted Redis Cluster installed on EKS.

This component installs redis-operator for EKS clusters. Redis Operator creates/configures/manages high availability redis with sentinel automatic failover atop Kubernetes.

This component is responsible for provisioning a RedShift instance. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store.

This component installs the Stakater Reloader for EKS clusters.

This component provisions DMS replication instances.

This component provisions DMS replication tasks.

This submodule is used by other modules to map short role names and AWS

This component should be used in tandem with the guardduty/common component. Please take a look at guardduty/common/README for more information about GuardDuty and deployment steps.

This component should be used in tandem with the securityhub/common component. Please take a look at securityhub/common/README for more information about Security Hub and deployment steps.

This component is responsible for provisioning Route 53 Resolver DNS Firewall

Routing

This component is responsible for provisioning S3 buckets.

This component is responsible for provisioning SES to act as an SMTP gateway. The credentials used for sending email can be retrieved from SSM.

This component is responsible for provisioning SFTP Endpoints.

This component sets up the requirements for all other Snowflake components, including creating the Terraform service user. Before running this component, follow the manual, Click-Ops steps below to create a Snowflake subscription.

All data in Snowflake is stored in database tables, logically structured as collections of columns and rows. This component will create and control a Snowflake database, schema, and set of tables.

This component is responsible for provisioning an SNS topic.

This component is responsible for provisioning:

This component is responsible for provisioning Spacelift stacks.

This component is responsible for provisioning Spacelift policies.

This component is responsible for provisioning Spacelift worker pools.

This component is responsible for provisioning AWS Transit Gateway attachments to connect VPCs in a spoke account to different accounts through a central hub.

This component is responsible for creating an SQS queue.

This component is responsible for provisioning Parameter Store resources against AWS SSM. It supports normal parameter store resources that can be configured directly in YAML OR pulling secret values from a local Sops file.

This component is responsible for provisioning SAML metadata into AWS IAM as new SAML providers. Additionally, for an Okta integration (okta must be mentioned in the key given to the saml_providers input) it creates an Okta API user and corresponding Access Key pair which is pushed into AWS SSM.

This component reads sso credentials from SSM Parameter store and provides them as outputs

This component provisions strongDM gateway, relay and roles

This submodule generates a JSON-encoded IAM Policy Document suitable for use as an "Assume Role Policy".

This component is responsible for provisioning an S3 Bucket and DynamoDB table that follow security best practices for usage as a Terraform backend. It also creates IAM roles for access to the Terraform backend.

This component is responsible for provisioning a VPC and corresponding Subnets. Additionally, VPC Flow Logs can optionally be enabled for auditing purposes. See the existing VPC configuration documentation for the provisioned subnets.

This component is responsible for provisioning an encrypted S3 bucket which is configured to receive VPC Flow Logs.

This component is responsible for creating a peering connection between two VPCs existing in different AWS accounts.

This component is responsible for provisioning an AWS Web Application Firewall (WAF) with an associated managed rule group.

This component is responsible for provisioning ZScaler Private Access Connector instances on Amazon Linux 2 AMIs.