AWS
Discover a wide range of reusable Terraform modules tailored for managing AWS infrastructure. These modules simplify the deployment and management of AWS services through consistent and scalable code.
acm-request-certificate
Terraform module to request an ACM certificate for a domain and add a CNAME record to the DNS zone to complete certificate validation
alb
Terraform module to create an ALB, default ALB listener(s), and a default ALB target and related security groups.
alb-ingress
Terraform module to provision an HTTP style ALB ingress based on hostname and/or path.ALB ingress can be provisioned without authentication, or using Cognito or OIDC authentication.
alb-target-group-cloudwatch-sns-alarms
Terraform module for creating alarms for tracking important changes and occurrences from ALBs.
amplify-app
Terraform module to provision AWS Amplify apps, backend environments, branches, domain associations, and webhooks.
api-gateway (1)
Terraform module to provision API Gatway resources.The root module creates an API Gateway REST API along with configuring tracing, logging, and metrics.The module also consists of the following submodules:
- account-settings - to provision account-level settings for logging and metrics for API Gateway
athena
Terraform module to deploy an instance of Amazon Athena on AWS.
backup
Terraform module to provision AWS Backup, a fully managed backup service that makes it easy to centralize and automate the back up of data across AWS services such as Amazon EBS volumes, Amazon EC2 instances, Amazon RDS databases, Amazon DynamoDB tables, Amazon EFS file systems, and AWS Storage Gateway volumes.
[!NOTE]
The syntax of declaring a backup schedule has changed as of release0.14.0
, follow the instructions in the 0.13.x to 0.14.x+ migration guide.
[!WARNING]
The deprecated variables have been fully deprecated as of 1.x.x
. Please use the new variables as described in the 0.13.x to 0.14.x+ migration guide.
batch
This is an example project to provide all the scaffolding for a typical well-built Cloud Posse Terraform module for AWS resources. It's a template repository you can use when creating new repositories. This is not a useful module by itself.
budgets
Terraform module to create AWS Budgets and an associated SNS topic and Lambda function to send notifications to Slack.
cicd
Terraform module to create AWS CodePipeline
with CodeBuild
for CI/CD
This module supports three use-cases:
- GitHub -> S3 (build artifact) -> Elastic Beanstalk (running application stack).
The module gets the code from a
GitHub
repository (public or private), builds it by executing thebuildspec.yml
file from the repository, pushes the built artifact to an S3 bucket, and deploys the artifact toElastic Beanstalk
running one of the supported stacks (e.g.Java
,Go
,Node
,IIS
,Python
,Ruby
, etc.).- http://docs.aws.amazon.com/codebuild/latest/userguide/sample-maven-5m.html
- http://docs.aws.amazon.com/codebuild/latest/userguide/sample-nodejs-hw.html
- http://docs.aws.amazon.com/codebuild/latest/userguide/sample-go-hw.html
- GitHub -> ECR (Docker image) -> Elastic Beanstalk (running Docker stack).
The module gets the code from a
GitHub
repository, builds aDocker
image from it by executing thebuildspec.yml
andDockerfile
files from the repository, pushes theDocker
image to anECR
repository, and deploys theDocker
image toElastic Beanstalk
runningDocker
stack.- http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html
- GitHub -> ECR (Docker image).
The module gets the code from a
GitHub
repository, builds aDocker
image from it by executing thebuildspec.yml
andDockerfile
files from the repository, and pushes theDocker
image to anECR
repository. This is used when we want to build aDocker
image from the code and push it toECR
without deploying toElastic Beanstalk
. To activate this mode, don't specify theapp
andenv
attributes for the module.- http://docs.aws.amazon.com/codebuild/latest/userguide/sample-docker.html
cloudformation-stack
Terraform module to provision CloudFormation Stack.
cloudformation-stack-set
Terraform module to provision Cloudformation Stack Set and Administrator IAM role.
cloudfront-cdn
Terraform Module that implements a CloudFront Distribution (CDN) for a custom origin (e.g. website) and ships logs to a bucket.If you need to accelerate an S3 bucket, we suggest using terraform-aws-cloudfront-s3-cdn
instead.
cloudfront-s3-cdn (1)
Terraform module to provision an AWS CloudFront CDN with an S3 origin.
cloudtrail
Terraform module to provision an AWS CloudTrail.The module accepts an encrypted S3 bucket with versioning to store CloudTrail logs.The bucket could be from the same AWS account or from a different account.This is useful if an organization uses a number of separate AWS accounts to isolate the Audit environment from other environments (production, staging, development).In this case, you create CloudTrail in the production environment (production AWS account), while the S3 bucket to store the CloudTrail logs is created in the Audit AWS account, restricting access to the logs only to the users/groups from the Audit account.
cloudtrail-cloudwatch-alarms
Terraform module for creating alarms for tracking important changes and occurances from cloudtrail.This module creates a set of filter metrics and alarms based on the security best practices covered in the AWS CIS Foundations Benchmark guide.
cloudtrail-s3-bucket
Terraform module to provision an S3 bucket with built in policy to allow CloudTrail logs.This is useful if an organization uses a number of separate AWS accounts to isolate the Audit environment from other environments (production, staging, development).In this case, you create CloudTrail in the production environment (Production AWS account), while the S3 bucket to store the CloudTrail logs is created in the Audit AWS account, restricting access to the logs only to the users/groups from the Audit account.The module supports the following:
- Forced server-side encryption at rest for the S3 bucket
- S3 bucket versioning to easily recover from both unintended user actions and application failures
- S3 bucket is protected from deletion if it's not empty (force_destroy set to
false
)
cloudwatch-events
This is terraform-aws-cloudwatch-events
module that creates CloudWatch Events rules and according targets.
Amazon CloudWatch Events delivers a near real-time stream of system events that describe changes in Amazon Web Services (AWS) resources. Using simple rules that you can quickly set up, you can match events and route them to one or more target functions or streams. CloudWatch Events becomes aware of operational changes as they occur. CloudWatch Events responds to these operational changes and takes corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.
cloudwatch-flow-logs
Terraform module for enabling flow logs
for vpc
and subnets
.
cloudwatch-logs
Terraform module for creation of CloudWatch Log Streams and Log Groups. Useful in combination with Fluentd/Fluent-bit for shipping logs.
code-deploy
Terraform module to provision AWS Code Deploy app and group.
codebuild
Terraform module to create AWS CodeBuild project for AWS CodePipeline.
config (1)
This module enables AWS Config and optionally sets up an SNS topic to receive notifications of its findings.
config-storage
This module creates an S3 bucket suitable for storing AWS Config
data.It implements a configurable log retention policy, which allows you to efficiently manage logs across different
storage classes (e.g. Glacier
) and ultimately expire the data altogether.It enables server-side default encryption.
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.htmlIt blocks public access to the bucket by default.
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
datadog-integration
Terraform module to configure Datadog AWS integration.
datadog-lambda-forwarder
Terraform module to provision all the necessary infrastructure to deploy Datadog Lambda forwarders
dms (1)
Terraform modules for provisioning and managing AWS DMS resources.The following DMS resources are supported:
Refer to modules for more details.documentdb-cluster
Terraform module to provision an Amazon DocumentDB
cluster.
dynamic-subnets
Terraform module to provision public and private subnets
in an existing VPC
Note: This module is intended for use with an existing VPC and existing Internet Gateway.
To create a new VPC, use terraform-aws-vpc module.Note: Due to Terraform limitations,
many optional inputs to this module are specified as a list(string)
that can have zero or one element, rather than
as a string
that could be empty or null
. The designation of an input as a list
type does not necessarily
mean that you can supply more than one value in the list, so check the input's description before supplying more than one value.The core function of this module is to create 2 sets of subnets, a "public" set with bidirectional access to the
public internet, and a "private" set behind a firewall with egress-only access to the public internet. This
includes dividing up a given CIDR range so that a each subnet gets its own
distinct CIDR range within that range, and then creating those subnets in the appropriate availability zones.
The intention is to keep this module relatively simple and easy to use for the most popular use cases.
In its default configuration, this module creates 1 public subnet and 1 private subnet in each
of the specified availability zones. The public subnets are configured for bi-directional traffic to the
public internet, while the private subnets are configured for egress-only traffic to the public internet.
Rather than provide a wealth of configuration options allowing for numerous special cases, this module
provides some common options and further provides the ability to suppress the creation of resources, allowing
you to create and configure them as you like from outside this module. For example, rather than give you the
option to customize the Network ACL, the module gives you the option to create a completely open one (and control
access via Security Groups and other means) or not create one at all, allowing you to create and configure one yourself.
Public subnets
This module defines a public subnet as one that has direct access to an internet gateway and can accept incoming connection requests. In the simplest configuration, the module creates a single route table with a default route targeted to the VPC's internet gateway, and associates all the public subnets with that single route table.Likewise it creates a single Network ACL with associated rules allowing all ingress and all egress, and associates that ACL with all the public subnets.Private subnets
A private subnet may be able to initiate traffic to the public internet through a NAT gateway, a NAT instance, or an egress-only internet gateway, or it might only have direct access to other private subnets. In the simple configuration, for IPv4 and/or IPv6 with NAT64 enabled viapublic_dns64_enabled
or private_dns64_enabled
, the module creates 1 NAT Gateway or NAT Instance for each
private subnet (in the public subnet in the same availability zone), creates 1 route table for each private subnet,
and adds to that route table a default route from the subnet to its NAT Gateway or Instance. For IPv6,
the module adds a route to the Egress-Only Internet Gateway configured via input.As with the Public subnets, the module creates a single Network ACL with associated rules allowing all ingress and
all egress, and associates that ACL with all the private subnets.Customization for special use cases
Various features are controlled bybool
inputs with names ending in _enabled
. By changing the default
values, you can enable or disable creation of public subnets, private subnets, route tables,
NAT gateways, NAT instances, or Network ACLs. So for example, you could use this module to create only
private subnets and the open Network ACL, and then add your own route table associations to the subnets
and route all non-local traffic to a Transit Gateway or VPN.CIDR allocation
For IPv4, you provide a CIDR and the module divides the address space into the largest CIDRs possible that are still small enough to accommodatemax_subnet_count
subnets of each enabled type (public or private). When max_subnet_count
is left at the default 0
, it is set to the total number of availability zones in the region. Private subnets
are allocated out of the first half of the reserved range, and public subnets are allocated out of the second half.For IPv6, you provide a /56
CIDR and the module assigns /64
subnets of that CIDR in consecutive order starting
at zero. (You have the option of specifying a list of CIDRs instead.) As with IPv4, enough CIDRs are allocated to
cover max_subnet_count
private and public subnets (when both are enabled, which is the default), with the private
subnets being allocated out of the lower half of the reservation and the public subnets allocated out of the upper half.dynamodb
Terraform module to provision a DynamoDB table with autoscaling.Autoscaler scales up/down the provisioned OPS for the DynamoDB table based on the load.
Requirements
This module requires AWS Provider>= 4.22.0
dynamodb-autoscaler
Terraform module to provision DynamoDB autoscaler.Autoscaler scales up/down the provisioned OPS for a DynamoDB table based on the load.
ec2-admin-server
Terraform Module for providing a server capable of running admin tasks. Use terraform-aws-ec2-admin-server
to create and manage an admin instance.
ec2-ami-backup
This repo contains a terraform module that creates two lambda functions that will create AMI automatically at regular intervals. It is based on the code at https://serverlesscode.com/post/lambda-schedule-ebs-snapshot-backups/ and https://serverlesscode.com/post/lambda-schedule-ebs-snapshot-backups-2/.
ec2-ami-snapshot
Terraform module to easily generate AMI snapshots to create replica instances
ec2-autoscale-group
Terraform module to provision Auto Scaling Group and Launch Template on AWS.The module also creates AutoScaling Policies and CloudWatch Metric Alarms to monitor CPU utilization on the EC2 instances and scale the number of instance in the AutoScaling Group up or down.
If you don't want to use the provided functionality, or want to provide your own policies, disable it by setting the variable autoscaling_policies_enabled
to false
.At present, although you can set the created AutoScaling Policy type to any legal value, in practice only SimpleScaling
is supported.
To use a StepScaling
or TargetTrackingScaling
policy, create it yourself and then pass it in the alarm_actions
field of custom_alarms
.
ec2-bastion-server
Terraform module to define a generic Bastion host with parameterized user_data
and support for AWS SSM Session Manager for remote access with IAM authentication.
ec2-client-vpn
The terraform-aws-ec2-client-vpn
project provides for ec2 client vpn infrastructure. AWS Client VPN is a managed client-based VPN service based on OpenVPN that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using any OpenVPN-based VPN client.
ec2-instance
Terraform Module for provisioning a general purpose EC2 host.Included features:
- Automatically create a Security Group
- Option to switch EIP attachment
- CloudWatch monitoring and automatic reboot if instance hangs
- Assume Role capability
ec2-instance-group
Terraform Module for providing N general purpose EC2 hosts.If you only need to provision a single EC2 instance, consider using the terraform-aws-ec2-instance module instead.IMPORTANT This module by-design does not provision an AutoScaling group. It was designed to provision a discrete number of instances suitable for running stateful services such as databases (e.g. Kafka, Redis, etc).Included features:
- Automatically create a Security Group
- Option to switch EIP attachment
- CloudWatch monitoring and automatic reboot if instance hangs
- Assume Role capability
ecr
Terraform module to provision an AWS ECR Docker Container registry
.
ecr-public
Terraform module to provision a Public AWS ECR Docker Container registry
.
ecs-alb-service-task
Terraform module to create an ECS Service for a web app (task), and an ALB target group to route requests.
ecs-cloudwatch-autoscaling
Terraform module for creating alarms for tracking important changes and occurrences from ECS Services.
ecs-cloudwatch-sns-alarms
Terraform module for creating alarms for tracking important changes and occurrences from ECS Services.
ecs-cluster
Terraform module to provision an ECS Cluster
with list of
capacity providers
.Supports Amazon ECS Fargate
and EC2 Autoscaling
capacity providers.
ecs-codepipeline
Terraform Module for CI/CD with AWS Code Pipeline using GitHub webhook triggers and Code Build for ECS.
ecs-container-definition
Terraform module to generate well-formed JSON documents that are passed to the aws_ecs_task_definition
Terraform resource as container definitions.
ecs-web-app
A Terraform module which implements a web app on ECS and supporting AWS resources.
efs
Terraform module to provision an AWS EFS
Network File System.NOTE: Release 0.32.0
contains breaking changes. To preserve the SG, follow the instructions in the 0.30.1 to 0.32.x+ migration path.
efs-backup
Terraform module designed to easily backup EFS filesystems to S3 using DataPipeline.The workflow is simple:
- Periodically launch resource (EC2 instance) based on schedule
- Execute the shell command defined in the activity on the instance
- Sync data from Production EFS to S3 Bucket by using
aws-cli
- The execution log of the activity is stored in
S3
- Publish the success or failure of the activity to an
SNS
topic - Automatically rotate the backups using
S3 lifecycle rule
efs-cloudwatch-sns-alarms
Create a set of sane EFS CloudWatch alerts for monitoring the health of an EFS resource.
area | metric | comparison operator | threshold | rationale |
---|---|---|---|---|
Storage | BurstCreditBalance | < | 192000000000 | 192 GB in Bytes (last hour where you can burst at 100 MB/sec) |
Storage | PercentIOLimit | > | 95 | When the IO limit has been exceeded, the system performance drops. |
eks-cluster
Terraform module to provision an EKS cluster on AWS. <br/><br/> This Terraform module provisions a fully-configured AWS EKS (Elastic Kubernetes Service) cluster. It's engineered to integrate smoothly with Karpenter and EKS addons, forming a critical part of Cloud Posse's reference architecture. Ideal for teams looking to deploy scalable and manageable Kubernetes clusters on AWS with minimal fuss.
eks-fargate-profile
Terraform module to provision an AWS Fargate Profile and Fargate Pod Execution Role for EKS.
eks-iam-role
This terraform-aws-eks-iam-role
project provides a simplified mechanism for provisioning
AWS EKS Service Account IAM roles.
eks-node-group
Terraform module to provision an EKS Managed Node Group for Elastic Kubernetes Service.Instantiate it multiple times to create EKS Managed Node Groups with specific settings such as GPUs, EC2 instance types, or autoscale parameters.IMPORTANT: When SSH access is enabled without specifying a source security group, this module provisions EKS Node Group
nodes that are globally accessible by SSH (22) port. Normally, AWS recommends that no security group allows unrestricted ingress access to port 22 .
eks-spotinst-ocean-nodepool
This terraform-aws-eks-spotinst-ocean-nodepool
module provides the scaffolding for provisioning a Spotinst
Ocean connected to an AWS EKS cluster.
eks-workers
Terraform module to provision AWS resources to run EC2 worker nodes for Elastic Kubernetes Service.Instantiate it multiple times to create many EKS worker node pools with specific settings such as GPUs, EC2 instance types, or autoscale parameters.
elastic-beanstalk-application
Terraform module to provision AWS Elastic Beanstalk application
elastic-beanstalk-environment
Terraform module to provision AWS Elastic Beanstalk environment
Searching for Maintainer!
The Cloud Posse team no longer utilizes Beanstalk all that much, but this module is still fairly popular. In an effort to give it the attention it deserves, we're searching for a volunteer maintainer to manage this specific repository's issues and pull requests (of which a number are already stacked up). This is a great opportunity for anyone who is looking to solidify and strengthen their Terraform skillset while also giving back to the SweetOps open source community!You can learn more about being a SweetOps contributor on our docs site here.If you're interested, reach out to us via the#terraform
channel in the SweetOps Slack or directly via email @ [email protected]elasticache-memcached
Terraform module to provision an ElastiCache
Memcached Cluster
elasticache-redis
Terraform module to provision an ElastiCache
Redis Cluster or Serverless instance.
elasticsearch
Terraform module to provision an Elasticsearch
cluster with built-in integrations with Kibana and Logstash.
emr-cluster
Terraform module to provision an Elastic MapReduce (EMR) cluster on AWS.
firewall-manager
Terraform module to create and manage AWS Firewall Manager policies.
github-action-token-rotator
This module deploys a lambda function that runs as a GitHub Application and periodically gets a new GitHub Runner Registration Token from the GitHub API. This token is then stored in AWS Systems Manager Parameter Store.
global-accelerator (1)
This module provisions AWS Global Accelerator. Multiple listeners can be specified when instantiating this module.
The endpoint-group
submodule provisions a Global Accelerator Endpoint Group for a listener created by this module and can be instantiated multiple times
in order to provision multiple Endpoint Groups.The reason why endpoint-group
is its own submodule is because an AWS Provider needs to be instantiated for the region the Endpoint Group's endpoints reside in.
For more information, see the endpoint-group documentation.
glue (1)
Terraform modules for provisioning and managing AWS Glue resources.The following Glue resources are supported:
Refer to modules for more details.guardduty
This module enables AWS GuardDuty in one region of one account and optionally sets up an SNS topic to receive notifications of its findings.
health-events
This module creates EventBridge (formerly CloudWatch Events) rules for AWS Personal Health Dashboard Events and an SNS topic. EventBridge will publish messages to this SNS topic, which can be subcribed to using this module as well. Since AWS Personal Health Dashboard is a global service, but since the KMS key and SNS topic are regional, this module is technically regional but only needs to be deployed once per account.
helm-release
This terraform-aws-helm-release
module deploys a Helm chart with
an option to create an EKS IAM Role for a Service Account (IRSA).
iam-account-settings
Terraform module to provision general IAM account settings. It will create the IAM account alias for pretty login URLs and set the account password policy."
iam-assumed-roles
Terraform module to provision two IAM roles and two IAM groups for assuming the roles provided MFA is present, and add IAM users to the groups.
- Role and group with Administrator (full) access to AWS resources
- Role and group with Readonly access to AWS resources
iam-chamber-s3-role
Terraform module to provision an IAM role with configurable permissions to access S3 Bucket used by Chamber as Parameter Store backend.
iam-policy
This terraform-aws-iam-policy
module is a wrapper around the Terraform aws_iam_policy_document
data source, enhancing it to provide multiple ways to create an AWS IAM Policy document (as a JSON string).
It is primarily intended to simplify creating a policy in Terraform from external inputs. In particular,
if you want to specify a policy in a tfvars
file as a Terraform object, or in YAML as part of an
Atmos stack (which is them turned into a Terraform object input), this module provides
an object type declaration to use for the input and then it can make the translation to JSON for you.
If you can supply the policy as JSON to begin with, or conveniently use the aws_iam_policy_document
Terraform data source directly, then this module is not helpful in your case.
[!NOTE] AWS's IAM policy document syntax allows for replacement of policy variables within a statement using${...}
-style notation, which conflicts with Terraform's interpolation syntax. In order to use AWS policy variables with this module, use&{...}
notation for interpolations that should be processed by AWS rather than by Terraform. Nevertheless, any${...}
-style notations that appear in strings passed into this module (somehow escaping Terraform interpolation earlier) will be passed through to the policy document unchanged.
iam-role
A Terraform module that creates IAM role with provided JSON IAM polices documents.
Warning
- If
var.enabled
setfalse
the module can be used as IAM Policy Document Aggregator becauseoutput.policy
always aggregatesvar.policy_documents
- List size
var.policy_documents
limited to 10
iam-s3-user
Terraform module to provision a basic IAM user with permissions to access S3 resources,
e.g. to give the user read/write/delete access to the objects in an S3 bucket.Suitable for CI/CD systems (e.g. TravisCI, CircleCI) or systems which are external to AWS
that cannot leverage AWS IAM Instance Profiles
or AWS OIDC.By default, IAM users, groups, and roles have no access to AWS resources.
IAM policies are the means by which privileges are granted to users, groups, or roles.
It is recommended that IAM policies be applied directly to groups and roles but not users.
This module intentionally attaches an IAM policy directly to the user and does not use groupsThe IAM user name is constructed using terraform-null-label
and some input is required. The simplest input is name
. By default the name will be converted to lower case
and all non-alphanumeric characters except for hyphen will be removed. See the documentation for terraform-null-label
to learn how to override these defaults if desired.If an AWS Access Key is created, it is stored either in SSM Parameter Store or is provided as a module output,
but not both. Using SSM Parameter Store is recommended because module outputs are stored in plaintext in
the Terraform state file.
iam-system-user
Terraform Module to provision a basic IAM system user suitable for CI/CD Systems
(e.g. TravisCI, CircleCI) or systems which are external to AWS that cannot leverage AWS IAM Instance Profiles
or AWS OIDC.We do not recommend creating IAM users this way for any other purpose.By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users.
This module intentionally attaches an IAM policy directly to the user and does not use groupsThe IAM user name is constructed using terraform-null-label
and some input is required. The simplest input is name
. By default the name will be converted to lower case
and all non-alphanumeric characters except for hyphen will be removed. See the documentation for terraform-null-label
to learn how to override these defaults if desired.If an AWS Access Key is created, it is stored either in SSM Parameter Store or is provided as a module output,
but not both. Using SSM Parameter Store is recommended because module outputs are stored in plaintext in
the Terraform state file.
iam-user
Terraform Module to provision a basic IAM user suitable for humans. It will establish a login profile and associate the user with IAM groups.We do not recommend creating IAM users for any other purpose. For external systems (e.g. CI/CD) check out our terraform-aws-iam-system-user
module.
inspector
This module enables AWS Inspector in one region of one account and optionally enables various rules packages provided by AWS.
key-pair
Terraform module for generating or importing an SSH public key file into AWS.
kinesis-stream
Terraform module to deploy an Amazon Kinesis Data Stream on AWS.
kms-key
Terraform module to provision a KMS key with alias.Can be used with chamber for managing secrets by storing them in Amazon EC2 Systems Manager Parameter Store.
- https://aws.amazon.com/systems-manager/features
- https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store
kv-store
This is an example project to provide all the scaffolding for a typical well-built Cloud Posse Terraform module for AWS resources. It's a template repository you can use when creating new repositories. This is not a useful module by itself.
lakeformation
Terraform module to deploy an instance of Amazon Lake Formation on AWS.
lambda-elasticsearch-cleanup
Terraform module to provision a scheduled Lambda function which will delete old Elasticsearch indexes using SigV4Auth authentication. The lambda function can optionally send output to an SNS topic if the topic ARN is given. This module was largely inspired by aws-lambda-es-cleanup
lambda-function
This module deploys an AWS Lambda function from a Zip file or from a Docker image. Additionally, it creates an IAM role for the Lambda function, which optionally attaches policies to allow for CloudWatch Logs, Cloudwatch Insights, VPC Access and X-Ray tracing.
lb-s3-bucket
Terraform module to provision an S3 bucket with built in IAM policy to allow AWS Load Balancers to ship access logs.
macie
Terraform module to provision Amazon Macie - a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
managed-grafana
This module is responsible for provisioning an Amazon Managed Grafana workspace.
managed-prometheus
This module is responsible for provisioning a workspace for Amazon Managed Service for Prometheus, also known as Amazon Managed Prometheus (AMP).
memorydb
This module allows an engineer to provision MemoryDB clusters along with an admin user, subnet group, and parameter group. MemoryDB is a real-time in-memory database with API compatibility for Redis.
mq-broker
Terraform module to provision AmazonMQ resources on AWS
msk-apache-kafka-cluster
Terraform module to provision Amazon Managed Streaming for Apache KafkaNote: this module is intended for use with an existing VPC.
To create a new VPC, use terraform-aws-vpc module.NOTE: Release 0.8.0
contains breaking changes that will result in the destruction of your existing MSK cluster.
To preserve the original cluster, follow the instructions in the 0.7.x to 0.8.x+ migration path.
multi-az-subnets
Terraform module for multi-AZ subnets
provisioning.The module creates private and public subnets in the provided Availability Zones.The public subnets are routed to the Internet Gateway specified by var.igw_id
.nat_gateway_enabled
flag controls the creation of NAT Gateways in the public subnets.The private subnets are routed to the NAT Gateways provided in the var.az_ngw_ids
map.If you are creating subnets inside a VPC, consider using cloudposse/terraform-aws-dynamic-subnets instead.
mwaa
Terraform module to provision Amazon Managed Workflows for Apache Airflow
named-subnets
Terraform module for named subnets
provisioning.
network-firewall
Terraform module to provision AWS Network Firewall resources.
nlb
Terraform module to create an NLB and a default NLB target and related security groups.
organization-access-group
Terraform module to create an IAM Group and Policy to grant permissions to delegated IAM users in the Organization's master account to access a member accounthttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
organization-access-role
Terraform module to create an IAM Role to grant permissions to delegated IAM users in the master account to access an invited member accounthttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
rds
Terraform module to provision AWS RDS
instances
rds-cloudwatch-sns-alarms
Terraform module that configures important RDS alerts using CloudWatch and sends them to an SNS topic.Create a set of sane RDS CloudWatch alerts for monitoring the health of an RDS instance.
rds-cluster
Terraform module to provision an RDS Aurora
cluster for MySQL or Postgres.Supports Amazon Aurora Serverless.
rds-cluster-instance-group
Terraform module to provision an RDS Aurora
instance group for MySQL or Postgres along with a dedicated endpoint.Use this module together with our terraform-aws-rds-cluster
to provision pools of RDS instances. This is useful for creating reporting clusters that don't impact the production databases.Supports Amazon Aurora Serverless.
rds-db-proxy
Terraform module to provision an Amazon RDS Proxy for MySQL or Postgres.
rds-replica
Terraform module to provision AWS RDS
replica instances. These are best suited for reporting purposes.IMPORTANT It is not possible to create a read replica for a DB Instance that belongs to an Aurora DB Cluster.
redshift-cluster
This is terraform-example-module
project provides all the scaffolding for a typical well-built Cloud Posse module. It's a template repository you can
use when creating new repositories.
refarch-utils
This is an example project to provide all the scaffolding for a typical well-built Cloud Posse Terraform module for AWS resources. It's a template repository you can use when creating new repositories. This is not a useful module by itself.
route53-alias
Terraform module that implements "vanity" host names (e.g. brand.com
) as ALIAS
records to another Route53 DNS resource record (e.g. ELB/ALB, S3 Bucket Endpoint or CloudFront Distribution).
Unlike CNAME
records, the synthetic ALIAS
record works with zone apexes.
route53-cluster-hostname
Terraform module to define a consistent AWS Route53 hostname
route53-cluster-zone
Terraform module to easily define consistent cluster domains on Route53
.
route53-resolver-dns-firewall
Terraform module to provision Route 53 Resolver DNS Firewall, domain lists, firewall rules, rule groups, and logging configurations.
s3-bucket
This module creates an S3 bucket with support for versioning, lifecycles, object locks, replication, encryption, ACL,
bucket object policies, and static website hosting.For backward compatibility, it sets the S3 bucket ACL to private
and the s3_object_ownership
to ObjectWriter
. Moving forward, setting s3_object_ownership
to BucketOwnerEnforced
is recommended,
and doing so automatically disables the ACL.This module blocks public access to the bucket by default. See block_public_acls
, block_public_policy
,
ignore_public_acls
, and restrict_public_buckets
to change the settings. See AWS documentation
for more details.This module can optionally create an IAM User with access to the S3 bucket. This is inherently insecure in that
to enable anyone to become the User, access keys must be generated, and anything generated by Terraform is stored
unencrypted in the Terraform state. See the Terraform documentation for more detailsThe best way to grant access to the bucket is to grant one or more IAM Roles access to the bucket via privileged_principal_arns
.
This IAM Role can be assumed by EC2 instances via their Instance Profile, or Kubernetes (EKS) services using
IRSA.
Entities outside of AWS can assume the Role via OIDC.
(See this example of connecting GitHub
to enable GitHub actions to assume AWS IAM roles, or use this Cloud Posse component
if you are already using the Cloud Posse reference architecture.)If neither of those approaches work, then as a last resort you can set user_enabled = true
and
this module will provision a basic IAM user with permissions to access the bucket.
We do not recommend creating IAM users this way for any other purpose.If an IAM user is created, the IAM user name is constructed using terraform-null-label
and some input is required. The simplest input is name
. By default the name will be converted to lower case
and all non-alphanumeric characters except for hyphen will be removed. See the documentation for terraform-null-label
to learn how to override these defaults if desired.If an AWS Access Key is created, it is stored either in SSM Parameter Store or is provided as a module output,
but not both. Using SSM Parameter Store is recommended because that will keep the secret from being easily accessible
via Terraform remote state lookup, but the key will still be stored unencrypted in the Terraform state in any case.
s3-log-storage
This module creates an S3 bucket suitable for receiving logs from other AWS
services such as S3
, CloudFront
, and CloudTrails
.This module implements a configurable log retention policy, which allows you to efficiently manage logs across different storage classes (e.g. Glacier
) and ultimately expire the data altogether.It enables default server-side encryption.It blocks public access to the bucket by default.As of March, 2022, this module is primarily a wrapper around our
s3-bucket
module, with some options preconfigured and SQS notifications added. If it does not exactly suit your needs,
you may want to use the s3-bucket
module directly.As of version 1.0 of this module, most of the inputs are marked nullable = false
,
meaning you can pass in null
and get the default value rather than having the
input be actually set to null
. This is technically a breaking change from previous versions,
but since null
was not a valid value for most of these variables, we are not considering it
a truly breaking change. However, be mindful that the behavior of inputs set to null
may change in the future, so we recommend setting them to the desired value explicitly.
s3-website
Deprecated
As of July, 2023 this module is deprecated.terraform-aws-s3-website
offers little value beyond
the terraform-aws-s3-bucket
module,
so Cloud Posse is phasing out support for this project. Users are advised to migrate to
terraform-aws-s3-bucket to manage the S3 bucket
(including logging) and terraform-aws-route53-alias
to register the website hostname in Route53. Feature requests should be directed to those modules.Terraform module to provision S3-backed Websites.
IMPORTANT: This module provisions a globally accessible S3 bucket for unauthenticated users because it is designed for hosting public static websites. Normally, AWS recommends that S3 buckets should not publicly accessible in order to protect S3 data from unauthorized users.security-group
Terraform module to create AWS Security Group and rules.
security-hub (1)
Terraform module to deploy AWS Security Hub.
service-control-policies
Terraform module to provision Service Control Policies (SCP) for AWS Organizations, Organizational Units, and AWS accounts.
service-quotas
Terraform module to manage AWS Service Quotas.
ses
Terraform module to provision Simple Email Service on AWS.
ses-lambda-forwarder
This is a terraform module that creates an email forwarder using a combination of AWS SES and Lambda running the aws-lambda-ses-forwarder NPM module.
sns-cloudwatch-sns-alarms
Terraform module to provision CloudWatch alarms for SNS
sns-lambda-notify-slack
Terraform module to provision a lambda function that subscribes to SNS and notifies to Slack.
sns-topic
Terraform module to provision SNS topic
ssm-iam-role
Terraform module to provision an IAM role with configurable permissions to access SSM Parameter Store.
ssm-parameter-chamber-reader
Terraform module read ssm paramters managed with Chamber.
ssm-parameter-store
Terraform module for providing read and write access to the AWS SSM Parameter Store.
ssm-parameter-store-policy-documents
This module generates JSON documents for restricted permission sets for AWS SSM Parameter Store access. Helpful when combined with terraform-aws-ssm-parameter-store
ssm-patch-manager
This module provisions AWS SSM Patch manager maintenance window tasks, targets, patch baselines and patch groups and a s3 bucket for storing patch task logs.
ssm-tls-self-signed-cert
This module creates a self-signed certificate and writes it alongside with its key to SSM Parameter Store (or alternatively AWS Secrets Manager).
ssm-tls-ssh-key-pair
Terraform module that provisions an SSH TLS key pair and writes it to SSM Parameter Store.This is useful for bot accounts (e.g. for GitHub). Easily rotate SSH secrets by simply tainting the module resource and reapplying.
sso (1)
This module configures AWS Single Sign-On (SSO). AWS SSO makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place. With AWS SSO, you can easily manage access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO configures and maintains all the necessary permissions for your accounts automatically, without requiring any additional setup in the individual accounts. You can assign user permissions based on common job functions and customize these permissions to meet your specific security requirements. AWS SSO also includes built-in integrations to many business applications, such as Salesforce, Box, and Microsoft 365.With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source, including Microsoft Active Directory, Okta Universal Directory, and Azure Active Directory (Azure AD). AWS SSO allows you to select user attributes, such as cost center, title, or locale, from your identity source, and then use them for attribute-based access control in AWS.
step-functions
Terraform module to provision AWS Step Functions.
tfstate-backend
Terraform module to provision an S3 bucket to store terraform.tfstate
file and a DynamoDB table to lock the state file
to prevent concurrent modifications and state corruption.The module supports the following:
- Forced server-side encryption at rest for the S3 bucket
- S3 bucket versioning to allow for Terraform state recovery in the case of accidental deletions and human errors
- State locking and consistency checking via DynamoDB table to prevent concurrent operations
- DynamoDB server-side encryption
terraform plan
and terraform apply
NOTE: This module cannot be used to apply changes to the mfa_delete
feature of the bucket. Changes regarding mfa_delete can only be made manually using the root credentials with MFA of the AWS Account where the bucket resides. Please see: https://github.com/terraform-providers/terraform-provider-aws/issues/629transfer-sftp
This is terraform-aws-transfer-sftp
project provides all the scaffolding for a typical well-built Cloud Posse module. It's a template repository you can
use when creating new repositories.
transit-gateway
Terraform module to provision:
- AWS Transit Gateway
- AWS Resource Access Manager (AWS RAM) Resource Share to share the Transit Gateway with
the Organization or another AWS Account (configurable via the variables
ram_resource_share_enabled
andram_principals
) - Transit Gateway route table
- Transit Gateway VPC attachments to connect multiple VPCs via the Transit Gateway
- Transit Gateway route table propagations to create propagated routes and allow traffic from the Transit Gateway to the VPC attachments
- Transit Gateway route table associations to allow traffic from the VPC attachments to the Transit Gateway
- Transit Gateway static routes (static routes have a higher precedence than propagated routes)
- Subnet routes to route traffic from the subnets in each VPC to the other Transit Gateway VPC attachments
utils
This terraform-aws-utils
module provides some simple utilities to use when working in AWS.
vpc (1)
Terraform module to provision a VPC with Internet Gateway. Contains a submodule for provisioning Interface and/or Gateway VPC Endpoints. This module also supports provisioning additional CIDR blocks for the VPC, with or without using IPAM.
vpc-flow-logs-s3-bucket
Terraform module to create AWS VPC Flow logs
backed by S3.
vpc-peering
Terraform module to create a peering connection between two VPCs
vpc-peering-multi-account
Terraform module to create a peering connection between any two VPCs existing in different AWS accounts.This module supports performing this action from a 3rd account (e.g. a "root" account) by specifying the roles to assume for each member account.IMPORTANT: AWS allows a multi-account VPC Peering Connection to be deleted from either the requester's or accepter's side.
However, Terraform only allows the VPC Peering Connection to be deleted from the requester's side by removing the corresponding aws_vpc_peering_connection
resource from your configuration.
Read more about this on Terraform's documentation portal.
vpn-connection
Terraform module to provision a site-to-site VPN connection between a VPC and an on-premises network.The module does the following:
- Creates a Virtual Private Gateway (VPG) and attaches it to the VPC
- Creates a Customer Gateway (CGW) pointing to the provided IP address of the Internet-routable external interface on the on-premises network
- Creates a Site-to-Site Virtual Private Network (VPN) connection and assigns it to the VPG and CGW
- Requests automatic route propagation between the VPG and the provided route tables in the VPC
- If the VPN connection is configured to use static routes, provisions a static route between the VPN connection and the CGW
waf
Terraform module to create and manage AWS WAFv2 rules.