diff --git a/main.tf b/main.tf index 0dcaf395..9a4a5c3a 100644 --- a/main.tf +++ b/main.tf @@ -9,7 +9,8 @@ module "aft_account_provisioning_framework" { providers = { aws = aws.aft_management } - source = "./modules/aft-account-provisioning-framework" + source = "./modules/aft-account-provisioning-framework" + aft_account_provisioning_framework_sfn_name = local.aft_account_provisioning_framework_sfn_name aft_account_provisioning_customizations_sfn_name = local.aft_account_provisioning_customizations_sfn_name trigger_customizations_sfn_name = local.trigger_customizations_sfn_name @@ -26,7 +27,8 @@ module "aft_account_provisioning_framework" { } module "vpc" { - source = "terraform-aws-modules/vpc/aws" + source = "registry.terraform.io/terraform-aws-modules/vpc/aws" + providers = { aws = aws.aft_management } @@ -44,7 +46,7 @@ module "vpc" { private_subnet_suffix = "private" public_subnet_suffix = "public" - default_security_group_name = "aft-endpoint-sg" + default_security_group_name = "aft-endpoint-sg" default_security_group_egress = [ { from_port = 0 @@ -60,7 +62,7 @@ module "vpc" { to_port = 443 protocol = "tcp" cidr_blocks = var.aft_vpc_cidr - }, { + }, { from_port = 22 to_port = 22 protocol = "tcp" @@ -125,7 +127,7 @@ module "aft_backend" { module "aft_code_repositories" { depends_on = [module.vpc] - providers = { + providers = { aws = aws.aft_management } source = "./modules/aft-code-repositories" @@ -155,7 +157,7 @@ module "aft_code_repositories" { module "aft_customizations" { depends_on = [module.vpc] - providers = { + providers = { aws = aws.aft_management } source = "./modules/aft-customizations" @@ -212,7 +214,7 @@ module "aft_feature_options" { } module "aft_iam_roles" { - source = "./modules/aft-iam-roles" + source = "./modules/aft-iam-roles" providers = { aws.ct_management = aws.ct_management aws.audit = aws.audit 
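Review bot: No `version` constraint accompanies the new registry `source` in the `module "vpc"` hunk (`@@ -26,7 +27,8 @@`); a registry module without one resolves to whatever release is newest at `terraform init`, and module versions are not recorded in the dependency lock file, so the VPC, endpoint and default security-group definitions this module produces can change between two inits without any diff in this repository. If a `version` argument is not already set further down in the block, outside the hunk's context, add one next to the source, `version = "<pinned version>"`, and treat bumps of it as reviewed changes.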
@@ -223,7 +225,7 @@ module "aft_iam_roles" { module "aft_lambda_layer" { depends_on = [module.vpc] - providers = { + providers = { aws = aws.aft_management } source = "./modules/aft-lambda-layer" 
@@ -247,67 +249,72 @@ module "aft_ssm_parameters" { providers = { aws = aws.aft_management } - source = "./modules/aft-ssm-parameters" - aft_request_queue_name = module.aft_account_request_framework.request_queue_name - aft_request_table_name = module.aft_account_request_framework.request_table_name - aft_request_audit_table_name = module.aft_account_request_framework.request_audit_table_name - aft_request_metadata_table_name = module.aft_account_request_framework.request_metadata_table_name - aft_controltower_events_table_name = module.aft_account_request_framework.controltower_events_table_name - account_factory_product_name = module.aft_account_request_framework.account_factory_product_name - aft_invoke_aft_account_provisioning_framework_function_name = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_lambda_function_name - aft_account_provisioning_framework_sfn_name = module.aft_account_request_framework.aft_account_provisioning_framework_sfn_name - aft_sns_topic_arn = module.aft_account_request_framework.sns_topic_arn - aft_failure_sns_topic_arn = module.aft_account_request_framework.failure_sns_topic_arn - request_action_trigger_function_arn = module.aft_account_request_framework.request_action_trigger_function_arn - request_audit_trigger_function_arn = module.aft_account_request_framework.request_audit_trigger_function_arn - request_processor_function_arn = module.aft_account_request_framework.request_processor_function_arn - control_tower_event_logger_function_arn = module.aft_account_request_framework.control_tower_event_logger_function_arn - invoke_aft_account_provisioning_framework_function_arn = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_function_arn - validate_request_function_arn = module.aft_account_provisioning_framework.validate_request_function_arn - get_account_info_function_arn = module.aft_account_provisioning_framework.get_account_info_function_arn - create_role_function_arn = 
module.aft_account_provisioning_framework.create_role_function_arn - tag_account_function_arn = module.aft_account_provisioning_framework.tag_account_function_arn - persist_metadata_function_arn = module.aft_account_provisioning_framework.persist_metadata_function_arn - aft_customizations_identify_targets_function_arn = module.aft_customizations.aft_customizations_identify_targets_function_arn - aft_customizations_execute_pipeline_function_arn = module.aft_customizations.aft_customizations_execute_pipeline_function_arn - aft_customizations_get_pipeline_executions_function_arn = module.aft_customizations.aft_customizations_get_pipeline_executions_function_arn - codestar_connection_arn = module.aft_code_repositories.codestar_connection_arn - aft_log_key_arn = module.aft_feature_options.aws_aft_log_key_arn - aft_logging_bucket_arn = module.aft_feature_options.aws_aft_logs_s3_bucket_arn - aft_config_backend_bucket_id = module.aft_backend.bucket_id - aft_config_backend_table_id = module.aft_backend.table_id - aft_config_backend_kms_key_id = module.aft_backend.kms_key_id - aft_administrator_role_name = local.aft_administrator_role_name - aft_execution_role_name = local.aft_execution_role_name - aft_session_name = local.aft_session_name - aft_version = local.aft_version - ct_management_account_id = var.ct_management_account_id - ct_audit_account_id = var.audit_account_id - ct_log_archive_account_id = var.log_archive_account_id - aft_management_account_id = var.aft_management_account_id - ct_primary_region = var.ct_home_region - tf_version = var.terraform_version - tf_distribution = var.terraform_distribution - terraform_api_endpoint = var.terraform_api_endpoint - account_request_repo_branch = var.account_request_repo_branch - account_request_repo_name = var.account_request_repo_name - vcs_provider = var.vcs_provider - aft_config_backend_primary_region = var.ct_home_region - aft_config_backend_secondary_region = var.tf_backend_secondary_region - aft_framework_repo_url = 
var.aft_framework_repo_url - aft_framework_repo_git_ref = var.aft_framework_repo_git_ref - terraform_token = var.terraform_token - terraform_version = var.terraform_version - terraform_org_name = var.terraform_org_name - aft_feature_cloudtrail_data_events = var.aft_feature_cloudtrail_data_events - aft_feature_enterprise_support = var.aft_feature_enterprise_support - aft_feature_delete_default_vpcs_enabled = var.aft_feature_delete_default_vpcs_enabled - account_customizations_repo_name = var.account_customizations_repo_name - account_customizations_repo_branch = var.account_customizations_repo_branch - global_customizations_repo_name = var.global_customizations_repo_name - global_customizations_repo_branch = var.global_customizations_repo_branch - account_provisioning_customizations_repo_name = var.account_provisioning_customizations_repo_name - account_provisioning_customizations_repo_branch = var.account_provisioning_customizations_repo_branch - maximum_concurrent_customizations = var.maximum_concurrent_customizations - github_enterprise_url = var.github_enterprise_url + source = "./modules/aft-ssm-parameters" + not_sensitive = { + account_customizations_repo_branch = var.account_customizations_repo_branch + account_customizations_repo_name = var.account_customizations_repo_name + account_factory_product_name = module.aft_account_request_framework.account_factory_product_name + account_provisioning_customizations_repo_branch = var.account_provisioning_customizations_repo_branch + account_provisioning_customizations_repo_name = var.account_provisioning_customizations_repo_name + account_request_repo_branch = var.account_request_repo_branch + account_request_repo_name = var.account_request_repo_name + aft_account_provisioning_framework_sfn_name = module.aft_account_request_framework.aft_account_provisioning_framework_sfn_name + aft_administrator_role_name = local.aft_administrator_role_name + aft_config_backend_bucket_id = module.aft_backend.bucket_id + 
aft_config_backend_kms_key_id = module.aft_backend.kms_key_id + aft_config_backend_primary_region = var.ct_home_region + aft_config_backend_secondary_region = var.tf_backend_secondary_region + aft_config_backend_table_id = module.aft_backend.table_id + aft_controltower_events_table_name = module.aft_account_request_framework.controltower_events_table_name + aft_customizations_execute_pipeline_function_arn = module.aft_customizations.aft_customizations_execute_pipeline_function_arn + aft_customizations_get_pipeline_executions_function_arn = module.aft_customizations.aft_customizations_get_pipeline_executions_function_arn + aft_customizations_identify_targets_function_arn = module.aft_customizations.aft_customizations_identify_targets_function_arn + aft_execution_role_name = local.aft_execution_role_name + aft_failure_sns_topic_arn = module.aft_account_request_framework.failure_sns_topic_arn + aft_feature_cloudtrail_data_events = var.aft_feature_cloudtrail_data_events + aft_feature_delete_default_vpcs_enabled = var.aft_feature_delete_default_vpcs_enabled + aft_feature_enterprise_support = var.aft_feature_enterprise_support + aft_framework_repo_git_ref = var.aft_framework_repo_git_ref + aft_framework_repo_url = var.aft_framework_repo_url + aft_invoke_aft_account_provisioning_framework_function_name = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_lambda_function_name + aft_log_key_arn = module.aft_feature_options.aws_aft_log_key_arn + aft_logging_bucket_arn = module.aft_feature_options.aws_aft_logs_s3_bucket_arn + aft_management_account_id = var.aft_management_account_id + aft_request_audit_table_name = module.aft_account_request_framework.request_audit_table_name + aft_request_metadata_table_name = module.aft_account_request_framework.request_metadata_table_name + aft_request_queue_name = module.aft_account_request_framework.request_queue_name + aft_request_table_name = module.aft_account_request_framework.request_table_name + 
aft_session_name = local.aft_session_name + aft_sns_topic_arn = module.aft_account_request_framework.sns_topic_arn + aft_version = local.aft_version + codestar_connection_arn = module.aft_code_repositories.codestar_connection_arn + control_tower_event_logger_function_arn = module.aft_account_request_framework.control_tower_event_logger_function_arn + create_role_function_arn = module.aft_account_provisioning_framework.create_role_function_arn + ct_audit_account_id = var.audit_account_id + ct_log_archive_account_id = var.log_archive_account_id + ct_management_account_id = var.ct_management_account_id + ct_primary_region = var.ct_home_region + get_account_info_function_arn = module.aft_account_provisioning_framework.get_account_info_function_arn + github_enterprise_url = var.github_enterprise_url + global_customizations_repo_branch = var.global_customizations_repo_branch + global_customizations_repo_name = var.global_customizations_repo_name + invoke_aft_account_provisioning_framework_function_arn = module.aft_account_request_framework.invoke_aft_account_provisioning_framework_function_arn + maximum_concurrent_customizations = var.maximum_concurrent_customizations + persist_metadata_function_arn = module.aft_account_provisioning_framework.persist_metadata_function_arn + request_action_trigger_function_arn = module.aft_account_request_framework.request_action_trigger_function_arn + request_audit_trigger_function_arn = module.aft_account_request_framework.request_audit_trigger_function_arn + request_processor_function_arn = module.aft_account_request_framework.request_processor_function_arn + tag_account_function_arn = module.aft_account_provisioning_framework.tag_account_function_arn + terraform_api_endpoint = var.terraform_api_endpoint + terraform_org_name = var.terraform_org_name + terraform_version = var.terraform_version + tf_distribution = var.terraform_distribution + tf_version = var.terraform_version + validate_request_function_arn = 
module.aft_account_provisioning_framework.validate_request_function_arn + vcs_provider = var.vcs_provider + } + + sensitive = { + terraform_token = var.terraform_token + } } diff --git a/modules/aft-account-provisioning-framework/lambda.tf b/modules/aft-account-provisioning-framework/lambda.tf index 087d528b..f0e4c480 100644 --- a/modules/aft-account-provisioning-framework/lambda.tf +++ b/modules/aft-account-provisioning-framework/lambda.tf @@ -1,8 +1,8 @@ # Copyright Amazon.com, Inc. or its affiliates. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # -### VALIDATE REQUEST FUNCTION +### VALIDATE REQUEST FUNCTION resource "aws_lambda_function" "validate_request" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-validate-request" @@ -10,9 +10,9 @@ resource "aws_lambda_function" "validate_request" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request.arn handler = "aft_account_provisioning_framework_validate_request.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -27,8 +27,6 @@ resource "aws_cloudwatch_log_group" "validate_request" { } ### GET ACCOUNT INFO FUNCTION - - resource "aws_lambda_function" "get_account_info" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-get-account-info" 
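Review bot: Moving `terraform_token` into the new `sensitive` map only helps if the receiving side honours the split; the `aft-ssm-parameters` module's `variable "sensitive"` and the parameter resources it feeds are not part of this diff, so confirm that variable is declared with `sensitive = true` and that its values are written as `SecureString` parameters, otherwise the token still shows up in plan output and lands in state and in Parameter Store as a plain `String`. Because `not_sensitive` is now one large map, a credential added to it later goes the non-secure route without any type error; a one-line comment above the map, `# Secrets and tokens belong in "sensitive" below, never in this map`, makes the boundary explicit for the next editor. The `module "aft_ssm_parameters"` block starts before this hunk.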
@@ -36,9 +34,9 @@ resource "aws_lambda_function" "get_account_info" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info.arn handler = "aft_account_provisioning_framework_get_account_info.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -53,7 +51,6 @@ resource "aws_cloudwatch_log_group" "get_account_info" { } ### CREATE ROLE FUNCTION - resource "aws_lambda_function" "create_role" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-create-aft-execution-role" @@ -61,9 +58,9 @@ resource "aws_lambda_function" "create_role" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role.arn handler = "aft_account_provisioning_framework_create_role.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -77,9 +74,7 @@ resource "aws_cloudwatch_log_group" "create_role" { retention_in_days = var.cloudwatch_log_group_retention } - ### TAG ACCOUNT FUNCTION - resource "aws_lambda_function" "tag_account" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-tag-account" 
@@ -87,9 +82,9 @@ resource "aws_lambda_function" "tag_account" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account.arn handler = "aft_account_provisioning_framework_tag_account.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -104,7 +99,6 @@ resource "aws_cloudwatch_log_group" "tag_account" { } ### PERSIST METADATA FUNCTION - resource "aws_lambda_function" "persist_metadata" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-persist-metadata" @@ -112,9 +106,9 @@ resource "aws_lambda_function" "persist_metadata" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn handler = "aft_account_provisioning_framework_persist_metadata.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -128,10 +122,8 @@ resource "aws_cloudwatch_log_group" "persist_metadata" { retention_in_days = var.cloudwatch_log_group_retention } -### Account Metadata SSM Function - - +### Account Metadata SSM Function resource "aws_lambda_function" "account_metadata_ssm" { filename = var.provisioning_framework_archive_path function_name = "aft-account-provisioning-framework-account-metadata-ssm" 
@@ -139,9 +131,9 @@ resource "aws_lambda_function" "account_metadata_ssm" { role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn handler = "aft_account_provisioning_framework_account_metadata_ssm.lambda_handler" source_code_hash = var.provisioning_framework_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = 300 + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { diff --git a/modules/aft-account-provisioning-framework/outputs.tf b/modules/aft-account-provisioning-framework/outputs.tf index e491356e..e860b968 100644 --- a/modules/aft-account-provisioning-framework/outputs.tf +++ b/modules/aft-account-provisioning-framework/outputs.tf @@ -4,7 +4,6 @@ output "state_machine_arn" { value = aws_sfn_state_machine.aft_account_provisioning_framework_sfn.arn } - output "validate_request_function_arn" { value = aws_lambda_function.validate_request.arn } diff --git a/modules/aft-account-provisioning-framework/readme.md b/modules/aft-account-provisioning-framework/readme.md new file mode 100644 index 00000000..917d0792 --- /dev/null +++ b/modules/aft-account-provisioning-framework/readme.md 
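Review bot: `account_metadata_ssm` runs under the `persist_metadata` execution role (context line `role = aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata.arn`), and the readme added in this commit lists `aws_iam_role`/`aws_iam_role_policy` resources for only the other five functions, so these two Lambdas share one permission set. This predates the commit, but now that their runtime settings are centralised it is a natural point to give `account_metadata_ssm` its own role and policy scoped to the parameters it writes, so a fault in one function cannot exercise the other's permissions. The resource block continues outside the hunk.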
@@ -0,0 +1,85 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.account_metadata_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| 
[aws_iam_role.aft_lambda_aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_lambda_aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_invoke_aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| 
[aws_iam_role_policy_attachment.aft_account_provisioning_framework_persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_account_provisioning_framework_validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.account_metadata_ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.create_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.get_account_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.persist_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.tag_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.validate_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_sfn_state_machine.aft_account_provisioning_framework_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| 
[aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_region.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aft\_account\_provisioning\_customizations\_sfn\_name](#input\_aft\_account\_provisioning\_customizations\_sfn\_name) | n/a | `string` | n/a | yes | +| [aft\_account\_provisioning\_framework\_sfn\_name](#input\_aft\_account\_provisioning\_framework\_sfn\_name) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes | +| [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes | +| [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | `string` | n/a | yes | +| [aft\_features\_sfn\_name](#input\_aft\_features\_sfn\_name) | n/a | `string` | n/a | yes | +| [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes | +| [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes | +| [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes | +| [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes | +| [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes | +| [lambda\_configuration](#input\_lambda\_configuration) | n/a |
object({
memory_size = string
runtime = string
timeout = string
})
|
{
"memory_size": 1024,
"runtime": "python3.8",
"timeout": 300
}
| no | +| [provisioning\_framework\_archive\_hash](#input\_provisioning\_framework\_archive\_hash) | n/a | `string` | n/a | yes | +| [provisioning\_framework\_archive\_path](#input\_provisioning\_framework\_archive\_path) | n/a | `string` | n/a | yes | +| [trigger\_customizations\_sfn\_name](#input\_trigger\_customizations\_sfn\_name) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [create\_role\_function\_arn](#output\_create\_role\_function\_arn) | n/a | +| [get\_account\_info\_function\_arn](#output\_get\_account\_info\_function\_arn) | n/a | +| [persist\_metadata\_function\_arn](#output\_persist\_metadata\_function\_arn) | n/a | +| [state\_machine\_arn](#output\_state\_machine\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | +| [tag\_account\_function\_arn](#output\_tag\_account\_function\_arn) | n/a | +| [validate\_request\_function\_arn](#output\_validate\_request\_function\_arn) | n/a | diff --git a/modules/aft-account-provisioning-framework/variables.tf b/modules/aft-account-provisioning-framework/variables.tf index 05f55222..d245cfb8 100644 --- a/modules/aft-account-provisioning-framework/variables.tf +++ b/modules/aft-account-provisioning-framework/variables.tf @@ -52,3 +52,16 @@ variable "provisioning_framework_archive_path" { variable "provisioning_framework_archive_hash" { type = string } + +variable "lambda_configuration" { + type = object({ + memory_size = string + runtime = string + timeout = string + }) + default = { + memory_size = 1024 + runtime = "python3.8" + timeout = 300 + } +} diff --git a/modules/aft-account-request-framework/README.md b/modules/aft-account-request-framework/README.md index 5c740710..82050e66 100644 --- a/modules/aft-account-request-framework/README.md +++ b/modules/aft-account-request-framework/README.md 
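Review bot: `memory_size` and `timeout` in the new `lambda_configuration` object are typed `string` even though the defaults are numbers (`1024`, `300`) and the `aws_lambda_function` arguments they feed in `lambda.tf` are numeric; Terraform converts silently in both directions, so a non-numeric value such as `"1024m"` passes the variable boundary and is only rejected when the provider attribute is evaluated. Declare them as `memory_size = number` and `timeout = number` so `terraform validate` catches bad input at the variable. The variable also carries no `description`, which is why the generated readme in this commit prints `n/a` for it; add `description = "Memory size (MB), runtime identifier and timeout (seconds) applied to every Lambda function in this module."`. A `validation` block restricting `runtime` to the interpreter versions the packaged code was built for would keep a single variable change from silently moving all six functions to an untested runtime. The readme further shows the file's license header rendered as the description of `aft_account_provisioning_framework_sfn_name` and `state_machine_arn`, which suggests those blocks lack descriptions as well; they are outside this hunk.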
@@ -8,7 +8,6 @@ This module deploys the components responsible for processing an account request - Triggering Step Functions based on a request payload ![Request Processor](../../images/account_request.png) - ## Requirements | Name | Version | 
@@ -95,34 +94,6 @@ No modules. | [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_region.aft-management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_subnet_ids.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.git-codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| 
[aws_subnet_ids.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_subnet_ids.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | -| [aws_vpc_endpoint_service.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.git-codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| 
[aws_vpc_endpoint_service.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | ## Inputs @@ -131,10 +102,12 @@ No modules. | [account\_factory\_product\_name](#input\_account\_factory\_product\_name) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes | | [aft\_account\_provisioning\_framework\_sfn\_name](#input\_aft\_account\_provisioning\_framework\_sfn\_name) | n/a | `string` | n/a | yes | | [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes | +| [aft\_vpc\_default\_sg\_id](#input\_aft\_vpc\_default\_sg\_id) | n/a | `string` | n/a | yes | | [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes | | [aft\_vpc\_private\_subnet\_ids](#input\_aft\_vpc\_private\_subnet\_ids) | n/a | `list(string)` | n/a | yes | | [aft\_vpc\_public\_subnet\_ids](#input\_aft\_vpc\_public\_subnet\_ids) | n/a | `list(string)` | n/a | yes | | [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes | +| [lambda\_configuration](#input\_lambda\_configuration) | n/a |
object({
memory_size = string
runtime = string
timeout = string
})
|
{
"memory_size": 1024,
"runtime": "python3.8",
"timeout": 300
}
| no |
 | [request\_framework\_archive\_hash](#input\_request\_framework\_archive\_hash) | n/a | `string` | n/a | yes |
 | [request\_framework\_archive\_path](#input\_request\_framework\_archive\_path) | n/a | `string` | n/a | yes |
diff --git a/modules/aft-account-request-framework/backup.tf b/modules/aft-account-request-framework/backup.tf
index af49d09f..1bdd3b06 100644
--- a/modules/aft-account-request-framework/backup.tf
+++ b/modules/aft-account-request-framework/backup.tf
@@ -5,6 +5,7 @@ resource "aws_backup_vault" "aft_controltower_backup_vault" {
 name = "aft-controltower-backup-vault"
 kms_key_arn = aws_kms_key.aft.arn
 }
+
 resource "aws_backup_plan" "aft_controltower_backup_plan" {
 name = "aft-controltower-backup-plan"
 rule {
diff --git a/modules/aft-account-request-framework/data.tf b/modules/aft-account-request-framework/data.tf
index ba14ed5b..3007b71b 100644
--- a/modules/aft-account-request-framework/data.tf
+++ b/modules/aft-account-request-framework/data.tf
@@ -20,287 +20,3 @@ data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" {
 data "aws_availability_zones" "available" {
 state = "available"
 }
-
-######################################
-# VPC Endpoints
-######################################
-
-#### CodeBuild ####
-
-data "aws_vpc_endpoint_service" "codebuild" {
- service = "codebuild"
-}
-
-data "aws_subnet_ids" "codebuild" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.codebuild.availability_zones
- }
-}
-
-#### CodeCommit ####
-
-data "aws_vpc_endpoint_service" "codecommit" {
- service = "codecommit"
-}
-
-data "aws_subnet_ids" "codecommit" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.codecommit.availability_zones
- }
-}
-
-#### git-codecommit ####
-
-data "aws_vpc_endpoint_service" "git-codecommit" {
- service = "git-codecommit"
-}
-
-data "aws_subnet_ids" "git-codecommit" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.git-codecommit.availability_zones
- }
-}
-
-#### codepipeline ####
-
-data "aws_vpc_endpoint_service" "codepipeline" {
- service = "codepipeline"
-}
-
-data "aws_subnet_ids" "codepipeline" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.codepipeline.availability_zones
- }
-}
-
-#### servicecatalog ####
-
-data "aws_vpc_endpoint_service" "servicecatalog" {
- service = "servicecatalog"
-}
-
-data "aws_subnet_ids" "servicecatalog" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.servicecatalog.availability_zones
- }
-}
-
-#### lambda ####
-
-data "aws_vpc_endpoint_service" "lambda" {
- service = "lambda"
-}
-
-data "aws_subnet_ids" "lambda" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.lambda.availability_zones
- }
-}
-
-#### kms ####
-
-data "aws_vpc_endpoint_service" "kms" {
- service = "kms"
-}
-
-data "aws_subnet_ids" "kms" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.kms.availability_zones
- }
-}
-
-#### logs ####
-
-data "aws_vpc_endpoint_service" "logs" {
- service = "logs"
-}
-
-data "aws_subnet_ids" "logs" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.logs.availability_zones
- }
-}
-
-#### events ####
-
-data "aws_vpc_endpoint_service" "events" {
- service = "events"
-}
-
-data "aws_subnet_ids" "events" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.events.availability_zones
- }
-}
-
-#### states ####
-
-data "aws_vpc_endpoint_service" "states" {
- service = "states"
-}
-
-data "aws_subnet_ids" "states" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.states.availability_zones
- }
-}
-
-#### ssm ####
-
-data "aws_vpc_endpoint_service" "ssm" {
- service = "ssm"
-}
-
-data "aws_subnet_ids" "ssm" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.ssm.availability_zones
- }
-}
-
-#### sns ####
-
-data "aws_vpc_endpoint_service" "sns" {
- service = "sns"
-}
-
-data "aws_subnet_ids" "sns" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.sns.availability_zones
- }
-}
-
-#### sqs ####
-
-data "aws_vpc_endpoint_service" "sqs" {
- service = "sqs"
-}
-
-data "aws_subnet_ids" "sqs" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.sqs.availability_zones
- }
-}
-
-#### sts ####
-
-data "aws_vpc_endpoint_service" "sts" {
- service = "sts"
-}
-
-data "aws_subnet_ids" "sts" {
- vpc_id = var.aft_vpc_id
-
- filter {
- name = "subnet-id"
- values = var.aft_vpc_private_subnet_ids
- }
-
- filter {
- name = "availability-zone"
- values = data.aws_vpc_endpoint_service.sts.availability_zones
- }
-}
diff --git a/modules/aft-account-request-framework/ddb.tf b/modules/aft-account-request-framework/dynamodb.tf
similarity index 100%
rename from modules/aft-account-request-framework/ddb.tf
rename to modules/aft-account-request-framework/dynamodb.tf
diff --git a/modules/aft-account-request-framework/eventbridge.tf b/modules/aft-account-request-framework/eventbridge.tf
index 9cd8e16d..ebf76155 100644
--- a/modules/aft-account-request-framework/eventbridge.tf
+++ b/modules/aft-account-request-framework/eventbridge.tf
@@ -14,18 +14,27 @@ resource "aws_cloudwatch_event_permission" "control_tower_management_account" { ######### Control Tower Events - CT Management ######### resource "aws_cloudwatch_event_rule" "aft_control_tower_events" { - provider = aws.ct_management - name = "aft-capture-ct-events" - description = "Capture ControlTower events" - event_pattern = < [archive](#provider\_archive) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [archive_file.builder](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [archive_file.customizations](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [archive_file.feature_options](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [archive_file.provisioning_framework](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [archive_file.request_framework](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [builder\_archive\_hash](#output\_builder\_archive\_hash) | n/a | +| [builder\_archive\_path](#output\_builder\_archive\_path) | n/a | +| [customizations\_archive\_hash](#output\_customizations\_archive\_hash) | n/a | +| [customizations\_archive\_path](#output\_customizations\_archive\_path) | n/a | +| [feature\_options\_archive\_hash](#output\_feature\_options\_archive\_hash) | n/a | +| [feature\_options\_archive\_path](#output\_feature\_options\_archive\_path) | n/a | +| [provisioning\_framework\_archive\_hash](#output\_provisioning\_framework\_archive\_hash) | n/a | +| [provisioning\_framework\_archive\_path](#output\_provisioning\_framework\_archive\_path) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. 
SPDX-License-Identifier: Apache-2.0 | +| [request\_framework\_archive\_hash](#output\_request\_framework\_archive\_hash) | n/a | +| [request\_framework\_archive\_path](#output\_request\_framework\_archive\_path) | n/a | diff --git a/modules/aft-backend/main.tf b/modules/aft-backend/main.tf index 4829ae81..1241ad4a 100644 --- a/modules/aft-backend/main.tf +++ b/modules/aft-backend/main.tf 
@@ -92,125 +92,124 @@ resource "aws_iam_role" "replication" { provider = aws.primary_region name = "aft-s3-terraform-backend-replication" - assume_role_policy = < [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.primary\_region](#provider\_aws.primary\_region) | >= 3.72, < 4.0.0 | +| [aws.secondary\_region](#provider\_aws.secondary\_region) | >= 3.72, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_dynamodb_table.lock-table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | +| [aws_iam_policy.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.replication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.encrypt-alias-primary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_alias.encrypt-alias-secondary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.encrypt-primary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_kms_key.encrypt-secondary-region](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.primary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.secondary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| 
[aws_s3_bucket_public_access_block.primary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.secondary-backend-bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [primary\_region](#input\_primary\_region) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes | +| [secondary\_region](#input\_secondary\_region) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_id](#output\_bucket\_id) | The name of the primary bucket. | +| [kms\_key\_id](#output\_kms\_key\_id) | The globally unique identifier for the primary key. | +| [table\_id](#output\_table\_id) | The name of the primary table. | diff --git a/modules/aft-code-repositories/codepipeline.tf b/modules/aft-code-repositories/codepipeline.tf index 3638bdb0..c3548479 100644 --- a/modules/aft-code-repositories/codepipeline.tf +++ b/modules/aft-code-repositories/codepipeline.tf 
@@ -71,31 +71,31 @@ resource "aws_cloudwatch_event_rule" "account_request" { name = "aft-account-request-codepipeline-trigger" description = "Trigger CodePipeline upon commit" - event_pattern = < [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72, < 4.0.0 | +| [local](#provider\_local) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_rule.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_rule.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_event_target.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_codebuild_project.account_provisioning_customizations_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_project.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| 
[aws_codecommit_repository.account_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource | +| [aws_codecommit_repository.account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource | +| [aws_codecommit_repository.account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource | +| [aws_codecommit_repository.global_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codecommit_repository) | resource | +| [aws_codepipeline.codecommit_account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource | +| [aws_codepipeline.codecommit_account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource | +| [aws_codepipeline.codestar_account_provisioning_customizations](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource | +| [aws_codepipeline.codestar_account_request](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codepipeline) | resource | +| [aws_codestarconnections_connection.bitbucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource | +| [aws_codestarconnections_connection.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource | +| [aws_codestarconnections_connection.githubenterprise](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_connection) | resource | +| [aws_codestarconnections_host.githubenterprise](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codestarconnections_host) | resource | +| 
[aws_iam_role.account_provisioning_customizations_codebuild_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.account_provisioning_customizations_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.account_request_codebuild_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.account_request_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.cloudwatch_events_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.account_provisioning_customizations_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.account_provisioning_customizations_codepipeline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.account_request_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.account_request_codepipeline_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.cloudwatch_events_codepipeline_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.terraform_oss_backend_account_provisioning_customizations_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| 
[aws_iam_role_policy.terraform_oss_backend_account_request_codebuild_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [local_file.account_provisioning_customizations_buildspec](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [local_file.account_request_buildspec](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_customizations\_repo\_branch](#input\_account\_customizations\_repo\_branch) | n/a | `string` | n/a | yes | +| [account\_customizations\_repo\_name](#input\_account\_customizations\_repo\_name) | n/a | `string` | n/a | yes | +| [account\_provisioning\_customizations\_repo\_branch](#input\_account\_provisioning\_customizations\_repo\_branch) | n/a | `string` | n/a | yes | +| [account\_provisioning\_customizations\_repo\_name](#input\_account\_provisioning\_customizations\_repo\_name) | n/a | `string` | n/a | yes | +| [account\_request\_repo\_branch](#input\_account\_request\_repo\_branch) | n/a | `string` | n/a | yes | +| [account\_request\_repo\_name](#input\_account\_request\_repo\_name) | n/a | `string` | n/a | yes | +| [account\_request\_table\_name](#input\_account\_request\_table\_name) | n/a | `string` | n/a | yes | +| [aft\_config\_backend\_bucket\_id](#input\_aft\_config\_backend\_bucket\_id) | n/a | `string` | n/a | yes | +| [aft\_config\_backend\_kms\_key\_id](#input\_aft\_config\_backend\_kms\_key\_id) | n/a | `string` | n/a | yes | +| 
[aft\_config\_backend\_table\_id](#input\_aft\_config\_backend\_table\_id) | n/a | `string` | n/a | yes | +| [aft\_key\_arn](#input\_aft\_key\_arn) | n/a | `string` | n/a | yes | +| [codepipeline\_s3\_bucket\_arn](#input\_codepipeline\_s3\_bucket\_arn) | n/a | `string` | n/a | yes | +| [codepipeline\_s3\_bucket\_name](#input\_codepipeline\_s3\_bucket\_name) | n/a | `string` | n/a | yes | +| [github\_enterprise\_url](#input\_github\_enterprise\_url) | n/a | `string` | n/a | yes | +| [global\_customizations\_repo\_branch](#input\_global\_customizations\_repo\_branch) | n/a | `string` | n/a | yes | +| [global\_customizations\_repo\_name](#input\_global\_customizations\_repo\_name) | n/a | `string` | n/a | yes | +| [log\_group\_retention](#input\_log\_group\_retention) | n/a | `string` | n/a | yes | +| [security\_group\_ids](#input\_security\_group\_ids) | n/a | `list(string)` | n/a | yes | +| [subnet\_ids](#input\_subnet\_ids) | n/a | `list(string)` | n/a | yes | +| [terraform\_distribution](#input\_terraform\_distribution) | n/a | `string` | n/a | yes | +| [vcs\_provider](#input\_vcs\_provider) | n/a | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [codestar\_connection\_arn](#output\_codestar\_connection\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | diff --git a/modules/aft-customizations/readme.md b/modules/aft-customizations/readme.md new file mode 100644 index 00000000..c6838d56 --- /dev/null +++ b/modules/aft-customizations/readme.md 
@@ -0,0 +1,113 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72, < 4.0.0 | +| [local](#provider\_local) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_customizations_identify_targets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_customizations_invoke_account_provisioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_execute_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_get_pipeline_executions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| 
[aws_codebuild_project.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_project.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_project.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_project.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_codebuild_project.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_iam_role.aft_codebuild_customizations_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_codepipeline_customizations_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_customizations_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_customizations_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_customizations_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| 
[aws_iam_role_policy.aft_codebuild_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_codepipeline_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.terraform_oss_backend_codebuild_customizations_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.aft_customizations_invoke_account_provisioning_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_execute_pipeline_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_get_pipeline_executions_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| 
[aws_iam_role_policy_attachment.aft_identify_targets_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.aft_customizations_execute_pipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.aft_customizations_get_pipeline_executions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.aft_customizations_identify_targets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.aft_customizations_invoke_account_provisioning](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_s3_bucket.aft_codepipeline_customizations_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_sfn_state_machine.aft_invoke_customizations_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_region.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| 
[aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [local_file.aft_account_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [local_file.aft_account_customizations_terraform](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [local_file.aft_create_pipeline](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [local_file.aft_global_customizations_api_helpers](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [local_file.aft_global_customizations_terraform](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_request\_table\_name](#input\_account\_request\_table\_name) | n/a | `string` | n/a | yes | +| [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes | +| [aft\_config\_backend\_bucket\_id](#input\_aft\_config\_backend\_bucket\_id) | n/a | `string` | n/a | yes | +| [aft\_config\_backend\_kms\_key\_id](#input\_aft\_config\_backend\_kms\_key\_id) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. 
SPDX-License-Identifier: Apache-2.0 | `string` | n/a | yes | +| [aft\_config\_backend\_table\_id](#input\_aft\_config\_backend\_table\_id) | n/a | `string` | n/a | yes | +| [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | `string` | n/a | yes | +| [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes | +| [aft\_kms\_key\_id](#input\_aft\_kms\_key\_id) | n/a | `string` | n/a | yes | +| [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes | +| [aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_aws\_customizations\_module\_url\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_url\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_backend\_region\_ssm\_path](#input\_aft\_tf\_backend\_region\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_ddb\_table\_ssm\_path](#input\_aft\_tf\_ddb\_table\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_kms\_key\_id\_ssm\_path](#input\_aft\_tf\_kms\_key\_id\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_s3\_bucket\_ssm\_path](#input\_aft\_tf\_s3\_bucket\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_version\_ssm\_path](#input\_aft\_tf\_version\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes | +| [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes | +| [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes | +| [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes | +| [customizations\_archive\_hash](#input\_customizations\_archive\_hash) | n/a | `string` | n/a | yes | +| [customizations\_archive\_path](#input\_customizations\_archive\_path) | n/a | `string` | n/a | yes | +| 
[invoke\_account\_provisioning\_sfn\_arn](#input\_invoke\_account\_provisioning\_sfn\_arn) | n/a | `string` | n/a | yes | +| [maximum\_concurrent\_customizations](#input\_maximum\_concurrent\_customizations) | n/a | `number` | n/a | yes | +| [request\_metadata\_table\_name](#input\_request\_metadata\_table\_name) | n/a | `string` | n/a | yes | +| [terraform\_distribution](#input\_terraform\_distribution) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [aft\_codepipeline\_customizations\_bucket\_arn](#output\_aft\_codepipeline\_customizations\_bucket\_arn) | n/a | +| [aft\_codepipeline\_customizations\_bucket\_name](#output\_aft\_codepipeline\_customizations\_bucket\_name) | n/a | +| [aft\_customizations\_execute\_pipeline\_function\_arn](#output\_aft\_customizations\_execute\_pipeline\_function\_arn) | n/a | +| [aft\_customizations\_get\_pipeline\_executions\_function\_arn](#output\_aft\_customizations\_get\_pipeline\_executions\_function\_arn) | n/a | +| [aft\_customizations\_identify\_targets\_function\_arn](#output\_aft\_customizations\_identify\_targets\_function\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | diff --git a/modules/aft-customizations/variables.tf b/modules/aft-customizations/variables.tf index f9e62e48..b0cacf13 100644 --- a/modules/aft-customizations/variables.tf +++ b/modules/aft-customizations/variables.tf @@ -9,18 +9,7 @@ variable "aft_kms_key_id" { type = string } - - variable "aft_kms_key_arn" { - - - - - - - - - type = string } diff --git a/modules/aft-feature-options/lambda.tf b/modules/aft-feature-options/lambda.tf index a4ae63c8..1403e023 100644 --- a/modules/aft-feature-options/lambda.tf +++ b/modules/aft-feature-options/lambda.tf 
@@ -11,9 +11,9 @@ resource "aws_lambda_function" "aft_delete_default_vpc" { handler = "aft_delete_default_vpc.lambda_handler" source_code_hash = var.feature_options_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = "300" + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -28,7 +28,6 @@ resource "aws_cloudwatch_log_group" "aft_delete_default_vpc" { retention_in_days = var.cloudwatch_log_group_retention } - ######## aft_enroll_support ######## resource "aws_lambda_function" "aft_enroll_support" { provider = aws.aft_management @@ -39,9 +38,9 @@ resource "aws_lambda_function" "aft_enroll_support" { handler = "aft_enroll_support.lambda_handler" source_code_hash = var.feature_options_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = "300" + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { @@ -66,9 +65,9 @@ resource "aws_lambda_function" "aft_enable_cloudtrail" { handler = "aft_enable_cloudtrail.lambda_handler" source_code_hash = var.feature_options_archive_hash - memory_size = 1024 - runtime = "python3.8" - timeout = "300" + memory_size = var.lambda_configuration.memory_size + runtime = var.lambda_configuration.runtime + timeout = var.lambda_configuration.timeout layers = [var.aft_common_layer_arn] vpc_config { diff --git a/modules/aft-feature-options/readme.md b/modules/aft-feature-options/readme.md new file mode 100644 index 00000000..6ad1d538 --- /dev/null +++ b/modules/aft-feature-options/readme.md 
@@ -0,0 +1,89 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.aft\_management](#provider\_aws.aft\_management) | >= 3.72, < 4.0.0 | +| [aws.audit](#provider\_aws.audit) | >= 3.72, < 4.0.0 | +| [aws.ct\_management](#provider\_aws.ct\_management) | >= 3.72, < 4.0.0 | +| [aws.log\_archive](#provider\_aws.log\_archive) | >= 3.72, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.aft_delete_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_role.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.aft_features_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| 
[aws_iam_role_policy.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.aft_features_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.aft_delete_default_vpc_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_alias.aft_log_key_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.aft_log_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_lambda_function.aft_delete_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.aft_enable_cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.aft_enroll_support](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_s3_bucket.aft_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| 
[aws_s3_bucket_public_access_block.aft_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.aft_logging_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_sfn_state_machine.aft_features](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [aws_caller_identity.ct_audit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.ct_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.ct_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy.AWSLambdaBasicExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy.AWSLambdaVPCAccessExecutionRole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_organizations_organization.aft_organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aft\_common\_layer\_arn](#input\_aft\_common\_layer\_arn) | n/a | `string` | n/a | yes | +| [aft\_failure\_sns\_topic\_arn](#input\_aft\_failure\_sns\_topic\_arn) | n/a | 
`string` | n/a | yes | +| [aft\_features\_sfn\_name](#input\_aft\_features\_sfn\_name) | n/a | `string` | n/a | yes | +| [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes | +| [aft\_sns\_topic\_arn](#input\_aft\_sns\_topic\_arn) | n/a | `string` | n/a | yes | +| [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes | +| [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | `list(string)` | n/a | yes | +| [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | n/a | `string` | n/a | yes | +| [feature\_options\_archive\_hash](#input\_feature\_options\_archive\_hash) | n/a | `string` | n/a | yes | +| [feature\_options\_archive\_path](#input\_feature\_options\_archive\_path) | n/a | `string` | n/a | yes | +| [lambda\_configuration](#input\_lambda\_configuration) | n/a |
object({
memory_size = string
runtime = string
timeout = string
})
|
{
"memory_size": 1024,
"runtime": "python3.8",
"timeout": 300
}
| no | +| [log\_archive\_access\_logs\_bucket\_name](#input\_log\_archive\_access\_logs\_bucket\_name) | n/a | `string` | n/a | yes | +| [log\_archive\_account\_id](#input\_log\_archive\_account\_id) | n/a | `string` | n/a | yes | +| [log\_archive\_bucket\_name](#input\_log\_archive\_bucket\_name) | n/a | `string` | n/a | yes | +| [log\_archive\_bucket\_object\_expiration\_days](#input\_log\_archive\_bucket\_object\_expiration\_days) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_aft\_access\_logs\_s3\_bucket\_arn](#output\_aws\_aft\_access\_logs\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. | +| [aws\_aft\_access\_logs\_s3\_bucket\_id](#output\_aws\_aft\_access\_logs\_s3\_bucket\_id) | The name of the bucket. | +| [aws\_aft\_access\_logs\_s3\_bucket\_region](#output\_aws\_aft\_access\_logs\_s3\_bucket\_region) | The AWS region this bucket resides in. | +| [aws\_aft\_log\_key\_arn](#output\_aws\_aft\_log\_key\_arn) | The ARN of the KMS key used to encrypt contents in the Log bucket | +| [aws\_aft\_logs\_s3\_bucket\_arn](#output\_aws\_aft\_logs\_s3\_bucket\_arn) | The ARN of the bucket. Will be of format arn:aws:s3:::bucketname. | +| [aws\_aft\_logs\_s3\_bucket\_id](#output\_aws\_aft\_logs\_s3\_bucket\_id) | The name of the bucket. | +| [aws\_aft\_logs\_s3\_bucket\_region](#output\_aws\_aft\_logs\_s3\_bucket\_region) | The AWS region this bucket resides in. | diff --git a/modules/aft-feature-options/variables.tf b/modules/aft-feature-options/variables.tf index 188ad30a..c838db19 100644 --- a/modules/aft-feature-options/variables.tf +++ b/modules/aft-feature-options/variables.tf @@ -48,6 +48,7 @@ variable "log_archive_account_id" { variable "aft_features_sfn_name" { type = string } + variable "feature_options_archive_path" { type = string } 
@@ -55,3 +56,16 @@ variable "feature_options_archive_path" {
 variable "feature_options_archive_hash" {
 type = string
 }
+
+variable "lambda_configuration" {
+ type = object({
+ memory_size = string
+ runtime = string
+ timeout = string
+ })
+ default = {
+ memory_size = 1024
+ runtime = "python3.8"
+ timeout = 300
+ }
+}
diff --git a/modules/aft-iam-roles/readme.md b/modules/aft-iam-roles/readme.md
new file mode 100644
index 00000000..5372c44e
--- /dev/null
+++ b/modules/aft-iam-roles/readme.md
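Review bot: `memory_size` and `timeout` are declared as `string` in the new `lambda_configuration` object although both defaults are numbers and the Lambda arguments they now feed in modules/aft-feature-options/lambda.tf are numeric; declaring them as `number` makes Terraform reject a non-numeric override at plan time instead of relying on implicit string-to-number conversion. The variable also has no `description`, unlike the descriptions this same commit adds in modules/aft-lambda-layer/variables.tf. `runtime` is unconstrained even though it presumably has to match the Python version the shared layer is built for (`lambda_layer_python_version`, which this commit defaults to `python3.8`); a typo or mismatch would only show up when the functions fail to import at invocation, so a validation block that pins the `python3.N` form is worth adding. The rewritten variable is below; the three call sites in lambda.tf need no change.
```hcl
variable "lambda_configuration" {
  description = "Memory, runtime and timeout shared by the feature-option Lambda functions; runtime must match the Python version the common layer was built for"
  type = object({
    memory_size = number
    runtime     = string
    timeout     = number
  })
  default = {
    memory_size = 1024
    runtime     = "python3.8"
    timeout     = 300
  }
  validation {
    condition     = can(regex("^python3\\.[0-9]+$", var.lambda_configuration.runtime))
    error_message = "runtime must be a python3.N Lambda runtime identifier."
  }
}
```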
@@ -0,0 +1,43 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws.aft\_management](#provider\_aws.aft\_management) | >= 3.72, < 4.0.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aft\_exec\_role](#module\_aft\_exec\_role) | ./admin-role | n/a | +| [audit\_exec\_role](#module\_audit\_exec\_role) | ./admin-role | n/a | +| [ct\_management\_exec\_role](#module\_ct\_management\_exec\_role) | ./admin-role | n/a | +| [log\_archive\_exec\_role](#module\_log\_archive\_exec\_role) | ./admin-role | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.aft_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.aft_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_caller_identity.aft_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +No inputs. + +## Outputs + +| Name | Description | +|------|-------------| +| [aft\_admin\_role\_arn](#output\_aft\_admin\_role\_arn) | Copyright Amazon.com, Inc. or its affiliates. All rights reserved. SPDX-License-Identifier: Apache-2.0 | +| [aft\_exec\_role\_arn](#output\_aft\_exec\_role\_arn) | n/a | +| [audit\_exec\_role\_arn](#output\_audit\_exec\_role\_arn) | n/a | +| [ct\_management\_exec\_role\_arn](#output\_ct\_management\_exec\_role\_arn) | n/a | +| [log\_archive\_exec\_role\_arn](#output\_log\_archive\_exec\_role\_arn) | n/a | diff --git a/modules/aft-lambda-layer/lambda.tf b/modules/aft-lambda-layer/lambda.tf index 9c92d378..44ee74b3 100644 --- a/modules/aft-lambda-layer/lambda.tf +++ b/modules/aft-lambda-layer/lambda.tf 
@@ -21,11 +21,11 @@ resource "aws_lambda_function" "codebuild_invoker" { data "aws_lambda_invocation" "invoke_codebuild_job" { function_name = aws_lambda_function.codebuild_invoker.function_name - input = < [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72, < 4.0.0 | +| [local](#provider\_local) | n/a | +| [random](#provider\_random) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_codebuild_project.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project) | resource | +| [aws_iam_role.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.codebuild_invoker_lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy.codebuild_invoker_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.codebuild_invoker_VPC_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.codebuild_invoker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_layer_version.layer_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_layer_version) | resource | +| [random_string.resource_suffix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| 
[aws_caller_identity.session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_lambda_invocation.invoke_codebuild_job](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lambda_invocation) | data source | +| [local_file.aft_lambda_layer](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aft\_kms\_key\_arn](#input\_aft\_kms\_key\_arn) | n/a | `string` | n/a | yes | +| [aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_git\_ref\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_tf\_aws\_customizations\_module\_url\_ssm\_path](#input\_aft\_tf\_aws\_customizations\_module\_url\_ssm\_path) | n/a | `string` | n/a | yes | +| [aft\_version](#input\_aft\_version) | n/a | `string` | n/a | yes | +| [aft\_vpc\_default\_sg](#input\_aft\_vpc\_default\_sg) | n/a | `list(string)` | n/a | yes | +| [aft\_vpc\_id](#input\_aft\_vpc\_id) | n/a | `string` | n/a | yes | +| [aft\_vpc\_private\_subnets](#input\_aft\_vpc\_private\_subnets) | n/a | `list(string)` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The region to deploy the layer in | `string` | n/a | yes | +| [builder\_archive\_hash](#input\_builder\_archive\_hash) | n/a | `string` | n/a | yes | +| [builder\_archive\_path](#input\_builder\_archive\_path) | n/a | `string` | n/a | yes | +| [lambda\_layer\_codebuild\_delay](#input\_lambda\_layer\_codebuild\_delay) | n/a | `string` | n/a | yes | +| [lambda\_layer\_name](#input\_lambda\_layer\_name) | The name of the lambda layer | `string` | n/a | yes | +| [lambda\_layer\_python\_version](#input\_lambda\_layer\_python\_version) | Major python version. 
Defaults to 3.8 | `string` | `"python3.8"` | no | +| [s3\_bucket\_name](#input\_s3\_bucket\_name) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [lambda\_layer\_build\_status](#output\_lambda\_layer\_build\_status) | n/a | +| [layer\_version\_arn](#output\_layer\_version\_arn) | the ARN of the lambda layer version | diff --git a/modules/aft-lambda-layer/variables.tf b/modules/aft-lambda-layer/variables.tf index ed738906..1f0828a4 100644 --- a/modules/aft-lambda-layer/variables.tf +++ b/modules/aft-lambda-layer/variables.tf @@ -3,6 +3,7 @@ # variable "lambda_layer_name" { type = string + description = "The name of the lambda layer" validation { condition = can(regex("^[a-zA-Z0-9\\-]+$", var.lambda_layer_name)) error_message = "Layer name must contain only alphanumeric characters and hyphens." @@ -19,6 +20,7 @@ variable "aft_tf_aws_customizations_module_git_ref_ssm_path" { variable "aws_region" { type = string + description = "The region to deploy the layer in" } variable "lambda_layer_codebuild_delay" { @@ -27,6 +29,8 @@ variable "lambda_layer_codebuild_delay" { variable "lambda_layer_python_version" { type = string + default = "python3.8" + description = "Major python version. Defaults to 3.8" } variable "s3_bucket_name" { @@ -48,6 +52,7 @@ variable "aft_vpc_private_subnets" { variable "aft_vpc_default_sg" { type = list(string) } + variable "aft_version" { type = string } diff --git a/modules/aft-ssm-parameters/readme.md b/modules/aft-ssm-parameters/readme.md new file mode 100644 index 00000000..b400a633 --- /dev/null +++ b/modules/aft-ssm-parameters/readme.md 
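Review bot: The new description on `lambda_layer_python_version`, `Major python version. Defaults to 3.8`, does not match what the variable carries: the default added two lines above it is the full runtime identifier `python3.8`, and the layer build presumably keys on that exact string, so a caller who follows the description and passes `3.8` would get a broken layer build rather than a plan-time error. The variable gains a default but no `validation`, while `lambda_layer_name` in the first hunk of this file already has one. I would reword the description to say what the value is and add a validation block restricting it to the `python3.N` form, as below. The other hunks in this file (descriptions on `lambda_layer_name` and `aws_region`, the blank line before `aft_version`) are fine.
```hcl
variable "lambda_layer_python_version" {
  type        = string
  default     = "python3.8"
  description = "Lambda runtime identifier the layer is built for, e.g. python3.8"
  validation {
    condition     = can(regex("^python3\\.[0-9]+$", var.lambda_layer_python_version))
    error_message = "lambda_layer_python_version must be a python3.N Lambda runtime identifier."
  }
}
```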
@@ -0,0 +1,34 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.15.1 | +| [aws](#requirement\_aws) | >= 3.72, < 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.72, < 4.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|---------------------------------------------------------------------------------------------------------------------------------|----------| +| [aws_ssm_parameter.no_secure_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.secure_string](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|-----------------------------------------------------------------------------|-------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|:--------:| +| [not\_sensitive](#input\_not\_sensitive) | n/a |
object({
account_customizations_repo_branch = string
account_customizations_repo_name = string
account_factory_product_name = string
account_provisioning_customizations_repo_branch = string
account_provisioning_customizations_repo_name = string
account_request_repo_branch = string
account_request_repo_name = string
aft_account_provisioning_framework_sfn_name = string
aft_administrator_role_name = string
aft_config_backend_bucket_id = string
aft_config_backend_kms_key_id = string
aft_config_backend_primary_region = string
aft_config_backend_secondary_region = string
aft_config_backend_table_id = string
aft_controltower_events_table_name = string
aft_customizations_execute_pipeline_function_arn = string
aft_customizations_get_pipeline_executions_function_arn = string
aft_customizations_identify_targets_function_arn = string
aft_execution_role_name = string
aft_failure_sns_topic_arn = string
aft_feature_cloudtrail_data_events = string
aft_feature_delete_default_vpcs_enabled = string
aft_feature_enterprise_support = string
aft_framework_repo_git_ref = string
aft_framework_repo_url = string
aft_invoke_aft_account_provisioning_framework_function_name = string
aft_log_key_arn = string
aft_logging_bucket_arn = string
aft_management_account_id = string
aft_request_audit_table_name = string
aft_request_metadata_table_name = string
aft_request_queue_name = string
aft_request_table_name = string
aft_session_name = string
aft_sns_topic_arn = string
aft_version = string
codestar_connection_arn = string
control_tower_event_logger_function_arn = string
create_role_function_arn = string
ct_audit_account_id = string
ct_log_archive_account_id = string
ct_management_account_id = string
ct_primary_region = string
get_account_info_function_arn = string
github_enterprise_url = string
global_customizations_repo_branch = string
global_customizations_repo_name = string
invoke_aft_account_provisioning_framework_function_arn = string
maximum_concurrent_customizations = string
persist_metadata_function_arn = string
request_action_trigger_function_arn = string
request_audit_trigger_function_arn = string
request_processor_function_arn = string
tag_account_function_arn = string
terraform_api_endpoint = string
terraform_org_name = string
terraform_version = string
tf_distribution = string
tf_version = string
validate_request_function_arn = string
vcs_provider = string
})
| n/a | yes |
+| [sensitive](#input\_sensitive) | n/a |
object({
terraform_token = string
})
| n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/modules/aft-ssm-parameters/ssm.tf b/modules/aft-ssm-parameters/ssm.tf
index 2fa991b4..fd7fb616 100644
--- a/modules/aft-ssm-parameters/ssm.tf
+++ b/modules/aft-ssm-parameters/ssm.tf
@@ -1,368 +1,268 @@ # Copyright Amazon.com, Inc. or its affiliates. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # -resource "aws_ssm_parameter" "aft_request_queue_name" { - name = "/aft/resources/sqs/aft-request-queue-name" - type = "String" - value = var.aft_request_queue_name -} - -resource "aws_ssm_parameter" "aft_request_table_name" { - name = "/aft/resources/ddb/aft-request-table-name" - type = "String" - value = var.aft_request_table_name -} - -resource "aws_ssm_parameter" "aft_request_audit_table_name" { - name = "/aft/resources/ddb/aft-request-audit-table-name" - type = "String" - value = var.aft_request_audit_table_name -} - -resource "aws_ssm_parameter" "aft_request_metadata_table_name" { - name = "/aft/resources/ddb/aft-request-metadata-table-name" - type = "String" - value = var.aft_request_metadata_table_name -} - -resource "aws_ssm_parameter" "aft_controltower_events_table_name" { - name = "/aft/resources/ddb/aft-controltower-events-table-name" - type = "String" - value = var.aft_controltower_events_table_name -} - -resource "aws_ssm_parameter" "aft_account_factory_product_name" { - name = "/aft/resources/sc/account-factory-product-name" - type = "String" - value = var.account_factory_product_name -} - -resource "aws_ssm_parameter" "aft_invoke_aft_account_provisioning_framework_lambda_function_name" { - name = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework" - type = "String" - value = var.aft_invoke_aft_account_provisioning_framework_function_name -} - -resource "aws_ssm_parameter" "aft_account_provisioning_framework_sfn_name" { - name = "/aft/account/aft-management/sfn/aft-account-provisioning-framework-sfn-name" - type = "String" - value = var.aft_account_provisioning_framework_sfn_name -} - -resource "aws_ssm_parameter" "aft_sns_topic_arn" { - name = "/aft/account/aft-management/sns/topic-arn" - type = "String" - value = var.aft_sns_topic_arn -} - -resource "aws_ssm_parameter" "aft_failure_sns_topic_arn" { - 
name = "/aft/account/aft-management/sns/failure-topic-arn" - type = "String" - value = var.aft_failure_sns_topic_arn -} - -resource "aws_ssm_parameter" "aft_request_action_trigger_function_arn" { - name = "/aft/resources/lambda/aft-account-request-action-trigger-function-arn" - type = "String" - value = var.request_action_trigger_function_arn -} - -resource "aws_ssm_parameter" "request_audit_trigger_function_arn" { - name = "/aft/resources/lambda/aft-account-request-audit-trigger-function-arn" - type = "String" - value = var.request_audit_trigger_function_arn -} - -resource "aws_ssm_parameter" "request_processor_function_arn" { - name = "/aft/resources/lambda/aft-account-request-processor-function-arn" - type = "String" - value = var.request_processor_function_arn -} - -resource "aws_ssm_parameter" "control_tower_event_logger_function_arn" { - name = "/aft/resources/lambda/aft-controltower-event-logger-function-arn" - type = "String" - value = var.control_tower_event_logger_function_arn -} - -resource "aws_ssm_parameter" "invoke_aft_account_provisioning_framework_function_arn" { - name = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework-function-arn" - type = "String" - value = var.invoke_aft_account_provisioning_framework_function_arn -} - -resource "aws_ssm_parameter" "validate_request_function_arn" { - name = "/aft/resources/lambda/aft-account-provisioning-framework-validate-request-function-arn" - type = "String" - value = var.validate_request_function_arn -} - -resource "aws_ssm_parameter" "get_account_info_function_arn" { - name = "/aft/resources/lambda/aft-account-provisioning-framework-get-account-info-function-arn" - type = "String" - value = var.get_account_info_function_arn -} - -resource "aws_ssm_parameter" "create_role_function_arn" { - name = "/aft/resources/lambda/aft-account-provisioning-framework-create-role-function-arn" - type = "String" - value = var.create_role_function_arn -} - -resource "aws_ssm_parameter" 
"tag_account_function_arn" { - name = "/aft/resources/lambda/aft-account-provisioning-framework-tag-account-function-arn" - type = "String" - value = var.tag_account_function_arn -} - -resource "aws_ssm_parameter" "persist_metadata_function_arn" { - name = "/aft/resources/lambda/aft-account-provisioning-framework-persist-metadata-function-arn" - type = "String" - value = var.persist_metadata_function_arn -} - -resource "aws_ssm_parameter" "aft_customizations_identify_targets_function_arn" { - name = "/aft/resources/lambda/aft-customizations-identify-targets-function-arn" - type = "String" - value = var.aft_customizations_identify_targets_function_arn -} - -resource "aws_ssm_parameter" "aft_customizations_execute_pipeline_function_arn" { - name = "/aft/resources/lambda/aft-customizations-execute-pipeline-function-arn" - type = "String" - value = var.aft_customizations_execute_pipeline_function_arn -} - -resource "aws_ssm_parameter" "aft_customizations_get_pipeline_executions_function_arn" { - name = "/aft/resources/lambda/aft-customizations-get-pipeline-executions-function-arn" - type = "String" - value = var.aft_customizations_get_pipeline_executions_function_arn -} - -resource "aws_ssm_parameter" "vcs_provider" { - name = "/aft/config/vcs/provider" - type = "String" - value = var.vcs_provider -} - -resource "aws_ssm_parameter" "ct_management_account_id" { - name = "/aft/account/ct-management/account-id" - type = "String" - value = var.ct_management_account_id -} - -resource "aws_ssm_parameter" "ct_log_archive_account_id" { - name = "/aft/account/log-archive/account-id" - type = "String" - value = var.ct_log_archive_account_id -} - -resource "aws_ssm_parameter" "ct_audit_account_id" { - name = "/aft/account/audit/account-id" - type = "String" - value = var.ct_audit_account_id -} - -resource "aws_ssm_parameter" "aft_management_account_id" { - name = "/aft/account/aft-management/account-id" - type = "String" - value = var.aft_management_account_id -} - -resource 
"aws_ssm_parameter" "ct_primary_region" { - name = "/aft/config/ct-management-region" - type = "String" - value = var.ct_primary_region -} - -resource "aws_ssm_parameter" "aft_version" { - name = "/aft/config/aft/version" - type = "String" - value = var.aft_version -} - -resource "aws_ssm_parameter" "tf_version" { - name = "/aft/config/terraform/version" - type = "String" - value = var.tf_version -} - -resource "aws_ssm_parameter" "tf_distribution" { - name = "/aft/config/terraform/distribution" - type = "String" - value = var.tf_distribution -} - -resource "aws_ssm_parameter" "terraform_api_endpoint" { - name = "/aft/config/terraform/api-endpoint" - type = "String" - value = var.terraform_api_endpoint -} - -resource "aws_ssm_parameter" "terraform_token" { - name = "/aft/config/terraform/token" +locals { + ssm_vars_not_sensitive_strings = [ + { + name = "/aft/account/aft-management/account-id", + value = var.not_sensitive.aft_management_account_id + }, + { + name = "/aft/account/aft-management/sfn/aft-account-provisioning-framework-sfn-name", + value = var.not_sensitive.aft_account_provisioning_framework_sfn_name + }, + { + name = "/aft/account/aft-management/sns/failure-topic-arn", + value = var.not_sensitive.aft_failure_sns_topic_arn + }, + { + name = "/aft/account/aft-management/sns/topic-arn", + value = var.not_sensitive.aft_sns_topic_arn + }, + { + name = "/aft/account/audit/account-id", + value = var.not_sensitive.ct_audit_account_id + }, + { + name = "/aft/account/ct-management/account-id", + value = var.not_sensitive.ct_management_account_id + }, + { + name = "/aft/account/log-archive/account-id", + value = var.not_sensitive.ct_log_archive_account_id + }, + { + name = "/aft/account/log-archive/kms_key_arn", + value = var.not_sensitive.aft_log_key_arn + }, + { + name = "/aft/account/log-archive/log_bucket_arn", + value = var.not_sensitive.aft_logging_bucket_arn + }, + { + name = "/aft/config/account-customizations/repo-branch", + value = 
var.not_sensitive.account_customizations_repo_branch + }, + { + name = "/aft/config/account-customizations/repo-name", + value = var.not_sensitive.account_customizations_repo_name + }, + { + name = "/aft/config/account-provisioning-customizations/repo-branch", + value = var.not_sensitive.account_provisioning_customizations_repo_branch + }, + { + name = "/aft/config/account-provisioning-customizations/repo-name", + value = var.not_sensitive.account_provisioning_customizations_repo_name + }, + { + name = "/aft/config/account-request/repo-branch", + value = var.not_sensitive.account_request_repo_branch + }, + { + name = "/aft/config/account-request/repo-name", + value = var.not_sensitive.account_request_repo_name + }, + { + name = "/aft/config/aft-pipeline-code-source/repo-git-ref", + value = var.not_sensitive.aft_framework_repo_git_ref + }, + { + name = "/aft/config/aft-pipeline-code-source/repo-url", + value = var.not_sensitive.aft_framework_repo_url + }, + { + name = "/aft/config/aft/version", + value = var.not_sensitive.aft_version + }, + { + name = "/aft/config/ct-management-region", + value = var.not_sensitive.ct_primary_region + }, + { + name = "/aft/config/customizations/maximum_concurrent_customizations", + value = var.not_sensitive.maximum_concurrent_customizations + }, + { + name = "/aft/config/feature/cloudtrail-data-events-enabled", + value = var.not_sensitive.aft_feature_cloudtrail_data_events + }, + { + name = "/aft/config/feature/delete-default-vpcs-enabled", + value = var.not_sensitive.aft_feature_delete_default_vpcs_enabled + }, + { + name = "/aft/config/feature/enterprise-support-enabled", + value = var.not_sensitive.aft_feature_enterprise_support + }, + { + name = "/aft/config/global-customizations/repo-branch", + value = var.not_sensitive.global_customizations_repo_branch + }, + { + name = "/aft/config/global-customizations/repo-name", + value = var.not_sensitive.global_customizations_repo_name + }, + { + name = 
"/aft/config/oss-backend/bucket-id", + value = var.not_sensitive.aft_config_backend_bucket_id + }, + { + name = "/aft/config/oss-backend/kms-key-id", + value = var.not_sensitive.aft_config_backend_kms_key_id + }, + { + name = "/aft/config/oss-backend/primary-region", + value = var.not_sensitive.aft_config_backend_primary_region + }, + { + name = "/aft/config/oss-backend/secondary-region", + value = var.not_sensitive.aft_config_backend_secondary_region + }, + { + name = "/aft/config/oss-backend/table-id", + value = var.not_sensitive.aft_config_backend_table_id + }, + { + name = "/aft/config/terraform/api-endpoint", + value = var.not_sensitive.terraform_api_endpoint + }, + { + name = "/aft/config/terraform/distribution", + value = var.not_sensitive.tf_distribution + }, + { + name = "/aft/config/terraform/org-name", + value = var.not_sensitive.terraform_org_name + }, + { + name = "/aft/config/terraform/version", + value = var.not_sensitive.tf_version + }, + { + name = "/aft/config/vcs/codestar-connection-arn", + value = var.not_sensitive.codestar_connection_arn + }, + { + name = "/aft/config/vcs/github-enterprise-url", + value = var.not_sensitive.github_enterprise_url + }, + { + name = "/aft/config/vcs/provider", + value = var.not_sensitive.vcs_provider + }, + { + name = "/aft/resources/ddb/aft-controltower-events-table-name", + value = var.not_sensitive.aft_controltower_events_table_name + }, + { + name = "/aft/resources/ddb/aft-request-audit-table-name", + value = var.not_sensitive.aft_request_audit_table_name + }, + { + name = "/aft/resources/ddb/aft-request-metadata-table-name", + value = var.not_sensitive.aft_request_metadata_table_name + }, + { + name = "/aft/resources/ddb/aft-request-table-name", + value = var.not_sensitive.aft_request_table_name + }, + { + name = "/aft/resources/iam/aft-administrator-role-name", + value = var.not_sensitive.aft_administrator_role_name + }, + { + name = "/aft/resources/iam/aft-execution-role-name", + value = 
var.not_sensitive.aft_execution_role_name + }, + { + name = "/aft/resources/iam/aft-session-name", + value = var.not_sensitive.aft_session_name + }, + { + name = "/aft/resources/lambda/aft-account-provisioning-framework-create-role-function-arn", + value = var.not_sensitive.create_role_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-provisioning-framework-get-account-info-function-arn", + value = var.not_sensitive.get_account_info_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-provisioning-framework-persist-metadata-function-arn", + value = var.not_sensitive.persist_metadata_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-provisioning-framework-tag-account-function-arn", + value = var.not_sensitive.tag_account_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-provisioning-framework-validate-request-function-arn", + value = var.not_sensitive.validate_request_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-request-action-trigger-function-arn", + value = var.not_sensitive.request_action_trigger_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-request-audit-trigger-function-arn", + value = var.not_sensitive.request_audit_trigger_function_arn + }, + { + name = "/aft/resources/lambda/aft-account-request-processor-function-arn", + value = var.not_sensitive.request_processor_function_arn + }, + { + name = "/aft/resources/lambda/aft-controltower-event-logger-function-arn", + value = var.not_sensitive.control_tower_event_logger_function_arn + }, + { + name = "/aft/resources/lambda/aft-customizations-execute-pipeline-function-arn", + value = var.not_sensitive.aft_customizations_execute_pipeline_function_arn + }, + { + name = "/aft/resources/lambda/aft-customizations-get-pipeline-executions-function-arn", + value = var.not_sensitive.aft_customizations_get_pipeline_executions_function_arn + }, + { + name = 
"/aft/resources/lambda/aft-customizations-identify-targets-function-arn", + value = var.not_sensitive.aft_customizations_identify_targets_function_arn + }, + { + name = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework", + value = var.not_sensitive.aft_invoke_aft_account_provisioning_framework_function_name + }, + { + name = "/aft/resources/lambda/aft-invoke-aft-account-provisioning-framework-function-arn", + value = var.not_sensitive.invoke_aft_account_provisioning_framework_function_arn + }, + { + name = "/aft/resources/sc/account-factory-product-name", + value = var.not_sensitive.account_factory_product_name + }, + { + name = "/aft/resources/sqs/aft-request-queue-name", + value = var.not_sensitive.aft_request_queue_name + } + ] + ssm_vars_sensitive_strings = [ + { + name = "/aft/config/terraform/token", + value = var.sensitive.terraform_token + } + ] +} + +resource "aws_ssm_parameter" "no_secure_string" { + count = length(local.ssm_vars_not_sensitive_strings) + name = local.ssm_vars_not_sensitive_strings[count.index]["name"] + value = local.ssm_vars_not_sensitive_strings[count.index]["value"] type = "SecureString" - value = var.terraform_token -} - -resource "aws_ssm_parameter" "terraform_org_name" { - name = "/aft/config/terraform/org-name" - type = "String" - value = var.terraform_org_name -} - -resource "aws_ssm_parameter" "aft_execution_role_name" { - name = "/aft/resources/iam/aft-execution-role-name" - type = "String" - value = var.aft_execution_role_name -} - -resource "aws_ssm_parameter" "aft_administrator_role_name" { - name = "/aft/resources/iam/aft-administrator-role-name" - type = "String" - value = var.aft_administrator_role_name -} - -resource "aws_ssm_parameter" "aft_session_name" { - name = "/aft/resources/iam/aft-session-name" - type = "String" - value = var.aft_session_name } -resource "aws_ssm_parameter" "aft_config_backend_bucket_id" { - name = "/aft/config/oss-backend/bucket-id" - type = "String" - value = 
var.aft_config_backend_bucket_id -} - -resource "aws_ssm_parameter" "aft_config_backend_primary_region" { - name = "/aft/config/oss-backend/primary-region" - type = "String" - value = var.aft_config_backend_primary_region -} - -resource "aws_ssm_parameter" "aft_config_backend_secondary_region" { - name = "/aft/config/oss-backend/secondary-region" - type = "String" - value = var.aft_config_backend_secondary_region -} - -resource "aws_ssm_parameter" "aft_config_backend_kms_key_id" { - name = "/aft/config/oss-backend/kms-key-id" - type = "String" - value = var.aft_config_backend_kms_key_id -} - -resource "aws_ssm_parameter" "aft_config_backend_table_id" { - name = "/aft/config/oss-backend/table-id" - type = "String" - value = var.aft_config_backend_table_id -} - -resource "aws_ssm_parameter" "aft_framework_repo_url" { - name = "/aft/config/aft-pipeline-code-source/repo-url" - type = "String" - value = var.aft_framework_repo_url -} - -resource "aws_ssm_parameter" "aft_framework_repo_git_ref" { - name = "/aft/config/aft-pipeline-code-source/repo-git-ref" - type = "String" - value = var.aft_framework_repo_git_ref -} - -resource "aws_ssm_parameter" "aft_feature_cloudtrail_data_events" { - name = "/aft/config/feature/cloudtrail-data-events-enabled" - type = "String" - value = var.aft_feature_cloudtrail_data_events -} -resource "aws_ssm_parameter" "aft_feature_enterprise_support" { - name = "/aft/config/feature/enterprise-support-enabled" - type = "String" - value = var.aft_feature_enterprise_support -} - -resource "aws_ssm_parameter" "aft_feature_delete_default_vpcs_enabled" { - name = "/aft/config/feature/delete-default-vpcs-enabled" - type = "String" - value = var.aft_feature_delete_default_vpcs_enabled -} - -resource "aws_ssm_parameter" "account_request_repo_name" { - name = "/aft/config/account-request/repo-name" - type = "String" - value = var.account_request_repo_name -} - -resource "aws_ssm_parameter" "account_request_repo_branch" { - name = 
"/aft/config/account-request/repo-branch" - type = "String" - value = var.account_request_repo_branch -} - -resource "aws_ssm_parameter" "global_customizations_repo_name" { - name = "/aft/config/global-customizations/repo-name" - type = "String" - value = var.global_customizations_repo_name -} - -resource "aws_ssm_parameter" "global_customizations_repo_branch" { - name = "/aft/config/global-customizations/repo-branch" - type = "String" - value = var.global_customizations_repo_branch -} - -resource "aws_ssm_parameter" "account_customizations_repo_name" { - name = "/aft/config/account-customizations/repo-name" - type = "String" - value = var.account_customizations_repo_name -} - -resource "aws_ssm_parameter" "account_customizations_repo_branch" { - name = "/aft/config/account-customizations/repo-branch" - type = "String" - value = var.account_customizations_repo_branch -} - -resource "aws_ssm_parameter" "account_provisioning_customizations_repo_name" { - name = "/aft/config/account-provisioning-customizations/repo-name" - type = "String" - value = var.account_provisioning_customizations_repo_name -} - -resource "aws_ssm_parameter" "account_provisioning_customizations_repo_branch" { - name = "/aft/config/account-provisioning-customizations/repo-branch" - type = "String" - value = var.account_provisioning_customizations_repo_branch -} - -resource "aws_ssm_parameter" "codestar_connection_arn" { - name = "/aft/config/vcs/codestar-connection-arn" - type = "String" - value = var.codestar_connection_arn -} - -resource "aws_ssm_parameter" "github_enterprise_url" { - name = "/aft/config/vcs/github-enterprise-url" - type = "String" - value = var.github_enterprise_url -} - -resource "aws_ssm_parameter" "aft_logging_bucket_arn" { - name = "/aft/account/log-archive/log_bucket_arn" - type = "String" - value = var.aft_logging_bucket_arn -} - -resource "aws_ssm_parameter" "aft_log_key_arn" { - name = "/aft/account/log-archive/kms_key_arn" - type = "String" - value = 
var.aft_log_key_arn
-}
-
-resource "aws_ssm_parameter" "aft_maximum_concurrent_customizations" {
- name = "/aft/config/customizations/maximum_concurrent_customizations"
- value = var.maximum_concurrent_customizations
- type = "String"
+resource "aws_ssm_parameter" "secure_string" {
+ count = length(local.ssm_vars_sensitive_strings)
+ name = local.ssm_vars_sensitive_strings[count.index]["name"]
+ value = local.ssm_vars_sensitive_strings[count.index]["value"]
+ type = "SecureString"
}
diff --git a/modules/aft-ssm-parameters/variables.tf b/modules/aft-ssm-parameters/variables.tf
index 8782b76a..0ae7a039 100644
--- a/modules/aft-ssm-parameters/variables.tf
+++ b/modules/aft-ssm-parameters/variables.tf
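Review bot: `aws_ssm_parameter.no_secure_string` ends up with `type = "SecureString"` — that line survives as context from the removed `terraform_token` resource — although every parameter it replaces was `type = "String"`, so the resource name contradicts what it provisions and all the non-secret `/aft/...` values now have to be read with decryption enabled and key access, a silent contract change for every consumer; the intended line is presumably `type = "String"`. Indexing both resources with `count` over a positional list means inserting an entry anywhere but the end shifts the indices and destroys and recreates every parameter after it; `for_each = { for p in local.ssm_vars_not_sensitive_strings : p.name => p.value }` keyed by parameter name gives stable addresses, and the same applies to `secure_string`. The removed `terraform_token` variable in the next file was declared `sensitive = true`; the `var.sensitive` object that replaces it is declared outside this chunk and should carry that flag so the token value stays redacted in plan output.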
@@ -1,251 +1,94 @@ # Copyright Amazon.com, Inc. or its affiliates. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # -variable "aft_request_queue_name" { - type = string -} - -variable "aft_request_table_name" { - type = string -} - -variable "aft_request_audit_table_name" { - type = string -} - -variable "aft_request_metadata_table_name" { - type = string -} - -variable "aft_controltower_events_table_name" { - type = string -} - -variable "account_factory_product_name" { - type = string -} - -variable "aft_invoke_aft_account_provisioning_framework_function_name" { - type = string -} - -variable "aft_account_provisioning_framework_sfn_name" { - type = string -} - -variable "aft_sns_topic_arn" { - type = string -} - -variable "aft_failure_sns_topic_arn" { - type = string -} - -variable "request_action_trigger_function_arn" { - type = string -} - -variable "request_audit_trigger_function_arn" { - type = string -} - -variable "request_processor_function_arn" { - type = string -} - -variable "control_tower_event_logger_function_arn" { - type = string -} - -variable "invoke_aft_account_provisioning_framework_function_arn" { - type = string -} - -variable "validate_request_function_arn" { - type = string -} - -variable "get_account_info_function_arn" { - type = string -} - -variable "create_role_function_arn" { - type = string -} - -variable "tag_account_function_arn" { - type = string -} - -variable "persist_metadata_function_arn" { - type = string -} - -variable "aft_customizations_identify_targets_function_arn" { - type = string -} - -variable "aft_customizations_execute_pipeline_function_arn" { - type = string -} - -variable "aft_customizations_get_pipeline_executions_function_arn" { - type = string -} - -variable "vcs_provider" { - type = string -} - -variable "ct_management_account_id" { - type = string -} - -variable "ct_log_archive_account_id" { - type = string -} - -variable "ct_audit_account_id" { - type = string -} - -variable 
"aft_management_account_id" { - type = string -} - -variable "ct_primary_region" { - type = string -} - -variable "tf_version" { - type = string -} - -variable "tf_distribution" { - type = string -} - -variable "terraform_api_endpoint" { - type = string -} - -variable "terraform_token" { - type = string - sensitive = true -} - -variable "account_request_repo_name" { - type = string -} - -variable "account_request_repo_branch" { - type = string -} - -variable "account_provisioning_customizations_repo_name" { - type = string -} - -variable "account_provisioning_customizations_repo_branch" { - type = string -} - -variable "terraform_org_name" { - type = string -} -variable "aft_execution_role_name" { - type = string +variable "not_sensitive" { + type = object({ + account_customizations_repo_branch = string + account_customizations_repo_name = string + account_factory_product_name = string + account_provisioning_customizations_repo_branch = string + account_provisioning_customizations_repo_name = string + account_request_repo_branch = string + account_request_repo_name = string + aft_account_provisioning_framework_sfn_name = string + aft_administrator_role_name = string + aft_config_backend_bucket_id = string + aft_config_backend_kms_key_id = string + aft_config_backend_primary_region = string + aft_config_backend_secondary_region = string + aft_config_backend_table_id = string + aft_controltower_events_table_name = string + aft_customizations_execute_pipeline_function_arn = string + aft_customizations_get_pipeline_executions_function_arn = string + aft_customizations_identify_targets_function_arn = string + aft_execution_role_name = string + aft_failure_sns_topic_arn = string + aft_feature_cloudtrail_data_events = string + aft_feature_delete_default_vpcs_enabled = string + aft_feature_enterprise_support = string + aft_framework_repo_git_ref = string + aft_framework_repo_url = string + aft_invoke_aft_account_provisioning_framework_function_name = string + 
aft_log_key_arn = string + aft_logging_bucket_arn = string + aft_management_account_id = string + aft_request_audit_table_name = string + aft_request_metadata_table_name = string + aft_request_queue_name = string + aft_request_table_name = string + aft_session_name = string + aft_sns_topic_arn = string + aft_version = string + codestar_connection_arn = string + control_tower_event_logger_function_arn = string + create_role_function_arn = string + ct_audit_account_id = string + ct_log_archive_account_id = string + ct_management_account_id = string + ct_primary_region = string + get_account_info_function_arn = string + github_enterprise_url = string + global_customizations_repo_branch = string + global_customizations_repo_name = string + invoke_aft_account_provisioning_framework_function_arn = string + maximum_concurrent_customizations = string + persist_metadata_function_arn = string + request_action_trigger_function_arn = string + request_audit_trigger_function_arn = string + request_processor_function_arn = string + tag_account_function_arn = string + terraform_api_endpoint = string + terraform_org_name = string + terraform_version = string + tf_distribution = string + tf_version = string + validate_request_function_arn = string + vcs_provider = string + }) } -variable "aft_administrator_role_name" { - type = string -} -variable "aft_session_name" { - type = string -} +variable "sensitive" { + type = object({ + terraform_token = string + }) -variable "aft_config_backend_bucket_id" { - type = string } -variable "aft_config_backend_primary_region" { - type = string -} -variable "aft_config_backend_secondary_region" { - type = string -} -variable "aft_config_backend_kms_key_id" { - type = string -} -variable "aft_config_backend_table_id" { - type = string -} -variable "aft_framework_repo_url" { - type = string -} -variable "aft_framework_repo_git_ref" { - type = string -} -variable "terraform_version" { - type = string -} -variable 
"aft_feature_cloudtrail_data_events" { - type = string -} -variable "aft_feature_enterprise_support" { - type = string -} -variable "aft_feature_delete_default_vpcs_enabled" { - type = string -} -variable "global_customizations_repo_name" { - type = string -} -variable "global_customizations_repo_branch" { - type = string -} - -variable "account_customizations_repo_name" { - type = string -} - -variable "account_customizations_repo_branch" { - type = string -} - -variable "codestar_connection_arn" { - type = string -} -variable "github_enterprise_url" { - type = string -} -variable "aft_logging_bucket_arn" { - type = string -} -variable "aft_log_key_arn" { - type = string -} -variable "maximum_concurrent_customizations" { - type = number -} -variable "aft_version" { - type = string -}
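Review bot: The new `variable "sensitive"` block drops the `sensitive = true` that the removed `terraform_token` variable carried, so the token will now be rendered in plain text in plan and apply output (and in any CI logs that capture it) even though the module name signals it holds secrets; add `sensitive = true` inside `variable "sensitive" {` next to the `type = object({ terraform_token = string })` declaration. Writing the value to SSM as `SecureString` (the `aws_ssm_parameter.secure_string` resource in the main.tf hunk above) protects it at rest in Parameter Store but does not affect how Terraform prints the variable, and it still lands unencrypted in the state file regardless, so state-backend encryption and access control remain the control for that. Separately, `maximum_concurrent_customizations` moves from `type = number` to a `string` attribute of `not_sensitive`, which silently relaxes input validation; if that is intentional a comment such as `# stored as string because SSM String parameters are untyped` on that line would save the next reader a question.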