-
4 | Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP
5 | has AWS Shield protection. This rule also checks if they have web ACL associated for Application Load Balancer and
6 | Amazon CloudFront distributions.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # webACLId: The WebACLId of the web ACL.
11 | # resourceTags: The resource tags associated with the rule. For example, { "tagKey1" : ["tagValue1"],
12 | # "tagKey2" : ["tagValue2", "tagValue3"] }").
13 | # excludeResourceTags: If true, exclude the resources that match the resourceTags. If false, include all the
14 | # resources that match the resourceTags.
15 | # fmsManagedToken: A token generated by AWS Firewall Manager when creating the rule in your account. AWS
16 | # Config ignores this parameter when you create this rule.
17 | # fmsRemediationEnabled: If true, AWS Firewall Manager will update NON_COMPLIANT resources according to FMS policy.
18 | # AWS Config ignores this parameter when you create this rule.
19 | webACLId: ""
20 | resourceTags: ""
21 | excludeResourceTags: ""
22 | fmsManagedToken: ""
23 | fmsRemediationEnabled: ""
24 | enabled: true
25 | tags:
26 | catalog/fms: true
27 |
28 | fms-webacl-resource-policy-check:
29 | identifier: FMS_WEBACL_RESOURCE_POLICY_CHECK
30 | description: >-
31 | Checks whether the web ACL is associated with an Application Load Balancer, API Gateway stage, or Amazon CloudFront
32 | distributions. When AWS Firewall Manager creates this rule, the FMS policy owner specifies the WebACLId in the FMS
33 | policy and can optionally enable remediation.
34 | inputParameters: webACLId
35 | enabled: true
36 | tags:
37 | catalog/fms: true
38 |
39 | fms-webacl-rulegroup-association-check:
40 | identifier: FMS_WEBACL_RULEGROUP_ASSOCIATION_CHECK
41 | description: >-
42 | Checks that the rule groups associate with the web ACL at the correct priority. The correct priority is decided by
43 | the rank of the rule groups in the ruleGroups parameter. When AWS Firewall Manager creates this rule, it assigns the
44 | highest priority 0 followed by 1, 2, and so on. The FMS policy owner specifies the ruleGroups rank in the FMS policy
45 | and can optionally enable remediation.
46 | inputParameters: ruleGroups
47 | enabled: true
48 | tags:
49 | catalog/fms: true
50 |
--------------------------------------------------------------------------------
/catalog/lambda.yaml:
--------------------------------------------------------------------------------
1 | lambda-concurrency-check:
2 | identifier: LAMBDA_CONCURRENCY_CHECK
3 | description: >-
4 | Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The rule is
5 | NON_COMPLIANT if the Lambda function is not configured with function-level concurrent execution limit.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # ConcurrencyLimitLow: Minimum concurrency execution limit
10 | # ConcurrencyLimitHigh: Maximum concurrency execution limit
11 | enabled: true
12 | tags:
13 | catalog/lambda: true
14 |
15 | lambda-dlq-check:
16 | identifier: LAMBDA_DLQ_CHECK
17 | description: >-
18 | Checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the
19 | Lambda function is not configured with a dead-letter queue.
20 | inputParameters:
21 | # The following parameters are optional:
22 | #
23 | # dlqArns: Comma-separated list of Amazon SQS and Amazon SNS ARNs that must be configured as the Lambda function dead-letter queue target.
24 | enabled: true
25 | tags:
26 | catalog/lambda: true
27 |
28 | lambda-function-public-access-prohibited:
29 | identifier: LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
30 | description: >-
31 | Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda
32 | function policy allows public access it is NON_COMPLIANT.
33 | inputParameters: {}
34 | enabled: true
35 | tags:
36 | catalog/lambda: true
37 |
38 | lambda-function-settings-check:
39 | identifier: LAMBDA_FUNCTION_SETTINGS_CHECK
40 | description: >-
41 | Checks that the lambda function settings for runtime, role, timeout, and memory size match the expected values.
42 | inputParameters:
43 | # The following parameters are required:
44 | #
45 | # runtime: Comma-separated list of runtime values.
46 | # role: IAM role.
47 | # timeout: Timeout in seconds.
48 | # memorySize: Memory size in MB.
49 | runtime: ""
50 | role: ""
51 | timeout: "30"
52 | memorySize: "1024"
53 | enabled: true
54 | tags:
55 | catalog/lambda: true
56 |
57 | lambda-inside-vpc:
58 | identifier: LAMBDA_INSIDE_VPC
59 | description: >-
60 | Checks whether an AWS Lambda function is in an Amazon Virtual Private Cloud. The rule is NON_COMPLIANT if the Lambda
61 | function is not in a VPC.
62 | inputParameters:
63 | # The following parameters are optional:
64 | #
65 | # subnetIds: Comma-separated list of subnet IDs that Lambda functions must be associated with.
66 | {}
67 | enabled: true
68 | tags:
69 | catalog/lambda: true
70 |
--------------------------------------------------------------------------------
/catalog/redshift.yaml:
--------------------------------------------------------------------------------
1 | redshift-backup-enabled:
2 | identifier: REDSHIFT_BACKUP_ENABLED
3 | description: >-
4 | Checks that Amazon Redshift automated snapshots are enabled for clusters. The rule is NON_COMPLIANT if the value for
5 | automatedSnapshotRetentionPeriod is greater than MaxRetentionPeriod or less than MinRetentionPeriod or the value is
6 | 0.
7 | inputParameters:
8 | # The following parameters are optional:
9 | #
10 | # MinRetentionPeriod: Minimum value for the retention period. Minimum value is 1.
11 | # MaxRetentionPeriod: Maximum value for the retention period. Maximum value is 35.
12 | enabled: true
13 | tags:
14 | catalog/redshift: true
15 |
16 | redshift-cluster-configuration-check:
17 | identifier: REDSHIFT_CLUSTER_CONFIGURATION_CHECK
18 | description: >-
19 | Checks whether Amazon Redshift clusters have the specified settings.
20 | inputParameters:
21 | # The following parameters are optional:
22 | #
23 | # clusterDbEncrypted: Database encryption is enabled.
24 | # nodeTypes: Specify node type.
25 | # loggingEnabled: Audit logging is enabled.
26 | enabled: true
27 | tags:
28 | catalog/redshift: true
29 |
30 | redshift-cluster-maintenancesettings-check:
31 | identifier: REDSHIFT_CLUSTER_MAINTENANCESETTINGS_CHECK
32 | description: >-
33 | Checks whether Amazon Redshift clusters have the specified maintenance settings.
34 | inputParameters:
35 | # The following parameters are optional:
36 | #
37 | # allowVersionUpgrade: Allow version upgrade is enabled.
38 | # preferredMaintenanceWindow: Scheduled maintenance window for clusters (for example, Mon:09:30-Mon:10:00).
39 | # automatedSnapshotRetentionPeriod: Number of days to retain automated snapshots.
40 | allowVersionUpgrade: "true"
41 | preferredMaintenanceWindow: ""
42 | automatedSnapshotRetentionPeriod: "30"
43 | enabled: true
44 | tags:
45 | catalog/redshift: true
46 |
47 | redshift-cluster-public-access-check:
48 | identifier: REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
49 | description: >-
50 | Checks whether Amazon Redshift clusters are not publicly accessible. The rule is NON_COMPLIANT if the
51 | publiclyAccessible field is true in the cluster configuration item.
52 | inputParameters: {}
53 | enabled: true
54 | tags:
55 | catalog/redshift: true
56 |
57 | redshift-require-tls-ssl:
58 | identifier: REDSHIFT_REQUIRE_TLS_SSL
59 | description: >-
60 | Checks whether Amazon Redshift clusters require TLS/SSL encryption to connect to SQL clients. The rule is
61 | NON_COMPLIANT if any Amazon Redshift cluster has parameter require_SSL not set to true.
62 | inputParameters: {}
63 | enabled: true
64 | tags:
65 | catalog/redshift: true
66 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | current_region = module.utils.region_az_alt_code_maps.to_fixed[data.aws_region.current.name]
3 |
4 | file_rules = module.aws_config_rules_yaml_config.map_configs
5 | rules_with_tags = { for k, rule in local.file_rules : k => rule if rule.tags != null }
6 |
7 | compliance_standard_tag = "compliance/cis-aws-foundations/1.2"
8 | logging_only_tag = "compliance/cis-aws-foundations/filters/logging-account-only"
9 | global_only_tag = "compliance/cis-aws-foundations/filters/global-resource-region-only"
10 | region_exclusion_tag = "region/excluded/${local.current_region}"
11 |
12 | tagged_rules = { for key, rule in local.rules_with_tags : key => rule if lookup(rule.tags, local.compliance_standard_tag, false) == true }
13 | logging_account_rules = { for key, rule in local.tagged_rules : key => rule if var.is_logging_account && lookup(rule.tags, local.logging_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false) }
14 | global_resource_rules = { for key, rule in local.tagged_rules : key => rule if var.is_global_resource_region && lookup(rule.tags, local.global_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false) }
15 | base_rules = { for key, rule in local.tagged_rules : key => rule if(!lookup(rule.tags, local.logging_only_tag, false) && !lookup(rule.tags, local.global_only_tag, false) && !lookup(rule.tags, local.region_exclusion_tag, false)) }
16 | all_rules = merge(local.base_rules, local.logging_account_rules, local.global_resource_rules)
17 |
18 | base_params = {
19 |
20 | "s3-bucket-logging-enabled" : {
21 | "targetBucket" : var.cloudtrail_bucket_name
22 | }
23 | "multi-region-cloudtrail-enabled" : {
24 | "s3BucketName" : var.cloudtrail_bucket_name
25 | }
26 | }
27 |
28 | global_resource_params = {
29 | "iam-policy-in-use" : {
30 | "policyARN" : var.support_policy_arn
31 | }
32 | }
33 |
34 | params = var.is_global_resource_region ? merge(local.base_params, local.global_resource_params) : local.base_params
35 |
36 | enabled_rules = { for key, rule in local.all_rules : key => {
37 | description = rule.description,
38 | identifier = rule.identifier,
39 | input_parameters = merge(rule.inputParameters, lookup(local.params, key, {}), lookup(var.parameter_overrides, key, {})),
40 | tags = rule.tags,
41 | enabled = rule.enabled,
42 | } if module.this.enabled }
43 | }
44 |
45 | module "aws_config_rules_yaml_config" {
46 | source = "cloudposse/config/yaml"
47 | version = "1.0.2"
48 |
49 | map_config_local_base_path = path.module
50 | map_config_paths = var.config_rules_paths
51 |
52 | context = module.this.context
53 | }
54 |
55 | data "aws_region" "current" {}
56 |
57 | module "utils" {
58 | source = "cloudposse/utils/aws"
59 | version = "1.0.0"
60 | }
61 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/variables.tf:
--------------------------------------------------------------------------------
1 | variable "support_policy_arn" {
2 | description = <<-DOC
3 | The ARN of the IAM Policy required for compliance with 1.20 of the Benchmark, which states:
4 |
5 | Ensure a support role has been created to manage incidents with AWS Support
6 |
7 | AWS provides a support center that can be used for incident notification and response, as well as technical support
8 | and customer services.
9 |
10 | Create an IAM role to allow authorized users to manage incidents with AWS Support. By implementing least privilege
11 | for access control, an IAM role will require an appropriate IAM policy to allow support center access in order to
12 | manage incidents with AWS Support.
13 | DOC
14 | type = string
15 | }
16 |
17 | variable "cloudtrail_bucket_name" {
18 | description = <<-DOC
19 | The name of the S3 bucket where CloudTrail logs are being sent. This is needed to comply with 2.6 of the Benchmark
20 | which states:
21 |
22 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
23 | DOC
24 | type = string
25 | }
26 |
27 | variable "config_rules_paths" {
28 | description = "Set of PATH'es to files with config rules"
29 | type = set(string)
30 | default = [
31 | "../../catalog/cloudtrail.yaml",
32 | "../../catalog/cmk.yaml",
33 | "../../catalog/iam.yaml",
34 | "../../catalog/network.yaml",
35 | "../../catalog/vpc.yaml",
36 | ]
37 | }
38 |
39 | variable "parameter_overrides" {
40 | type = map(map(string))
41 | description = <<-DOC
42 | Map of parameters for interpolation within the YAML config templates
43 |
44 | For example, to override the maxCredentialUsageAge parameter in the access-keys-rotated.yaml rule, you would specify
45 | the following:
46 |
47 | parameter_overrides = {
48 | "access-keys-rotated" : { maxCredentialUsageAge : "120" }
49 | }
50 | DOC
51 | default = {}
52 | }
53 |
54 | variable "is_logging_account" {
55 | description = <<-DOC
56 | Flag to indicate if this instance of AWS Config is being installed into a centralized logging account. If this flag
57 | is set to true, then the config rules associated with logging in the catalog (loggingAccountOnly: true) will be
58 | installed. If false, they will not be installed.
59 | installed.
60 | DOC
61 | type = bool
62 | default = false
63 | }
64 |
65 | variable "is_global_resource_region" {
66 | description = <<-DOC
67 | Flag to indicate if this instance of AWS Config is being installed to monitor global resources (such as IAM). In
68 | order to save money, you can disable the monitoring of global resources in all but region. If this flag is set to
69 | true, then the config rules associated with global resources in the catalog (globalResource: true) will be
70 | installed. If false, they will not be installed.
71 | DOC
72 | type = bool
73 | default = false
74 | }
75 |
--------------------------------------------------------------------------------
/catalog/elb.yaml:
--------------------------------------------------------------------------------
1 | elb-acm-certificate-required:
2 | identifier: ELB_ACM_CERTIFICATE_REQUIRED
3 | description: >-
4 | Checks whether the Classic Load Balancers use SSL certificates provided by AWS Certificate Manager. To use this
5 | rule, use an SSL or HTTPS listener with your Classic Load Balancer. This rule is only applicable to Classic Load
6 | Balancers. This rule does not check Application Load Balancers and Network Load Balancers.
7 | inputParameters: {}
8 | enabled: true
9 | tags:
10 | catalog/elb: true
11 |
12 | elb-cross-zone-load-balancing-enabled:
13 | identifier: ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED
14 | description: >-
15 | Checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This rule is NON_COMPLIANT if
16 | cross-zone load balancing is not enabled for a CLB.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/elb: true
21 |
22 | elb-custom-security-policy-ssl-check:
23 | identifier: ELB_CUSTOM_SECURITY_POLICY_SSL_CHECK
24 | description: >-
25 | Checks whether your Classic Load Balancer SSL listeners are using a custom policy. The rule is only applicable if
26 | there are SSL listeners for the Classic Load Balancer.
27 | inputParameters: sslProtocolsAndCiphers
28 | enabled: true
29 | tags:
30 | catalog/elb: true
31 |
32 | elb-deletion-protection-enabled:
33 | identifier: ELB_DELETION_PROTECTION_ENABLED
34 | description: >-
35 | Checks whether Elastic Load Balancing has deletion protection enabled. The rule is NON_COMPLIANT if
36 | deletion_protection.enabled is false.
37 | inputParameters: {}
38 | enabled: true
39 | tags:
40 | catalog/elb: true
41 |
42 | elb-logging-enabled:
43 | identifier: ELB_LOGGING_ENABLED
44 | description: >-
45 | Checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The rule is
46 | NON_COMPLIANT if the access_logs.s3.enabled is false or access_logs.S3.bucket is not equal to the s3BucketName that
47 | you provided.
48 | inputParameters:
49 | # The following parameters are optional:
50 | #
51 | # s3BucketNames: Comma-separated list of Amazon S3 bucket names for Elastic Load Balancing to deliver the log files.
52 | {}
53 | enabled: true
54 | tags:
55 | catalog/elb: true
56 |
57 | elb-predefined-security-policy-ssl-check:
58 | identifier: ELB_PREDEFINED_SECURITY_POLICY_SSL_CHECK
59 | description: >-
60 | Checks whether your Classic Load Balancer SSL listeners are using a predefined policy. The rule is only applicable
61 | if there are SSL listeners for the Classic Load Balancer.
62 | inputParameters:
63 | # The following parameters are required:
64 | #
65 | # predefinedPolicyName: Name of the predefined policy.
66 | predefinedPolicyName: ""
67 | enabled: true
68 | tags:
69 | catalog/elb: true
70 |
71 | elb-tls-https-listeners-only:
72 | identifier: ELB_TLS_HTTPS_LISTENERS_ONLY
73 | description: >-
74 | Checks whether your Classic Load Balancer is configured with SSL or HTTPS listeners. The rule is applicable if a
75 | Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the
76 | rule returns NOT_APPLICABLE. The rule is COMPLIANT if the Classic Load Balancer listeners is configured with SSL or
77 | HTTPS. The rule is NON_COMPLIANT if the listener is not configured with SSL or HTTPS.
78 | inputParameters: {}
79 | enabled: true
80 | tags:
81 | catalog/elb: true
82 |
--------------------------------------------------------------------------------
/catalog/cloudwatch.yaml:
--------------------------------------------------------------------------------
1 | cloudwatch-alarm-action-check:
2 | identifier: CLOUDWATCH_ALARM_ACTION_CHECK
3 | description: >-
4 | Checks whether CloudWatch alarms have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action
5 | enabled. Optionally, checks whether any of the actions matches one of the specified ARNs.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # action1: The action to execute, specified as an ARN.
10 | # action2: The action to execute, specified as an ARN.
11 | # action3: The action to execute, specified as an ARN.
12 | # action4: The action to execute, specified as an ARN.
13 | # action5: The action to execute, specified as an ARN.
14 | alarmActionRequired: "true"
15 | insufficientDataActionRequired: "true"
16 | okActionRequired: "false"
17 | enabled: true
18 | tags:
19 | catalog/cloudwatch: true
20 |
21 | cloudwatch-alarm-resource-check:
22 | identifier: CLOUDWATCH_ALARM_RESOURCE_CHECK
23 | description: >-
24 | Checks whether the specified resource type has a CloudWatch alarm for the specified metric. For resource type, you
25 | can specify EBS volumes, EC2 instances, RDS clusters, or S3 buckets.
26 | inputParameters:
27 | # The following parameters are required:
28 | #
29 | # resourceType:AWS resource type. The value can be one of the following:AWS::EC2::Volume, AWS::EC2::Instance,
30 | # AWS::EC2::Bucket
31 | # metricName: The name of the metric associated with the alarm (for example, "CPUUtilization" for EC2 instances).
32 | resourceType: ""
33 | metricName: ""
34 | enabled: true
35 | tags:
36 | catalog/cloudwatch: true
37 |
38 | cloudwatch-alarm-settings-check:
39 | identifier: CLOUDWATCH_ALARM_SETTINGS_CHECK
40 | description: >-
41 | Checks whether CloudWatch alarms with the given metric name have the specified settings.
42 | inputParameters:
43 | # The following parameters are required:
44 | #
45 | # metricName: The name for the metric associated with the alarm.
46 | # threshold: The value against which the specified statistic is compared.
47 | # evaluationPeriod: The number of periods in which data is compared to the specified threshold.
48 | # period: The period, in seconds, during which the specified statistic is applied.
49 | # comparisonOperator: The operation for comparing the specified statistic and threshold. For example,
50 | # "GreaterThanThreshold".
51 | # statistic: The statistic for the metric associated with the alarm (for example, "Average" or "Sum").
52 | {}
53 | enabled: true
54 | tags:
55 | catalog/cloudwatch: true
56 |
57 | cloudwatch-log-group-encrypted:
58 | identifier: CLOUDWATCH_LOG_GROUP_ENCRYPTED
59 | description: >-
60 | Checks whether a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed
61 | Customer Master Keys (CMK). The rule is NON_COMPLIANT if no AWS KMS CMK is configured on the log groups.
62 | inputParameters:
63 | # The following parameters are optional:
64 | #
65 | # KmsKeyId: Amazon Resource Name (ARN) of an AWS Key Management Service (KMS) key that is used to encrypt the
66 | # CloudWatch Logs log group.
67 | {}
68 | enabled: true
69 | tags:
70 | catalog/cloudwatch: true
71 |
72 | cw-loggroup-retention-period-check:
73 | identifier: CW_LOGGROUP_RETENTION_PERIOD_CHECK
74 | description: >-
75 | Checks whether Amazon CloudWatch LogGroup retention period is set to specific number of days. The rule is
76 | NON_COMPLIANT if the retention period is not set or is less than the configured retention period.
77 | inputParameters:
78 | # The following parameters are optional:
79 | #
80 | # LogGroupNames: A comma-separated list of Log Group names to check the retention period.
81 | # MinRetentionTime: Specify the retention time. Valid values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365,
82 | # 400, 545, 731, 1827, and 3653. The default retention period is 365 days.
83 | {}
84 | enabled: true
85 | tags:
86 | catalog/cloudwatch: true
87 |
--------------------------------------------------------------------------------
/catalog/dynamodb.yaml:
--------------------------------------------------------------------------------
1 | dynamodb-autoscaling-enabled:
2 | identifier: DYNAMODB_AUTOSCALING_ENABLED
3 | description: >-
4 | Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables and/or global secondary indexes.
5 | Optionally you can set the read and write capacity units for the table or global secondary index.
6 | inputParameters:
7 | # The following parameters are optional:
8 | #
9 | # minProvisionedReadCapacity: The minimum number of units that should be provisioned with read capacity in the
10 | # Auto Scaling group.
11 | # minProvisionedWriteCapacity: The minimum number of units that should be provisioned with write capacity in the
12 | # Auto Scaling group.
13 | # maxProvisionedReadCapacity: The maximum number of units that should be provisioned with read capacity in the
14 | # Auto Scaling group.
15 | # maxProvisionedWriteCapacity: The maximum number of units that should be provisioned with write capacity in the
16 | # Auto Scaling group.
17 | # targetReadUtilization: The target utilization percentage for read capacity. Target utilization is expressed
18 | # in terms of the ratio of consumed capacity to provisioned capacity.
19 | # targetWriteUtilization: The target utilization percentage for write capacity. Target utilization is
20 | # expressed in terms of the ratio of consumed capacity to provisioned capacity.
21 | {}
22 | enabled: true
23 | tags:
24 | catalog/dynamodb: true
25 |
26 | dynamodb-in-backup-plan:
27 | identifier: DYNAMODB_IN_BACKUP_PLAN
28 | description: >-
29 | Checks whether Amazon DynamoDB table is present in AWS Backup plans. The rule is NON_COMPLIANT if DynamoDB tables
30 | are not present in any AWS Backup plan.
31 | inputParameters: {}
32 | enabled: true
33 | tags:
34 | catalog/dynamodb: true
35 |
36 | dynamodb-pitr-enabled:
37 | identifier: DYNAMODB_PITR_ENABLED
38 | description: >-
39 | Checks that point in time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if point
40 | in time recovery is not enabled for Amazon DynamoDB tables.
41 | inputParameters: {}
42 | enabled: true
43 | tags:
44 | catalog/dynamodb: true
45 |
46 | dynamodb-table-encrypted-kms:
47 | identifier: DYNAMODB_TABLE_ENCRYPTED_KMS
48 | description: >-
49 | Checks whether Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT
50 | if DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypted AWS KMS key is not
51 | present in kmsKeyArns input parameter.
52 | inputParameters:
53 | # The following parameters are optional:
54 | #
55 | # kmsKeyArns: Comma separated list of AWS KMS Key ARN list.
56 | enabled: true
57 | tags:
58 | catalog/dynamodb: true
59 |
60 | dynamodb-table-encryption-enabled:
61 | identifier: DYNAMODB_TABLE_ENCRYPTION_ENABLED
62 | description: >-
63 | Checks whether the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status
64 | is enabled or enabling.
65 | inputParameters: {}
66 | enabled: true
67 | tags:
68 | catalog/dynamodb: true
69 |
70 | dynamodb-throughput-limit-check:
71 | identifier: DYNAMODB_THROUGHPUT_LIMIT_CHECK
72 | description: >-
73 | Checks whether provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the
74 | rule checks if provisioned throughput exceeds a threshold of 80% of your account limits.
75 | inputParameters:
76 | # The following parameters are optional:
77 | #
78 | # accountRCUThresholdPercentage: Percentage of provisioned read capacity units for your account. When this value is
79 | # reached, the rule is marked as NON_COMPLIANT.
80 | # accountWCUThresholdPercentage: Percentage of provisioned write capacity units for your account. When this value is
81 | # reached, the rule is marked as NON_COMPLIANT.
82 | {}
83 | enabled: true
84 | tags:
85 | catalog/dynamodb: true
86 |
87 | dax-encryption-enabled:
88 | identifier: DAX_ENCRYPTION_ENABLED
89 | description: >-
90 | Checks that DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not
91 | encrypted.
92 | inputParameters: {}
93 | enabled: true
94 | tags:
95 | catalog/dynamodb: true
96 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-config
8 |
9 | # Logo for this project
10 | #logo: docs/logo.png
11 |
12 | # License of this project
13 | license: "APACHE2"
14 |
15 | # Copyrights
16 | copyrights:
17 | - name: "Cloud Posse, LLC"
18 | url: "https://cloudposse.com"
19 | year: "2021"
20 |
21 | # Canonical GitHub repo
22 | github_repo: cloudposse/terraform-aws-config
23 |
24 | # Badges to display
25 | badges:
26 | - name: Latest Release
27 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-config.svg?style=for-the-badge
28 | url: https://github.com/cloudposse/terraform-aws-config/releases/latest
29 | - name: Last Updated
30 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-config.svg?style=for-the-badge
31 | url: https://github.com/cloudposse/terraform-aws-config/commits
32 | - name: Slack Community
33 | image: https://slack.cloudposse.com/for-the-badge.svg
34 | url: https://cloudposse.com/slack
35 |
36 | # List any related terraform modules that this module may be used with or that this module depends on.
37 | related:
38 | - name: "terraform-null-label"
39 | description: "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention."
40 | url: "https://github.com/cloudposse/terraform-null-label"
41 | - name: "terraform-aws-config-storage"
42 | description: "Terraform module that creates an S3 bucket suitable for storing AWS Config data."
43 | url: "https://github.com/cloudposse/terraform-aws-config-storage"
44 | - name: "terraform-aws-guardduty"
45 | description: "Terraform module that enables and configures AWS GuardDuty."
46 | url: "https://github.com/cloudposse/terraform-aws-guardduty"
47 | - name: "terraform-aws-security-hub"
48 | description: "Terraform module that enables and configures AWS Security Hub."
49 | url: "https://github.com/cloudposse/terraform-aws-security-hub"
50 |
51 | # List any resources helpful for someone to get started. For example, link to the hashicorp documentation or AWS documentation.
52 | references:
53 | - name: "List of AWS Config Managed Rules"
54 | description: "A list of rules AWS Config currently supports in the analytics; compute; cryptography and PKI; database; machine learning; management and governance; migration and transfer; network and content delivery; security; identity and compliance; and storage categories."
55 | url: "https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html"
56 |
57 | # Short description of this project
58 | description: |-
59 | This module enables [AWS Config](https://aws.amazon.com/config/) and optionally sets up an SNS topic to receive notifications of its findings.
60 |
61 | # Introduction to the project
62 | #introduction: |-
63 | # This is an introduction.
64 |
65 | # How to use this module. Should be an easy example to copy and paste.
66 | usage: |-
67 | For a complete example, see [examples/complete](examples/complete).
68 |
69 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
70 | (which tests and deploys the example on AWS), see [test](test).
71 |
72 | ```hcl
73 | module "example" {
74 | source = "cloudposse/config/aws"
75 | # Cloud Posse recommends pinning every module to a specific version
76 | # version = "x.x.x"
77 |
78 | create_sns_topic = true
79 | create_iam_role = true
80 |
81 | managed_rules = {
82 | account-part-of-organizations = {
83 | description = "Checks whether AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId.",
84 | identifier = "ACCOUNT_PART_OF_ORGANIZATIONS",
85 | trigger_type = "PERIODIC"
86 | enabled = true
87 | }
88 | }
89 | }
90 | ```
91 |
92 | # Example usage
93 | examples: |-
94 | Here is an example of using this module:
95 | - [`examples/complete`](https://github.com/cloudposse/terraform-aws-config/) - complete example of using this module
96 |
97 | # How to get started quickly
98 | #quickstart: |-
99 | # Here's how to get started...
100 |
101 | # Other files to include in this README from the project folder
102 | include: []
103 | contributors: []
104 |
--------------------------------------------------------------------------------
/catalog/rds.yaml:
--------------------------------------------------------------------------------
1 | rds-cluster-deletion-protection-enabled:
2 | identifier: RDS_CLUSTER_DELETION_PROTECTION_ENABLED
3 | description: >-
4 | Checks if an Amazon Relational Database Service (Amazon RDS) cluster has deletion protection enabled. This rule is
5 | NON_COMPLIANT if an RDS cluster does not have deletion protection enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/rds: true
10 |
11 | rds-enhanced-monitoring-enabled:
12 | identifier: RDS_ENHANCED_MONITORING_ENABLED
13 | description: >-
14 | Checks whether enhanced monitoring is enabled for Amazon Relational Database Service (Amazon RDS) instances.
15 | inputParameters:
16 | # The following parameters are optional:
17 | #
18 | # monitoringInterval: An integer value in seconds between points when enhanced monitoring metrics are collected for
19 | # the database instance. The valid values are 1, 5, 10, 15, 30, and 60.
20 | enabled: true
21 | tags:
22 | catalog/rds: true
23 |
24 | rds-in-backup-plan:
25 | identifier: RDS_IN_BACKUP_PLAN
26 | description: >-
27 | Checks whether Amazon RDS database is present in back plans of AWS Backup. The rule is NON_COMPLIANT if Amazon RDS
28 | databases are not included in any AWS Backup plan.
29 | inputParameters: {}
30 | enabled: true
31 | tags:
32 | catalog/rds: true
33 |
34 | rds-instance-deletion-protection-enabled:
35 | identifier: RDS_INSTANCE_DELETION_PROTECTION_ENABLED
36 | description: >-
37 | Checks if an Amazon Relational Database Service (Amazon RDS) instance has deletion protection enabled. This rule is
38 | NON_COMPLIANT if an Amazon RDS instance does not have deletion protection enabled i.e deletionProtection is set to
39 | false.
40 | inputParameters: {}
41 | enabled: true
42 | tags:
43 | catalog/rds: true
44 |
45 | rds-instance-iam-authentication-enabled:
46 | identifier: RDS_INSTANCE_IAM_AUTHENTICATION_ENABLED
47 | description: >-
48 | Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM)
49 | authentication enabled. This rule is NON_COMPLIANT if an Amazon RDS instance does not have AWS IAM authentication
50 | enabled i.e configuration.iAMDatabaseAuthenticationEnabled is set to false.
51 | inputParameters: {}
52 | enabled: true
53 | tags:
54 | catalog/rds: true
55 |
56 | rds-instance-public-access-check:
57 | identifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK
58 | description: >-
59 | Check whether the Amazon Relational Database Service instances are not publicly accessible. The rule is
60 | NON_COMPLIANT if the publiclyAccessible field is true in the instance configuration item.
61 | inputParameters: {}
62 | enabled: true
63 | tags:
64 | catalog/rds: true
65 |
66 | rds-logging-enabled:
67 | identifier: RDS_LOGGING_ENABLED
68 | description: >-
69 | Checks that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled. The rule is
70 | NON_COMPLIANT if any log types are not enabled.
71 | inputParameters: additionalLogs (Optional)
72 | enabled: true
73 | tags:
74 | catalog/rds: true
75 |
76 | rds-multi-az-support:
77 | identifier: RDS_MULTI_AZ_SUPPORT
78 | description: >-
79 | Checks whether high availability is enabled for your RDS DB instances.
80 | inputParameters: {}
81 | enabled: true
82 | tags:
83 | catalog/rds: true
84 |
85 | rds-snapshot-encrypted:
86 | identifier: RDS_SNAPSHOT_ENCRYPTED
87 | description: >-
88 | Checks whether Amazon Relational Database Service (Amazon RDS) DB snapshots are encrypted. The rule is
89 | NON_COMPLIANT, if Amazon RDS DB snapshots are not encrypted.
90 | inputParameters: {}
91 | enabled: true
92 | tags:
93 | catalog/rds: true
94 |
95 | rds-snapshots-public-prohibited:
96 | identifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED
97 | description: >-
98 | Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is NON_COMPLIANT if any
99 | existing and new Amazon RDS snapshots are public.
100 | inputParameters: {}
101 | enabled: true
102 | tags:
103 | catalog/rds: true
104 |
105 | rds-storage-encrypted:
106 | identifier: RDS_STORAGE_ENCRYPTED
107 | description: >-
108 | Checks whether storage encryption is enabled for your RDS DB instances.
109 | inputParameters:
110 | # The following parameters are required:
111 | #
112 | # kmsKeyId: KMS key ID or ARN used to encrypt the storage.
113 | kmsKeyId: ""
114 | enabled: true
115 | tags:
116 | catalog/rds: true
117 |
118 | db-instance-backup-enabled:
119 | identifier: DB_INSTANCE_BACKUP_ENABLED
120 | description: >-
121 | Checks whether RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and
122 | the backup window.
123 | inputParameters:
124 | # The following parameters are optional:
125 | #
126 | # backupRetentionPeriod: Retention period for backups.
127 | # preferredBackupWindow: Time range in which backups are created.
128 | # checkReadReplicas: Checks whether RDS DB instances have backups enabled for read replicas.
129 | enabled: true
130 | tags:
131 | catalog/rds: true
132 |
--------------------------------------------------------------------------------
/catalog/cloudtrail.yaml:
--------------------------------------------------------------------------------
1 | cloud-trail-cloud-watch-logs-enabled:
2 | identifier: CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED
3 | description: >-
4 | Checks whether AWS CloudTrail trails are configured to send logs to Amazon CloudWatch Logs. The trail is
5 | NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/cloudtrail: true
10 | compliance/cis-aws-foundations/1.2: true
11 | compliance/cis-aws-foundations/1.2/controls: 2.4
12 |
13 | cloud-trail-encryption-enabled:
14 | identifier: CLOUD_TRAIL_ENCRYPTION_ENABLED
15 | description: >-
16 | Checks whether AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS
17 | KMS) customer master key (CMK) encryption. The rule is COMPLIANT if the KmsKeyId is defined.
18 | inputParameters: {}
19 | enabled: true
20 | tags:
21 | catalog/cloudtrail: true
22 | compliance/cis-aws-foundations/1.2: true
23 | compliance/cis-aws-foundations/filters/logging-account-only: true
24 | compliance/cis-aws-foundations/1.2/controls: 2.7
25 |
26 | cloud-trail-log-file-validation-enabled:
27 | identifier: CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED
28 | description: >-
29 | Checks whether AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must
30 | be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled.
31 | inputParameters: {}
32 | enabled: true
33 | tags:
34 | catalog/cloudtrail: true
35 | compliance/cis-aws-foundations/1.2: true
36 | compliance/cis-aws-foundations/1.2/controls: 2.2
37 |
38 | multi-region-cloudtrail-enabled:
39 | identifier: MULTI_REGION_CLOUD_TRAIL_ENABLED
40 | description: >-
41 | Checks that there is at least one multi-region AWS CloudTrail. The rule is NON_COMPLIANT if the trails do not match
42 | inputs parameters.
43 | inputParameters:
44 | # The following parameters are optional:
45 | #
46 | # s3BucketName: Name of Amazon S3 bucket for AWS CloudTrail to deliver log files to.
47 | # snsTopicArn: Amazon SNS topic ARN for AWS CloudTrail to use for notifications.
48 | # cloudWatchLogsLogGroupArn: Amazon CloudWatch log group ARN for AWS CloudTrail to send data to.
49 | # includeManagementEvents: Event selector to include management events for the AWS CloudTrail.
50 | # readWriteType: ReadOnly, WriteOnly or ALL
51 | {}
52 | enabled: true
53 | tags:
54 | catalog/cloudtrail: true
55 | compliance/cis-aws-foundations/1.2: true
56 | compliance/cis-aws-foundations/1.2/controls: 2.1
57 |
58 | s3-bucket-public-read-prohibited:
59 | identifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
60 | description: >-
61 | Checks that your Amazon S3 buckets do not allow public read access. The rule checks the Block Public Access
62 | settings, the bucket policy, and the bucket access control list (ACL).
63 | inputParameters: {}
64 | enabled: true
65 | tags:
66 | catalog/cloudtrail: true
67 | compliance/cis-aws-foundations/1.2: true
68 | compliance/cis-aws-foundations/1.2/controls: 2.3
69 |
70 | s3-bucket-public-write-prohibited:
71 | identifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
72 | description: >-
73 | Checks that your Amazon S3 buckets do not allow public write access. The rule checks the Block Public Access
74 | settings, the bucket policy, and the bucket access control list (ACL).
75 | inputParameters: {}
76 | enabled: true
77 | tags:
78 | catalog/cloudtrail: true
79 | compliance/cis-aws-foundations/1.2: true
80 | compliance/cis-aws-foundations/1.2/controls: 2.3
81 |
82 | cloudtrail-enabled:
83 | identifier: CLOUD_TRAIL_ENABLED
84 | description: >-
85 | Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS
86 | topic, and Amazon CloudWatch Logs ARN to use.
87 | inputParameters:
88 | # The following parameters are optional:
89 | #
90 | # s3BucketName: The name of the S3 bucket for AWS CloudTrail to deliver log files to.
91 | # snsTopicArn: The ARN of the SNS topic for AWS CloudTrail to use for notifications.
92 | # cloudWatchLogsLogGroupArn: The ARN of the Amazon CloudWatch log group for AWS CloudTrail to send data to.
93 | enabled: true
94 | tags:
95 | catalog/cloudtrail: true
96 |
97 | cloudtrail-s3-dataevents-enabled:
98 | identifier: CLOUDTRAIL_S3_DATAEVENTS_ENABLED
99 | description: >-
100 | Checks whether at least one AWS CloudTrail trail is logging Amazon S3 data events for all S3 buckets.The rule is
101 | NON_COMPLIANT if trails that log data events for S3 buckets are not configured.
102 | inputParameters:
103 | # The following parameters are optional:
104 | #
105 | # S3BucketNames: Comma-separated list of S3 bucket names for which data events logging should be enabled. Default
106 | # behavior checks for all S3 buckets.
107 | enabled: true
108 | tags:
109 | catalog/cloudtrail: true
110 |
111 | cloudtrail-security-trail-enabled:
112 | identifier: CLOUDTRAIL_SECURITY_TRAIL_ENABLED
113 | description: >-
114 | Checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT
115 | if there is at least one trail that meets all of the following
116 | inputParameters: {}
117 | enabled: true
118 | tags:
119 | catalog/cloudtrail: true
120 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "s3_bucket_id" {
2 | description = "The id (name) of the S3 bucket used to store the configuration history"
3 | type = string
4 | }
5 |
6 | variable "s3_bucket_arn" {
7 | description = "The ARN of the S3 bucket used to store the configuration history"
8 | type = string
9 | }
10 |
11 | variable "create_sns_topic" {
12 | description = <<-DOC
13 | Flag to indicate whether an SNS topic should be created for notifications
14 | If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers
15 | DOC
16 |
17 | type = bool
18 | default = false
19 | }
20 |
21 | variable "sns_encryption_key_id" {
22 | description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK."
23 | type = string
24 | default = "" # Use "alias/aws/sns" for AWS Managed Key
25 | }
26 |
27 | variable "sqs_queue_kms_master_key_id" {
28 | type = string
29 | description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS Queue or a custom CMK"
30 | default = "" # Use "alias/aws/sqs" for AWS Managed Key
31 | }
32 |
33 | variable "subscribers" {
34 | type = map(any)
35 | description = <<-DOC
36 | A map of subscription configurations for SNS topics
37 |
38 | For more information, see:
39 | https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference
40 |
41 | protocol:
42 | The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially
43 | supported, see link) (email is an option but is unsupported in terraform, see link).
44 | endpoint:
45 | The endpoint to send data to, the contents will vary with the protocol. (see link for more information)
46 | endpoint_auto_confirms (Optional):
47 | Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is
48 | false
49 | raw_message_delivery (Optional):
50 | Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false.
51 | DOC
52 | default = {}
53 | }
54 |
55 | variable "findings_notification_arn" {
56 | description = <<-DOC
57 | The ARN for an SNS topic to send findings notifications to. This is only used if create_sns_topic is false.
58 | If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set
59 | create_sns_topic to false.
60 | DOC
61 | default = null
62 | type = string
63 | }
64 |
65 | variable "create_iam_role" {
66 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
67 | type = bool
68 | default = false
69 | }
70 |
71 | variable "create_organization_aggregator_iam_role" {
72 | description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config to send logs from organization accounts"
73 | type = bool
74 | default = false
75 | }
76 |
77 | variable "iam_role_arn" {
78 | description = <<-DOC
79 | The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
80 | AWS resources associated with the account. This is only used if create_iam_role is false.
81 |
82 | If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set
83 | create_iam_role to false.
84 |
85 | See the AWS Docs for further information:
86 | http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
87 | DOC
88 | default = null
89 | type = string
90 | }
91 |
92 | variable "iam_role_organization_aggregator_arn" {
93 | description = <<-DOC
94 | The ARN for an IAM Role that AWS Config uses for the organization aggregator that fetches AWS config data from AWS accounts.
95 | This is only used if create_organization_aggregator_iam_role is false.
96 |
97 | If you want to use an existing IAM Role, set the value of this to the ARN of the existing role and set
98 | create_organization_aggregator_iam_role to false.
99 |
100 | See the AWS docs for further information:
101 | http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
102 | DOC
103 | default = null
104 | type = string
105 | }
106 |
107 | variable "global_resource_collector_region" {
108 | description = "The region that collects AWS Config data for global resources such as IAM"
109 | type = string
110 | }
111 |
112 | variable "central_resource_collector_account" {
113 | description = "The account ID of a central account that will aggregate AWS Config from other accounts"
114 | type = string
115 | default = null
116 | }
117 |
118 | variable "child_resource_collector_accounts" {
119 | description = "The account IDs of other accounts that will send their AWS Configuration to this account"
120 | type = set(string)
121 | default = null
122 | }
123 |
124 | variable "force_destroy" {
125 | type = bool
126 | description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
127 | default = false
128 | }
129 |
130 | variable "managed_rules" {
131 | description = <<-DOC
132 | A list of AWS Managed Rules that should be enabled on the account.
133 |
134 | See the following for a list of possible rules to enable:
135 | https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
136 | DOC
137 | type = map(object({
138 | description = string
139 | identifier = string
140 | input_parameters = any
141 | tags = map(string)
142 | enabled = bool
143 | }))
144 | default = {}
145 | }
146 |
147 | variable "recording_mode" {
148 | description = <<-DOC
149 | The mode for AWS Config to record configuration changes.
150 |
151 | recording_frequency:
152 | The frequency with which AWS Config records configuration changes (service defaults to CONTINUOUS).
153 | - CONTINUOUS
154 | - DAILY
155 |
156 | You can also override the recording frequency for specific resource types.
157 | recording_mode_override:
158 | description:
159 | A description for the override.
160 | recording_frequency:
161 | The frequency with which AWS Config records configuration changes for the specified resource types.
162 | - CONTINUOUS
163 | - DAILY
164 | resource_types:
165 | A list of resource types for which AWS Config records configuration changes. For example, AWS::EC2::Instance.
166 |
167 | See the following for more information:
168 | https://docs.aws.amazon.com/config/latest/developerguide/stop-start-recorder.html
169 |
170 | /*
171 | recording_mode = {
172 | recording_frequency = "DAILY"
173 | recording_mode_override = {
174 | description = "Override for specific resource types"
175 | recording_frequency = "CONTINUOUS"
176 | resource_types = ["AWS::EC2::Instance"]
177 | }
178 | }
179 | */
180 | DOC
181 | type = object({
182 | recording_frequency = string
183 | recording_mode_override = optional(object({
184 | description = string
185 | recording_frequency = string
186 | resource_types = list(string)
187 | }))
188 | })
189 | default = null
190 | }
191 |
192 | variable "s3_key_prefix" {
193 | type = string
194 | description = <<-DOC
195 | The prefix for AWS Config objects stored in the the S3 bucket. If this variable is set to null, the default, no
196 | prefix will be used.
197 |
198 | Examples:
199 |
200 | with prefix: {S3_BUCKET NAME}:/{S3_KEY_PREFIX}/AWSLogs/{ACCOUNT_ID}/Config/*.
201 | without prefix: {S3_BUCKET NAME}:/AWSLogs/{ACCOUNT_ID}/Config/*.
202 | DOC
203 | default = null
204 | }
205 |
206 | // Config aggregation isn't enabled for ap-northeast-3, maybe others in the future
207 | // https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
208 | variable "disabled_aggregation_regions" {
209 | type = list(string)
210 | description = "A list of regions where config aggregation is disabled"
211 | default = ["ap-northeast-3"]
212 | }
213 |
214 | variable "is_organization_aggregator" {
215 | type = bool
216 | default = false
217 | description = "The aggregator is an AWS Organizations aggregator"
218 | }
219 |
220 | variable "allowed_aws_services_for_sns_published" {
221 | type = list(string)
222 | description = "AWS services that will have permission to publish to SNS topic. Used when no external JSON policy is used"
223 | default = []
224 | }
225 |
226 | variable "allowed_iam_arns_for_sns_publish" {
227 | type = list(string)
228 | description = "IAM role/user ARNs that will have permission to publish to SNS topic. Used when no external json policy is used."
229 | default = []
230 | }
--------------------------------------------------------------------------------
/catalog/ec2.yaml:
--------------------------------------------------------------------------------
1 | ec2-ebs-encryption-by-default:
2 | identifier: EC2_EBS_ENCRYPTION_BY_DEFAULT
3 | description: >-
4 | Check that Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the
5 | encryption is not enabled.
6 | inputParameters: {}
7 | enabled: true
8 | tags:
9 | catalog/ec2: true
10 |
11 | ec2-imdsv2-check:
12 | identifier: EC2_IMDSV2_CHECK
13 | description: >-
14 | Checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance
15 | Metadata Service Version 2 (IMDSv2). The rule is COMPLIANT if the HttpTokens is set to required and is NON_COMPLIANT
16 | if the HttpTokens is set to optional.
17 | inputParameters: {}
18 | enabled: true
19 | tags:
20 | catalog/ec2: true
21 |
22 | ec2-instance-detailed-monitoring-enabled:
23 | identifier: EC2_INSTANCE_DETAILED_MONITORING_ENABLED
24 | description: >-
25 | Checks whether detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is
26 | not enabled.
27 | inputParameters: {}
28 | enabled: true
29 | tags:
30 | catalog/ec2: true
31 |
32 | ec2-instance-managed-by-systems-manager:
33 | identifier: EC2_INSTANCE_MANAGED_BY_SSM
34 | description: >-
35 | Checks whether the Amazon EC2 instances in your account are managed by AWS Systems Manager.
36 | inputParameters: {}
37 | enabled: true
38 | tags:
39 | catalog/ec2: true
40 |
41 | ec2-instance-no-public-ip:
42 | identifier: EC2_INSTANCE_NO_PUBLIC_IP
43 | description: >-
44 | Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. The rule is
45 | NON_COMPLIANT if the publicIp field is present in the Amazon EC2 instance configuration item. This rule applies only
46 | to IPv4.
47 | inputParameters: {}
48 | enabled: true
49 | tags:
50 | catalog/ec2: true
51 |
52 | ec2-instances-in-vpc:
53 | identifier: INSTANCES_IN_VPC
54 | description: >-
55 | Checks whether your EC2 instances belong to a virtual private cloud (VPC). Optionally, you can specify the VPC ID to
56 | associate with your instances.
57 | inputParameters:
58 | # The following parameters are optional:
59 | #
60 | # vpcId: The ID of the VPC that contains these instances.
61 | enabled: true
62 | tags:
63 | catalog/ec2: true
64 |
65 | ec2-managedinstance-applications-blacklisted:
66 | identifier: EC2_MANAGEDINSTANCE_APPLICATIONS_BLACKLISTED
67 | description: >-
68 | Checks that none of the specified applications are installed on the instance. Optionally, specify the application
69 | version. Newer versions of the application will not be blacklisted. You can also specify the platform to apply the
70 | rule only to instances running that platform.
71 | inputParameters:
72 | # The following parameters are required:
73 | #
74 | # applicationNames: Comma-separated list of application names. Optionally, specify versions appended with ":", for
75 | # example, "Chrome:0.5.3, FireFox"). Note The application names must be an exact match. For
76 | # example, use firefox on Linux or firefox-compat on Amazon Linux. In addition, AWS Config does
77 | # not currently support wildcards for the applicationNames parameter (for example, firefox*).
78 | #
79 | # The following parameters are optional:
80 | #
81 | # platformType: The platform type (for example, "Linux" or "Windows").
82 | {}
83 | enabled: true
84 | tags:
85 | catalog/ec2: true
86 |
87 | ec2-managedinstance-applications-required:
88 | identifier: EC2_MANAGEDINSTANCE_APPLICATIONS_REQUIRED
89 | description: >-
90 | Checks whether all of the specified applications are installed on the instance. Optionally, specify the minimum
91 | acceptable version. You can also specify the platform to apply the rule only to instances running that platform.
92 | inputParameters:
93 | # The following parameters are required:
94 | #
95 | # applicationNames: Comma-separated list of application names. Optionally, specify versions appended with ":", for
96 | # example, "Chrome:0.5.3, FireFox"). Note The application names must be an exact match. For
97 | # example, use firefox on Linux or firefox-compat on Amazon Linux. In addition, AWS Config does
98 | # not currently support wildcards for the applicationNames parameter (for example, firefox*).
99 | #
100 | # The following parameters are optional:
101 | #
102 | # platformType: The platform type (for example, "Linux" or "Windows").
103 | {}
104 | enabled: true
105 | tags:
106 | catalog/ec2: true
107 |
108 | ec2-managedinstance-association-compliance-status-check:
109 | identifier: EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK
110 | description: >-
111 | Checks whether the compliance status of AWS Systems Manager association compliance is COMPLIANT or NON_COMPLIANT
112 | after the association execution on the instance. The rule is COMPLIANT if the field status is COMPLIANT.
113 | inputParameters: {}
114 | enabled: true
115 | tags:
116 | catalog/ec2: true
117 |
118 | ec2-managedinstance-inventory-blacklisted:
119 | identifier: EC2_MANAGEDINSTANCE_INVENTORY_BLACKLISTED
120 | description: >-
121 | Checks whether instances managed by AWS Systems Manager are configured to collect blacklisted inventory types.
122 | inputParameters: inventoryNames
123 | enabled: true
124 | tags:
125 | catalog/ec2: true
126 |
127 | ec2-managedinstance-patch-compliance-status-check:
128 | identifier: EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK
129 | description: >-
130 | Checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or
131 | NON_COMPLIANT after the patch installation on the instance. The rule is COMPLIANT if the field status is COMPLIANT.
132 | inputParameters: {}
133 | enabled: true
134 | tags:
135 | catalog/ec2: true
136 |
137 | ec2-managedinstance-platform-check:
138 | identifier: EC2_MANAGEDINSTANCE_PLATFORM_CHECK
139 | description: >-
140 | Checks whether EC2 managed instances have the desired configurations.
141 | inputParameters: agentVersion
142 | enabled: true
143 | tags:
144 | catalog/ec2: true
145 |
146 | ec2-security-group-attached-to-eni:
147 | identifier: EC2_SECURITY_GROUP_ATTACHED_TO_ENI
148 | description: >-
149 | Checks that Amazon Elastic Compute Cloud (Amazon EC2) instances use security groups that are attached to an elastic
150 | network interface. The rule returns NON_COMPLIANT if a security group is not associated with an elastic network
151 | interface.
152 | inputParameters: {}
153 | enabled: true
154 | tags:
155 | catalog/ec2: true
156 |
157 | ec2-stopped-instance:
158 | identifier: EC2_STOPPED_INSTANCE
159 | description: >-
160 | Checks whether there are instances stopped for more than the allowed number of days. The instance is NON_COMPLIANT
161 | if the state of the ec2 instance has been stopped for longer than the allowed number of days.
162 | inputParameters:
163 | # The following parameters are optional:
164 | #
165 | # AllowedDays: The number of days an ec2 instance can be stopped before it is NON_COMPLIANT. The default number of
166 | # days is 30.
167 | {}
168 | enabled: true
169 | tags:
170 | catalog/ec2: true
171 |
172 | ec2-volume-inuse-check:
173 | identifier: EC2_VOLUME_INUSE_CHECK
174 | description: >-
175 | Checks whether EBS volumes are attached to EC2 instances. Optionally checks if EBS volumes are marked for deletion
176 | when an instance is terminated.
177 | inputParameters:
178 | # The following parameters are optional:
179 | #
180 | # deleteOnTermination: EBS volumes are marked for deletion when an instance is terminated.
181 | {}
182 | enabled: true
183 | tags:
184 | catalog/ec2: true
185 |
186 | desired-instance-tenancy:
187 | identifier: DESIRED_INSTANCE_TENANCY
188 | description: >-
189 | Checks instances for specified tenancy. Specify AMI IDs to check instances that are launched from those AMIs or
190 | specify host IDs to check whether instances are launched on those Dedicated Hosts. Separate multiple ID values with
191 | commas.
192 | inputParameters:
193 | # The following parameters are required:
194 | #
195 | # tenancy: The desired tenancy of the instances. Valid values are DEDICATED, HOST, and DEFAULT.
196 | #
197 | # The following parameters are optional:
198 | #
199 | # imageId: The rule evaluates instances launched only from the AMI with the specified ID. Separate multiple AMI IDs
200 | # with commas.
201 | # hostId: The ID of the Amazon EC2 Dedicated Host on which the instances are meant to be launched. Separate
202 | # multiple host IDs with commas.
203 | tenancy; "DEFAULT"
204 | enabled: true
205 | tags:
206 | catalog/ec2: true
207 |
208 | desired-instance-type:
209 | identifier: DESIRED_INSTANCE_TYPE
210 | description: >-
211 | Checks whether your EC2 instances are of the specified instance types.
212 | inputParameters:
213 | # The following parameters are optional:
214 | #
215 | # instanceType: Comma-separated list of EC2 instance types (for example, "t2.small, m4.large, i2.xlarge").
216 | enabled: true
217 | tags:
218 | catalog/ec2: true
219 |
220 | encrypted-volumes:
221 | identifier: ENCRYPTED_VOLUMES
222 | description: >-
223 | Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for
224 | encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with
225 | that KMS key.
226 | inputParameters:
227 | # The following parameters are required:
228 | #
229 | # kmsId: ID or ARN of the KMS key that is used to encrypt the volume.
230 | kmsId: ""
231 | enabled: true
232 | tags:
233 | catalog/ec2: true
234 |
--------------------------------------------------------------------------------
/catalog/iam.yaml:
--------------------------------------------------------------------------------
1 | access-keys-rotated:
2 | identifier: ACCESS_KEYS_ROTATED
3 | description: >-
4 | Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule
5 | is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.
6 | inputParameters:
7 | maxAccessKeyAge: "90"
8 | enabled: true
9 | tags:
10 | catalog/iam: true
11 | compliance/cis-aws-foundations/1.2: true
12 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
13 | compliance/cis-aws-foundations/1.2/controls: 1.4
14 |
15 | iam-password-policy:
16 | identifier: IAM_PASSWORD_POLICY
17 | description: >-
18 | Checks whether the account password policy for IAM users meets the specified requirements indicated in the
19 | parameters. This rule is NON_COMPLIANT if the account password policy does not meet the specified requirements.
20 | inputParameters:
21 | RequireUppercaseCharacters: "true"
22 | RequireLowercaseCharacters: "true"
23 | RequireSymbols: "true"
24 | RequireNumbers: "true"
25 | MinimumPasswordLength: "14"
26 | PasswordReusePrevention: "24"
27 | MaxPasswordAge: "90"
28 | enabled: true
29 | tags:
30 | catalog/iam: true
31 | compliance/cis-aws-foundations/1.2: true
32 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
33 | compliance/cis-aws-foundations/1.2/controls: 1.5 1.6 1.7 1.8 1.9 1.10 1.11
34 |
35 | iam-policy-in-use:
36 | identifier: IAM_POLICY_IN_USE
37 | description: >-
38 | Checks whether the IAM policy ARN is attached to an IAM user, or an IAM group with one or more IAM users, or an IAM
39 | role with one or more trusted entity.
40 | inputParameters:
41 | policyARN: "MANDATORY"
42 | policyUsageType: "ANY"
43 | enabled: true
44 | tags:
45 | catalog/iam: true
46 | compliance/cis-aws-foundations/1.2: true
47 | compliance/cis-aws-foundations/1.2/controls: 1.20
48 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
49 |
50 | iam-policy-no-statements-with-admin-access:
51 | identifier: IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS
52 | description: >-
53 | Checks the IAM policies that you create for Allow statements that grant permissions to all actions on all resources.
54 | The rule is NON_COMPLIANT if any policy statement includes "Effect": "Allow" with "Action": "*" over "Resource":
55 | "*".
56 | inputParameters: {}
57 | enabled: true
58 | tags:
59 | catalog/iam: true
60 | compliance/cis-aws-foundations/1.2: true
61 | compliance/cis-aws-foundations/1.2/controls: 1.22
62 |
63 | iam-root-access-key-check:
64 | identifier: IAM_ROOT_ACCESS_KEY_CHECK
65 | description: >-
66 | Checks whether the root user access key is available. The rule is COMPLIANT if the user access key does not exist.
67 | inputParameters: {}
68 | enabled: true
69 | tags:
70 | catalog/iam: true
71 | compliance/cis-aws-foundations/1.2: true
72 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
73 | compliance/cis-aws-foundations/1.2/controls: 1.12
74 |
75 | iam-user-no-policies-check:
76 | identifier: IAM_USER_NO_POLICIES_CHECK
77 | description: >-
78 | Checks that none of your IAM users have policies attached. IAM users must inherit permissions from IAM groups or
79 | roles.
80 | inputParameters: {}
81 | enabled: true
82 | tags:
83 | catalog/iam: true
84 | compliance/cis-aws-foundations/1.2: true
85 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
86 | compliance/cis-aws-foundations/1.2/controls: 1.16
87 |
88 | iam-user-unused-credentials-check:
89 | identifier: IAM_USER_UNUSED_CREDENTIALS_CHECK
90 | description: >-
91 | Checks whether your AWS Identity and Access Management (IAM) users have passwords or active access keys that have
92 | not been used within the specified number of days you provided.
93 | inputParameters:
94 | maxCredentialUsageAge: "90"
95 | enabled: true
96 | tags:
97 | catalog/iam: true
98 | compliance/cis-aws-foundations/1.2: true
99 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
100 | compliance/cis-aws-foundations/1.2/controls: 1.3
101 |
102 | mfa-enabled-for-iam-console-access:
103 | identifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
104 | description: >-
105 | Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM)
106 | users that use a console password. The rule is COMPLIANT if MFA is enabled.
107 | inputParameters: {}
108 | enabled: true
109 | tags:
110 | catalog/iam: true
111 | compliance/cis-aws-foundations/1.2: true
112 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
113 | compliance/cis-aws-foundations/1.2/controls: 1.2
114 |
115 | root-account-hardware-mfa-enabled:
116 | identifier: ROOT_ACCOUNT_HARDWARE_MFA_ENABLED
117 | description: >-
118 | Checks whether your AWS account is enabled to use multi-factor authentication (MFA) hardware device to sign in with
119 | root credentials. The rule is NON_COMPLIANT if any virtual MFA devices are permitted for signing in with root
120 | credentials.
121 | inputParameters: {}
122 | enabled: true
123 | tags:
124 | catalog/iam: true
125 | compliance/cis-aws-foundations/1.2: true
126 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
127 | compliance/cis-aws-foundations/1.2/controls: 1.14
128 |
129 | root-account-mfa-enabled:
130 | identifier: ROOT_ACCOUNT_MFA_ENABLED
131 | description: >-
132 | Checks whether users of your AWS account require a multi-factor authentication (MFA) device to sign in with root
133 | credentials.
134 | inputParameters: {}
135 | enabled: true
136 | tags:
137 | catalog/iam: true
138 | compliance/cis-aws-foundations/1.2: true
139 | compliance/cis-aws-foundations/filters/global-resource-region-only: true
140 | compliance/cis-aws-foundations/1.2/controls: 1.13
141 |
142 | iam-customer-policy-blocked-kms-actions:
143 | identifier: IAM_CUSTOMER_POLICY_BLOCKED_KMS_ACTIONS
144 | description: >-
145 | Checks that the managed AWS Identity and Access Management policies that you create do not allow blocked actions on
146 | all AWS AWS KMS keys. The rule is NON_COMPLIANT if any blocked action is allowed on all AWS AWS KMS keys by the
147 | managed IAM policy.
148 | inputParameters:
149 | # The following parameters are required:
150 | #
151 | # blockedActionsPatterns: Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt,
152 | # kms:ReEncrypt*.
153 | blockedActionsPatterns: "kms:*"
154 | enabled: true
155 | tags:
156 | catalog/iam: true
157 |
158 | iam-group-has-users-check:
159 | identifier: IAM_GROUP_HAS_USERS_CHECK
160 | description: >-
161 | Checks whether IAM groups have at least one IAM user.
162 | inputParameters: {}
163 | enabled: true
164 | tags:
165 | catalog/iam: true
166 |
167 | iam-inline-policy-blocked-kms-actions:
168 | identifier: IAM_INLINE_POLICY_BLOCKED_KMS_ACTIONS
169 | description: >-
170 | Checks that the inline policies attached to your AWS Identity and Access Management users, roles, and groups do not
171 | allow blocked actions on all AWS Key Management Service keys. The rule is NON_COMPLIANT if any blocked action is
172 | allowed on all AWS KMS keys in an inline policy.
173 | inputParameters:
174 | # The following parameters are required:
175 | #
176 | # blockedActionsPatterns: Comma-separated list of blocked KMS action patterns, for example, kms:*, kms:Decrypt,
177 | # kms:ReEncrypt*.
178 | blockedActionsPatterns: "kms:*"
179 | enabled: true
180 | tags:
181 | catalog/iam: true
182 |
183 | iam-no-inline-policy-check:
184 | identifier: IAM_NO_INLINE_POLICY_CHECK
185 | description: >-
186 | Checks that inline policy feature is not in use. The rule is NON_COMPLIANT if an AWS Identity and Access Management
187 | (IAM) user, IAM role or IAM group has any inline policy.
188 | inputParameters: {}
189 | enabled: true
190 | tags:
191 | catalog/iam: true
192 |
193 | iam-policy-blacklisted-check:
194 | identifier: IAM_POLICY_BLACKLISTED_CHECK
195 | description: >-
196 | Checks whether for each IAM resource, a policy ARN in the input parameter is attached to the IAM resource. The rule
197 | is NON_COMPLIANT if the policy ARN is attached to the IAM resource. AWS Config marks the resource as COMPLIANT if
198 | the IAM resource is part of the exceptionList parameter irrespective of the presence of the policy ARN.
199 | inputParameters:
200 | # The following parameters are required:
201 | #
202 | # policyArns: Comma-separated list of policy ARNs.
203 | # exceptionList: Comma-separated list IAM users, groups, or roles that are exempt from this rule. For example,
204 | # users:[user1;user2], groups:[group1;group2], roles:[role1;role2;role3].
205 | policyArns: ""
206 | exceptionList: ""
207 | enabled: true
208 | tags:
209 | catalog/iam: true
210 |
211 | iam-role-managed-policy-check:
212 | identifier: IAM_ROLE_MANAGED_POLICY_CHECK
213 | description: >-
214 | Checks that AWS Identity and Access Management (IAM) policies in a list of policies are attached to all AWS roles.
215 | The rule is NON_COMPLIANT if the IAM managed policy is not attached to the IAM role.
216 | inputParameters:
217 | # The following parameters are required:
218 | #
219 | # managedPolicyNames: Comma-separated list of AWS managed policy ARNs.
220 | managedPolicyNames: ""
221 | enabled: true
222 | tags:
223 | catalog/iam: true
224 |
225 | iam-user-mfa-enabled:
226 | identifier: IAM_USER_MFA_ENABLED
227 | description: >-
228 | Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled.
229 | inputParameters: {}
230 | enabled: true
231 | tags:
232 | catalog/iam: true
233 |
--------------------------------------------------------------------------------
/modules/conformance-pack/README.md:
--------------------------------------------------------------------------------
1 | # AWS Config Conformance Pack
2 |
3 | This module deploys a [Conformance Pack](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html). A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an account and a Region or across an organization in AWS Organizations.Conformance packs are created by authoring a YAML template that contains the list of AWS Config managed or custom rules and remediation actions.
4 |
5 | The Conformance Pack cannot be deployed until AWS Config is deployed, which can be deployed using the [root module](../../) of this repository.
6 |
7 | ## Usage
8 |
9 | **IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
10 | Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-config/releases).
11 |
12 | For a complete example, see [examples/hipaa](../../examples/hipaa).
13 |
14 | For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)(which tests and deploys the example on AWS), see [test](test).
15 |
16 | ```hcl
17 | module "hipaa_conformance_pack" {
18 | source = "cloudposse/config/aws//modules/conformance-pack"
19 | # Cloud Posse recommends pinning every module to a specific version
20 | # version = "x.x.x"
21 |
22 | name = "Operational-Best-Practices-for-HIPAA-Security"
23 |
24 | conformance_pack="https://raw.githubusercontent.com/awslabs/aws-config-rules/master/aws-config-conformance-packs/Operational-Best-Practices-for-HIPAA-Security.yaml"
25 | parameter_overrides = {
26 | AccessKeysRotatedParamMaxAccessKeyAge = "45"
27 | }
28 |
29 | depends_on = [
30 | module.config
31 | ]
32 | }
33 |
34 | module "config" {
35 | source = "cloudposse/config/aws"
36 | # Cloud Posse recommends pinning every module to a specific version
37 | # version = "x.x.x"
38 |
39 | create_sns_topic = true
40 | create_iam_role = true
41 | }
42 | ```
43 |
44 |
45 |
46 |
47 | ## Requirements
48 |
49 | | Name | Version |
50 | |------|---------|
51 | | [terraform](#requirement\_terraform) | >= 1.0 |
52 | | [aws](#requirement\_aws) | >= 5.0 |
53 | | [http](#requirement\_http) | >= 3.4.1 |
54 |
55 | ## Providers
56 |
57 | | Name | Version |
58 | |------|---------|
59 | | [aws](#provider\_aws) | >= 5.0 |
60 | | [http](#provider\_http) | >= 3.4.1 |
61 |
62 | ## Modules
63 |
64 | | Name | Source | Version |
65 | |------|--------|---------|
66 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 |
67 |
68 | ## Resources
69 |
70 | | Name | Type |
71 | |------|------|
72 | | [aws_config_conformance_pack.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_conformance_pack) | resource |
73 | | [http_http.conformance_pack](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
74 |
75 | ## Inputs
76 |
77 | | Name | Description | Type | Default | Required |
78 | |------|-------------|------|---------|:--------:|
79 | | [access\_token](#input\_access\_token) | Optional: access token required to access private GitHub repos, where custom conformance packs could be stored | `string` | `""` | no |
80 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
81 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
82 | | [conformance\_pack](#input\_conformance\_pack) | The URL to a Conformance Pack | `string` | n/a | yes |
83 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
84 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
85 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
86 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
87 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
88 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
89 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
90 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
91 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
92 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
93 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
94 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
95 | | [parameter\_overrides](#input\_parameter\_overrides) | A map of parameters names to values to override from the template | `map(any)` | `{}` | no |
96 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
97 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
98 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
99 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
100 |
101 | ## Outputs
102 |
103 | | Name | Description |
104 | |------|-------------|
105 | | [arn](#output\_arn) | ARN of the conformance pack |
106 |
107 |
108 |
109 |
--------------------------------------------------------------------------------
/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/cis/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/hipaa/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/examples/complete/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/modules/cis-1-2-rules/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------
/modules/conformance-pack/context.tf:
--------------------------------------------------------------------------------
1 | #
2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
3 | # All other instances of this file should be a copy of that one
4 | #
5 | #
6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
7 | # and then place it in your Terraform module to automatically get
8 | # Cloud Posse's standard configuration inputs suitable for passing
9 | # to Cloud Posse modules.
10 | #
11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
12 | #
13 | # Modules should access the whole context as `module.this.context`
14 | # to get the input variables with nulls for defaults,
15 | # for example `context = module.this.context`,
16 | # and access individual variables as `module.this.`,
17 | # with final values filled in.
18 | #
19 | # For example, when using defaults, `module.this.context.delimiter`
20 | # will be null, and `module.this.delimiter` will be `-` (hyphen).
21 | #
22 |
23 | module "this" {
24 | source = "cloudposse/label/null"
25 | version = "0.25.0" # requires Terraform >= 0.13.0
26 |
27 | enabled = var.enabled
28 | namespace = var.namespace
29 | tenant = var.tenant
30 | environment = var.environment
31 | stage = var.stage
32 | name = var.name
33 | delimiter = var.delimiter
34 | attributes = var.attributes
35 | tags = var.tags
36 | additional_tag_map = var.additional_tag_map
37 | label_order = var.label_order
38 | regex_replace_chars = var.regex_replace_chars
39 | id_length_limit = var.id_length_limit
40 | label_key_case = var.label_key_case
41 | label_value_case = var.label_value_case
42 | descriptor_formats = var.descriptor_formats
43 | labels_as_tags = var.labels_as_tags
44 |
45 | context = var.context
46 | }
47 |
48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here
49 |
50 | variable "context" {
51 | type = any
52 | default = {
53 | enabled = true
54 | namespace = null
55 | tenant = null
56 | environment = null
57 | stage = null
58 | name = null
59 | delimiter = null
60 | attributes = []
61 | tags = {}
62 | additional_tag_map = {}
63 | regex_replace_chars = null
64 | label_order = []
65 | id_length_limit = null
66 | label_key_case = null
67 | label_value_case = null
68 | descriptor_formats = {}
69 | # Note: we have to use [] instead of null for unset lists due to
70 | # https://github.com/hashicorp/terraform/issues/28137
71 | # which was not fixed until Terraform 1.0.0,
72 | # but we want the default to be all the labels in `label_order`
73 | # and we want users to be able to prevent all tag generation
74 | # by setting `labels_as_tags` to `[]`, so we need
75 | # a different sentinel to indicate "default"
76 | labels_as_tags = ["unset"]
77 | }
78 | description = <<-EOT
79 | Single object for setting entire context at once.
80 | See description of individual variables for details.
81 | Leave string and numeric variables as `null` to use default value.
82 | Individual variable settings (non-null) override settings in context object,
83 | except for attributes, tags, and additional_tag_map, which are merged.
84 | EOT
85 |
86 | validation {
87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
88 | error_message = "Allowed values: `lower`, `title`, `upper`."
89 | }
90 |
91 | validation {
92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
94 | }
95 | }
96 |
97 | variable "enabled" {
98 | type = bool
99 | default = null
100 | description = "Set to false to prevent the module from creating any resources"
101 | }
102 |
103 | variable "namespace" {
104 | type = string
105 | default = null
106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
107 | }
108 |
109 | variable "tenant" {
110 | type = string
111 | default = null
112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
113 | }
114 |
115 | variable "environment" {
116 | type = string
117 | default = null
118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
119 | }
120 |
121 | variable "stage" {
122 | type = string
123 | default = null
124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
125 | }
126 |
127 | variable "name" {
128 | type = string
129 | default = null
130 | description = <<-EOT
131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
132 | This is the only ID element not also included as a `tag`.
133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
134 | EOT
135 | }
136 |
137 | variable "delimiter" {
138 | type = string
139 | default = null
140 | description = <<-EOT
141 | Delimiter to be used between ID elements.
142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
143 | EOT
144 | }
145 |
146 | variable "attributes" {
147 | type = list(string)
148 | default = []
149 | description = <<-EOT
150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
151 | in the order they appear in the list. New attributes are appended to the
152 | end of the list. The elements of the list are joined by the `delimiter`
153 | and treated as a single ID element.
154 | EOT
155 | }
156 |
157 | variable "labels_as_tags" {
158 | type = set(string)
159 | default = ["default"]
160 | description = <<-EOT
161 | Set of labels (ID elements) to include as tags in the `tags` output.
162 | Default is to include all labels.
163 | Tags with empty values will not be included in the `tags` output.
164 | Set to `[]` to suppress all generated tags.
165 | **Notes:**
166 | The value of the `name` tag, if included, will be the `id`, not the `name`.
167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
168 | changed in later chained modules. Attempts to change it will be silently ignored.
169 | EOT
170 | }
171 |
172 | variable "tags" {
173 | type = map(string)
174 | default = {}
175 | description = <<-EOT
176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
177 | Neither the tag keys nor the tag values will be modified by this module.
178 | EOT
179 | }
180 |
181 | variable "additional_tag_map" {
182 | type = map(string)
183 | default = {}
184 | description = <<-EOT
185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
186 | This is for some rare cases where resources want additional configuration of tags
187 | and therefore take a list of maps with tag key, value, and additional configuration.
188 | EOT
189 | }
190 |
191 | variable "label_order" {
192 | type = list(string)
193 | default = null
194 | description = <<-EOT
195 | The order in which the labels (ID elements) appear in the `id`.
196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"].
197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
198 | EOT
199 | }
200 |
201 | variable "regex_replace_chars" {
202 | type = string
203 | default = null
204 | description = <<-EOT
205 | Terraform regular expression (regex) string.
206 | Characters matching the regex will be removed from the ID elements.
207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
208 | EOT
209 | }
210 |
211 | variable "id_length_limit" {
212 | type = number
213 | default = null
214 | description = <<-EOT
215 | Limit `id` to this many characters (minimum 6).
216 | Set to `0` for unlimited length.
217 | Set to `null` for keep the existing setting, which defaults to `0`.
218 | Does not affect `id_full`.
219 | EOT
220 | validation {
221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
223 | }
224 | }
225 |
226 | variable "label_key_case" {
227 | type = string
228 | default = null
229 | description = <<-EOT
230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
231 | Does not affect keys of tags passed in via the `tags` input.
232 | Possible values: `lower`, `title`, `upper`.
233 | Default value: `title`.
234 | EOT
235 |
236 | validation {
237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
238 | error_message = "Allowed values: `lower`, `title`, `upper`."
239 | }
240 | }
241 |
242 | variable "label_value_case" {
243 | type = string
244 | default = null
245 | description = <<-EOT
246 | Controls the letter case of ID elements (labels) as included in `id`,
247 | set as tag values, and output by this module individually.
248 | Does not affect values of tags passed in via the `tags` input.
249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation).
250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
251 | Default value: `lower`.
252 | EOT
253 |
254 | validation {
255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
257 | }
258 | }
259 |
260 | variable "descriptor_formats" {
261 | type = any
262 | default = {}
263 | description = <<-EOT
264 | Describe additional descriptors to be output in the `descriptors` output map.
265 | Map of maps. Keys are names of descriptors. Values are maps of the form
266 | `{
267 | format = string
268 | labels = list(string)
269 | }`
270 | (Type is `any` so the map values can later be enhanced to provide additional options.)
271 | `format` is a Terraform format string to be passed to the `format()` function.
272 | `labels` is a list of labels, in order, to pass to `format()` function.
273 | Label values will be normalized before being passed to `format()` so they will be
274 | identical to how they appear in `id`.
275 | Default is `{}` (`descriptors` output will be empty).
276 | EOT
277 | }
278 |
279 | #### End of copy of cloudposse/terraform-null-label/variables.tf
280 |
--------------------------------------------------------------------------------