account_type |
AWS account type (master, administrator, log, member) |
string |
n/a |
yes |
bucket_custom_policy_json |
JSON document for a custom S3 bucket policy that overrides the module's default policy |
string |
"" |
no |
cloudtrail_enable_log_file_validation |
Specifies whether log file integrity validation is enabled. Creates a signed digest for the validated contents of the logs |
bool |
true |
no |
cloudtrail_enable_logging |
Enable logging for the trail |
bool |
true |
no |
cloudtrail_include_global_service_events |
Specifies whether the trail is publishing events from global services such as IAM to the log files |
bool |
true |
no |
cloudtrail_insight_selector |
Specifies an insight selector for identifying unusual operational activity. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#insight_type for details on this variable |
list(object({ insight_type = string })) |
[ { "insight_type": "ApiCallRateInsight" }, { "insight_type": "ApiErrorRateInsight" } ] |
no |
cloudtrail_is_multi_region_trail |
Specifies whether the trail is created in the current region or in all regions |
bool |
true |
no |
cloudtrail_is_organization_trail |
Whether the trail is an AWS Organizations trail |
bool |
true |
no |
cloudtrail_name |
CloudTrail trail name |
string |
"org" |
no |
cloudtrail_s3_bucket |
CloudTrail S3 bucket |
string |
null |
no |
cloudtrail_s3_key_prefix |
S3 key prefix for CloudTrail |
string |
"cloudtrail" |
no |
config_s3_bucket_key_prefix |
S3 key prefix for Config |
string |
"config" |
no |
ecr_scan_type |
ECR scanning type (BASIC or ENHANCED) |
string |
"BASIC" |
no |
ecr_scanning_rules |
List of ECR scanning rules |
list(map(string)) |
[ { "filter": "*", "frequency": "SCAN_ON_PUSH" } ] |
no |
enable_cloudtrail |
Enable AWS CloudTrail service |
bool |
true |
no |
enable_config |
Enable AWS Config service |
bool |
true |
no |
enable_ebs_baseline |
Whether the ebs-baseline is enabled. |
bool |
true |
no |
enable_ecr_baseline |
Enable ECR image scanning |
bool |
true |
no |
enable_firewall_manager |
Enable AWS Firewall Manager service |
bool |
true |
no |
enable_guardduty |
Enable AWS GuardDuty service |
bool |
true |
no |
enable_iam_access_analyzer |
Enable AWS IAM Access Analyzer |
bool |
true |
no |
enable_iam_baseline |
Whether the iam-baseline is enabled. |
bool |
true |
no |
enable_s3_baseline |
Whether the S3 baseline is enabled. |
bool |
true |
no |
enable_s3_buckets |
Whether the S3 buckets are created. |
bool |
false |
no |
enable_scp |
Manage organization service control policies (SCPs) |
bool |
true |
no |
enable_securityhub |
Enable AWS Security Hub service |
bool |
true |
no |
force_destroy |
Allow the S3 bucket to be destroyed even if it still contains objects (the objects are deleted with it) |
bool |
false |
no |
iam_allow_users_to_change_password |
Whether to allow users to change their own password. |
bool |
true |
no |
iam_create_password_policy |
Define if the password policy should be created. |
bool |
true |
no |
iam_max_password_age |
The number of days that a user password is valid. |
number |
0 |
no |
iam_minimum_password_length |
Minimum length to require for user passwords. |
number |
14 |
no |
iam_password_reuse_prevention |
The number of previous passwords that users are prevented from reusing. |
number |
24 |
no |
iam_require_lowercase_characters |
Whether to require lowercase characters for user passwords. |
bool |
true |
no |
iam_require_numbers |
Whether to require numbers for user passwords. |
bool |
true |
no |
iam_require_symbols |
Whether to require symbols for user passwords. |
bool |
true |
no |
iam_require_uppercase_characters |
Whether to require uppercase characters for user passwords. |
bool |
true |
no |
s3_block_public_acls |
Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. |
bool |
true |
no |
s3_block_public_policy |
Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. |
bool |
true |
no |
s3_ignore_public_acls |
Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. |
bool |
true |
no |
s3_restrict_public_buckets |
Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. |
bool |
true |
no |
security_administrator_account_id |
AWS account ID of the Security Administrator account |
number |
n/a |
yes |
securityhub_enable_products |
Products to subscribe Security Hub to |
list(string) |
[] |
no |
tags |
Tags (key/value pairs) applied to all resources created by this module. |
map(any) |
{ "Environment": "infra", "Product": "security", "Team": "devops", "Terraform": true } |
no |
target_regions |
A list of regions to set up with this module. |
list(string) |
[ "eu-west-1", "us-east-1", "us-east-2" ] |
no |
vpc_flow_logs_s3_key_prefix |
S3 key prefix for VPC Flow Logs |
string |
"flow-logs" |
no |