region
This module creates the following resources.

  • aws_ebs_encryption_by_default
  • aws_ebs_default_kms_key (optional)
  • aws_ec2_image_block_public_access
  • aws_ec2_instance_metadata_defaults (optional)
  • aws_ec2_serial_console_access
  • aws_guardduty_organization_admin_account (optional)
  • aws_inspector2_delegated_admin_account (optional)
  • aws_macie2_organization_admin_account (optional)
  • aws_oam_sink (optional)
  • aws_oam_sink_policy (optional)
  • aws_resourceexplorer2_index (optional)
  • aws_resourceexplorer2_view (optional)
  • aws_servicequotas_service_quota (optional)

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6 |
| aws | >= 5.43 |

Providers

| Name | Version |
|------|---------|
| aws | 5.51.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloudwatch_oam_sink | tedilabs/observability/aws//modules/cloudwatch-oam-sink | ~> 0.2.0 |
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |

Resources

| Name | Type |
|------|------|
| aws_ebs_default_kms_key.this | resource |
| aws_ebs_encryption_by_default.this | resource |
| aws_ec2_availability_zone_group.this | resource |
| aws_ec2_image_block_public_access.this | resource |
| aws_ec2_instance_metadata_defaults.this | resource |
| aws_ec2_serial_console_access.this | resource |
| aws_guardduty_organization_admin_account.this | resource |
| aws_inspector2_delegated_admin_account.this | resource |
| aws_macie2_organization_admin_account.this | resource |
| aws_resourceexplorer2_index.this | resource |
| aws_resourceexplorer2_view.this | resource |
| aws_servicequotas_service_quota.this | resource |
| aws_region.this | data source |

Inputs

Each input is listed with its description, its type, its default value and whether it is required.

- `cloudwatch` (Optional) The configuration of CloudWatch in the current AWS region. `cloudwatch` as defined below.
  - (Optional) `oam_sink` - A configuration of the CloudWatch OAM (Observability Access Manager) sink. `oam_sink` as defined below.
    - (Required) `name` - The name of the CloudWatch OAM sink.
    - (Optional) `telemetry_types` - A set of the telemetry types that can be shared with this sink. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`.
    - (Optional) `allowed_source_accounts` - A list of the IDs of AWS accounts that will share data with this monitoring account.
    - (Optional) `allowed_source_organizations` - A list of the organization IDs of AWS accounts that will share data with this monitoring account.
    - (Optional) `allowed_source_organization_paths` - A list of the organization paths of the AWS accounts that will share data with this monitoring account.
    - (Optional) `tags` - A map of tags to add to the resource.

  Type:

  ```hcl
  object({
    oam_sink = optional(object({
      name                              = string
      telemetry_types                   = optional(set(string), [])
      allowed_source_accounts           = optional(list(string), [])
      allowed_source_organizations      = optional(list(string), [])
      allowed_source_organization_paths = optional(list(string), [])
      tags                              = optional(map(string), {})
    }))
  })
  ```

  Default: `{}`. Required: no.

- `ebs_default_encryption` (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
  - (Optional) `enabled` - Whether or not default EBS encryption is enabled.
  - (Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume.

  Type:

  ```hcl
  object({
    enabled = optional(bool, false)
    kms_key = optional(string)
  })
  ```

  Default: `{}`. Required: no.

- `ec2` (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
  - (Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level, to prevent the public sharing of your AMIs in this region. Defaults to `false`.
  - (Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
    - (Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (no preference).
    - (Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `null` (no preference).
    - (Optional) `http_put_response_hop_limit` - The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integers from 1 to 64. Defaults to `null` (no preference).
    - (Optional) `instance_tags_enabled` - Whether to enable access to instance tags from the instance metadata service. Defaults to `null` (no preference).
  - (Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`.

  Type:

  ```hcl
  object({
    ami_public_access_enabled = optional(bool, false)
    instance_metadata_defaults = optional(object({
      http_enabled                = optional(bool)
      http_token_required         = optional(bool)
      http_put_response_hop_limit = optional(number)
      instance_tags_enabled       = optional(bool)
    }), {})
    serial_console_enabled = optional(bool, false)
  })
  ```

  Default: `{}`. Required: no.

- `guardduty` (Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
  - (Optional) `delegated_administrator` - The AWS account ID of the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used only in the management account of the organization.

  Type:

  ```hcl
  object({
    delegated_administrator = optional(string)
  })
  ```

  Default: `{}`. Required: no.

- `inspector` (Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.
  - (Optional) `delegated_administrator` - The AWS account ID of the account to designate as the delegated Amazon Inspector administrator account for the organization. The delegated administrator is granted all of the permissions required to administer Inspector for your organization. When you choose a delegated administrator, Inspector is activated for that account. Can be used only in the management account of the organization.

  Type:

  ```hcl
  object({
    delegated_administrator = optional(string)
  })
  ```

  Default: `{}`. Required: no.

- `macie` (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
  - (Optional) `delegated_administrator` - The AWS account ID of the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The calling account must be the management account of the organization.

  Type:

  ```hcl
  object({
    delegated_administrator = optional(string)
  })
  ```

  Default: `{}`. Required: no.

- `module_tags_enabled` (Optional) Whether to create AWS Resource Tags for the module information. Type: `bool`. Default: `true`. Required: no.

- `resource_explorer` (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
  - (Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
  - (Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
  - (Optional) `views` - A list of views to create. `views` as defined below.
    - (Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (`-`) character. The name must be unique within its AWS Region.
    - (Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
    - (Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter strings are combined using a logical AND operator. Defaults to `[]` (include all resources).
    - (Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`.

  Type:

  ```hcl
  object({
    enabled    = optional(bool, true)
    index_type = optional(string, "LOCAL")
    views = optional(list(object({
      name                           = string
      is_default                     = optional(bool, false)
      filter_queries                 = optional(list(string), [])
      additional_resource_attributes = optional(set(string), [])
    })), [])
  })
  ```

  Default: `{}`. Required: no.

- `resource_group_description` (Optional) The description of the Resource Group. Type: `string`. Default: `"Managed by Terraform."`. Required: no.

- `resource_group_enabled` (Optional) Whether to create a Resource Group to find and group the AWS resources created by this module. Type: `bool`. Default: `true`. Required: no.

- `resource_group_name` (Optional) The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. Type: `string`. Default: `""`. Required: no.

- `service_quotas_code_translation_enabled` (Optional) Whether to use translated quota codes for readability. Type: `bool`. Default: `false`. Required: no.

- `service_quotas_request` (Optional) A map of service quotas to request. The key is `<service-code>/<quota-code>` and the value is the desired value to request. Type: `map(number)`. Default: `{}`. Required: no.

- `tags` (Optional) A map of tags to add to all resources. Type: `map(string)`. Default: `{}`. Required: no.

- `vpc_availability_zone_groups` (Optional) The configurations to manage Availability Zone Groups for the current AWS region. The key is the name of the Availability Zone Group and the value is a boolean that enables the group. At this time, disabling an Availability Zone Group is not supported by AWS. Type: `map(bool)`. Default: `{}`. Required: no.
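As an added example (not code from this module's README), a root module that calls the module with the hardening-oriented inputs described above: default EBS encryption, IMDSv2 required with a hop limit of 1, public AMI sharing blocked, serial console off, and the organization's security services delegated to one account. The `source` path and the account ID are placeholders, and the `aws` provider is assumed to be configured for the target region.

```hcl
# Added example, not part of this module's README: a hardened regional baseline.
# Assumptions: "source" is a placeholder for the module's real source, the aws
# provider is already configured for the target region, and the account ID is
# a placeholder for the organization's security account.
module "region" {
  source = "./modules/region" # placeholder

  # Encrypt every new EBS volume by default; kms_key may point at a CMK ARN.
  ebs_default_encryption = {
    enabled = true
    kms_key = null
  }

  ec2 = {
    # Block public AMI sharing and keep serial console access off.
    ami_public_access_enabled = false
    serial_console_enabled    = false
    # Regional IMDS defaults: require IMDSv2 tokens and keep the hop limit at 1
    # so metadata responses cannot be relayed beyond the instance itself.
    instance_metadata_defaults = {
      http_enabled                = true
      http_token_required         = true
      http_put_response_hop_limit = 1
      instance_tags_enabled       = false
    }
  }

  # Delegate the security services to one account (management account only).
  guardduty = { delegated_administrator = "111111111111" }
  inspector = { delegated_administrator = "111111111111" }
  macie     = { delegated_administrator = "111111111111" }

  # A Resource Explorer view scoped to EC2 instances for inventory queries.
  resource_explorer = {
    enabled    = true
    index_type = "LOCAL"
    views = [{
      name           = "ec2-instances"
      filter_queries = ["resourcetype:ec2:instance"]
    }]
  }

  tags = { Environment = "prod" }
}

# Read the applied EC2 settings back from the module's ec2 output.
output "region_ec2" {
  value = module.region.ec2
}
```

Apply this only from the organization's management account, since the three `delegated_administrator` settings are rejected elsewhere.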

Outputs

- `cloudwatch` - The region-level configurations of the CloudWatch service.
  - `oam_sink` - A configuration of the CloudWatch OAM (Observability Access Manager) sink.
- `code` - The short code of the current region.
- `description` - The description of the current region in this format: `Location (Region name)`.
- `ebs` - The region-level configurations of the EBS service.
  - `default_encryption` - The configurations for EBS Default Encryption.
- `ec2` - The region-level configurations of the EC2 service.
  - `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level, to prevent the public sharing of your AMIs in this region.
  - `serial_console_enabled` - Whether serial console access is enabled for the current AWS region.
- `guardduty` - The region-level configurations of the GuardDuty service.
  - `delegated_administrator` - The AWS account ID of the account designated as the delegated Amazon GuardDuty administrator account for the organization.
- `id` - The ID of the current region.
- `inspector` - The region-level configurations of the Inspector service.
  - `delegated_administrator` - The AWS account ID of the account designated as the delegated Amazon Inspector administrator account for the organization.
- `macie` - The region-level configurations of the Macie service.
  - `delegated_administrator` - The AWS account ID of the account designated as the delegated Amazon Macie administrator account for the organization.
- `name` - The name of the current region.
- `resource_explorer` - The region-level configurations of the Resource Explorer service.
  - `enabled` - Whether the Resource Explorer is enabled in the current AWS region.
  - `index_type` - The type of the index.
  - `views` - The list of views.
- `service_quotas` - The region-level configurations of Service Quotas.
- `vpc` - The region-level configurations of VPC.