# layer1-aws

## Requirements

| Name | Version |
|------|---------|
| terraform | 1.4.4 |
| aws | 5.1.0 |
| kubernetes | 2.19.0 |

## Providers

| Name | Version |
|------|---------|
| aws | 5.1.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| acm | terraform-aws-modules/acm/aws | 4.3.2 |
| aws_cost_allocation_tags | ../modules/aws-cost-allocation-tags | n/a |
| aws_ebs_csi_driver | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 |
| eks | terraform-aws-modules/eks/aws | 19.12.0 |
| eventbridge | terraform-aws-modules/eventbridge/aws | 1.17.3 |
| pritunl | ../modules/aws-pritunl | n/a |
| r53_zone | terraform-aws-modules/route53/aws//modules/zones | 2.10.2 |
| vpc | terraform-aws-modules/vpc/aws | 4.0.1 |
| vpc_cni_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 |
| vpc_gateway_endpoints | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 4.0.1 |

## Resources

| Name | Type |
|------|------|
| aws_cloudtrail.main | resource |
| aws_ebs_encryption_by_default.default | resource |
| aws_iam_account_password_policy.default | resource |
| aws_s3_bucket.cloudtrail | resource |
| aws_s3_bucket_lifecycle_configuration.cloudtrail | resource |
| aws_s3_bucket_policy.cloudtrail | resource |
| aws_s3_bucket_public_access_block.cloudtrail | resource |
| aws_s3_bucket_server_side_encryption_configuration.cloudtrail | resource |
| aws_sns_topic.security_alerts | resource |
| aws_sns_topic_policy.security_alerts | resource |
| aws_sns_topic_subscription.security_alerts | resource |
| aws_acm_certificate.main | data source |
| aws_ami.eks_default_arm64 | data source |
| aws_availability_zones.available | data source |
| aws_caller_identity.current | data source |
| aws_eks_cluster_auth.main | data source |
| aws_route53_zone.main | data source |
| aws_security_group.default | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| allowed_account_ids | List of allowed AWS account IDs | `list` | `[]` | no |
| allowed_ips | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no |
| aws_account_password_policy | n/a | `any` | see below | no |
| aws_cis_benchmark_alerts | AWS CIS Benchmark alerts configuration | `any` | see below | no |
| az_count | Count of availability zones, min 2 | `number` | `3` | no |
| cidr | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no |
| cloudtrail_logs_s3_expiration_days | How many days to keep CloudTrail logs on S3 | `string` | `180` | no |
| create_acm_certificate | Whether to create an ACM certificate or use an existing one | `bool` | `false` | no |
| create_r53_zone | Create a Route 53 zone for the main public domain | `bool` | `false` | no |
| domain_name | Main public domain name | `any` | n/a | yes |
| eks_cloudwatch_log_group_retention_in_days | Number of days to retain log events. Default retention: 90 days. | `number` | `90` | no |
| eks_cluster_enabled_log_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` | `["audit"]` | no |
| eks_cluster_encryption_config_enable | Whether to enable encryption of Kubernetes secrets with AWS KMS | `bool` | `false` | no |
| eks_cluster_endpoint_only_pritunl | Only the Pritunl VPN server will have access to the EKS endpoint. | `bool` | `false` | no |
| eks_cluster_endpoint_private_access | Whether to enable private access to the cluster endpoint | `bool` | `false` | no |
| eks_cluster_endpoint_public_access | Whether to enable public access to the cluster endpoint | `bool` | `true` | no |
| eks_cluster_version | Version of the EKS Kubernetes cluster | `string` | `"1.25"` | no |
| eks_map_roles | Additional IAM roles to add to the aws-auth configmap. | `list(object({ rolearn = string, username = string, groups = list(string) }))` | `[]` | no |
| environment | Environment name, used when no Terraform workspace is used | `string` | `"demo"` | no |
| is_this_payment_account | Set it to false if the target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags | `bool` | `true` | no |
| name | Project name, required to create unique resource names | `any` | n/a | yes |
| node_group_default | Default node group configuration | `object` (see below) | see below | no |
| pritunl_vpn_access_cidr_blocks | CIDR block that will have access to the Pritunl web console | `string` | `"127.0.0.1/32"` | no |
| pritunl_vpn_server_enable | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no |
| region | Default infrastructure region | `string` | `"us-east-1"` | no |
| short_region | The abbreviated name of the region, required to form unique resource names | `map` | see below | no |
| single_nat_gateway | Create a single NAT gateway shared by all AZs | `bool` | `true` | no |
| zone_id | Route 53 zone ID for the public domain | `any` | `null` | no |

Default for `aws_account_password_policy`:

```json
{
  "allow_users_to_change_password": true,
  "create": true,
  "hard_expiry": false,
  "max_password_age": 90,
  "minimum_password_length": 14,
  "password_reuse_prevention": 10,
  "require_lowercase_characters": true,
  "require_numbers": true,
  "require_symbols": true,
  "require_uppercase_characters": true
}
```

Default for `aws_cis_benchmark_alerts` (note that `enabled` defaults to the string `"false"`, so no alert is delivered until it is switched on and `email` is changed from the placeholder):

```json
{
  "email": "demo@example.com",
  "enabled": "false",
  "rules": {
    "aws_config_changes_enabled": true,
    "cloudtrail_configuration_changes_enabled": true,
    "console_login_failed_enabled": true,
    "consolelogin_without_mfa_enabled": true,
    "iam_policy_changes_enabled": true,
    "kms_cmk_delete_or_disable_enabled": true,
    "nacl_changes_enabled": true,
    "network_gateway_changes_enabled": true,
    "organization_changes_enabled": true,
    "parameter_store_actions_enabled": true,
    "route_table_changes_enabled": true,
    "s3_bucket_policy_changes_enabled": true,
    "secrets_manager_actions_enabled": true,
    "security_group_changes_enabled": true,
    "unauthorized_api_calls_enabled": true,
    "usage_of_root_account_enabled": true,
    "vpc_changes_enabled": true
  }
}
```

Type of `node_group_default`:

```hcl
object({
  instance_type              = string
  max_capacity               = number
  min_capacity               = number
  desired_capacity           = number
  capacity_rebalance         = bool
  use_mixed_instances_policy = bool
  mixed_instances_policy     = any
})
```

Default for `node_group_default`:

```json
{
  "capacity_rebalance": true,
  "desired_capacity": 2,
  "instance_type": "t4g.medium",
  "max_capacity": 3,
  "min_capacity": 2,
  "mixed_instances_policy": {
    "instances_distribution": {
      "on_demand_base_capacity": 0,
      "on_demand_percentage_above_base_capacity": 0
    },
    "override": [
      {
        "instance_type": "t4g.small"
      },
      {
        "instance_type": "t4g.medium"
      }
    ]
  },
  "use_mixed_instances_policy": true
}
```

Default for `short_region`:

```json
{
  "ap-east-1": "ape1",
  "ap-northeast-1": "apn1",
  "ap-northeast-2": "apn2",
  "ap-south-1": "aps1",
  "ap-southeast-1": "apse1",
  "ap-southeast-2": "apse2",
  "ca-central-1": "cac1",
  "cn-north-1": "cnn1",
  "cn-northwest-1": "cnnw1",
  "eu-central-1": "euc1",
  "eu-north-1": "eun1",
  "eu-west-1": "euw1",
  "eu-west-2": "euw2",
  "eu-west-3": "euw3",
  "sa-east-1": "sae1",
  "us-east-1": "use1",
  "us-east-2": "use2",
  "us-gov-east-1": "usge1",
  "us-gov-west-1": "usgw1",
  "us-west-1": "usw1",
  "us-west-2": "usw2"
}
```
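The defaults above are tuned for a quick demo rather than a hardened account: the EKS API endpoint is public and private access is off, KMS envelope encryption of Kubernetes Secrets is off, only `audit` control-plane logs are kept, CloudTrail logs expire after 180 days, `allowed_ips` is empty, the Pritunl VPN is disabled with a loopback placeholder for its console CIDR, and the CIS alerts are disabled and addressed to demo@example.com. The `terraform.tfvars` below is an added example, not a file from this repository, showing each weak default next to a hardened value. The account ID, CIDRs, domain, zone ID, e-mail address and IAM role ARN are placeholders, and the assumption that `eks_cluster_endpoint_only_pritunl` needs `pritunl_vpn_server_enable = true` is the editor's, not something the inputs table states.

```hcl
# terraform.tfvars for layer1-aws. Added example, not part of the repository;
# the account ID, CIDRs, domain, zone ID, e-mail address and role ARN are placeholders.

name        = "acme"
environment = "prod"
region      = "us-east-1"

# Default [] accepts any account; pinning it makes a plan run with the wrong
# credentials fail before it touches anything.
allowed_account_ids = ["123456789012"]

# Reuse an existing public zone instead of creating one.
domain_name            = "example.com"
create_r53_zone        = false
zone_id                = "Z0123456789EXAMPLE"
create_acm_certificate = false

# Default []: nothing outside the VPC reaches private resources or SSH. Keep it
# to the office/VPN egress range rather than widening it per incident.
allowed_ips = ["203.0.113.0/24"]

# Control-plane exposure. Defaults: public_access = true, private_access = false,
# only_pritunl = false, i.e. an Internet-reachable API server.
eks_cluster_endpoint_public_access  = false
eks_cluster_endpoint_private_access = true
eks_cluster_endpoint_only_pritunl   = true # assumed to need the VPN enabled below

# Default false: no KMS envelope encryption of Kubernetes Secrets.
eks_cluster_encryption_config_enable = true

# Default ["audit"]. "authenticator" records IAM-to-RBAC mapping decisions and
# rejected tokens; "api" gives request-level context for incident response.
eks_cluster_enabled_log_types              = ["api", "audit", "authenticator"]
eks_cloudwatch_log_group_retention_in_days = 365

# Default 180 days of CloudTrail in S3; keep at least a year for investigations.
cloudtrail_logs_s3_expiration_days = "365"

# VPN: default disabled, and the console CIDR default 127.0.0.1/32 is a placeholder.
pritunl_vpn_server_enable      = true
pritunl_vpn_access_cidr_blocks = "203.0.113.0/24"

# Default remembers 10 old passwords; CIS AWS Foundations Benchmark 1.9 expects 24.
aws_account_password_policy = {
  create                         = true
  allow_users_to_change_password = true
  hard_expiry                    = false
  max_password_age               = 90
  minimum_password_length        = 14
  password_reuse_prevention      = 24
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  require_uppercase_characters   = true
}

# Default: enabled = "false" and email = demo@example.com, so none of the rules
# below fire. Every rule stays on; turn one off deliberately, not by omission.
aws_cis_benchmark_alerts = {
  email   = "security-alerts@example.com"
  enabled = true
  rules = {
    aws_config_changes_enabled               = true
    cloudtrail_configuration_changes_enabled = true
    console_login_failed_enabled             = true
    consolelogin_without_mfa_enabled         = true
    iam_policy_changes_enabled               = true
    kms_cmk_delete_or_disable_enabled        = true
    nacl_changes_enabled                     = true
    network_gateway_changes_enabled          = true
    organization_changes_enabled             = true
    parameter_store_actions_enabled          = true
    route_table_changes_enabled              = true
    s3_bucket_policy_changes_enabled         = true
    secrets_manager_actions_enabled          = true
    security_group_changes_enabled           = true
    unauthorized_api_calls_enabled           = true
    usage_of_root_account_enabled            = true
    vpc_changes_enabled                      = true
  }
}

# aws-auth: map a read-only role to a custom group rather than system:masters;
# bind "view-only" to the built-in "view" ClusterRole with a ClusterRoleBinding.
eks_map_roles = [
  {
    rolearn  = "arn:aws:iam::123456789012:role/eks-readonly"
    username = "eks-readonly"
    groups   = ["view-only"]
  },
]
```

Two caveats before applying this. First, once `eks_cluster_endpoint_public_access` is false, the `kubernetes` provider this layer requires (and the kubectl config it outputs) can only reach the API server from inside the VPC or over the VPN, so bring the Pritunl server up and connect through it before switching the endpoint private, and run `terraform plan`/`apply` from a host that can reach it. Second, the page shows the default `enabled` for `aws_cis_benchmark_alerts` as the string `"false"` under a type of `any`; the example passes a bool, which works if the module uses the value as a condition, but if it compares against a string, pass `"true"` instead. Check how the layer consumes that attribute before relying on the alerts, and confirm the SNS subscription to the new address.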

## Outputs

| Name | Description |
|------|-------------|
| allowed_ips | List of allowed IPs, used for direct SSH access to instances. |
| az_count | Count of availability zones, min 2 |
| domain_name | Domain name |
| eks_cluster_endpoint | Endpoint for EKS control plane. |
| eks_cluster_id | n/a |
| eks_cluster_security_group_id | Security group IDs attached to the cluster control plane. |
| eks_kubectl_console_config | n/a |
| eks_oidc_provider_arn | ARN of EKS OIDC provider |
| env | Suffix for the hostname depending on workspace |
| name | Project name, required to form unique resource names |
| name_wo_region | Project name, required to form unique resource names, without short region |
| node_group_default_iam_role_arn | n/a |
| node_group_default_iam_role_name | n/a |
| region | Target region for all infrastructure resources |
| route53_zone_id | ID of domain zone |
| short_region | The abbreviated name of the region, required to form unique resource names |
| ssl_certificate_arn | ARN of SSL certificate |
| vpc_cidr | CIDR block of infra VPC |
| vpc_database_subnets | Database subnets of infra VPC |
| vpc_id | ID of infra VPC |
| vpc_intra_subnets | Private intra subnets |
| vpc_name | Name of infra VPC |
| vpc_private_subnets | Private subnets of infra VPC |
| vpc_public_subnets | Public subnets of infra VPC |