-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvariables.tf
160 lines (133 loc) · 5.64 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
variable "s3_bucket_id" {
description = "The id (name) of the S3 bucket used to store the configuration history"
type = string
}
variable "s3_bucket_arn" {
description = "The ARN of the S3 bucket used to store the configuration history"
type = string
}
variable "create_sns_topic" {
description = <<-DOC
Flag to indicate whether an SNS topic should be created for notifications
If you want to send findings to a new SNS topic, set this to true and provide a valid configuration for subscribers
DOC
type = bool
default = false
}
variable "sns_encryption_key_id" {
description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK."
type = string
default = "" # Use "alias/aws/sns" for AWS Managed Key
}
variable "sqs_queue_kms_master_key_id" {
type = string
description = "The ID of an AWS-managed customer master key (CMK) for Amazon SQS Queue or a custom CMK"
default = "" # Use "alias/aws/sqs" for AWS Managed Key
}
variable "subscribers" {
type = map(any)
description = <<-DOC
A map of subscription configurations for SNS topics
For more information, see:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference
protocol:
The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially
supported, see link) (email is an option but is unsupported in terraform, see link).
endpoint:
The endpoint to send data to, the contents will vary with the protocol. (see link for more information)
endpoint_auto_confirms (Optional):
Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is
false
raw_message_delivery (Optional):
Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false.
DOC
default = {}
}
variable "findings_notification_arn" {
description = <<-DOC
The ARN for an SNS topic to send findings notifications to. This is only used if create_sns_topic is false.
If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set
create_sns_topic to false.
DOC
default = null
type = string
}
variable "create_iam_role" {
description = "Flag to indicate whether an IAM Role should be created to grant the proper permissions for AWS Config"
type = bool
default = false
}
variable "iam_role_arn" {
description = <<-DOC
The ARN for an IAM Role AWS Config uses to make read or write requests to the delivery channel and to describe the
AWS resources associated with the account. This is only used if create_iam_role is false.
If you want to use an existing IAM Role, set the value of this to the ARN of the existing topic and set
create_iam_role to false.
See the AWS Docs for further information:
http://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
DOC
default = null
type = string
}
variable "global_resource_collector_region" {
description = "The region that collects AWS Config data for global resources such as IAM"
type = string
}
variable "central_resource_collector_account" {
description = "The account ID of a central account that will aggregate AWS Config from other accounts"
type = string
default = null
}
variable "child_resource_collector_accounts" {
description = "The account IDs of other accounts that will send their AWS Configuration to this account"
type = set(string)
default = null
}
variable "force_destroy" {
type = bool
description = "A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
default = false
}
variable "managed_rules" {
description = <<-DOC
A list of AWS Managed Rules that should be enabled on the account.
See the following for a list of possible rules to enable:
https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
DOC
type = map(object({
description = string
identifier = string
input_parameters = any
tags = map(string)
enabled = bool
}))
default = {}
}
variable "s3_key_prefix" {
type = string
description = <<-DOC
The prefix for AWS Config objects stored in the the S3 bucket. If this variable is set to null, the default, no
prefix will be used.
Examples:
with prefix: {S3_BUCKET NAME}:/{S3_KEY_PREFIX}/AWSLogs/{ACCOUNT_ID}/Config/*.
without prefix: {S3_BUCKET NAME}:/AWSLogs/{ACCOUNT_ID}/Config/*.
DOC
default = null
}
// Config aggregation isn't enabled for ap-northeast-3, maybe others in the future
// https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
variable "disabled_aggregation_regions" {
type = list(string)
description = "A list of regions where config aggregation is disabled"
default = ["ap-northeast-3"]
}
variable "allowed_aws_services_for_sns_published" {
type = list(string)
description = "AWS services that will have permission to publish to SNS topic. Used when no external JSON policy is used"
default = []
}
variable "allowed_iam_arns_for_sns_publish" {
type = list(string)
description = "IAM role/user ARNs that will have permission to publish to SNS topic. Used when no external json policy is used."
default = []
}