# Toggle for the module-managed Lacework integration resource.
variable "create_lacework_integration" {
  description = "Set this to `false` if you don't want the module to automatically create a corresponding Lacework integration."
  type        = bool
  default     = true
}
# Switches the trail into consolidated mode (off by default).
variable "consolidated_trail" {
  description = "Set this to true to configure a consolidated cloudtrail"
  type        = bool
  default     = false
}
# Organization-wide trail flag; only valid from the management account.
variable "is_organization_trail" {
  description = "Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account"
  type        = bool
  default     = false
}
# AWS account -> Lacework sub-account mapping for organization setups.
# Each entry names a default Lacework account plus explicit overrides.
variable "org_account_mappings" {
  description = "Mapping of AWS accounts to Lacework accounts within a Lacework organization"
  default     = []
  type = list(object({
    default_lacework_account = string
    mapping = list(object({
      lacework_account = string
      aws_accounts     = list(string)
    }))
  }))
}
# When true the module reuses a caller-supplied KMS key instead of creating one.
variable "use_existing_kms_key" {
  description = "Set this to true to use an existing KMS key."
  type        = bool
  default     = false
}
# Reuse an existing cross-account IAM role rather than creating one.
# Pairs with iam_role_name, iam_role_arn and iam_role_external_id.
variable "use_existing_iam_role" {
  description = "Set this to true to use an existing IAM role"
  type        = bool
  default     = false
}
# Skip attaching a module-managed policy to the role when one already exists.
variable "use_existing_iam_role_policy" {
  description = "Set this to `true` to use an existing policy on the IAM role, rather than attaching a new one"
  type        = bool
  default     = false
}
# Name of the pre-existing role; must agree with iam_role_arn when
# use_existing_iam_role is true.
variable "iam_role_name" {
  description = "The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true"
  type        = string
  default     = ""
}
# ARN of the pre-existing role (only consulted when use_existing_iam_role is true).
variable "iam_role_arn" {
  description = "The IAM role ARN is required when setting use_existing_iam_role to true"
  type        = string
  default     = ""
}
# External ID that the existing role's trust policy expects. It is the
# confused-deputy guard for the cross-account assume-role, so treat it as
# a shared secret and keep it out of committed tfvars where practical.
variable "iam_role_external_id" {
  description = "The external ID configured inside the IAM role is required when setting use_existing_iam_role to true"
  type        = string
  default     = ""
}
# Optional permissions boundary applied to the module-created role.
# null (the default) means no boundary is set.
variable "permission_boundary_arn" {
  description = "Optional - ARN of the policy that is used to set the permissions boundary for the role."
  type        = string
  default     = null
}
# Deprecated input kept only for interface compatibility until v3.0.0.
variable "external_id_length" {
  description = "**Deprecated** - Will be removed on our next major release v3.0.0"
  type        = number
  default     = 16
}
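# Naming prefix applied to every resource the module generates.
variable "prefix" {
  type        = string
  default     = "lacework-ct"
  description = "The prefix that will be used at the beginning of every generated resource"
}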
# CloudTrail log file integrity validation (digest files). Leave enabled
# so tampering with delivered log files can be detected.
variable "enable_log_file_validation" {
  description = "Specifies whether cloudtrail log file integrity validation is enabled"
  type        = bool
  default     = true
}
# Explicit name for the module-created S3 bucket; empty lets the module pick one.
variable "bucket_name" {
  description = "Optional value to specify name for a newly created S3 bucket. Not required when `use_existing_cloudtrail` is true."
  type        = string
  default     = ""
}
# ARN of the bucket already receiving the existing trail's logs.
variable "bucket_arn" {
  description = "The S3 bucket ARN is required when setting use_existing_cloudtrail to true"
  type        = string
  default     = ""
}
# Server-side encryption on the created bucket; see bucket_sse_algorithm
# and bucket_sse_key_arn for the key choice.
variable "bucket_encryption_enabled" {
  description = "Set this to `true` to enable encryption on a created S3 bucket"
  type        = bool
  default     = true
}
# S3 server access logging for the created bucket (on by default).
variable "bucket_logs_enabled" {
  description = "Set this to `true` to enable access logging on a created S3 bucket"
  type        = bool
  default     = true
}
# MFA-delete on the bucket; only meaningful with bucket_versioning_enabled.
# Off by default because it cannot be enabled without the root account's MFA.
variable "bucket_enable_mfa_delete" {
  description = "Set this to `true` to require MFA for object deletion (Requires versioning)"
  type        = bool
  default     = false
}
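# Object versioning on the created bucket; required for bucket_enable_mfa_delete.
variable "bucket_versioning_enabled" {
  type        = bool
  default     = true
  description = "Set this to `true` to enable versioning on a created S3 bucket"
}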
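# Controls whether `terraform destroy` empties and removes the log bucket.
# The default of true means delivered CloudTrail logs (audit evidence) are
# deleted together with the stack; callers who must retain logs should set
# this to false or ship logs to a separately retained bucket.
variable "bucket_force_destroy" {
  type        = bool
  default     = true
  description = "Force destroy bucket (When 'false' a non-empty bucket will NOT be destroyed.) Note: with the default of 'true', destroying the module also deletes all CloudTrail logs stored in the bucket."
}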
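# Server-side encryption algorithm for the created bucket. Restricted to
# the values S3 accepts so a typo fails at plan time rather than at apply.
variable "bucket_sse_algorithm" {
  type        = string
  default     = "aws:kms"
  description = "The encryption algorithm to use for S3 bucket server-side encryption"

  validation {
    condition     = contains(["AES256", "aws:kms", "aws:kms:dsse"], var.bucket_sse_algorithm)
    error_message = "Valid values for variable 'bucket_sse_algorithm' are: ['AES256', 'aws:kms', 'aws:kms:dsse']."
  }
}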
# KMS key used for bucket SSE when reusing a caller-managed key.
variable "bucket_sse_key_arn" {
  description = "The ARN of the KMS encryption key to be used for S3 (Required when `bucket_sse_algorithm` is `aws:kms` and using an existing aws_kms_key)"
  type        = string
  default     = ""
}
# Target bucket for S3 access logs when use_existing_access_log_bucket is true.
variable "log_bucket_name" {
  description = "Name of the S3 bucket for access logs. Is required when setting `use_existing_access_log_bucket` to true"
  type        = string
  default     = ""
}
# Key prefix under which S3 writes access-log objects.
variable "access_log_prefix" {
  description = "Optional value to specify a key prefix for access log objects for logging S3 bucket"
  type        = string
  default     = "log/"
}
# Object prefix filter for the bucket notification (CloudTrail's default layout).
variable "s3_notification_log_prefix" {
  description = "The object prefix for which to create S3 notifications"
  type        = string
  default     = "AWSLogs/"
}
# Destination for bucket notifications; the validation below rejects
# anything other than the two supported services at plan time.
variable "s3_notification_type" {
  description = "The destination type that should be used for S3 notifications: `SNS` or `SQS`. Defaults to `SQS`"
  type        = string
  default     = "SQS"

  validation {
    condition     = contains(["SNS", "SQS"], var.s3_notification_type)
    error_message = "Valid values for variable 's3_notification_type' are: ['SNS', 'SQS']."
  }
}
# ARN of an existing SNS topic (used with use_existing_sns_topic).
variable "sns_topic_arn" {
  description = "The SNS topic ARN"
  type        = string
  default     = ""
}
# Name for the SNS topic; empty lets the module generate one.
variable "sns_topic_name" {
  description = "The SNS topic name"
  type        = string
  default     = ""
}
# Caller-managed KMS key for SNS at-rest encryption.
variable "sns_topic_encryption_key_arn" {
  description = "The ARN of an existing KMS encryption key to be used for SNS"
  type        = string
  default     = ""
}
# SNS topic encryption stays on unless explicitly turned off.
variable "sns_topic_encryption_enabled" {
  description = "Set this to `false` to disable encryption on a sns topic. Defaults to true"
  type        = bool
  default     = true
}
# Name for the SQS queue; empty lets the module generate one.
variable "sqs_queue_name" {
  description = "The SQS queue name"
  type        = string
  default     = ""
}
# SQS server-side encryption (on by default); key comes from sqs_encryption_key_arn.
variable "sqs_encryption_enabled" {
  description = "Set this to `true` to enable server-side encryption on SQS."
  type        = bool
  default     = true
}
# KMS key for SQS SSE. The description says it is required when encryption
# is enabled, yet the default is empty and encryption defaults to true;
# the fallback (module key vs. AWS-managed key) is decided elsewhere.
variable "sqs_encryption_key_arn" {
  description = "The ARN of the KMS encryption key to be used for SQS (Required when `sqs_encryption_enabled` is `true`)"
  type        = string
  default     = ""
}
# Chooses S3 event notifications over CloudTrail-driven delivery.
variable "use_s3_bucket_notification" {
  description = "Set this to `true` to use S3 bucket notifications instead of CloudTrail. When set to `false` CloudTrail will be used. Defaults to `false`"
  type        = bool
  default     = false
}
# Reuse an existing trail; bucket_arn and cloudtrail_name then become required.
variable "use_existing_cloudtrail" {
  description = "Set this to true to use an existing cloudtrail. Default behavior enables new cloudtrail"
  type        = bool
  default     = false
}
# Send access logs to a pre-existing bucket named by log_bucket_name.
variable "use_existing_access_log_bucket" {
  description = "Set this to `true` to use an existing bucket for access logging. Default behavior creates a new access log bucket if logging is enabled"
  type        = bool
  default     = false
}
# Reuse the topic identified by sns_topic_arn instead of creating one.
variable "use_existing_sns_topic" {
  description = "Set this to true to use an existing SNS topic. Default behavior creates a new SNS topic"
  type        = bool
  default     = false
}
# Trail name; with use_existing_cloudtrail it must match the existing trail.
variable "cloudtrail_name" {
  description = "The name of the CloudTrail. Required when setting use_existing_cloudtrail to true"
  type        = string
  default     = "lacework-cloudtrail"
}
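# Name for the cross-account IAM policy attached to the Lacework role.
# An empty default presumably lets the module derive a name from `prefix`;
# confirm against the resource that consumes this variable.
variable "cross_account_policy_name" {
  type        = string
  default     = ""
  description = "Optional name for the Lacework cross-account IAM policy. Leave empty to use the module-generated name."
}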
# Extra queues the cross-account policy should grant Lacework access to.
# Keep this list to the queues Lacework actually needs (least privilege).
variable "sqs_queues" {
  description = "List of SQS queues to configure in the Lacework cross-account policy"
  type        = list(string)
  default     = []
}
# Display name of the integration created on the Lacework side.
variable "lacework_integration_name" {
  description = "The name of the integration in Lacework."
  type        = string
  default     = "TF cloudtrail"
}
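# Account that the cross-account role trusts. This is the principal allowed
# to assume the role, so a wrong value here is a trust-policy misconfiguration;
# the validation rejects anything that is not a 12-digit AWS account ID.
variable "lacework_aws_account_id" {
  type        = string
  default     = "434813966438"
  description = "The Lacework AWS account that the IAM role will grant access"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.lacework_aws_account_id))
    error_message = "Variable 'lacework_aws_account_id' must be a 12-digit AWS account ID."
  }
}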
# Delay inserted between dependent resources (duration string, e.g. "10s").
variable "wait_time" {
  description = "Amount of time to wait before the next resource is provisioned."
  type        = string
  default     = "10s"
}
# Tags propagated to every resource the module creates.
variable "tags" {
  description = "A map/dictionary of Tags to be assigned to created resources"
  type        = map(string)
  default     = {}
}
# Automatic yearly rotation of the module-created KMS key. Off by default;
# enabling it is the usual hardening recommendation for long-lived log keys.
variable "kms_key_rotation" {
  description = "Enable KMS automatic key rotation"
  type        = bool
  default     = false
}
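# Pending-deletion window for the module-created KMS key. AWS only accepts
# 7-30 days; validating here surfaces an out-of-range value at plan time.
# A longer window gives more time to recover a key that still protects logs.
variable "kms_key_deletion_days" {
  type        = number
  default     = 30
  description = "The waiting period, specified in number of days, before the KMS key is deleted (7-30)"

  validation {
    condition     = var.kms_key_deletion_days >= 7 && var.kms_key_deletion_days <= 30
    error_message = "Variable 'kms_key_deletion_days' must be between 7 and 30 (inclusive)."
  }
}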
# Whether the created KMS key is multi-region (default) or single-region.
variable "kms_key_multi_region" {
  description = "Whether the KMS key is a multi-region or regional key"
  type        = bool
  default     = true
}
# Turns on S3 object-level (data event) logging in the trail.
variable "enable_cloudtrail_s3_management_events" {
  description = "Enable CloudTrail Object-level logging"
  type        = bool
  default     = false
}
# ARN of a trail that lives in a different account; null when not applicable.
variable "cross_account_cloudtrail_arn" {
  description = "If using an existing CloudTrail in another account, provide the ARN here"
  type        = string
  default     = null
}