# How often AWS Config delivers a full configuration snapshot to the delivery
# channel. Accepted values are listed in the description; the default is the
# least frequent (and cheapest) option.
variable "delivery_frequency" {
  description = "The frequency with which AWS Config recurringly delivers configuration snapshots. May be one of One_Hour, Three_Hours, Six_Hours, Twelve_Hours, or TwentyFour_Hours"
  type        = string
  default     = "TwentyFour_Hours"
}
# Toggle for the configuration recorder itself. Setting this to false stops
# AWS Config from recording changes while leaving the rest of the module in place.
variable "enable_recorder" {
  description = "Whether the configuration recorder should be enabled or disabled"
  type        = bool
  default     = true
}
# Object retention in days. 2555 days is roughly seven years, a common
# audit-retention horizon; presumably applied as an S3 lifecycle expiration on
# the delivery bucket — confirm against the bucket resource.
variable "expiration" {
  description = "The number of days to wait before expiring an object"
  type        = number
  default     = 2555
}
# Days before a delivered object is moved to the Glacier storage class.
# Must be smaller than var.expiration for the transition to ever take effect.
variable "transition_to_glacier" {
  description = "The number of days to wait before transitioning an object to Glacier"
  type        = number
  default     = 30
}
# Selects the role this account plays: true for the central aggregator that
# collects findings, false (default) for a source account that is aggregated.
variable "is_aggregator" {
  description = "Whether the account is to be an aggregator or not"
  type        = bool
  default     = false
}
# Account that is authorised to aggregate this account's Config data.
# Left null on the aggregator itself; source accounts are expected to set it.
variable "aggregator_account_id" {
  description = "The AWS Account ID of the aggregator account"
  type        = string
  default     = null
}
# Region in which the aggregator lives. Paired with aggregator_account_id;
# the aggregation authorisation is region-specific.
variable "aggregator_account_region" {
  description = "The AWS Region of the aggregator account"
  type        = string
  default     = null
}
# Accounts whose Config data the aggregator collects. Only meaningful when
# is_aggregator is true; an empty list aggregates nothing.
variable "source_account_ids" {
  description = "List of 12-digit account IDs of the accounts being aggregated"
  type        = list(string)
  default     = []
}
# Delivery bucket for configuration snapshots and history. No default: this is
# the one input every caller must supply regardless of role.
variable "bucket_name" {
  description = "The bucket name - required by both aggregator and source accounts"
  type        = string
}
# Server-side encryption for the delivery bucket. S3 accepts "AES256" (SSE-S3)
# or "aws:kms" (SSE-KMS); choosing the latter requires bucket_kms_master_key and
# a key policy that lets the AWS Config service write with it.
variable "bucket_sse_algorithm" {
  description = "The server-side encryption algorithm to use"
  type        = string
  default     = "AES256"
}
# KMS key used when bucket_sse_algorithm is "aws:kms". Ignored for the default
# SSE-S3 configuration, hence the null default.
variable "bucket_kms_master_key" {
  description = "The AWS KMS master key ID used for the SSE-KMS encryption"
  type        = string
  default     = null
}
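# Managed AWS Config rules to deploy, keyed by a local name. Each entry carries
# the rule name, its source (owner + managed-rule identifier) and a scope that
# restricts which resource types trigger an evaluation.
#
# NOTE: with type map(any) Terraform has to unify all values to one element
# type, so every entry must keep the same name / source / scope shape — do not
# drop the scope block from one entry only.
variable "config_rules" {
  type        = map(any)
  description = "A map of config rules keyed by local name. By not specifying, a minimum set of recommended rules are applied"
  default = {
    eip_attached = {
      name = "eip-attached"
      source = {
        owner             = "AWS"
        source_identifier = "EIP_ATTACHED"
      }
      scope = {
        compliance_resource_types = ["AWS::EC2::EIP"]
      }
    }
    encrypted_volumes = {
      name = "encrypted-volumes"
      source = {
        owner             = "AWS"
        source_identifier = "ENCRYPTED_VOLUMES"
      }
      scope = {
        # ENCRYPTED_VOLUMES checks EBS volumes. The previous scope of
        # AWS::EC2::SecurityGroup meant the rule was never triggered for a
        # volume, so unencrypted volumes went unreported.
        compliance_resource_types = ["AWS::EC2::Volume"]
      }
    }
    s3_bucket_logging_enabled = {
      name = "s3-bucket-logging-enabled"
      source = {
        owner             = "AWS"
        source_identifier = "S3_BUCKET_LOGGING_ENABLED"
      }
      scope = {
        compliance_resource_types = ["AWS::S3::Bucket"]
      }
    }
    acm_certificate_expiration_check = {
      name = "acm-certificate-expiration-check"
      source = {
        owner             = "AWS"
        source_identifier = "ACM_CERTIFICATE_EXPIRATION_CHECK"
      }
      scope = {
        compliance_resource_types = ["AWS::ACM::Certificate"]
      }
    }
    ec2_instances_in_vpc = {
      name = "ec2-instances-in-vpc"
      source = {
        owner             = "AWS"
        source_identifier = "INSTANCES_IN_VPC"
      }
      scope = {
        compliance_resource_types = ["AWS::EC2::Instance"]
      }
    }
    s3_bucket_ssl_requests_only = {
      name = "s3-bucket-ssl-requests-only"
      source = {
        owner             = "AWS"
        source_identifier = "S3_BUCKET_SSL_REQUESTS_ONLY"
      }
      scope = {
        compliance_resource_types = ["AWS::S3::Bucket"]
      }
    }
    root_account_mfa_enabled = {
      name = "root-account-mfa-enabled"
      source = {
        owner             = "AWS"
        source_identifier = "ROOT_ACCOUNT_MFA_ENABLED"
      }
      scope = {
        # ROOT_ACCOUNT_MFA_ENABLED is an account-level check, so an S3 bucket
        # scope does not describe what it evaluates. Kept only to preserve the
        # uniform map(any) element shape — NOTE(review): confirm against AWS
        # Config that the scope is ignored for this periodic rule, and verify
        # the rule actually reports on the root user.
        compliance_resource_types = ["AWS::S3::Bucket"]
      }
    }
  }
}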
# Record global resources (IAM users, roles, policies, ...) alongside regional
# ones. Needed for identity-related rules; if the module is deployed in several
# regions of one account, presumably only one of them should set this to avoid
# duplicate IAM records — confirm with the deployment layout.
variable "include_global_resource_types" {
  description = "Specifies whether AWS Config includes all supported types of global resources with the resources that it records"
  type        = bool
  default     = true
}
# Explicit allow-list of resource types to record. Null (default) leaves the
# choice to the recorder resource, which presumably falls back to recording all
# supported types — confirm against the recording_group in the module.
variable "resource_types" {
  description = "A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail)"
  type        = list(string)
  default     = null
}