DOC: added readme

2021-01-28 16:36:32 +08:00 · 2021-01-28 16:36:32 +08:00 · c58be7d974
commit c58be7d974
parent 69fe037ec9
6 changed files with 72 additions and 6 deletions
--- a/layers/networking/base-network/main.tf
+++ b/layers/networking/base-network/main.tf
@ -13,4 +13,5 @@ module networking-vpc-subnets {
  vpc-cidr = "10.2.0.0/16"
  aws-region-short = "apne1"
  aws-region = var.aws-region
+  vpcflowlog-cwl-loggroup-key-arn = "arn:aws:kms:${var.aws-region}:${data.aws_caller_identity.this.account_id}:alias/${local.resource-prefix}-kmskey-default"
 }
--- a/modules/networking/vpc_subnets/README.md
+++ b/modules/networking/vpc_subnets/README.md
@ -0,0 +1,31 @@
+# Overview
+This module performs the following tasks:
+
+- Create VPC, vpcflow log
+- Create subnets in every AZ
+- Create IGW, NGW
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes | 
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes | 
+| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
+| number-of-public-subnets-per-az | number of public subnets per az  | number | 0 | yes |
+| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
+| vpc-cidr | VPC cidr | string | none | yes |
+| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
+| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
+| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |  
+
+## Outputs:
+| Name | Description | Type |
+|------|-------------|------|
+| vpc_id | vpc id | string |
+| public_subnets | list of cidr blocks | list |
+| private_subnets | list of cidr blocks | list |
--- a/modules/networking/vpc_subnets/variables.tf
+++ b/modules/networking/vpc_subnets/variables.tf
@ -12,9 +12,18 @@ locals {

 # VPC variables
 variable vpc-cidr {}
-variable number-of-public-subnets-per-az {}
-variable number-of-private-subnets-per-az {}
-variable create-nat-gateway {}
+variable number-of-public-subnets-per-az {
+  type = number
+  default = 0
+}
+variable number-of-private-subnets-per-az {
+  type = number
+  default = 0
+}
+variable create-nat-gateway {
+  type = bool
+  default = false
+}
 variable enable-flow-log {
  type = bool
  default = true
@ -22,4 +31,5 @@ variable enable-flow-log {
 variable vpcflowlog-retain-days {
  type = number
  default = 90
-}
+}
+variable vpcflowlog-cwl-loggroup-key-arn {}
--- a/modules/networking/vpc_subnets/vpc-flowlog.tf
+++ b/modules/networking/vpc_subnets/vpc-flowlog.tf
@ -16,7 +16,7 @@ resource "aws_cloudwatch_log_group" "vpcflowlog-loggroup" {
  count = var.enable-flow-log ? 1 : 0

  name_prefix = "vpcflowlog/${aws_vpc.vpc.id}/"
-  kms_key_id = "arn:aws:kms:${var.aws-region}:${data.aws_caller_identity.this.account_id}:alias/lab-apne1-racken-cleanslate-kmskey-default"
+  kms_key_id = var.vpcflowlog-cwl-loggroup-key-arn

  retention_in_days = var.vpcflowlog-retain-days
  tags = var.default-tags
--- a/modules/security_identity_compliance/cloudtrail_cwlogs/README.md
+++ b/modules/security_identity_compliance/cloudtrail_cwlogs/README.md
@ -6,4 +6,16 @@ This module performs the following tasks:
 - Create cloudtrail
 - Create cloudwatch log group for cloudtrail
 - Create cloudwatch metric filter for CIS1.1
- Create cloudwatch alarm for CIS1.1
+- Create cloudwatch alarm for CIS1.1
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes | 
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes | 
+| cloudtrail-retain-days | Days before cloudtrail logs are expired on s3 | number | 90 | yes |
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+
--- a/modules/security_identity_compliance/roles_iam_resources/README.md
+++ b/modules/security_identity_compliance/roles_iam_resources/README.md
@ -5,3 +5,15 @@ This module performs the following tasks
 - Create IAM password policy
 - Enable IAM access analyzer

+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes | 
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes | 
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+| create-cloudhealth-resources | create cloudhealth role | bool | none | yes |
+| cloudheath-ext-id1 | cloudhealth role external id for sts | string | none | no |
+| cloudheath-ext-id2 | cloudhealth role external id for sts | string | none | no |