From c58be7d97478c133a1917632c92297a08b61a639 Mon Sep 17 00:00:00 2001
From: xpk
Date: Thu, 28 Jan 2021 16:36:32 +0800
Subject: [PATCH] DOC: added readme
---
 layers/networking/base-network/main.tf | 1 +
 modules/networking/vpc_subnets/README.md | 31 +++++++++++++++++++
 modules/networking/vpc_subnets/variables.tf | 18 ++++++++---
 modules/networking/vpc_subnets/vpc-flowlog.tf | 2 +-
 .../cloudtrail_cwlogs/README.md | 14 ++++++++-
 .../roles_iam_resources/README.md | 12 +++++++
 6 files changed, 72 insertions(+), 6 deletions(-)
 create mode 100644 modules/networking/vpc_subnets/README.md
diff --git a/layers/networking/base-network/main.tf b/layers/networking/base-network/main.tf
index ad9b9b2..88174ea 100644
--- a/layers/networking/base-network/main.tf
+++ b/layers/networking/base-network/main.tf
@@ -13,4 +13,5 @@ module networking-vpc-subnets {
 vpc-cidr = "10.2.0.0/16"
 aws-region-short = "apne1"
 aws-region = var.aws-region
+ vpcflowlog-cwl-loggroup-key-arn = "arn:aws:kms:${var.aws-region}:${data.aws_caller_identity.this.account_id}:alias/${local.resource-prefix}-kmskey-default"
 }
\ No newline at end of file
diff --git a/modules/networking/vpc_subnets/README.md b/modules/networking/vpc_subnets/README.md
new file mode 100644
index 0000000..59b2073
--- /dev/null
+++ b/modules/networking/vpc_subnets/README.md
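Review bot: The added `vpcflowlog-cwl-loggroup-key-arn` line hand-builds a KMS alias ARN from a naming convention (`alias/${local.resource-prefix}-kmskey-default`) instead of referencing the key, so a typo or a renamed alias is not caught at plan time and only surfaces when CloudWatch Logs rejects the log group at apply. CloudWatch Logs documents the log-group `kms_key_id` as a key ARN; I am not certain an alias ARN is accepted there, and the input name itself says "arn", so this should be verified before relying on it. A safer form resolves the alias in this layer and passes the real key ARN: `data "aws_kms_alias" "default" { name = "alias/${local.resource-prefix}-kmskey-default" }` and then `vpcflowlog-cwl-loggroup-key-arn = data.aws_kms_alias.default.target_key_arn`, which also makes the plan fail if the key does not exist. The `module networking-vpc-subnets` block starts before the hunk, and `data.aws_caller_identity.this` and `local.resource-prefix` are assumed to be declared elsewhere in the layer.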
@@ -0,0 +1,31 @@
+# Overview
+This module performs the following tasks:
+
+- Create VPC, vpcflow log
+- Create subnets in every AZ
+- Create IGW, NGW
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes |
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes |
+| number-of-private-subnets-per-az | number of private subnets per az | number | 0 | yes |
+| number-of-public-subnets-per-az | number of public subnets per az | number | 0 | yes |
+| create-nat-gateway | whether to deploy NAT gateway for private subnets | bool | true | yes |
+| vpc-cidr | VPC cidr | string | none | yes |
+| enable-flowlog | whether to enable vpc flowlog | bool | true | yes |
+| vpcflowlog-retain-days | number of days to retain vpc cloudwatch log | number | 90 | yes |
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+| aws-region | aws region (e.g. ap-northeast-1) | string | none | yes |
+| vpcflowlog-cwl-loggroup-key-arn | kms key alias arn for log group encryption | string | none | yes |
+
+## Outputs:
+| Name | Description | Type |
+|------|-------------|------|
+| vpc_id | vpc id | string |
+| public_subnets | list of cidr blocks | list |
+| private_subnets | list of cidr blocks | list |
diff --git a/modules/networking/vpc_subnets/variables.tf b/modules/networking/vpc_subnets/variables.tf
index bcff993..2f1b96d 100644
--- a/modules/networking/vpc_subnets/variables.tf
+++ b/modules/networking/vpc_subnets/variables.tf
@@ -12,9 +12,18 @@ locals { # VPC variables variable vpc-cidr {} -variable number-of-public-subnets-per-az {} -variable number-of-private-subnets-per-az {} -variable create-nat-gateway {} +variable number-of-public-subnets-per-az { + type = number + default = 0 +} +variable number-of-private-subnets-per-az { + type = number + default = 0 +} +variable create-nat-gateway { + type = bool + default = false +} variable enable-flow-log { type = bool default = true @@ -22,4 +31,5 @@ variable enable-flow-log { variable vpcflowlog-retain-days { type = number default = 90 -} \ No newline at end of file +} +variable vpcflowlog-cwl-loggroup-key-arn {} \ No newline at end of file diff --git a/modules/networking/vpc_subnets/vpc-flowlog.tf b/modules/networking/vpc_subnets/vpc-flowlog.tf index 9fc43a1..437f1fb 100644 --- a/modules/networking/vpc_subnets/vpc-flowlog.tf +++ b/modules/networking/vpc_subnets/vpc-flowlog.tf @@ -16,7 +16,7 @@ resource "aws_cloudwatch_log_group" "vpcflowlog-loggroup" { count = var.enable-flow-log ? 1 : 0 name_prefix = "vpcflowlog/${aws_vpc.vpc.id}/" - kms_key_id = "arn:aws:kms:${var.aws-region}:${data.aws_caller_identity.this.account_id}:alias/lab-apne1-racken-cleanslate-kmskey-default" + kms_key_id = var.vpcflowlog-cwl-loggroup-key-arn retention_in_days = var.vpcflowlog-retain-days tags = var.default-tags diff --git a/modules/security_identity_compliance/cloudtrail_cwlogs/README.md b/modules/security_identity_compliance/cloudtrail_cwlogs/README.md index e3b2339..64e92cc 100644 --- a/modules/security_identity_compliance/cloudtrail_cwlogs/README.md +++ b/modules/security_identity_compliance/cloudtrail_cwlogs/README.md 
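Review bot: The new `create-nat-gateway` default is `false`, but the README for this module added in the same commit documents it as `true`; one of the two should change, because for any caller that does not set this input the default now decides whether private subnets get egress at all. The README likewise documents the flow-log switch as `enable-flowlog` while this file declares `enable-flow-log`, so a caller copying the documented name gets an unknown-variable error. Since the README is maintained by hand, each of the newly typed variables would also benefit from a `description`, e.g. `description = "Deploy a NAT gateway for the private subnets (default: no NAT, no egress)"`. The `locals` block named in the hunk header ends before these lines.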
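Review bot: `variable vpcflowlog-cwl-loggroup-key-arn {}` is declared with no type or description even though the sibling variables in this file now carry `type`, and it is the only input that controls whether flow-log data lands in an unencrypted-by-CMK log group. Declaring it as `type = string` with a `description = "KMS key ARN for the flow-log log group; the key policy must allow the CloudWatch Logs service principal"` documents the operational requirement at the point where operators look for it. I would deliberately keep it required (no `default`) so the module can never be applied with flow logs enabled and no key; if a `default = null` is added later for the `enable-flow-log = false` case, that trade-off should be called out. A `validation` block checking the value starts with `arn:aws` would be a further guard, assuming the Terraform version in use supports it.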
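Review bot: `kms_key_id = var.vpcflowlog-cwl-loggroup-key-arn` moves the key choice to the caller, but nothing here records that the key's policy must grant the CloudWatch Logs service principal for the region (`logs.<region>.amazonaws.com`) the encrypt, decrypt, generate-data-key and describe permissions; without that the log group creation fails at apply with an access-denied error from Logs, and because `count` is driven by `enable-flow-log` the failure is easy to misread as a flow-log configuration problem. A one-line comment on this attribute would save the next operator a round trip: `# Key policy must allow the CloudWatch Logs service principal for this region, wherever the key is created.` The `aws_cloudwatch_log_group` resource block begins before and ends after the hunk.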
@@ -6,4 +6,16 @@ This module performs the following tasks:
 - Create cloudtrail
 - Create cloudwatch log group for cloudtrail
 - Create cloudwatch metric filter for CIS1.1
-- Create cloudwatch alarm for CIS1.1
\ No newline at end of file
+- Create cloudwatch alarm for CIS1.1
+
+## Inputs:
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| application | name of application | string | none | yes |
+| environment | capacity of environment (prd/dev/lab) | string | none | yes |
+| customer-name | owner of aws resources | string | none | yes |
+| project | name of project | string | none | yes |
+| default-tags | tags to be added to resources | list | none | yes |
+| cloudtrail-retain-days | Days before cloudtrail logs are expired on s3 | number | 90 | yes |
+| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes |
+
diff --git a/modules/security_identity_compliance/roles_iam_resources/README.md b/modules/security_identity_compliance/roles_iam_resources/README.md
index 0f9613f..8647a0b 100644
--- a/modules/security_identity_compliance/roles_iam_resources/README.md
+++ b/modules/security_identity_compliance/roles_iam_resources/README.md
@@ -5,3 +5,15 @@ This module performs the following tasks - Create IAM password policy - Enable IAM access analyzer +## Inputs: +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:-----:| +| application | name of application | string | none | yes | +| environment | capacity of environment (prd/dev/lab) | string | none | yes | +| customer-name | owner of aws resources | string | none | yes | +| project | name of project | string | none | yes | +| default-tags | tags to be added to resources | list | none | yes | +| aws-region-short | short name of aws region (e.g. apne1) | string | none | yes | +| create-cloudhealth-resources | create cloudhealth role | bool | none | yes | +| cloudheath-ext-id1 | cloudhealth role external id for sts | string | none | no | +| cloudheath-ext-id2 | cloudhealth role external id for sts | string | none | no |