terraform.aws-baseline-infra/examples/bea-adc/main.tf

# Network baseline for the ADC example: a VPC with per-AZ public and private
# subnets, with VPC Flow Logs delivered to CloudWatch Logs. S3 delivery of the
# same flow logs is declared as a separate resource further down in this file.
module "vpc-subnets" {
  source = "../../modules/networking/vpc_subnets"

  # Identity and tagging inputs shared by every module in this example.
  application   = var.application
  aws-region    = var.aws-region
  customer-name = var.customer-name
  default-tags  = local.default-tags
  environment   = var.environment
  project       = var.project

  # Address plan.
  vpc-cidr                         = var.vpc-cidr
  number-of-private-subnets-per-az = var.number-of-private-subnets-per-az
  number-of-public-subnets-per-az  = var.number-of-public-subnets-per-az

  # No NAT gateway and no VPC endpoints: presumably the private subnets (where
  # the AD Connector lives) get no outbound internet path, which is the
  # intended isolation for this example — confirm against the module.
  create-nat-gateway        = false
  create-free-vpc-endpoints = false

  # Flow logs to CloudWatch Logs, retained for 90 days. The empty key ARN
  # presumably leaves the log group on AWS-managed encryption rather than a
  # customer-managed KMS key — confirm how the module treats "".
  enable-flow-log                 = true
  vpcflowlog-retain-days          = 90
  vpcflowlog-cwl-loggroup-key-arn = ""
}
# The S3 flow log must be created separately; it is not supported by the vpc_subnets module.
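# VPC Flow Logs to S3, capturing both accepted and rejected traffic for the
# VPC created by module "vpc-subnets". The bucket referenced by
# var.vpc-flowlog-bucket-arn must carry a bucket policy that permits the VPC
# Flow Logs delivery service to write to it; that policy is not managed here.
resource "aws_flow_log" "vpc-log-s3" {
  log_destination      = var.vpc-flowlog-bucket-arn
  log_destination_type = "s3"
  traffic_type         = "ALL" # ACCEPT and REJECT records
  vpc_id               = module.vpc-subnets.vpc_id

  # Tag the flow log like the module-managed resources so it is not missed by
  # tag-based inventory or cost allocation. Assumes local.default-tags is the
  # map(string) the modules consume as default-tags.
  tags = local.default-tags
}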
/*
After the AD Connector (adc) is deployed by Terraform, the following tasks must be performed manually;
they cannot be managed by Terraform:
1. Edit the security group created for the AD Connector. The SG name is d-???_controllers
2. Enable client LDAPS communication
3. Set up maintenance notifications through SNS
4. Enable the SSO application. Setting enable_sso in the member account results in an error; alias is deliberately not set
*/
# AD Connector placed in the private subnets of the VPC built above and joined
# to an existing directory. The manual post-apply steps are listed in the
# comment that precedes this block.
module "adconnector" {
  source = "../../modules/security_identity_compliance/ds-adconnector"

  default-tags = local.default-tags

  # Placement: VPC and private subnets from the networking module.
  adc-vpc-id     = module.vpc-subnets.vpc_id
  adc-subnet-ids = module.vpc-subnets.private-subnet-ids
  adc-size       = var.adc-size

  # Directory to connect to.
  adc-domainname = var.adc-domainname
  adc-dns-ips    = var.adc-dns-ips

  # Service-account credentials. The password arrives through a plain input
  # variable; it should be declared `sensitive = true` in variables.tf and fed
  # from a secrets store rather than a committed .tfvars file — confirm, as
  # variables.tf is not visible here. The value still ends up in Terraform
  # state, so the state backend must be encrypted and access-restricted.
  adc-service-account-username = var.adc-service-account-username
  adc-service-account-password = var.adc-service-account-password
}