adding file to list necessary CSS TF Module inputs. (#321)
Co-authored-by: marti926 <marti926@iebcloud.csvd.census.gov>
Co-authored-by: Donald E Badrak II <donald.e.badrak.ii@census.gov>
1 parent: ddc21d1; commit: 4aecaec
Showing 1 changed file with 123 additions and 0 deletions.
aws/projects/ois-cloud-storage-security/CSS_TF_NecessaryInputs.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| # Cloud Storage Security Terraform Module - Necessary Inputs | ||
|
|
||
| --- | ||
|
|
||
| ## Required Inputs | ||
| These variables must be set in the module block when using this module: | ||
|
|
||
| ### `cidr` (list(string)) | ||
| - **Description**: The CIDR blocks which are allowed access to the CSS Console (e.g., `0.0.0.0/0` for open access). | ||
|
|
||
| ### `email` (string) | ||
| - **Description**: The email address to be used for the initial admin account created for the CSS Console. | ||
|
|
||
| ### `subnet_a_id` (string) | ||
| - **Description**: A subnet ID within the VPC that may be used for ECS tasks for this deployment. | ||
|
|
||
| ### `subnet_b_id` (string) | ||
| - **Description**: A second subnet ID within the VPC that may be used for ECS tasks for this deployment. We recommend choosing subnets in different availability zones. | ||
|
|
||
| ### `vpc` (string) | ||
| - **Description**: The VPC in which to place the user-facing Console. | ||
|
|
||
| ## Also Necessary Inputs | ||
|
|
||
| ### `allow_access_to_all_kms_keys` (bool) | ||
| - **Description**: Pick `true` if you would like to give the scanner access to all KMS encrypted buckets. | ||
| - **Default**: `true` or 'false' | ||
| - **Comment**: May want to specify kms keys | ||
|
|
||
| ### `api_request_scaling_policy_prefix` (string) | ||
| - **Description**: Prefix for the AutoScaling policy for the API Service. | ||
| - **Default**: `"ApiServiceRequestScaling"` | ||
| - **Comment**: `<Census Aligned Prefix>"` | ||
|
|
||
| ### `application_bucket_prefix` (string) | ||
| - **Description**: Prefix for the main application bucket name. | ||
| - **Default**: `"cloudstoragesec"` | ||
| - **Comment**: `<Census Aligned Prefix>"` | ||
|
|
||
| ### `aws_account` (string) | ||
| - **Description**: The AWS account number where resources are being deployed. Defaults to the effective Account ID in which Terraform is authorized if not set. | ||
| - **Default**: `<Account ID>` | ||
|
|
||
| ### `buckets_to_protect` (string) | ||
| - **Description**: Enter any pre-existing buckets to enable event-based protection. Bucket names must be separated by commas (e.g., `bucket1,bucket2,bucket3`). | ||
| - **Default**: `"<Include Lab Buckets to test>"` | ||
|
|
||
| ### `configure_load_balancer` (bool) | ||
| - **Description**: Whether the Console should be deployed behind a load balancer. | ||
| - **Default**: `false` or 'true' | ||
| - **Comment**: Will decide based on Network Requirements | ||
|
|
||
| ### `console_auto_assign_public_ip` (bool) | ||
| - **Description**: Whether a public IP should be assigned to the console. If set to `false`, ensure the console can still reach AWS services via a proxy or NAT gateway. | ||
| - **Default**: `true` | ||
| - **Comment**: Will decide based on Network Requirements | ||
|
|
||
| ### `custom_resource_tags` (map(string)) | ||
| - **Description**: Map of custom tags to apply to resources. | ||
| - **Default**: `{}` | ||
|
|
||
| ### `ecr_account` (string) | ||
| - **Description**: The AWS Account ID containing the ECR repositories for the CSS Console and Agent images. | ||
| - **Default**: `null` | ||
|
|
||
| ### `enable_large_file_scanning` (bool) | ||
| - **Description**: Enable scanning for files too large for the normal agent. | ||
| - **Default**: `false` | ||
|
|
||
| ### `event_bridge_role_name` (string) | ||
| - **Description**: Optional Role name for AWS EventBridge execution. | ||
| - **Default**: `null` | ||
| - **Comment**: `<Census Aligned Role Name>` | ||
|
|
||
| ### `internal_lb` (bool) | ||
| - **Description**: Specify if the load balancer should be internal. | ||
| - **Default**: `false` | ||
| - **Comment**: Will decide based on Network Requirements | ||
|
|
||
| ### lb_cert_arn (string) | ||
| - **Description**: The certificate arn to use for the load balancer. Required if `configure_load_balancer` is true | ||
| - **Default**: `null` | ||
|
|
||
| ### lb_subnet_a_id (string) | ||
| - **Description**: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. ** Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. ** | ||
| - **Default**: `null` | ||
|
|
||
| ### lb_subnet_b_id (string) | ||
| - **Description**: A subnet in your VPC in which the Load Balancer can be placed. Ensure this subnet allows outbound internet traffic. **Subnet B must be different from Subnet A and should be in a different Availability Zones. Leave blank to use same subnet as Console. If specified, must be in same AZ as Console subnet. ** | ||
| - **Default**: `null` | ||
|
|
||
| ### parameter_prefix (string) | ||
| - **Description**: Prefix for SSM Parameters | ||
| - **Default**: `CloudStorageSecConsole' | ||
| - **Comment**: `<Census Aligned Prefix>` | ||
|
|
||
| ### quarantine_bucket_prefix (string) | ||
| - **Description**: Prefix for the quarantine bucket | ||
| - **Default**: `"cloudstoragesecquarantine"` | ||
| - **Comment**: `<Census Aligned Prefix>` | ||
|
|
||
|
|
||
| ### service_name (string) | ||
| - **Description**: A prefix to place on resources that this Terraform template creates. May be overriden if there is an organizational standard for resource name prefixes that needs to be followed. values: any string, but should be short to avoid possibly attempting to create resources with names that exceed the max allowed length | ||
| - **Default**: `CloudStorageSec` | ||
| - **Comment**: `<Census Aligned Prefix>` | ||
| - **Comment**: This may not be aligned with the type of prefixes want to implement. Including for further review if necessary | ||
|
|
||
| ### set_log_group_retention_policy (bool) | ||
| - **Description**: Whether we should set a retention policy on CSS created log groups. AWS Landing Zone Accelerator environments must set this to false. | ||
| - **Default**: `true` | ||
|
|
||
| ### sns_cmk_key_arn (string) | ||
| - **Description**: Optional ARN for the CMK that should be used for the AWS KMS encryption for Notifications SNS topic. Cloud Storage Security Console and Agent IAM Roles will be given permission to use this key. | ||
| - **Default**: `null` | ||
|
|
||
| ### sns_topic_policy_override_policy_documents list(string) | ||
| - **Description**: List of IAM policy documents that are merged together into the default SNS 'Notifications' Topic. Passed in via `override_policy_documents` in `aws_iam_policy_document` data source. Users should omit definition of the `resources` attribute in statement(s) as the module will set resources to target only the 'Notifications' SNS topic. [IAM Policy documents # Override policy docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#override_policy_documents) | ||
| - **Default**: `[]` | ||
|
|
||
| ### trusted_load_balancer_network (string) | ||
| - **Description**: If you are using your own load balancer or other appliance to forward traffic to the Console, enter the trusted IP address range (CIDR notation) that will be routing traffic to the Console. Leave blank if you are not supplying your own load balancer. | ||
| - **Default**: `` |
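Review bot: several entries in this hunk state a default that is not a single value or is mis-quoted, which leaves whoever fills in the module block guessing: `allow_access_to_all_kms_keys` and `configure_load_balancer` list `` `true` or 'false' `` / `` `false` or 'true' `` where one value should be given and the alternative moved to the Comment line; `api_request_scaling_policy_prefix` and `application_bucket_prefix` carry a stray closing `"` inside the backticks (`` `<Census Aligned Prefix>"` ``); `parameter_prefix` closes its default with `'` instead of a backtick; and `trusted_load_balancer_network` has an empty default that should be written out as `""` or `null`. The `lb_subnet_b_id` description contradicts itself: it first asks for a different Availability Zone and then says the subnet "must be in same AZ as Console subnet"; that second sentence looks copied from `lb_subnet_a_id` and should be dropped. Because this file is the security baseline for the deployment, two defaults deserve a stronger comment than "May want to specify kms keys": `allow_access_to_all_kms_keys` defaulting to `true` gives the scanner access to every KMS-encrypted bucket in the account, so the guidance should be to set it to `false` and enumerate the specific keys, and the `cidr` example `0.0.0.0/0` would expose the Console admin login to the internet and should be replaced with the organization's trusted ranges. Minor: headings from `lb_cert_arn` onward drop the backticks and the parenthesized type used earlier (`### sns_topic_policy_override_policy_documents list(string)`), and "overriden" in `service_name` is a typo.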