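variable "notification" {
  description = "The configuration for how to send notifications."

  # Every channel is optional; a channel left at null is simply not configured.
  # NOTE(review): the slack/teams webhook URLs are bearer credentials (anyone
  # holding the URL can post to the channel). `sensitive = true` would keep them
  # out of plan output, but sensitive values cannot drive for_each, so confirm how
  # main.tf consumes this object before adding it.
  type = object({
    email = optional(object({
      addresses = list(string)
    }), null)
    slack = optional(object({
      lambda_name = optional(string, "alarms-notifications")
      webhook_url = string
    }), null)
    teams = optional(object({
      webhook_url = string
    }), null)
  })

  # Webhook URLs must be HTTPS: an http:// webhook would send both the alarm
  # payload and the URL that authenticates the poster in clear text.
  # try() yields "" for a channel that is null, and compact() drops it, so only
  # configured channels are checked.
  validation {
    condition = alltrue([
      for url in compact([
        try(var.notification.slack.webhook_url, ""),
        try(var.notification.teams.webhook_url, ""),
      ]) : startswith(url, "https://")
    ])
    error_message = "The notification slack/teams webhook_url values must be HTTPS URLs."
  }
}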
variable "enable_administrator_sso_activity" {
  # Toggle for the administrator_sso_activity alarm; on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the administrator_sso_activity alarm is enabled or not."
}
variable "enable_breakglass_activity" {
  # Toggle for the break-glass login alarm; on unless the caller opts out.
  # NOTE(review): the variable says "activity" while the description names the
  # alarm "breakglass_logins" — confirm against the alarm definition and align.
  type        = bool
  default     = true
  description = "The boolean flag whether the breakglass_logins alarm is enabled or not."
}
variable "enable_unauthorized_api_calls" {
  # Toggle for the unauthorized_api_calls alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not."
}
variable "enable_no_mfa_console_signin" {
  # Toggle for the no_mfa_console_signin alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the no_mfa_console_signin alarm is enabled or not."
}
variable "enable_mfa_console_signin_allow_sso" {
  # When true, SSO-authenticated console sign-ins are excluded from the
  # no_mfa_console_signin alarm — MFA enforcement for those sign-ins then rests
  # with the identity provider rather than with this alarm. Off by default so
  # SSO sign-ins stay in scope.
  type        = bool
  default     = false
  description = "The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored."
}
variable "enable_root_usage" {
  # Toggle for the root_usage alarm (a CIS benchmark monitoring control);
  # on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the root_usage alarm is enabled or not."
}
variable "enable_iam_changes" {
  # Toggle for the iam_changes alarm (a CIS benchmark monitoring control);
  # on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the iam_changes alarm is enabled or not."
}
variable "enable_cloudtrail_cfg_changes" {
  # Toggle for the cloudtrail_cfg_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not."
}
variable "enable_console_signin_failures" {
  # Toggle for the console_signin_failures alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the console_signin_failures alarm is enabled or not."
}
variable "enable_disable_or_delete_cmk" {
  # Toggle for the disable_or_delete_cmk alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the disable_or_delete_cmk alarm is enabled or not."
}
variable "enable_s3_bucket_policy_changes" {
  # Toggle for the s3_bucket_policy_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not."
}
variable "enable_aws_config_changes" {
  # Toggle for the aws_config_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the aws_config_changes alarm is enabled or not."
}
variable "enable_security_group_changes" {
  # Toggle for the security_group_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the security_group_changes alarm is enabled or not."
}
variable "enable_nacl_changes" {
  # Toggle for the nacl_changes alarm (a CIS benchmark monitoring control);
  # on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the nacl_changes alarm is enabled or not."
}
variable "enable_network_gw_changes" {
  # Toggle for the network_gw_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the network_gw_changes alarm is enabled or not."
}
variable "enable_route_table_changes" {
  # Toggle for the route_table_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the route_table_changes alarm is enabled or not."
}
variable "enable_vpc_changes" {
  # Toggle for the vpc_changes alarm (a CIS benchmark monitoring control);
  # on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the vpc_changes alarm is enabled or not."
}
variable "enable_organizations_changes" {
  # Toggle for the organizations_changes alarm (a CIS benchmark monitoring
  # control); on unless the caller opts out.
  type        = bool
  default     = true
  description = "The boolean flag whether the organizations_changes alarm is enabled or not."
}
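variable "sns_topic_name" {
  description = "The name of the SNS topic to create for alarms."
  type        = string
  default     = "cis-benchmark-alarms"

  # Standard SNS topic names are 1-256 characters of ASCII letters, digits,
  # underscores and hyphens. Rejecting anything else at plan time gives a clearer
  # error than the API failure at apply time.
  validation {
    condition     = can(regex("^[A-Za-z0-9_-]{1,256}$", var.sns_topic_name))
    error_message = "The sns_topic_name must be 1-256 characters of letters, digits, underscores or hyphens."
  }
}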
variable "create_sns_topic" {
  # Whether this module owns the alarm SNS topic. Presumably, when false, a topic
  # named by sns_topic_name is expected to already exist — verify in main.tf.
  type        = bool
  default     = true
  description = "The boolean flag whether to create the SNS topic for alarms."
}
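variable "cloudtrail_log_group_name" {
  description = "The name of the CloudTrail log group to filter on."
  type        = string
  default     = "aws-controltower/CloudTrailLogs"

  # CloudWatch log group names are 1-512 characters drawn from letters, digits,
  # '_', '-', '/', '.' and '#'. An empty or malformed name would otherwise only
  # fail when the metric filters are created.
  validation {
    condition     = can(regex("^[A-Za-z0-9_./#-]{1,512}$", var.cloudtrail_log_group_name))
    error_message = "The cloudtrail_log_group_name must be a valid CloudWatch log group name (1-512 characters of letters, digits, '_', '-', '/', '.' or '#')."
  }
}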
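variable "alarm_namespace" {
  description = "The cloudwatch alarm namespace."
  type        = string
  default     = "cis-benchmark"

  # Custom CloudWatch metric namespaces are 1-255 characters, must not start with
  # ':' and must not use the reserved "AWS/" prefix.
  validation {
    condition = (
      length(var.alarm_namespace) >= 1 &&
      length(var.alarm_namespace) <= 255 &&
      !startswith(var.alarm_namespace, ":") &&
      !startswith(var.alarm_namespace, "AWS/")
    )
    error_message = "The alarm_namespace must be 1-255 characters, must not start with ':' and must not use the reserved 'AWS/' prefix."
  }
}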
variable "tags" {
  # No default, so every caller has to pass a value (even an empty map).
  type        = map(string)
  description = "A map of tags to add to all resources"
}
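variable "accounts_id_to_name_parameter_arn" {
  # The example previously used a 10-digit account ID, which the validation
  # below (12 digits) would reject; it now uses the 12-digit placeholder
  # 123456789012.
  description = "The ARN of the parameter that contains the account ID to name mapping. This ARN will be attached to the lambda execution role as a resource, therefore a valid resource must exist, e.g. 'arn:aws:ssm:eu-west-2:123456789012:parameter/myorg/configmaps/accounts_id_to_name_mapping', to enable the lambda to retrieve values from SSM."
  type        = string
  default     = null

  # Only validated when set; null means the lambda is not granted SSM access.
  # The pattern accepts any partition (aws, aws-cn, aws-us-gov), a region,
  # a 12-digit account ID and a parameter path.
  validation {
    condition     = var.accounts_id_to_name_parameter_arn == null ? true : can(regex("^arn:[^:]+:ssm:[a-z0-9-]+:[0-9]{12}:parameter/.+$", var.accounts_id_to_name_parameter_arn))
    error_message = "The accounts_id_to_name_parameter_arn must be a valid SSM parameter ARN of the form arn:<partition>:ssm:<region>:<12-digit account id>:parameter/<name>."
  }
}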
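variable "cloudwatch_log_group_retention" {
  description = "The retention period for the cloudwatch log group (for lambda function logs) in days"
  # Kept as a string for compatibility with existing callers; the validation
  # below checks that it parses as one of the retention values CloudWatch
  # accepts. 0 is the provider's "never expire" value — presumably passed
  # straight to retention_in_days, confirm in main.tf.
  type    = string
  default = "0"

  # try() maps an unparsable value to -1, which is never in the allowed set, so
  # a non-numeric string fails validation instead of erroring.
  validation {
    condition = contains(
      [0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653],
      try(tonumber(var.cloudwatch_log_group_retention), -1)
    )
    error_message = "The cloudwatch_log_group_retention must be one of the retention periods accepted by CloudWatch Logs (0 for never expire, or 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653 days)."
  }
}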
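variable "identity_center_start_url" {
  description = "The start URL of your Identity Center instance"
  type        = string
  default     = null

  # Only validated when set. Identity Center start URLs are HTTPS; a plain-http
  # value would send the sign-in redirect over an unprotected channel.
  validation {
    condition     = var.identity_center_start_url == null ? true : can(regex("^https://", var.identity_center_start_url))
    error_message = "The identity_center_start_url must be an HTTPS URL."
  }
}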
variable "identity_center_role" {
  # Optional; null leaves the redirect without a role.
  # NOTE(review): whether this is an IAM role name or an Identity Center
  # permission set name is not visible here — confirm where it is interpolated
  # before adding a format validation.
  type        = string
  default     = null
  description = "The name of the role to use when redirecting through Identity Center"
}