terraform-aws-mcaf-avm

Terraform module providing an AWS Account Vending Machine (AVM). This module sets up an AWS account with one or more Terraform Cloud/Enterprise (TFE) workspace(s) backed by a VCS project.

AWS SSO Configuration

In the account_settings variable, the SSO attributes (sso_email, sso_firstname and sso_lastname) will be used by AWS Service Catalog to provide initial access to the newly created account.

You should use the details from the AWS Control Tower Admin user.

How to use

Basic configuration

module "aws_account" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-avm?ref=VERSION"

  name = "my-aws-account"

  account_settings = {
    create_email_address = true
    email                = "my-aws-account@email.com"
    environment          = "prod"
    organizational_unit  = "Production"
    sso_email            = "control-tower-admin@schubergphilis.com"
    sso_firstname        = "AWS Control Tower"
    sso_lastname         = "Admin"
  }

  tfe_workspace_settings = {
    global_remote_state       = false
    oauth_token_id            = var.oauth_token_id
    remote_state_consumer_ids = toset(["ws-aaaabbbbccccdddd", "ws-eeeeffffgggghhhh"]) # or null
    repository_identifier     = "schubergphilis/terraform-aws-mcaf-avm"
    terraform_organization    = "schubergphilis"
    terraform_version         = "1.0.6"
    working_directory         = "terraform" # or null
  }
}

Additional workspaces

module "aws_account" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-avm?ref=VERSION"

  name = "my-aws-account"

  account_settings = {
    create_email_address = true
    email                = "my-aws-account@email.com"
    environment          = "prod"
    organizational_unit  = "Production"
    sso_email            = "control-tower-admin@schubergphilis.com"
    sso_firstname        = "AWS Control Tower"
    sso_lastname         = "Admin"
  }

  tfe_workspace_settings = {
    global_remote_state       = false
    oauth_token_id            = var.oauth_token_id
    remote_state_consumer_ids = toset(["ws-aaaabbbbccccdddd", "ws-eeeeffffgggghhhh"]) # or null
    repository_identifier     = "schubergphilis/terraform-aws-mcaf-avm"
    terraform_organization    = "schubergphilis"
    terraform_version         = "1.0.6"
    working_directory         = "terraform" # or null
  }

  additional_tfe_workspaces = [
    {
      agent_pool_id                  = null
      auto_apply                     = true
      branch                         = "master"
      clear_text_env_variables       = {}
      clear_text_hcl_variables       = {}
      clear_text_terraform_variables = {}
      create_repository              = false
      file_triggers_enabled          = true
      global_remote_state            = false
      name                           = "my-aws-account-baseline"
      oauth_token_id                 = var.oauth_token_id
      policy                         = null
      policy_arns                    = ["arn:aws:iam::aws:policy/AdministratorAccess"]
      remote_state_consumer_ids      = toset(["ws-aaaabbbbccccdddd", "ws-eeeeffffgggghhhh"]) # or null
      repository_identifier          = "schubergphilis/terraform-aws-mcaf-avm"
      sensitive_env_variables        = {}
      sensitive_hcl_variables        = {}
      sensitive_terraform_variables  = {}
      slack_notification_triggers    = []
      slack_notification_url         = null
      ssh_key_id                     = null
      terraform_organization         = "schubergphilis"
      terraform_version              = "1.0.6"
      trigger_prefixes               = null
      username                       = null
      working_directory              = "terraform" # or null
    }
  ]
}

Requirements

Name	Version
terraform	>= 0.13
tfe	>= 0.25.0

Providers

Name	Version
aws.account	n/a

Modules

Name	Source	Version
account	github.com/schubergphilis/terraform-aws-mcaf-account	v0.4.0
additional_tfe_workspaces	github.com/schubergphilis/terraform-aws-mcaf-workspace	v0.6.0
tfe_workspace	github.com/schubergphilis/terraform-aws-mcaf-workspace	v0.6.0

Resources

Name	Type
aws_iam_account_alias.alias	resource

Inputs

Name	Description	Type	Default	Required
account_settings	Account settings	object({ alias_prefix = string create_email_address = string email = string environment = string organizational_unit = string sso_email = string sso_firstname = string sso_lastname = string })	n/a	yes
name	Name of the account	string	n/a	yes
tags	A mapping of tags to assign to resource	map(string)	n/a	yes
additional_tfe_workspaces	Additional TFE Workspaces	map(object({ agent_pool_id = string auto_apply = bool branch = string clear_text_env_variables = map(string) clear_text_hcl_variables = map(string) clear_text_terraform_variables = map(string) execution_mode = string file_triggers_enabled = bool global_remote_state = bool oauth_token_id = string policy = string policy_arns = list(string) remote_state_consumer_ids = set(string) repository_identifier = string sensitive_env_variables = map(string) sensitive_hcl_variables = map(object({ sensitive = string })) sensitive_terraform_variables = map(string) slack_notification_triggers = list(string) slack_notification_url = string ssh_key_id = string terraform_organization = string terraform_version = string trigger_prefixes = list(string) username = string working_directory = string }))	{}	no
region	The default region of the account	string	"eu-west-1"	no
tfe_workspace_agent_pool_id	Agent pool ID	string	null	no
tfe_workspace_auto_apply	Whether to automatically apply changes when a Terraform plan is successful	bool	false	no
tfe_workspace_branch	The Git branch to trigger the TFE workspace for	string	"master"	no
tfe_workspace_clear_text_env_variables	An optional map with clear text environment variables	map(string)	{}	no
tfe_workspace_clear_text_hcl_variables	An optional map with clear text HCL Terraform variables	map(string)	{}	no
tfe_workspace_clear_text_terraform_variables	An optional map with clear text Terraform variables	map(string)	{}	no
tfe_workspace_execution_mode	Which TFE workspace execution mode to use	string	"remote"	no
tfe_workspace_file_triggers_enabled	Whether to filter runs based on the changed files in a VCS push	bool	true	no
tfe_workspace_name	Custom workspace name (overrides var.name)	string	null	no
tfe_workspace_policy	The policy to attach to the pipeline user	string	null	no
tfe_workspace_policy_arns	A set of policy ARNs to attach to the pipeline user	list(string)	[ "arn:aws:iam::aws:policy/AdministratorAccess" ]	no
tfe_workspace_sensitive_env_variables	An optional map with sensitive environment variables	map(string)	{}	no
tfe_workspace_sensitive_hcl_variables	An optional map with sensitive HCL Terraform variables	map(object({ sensitive = string }))	{}	no
tfe_workspace_sensitive_terraform_variables	An optional map with sensitive Terraform variables	map(string)	{}	no
tfe_workspace_settings	TFE Workspaces settings	object({ global_remote_state = bool oauth_token_id = string remote_state_consumer_ids = set(string) repository_identifier = string terraform_organization = string terraform_version = string working_directory = string })	null	no
tfe_workspace_slack_notification_triggers	The triggers to send to Slack	list(string)	[ "run:created", "run:planning", "run:needs_attention", "run:applying", "run:completed", "run:errored" ]	no
tfe_workspace_slack_notification_url	The Slack Webhook URL to send notification to	string	null	no
tfe_workspace_ssh_key_id	The SSH key ID to assign to the workspace	string	null	no
tfe_workspace_trigger_prefixes	List of repository-root-relative paths which should be tracked for changes	list(string)	[ "modules" ]	no

Outputs

Name	Description
additional_tfe_workspace	Map of additional TFE workspaces containing name and workspace ID
id	The AWS account ID
tfe_workspace_id	The TFE workspace ID