AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
							variable "tags" {
  type = map
  default = { } 
}

variable "cloudtrail_key_arn" {
  # Unfortunately, if we use the alias, it modifies it every time, so we have to grab the actual arn
  type = string
}

# ----------------------------------
# Below this line are variables inherited from higher levels, so they
# do not need to be explicitly passed to this module.
variable "standard_tags" { type = map }
variable "account_list" { type = list }
variable "aws_account_id" { type = string }
variable "aws_partition" { type = string }
variable "aws_region" { type = string }
variable "environment" { type = string }
variable "key_pairs" { type = map }
variable "c2_accounts" { type = map }

# Calculate some local variables
locals {
  logging_environment = var.environment == "common" ? "prod" : var.environment # common logs to prod
  c2_account = var.c2_accounts[var.aws_partition]
  is_c2 = var.aws_account_id == local.c2_account ? true : false
}

# Carried over from TF11, may not be used or accurate:
variable "alarm_namespace" {
  description = "The namespace in which all alarms are set up."
  default     = "dps-alarm-benchmark"
}

variable "cloudtrail_log_group_name" {
  description = "The name of the CloudWatch Logs group to which CloudTrail events are delivered."
  default     = "aws-cis-logs"
}

variable "sns_topic_name" {
  description = "The name of the SNS Topic which will be notified when any alarm is performed."
  default     = "dps-alarm"
}

variable "sqs_queue_name" {
  description = "The name of the SQS queue to receive alerts from cloudwatch"
  default     = "dps-alarm-sqs"
}

variable "resource_name_prefix" {
  description = "All the resources will be prefixed with this varible"
  default     = "aws-cis"
}

variable "lambda_timeout" {
  description = "Default timeout of lambda fucntions"
  default     = 180
}

variable "lambda_dry_run" {
  description = "Sets DRY_RUN environment variable for all lambda functions"
  default     = false
}

variable "lambda_aggressive" {
  description = "Sets AGGRESSIVE mode as true for lambda fucntions"
  default     = true
}

variable "lambda_mfa_checker_user_prefix" {
  description = "Comma separated list of prefixes that mfa checker lambda helper will ignore"
  default     = ""
}

variable "lambda_mfa_checker_user_suffix" {
  description = "Comma separated list of suffixes that mfa checker lambda helper will ignore"
  default     = ""
}

variable "lambda_user_inactivity_limit" {
  description = "Disable inactive users more than N days"
  default     = 90
}

variable "lambda_access_key_age_max" {
  description = "Expire access keys after N days"
  default     = 90
}

variable "lambda_access_key_age_notify" {
  description = "Start to send notifications for expiring keys N before"
  default     = 7
}

variable "lambda_cron_schedule" {
  description = "Default Cron schedule for lambda helpers"
  default     = "cron(0 6 * * ? *)"
}

variable "temp_artifacts_dir" {
  description = "The path for creating the zip file"
  default     = "/tmp/terraform-aws-cis-fundatentals/artifacts"
}

variable "iam_require_uppercase_characters" {
  description = "Require at least one uppercase letter in passwords"
  default     = true
}

variable "iam_require_lowercase_characters" {
  description = "Require at least one lowercase letter in passwords"
  default     = true
}

variable "iam_require_symbols" {
  description = "Require at least one symbol in passwords"
  default     = true
}

variable "iam_require_numbers" {
  description = "Require at least one number in passwords"
  default     = true
}

variable "iam_minimum_password_length" {
  description = "Require minimum lenght of password"
  default     = 14
}

variable "iam_password_reuse_prevention" {
  description = "Prevent password reuse N times"
  default     = 24
}

variable "iam_max_password_age" {
  description = "Passwords expire in N days"
  default     = 90
}

variable "iam_allow_users_to_change_password" {
  description = "Can users change their own password"
  default     = true
}

variable "iam_hard_expiry" {
  description = "Everyone needs hard reset for expired passwords"
  default     = true
}

variable "billing_s3_bucket_policy" {
  description = "Custom S3 bucket policy for billing logs. The default policy will be used if not defined"
  default     = ""
}

# The default policy will be used if this left empty
variable "cloudtrail_kms_policy" {
  description = "KMS policy for Cloudtrail logs."
  default     = ""
}

# "ReadOnly", "WriteOnly", "All".
variable "clodtrail_event_selector_type" {
  description = "Log type for event selectors"
  default     = "All"
}