appvia/terraform-aws-landing-zone-sandbox
Terraform Sandbox Landing Zones

Description

The purpose of this module is to provision a sandbox environment in which developers can experiment with AWS resources. The module provisions a VPC, subnets, security groups and other supporting resources so that developers can experiment with AWS in a safe and controlled manner. It also provisions a nuke service that automatically cleans resources out of the account on a schedule.

The module is intended to be provisioned once per account, per region.

Usage

You can find an example of how to use this module below.

provider "aws" {
  alias  = "test_sandbox"
  region = var.region

  assume_role_with_web_identity {
    role_arn                = "arn:aws:iam::${var.aws_accounts["ho-sandbox"]}:role/${local.managed_role_name}"
    session_name            = var.provider_session_name
    web_identity_token_file = var.provider_web_identity_token_file
  }
}

module "test_sandbox" {
  source = "github.com/appvia/terraform-aws-landing-zone-sandbox?ref=main"

  environment = "Sandbox"
  owner       = "Solutions"
  product     = "Sandbox"
  region      = var.region
  tags        = var.tags

  anomaly_detection = {
    enable_default_monitors = true
  }

  providers = {
    aws.tenant     = aws.test_sandbox
    aws.identity   = aws.identity
    aws.network    = aws.network
    aws.management = aws.management
  }
}

Update Documentation

The terraform-docs utility is used to generate this README. Follow the below steps to update:

  1. Make changes to the .terraform-docs.yml file.
  2. Fetch the terraform-docs binary (https://terraform-docs.io/user-guide/installation/).
  3. Run: terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .

Providers

Name        Version
aws.tenant  >= 5.0.0

Inputs

Each input is listed with its description, type, default and whether it is required.

git_repository
  Description: The git repository that calls this module
  Type: string
  Default: n/a
  Required: yes

owner
  Description: The owner of the product, injected into all resource tags
  Type: string
  Default: n/a
  Required: yes

region
  Description: The region in which the landing zone resources are provisioned
  Type: string
  Default: n/a
  Required: yes

tags
  Description: A collection of tags to apply to resources
  Type: map(string)
  Default: n/a
  Required: yes

cost_center
  Description: The cost center of the product, injected into all resource tags
  Type: string
  Default: null
  Required: no

dns
  Description: A collection of DNS zones to provision and associate with networks
  Type:
    map(object({
      comment = optional(string, "Managed by zone created by terraform")
      # A comment associated with the DNS zone
      network = string
      # The name of the network to associate with the DNS zone
      private = optional(bool, true)
      # A flag indicating if the DNS zone is private or public
    }))
  Default: {}
  Required: no

networks
  Description: A collection of networks to provision within the designated region
  Type:
    map(object({
      firewall = optional(object({
        capacity = number
        # The capacity of the firewall rule group
        rules_source = string
        # The content of the suricata rules
        ip_sets = map(list(string))
        # A map of IP sets to apply to the firewall rule, e.g. WEBSERVERS = ["100.0.0.0/16"]
        port_sets = map(list(number))
        # A map of port sets to apply to the firewall rule, e.g. WEBSERVERS = [80, 443]
        domains_whitelist = list(string)
      }), null)

      subnets = map(object({
        cidr = optional(string, null)
        # The CIDR block of the subnet
        netmask = optional(number, 0)
        # The netmask of the subnet if using IPAM
      }))

      vpc = object({
        availability_zones = optional(string, 2)
        # The number of availability zones in which to provision the network, defaults to 2
        cidr = optional(string, null)
        # The CIDR block of the VPC network if not using IPAM
        enable_private_endpoints = optional(list(string), [])
        # An optional list of private endpoints to associate with the network, e.g. ["s3", "dynamodb"]
        enable_shared_endpoints = optional(bool, true)
        # Indicates if the network should accept shared endpoints
        enable_transit_gateway = optional(bool, true)
        # A flag indicating if the network should be associated with the transit gateway
        enable_transit_gateway_appliance_mode = optional(bool, false)
        # A flag indicating if the transit gateway should be in appliance mode
        enable_default_route_table_association = optional(bool, true)
        # A flag indicating if the default route table should be associated with the network
        enable_default_route_table_propagation = optional(bool, true)
        # A flag indicating if the default route table should be propagated to the network
        ipam_pool_name = optional(string, null)
        # The name of the IPAM pool to use for the network
        nat_gateway_mode = optional(string, "none")
        # The NAT gateway mode to use for the network, defaults to none
        netmask = optional(number, 0)
        # The netmask of the VPC network if using IPAM
        transit_gateway_routes = optional(map(string), null)
        # An optional map of routes to associate with the transit gateway
      })
    }))
  Default: {}
  Required: no

notifications
  Description: A collection of notifications to send to users
  Type:
    object({
      email = optional(object({
        addresses = list(string)
        # A list of email addresses to send notifications to
      }), {
        addresses = []
      })
      slack = optional(object({
        webhook_url = string
        # The Slack webhook_url to send notifications to
      }), {
        webhook_url = ""
      })
    })
  Default:
    {
      "email": {
        "addresses": []
      },
      "slack": {
        "webhook_url": ""
      }
    }
  Required: no

nuke
  Description: Indicates whether the automatic cleanup of resources should be enabled
  Type:
    object({
      enable = optional(bool, false)
      # A flag indicating if the nuke should be enabled
      enable_dry_run = optional(bool, true)
      # A flag indicating if the nuke dry run should be enabled
      exclude = optional(list(string), [])
      # A list of resources to exclude from the nuke
      schedule = optional(string, "cron(0 10 ? * FRI *)")
      # The schedule to run the nuke on
      schedule_dry_run = optional(string, "cron(0 9 ? * MON *)")
      # The schedule to run the dry run on
      configuration = optional(string, null)
      # Optional configuration file to use for the nuke
      filters = optional(list(object({
        property = string
        # The property to filter on
        type = string
        # The type of filter to apply
        value = string
        # The value to filter on
      })), [])
      ## A list of additional filters to apply to the nuke. Note, these are only
      ## referenced when no configuration variable is defined, i.e. the account
      ## is using the default configuration
    })
  Default:
    {
      "enable": true,
      "enable_dry_run": true,
      "exclude": [],
      "filters": [],
      "schedule": "cron(0 10 ? * FRI *)",
      "schedule_dry_run": "cron(0 9 ? * MON *)"
    }
  Required: no

rbac
  Description: Provides the ability to associate one or more users or groups with an SSO role in the account
  Type:
    map(object({
      users = optional(list(string), [])
      # A list of users to associate with the developer role
      groups = optional(list(string), [])
      # A list of groups to associate with the developer role
    }))
  Default: {}
  Required: no

service_control_policies
  Description: Provides the ability to associate one or more service control policies with the account
  Type:
    map(object({
      name = string
      # The policy name to associate with the account
      policy = string
      # The policy document to associate with the account
    }))
  Default: {}
  Required: no
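The following is an added example, not taken from the module's own documentation, showing how the networks, dns and nuke inputs compose in a single module call. The region, IPAM pool name, repository, tag values, the "IAMRole" exclusion and the filter semantics (property/type/value as understood by the nuke service) are assumptions chosen for illustration.

```hcl
module "sandbox" {
  source = "github.com/appvia/terraform-aws-landing-zone-sandbox?ref=main"

  environment    = "Sandbox"
  owner          = "Solutions"
  product        = "Sandbox"
  region         = "eu-west-2"                                # assumed region
  git_repository = "github.com/example-org/sandbox-config"    # placeholder repository
  tags           = { Team = "platform" }                      # constructed tag set

  # One IPAM-allocated VPC with no NAT gateway and no transit gateway attachment,
  # keeping the sandbox isolated from the rest of the organisation's network.
  networks = {
    sandbox = {
      vpc = {
        ipam_pool_name           = "sandbox-pool"             # assumed IPAM pool name
        netmask                  = 21
        nat_gateway_mode         = "none"
        enable_private_endpoints = ["s3", "dynamodb"]
        enable_transit_gateway   = false
      }
      subnets = {
        private = { netmask = 24 }
        public  = { netmask = 24 }
      }
    }
  }

  # A private hosted zone associated with the network defined above.
  dns = {
    "sandbox.example.internal" = {
      network = "sandbox"
      private = true
    }
  }

  # Dry run on Monday so the report can be reviewed before the real nuke on Friday.
  nuke = {
    enable           = true
    enable_dry_run   = true
    schedule_dry_run = "cron(0 9 ? * MON *)"
    schedule         = "cron(0 10 ? * FRI *)"
    exclude          = ["IAMRole"]                            # assumed resource type name
    filters = [
      { property = "tag:Owner", type = "exact", value = "platform" } # assumed filter semantics
    ]
  }

  providers = {
    aws.tenant     = aws.test_sandbox
    aws.identity   = aws.identity
    aws.network    = aws.network
    aws.management = aws.management
  }
}
```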

Outputs

Name                        Description
account_id                  The account id where the pipeline is running
networks                    A map of the network name to network details
private_hosted_zones_by_id  A map of the hosted zone name to id
vpc_ids                     A map of the network name to vpc id

About

Terraform module used to provision a sandbox account.
