This is a Terraform deployment for creating the Web Application Scanning (WAS) DynamoDB database tables in the COOL User Services account.
To deploy it you need:

- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in `backend.tf`).
- An accessible AWS DynamoDB table to store the Terraform state lock (specified in `backend.tf`).
- Access to all of the Terraform remote states specified in `remote_states.tf`.
Required Terraform and provider versions:

| Name | Version |
|------|---------|
| terraform | ~> 1.1 |
| aws | ~> 4.9 |
Providers used by this deployment (the aliased `aws` providers target the Organizations read-only role and the User Services provisioning role respectively):

| Name | Version |
|------|---------|
| aws | ~> 4.9 |
| aws.organizationsreadonly | ~> 4.9 |
| aws.userservicesprovisionaccount | ~> 4.9 |
| terraform | n/a |
No modules.
Resources created (type `resource`) or read (type `data source`) by this deployment:

| Name | Type |
|------|------|
| aws_dynamodb_table.reports | resource |
| aws_dynamodb_table.stakeholders | resource |
| aws_iam_policy.provisionwasdb_policy | resource |
| aws_iam_policy.read_only | resource |
| aws_iam_policy.read_write | resource |
| aws_iam_role.read_only | resource |
| aws_iam_role.read_write | resource |
| aws_iam_role_policy_attachment.provisionwasdb_policy_attachment | resource |
| aws_iam_role_policy_attachment.read_only | resource |
| aws_iam_role_policy_attachment.read_write | resource |
| aws_caller_identity.current | data source |
| aws_caller_identity.userservices | data source |
| aws_iam_policy_document.provisionwasdb_policy_doc | data source |
| aws_iam_policy_document.read_only_doc | data source |
| aws_iam_policy_document.read_write_doc | data source |
| aws_iam_policy_document.users_account_assume_role_doc | data source |
| aws_organizations_organization.cool | data source |
| terraform_remote_state.master | data source |
| terraform_remote_state.userservices | data source |
Input variables (all have defaults, so none is required):

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
| provisionwasdb_policy_description | The description to associate with the IAM policy that allows provisioning of the WAS DynamoDB tables in the User Services account. | `string` | `"Allows provisioning of the WAS DB in the User Services account."` | no |
| provisionwasdb_policy_name | The name to assign the IAM policy that allows provisioning of the WAS DynamoDB tables in the User Services account. | `string` | `"ProvisionWASDB"` | no |
| read_only_policy_role_description | The description to associate with the IAM policy and role that allow read-only access to the WAS DynamoDB tables in the User Services account. | `string` | `"Allows read-only access to the WAS DB in the User Services account."` | no |
| read_only_policy_role_name | The name to assign the IAM policy and role that allow read-only access to the WAS DynamoDB tables in the User Services account. | `string` | `"WAS-DB-ReadOnly"` | no |
| read_write_policy_role_description | The description to associate with the IAM policy and role that allow read-write access to the WAS DynamoDB tables in the User Services account. | `string` | `"Allows read-write access to the WAS DB in the User Services account."` | no |
| read_write_policy_role_name | The name to assign the IAM policy and role that allow read-write access to the WAS DynamoDB tables in the User Services account. | `string` | `"WAS-DB-ReadWrite"` | no |
| reports_table_name | The name of the reports DynamoDB table. | `string` | `"reports"` | no |
| reports_table_partition_key | The name of the reports DynamoDB table partition (hash) key. It's best to choose an attribute with a wide range of values that is likely to have evenly distributed access patterns. | `string` | `"id"` | no |
| reports_table_partition_key_type | The data type of the reports DynamoDB table partition (hash) key. See https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypeDescriptors for a list of valid values. | `string` | `"S"` | no |
| reports_table_point_in_time_recovery | Whether to enable point-in-time recovery for the reports DynamoDB table. | `bool` | `false` | no |
| reports_table_read_capacity | The number of read capacity units for the reports DynamoDB table. | `number` | `5` | no |
| reports_table_sort_key | The name of the reports DynamoDB table sort (range) key. An empty string means the table has no sort key. | `string` | `""` | no |
| reports_table_sort_key_type | The data type of the reports DynamoDB table sort (range) key. See https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypeDescriptors for a list of valid values. | `string` | `"S"` | no |
| reports_table_write_capacity | The number of write capacity units for the reports DynamoDB table. | `number` | `5` | no |
| stakeholders_table_name | The name of the stakeholders DynamoDB table. | `string` | `"stakeholders"` | no |
| stakeholders_table_partition_key | The name of the stakeholders DynamoDB table partition (hash) key. It's best to choose an attribute with a wide range of values that is likely to have evenly distributed access patterns. | `string` | `"id"` | no |
| stakeholders_table_partition_key_type | The data type of the stakeholders DynamoDB table partition (hash) key. See https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypeDescriptors for a list of valid values. | `string` | `"S"` | no |
| stakeholders_table_point_in_time_recovery | Whether to enable point-in-time recovery for the stakeholders DynamoDB table. | `bool` | `false` | no |
| stakeholders_table_read_capacity | The number of read capacity units for the stakeholders DynamoDB table. | `number` | `5` | no |
| stakeholders_table_sort_key | The name of the stakeholders DynamoDB table sort (range) key. An empty string means the table has no sort key. | `string` | `""` | no |
| stakeholders_table_sort_key_type | The data type of the stakeholders DynamoDB table sort (range) key. See https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.NamingRulesDataTypes.html#HowItWorks.DataTypeDescriptors for a list of valid values. | `string` | `"S"` | no |
| stakeholders_table_write_capacity | The number of write capacity units for the stakeholders DynamoDB table. | `number` | `5` | no |
| tags | Tags to apply to all AWS resources created. | `map(string)` | `{}` | no |

Note that point-in-time recovery is disabled by default for both tables. If the WAS data must survive an accidental or malicious deletion, set `reports_table_point_in_time_recovery` and `stakeholders_table_point_in_time_recovery` to `true`.
Outputs exposed to other Terraform configurations via remote state:

| Name | Description |
|------|-------------|
| read_only_role | The WAS database read-only role. |
| read_write_role | The WAS database read-write role. |
| reports_table | The WAS reports DynamoDB table. |
| stakeholders_table | The WAS stakeholders DynamoDB table. |
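The `read_only` and `read_write` policies and roles listed in the resources above are the least-privilege boundary around these two tables: the read-only role must not be able to change or delete data, and neither role should reach any table other than `reports` and `stakeholders`. The following is an added example, not code from this repository, of a check that a rendered IAM policy document stays within that boundary. The three policy documents and the account ID `123456789012` are constructed stand-ins (the repository's real `read_only_doc` and `read_write_doc` are not shown on this page); the table ARNs are built from the page's defaults (`us-east-1`, `reports`, `stakeholders`), and the read/write action lists are deliberately short.

```python
"""Least-privilege check for the WAS DB IAM policy documents (added example,
not code from the cool-was-db repository). The policy documents and the
account ID 123456789012 are constructed stand-ins; the real read_only_doc and
read_write_doc are not reproduced on this page."""
import fnmatch

# DynamoDB actions that only read items or table metadata (constructed list).
READ_ACTIONS = {"dynamodb:BatchGetItem", "dynamodb:DescribeTable",
                "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"}
# Actions that create, change or delete items or the table itself.
WRITE_ACTIONS = {"dynamodb:BatchWriteItem", "dynamodb:CreateTable",
                 "dynamodb:DeleteItem", "dynamodb:DeleteTable", "dynamodb:PutItem",
                 "dynamodb:UpdateItem", "dynamodb:UpdateTable"}
KNOWN_ACTIONS = READ_ACTIONS | WRITE_ACTIONS

ACCOUNT_ID = "123456789012"  # placeholder, not the real User Services account
# Table ARNs built from the page's defaults (us-east-1, "reports", "stakeholders").
TABLE_ARNS = [f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/{t}"
              for t in ("reports", "stakeholders")]
# Secondary indexes live under <table-arn>/index/<name>.
TABLE_AND_INDEX_ARNS = TABLE_ARNS + [arn + "/index/*" for arn in TABLE_ARNS]

READ_ACTION_LIST = sorted(READ_ACTIONS)
READ_ONLY_DOC = {  # constructed: what a correct read_only_doc might render to
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": READ_ACTION_LIST,
                   "Resource": TABLE_AND_INDEX_ARNS}],
}
READ_WRITE_DOC = {  # constructed: the read actions plus item writes, same scope
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": READ_ACTION_LIST + ["dynamodb:BatchWriteItem",
                       "dynamodb:DeleteItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
                   "Resource": TABLE_AND_INDEX_ARNS}],
}
OVERBROAD_DOC = {  # constructed anti-pattern: every DynamoDB action on every table
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def expand_action(pattern):
    """Expand a (possibly wildcarded, case-insensitive) action against KNOWN_ACTIONS.
    An unrecognised pattern is returned as-is so it is reported, not silently dropped."""
    matches = {a for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return matches or {pattern}


def allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def granted_actions(doc):
    """Concrete actions granted by all Allow statements."""
    actions = set()
    for stmt in allow_statements(doc):
        for pattern in _as_list(stmt.get("Action")):
            actions |= expand_action(pattern)
    return actions


def write_actions_granted(doc):
    """Everything granted that is not a known read action; unknown actions count too."""
    return {a for a in granted_actions(doc) if a not in READ_ACTIONS}


def resources_outside(doc, table_arns):
    """Granted resources that are neither one of the tables nor one of their indexes."""
    outside = set()
    for stmt in allow_statements(doc):
        for res in _as_list(stmt.get("Resource")):
            if not any(res == a or res.startswith(a + "/index/") for a in table_arns):
                outside.add(res)
    return outside


def check_policy(doc, table_arns, expect_writes):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    if any("NotAction" in s or "NotResource" in s for s in allow_statements(doc)):
        findings.append("Allow statement uses NotAction/NotResource (open-ended grant)")
    writes = write_actions_granted(doc)
    if writes and not expect_writes:
        findings.append("read-only policy grants write actions: " + ", ".join(sorted(writes)))
    if expect_writes and not writes:
        findings.append("read-write policy grants no write actions")
    outside = resources_outside(doc, table_arns)
    if outside:
        findings.append("grants reach beyond the WAS tables: " + ", ".join(sorted(outside)))
    return findings


if __name__ == "__main__":
    for name, doc, writes in (("read_only", READ_ONLY_DOC, False),
                              ("read_write", READ_WRITE_DOC, True),
                              ("overbroad", OVERBROAD_DOC, False)):
        print(name, check_policy(doc, TABLE_ARNS, writes) or "OK")
```

To check the policies actually deployed, pass the policy document returned by `aws iam get-policy-version` to `check_policy` in place of the constructed documents. Unknown actions are deliberately treated as writes and wildcards are expanded before classification, so a document that grants `dynamodb:*` or `dynamodb:Batch*` to the read-only role is flagged rather than passed.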
Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, this is just the main directory.

Your first `terraform apply` will fail with an `AccessDeniedException`. This is expected since the required policy is not attached to the account provisioning role until after the first `terraform apply`. Simply run `terraform apply` again and it should succeed. If the second `terraform apply` fails with `AccessDeniedException` as well, the cause is not this bootstrap ordering and should be investigated rather than retried.
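The two-pass apply above is easy to get wrong in automation: a blanket retry loop hides a genuine permissions problem, while no retry at all leaves the first run broken. The following is an added example, not a script from this repository, of a wrapper that runs `terraform init` and then retries `terraform apply` exactly once, and only when the failure output contains the `AccessDeniedException` the note describes. It drives the real `terraform` binary through `subprocess`; `-auto-approve` is assumed for unattended use and can be dropped, and `FakeTerraform` is a constructed stand-in so the logic can be exercised without AWS credentials.

```python
"""Two-pass bootstrap for this deployment (added example, not a script from the
cool-was-db repository). Retries `terraform apply` once, and only on the
AccessDeniedException the Notes describe; any other failure stops the run.
FakeTerraform is a constructed stand-in so the logic can be exercised offline."""
import subprocess

EXPECTED_FIRST_RUN_ERROR = "AccessDeniedException"


def run_terraform(args, runner=subprocess.run):
    """Run `terraform <args>` in the current directory; return (exit code, combined output)."""
    proc = runner(["terraform", *args], capture_output=True, text=True)
    return proc.returncode, (proc.stdout or "") + (proc.stderr or "")


def apply_with_bootstrap_retry(runner=subprocess.run, apply_args=("-auto-approve",)):
    """Run `terraform apply`; on the documented first-run failure run it once more.

    Returns the attempt number that succeeded (1 or 2). Raises RuntimeError when
    apply fails for any other reason, or when the second attempt fails too, so a
    persistent permissions problem is never hidden behind a retry loop.
    """
    code, output = run_terraform(["apply", *apply_args], runner)
    if code == 0:
        return 1
    if EXPECTED_FIRST_RUN_ERROR not in output:
        raise RuntimeError(f"terraform apply failed for an unexpected reason:\n{output}")
    # The first apply hit the expected ordering problem: the ProvisionWASDB policy
    # is attached to the provisioning role only by that apply, so try exactly once more.
    code, output = run_terraform(["apply", *apply_args], runner)
    if code != 0:
        raise RuntimeError(f"second terraform apply also failed:\n{output}")
    return 2


def bootstrap(runner=subprocess.run):
    """`terraform init` (also what pre-commit needs) followed by the two-pass apply."""
    code, output = run_terraform(["init"], runner)
    if code != 0:
        raise RuntimeError(f"terraform init failed:\n{output}")
    return apply_with_bootstrap_retry(runner)


class FakeTerraform:
    """Constructed stand-in for the terraform binary: replays scripted (exit code, output) pairs."""

    def __init__(self, outcomes):
        self.outcomes = list(outcomes)
        self.calls = []  # every command line the wrapper would have executed

    def __call__(self, cmd, **kwargs):
        self.calls.append(cmd)
        code, output = self.outcomes.pop(0)
        return subprocess.CompletedProcess(cmd, code, stdout=output, stderr="")


if __name__ == "__main__":
    # Offline demonstration with scripted (constructed) output; drop `runner=` to
    # drive the real terraform binary from the deployment directory.
    fake = FakeTerraform([
        (0, "Terraform has been successfully initialized!"),
        (1, "Error: AccessDeniedException: not authorized (constructed sample output)"),
        (0, "Apply complete!"),
    ])
    print("apply succeeded on attempt", bootstrap(runner=fake))
```

Matching on the exception name in the combined output is the only assumption beyond the note itself; if you want to be stricter, also require that the first attempt failed while creating the DynamoDB tables, which is where the missing `ProvisionWASDB` policy bites.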
We welcome contributions! Please see `CONTRIBUTING.md` for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.