diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..2705490
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,19 @@
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 120
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[{Makefile,**.mk}]
+indent_style = tab
diff --git a/.github/.templatesyncignore b/.github/.templatesyncignore
new file mode 100644
index 0000000..e988577
--- /dev/null
+++ b/.github/.templatesyncignore
@@ -0,0 +1,5 @@
+README.md
+.github/workflows/*
+.terraform-docs.yml
+docs/20-badges.md
+*.tf
diff --git a/.github/pull_request-template.md b/.github/pull_request-template.md
new file mode 100644
index 0000000..60761ad
--- /dev/null
+++ b/.github/pull_request-template.md
@@ -0,0 +1,21 @@
+
+
+
+## What it solves
+
+...
+
+## How this PR fixes it
+
+...
+
+## Readiness Checklist
+
+### Author/Contributor
+- [ ] If documentation is needed for this change, has that been included in this pull request
+- [ ] Pull request title is brief and descriptive (for a changelog entry)
+
+### Reviewing Maintainer
+- [ ] Label as `breaking` if this is a large fundamental change
+- [ ] Label as either `automation`, `bug`, `documentation`, or `enhancement`
+- [ ] Label as `bump:patch`, `bump:minor`, or `bump:major` if this PR should create a new release
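Review bot: The file is added as `.github/pull_request-template.md` (hyphen before `template`), but GitHub only auto-applies pull request templates named `pull_request_template.md` (or `PULL_REQUEST_TEMPLATE.md`, or files inside a `PULL_REQUEST_TEMPLATE/` directory), so this template will not be pre-filled into new pull requests. Rename it to `.github/pull_request_template.md`. The three leading blank lines at the top of the file carry nothing and can be dropped.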
diff --git a/.github/workflows/linter.yaml b/.github/workflows/linter.yaml
new file mode 100644
index 0000000..79f6699
--- /dev/null
+++ b/.github/workflows/linter.yaml
@@ -0,0 +1,122 @@
+---
+################
+## Run linter ##
+################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Lint
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+###############
+# Run the job #
+###############
+jobs:
+ ##########
+ # TF fmt #
+ ##########
+ tf-fmt:
+ name: FMT
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #####################
+ # Run Terraform fmt #
+ #####################
+ - name: Terraform fmt
+ uses: dflook/terraform-fmt-check@v1.29.1
+
+ ##########
+ # TFLint #
+ ##########
+ tf-lint:
+ name: TFLint
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #################
+ # Cache plugins #
+ #################
+ - name: Cache plugin dir
+ uses: actions/cache@v3.0.11
+ with:
+ path: ~/.tflint.d/plugins
+ key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+ ################
+ # Setup TFLint #
+ ################
+ - name: Setup TFLint
+ uses: terraform-linters/setup-tflint@v2
+ with:
+ tflint_version: v0.42.2
+
+ ###############
+ # Init TFLint #
+ ###############
+ - name: Init TFLint
+ run: tflint --init
+
+ ##############
+ # Run TFLint #
+ ##############
+ - name: Run TFLint
+ run: tflint -f compact
+
+ ###########
+ # TF docs #
+ ###########
+ tf-docs:
+ name: Docs
+ if: ${{ github.event_name == 'pull_request' }}
+ permissions:
+ contents: write
+ pull-requests: write
+
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ ####################
+ # Update README.md #
+ ####################
+ - name: Terraform docs
+ uses: terraform-docs/gh-actions@v1.0.0
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ config-file: .terraform-docs.yml
+ git-push: true
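Review bot: The cache key `key: ${{ matrix.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` references `matrix.os`, but the tf-lint job declares no `strategy.matrix`, so the expression expands to an empty string and the key silently degrades to `-tflint-<hash>`; `key: ${{ runner.os }}-tflint-${{ hashFiles('.tflint.hcl') }}` is the intended form. Separately, every `uses:` in this workflow (and likewise in release.yaml, semantic-pr.yaml, sync-templates.yaml and validate.yaml) is pinned to a mutable tag such as `actions/checkout@v3.1.0` or the floating `terraform-linters/setup-tflint@v2`; pinning to the full commit SHA with the tag in a trailing comment removes the tag-retargeting risk for third-party actions. The workflow-level `pull-requests: write` is also wider than tf-fmt and tf-lint need — `contents: read` alone suffices for them, and the write grant belongs in the tf-docs job, which already overrides `permissions`. Note that `git-push: true` on a `pull_request` trigger will presumably fail for PRs from forks, where `GITHUB_TOKEN` is read-only and the head ref does not exist in this repository.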
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..a66b5c7
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,96 @@
+---
+#####################
+## Create releases ##
+#####################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Release
+on:
+ push:
+ branches: [ main ]
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ types: [ labeled ]
+
+#################
+# Start the job #
+#################
+jobs:
+ ###############
+ # Steps below #
+ ###############
+ create-release:
+ name: Create Release
+ if: github.event.action != 'labeled'
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ ###################################
+ # Bump version depending on label #
+ ###################################
+ - name: Bump version
+ if: "!startsWith(github.ref, 'refs/tags/')"
+ id: bumpr
+ uses: haya14busa/action-bumpr@v1
+
+ ###################
+ # Update the tags #
+ ###################
+ - name: Update tag
+ if: "!steps.bumpr.outputs.skip"
+ uses: haya14busa/action-update-semver@v1
+ with:
+ tag: ${{ steps.bumpr.outputs.next_version }}
+
+ ################
+ # Get tag name #
+ ################
+ - name: Get tag name
+ id: tag
+ uses: haya14busa/action-cond@v1
+ with:
+ cond: "${{ startsWith(github.ref, 'refs/tags/') }}"
+ if_true: ${{ github.ref }}
+ if_false: ${{ steps.bumpr.outputs.next_version }}
+
+ ##################
+ # Create release #
+ ##################
+ - name: Create release
+ uses: softprops/action-gh-release@v1
+ if: "steps.tag.outputs.value != ''"
+ with:
+ name: Release ${{ steps.tag.outputs.value }}
+ body: ${{ steps.bumpr.outputs.message }}
+ tag_name: ${{ steps.tag.outputs.value }}
+ draft: false
+ prerelease: false
+
+ ###########################
+ # Release preview comment #
+ ###########################
+ release-check:
+ if: github.event.action == 'labeled'
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #######################
+ # Post status comment #
+ #######################
+ - name: Post bumpr status comment
+ uses: haya14busa/action-bumpr@v1
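Review bot: This workflow declares no top-level `permissions:` block, so both jobs run with the repository's default token scope even though create-release needs only `contents: write` (tag update and release creation) plus `pull-requests: write` for the bumpr status comment; the same omission applies to sync-templates.yaml and validate.yaml, whereas linter.yaml and semantic-pr.yaml already scope the token explicitly. Add at workflow level `permissions:` / `  contents: write` / `  pull-requests: write` here, and `permissions:` / `  contents: read` in validate.yaml (sync-templates.yaml presumably needs `issues: write` for the label sync as well). The release-check job also lacks the `timeout-minutes` that create-release sets; `timeout-minutes: 5` would keep the two consistent.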
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
new file mode 100644
index 0000000..528ee15
--- /dev/null
+++ b/.github/workflows/semantic-pr.yaml
@@ -0,0 +1,73 @@
+---
+#####################
+## Run Semantic PR ##
+#####################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Semantic PR
+on:
+ pull_request:
+ types: [ opened, edited, synchronize ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ pull-requests: write
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # Semantic PR #
+ ###############
+ semantic-pr:
+ name: Validate PR
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ ############
+ # Check PR #
+ ############
+ - name: Check PR
+ id: lint-pr-title
+ uses: amannn/action-semantic-pull-request@v5.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ #############################
+ # Add PR comment with error #
+ #############################
+ - name: Add PR error comment
+ uses: marocchino/sticky-pull-request-comment@v2.3.0
+ if: always() && (steps.lint-pr-title.outputs.error_message != null)
+ with:
+ header: pr-title-lint-error
+ message: |
+ We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/) and it looks like your proposed title needs to be adjusted.
+
+ Details:
+
+ ```
+ ${{ steps.lint-pr-title.outputs.error_message }}
+ ```
+
+ ################################
+ # Delete PR comment with error #
+ ################################
+ - name: Delete PR error comment
+ uses: marocchino/sticky-pull-request-comment@v2.3.0
+ if: ${{ steps.lint_pr_title.outputs.error_message == null }}
+ with:
+ header: pr-title-lint-error
+ delete: true
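Review bot: The delete step's condition `if: ${{ steps.lint_pr_title.outputs.error_message == null }}` references `steps.lint_pr_title`, but the check step is registered as `id: lint-pr-title` (hyphens), so the lookup always resolves to null, the comparison is always true, and the sticky comment would be deleted on every run the step reaches. Change it to `if: ${{ steps.lint-pr-title.outputs.error_message == null }}`. The typo is masked today only because the delete step has no `always()` and is skipped whenever the check step fails, which is why it has not been noticed.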
diff --git a/.github/workflows/sync-templates.yaml b/.github/workflows/sync-templates.yaml
new file mode 100644
index 0000000..dfa10ab
--- /dev/null
+++ b/.github/workflows/sync-templates.yaml
@@ -0,0 +1,63 @@
+---
+#########################
+## Sync template files ##
+#########################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Sync templates
+on:
+ workflow_dispatch: # Trigger manually
+ schedule:
+ - cron: "0 0 1 * *" # Run at 00:00 on the first day of every month
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # Sync labels #
+ ###############
+ sync-labels:
+ name: Sync labels
+ runs-on: ubuntu-latest
+ steps:
+ ##################################
+ # Sync labels with template Repo #
+ ##################################
+ - name: Sync labels
+ uses: EndBug/label-sync@v2.3.1
+ with:
+ config-file: https://gist.githubusercontent.com/Ic3w0lf/f5520c5f19d7098966f692c120f7a197/raw/75b134f76fbc55e2e64bd66f04e571d6d74b815e/terraform-aws-module-labels.yaml
+
+ #######################
+ # Sync template files #
+ #######################
+ sync-template-files:
+ name: Sync template files
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ #######################
+ # Sync template files #
+ #######################
+ - name: actions-template-sync
+ uses: AndreasAugustin/actions-template-sync@v0.7.3
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ source_repo_path: geekcell/terraform-aws-module-template
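Review bot: The sync-template-files step authenticates with `github_token: ${{ secrets.GITHUB_TOKEN }}`; GitHub does not start new workflow runs for events created with that token, so any pull request this step opens will not trigger linter.yaml, validate.yaml or semantic-pr.yaml and will need a manual close/reopen, or a GitHub App / PAT stored as a repository secret, to get checks. The `concurrency.group` built from `github.head_ref` is always empty for `workflow_dispatch` and `schedule`, so the group collapses to the run id and never deduplicates here; `group: ${{ github.workflow }}` would be the meaningful form. `source_repo_path: geekcell/terraform-aws-module-template` also disagrees with the Makefile's `TEMPLATE_REPO := https://github.com/geekcell/template-terraform-module.git`; presumably one of the two is stale.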
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
new file mode 100644
index 0000000..1d0cd87
--- /dev/null
+++ b/.github/workflows/validate.yaml
@@ -0,0 +1,46 @@
+---
+##################
+## Run validate ##
+##################
+
+#
+# Documentation:
+# https://help.github.com/en/articles/workflow-syntax-for-github-actions
+#
+
+name: Validate
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+##########################
+# Prevent duplicate jobs #
+##########################
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+###############
+# Run the job #
+###############
+jobs:
+ ###############
+ # TF validate #
+ ###############
+ tf-validate:
+ name: Validate
+ runs-on: ubuntu-latest
+ steps:
+ ############################
+ # Checkout the source code #
+ ############################
+ - name: Checkout Code
+ uses: actions/checkout@v3.1.0
+
+ ##########################
+ # Run Terraform validate #
+ ##########################
+ - name: Terraform validate
+ uses: dflook/terraform-validate@v1.29.1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2485c8f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,32 @@
+# Local .terraform directories
+**/.terraform
+
+# Terraform lockfile
+.terraform.lock.hcl
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# IDE
+.idea
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..e7c9291
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.76.0
+ hooks:
+ - id: terraform_docs
+ - id: terraform_fmt
+ - id: terraform_validate
+ exclude: '^[^/]+$'
+ - id: terraform_tflint
+ exclude: ^examples/
+
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.3.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
new file mode 100644
index 0000000..ba774e5
--- /dev/null
+++ b/.terraform-docs.yml
@@ -0,0 +1,46 @@
+formatter: "md table"
+header-from: main.tf
+
+recursive:
+ # Enable this if your module has submodules
+ enabled: true
+
+content: |-
+ {{ include "docs/10-header.md" }}
+
+ {{ include "docs/20-badges.md" }}
+
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
+
+ {{ .Providers }}
+
+ ## Resources
+ {{ range .Module.Resources }}
+ - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+ {{- end }}
+
+ # Examples
+ ### Full
+ ```hcl
+ {{ include "examples/full/main.tf" }}
+ ```
+
+ ### Minimum
+ ```hcl
+ {{ include "examples/minimum/main.tf" }}
+ ```
+
+output:
+ file: "README.md"
+ mode: inject
+ template: |-
+
+ {{ .Content }}
+
+
+settings:
+ lockfile: false
diff --git a/.tflint.hcl b/.tflint.hcl
new file mode 100644
index 0000000..db94b46
--- /dev/null
+++ b/.tflint.hcl
@@ -0,0 +1,10 @@
+plugin "terraform" {
+ enabled = true
+ preset = "all"
+}
+
+plugin "aws" {
+ enabled = true
+ version = "0.18.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
+}
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..c844c70
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2017-2020 Cloud Posse, LLC
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..8567b26
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,43 @@
+.DEFAULT_GOAL = help
+
+TEMPLATE_REPO := https://github.com/geekcell/template-terraform-module.git
+UPDATABLE_TEMPLATE_FILES := .github/ docs/logo.md .editorconfig .gitignore .pref-commit-config.yaml .terraform-docs.yml .tflint.hcl LICENSE Makefile
+
+#########
+# SETUP #
+#########
+.PHONY: setup/run
+setup/run: setup/install-tools pre-commit/install-hooks ## Install and setup necessary tools
+
+.PHONY: setup/install-tools
+setup/install-tools: # Install required tools
+ifeq (, $(shell which brew))
+ @echo "No brew in $$PATH. Currently only brew is supported for installing tools."
+else
+ @brew install pre-commit terraform terraform-docs tflint
+endif
+
+.PHONY: setup/update-template
+setup/update-template: ## Pull the latest template files from the main repo
+ @git config remote.terraform-module-template.url >&- || git remote add terraform-module-template $(TEMPLATE_REPO)
+ @git fetch terraform-module-template main
+ @git checkout -p terraform-module-template/main $(UPDATABLE_TEMPLATE_FILES)
+
+##############
+# PRE-COMMIT #
+##############
+.PHONY: pre-commit/install-hooks
+pre-commit/install-hooks: ## Install pre-commit git hooks script
+ @git init
+ @pre-commit install
+
+.PHONY: pre-commit/run-all
+pre-commit/run-all: ## Run pre-commit against all files
+ @pre-commit run -a
+
+########
+# HELP #
+########
+.PHONY: help
+help: ## Shows this help
+ @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_\-\.\/]+:.*?## / {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
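Review bot: `UPDATABLE_TEMPLATE_FILES` lists `.pref-commit-config.yaml`, but the file added in this commit is `.pre-commit-config.yaml`, so `setup/update-template` will never refresh the pre-commit config and `git checkout -p` will likely abort on the unknown pathspec. Change the entry to `.pre-commit-config.yaml`. `TEMPLATE_REPO` also points at `geekcell/template-terraform-module.git` while sync-templates.yaml syncs from `geekcell/terraform-aws-module-template`; presumably these should agree. `pre-commit/install-hooks` runs `git init` unconditionally, which is harmless in an existing clone but reads as accidental — a comment such as `# git init is a no-op in an existing clone; kept so the target works from a bare template copy` would make the intent explicit.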
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..11bb43a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,78 @@
+
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
+
+### Code Quality
+[![License](https://img.shields.io/github/license/geekcell/terraform-aws-account-defaults)](https://github.com/geekcell/terraform-aws-account-defaults/blob/master/LICENSE)
+[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-account-defaults?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-account-defaults/releases)
+[![Release](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml)
+[![Validate](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml)
+[![Lint](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml)
+
+### Security
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=INFRASTRUCTURE+SECURITY)
+
+#### Cloud
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.3)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.3)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GCP+V1.1)
+
+##### Container
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes_16)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.6)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_eks_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+EKS+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gke_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GKE+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.5)
+
+#### Data protection
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=SOC2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=ISO27001)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=NIST-800-53)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=HIPAA)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=FEDRAMP+%28MODERATE%29)
+
+# Terraform AWS Account Defaults
+
+This module takes care of some general account-wide settings in the running AWS account. See the documentation for
+each module for more information. All modules are enabled by default.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [enable\_cloudwatch\_defaults](#input\_enable\_cloudwatch\_defaults) | Enable the Cloudwatch submodule. | `bool` | `true` | no |
+| [enable\_iam\_account\_password\_policy](#input\_enable\_iam\_account\_password\_policy) | Enable the IAM Account Password Policy submodule. | `bool` | `true` | no |
+| [enable\_s3\_defaults](#input\_enable\_s3\_defaults) | Enable the S3 submodule. | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+No providers.
+
+## Resources
+
+
+# Examples
+### Full
+```hcl
+module "full" {
+ source = "../../"
+
+ enable_s3_defaults = true
+ enable_cloudwatch_defaults = true
+ enable_iam_account_password_policy = true
+}
+```
+
+### Minimum
+```hcl
+module "minimum" {
+ source = "../../"
+}
+```
+
diff --git a/docs/10-header.md b/docs/10-header.md
new file mode 100644
index 0000000..3843bbf
--- /dev/null
+++ b/docs/10-header.md
@@ -0,0 +1 @@
+[![Geek Cell GmbH](https://raw.githubusercontent.com/geekcell/.github/main/geekcell-github-banner.png)](https://www.geekcell.io/)
diff --git a/docs/20-badges.md b/docs/20-badges.md
new file mode 100644
index 0000000..69732ca
--- /dev/null
+++ b/docs/20-badges.md
@@ -0,0 +1,31 @@
+### Code Quality
+[![License](https://img.shields.io/github/license/geekcell/terraform-aws-account-defaults)](https://github.com/geekcell/terraform-aws-account-defaults/blob/master/LICENSE)
+[![GitHub release (latest tag)](https://img.shields.io/github/v/release/geekcell/terraform-aws-account-defaults?logo=github&sort=semver)](https://github.com/geekcell/terraform-aws-account-defaults/releases)
+[![Release](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/release.yaml)
+[![Validate](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/validate.yaml)
+[![Lint](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml/badge.svg)](https://github.com/geekcell/terraform-aws-account-defaults/actions/workflows/linter.yaml)
+
+### Security
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=INFRASTRUCTURE+SECURITY)
+
+#### Cloud
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_aws_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AWS+V1.3)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_azure_13)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+AZURE+V1.3)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gcp)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GCP+V1.1)
+
+##### Container
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes_16)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.6)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_eks_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+EKS+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_gke_11)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+GKE+V1.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/cis_kubernetes)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=CIS+KUBERNETES+V1.5)
+
+#### Data protection
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=SOC2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=PCI-DSS+V3.2.1)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=ISO27001)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=NIST-800-53)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=HIPAA)
+[![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/geekcell/terraform-aws-account-defaults/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=geekcell%2Fterraform-aws-account-defaults&benchmark=FEDRAMP+%28MODERATE%29)
diff --git a/examples/full/main.tf b/examples/full/main.tf
new file mode 100644
index 0000000..3ebba4e
--- /dev/null
+++ b/examples/full/main.tf
@@ -0,0 +1,7 @@
+module "full" {
+ source = "../../"
+
+ enable_s3_defaults = true
+ enable_cloudwatch_defaults = true
+ enable_iam_account_password_policy = true
+}
diff --git a/examples/minimum/main.tf b/examples/minimum/main.tf
new file mode 100644
index 0000000..ca6431f
--- /dev/null
+++ b/examples/minimum/main.tf
@@ -0,0 +1,3 @@
+module "minimum" {
+ source = "../../"
+}
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..63c2caa
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,20 @@
+/**
+ * # Terraform AWS Account Defaults
+ *
+ * This module takes care of some general account-wide settings in the running AWS account. See the documentation for
+ * each module for more information. All modules are enabled by default.
+ */
+module "s3" {
+ count = var.enable_s3_defaults ? 1 : 0
+ source = "./modules/s3"
+}
+
+module "cloudwatch" {
+ count = var.enable_cloudwatch_defaults ? 1 : 0
+ source = "./modules/cloudwatch"
+}
+
+module "iam_account_password_policy" {
+ count = var.enable_iam_account_password_policy ? 1 : 0
+ source = "./modules/iam_password_policy"
+}
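Review bot: The header comment does not say what happens when one of the `enable_*` toggles is set to false after an apply: each submodule is instantiated with `count = ... ? 1 : 0`, so disabling it removes the account-level resource (for example the S3 public access block or the IAM password policy), which returns that account setting to the AWS default rather than freezing it at its last applied value. Worth stating next to "All modules are enabled by default", e.g. `* Disabling a submodule after apply destroys its account-level resource and reverts that setting to the AWS default.`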
diff --git a/modules/cloudwatch/.terraform-docs.yml b/modules/cloudwatch/.terraform-docs.yml
new file mode 100644
index 0000000..ba5f612
--- /dev/null
+++ b/modules/cloudwatch/.terraform-docs.yml
@@ -0,0 +1,13 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
+
+ {{ .Providers }}
+
+ ## Resources
+ {{ range .Module.Resources }}
+ - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+ {{- end }}
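Review bot: This config sets only `content:` and no `formatter:`; terraform-docs needs a formatter from either the config file or the command line, so if the pre-commit hook invokes it without an explicit formatter argument, rendering these module READMEs fails — confirm against the hook arguments. The same applies to the identical `modules/iam_password_policy/.terraform-docs.yml` and `modules/s3/.terraform-docs.yml` hunks (same blob `ba5f612`); if a formatter is required, `formatter: markdown table` at the top of each would make the files self-contained.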
diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md
new file mode 100644
index 0000000..baf4eb4
--- /dev/null
+++ b/modules/cloudwatch/README.md
@@ -0,0 +1,33 @@
+
+# Terraform AWS Account Defaults Cloudwatch
+
+Each RDS instance writes its OS metrics to the same Cloudwatch Log Group. This is automatically created by AWS and
+is therefore not under control with Terraform. Since the data in it gets very large very quickly, we want to at least
+configure retention of the data.
+
+It is not possible to encrypt this Cloudwatch Log Group, otherwise AWS RDS will not be able to write to it because
+they do not have access to the AWS KMS. But we want to set the retention\_in\_days in Terraform.
+
+How to import when already exists
+terraform import 'aws\_cloudwatch\_log\_group.rds\_log\_group' 'RDSOSMetrics'
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days](#input\_cloudwatch\_log\_group\_rdsosmetrics\_retention\_in\_days) | The number of days log events are kept in CloudWatch Logs for the default RDSOSMetrics group. | `number` | `365` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+- resource.aws_cloudwatch_log_group.rdsosmetrics (modules/cloudwatch/main.tf#14)
+
diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf
new file mode 100644
index 0000000..77ebd0b
--- /dev/null
+++ b/modules/cloudwatch/main.tf
@@ -0,0 +1,17 @@
+/**
+* # Terraform AWS Account Defaults Cloudwatch
+*
+* Each RDS instance writes its OS metrics to the same Cloudwatch Log Group. This is automatically created by AWS and
+* is therefore not under control with Terraform. Since the data in it gets very large very quickly, we want to at least
+* configure retention of the data.
+*
+* It is not possible to encrypt this Cloudwatch Log Group, otherwise AWS RDS will not be able to write to it because
+* they do not have access to the AWS KMS. But we want to set the retention_in_days in Terraform.
+*
+* How to import when already exists
+* terraform import 'aws_cloudwatch_log_group.rds_log_group' 'RDSOSMetrics'
+*/
+resource "aws_cloudwatch_log_group" "rdsosmetrics" {
+ name = "RDSOSMetrics"
+ retention_in_days = var.cloudwatch_log_group_rdsosmetrics_retention_in_days
+}
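Review bot: The import hint in the header, `terraform import 'aws_cloudwatch_log_group.rds_log_group' 'RDSOSMetrics'`, names a resource that does not exist in this module; the resource declared below is `aws_cloudwatch_log_group.rdsosmetrics`, and when the module is consumed through the root `main.tf` it is addressed under `module.cloudwatch[0]`. Suggest `* terraform import 'module.cloudwatch[0].aws_cloudwatch_log_group.rdsosmetrics' 'RDSOSMetrics'` (or the bare `aws_cloudwatch_log_group.rdsosmetrics` for standalone use). The generated `modules/cloudwatch/README.md` in this diff carries the same stale address because it is rendered from this comment.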
diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf
new file mode 100644
index 0000000..9fe135a
--- /dev/null
+++ b/modules/cloudwatch/variables.tf
@@ -0,0 +1,5 @@
+variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
+ description = "The number of days log events are kept in CloudWatch Logs for the default RDSOSMetrics group."
+ default = 365
+ type = number
+}
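Review bot: `cloudwatch_log_group_rdsosmetrics_retention_in_days` accepts any `number`, but CloudWatch Logs only accepts a fixed set of retention values (plus `0` for "never expire" in the provider), so an input such as `100` passes `plan` and fails at `apply`. A `validation` block makes the constraint visible at plan time; the accepted set below is the one documented for the Logs retention policy — verify it against the provider version pinned in `versions.tf`.
```hcl
variable "cloudwatch_log_group_rdsosmetrics_retention_in_days" {
  # … unchanged: description, default, type …

  validation {
    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.cloudwatch_log_group_rdsosmetrics_retention_in_days)
    error_message = "Must be one of the CloudWatch Logs retention values (0 = never expire, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653)."
  }
}
```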
diff --git a/modules/cloudwatch/versions.tf b/modules/cloudwatch/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
+++ b/modules/cloudwatch/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/modules/iam_password_policy/.terraform-docs.yml b/modules/iam_password_policy/.terraform-docs.yml
new file mode 100644
index 0000000..ba5f612
--- /dev/null
+++ b/modules/iam_password_policy/.terraform-docs.yml
@@ -0,0 +1,13 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
+
+ {{ .Providers }}
+
+ ## Resources
+ {{ range .Module.Resources }}
+ - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+ {{- end }}
diff --git a/modules/iam_password_policy/README.md b/modules/iam_password_policy/README.md
new file mode 100644
index 0000000..1392f28
--- /dev/null
+++ b/modules/iam_password_policy/README.md
@@ -0,0 +1,34 @@
+
+# Terraform AWS Account Defaults IAM Account Password Policy
+
+Sets a strong default password policy for the AWS account. Should be compliant with most cloud security monitoring
+tools.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [iam\_account\_password\_policy\_allow\_users\_to\_change\_password](#input\_iam\_account\_password\_policy\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | `true` | no |
+| [iam\_account\_password\_policy\_hard\_expiry](#input\_iam\_account\_password\_policy\_hard\_expiry) | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset). | `bool` | `false` | no |
+| [iam\_account\_password\_policy\_max\_password\_age](#input\_iam\_account\_password\_policy\_max\_password\_age) | The number of days that an user password is valid. | `number` | `90` | no |
+| [iam\_account\_password\_policy\_minimum\_password\_length](#input\_iam\_account\_password\_policy\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | `14` | no |
+| [iam\_account\_password\_policy\_password\_reuse\_prevention](#input\_iam\_account\_password\_policy\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | `24` | no |
+| [iam\_account\_password\_policy\_require\_lowercase\_characters](#input\_iam\_account\_password\_policy\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | `true` | no |
+| [iam\_account\_password\_policy\_require\_numbers](#input\_iam\_account\_password\_policy\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | `true` | no |
+| [iam\_account\_password\_policy\_require\_symbols](#input\_iam\_account\_password\_policy\_require\_symbols) | Whether to require symbols for user passwords. | `bool` | `true` | no |
+| [iam\_account\_password\_policy\_require\_uppercase\_characters](#input\_iam\_account\_password\_policy\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+- resource.aws_iam_account_password_policy.main (modules/iam_password_policy/main.tf#7)
+
diff --git a/modules/iam_password_policy/main.tf b/modules/iam_password_policy/main.tf
new file mode 100644
index 0000000..bee6f72
--- /dev/null
+++ b/modules/iam_password_policy/main.tf
@@ -0,0 +1,19 @@
+/**
+* # Terraform AWS Account Defaults IAM Account Password Policy
+*
+* Sets a strong default password policy for the AWS account. Should be compliant with most cloud security monitoring
+* tools.
+*/
+resource "aws_iam_account_password_policy" "main" {
+ allow_users_to_change_password = var.iam_account_password_policy_allow_users_to_change_password
+ hard_expiry = var.iam_account_password_policy_hard_expiry
+
+ max_password_age = var.iam_account_password_policy_max_password_age
+ password_reuse_prevention = var.iam_account_password_policy_password_reuse_prevention
+
+ minimum_password_length = var.iam_account_password_policy_minimum_password_length
+ require_lowercase_characters = var.iam_account_password_policy_require_lowercase_characters
+ require_uppercase_characters = var.iam_account_password_policy_require_uppercase_characters
+ require_numbers = var.iam_account_password_policy_require_numbers
+ require_symbols = var.iam_account_password_policy_require_symbols
+}
diff --git a/modules/iam_password_policy/variables.tf b/modules/iam_password_policy/variables.tf
new file mode 100644
index 0000000..53806c6
--- /dev/null
+++ b/modules/iam_password_policy/variables.tf
@@ -0,0 +1,53 @@
+variable "iam_account_password_policy_allow_users_to_change_password" {
+ description = "Whether to allow users to change their own password."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_hard_expiry" {
+ description = "Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)."
+ default = false
+ type = bool
+}
+
+variable "iam_account_password_policy_max_password_age" {
+ description = "The number of days that an user password is valid."
+ default = 90
+ type = number
+}
+
+variable "iam_account_password_policy_password_reuse_prevention" {
+ description = "The number of previous passwords that users are prevented from reusing."
+ default = 24
+ type = number
+}
+
+variable "iam_account_password_policy_minimum_password_length" {
+ description = "Minimum length to require for user passwords."
+ default = 14
+ type = number
+}
+
+variable "iam_account_password_policy_require_lowercase_characters" {
+ description = "Whether to require lowercase characters for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_uppercase_characters" {
+ description = "Whether to require uppercase characters for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_numbers" {
+ description = "Whether to require numbers for user passwords."
+ default = true
+ type = bool
+}
+
+variable "iam_account_password_policy_require_symbols" {
+ description = "Whether to require symbols for user passwords."
+ default = true
+ type = bool
+}
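Review bot: The three numeric inputs here have no bounds, so values AWS rejects (the IAM API limits `minimum_password_length` to 6–128, `password_reuse_prevention` to 1–24 and `max_password_age` to 1–1095) only surface as an `apply` error, and nothing stops a caller from quietly weakening the "strong default" the header promises with, say, a length of 6. A `validation` block per variable catches both at plan time; the pattern below for `minimum_password_length` applies equally to the other two with their respective bounds (tighten the lower bound if this module is meant to guarantee benchmark compliance rather than just API validity). Also, the description `"The number of days that an user password is valid."` should read "a user password".
```hcl
variable "iam_account_password_policy_minimum_password_length" {
  # … unchanged: description, default, type …

  validation {
    condition     = var.iam_account_password_policy_minimum_password_length >= 6 && var.iam_account_password_policy_minimum_password_length <= 128
    error_message = "AWS accepts a minimum password length between 6 and 128 characters."
  }
}
```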
diff --git a/modules/iam_password_policy/versions.tf b/modules/iam_password_policy/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
+++ b/modules/iam_password_policy/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/modules/s3/.terraform-docs.yml b/modules/s3/.terraform-docs.yml
new file mode 100644
index 0000000..ba5f612
--- /dev/null
+++ b/modules/s3/.terraform-docs.yml
@@ -0,0 +1,13 @@
+content: |-
+ {{ .Header }}
+
+ {{ .Inputs }}
+
+ {{ .Outputs }}
+
+ {{ .Providers }}
+
+ ## Resources
+ {{ range .Module.Resources }}
+ - {{ .GetMode }}.{{ .Spec }} ({{ .Position.Filename }}#{{ .Position.Line }})
+ {{- end }}
diff --git a/modules/s3/README.md b/modules/s3/README.md
new file mode 100644
index 0000000..e678fdd
--- /dev/null
+++ b/modules/s3/README.md
@@ -0,0 +1,30 @@
+
+# Terraform AWS Account Defaults S3
+
+With AWS S3 it was standard that every bucket is public, we would of course like to prevent this
+directly and configure it directly in the account. Sets the default S3 bucket ACLs and policies for the account
+to block any public access. A security best practice.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [s3\_account\_public\_access\_block\_public\_acls](#input\_s3\_account\_public\_access\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this account. | `bool` | `true` | no |
+| [s3\_account\_public\_access\_block\_public\_policy](#input\_s3\_account\_public\_access\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this account. | `bool` | `true` | no |
+| [s3\_account\_public\_access\_ignore\_public\_acls](#input\_s3\_account\_public\_access\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this account. | `bool` | `true` | no |
+| [s3\_account\_public\_access\_restrict\_public\_buckets](#input\_s3\_account\_public\_access\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this account. | `bool` | `true` | no |
+
+## Outputs
+
+No outputs.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.0 |
+
+## Resources
+
+- resource.aws_s3_account_public_access_block.main (modules/s3/main.tf#8)
+
diff --git a/modules/s3/main.tf b/modules/s3/main.tf
new file mode 100644
index 0000000..a77ba42
--- /dev/null
+++ b/modules/s3/main.tf
@@ -0,0 +1,13 @@
+/**
+* # Terraform AWS Account Defaults S3
+*
+* With AWS S3 it was standard that every bucket is public, we would of course like to prevent this
+* directly and configure it directly in the account. Sets the default S3 bucket ACLs and policies for the account
+* to block any public access. A security best practice.
+*/
+resource "aws_s3_account_public_access_block" "main" {
+ block_public_acls = var.s3_account_public_access_block_public_acls
+ block_public_policy = var.s3_account_public_access_block_public_policy
+ ignore_public_acls = var.s3_account_public_access_ignore_public_acls
+ restrict_public_buckets = var.s3_account_public_access_restrict_public_buckets
+}
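Review bot: The header says the module "Sets the default S3 bucket ACLs and policies for the account", but `aws_s3_account_public_access_block` does not touch any bucket's ACL or policy; it configures the account-level Block Public Access settings, which are evaluated together with each bucket's own settings with the most restrictive one winning. Since this comment is also the source of the generated README, suggest rewording to `* Configures the account-level S3 Block Public Access settings; these apply on top of bucket-level settings and cannot be loosened per bucket.` so readers do not expect existing bucket ACLs or policies to be rewritten.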
diff --git a/modules/s3/variables.tf b/modules/s3/variables.tf
new file mode 100644
index 0000000..63169c4
--- /dev/null
+++ b/modules/s3/variables.tf
@@ -0,0 +1,23 @@
+variable "s3_account_public_access_block_public_acls" {
+ description = "Whether Amazon S3 should block public ACLs for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_block_public_policy" {
+ description = "Whether Amazon S3 should block public bucket policies for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_ignore_public_acls" {
+ description = "Whether Amazon S3 should ignore public ACLs for this account."
+ default = true
+ type = bool
+}
+
+variable "s3_account_public_access_restrict_public_buckets" {
+ description = "Whether Amazon S3 should restrict public bucket policies for this account."
+ default = true
+ type = bool
+}
diff --git a/modules/s3/versions.tf b/modules/s3/versions.tf
new file mode 100644
index 0000000..8ad760d
--- /dev/null
+++ b/modules/s3/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/test/.gitignore b/test/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..f3203ad
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,20 @@
+## S3 PUBLIC ACCESS
+variable "enable_s3_defaults" {
+ description = "Enable the S3 submodule."
+ default = true
+ type = bool
+}
+
+## CLOUDWATCH
+variable "enable_cloudwatch_defaults" {
+ description = "Enable the Cloudwatch submodule."
+ default = true
+ type = bool
+}
+
+## IAM ACCOUNT PASSWORD POLICY
+variable "enable_iam_account_password_policy" {
+ description = "Enable the IAM Account Password Policy submodule."
+ default = true
+ type = bool
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..e6b4cbd
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = "~> 1.3"
+}