This repository contains a collection of production-ready, security-hardened Terraform modules for provisioning AWS infrastructure. Each module is designed to be composable and maintainable, and follows AWS security best practices with security-by-default configurations.
- aws-terraform-core-vpc: Core VPC infrastructure setup
- aws-terraform-vpc: Standard VPC configuration
- aws-terraform-peering: VPC peering connections
- aws-terraform-tgw: Transit Gateway configuration
- aws-terraform-vpn: VPN connection setup
- aws-terraform-ec2: EC2 instance provisioning (Security: encryption enabled by default)
- aws-terraform-eks: Elastic Kubernetes Service cluster setup (Security: private API endpoint by default)
- aws-terraform-s3: S3 bucket configuration
- aws-terraform-dynamodb: DynamoDB tables
- aws-terraform-rds: Relational Database Service
- aws-terraform-rds-aurora: Amazon Aurora cluster setup
- aws-terraform-redis: ElastiCache Redis configuration
- aws-terraform-accounts: AWS account management
- aws-terraform-acm: AWS Certificate Manager
- aws-terraform-cloudtrail: CloudTrail logging
- aws-terraform-iam: IAM resource management (comprehensive documentation)
  - account: Account-level IAM settings
  - assumable-role: Cross-account role assumption
  - groups: IAM group management
  - policies: Custom IAM policies
  - roles: IAM roles
  - service-accounts: Service account configuration
  - users: IAM user management (Security: access keys disabled by default)
- aws-terraform-scp: Service Control Policies for AWS Organizations (full documentation)
- aws-terraform-apigw: API Gateway setup
- aws-terraform-eventbridge: EventBridge/CloudWatch Events
- aws-terraform-sns: Simple Notification Service
- Security-by-default: All modules now use secure defaults
- Encryption: EC2 instances have encryption enabled by default
- Access Control: EKS clusters use private endpoints by default
- IAM Security: Access key creation disabled by default to prevent credential exposure
- Complete Coverage: All 20 modules now have comprehensive documentation
- Usage Examples: Detailed examples with security best practices
- Security Guidance: Clear security considerations and recommendations
- Version Constraints: All modules have consistent Terraform and provider versions
- Code Quality: 100% formatted and validated code
- Consistent Structure: Standardized module organization
Each module follows a consistent structure:

```text
module-name/
├── README.md      # Comprehensive module documentation
├── main.tf        # Main module logic
├── variables.tf   # Input variables with secure defaults
├── outputs.tf     # Output values for integration
└── versions.tf    # Provider version constraints (all modules)
```
Each module can be used by referencing it in your Terraform configuration:
```hcl
module "example" {
  # Pin `ref` to a release tag or commit SHA rather than a branch for
  # reproducible builds; a branch name such as `main` is a mutable reference.
  source = "git::https://git@github.com/cloudon-one/aws-terraform-modules.git//aws-terraform-<service>?ref=main"

  # Module specific variables
  # ...
}
```

EC2 instances with encryption enabled by default:

```hcl
module "secure_ec2" {
  source = "./aws-terraform-ec2"

  instances = [
    {
      name                        = "web-server"
      ami                         = "ami-0abcdef1234567890"
      instance_type               = "t3.medium"
      availability_zone           = "us-west-2a"
      subnet_id                   = "subnet-12345678"
      private_ip                  = "10.0.1.10"
      associate_public_ip_address = false
      ebs_block_device            = []
      tags = {
        Environment = "production"
        Encrypted   = "true"
      }
    }
  ]

  # Security: encryption enabled by default
  enable_root_block_device_encryption = true
  enable_ebs_encryption               = true
  kms_key_id                          = "alias/my-key" # Optional: use a customer-managed key
}
```

EKS cluster with a private API endpoint by default:

```hcl
module "secure_eks" {
  source = "./aws-terraform-eks"

  cluster_name = "production-cluster"
  eks_version  = "1.27"
  iam_role_arn = "arn:aws:iam::123456789012:role/eks-cluster-role"
  subnet_ids   = ["subnet-12345678", "subnet-87654321"]

  # Security: private API endpoint by default
  cluster_endpoint_public_access  = false # Default: false
  cluster_endpoint_private_access = true  # Default: true

  # Only consulted when cluster_endpoint_public_access is true. If you must
  # enable public access, restrict it to the public egress addresses (office,
  # VPN) that need to reach the API and never leave it at 0.0.0.0/0. The
  # value below is a placeholder.
  cluster_endpoint_public_access_cidrs = ["10.0.0.0/16"]

  eks_managed_node_groups = [
    {
      name           = "workers"
      instance_types = ["t3.medium"]
      min_size       = 1
      max_size       = 3
      desired_size   = 2
      ami_type       = "AL2_x86_64"
      capacity_type  = "ON_DEMAND"
      access_entries = []
      tags = {
        Environment = "production"
      }
    }
  ]
}
```

IAM user without long-lived access keys:

```hcl
module "secure_iam_user" {
  source = "./aws-terraform-iam/users"

  name                          = "developer"
  create_iam_user_login_profile = true
  create_iam_access_key         = false # Default: false (secure)
  password_reset_required       = true

  # PowerUserAccess allows every action except most IAM, Organizations and
  # Account operations; scope this down to what the user actually needs.
  policy_arns = [
    "arn:aws:iam::aws:policy/PowerUserAccess"
  ]

  tags = {
    Team        = "development"
    Environment = "dev"
  }
}
```

Prerequisites:

- Terraform >= 1.0 (enforced in all modules)
- AWS Provider ~> 5.0 (standardized across all modules)
- Valid AWS credentials configured
- Appropriate IAM permissions for the resources being created
This repository implements security-by-default principles:
- EC2 Encryption: Root and EBS volumes encrypted automatically
- EKS Private Access: API endpoints private by default
- IAM Security: No access keys created by default
- Version Pinning: All provider versions constrained
- Input Validation: Comprehensive variable validation
Each module provides security configuration options. The exact variable names differ per module (compare the examples above, and see each module's README); the pattern is:

```hcl
# Enable/disable security features as needed
enable_encryption = true  # Default: true
public_access     = false # Default: false
access_keys       = false # Default: false
```

Security best practices:

- Review Defaults: Understand the secure defaults before overriding
- Use Private Resources: Prefer private subnets and endpoints
- Enable Encryption: Use customer-managed KMS keys when possible
- Limit Access: Use least privilege principles
- Monitor Changes: Enable CloudTrail for all AWS accounts
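A secure default only helps if nobody overrides it unnoticed. As an added example (not code from the cloudon-one repository), the following script applies the checks above to a real Terraform plan: run `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass it the JSON. It walks `planned_values`, including nested modules, and reports resources that contradict the documented defaults (unencrypted EC2 volumes, a public EKS endpoint, IAM access keys) and the best practices listed (S3 public access block, RDS encryption and exposure). The attribute names are those the AWS provider emits in plan JSON; the embedded `SAMPLE_PLAN` is a constructed fixture whose module addresses mirror the usage examples, with two deliberate violations so the output is visible offline.

```python
"""Post-plan guardrail for the secure defaults described in this README.

Added example, not part of aws-terraform-modules. Reads `terraform show -json`
output and flags planned resources that drift from the documented defaults.
SAMPLE_PLAN is a constructed fixture, not real Terraform output.
"""
import json
import sys
from typing import Iterator


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every managed resource in a plan module and its nested child modules."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":  # skip data sources
            yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_resource(res: dict) -> list[str]:
    """Return one finding per violated rule for a single planned resource."""
    rtype, addr = res["type"], res["address"]
    v = res.get("values") or {}  # attributes unknown at plan time are absent
    findings: list[str] = []
    if rtype == "aws_instance":
        for blk in v.get("root_block_device") or []:
            if blk.get("encrypted") is not True:
                findings.append(f"{addr}: root_block_device not encrypted")
        for blk in v.get("ebs_block_device") or []:
            if blk.get("encrypted") is not True:
                findings.append(f"{addr}: ebs_block_device {blk.get('device_name')} not encrypted")
        if v.get("associate_public_ip_address") is True:
            findings.append(f"{addr}: instance receives a public IP")
    elif rtype == "aws_eks_cluster":
        for cfg in v.get("vpc_config") or []:
            if cfg.get("endpoint_private_access") is not True:
                findings.append(f"{addr}: EKS private endpoint disabled")
            if cfg.get("endpoint_public_access") is True:
                # The provider defaults public_access_cidrs to 0.0.0.0/0 when unset.
                cidrs = cfg.get("public_access_cidrs") or ["0.0.0.0/0"]
                if "0.0.0.0/0" in cidrs:
                    findings.append(f"{addr}: EKS public endpoint open to 0.0.0.0/0")
    elif rtype == "aws_iam_access_key":
        findings.append(f"{addr}: long-lived IAM access key created")
    elif rtype == "aws_s3_bucket_public_access_block":
        for flag in ("block_public_acls", "block_public_policy",
                     "ignore_public_acls", "restrict_public_buckets"):
            if v.get(flag) is not True:
                findings.append(f"{addr}: {flag} is not true")
    elif rtype == "aws_db_instance":
        if v.get("storage_encrypted") is not True:
            findings.append(f"{addr}: RDS storage not encrypted")
        if v.get("publicly_accessible") is True:
            findings.append(f"{addr}: RDS instance publicly accessible")
    return findings


def check_plan(plan: dict) -> list[str]:
    """Walk planned_values and collect findings for the whole plan."""
    root = plan.get("planned_values", {}).get("root_module", {})
    return [f for res in iter_resources(root) for f in check_resource(res)]


# Constructed fixture shaped like `terraform show -json` output. Module addresses
# mirror the usage examples; two attributes deliberately violate the defaults.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"child_modules": [
        {"address": "module.secure_ec2", "resources": [{
            "address": "module.secure_ec2.aws_instance.this[0]", "mode": "managed",
            "type": "aws_instance", "name": "this",
            "values": {"associate_public_ip_address": False,
                       "root_block_device": [{"encrypted": True, "volume_size": 20}],
                       "ebs_block_device": [{"device_name": "/dev/sdf", "encrypted": False}]}}]},
        {"address": "module.secure_eks", "resources": [{
            "address": "module.secure_eks.aws_eks_cluster.this", "mode": "managed",
            "type": "aws_eks_cluster", "name": "this",
            "values": {"vpc_config": [{"endpoint_private_access": True,
                                       "endpoint_public_access": True,
                                       "public_access_cidrs": ["0.0.0.0/0"]}]}}]},
        {"address": "module.secure_iam_user", "resources": [{
            "address": "module.secure_iam_user.aws_iam_user.this", "mode": "managed",
            "type": "aws_iam_user", "name": "this", "values": {"name": "developer"}}]},
    ]}},
}


def main(argv: list[str]) -> int:
    """Usage: python check_plan.py plan.json (falls back to SAMPLE_PLAN)."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step after `terraform plan`; a non-zero exit makes any override of a secure default visible in the pull request instead of in the account. Attributes that are unknown until apply (for example a KMS key ARN created in the same run) are simply absent from the plan JSON, which is why the checks test for `is not True` rather than for `== False`.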
| Module | Documentation | Version Constraints | Outputs | Security |
|---|---|---|---|---|
| aws-terraform-accounts | Complete | Complete | Complete | Complete |
| aws-terraform-acm | Complete | Complete | Complete | Complete |
| aws-terraform-apigw | Complete | Complete | Complete | Complete |
| aws-terraform-cloudtrail | Complete | Complete | Complete | Complete |
| aws-terraform-core-vpc | Complete | Complete | Complete | Complete |
| aws-terraform-dynamodb | Complete | Complete | Complete | Complete |
| aws-terraform-ec2 | Complete | Complete | Complete | Enhanced |
| aws-terraform-eks | Complete | Complete | Complete | Enhanced |
| aws-terraform-eventbridge | Complete | Complete | Complete | Complete |
| aws-terraform-iam | New | Complete | New | Enhanced |
| aws-terraform-peering | Complete | Complete | Complete | Complete |
| aws-terraform-rds | Complete | Complete | Complete | Complete |
| aws-terraform-rds-aurora | Complete | Complete | Complete | Complete |
| aws-terraform-redis | Complete | Complete | Complete | Complete |
| aws-terraform-s3 | Complete | Complete | Complete | Complete |
| aws-terraform-scp | New | Complete | Complete | Complete |
| aws-terraform-sns | Complete | Complete | Complete | Complete |
| aws-terraform-tgw | Complete | Complete | Complete | Complete |
| aws-terraform-vpc | Complete | Complete | Complete | Complete |
| aws-terraform-vpn | Complete | Complete | Complete | Complete |

Legend:
- Complete: in place and reviewed
- New: recently added or updated
- Enhanced: security hardening beyond the baseline
We welcome contributions! Please follow our security-first approach:
- Security Review: All changes undergo security review
- Secure Defaults: New features should be secure by default
- Documentation: Security implications must be documented
- Testing: Include security-focused tests
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Make your changes following our patterns:
  - Add comprehensive documentation
  - Include security considerations
  - Add version constraints
  - Provide usage examples
- Run validation: `terraform fmt -recursive . && terraform validate`
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
Validation commands:

```shell
# Format code
terraform fmt -recursive .

# Validate all modules. `terraform validate` needs an initialized working
# directory, so initialize each module first (providers only, no backend).
for dir in $(find . -name "*.tf" -path "./aws-terraform-*" -exec dirname {} \; | sort -u); do
  terraform -chdir="$dir" init -backend=false -input=false >/dev/null \
    && terraform -chdir="$dir" validate
done

# Check documentation
./scripts/check-docs.sh # If available
```

Getting help:

- Module Documentation: Check the specific module's README first
- Security Questions: Review the Security Best Practices section
- Issues: Open an issue with detailed information
- Discussions: Use GitHub Discussions for questions
When reporting issues, please include:
- Module name and version
- Terraform version
- AWS Provider version
- Security context (if applicable)
- Minimal reproduction case
For new features or enhancements:
- Explain the use case
- Consider security implications
- Provide implementation ideas
- Follow existing patterns
- Enhanced Security: Additional security hardening options
- Compliance: SOC 2, PCI DSS, and GDPR compliance helpers
- Monitoring: Integrated observability and alerting
- Automation: Pre-commit hooks and automated testing
- Examples: Real-world usage examples and patterns
- 100% Security Coverage: All modules follow security best practices
- Complete Documentation: Comprehensive docs for all modules
- Community Driven: Active community contributions and feedback
- Production Ready: Enterprise-grade reliability and support
This project is licensed under the MIT License - see the LICENSE file for details.
- Built with security-first principles
- Inspired by AWS Well-Architected Framework
- Community-driven development
- Continuous security improvements
| Module | Description | Key Features |
|---|---|---|
| aws-terraform-iam | Complete IAM management | Comprehensive docs, secure defaults |
| aws-terraform-scp | Service Control Policies | Full documentation, policy examples |
| aws-terraform-ec2 | EC2 instances | Encryption by default |
| aws-terraform-eks | EKS clusters | Private endpoints by default |
| aws-terraform-s3 | S3 buckets | Public access blocked |
| aws-terraform-vpc | VPC networking | Flexible subnet configuration |
| And 14 more... | | Complete documentation |

Tip: Each module README contains detailed usage examples, security considerations, and best practices.