volocloud_tenancy_aws
Example Usage
data "volocloud_tenancy_aws" "example" {
account_id = "00000000-0000-0000-0000-000000000000"
tenancy_id = "00000000-0000-0000-0000-000000000000"
}
Schema
Required
account_id(String) Volocloud Account ID.tenancy_id(String) Volocloud Tenancy ID.
Read-Only
configuration(Attributes) It contains tenancy configuration. (see below for nested schema)id(String) ID of the resource computed from the account_id and tenancy_id separated by : .name(String) Volocloud Tenancy Nameresources(Map of String) These are all the resources created in the tenancy.
Nested Schema for configuration
Required:
accounts(Attributes) Configuration details for AWS Accounts part of tenancy. (see below for nested schema)organization(Attributes) AWS services configuration applicable at AWS Organization level. (see below for nested schema)regions(Attributes) Defines which regions to deploy into. (see below for nested schema)
Optional:
idp(Attributes) Configuration details for AWS Identity Center SSO. (see below for nested schema)
Read-Only:
abbreviation(String) This abbreviation will be used to uniquily identify resources created. Only applies to resources that require AWS global uniqueness.assume_role_arn(String) The Volo bootstrap Role ARN created from the AWS CloudFormation Template provided by the volocloud provider account resource.assume_role_external_id(String) The Volo AWS External ID created by the volocloud provider account resource.dns_domain(String) DNS domain to be used as the root DNS for the AWS tenancy. private dns subdomains will be created based on this.email(String) Email address for the root user of the provisioned AWS Accounts part of this tenancy. Must support subaddressing (+ sign) and be max 42 chars.environments(List of String) List of environments deployed part of the tenancy.tags(Map of String) Key-value map of resource tags for all the tenancy resources.
Nested Schema for configuration.accounts
Required:
audit(Attributes) Provides details for configuring audit resources. (see below for nested schema)log_archive(Attributes) Provides details for configuring log archive resources. (see below for nested schema)management(Attributes) Provides details for configuring management resources. (see below for nested schema)network(Attributes) Provides details for configuring network resources. (see below for nested schema)shared_services(Attributes) Provides details for configuring shared services resources. (see below for nested schema)
Nested Schema for configuration.accounts.audit
Required:
alternate_contacts(Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)primary_contact(Attributes) Configuration of AWS Account primary contact. (see below for nested schema)securityhub(Attributes) Manages the Security Hub Configuration for AWS Organization. (see below for nested schema)
Optional:
auditmanager(Attributes) Provides a resource to manage AWS Audit Manager for this AWS Organization. (see below for nested schema)backup(Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)budgets(Attributes List) A list of budget objects. (see below for nested schema)config(Attributes) AWS Config Conformance Packs Rules deployed for this AWS account only. (see below for nested schema)ebs_encryption_by_default(Boolean) Whether or not default EBS encryption is enabled. Defaults totrue.guardduty(Attributes) Provides a resource to manage Amazon GuardDuty for this AWS Organization. (see below for nested schema)inspector(Attributes) Provides a resource to managed AWS Inspector for this AWS Organization. (see below for nested schema)s3_account_public_access_block(Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with with this AWS account. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with this AWS account. The object name MUST be unique across this account and any OU level definitions. (see below for nested schema)vpc(Attributes) Configuration for the account VPC. (see below for nested schema)
Nested Schema for configuration.accounts.audit.alternate_contacts
Required:
email(String) An email address for the alternate contact.name(String) Name of the alternate contact.phone(String) Phone number for the alternate contact.title(String) Title for the alternate contact.
Nested Schema for configuration.accounts.audit.primary_contact
Required:
address_line_1(String) The first line of the primary contact address.city(String) The city of the primary contact address.country_code(String) The ISO-3166 two-letter country code for the primary contact address.full_name(String) The full name of the primary contact address.phone(String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.postal_code(String) The postal code of the primary contact address.
Optional:
address_line_2(String) The second line of the primary contact address, if any.address_line_3(String) The third line of the primary contact address, if any.company_name(String) The name of the company associated with the primary contact information, if any.district_or_county(String) The district or county of the primary contact address, if any.state_or_region(String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example,NJ) or the full state name (for example,New Jersey). This field is required in the following countries:US, CA, GB, DE, JP, IN, and BR.website_url(String) The URL of the website associated with the primary contact information, if any.
Nested Schema for configuration.accounts.audit.securityhub
Required:
enabled(Boolean) Enables Security Hub for this AWS Organization and the core AWS Accounts.
Optional:
notifications(Attributes) Settings for configuring email based notifications for SecurityHub using SNS. (see below for nested schema)standards(Attributes) Manages Security Hub Standards and their controls for this AWS Organization. (see below for nested schema)
Nested Schema for configuration.accounts.audit.securityhub.notifications
Required:
subscribers(Attributes List) A list of notification objects for receiving SecurityHub alerts. (see below for nested schema)
Optional:
findings_pattern(String) SecurityHub event rule findings pattern to configure which events are sent to the SNS topic, formatted as JSON string. The SecurityHub event rule and findings format can be found in AWS documentation: [Configuring an EventBridge rule for automatically sent findings]https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-all-findings.html. Only one findings pattern can be configured for all events generated by SecurityHub. Defaults to all new and active findings.
Nested Schema for configuration.accounts.audit.securityhub.notifications.subscribers
Required:
emails(List of String) Specifies a list of email addresses to send the budget notification to when the threshold is exceeded.
Optional:
filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details. If not provided, all messages received by the SNS Topic will be forwarded to subscribers.
Nested Schema for configuration.accounts.audit.securityhub.standards
Optional:
aws_foundational_security_best_practices(Attributes) Manages Security HubAWS Foundational Security Best Practicesstandard. Defaults to{"controls":<null>,"enabled":true,"version":"v1.0.0"}. (see below for nested schema)aws_resource_tagging_standard(Attributes) Manages Security HubAWS Resource Tagging Standardstandard. Defaults to{"controls":<null>,"enabled":true,"version":"v1.0.0"}. (see below for nested schema)cis_aws_foundations_benchmark(Attributes) Manages Security HubCIS AWS Foundations Benchmarkstandard. Defaults to{"controls":<null>,"enabled":true,"version":"v5.0.0"}. (see below for nested schema)nist_special_publication_800_171(Attributes) Manages Security HubNIST Special Publication 800-171standard. (see below for nested schema)nist_special_publication_800_53(Attributes) Manages Security HubNIST Special Publication 800-53standard. (see below for nested schema)pci_dss(Attributes) Manages Security HubPCI DSSstandard. (see below for nested schema)
Nested Schema for configuration.accounts.audit.securityhub.standards.aws_foundational_security_best_practices
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)enabled(Boolean) Enables this Security HubAWS Foundational Security Best Practicesstandard in the AWS Organization. Defaults totrue.version(String) Standard version. Valid versions:v1.0.0. Defaults tov1.0.0.
Nested Schema for configuration.accounts.audit.securityhub.standards.aws_foundational_security_best_practices.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.securityhub.standards.aws_resource_tagging_standard
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)enabled(Boolean) Enables this Security HubAWS Resource Tagging Standardstandard in the AWS Organization. Defaults totrue.version(String) Standard version. Valid versions:v1.0.0. Defaults tov1.0.0.
Nested Schema for configuration.accounts.audit.securityhub.standards.aws_resource_tagging_standard.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.securityhub.standards.cis_aws_foundations_benchmark
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)enabled(Boolean) Enables this Security HubCIS AWS Foundations Benchmarkstandard in the AWS Organization. Defaults totrue.version(String) Standard version. Valid versions:v1.4.0,v3.0.0orv5.0.0. Defaults tov5.0.0.
Nested Schema for configuration.accounts.audit.securityhub.standards.cis_aws_foundations_benchmark.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.securityhub.standards.nist_special_publication_800_171
Required:
enabled(Boolean) Enables this Security HubNIST Special Publication 800-171standard in the AWS Organization.
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)version(String) Standard version. Valid versions:revision_2. Defaults torevision_2.
Nested Schema for configuration.accounts.audit.securityhub.standards.nist_special_publication_800_171.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.securityhub.standards.nist_special_publication_800_53
Required:
enabled(Boolean) Enables this Security HubNIST Special Publication 800-53standard in the AWS Organization.
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)version(String) Standard version. Valid versions:revision_5. Defaults torevision_5.
Nested Schema for configuration.accounts.audit.securityhub.standards.nist_special_publication_800_53.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.securityhub.standards.pci_dss
Required:
enabled(Boolean) Enables this Security HubPCI DSSstandard in the AWS Organization.
Optional:
controls(Attributes Map) A map of object to disable control(s) part of this standard. The map keys MUST be the all lowercase control id. For control id see AWS Documentation. (see below for nested schema)version(String) Standard version. Valid versions:v3.2.1orv4.0.1. Defaults tov4.0.1.
Nested Schema for configuration.accounts.audit.securityhub.standards.pci_dss.controls
Required:
disable_control(Boolean) If true, the control will be disabled.disable_reason(String) Provides a reason why the control has been disabled.
Nested Schema for configuration.accounts.audit.auditmanager
Optional:
assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)enabled(Boolean) Enables Audit Manager for this AWS Organization. Defaults totrue.frameworks(Attributes) Audit Manager provides prebuilt frameworks that structure and automate assessments for a given compliance standard or regulation. Frameworks include a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to the requirements of the specified compliance standard or regulation. You can also customize frameworks and controls to support internal audits according to your specific requirements. (see below for nested schema)notifications(Attributes) Settings for configuring email based notifications for Audit Manager using SNS. (see below for nested schema)settings(Attributes) Audit Manager (select) settings as described in docs. Only allows update toderegistration_policyandevidence_finder. Default toderegistration_policy = "DEFAULT"andevidence_finder.enabled = false. (see below for nested schema)
Nested Schema for configuration.accounts.audit.auditmanager.assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.accounts.audit.auditmanager.assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.accounts.audit.auditmanager.frameworks
Optional:
aws_managed(Attributes Map) AWS Audit Manager supports AWS Managed Frameworks out of the box. Possible values for the map keys are:aws_waf_v10: AWS Audit Manager provides a prebuilt standard framework that supports the AWS Well-Architected Framework v10.acsc_essential_eight: AWS Audit Manager provides a prebuilt standard framework that supports the Australian Cyber Security Center (ACSC) Essential Eight.acsc_ism: AWS Audit Manager provides a prebuilt standard framework that supports the Australian Cyber Security Center (ACSC) Information Security Manual (ISM).aws_foundational_security_best_practices: AWS Audit Manager provides a prebuilt standard framework that supports the AWS Foundational Security Best Practices.aws_generative_ai_best_practices_v2: AWS Audit Manager provides a prebuilt standard framework to help you gain visibility into how your generative AI implementation on Amazon Bedrock and Amazon SageMaker is working against AWS recommended best practices.aws_license_manager: AWS Audit Manager provides a prebuilt AWS License Manager framework to assist you with your audit preparation.aws_operational_best_practices: AWS Audit Manager provides a prebuilt AWS Operational Best Practices (OBP) framework to assist you with your audit preparation.cccs_medium_cloud_control: AWS Audit Manager provides a prebuilt standard framework that supports the Canadian Centre for Cyber Security (CCCS) Medium Cloud Control.cis_aws_benchmark_v1_4_level1: The CIS AWS Benchmark v1.4.0 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services.cis_aws_benchmark_v1_4_level1and2: The CIS AWS Benchmark v1.4.0 provides prescriptive guidance for configuring security options for a subset of Amazon Web Services.cis_v8_0_ig1: AWS Audit Manager provides a prebuilt standard framework that supports the CIS Critical Security Controls version 8.0 , Implementation Group 1.eu_gmp_annex_11_v1: AWS Audit Manager provides a prebuilt framework that supports the EudraLex - The Rules Governing Medicinal Products in the European Union (EU) - Volume 4: Good Manufacturing Practice (GMP) Medicinal Products for Human and Veterinary Use - Annex 11.fedramp_r4: AWS Audit Manager provides a prebuilt standard framework that supports the Federal Risk And Authorization Management Program (FedRAMP) Security Baseline Controls r4.gdpr: AWS Audit Manager provides a prebuilt standard framework that supports the General Data Protection Regulation (GDPR) 2016.glba: AWS Audit Manager provides a prebuilt framework that supports the Gramm-Leach-Bliley Act (GLBA).hipaa_omnibus: AWS Audit Manager provides a prebuilt standard framework that supports the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule.hipaa_security: AWS Audit Manager provides a prebuilt standard framework that supports the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: Feb 2003.iso_iec_27001_2013_annex_a: AWS Audit Manager provides a prebuilt standard framework that supports the International Organization for standardization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 Annex A.nist_sp_800_171_r2: AWS Audit Manager provides a prebuilt standard framework that supports NIST 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.nist_sp_800_53_r5: AWS Audit Manager provides a prebuilt framework that supports the NIST 800-53 Rev 5: Security and Privacy Controls for Information Systems and Organizations.nist_csf_v1_1: AWS Audit Manager provides a prebuilt framework that supports the NIST Cybersecurity Framework (CSF) v1.1.pci_dss_v4_0: AWS Audit Manager provides a prebuilt framework that supports the Payment Card Industry Data Security Standard (PCI DSS) v4.0.ssae_18_soc_2: AWS Audit Manager provides a prebuilt standard framework that supports the Statement on Standards for Attestations Engagement (SSAE) No. 18, Service Organizations Controls (SOC) Report 2.title_21_cfr_part_11: AWS Audit Manager provides a prebuilt standard framework that supports Title 21 of the Code of Federal Regulations (CFR) Part 11, Electronic records; Electronic Signatures - Scope and Application 24 May 2023.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.audit.auditmanager.frameworks.aws_managed
Required:
enabled(Boolean) Enables the AWS Managed Framework.
Nested Schema for configuration.accounts.audit.auditmanager.notifications
Required:
subscribers(Attributes List) A list of notification objects for receiving Audit Manager alerts. (see below for nested schema)
Nested Schema for configuration.accounts.audit.auditmanager.notifications.subscribers
Required:
emails(List of String) Specifies a list of email addresses to send the budget notification to when the threshold is exceeded.
Optional:
filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details. If not provided, all messages received by the SNS Topic will be forwarded to subscribers.
Nested Schema for configuration.accounts.audit.auditmanager.settings
Optional:
data_retention_policy(String) Configures the data rentention policy when Audit Managed is disabled. For more details check AWS documentation. For delegated admin scenario AWS has a limitation and can only useDEFAULT. Defaults toDEFAULT.evidence_finder(Attributes) Evidence finder provides a powerful way to search for evidence in Audit Manager. Instead of browsing deeply nested evidence folders to find what you're looking for, you can now use evidence finder to quickly query your evidence. For more details check AWS documentation. (see below for nested schema)
Nested Schema for configuration.accounts.audit.auditmanager.settings.evidence_finder
Optional:
enabled(Boolean) If true, enables evidence finder. Defaults tofalse.
Warning
When you use this attribute to disable evidence finder,
Audit Manager deletes the event data store that's used to query your evidence data.
As a result, you can't re-enable evidence finder and use the feature again.
Your only alternative is to disable and then re-enable Audit Manager.
Nested Schema for configuration.accounts.audit.backup
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)restore_testing(Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.accounts.audit.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.accounts.audit.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.audit.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.audit.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.audit.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.audit.backup.restore_testing
Optional:
enabled(Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults totrue.protected_resource_selection_tags(Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)protected_resource_selection_types(List of String) The type of AWS resource included in a restore testing selection.recovery_point_selection(Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.
Nested Schema for configuration.accounts.audit.backup.restore_testing.protected_resource_selection_tags
Optional:
tag_key(String) The selection tag key. Defaults toRestoreTestingEnabled.tag_value(String) The selection tag value. Defaults totrue.
Nested Schema for configuration.accounts.audit.backup.restore_testing.recovery_point_selection
Optional:
algorithm(String) Acceptable values includeLATEST_WITHIN_WINDOWorRANDOM_WITHIN_WINDOW.recovery_point_types(List of String) Acceptable values includeCONTINUOUSandSNAPSHOT.selection_window_days(Number) Accepted values are integers from 1 to 365.
Nested Schema for configuration.accounts.audit.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
Nested Schema for configuration.accounts.audit.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.accounts.audit.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.accounts.audit.budgets
Required:
name(String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.time_unit(String) The length of time until a budget resets the actual and forecasted spend. Valid values are:MONTHLY | QUARTERLY | ANNUALLY | DAILY.type(String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.
Optional:
auto_adjust_data(Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)cost_filters(Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)cost_types(List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].limit(Attributes) Object containing budget limit. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)notifications(Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)planned_limits(Attributes List) Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)tags(Map of String) Map of tags assigned to the resource.time_period(Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to06/15/87 00:00 UTC. (see below for nested schema)
Nested Schema for configuration.accounts.audit.budgets.auto_adjust_data
Required:
auto_adjust_type(String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.
Optional:
historical_options(Attributes) The string that defines whether your budget auto-adjusts based on historical or forecasted data. See further details in AWS Documentation. (see below for nested schema)last_auto_adjust_time(String) The last time that your budget was auto-adjusted. MUST be in timestamp format.
Nested Schema for configuration.accounts.audit.budgets.auto_adjust_data.historical_options
Required:
budget_adjustment_period(Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.
Optional:
lookback_available_periods(Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from thebudget_adjustment_periodand your historical cost data.
Nested Schema for configuration.accounts.audit.budgets.cost_filters
Required:
name(String) The name of the cost filter. Valid values are:AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.values(List of String) The list of values used for filtering.
Nested Schema for configuration.accounts.audit.budgets.limit
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.audit.budgets.notifications
Required:
comparison_operator(String) Comparison operator to use to evaluate the condition. Valid values are:EQUAL_TO | GREATER_THAN | LESS_THAN.email_addresses(List of String) Lost of email addresses to notify.threshold(String) Threshold when the notification should be sent.threshold_type(String) What kind of threshold is defined. Valid values are:ABSOLUTE_VALUE | PERCENTAGE.type(String) Comparison operator to use to evaluate the condition. Valid values are:ACTUAL | FORECASTED.
Nested Schema for configuration.accounts.audit.budgets.planned_limits
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.start_time(String) The start time of the budget limit. Format:2017-01-01_12:00.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.audit.budgets.time_period
Optional:
end(String) The end of the time period covered by the budget. Format:2017-01-01_12:00.start(String) The start of the time period covered by the budget. Format:2017-01-01_12:00.
Nested Schema for configuration.accounts.audit.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.accounts.audit.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.audit.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.audit.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.audit.guardduty
Optional:
auto_enable_organization_members(Boolean) Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. Defaults to true.detector_features(List of String) Provides a resource to manage Amazon GuardDuty organization configuration features. Possible values are:ebs_malware_protection,eks_audit_logs,eks_runtime_monitoring,eks_runtime_monitoring_addon_management,lambda_network_logs,rds_login_events,s3_data_events. Theeks_runtime_monitoring_addon_managementis used only ifeks_runtime_monitoringis present as well.enabled(Boolean) Enables Guardduty for this AWS Organization.finding_publishing_frequency(String) Specifies the frequency of notifications sent for subsequent finding occurrences.Valid values:FIFTEEN_MINUTES,ONE_HOUR,SIX_HOURS.threatiplist(List of String) Provides a resource to manage a GuardDuty ThreatIntelSet.trustiplist(List of String) Provides a resource to manage a GuardDuty IPSet.
Nested Schema for configuration.accounts.audit.inspector
Optional:
enabled(Boolean) Enables Inspector for this AWS Organization.organization_configuration(Attributes) AWS Inpector Organization Configuration. (see below for nested schema)
Nested Schema for configuration.accounts.audit.inspector.organization_configuration
Optional:
auto_enable(List of String) List of Inpector scans to auto-enable at Organization level.
Nested Schema for configuration.accounts.audit.s3_account_public_access_block
Optional:
block_public_acls(Boolean) Optional) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.block_public_policy(Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.ignore_public_acls(Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.restrict_public_buckets(Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.
Nested Schema for configuration.accounts.audit.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.accounts.audit.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.accounts.audit.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.accounts.audit.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.audit.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.audit.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.accounts.audit.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.accounts.audit.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.accounts.audit.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.accounts.audit.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.audit.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.accounts.audit.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.accounts.audit.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.audit.vpc
Optional:
deployment_architecture(Attributes) Network deployment architecture specific to this acocunt. This is used in combination with the organizationnetwork_deployment_architecturesattribute. (see below for nested schema)enable_dns_hostnames(Boolean) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults totrue.enable_dns_support(Boolean) A boolean flag to enable/disable DNS support in the VPC. Defaults totrue.enabled(Boolean) A boolean flag to enable/disable the VPC. Defaults totrue.instance_tenancy(String) A tenancy option for instances launched into the VPC. Default isdefault, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option isdedicated, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.network_firewall(Attributes) Configuration settings for AWS Network Firewall service. MUST be deployed only if the VPC template supports distributed architecture. (see below for nested schema)
Nested Schema for configuration.accounts.audit.vpc.deployment_architecture
Optional:
egress_enabled(Boolean) If true, enables account local egress access to internet. Defaults tofalse.ingress_enabled(Boolean) If true, enables account local ingress access from internet. Defaults tofalse.private_endpoints(Attributes) Configuration for AWS Services that support private endpoints configuration in the VPC. The subnet where these private endpoints are created is predetermined by the selected VPC template. For standard it will use app_tier subnet. For web_tier_only it will use the only available subnet. (see below for nested schema)template(String) The VPC template determines what nacls, routing tables, routes and subnets are going to be created in the VPC. Defaults tostandard. Possible values are:standard_centralized: Creates 2 tier subnets (private app_tier, private data_tier) with centralized public web_tier running in network account accessed using centralized Transit Gateway deployment. The minimum network mask for the VPC MUST be/24.standard_centralized_and_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support centralized Transit Gateway deployment and 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/23.standard_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/24.web_tier_centralized_and_distributed: Create 1 public web_tier subnet with 1 extra subnet to support centralized Transit Gateway deployment and 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/24.web_tier_distributed: Create 1 public web_tier subnet with 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/25.
Warning
Changing this value causes the VPC to be re-created.
CANNOT be changed after creation without destroying everything running on top of the VPC first.
Nested Schema for configuration.accounts.audit.vpc.deployment_architecture.private_endpoints
Optional:
enabled(Boolean) If true, enables account local private endpoints for supported services. Defaults tofalse.gateway_services(List of String) List of AWS services to create private endpoints of type gateway in the local account private endpoints VPC. For more details see AWS documentation. Valid values are:dynamodb | s3.interface_services(List of String) List of AWS services to create private endpoints of type interface in the local/network account private endpoints VPC. The service name is derived from this ![aws-services-privatelink-support]https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html, by taking the service name after the region part. Valid values are:[access-analyzer account acm-pca airflow.api api-fips env env-fips ops analytics-omics appconfig appconfigdata appmesh appmesh-envoy-management apprunner apprunner.requests applicationinsights application-autoscaling application-signals appstream.api appstream.streaming app-integrations apptest aps aps-workspaces arsenal-discovery athena auditmanager autoscaling autoscaling-plans awsconnector b2bi backup backup-gateway batch bcm-data-exports bedrock bedrock-agent bedrock-agent-runtime bedrock-runtime billing billingconductor braket cassandra cassandra-fips cases ce cleanrooms cleanrooms-ml cloudcontrolapi cloudcontrolapi-fips clouddirectory cloudformation cloudhsmv2 cloudtrail codeartifact.api codeartifact.repositories codebuild codebuild-fips codecommit codecommit-fips codeconnections.api codedeploy codedeploy-commands-secure codeguru-profiler codeguru-reviewer codepipeline codestar-connections.api codewhisperer comprehend comprehendmedical compute-optimizer config connect-campaigns console controlcatalog control-storage-omics cost-optimization-hub databrew dataexchange datasync data-servicediscovery data-servicediscovery-fips deadline.management deadline.scheduling deviceadvisor.iot devops-guru dicom-medical-imaging discovery dms dms-fips drs ds ds-data dynamodb dynamodb-fips ebs ec2 ec2messages ec2-fips ecr.api ecr.dkr ecs ecs-agent ecs-telemetry eks eks-auth elasticbeanstalk elasticbeanstalk-health elasticfilesystem elasticfilesystem-fips elasticloadbalancing elasticache elasticache-fips elasticmapreduce email-smtp emr-containers emr-serverless emr-serverless-services.livy emrwal.prod entityresolution events evidently evidently-dataplane execute-api experiments finspace finspace-api fis forecast forecast-fips forecastquery forecastquery-fips frauddetector freetier fsx fsx-fips git-codecommit git-codecommit-fips glue glue.dashboard grafana grafana-workspace greengrass groundstation guardduty guardduty-data guardduty-data-fips guardduty-fips healthlake iam identitystore imagebuilder inspector2 inspector-scan internetmonitor internetmonitor-fips iotfleetwise iotroborunner iotsitewise.api iotsitewise.data iottwinmaker.api iottwinmaker.data iotwireless.api iot.data iot.credentials iot.fleethub.api kafka kafka-fips kendra kendra-ranking kinesis-firehose kinesis-streams kinesis-streams-fips kms kms-fips lakeformation lambda launchwizard license-manager license-manager-fips license-manager-linux-subscriptions license-manager-linux-subscriptions-fips license-manager-user-subscriptions lightsail logs lookoutequipment lookoutmetrics lookoutvision lorawan.cups lorawan.lns m2 macie2 managedblockchain-query managedblockchain.bitcoin.mainnet managedblockchain.bitcoin.testnet mediaconnect medical-imaging memory-db memorydb-fips migrationhub-orchestrator migrationhub-strategy mgn models-v2-lex monitoring mq neptune-graph neptune-graph-data neptune-graph-fips network-firewall network-firewall-fips networkflowmonitor networkflowmonitorreports networkmonitor notebook observabilityadmin organizations organizations-fips outposts panorama partner-app payment-cryptography.controlplane payment-cryptography.dataplane pca-connector-ad pca-connector-scep pcs pcs-fips personalize personalize-events personalize-runtime pi pi-fips pinpoint pinpoint-sms-voice-v2 pipes pipes-data pipes-fips polly pricing.api private-networks profile proton q qapps qbusiness qldb.session quicksight-website ram rbin refactor-spaces rds rds-data redshift redshift-fips redshift-serverless redshift-serverless-fips redshift-data redshift-data-fips rekognition rekognition-fips repostspace resource-groups resource-groups-fips robomaker rolesanywhere rum rum-dataplane runtime-medical-imaging runtime-v2-lex s3 s3tables s3-global.accesspoint s3-outposts sagemaker.api sagemaker-data-science-assistant sagemaker.api-fips sagemaker.featurestore-runtime sagemaker.metrics sagemaker.runtime sagemaker.runtime-fips savingsplans schemas scn secretsmanager securityhub securitylake securitylake-fips serverlessrepo servicecatalog servicecatalog-appregistry servicediscovery servicediscovery-fips service.user-subscriptions signin simspaceweaver snow-device-management sns social-messaging sqs ssm ssm-contacts ssm-incidents ssm-quicksetup ssmmessages states storagegateway storage-omics streaming-rekognition streaming-rekognition-fips sts studio swf swf-fips sync-states synthetics synthetics-fips tagging tags-omics tax textract textract-fips thinclient.api timestream.ingest-cell timestream.query-cell timestream-influxdb timestream-influxdb-fips tnb transcribe transcribestreaming transfer transfer.server translate trustedadvisor verifiedpermissions voiceid vpc-lattice wellarchitected wisdom workflows-omics workmail workspaces workspaces-web workspaces-web-fips xray].
Nested Schema for configuration.accounts.audit.vpc.network_firewall
Required:
enabled(Boolean) If true, creates AWS Network Firewalls in each AZ.
Optional:
vendor(Attributes) The vendor of the network firewall and it's associated settings. Defaults toaws. (see below for nested schema)
Nested Schema for configuration.accounts.audit.vpc.network_firewall.vendor
Optional:
aws(Attributes) Settings for AWS Network Firewall. (see below for nested schema)
Nested Schema for configuration.accounts.audit.vpc.network_firewall.vendor.aws
Optional:
managed_rule_groups(Attributes) Settings for AWS Managed Rule Groups. (see below for nested schema)
Nested Schema for configuration.accounts.audit.vpc.network_firewall.vendor.aws.managed_rule_groups
Optional:
domain_lists(List of String) AWS Network Firewall managed domain and IP rule groups block HTTP/HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets.threat_signatures(List of String) AWS Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection and to enforce fair use policies as well as guard against emerging threats.
Nested Schema for configuration.accounts.log_archive
Required:
alternate_contacts(Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)primary_contact(Attributes) Configuration of AWS Account primary contact. (see below for nested schema)
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)backup(Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)budgets(Attributes List) A list of budget objects. (see below for nested schema)config(Attributes) AWS Config Conformance Packs Rules deployed for this AWS account only. (see below for nested schema)ebs_encryption_by_default(Boolean) Whether or not default EBS encryption is enabled. Defaults totrue.s3_account_public_access_block(Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with this AWS account. The object name MUST be unique across this account and any OU level definitions. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.alternate_contacts
Required:
email(String) An email address for the alternate contact.name(String) Name of the alternate contact.phone(String) Phone number for the alternate contact.title(String) Title for the alternate contact.
Nested Schema for configuration.accounts.log_archive.primary_contact
Required:
address_line_1(String) The first line of the primary contact address.city(String) The city of the primary contact address.country_code(String) The ISO-3166 two-letter country code for the primary contact address.full_name(String) The full name of the primary contact address.phone(String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.postal_code(String) The postal code of the primary contact address.
Optional:
address_line_2(String) The second line of the primary contact address, if any.address_line_3(String) The third line of the primary contact address, if any.company_name(String) The name of the company associated with the primary contact information, if any.district_or_county(String) The district or county of the primary contact address, if any.state_or_region(String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example,NJ) or the full state name (for example,New Jersey). This field is required in the following countries:US, CA, GB, DE, JP, IN, and BR.website_url(String) The URL of the website associated with the primary contact information, if any.
Nested Schema for configuration.accounts.log_archive.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.accounts.log_archive.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.accounts.log_archive.backup
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)restore_testing(Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.log_archive.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.log_archive.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.log_archive.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.log_archive.backup.restore_testing
Optional:
enabled(Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults totrue.protected_resource_selection_tags(Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)protected_resource_selection_types(List of String) The type of AWS resource included in a restore testing selection.recovery_point_selection(Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.
Nested Schema for configuration.accounts.log_archive.backup.restore_testing.protected_resource_selection_tags
Optional:
tag_key(String) The selection tag key. Defaults toRestoreTestingEnabled.tag_value(String) The selection tag value. Defaults totrue.
Nested Schema for configuration.accounts.log_archive.backup.restore_testing.recovery_point_selection
Optional:
algorithm(String) Acceptable values includeLATEST_WITHIN_WINDOWorRANDOM_WITHIN_WINDOW.recovery_point_types(List of String) Acceptable values includeCONTINUOUSandSNAPSHOT.selection_window_days(Number) Accepted values are integers from 1 to 365.
Nested Schema for configuration.accounts.log_archive.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
Nested Schema for configuration.accounts.log_archive.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.accounts.log_archive.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.accounts.log_archive.budgets
Required:
name(String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.time_unit(String) The length of time until a budget resets the actual and forecasted spend. Valid values are:MONTHLY | QUARTERLY | ANNUALLY | DAILY.type(String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.
Optional:
auto_adjust_data(Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)cost_filters(Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)cost_types(List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].limit(Attributes) Object containing budget limit. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)notifications(Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)planned_limits(Attributes List) Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)tags(Map of String) Map of tags assigned to the resource.time_period(Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to06/15/87 00:00 UTC. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.budgets.auto_adjust_data
Required:
auto_adjust_type(String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.
Optional:
historical_options(Attributes) The string that defines whether your budget auto-adjusts based on historical or forecasted data. See further details in AWS Documentation. (see below for nested schema)last_auto_adjust_time(String) The last time that your budget was auto-adjusted. MUST be in timestamp format.
Nested Schema for configuration.accounts.log_archive.budgets.auto_adjust_data.historical_options
Required:
budget_adjustment_period(Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.
Optional:
lookback_available_periods(Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from thebudget_adjustment_periodand your historical cost data.
Nested Schema for configuration.accounts.log_archive.budgets.cost_filters
Required:
name(String) The name of the cost filter. Valid values are:AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.values(List of String) The list of values used for filtering.
Nested Schema for configuration.accounts.log_archive.budgets.limit
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.log_archive.budgets.notifications
Required:
comparison_operator(String) Comparison operator to use to evaluate the condition. Valid values are:EQUAL_TO | GREATER_THAN | LESS_THAN.email_addresses(List of String) Lost of email addresses to notify.threshold(String) Threshold when the notification should be sent.threshold_type(String) What kind of threshold is defined. Valid values are:ABSOLUTE_VALUE | PERCENTAGE.type(String) Comparison operator to use to evaluate the condition. Valid values are:ACTUAL | FORECASTED.
Nested Schema for configuration.accounts.log_archive.budgets.planned_limits
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.start_time(String) The start time of the budget limit. Format:2017-01-01_12:00.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.log_archive.budgets.time_period
Optional:
end(String) The end of the time period covered by the budget. Format:2017-01-01_12:00.start(String) The start of the time period covered by the budget. Format:2017-01-01_12:00.
Nested Schema for configuration.accounts.log_archive.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.log_archive.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.log_archive.s3_account_public_access_block
Optional:
block_public_acls(Boolean) Optional) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.block_public_policy(Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.ignore_public_acls(Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.restrict_public_buckets(Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.
Nested Schema for configuration.accounts.log_archive.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.accounts.log_archive.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.accounts.log_archive.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.management
Required:
alternate_contacts(Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)primary_contact(Attributes) Configuration of AWS Account primary contact. (see below for nested schema)
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)backup(Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)budgets(Attributes List) A list of budget objects. (see below for nested schema)config(Attributes) AWS Config Conformance Packs Rules deployed for this AWS account only. (see below for nested schema)ebs_encryption_by_default(Boolean) Whether or not default EBS encryption is enabled. Defaults totrue.s3_account_public_access_block(Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)
Nested Schema for configuration.accounts.management.alternate_contacts
Required:
email(String) An email address for the alternate contact.name(String) Name of the alternate contact.phone(String) Phone number for the alternate contact.title(String) Title for the alternate contact.
Nested Schema for configuration.accounts.management.primary_contact
Required:
address_line_1(String) The first line of the primary contact address.city(String) The city of the primary contact address.country_code(String) The ISO-3166 two-letter country code for the primary contact address.full_name(String) The full name of the primary contact address.phone(String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.postal_code(String) The postal code of the primary contact address.
Optional:
address_line_2(String) The second line of the primary contact address, if any.address_line_3(String) The third line of the primary contact address, if any.company_name(String) The name of the company associated with the primary contact information, if any.district_or_county(String) The district or county of the primary contact address, if any.state_or_region(String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example,NJ) or the full state name (for example,New Jersey). This field is required in the following countries:US, CA, GB, DE, JP, IN, and BR.website_url(String) The URL of the website associated with the primary contact information, if any.
Nested Schema for configuration.accounts.management.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.accounts.management.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.accounts.management.backup
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)restore_testing(Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.accounts.management.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.accounts.management.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.management.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.management.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.management.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.management.backup.restore_testing
Optional:
enabled(Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults totrue.protected_resource_selection_tags(Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)protected_resource_selection_types(List of String) The type of AWS resource included in a restore testing selection.recovery_point_selection(Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.
Nested Schema for configuration.accounts.management.backup.restore_testing.protected_resource_selection_tags
Optional:
tag_key(String) The selection tag key. Defaults toRestoreTestingEnabled.tag_value(String) The selection tag value. Defaults totrue.
Nested Schema for configuration.accounts.management.backup.restore_testing.recovery_point_selection
Optional:
algorithm(String) Acceptable values includeLATEST_WITHIN_WINDOWorRANDOM_WITHIN_WINDOW.recovery_point_types(List of String) Acceptable values includeCONTINUOUSandSNAPSHOT.selection_window_days(Number) Accepted values are integers from 1 to 365.
Nested Schema for configuration.accounts.management.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
Nested Schema for configuration.accounts.management.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.accounts.management.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.accounts.management.budgets
Required:
name(String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.time_unit(String) The length of time until a budget resets the actual and forecasted spend. Valid values are:MONTHLY | QUARTERLY | ANNUALLY | DAILY.type(String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.
Optional:
auto_adjust_data(Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)cost_filters(Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)cost_types(List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].limit(Attributes) Object containing budget limit. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)notifications(Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)planned_limits(Attributes List) Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)tags(Map of String) Map of tags assigned to the resource.time_period(Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to06/15/87 00:00 UTC. (see below for nested schema)
Nested Schema for configuration.accounts.management.budgets.auto_adjust_data
Required:
auto_adjust_type(String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.
Optional:
historical_options(Attributes) The string that defines whether your budget auto-adjusts based on historical or forecasted data. See further details in AWS Documentation. (see below for nested schema)last_auto_adjust_time(String) The last time that your budget was auto-adjusted. MUST be in timestamp format.
Nested Schema for configuration.accounts.management.budgets.auto_adjust_data.historical_options
Required:
budget_adjustment_period(Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.
Optional:
lookback_available_periods(Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from thebudget_adjustment_periodand your historical cost data.
Nested Schema for configuration.accounts.management.budgets.cost_filters
Required:
name(String) The name of the cost filter. Valid values are:AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.values(List of String) The list of values used for filtering.
Nested Schema for configuration.accounts.management.budgets.limit
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.management.budgets.notifications
Required:
comparison_operator(String) Comparison operator to use to evaluate the condition. Valid values are:EQUAL_TO | GREATER_THAN | LESS_THAN.email_addresses(List of String) Lost of email addresses to notify.threshold(String) Threshold when the notification should be sent.threshold_type(String) What kind of threshold is defined. Valid values are:ABSOLUTE_VALUE | PERCENTAGE.type(String) Comparison operator to use to evaluate the condition. Valid values are:ACTUAL | FORECASTED.
Nested Schema for configuration.accounts.management.budgets.planned_limits
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.start_time(String) The start time of the budget limit. Format:2017-01-01_12:00.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.management.budgets.time_period
Optional:
end(String) The end of the time period covered by the budget. Format:2017-01-01_12:00.start(String) The start of the time period covered by the budget. Format:2017-01-01_12:00.
Nested Schema for configuration.accounts.management.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.accounts.management.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.management.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.management.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.management.s3_account_public_access_block
Optional:
block_public_acls(Boolean) Optional) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.block_public_policy(Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.ignore_public_acls(Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.restrict_public_buckets(Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.
Nested Schema for configuration.accounts.network
Required:
alternate_contacts(Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)aws_account_close_on_delete(Boolean) Iftrue, this will close the AWS account on resource deletion, beginning the 90-day suspension period. Otherwise, the account will just be unenrolled from Control Tower.primary_contact(Attributes) Configuration of AWS Account primary contact. (see below for nested schema)
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)backup(Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)budgets(Attributes List) A list of budget objects. (see below for nested schema)cloud_wan(Attributes) Cloud WAN architecture. Conflicts withtransit_gateway. (see below for nested schema)config(Attributes) AWS Config Conformance Packs Rules deployed for this AWS account only. (see below for nested schema)dns_resolver(Attributes) AWS Private DNS Resolver configuration. (see below for nested schema)dns_zones(Attributes) AWS DNS Zones for public and private DNS object. (see below for nested schema)ebs_encryption_by_default(Boolean) Whether or not default EBS encryption is enabled. Defaults to true.s3_account_public_access_block(Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with with this AWS account. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with this AWS account. The object name MUST be unique across this account and any OU level definitions. (see below for nested schema)transit_gateway(Attributes) Region Hub and Spoke centralized architecture, with multi regional support. (see below for nested schema)virtual_private_gateway(Attributes) VPN gateway for distributed architecture. It is ignored if centralized architecture with transit gateway is enabled. (see below for nested schema)vpc(Attributes) Configuration for the VPC(s) deployed in the Hub. (see below for nested schema)vpc_ipam(Attributes) Configuration for VPC IPAM service deployed in the Hub. (see below for nested schema)vpn(Attributes) Wrapper for the configuration of 2 types of VPN: client and site-to-site. (see below for nested schema)
Nested Schema for configuration.accounts.network.alternate_contacts
Required:
email(String) An email address for the alternate contact.name(String) Name of the alternate contact.phone(String) Phone number for the alternate contact.title(String) Title for the alternate contact.
Nested Schema for configuration.accounts.network.primary_contact
Required:
address_line_1(String) The first line of the primary contact address.city(String) The city of the primary contact address.country_code(String) The ISO-3166 two-letter country code for the primary contact address.full_name(String) The full name of the primary contact address.phone(String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.postal_code(String) The postal code of the primary contact address.
Optional:
address_line_2(String) The second line of the primary contact address, if any.address_line_3(String) The third line of the primary contact address, if any.company_name(String) The name of the company associated with the primary contact information, if any.district_or_county(String) The district or county of the primary contact address, if any.state_or_region(String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example,NJ) or the full state name (for example,New Jersey). This field is required in the following countries:US, CA, GB, DE, JP, IN, and BR.website_url(String) The URL of the website associated with the primary contact information, if any.
Nested Schema for configuration.accounts.network.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.accounts.network.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.accounts.network.backup
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)restore_testing(Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.accounts.network.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.accounts.network.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.network.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.network.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.network.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.network.backup.restore_testing
Optional:
enabled(Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults totrue.protected_resource_selection_tags(Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)protected_resource_selection_types(List of String) The type of AWS resource included in a restore testing selection.recovery_point_selection(Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.
Nested Schema for configuration.accounts.network.backup.restore_testing.protected_resource_selection_tags
Optional:
tag_key(String) The selection tag key. Defaults toRestoreTestingEnabled.tag_value(String) The selection tag value. Defaults totrue.
Nested Schema for configuration.accounts.network.backup.restore_testing.recovery_point_selection
Optional:
algorithm(String) Acceptable values includeLATEST_WITHIN_WINDOWorRANDOM_WITHIN_WINDOW.recovery_point_types(List of String) Acceptable values includeCONTINUOUSandSNAPSHOT.selection_window_days(Number) Accepted values are integers from 1 to 365.
Nested Schema for configuration.accounts.network.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
Nested Schema for configuration.accounts.network.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.accounts.network.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.accounts.network.budgets
Required:
name(String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.time_unit(String) The length of time until a budget resets the actual and forecasted spend. Valid values are:MONTHLY | QUARTERLY | ANNUALLY | DAILY.type(String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.
Optional:
auto_adjust_data(Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)cost_filters(Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)cost_types(List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].limit(Attributes) Object containing budget limit. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)notifications(Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)planned_limits(Attributes List) Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)tags(Map of String) Map of tags assigned to the resource.time_period(Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to06/15/87 00:00 UTC. (see below for nested schema)
Nested Schema for configuration.accounts.network.budgets.auto_adjust_data
Required:
auto_adjust_type(String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.
Optional:
historical_options(Attributes) The string that defines whether your budget auto-adjusts based on historical or forecasted data. See further details in AWS Documentation. (see below for nested schema)last_auto_adjust_time(String) The last time that your budget was auto-adjusted. MUST be in timestamp format.
Nested Schema for configuration.accounts.network.budgets.auto_adjust_data.historical_options
Required:
budget_adjustment_period(Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.
Optional:
lookback_available_periods(Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from thebudget_adjustment_periodand your historical cost data.
Nested Schema for configuration.accounts.network.budgets.cost_filters
Required:
name(String) The name of the cost filter. Valid values are:AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.values(List of String) The list of values used for filtering.
Nested Schema for configuration.accounts.network.budgets.limit
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.network.budgets.notifications
Required:
comparison_operator(String) Comparison operator to use to evaluate the condition. Valid values are:EQUAL_TO | GREATER_THAN | LESS_THAN.email_addresses(List of String) Lost of email addresses to notify.threshold(String) Threshold when the notification should be sent.threshold_type(String) What kind of threshold is defined. Valid values are:ABSOLUTE_VALUE | PERCENTAGE.type(String) Comparison operator to use to evaluate the condition. Valid values are:ACTUAL | FORECASTED.
Nested Schema for configuration.accounts.network.budgets.planned_limits
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.start_time(String) The start time of the budget limit. Format:2017-01-01_12:00.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.network.budgets.time_period
Optional:
end(String) The end of the time period covered by the budget. Format:2017-01-01_12:00.start(String) The start of the time period covered by the budget. Format:2017-01-01_12:00.
Nested Schema for configuration.accounts.network.cloud_wan
Optional:
enabled(Boolean) If true, deploys a Cloud WAN architecture. Defaults tofalse
Nested Schema for configuration.accounts.network.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.accounts.network.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.network.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.network.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.network.dns_resolver
Optional:
enabled(Boolean) Is AWS Private Resolver DNS enabled?forwarding_domains(Attributes List) Provides a list of objects to configure outbound conditional forwarding. (see below for nested schema)
Nested Schema for configuration.accounts.network.dns_resolver.forwarding_domains
Required:
dns_domain(String) DNS domain for conditional forwarding.dns_servers(List of String) List of DNS servers that are authoritative for the domain.
Nested Schema for configuration.accounts.network.dns_zones
Optional:
private_subdomains(Attributes) Object contains the private DNS domain for each environment. (see below for nested schema)public_domains(List of String) List contains the public DNS domains.
Nested Schema for configuration.accounts.network.dns_zones.private_subdomains
Optional:
dev(String) The subdomain name for creating the DEV environment private dns zone.prod(String) The subdomain name for creating the PROD environment private dns zone.qa(String) The subdomain name for creating the QA environment private dns zone.test(String) The subdomain name for creating the TEST environment private dns zone.
Nested Schema for configuration.accounts.network.s3_account_public_access_block
Optional:
block_public_acls(Boolean) Optional) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.block_public_policy(Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.ignore_public_acls(Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.restrict_public_buckets(Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.
Nested Schema for configuration.accounts.network.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.accounts.network.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.accounts.network.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.accounts.network.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.network.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.network.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.accounts.network.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.accounts.network.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.accounts.network.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.accounts.network.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.network.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.accounts.network.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.accounts.network.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.network.transit_gateway
Optional:
aws_side_asn(Number) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is64512to65534for 16-bit ASNs and4200000000to4294967294for 32-bit ASNs. Extra AWS Regions will increment by 1. Defaults to64600.enabled(Boolean) If true, deploys a Hub and Spoke architecture based on AWS Transit Gateway. Defaults totrue.separate_non_prod(Boolean) If true, deploys a dedicated Routing Table on the AWS Transit Gateway for non-prod environments. All other services required to create a functional architecture will be duplicated for non-prod environments. Defaults tofalse.
Warning
This value requires an increase in VPC per Region service quota and it will only take effect
after the quota is increased. As such, it's recommended to be set to true after the initial
tenancy resource is deployed and confirmation that network account has
VPC per Region service quota increased from default.
Nested Schema for configuration.accounts.network.virtual_private_gateway
Optional:
aws_side_asn(Number) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is64512to65534for 16-bit ASNs and4200000000to4294967294for 32-bit ASNs. Extra AWS Regions will increment by 1. Defaults to64700.enabled(Boolean) If true, deploys a Virtual Private Gateway in the egress VPC. Defaults tofalse.
Nested Schema for configuration.accounts.network.vpc
Optional:
enable_dns_hostnames(Boolean) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults totrue.enable_dns_support(Boolean) A boolean flag to enable/disable DNS support in the VPC. Defaults totrue.instance_tenancy(String) A tenancy option for instances launched into the VPC. Default isdefault, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option isdedicated, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.nat_gateway(Attributes) Provides details for configuring AWS NAT Gateway service for egress traffic. Should be disabled ifnetwork_firewallis enabled. (see below for nested schema)network_firewall(Attributes) Provides details for configuring Network Firewall capability using AWS Network Firewall service or a 3rd party firewall. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpc.nat_gateway
Optional:
enabled(Boolean) Is AWS NAT Gateway service enabled? Defaults totrue.
Nested Schema for configuration.accounts.network.vpc.network_firewall
Required:
deployment(Attributes) Specifies deployment architecture for network firewall. (see below for nested schema)enabled(Boolean) if true, deploys network firewall(s) as per defined deployment.
Optional:
vendor(Attributes) The vendor of the network firewall and it's associated settings. Defaults toaws. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpc.network_firewall.deployment
Optional:
egress(Boolean) If true, deploys network firewall(s) in the egress VPC. If transit gateway has separate routing tables enabled, it will create separate network firewall in prod and nonprod egress VPCs. Cannot be enabled at the same time asinspectionand MUST be enabled ifinspectionis disabled.ingress(Boolean) If true, deploys network firewall(s) in the ingress VPC. If transit gateway has separate routing tables enabled, it will create separate network firewall in prod and nonprod ingress VPCs. Cannot be enabled at the same time asinspection.inspection(Boolean) If true, deploys an inspection VPC using AWS Network Firewall. Requires that the vendor of the firewall to beaws. Cannot be enabled at the same time asegressandingressand doesn't support separate nonprod transit gateway route table.
Nested Schema for configuration.accounts.network.vpc.network_firewall.vendor
Optional:
aws(Attributes) Settings for AWS Network Firewall. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpc.network_firewall.vendor.aws
Optional:
managed_rule_groups(Attributes) Settings for AWS Managed Rule Groups. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpc.network_firewall.vendor.aws.managed_rule_groups
Optional:
domain_lists(List of String) AWS Network Firewall managed domain and IP rule groups block HTTP/HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets.threat_signatures(List of String) AWS Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection and to enforce fair use policies as well as guard against emerging threats.
Nested Schema for configuration.accounts.network.vpc_ipam
Optional:
enabled(Boolean) Is VPC IPAM enabled? Defaults totrue.
Nested Schema for configuration.accounts.network.vpn
Optional:
client(Attributes) Configuration for AWS VPN Client service deployed in the Hub. (see below for nested schema)s2s(Attributes) Configuration for Site-to-Site VPN setup. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.client
Required:
endpoints(Attributes Map) Map of Client VPN endpoints for each AWS region. Possible values for the map keys are the region codes associated with Aws supported locations and enabled at tenancy level. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.client.endpoints
Required:
prod(Attributes List) Manages a Client VPN endpoint for production environment (or all environments if transit gateway is not enabled or it is enabled but doesn't have separate routing tables). (see below for nested schema)
Optional:
nonprod(Attributes List) Manages a Client VPN endpoint for all non production environments. This is only applicable if transit gateway is enabled has separate routing tables enabled. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.client.endpoints.prod
Required:
authentication(Attributes) Information about the authentication method to be used to authenticate clients. (see below for nested schema)cidr_block(String) The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the CIDR(s) provided in the regions object at tenancy level. The address range cannot be changed after the Client VPN endpoint has been created. The CIDR block should be /22 or greater.name(String) The name of the Client VPN Endpoint. MUST be lowercase alphanumeric characters, dash and underscore with maximum legth of 64. Will be used withconfiguration.dns_domainas FQDN for issuing the endpoint ACM server certificate.
Optional:
availability_zones(List of String) How many AZs to use for VPN Client Endpoint? The list MUST contain at least 1 element and MUST be defined as values in the organization network architecture deployments. Defaults to["1"].connection_log_enabled(Boolean) Indicates whether connection logging is enabled. Defaults totrue.login_banner_text(String) Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.self_service_portal(String) Specify whether to enable the self-service portal for the Client VPN endpoint. Values can beenabledordisabled. Defaults todisabled.session_timeout_hours(Number) The maximum session duration is a trigger by which end-users are required to re-authenticate prior to establishing a VPN session. Valid values:8 | 10 | 12 | 24. Defaults to24.split_tunnel(Attributes) Indicates whether split-tunnel is enabled. (see below for nested schema)tags(Map of String) Key-value map of resource tags for all the tenancy resources.transport_protocol(String) The transport protocol to be used by the VPN session. Valid values:tcp | udp. Defaults toudp.use_aws_dns_servers(Boolean) Use AWS VPC DNS servers for DNS resolution. Iffalse, the DNS address of the connecting device is used. Defaults totrue.use_aws_public_static_ip(Boolean) If true and split tunnel if NOT enabled, it will create static public IP addresses for VPN Client Endpoint using AWS Elastic IPs. Defaults tofalse.vpn_port(Number) The port number for the Client VPN endpoint. Valid values are443 | 1194. Defaults to443.
Nested Schema for configuration.accounts.network.vpn.client.endpoints.prod.authentication
Optional:
directory_service(Attributes) Active Directory authentication using AWS Directory Service. (see below for nested schema)federated(Attributes) Federated authentication via SAML 2.0. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.client.endpoints.prod.authentication.directory_service
Required:
enabled(Boolean) If true, configures the endpoint with an Active Directory authentication.
Nested Schema for configuration.accounts.network.vpn.client.endpoints.prod.authentication.federated
Required:
enabled(Boolean) If true, configures the endpoint with a Federated SAML 2.0 authentication.saml_metadata_document(String) A base64 encoded XML document generated by an identity provider (IdP) that supports SAML 2.0 for the purpose of authentication VPN Client users. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see About SAML 2.0-based federation in the IAM User Guide
Optional:
self_service_saml_metadata_document(String) A base64 encoded XML document generated by an identity provider (IdP) that supports SAML 2.0 for the purpose of using the VPN Client self-service portal (MUST be provided ifself_service_portalisenabledand should be different than thesaml_metadata_document). The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see About SAML 2.0-based federation in the IAM User Guide
Nested Schema for configuration.accounts.network.vpn.client.endpoints.prod.split_tunnel
Optional:
enabled(Boolean) If true, enables split tunnel for the Client VPN endpoint. Defaults totrue.routes(List of String) Add custom routes to the split-tunnel routing table. By default, only the AWS region CIDR where the endpoint resides is added.
Nested Schema for configuration.accounts.network.vpn.client.endpoints.nonprod
Required:
authentication(Attributes) Information about the authentication method to be used to authenticate clients. (see below for nested schema)cidr_block(String) The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the CIDR(s) provided in the regions object at tenancy level. The address range cannot be changed after the Client VPN endpoint has been created. The CIDR block should be /22 or greater.name(String) The name of the Client VPN Endpoint. MUST be lowercase alphanumeric characters, dash and underscore with maximum legth of 64. Will be used withconfiguration.dns_domainas FQDN for issuing the endpoint ACM server certificate.
Optional:
availability_zones(List of String) How many AZs to use for VPN Client Endpoint? The list MUST contain at least 1 element and MUST be defined as values in the organization network architecture deployments. Defaults to["1"].connection_log_enabled(Boolean) Indicates whether connection logging is enabled. Defaults totrue.login_banner_text(String) Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.self_service_portal(String) Specify whether to enable the self-service portal for the Client VPN endpoint. Values can beenabledordisabled. Defaults todisabled.session_timeout_hours(Number) The maximum session duration is a trigger by which end-users are required to re-authenticate prior to establishing a VPN session. Valid values:8 | 10 | 12 | 24. Defaults to24.split_tunnel(Attributes) Indicates whether split-tunnel is enabled. (see below for nested schema)tags(Map of String) Key-value map of resource tags for all the tenancy resources.transport_protocol(String) The transport protocol to be used by the VPN session. Valid values:tcp | udp. Defaults toudp.use_aws_dns_servers(Boolean) Use AWS VPC DNS servers for DNS resolution. Iffalse, the DNS address of the connecting device is used. Defaults totrue.use_aws_public_static_ip(Boolean) If true and split tunnel if NOT enabled, it will create static public IP addresses for VPN Client Endpoint using AWS Elastic IPs. Defaults tofalse.vpn_port(Number) The port number for the Client VPN endpoint. Valid values are443 | 1194. Defaults to443.
Nested Schema for configuration.accounts.network.vpn.client.endpoints.nonprod.authentication
Optional:
directory_service(Attributes) Active Directory authentication using AWS Directory Service. (see below for nested schema)federated(Attributes) Federated authentication via SAML 2.0. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.client.endpoints.nonprod.authentication.directory_service
Required:
enabled(Boolean) If true, configures the endpoint with an Active Directory authentication.
Nested Schema for configuration.accounts.network.vpn.client.endpoints.nonprod.authentication.federated
Required:
enabled(Boolean) If true, configures the endpoint with a Federated SAML 2.0 authentication.saml_metadata_document(String) A base64 encoded XML document generated by an identity provider (IdP) that supports SAML 2.0 for the purpose of authentication VPN Client users. The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see About SAML 2.0-based federation in the IAM User Guide
Optional:
self_service_saml_metadata_document(String) A base64 encoded XML document generated by an identity provider (IdP) that supports SAML 2.0 for the purpose of using the VPN Client self-service portal (MUST be provided ifself_service_portalisenabledand should be different than thesaml_metadata_document). The document includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. You must generate the metadata document using the identity management software that is used as your organization's IdP. For more information, see About SAML 2.0-based federation in the IAM User Guide
Nested Schema for configuration.accounts.network.vpn.client.endpoints.nonprod.split_tunnel
Optional:
enabled(Boolean) If true, enables split tunnel for the Client VPN endpoint. Defaults totrue.routes(List of String) Add custom routes to the split-tunnel routing table. By default, only the AWS region CIDR where the endpoint resides is added.
Nested Schema for configuration.accounts.network.vpn.s2s
Required:
connections(Attributes Map) Map of VPN connections for each AWS region. Possible values for the map keys are the region codes associated with Aws supported locations and enabled at tenancy level. (see below for nested schema)gateway_attachment(Attributes) Site-to-Site VPN connection(s) attachment to AWS gateway type (TGW/VPG). (see below for nested schema)
Optional:
customer_gateway(Attributes) Settings required for setting up customer gateways. (see below for nested schema)direct_connect(Attributes) Site-to-Site VPN connection(s) over Direct Connect. The direct connect setup MUST be enabled in the account. Either the Transit Gateway or Virtual Private Gateway attachment MUST be enabled as well. For more details about this architecture, see AWS Direct Connect or AWS Direct Connect + AWS Transit Gateway. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.s2s.connections
Required:
prod(Attributes List) Manages a Site-to-Site VPN connection between an AWS gateway type (TGW/VPG) and an on-premises network for production environment (or all environment if transit gateway doesn't have separate routing tables). (see below for nested schema)
Optional:
nonprod(Attributes List) Manages a Site-to-Site VPN connection between an AWS gateway type (TGW/VPG) and an on-premises network for all non production environments. This is only applicable if transit gateway has separate routing tables enabled. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod
Required:
gateway(Attributes) Creates a customer gateway inside a VPC. These objects can be connected to VPN gateways via VPN connections, and allow you to establish tunnels between your network and the VPC. (see below for nested schema)
Optional:
local_ipv4_network_cidr(String) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to0.0.0.0/0.local_ipv6_network_cidr(String) The IPv46 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to::/0.remote_ipv4_network_cidr(String) The IPv4 CIDR on the AWS side of the VPN connection. Defaults to0.0.0.0/0.remote_ipv6_network_cidr(String) The IPv46 CIDR on the AWS side of the VPN connection. Defaults to::/0.tags(Map of String) AWS tags to be applied on resources created for VPN connection(s).tunnels(Attributes Map) Tunnel settings for the VPN connection. Possible values for the map keys aretunnel1ortunnel2. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod.gateway
Required:
address_space(List of String) The list of string CIDRs representing the address space(s) on the customer gateway (on-premises) side. Will be configured as static route(s).device_name(String) A name for the customer gateway device.ip_address(String) The IPv4 address for the customer gateway device's outside interface.
Optional:
bgp_asn(Number) The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). Valid values are from1to4294967295, with certain values reserved. Changing the value will force creation of a new customer gateway resource. If provided, will overwrite theaws_side_asn.certificate_authentication_enabled(Boolean) Indicates if the customer gateway will use certificate based authentication. If true, it requires the AWS Private CA setup.device_index(Number) Unique (positive) number identifying this gateway across all gateways in the region. Changing the value will force creation of a new customer gateway resource. This MUST be provided if the bgp_asn attribute is not provided as it is used to compute theaws_side_asn. Conflicts withbgp_asn.static_routes_only(Boolean) Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP. Defaults tofalse.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod.tunnels
Optional:
dpd_timeout_action(String) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values areclear | none | restart. Defaults toclear.dpd_timeout_seconds(Number) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than30. Defaults to30.enable_tunnel_lifecycle_control(Boolean) Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Defaults tofalse.ike_versions(List of String) The IKE versions that are permitted for the VPN tunnel(s). Valid values areikev1 | ikev2. Defaults to["ikev2"].inside_ipv4_cidr(String) The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.inside_ipv6_cidr(String) The range of inside IPv6 addresses for the first VPN tunnel. Supports only Transit Gateway setup. Valid value is a size /126 CIDR block from the local fd00::/8 range.logging(Attributes) Options for sending VPN tunnel logs to CloudWatch. (see below for nested schema)phase1(Attributes) Wrapper for IKE phase 1 options. (see below for nested schema)phase2(Attributes) Wrapper for IKE phase 2 options. (see below for nested schema)preshared_key(String, Sensitive) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).rekey_fuzz_percentage(Number) The percentage of the rekey window for the VPN tunnel(s) (determined by rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100. Defaults to100.rekey_margin_time_seconds(Number) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value forrekey_fuzz_percentage. Valid value is between60and half ofphase2_lifetime_seconds. Defaults to540.replay_window_size(Number) The number of packets in an IKE replay window for the VPN tunnel(s). Valid value is between64and2048. Defaults to1024.startup_action(String) The action to take when the establishing the tunnel(s) for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values areadd | start. Defaults toadd.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod.tunnels.logging
Optional:
enabled(Boolean) If true, enables VPN tunnel logging feature. Defaults totrue.format(String) Set log format. Possible values are:json | text. Defaults tojson.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod.tunnels.phase1
Optional:
dh_group_numbers(List of Number) List of one or more Diffie-Hellman group numbers that are permitted for the VPN tunnel(s) for phase 1 IKE negotiations. Valid values are2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Defaults to[14].encryption_algorithms(List of String) List of one or more encryption algorithms that are permitted for the first VPN tunnel(s) for phase 1 IKE negotiations. Valid values areAES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. Defaults to["AES256-GCM-16"].integrity_algorithms(List of String) List of one or more integrity algorithms that are permitted for the VPN tunnel(s) for phase 1 IKE negotiations. Valid values areSHA1 | SHA2-256 | SHA2-384 | SHA2-512. Defaults to["SHA2-256"].lifetime_seconds(Number) The lifetime for phase 1 of the IKE negotiation for the VPN tunnel(s), in seconds. Valid value is between900and28800. Defaults to28800.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.prod.tunnels.phase2
Optional:
dh_group_numbers(List of Number) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Defaults to[14].encryption_algorithms(List of String) List of one or more encryption algorithms that are permitted for the first VPN tunnel(s) for phase 2 IKE negotiations. Valid values areAES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. Defaults to["AES256"].integrity_algorithms(List of String) List of one or more integrity algorithms that are permitted for the VPN tunnel(s) for phase 2 IKE negotiations. Valid values areSHA1 | SHA2-256 | SHA2-384 | SHA2-512. Defaults to["SHA2-256"].lifetime_seconds(Number) The lifetime for phase 1 of the IKE negotiation for the VPN tunnel(s), in seconds. Valid value is between900and3600. Defaults to3600.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod
Required:
gateway(Attributes) Creates a customer gateway inside a VPC. These objects can be connected to VPN gateways via VPN connections, and allow you to establish tunnels between your network and the VPC. (see below for nested schema)
Optional:
local_ipv4_network_cidr(String) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to0.0.0.0/0.local_ipv6_network_cidr(String) The IPv46 CIDR on the customer gateway (on-premises) side of the VPN connection. Defaults to::/0.remote_ipv4_network_cidr(String) The IPv4 CIDR on the AWS side of the VPN connection. Defaults to0.0.0.0/0.remote_ipv6_network_cidr(String) The IPv46 CIDR on the AWS side of the VPN connection. Defaults to::/0.tags(Map of String) AWS tags to be applied on resources created for VPN connection(s).tunnels(Attributes Map) Tunnel settings for the VPN connection. Possible values for the map keys aretunnel1ortunnel2. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod.gateway
Required:
address_space(List of String) The list of string CIDRs representing the address space(s) on the customer gateway (on-premises) side. Will be configured as static route(s).device_name(String) A name for the customer gateway device.ip_address(String) The IPv4 address for the customer gateway device's outside interface.
Optional:
bgp_asn(Number) The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN). Valid values are from1to4294967295, with certain values reserved. Changing the value will force creation of a new customer gateway resource. If provided, will overwrite theaws_side_asn.certificate_authentication_enabled(Boolean) Indicates if the customer gateway will use certificate based authentication. If true, it requires the AWS Private CA setup.device_index(Number) Unique (positive) number identifying this gateway across all gateways in the region. Changing the value will force creation of a new customer gateway resource. This MUST be provided if the bgp_asn attribute is not provided as it is used to compute theaws_side_asn. Conflicts withbgp_asn.static_routes_only(Boolean) Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP. Defaults tofalse.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod.tunnels
Optional:
dpd_timeout_action(String) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values areclear | none | restart. Defaults toclear.dpd_timeout_seconds(Number) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than30. Defaults to30.enable_tunnel_lifecycle_control(Boolean) Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Defaults tofalse.ike_versions(List of String) The IKE versions that are permitted for the VPN tunnel(s). Valid values areikev1 | ikev2. Defaults to["ikev2"].inside_ipv4_cidr(String) The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.inside_ipv6_cidr(String) The range of inside IPv6 addresses for the first VPN tunnel. Supports only Transit Gateway setup. Valid value is a size /126 CIDR block from the local fd00::/8 range.logging(Attributes) Options for sending VPN tunnel logs to CloudWatch. (see below for nested schema)phase1(Attributes) Wrapper for IKE phase 1 options. (see below for nested schema)phase2(Attributes) Wrapper for IKE phase 2 options. (see below for nested schema)preshared_key(String, Sensitive) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).rekey_fuzz_percentage(Number) The percentage of the rekey window for the VPN tunnel(s) (determined by rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between0and100. Defaults to100.rekey_margin_time_seconds(Number) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value forrekey_fuzz_percentage. Valid value is between60and half ofphase2_lifetime_seconds. Defaults to540.replay_window_size(Number) The number of packets in an IKE replay window for the VPN tunnel(s). Valid value is between64and2048. Defaults to1024.startup_action(String) The action to take when the establishing the tunnel(s) for the VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values areadd | start. Defaults toadd.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod.tunnels.logging
Optional:
enabled(Boolean) If true, enables VPN tunnel logging feature. Defaults totrue.format(String) Set log format. Possible values are:json | text. Defaults tojson.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod.tunnels.phase1
Optional:
dh_group_numbers(List of Number) List of one or more Diffie-Hellman group numbers that are permitted for the VPN tunnel(s) for phase 1 IKE negotiations. Valid values are2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Defaults to[14].encryption_algorithms(List of String) List of one or more encryption algorithms that are permitted for the first VPN tunnel(s) for phase 1 IKE negotiations. Valid values areAES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. Defaults to["AES256-GCM-16"].integrity_algorithms(List of String) List of one or more integrity algorithms that are permitted for the VPN tunnel(s) for phase 1 IKE negotiations. Valid values areSHA1 | SHA2-256 | SHA2-384 | SHA2-512. Defaults to["SHA2-256"].lifetime_seconds(Number) The lifetime for phase 1 of the IKE negotiation for the VPN tunnel(s), in seconds. Valid value is between900and28800. Defaults to28800.
Nested Schema for configuration.accounts.network.vpn.s2s.connections.nonprod.tunnels.phase2
Optional:
dh_group_numbers(List of Number) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Defaults to[14].encryption_algorithms(List of String) List of one or more encryption algorithms that are permitted for the first VPN tunnel(s) for phase 2 IKE negotiations. Valid values areAES128 | AES256 | AES128-GCM-16 | AES256-GCM-16. Defaults to["AES256"].integrity_algorithms(List of String) List of one or more integrity algorithms that are permitted for the VPN tunnel(s) for phase 2 IKE negotiations. Valid values areSHA1 | SHA2-256 | SHA2-384 | SHA2-512. Defaults to["SHA2-256"].lifetime_seconds(Number) The lifetime for phase 1 of the IKE negotiation for the VPN tunnel(s), in seconds. Valid value is between900and3600. Defaults to3600.
Nested Schema for configuration.accounts.network.vpn.s2s.gateway_attachment
Optional:
transit(Attributes) Attaches the VPN connection(s) to a Transit Gateway. Centralized network architecture and transit gateway setup MUST be enabled. It suports with or without direct connect setup. For more details about these architectures, see AWS Transit Gateway + AWS Site-to-Site VPN or AWS Direct Connect + AWS Transit Gateway + AWS Site-to-Site VPN. (see below for nested schema)virtual_private(Attributes) Attaches the VPN connection(s) to a Virtual Private Gateway. Distributed network architecture MUST be enabled. It suports with or without direct connect setup. For more details about these architectures, see AWS Site-to-Site VPN or AWS Direct Connect + AWS Site-to-Site VPN. (see below for nested schema)
Nested Schema for configuration.accounts.network.vpn.s2s.gateway_attachment.transit
Required:
enabled(Boolean) If true, attaches the VPN connection(s) to the Transit Gateway.
Optional:
enable_acceleration(Boolean) Indicate whether to enable acceleration for the VPN connection attached to the TGW.tunnel_inside_ip_version(String) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values areipv4 | ipv6. Defaults toipv4.
Nested Schema for configuration.accounts.network.vpn.s2s.gateway_attachment.virtual_private
Required:
enabled(Boolean) If true, attaches the VPN connection(s) to the Virtual Private gateway in the ingress VPC.
Nested Schema for configuration.accounts.network.vpn.s2s.customer_gateway
Optional:
aws_side_asn(Number) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is64512to65534for 16-bit ASNs and4200000000to4294967294for 32-bit ASNs. Changing the value will force creation of a new customer gateway resource. Each customer gateway provided will be assigned an asn by incrementing this number by 1 up to the total gateways specified in themax_connections_per_region. Defaults to65000.
Read-Only:
max_connections_per_region(Number) The maximum number of AWS Customer Gateways that can be created in a region. This is used to calculate the aws_side_asn for other regions. Changing this value after create will cause the AWS Customer Gateway ASN numbers to change which will force new resource(s) (the customer gateway and any dependent resource like VPN connection) to be created. Defaults to50.
Nested Schema for configuration.accounts.network.vpn.s2s.direct_connect
Required:
enabled(Boolean) If true, creates the VPN connection(s) over Direct Connect.
Optional:
outside_ip_address_type(String) Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values arePrivateIpv4|PublicIpv4. Defaults toPublicIpv4.
Nested Schema for configuration.accounts.shared_services
Required:
alternate_contacts(Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)aws_account_close_on_delete(Boolean) Iftrue, this will close the AWS account on resource deletion, beginning the 90-day suspension period. Otherwise, the account will just be unenrolled from Control Tower.primary_contact(Attributes) Configuration of AWS Account primary contact. (see below for nested schema)
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)backup(Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)budgets(Attributes List) A list of budget objects. (see below for nested schema)config(Attributes) AWS Config Conformance Packs Rules deployed for this AWS account only. (see below for nested schema)directory_service(Attributes) AWS Directory Service configuration settings for the Organization. When enabled, provide directory parameters forADConnector | MicrosoftAD | SimpleAD. (see below for nested schema)ebs_encryption_by_default(Boolean) Whether or not default EBS encryption is enabled. Defaults totrue.s3_account_public_access_block(Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with this AWS account. The object name MUST be unique across this account and any OU level definitions. (see below for nested schema)systems_manager(Attributes) Configuration settings for AWS Systems Manager. Defaults to below object. (see below for nested schema)vpc(Attributes) Configuration for the account VPC. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.alternate_contacts
Required:
email(String) An email address for the alternate contact.name(String) Name of the alternate contact.phone(String) Phone number for the alternate contact.title(String) Title for the alternate contact.
Nested Schema for configuration.accounts.shared_services.primary_contact
Required:
address_line_1(String) The first line of the primary contact address.city(String) The city of the primary contact address.country_code(String) The ISO-3166 two-letter country code for the primary contact address.full_name(String) The full name of the primary contact address.phone(String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.postal_code(String) The postal code of the primary contact address.
Optional:
address_line_2(String) The second line of the primary contact address, if any.address_line_3(String) The third line of the primary contact address, if any.company_name(String) The name of the company associated with the primary contact information, if any.district_or_county(String) The district or county of the primary contact address, if any.state_or_region(String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example,NJ) or the full state name (for example,New Jersey). This field is required in the following countries:US, CA, GB, DE, JP, IN, and BR.website_url(String) The URL of the website associated with the primary contact information, if any.
Nested Schema for configuration.accounts.shared_services.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.accounts.shared_services.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.accounts.shared_services.backup
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)restore_testing(Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.shared_services.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.shared_services.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.shared_services.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.accounts.shared_services.backup.restore_testing
Optional:
enabled(Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults totrue.protected_resource_selection_tags(Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)protected_resource_selection_types(List of String) The type of AWS resource included in a restore testing selection.recovery_point_selection(Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis in UTC. You can modify this to a specified timezone.
Nested Schema for configuration.accounts.shared_services.backup.restore_testing.protected_resource_selection_tags
Optional:
tag_key(String) The selection tag key. Defaults toRestoreTestingEnabled.tag_value(String) The selection tag value. Defaults totrue.
Nested Schema for configuration.accounts.shared_services.backup.restore_testing.recovery_point_selection
Optional:
algorithm(String) Acceptable values includeLATEST_WITHIN_WINDOWorRANDOM_WITHIN_WINDOW.recovery_point_types(List of String) Acceptable values includeCONTINUOUSandSNAPSHOT.selection_window_days(Number) Accepted values are integers from 1 to 365.
Nested Schema for configuration.accounts.shared_services.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Warning
Changing this value causes the backup vault to be re-created.
CANNOT be changed after creation without destroying the backup vault and its data.
Nested Schema for configuration.accounts.shared_services.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.accounts.shared_services.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.accounts.shared_services.budgets
Required:
name(String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.time_unit(String) The length of time until a budget resets the actual and forecasted spend. Valid values are:MONTHLY | QUARTERLY | ANNUALLY | DAILY.type(String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.
Optional:
auto_adjust_data(Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)cost_filters(Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)cost_types(List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].limit(Attributes) Object containing budget limit. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)notifications(Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)planned_limits(Attributes List) Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation. Only one oflimitandplanned_limitsMUST be defined. (see below for nested schema)tags(Map of String) Map of tags assigned to the resource.time_period(Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to06/15/87 00:00 UTC. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.budgets.auto_adjust_data
Required:
auto_adjust_type(String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.
Optional:
historical_options(Attributes) The string that defines whether your budget auto-adjusts based on historical or forecasted data. See further details in AWS Documentation. (see below for nested schema)last_auto_adjust_time(String) The last time that your budget was auto-adjusted. MUST be in timestamp format.
Nested Schema for configuration.accounts.shared_services.budgets.auto_adjust_data.historical_options
Required:
budget_adjustment_period(Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.
Optional:
lookback_available_periods(Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from thebudget_adjustment_periodand your historical cost data.
Nested Schema for configuration.accounts.shared_services.budgets.cost_filters
Required:
name(String) The name of the cost filter. Valid values are:AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.values(List of String) The list of values used for filtering.
Nested Schema for configuration.accounts.shared_services.budgets.limit
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.shared_services.budgets.notifications
Required:
comparison_operator(String) Comparison operator to use to evaluate the condition. Valid values are:EQUAL_TO | GREATER_THAN | LESS_THAN.email_addresses(List of String) Lost of email addresses to notify.threshold(String) Threshold when the notification should be sent.threshold_type(String) What kind of threshold is defined. Valid values are:ABSOLUTE_VALUE | PERCENTAGE.type(String) Comparison operator to use to evaluate the condition. Valid values are:ACTUAL | FORECASTED.
Nested Schema for configuration.accounts.shared_services.budgets.planned_limits
Required:
amount(String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.start_time(String) The start time of the budget limit. Format:2017-01-01_12:00.unit(String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
Nested Schema for configuration.accounts.shared_services.budgets.time_period
Optional:
end(String) The end of the time period covered by the budget. Format:2017-01-01_12:00.start(String) The start of the time period covered by the budget. Format:2017-01-01_12:00.
Nested Schema for configuration.accounts.shared_services.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.shared_services.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.accounts.shared_services.directory_service
Required:
enabled(Boolean) If true, enable AWS Directory Service and deploy one or more directories.
Optional:
ad_connector(Attributes) Parameters for deploying AWS AD Connector directory. (see below for nested schema)tags(Map of String) A map of tags to assign to the AWS Directory Service resources.
Nested Schema for configuration.accounts.shared_services.directory_service.ad_connector
Required:
aws_secrets_manager_secret_name(String) The AWS Secrets Manager Secret Name previously created in the shared services account and containing the required credentials for AD Connector to work. The secret MUST be JSON encoded and contain at least the service_account key and it's user_name/user_password attributes. If radius is enabled, it needs to have a radius key containing the secret. The secret name can contain ASCII letters, numbers, and the following characters:/_+=.@-. Example:{"radius":null,"service_account":{"user_name":null,"user_password":null}}dns_server_ips(List of String) The DNS IP addresses of the domain to connect to.name(String) The fully qualified name for the directory, such as corp.example.com.
Optional:
description(String) A textual description for the directory.radius_settings(Attributes) Manages a directory's multi-factor authentication (MFA) using a Remote Authentication Dial In User Service (RADIUS) server. (see below for nested schema)size(String) The size of the directory. Valid values:Large | Small. Defaults toSmall.
Nested Schema for configuration.accounts.shared_services.directory_service.ad_connector.radius_settings
Required:
display_label(String) Display label.port(Number) The port that your RADIUS server is using for communications. Your radius server and the network path to it MUST allow inbound traffic over this port from the AWS Directory Service servers.retries(Number) The maximum number of times that communication with the RADIUS server is attempted.servers(List of String) An array of strings that contains the fully qualified domain name (FQDN) or IP addresses of the RADIUS server endpoints, or the FQDN or IP addresses of your RADIUS server load balancer.timeout(Number) The amount of time, in seconds, to wait for the RADIUS server to respond.
Optional:
authentication_protocol(String) The protocol specified for your RADIUS endpoints. Valid values:CHAP | MS-CHAPv1 | MS-CHAPv2 | PAP.
Nested Schema for configuration.accounts.shared_services.s3_account_public_access_block
Optional:
block_public_acls(Boolean) Optional) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.block_public_policy(Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults totrue.ignore_public_acls(Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.restrict_public_buckets(Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.
Nested Schema for configuration.accounts.shared_services.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.accounts.shared_services.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.shared_services.systems_manager
Optional:
quick_setup(Attributes) AWS Systems Manager QuickSetup configuration settings for the Organization. Defaults to below object. (see below for nested schema)session_preferences(Attributes) Preferences for AWS Systems Manager Session Manager. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup
Optional:
enabled(Boolean) If true, the AWS Systems Manager QuickSetup Integrated Systems Manager console for the Organization will be deployed. Defaults totrue.ops_center(Attributes) AWS Systems Manager QuickSetup Ops Center settings for the Organization. Supports the following configurations:- Delegated administrator account.
Defaults to (see below for nested schema)
- Delegated administrator account.
patch_policy(Attributes) AWS Systems Manager QuickSetup Patch Policy settings for the Organization. Supports the following configurations:- Scan for missing patches.
- Update nodes based on default patch baselines.
- Patching log output.
- Nodes: All managed nodes.
- The number or percentage of nodes to run the patch policy on at the same time.
- The number or percentage of nodes to permit errors on before the patch policy fails.
- IAM permissions for instance management and patching using Systems Manager.
Defaults to (see below for nested schema)
resource_scheduler(Attributes) AWS Systems Manager QuickSetup Resource Schedule settings for the Organization. Supports the following configurations:- Target all instances with provider tag pair.
- Targeted instances will be started and stopped as per provided schedule.
Defaults to (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.ops_center
Optional:
enabled(Boolean) If true, the AWS Systems Manager QuickSetup Ops Center will be deployed. Defaults tofalse.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy
Optional:
enabled(Boolean) If true, the AWS Systems Manager QuickSetup Patch Policies will be deployed as defined in the OUs/Accounts input. Defaults totrue.policies(Attributes List) Systems Manager patch policies associated with with this AWS account. (see below for nested schema)s3_log_enabled(Boolean) If true, the command output logs are sent to Amazon S3. Defaults totrue.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.patch_policy.policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.resource_scheduler
Optional:
enabled(Boolean) If true, the AWS Systems Manager QuickSetup Resource Scheduler will be deployed as defined in the OUs/Accounts input. Defaults totrue.schedules(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.resource_scheduler.schedules
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.resource_scheduler.schedules.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.resource_scheduler.schedules.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.accounts.shared_services.systems_manager.quick_setup.resource_scheduler.schedules.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.accounts.shared_services.systems_manager.session_preferences
Optional:
encryption(Boolean) If true, encrypt Session Manager session data. Defaults totrue.idle_session_timeout(Number) The amount of time to allow a user to be inactive before the system ends a session. You can modify this setting to specify that a session times out between1and60minutes of inactivity. Defaults to15.logging(Attributes) Configure session logging destinations. (see below for nested schema)max_session_duration(Number) The maximum duration of a session before it ends. The value you specify for maximum session duration must be between1and1,440minutes. Defaults to480minutes.run_as(Attributes) Turn on Run As support for Linux and macOS managed nodes. If you choose, you can authenticate sessions using the credentials of an operating system (OS) user account, or a domain user for instances joined to an Active Directory. (see below for nested schema)shell_profile(Attributes) By allowing configurable shell profiles, you can customize preferences within sessions such as shell preferences, environment variables, working directories, and running multiple commands when a session is started. For more details check AWS Documentation. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.systems_manager.session_preferences.logging
Optional:
cloudwatch(Boolean) If true, send session logs to CloudWatch Logs in the local account. Defaults totrue.
Read-Only:
s3(Boolean) Send session logs to S3 bucket in log archive account. This is alwaystrueand CANNOT be changed.
Nested Schema for configuration.accounts.shared_services.systems_manager.session_preferences.run_as
Required:
enabled(Boolean) If true, Run As support for Linux and macOS managed nodes will be turned on.
Optional:
default_user(String) The name of the OS user account that you want to use to start sessions. Using this option, all sessions are run by the same OS user for all users in your AWS account who connect using Session Manager.
Nested Schema for configuration.accounts.shared_services.systems_manager.session_preferences.shell_profile
Optional:
linux(String) Specify the environment variables, shell preferences, or commands you want to run when your session starts, formated as a string, where each command is separated by;or here doc properly escapped. Defaults totimestamp=$(date '+%Y-%m-%dT%H:%M:%SZ');user=$(whoami);echo $timestamp && echo "Welcome $user"'!' && echo "Note that all session activity is being logged.".windows(String) Specify the environment variables, shell preferences, or commands you want to run when your session starts, formated as a string, where each command is separated by;or here doc properly escapped. Defaults to$timestamp = (Get-Date).ToString("yyyy-MM-ddTH:mm:ssZ");$splitName = (whoami).Split("\");$user = $splitName[1];Write-Host $timestamp;Write-Host "Welcome $user!";Write-Host "Note that all session activity is being logged.".
Nested Schema for configuration.accounts.shared_services.vpc
Optional:
deployment_architecture(Attributes) Network deployment architecture specific to this acocunt. This is used in combination with the organizationnetwork_deployment_architecturesattribute. (see below for nested schema)enable_dns_hostnames(Boolean) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults totrue.enable_dns_support(Boolean) A boolean flag to enable/disable DNS support in the VPC. Defaults totrue.enabled(Boolean) A boolean flag to enable/disable the VPC. Defaults totrue.instance_tenancy(String) A tenancy option for instances launched into the VPC. Default isdefault, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option isdedicated, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.network_firewall(Attributes) Configuration settings for AWS Network Firewall service. MUST be deployed only if the VPC template supports distributed architecture. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.vpc.deployment_architecture
Optional:
egress_enabled(Boolean) If true, enables account local egress access to internet. Defaults tofalse.ingress_enabled(Boolean) If true, enables account local ingress access from internet. Defaults tofalse.private_endpoints(Attributes) Configuration for AWS Services that support private endpoints configuration in the VPC. The subnet where these private endpoints are created is predetermined by the selected VPC template. For standard it will use app_tier subnet. For web_tier_only it will use the only available subnet. (see below for nested schema)template(String) The VPC template determines what nacls, routing tables, routes and subnets are going to be created in the VPC. Defaults tostandard. Possible values are:standard_centralized: Creates 2 tier subnets (private app_tier, private data_tier) with centralized public web_tier running in network account accessed using centralized Transit Gateway deployment. The minimum network mask for the VPC MUST be/24.standard_centralized_and_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support centralized Transit Gateway deployment and 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/23.standard_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/24.web_tier_centralized_and_distributed: Create 1 public web_tier subnet with 1 extra subnet to support centralized Transit Gateway deployment and 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/24.web_tier_distributed: Create 1 public web_tier subnet with 1 extra subnet to support distributed deployment with account firewall. The minimum network mask for the VPC MUST be/25.
Warning
Changing this value causes the VPC to be re-created.
CANNOT be changed after creation without destroying everything running on top of the VPC first.
Nested Schema for configuration.accounts.shared_services.vpc.deployment_architecture.private_endpoints
Optional:
enabled(Boolean) If true, enables account local private endpoints for supported services. Defaults tofalse.gateway_services(List of String) List of AWS services to create private endpoints of type gateway in the local account private endpoints VPC. For more details see AWS documentation. Valid values are:dynamodb | s3.interface_services(List of String) List of AWS services to create private endpoints of type interface in the local/network account private endpoints VPC. The service name is derived from this ![aws-services-privatelink-support]https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html, by taking the service name after the region part. Valid values are:[access-analyzer account acm-pca airflow.api api-fips env env-fips ops analytics-omics appconfig appconfigdata appmesh appmesh-envoy-management apprunner apprunner.requests applicationinsights application-autoscaling application-signals appstream.api appstream.streaming app-integrations apptest aps aps-workspaces arsenal-discovery athena auditmanager autoscaling autoscaling-plans awsconnector b2bi backup backup-gateway batch bcm-data-exports bedrock bedrock-agent bedrock-agent-runtime bedrock-runtime billing billingconductor braket cassandra cassandra-fips cases ce cleanrooms cleanrooms-ml cloudcontrolapi cloudcontrolapi-fips clouddirectory cloudformation cloudhsmv2 cloudtrail codeartifact.api codeartifact.repositories codebuild codebuild-fips codecommit codecommit-fips codeconnections.api codedeploy codedeploy-commands-secure codeguru-profiler codeguru-reviewer codepipeline codestar-connections.api codewhisperer comprehend comprehendmedical compute-optimizer config connect-campaigns console controlcatalog control-storage-omics cost-optimization-hub databrew dataexchange datasync data-servicediscovery data-servicediscovery-fips deadline.management deadline.scheduling deviceadvisor.iot devops-guru dicom-medical-imaging discovery dms dms-fips drs ds ds-data dynamodb dynamodb-fips ebs ec2 ec2messages ec2-fips ecr.api ecr.dkr ecs ecs-agent ecs-telemetry eks eks-auth elasticbeanstalk elasticbeanstalk-health elasticfilesystem elasticfilesystem-fips elasticloadbalancing elasticache elasticache-fips elasticmapreduce email-smtp emr-containers emr-serverless emr-serverless-services.livy emrwal.prod entityresolution events evidently evidently-dataplane execute-api experiments finspace finspace-api fis forecast forecast-fips forecastquery forecastquery-fips frauddetector freetier fsx fsx-fips git-codecommit git-codecommit-fips glue glue.dashboard grafana grafana-workspace greengrass groundstation guardduty guardduty-data guardduty-data-fips guardduty-fips healthlake iam identitystore imagebuilder inspector2 inspector-scan internetmonitor internetmonitor-fips iotfleetwise iotroborunner iotsitewise.api iotsitewise.data iottwinmaker.api iottwinmaker.data iotwireless.api iot.data iot.credentials iot.fleethub.api kafka kafka-fips kendra kendra-ranking kinesis-firehose kinesis-streams kinesis-streams-fips kms kms-fips lakeformation lambda launchwizard license-manager license-manager-fips license-manager-linux-subscriptions license-manager-linux-subscriptions-fips license-manager-user-subscriptions lightsail logs lookoutequipment lookoutmetrics lookoutvision lorawan.cups lorawan.lns m2 macie2 managedblockchain-query managedblockchain.bitcoin.mainnet managedblockchain.bitcoin.testnet mediaconnect medical-imaging memory-db memorydb-fips migrationhub-orchestrator migrationhub-strategy mgn models-v2-lex monitoring mq neptune-graph neptune-graph-data neptune-graph-fips network-firewall network-firewall-fips networkflowmonitor networkflowmonitorreports networkmonitor notebook observabilityadmin organizations organizations-fips outposts panorama partner-app payment-cryptography.controlplane payment-cryptography.dataplane pca-connector-ad pca-connector-scep pcs pcs-fips personalize personalize-events personalize-runtime pi pi-fips pinpoint pinpoint-sms-voice-v2 pipes pipes-data pipes-fips polly pricing.api private-networks profile proton q qapps qbusiness qldb.session quicksight-website ram rbin refactor-spaces rds rds-data redshift redshift-fips redshift-serverless redshift-serverless-fips redshift-data redshift-data-fips rekognition rekognition-fips repostspace resource-groups resource-groups-fips robomaker rolesanywhere rum rum-dataplane runtime-medical-imaging runtime-v2-lex s3 s3tables s3-global.accesspoint s3-outposts sagemaker.api sagemaker-data-science-assistant sagemaker.api-fips sagemaker.featurestore-runtime sagemaker.metrics sagemaker.runtime sagemaker.runtime-fips savingsplans schemas scn secretsmanager securityhub securitylake securitylake-fips serverlessrepo servicecatalog servicecatalog-appregistry servicediscovery servicediscovery-fips service.user-subscriptions signin simspaceweaver snow-device-management sns social-messaging sqs ssm ssm-contacts ssm-incidents ssm-quicksetup ssmmessages states storagegateway storage-omics streaming-rekognition streaming-rekognition-fips sts studio swf swf-fips sync-states synthetics synthetics-fips tagging tags-omics tax textract textract-fips thinclient.api timestream.ingest-cell timestream.query-cell timestream-influxdb timestream-influxdb-fips tnb transcribe transcribestreaming transfer transfer.server translate trustedadvisor verifiedpermissions voiceid vpc-lattice wellarchitected wisdom workflows-omics workmail workspaces workspaces-web workspaces-web-fips xray].
Nested Schema for configuration.accounts.shared_services.vpc.network_firewall
Required:
enabled(Boolean) If true, creates AWS Network Firewalls in each AZ.
Optional:
vendor(Attributes) The vendor of the network firewall and it's associated settings. Defaults toaws. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.vpc.network_firewall.vendor
Optional:
aws(Attributes) Settings for AWS Network Firewall. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.vpc.network_firewall.vendor.aws
Optional:
managed_rule_groups(Attributes) Settings for AWS Managed Rule Groups. (see below for nested schema)
Nested Schema for configuration.accounts.shared_services.vpc.network_firewall.vendor.aws.managed_rule_groups
Optional:
domain_lists(List of String) AWS Network Firewall managed domain and IP rule groups block HTTP/HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets.threat_signatures(List of String) AWS Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection and to enforce fair use policies as well as guard against emerging threats.
Nested Schema for configuration.organization
Required:
backup(Attributes) AWS Backup configuration settings for the AWS Organization. (see below for nested schema)
Optional:
compute_optimizer(Attributes) Manages AWS Compute Optimizer enrollment for AWS Organization. Defaults to below object (see below for nested schema)config(Attributes) AWS Config Conformance Packs and Rules deployed at AWS organization level, for all accounts in the organization. (see below for nested schema)controltower(Attributes) Settings for Controltower Landing Zone. (see below for nested schema)cost_optimization_hub(Attributes) Manages AWS Cost Optimization Hub enrollment for AWS Organization. Defaults to below object (see below for nested schema)network_deployment_architectures(Attributes) Network deployment architectures for the AWS organization. The centralized patterns will determine what resources are created in the network account and how AWS organization accounts and their VPC will interact with the network account VPC. The distributed patterns, if enabled, could be used in an account VPC part of the AWS organization. (see below for nested schema)password_policy(Attributes) Manages Password Policy for the AWS Account. (see below for nested schema)policy_types(List of String) The policy type that you want to enable. You can specify one of the following values:AISERVICES_OPT_OUT_POLICY,BACKUP_POLICY,TAG_POLICY. TheSERVICE_CONTROL_POLICYis enabled by AWS Control Tower and cannot be disabled by this resource. Defaults toBACKUP_POLICY.private_certificate_authority(Attributes) AWS Private Certificate Authority hierarchy deployed at AWS organization level, for all accounts in the organization. (see below for nested schema)reuse_existing(Attributes) Reuse existing AWS Organizations and AWS Identity Center enabled in the provided management account. The AWS Organization must have ALL enabled features and the AWS Identity Center MUST be integrated with the organization. (see below for nested schema)
Nested Schema for configuration.organization.backup
Required:
enabled(Boolean) If true, will create Backup Vault in the Shared Services account that will be used for a centralized copy of each local backup vault.
Optional:
policies(Attributes) Configuration settings for built-in backup policies. (see below for nested schema)report_plan_templates(List of String) Backup Report Plan Templates.vault_lock(Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)vault_notifications(Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)
Nested Schema for configuration.organization.backup.policies
Optional:
daily(Attributes) Built-in daily backup policy. (see below for nested schema)monthly(Attributes) Built-in monthly backup policy. (see below for nested schema)weekly(Attributes) Built-in weekly backup policy. (see below for nested schema)yearly(Attributes) Built-in yearly backup policy. (see below for nested schema)
Nested Schema for configuration.organization.backup.policies.daily
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis inUTC. This CANNOT be modified at this stage.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.organization.backup.policies.monthly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis inUTC. This CANNOT be modified at this stage.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.organization.backup.policies.weekly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis inUTC. This CANNOT be modified at this stage.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.organization.backup.policies.yearly
Optional:
backup_complete_window_minutes(Number) A value in minutes after a backup job is successfully started before it must be completed or it will be canceled by AWS Backup. Defaults to1day.backup_start_window_minutes(Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to60minutes.copy_to_region(String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in theregionsattribute.delete_after_days(Number) Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater thanmove_to_cold_storage_after_days.move_to_cold_storage_after_days(Number) Specifies the number of days after creation that a recovery point is moved to cold storage.opt_in_to_archive_for_supported_resources(Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.schedule_expression(String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.schedule_expression_timezone(String) This is the timezone in which the schedule expression is set. By default,schedule_expressionis inUTC. This CANNOT be modified at this stage.selection_tag(String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST betrue.
Nested Schema for configuration.organization.backup.vault_lock
Optional:
changeable_for_days(Number) The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.max_retention_days(Number) The maximum retention period that the vault retains its recovery points. Defaults to90.min_retention_days(Number) The minimum retention period that the vault retains its recovery points. Defaults to1.
Nested Schema for configuration.organization.backup.vault_notifications
Required:
recipients(Attributes) The recipients of the specified Backup Vault events. (see below for nested schema)
Optional:
events(List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.filter_policy(String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
Nested Schema for configuration.organization.backup.vault_notifications.recipients
Optional:
email(List of String) List of email addresses.
Nested Schema for configuration.organization.compute_optimizer
Optional:
enabled(Boolean) If true, enables AWS Compute Optimizer for all accounts in the AWS Organization. Defaults totruepreferences(Attributes Map) AWS Compute Optimizer recommendation preferences for each resource type defined as the map keys. Valid keys are:auto_scaling_group | ec2_instance | rds_instance. (see below for nested schema)
Nested Schema for configuration.organization.compute_optimizer.preferences
Optional:
enhanced_infrastructure_metrics(String) The status of the enhanced infrastructure metrics recommendation preference. Valid values are:Active | Inactive.external_metrics_preference(Attributes) The provider of the external metrics recommendation preference. (see below for nested schema)inferred_workload_types(String) The status of the inferred workload types recommendation preference. Valid values are:Active | Inactive.look_back_period(String) The preference to control the number of days the utilization metrics of the AWS resource are analyzed. Valid values are:DAYS_14 | DAYS_32 | DAYS_93.preferred_resource(Attributes) The preference to control which resource type values are considered when generating rightsizing recommendations. (see below for nested schema)savings_estimation_mode(String) The status of the savings estimation mode preference. Valid values are:AfterDiscounts | BeforeDiscounts.utilization_preferences(Attributes List) The preference to control the resource's CPU utilization threshold, CPU utilization headroom, and memory utilization headroom. (see below for nested schema)
Nested Schema for configuration.organization.compute_optimizer.preferences.external_metrics_preference
Required:
source(String) The source options for external metrics preferences. Valid values are:Datadog | Dynatrace | Instana | NewRelic.
Nested Schema for configuration.organization.compute_optimizer.preferences.preferred_resource
Required:
name(String) The type of preferred resource to customize. Valid values are:Ec2InstanceTypes.
Optional:
exclude_list(List of String) The preferred resource type values to exclude from the recommendation candidates. If this isn't specified, all supported resources are included by default.include_list(List of String) The preferred resource type values to include in the recommendation candidates. You can specify the exact resource type value, such as "m5.large", or use wild card expressions, such as "m5". If this isn't specified, all supported resources are included by default.
Nested Schema for configuration.organization.compute_optimizer.preferences.utilization_preferences
Required:
metric_name(String) The name of the resource utilization metric name to customize. Valid values are:CpuUtilization | MemoryUtilization.metric_parameters(Attributes) The parameters to set when customizing the resource utilization thresholds. (see below for nested schema)
Nested Schema for configuration.organization.compute_optimizer.preferences.utilization_preferences.metric_parameters
Required:
headroom(String) The headroom value in percentage used for the specified metric parameter. Valid values are:PERCENT_0 | PERCENT_10 | PERCENT_20 | PERCENT_30.
Optional:
threshold(String) The threshold value used for the specified metric parameter. You can only specify the threshold value forCpuUtilization. Valid values are:P90 | P95 | P99_5.
Nested Schema for configuration.organization.config
Optional:
conformance_packs(Attributes) This resource configures the AWS Config Conformance packs provided by AWS here. Please read the AWS guidance before deploying. (see below for nested schema)
Nested Schema for configuration.organization.config.conformance_packs
Optional:
operational(Attributes Map) AWS Config Conformance Packs for Operational Best Practices. Possible values for the key of the map are:abs_ccigv2_material: Operational Best Practices for ABS CCIGv2 Material Conformance Pack. See more details about this pack in AWS documentation.abs_ccigv2_standard: Operational Best Practices for ABS CCIGv2 Standard Conformance Pack. See more details about this pack in AWS documentation.acsc_essential8: Operational Best Practices for ACSC Essential 8 Conformance Pack. See more details about this pack in AWS documentation.acsc_ism: Operational Best Practices for ACSC ISM Conformance Pack. See more details about this pack in AWS documentation.ai_and_ml: Operational Best Practices for AI and ML Conformance Pack. See more details about this pack in AWS documentation.api_gateway: Operational Best Practices for Amazon API Gateway Conformance Pack. See more details about this pack in AWS documentation.apra_cpg_234: Operational Best Practices for APRA CPG 234 Conformance Pack. See more details about this pack in AWS documentation.asset_management: Operational Best Practices for Asset Management Conformance Pack. See more details about this pack in AWS documentation.backup: Operational Best Practices for AWS Backup Conformance Pack. See more details about this pack in AWS documentation.bcp_and_dr: Operational Best Practices for BCP and DR Conformance Pack. See more details about this pack in AWS documentation.bnm_rmit: Operational Best Practices for BNM RMiT Conformance Pack. See more details about this pack in AWS documentation.cccs_medium: Operational Best Practices for Canadian Centre for Cyber Security (CCCS) Medium Cloud Control Profile Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_high: Operational Best Practices for Esquema Nacional de Seguridad (ENS) High Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_low: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Low Conformance Pack. See more details about this pack in AWS documentation.ccn_ens_medium: Operational Best Practices for Esquema Nacional de Seguridad (ENS) Medium Conformance Pack. See more details about this pack in AWS documentation.cis: Operational Best Practices for CIS Conformance Pack. See more details about this pack in AWS sample.cis_aws_v1_4_level1: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cis_aws_v1_4_level2: Operational Best Practices for CIS AWS Foundations Benchmark v1.4 Level 2 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig1: Operational Best Practices for CIS Critical Security Controls v8 IG1 Conformance Pack. See more details about this pack in AWS documentation.cis_critical_security_controls_v8_ig2: Operational Best Practices for CIS Critical Security Controls v8 IG2 Conformance Pack. See more details about this pack in AWS documentationcis_critical_security_controls_v8_ig3: Operational Best Practices for CIS Critical Security Controls v8 IG3 Conformance Pack. See more details about this pack in AWS documentation.cis_top20: Operational Best Practices for CIS Top 20 Conformance Pack. See more details about this pack in AWS documentation.cisa_cyber_essentials: Operational Best Practices for CISA Cyber Essentials Conformance Pack. See more details about this pack in AWS documentation.cjis: Operational Best Practices for Criminal Justice Information Services (CJIS) Conformance Pack. See more details about this pack in AWS documentation.cloudwatch: Operational Best Practices for Amazon CloudWatch Conformance Pack. See more details about this pack in AWS documentation.cmmc_level1: Operational Best Practices for CMMC Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level2: Operational Best Practices for CMMC Level 2 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level3: Operational Best Practices for CMMC Level 3 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level4: Operational Best Practices for CMMC Level 4 Conformance Pack. See more details about this pack in AWS documentation.cmmc_level5: Operational Best Practices for CMMC Level 5 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level1: Operational Best Practices for CMMC 2.0 Level 1 Conformance Pack. See more details about this pack in AWS documentation.cmmc_2_0_level2: Operational Best Practices for CMMC 2.0 Level 2 Conformance Pack. See more details about this pack in AWS documentation.compute_services: Operational Best Practices for Compute Services Conformance Pack. See more details about this pack in AWS documentation.data_resiliency: Operational Best Practices for Data Resiliency Conformance Pack. See more details about this pack in AWS documentation.database_services: Operational Best Practices for Databases Services Conformance Pack. See more details about this pack in AWS documentation.datalakes_and_analytics_services: Operational Best Practices for Data Lakes and Analytics Services Conformance Pack. See more details about this pack in AWS documentation.devops: Operational Best Practices for DevOps Conformance Pack. See more details about this pack in AWS documentation.dynamodb: Operational Best Practices for Amazon DynamoDB Conformance Pack. See more details about this pack in AWS documentation.ec2: Operational Best Practices for EC2 Conformance Pack. See more details about this pack in AWS documentation.encryption_and_keys: Operational Best Practices for Encryption and Key Management Conformance Pack. See more details about this pack in AWS documentation.enisa_cybersecurity_guide: Operational Best Practices for ENISA Cybersecurity guide for SMEs Conformance Pack. See more details about this pack in AWS documentation.fda_21cfr_part_11: Operational Best Practices for FDA Title 21 CFR Part 11 Conformance Pack. See more details about this pack in AWS documentationfedramp_highpart1: Operational Best Practices for FedRAMP (High Part 1) Conformance Pack. See more details about this pack in AWS documentation.fedramp_highpart2: Operational Best Practices for FedRAMP (High Part 2) Conformance Pack. See more details about this pack in AWS documentation.fedramp_low: Operational Best Practices for FedRAMP(Low) Conformance Pack. See more details about this pack in AWS documentation.fedramp_moderate: Operational Best Practices for FedRAMP(Moderate) Conformance Pack. See more details about this pack in AWS documentation.ffiec: Operational Best Practices for FFIEC Conformance Pack. See more details about this pack in AWS documentation.germany_c5: Operational Best Practices for Germany Cloud Computing Compliance Criteria Catalog (C5) Conformance Pack. See more details about this pack in AWS documentation.glba: Operational Best Practices for Gramm Leach Bliley Act (GLBA) Conformance Pack. See more details about this pack in AWS documentation.gxp_eu_annex_11: Operational Best Practices for GxP EU Annex 11 Conformance Pack. See more details about this pack in AWS documentation.hipaa_security: Operational Best Practices for HIPAA Security Conformance Pack. See more details about this pack in AWS documentation.iam: Operational Best Practices for AWS Identity And Access Management Conformance Pack. See more details about this pack in AWS documentation.irs_1075: Operational Best Practices for IRS 1075 Conformance Pack. See more details about this pack in AWS documentation.kisms: Operational Best Practices for K-ISMS Conformance Pack. See more details about this pack in AWS documentation.load_balancing: Operational Best Practices for Load Balancing Conformance Pack. See more details about this pack in AWS documentation.logging: Operational Best Practices for Logging Conformance Pack. See more details about this pack in AWS documentation.management_governance_services: Operational Best Practices for Management and Governance Services Conformance Pack. See more details about this pack in AWS documentation.mas_notice_655: Operational Best Practices for MAS Notice 655 Conformance Pack. See more details about this pack in AWS documentation.mas_trmg: Operational Best Practices for MAS TRMG Conformance Pack. See more details about this pack in AWS documentation.monitoring: Operational Best Practices for Monitoring Conformance Pack. See more details about this pack in AWS documentation.nbc_trmg: Operational Best Practices for NBC TRMG Conformance Pack. See more details about this pack in AWS documentation.ncsc_caf: Operational Best Practices for NCSC Cyber Assesment Framework Conformance Pack. See more details about this pack in AWS documentation.ncsc_cloudsec_principles: Operational Best Practices for NCSC Cloud Security Principles Conformance Pack. See more details about this pack in AWS documentation.nerc_cip_bcsi: Operational Best Practices for NERC CIP BCSI Conformance Pack. See more details about this pack in AWS documentation.networking_services: Operational Best Practices for Networking and Content Delivery Services Conformance Pack. See more details about this pack in AWS documentation.nist_csf: Operational Best Practices for NIST CSF Conformance Pack. See more details about this pack in AWS documentation.nist_privacy_framework_v1: Operational Best Practices for NIST Privacy Framework v1.0 Conformance Pack. See more details about this pack in AWS documentation.nist_800_53_rev_5: Operational Best Practices for NIST 800-53 rev 5 Conformance Pack. See more details about this pack in AWS documentation.nist_800_171: Operational Best Practices for NIST 800 171 Conformance Pack. See more details about this pack in AWS documentation.nist_800_172: Operational Best Practices for NIST 800 172 Conformance Pack. See more details about this pack in AWS documentation.nist_800_181: Operational Best Practices for NIST 800 181 Conformance Pack. See more details about this pack in AWS documentation.nist_1800_25: Operational Best Practices for NIST 1800 25 Conformance Pack. See more details about this pack in AWS documentation.nydfs_23_nycrr_500: Operational Best Practices for NYDFS 23 Conformance Pack. See more details about this pack in AWS documentation.nzism: Operational Best Practices for NZISM Conformance Pack. See more details about this pack in AWS documentation.pci_dss: Operational Best Practices for PCI DSS Conformance Pack. See more details about this pack in AWS documentation.publicly_accessible_resources: Operational Best Practices for Publicly Accessible Resources Conformance Pack. See more details about this pack in AWS documentation.rbi_bcsf_ucb: Operational Best Practices for RBI Cyber Security Framework for UCBs Conformance Pack. See more details about this pack in AWS documentation.rbi_md_itf: Operational Best Practices for RBI MD-ITF Conformance Pack. See more details about this pack in AWS documentation.security_services: Operational Best Practices for Security, Identity, and Compliance Services Conformance Pack. See more details about this pack in AWS documentation.serverless_services: Operational Best Practices for Serverless Conformance Pack. See more details about this pack in AWS documentation.storage_services: Operational Best Practices for Storage Services Conformance Pack. See more details about this pack in AWS documentation.swift_csp: Operational Best Practices for SWIFT CSP Conformance Pack. See more details about this pack in AWS documentation.s3: Operational Best Practices for Amazon S3 Conformance Pack. See more details about this pack in AWS documentation.well_architected_reliability_pillar: Operational Best Practices for AWS Well-Architected Framework Reliability Pillar Conformance Pack. See more details about this pack in AWS documentation.well_architected_security_pillar: Operational Best Practices for AWS Well-Architected Framework Security Pillar Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
security(Attributes Map) AWS Config Conformance Packs for Security Best Practices. Possible values for the key of the map are:autoscaling: Security Best Practices for AWS Auto Scaling Conformance Pack. See more details about this pack in AWS documentation.cloudfront: Security Best Practices for Amazon CloudFront Conformance Pack. See more details about this pack in AWS documentation.cloudtrail: Security Best Practices for AWS CloudTrail Conformance Pack. See more details about this pack in AWS documentation.codebuild: Security Best Practices for AWS CodeBuild Conformance Pack. See more details about this pack in AWS documentation.ecr: Security Best Practices for Amazon ECR Conformance Pack. See more details about this pack in AWS documentation.ecs: Security Best Practices for Amazon Elastic Container Service (Amazon ECS) Conformance Pack. See more details about this pack in AWS documentation.efs: Security Best Practices for Amazon Elastic File System (Amazon EFS) Conformance Pack. See more details about this pack in AWS documentation.eks: Security Best Practices for Amazon Elastic Kubernetes Service (Amazon EKS) Conformance Pack. See more details about this pack in AWS documentation.lambda: Security Best Practices for AWS Lambda Conformance Pack. See more details about this pack in AWS documentation.network_firewall: Security Best Practices for AWS Network Firewall Conformance Pack. See more details about this pack in AWS documentation.opensearch: Security Best Practices for Amazon OpenSearch Service Conformance Pack. See more details about this pack in AWS documentation.rds: Security Best Practices for Amazon Relational Database Service (Amazon RDS) Conformance Pack. See more details about this pack in AWS documentation.redshift: Security Best Practices for Amazon Redshift Conformance Pack. See more details about this pack in AWS documentation.sagemaker: Security Best Practices for Amazon SageMaker Conformance Pack. See more details about this pack in AWS documentation.secrets_manager: Security Best Practices for AWS Secrets Manager Conformance Pack. See more details about this pack in AWS documentation.waf: Security Best Practices for AWS WAF Conformance Pack. See more details about this pack in AWS documentation.- The value associated with these keys is the object. (see below for nested schema)
Nested Schema for configuration.organization.config.conformance_packs.operational
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.organization.config.conformance_packs.security
Required:
enabled(Boolean) Enables the Conformance Pack.
Optional:
parameters(Map of String) The keys of the map are the parameters defined in the yaml file found in the AWS documentation linked to the Conformance Pack's description. The value of the map is a string that is supported by the parameter in the key. If no parameters are defined, the default values defined in the yaml file.
Nested Schema for configuration.organization.controltower
Optional:
access_management(Boolean) If enabled, AWS Control Tower will create a new AWS Identity Center instance integrated with the AWS Organization and will create/manage SSO roles and permion sets. It MUST betrueif there is no AWS Organization/AWS Identity Center to reuse. It SHOULD befalseif AWS Organizations/AWS Identity Center are reused or after tenancy has been created and either sso attribute is defined or you want to use the tenancy managed identity center groups. Defaults totrue.central_logging(Attributes) Settings for S3 bucket(s) used for central logging. (see below for nested schema)landing_zone_version(String) AWS ControlTower Landing Zone version. Defaults to3.3org_units(Attributes) Configuration for AWS ControlTower Organization Units. (see below for nested schema)security(Attributes) Settings for security. (see below for nested schema)
Nested Schema for configuration.organization.controltower.central_logging
Optional:
retention_days(Map of Number) Configures retention in days for provided S3 bucket.reuse_existing(Attributes) Reuse AWS Account for Log Archive. (see below for nested schema)
Nested Schema for configuration.organization.controltower.central_logging.reuse_existing
Required:
enabled(Boolean) If enabled, it reuses an existing AWS Account for Log Archive.
Optional:
account_id(String) AWS Account ID to use for Log Archive. MUST be provided ifenabled = true.
Nested Schema for configuration.organization.controltower.org_units
Optional:
decommissioned(String) The custom name to use for Decommissioned OU.sandbox(String) The name for the Sandbox OU. This is only available at CREATE stage and cannot be changed after as the AWS Control Tower APIs doesn't support this update. Defaults toSandboxes.security(Attributes) The security OU created by Volo Cloud Foundations tenancy resource. (see below for nested schema)tenancy(Attributes) Configuration for custom/default Organization Units created under the tenancy OU. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.security
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)name(String) The name for the Security OU. This is only available at CREATE stage and cannot be changed after as the AWS Control Tower API doesn't support this update. Defaults toSecurity.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.security.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.security.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.security.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.security.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.security.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.security.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)custom(Attributes Map) Defines custom AWS Control Tower Organization Units to create under the tenancy root managed by this Landing Zone alongside the default OUs. It supports 3 nested levels under tenancy root. (see below for nested schema)default(Attributes) Default OUs created by Volo Cloud Foundations tenancy resource. (see below for nested schema)name(String) The name for the Tenancy OU. Defaults toTenancy.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. Supports 2 more levels of nesting. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.custom.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default
Optional:
platform(Attributes) The platform OUs created by Volo Cloud Foundations tenancy resource. (see below for nested schema)workloads(Attributes) The workload environment OUs created by Volo Cloud Foundations tenancy resource. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes) Child OUs to create under platform OU. (see below for nested schema)name(String) The name for the platform OU. Defaults toPlatform.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple levels (multiple OUs and/or AWS Accounts), its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. If a permission set is defined at multiple levels (multiple OUs and/or AWS Accounts), its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous
Optional:
connectivity(Attributes) The connectivity OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)management(Attributes) The management OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the connectivity OU. Defaults toConnectivity.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.connectivity.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the management OU. Defaults toManagement.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.child_ous.management.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.platform.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes) Child OUs to create under workloads OU. (see below for nested schema)name(String) The name for the workloads OU. Defaults toWorkloads.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous
Optional:
dev(Attributes) The dev environment OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)prod(Attributes) The prod environment OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)qa(Attributes) The qa environment OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)test(Attributes) The test environment OU created by Volo Cloud Foundations tenancy resource. It supports a map of custom OUs to be created as children of this OU. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the dev environment OU. Defaults toDevelopment.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.dev.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the prod environment OU. Defaults toProduction.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.prod.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the qa environment OU. Defaults toPre-Production.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.qa.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)child_ous(Attributes Map) Child OUs to create under this OU. (see below for nested schema)name(String) The name for the test environment OU. Defaults toTest.ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous
Required:
name(String) The name of the new OU to create.
Optional:
auditmanager_assessments(Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)ssm_patch_policies(Attributes List) Systems Manager patch policies associated with all AWS accounts in this OU. (see below for nested schema)ssm_resource_scheduler(Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)sso_permission_sets(Attributes List) AWS Identity Center custom permission sets associated with all AWS accounts in this OU. If a permission set is defined at multiple OU levels its attributes (e.g. name, iam_policies, etc) MUST be the same at all levels. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.auditmanager_assessments
Required:
framework(Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)
Optional:
owners(List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.auditmanager_assessments.framework
Optional:
aws_managed(String) Must match one of the aws_managed frameworks map keys defined under the audit account.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.child_ous.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.child_ous.test.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.default.workloads.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies
Optional:
attach_iam_policy_to_instance_profile(Boolean) If true, the AWS System Manager Quick Setup attaches policies to instances profiles already associated with the target EC2 instances. Defaults totrue.name(String) A name for the patch policy. The value you provide is applied to target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults topatch-policy.
Warning
This value cannot be changed on update.
You MUST disabled entire patch_policy capability in the environment and re-add it with a new name.
patch_baseline(Attributes) Patch baseline to be used in the policy. ONLY one ofcustomoruse_defaultcan be specified. Defaults touse_default. (see below for nested schema)patch_operation(Attributes) Patch install/scan operation scheduling. Defaults to below object. (see below for nested schema)rate_control(Attributes) You can control the execution of an association on your nodes by specifying a concurrency value and an error threshold. Defaults to below object. (see below for nested schema)reboot(String) Determines whether instances are rebooted after patches are installed. Valid values areNoReboot | RebootIfNeeded. Defaults toNoReboot.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies.patch_baseline
Optional:
custom(List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts withuse_default. For more info check AWS Documentation.use_default(Boolean) If true, the selected patch baselines are all AWS provided. Conflicts withcustom.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies.patch_operation
Optional:
install(Attributes) Install patch operation scheduling. (see below for nested schema)scan(Attributes) Scan patch operation scheduling. Defaults to below object. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies.patch_operation.install
Required:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches.
Optional:
next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies.patch_operation.scan
Optional:
cron(String) A cron expression that is used as the schedule for when target EC2 instances install available patches. Defaults tocron(0 1 * * ? *).next_interval(Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults totrue.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_patch_policies.rate_control
Optional:
concurrency(Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to10.error_threshold(Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to2.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_resource_scheduler
Required:
name(String) The name of the quicksetup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST must be lowercase alphanumeric or dash between 1 and 32 charactersschedule(Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see here. (see below for nested schema)selection(Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)
Optional:
tags(Map of String) You can use tags to search and filter your Quick Setup Configuration managers.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_resource_scheduler.schedule
Required:
end_time(String) This is used to specify the time of day for the END operation part of the schedule.recurrence_rule(Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)start_time(String) This is used to specify the time of day for the START operation part of the schedule.
Optional:
timezone(String) Specifies the Time Zone, as defined in the public-domain TZ database [TZDB], which should be used, the possible values are defined here. Defaults toUTC.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_resource_scheduler.schedule.recurrence_rule
Required:
byday(List of String) This specifies a list of days of the week. Possible values areSUindicates Sunday,MOindicates Monday,TUindicates Tuesday,WEindicates Wednesday,THindicates Thursday,FRindicates Friday andSAindicates Saturday.
Optional:
frequency(String) This identifies the type of recurrence rule. Possible values areWEEKLY. Defaults toWEEKLYinterval(Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to1.
Nested Schema for configuration.organization.controltower.org_units.tenancy.ssm_resource_scheduler.selection
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.org_units.tenancy.sso_permission_sets
Required:
iam_policies(Attributes) AWS IAM policies to attach to the permission set. It supports a list of custom iam policy arns, the name of a managed policy or a session manager tag pair. (see below for nested schema)name(String) The name of the permission set. MUST must be lowercase alphanumeric or dash between 1 and 20 characters.
Optional:
description(String) Description for the permission set.duration(Number) Permission set session duration (in hours) before the user requires to re-authenticate. If not provided it will default to8hours.
Nested Schema for configuration.organization.controltower.org_units.tenancy.sso_permission_sets.iam_policies
Optional:
custom(Map of String) A map of IAM policies, JSON encoded, to assign to the new permission set.managed(Map of String) A map of aws managed policy ARNS to assign their policies to the new permission set.session_manager(Attributes) If defined, this will allow Session Manager permissions for the provider tag pair. (see below for nested schema)
Nested Schema for configuration.organization.controltower.org_units.tenancy.sso_permission_sets.iam_policies.session_manager
Required:
tag_key(String) The tag key assigned to the instances you want to target.tag_value(String) The value of the tag key assigned to the instances you want to target.
Nested Schema for configuration.organization.controltower.security
Optional:
reuse_existing(Attributes) Reuse AWS Account for Audit. (see below for nested schema)
Nested Schema for configuration.organization.controltower.security.reuse_existing
Required:
enabled(Boolean) If enabled, it reuses an existing AWS Account for Audit.
Optional:
account_id(String) AWS Account ID to use for Audit. MUST be provided ifenabled = true.
Nested Schema for configuration.organization.cost_optimization_hub
Optional:
enabled(Boolean) If true, enables AWS Cost Optimization Hub for all accounts in the AWS Organization. Defaults totrue.preferences(Attributes) AWS Cost Optimization Hub preferences. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.cost_optimization_hub.preferences
Optional:
member_account_discount_visibility(String) Customize whether the member accounts can see the "After Discounts" savings estimates. Valid values are:All | None. Defaults toAll.savings_estimation_mode(String) Customize how estimated monthly savings are calculated. Valid values are:BeforeDiscounts | AfterDiscounts. Defaults toBeforeDiscounts.
Nested Schema for configuration.organization.network_deployment_architectures
Optional:
centralized(Attributes) Configuration for deployment of centralized architecture patterns in the network account. (see below for nested schema)distributed(Attributes) Configuration for deployment of distributed architecture patterns in the AWS organization accounts. (see below for nested schema)
Nested Schema for configuration.organization.network_deployment_architectures.centralized
Optional:
availability_zones(List of String) How many AZs to use for network account VPC(s)? The list MUST contain either 2 or 3 elements. It can be combination of any 2 items or all items from list:[1, 2, 3]. Defaults to[1, 2].egress(Attributes) Configuration for deployment of centralized egress architecture. (see below for nested schema)ingress(Attributes) Configuration for deployment of centralized ingress architecture. (see below for nested schema)private_endpoints(Attributes) Configuration for deployment of centralized private endpoints architecture. (see below for nested schema)
Nested Schema for configuration.organization.network_deployment_architectures.centralized.egress
Optional:
enabled(Boolean) Allows deployment of centralized egress architecture. Defaults to true.
Nested Schema for configuration.organization.network_deployment_architectures.centralized.ingress
Optional:
enabled(Boolean) Allows deployment of centralized ingress architecture. Defaults totrue.
Nested Schema for configuration.organization.network_deployment_architectures.centralized.private_endpoints
Optional:
enabled(Boolean) Allows deployment of centralized private endpoints architecture. Defaults totrue.interface_services(List of String) List of AWS services to create private endpoints of type interface in the network account private endpoints VPC. The service name is derived from this aws-services-privatelink-support, by taking the service name after the region part. Valid values are:[access-analyzer account acm-pca airflow.api api-fips env env-fips ops analytics-omics appconfig appconfigdata appmesh appmesh-envoy-management apprunner apprunner.requests applicationinsights application-autoscaling application-signals appstream.api appstream.streaming app-integrations apptest aps aps-workspaces arsenal-discovery athena auditmanager autoscaling autoscaling-plans awsconnector b2bi backup backup-gateway batch bcm-data-exports bedrock bedrock-agent bedrock-agent-runtime bedrock-runtime billing billingconductor braket cassandra cassandra-fips cases ce cleanrooms cleanrooms-ml cloudcontrolapi cloudcontrolapi-fips clouddirectory cloudformation cloudhsmv2 cloudtrail codeartifact.api codeartifact.repositories codebuild codebuild-fips codecommit codecommit-fips codeconnections.api codedeploy codedeploy-commands-secure codeguru-profiler codeguru-reviewer codepipeline codestar-connections.api codewhisperer comprehend comprehendmedical compute-optimizer config connect-campaigns console controlcatalog control-storage-omics cost-optimization-hub databrew dataexchange datasync data-servicediscovery data-servicediscovery-fips deadline.management deadline.scheduling deviceadvisor.iot devops-guru dicom-medical-imaging discovery dms dms-fips drs ds ds-data dynamodb dynamodb-fips ebs ec2 ec2messages ec2-fips ecr.api ecr.dkr ecs ecs-agent ecs-telemetry eks eks-auth elasticbeanstalk elasticbeanstalk-health elasticfilesystem elasticfilesystem-fips elasticloadbalancing elasticache elasticache-fips elasticmapreduce email-smtp emr-containers emr-serverless emr-serverless-services.livy emrwal.prod entityresolution events evidently evidently-dataplane execute-api experiments finspace finspace-api fis forecast forecast-fips forecastquery forecastquery-fips frauddetector freetier fsx fsx-fips git-codecommit git-codecommit-fips glue glue.dashboard grafana grafana-workspace greengrass groundstation guardduty guardduty-data guardduty-data-fips guardduty-fips healthlake iam identitystore imagebuilder inspector2 inspector-scan internetmonitor internetmonitor-fips iotfleetwise iotroborunner iotsitewise.api iotsitewise.data iottwinmaker.api iottwinmaker.data iotwireless.api iot.data iot.credentials iot.fleethub.api kafka kafka-fips kendra kendra-ranking kinesis-firehose kinesis-streams kinesis-streams-fips kms kms-fips lakeformation lambda launchwizard license-manager license-manager-fips license-manager-linux-subscriptions license-manager-linux-subscriptions-fips license-manager-user-subscriptions lightsail logs lookoutequipment lookoutmetrics lookoutvision lorawan.cups lorawan.lns m2 macie2 managedblockchain-query managedblockchain.bitcoin.mainnet managedblockchain.bitcoin.testnet mediaconnect medical-imaging memory-db memorydb-fips migrationhub-orchestrator migrationhub-strategy mgn models-v2-lex monitoring mq neptune-graph neptune-graph-data neptune-graph-fips network-firewall network-firewall-fips networkflowmonitor networkflowmonitorreports networkmonitor notebook observabilityadmin organizations organizations-fips outposts panorama partner-app payment-cryptography.controlplane payment-cryptography.dataplane pca-connector-ad pca-connector-scep pcs pcs-fips personalize personalize-events personalize-runtime pi pi-fips pinpoint pinpoint-sms-voice-v2 pipes pipes-data pipes-fips polly pricing.api private-networks profile proton q qapps qbusiness qldb.session quicksight-website ram rbin refactor-spaces rds rds-data redshift redshift-fips redshift-serverless redshift-serverless-fips redshift-data redshift-data-fips rekognition rekognition-fips repostspace resource-groups resource-groups-fips robomaker rolesanywhere rum rum-dataplane runtime-medical-imaging runtime-v2-lex s3 s3tables s3-global.accesspoint s3-outposts sagemaker.api sagemaker-data-science-assistant sagemaker.api-fips sagemaker.featurestore-runtime sagemaker.metrics sagemaker.runtime sagemaker.runtime-fips savingsplans schemas scn secretsmanager securityhub securitylake securitylake-fips serverlessrepo servicecatalog servicecatalog-appregistry servicediscovery servicediscovery-fips service.user-subscriptions signin simspaceweaver snow-device-management sns social-messaging sqs ssm ssm-contacts ssm-incidents ssm-quicksetup ssmmessages states storagegateway storage-omics streaming-rekognition streaming-rekognition-fips sts studio swf swf-fips sync-states synthetics synthetics-fips tagging tags-omics tax textract textract-fips thinclient.api timestream.ingest-cell timestream.query-cell timestream-influxdb timestream-influxdb-fips tnb transcribe transcribestreaming transfer transfer.server translate trustedadvisor verifiedpermissions voiceid vpc-lattice wellarchitected wisdom workflows-omics workmail workspaces workspaces-web workspaces-web-fips xray].
Nested Schema for configuration.organization.network_deployment_architectures.distributed
Optional:
availability_zones(List of String) How many AZs to use for all VPCs (except network account)? The list MUST contain either 2 or 3 elements. It can be combination of any 2 items or all items from list:[1, 2, 3]. Defaults to[1, 2].egress_enabled(Boolean) Allows deployment of distributed egress architecture. Defaults tofalse.ingress_enabled(Boolean) Allows deployment of distributed ingress architecture. Defaults tofalse.private_endpoints_enabled(Boolean) Allows deployment of distributed private endpoints architecture. Defaults tofalse.
Nested Schema for configuration.organization.password_policy
Optional:
allow_users_to_change_password(Boolean) Whether to allow users to change their own password. Defaults to true.hard_expiry(Boolean) Whether users are prevented from setting a new password after their password has expired (i.e., require administrator reset). Defaults to false.max_password_age(Number) The number of days that an user password is valid. Defaults to 90.minimum_password_length(Number) Minimum length to require for user passwords. Defaults to 14.password_reuse_prevention(Number) The number of previous passwords that users are prevented from reusing. Defaults to 24.require_lowercase_characters(Boolean) Whether to require lowercase characters for user passwords.. Defaults to true.require_numbers(Boolean) Whether to require numbers for user passwords. Defaults to true.require_symbols(Boolean) Whether to require symbols for user passwords. Defaults to true.require_uppercase_characters(Boolean) Whether to require uppercase characters for user passwords. Defaults to true.
Nested Schema for configuration.organization.private_certificate_authority
Required:
configuration(Attributes) AWS Private Certificate Authority configuration. (see below for nested schema)
Optional:
certificate_validity(Number) Validity period of the certificate, in days. Validity period can be from 2010 days (5.5 years) to 4015 days (11 years). The CA cannot issue certificates for subordinates with their validity period exceeding the root CA validatidy period. Defaults to4000.enabled(Boolean) Whether the certificate authority is enabled or disabled. Defaults totrue. Can only be disabled if the CA is in anACTIVEstate.subordinates(Attributes List) Level 2 subordinates CA under root. At least one subordinate MUST be specified and supports up to 20 subordinates. (see below for nested schema)tags(Map of String) Key-value map of user-defined tags that are attached to the certificate authority.
Read-Only:
usage_mode(String) The AWS Private Certificate Authority type. This can only beGENERAL_PURPOSEand cannot be changed.
Nested Schema for configuration.organization.private_certificate_authority.configuration
Required:
subject(Attributes) Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified. (see below for nested schema)
Optional:
key_algorithm(String) Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation. Defaults toRSA_4096.key_storage_security_standard(String) Cryptographic key management compliance standard used for handling CA keys. Valid values:FIPS_140_2_LEVEL_2_OR_HIGHERandFIPS_140_2_LEVEL_3_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. Defaults toFIPS_140_2_LEVEL_3_OR_HIGHER.permanent_deletion_time_in_days(Number) Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days. Defaults to30days.revocation_configuration(Attributes) Nested argument containing revocation configuration. (see below for nested schema)signing_algorithm(String) Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation. Defaults toSHA512WITHRSA.
Nested Schema for configuration.organization.private_certificate_authority.configuration.subject
Required:
common_name(String) Fully qualified domain name (FQDN) associated with the certificate subject. Must contain alphanumeric, dash, space, period and underscore characters and be less than or equal to 64 characters in length.
Optional:
standard_attributes(Attributes) Standard attributes for ASN1Subject. See available attributes in ACM PCA Documentation. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.configuration.subject.standard_attributes
Optional:
country(String) Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.distinguished_name_qualifier(String) Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.generation_qualifier(String) Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.given_name(String) First name. Must be less than or equal to 16 characters in length.initials(String) Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.locality(String) Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.organization(String) Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.organizational_unit(String) Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.pseudonym(String) Typically a shortened version of a longergiven_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.state(String) State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.surname(String) Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.title(String) Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
Nested Schema for configuration.organization.private_certificate_authority.configuration.revocation_configuration
Optional:
crl(Attributes) Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. (see below for nested schema)ocsp(Attributes) Nested argument containing configuration of the custom OCSP responder endpoint. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.configuration.revocation_configuration.crl
Optional:
custom_cname(String) Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored. Must be less than or equal to 128 characters in length.enabled(Boolean) Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults tofalse.expiration_in_days(Number) Number of days until a certificate expires. Must be between 1 and 5000. Defaults to365days.
Nested Schema for configuration.organization.private_certificate_authority.configuration.revocation_configuration.ocsp
Optional:
custom_cname(String) CNAME specifying a customized OCSP domain. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored.enabled(Boolean) Boolean value that specifies whether a custom OCSP responder is enabled. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates
Required:
configuration(Attributes) AWS Private Certificate Authority configuration. (see below for nested schema)
Optional:
certificate_validity(Number) Validity period of the certificate, in days. Validity period can be from 915 days (2.5 years) to 1915 days (5.25 years). Defaults to1900.connector(Attributes) AWS ACM PCA Connector configuration for this subordinate CA. (see below for nested schema)enabled(Boolean) Whether the certificate authority is enabled or disabled. Defaults totrue. Can only be disabled if the CA is in anACTIVEstate.issued_certificate_template(String) The template to use for the certificates issued by the subordinate CA. Valid values are:BlankEndEntityCertificate_APIPassthrough/V1,BlankEndEntityCertificate_APICSRPassthrough/V1,EndEntityCertificate/V1,EndEntityClientAuthCertificate/V1,EndEntityServerAuthCertificate/V1. Defaults toBlankEndEntityCertificate_APICSRPassthrough/V1.organization_share_enabled(Boolean) Whether the certificate authority is shared with the AWS Organization. Defaults totrue.subordinates(Attributes List) Level 3 subordinates CA under level 2 subordinate of typeGENERAL_PURPOSE. If provided, at least one subordinate MUST be specified and supports up to 20 subordinates. Conflicts withissued_certificate_template. (see below for nested schema)tags(Map of String) Key-value map of user-defined tags that are attached to the certificate authority.usage_mode(String) The AWS Private Certificate Authority type. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE. Defaults toGENERAL_PURPOSE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration
Required:
subject(Attributes) Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified. (see below for nested schema)
Optional:
key_algorithm(String) Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation. Defaults toRSA_4096.key_storage_security_standard(String) Cryptographic key management compliance standard used for handling CA keys. Valid values:FIPS_140_2_LEVEL_2_OR_HIGHERandFIPS_140_2_LEVEL_3_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. Defaults toFIPS_140_2_LEVEL_3_OR_HIGHER.permanent_deletion_time_in_days(Number) Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days. Defaults to30days.revocation_configuration(Attributes) Nested argument containing revocation configuration. (see below for nested schema)signing_algorithm(String) Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation. Defaults toSHA512WITHRSA.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration.subject
Required:
common_name(String) Fully qualified domain name (FQDN) associated with the certificate subject. Must contain alphanumeric, dash, space, period and underscore characters and be less than or equal to 64 characters in length.
Optional:
standard_attributes(Attributes) Standard attributes for ASN1Subject. See available attributes in ACM PCA Documentation. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration.subject.standard_attributes
Optional:
country(String) Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.distinguished_name_qualifier(String) Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.generation_qualifier(String) Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.given_name(String) First name. Must be less than or equal to 16 characters in length.initials(String) Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.locality(String) Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.organization(String) Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.organizational_unit(String) Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.pseudonym(String) Typically a shortened version of a longergiven_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.state(String) State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.surname(String) Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.title(String) Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration.revocation_configuration
Optional:
crl(Attributes) Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. (see below for nested schema)ocsp(Attributes) Nested argument containing configuration of the custom OCSP responder endpoint. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration.revocation_configuration.crl
Optional:
custom_cname(String) Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored. Must be less than or equal to 128 characters in length.enabled(Boolean) Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults tofalse.expiration_in_days(Number) Number of days until a certificate expires. Must be between 1 and 5000. Defaults to365days.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.configuration.revocation_configuration.ocsp
Optional:
custom_cname(String) CNAME specifying a customized OCSP domain. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored.enabled(Boolean) Boolean value that specifies whether a custom OCSP responder is enabled. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector
Optional:
ad(Attributes) Create a Connector for AD associated with this subordinate CA. (see below for nested schema)scep(Attributes) Create a Connector for SCEP associated with this subordinate CA. Eithergeneral_purposeorintuneMUST be configured. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad
Required:
directory(Attributes) The AWS Directory Service to use for the PCA connector. (see below for nested schema)enabled(Boolean) Whether Connector for Active Directory is enabled or disabled.templates(Attributes List) A list of templates to create for the PCA connector. (see below for nested schema)
Optional:
tags(Map of String) Key-value map of user-defined tags to use for the PCA connector.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.directory
Required:
id(String) The AWS Directory Service directory ID to use for the PCA connector.
Warning
Changing this value causes the PCA connector to be replaced.
This will destroy and recreate the connector resource.
type(String) The AWS Directory Service directory type to use for the PCA connector. Valid values:ADConnector,MicrosoftAD,SimpleAD.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates
Required:
group_access_control(Attributes List) List of group access control entries. Allow or deny Active Directory groups from enrolling and/or autoenrolling with the template based on the group security identifiers (SIDs). (see below for nested schema)name(String) Name of the templates. Template names must be unique.
Warning
Changing this value causes the template to be replaced.
This will destroy and recreate the template resource.
Optional:
definition(Attributes) Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings. Defaults to v4 template (see below for nested schema)reenroll_all_certificate_holders(Boolean) This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.
Warning
This is a disruptive operation during updates.
All certificate holders will be re-enrolled and receive new certificates.
tags(Map of String) Key-value map of user-defined tags to use for the PCA connector template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.group_access_control
Required:
display_name(String) Name of the Active Directory group. This name does not need to match the group name in Active Directory.security_identifier(String) Security identifier (SID) of the group object from Active Directory. The SID starts withS-. If changed it will replace the template.
Optional:
access_rights(Attributes) Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.group_access_control.access_rights
Optional:
auto_enroll(String) Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment. Defaults toALLOW.enroll(String) Allow or deny an Active Directory group from enrolling certificates issued against a template. Defaults toALLOW.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition
Optional:
v2(Attributes) v2 template schema that uses Legacy Cryptographic Providers. (see below for nested schema)v3(Attributes) (see below for nested schema)v4(Attributes) V4 template schema that uses either Legacy Cryptographic Providers or Key Storage Providers. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)private_key_attributes(Attributes) Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers. (see below for nested schema)private_key_flags(Attributes) Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key. (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.private_key_attributes
Optional:
crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE.minimal_key_length(Number) Set the minimum key length of the private key. Minimum1.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2003 | WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported.strong_key_protection_required(Boolean) Require user input when using the private key for enrollment.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v2.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)hash_algorithm(String) Specifies the hash algorithm used to hash the private key. Valid values:SHA256 | SHA384 | SHA512.private_key_attributes(Attributes) Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers. (see below for nested schema)private_key_flags(Attributes) Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used. (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.private_key_attributes
Optional:
algorithm(String) Defines the algorithm used to generate the private key. Valid values:RSA | ECDH_P256 | ECDH_P384 | ECDH_P521.crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE.key_usage_property(Attributes) The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL. (see below for nested schema)minimal_key_length(Number) Set the minimum key length of the private key.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.private_key_attributes.key_usage_property
Optional:
property_flags(Attributes) You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both. (see below for nested schema)property_type(String) You can specify all key usages using property typeALL. You can use property type or property flags but not both.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.private_key_attributes.key_usage_property.property_flags
Optional:
decrypt(Boolean) Allows key for encryption and decryption.key_agreement(Boolean) Allows key exchange without encryption.sign(Boolean) Allow key use for digital signature.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported.require_alternate_signature_algorithm(Boolean) Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.strong_key_protection_required(Boolean) Requirer user input when using the private key for enrollment.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v3.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)hash_algorithm(String) Specifies the hash algorithm used to hash the private key. Valid values:SHA256 | SHA384 | SHA512. Defaults toSHA512.private_key_attributes(Attributes) Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags. Defaults to below object (see below for nested schema)private_key_flags(Attributes) Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if the same key should be used for renewal. Defaults to below object (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.private_key_attributes
Optional:
algorithm(String) Defines the algorithm used to generate the private key. Valid:ECDH_P256 | ECDH_P384 | ECDH_P521 | RSA. Defaults toRSA.crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE. Defaults toKEY_EXCHANGE.key_usage_property(Attributes) The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL. Defaults to below object (see below for nested schema)minimal_key_length(Number) Set the minimum key length of the private key. Defaults to2048.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.private_key_attributes.key_usage_property
Optional:
property_flags(Attributes) You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both. (see below for nested schema)property_type(String) You can specify all key usages using property typeALL. You can use property type or property flags but not both. Defaults toALL.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.private_key_attributes.key_usage_property.property_flags
Optional:
decrypt(Boolean) Allows key for encryption and decryption.key_agreement(Boolean) Allows key exchange without encryption.sign(Boolean) Allow key use for digital signature.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016. Defaults toWINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported. Defaults tofalse.require_alternate_signature_algorithm(Boolean) Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format. Defaults tofalse.require_same_key_renewal(Boolean) Renew certificate using the same private key. Defaults tofalse.strong_key_protection_required(Boolean) Require user input when using the private key for enrollment. Defaults tofalse.use_legacy_provider(Boolean) Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.ad.templates.definition.v4.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.scep
Optional:
general_purpose(Attributes) Create a Connector for General-purpose SCEP associated with this subordinate CA. (see below for nested schema)intune(Attributes) Create a Connector for Microsoft Intune SCEP associated with this subordinate CA. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.scep.general_purpose
Required:
enabled(Boolean) Whether the Connector for General-purpose SCEP is enabled or disabled.
Optional:
challenge_validity(Number) A period in days for the challenge password to be valid. A new challenge password will be replaced after this period when this resource triggers an update for the first time. The renewal is not automated. Defaults to365.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.connector.scep.intune
Required:
azure_application_id(String) The application (client) ID from your Microsoft Entra ID app registration.enabled(Boolean) Whether the Connector for Microsoft Intune SCEP is enabled or disabled.
Optional:
domain(String) The primary domain from your Microsoft Entra ID app registration.tenant_id(String) The directory (tenant) ID from your Microsoft Entra ID app registration.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates
Required:
configuration(Attributes) AWS Private Certificate Authority configuration. (see below for nested schema)
Optional:
certificate_validity(Number) Validity period of the certificate, in days. Validity period can be from 395 days (13 months) to 815 days (2.25 years). Defaults to800.connector(Attributes) AWS ACM PCA Connector configuration for this subordinate CA. (see below for nested schema)enabled(Boolean) Whether the certificate authority is enabled or disabled. Defaults totrue. Can only be disabled if the CA is in anACTIVEstate.issued_certificate_template(String) The template to use for the certificates issued by the subordinate CA. Valid values are:BlankEndEntityCertificate_APIPassthrough/V1,BlankEndEntityCertificate_APICSRPassthrough/V1,EndEntityCertificate/V1,EndEntityClientAuthCertificate/V1,EndEntityServerAuthCertificate/V1. Defaults toBlankEndEntityCertificate_APICSRPassthrough/V1.organization_share_enabled(Boolean) Whether the certificate authority is shared with the AWS Organization. Defaults totrue.tags(Map of String) Key-value map of user-defined tags that are attached to the certificate authority.usage_mode(String) The AWS Private Certificate Authority type. Valid values:GENERAL_PURPOSEandSHORT_LIVED_CERTIFICATE. Defaults toGENERAL_PURPOSE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration
Required:
subject(Attributes) Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified. (see below for nested schema)
Optional:
key_algorithm(String) Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation. Defaults toRSA_4096.key_storage_security_standard(String) Cryptographic key management compliance standard used for handling CA keys. Valid values:FIPS_140_2_LEVEL_2_OR_HIGHERandFIPS_140_2_LEVEL_3_OR_HIGHER. Supported standard for each region can be found in the Storage and security compliance of AWS Private CA private keys Documentation. Defaults toFIPS_140_2_LEVEL_3_OR_HIGHER.permanent_deletion_time_in_days(Number) Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days. Defaults to30days.revocation_configuration(Attributes) Nested argument containing revocation configuration. (see below for nested schema)signing_algorithm(String) Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation. Defaults toSHA512WITHRSA.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration.subject
Required:
common_name(String) Fully qualified domain name (FQDN) associated with the certificate subject. Must contain alphanumeric, dash, space, period and underscore characters and be less than or equal to 64 characters in length.
Optional:
standard_attributes(Attributes) Standard attributes for ASN1Subject. See available attributes in ACM PCA Documentation. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration.subject.standard_attributes
Optional:
country(String) Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.distinguished_name_qualifier(String) Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.generation_qualifier(String) Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.given_name(String) First name. Must be less than or equal to 16 characters in length.initials(String) Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.locality(String) Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.organization(String) Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.organizational_unit(String) Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.pseudonym(String) Typically a shortened version of a longergiven_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.state(String) State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.surname(String) Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.title(String) Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration.revocation_configuration
Optional:
crl(Attributes) Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. (see below for nested schema)ocsp(Attributes) Nested argument containing configuration of the custom OCSP responder endpoint. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration.revocation_configuration.crl
Optional:
custom_cname(String) Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored. Must be less than or equal to 128 characters in length.enabled(Boolean) Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults tofalse.expiration_in_days(Number) Number of days until a certificate expires. Must be between 1 and 5000. Defaults to365days.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.configuration.revocation_configuration.ocsp
Optional:
custom_cname(String) CNAME specifying a customized OCSP domain. This will be used to create the correct CNAME entry in the production environment private DNS zone if exists, otherwise it's ignored.enabled(Boolean) Boolean value that specifies whether a custom OCSP responder is enabled. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector
Optional:
ad(Attributes) Create a Connector for AD associated with this subordinate CA. (see below for nested schema)scep(Attributes) Create a Connector for SCEP associated with this subordinate CA. Eithergeneral_purposeorintuneMUST be configured. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad
Required:
directory(Attributes) The AWS Directory Service to use for the PCA connector. (see below for nested schema)enabled(Boolean) Whether Connector for Active Directory is enabled or disabled.templates(Attributes List) A list of templates to create for the PCA connector. (see below for nested schema)
Optional:
tags(Map of String) Key-value map of user-defined tags to use for the PCA connector.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.directory
Required:
id(String) The AWS Directory Service directory ID to use for the PCA connector.
Warning
Changing this value causes the PCA connector to be replaced.
This will destroy and recreate the connector resource.
type(String) The AWS Directory Service directory type to use for the PCA connector. Valid values:ADConnector,MicrosoftAD,SimpleAD.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates
Required:
group_access_control(Attributes List) List of group access control entries. Allow or deny Active Directory groups from enrolling and/or autoenrolling with the template based on the group security identifiers (SIDs). (see below for nested schema)name(String) Name of the templates. Template names must be unique.
Warning
Changing this value causes the template to be replaced.
This will destroy and recreate the template resource.
Optional:
definition(Attributes) Template configuration to define the information included in certificates. Define certificate validity and renewal periods, certificate request handling and enrollment options, key usage extensions, application policies, and cryptography settings. Defaults to v4 template (see below for nested schema)reenroll_all_certificate_holders(Boolean) This setting allows the major version of a template to be increased automatically. All members of Active Directory groups that are allowed to enroll with a template will receive a new certificate issued using that template.
Warning
This is a disruptive operation during updates.
All certificate holders will be re-enrolled and receive new certificates.
tags(Map of String) Key-value map of user-defined tags to use for the PCA connector template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.group_access_control
Required:
display_name(String) Name of the Active Directory group. This name does not need to match the group name in Active Directory.security_identifier(String) Security identifier (SID) of the group object from Active Directory. The SID starts withS-. If changed it will replace the template.
Optional:
access_rights(Attributes) Permissions to allow or deny an Active Directory group to enroll or autoenroll certificates issued against a template. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.group_access_control.access_rights
Optional:
auto_enroll(String) Allow or deny an Active Directory group from autoenrolling certificates issued against a template. The Active Directory group must be allowed to enroll to allow autoenrollment. Defaults toALLOW.enroll(String) Allow or deny an Active Directory group from enrolling certificates issued against a template. Defaults toALLOW.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition
Optional:
v2(Attributes) v2 template schema that uses Legacy Cryptographic Providers. (see below for nested schema)v3(Attributes) (see below for nested schema)v4(Attributes) V4 template schema that uses either Legacy Cryptographic Providers or Key Storage Providers. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)private_key_attributes(Attributes) Private key attributes allow you to specify the minimal key length, key spec, and cryptographic providers for the private key of a certificate for v2 templates. V2 templates allow you to use Legacy Cryptographic Service Providers. (see below for nested schema)private_key_flags(Attributes) Private key flags for v2 templates specify the client compatibility, if the private key can be exported, and if user input is required when using a private key. (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.private_key_attributes
Optional:
crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE.minimal_key_length(Number) Set the minimum key length of the private key. Minimum1.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2003 | WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported.strong_key_protection_required(Boolean) Require user input when using the private key for enrollment.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v2.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)hash_algorithm(String) Specifies the hash algorithm used to hash the private key. Valid values:SHA256 | SHA384 | SHA512.private_key_attributes(Attributes) Private key attributes allow you to specify the algorithm, minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v3 templates. V3 templates allow you to use Key Storage Providers. (see below for nested schema)private_key_flags(Attributes) Private key flags for v3 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, and if an alternate signature algorithm should be used. (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.private_key_attributes
Optional:
algorithm(String) Defines the algorithm used to generate the private key. Valid values:RSA | ECDH_P256 | ECDH_P384 | ECDH_P521.crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE.key_usage_property(Attributes) The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL. (see below for nested schema)minimal_key_length(Number) Set the minimum key length of the private key.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.private_key_attributes.key_usage_property
Optional:
property_flags(Attributes) You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both. (see below for nested schema)property_type(String) You can specify all key usages using property typeALL. You can use property type or property flags but not both.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.private_key_attributes.key_usage_property.property_flags
Optional:
decrypt(Boolean) Allows key for encryption and decryption.key_agreement(Boolean) Allows key exchange without encryption.sign(Boolean) Allow key use for digital signature.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2008 | WINDOWS_SERVER_2008_R2 | WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported.require_alternate_signature_algorithm(Boolean) Reguires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format.strong_key_protection_required(Boolean) Requirer user input when using the private key for enrollment.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v3.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4
Required:
certificate_validity(Attributes) Certificate validity describes the validity and renewal periods of a certificate. (see below for nested schema)
Optional:
enrollment_flags(Attributes) Enrollment flags describe the enrollment settings for certificates such as using the existing private key and deleting expired or revoked certificates. Defaults to below object (see below for nested schema)extensions(Attributes) Extensions describe the key usage extensions and application policies for the template. Defaults to below object (see below for nested schema)general_flags(Attributes) General flags describe whether the template is used for computers or users and if the template can be used with autoenrollment. Defaults to below object (see below for nested schema)hash_algorithm(String) Specifies the hash algorithm used to hash the private key. Valid values:SHA256 | SHA384 | SHA512. Defaults toSHA512.private_key_attributes(Attributes) Private key attributes allow you to specify the minimal key length, key spec, key usage, and cryptographic providers for the private key of a certificate for v4 templates. V4 templates allow you to use either Key Storage Providers or Legacy Cryptographic Service Providers. You specify the cryptography provider category in private key flags. Defaults to below object (see below for nested schema)private_key_flags(Attributes) Private key flags for v4 templates specify the client compatibility, if the private key can be exported, if user input is required when using a private key, if an alternate signature algorithm should be used, and if the same key should be used for renewal. Defaults to below object (see below for nested schema)subject_name_flags(Attributes) Subject name flags describe the subject name and subject alternate name that is included in a certificate. Defaults to below object (see below for nested schema)superseded_templates(List of String) List of templates in Active Directory that are superseded by this template.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.certificate_validity
Required:
renewal_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)validity_period(Attributes) Renewal period is the period of time before certificate expiration when a new certificate will be requested. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.certificate_validity.renewal_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.certificate_validity.validity_period
Required:
period(Number) The numeric value for the validity period. Must be a number between1and8766000.period_type(String) The unit of time. Valid values:DAYS, HOURS, MONTHS, WEEKS, YEARS.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.enrollment_flags
Optional:
enable_key_reuse_on_nt_token_keyset_storage_full(Boolean) Allow renewal using the same key. Defaults tofalse.include_symmetric_algorithms(Boolean) Include symmetric algorithms allowed by the subject. Defaults tofalse.no_security_extension(Boolean) This flag instructs the CA to not include the security extension szOID_NTDS_CA_SECURITY_EXT (OID:1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. This addresses a Windows Kerberos elevation-of-privilege vulnerability. Defaults tofalse.remove_invalid_certificate_from_personal_store(Boolean) Delete expired or revoked certificates instead of archiving them. Defaults tofalse.user_interaction_required(Boolean) Require user interaction when the subject is enrolled and the private key associated with the certificate is used. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.extensions
Optional:
application_policies(Attributes) Application policies specify what the certificate is used for and its purpose. Defaults to below object (see below for nested schema)key_usage(Attributes) The key usage extension defines the purpose (e.g., encipherment, signature, certificate signing) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.extensions.application_policies
Optional:
critical(Boolean) Marks the application policy extension as critical. Defaults tofalse.policies(Attributes List) Application policies describe what the certificate can be used for. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.extensions.application_policies.policies
Optional:
policy_object_identifier(String) The object identifier (OID) of an application policy.policy_type(String) The type of application policy. Valid values:ALL_APPLICATION_POLICIES | ANY_PURPOSE | ATTESTATION_IDENTITY_KEY_CERTIFICATE | CERTIFICATE_REQUEST_AGENT | CLIENT_AUTHENTICATION | CODE_SIGNING | CTL_USAGE | DIGITAL_RIGHTS | DIRECTORY_SERVICE_EMAIL_REPLICATION | DISALLOWED_LIST | DNS_SERVER_TRUST | DOCUMENT_ENCRYPTION | DOCUMENT_SIGNING | DYNAMIC_CODE_GENERATOR | EARLY_LAUNCH_ANTIMALWARE_DRIVER | EMBEDDED_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | ENCLAVE | ENCRYPTING_FILE_SYSTEM | ENDORSEMENT_KEY_CERTIFICATE | FILE_RECOVERY | HAL_EXTENSION | IP_SECURITY_END_SYSTEM | IP_SECURITY_IKE_INTERMEDIATE | IP_SECURITY_TUNNEL_TERMINATION | IP_SECURITY_USER | ISOLATED_USER_MODE | KDC_AUTHENTICATION | KERNEL_MODE_CODE_SIGNING | KEY_PACK_LICENSES | KEY_RECOVERY | KEY_RECOVERY_AGENT | LICENSE_SERVER_VERIFICATION | LIFETIME_SIGNING | MICROSOFT_PUBLISHER | MICROSOFT_TIME_STAMPING | MICROSOFT_TRUST_LIST_SIGNING | OCSP_SIGNING | OEM_WINDOWS_SYSTEM_COMPONENT_VERIFICATION | PLATFORM_CERTIFICATE | PREVIEW_BUILD_SIGNING | PRIVATE_KEY_ARCHIVAL | PROTECTED_PROCESS_LIGHT_VERIFICATION | PROTECTED_PROCESS_VERIFICATION | QUALIFIED_SUBORDINATION | REVOKED_LIST_SIGNER | ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION | ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION | ROOT_PROGRAM_NO_OSCP_FAILOVER_TO_CRL | ROOT_LIST_SIGNER | SECURE_EMAIL | SERVER_AUTHENTICATION | SMART_CARD_LOGIN | SPC_ENCRYPTED_DIGEST_RETRY_COUNT | SPC_RELAXED_PE_MARKER_CHECK | TIME_STAMPING | WINDOWS_HARDWARE_DRIVER_ATTESTED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_EXTENDED_VERIFICATION | WINDOWS_HARDWARE_DRIVER_VERIFICATION | WINDOWS_HELLO_RECOVERY_KEY_ENCRYPTION | WINDOWS_KITS_COMPONENT | WINDOWS_RT_VERIFICATION | WINDOWS_SOFTWARE_EXTENSION_VERIFICATION | WINDOWS_STORE | WINDOWS_SYSTEM_COMPONENT_VERIFICATION | WINDOWS_TCB_COMPONENT | WINDOWS_THIRD_PARTY_APPLICATION_COMPONENT | WINDOWS_UPDATE.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.extensions.key_usage
Optional:
critical(Boolean) Sets the key usage extension to critical. Defaults totrue.usage_flags(Attributes) The key usage flags represent the purpose (e.g., encipherment, signature) of the key contained in the certificate. Defaults to below object (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.extensions.key_usage.usage_flags
Optional:
data_encipherment(Boolean) DataEncipherment is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Defaults tofalse.digital_signature(Boolean) The digitalSignature is asserted when the subject public key is used for verifying digital signatures. Defaults totrue.key_agreement(Boolean) KeyAgreement is asserted when the subject public key is used for key agreement. Defaults tofalse.key_encipherment(Boolean) KeyEncipherment is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. Defaults totrue.non_repudiation(Boolean) NonRepudiation is asserted when the subject public key is used to verify digital signatures. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.general_flags
Optional:
auto_enrollment(Boolean) Allows certificate issuance using autoenrollment. Set to TRUE to allow autoenrollment. Defaults totrue.machine_type(Boolean) Defines if the template is for machines or users. Set to TRUE if the template is for machines. Set to FALSE if the template is for users. Defaults totrue.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.private_key_attributes
Optional:
algorithm(String) Defines the algorithm used to generate the private key. Valid:ECDH_P256 | ECDH_P384 | ECDH_P521 | RSA. Defaults toRSA.crypto_providers(List of String) Defines the cryptographic providers used to generate the private key.key_spec(String) Defines the purpose of the private key. Valid values:KEY_EXCHANGE | SIGNATURE. Defaults toKEY_EXCHANGE.key_usage_property(Attributes) The key usage property defines the purpose of the private key contained in the certificate. You can specify specific purposes using property flags or all by using property type ALL. Defaults to below object (see below for nested schema)minimal_key_length(Number) Set the minimum key length of the private key. Defaults to2048.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.private_key_attributes.key_usage_property
Optional:
property_flags(Attributes) You can specify key usage for encryption, key agreement, and signature. You can use property flags or property type but not both. (see below for nested schema)property_type(String) You can specify all key usages using property typeALL. You can use property type or property flags but not both. Defaults toALL.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.private_key_attributes.key_usage_property.property_flags
Optional:
decrypt(Boolean) Allows key for encryption and decryption.key_agreement(Boolean) Allows key exchange without encryption.sign(Boolean) Allow key use for digital signature.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.private_key_flags
Optional:
client_version(String) Defines the minimum client compatibility. Valid values:WINDOWS_SERVER_2012 | WINDOWS_SERVER_2012_R2 | WINDOWS_SERVER_2016. Defaults toWINDOWS_SERVER_2016.exportable_key(Boolean) Allows the private key to be exported. Defaults tofalse.require_alternate_signature_algorithm(Boolean) Requires the PKCS #1 v2.1 signature format for certificates. You should verify that your CA, objects, and applications can accept this signature format. Defaults tofalse.require_same_key_renewal(Boolean) Renew certificate using the same private key. Defaults tofalse.strong_key_protection_required(Boolean) Require user input when using the private key for enrollment. Defaults tofalse.use_legacy_provider(Boolean) Specifies the cryptographic service provider category used to generate private keys. Set to TRUE to use Legacy Cryptographic Service Providers and FALSE to use Key Storage Providers. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.ad.templates.definition.v4.subject_name_flags
Optional:
require_common_name(Boolean) Include the common name in the subject name. Defaults tofalse.require_directory_path(Boolean) Include the directory path in the subject name. Defaults totrue.require_dns_as_cn(Boolean) Include the DNS as common name in the subject name. Defaults tofalse.require_email(Boolean) Include the subject's email in the subject name. Defaults tofalse.san_require_directory_guid(Boolean) Include the globally unique identifier (GUID) in the subject alternate name. Defaults tofalse.san_require_dns(Boolean) Include the DNS in the subject alternate name. Defaults totrue.san_require_domain_dns(Boolean) Include the domain DNS in the subject alternate name. Defaults totrue.san_require_email(Boolean) Include the subject's email in the subject alternate name. Defaults tofalse.san_require_spn(Boolean) Include the service principal name (SPN) in the subject alternate name. Defaults tofalse.san_require_upn(Boolean) Include the user principal name (UPN) in the subject alternate name. Defaults tofalse.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.scep
Optional:
general_purpose(Attributes) Create a Connector for General-purpose SCEP associated with this subordinate CA. (see below for nested schema)intune(Attributes) Create a Connector for Microsoft Intune SCEP associated with this subordinate CA. (see below for nested schema)
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.scep.general_purpose
Required:
enabled(Boolean) Whether the Connector for General-purpose SCEP is enabled or disabled.
Optional:
challenge_validity(Number) A period in days for the challenge password to be valid. A new challenge password will be replaced after this period when this resource triggers an update for the first time. The renewal is not automated. Defaults to365.
Nested Schema for configuration.organization.private_certificate_authority.subordinates.subordinates.connector.scep.intune
Required:
azure_application_id(String) The application (client) ID from your Microsoft Entra ID app registration.enabled(Boolean) Whether the Connector for Microsoft Intune SCEP is enabled or disabled.
Optional:
domain(String) The primary domain from your Microsoft Entra ID app registration.tenant_id(String) The directory (tenant) ID from your Microsoft Entra ID app registration.
Nested Schema for configuration.organization.reuse_existing
Required:
identity_store_id(String) AWS Identity Center Identity Store ID deployed in the provided AWS management account.organization_id(String) AWS Organizations Organization ID deployed in the provided AWS management account.
Nested Schema for configuration.regions
Required:
home(Attributes) Home geography containing a pair of primary/secondary regions. (see below for nested schema)
Optional:
other(Attributes List) A list of Non-Home geographies containing a pair of primary/secondary regions in each geography. (see below for nested schema)
Nested Schema for configuration.regions.home
Required:
primary(Attributes) Primary Aws Region details. (see below for nested schema)
Optional:
secondary(Attributes) Secondary Aws Region details. (see below for nested schema)
Nested Schema for configuration.regions.home.primary
Required:
location(String) The Aws location of the region. Possible values are[af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].network(Attributes) This information is used to deploy a network on top of the landing zone. A lot of other services depend on this. (see below for nested schema)region(String) The Aws region code of the location. Possible values are[afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].
Nested Schema for configuration.regions.home.primary.network
Required:
enabled(Boolean) If enabled, it will deploy a network on top of the landing zone.
Optional:
ip_schema(Attributes) (see below for nested schema)
Nested Schema for configuration.regions.home.primary.network.ip_schema
Optional:
address(String) The base IP Network for the entire region (e.g. x.x.x.x). It will be used to perform IPAM for the tenancy and it's tenancy accounts. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to172.16.0.0.environments(Attributes) The Network CIDR configuration for environments. (see below for nested schema)mask(Number) The base IP Network Mask for the entire region (e.g.16). It will be used to perform IPAM for the tenancy and it's tenancy accounts. It MUST be between8and18. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to16
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments
Optional:
core(Attributes) The IP CIDR for environment. (see below for nested schema)dev(Attributes) The IP CIDR for environment. (see below for nested schema)prod(Attributes) The IP CIDR for environment. (see below for nested schema)qa(Attributes) The IP CIDR for environment. (see below for nested schema)test(Attributes) The IP CIDR for environment. (see below for nested schema)
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments.core
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments.dev
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments.prod
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments.qa
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.primary.network.ip_schema.environments.test
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.secondary
Required:
location(String) The Aws location of the region. Possible values are[af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].network(Attributes) This information is used to deploy a network on top of the landing zone. A lot of other services depend on this. (see below for nested schema)region(String) The Aws region code of the location. Possible values are[afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].
Nested Schema for configuration.regions.home.secondary.network
Required:
enabled(Boolean) If enabled, it will deploy a network on top of the landing zone.
Optional:
ip_schema(Attributes) (see below for nested schema)
Nested Schema for configuration.regions.home.secondary.network.ip_schema
Optional:
address(String) The base IP Network for the entire region (e.g. x.x.x.x). It will be used to perform IPAM for the tenancy and it's tenancy accounts. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to172.16.0.0.environments(Attributes) The Network CIDR configuration for environments. (see below for nested schema)mask(Number) The base IP Network Mask for the entire region (e.g.16). It will be used to perform IPAM for the tenancy and it's tenancy accounts. It MUST be between8and18. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to16
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments
Optional:
core(Attributes) The IP CIDR for environment. (see below for nested schema)dev(Attributes) The IP CIDR for environment. (see below for nested schema)prod(Attributes) The IP CIDR for environment. (see below for nested schema)qa(Attributes) The IP CIDR for environment. (see below for nested schema)test(Attributes) The IP CIDR for environment. (see below for nested schema)
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments.core
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments.dev
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments.prod
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments.qa
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.home.secondary.network.ip_schema.environments.test
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other
Required:
primary(Attributes) Primary Aws Region details. (see below for nested schema)
Optional:
secondary(Attributes) Secondary Aws Region details. (see below for nested schema)
Nested Schema for configuration.regions.other.primary
Required:
location(String) The Aws location of the region. Possible values are[af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].network(Attributes) This information is used to deploy a network on top of the landing zone. A lot of other services depend on this. (see below for nested schema)region(String) The Aws region code of the location. Possible values are[afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].
Nested Schema for configuration.regions.other.primary.network
Required:
enabled(Boolean) If enabled, it will deploy a network on top of the landing zone.
Optional:
ip_schema(Attributes) (see below for nested schema)
Nested Schema for configuration.regions.other.primary.network.ip_schema
Optional:
address(String) The base IP Network for the entire region (e.g. x.x.x.x). It will be used to perform IPAM for the tenancy and it's tenancy accounts. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to172.16.0.0.environments(Attributes) The Network CIDR configuration for environments. (see below for nested schema)mask(Number) The base IP Network Mask for the entire region (e.g.16). It will be used to perform IPAM for the tenancy and it's tenancy accounts. It MUST be between8and18. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to16
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments
Optional:
core(Attributes) The IP CIDR for environment. (see below for nested schema)dev(Attributes) The IP CIDR for environment. (see below for nested schema)prod(Attributes) The IP CIDR for environment. (see below for nested schema)qa(Attributes) The IP CIDR for environment. (see below for nested schema)test(Attributes) The IP CIDR for environment. (see below for nested schema)
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments.core
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments.dev
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments.prod
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments.qa
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.primary.network.ip_schema.environments.test
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.secondary
Required:
location(String) The Aws location of the region. Possible values are[af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].network(Attributes) This information is used to deploy a network on top of the landing zone. A lot of other services depend on this. (see below for nested schema)region(String) The Aws region code of the location. Possible values are[afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].
Nested Schema for configuration.regions.other.secondary.network
Required:
enabled(Boolean) If enabled, it will deploy a network on top of the landing zone.
Optional:
ip_schema(Attributes) (see below for nested schema)
Nested Schema for configuration.regions.other.secondary.network.ip_schema
Optional:
address(String) The base IP Network for the entire region (e.g. x.x.x.x). It will be used to perform IPAM for the tenancy and it's tenancy accounts. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to172.16.0.0.environments(Attributes) The Network CIDR configuration for environments. (see below for nested schema)mask(Number) The base IP Network Mask for the entire region (e.g.16). It will be used to perform IPAM for the tenancy and it's tenancy accounts. It MUST be between8and18. CANNOT be changed after creation without destroying everything running on top of the network. Defaults to16
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments
Optional:
core(Attributes) The IP CIDR for environment. (see below for nested schema)dev(Attributes) The IP CIDR for environment. (see below for nested schema)prod(Attributes) The IP CIDR for environment. (see below for nested schema)qa(Attributes) The IP CIDR for environment. (see below for nested schema)test(Attributes) The IP CIDR for environment. (see below for nested schema)
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments.core
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments.dev
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments.prod
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments.qa
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.regions.other.secondary.network.ip_schema.environments.test
Optional:
address(String) The base IP Network for the environment. CANNOT be changed after creation without destroying everything running on top of the network.mask(Number) The base IP Network Mask for the environment. It MUST be between10and20. CANNOT be changed after creation without destroying everything running on top of the network.
Nested Schema for configuration.idp
Optional:
external(Attributes) IdP details for AWS Identity Center SSO. You need to manually configure the AWS Identity Center to use an external identity provider for this to work. Manually exchange the required info (SAML metadata and certificate) between external IdP and AWS Identity Center. (see below for nested schema)internal(Attributes) Configuration for AWS Identity Center to act as IdP. (see below for nested schema)sp(Attributes) AWS Identity Center SSO Service Provider details to configure with provided external IdP. Since SP details are not known when idp (external) block is run for the first time, fill in with dummy information to create AWS Identity Center external IdP setup and update with correct values for a subsequent run. (see below for nested schema)
Nested Schema for configuration.idp.external
Optional:
microsoft_entra_id(Attributes) Details required to setup Microsoft Entra ID as IdP. Includes creating AWS Single-Sign-On Enterprise Application, SSO and SCIM setup, groups per AWS account and association with AWS Identity Center permission sets. The client id required appropriate permissions. (see below for nested schema)
Nested Schema for configuration.idp.external.microsoft_entra_id
Optional:
notification_email_addresses(List of String) Provides a list of emails to receive notifications from the service principal associated with the AWS Single-Sign-On Enterprise Application.owners(List of String) Provides a list of Microsoft Entra ID UPNs that would be configured as owners of the AWS Single-Sign-On Enterprise Application.
Nested Schema for configuration.idp.internal
Required:
enabled(Boolean) If enabled, configures AWS Identity Center to act as IdP for AWS Organizations.
Nested Schema for configuration.idp.sp
Required:
acs_url(String) AWS Identity Center Assertion Consumer Service URL.login_url(String) AWS Identity Center Access Portal Login URL.scim_endpoint(String) AWS Identity Center SCIM Endpoint.sp_url(String) AWS Identity Center Service Provider URL.