
volocloud_tenancy_account_aws

Volocloud Tenancy Account configuration.

Example Usage

# Create an AWS application account on top of the landing zone
resource "volocloud_tenancy_account_aws" "example" {
  account_id = volocloud_account.example.account_id
  configuration = {
    abbreviation                = "expl"
    aws_account_close_on_delete = false
    backup = {
      restore_testing = {
        enabled = true
      }
    }
    regions = {
      home = {
        primary = {
          location = "ap-southeast-2"
          network = {
            enabled = true
          }
          region = "apse2"
        }
      }
    }
    securityhub = {
      enabled = true
      standards = {
        aws_foundational_security_best_practices = {
          controls = {
            "iam.6" = {
              disable_control = true
              disable_reason  = "We have virtual MFA and don't plan to have hardware MFA."
            }
          }
          enabled = true
          version = "v1.0.0"
        }
        cis_aws_foundations_benchmark = {
          controls = {
            "1.6" = {
              disable_control = true
              disable_reason  = "We have virtual MFA and don't plan to have hardware MFA."
            }
          }
          enabled = true
          version = "v1.4.0"
        }
      }
    }
    vpc_template = "standard"
  }
  environment = "dev"
  name        = "example"
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
}

Schema

Required

  • account_id (String) Volocloud Account ID associated with this tenancy_account.
  • configuration (Attributes) It contains tenancy_account configuration. (see below for nested schema)
  • environment (String) Environment for the tenancy_account. MUST be one of dev, test, qa or prod.
  • name (String) Volocloud tenancy_account Name.
  • tenancy_id (String) Volocloud Tenancy ID.

Optional

  • trigger_update (String) Provides a mechanism to trigger an update of the tenancy_account resource when none of the other attributes have changed (for example, to re-apply the landing-zone baseline).

Read-Only

  • id (String) ID of the resource computed from the account_id, tenancy_id and tenancy_account_id separated by : .
  • resources (Map of String) These are all the resources created in the tenancy_account.
  • tenancy_account_id (String) Volocloud Tenancy Account ID.

Nested Schema for configuration

Required:

  • abbreviation (String) This abbreviation is used to uniquely identify the resources created. It only applies to resources whose names must be globally unique across AWS (such as S3 buckets).
  • alternate_contacts (Attributes Map) Configuration of AWS Account alternate contacts. (see below for nested schema)
  • primary_contact (Attributes) Configuration of AWS Account primary contact. (see below for nested schema)
  • regions (Attributes) Defines which regions to deploy into. (see below for nested schema)
  • securityhub (Attributes) Manages the Security Hub Configuration for AWS Account. (see below for nested schema)

Optional:

  • auditmanager_assessments (Attributes List) A list of Audit Manager assessments. For more info about assessments see AWS documentation. (see below for nested schema)
  • aws_account_close_on_delete (Boolean) If true, this will close the AWS account on resource deletion, beginning the 90-day suspension period. Otherwise, the account will just be unenrolled from Control Tower. Defaults to false.
  • aws_account_org_unit (Attributes) Provides details for deploying this account in a particular Org Unit. If not provided, the account will be deployed in the default environment workloads OU created by Volo Cloud Foundations. (see below for nested schema)
  • backup (Attributes) AWS Backup configuration settings for the local account. (see below for nested schema)
  • budgets (Attributes List) A list of budget objects. (see below for nested schema)
  • ebs_encryption_by_default (Boolean) Whether or not default EBS encryption is enabled. Defaults to true.
  • s3_account_public_access_block (Attributes) Manages S3 account-level Public Access Block configuration. (see below for nested schema)
  • ssm_patch_policies (Attributes List) Systems Manager patch policies associated with this AWS account. (see below for nested schema)
  • ssm_resource_scheduler (Attributes List) A list of AWS SSM QuickSetup Resource Scheduler schedules. For more info about resource scheduler see AWS documentation. (see below for nested schema)
  • sso_permission_sets (Attributes List) AWS Identity Center custom permission sets associated with this AWS account. The object name MUST be unique across this account and any OU level definitions. (see below for nested schema)
  • vpc (Attributes) Configuration for the account VPC. (see below for nested schema)

Nested Schema for configuration.alternate_contacts

Required:

  • email (String) An email address for the alternate contact.
  • name (String) Name of the alternate contact.
  • phone (String) Phone number for the alternate contact.
  • title (String) Title for the alternate contact.

Nested Schema for configuration.primary_contact

Required:

  • address_line_1 (String) The first line of the primary contact address.
  • city (String) The city of the primary contact address.
  • country_code (String) The ISO-3166 two-letter country code for the primary contact address.
  • full_name (String) The full name of the primary contact address.
  • phone (String) The phone number of the primary contact information. The number will be validated and, in some countries, checked for activation.
  • postal_code (String) The postal code of the primary contact address.

Optional:

  • address_line_2 (String) The second line of the primary contact address, if any.
  • address_line_3 (String) The third line of the primary contact address, if any.
  • company_name (String) The name of the company associated with the primary contact information, if any.
  • district_or_county (String) The district or county of the primary contact address, if any.
  • state_or_region (String) The state or region of the primary contact address. If the mailing address is within the United States (US), the value in this field can be either a two character state code (for example, NJ) or the full state name (for example, New Jersey). This field is required in the following countries: US, CA, GB, DE, JP, IN, and BR.
  • website_url (String) The URL of the website associated with the primary contact information, if any.

Nested Schema for configuration.regions

Required:

  • home (Attributes) The home geography, containing the primary region and, optionally, a secondary region. (see below for nested schema)

Optional:

  • other (Attributes List) A list of non-home geographies, each containing a pair of primary/secondary regions. (see below for nested schema)

Nested Schema for configuration.regions.home

Required:

  • primary (Attributes) The primary region of the home geography. (see below for nested schema)

Optional:

  • secondary (Attributes) The secondary region of the home geography, if any. (see below for nested schema)

Nested Schema for configuration.regions.home.primary

Required:

  • location (String) The AWS region name. Possible values are [af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].
  • network (Attributes) This information is used to deploy a network in this tenancy account associated with the landing zone. (see below for nested schema)
  • region (String) The short region code that corresponds to location (for example apse2 for ap-southeast-2). Possible values are [afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].

Nested Schema for configuration.regions.home.primary.network

Required:

  • enabled (Boolean) If enabled, it will deploy a network in this tenancy account associated with the landing zone.

Optional:

  • ip_address_mask (Number) The base IP Network Mask for this tenancy account. If provided, it MUST be between 22 and 26. Check the documentation for the VPC template to make sure you create the correct network mask. Defaults to 24.

Warning

Changing this value causes the VPC to be re-created. CANNOT be changed after creation without destroying everything running on top of the VPC.

Nested Schema for configuration.regions.home.secondary

Required:

  • location (String) The AWS region name. Possible values are [af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].
  • network (Attributes) This information is used to deploy a network in this tenancy account associated with the landing zone. (see below for nested schema)
  • region (String) The short region code that corresponds to location (for example apse2 for ap-southeast-2). Possible values are [afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].

Nested Schema for configuration.regions.home.secondary.network

Required:

  • enabled (Boolean) If enabled, it will deploy a network in this tenancy account associated with the landing zone.

Optional:

  • ip_address_mask (Number) The base IP Network Mask for this tenancy account. If provided, it MUST be between 22 and 26. Check the documentation for the VPC template to make sure you create the correct network mask. Defaults to 24.

Warning

Changing this value causes the VPC to be re-created. CANNOT be changed after creation without destroying everything running on top of the VPC.

Nested Schema for configuration.regions.other

Required:

  • primary (Attributes) The primary region of this non-home geography. (see below for nested schema)

Optional:

  • secondary (Attributes) The secondary region of this non-home geography, if any. (see below for nested schema)

Nested Schema for configuration.regions.other.primary

Required:

  • location (String) The AWS region name. Possible values are [af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].
  • network (Attributes) This information is used to deploy a network in this tenancy account associated with the landing zone. (see below for nested schema)
  • region (String) The short region code that corresponds to location (for example apse2 for ap-southeast-2). Possible values are [afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].

Nested Schema for configuration.regions.other.primary.network

Required:

  • enabled (Boolean) If enabled, it will deploy a network in this tenancy account associated with the landing zone.

Optional:

  • ip_address_mask (Number) The base IP Network Mask for this tenancy account. If provided, it MUST be between 22 and 26. Check the documentation for the VPC template to make sure you create the correct network mask. Defaults to 24.

Warning

Changing this value causes the VPC to be re-created. CANNOT be changed after creation without destroying everything running on top of the VPC.

Nested Schema for configuration.regions.other.secondary

Required:

  • location (String) The AWS region name. Possible values are [af-south-1 ap-east-1 ap-east-2 ap-northeast-1 ap-northeast-2 ap-northeast-3 ap-southeast-1 ap-southeast-2 ap-southeast-3 ap-southeast-4 ap-southeast-5 ap-southeast-6 ap-southeast-7 ap-south-1 ap-south-2 ca-central-1 ca-west-1 cn-north-1 cn-northwest-1 eu-central-1 eu-central-2 eu-north-1 eu-south-1 eu-south-2 eu-west-1 eu-west-2 eu-west-3 il-central-1 me-central-1 me-south-1 mx-central-1 sa-east-1 us-east-1 us-east-2 us-gov-east-1 us-gov-west-1 us-west-1 us-west-2].
  • network (Attributes) This information is used to deploy a network in this tenancy account associated with the landing zone. (see below for nested schema)
  • region (String) The short region code that corresponds to location (for example apse2 for ap-southeast-2). Possible values are [afso1 apea1 apea2 apne1 apne2 apne3 apse1 apse2 apse3 apse4 apse5 apse6 apse7 apso1 apso2 cace1 cawe1 cnno1 cnnw1 euce1 euce2 euno1 euso1 euso2 euwe1 euwe2 euwe3 ilce1 mece1 meso1 mxce1 saea1 usea1 usea2 usge1 usgw1 uswe1 uswe2].

Nested Schema for configuration.regions.other.secondary.network

Required:

  • enabled (Boolean) If enabled, it will deploy a network in this tenancy account associated with the landing zone.

Optional:

  • ip_address_mask (Number) The base IP Network Mask for this tenancy account. If provided, it MUST be between 22 and 26. Check the documentation for the VPC template to make sure you create the correct network mask. Defaults to 24.

Warning

Changing this value causes the VPC to be re-created. CANNOT be changed after creation without destroying everything running on top of the VPC.

Nested Schema for configuration.securityhub

Required:

  • enabled (Boolean) Enables Security Hub for this AWS Account.

Optional:

  • standards (Attributes) Manages the Security Hub standards and their controls for this AWS account. (see below for nested schema)

Nested Schema for configuration.securityhub.standards

Optional:

  • aws_foundational_security_best_practices (Attributes) Manages the Security Hub AWS Foundational Security Best Practices standard. Defaults to {"controls":null,"enabled":true,"version":"v1.0.0"}. (see below for nested schema)
  • aws_resource_tagging_standard (Attributes) Manages the Security Hub AWS Resource Tagging Standard. Defaults to {"controls":null,"enabled":true,"version":"v1.0.0"}. (see below for nested schema)
  • cis_aws_foundations_benchmark (Attributes) Manages the Security Hub CIS AWS Foundations Benchmark standard. Defaults to {"controls":null,"enabled":true,"version":"v5.0.0"}. (see below for nested schema)
  • nist_special_publication_800_171 (Attributes) Manages Security Hub NIST Special Publication 800-171 standard. (see below for nested schema)
  • nist_special_publication_800_53 (Attributes) Manages Security Hub NIST Special Publication 800-53 standard. (see below for nested schema)
  • pci_dss (Attributes) Manages Security Hub PCI DSS standard. (see below for nested schema)

Nested Schema for configuration.securityhub.standards.aws_foundational_security_best_practices

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID (for example iam.6); see the AWS documentation for control IDs. (see below for nested schema)
  • enabled (Boolean) Enables the Security Hub AWS Foundational Security Best Practices standard in this AWS account. Defaults to true.
  • version (String) Standard version. Valid versions: v1.0.0. Defaults to v1.0.0.

Nested Schema for configuration.securityhub.standards.aws_foundational_security_best_practices.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.

Nested Schema for configuration.securityhub.standards.aws_resource_tagging_standard

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID; see the AWS documentation for control IDs. (see below for nested schema)
  • enabled (Boolean) Enables the Security Hub AWS Resource Tagging Standard in this AWS account. Defaults to true.
  • version (String) Standard version. Valid versions: v1.0.0. Defaults to v1.0.0.

Nested Schema for configuration.securityhub.standards.aws_resource_tagging_standard.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.

Nested Schema for configuration.securityhub.standards.cis_aws_foundations_benchmark

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID (for example 1.6); see the AWS documentation for control IDs. (see below for nested schema)
  • enabled (Boolean) Enables the Security Hub CIS AWS Foundations Benchmark standard in this AWS account. Defaults to true.
  • version (String) Standard version. Valid versions: v1.4.0, v3.0.0 or v5.0.0. Defaults to v5.0.0.

Nested Schema for configuration.securityhub.standards.cis_aws_foundations_benchmark.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.

Nested Schema for configuration.securityhub.standards.nist_special_publication_800_171

Required:

  • enabled (Boolean) Enables the Security Hub NIST Special Publication 800-171 standard in this AWS account.

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID; see the AWS documentation for control IDs. (see below for nested schema)
  • version (String) Standard version. Valid versions: revision_2. Defaults to revision_2.

Nested Schema for configuration.securityhub.standards.nist_special_publication_800_171.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.

Nested Schema for configuration.securityhub.standards.nist_special_publication_800_53

Required:

  • enabled (Boolean) Enables the Security Hub NIST Special Publication 800-53 standard in this AWS account.

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID; see the AWS documentation for control IDs. (see below for nested schema)
  • version (String) Standard version. Valid versions: revision_5. Defaults to revision_5.

Nested Schema for configuration.securityhub.standards.nist_special_publication_800_53.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.

Nested Schema for configuration.securityhub.standards.pci_dss

Required:

  • enabled (Boolean) Enables the Security Hub PCI DSS standard in this AWS account.

Optional:

  • controls (Attributes Map) A map of objects used to disable one or more controls of this standard. The map keys MUST be the lowercase control ID; see the AWS documentation for control IDs. (see below for nested schema)
  • version (String) Standard version. Valid versions: v3.2.1 or v4.0.1. Defaults to v4.0.1.

Nested Schema for configuration.securityhub.standards.pci_dss.controls

Required:

  • disable_control (Boolean) If true, the control will be disabled.
  • disable_reason (String) Provides a reason why the control has been disabled.
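
The following is an added example, not taken from the provider documentation, showing how the standards above combine: FSBP and CIS keep their defaults unless spelled out, the NIST and PCI DSS standards require an explicit enabled, and every disabled control records a reason so the exception survives code review. The resource names, the "paym" abbreviation and the referenced volocloud_account / volocloud_tenancy_aws resources are assumptions. primary_contact and alternate_contacts are omitted here as in the page's own example even though the schema marks them Required; add them as your provider version requires.

```hcl
# Added example, not from the provider documentation. Resource names and
# the referenced volocloud_account / volocloud_tenancy_aws resources are
# assumed to exist elsewhere in the configuration.
resource "volocloud_tenancy_account_aws" "payments" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  name        = "payments"
  environment = "prod"

  configuration = {
    abbreviation = "paym"

    regions = {
      home = {
        primary = {
          location = "ap-southeast-2"
          region   = "apse2"
          network  = { enabled = true }
        }
      }
    }

    securityhub = {
      enabled = true
      standards = {
        # FSBP is enabled at v1.0.0 by default; it is written out here only so
        # the control exception is visible in review. Map keys are lowercase
        # control IDs, and every disabled control carries a reason.
        aws_foundational_security_best_practices = {
          controls = {
            "iam.6" = {
              disable_control = true
              disable_reason  = "Root uses virtual MFA; hardware MFA tracked as an accepted risk (risk register reference assumed)."
            }
          }
        }

        # cis_aws_foundations_benchmark is omitted, so it stays enabled at v5.0.0.

        # For the NIST and PCI DSS standards `enabled` is Required rather than
        # defaulted; nothing is applied unless they are declared.
        nist_special_publication_800_53 = {
          enabled = true
          version = "revision_5"
        }
        pci_dss = {
          enabled = true
          version = "v4.0.1"
        }

        # The tagging standard is enabled by default; opting out must be explicit.
        aws_resource_tagging_standard = {
          enabled = false
        }
      }
    }
  }
}
```

Because the default for the three defaulted standards is enabled = true, leaving a standard out of the configuration turns it on, not off; an audit of disabled controls therefore only needs to look for controls entries with disable_control = true and check each disable_reason.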

Nested Schema for configuration.auditmanager_assessments

Required:

  • framework (Attributes) Provides the name of an enabled framework to create the assessment from. (see below for nested schema)

Optional:

  • owners (List of String) AWS IAM role(s) to be configured as the owners of the assessment. If not provided, the default owners will be used.

Nested Schema for configuration.auditmanager_assessments.framework

Optional:

  • aws_managed (String) Must match one of the aws_managed frameworks map keys defined under the audit account.

Nested Schema for configuration.aws_account_org_unit

Required:

  • id (String) AWS Organizations org unit id where to place the account.
  • name (String) AWS Organizations org unit name where to place the account.

Nested Schema for configuration.backup

Optional:

  • policies (Attributes) Configuration settings for built-in backup policies. (see below for nested schema)
  • restore_testing (Attributes) If enabled, it will create a restore testing plan with multiple resource type selections. (see below for nested schema)
  • vault_lock (Attributes) Configuration settings for the AWS Organization Backup Vault lock. (see below for nested schema)
  • vault_notifications (Attributes List) Configuration settings for the AWS Organization Backup Vault notifications. (see below for nested schema)

Nested Schema for configuration.backup.policies

Optional:

  • daily (Attributes) Built-in daily backup policy. (see below for nested schema)
  • monthly (Attributes) Built-in monthly backup policy. (see below for nested schema)
  • weekly (Attributes) Built-in weekly backup policy. (see below for nested schema)
  • yearly (Attributes) Built-in yearly backup policy. (see below for nested schema)

Nested Schema for configuration.backup.policies.daily

Optional:

  • backup_complete_window_minutes (Number) The number of minutes after a backup job successfully starts within which it must complete, or AWS Backup cancels it. Defaults to 1 day (1440 minutes).
  • backup_start_window_minutes (Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to 60 minutes.
  • copy_to_region (String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in the regions attribute.
  • delete_after_days (Number) Specifies the number of days after creation that a recovery point is deleted. MUST be at least 90 days greater than move_to_cold_storage_after_days.
  • move_to_cold_storage_after_days (Number) Specifies the number of days after creation that a recovery point is moved to cold storage.
  • opt_in_to_archive_for_supported_resources (Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.
  • schedule_expression (String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 11 PM every day.
  • schedule_expression_timezone (String) This is the timezone in which the schedule expression is set. By default, schedule_expression is in UTC. You can modify this to a specified timezone.
  • selection_tag (String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST be true.

Nested Schema for configuration.backup.policies.monthly

Optional:

  • backup_complete_window_minutes (Number) The number of minutes after a backup job successfully starts within which it must complete, or AWS Backup cancels it. Defaults to 1 day (1440 minutes).
  • backup_start_window_minutes (Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to 60 minutes.
  • copy_to_region (String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in the regions attribute.
  • delete_after_days (Number) Specifies the number of days after creation that a recovery point is deleted. MUST be at least 90 days greater than move_to_cold_storage_after_days.
  • move_to_cold_storage_after_days (Number) Specifies the number of days after creation that a recovery point is moved to cold storage.
  • opt_in_to_archive_for_supported_resources (Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.
  • schedule_expression (String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 2 AM every first day of month.
  • schedule_expression_timezone (String) This is the timezone in which the schedule expression is set. By default, schedule_expression is in UTC. You can modify this to a specified timezone.
  • selection_tag (String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST be true.

Nested Schema for configuration.backup.policies.weekly

Optional:

  • backup_complete_window_minutes (Number) The number of minutes after a backup job successfully starts within which it must complete, or AWS Backup cancels it. Defaults to 1 day (1440 minutes).
  • backup_start_window_minutes (Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to 60 minutes.
  • copy_to_region (String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in the regions attribute.
  • delete_after_days (Number) Specifies the number of days after creation that a recovery point is deleted. MUST be at least 90 days greater than move_to_cold_storage_after_days.
  • move_to_cold_storage_after_days (Number) Specifies the number of days after creation that a recovery point is moved to cold storage.
  • opt_in_to_archive_for_supported_resources (Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.
  • schedule_expression (String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 12 AM every Sunday.
  • schedule_expression_timezone (String) This is the timezone in which the schedule expression is set. By default, schedule_expression is in UTC. You can modify this to a specified timezone.
  • selection_tag (String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST be true.

Nested Schema for configuration.backup.policies.yearly

Optional:

  • backup_complete_window_minutes (Number) The number of minutes after a backup job successfully starts within which it must complete, or AWS Backup cancels it. Defaults to 1 day (1440 minutes).
  • backup_start_window_minutes (Number) A value in minutes after a backup is scheduled before a job will be canceled if it doesn't start successfully. If this value is included, it must be at least 60 minutes to avoid errors. Defaults to 60 minutes.
  • copy_to_region (String) Creates a copy action in the backup plan that will copy the backup to the organization backup vault specified by region. The specified region MUST have been defined in the regions attribute.
  • delete_after_days (Number) Specifies the number of days after creation that a recovery point is deleted. MUST be at least 90 days greater than move_to_cold_storage_after_days.
  • move_to_cold_storage_after_days (Number) Specifies the number of days after creation that a recovery point is moved to cold storage.
  • opt_in_to_archive_for_supported_resources (Boolean) This setting will instruct your backup plan to transition supported resources to archive (cold) storage tier in accordance with your lifecycle settings.
  • schedule_expression (String) A cron expression in UTC specifying when AWS Backup initiates a backup job. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 4 AM every Jan 1st.
  • schedule_expression_timezone (String) This is the timezone in which the schedule expression is set. By default, schedule_expression is in UTC. You can modify this to a specified timezone.
  • selection_tag (String) Specifies the tag key name to search for on resources to add to the backup plan. The value of this tag MUST be true.

Nested Schema for configuration.backup.restore_testing

Optional:

  • enabled (Boolean) If true, enables the AWS Backup restore testing plan for supported resources. Defaults to true.
  • protected_resource_selection_tags (Attributes List) A list of conditions that you define for resources in your restore testing plan using tags. Filters the values of your tagged resources for only those resources that you tagged with the same value. (see below for nested schema)
  • protected_resource_selection_types (List of String) The type of AWS resource included in a restore testing selection.
  • recovery_point_selection (Attributes) Configuration of recovery points for AWS Backup restore testing plan. (see below for nested schema)
  • schedule_expression (String) A cron expression in UTC specifying when AWS Backup initiates a restore test. For more information about AWS cron expressions, see Cron expressions reference for Rules in the Amazon CloudWatch Events User Guide. If not specified, the policy will have a default start time at 1 AM on the 15th of every month.
  • schedule_expression_timezone (String) This is the timezone in which the schedule expression is set. By default, schedule_expression is in UTC. You can modify this to a specified timezone.

Nested Schema for configuration.backup.restore_testing.protected_resource_selection_tags

Optional:

  • tag_key (String) The selection tag key. Defaults to RestoreTestingEnabled.
  • tag_value (String) The selection tag value. Defaults to true.

Nested Schema for configuration.backup.restore_testing.recovery_point_selection

Optional:

  • algorithm (String) Acceptable values include LATEST_WITHIN_WINDOW or RANDOM_WITHIN_WINDOW.
  • recovery_point_types (List of String) Acceptable values include CONTINUOUS and SNAPSHOT.
  • selection_window_days (Number) Accepted values are integers from 1 to 365.

Nested Schema for configuration.backup.vault_lock

Optional:

  • changeable_for_days (Number) The number of days before the lock takes effect (the cooling-off period). If omitted, the vault lock is created in governance mode; if set, it is created in compliance mode. Once a compliance-mode lock takes effect it cannot be changed or removed by anyone, including the account root user, so confirm min_retention_days and max_retention_days before the period ends.
  • max_retention_days (Number) The maximum retention period that the vault retains its recovery points. Defaults to 90.

Warning

Changing this value causes the backup vault to be re-created. CANNOT be changed after creation without destroying the backup vault and its data.

  • min_retention_days (Number) The minimum retention period that the vault retains its recovery points. Defaults to 1.

Warning

Changing this value causes the backup vault to be re-created. CANNOT be changed after creation without destroying the backup vault and its data.

Nested Schema for configuration.backup.vault_notifications

Required:

  • recipients (Attributes) Recipients of the backup vault notifications. (see below for nested schema)

Optional:

  • events (List of String) An array of events that indicate the status of jobs to back up resources to the backup vault.
  • filter_policy (String) JSON String with the filter policy that will be used in the SNS subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.

Nested Schema for configuration.backup.vault_notifications.recipients

Optional:

  • email (List of String) List of email addresses.
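
The following is an added example, not from the provider documentation, tying the regions and backup sections together: a secondary region is declared so that copy_to_region can name it (it MUST be a region defined under regions), the cold-storage and deletion days respect the 90-day rule, and the vault is locked in compliance mode with retention bounds that bracket every policy. The resource names, tag keys, the e-mail address, the "EBS"/"RDS" resource type strings and the referenced volocloud_account / volocloud_tenancy_aws resources are assumptions. primary_contact, alternate_contacts and the vpc object are omitted as the page does not show their nested schemas.

```hcl
# Added example, not from the provider documentation. Resource names, tag
# keys, the e-mail address and the referenced volocloud_account /
# volocloud_tenancy_aws resources are assumptions for illustration.
resource "volocloud_tenancy_account_aws" "data_platform" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  name        = "data-platform"
  environment = "prod"

  configuration = {
    abbreviation = "dplt"

    # Unenroll only on destroy; closing the account would start the 90-day
    # post-closure period instead.
    aws_account_close_on_delete = false

    regions = {
      home = {
        primary = {
          location = "ap-southeast-2"
          region   = "apse2"
          network = {
            enabled         = true
            ip_address_mask = 23 # allowed 22-26; changing it re-creates the VPC
          }
        }
        # Declared so it can serve as a copy target: copy_to_region MUST name a
        # region defined here. No workload network is deployed in it.
        secondary = {
          location = "ap-southeast-4"
          region   = "apse4"
          network  = { enabled = false }
        }
      }
    }

    securityhub = { enabled = true }

    backup = {
      policies = {
        daily = {
          selection_tag       = "BackupDaily" # resources tagged BackupDaily = "true"
          schedule_expression = "cron(0 23 * * ? *)"
          copy_to_region      = "apse4"
          delete_after_days   = 35
        }
        monthly = {
          selection_tag                   = "BackupMonthly"
          move_to_cold_storage_after_days = 30
          delete_after_days               = 120 # at least 90 days after the cold transition
          copy_to_region                  = "apse4"
        }
      }

      restore_testing = {
        enabled                            = true
        protected_resource_selection_types = ["EBS", "RDS"] # AWS Backup resource type names (assumed)
        recovery_point_selection = {
          algorithm             = "LATEST_WITHIN_WINDOW"
          recovery_point_types  = ["SNAPSHOT"]
          selection_window_days = 7
        }
      }

      # Compliance mode: after the 3-day cooling-off period nobody, including
      # root, can shorten retention or delete the vault early. Bounds bracket
      # the 35- and 120-day retentions used above.
      vault_lock = {
        changeable_for_days = 3
        min_retention_days  = 7
        max_retention_days  = 400
      }

      vault_notifications = [
        {
          events     = ["BACKUP_JOB_FAILED", "COPY_JOB_FAILED", "RESTORE_JOB_FAILED"]
          recipients = { email = ["backup-alerts@example.com"] }
        }
      ]
    }
  }
}
```

Run terraform validate before applying: the installed provider version rejects any attribute it does not know, and a vault_lock in compliance mode is the one setting here that cannot be undone by a later apply.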

Nested Schema for configuration.budgets

Required:

  • name (String) The name of a budget. The name must be unique within an account. MUST be lowercase alphanumeric or dash between 1 and 64 characters.
  • time_unit (String) The length of time until a budget resets the actual and forecasted spend. Valid values are: MONTHLY | QUARTERLY | ANNUALLY | DAILY.
  • type (String) Specifies whether this budget tracks costs, usage, RI utilization, RI coverage, Savings Plans utilization, or Savings Plans coverage.

Optional:

  • auto_adjust_data (Attributes) The parameters that determine the budget amount for an auto-adjusting budget. (see below for nested schema)
  • cost_filters (Attributes List) A list of cost filters. Refer to AWS CostFilter documentation and API Documentation for further detail. (see below for nested schema)
  • cost_types (List of String) A list of cost types included in a budget, such as tax and subscriptions. Defaults to ["include_credit","include_discount","include_other_subscription","include_recurring","include_refund","include_subscription","include_support","include_tax","include_upfront"].
  • limit (Attributes) Object containing the budget limit. Exactly one of limit and planned_limits MUST be defined. (see below for nested schema)
  • notifications (Attributes List) A list of objects containing Budget Notifications. (see below for nested schema)
  • planned_limits (Attributes List) List of planned budget limits; supply more than one element to plan several limits over time. See the PlannedBudgetLimits documentation. Exactly one of limit and planned_limits MUST be defined. (see below for nested schema)
  • tags (Map of String) Map of tags assigned to the resource.
  • time_period (Attributes) The period of time that's covered by a budget. If you create your budget and don't specify a start date, AWS defaults to the start of your chosen time period (DAILY, MONTHLY, QUARTERLY, or ANNUALLY). For example, if you created your budget on January 24, 2018, chose DAILY, and didn't set a start date, AWS set your start date to 01/24/18 00:00 UTC. If you chose MONTHLY, AWS set your start date to 01/01/18 00:00 UTC. If you didn't specify an end date, AWS set your end date to 06/15/87 00:00 UTC. (see below for nested schema)

Nested Schema for configuration.budgets.auto_adjust_data

Required:

  • auto_adjust_type (String) The string that defines whether your budget auto-adjusts based on historical or forecasted data.

Optional:

  • historical_options (Attributes) The parameters that describe the historical data on which a historically auto-adjusting budget is based. See further details in AWS Documentation. (see below for nested schema)
  • last_auto_adjust_time (String) The last time that your budget was auto-adjusted. MUST be in timestamp format.

Nested Schema for configuration.budgets.auto_adjust_data.historical_options

Required:

  • budget_adjustment_period (Number) The number of budget periods included in the moving-average calculation that determines your auto-adjusted budget amount.

Optional:

  • lookback_available_periods (Number) The integer that describes how many budget periods in your BudgetAdjustmentPeriod are included in the calculation of your current budget limit. If the first budget period in your BudgetAdjustmentPeriod has no cost data, then that budget period isn’t included in the average that determines your budget limit. You can’t set your own LookBackAvailablePeriods. The value is automatically calculated from the budget_adjustment_period and your historical cost data.

Nested Schema for configuration.budgets.cost_filters

Required:

  • name (String) The name of the cost filter. Valid values are: AZ | BillingEntity | CostCategory | InstanceType | InvoicingEntity | LegalEntityName | LinkedAccount | Operation | PurchaseType | Region | Service | TagKeyValue | UsageType | UsageTypeGroup.
  • values (List of String) The list of values used for filtering.

Nested Schema for configuration.budgets.limit

Required:

  • amount (String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.
  • unit (String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.

Nested Schema for configuration.budgets.notifications

Required:

  • comparison_operator (String) Comparison operator used to evaluate the condition. Valid values are: EQUAL_TO | GREATER_THAN | LESS_THAN.
  • email_addresses (List of String) List of email addresses to notify.
  • threshold (String) The threshold at which the notification is sent, interpreted according to threshold_type.
  • threshold_type (String) What kind of threshold is defined. Valid values are: ABSOLUTE_VALUE | PERCENTAGE.
  • type (String) Whether the notification evaluates what has actually been spent or what is forecasted to be spent. Valid values are: ACTUAL | FORECASTED.

Nested Schema for configuration.budgets.planned_limits

Required:

  • amount (String) The cost or usage amount that's associated with a budget forecast, actual spend, or budget threshold.
  • start_time (String) The start time of the budget limit. Format: 2017-01-01_12:00.
  • unit (String) The unit of measurement that's used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.

Nested Schema for configuration.budgets.time_period

Optional:

  • end (String) The end of the time period covered by the budget. Format: 2017-01-01_12:00.
  • start (String) The start of the time period covered by the budget. Format: 2017-01-01_12:00.
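Added example, not from the provider documentation, of a single monthly cost budget with one forecast notification and one actual-spend notification. It assumes budgets is a list (the attribute's own type is declared further up the page), uses COST for type (an AWS Budgets BudgetType value, not enumerated here), and the cost filter value, amounts and addresses are illustrative.

```hcl
# Added example (not from the provider documentation): a monthly cost budget
# with a forecast warning and an actual-spend alert on a dev account.
resource "volocloud_tenancy_account_aws" "dev_analytics" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  environment = "dev"
  name        = "analytics"

  configuration = {
    abbreviation = "anlt"
    regions      = { home = { primary = { location = "ap-southeast-2", region = "apse2", network = { enabled = true } } } }

    # Assumed to be a list: budget names must be unique within the account.
    budgets = [
      {
        name      = "analytics-compute-monthly"
        type      = "COST" # AWS BudgetType value; not enumerated on this page
        time_unit = "MONTHLY"

        limit = {
          amount = "500"
          unit   = "USD"
        }

        # Restrict the budget to EC2 compute, the service most often abused
        # with leaked credentials. Values follow Cost Explorer service names.
        cost_filters = [
          {
            name   = "Service"
            values = ["Amazon Elastic Compute Cloud - Compute"]
          },
        ]

        notifications = [
          {
            type                = "FORECASTED"
            comparison_operator = "GREATER_THAN"
            threshold           = "80"
            threshold_type      = "PERCENTAGE"
            email_addresses     = ["finops@example.com"]
          },
          {
            type                = "ACTUAL"
            comparison_operator = "GREATER_THAN"
            threshold           = "100"
            threshold_type      = "PERCENTAGE"
            email_addresses     = ["finops@example.com", "secops@example.com"]
          },
        ]

        tags = {
          owner = "analytics-team"
        }
      },
    ]
  }
}
```

Sending the ACTUAL notification to the security mailbox as well is deliberate: unexplained compute spend in a dev account is frequently the first observable sign of leaked access keys being used for mining, and a budget alert fires even when no detection tooling has been deployed in the account yet.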

Nested Schema for configuration.s3_account_public_access_block

Optional:

  • block_public_acls (Boolean) Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true.
  • block_public_policy (Boolean) Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true.
  • ignore_public_acls (Boolean) Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true.
  • restrict_public_buckets (Boolean) Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true.

Nested Schema for configuration.ssm_patch_policies

Optional:

  • attach_iam_policy_to_instance_profile (Boolean) If true, AWS Systems Manager Quick Setup attaches the required policies to the instance profiles already associated with the target EC2 instances. Defaults to true.
  • name (String) A name for the patch policy. The value you provide is applied to the target Amazon EC2 instances as a tag. MUST be lowercase alphanumeric or dash between 1 and 32 characters. Defaults to patch-policy.

Warning

This value cannot be changed on update. You MUST disable the entire ssm_patch_policies capability in the environment and re-add it with the new name.

  • patch_baseline (Attributes) Patch baseline to be used in the policy. ONLY one of custom or use_default can be specified. Defaults to use_default. (see below for nested schema)
  • patch_operation (Attributes) Patch install/scan operation scheduling. Defaults to the object described in the nested schema below. (see below for nested schema)
  • rate_control (Attributes) Controls the execution of the association on your nodes through a concurrency value and an error threshold. Defaults to the object described in the nested schema below. (see below for nested schema)
  • reboot (String) Determines whether instances are rebooted after patches are installed. Valid values are NoReboot | RebootIfNeeded. Defaults to NoReboot.

Nested Schema for configuration.ssm_patch_policies.patch_baseline

Optional:

  • custom (List of String) A list of JSON objects (string encoded) containing the information for the patch baselines to include in your patch policy. Conflicts with use_default. For more info check AWS Documentation.
  • use_default (Boolean) If true, the selected patch baselines are all AWS provided. Conflicts with custom.

Nested Schema for configuration.ssm_patch_policies.patch_operation

Optional:

  • install (Attributes) Schedule for installing available patches. (see below for nested schema)
  • scan (Attributes) Schedule for scanning for available patches. (see below for nested schema)

Nested Schema for configuration.ssm_patch_policies.patch_operation.install

Required:

  • cron (String) A cron expression that is used as the schedule for when target EC2 instances install available patches.

Optional:

  • next_interval (Boolean) If true, the target EC2 instances should scan for available patches and install at the next cron interval. Defaults to true.

Nested Schema for configuration.ssm_patch_policies.patch_operation.scan

Optional:

  • cron (String) A cron expression that is used as the schedule for when target EC2 instances scan for available patches. Defaults to cron(0 1 * * ? *).
  • next_interval (Boolean) If true, the target EC2 instances scan for available patches at the next cron interval. Defaults to true.

Nested Schema for configuration.ssm_patch_policies.rate_control

Optional:

  • concurrency (Number) Concurrency helps to limit the impact on your nodes by allowing you to specify that only a certain number of nodes can process an association at one time. You can specify as a percentage of the target set of nodes. Defaults to 10.
  • error_threshold (Number) An error threshold specifies how many association executions are allowed to fail before Systems Manager sends a command to each node configured with that association. The command stops the association from running until the next scheduled execution. You can specify as a percentage of the target set. Defaults to 2.
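Added example (not the provider's own) of a patch policy: nightly scan, a weekly install window and a reboot when a patch requires it. Attribute names and defaults follow the schema above; the cron expressions use the Systems Manager six-field format shown in the scan default, and the account name is illustrative.

```hcl
# Added example (not from the provider documentation): a patch policy that
# scans nightly, installs weekly and reboots only when a patch needs it.
resource "volocloud_tenancy_account_aws" "test_inventory" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  environment = "test"
  name        = "inventory"

  configuration = {
    abbreviation = "invt"
    regions      = { home = { primary = { location = "ap-southeast-2", region = "apse2", network = { enabled = true } } } }

    ssm_patch_policies = {
      # Also applied as a tag on the targeted instances. Cannot be renamed in
      # place (see the warning above), so choose it deliberately.
      name = "patch-policy"

      # The default NoReboot leaves kernel/libc fixes installed but not
      # running. RebootIfNeeded keeps the compliance state honest.
      reboot = "RebootIfNeeded"

      attach_iam_policy_to_instance_profile = true

      patch_baseline = {
        use_default = true
      }

      # Systems Manager six-field cron: minutes hours day-of-month month day-of-week year
      patch_operation = {
        scan = {
          cron          = "cron(0 1 * * ? *)" # every night at 01:00 UTC
          next_interval = true
        }
        install = {
          cron = "cron(0 3 ? * SUN *)" # Sundays at 03:00 UTC, the agreed maintenance window
        }
      }

      # Limit concurrency to 10 (a percentage of the targets, per the schema)
      # and stop the association after 2 failures.
      rate_control = {
        concurrency     = 10
        error_threshold = 2
      }
    }
  }
}
```

The default reboot value is NoReboot, which means kernel and shared-library updates are installed but not loaded until something else restarts the instance; the nightly scan then reports the instance compliant while the vulnerable code is still in memory. Pair RebootIfNeeded with an install cron inside a maintenance window, and keep rate_control low enough that a bad patch cannot take down every node at once.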

Nested Schema for configuration.ssm_resource_scheduler

Required:

  • name (String) The name of the Quick Setup resource scheduler schedule. MUST be unique across all schedules assigned at the same level (OU or Account). MUST be lowercase alphanumeric or dash between 1 and 32 characters.
  • schedule (Attributes) Input parameters required to create the iCalendar formatted string containing the schedule you want Change Manager to use. For more details about iCalendar strings see the iCalendar specification (RFC 5545). (see below for nested schema)
  • selection (Attributes) The key/value pair for tagging instances you want to target with this schedule. (see below for nested schema)

Optional:

  • tags (Map of String) You can use tags to search and filter your Quick Setup Configuration managers.

Nested Schema for configuration.ssm_resource_scheduler.schedule

Required:

  • end_time (String) This is used to specify the time of day for the END operation part of the schedule.
  • recurrence_rule (Attributes) This is used to identify properties that contain a recurrence rule specification. (see below for nested schema)
  • start_time (String) This is used to specify the time of day for the START operation part of the schedule.

Optional:

  • timezone (String) The time zone to use, given as a name from the public-domain TZ database (TZDB), for example Australia/Sydney. Defaults to UTC.

Nested Schema for configuration.ssm_resource_scheduler.schedule.recurrence_rule

Required:

  • byday (List of String) A list of days of the week. Possible values are SU (Sunday), MO (Monday), TU (Tuesday), WE (Wednesday), TH (Thursday), FR (Friday) and SA (Saturday).

Optional:

  • frequency (String) The type of recurrence rule. The only supported value is WEEKLY. Defaults to WEEKLY.
  • interval (Number) This contains a positive integer representing at which intervals the recurrence rule repeats. Defaults to 1.

Nested Schema for configuration.ssm_resource_scheduler.selection

Required:

  • tag_key (String) The tag key assigned to the instances you want to target.
  • tag_value (String) The value of the tag key assigned to the instances you want to target.

Nested Schema for configuration.sso_permission_sets

Required:

  • iam_policies (Attributes) AWS IAM policies to attach to the permission set. It supports a map of custom JSON-encoded IAM policies, a map of AWS managed policy ARNs and a Session Manager tag pair. (see below for nested schema)
  • name (String) The name of the permission set. MUST be lowercase alphanumeric or dash between 1 and 20 characters.

Optional:

  • description (String) Description for the permission set.
  • duration (Number) Permission set session duration, in hours, before the user must re-authenticate. If not provided it defaults to 8 hours.

Nested Schema for configuration.sso_permission_sets.iam_policies

Optional:

  • custom (Map of String) A map of JSON-encoded IAM policies to attach to the new permission set.
  • managed (Map of String) A map of AWS managed policy ARNs whose policies are attached to the new permission set.
  • session_manager (Attributes) If defined, grants Session Manager permissions restricted to instances carrying the provided tag pair. (see below for nested schema)

Nested Schema for configuration.sso_permission_sets.iam_policies.session_manager

Required:

  • tag_key (String) The tag key assigned to the instances you want to target.
  • tag_value (String) The value of the tag key assigned to the instances you want to target.
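Added example, not from the provider documentation, of a least-privilege permission set: read-only access, Session Manager scoped to a tag pair, an explicit deny on reading secret material and a shorter session. It assumes sso_permission_sets is a list (its type is declared above this section of the page) and that the key of the managed map is a label for the attachment; the policy name, tag pair and account name are illustrative.

```hcl
# Added example (not from the provider documentation): a least-privilege
# permission set for application operators.
resource "volocloud_tenancy_account_aws" "prod_orders" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  environment = "prod"
  name        = "orders"

  configuration = {
    abbreviation = "ordr"
    regions      = { home = { primary = { location = "ap-southeast-2", region = "apse2", network = { enabled = true } } } }

    # Assumed to be a list (several permission sets per account).
    sso_permission_sets = [
      {
        name        = "app-operator"
        description = "Read-only console access and Session Manager to app-tier instances"
        duration    = 4 # hours; shorter than the 8h default for a set that can open shells

        iam_policies = {
          # Map values are the managed policy ARNs; the key is assumed to be a label.
          managed = {
            ReadOnlyAccess = "arn:aws:iam::aws:policy/ReadOnlyAccess"
          }

          # Session Manager only to instances tagged Tier=app, not the whole account.
          session_manager = {
            tag_key   = "Tier"
            tag_value = "app"
          }

          # JSON-encoded inline policies. An explicit Deny wins over any Allow
          # attached later, so this set can never return secret material.
          custom = {
            "deny-secret-reads" = jsonencode({
              Version = "2012-10-17"
              Statement = [
                {
                  Sid      = "DenySecretMaterial"
                  Effect   = "Deny"
                  Action   = ["secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
                  Resource = "*"
                },
              ]
            })
          }
        }
      },
    ]
  }
}
```

The custom map takes JSON strings, so jsonencode keeps the policy readable as HCL and lets Terraform validate the structure. The explicit Deny is a guard against drift: whatever managed policies someone attaches to this set later, it can never read Secrets Manager values or SecureString parameters. The session_manager block keeps shell access confined to instances that carry the tag pair; without it the operator would need a far broader ssm:StartSession grant.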

Nested Schema for configuration.vpc

Optional:

  • deployment_architecture (Attributes) Network deployment architecture specific to this account. This is used in combination with the organization network_deployment_architectures attribute. (see below for nested schema)
  • enable_dns_hostnames (Boolean) A boolean flag to enable/disable DNS hostnames in the VPC. Defaults to true.
  • enable_dns_support (Boolean) A boolean flag to enable/disable DNS support in the VPC. Defaults to true.
  • instance_tenancy (String) A tenancy option for instances launched into the VPC. Default is default, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option is dedicated, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch.
  • network_firewall (Attributes) Configuration settings for AWS Network Firewall service. MUST be deployed only if the VPC template supports distributed architecture. (see below for nested schema)

Nested Schema for configuration.vpc.deployment_architecture

Optional:

  • egress_enabled (Boolean) If true, enables account local egress access to internet. Defaults to false.
  • ingress_enabled (Boolean) If true, enables account local ingress access from internet. Defaults to false.
  • private_endpoints (Attributes) Configuration for AWS services that support private endpoints in the VPC. The subnet where these private endpoints are created is predetermined by the selected VPC template: the standard templates use the app_tier subnet, the web_tier templates use their single tier subnet. (see below for nested schema)
  • template (String) The VPC template determines which NACLs, routing tables, routes and subnets are created in the VPC. Defaults to standard. Possible values are:
    • standard_centralized: Creates 2 tier subnets (private app_tier, private data_tier) with a centralized public web_tier running in the network account, reached through the centralized Transit Gateway deployment. The minimum network mask for the VPC MUST be /24.
    • standard_centralized_and_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support the centralized Transit Gateway deployment and 1 extra subnet to support the distributed deployment with an account firewall. The minimum network mask for the VPC MUST be /23.
    • standard_distributed: Creates 3 tier subnets (public web_tier, private app_tier, private data_tier) with 1 extra subnet to support the distributed deployment with an account firewall. The minimum network mask for the VPC MUST be /24.
    • web_tier_centralized_and_distributed: Creates 1 public web_tier subnet with 1 extra subnet to support the centralized Transit Gateway deployment and 1 extra subnet to support the distributed deployment with an account firewall. The minimum network mask for the VPC MUST be /24.
    • web_tier_distributed: Creates 1 public web_tier subnet with 1 extra subnet to support the distributed deployment with an account firewall. The minimum network mask for the VPC MUST be /25.

Warning

Changing this value causes the VPC to be re-created. CANNOT be changed after creation without destroying everything running on top of the VPC first.

Nested Schema for configuration.vpc.deployment_architecture.private_endpoints

Optional:

  • enabled (Boolean) If true, enables account local private endpoints for supported services. Defaults to false.
  • gateway_services (List of String) List of AWS services to create private endpoints of type gateway in the local account private endpoints VPC. For more details see AWS documentation. Valid values are: dynamodb | s3.
  • interface_services (List of String) List of AWS services to create private endpoints of type interface in the local/network account private endpoints VPC. The service name is derived from the AWS PrivateLink supported-services list (https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html) by taking the part of the service name after the region, e.g. ssm from com.amazonaws.ap-southeast-2.ssm. Valid values are: [access-analyzer account acm-pca airflow.api api-fips env env-fips ops analytics-omics appconfig appconfigdata appmesh appmesh-envoy-management apprunner apprunner.requests applicationinsights application-autoscaling application-signals appstream.api appstream.streaming app-integrations apptest aps aps-workspaces arsenal-discovery athena auditmanager autoscaling autoscaling-plans awsconnector b2bi backup backup-gateway batch bcm-data-exports bedrock bedrock-agent bedrock-agent-runtime bedrock-runtime billing billingconductor braket cassandra cassandra-fips cases ce cleanrooms cleanrooms-ml cloudcontrolapi cloudcontrolapi-fips clouddirectory cloudformation cloudhsmv2 cloudtrail codeartifact.api codeartifact.repositories codebuild codebuild-fips codecommit codecommit-fips codeconnections.api codedeploy codedeploy-commands-secure codeguru-profiler codeguru-reviewer codepipeline codestar-connections.api codewhisperer comprehend comprehendmedical compute-optimizer config connect-campaigns console controlcatalog control-storage-omics cost-optimization-hub databrew dataexchange datasync data-servicediscovery data-servicediscovery-fips deadline.management deadline.scheduling deviceadvisor.iot devops-guru dicom-medical-imaging discovery dms dms-fips drs ds ds-data dynamodb dynamodb-fips ebs ec2 ec2messages ec2-fips ecr.api ecr.dkr ecs ecs-agent ecs-telemetry eks eks-auth elasticbeanstalk elasticbeanstalk-health elasticfilesystem elasticfilesystem-fips elasticloadbalancing elasticache elasticache-fips elasticmapreduce email-smtp emr-containers emr-serverless emr-serverless-services.livy 
emrwal.prod entityresolution events evidently evidently-dataplane execute-api experiments finspace finspace-api fis forecast forecast-fips forecastquery forecastquery-fips frauddetector freetier fsx fsx-fips git-codecommit git-codecommit-fips glue glue.dashboard grafana grafana-workspace greengrass groundstation guardduty guardduty-data guardduty-data-fips guardduty-fips healthlake iam identitystore imagebuilder inspector2 inspector-scan internetmonitor internetmonitor-fips iotfleetwise iotroborunner iotsitewise.api iotsitewise.data iottwinmaker.api iottwinmaker.data iotwireless.api iot.data iot.credentials iot.fleethub.api kafka kafka-fips kendra kendra-ranking kinesis-firehose kinesis-streams kinesis-streams-fips kms kms-fips lakeformation lambda launchwizard license-manager license-manager-fips license-manager-linux-subscriptions license-manager-linux-subscriptions-fips license-manager-user-subscriptions lightsail logs lookoutequipment lookoutmetrics lookoutvision lorawan.cups lorawan.lns m2 macie2 managedblockchain-query managedblockchain.bitcoin.mainnet managedblockchain.bitcoin.testnet mediaconnect medical-imaging memory-db memorydb-fips migrationhub-orchestrator migrationhub-strategy mgn models-v2-lex monitoring mq neptune-graph neptune-graph-data neptune-graph-fips network-firewall network-firewall-fips networkflowmonitor networkflowmonitorreports networkmonitor notebook observabilityadmin organizations organizations-fips outposts panorama partner-app payment-cryptography.controlplane payment-cryptography.dataplane pca-connector-ad pca-connector-scep pcs pcs-fips personalize personalize-events personalize-runtime pi pi-fips pinpoint pinpoint-sms-voice-v2 pipes pipes-data pipes-fips polly pricing.api private-networks profile proton q qapps qbusiness qldb.session quicksight-website ram rbin refactor-spaces rds rds-data redshift redshift-fips redshift-serverless redshift-serverless-fips redshift-data redshift-data-fips rekognition rekognition-fips repostspace 
resource-groups resource-groups-fips robomaker rolesanywhere rum rum-dataplane runtime-medical-imaging runtime-v2-lex s3 s3tables s3-global.accesspoint s3-outposts sagemaker.api sagemaker-data-science-assistant sagemaker.api-fips sagemaker.featurestore-runtime sagemaker.metrics sagemaker.runtime sagemaker.runtime-fips savingsplans schemas scn secretsmanager securityhub securitylake securitylake-fips serverlessrepo servicecatalog servicecatalog-appregistry servicediscovery servicediscovery-fips service.user-subscriptions signin simspaceweaver snow-device-management sns social-messaging sqs ssm ssm-contacts ssm-incidents ssm-quicksetup ssmmessages states storagegateway storage-omics streaming-rekognition streaming-rekognition-fips sts studio swf swf-fips sync-states synthetics synthetics-fips tagging tags-omics tax textract textract-fips thinclient.api timestream.ingest-cell timestream.query-cell timestream-influxdb timestream-influxdb-fips tnb transcribe transcribestreaming transfer transfer.server translate trustedadvisor verifiedpermissions voiceid vpc-lattice wellarchitected wisdom workflows-omics workmail workspaces workspaces-web workspaces-web-fips xray].

Nested Schema for configuration.vpc.network_firewall

Required:

  • enabled (Boolean) If true, creates AWS Network Firewalls in each AZ.

Optional:

  • vendor (Attributes) The vendor of the network firewall and its associated settings. Defaults to aws. (see below for nested schema)

Nested Schema for configuration.vpc.network_firewall.vendor

Optional:

  • aws (Attributes) Settings for the AWS Network Firewall vendor. (see below for nested schema)

Nested Schema for configuration.vpc.network_firewall.vendor.aws

Optional:

  • managed_rule_groups (Attributes) AWS managed rule groups to attach to the firewall policy. (see below for nested schema)

Nested Schema for configuration.vpc.network_firewall.vendor.aws.managed_rule_groups

Optional:

  • domain_lists (List of String) AWS Network Firewall managed domain and IP rule groups block HTTP/HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets.
  • threat_signatures (List of String) AWS Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection and to enforce fair use policies as well as guard against emerging threats.
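Added example, not the provider's own, that combines the VPC attributes above: a standard_distributed template with an account-local firewall on the egress path, no inbound internet access and private endpoints so that traffic to AWS control planes never reaches the internet path. The managed rule group names are AWS Network Firewall managed rule group identifiers, which this page does not enumerate, so their exact accepted form is an assumption; the account name is illustrative and the rest follows the schema.

```hcl
# Added example (not from the provider documentation): distributed VPC with an
# account-local egress firewall and private endpoints for AWS control planes.
resource "volocloud_tenancy_account_aws" "prod_portal" {
  account_id  = volocloud_account.example.account_id
  tenancy_id  = volocloud_tenancy_aws.example.tenancy_id
  environment = "prod"
  name        = "portal"

  configuration = {
    abbreviation = "prtl"
    regions      = { home = { primary = { location = "ap-southeast-2", region = "apse2", network = { enabled = true } } } }

    vpc = {
      enable_dns_support   = true
      enable_dns_hostnames = true
      instance_tenancy     = "default"

      deployment_architecture = {
        # Needs at least a /24; cannot be changed later without destroying the VPC.
        template        = "standard_distributed"
        ingress_enabled = false # no account-local entry point from the internet
        egress_enabled  = true  # outbound traffic leaves through the account firewall below

        private_endpoints = {
          enabled          = true
          gateway_services = ["s3", "dynamodb"]
          # Enough for Session Manager, KMS, log shipping, STS and container
          # pulls without any of that traffic touching the internet path.
          interface_services = ["ssm", "ssmmessages", "ec2messages", "kms", "logs", "sts", "ecr.api", "ecr.dkr"]
        }
      }

      network_firewall = {
        enabled = true
        vendor = {
          aws = {
            # AWS managed rule group names (assumed form; not enumerated on this page).
            managed_rule_groups = {
              domain_lists = [
                "MalwareDomainsStrictOrder",
                "BotNetCommandAndControlDomainsStrictOrder",
              ]
              threat_signatures = [
                "ThreatSignaturesMalwareStrictOrder",
                "ThreatSignaturesScannersStrictOrder",
                "ThreatSignaturesWebAttacksStrictOrder",
              ]
            }
          }
        }
      }
    }
  }
}
```

The interface_services list is the minimum for Session Manager (ssm, ssmmessages, ec2messages) plus KMS, CloudWatch Logs, STS and ECR; everything not covered by an endpoint goes out through the firewall, where the managed domain lists and threat signatures are applied. Because template cannot be changed after creation without destroying the VPC (see the warning above), pick a distributed variant up front whenever an account-level firewall is a requirement.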

Import

Import is supported using the following syntax:

$ terraform import volocloud_tenancy_account_aws.example <resource ID>

Note

The format is: "account_id:tenancy_id:tenancy_account_id"