Accelerator global configuration

Hierarchy

  • GlobalConfig

Implements

Constructors

Properties

acceleratorMetadata: undefined | AcceleratorMetadataConfig = undefined

Accelerator metadata configuration. Creates a bucket in the logging account to enable accelerator metadata collection.

Example

acceleratorMetadata:
  enable: true
  account: Logging

acceleratorSettings: undefined | AcceleratorSettingsConfig = undefined

Accelerator settings configuration. Allows setting additional properties for the accelerator.

Example

acceleratorSettings:
  maxConcurrentStacks: 250

backup: undefined | BackupConfig = undefined

Backup Vaults Configuration

To create backup vaults, provide a value such as the one below.

Example

backup:
  vaults:
    - name: MyBackUpVault
      deploymentTargets:
        organizationalUnits:
          - Root

cdkOptions: cdkOptionsConfig = ...

AWS CDK options configuration. This lets you customize how the CDK operates within LZA, specifically:

  • centralizeBuckets: Enabling this option modifies the CDK bootstrap process to use a single S3 bucket per region, located in the management account, for the CDK assets generated by LZA. Otherwise, CDK creates a new S3 bucket in every account and every region supported by LZA.
  • useManagementAccessRole: Enabling this option modifies CDK operations to use the IAM role named in the managementAccountAccessRole option of global-config.yaml rather than the default roles created by CDK. The default CDK roles are still created but remain unused. Any stacks previously deployed by LZA retain their associated execution role. Because that role has administrator permissions in every member account, keep its trust policy restricted to the management account.

Example

cdkOptions:
  centralizeBuckets: true
  useManagementAccessRole: true

centralizeCdkBuckets: undefined | centralizeCdkBucketsConfig = undefined

Deprecated

NOTICE: The configuration of CDK buckets is being moved to cdkOptions in the Global Config. This block is deprecated and will be removed in a future release

See

cdkOptionsConfig

To make workload accounts use the cdk-assets S3 buckets in the management account, provide the value below (prefer cdkOptions.centralizeBuckets in new configurations).

Example

centralizeCdkBuckets:
  enable: true

cloudwatchLogRetentionInDays: 3653 = 3653

Global CloudWatch Logs retention in days configuration.

Remarks

This retention setting will be applied to all CloudWatch log groups created by the accelerator. Additionally, this retention setting will be applied to any CloudWatch log groups that already exist in the target environment if the log group's retention setting is LOWER than this configured value.

controlTower: ControlTowerConfig = ...

AWS Control Tower Landing Zone configuration

To indicate that the environment has AWS Control Tower enabled, provide the value below.

Example

controlTower:
  enable: true

enabledRegions: ("af-south-1" | "ap-east-1" | "ap-south-1" | "ap-south-2" | "ap-southeast-1" | "ap-southeast-2" | "ap-southeast-3" | "ap-northeast-1" | "ap-northeast-2" | "ap-northeast-3" | "ca-central-1" | "eu-central-1" | "eu-central-2" | "eu-west-1" | "eu-west-2" | "eu-west-3" | "eu-north-1" | "eu-south-1" | "eu-south-2" | "me-central-1" | "me-south-1" | "sa-east-1" | "us-east-1" | "us-east-2" | "us-west-1" | "us-west-2" | "cn-north-1" | "cn-northwest-1" | "us-gov-west-1" | "us-gov-east-1" | "us-iso-east-1" | "us-iso-west-1" | "us-isob-east-1" | "ap-southeast-4" | "il-central-1" | "ca-west-1")[] = []

List of AWS Region names where accelerator will be deployed. Home region must be part of this list.

To deploy the accelerator to us-west-2 alongside the home region, provide the value below (*HOME_REGION is the YAML alias for the anchor set on homeRegion).

Example

enabledRegions:
  - *HOME_REGION
  - us-west-2

externalLandingZoneResources: undefined | externalLandingZoneResourcesConfig = undefined

External landing zone resources configuration.

Controls whether resources created by an existing landing zone outside LZA (such as an ASEA deployment, whose mapping helpers appear under Methods below) are imported, via importExternalLandingZoneResources. To skip the import, provide the value below.

Example

externalLandingZoneResources:
  importExternalLandingZoneResources: false

homeRegion: string = ''

Accelerator home region name: the region where the accelerator pipeline is deployed.

To use us-east-1 as the home region for the accelerator, provide the value below. Note: the YAML anchor &HOME_REGION is defined here so that later entries in the file (for example enabledRegions) can reference the same value with *HOME_REGION.

Example

homeRegion: &HOME_REGION us-east-1

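
The rules stated above (the home region must be listed in enabledRegions, centralizeCdkBuckets is deprecated in favour of cdkOptions, the global CloudWatch Logs retention only raises existing log groups whose retention is lower) can be checked before a pipeline run. The following is an added example, not code from the Landing Zone Accelerator project: it runs against a global-config.yaml that has already been parsed into a dict (for instance with yaml.safe_load from PyYAML, which also resolves the &HOME_REGION anchor and *HOME_REGION alias). The SAMPLE_CONFIG dict is a constructed stand-in for that parsed file, built from the fragments on this page.

```python
"""Consistency checks for a parsed LZA global-config.yaml.

Added example, not code from the Landing Zone Accelerator project.  Input is
the dict that yaml.safe_load returns for global-config.yaml; the rules encode
statements from the global configuration reference.
"""

DEFAULT_RETENTION_DAYS = 3653  # documented default for cloudwatchLogRetentionInDays

# Constructed sample: dict form of the page's example fragments with the YAML
# alias already resolved.  The deprecated block is kept on purpose so that the
# checks below report it.
SAMPLE_CONFIG = {
    "homeRegion": "us-east-1",
    "enabledRegions": ["us-east-1", "us-west-2"],
    "managementAccountAccessRole": "AWSControlTowerExecution",
    "cloudwatchLogRetentionInDays": 3653,
    "terminationProtection": True,
    "cdkOptions": {"centralizeBuckets": True, "useManagementAccessRole": True},
    "centralizeCdkBuckets": {"enable": True},
}


def effective_retention_days(existing_days, configured_days):
    """Retention an existing log group has after the accelerator applies the
    global setting: raised to the configured value only when the current
    value is lower, never shortened."""
    return max(existing_days, configured_days)


def validate_global_config(cfg):
    """Return (errors, warnings).  Errors contradict the documented rules;
    warnings are settings a reviewer should look at before deploying."""
    errors, warnings = [], []

    home = cfg.get("homeRegion", "")
    regions = cfg.get("enabledRegions", [])
    if not home:
        errors.append("homeRegion is empty")
    elif home not in regions:
        errors.append(f"homeRegion {home} is not listed in enabledRegions")
    duplicates = sorted({r for r in regions if regions.count(r) > 1})
    if duplicates:
        warnings.append(f"enabledRegions lists {', '.join(duplicates)} more than once")

    if not cfg.get("managementAccountAccessRole"):
        errors.append("managementAccountAccessRole must name the role assumed in member accounts")

    if "centralizeCdkBuckets" in cfg:
        warnings.append("centralizeCdkBuckets is deprecated; use cdkOptions.centralizeBuckets")

    retention = cfg.get("cloudwatchLogRetentionInDays", DEFAULT_RETENTION_DAYS)
    if isinstance(retention, bool) or not isinstance(retention, int) or retention <= 0:
        errors.append("cloudwatchLogRetentionInDays must be a positive integer")

    if cfg.get("terminationProtection", True) is False:
        warnings.append("terminationProtection is disabled; accelerator stacks can be deleted")

    return errors, warnings


if __name__ == "__main__":
    for kind, messages in zip(("errors", "warnings"), validate_global_config(SAMPLE_CONFIG)):
        print(kind, messages)
```

Run it in a pre-commit hook or a pipeline stage that loads the repository copy of global-config.yaml; a non-empty errors list should fail the stage, while warnings are surfaced for review.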
iamRoleSsmParameters: {
    account: string;
    parametersByPath: {
        [key: string]: string;
    };
    region: string;
}[] = []

SSM IAM Role Parameters to be loaded for session manager policy attachments

lambda: undefined | LambdaConfig = undefined

AWS Lambda Function environment variables encryption configuration options.

Remarks

You can decide to use an AWS KMS CMK or an AWS managed key for Lambda function environment variable encryption. When this property is undefined, the solution deploys an AWS KMS CMK to encrypt function environment variables. You can use deploymentTargets to control the target accounts and regions for the given useCMK configuration.

Example

lambda:
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root

limits: undefined | ServiceQuotaLimitsConfig[] = undefined

AWS Service Quota - Limit configuration

To request service quota increases, provide a value such as the one below (one entry per quota code, targeted with deploymentTargets).

Example

limits:
  - serviceCode: lambda
    quotaCode: L-2ACBD22F
    desiredValue: 2000
    deploymentTargets:
      organizationalUnits:
        - Infrastructure

logging: LoggingConfig = ...

Accelerator logging configuration

The example below sends Session Manager logs to S3 and leaves CloudTrail disabled; to deploy an organization trail as well, set cloudtrail.enable and cloudtrail.organizationTrail to true.

Example

logging:
  account: LogArchive
  cloudtrail:
    enable: false
    organizationTrail: false
    cloudtrailInsights:
      apiErrorRateInsight: true
      apiCallRateInsight: true
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
  cloudwatchLogs:
    dynamicPartitioning: logging/dynamic-partition.json

managementAccountAccessRole: string = ''

The name of the IAM role, present in every member account, that trusts the management account: principals in the management account can assume it as permitted by the management account administrator, and it has administrator permissions in the member account. The accelerator assumes this role to operate in member accounts, so its trust policy should allow only the management account.

Examples:

  • AWSControlTowerExecution
  • OrganizationAccountAccessRole

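
Because this role carries administrator permissions in every member account, its trust policy is the control worth auditing. The following is an added example, not LZA code: it takes an IAM trust policy document (the AssumeRolePolicyDocument JSON shape) and reports any account other than the management account, or a wildcard, that an Allow statement permits to call sts:AssumeRole. The account IDs and the two policy documents are constructed placeholders; the helper is meant to be fed the document returned for the role named in managementAccountAccessRole in each member account.

```python
"""Audit the trust policy of the managementAccountAccessRole in a member account.

Added example, not code from the Landing Zone Accelerator project.  The
policy documents below are constructed samples in the AssumeRolePolicyDocument
shape; the account IDs are placeholders.
"""
import json

MANAGEMENT_ACCOUNT_ID = "111111111111"  # placeholder management account

# Constructed: trust policy scoped to the management account root, the shape
# AWS Organizations uses for OrganizationAccountAccessRole.
GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed: a drifted policy that additionally trusts a second account.
DRIFTED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": ["sts:AssumeRole"]},
    ],
})

ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]


def account_id_from_principal(principal):
    """'arn:aws:iam::123456789012:root' -> '123456789012'; a bare account ID
    or '*' is returned unchanged."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def foreign_trusted_accounts(policy_json, management_account_id):
    """Return the set of account IDs (or '*') other than the management
    account that an Allow statement lets call sts:AssumeRole."""
    doc = json.loads(policy_json)
    foreign = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not (actions & ASSUME_ROLE_ACTIONS):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous wildcard principal
            foreign.add("*")
            continue
        for entry in _as_list(principal.get("AWS", [])):
            account = account_id_from_principal(entry)
            if account != management_account_id:
                foreign.add(account)
    return foreign


def trust_policy_is_scoped(policy_json, management_account_id):
    """True when only the management account may assume the role."""
    return not foreign_trusted_accounts(policy_json, management_account_id)


if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("drifted", DRIFTED_TRUST_POLICY)):
        print(name, sorted(foreign_trusted_accounts(doc, MANAGEMENT_ACCOUNT_ID)))
```

In practice the document comes from iam:GetRole (the AssumeRolePolicyDocument field, URL-decoded) in each member account; any non-empty result means a principal outside the management account can become an administrator of that member account.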
reports: undefined | ReportConfig = undefined

Report configuration

To enable a budget report along with a cost and usage report, provide a value such as the one below.

Example

reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    s3Prefix: cur
    timeUnit: DAILY
    refreshClosedReports: true
    reportVersioning: CREATE_NEW_REPORT
  budgets:
    - name: accel-budget
      timeUnit: MONTHLY
      type: COST
      amount: 2000
      includeUpfront: true
      includeTax: true
      includeSupport: true
      includeSubscription: true
      includeRecurring: true
      includeOtherSubscription: true
      includeDiscount: true
      includeCredit: false
      includeRefund: false
      useBlended: false
      useAmortized: false
      unit: USD
      notifications:
        - type: ACTUAL
          thresholdType: PERCENTAGE
          threshold: 90
          comparisonOperator: GREATER_THAN
          subscriptionType: EMAIL
          address: myemail+pa-budg@example.com

s3: undefined | S3GlobalConfig = undefined

AWS S3 global configuration options.

Remarks

You can decide whether to create an AWS KMS CMK for Amazon S3 server-side encryption. When this property is undefined, the solution deploys an AWS KMS CMK to encrypt the S3 buckets it creates. You can use deploymentTargets to control the target accounts and regions for the given createCMK configuration. This configuration does not apply to:

  • the LogArchive account's central logging region, because the CentralLogs bucket deployed by the solution is always encrypted with an AWS KMS CMK;
  • the Management account's Asset bucket in the home region, which always has a key generated and applied if the bucket is created;
  • the assets S3 bucket, if it is created, which likewise always has a key generated and applied.

Example

s3:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root

snsTopics: undefined | SnsConfig = undefined

SNS Topics Configuration

To send CloudWatch Alarms and Security Hub notifications you need to configure at least one SNS topic. For Security Hub notifications, set the deployment target to Root so that notifications from all accounts are received.

Example

snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - SecurityNotifications@example.com

ssmInventory: undefined | SsmInventoryConfig = undefined

SSM Inventory Configuration

The EC2 prerequisites and connectivity prerequisites for SSM Inventory apply; instances need the SSM Agent and a path to the Systems Manager endpoints before inventory is collected.

Example

ssmInventory:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure

ssmParameters: undefined | SsmParametersConfig[]

SSM parameter configurations

Create SSM parameters through the LZA. Parameters can be deployed to organizational units or accounts using deploymentTargets. The values are committed to the configuration repository in clear text, so do not use this mechanism for secrets.

Example

ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: WorkloadParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'

tags: Tag[] = []

Custom Tags for all resources created by Landing Zone Accelerator that can be tagged.

Example

tags:
  - key: Environment
    value: Dev
  - key: ResourceOwner
    value: AcmeApp
  - key: CostCenter
    value: '123'

terminationProtection: true = true

Whether to enable termination protection for this stack.

FILENAME: "global-config.yaml" = 'global-config.yaml'

Global configuration file name, this file must be present in accelerator config repository

Methods

  • Parameters

    • props: {
          mapping: ASEAMappings;
          mappingBucket: string;
          s3Client: S3;
          tempDirectory: string;
      }
      • mapping: ASEAMappings
      • mappingBucket: string
      • s3Client: S3
      • tempDirectory: string

    Returns Promise<string[]>

  • Parameters

    • props: {
          bucket: string;
          relativePath: string;
          s3Client: S3;
          tempDirectory: string;
      }
      • bucket: string
      • relativePath: string
      • s3Client: S3
      • tempDirectory: string

    Returns Promise<string>

  • Parameters

    Returns Promise<string[]>

  • Parameters

    • region: string
    • assumeRoleCredential: AssumeRoleCommandOutput

    Returns SSMClient

  • Parameters

    • path: string
    • ssmClient: SSMClient

    Returns Promise<{
        [key: string]: string;
    }>

  • Parameters

    • props: {
          bucket: string;
          objectKey: string;
          s3Client?: S3;
      }
      • bucket: string
      • objectKey: string
      • Optional s3Client?: S3

    Returns Promise<undefined | {
        body: string;
        path: string;
    }>

  • Returns string[]

  • Parameters

    • region: string
    • partition: string
    • prefix: string
    • accounts: string[]
    • managementAccountId: string
    • isOrgEnabled: boolean

    Returns Promise<void>

  • Parameters

    • ssmPath: string
    • account: string
    • region: string
    • partition: string
    • managementAccountId: string

    Returns Promise<{
        account: string;
        parametersByPath: {
            [key: string]: string;
        };
        region: string;
    }>

  • Parameters

    • filePath: string

    Returns any

  • Parameters

    • partition: string
    • prefix: string

    Returns Promise<void>

  • Parameters

    • region: string
    • partition: string
    • prefix: string
    • accounts: string[]

    Returns Promise<void>

  • Parameters

    • mappingFilePath: string

    Returns Promise<any>

  • Load from string content

    Parameters

    • content: string

    Returns undefined | GlobalConfig

  • Loads the file raw with default replacements placeholders just to get the management account access role. This is required to get the Role name that can be assumed to load the replacements, so cannot be done using the normal loading method. This is abstracted away so that this method of loading is not accidentally used to partially load config files.

    Parameters

    • dir: string

    Returns GlobalConfig

Generated using TypeDoc