Constructor parameters: landing (Optional), values: IGlobalConfig (Optional)

acceleratorMetadata (Readonly): Accelerator Metadata Configuration. Creates a bucket in the logging account to enable accelerator metadata collection.
acceleratorMetadata:
  enable: true
  account: Logging

acceleratorSettings (Readonly): Accelerator Settings Configuration. Allows setting additional properties for the accelerator.
acceleratorSettings:
  maxConcurrentStacks: 250

backup (Readonly): Backup Vaults Configuration. To generate vaults, provide the following value for this parameter.
backup:
  vaults:
    - name: MyBackUpVault
      deploymentTargets:
        organizationalUnits:
          - Root

cdkOptions (Readonly): AWS CDK options configuration. This lets you customize the operation of the CDK within LZA, specifically:
- centralizeBuckets: Enabling this option modifies the CDK bootstrap process to use a single S3 bucket per region, located in the management account, for CDK assets generated by LZA. Otherwise, CDK will create a new S3 bucket in every account and every region supported by LZA.
- useManagementAccessRole: Enabling this option modifies CDK operations to use the IAM role specified in the managementAccountAccessRole option in global-config.yaml rather than the default roles created by CDK. Default CDK roles will still be created, but will remain unused. Any stacks previously deployed by LZA will retain their associated execution role. For more information on these roles, please see here.
cdkOptions:
  centralizeBuckets: true
  useManagementAccessRole: true

centralizeCdkBuckets (Readonly, Deprecated): NOTICE: The configuration of CDK buckets is being moved to cdkOptions in the Global Config. This block is deprecated and will be removed in a future release.
To indicate that workload accounts should use the cdk-assets S3 buckets in the management account, provide the following value for this parameter.
centralizeCdkBuckets:
  enable: true

cloudwatch (Readonly): Global CloudWatch Logs retention in days configuration.
This retention setting will be applied to all CloudWatch log groups created by the accelerator. Additionally, it will be applied to any CloudWatch log groups that already exist in the target environment if the log group's retention setting is LOWER than this configured value.

controlTower (Readonly): AWS Control Tower Landing Zone configuration. To indicate that the environment has Control Tower enabled, provide the following value for this parameter.
controlTower:
  enable: true

enabledRegions (Readonly): List of AWS Region names where the accelerator will be deployed. The home region must be part of this list.
To add us-west-2 along with the home region for accelerator deployment, provide the following value for this parameter.
enabledRegions:
  - *HOME_REGION
  - us-west-2

externalLandingZoneResources (Readonly): ExternalLandingZoneResourcesConfig.
externalLandingZoneResources:
  importExternalLandingZoneResources: false

homeRegion (Readonly): Accelerator home region name. The region where the accelerator pipeline is deployed.
To use us-east-1 as the home region for the accelerator, provide the following value for this parameter. Note: the YAML anchor HOME_REGION is created so the home region can be referenced later in the file.
homeRegion: &HOME_REGION us-east-1

SSM IAM Role Parameters to be loaded for Session Manager policy attachments.

lambda (Readonly): AWS Lambda Function environment variables encryption configuration options.
You can decide to use an AWS KMS CMK or an AWS managed key for Lambda function environment variable encryption. When this property is undefined, the solution will deploy an AWS KMS CMK to encrypt function environment variables.
You can use deploymentTargets to control the target accounts and regions for the given useCMK configuration.
For more information please see here.
lambda:
  encryption:
    useCMK: true
    deploymentTargets:
      organizationalUnits:
        - Root

limits (Readonly): AWS Service Quota - Limit configuration. To configure limits within Service Quotas, provide the following value for this parameter.
limits:
  - serviceCode: lambda
    quotaCode: L-2ACBD22F
    desiredValue: 2000
    deploymentTargets:
      organizationalUnits:
        - Infrastructure

logging (Readonly): Accelerator logging configuration. To enable the organization trail and send Session Manager logs to S3, provide the following value for this parameter.
logging:
  account: LogArchive
  cloudtrail:
    enable: false
    organizationTrail: false
    cloudtrailInsights:
      apiErrorRateInsight: true
      apiCallRateInsight: true
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
  cloudwatchLogs:
    dynamicPartitioning: logging/dynamic-partition.json

managementAccountAccessRole (Readonly): This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.
Examples:

reports (Readonly): Report configuration. To enable a budget report along with the cost and usage report, provide the following value for this parameter.
reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    s3Prefix: cur
    timeUnit: DAILY
    refreshClosedReports: true
    reportVersioning: CREATE_NEW_REPORT
  budgets:
    - name: accel-budget
      timeUnit: MONTHLY
      type: COST
      amount: 2000
      includeUpfront: true
      includeTax: true
      includeSupport: true
      includeSubscription: true
      includeRecurring: true
      includeOtherSubscription: true
      includeDiscount: true
      includeCredit: false
      includeRefund: false
      useBlended: false
      useAmortized: false
      unit: USD
      notifications:
        - type: ACTUAL
          thresholdType: PERCENTAGE
          threshold: 90
          comparisonOperator: GREATER_THAN
          subscriptionType: EMAIL
          address: myemail+pa-budg@example.com

s3 (Readonly): AWS S3 global configuration options.
You can decide to create an AWS KMS CMK for AWS S3 server-side encryption. When this property is undefined, the solution will deploy an AWS KMS CMK to encrypt AWS S3 buckets.
You can use deploymentTargets to control the target accounts and regions for the given createCMK configuration.
This configuration is not applicable to the LogArchive account's central logging region, because the CentralLogs bucket deployed by the solution is always encrypted with an AWS KMS CMK.
This configuration is not applicable to the Management account Asset bucket in the home region. This bucket will always have a key generated and applied to the bucket if it is created.
This configuration is not applicable to the assets S3 bucket if the bucket is created. This bucket will always have a key generated and applied.
For more information please see here.
s3:
  createCMK: true
  deploymentTargets:
    organizationalUnits:
      - Root

snsTopics (Readonly): SNS Topics Configuration. To send CloudWatch Alarms and Security Hub notifications you will need to configure at least one SNS Topic. For Security Hub notifications you will need to set the deployment target to Root in order to receive notifications from all accounts.
snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - SecurityNotifications@example.com
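A check over the enabledRegions, logging, lambda, s3 and snsTopics settings described above, written here as an added example and not LZA's own code. It assumes global-config.yaml has already been parsed into a Python dict (for instance with PyYAML); the SAMPLE_CONFIG is constructed to mirror the values shown on this page.

```python
# Added example (not part of LZA): flag weak settings in a parsed global-config.yaml.
# Assumes the YAML was already loaded into a dict (e.g. with PyYAML); the
# SAMPLE_CONFIG below is constructed here from the values shown on this page.

def audit_global_config(cfg):
    """Return a list of findings for the parsed config; empty means all checks passed."""
    findings = []
    home = cfg.get("homeRegion")
    if home not in cfg.get("enabledRegions", []):
        findings.append(f"homeRegion {home!r} is missing from enabledRegions")

    trail = cfg.get("logging", {}).get("cloudtrail", {})
    if not trail.get("enable"):
        findings.append("logging.cloudtrail.enable is not true: no accelerator-managed trail")
    elif not trail.get("organizationTrail"):
        findings.append("logging.cloudtrail.organizationTrail is not true: member accounts are not covered")

    # An undefined key means LZA deploys a CMK, so only an explicit false is weak.
    if cfg.get("s3", {}).get("createCMK") is False:
        findings.append("s3.createCMK is false: buckets fall back to AWS managed keys")
    if cfg.get("lambda", {}).get("encryption", {}).get("useCMK") is False:
        findings.append("lambda.encryption.useCMK is false: env vars use the AWS managed key")

    sns = cfg.get("snsTopics") or {}
    if not sns.get("topics"):
        findings.append("snsTopics has no topics: alarms and Security Hub findings are not delivered")
    elif "Root" not in sns.get("deploymentTargets", {}).get("organizationalUnits", []):
        findings.append("snsTopics.deploymentTargets is not Root: Security Hub notifications miss accounts")
    return findings


SAMPLE_CONFIG = {  # constructed sample mirroring this page's YAML examples
    "homeRegion": "us-east-1",
    "enabledRegions": ["us-east-1", "us-west-2"],
    "logging": {
        "account": "LogArchive",
        "cloudtrail": {"enable": False, "organizationTrail": False},
        "sessionManager": {"sendToCloudWatchLogs": False, "sendToS3": True},
    },
    "s3": {"createCMK": True, "deploymentTargets": {"organizationalUnits": ["Root"]}},
    "lambda": {"encryption": {"useCMK": True}},
    "snsTopics": {
        "deploymentTargets": {"organizationalUnits": ["Root"]},
        "topics": [{"name": "Security", "emailAddresses": ["SecurityNotifications@example.com"]}],
    },
}

if __name__ == "__main__":
    for finding in audit_global_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against the sample, the only finding is the disabled CloudTrail, which matches the page's own logging example where cloudtrail.enable is false.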

ssmInventory (Readonly): SSM Inventory Configuration. Prerequisites: EC2 prerequisites; Connectivity prerequisites.
ssmInventory:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure

ssmParameters (Readonly): SSM parameter configurations. Create SSM parameters through the LZA. Parameters can be deployed to Organizational Units or Accounts using deploymentTargets.
ssmParameters:
  - deploymentTargets:
      organizationalUnits:
        - Workloads
    parameters:
      - name: WorkloadParameter
        path: /my/custom/path/variable
        value: 'MySSMParameterValue'

tags (Readonly): Custom tags for all resources created by Landing Zone Accelerator that can be tagged.
tags:
  - key: Environment
    value: Dev
  - key: ResourceOwner
    value: AcmeApp
  - key: CostCenter
    value: '123'

termination (Readonly): Whether to enable termination protection for this stack.

FILENAME (Static, Readonly): Global configuration file name; this file must be present in the accelerator config repository.

Static methods:
- load: Load from file in given directory. Optional parameter replacementsConfig: ReplacementsConfig.
- load: Load from string content.
- load: Loads the file raw with default replacement placeholders just to get the management account access role. This is required to get the role name that can be assumed to load the replacements, so it cannot be done using the normal loading method. It is abstracted away so that this method of loading is not accidentally used to partially load config files.
Generated using TypeDoc
Accelerator global configuration