Constructor parameters: values: {...} (Optional), configDir: string (Optional), validateConfig: boolean (Optional).

acceleratorMetadata (Readonly)
Accelerator Metadata Configuration. Creates a bucket in the logging account to enable accelerator metadata collection.
```yaml
acceleratorMetadata:
  enable: true
  account: Logging
```
backup (Readonly)
Backup Vaults Configuration. To create vaults, provide a value such as the following for this parameter.
```yaml
backup:
  vaults:
    - name: MyBackUpVault
      deploymentTargets:
        organizationalUnits:
          - Root
```
centralizeCdkBuckets (Readonly)
To indicate that workload accounts should use the cdk-assets S3 buckets in the management account, provide the following value for this parameter.
```yaml
centralizeCdkBuckets:
  enable: true
```
cloudwatchLogRetentionInDays (Readonly)
CloudWatch Logs retention in days. The log retention period of the accelerator's custom resource Lambda functions is configured from this value.
controlTower (Readonly)
AWS Control Tower configuration. To indicate that the environment has Control Tower enabled, provide the following value for this parameter.
```yaml
controlTower:
  enable: true
```
enabledRegions (Readonly)
List of AWS Region names where the accelerator will be deployed. The home region must be part of this list. To add us-west-2 alongside the home region, provide the following value for this parameter.
```yaml
enabledRegions:
  - *HOME_REGION
  - us-west-2
```
homeRegion (Readonly)
Accelerator home region name: the region where the accelerator pipeline is deployed. To use us-east-1 as the home region, provide the following value for this parameter. Note: the YAML anchor HOME_REGION is defined here so the home region can be referenced later in the same file (for example as *HOME_REGION in enabledRegions).
```yaml
homeRegion: &HOME_REGION us-east-1
```
limits (Readonly)
AWS Service Quota limit configuration. To request a limit increase through Service Quotas, provide a value such as the following for this parameter.
```yaml
limits:
  - serviceCode: lambda
    quotaCode: L-2ACBD22F
    value: 2000
    deploymentTargets:
      organizationalUnits:
        - root
      accounts:
```
logging (Readonly)
Accelerator logging configuration. To configure the organization trail and send Session Manager logs to S3, provide a value such as the following for this parameter. Note that in this snippet cloudtrail.enable and organizationTrail are both false, so no organization trail is created until they are set to true.
```yaml
logging:
  account: LogArchive
  cloudtrail:
    enable: false
    organizationTrail: false
    cloudtrailInsights:
      apiErrorRateInsight: true
      apiCallRateInsight: true
  sessionManager:
    sendToCloudWatchLogs: false
    sendToS3: true
  cloudwatchLogs:
    dynamicPartitioning: logging/dynamic-partition.json
```
managementAccountAccessRole (Readonly)
This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.
Examples:
reports (Readonly)
Report configuration. To enable a budget report along with the Cost and Usage Report, provide a value such as the following for this parameter.
```yaml
reports:
  costAndUsageReport:
    compression: Parquet
    format: Parquet
    reportName: accelerator-cur
    s3Prefix: cur
    timeUnit: DAILY
    refreshClosedReports: true
    reportVersioning: CREATE_NEW_REPORT
  budgets:
    - name: accel-budget
      timeUnit: MONTHLY
      type: COST
      amount: 2000
      includeUpfront: true
      includeTax: true
      includeSupport: true
      includeSubscription: true
      includeRecurring: true
      includeOtherSubscription: true
      includeDiscount: true
      includeCredit: false
      includeRefund: false
      useBlended: false
      useAmortized: false
      unit: USD
      notification:
        - type: ACTUAL
          thresholdType: PERCENTAGE
          threshold: 90
          comparisonOperator: GREATER_THAN
          subscriptionType: EMAIL
          address: myemail+pa-budg@example.com
```
snsTopics (Readonly)
SNS Topics Configuration. To send CloudWatch Alarms and Security Hub notifications, configure at least one SNS topic. For Security Hub notifications, set the deployment target to Root in order to receive notifications from all accounts.
```yaml
snsTopics:
  deploymentTargets:
    organizationalUnits:
      - Root
  topics:
    - name: Security
      emailAddresses:
        - SecurityNotifications@example.com
```
ssmInventory (Readonly)
SSM Inventory Configuration. See the EC2 prerequisites and connectivity prerequisites for SSM Inventory before enabling it.
```yaml
ssmInventory:
  enable: true
  deploymentTargets:
    organizationalUnits:
      - Infrastructure
```
terminationProtection (Readonly)
Whether to enable termination protection for this stack.
FILENAME (Static, Readonly)
Global configuration file name; this file must be present in the accelerator config repository.
Private members without documentation: check…, check…, get…, get…, is…, validate… (names truncated on this page).
Private validation methods (each named validate…):
- Validates that budget deployment target OUs exist; deployment target OUs must be part of the organization config file.
- Validates the budget notification email address.
- Validates that the central logs bucket region is in the enabled region list; the CentralLogs bucket region must be one of the pipeline's enabled regions.
- Validates S3 resource policy file existence (two methods).
- One undocumented method.
- Validates CloudWatch Logs replication.
- Validates CloudWatch Logs dynamic partitioning and enforces the expected key-value format.
- Validates CloudWatch Logs exclusion inputs.
- Two undocumented methods.
- Validates S3 lifecycle rules for the central log bucket.
- Validates S3 lifecycle rules for cost reporting.
- Validates that the logging target account name exists; deployment target accounts must be part of the accounts config file.
- Two undocumented methods.
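As an added illustration, and not the project's own code, the following Python re-implements four of the checks listed above over a constructed global-config sample built from the snippets on this page: home region present in enabledRegions, logging target account present in the accounts config, deployment target OUs present in the organization config, and a well-formed budget notification email address. The organization OU list and account name list stand in for the organization and accounts config files and are assumed values.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample modelled on the global-config snippets documented above (not the
# project's own data). YAML anchor &HOME_REGION and alias *HOME_REGION become one string.
HOME_REGION = "us-east-1"
GLOBAL_CONFIG: Dict[str, Any] = {
    "homeRegion": HOME_REGION,
    "enabledRegions": [HOME_REGION, "us-west-2"],
    "logging": {"account": "LogArchive"},
    "backup": {"vaults": [{"name": "MyBackUpVault",
                           "deploymentTargets": {"organizationalUnits": ["Root"]}}]},
    "snsTopics": {"deploymentTargets": {"organizationalUnits": ["Root"]}},
    "ssmInventory": {"deploymentTargets": {"organizationalUnits": ["Infrastructure"]}},
    "reports": {"budgets": [{"name": "accel-budget",
                             "notification": [{"subscriptionType": "EMAIL",
                                               "address": "myemail+pa-budg@example.com"}]}]},
}
# Assumed contents of the organization and accounts config files the checks consult.
ORG_OUS: Set[str] = {"Root", "Infrastructure", "Security"}
ACCOUNT_NAMES: Set[str] = {"Management", "LogArchive", "Audit"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def deployment_target_ous(cfg: Dict[str, Any]):
    """Yield (owner, ou) for every deploymentTargets block the snippets above use."""
    blocks = [(f"backup vault {v['name']}", v) for v in cfg.get("backup", {}).get("vaults", [])]
    blocks += [(f"budget {b['name']}", b) for b in cfg.get("reports", {}).get("budgets", [])]
    blocks += [(k, cfg[k]) for k in ("snsTopics", "ssmInventory") if k in cfg]
    for owner, block in blocks:
        for ou in block.get("deploymentTargets", {}).get("organizationalUnits", []):
            yield owner, ou


def validate_global_config(cfg: Dict[str, Any], org_ous: Set[str], account_names: Set[str]) -> List[str]:
    """Return every failure found; an empty list means the config passed these checks."""
    errors: List[str] = []
    if cfg["homeRegion"] not in cfg["enabledRegions"]:
        errors.append(f"homeRegion {cfg['homeRegion']} is not in enabledRegions")
    log_account = cfg.get("logging", {}).get("account")
    if log_account not in account_names:
        errors.append(f"logging.account {log_account!r} is not in the accounts config")
    for owner, ou in deployment_target_ous(cfg):
        if ou not in org_ous:
            errors.append(f"{owner}: deployment target OU {ou!r} is not in the organization config")
    for budget in cfg.get("reports", {}).get("budgets", []):
        for note in budget.get("notification", []):
            addr = note.get("address", "")
            if note.get("subscriptionType") == "EMAIL" and not EMAIL_RE.match(addr):
                errors.append(f"budget {budget['name']}: invalid notification address {addr!r}")
    return errors
```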
load (Static)
Load from a file in the given directory. Takes the directory and an optional validateConfig: boolean parameter.

load… (Static)
Load from string content.
Accelerator global configuration