aws-ia
diff --git a/‎.tfsec/launch_configuration_imdsv2_tfchecks.json‎
Lines changed: 0 additions & 39 deletions b/‎.tfsec/launch_configuration_imdsv2_tfchecks.json‎
Lines changed: 0 additions & 39 deletions
diff --git a/‎.tfsec/launch_template_imdsv2_tfchecks.json‎
Lines changed: 0 additions & 39 deletions b/‎.tfsec/launch_template_imdsv2_tfchecks.json‎
Lines changed: 0 additions & 39 deletions
diff --git a/‎.tfsec/no_launch_config_tfchecks.json‎
Lines changed: 0 additions & 27 deletions b/‎.tfsec/no_launch_config_tfchecks.json‎
Lines changed: 0 additions & 27 deletions
diff --git a/‎.tfsec/sg_no_embedded_egress_rules_tfchecks.json‎
Lines changed: 0 additions & 27 deletions b/‎.tfsec/sg_no_embedded_egress_rules_tfchecks.json‎
Lines changed: 0 additions & 27 deletions
diff --git a/‎.tfsec/sg_no_embedded_ingress_rules_tfchecks.json‎
Lines changed: 0 additions & 27 deletions b/‎.tfsec/sg_no_embedded_ingress_rules_tfchecks.json‎
Lines changed: 0 additions & 27 deletions
diff --git a/‎README.md‎
Lines changed: 39 additions & 20 deletions b/‎README.md‎
Lines changed: 39 additions & 20 deletions
diff --git a/‎main.tf‎
Lines changed: 55 additions & 0 deletions b/‎main.tf‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎outputs.tf‎
Lines changed: 19 additions & 0 deletions b/‎outputs.tf‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎variables.tf‎
Lines changed: 42 additions & 0 deletions b/‎variables.tf‎
Lines changed: 42 additions & 0 deletions
@@ -1,4 +1,3 @@
-<!-- BEGIN_TF_DOCS -->
 # Creating modules for AWS I&A Organization
 
 This repo template is used to seed Terraform Module templates for the [AWS I&A GitHub organization](https://github.com/aws-ia). Usage of this template is allowed per included license. PRs to this template will be considered but are not guaranteed to be included. Consider creating an issue to discuss a feature you want to include before taking the time to create a PR.
@@ -63,31 +62,51 @@ For best practices and information on developing with Terraform, see the [I&A Mo
 
 The I&A team uses AWS CodeBuild to perform continuous integration (CI) within the organization. Our CI uses the a repo's `.pre-commit-config.yaml` file as well as some other checks. All PRs with other CI will be rejected. See our [FAQ](https://aws-ia.github.io/standards-terraform/faq/#are-modules-protected-by-ci-automation) for more details.
 
-## Requirements
+### Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0, < 5.0.0 |
-| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 0.24.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.4 |
 
-## Providers
+### Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
 
-## Modules
+### Modules
 
 No modules.
 
-## Resources
-
-No resources.
-
-## Inputs
-
-No inputs.
-
-## Outputs
-
-No outputs.
-<!-- END_TF_DOCS -->
+### Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_health_check.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource |
+| [aws_shield_protection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection) | resource |
+| [aws_shield_protection_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection_group) | resource |
+| [aws_shield_protection_health_check_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection_health_check_association) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aggregation"></a> [aggregation](#input\_aggregation) | Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | A friendly name for the Protection you are creating. | `string` | n/a | yes |
+| <a name="input_pattern"></a> [pattern](#input\_pattern) | The criteria to use to choose the protected resources for inclusion in the group. | `string` | n/a | yes |
+| <a name="input_protection_group_id"></a> [protection\_group\_id](#input\_protection\_group\_id) | The name of the protection group. | `string` | n/a | yes |
+| <a name="input_resource_arn"></a> [resource\_arn](#input\_resource\_arn) | The ARN (Amazon Resource Name) of the resource to be protected. | `string` | n/a | yes |
+| <a name="input_health_check_configuration"></a> [health\_check\_configuration](#input\_health\_check\_configuration) | Amazon Route53 Health Check Configuration to be associated to AWS Shield Advanced Protection. | `map(any)` | `null` | no |
+| <a name="input_resource_type"></a> [resource\_type](#input\_resource\_type) | The resource type to include in the protection group. This is required if `pattern` is set to BY\_RESOURCE\_TYPE. Otherwise this must be not set. Defaults to `null` | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Key-value map of resource tags. Defaults to `{}` | `map(string)` | `{}` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_route53_health_check"></a> [route53\_health\_check](#output\_route53\_health\_check) | Amazon Route53 Health Check Configuration. |
+| <a name="output_shied_protection"></a> [shied\_protection](#output\_shied\_protection) | AWS Shield Advanced Protection and assigned resources. |
+| <a name="output_shied_protection_group"></a> [shied\_protection\_group](#output\_shied\_protection\_group) | Group of protected resources to be collectivelly handled by AWS Shield Advanced. |
+| <a name="output_shield_protection_health_check_association"></a> [shield\_protection\_health\_check\_association](#output\_shield\_protection\_health\_check\_association) | Association between an Amazon Route53 Health Check and an AWS Shield Advanced protected resource. |
@@ -0,0 +1,55 @@
+locals {
+  tags = {
+    Repository = "https://github.com/aws-ia/terraform-aws-shield-advanced"
+  }
+}
+
+##################################################
+# Shield Advanced Protection
+##################################################
+resource "aws_shield_protection" "this" {
+  name         = var.name
+  resource_arn = var.resource_arn
+  tags = merge(
+    local.tags,
+    var.tags
+  )
+}
+
+resource "aws_shield_protection_group" "this" {
+  protection_group_id = var.protection_group_id
+  aggregation         = var.aggregation
+  pattern             = var.pattern
+  members             = [var.resource_arn]
+  resource_type       = var.resource_type
+  tags = merge(
+    local.tags,
+    var.tags
+  )
+
+  depends_on = [aws_shield_protection.this]
+}
+
+##################################################
+# Health Check
+##################################################
+resource "aws_route53_health_check" "this" {
+  for_each          = var.health_check_configuration
+  ip_address        = each.value.resource_ip
+  port              = each.value.health_check_port
+  type              = each.value.health_check_type
+  resource_path     = each.value.health_check_path
+  failure_threshold = each.value.health_check_threshold
+  request_interval  = each.value.health_check_interval
+
+  tags = merge(
+    local.tags,
+    var.tags
+  )
+}
+
+resource "aws_shield_protection_health_check_association" "this" {
+  for_each             = aws_route53_health_check.this
+  health_check_arn     = aws_route53_health_check.this[each.key].arn
+  shield_protection_id = aws_shield_protection.this.id
+}
@@ -0,0 +1,19 @@
+output "shied_protection" {
+  description = "AWS Shield Advanced Protection and assigned resources."
+  value       = aws_shield_protection.this
+}
+
+output "shied_protection_group" {
+  description = "Group of protected resources to be collectivelly handled by AWS Shield Advanced."
+  value       = aws_shield_protection_group.this
+}
+
+output "route53_health_check" {
+  description = "Amazon Route53 Health Check Configuration."
+  value       = aws_route53_health_check.this
+}
+
+output "shield_protection_health_check_association" {
+  description = "Association between an Amazon Route53 Health Check and an AWS Shield Advanced protected resource."
+  value       = aws_shield_protection_health_check_association.this
+}
@@ -0,0 +1,42 @@
+variable "name" {
+  description = "A friendly name for the Protection you are creating."
+  type        = string
+}
+
+variable "resource_arn" {
+  description = "The ARN (Amazon Resource Name) of the resource to be protected."
+  type        = string
+}
+
+variable "protection_group_id" {
+  description = "The name of the protection group."
+  type        = string
+}
+
+variable "aggregation" {
+  description = "Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events."
+  type        = string
+}
+
+variable "pattern" {
+  description = "The criteria to use to choose the protected resources for inclusion in the group."
+  type        = string
+}
+
+variable "resource_type" {
+  description = "The resource type to include in the protection group. This is required if `pattern` is set to BY_RESOURCE_TYPE. Otherwise this must be not set. Defaults to `null`"
+  type        = string
+  default     = null
+}
+
+variable "health_check_configuration" {
+  description = "Amazon Route53 Health Check Configuration to be associated to AWS Shield Advanced Protection."
+  type        = map(any)
+  default     = null
+}
+
+variable "tags" {
+  description = "Key-value map of resource tags. Defaults to `{}`"
+  type        = map(string)
+  default     = {}
+}