Account Factory Configurations

Account factory configurations are located under the pipelines key in ./.gruntwork/config.yml.

pipelines Options

access-control-repo-name

Name of the infrastructure-live-access-control repository

Example
pipelines:
  access-control-repo-name: infrastructure-live-access-control

account-baseline-disable-vpc-inputs

If set to true, the terragrunt.hcl generated for the VPC in new delegated accounts will not pass any inputs to the VPC module. This is useful for customers with custom VPC configurations: e.g., IPAM, transit subnets, private NAT, etc. All of this custom config can go into vpc-app.hcl in _envcommon directly in the customer's infra-live repo.

Default: false
Example
pipelines:
  account-baseline-disable-vpc-inputs: true

account-baseline-vpc-module-url

URL of the account baseline VPC module used by account factory

Default: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc
Example
pipelines:
  account-baseline-vpc-module-url: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc

account-baseline-vpc-module-version

Version of the account-baseline-vpc-module

Default: v0.48.1
Example
pipelines:
  account-baseline-vpc-module-version: v0.48.1

arch-catalog-base-path

Default: ./terraform-aws-architecture-catalog
Example
pipelines:
  arch-catalog-base-path: ./terraform-aws-architecture-catalog

arch-catalog-repo-url

arch-catalog-repo-url (string, required)

URL of the architecture catalog repo used in templates

Example
pipelines:
  arch-catalog-repo-url: git@github.com:gruntwork-io/terraform-aws-architecture-catalog

arch-catalog-version

arch-catalog-version (string, required)

Version of the arch-catalog-repo modules used in templates.

Example
pipelines:
  arch-catalog-version: v2.11.1

aws-security-repo-url

aws-security-repo-url (string, optional)

URL of the terraform-aws-security repo to use in delegated repositories

Default: git@github.com:gruntwork-io/terraform-aws-security.git
Example
pipelines:
  aws-security-repo-url: git@github.com:gruntwork-io/terraform-aws-security.git

aws-utilities-repo-url

URL of the terraform-aws-utilities repo to use in delegated repositories

Default: git@github.com:gruntwork-io/terraform-aws-utilities.git
Example
pipelines:
  aws-utilities-repo-url: git@github.com:gruntwork-io/terraform-aws-utilities.git

cis-service-catalog-repo-url

URL of the terraform-aws-cis-service-catalog repo to use in delegated repositories

Default: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git
Example
pipelines:
  cis-service-catalog-repo-url: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git

control-tower-modules-version

Version of the control-tower-repo modules used in templates

Example
pipelines:
  control-tower-modules-version: v0.7.5

control-tower-repo-url

URL of the terraform-aws-control-tower repo

Default: git@github.com:gruntwork-io/terraform-aws-control-tower.git
Example
pipelines:
  control-tower-repo-url: git@github.com:gruntwork-io/terraform-aws-control-tower.git

default-aws-region

default-aws-region (string, required)

Default AWS region for infrastructure managed in this repository

Example
pipelines:
  default-aws-region: us-east-1

github-org

github-org (string, required)

GitHub Organization this repository belongs to

Example
pipelines:
  github-org: acmecorp

infra-modules-repo-name

Name of the infrastructure-modules repository

Example
pipelines:
  infra-modules-repo-name: infrastructure-modules

infra-modules-release-version

Version of the infrastructure-modules modules used in templates

Example
pipelines:
  infra-modules-release-version: v0.1.0

logs-account-name

logs-account-name (string, optional)

Override the folder for the logs account

Default: logs
Example
pipelines:
  logs-account-name: logs

management-account-name

Override the folder for the management account

Default: management
Example
pipelines:
  management-account-name: management

module-security-version

Version of the aws-security-repo modules used in templates.

Example
pipelines:
  module-security-version: v0.73.2

security-account-name

security-account-name (string, optional)

Override the folder for the security account

Default: security
Example
pipelines:
  security-account-name: security

shared-account-name

shared-account-name (string, optional)

Override the folder for the shared account

Default: shared
Example
pipelines:
  shared-account-name: shared

single-account-baseline-template-path

Default: /templates/single-account-baseline

Enterprise Options

account-vending

account-vending (sequence(mapping), required)

A sequence of account types mapped to their configurations (see below). Valid types are sandbox and sdlc.

Example
pipelines:
  account-vending:
    sandbox:
      account-identifiers:
        - sandbox
    sdlc:
      account-identifiers:
        - dev
        - stage
        - prod

catalog-tags-location

catalog-tags-location (string, optional)

The full path to a tags.yml file for centrally managed tags, e.g. acme/repo/contents/path/to/tags.yml

Example
pipelines:
  catalog-tags-location: acmecorp/infrastructure-modules/contents/common_tags.yml

pipelines-read-token-name

The name of the PIPELINES_READ_TOKEN secret to use in delegated repositories

Example
pipelines:
  pipelines-read-token-name: PIPELINES_READ_TOKEN

Default: PIPELINES_READ_TOKEN

pipelines-workflow-location

The location of the pipelines workflow to use for delegated repositories

Example
pipelines:
  pipelines-workflow-location: gruntwork-io/pipelines-workflows/.github/workflows/pipelines.yml@v3

Account Type Configuration

account-identifiers

account-identifiers (sequence(string), required)

Sequence of account identifiers. Alphanumeric account identifiers only. On account requests, an account will be created for each specified identifier, and the account name will include the identifier, e.g. "<ACCOUNT-FAMILY>-dev".

Example
pipelines:
  account-vending:
    sdlc:
      account-identifiers:
        - dev
        - stage
        - prod

catalog-repositories

catalog-repositories (sequence(string), optional)

Sequence of repositories that contain infrastructure modules that can be easily leveraged as a catalog by delegated repositories vended by the infrastructure-root repository. For more information, see Terragrunt Catalog.

Example
pipelines:
  account-vending:
    sdlc:
      catalog-repositories:
        - "github.com/acmecorp/infrastructure-modules//."

github-collaborators

github-collaborators (sequence(mapping), optional)

Sequence of GitHub teams and their permissions automatically added to delegated repositories vended by the infrastructure-root repository. Valid permissions are: pull, triage, push, maintain and admin (in addition to custom roles, if any exist). See GitHub Repository Roles.

Example
pipelines:
  account-vending:
    sandbox:
      github-collaborators:
        - team: 'team-name'
          permission: pull

Deprecated Configuration Options

arch-catalog-repo-name

arch-catalog-repo-name (string, deprecated)

Name of the architecture catalog - will be used if arch-catalog-repo-url is not present but should be removed in favor of arch-catalog-repo-url.

infra-modules-version

infra-modules-version (string, deprecated)

Version of infrastructure-modules - will be used if infra-modules-release-version is not present but should be removed in favor of infra-modules-release-version.
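
The constraints stated on this page (the pipelines options marked required, the valid account types, alphanumeric account identifiers, the valid collaborator permissions and the deprecated keys) can be checked before a config change is merged. The following is an added example, not Gruntwork's code: lint_pipelines, custom_roles and SAMPLE are hypothetical names, and it assumes ./.gruntwork/config.yml has already been loaded into a Python dict by a YAML parser.

```python
import re

# Rules below come from the option descriptions on this page.
REQUIRED = ("arch-catalog-repo-url", "arch-catalog-version",
            "default-aws-region", "github-org")
ACCOUNT_TYPES = {"sandbox", "sdlc"}
BUILTIN_PERMISSIONS = {"pull", "triage", "push", "maintain", "admin"}
DEPRECATED = {"arch-catalog-repo-name": "arch-catalog-repo-url",
              "infra-modules-version": "infra-modules-release-version"}


def lint_pipelines(config, custom_roles=()):
    """Return a list of findings for the parsed `pipelines` mapping."""
    p = config.get("pipelines") or {}
    findings = [f"missing required key: {k}" for k in REQUIRED if k not in p]
    findings += [f"deprecated key {old}: use {new}"
                 for old, new in DEPRECATED.items() if old in p]
    allowed = BUILTIN_PERMISSIONS | set(custom_roles)  # custom roles are org-specific
    for acct_type, cfg in (p.get("account-vending") or {}).items():
        where = f"account-vending.{acct_type}"
        cfg = cfg or {}
        if acct_type not in ACCOUNT_TYPES:
            findings.append(f"{where}: invalid account type")
        idents = cfg.get("account-identifiers") or []
        if not idents:
            findings.append(f"{where}: account-identifiers is required")
        for ident in idents:
            if not re.fullmatch(r"[A-Za-z0-9]+", str(ident)):
                findings.append(f"{where}: identifier {ident!r} is not alphanumeric")
        for c in cfg.get("github-collaborators") or []:
            if c.get("permission") not in allowed:
                findings.append(f"{where}: team {c.get('team')!r} has unknown "
                                f"permission {c.get('permission')!r}")
    return findings


# Constructed sample, shaped like .gruntwork/config.yml after YAML parsing.
SAMPLE = {"pipelines": {
    "github-org": "acmecorp", "default-aws-region": "us-east-1",
    "arch-catalog-repo-name": "terraform-aws-architecture-catalog",
    "arch-catalog-version": "v2.11.1",
    "account-vending": {
        "sdlc": {"account-identifiers": ["dev", "stage-1"],
                 "github-collaborators": [{"team": "platform", "permission": "write"}]},
        "staging": {"account-identifiers": ["qa"]}},
}}

if __name__ == "__main__":
    print("\n".join(lint_pipelines(SAMPLE)))
```

Pass any organization-specific custom repository roles through custom_roles so they are not reported as unknown permissions.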