# OpenTofu Modules
All infrastructure is managed with OpenTofu 1.9 using reusable modules. Each module lives in `tofu/modules/<name>/` and is consumed by the account-level configurations in `tofu/accounts/nhc/`.
## Module Inventory
| Module | Purpose | Source |
|---|---|---|
| VPC | VPC with public/private subnets, NAT, IGW | modules/vpc |
| EC2 | EC2 instance with SG, EBS, auto-recovery alarm | modules/ec2 |
| RDS | RDS instance with encryption, backups, SG | modules/rds |
| ALB | Application Load Balancer with HTTPS listener | modules/alb |
| S3 | S3 bucket with encryption, versioning, logging | modules/s3 |
| KMS | KMS CMK with key rotation | modules/kms |
| ElastiCache | Redis replication group with encryption | modules/elasticache |
| ECR | Container image repository | modules/ecr |
| ASG | Auto Scaling Group (gated for migration) | modules/asg |
| WAF | WAF v2 web ACL with rate limiting | modules/waf |
| Backup | AWS Backup vault and plan | modules/backup |
| CloudTrail | API audit trail with S3 logging | modules/cloudtrail |
| GuardDuty | Threat detection | modules/guardduty |
| Security Hub | Compliance posture | modules/securityhub |
| AWS Config | Configuration compliance | modules/config |
| IAM | IAM roles and instance profiles | modules/iam |
| Identity Center | SSO via IAM Identity Center | modules/identity-center |
## Usage Pattern
```hcl
module "ec2_django" {
  source = "../../modules/ec2"

  name          = "${var.environment}-nhc-django"
  ami_id        = var.ec2_ami_id
  instance_type = var.ec2_instance_type

  # Placed in a private subnet; reached via the ALB and managed over SSM, not SSH.
  subnet_id = module.vpc.private_subnet_ids[1]
  vpc_id    = module.vpc.vpc_id

  # Root EBS volume is encrypted with the account's EBS CMK from the KMS module.
  kms_key_arn          = module.kms_ebs.key_arn
  iam_instance_profile = module.iam.ec2_ssm_instance_profile_name
  root_volume_size     = 30

  tags = local.common_tags
}
```
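The block above shows the consumer side only. To make the contract between an account configuration and a module concrete, the following is an illustrative implementation of `modules/ec2` written for this page; it is not the project's own module source. The input variable names match the call above, and the resources implement the three properties the inventory lists for the module (security group, encrypted EBS, auto-recovery alarm). The `aws_security_group`, `aws_instance`, `aws_cloudwatch_metric_alarm` and `data.aws_region` resource names, the `gp3` volume type, the IMDSv2 requirement and the output names are assumptions made for the example.

```hcl
# Illustrative tofu/modules/ec2/main.tf (example only, not the project's module).
# Inputs mirror the module call in the Usage Pattern section.
variable "name"                 { type = string }
variable "ami_id"               { type = string }
variable "instance_type"        { type = string }
variable "subnet_id"            { type = string }
variable "vpc_id"               { type = string }
variable "kms_key_arn"          { type = string }
variable "iam_instance_profile" { type = string }

variable "root_volume_size" {
  type    = number
  default = 30
}

variable "tags" {
  type    = map(string)
  default = {}
}

data "aws_region" "current" {}

# Security group with egress only. Ingress is attached by the caller (for example
# a rule from the ALB security group), so a module consumer cannot forget to
# scope inbound access: there is none unless they add it. (Assumed design.)
resource "aws_security_group" "this" {
  name        = "${var.name}-sg"
  description = "Instance SG for ${var.name}; no inbound rules by default"
  vpc_id      = var.vpc_id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = merge(var.tags, { Name = "${var.name}-sg" })
}

resource "aws_instance" "this" {
  ami                    = var.ami_id
  instance_type          = var.instance_type
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.this.id]
  iam_instance_profile   = var.iam_instance_profile

  # Require IMDSv2 (assumed hardening): instance-profile credentials are then
  # not readable through a plain GET, which blunts SSRF against the metadata service.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Root volume encrypted with the caller-supplied CMK (module.kms_ebs.key_arn in the
  # usage pattern) rather than the AWS-managed default key.
  root_block_device {
    volume_size = var.root_volume_size
    volume_type = "gp3"
    encrypted   = true
    kms_key_id  = var.kms_key_arn
  }

  tags = merge(var.tags, { Name = var.name })
}

# Auto-recovery: when the system status check fails for two consecutive minutes,
# the built-in "ec2:recover" action migrates the instance to healthy hardware.
resource "aws_cloudwatch_metric_alarm" "recover" {
  alarm_name          = "${var.name}-auto-recover"
  namespace           = "AWS/EC2"
  metric_name         = "StatusCheckFailed_System"
  statistic           = "Maximum"
  period              = 60
  evaluation_periods  = 2
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
  dimensions          = { InstanceId = aws_instance.this.id }
  alarm_actions       = ["arn:aws:automate:${data.aws_region.current.name}:ec2:recover"]
  tags                = var.tags
}

output "instance_id"       { value = aws_instance.this.id }
output "security_group_id" { value = aws_security_group.this.id }
```

Two checks worth running against a module shaped like this before relying on it: `tofu validate` inside `tofu/modules/ec2/` catches interface drift between the variables and the account-level call, and `tofu plan` in `tofu/accounts/nhc/` should show the root volume with `encrypted = true` and the caller's KMS ARN, not the account default key. Because the security group carries no ingress, any inbound path must appear explicitly in the plan as a separate rule, which is the point of keeping it out of the module.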