Skip to main content

Account Factory Configurations

Account factory configurations are located under the pipelines key in ./.gruntwork/config.yml

pipelines Options

access-control-repo-name

Name of the infrastructure-live-access-control repository

Example
pipelines:
access-control-repo-name: infrastructure-live-access-control

account-baseline-disable-vpc-inputs

If set to true, the terragrunt.hcl generated for the VPC in new delegated accounts will not pass any inputs to the VPC module. This is useful for customers with custom VPC configurations: e.g., IPAM, transit subnets, private NAT, etc. All of this custom config can go into vpc-app.hcl in _envcommon directly in the customer's infra-live repo.

false
Example
pipelines:
account-baseline-disable-vpc-inputs: true

account-baseline-vpc-module-url

URL of the account baseline VPC module used by account factory

git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc
Example
pipelines:
account-baseline-vpc-module-url: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//modules/networking/vpc

account-baseline-vpc-module-version

Version of the account-baseline-vpc-module

v0.48.1
Example
pipelines:
account-baseline-vpc-module-version: v0.48.1

arch-catalog-base-path

./terraform-aws-architecture-catalog
Example
pipelines:
arch-catalog-base-path: ./terraform-aws-architecture-catalog

arch-catalog-repo-url

arch-catalog-repo-urlstringrequired

URL of the architecture catalog repo used in templates

Example
pipelines:
arch-catalog-repo-url: git@github.com:gruntwork-io/terraform-aws-architecture-catalog

arch-catalog-version

arch-catalog-versionstringrequired

Version of the arch-catalog-repo modules used in templates.

Example
pipelines:
arch-catalog-version: v2.11.1

aws-security-repo-url

aws-security-repo-urlstringoptional

URL of the terraform-aws-security repo to use in delegated repositories

git@github.com:gruntwork-io/terraform-aws-security.git
Example
pipelines:
aws-security-repo-url: git@github.com:gruntwork-io/terraform-aws-security.git

aws-utilities-repo-url

URL of the terraform-aws-utilities repo to use in delegated repositories

git@github.com:gruntwork-io/terraform-aws-utilities.git
Example
pipelines:
aws-utilities-repo-url: git@github.com:gruntwork-io/terraform-aws-utilities.git

cis-service-catalog-repo-url

URL of the terraform-aws-cis-service-catalog repo to use in delegated repositories

git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git
Example
pipelines:
cis-service-catalog-repo-url: git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git

control-tower-modules-version

Version of the control-tower-repo modules used in templates

Example
pipelines:
control-tower-modules-version: v0.7.5

control-tower-repo-url

URL of the terraform-aws-control-tower repo

git@github.com:gruntwork-io/terraform-aws-control-tower.git
Example
pipelines:
control-tower-repo-url: git@github.com:gruntwork-io/terraform-aws-control-tower.git

default-aws-region

default-aws-regionstringrequired

Default AWS region for infrastructure managed in this repository

Example
pipelines:
default-aws-region: us-east-1

github-org

github-orgstringrequired

GitHub Organization this repository belongs to

Example
pipelines:
github-org: acmecorp

infra-modules-repo-name

Name of the infrastructure-catalog (previously referred to as infrastructure-modules) repository

Example
pipelines:
infra-modules-repo-name: infrastructure-modules

infra-modules-release-version

Version of the infrastructure-catalog (previously referred to as infrastructure-modules) modules used in templates

Example
pipelines:
infra-modules-release-version: v0.1.0

logs-account-name

logs-account-namestringoptional

Override the folder for the logs account

logs
Example
pipelines:
logs-account-name: logs

management-account-name

Override the folder for the management account

management
Example
pipelines:
management-account-name: management

module-security-version

Version of the aws-security-repo modules used in templates.

Example
pipelines:
module-security-version: v0.73.2

security-account-name

security-account-namestringoptional

Override the folder for the security account

security
Example
pipelines:
security-account-name: security

shared-account-name

shared-account-namestringoptional

Override the folder for the shared account

shared
Example
pipelines:
shared-account-name: shared

single-account-baseline-template-path

/templates/single-account-baseline

Enterprise Options

account-vending

account-vendingsequence(mapping)required

A sequence of account types mapped to their configurations see below. Valid types are sandbox and sdlc.

Example
pipelines:
account-vending:
sandbox:
account-identifiers:
- sandbox
sdlc:
account-identifiers:
- dev
- stage
- prod

catalog-tags-location

catalog-tags-locationstringoptional

The full path to a tags.yml file for centrally managed tags, e.g. acme/repo/contents/path/to/tags.yml

Example
pipelines:
catalog-tags-location: acmecorp/infrastructure-catalog/contents/common_tags.yml

pipelines-read-token-name

The name of the PIPELINES_READ_TOKEN secret to use in delegated repositories

Example
pipelines:
pipelines-read-token-name: PIPELINES_READ_TOKEN
PIPELINES_READ_TOKEN

pipelines-workflow-location

The location of the pipelines workflow to use for delegated repositories

Example
pipelines:
pipelines-workflow-location: gruntwork-io/pipelines-workflows/.github/workflows/pipelines.yml@v3

Account Type Configuration

account-identifiers

account-identifierssequence(string)required

Sequence of account identifiers. Alphanumeric account identifiers only. On account requests, an account will be created for each specified identifier & the account name will include the identifier. e.g. "<ACCOUNT-FAMILY>-dev"

Example
pipelines:
account-vending:
sdlc:
account-identifiers:
- dev
- stage
- prod

catalog-repositories

catalog-repositoriessequence(string)optional

Sequence of repositories that contain infrastructure modules that can be easily leveraged as a catalog by delegated repositories vended by the infrastructure-root repository. For more information, see Terragrunt Catalog

Example
pipelines:
account-vending:
sdlc:
catalog-repositories:
- "github.com/acmecorp/infrastructure-catalog//."

github-collaborators

github-collaboratorssequence(mapping)optional

Sequence of GitHub teams and their permissions automatically added to delegated repositories vended by the infrastructure-root repository. Valid permissions are: pull, triage, push, maintain and admin (in addition to custom roles if any exist) See GitHub Repository Roles

Example
pipelines:
account-vending:
sandbox:
github-collaborators:
- team: 'team-name'
permission: pull

Deprecated Configuration Options

arch-catalog-repo-name

arch-catalog-repo-namestringdeprecated

Name of the architecture catalog - will be used if arch-catalog-repo-url is not present but should be removed in favor of arch-catalog-repo-url.

infra-modules-version

infra-modules-versionstringdeprecated

Version of infrastructure-catalog (previously referred to as infrastructure-modules) - will be used if infra-modules-release-version is not present but should be removed in favor of infra-modules-release-version.