OpenTofu Modules
Reusable OpenTofu modules for AWS infrastructure with security-first defaults, Checkov and Trivy validation, and consistent patterns across all modules
This is my collection of reusable OpenTofu modules for provisioning AWS infrastructure. Each module follows a consistent design philosophy emphasizing security, validation, and minimal configuration to get production-ready resources deployed quickly.
Design Philosophy
- Security-first: All modules are validated with Checkov and Trivy to catch misconfigurations before deployment
- Sensible defaults: Modules work out of the box with secure defaults while remaining configurable for advanced use cases
- Consistent patterns: Every module follows the same structure, naming conventions, and input/output patterns
- Well-tested: Automated CI pipelines validate modules on every change
Common Patterns
All modules in this collection share these conventions:
- OpenTofu >= 1.9 required
- AWS Provider ~> 6 compatibility
- MIT Licensed for unrestricted use
- Standard variable naming (name_prefix, tags, etc.)
- Outputs designed for composability between modules
Usage
Browse the individual modules below for specific documentation, input variables, and usage examples.
Modules
AWS DynamoDB
OpenTofu module for provisioning AWS DynamoDB tables with global secondary indexes, multi-region replication, point-in-time recovery, and KMS encryption
AWS ECR
OpenTofu module for provisioning AWS ECR repositories with image scanning on push, tag immutability, lifecycle policies, and IAM-based push access control
AWS EventBridge Target
OpenTofu module for provisioning AWS EventBridge rules and targets with event pattern matching, dead-letter queue support, and configurable retry policies
AWS Global Accelerator
OpenTofu module for provisioning AWS Global Accelerator with static anycast IPs, listener management, endpoint groups, and S3 flow logs
AWS Hosted Domain
OpenTofu module for provisioning AWS Route53 hosted zones with DNSSEC, query logging, multiple DNS record types, and subdomain delegation support
AWS IAM Role
OpenTofu module for creating AWS IAM roles with inline policies, managed policy attachments, flexible assume role configuration, and permission boundaries
AWS KMS Key
OpenTofu module for provisioning AWS KMS keys with alias, anti-lockout policy, custom key policies, rotation, and multi-region support
AWS Lambda
OpenTofu module for provisioning AWS Lambda functions with CloudWatch logs, IAM roles, VPC support, and both zip and container image deployments
AWS Log Group Queries
OpenTofu module for creating reusable CloudWatch Log Insights saved queries across multiple log groups with folder-based organization
AWS S3
OpenTofu module for provisioning AWS S3 buckets with server-side encryption, access logging, versioning, and lifecycle policies for automatic object management
AWS Scheduled Lambda
OpenTofu module for provisioning scheduled AWS Lambda functions triggered by EventBridge cron or rate expressions with VPC and Secrets Manager support
AWS Secrets Manager
OpenTofu module for provisioning AWS Secrets Manager secrets with resource policies, optional KMS encryption, and automatic Lambda-based rotation
AWS SQS
OpenTofu module for provisioning AWS SQS standard and FIFO queues with dead-letter queue support, KMS encryption, and high-throughput mode
AWS VPC
OpenTofu module for provisioning AWS VPCs with public and private subnets, NAT gateways, DNS firewall, VPC endpoints, and optional load balancer