/**
* Copyright © 2014-2022 HashiCorp, Inc.
*
* This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/.
*
*/
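# Source CIDR blocks allowed to reach the load balancer. With the null default
# this variable supplies no allow-list; check the module's security-group rules
# to confirm what the listener is exposed to in that case.
variable "allowed_inbound_cidrs_lb" {
  type        = list(string)
  description = "(Optional) List of CIDR blocks to permit inbound traffic from to load balancer"
  default     = null

  # Reject malformed entries at plan time rather than inside the AWS provider.
  # cidrhost() only succeeds on a syntactically valid IPv4/IPv6 prefix. A
  # conditional (not ||) is used so the for-expression is never evaluated
  # against a null list.
  validation {
    condition = var.allowed_inbound_cidrs_lb == null ? true : length([
      for cidr in var.allowed_inbound_cidrs_lb : cidr if !can(cidrhost(cidr, 0))
    ]) == 0
    error_message = "Every entry in allowed_inbound_cidrs_lb must be a valid CIDR block, for example 10.0.0.0/16."
  }
}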
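# Source CIDR blocks allowed to open SSH to the Vault nodes. Keep this as narrow
# as possible (bastion or admin ranges); with the null default no allow-list is
# supplied by this variable — confirm in the security-group rules whether that
# means no SSH rule is created.
variable "allowed_inbound_cidrs_ssh" {
  type        = list(string)
  description = "(Optional) List of CIDR blocks to permit for SSH to Vault nodes"
  default     = null

  # Same plan-time shape check as allowed_inbound_cidrs_lb: every entry must be
  # a valid CIDR prefix. A conditional is used so a null list is never iterated.
  validation {
    condition = var.allowed_inbound_cidrs_ssh == null ? true : length([
      for cidr in var.allowed_inbound_cidrs_ssh : cidr if !can(cidrhost(cidr, 0))
    ]) == 0
    error_message = "Every entry in allowed_inbound_cidrs_ssh must be a valid CIDR block, for example 10.0.0.0/16."
  }
}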
# Extra target groups the Vault ASG should register with, on top of the one the
# module creates itself. Presumably target group ARNs — confirm against the ASG
# resource that consumes this list.
variable "additional_lb_target_groups" {
  description = "(Optional) List of load balancer target groups to associate with the Vault cluster. These target groups are _in addition_ to the LB target group this module provisions by default."
  type        = list(string)
  default     = []
}
# Tags merged onto every taggable resource the module creates. Empty by default.
variable "common_tags" {
  description = "(Optional) Map of common tags for all taggable AWS resources."
  type        = map(string)
  default     = {}
}
# EC2 instance type used for the Vault nodes.
variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "m5.xlarge"
}
# Name of an existing EC2 key pair for SSH access to the nodes. Optional; with
# the null default no key pair is presumably attached — verify in the launch
# configuration. Pair with allowed_inbound_cidrs_ssh to limit who can reach SSH.
variable "key_name" {
  description = "(Optional) key pair to use for SSH access to instance"
  type        = string
  default     = null
}
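# Pending-deletion window for the KMS key the module generates. This key backs
# Vault auto-unseal (see user_supplied_kms_key_arn), so the window is the time
# you have to cancel an accidental deletion before the unseal key — and with it
# the ability to unseal existing storage — is gone for good. Consider a longer
# window than the minimum for production clusters.
variable "kms_key_deletion_window" {
  type        = number
  default     = 7
  description = "Duration in days after which the key is deleted after destruction of the resource (must be between 7 and 30 days)."

  # Enforce the range the description already promises; KMS rejects values
  # outside 7-30 days at apply time, this surfaces the mistake at plan time.
  validation {
    condition     = var.kms_key_deletion_window >= 7 && var.kms_key_deletion_window <= 30
    error_message = "The variable kms_key_deletion_window must be between 7 and 30 days."
  }
}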
# Required. Server name used for mTLS between cluster members; it is expected to
# match one of the DNS SANs on the certificate stored under secrets_manager_arn
# (inferred from the two descriptions — confirm against the userdata script).
variable "leader_tls_servername" {
  description = "One of the shared DNS SAN used to create the certs use for mTLS"
  type        = string
}
# Required. ACM certificate ARN that the load balancer listener serves.
variable "lb_certificate_arn" {
  description = "ARN of TLS certificate imported into ACM for use with LB listener"
  type        = string
}
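# Seconds a deregistering target stays in "draining" before it is marked
# unused. The type is left as string for compatibility with existing callers
# (the numeric default is converted to "300" by Terraform); the validation
# below still requires a number in the 0-3600 range the target-group API
# accepts.
variable "lb_deregistration_delay" {
  type        = string
  description = "Amount time, in seconds, for Vault LB target group to wait before changing the state of a deregistering target from draining to unused."
  default     = 300

  # Conditional rather than && so tonumber() is only applied once we know the
  # value parses; otherwise the right-hand side would raise instead of failing
  # the validation cleanly.
  validation {
    condition     = can(tonumber(var.lb_deregistration_delay)) ? tonumber(var.lb_deregistration_delay) >= 0 && tonumber(var.lb_deregistration_delay) <= 3600 : false
    error_message = "The variable lb_deregistration_delay must be a number of seconds between 0 and 3600."
  }
}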
# Path the target group polls for node health. The query parameters override
# the HTTP status Vault returns for each state, so active, standby, sealed and
# uninitialized nodes all answer 200 and remain "healthy" in the target group.
# That keeps nodes registered while the cluster is bootstrapping, but it also
# means the LB keeps forwarding requests to sealed nodes. Drop sealedcode=200
# (and/or uninitcode=200) if the LB should stop routing to such nodes.
variable "lb_health_check_path" {
  description = "The endpoint to check for Vault's health status."
  type        = string
  default     = "/v1/sys/health?activecode=200&standbycode=200&sealedcode=200&uninitcode=200"
}
# Which ELB flavour fronts the cluster. Constrained to the two values the rest
# of the module understands.
variable "lb_type" {
  type        = string
  default     = "application"
  description = "The type of load balancer to provision; network or application."

  validation {
    condition     = contains(["application", "network"], var.lb_type)
    error_message = "The variable lb_type must be one of: application, network."
  }
}
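# Desired number of Vault nodes in the auto-scaling group. Vault's consensus-
# based storage backends expect an odd member count to avoid split votes, so
# 3 or 5 are the usual choices; confirm the storage backend in the userdata
# script before relying on that here.
variable "node_count" {
  type        = number
  default     = 5
  description = "Number of Vault nodes to deploy in ASG"

  # A zero or negative count produces an ASG with no Vault nodes; catch it at
  # plan time.
  validation {
    condition     = var.node_count >= 1
    error_message = "The variable node_count must be at least 1."
  }
}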
# Permissions boundary applied to every IAM role the module creates. Optional;
# null attaches no boundary. Presumably the managed policy's ARN — confirm
# against the IAM submodule.
variable "permissions_boundary" {
  type        = string
  default     = null
  description = "(Optional) IAM Managed Policy to serve as permissions boundary for created IAM Roles"
}
# Required. Subnets the Vault ASG launches into; named "private" because the
# nodes are meant to sit behind the load balancer rather than be reachable
# directly.
variable "private_subnet_ids" {
  description = "Subnet IDs to deploy Vault into"
  type        = list(string)
}
# Required. Prefix applied to names and tags of the AWS resources the module
# creates, so several clusters can coexist in one account.
variable "resource_name_prefix" {
  description = "Resource name prefix used for tagging and naming AWS resources"
  type        = string
}
# Required. Secrets Manager secret holding the TLS material the nodes load at
# boot. The instance role needs read access to exactly this secret; avoid
# granting it a wildcard over the whole Secrets Manager namespace.
variable "secrets_manager_arn" {
  description = "Secrets manager ARN where TLS cert info is stored"
  type        = string
}
# Predefined ELB security policy for the TLS listener. The default is a
# TLS 1.2-only policy from 2017; AWS publishes newer predefined policies that
# also enable TLS 1.3 (for example ELBSecurityPolicy-TLS13-1-2-2021-06), which
# callers can pass here without any other change to the module.
variable "ssl_policy" {
  description = "SSL policy to use on LB listener"
  type        = string
  default     = "ELBSecurityPolicy-TLS-1-2-2017-01"
}
# Bring-your-own AMI. Optional; when null the module picks its own image. A
# custom AMI must still satisfy the bundled userdata script (Ubuntu LTS is
# assumed) unless a custom script is given via user_supplied_userdata_path.
variable "user_supplied_ami_id" {
  default     = null
  type        = string
  description = "(Optional) User-provided AMI ID to use with Vault instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
}
# Bring-your-own instance role. Optional; null lets the IAM submodule create
# one. The supplied role needs the same minimum permissions as the generated
# one (cloud auto-join and auto-unseal) — no more, since anything the node can
# do is reachable from a compromised instance.
variable "user_supplied_iam_role_name" {
  default     = null
  type        = string
  description = "(Optional) User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal."
}
# Bring-your-own auto-unseal key. Optional; when set the KMS submodule creates
# no key. Presumably the key policy must then grant the instance role the
# encrypt/decrypt operations auto-unseal performs — confirm against the IAM
# submodule and the generated key's policy.
variable "user_supplied_kms_key_arn" {
  default     = null
  type        = string
  description = "(Optional) User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal"
}
# Local path to a custom userdata script that replaces the module's bundled
# one. Optional; null keeps the default script. Anything placed here runs as
# root on every node at boot, so treat the file with the same care as the
# module code itself.
variable "user_supplied_userdata_path" {
  default     = null
  type        = string
  description = "(Optional) File path to custom userdata script being supplied by the user"
}
# Vault release to install on the nodes. Pinning a specific version keeps
# every node in the ASG identical; bump deliberately and check the release
# notes for security fixes before doing so.
variable "vault_version" {
  description = "Vault version"
  type        = string
  default     = "1.11.0"
}
# Required. VPC that owns private_subnet_ids and in which the security groups
# and load balancer are created.
variable "vpc_id" {
  description = "VPC ID where Vault will be deployed"
  type        = string
}