HC-vault-on-aws-FORK/variables.tf

# REQUIRED VARIABLES

# SSL Certificate for HTTPS Access

variable "domain_name" {
  description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager.  Example: secrets.examples.com.  Do not include the protocol (i.e. https://)."
  type = string
}

# EC2 - General

variable "ec2_key_pair_name" {
  description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment.  Needs to be made separately."
  type = string
}

# OPTIONAL VARIABLES

# Organization

variable "main_project_tag" {
  description = "Tag that will be attached to all resources."
  type = string
  default = "vault-deployment"
}

# AWS Provider

variable "aws_profile" {
  description = "The AWS Profile to use for this project."
  type = string
  default = "default"
}

variable "aws_default_region" {
  description = "The default AWS region to deploy the Vault infrastructure to."
  type = string
  default = "eu-north-1"
}

# Vault Version

variable "vault_version" {
  description = "Version of vault to use."
  type = string
  default = "1.15.5"
}

variable "bastion_instance_type" {
  description = "The EC2 instance size of the bastion server."
  type = string
  default = "t3.micro"
}

# Operator Mode
## Turning this on will enable NAT and Bastion to access the Vault Instances

variable "operator_mode" {
  description = "Enable a NAT Gateway and Bastion for operator access into the Vault Instances."
  type = bool
  default = true
}

# Private Deploy
## Turning this on will make it so that the Vault Deployemnt is only available through VPC peering

variable "private_mode" {
  description = "Whether or not the Vault deployment should be private."
  type = bool
  default = false
}

## A VPC in the SAME AWS Account and REGION as your Vault deployment.  The VPCs MUST have "enable dns hostnames" active AND cannot use the same CIDR block as the Vault VPC.
variable "peered_vpc_ids" {
  description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."
  type = list(string)
  default = []
}

# Allowed Traffic
## What IP Address ranges (via CIDR) are allowed to access your vault?

variable "allowed_traffic_cidr_blocks" {
  description = "List of CIDR blocks allowed to send requests to your vault endpoint.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
  type = list(string)
  default = ["0.0.0.0/0"]
}

variable "allowed_traffic_cidr_blocks_ipv6" {
  description = "List of IPv6 CIDR blocks allowed to send requests to your vault endpoint.  Defaults to EVERYWHERE.  Set to an empty list if not required."
  type = list(string)
  default = ["::/0"]
}

## What IP Address range can access your bastion server?
variable "allowed_bastion_cidr_blocks" {
  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to EVERYWHERE.  You should probably limit this to your organization IP or VPC CIDR."
  type = list(string)
  default = ["0.0.0.0/0"]
}

variable "allowed_bastion_cidr_blocks_ipv6" {
  description = "List of CIDR blocks allowed to access your Bastion.  Defaults to none."
  type = list(string)
  default = []
}

# AWS VPC

variable "vpc_cidr" {
  description = "Cidr block for the VPC.  Using a /16 or /20 Subnet Mask is recommended."
  type = string
  default = "10.255.0.0/20"
}

variable "vpc_instance_tenancy" {
  description = "Tenancy for instances launched into the VPC."
  type = string
  default = "default"
}

variable "vpc_tags" {
  description = "Additional tags to add to the VPC and its resources."
  type = map(string)
  default = {}
}

# VPC Subnets

variable "vpc_public_subnet_count" {
  description = "The number of public subnets to create.  Cannot exceed the number of AZs in your selected region.  2 is more than enough."
  type = number
  default = 2
}

variable "vpc_private_subnet_count" {
  description = "The number of private subnets to create.  Cannot exceed the number of AZs in your selected region."
  type = number
  default = 2
}

# EC2 - Vault Instance Launch Template

variable "vault_instance_type" {
  description = "The EC2 instance size of the vault instances."
  type = string
  default = "t3.small"
}

# EC2 - Vault Instance AutoScaling Group

variable "vault_instance_count" {
  description = "The number of EC2 instances to launch as vault instances.  Should be no less than 2."
  type = number
  default = 2
}


# EC2 - AMI

variable "use_latest_ami" {
  description = "Whether or not to use the latest version.  Defaults to false and uses a version that is known to work with this deployment."
  type = bool
  default = false
}

variable "ami_id" {
  description = "The AMI ID to use for the Vault instances. Defaults to Debian 12 x86_64."
  type = string
  default = "ami-0506d6d51f1916a96"
}

# DynamoDB

variable "dynamodb_table_name" {
  description = "Name of the DynamoDB Table used for the Vault Storage Backend."
  type = string
  default = "vault_storage"
}

# KMS

variable "kms_tags" {
  description = "Tags for the KMS key used to seal and unseal the Vault."
  type = map(string)
  default = {}
}
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`# REQUIRED VARIABLES`

			`# SSL Certificate for HTTPS Access`

			`variable "domain_name" {`
			`description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager. Example: secrets.examples.com. Do not include the protocol (i.e. https://)."`
			`type = string`
			`}`

			`# EC2 - General`

			`variable "ec2_key_pair_name" {`
			`description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."`
			`type = string`
			`}`

			`# OPTIONAL VARIABLES`

initial commit 2020-04-10 02:37:14 +00:00			`# Organization`

			`variable "main_project_tag" {`
			`description = "Tag that will be attached to all resources."`
			`type = string`
			`default = "vault-deployment"`
			`}`

			`# AWS Provider`

			`variable "aws_profile" {`
			`description = "The AWS Profile to use for this project."`
			`type = string`
			`default = "default"`
			`}`

			`variable "aws_default_region" {`
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`description = "The default AWS region to deploy the Vault infrastructure to."`
initial commit 2020-04-10 02:37:14 +00:00			`type = string`
changing vars, defaults - ver, instance type 2024-02-29 17:31:44 +00:00			`default = "eu-north-1"`
initial commit 2020-04-10 02:37:14 +00:00			`}`

added s3 bucket and associated policies 2020-04-12 21:13:58 +00:00			`# Vault Version`

			`variable "vault_version" {`
			`description = "Version of vault to use."`
			`type = string`
changing vars, defaults - ver, instance type 2024-02-29 17:31:44 +00:00			`default = "1.15.5"`
added s3 bucket and associated policies 2020-04-12 21:13:58 +00:00			`}`

Bastion instance type to variable, defaulting t3.micro 2024-02-29 19:05:35 +00:00			`variable "bastion_instance_type" {`
			`description = "The EC2 instance size of the bastion server."`
			`type = string`
			`default = "t3.micro"`
			`}`

reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`# Operator Mode`
			`## Turning this on will enable NAT and Bastion to access the Vault Instances`

			`variable "operator_mode" {`
			`description = "Enable a NAT Gateway and Bastion for operator access into the Vault Instances."`
			`type = bool`
			`default = true`
			`}`

			`# Private Deploy`
			`## Turning this on will make it so that the Vault Deployemnt is only available through VPC peering`

			`variable "private_mode" {`
			`description = "Whether or not the Vault deployment should be private."`
			`type = bool`
			`default = false`
			`}`

			`## A VPC in the SAME AWS Account and REGION as your Vault deployment. The VPCs MUST have "enable dns hostnames" active AND cannot use the same CIDR block as the Vault VPC.`
			`variable "peered_vpc_ids" {`
			`description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."`
			`type = list(string)`
			`default = []`
			`}`

			`# Allowed Traffic`
			`## What IP Address ranges (via CIDR) are allowed to access your vault?`

			`variable "allowed_traffic_cidr_blocks" {`
			`description = "List of CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."`
			`type = list(string)`
			`default = ["0.0.0.0/0"]`
			`}`

			`variable "allowed_traffic_cidr_blocks_ipv6" {`
			`description = "List of IPv6 CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. Set to an empty list if not required."`
			`type = list(string)`
			`default = ["::/0"]`
			`}`

			`## What IP Address range can access your bastion server?`
			`variable "allowed_bastion_cidr_blocks" {`
			`description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."`
			`type = list(string)`
			`default = ["0.0.0.0/0"]`
			`}`

			`variable "allowed_bastion_cidr_blocks_ipv6" {`
			`description = "List of CIDR blocks allowed to access your Bastion. Defaults to none."`
			`type = list(string)`
			`default = []`
			`}`

initial commit 2020-04-10 02:37:14 +00:00			`# AWS VPC`

			`variable "vpc_cidr" {`
			`description = "Cidr block for the VPC. Using a /16 or /20 Subnet Mask is recommended."`
			`type = string`
			`default = "10.255.0.0/20"`
			`}`

			`variable "vpc_instance_tenancy" {`
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`description = "Tenancy for instances launched into the VPC."`
initial commit 2020-04-10 02:37:14 +00:00			`type = string`
			`default = "default"`
			`}`

			`variable "vpc_tags" {`
			`description = "Additional tags to add to the VPC and its resources."`
			`type = map(string)`
			`default = {}`
			`}`

			`# VPC Subnets`

			`variable "vpc_public_subnet_count" {`
			`description = "The number of public subnets to create. Cannot exceed the number of AZs in your selected region. 2 is more than enough."`
			`type = number`
			`default = 2`
			`}`

			`variable "vpc_private_subnet_count" {`
			`description = "The number of private subnets to create. Cannot exceed the number of AZs in your selected region."`
			`type = number`
			`default = 2`
			`}`

launch template and auto scaling group 2020-04-14 01:31:14 +00:00			`# EC2 - Vault Instance Launch Template`

			`variable "vault_instance_type" {`
			`description = "The EC2 instance size of the vault instances."`
			`type = string`
changing vars, defaults - ver, instance type 2024-02-29 17:31:44 +00:00			`default = "t3.small"`
launch template and auto scaling group 2020-04-14 01:31:14 +00:00			`}`

			`# EC2 - Vault Instance AutoScaling Group`

			`variable "vault_instance_count" {`
			`description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."`
			`type = number`
			`default = 2`
			`}`

wip with load balancers pre IPv6 2020-04-10 22:34:32 +00:00
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`# EC2 - AMI`
wip with load balancers pre IPv6 2020-04-10 22:34:32 +00:00
Fixing ami id, porting to debian 2024-02-29 18:29:13 +00:00			`variable "use_latest_ami" {`
			`description = "Whether or not to use the latest version. Defaults to false and uses a version that is known to work with this deployment."`
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`type = bool`
			`default = false`
updated for ipv6, completion of load balancer 2020-04-10 23:01:13 +00:00			`}`

Fixing ami id, porting to debian 2024-02-29 18:29:13 +00:00			`variable "ami_id" {`
debian 12 not 11 :facepalm: 2024-02-29 18:40:39 +00:00			`description = "The AMI ID to use for the Vault instances. Defaults to Debian 12 x86_64."`
Fixing ami id, porting to debian 2024-02-29 18:29:13 +00:00			`type = string`
			`default = "ami-0506d6d51f1916a96"`
			`}`

reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`# DynamoDB`
initial commit 2020-04-10 02:37:14 +00:00
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`variable "dynamodb_table_name" {`
			`description = "Name of the DynamoDB Table used for the Vault Storage Backend."`
			`type = string`
			`default = "vault_storage"`
completed private deploy options 2020-04-14 23:13:50 +00:00			`}`

reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`# KMS`
completed private deploy options 2020-04-14 23:13:50 +00:00
reorganize variables, add outputs, add license, add variable examples 2020-04-17 01:03:53 +00:00			`variable "kms_tags" {`
			`description = "Tags for the KMS key used to seal and unseal the Vault."`
			`type = map(string)`
			`default = {}`
completed private deploy options 2020-04-14 23:13:50 +00:00			`}`