From 459edea2bceeaf7a087328ebfb1171fd8835c68f Mon Sep 17 00:00:00 2001
From: matthieu42morin
Date: Fri, 1 Mar 2024 22:57:59 +0100
Subject: [PATCH] vars update

---
 variables.tf | 155 +++++++++++++++++++++++++++------------------------
 1 file changed, 83 insertions(+), 72 deletions(-)

diff --git a/variables.tf b/variables.tf
index 75f00e2..75941b1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -3,6 +3,7 @@ variable "resource_name_prefix" {
 type = string
 description = "Resource name prefix used for tagging and naming AWS resources"
+ default = "vault"
 }
 
 
 variable "vault_version" {
@@ -21,124 +22,134 @@ variable "aws_profile" {
 type = string
 description = "The AWS Profile to use for this project."
 default = "tf_dev"
-
 }
+variable "key_name" {
+ type = string
+ default = "Vault"
+ description = "(Optional) key pair to use for SSH access to instance"
+}
+
+variable "common_tags" {
+ type = map(string)
+ description = "(Optional) Map of common tags for all taggable AWS resources."
+ default = {
+ "project" = "vault"
+ }
+}
 
 # === config ===
-variable "ami_id" {
- type = string
- description = "The AMI ID to use for Vault instances"
- default = "value"
-}
 
 variable "instance_type" {
 type = string
 description = "The instance type to use for Vault nodes"
 default = "t3.micro"
 }
 
+variable "additional_lb_target_groups" {
+ type = list(string)
+ description = "(Optional) List of load balancer target groups to associate with the Vault cluster. These target groups are _in addition_ to the LB target group this module provisions by default."
+ default = []
+}
+
 variable "lb_type" {
- description = "The type of load balancer to provision: network or application."
+ description = "The type of load balancer to provision; network or application."
 type = string
+ default = "application"
+
+ validation {
+ condition = contains(["application", "network"], var.lb_type)
+ error_message = "The variable lb_type must be one of: application, network."
+ }
 }
 
 variable "node_count" {
 type = number
- description = "Number of Vault nodes to deploy in ASG"
+ description = "**Required** Number of Vault nodes to deploy in ASG"
 default = 2
 }
 
-# === Certs ===
-variable "ssl_policy" {
+# === user supplied variables ===
+
+variable "user_supplied_ami_id" {
 type = string
- description = "The SSL policy to use for the load balancer"
- default = "ELBSecurityPolicy-TLS-1-2-2017-01"
-}
-variable "secrets_manager_arn" {
- type = string
- description = "Secrets manager ARN where TLS cert info is stored"
+ description = "**Required** User-provided AMI ID to use with Vault instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
+ default = "ami-0506d6d51f1916a96"
 }
 
-variable "leader_tls_servername" {
+variable "user_supplied_iam_role_name" {
 type = string
- description = "One of the shared DNS SAN used to create the certs use for mTLS"
+ description = "**Required** User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal."
+ default = null
 }
 
-variable "lb_certificate_arn" {
+variable "user_supplied_kms_key_arn" {
 type = string
- description = "ARN of TLS certificate imported into ACM for use with LB listener"
+ description = "**Required** User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal"
+ default = null
 }
 
-variable "kms_key_deletion_window" {
- type = number
- description = "The duration in days after which the key is deleted after destruction of the resource"
- default = 7
-}
-
-variable "lb_health_check_path" {
- type = string
- description = "The path to use for the health check"
- default = "/v1/sys/health"
+variable "user_supplied_userdata_path" {
+ type = string
+ description = "**Required** File path to custom userdata script being supplied by the user"
+ default = "./temp/userdata.sh"
 }
 
 # === VPC ===
 
 variable "allowed_inbound_cidrs_lb" {
 type = list(string)
- description = "CIDR blocks to allow inbound traffic to the load balancer"
+ description = "**Required** CIDR blocks to allow inbound traffic to the load balancer"
 default = ["0.0.0.0/0"]
 }
 
 variable "allowed_inbound_cidrs_ssh" {
 type = list(string)
- description = "CIDR blocks to allow inbound SSH traffic to the Vault instances"
+ description = "**Required** CIDR blocks to allow inbound SSH traffic to the Vault instances"
 default = ["0.0.0.0/0"]
 }
 
+# === Certs ===
+variable "ssl_policy" {
+ type = string
+ description = "**Required** The SSL policy to use for the load balancer"
+ default = "ELBSecurityPolicy-TLS-1-2-2017-01"
+}
+
+variable "lb_health_check_path" {
+ type = string
+ description = "The endpoint to check for Vault's health status."
+ default = "/v1/sys/health?activecode=200&standbycode=200&sealedcode=200&uninitcode=200"
+}
+
+variable "kms_key_deletion_window" {
+ type = number
+ default = 7
+ description = "**Required**Duration in days after which the key is deleted after destruction of the resource (must be between 7 and 30 days)."
+}
+
+# === Supplied by ./modules/vpc-secrets ===
+
+variable "secrets_manager_arn" {
+ type = string
+ description = "**Supplied by module/vpc-secrets** **Required** Secrets manager ARN where TLS cert info is stored"
+}
+
+variable "leader_tls_servername" {
+ type = string
+ description = "**Supplied by module/vpc-secrets** **Required** One of the shared DNS SAN used to create the certs use for mTLS"
+}
+
+variable "lb_certificate_arn" {
+ type = string
+ description = "**Supplied by module/vpc-secrets** **Required** ARN of TLS certificate imported into ACM for use with LB listener"
+}
+
 variable "vpc_id" {
 type = string
- description = "VPC ID where Vault will be deployed"
+ description = "**Supplied by module/vpc-secrets** **Required** VPC ID where Vault will be deployed"
 }
 
 variable "private_subnet_ids" {
 type = list(string)
- description = "Subnet IDs to deploy Vault into"
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-# === user supplied variables ===
-
-variable "user_supplied_ami_id" {
- type = string
- description = "(Optional) User-provided AMI ID to use with Vault instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
- default = null
-}
-
-variable "user_supplied_iam_role_name" {
- type = string
- description = "(Optional) User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal."
- default = null
-}
-
-variable "user_supplied_kms_key_arn" {
- type = string
- description = "(Optional) User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal"
- default = null
-}
-
-variable "user_supplied_userdata_path" {
- type = string
- description = "(Optional) File path to custom userdata script being supplied by the user"
- default = null
+ description = "**Supplied by module/vpc-secrets** **Required** Subnet IDs to deploy Vault into"
 }
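Review bot: The `**Required**` labels added to the descriptions in this hunk contradict the `default` values on the same variables — Terraform never prompts for a variable that has a default — and the two places where that matters most are `allowed_inbound_cidrs_lb` and `allowed_inbound_cidrs_ssh`, which keep `default = ["0.0.0.0/0"]` and so leave SSH and the load balancer reachable from any address unless the caller happens to override them; either remove those two `default` lines so a caller must supply CIDRs, or label them `(Optional)` as the new `key_name` and `common_tags` variables are. The same mismatch applies to `user_supplied_ami_id`, whose new hard-coded default `ami-0506d6d51f1916a96` is region-specific while its description still talks about the case where the value is provided, and to `user_supplied_userdata_path`, whose default changes from `null` to `./temp/userdata.sh`; if the module picks its generated userdata on `null` (not visible in this diff), the defaulted path is now used unconditionally. `kms_key_deletion_window` documents a 7–30 day range but, unlike the new `lb_type` block, has no `validation`; add one with `condition = var.kms_key_deletion_window >= 7 && var.kms_key_deletion_window <= 30` and restore the missing space in `**Required**Duration`. The new `lb_health_check_path` default maps the sealed and uninitialised states to 200, so the target group will keep routing client requests to nodes that cannot serve them — if that is intentional, a comment on the `default` line saying so would save the next reader from reverting it.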