165 lines
5.0 KiB
HCL
165 lines
5.0 KiB
HCL
# === General ===
|
|
|
|
variable "resource_name_prefix" {
|
|
type = string
|
|
description = "Resource name prefix used for tagging and naming AWS resources"
|
|
default = "prod"
|
|
}
|
|
|
|
variable "vault_version" {
|
|
type = string
|
|
description = "Vault version"
|
|
default = "1.15.5"
|
|
}
|
|
|
|
variable "aws_region" {
|
|
type = string
|
|
description = "AWS region where Vault will be deployed"
|
|
default = "eu-north-1"
|
|
}
|
|
|
|
variable "role_arn" {
|
|
type = string
|
|
description = "The assumed role to use for this project."
|
|
}
|
|
|
|
variable "key_name" {
|
|
description = "(Optional) key pair to use for SSH access to instance"
|
|
type = string
|
|
default = "Vault"
|
|
}
|
|
|
|
variable "common_tags" {
|
|
type = map(string)
|
|
description = "(Optional) Map of common tags for all taggable AWS resources."
|
|
default = {
|
|
"project" = "vault"
|
|
}
|
|
}
|
|
|
|
|
|
# === config ===
|
|
|
|
variable "instance_type" {
|
|
type = string
|
|
description = "The instance type to use for Vault nodes"
|
|
default = "t3.micro"
|
|
}
|
|
|
|
variable "shared_san" {
|
|
type = string
|
|
description = "This is a shared server name that the certs for all Vault nodes contain. This is the same value you will supply as input to the Vault installation module for the leader_tls_servername variable."
|
|
}
|
|
|
|
variable "lb_type" {
|
|
description = "The type of load balancer to provision; network or application."
|
|
type = string
|
|
default = "application"
|
|
|
|
validation {
|
|
condition = contains(["application", "network"], var.lb_type)
|
|
error_message = "The variable lb_type must be one of: application, network."
|
|
}
|
|
}
|
|
|
|
variable "node_count" {
|
|
type = number
|
|
description = "**Required** Number of Vault nodes to deploy in ASG"
|
|
default = 2
|
|
}
|
|
|
|
# === user supplied variables ===
|
|
|
|
variable "user_supplied_ami_id" {
|
|
type = string
|
|
description = "**Optional** User-provided AMI ID to use with Vault instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
|
|
default = "ami-0506d6d51f1916a96"
|
|
}
|
|
|
|
# variable "user_supplied_iam_role_name" {
|
|
# type = string
|
|
# description = "**Optional** User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal."
|
|
# default = null
|
|
# }
|
|
|
|
variable "user_supplied_kms_key_arn" {
|
|
type = string
|
|
description = "**Optional** User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal"
|
|
default = null
|
|
}
|
|
|
|
# variable "user_supplied_userdata_path" {
|
|
# type = string
|
|
# description = "**Optional** File path to custom userdata script being supplied by the user"
|
|
# default = null
|
|
# }
|
|
|
|
# === VPC ===
|
|
|
|
variable "azs" {
|
|
description = "availability zones to use in AWS region"
|
|
type = list(string)
|
|
default = [
|
|
"eu-north-1a",
|
|
"eu-north-1b",
|
|
]
|
|
}
|
|
|
|
variable "allowed_inbound_cidrs_lb" {
|
|
type = list(string)
|
|
description = "**Required** CIDR blocks to allow inbound traffic to the load balancer"
|
|
default = ["0.0.0.0/0"]
|
|
}
|
|
|
|
variable "allowed_inbound_cidrs_ssh" {
|
|
type = list(string)
|
|
description = "**Required** CIDR blocks to allow inbound SSH traffic to the Vault instances"
|
|
default = ["0.0.0.0/0"]
|
|
}
|
|
|
|
# === Certs ===
|
|
variable "ssl_policy" {
|
|
type = string
|
|
description = "**Required** The SSL policy to use for the load balancer"
|
|
default = "ELBSecurityPolicy-TLS-1-2-2017-01"
|
|
}
|
|
|
|
variable "lb_health_check_path" {
|
|
type = string
|
|
description = "The endpoint to check for Vault's health status."
|
|
default = "/v1/sys/health?activecode=200&standbycode=200&sealedcode=200&uninitcode=200"
|
|
}
|
|
|
|
variable "kms_key_deletion_window" {
|
|
type = number
|
|
default = 7
|
|
description = "**Required**Duration in days after which the key is deleted after destruction of the resource (must be between 7 and 30 days)."
|
|
}
|
|
|
|
# === Supplied by ./modules/networking ===
|
|
|
|
# variable "secrets_manager_arn" {
|
|
# type = string
|
|
# description = "**Supplied by module/networking** **Required** Secrets manager ARN where TLS cert info is stored"
|
|
# }
|
|
|
|
variable "leader_tls_servername" {
|
|
type = string
|
|
description = "**Supplied by module/networking** **Required** One of the shared DNS SAN used to create the certs use for mTLS"
|
|
}
|
|
|
|
# variable "lb_certificate_arn" {
|
|
# type = string
|
|
# description = "**Supplied by module/networking** **Required** ARN of TLS certificate imported into ACM for use with LB listener"
|
|
# }
|
|
|
|
# variable "vpc_id" {
|
|
# type = string
|
|
# description = "**Supplied by module/networking** **Required** VPC ID where Vault will be deployed"
|
|
# }
|
|
|
|
# variable "private_subnet_ids" {
|
|
# type = list(string)
|
|
# description = "**Supplied by module/networking** **Required** Subnet IDs to deploy Vault into"
|
|
# }
|