# === General ===
# Prefix applied to the names and tags of every AWS resource this module
# creates. Required: no default is provided, so each deployment must pick
# its own (which also keeps two stacks in one account from colliding).
variable "resource_name_prefix" {
  description = "Resource name prefix used for tagging and naming AWS resources"
  type        = string
}
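# Vault release installed on each node. Pinned deliberately: bump it only
# after reading the release notes and security advisories for the target
# version. The value is presumably interpolated into the install step of the
# userdata script, so it must be a bare version string (e.g. "1.15.5",
# optionally with a "+ent" style suffix) — TODO confirm against the script.
variable "vault_version" {
  description = "Vault version"
  type        = string
  default     = "1.15.5"

  # Reject values like "latest" or a URL fragment at plan time instead of
  # letting them fail (or fetch something unexpected) on the instance.
  validation {
    condition     = can(regex("^[0-9]+[.][0-9]+[.][0-9]+([+][0-9A-Za-z.-]+)?$", var.vault_version))
    error_message = "The vault_version value must be a semantic version such as \"1.15.5\" (optionally with a \"+ent\" suffix)."
  }
}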
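# Region the Vault cluster (and its KMS key, LB and ASG) is created in.
variable "aws_region" {
  description = "AWS region where Vault will be deployed"
  type        = string
  default     = "eu-north-1"

  # Catch typos such as "eu-north1" before the provider is configured with
  # them; the pattern covers commercial, GovCloud, China and ISO partitions.
  validation {
    condition     = can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.aws_region))
    error_message = "The aws_region value must look like an AWS region code, e.g. \"eu-north-1\"."
  }
}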
# Named AWS CLI/SDK profile handed to the provider. The default "tf_dev" is
# a local developer convention; override it per environment so a plan is
# never silently executed against the wrong account.
variable "aws_profile" {
  description = "The AWS Profile to use for this project."
  type        = string
  default     = "tf_dev"
}
# === config ===
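# AMI used for the Vault instances. The previous default was the literal
# placeholder "value", which is not an AMI ID and would only fail once AWS
# rejected it at apply time; the default is now null so the failure (or the
# module's fallback, if it has one) happens at plan time instead.
# NOTE(review): this overlaps with user_supplied_ami_id below — confirm which
# of the two the launch template actually consumes.
variable "ami_id" {
  description = "The AMI ID to use for Vault instances"
  type        = string
  default     = null

  validation {
    condition     = var.ami_id == null || can(regex("^ami-[0-9a-f]{8,17}$", var.ami_id))
    error_message = "The ami_id value must be an AMI ID of the form \"ami-0123456789abcdef0\"."
  }
}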
# EC2 instance type for the Vault nodes. t3.micro is sized for
# experimentation, not for a production cluster; size production nodes
# according to HashiCorp's reference architecture for the expected load.
variable "instance_type" {
  description = "The instance type to use for Vault nodes"
  type        = string
  default     = "t3.micro"
}
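# Kind of load balancer placed in front of the cluster. The description has
# always named exactly two allowed values; the validation now enforces them
# so a typo fails here rather than deep inside the aws_lb resource.
variable "lb_type" {
  description = "The type of load balancer to provision: network or application."
  type        = string

  validation {
    condition     = contains(["network", "application"], var.lb_type)
    error_message = "The lb_type value must be either \"network\" or \"application\"."
  }
}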
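# Desired size of the Vault auto-scaling group. The module appears to use
# Raft integrated storage (the IAM notes mention cloud auto-join — confirm),
# and Raft quorum is floor(n/2)+1: a 2-node cluster loses quorum as soon as
# one node is lost, so it has no fault tolerance. Use 3 or 5 in production.
# The default is left at 2 for compatibility with existing deployments.
variable "node_count" {
  description = "Number of Vault nodes to deploy in ASG"
  type        = number
  default     = 2

  # An ASG size must be a non-negative whole number; 0 would deploy no Vault
  # at all, so require at least one node.
  validation {
    condition     = var.node_count >= 1 && floor(var.node_count) == var.node_count
    error_message = "The node_count value must be a whole number of at least 1."
  }
}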
# === Certs ===
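# Predefined ELB security policy for the TLS listener. The default
# ELBSecurityPolicy-TLS-1-2-2017-01 negotiates TLS 1.2 only but still offers
# cipher suites without forward secrecy (static RSA key exchange). For
# TLS 1.3-capable clients prefer ELBSecurityPolicy-TLS13-1-2-2021-06, which
# also restricts TLS 1.2 to ECDHE suites. The default is kept unchanged so
# existing clients are not cut off by a module upgrade; override it.
variable "ssl_policy" {
  description = "The SSL policy to use for the load balancer"
  type        = string
  default     = "ELBSecurityPolicy-TLS-1-2-2017-01"

  # Every predefined policy shares this prefix; a misspelt name would
  # otherwise only fail when the listener is created.
  validation {
    condition     = can(regex("^ELBSecurityPolicy-", var.ssl_policy))
    error_message = "The ssl_policy value must be a predefined ELB security policy name starting with \"ELBSecurityPolicy-\"."
  }
}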
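# ARN of the Secrets Manager secret holding the node TLS material. Whatever
# IAM policy lets the instances read it should be scoped to exactly this ARN
# (not "secretsmanager:*"), since the secret contains private keys.
variable "secrets_manager_arn" {
  description = "Secrets manager ARN where TLS cert info is stored"
  type        = string

  # Secret ARNs look like
  # arn:aws:secretsmanager:<region>:<account>:secret:<name>-<suffix>.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:", var.secrets_manager_arn))
    error_message = "The secrets_manager_arn value must be a Secrets Manager secret ARN (arn:aws:secretsmanager:<region>:<account>:secret:<name>)."
  }
}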
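# TLS server name nodes present when they connect to the leader over mTLS.
# The name matches Vault's Raft retry_join "leader_tls_servername" setting,
# so it presumably ends up there — confirm in the userdata/config template.
# It must be one of the DNS SANs in the shared node certificate, otherwise
# peer verification fails and nodes never join.
variable "leader_tls_servername" {
  description = "One of the DNS SANs shared by the node certificates; used as the TLS server name for mTLS between nodes and the leader"
  type        = string

  validation {
    condition     = length(trimspace(var.leader_tls_servername)) > 0
    error_message = "The leader_tls_servername value must not be empty."
  }
}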
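# ACM certificate attached to the load balancer's TLS listener. This is the
# certificate clients see; keep it separate from the node mTLS material in
# Secrets Manager.
variable "lb_certificate_arn" {
  description = "ARN of TLS certificate imported into ACM for use with LB listener"
  type        = string

  # ACM certificate ARNs look like
  # arn:aws:acm:<region>:<account>:certificate/<uuid>.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:acm:[a-z0-9-]+:[0-9]{12}:certificate/", var.lb_certificate_arn))
    error_message = "The lb_certificate_arn value must be an ACM certificate ARN (arn:aws:acm:<region>:<account>:certificate/<id>)."
  }
}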
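# Waiting period, in days, before a scheduled deletion of the module-created
# KMS key becomes final. This key is the auto-unseal key: once it is gone
# the Vault data encrypted under it is permanently unrecoverable, so the
# window is the only safety net against an accidental "destroy". 7 is the
# AWS minimum (kept as the default for compatibility); prefer 30 in
# production. Ignored when user_supplied_kms_key_arn is set.
variable "kms_key_deletion_window" {
  description = "The duration in days after which the key is deleted after destruction of the resource"
  type        = number
  default     = 7

  # AWS KMS only accepts 7–30 days; anything else fails at apply time.
  validation {
    condition     = var.kms_key_deletion_window >= 7 && var.kms_key_deletion_window <= 30
    error_message = "The kms_key_deletion_window value must be between 7 and 30 days (inclusive)."
  }
}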
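# Path the LB target group probes. Vault's /v1/sys/health answers 200 only
# on the active, unsealed node by default (standby and sealed nodes return
# non-2xx), so with the default only the active node is "healthy" — which
# is what you want for an active/standby cluster. Append query parameters
# such as "?standbyok=true" only if standby nodes should also receive
# traffic; check the Vault API docs for the exact status codes.
variable "lb_health_check_path" {
  description = "The path to use for the health check"
  type        = string
  default     = "/v1/sys/health"

  # The target group requires an absolute path.
  validation {
    condition     = can(regex("^/", var.lb_health_check_path))
    error_message = "The lb_health_check_path value must be an absolute path starting with \"/\"."
  }
}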
# === VPC ===
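# Source ranges allowed to reach the load balancer. The default exposes the
# Vault API to the whole internet; that is only acceptable if the LB is
# meant to be public and the API is otherwise protected (TLS + auth). For an
# internal cluster override this with your VPC/corporate ranges. The default
# is left as-is for backward compatibility.
variable "allowed_inbound_cidrs_lb" {
  description = "CIDR blocks to allow inbound traffic to the load balancer"
  type        = list(string)
  default     = ["0.0.0.0/0"]

  # Reject malformed entries (e.g. a bare IP without a prefix length) at plan
  # time; cidrhost() errors on anything that is not valid CIDR notation.
  validation {
    condition     = alltrue([for cidr in var.allowed_inbound_cidrs_lb : can(cidrhost(cidr, 0))])
    error_message = "Every allowed_inbound_cidrs_lb entry must be valid CIDR notation such as \"10.0.0.0/8\"."
  }
}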
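# Source ranges allowed to SSH to the Vault instances. WARNING: the default
# opens SSH to the entire internet on nodes that hold the unseal key and
# secrets material. Always override this with a bastion or admin range (or
# an empty list if SSH is not needed and the module tolerates it). The
# world-open default is kept only so existing callers are not broken by a
# module upgrade; do not rely on it.
variable "allowed_inbound_cidrs_ssh" {
  description = "CIDR blocks to allow inbound SSH traffic to the Vault instances"
  type        = list(string)
  default     = ["0.0.0.0/0"]

  # Malformed entries fail here rather than inside the security group rule.
  validation {
    condition     = alltrue([for cidr in var.allowed_inbound_cidrs_ssh : can(cidrhost(cidr, 0))])
    error_message = "Every allowed_inbound_cidrs_ssh entry must be valid CIDR notation such as \"10.0.0.0/8\"."
  }
}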
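# VPC that hosts the security groups, LB and instances.
variable "vpc_id" {
  description = "VPC ID where Vault will be deployed"
  type        = string

  validation {
    condition     = can(regex("^vpc-[0-9a-f]{8,17}$", var.vpc_id))
    error_message = "The vpc_id value must be a VPC ID of the form \"vpc-0123456789abcdef0\"."
  }
}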
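# Subnets the Vault ASG launches into. The name says "private" on purpose:
# nodes should only be reachable through the LB, so pass subnets without a
# direct internet route. Nothing here can verify that the subnets really are
# private — that remains the caller's responsibility.
variable "private_subnet_ids" {
  description = "Subnet IDs to deploy Vault into"
  type        = list(string)

  # An ASG needs at least one subnet, and each entry must be a subnet ID.
  validation {
    condition     = length(var.private_subnet_ids) > 0 && alltrue([for id in var.private_subnet_ids : can(regex("^subnet-[0-9a-f]{8,17}$", id))])
    error_message = "The private_subnet_ids value must contain at least one subnet ID of the form \"subnet-0123456789abcdef0\"."
  }
}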
# === user supplied variables ===
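# Optional override for the image the nodes boot from. The bundled userdata
# assumes a current Ubuntu LTS; a different base image must come with its
# own script via user_supplied_userdata_path. Pin a specific, vetted AMI
# rather than "whatever is newest" so node builds stay reproducible.
# NOTE(review): overlaps with the ami_id variable above — confirm which of
# the two the launch template reads.
variable "user_supplied_ami_id" {
  description = "(Optional) User-provided AMI ID to use with Vault instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
  type        = string
  default     = null

  validation {
    condition     = var.user_supplied_ami_id == null || can(regex("^ami-[0-9a-f]{8,17}$", var.user_supplied_ami_id))
    error_message = "The user_supplied_ami_id value must be null or an AMI ID of the form \"ami-0123456789abcdef0\"."
  }
}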
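# Optional override for the instance role. Whatever role is supplied becomes
# the identity of every Vault node, so keep it to the minimum the IAM
# submodule would have granted (auto-join discovery plus KMS use for
# auto-unseal) — attaching a broad role here widens the blast radius of a
# compromised node. Only the role name is taken; the module builds the
# instance profile from it.
variable "user_supplied_iam_role_name" {
  description = "(Optional) User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal."
  type        = string
  default     = null

  # IAM role names are 1–64 characters from a fixed alphabet; an ARN or a
  # path-qualified name here would fail when the instance profile is built.
  validation {
    condition     = var.user_supplied_iam_role_name == null || can(regex("^[A-Za-z0-9+=,.@_-]{1,64}$", var.user_supplied_iam_role_name))
    error_message = "The user_supplied_iam_role_name value must be null or a bare IAM role name (not an ARN) of 1–64 allowed characters."
  }
}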
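# Optional externally managed KMS key for auto-unseal. Supplying it skips
# the module's own key, so its key policy must allow the instance role the
# KMS operations auto-unseal needs (at least Encrypt, Decrypt and
# DescribeKey — verify against the IAM submodule), and its deletion window
# and rotation are then managed outside this module. Losing this key makes
# the Vault data unrecoverable.
variable "user_supplied_kms_key_arn" {
  description = "(Optional) User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal"
  type        = string
  default     = null

  # Accept key or alias ARNs; reject bare key IDs and aliases, which would
  # not satisfy "ARN" as the description promises.
  validation {
    condition     = var.user_supplied_kms_key_arn == null || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:(key|alias)/", var.user_supplied_kms_key_arn))
    error_message = "The user_supplied_kms_key_arn value must be null or a KMS key/alias ARN (arn:aws:kms:<region>:<account>:key/<id>)."
  }
}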
# Optional path to a custom bootstrap script that replaces the bundled
# userdata. Userdata is presumably executed as root on first boot (confirm
# in the launch template), so treat the file as privileged code: keep it in
# source control and review it like any other change to the Vault nodes.
# How a relative path is resolved depends on where the module reads it —
# prefer an absolute path or one built from path.root/path.module.
variable "user_supplied_userdata_path" {
  description = "(Optional) File path to custom userdata script being supplied by the user"
  type        = string
  default     = null
}