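variable "namespace" {
  description = "Namespace relative to the provider namespace. Vault Enterprise only"
  type        = string
  default     = null

  # null means "use the provider's namespace", so the check is skipped for it.
  # Any other value must not start or end with "/".
  validation {
    condition = var.namespace != null ? (
      !startswith(var.namespace, "/") && !endswith(var.namespace, "/")
    ) : true
    # The previous message lost the slash between the escaped quotes and read
    # as `cannot begin or end with ""`, which did not tell the user what was wrong.
    error_message = "Namespace cannot begin or end with \"/\""
  }
}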
variable "path" {
  # Mount point of the JWT auth method; defaults to the method's own name.
  type        = string
  default     = "jwt"
  description = "Path to mount the JWT Auth backend"
}
variable "auth_description" {
  # Free-text description attached to the auth mount.
  type        = string
  default     = "Terraform Cloud"
  description = "Description of the JWT Auth Backend"
}
variable "auth_token_issuer" {
  type        = string
  default     = "https://app.terraform.io"
  description = "Token issuer of JWT token"

  # Reject a plain-http issuer and a trailing slash up front, at plan time.
  validation {
    condition     = !endswith(var.auth_token_issuer, "/") && startswith(var.auth_token_issuer, "https://")
    error_message = "Token issuer URI should start with https:// and not end with a slash"
  }
}
variable "auth_tune" {
  description = "Auth mount tune settings"
  # Every field is optional; a null object means "do not tune the mount".
  default = null
  type = object({
    # Lease settings
    default_lease_ttl = optional(string)
    max_lease_ttl     = optional(string)
    token_type        = optional(string)
    # Audit / visibility settings
    audit_non_hmac_request_keys  = optional(list(string))
    audit_non_hmac_response_keys = optional(list(string))
    listing_visibility           = optional(string)
    # Header pass-through settings
    passthrough_request_headers = optional(list(string))
    allowed_response_headers    = optional(list(string))
  })
}
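variable "bound_audiences" {
  description = "List of audiences to be allowed for JWT auth roles"
  type        = list(string)
  default     = ["tfc.workload.identity"]

  # The audience list is the main claim restriction applied to every role, so an
  # empty list or an empty entry is a misconfiguration; fail at plan time rather
  # than letting it reach Vault.
  validation {
    condition     = length(var.bound_audiences) > 0 && alltrue([for aud in var.bound_audiences : aud != ""])
    error_message = "bound_audiences must contain at least one non-empty audience"
  }
}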
variable "workspaces" {
  description = "List of workspaces to provide access to. Use * for wildcard. If wildcard is used, identity management cannot be enabled"
  # Nested map: organisation name -> project name -> list of workspace names.
  # No default: the caller must always provide this.
  type = map(map(list(string)))
  # NOTE(review): the "no wildcard when identity management is enabled" rule is
  # only stated in the description and not validated here — confirm that the
  # module's resources enforce it.
}
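variable "role_name_format" {
  # Fixed typo in the description ("namess" -> "names").
  description = "Format string to generate role names. The first parameter is the organization, and the second is the workspace name"
  type        = string
  default     = "%[1]s-%[2]s-%[3]s"
  # NOTE(review): the default uses three positional parameters while the
  # description names only two — confirm the argument order against the
  # format() call that consumes this value.
}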
variable "claim_mappings" {
  type        = map(string)
  description = "Mapping of claims to metadata"
  # JWT claim name -> token metadata key. The defaults map each claim to a
  # metadata key of the same name; listed alphabetically, order is irrelevant.
  default = {
    terraform_full_workspace    = "terraform_full_workspace"
    terraform_organization_id   = "terraform_organization_id"
    terraform_organization_name = "terraform_organization_name"
    terraform_run_id            = "terraform_run_id"
    terraform_run_phase         = "terraform_run_phase"
    terraform_workspace_id      = "terraform_workspace_id"
  }
}
variable "token_policies" {
  # Policies attached to every role; empty by default so nothing is granted implicitly.
  type        = list(string)
  default     = []
  description = "Default token policies to apply to all roles"
}
variable "token_ttl" {
  # Seconds; 600 = 10 minutes.
  type        = number
  default     = 600
  description = "The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
}
variable "token_max_ttl" {
  # Seconds; same default as token_ttl, so renewals cannot extend past 10 minutes by default.
  type        = number
  default     = 600
  description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
}
variable "token_explicit_max_ttl" {
  # Seconds. Because the default is non-zero, an explicit hard cap is always
  # encoded on the token unless the caller overrides this.
  type        = number
  default     = 600
  description = "If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal."
}
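variable "enable_identity_management" {
  # Grammar fix in the description ("contains" -> "contain").
  description = "Enable Identity Entity management. This only works if workspace names contain no wildcard"
  type        = bool
  default     = true
  # NOTE(review): the wildcard constraint is documented but not validated
  # against var.workspaces — confirm it is enforced where entities are created.
}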
variable "identity_name_format" {
  type        = string
  default     = "tfc-%[1]s-%[2]s-%[3]s"
  description = "Identity name format string. The first parameter is the organization, and the second is the workspace name"
  # NOTE(review): three positional parameters in the default, two named in the
  # description — confirm what %[3]s receives.
}
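variable "tfc_project_support_match" {
  # Reworded description for grammar; meaning unchanged.
  description = "The key to use for Terraform Cloud Project matching in the subject key. This is to work around the module not supporting projects. You should set this to 'Default Project' or '*'"
  type        = string
  # "*" matches any project; the permissive default is deliberate per the description.
  default = "*"
}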
variable "tfc_default_project" {
  # Display name of the TFC project that workspaces belong to unless moved.
  type        = string
  default     = "Default Project"
  description = "Name of TFC Default Project"
}
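variable "enable_global_identity" {
  description = "Enable Identity Entity management globally. This creates a single entity for all workspaces per organization"
  type        = bool
  default     = false

  # Only "both enabled" is invalid. The previous inequality check also rejected
  # "both disabled", which is a legitimate configuration (no identity entities
  # managed at all) and did not match the error message.
  validation {
    condition     = !(var.enable_global_identity && var.enable_identity_management)
    error_message = "Global Identity management can only be enabled if Identity management is disabled"
  }
}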