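# Full permission set for the *certificates* sub-resource of a Key Vault,
# meant for access-policy mode (enable_rbac_authorization = false).
# The set includes destructive and issuer-management rights (Delete, Purge,
# DeleteIssuers, ManageIssuers); grant it only to automation identities that
# genuinely need all of it and hand out a narrower list to everything else.
# The original description said "key access" - it is the certificate list.
variable "full_certificate_permissions" {
  type        = list(string)
  description = "All the available certificate permissions for a Key Vault access policy (includes Delete and Purge - grant with care)"
  default = [
    "Backup",
    "Create",
    "Delete",
    "DeleteIssuers",
    "Get",
    "GetIssuers",
    "Import",
    "List",
    "ListIssuers",
    "ManageContacts",
    "ManageIssuers",
    "Purge",
    "Recover",
    "Restore",
    "SetIssuers",
    "Update"
  ]
}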
# Full permission set for the *keys* sub-resource of a Key Vault, meant for
# access-policy mode (enable_rbac_authorization = false).
# It mixes management rights (Create, Delete, Purge, Import, Backup/Restore)
# with cryptographic-use rights (Decrypt, Sign, UnwrapKey, Encrypt, Verify,
# WrapKey). A principal holding this list can both use and destroy keys -
# Purge is irreversible - so prefer a narrower list for workloads that only
# need to perform crypto operations.
# NOTE(review): newer provider versions accept additional key permissions
# beyond those listed here - confirm against the provider version in use.
variable "full_key_permissions" {
  type        = list(string)
  description = "All the available permissions for key access"
  default = [
    "Backup",
    "Create",
    "Decrypt",
    "Delete",
    "Encrypt",
    "Get",
    "Import",
    "List",
    "Purge",
    "Recover",
    "Restore",
    "Sign",
    "UnwrapKey",
    "Update",
    "Verify",
    "WrapKey"
  ]
}
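# Full permission set for the *secrets* sub-resource of a Key Vault, meant
# for access-policy mode (enable_rbac_authorization = false).
# "Get" and "List" alone allow reading every secret value in the vault;
# Delete and Purge are destructive (Purge cannot be undone). Grant the full
# list only where automation truly needs it.
# The original description said "key access" - it is the secret list.
variable "full_secret_permissions" {
  type        = list(string)
  description = "All the available secret permissions for a Key Vault access policy (includes Get/List of all secret values and Purge - grant with care)"
  default = [
    "Backup",
    "Delete",
    "Get",
    "List",
    "Purge",
    "Recover",
    "Restore",
    "Set"
  ]
}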
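# Full permission set for the *storage* sub-resource of a Key Vault (Key
# Vault managed storage account keys), meant for access-policy mode
# (enable_rbac_authorization = false).
# The list includes RegenerateKey and the SAS rights (GetSAS, SetSAS,
# DeleteSAS, ListSAS), i.e. the ability to mint and rotate credentials for a
# managed storage account - treat it as highly privileged.
# The original description said "key access" - it is the storage list.
variable "full_storage_permissions" {
  type        = list(string)
  description = "All the available storage permissions for a Key Vault access policy (includes RegenerateKey and SAS management - grant with care)"
  default = [
    "Backup",
    "Delete",
    "DeleteSAS",
    "Get",
    "GetSAS",
    "List",
    "ListSAS",
    "Purge",
    "Recover",
    "RegenerateKey",
    "Restore",
    "Set",
    "SetSAS",
    "Update"
  ]
}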
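# Opt-in switch to grant the identity running Terraform full access to the
# vault(s). The previous description claimed this was "enabled by default",
# which contradicted the actual default of false; the text now matches the
# code. Keep it false unless the deploying principal must read/write vault
# contents during apply - when true it presumably applies the full_*_permissions
# lists defined in this file to the current client (main.tf not visible here,
# confirm there).
variable "give_current_client_full_access" {
  type        = bool
  description = "If you use your current client as the tenant id, do you wish to give it full access to the keyvault? This aids automation but widens the blast radius of the deploying identity, so it is disabled by default. Set to true only when the deploying principal must access vault contents."
  default     = false
}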
# List of Key Vaults to create. Each entry carries the vault settings, an
# optional list of classic access policies, optional network ACLs, optional
# certificate contacts and optional diagnostic-settings configuration.
# Security-relevant defaults in this object are called out inline - several
# of them favour convenience over least privilege.
variable "key_vaults" {
  description = "A list of key vaults to create"
  type = list(object({
    name     = string
    location = string
    rg_name  = string
    sku_name = optional(string, "standard")
    # Tenant the vault is bound to; when omitted, presumably filled from the
    # current client config (see use_current_client) - confirm in main.tf.
    tenant_id = optional(string)
    # NOTE(review): these three default to true here, which is broader than
    # the provider's own default (believed to be false). Each one allows an
    # Azure platform service (VM deployment, Azure Disk Encryption, ARM
    # template deployment) to retrieve material from the vault. Set them to
    # false for vaults that are not consumed by those services.
    enabled_for_deployment          = optional(bool, true)
    enabled_for_disk_encryption     = optional(bool, true)
    enabled_for_template_deployment = optional(bool, true)
    # No default here; falls through to the provider default (believed to be
    # 90 days, valid range 7-90) - confirm against the provider version.
    soft_delete_retention_days = optional(number)
    # No default here; the provider is believed to default this to true, i.e.
    # the vault is reachable from the public internet subject to network_acls.
    # Set to false when private endpoints are used.
    public_network_access_enabled = optional(bool)
    # true = Azure RBAC is the authorisation model. When it is true the
    # access_policy entries below are presumably not the effective
    # authorisation mechanism - confirm before relying on them.
    enable_rbac_authorization = optional(bool, true)
    # false means a soft-deleted vault or object can be purged before the
    # retention period ends; enable for production vaults. Once enabled it
    # cannot be turned off again on that vault.
    purge_protection_enabled = optional(bool, false) # Easier for automation
    # Classic access policies. NOTE(review): there is no certificate_permissions
    # attribute although full_certificate_permissions is declared in this
    # file - confirm whether certificate rights are meant to be assignable.
    access_policy = optional(list(object({
      tenant_id           = string
      object_id           = string
      key_permissions     = list(string)
      secret_permissions  = list(string)
      storage_permissions = list(string)
    })))
    # Firewall for the vault. For least privilege use default_action = "Deny"
    # with explicit ip_rules / virtual_network_subnet_ids; bypass controls
    # whether trusted Azure services may skip the rules.
    network_acls = optional(object({
      bypass                     = string
      default_action             = string
      ip_rules                   = list(string)
      virtual_network_subnet_ids = list(string)
    }))
    # Certificate contacts (email required, name/phone optional).
    contact = optional(list(object({
      email = string
      name  = optional(string)
      phone = optional(string)
    })))
    # Diagnostic settings. Note the overlap: diagnostic_settings_enable_all_logs_and_metrics
    # at this level and enable_all_logs / enable_all_metrics inside
    # diagnostic_settings express similar intent - confirm in main.tf which
    # one wins when they disagree.
    create_diagnostic_settings                      = optional(bool, false)
    diagnostic_settings_enable_all_logs_and_metrics = optional(bool, false)
    diagnostic_settings = optional(object({
      diagnostic_settings_name       = optional(string)
      storage_account_id             = optional(string)
      eventhub_name                  = optional(string)
      eventhub_authorization_rule_id = optional(string)
      law_id                         = optional(string)
      law_destination_type           = optional(string, "Dedicated")
      partner_solution_id            = optional(string)
      enabled_log = optional(list(object({
        category       = optional(string)
        category_group = optional(string)
      })), [])
      metric = optional(list(object({
        category = string
        enabled  = optional(bool, true)
      })), [])
      enable_all_logs    = optional(bool, false)
      enable_all_metrics = optional(bool, false)
    }), null)
    # Required (not optional) - callers must pass a map, possibly empty.
    tags = map(string)
  }))
  default = []
}
# When true the module presumably reads tenant/object ids from the current
# client configuration (main.tf not visible here - confirm). This only
# selects the identity source; whether that identity is granted vault access
# is controlled separately by give_current_client_full_access.
variable "use_current_client" {
  type        = bool
  description = "If you wish to use the current client config or not"
  default     = true
}