###########################################################
################## Global Settings ########################
# Target AWS region; required, no default so every deployment states it explicitly.
variable "region" {
  type        = string
  description = "The AWS region to deploy into"
}
# Prefix prepended to every resource name; capped at 20 characters so derived
# names stay within AWS length limits.
variable "name_prefix" {
  type        = string
  description = "The prefix to use when naming all resources"
  default     = "ex-complete"

  validation {
    condition     = length(var.name_prefix) <= 20
    error_message = "The name prefix cannot be more than 20 characters"
  }
}
# Optional permissions-boundary policy ARN applied to IAM roles created by this module.
# null means no boundary is attached.
variable "iam_role_permissions_boundary" {
  type        = string
  default     = null
  description = "ARN of the policy that is used to set the permissions boundary for IAM roles"
}
# IAM usernames granted admin access to KMS and EKS resources. Per the description,
# the identity running terraform is added automatically, so the list may be empty.
variable "aws_admin_usernames" {
  type        = list(string)
  default     = []
  description = "A list of one or more AWS usernames with authorized access to KMS and EKS resources, will automatically add the user running the terraform as an admin"
}
# Creates the aws-auth configmap from scratch; only for clusters where it does not
# already exist (self-managed node groups only). Most callers want manage_aws_auth_configmap.
variable "create_aws_auth_configmap" {
  type        = bool
  default     = false
  description = "Determines whether to create the aws-auth configmap. NOTE - this is only intended for scenarios where the configmap does not exist (i.e. - when using only self-managed node groups). Most users should use `manage_aws_auth_configmap`"
}
# Whether this module takes ownership of the existing aws-auth configmap.
variable "manage_aws_auth_configmap" {
  type        = bool
  default     = false
  description = "Determines whether to manage the aws-auth configmap"
}
# Tags applied to every resource the module creates.
variable "tags" {
  type        = map(string)
  default     = {}
  description = "A map of tags to apply to all resources"
}
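# Waiting period (days) before a scheduled KMS key deletion takes effect.
# The description states the 7-30 day range; the validation enforces it at plan
# time instead of letting the API reject it during apply.
variable "kms_key_deletion_window" {
  description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days."
  type        = number
  default     = 7

  validation {
    condition     = var.kms_key_deletion_window >= 7 && var.kms_key_deletion_window <= 30
    error_message = "kms_key_deletion_window must be between 7 and 30 days"
  }
}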
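# Retention (days) for S3 server access logs before lifecycle expiration deletes them.
# A non-positive value is meaningless for an expiration rule, so reject it up front.
variable "access_log_expire_days" {
  description = "Number of days to wait before deleting access logs"
  type        = number
  default     = 30

  validation {
    condition     = var.access_log_expire_days >= 1
    error_message = "access_log_expire_days must be at least 1"
  }
}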
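# Emits an SQS event per object created in the access-log bucket. Because every
# server access log write creates an object, this can be very noisy; off by default.
variable "enable_sqs_events_on_access_log_access" {
  # Description wording fixed ("on object" -> "an object").
  description = "If true, generates an SQS event whenever an object is created in the Access Log bucket, which happens whenever a server access log is generated by any entity. This will potentially generate a lot of events, so use with caution."
  type        = bool
  default     = false
}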
# Require MFA on the auth_eks_role; deliberately has no default so the caller
# makes an explicit choice.
variable "eks_use_mfa" {
  type        = bool
  description = "Use MFA for auth_eks_role"
}
###########################################################
#################### VPC Config ###########################
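# Primary CIDR block of the VPC. Validated as a parseable CIDR so a typo fails at
# plan time rather than during VPC creation.
variable "vpc_cidr" {
  description = "The CIDR block for the VPC"
  type        = string

  validation {
    condition     = can(cidrhost(var.vpc_cidr, 0))
    error_message = "vpc_cidr must be a valid CIDR block, e.g. 10.0.0.0/16"
  }
}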
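# Additional CIDR blocks associated with the VPC. Each entry is checked for CIDR
# syntax; an empty list is valid and is the default.
variable "secondary_cidr_blocks" {
  description = "A list of secondary CIDR blocks for the VPC"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for c in var.secondary_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in secondary_cidr_blocks must be a valid CIDR block"
  }
}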
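# Number of availability zones to spread subnets across. Zero or negative AZs
# cannot produce a usable VPC, so the value is required to be at least 1.
variable "num_azs" {
  description = "The number of AZs to use"
  type        = number
  default     = 3

  validation {
    condition     = var.num_azs >= 1
    error_message = "num_azs must be at least 1"
  }
}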
###########################################################
#################### EKS Config ###########################
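# EC2 tenancy for EKS worker nodes. EC2 accepts only default, dedicated or host;
# validating here gives a clear plan-time error instead of an API failure.
variable "eks_worker_tenancy" {
  description = "The tenancy of the EKS worker nodes"
  type        = string
  default     = "default"

  validation {
    condition     = contains(["default", "dedicated", "host"], var.eks_worker_tenancy)
    error_message = "eks_worker_tenancy must be one of: default, dedicated, host"
  }
}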
# Kubernetes control-plane version for the EKS cluster. The renovate marker below
# must stay immediately above the default so automated version bumps keep working.
variable "cluster_version" {
description = "Kubernetes version to use for EKS cluster"
type = string
# renovate: datasource=endoflife-date depName=amazon-eks versioning=loose extractVersion=^(?<version>.*)-eks.+$
default = "1.27"
}
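# Controls whether the EKS API endpoint is reachable from the public internet.
# Defaults to false (private endpoint only). The original description said
# "private access", which contradicted the variable name; corrected here.
variable "cluster_endpoint_public_access" {
  description = "Whether to enable public access to the EKS cluster API endpoint"
  type        = bool
  default     = false
}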
# Toggle for EKS managed node groups; no default, so the caller must decide.
variable "enable_eks_managed_nodegroups" {
  type        = bool
  description = "Enable managed node groups"
}
# Toggle for self-managed node groups; no default, so the caller must decide.
variable "enable_self_managed_nodegroups" {
  type        = bool
  description = "Enable self managed node groups"
}
# Delay inserted between cluster creation and node-group creation, as a duration string.
variable "dataplane_wait_duration" {
  type        = string
  default     = "30s"
  description = "The duration to wait for the EKS cluster to be ready before creating the node groups"
}
###########################################################
################## EKS Addons Config ######################
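# Map of EKS-native add-ons and their parameters, passed through to the upstream
# eks_add-on resources. Typed `any` because each add-on accepts a different shape.
# Description fixes: "Nested of" -> "Nested map of", and the missing comma between
# `Owner: owner` and `Publisher: publisher` that made the example CLI query invalid.
variable "cluster_addons" {
  description = <<-EOD
    Nested map of eks native add-ons and their associated parameters.
    See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_add-on for supported values.
    See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/complete/main.tf#L44-L60 for upstream example.
    To see available eks marketplace addons available for your cluster's version run:
    aws eks describe-addon-versions --kubernetes-version $k8s_cluster_version --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner, Publisher: publisher, Type: type}' --output table
  EOD
  type        = any
  default     = {}
}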
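# Whether Kubernetes resources backing the non-marketplace add-ons are created.
# Description typo fixed ("addons to will be created").
variable "create_kubernetes_resources" {
  description = "If true, kubernetes resources related to non-marketplace addons will be created"
  type        = bool
  default     = true
}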
# Publish eks-blueprints-addons output values as SSM parameters.
variable "create_ssm_parameters" {
  type        = bool
  default     = true
  description = "Create SSM parameters for values from eks blueprints addons"
}
#----------------AWS EBS CSI Driver-------------------------
# Toggle for the EKS-managed EBS CSI driver add-on.
variable "enable_amazon_eks_aws_ebs_csi_driver" {
  type        = bool
  default     = false
  description = "Enable EKS Managed AWS EBS CSI Driver add-on"
}
# Make a gp3 StorageClass the cluster default.
variable "enable_gp3_default_storage_class" {
  type        = bool
  default     = false
  description = "Enable gp3 as default storage class"
}
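# reclaimPolicy for the gp3 StorageClass. The description already limits this to
# Delete or Retain; the validation enforces it so a typo cannot silently produce
# an invalid StorageClass manifest.
variable "storageclass_reclaim_policy" {
  description = "Reclaim policy for gp3 storage class, valid options are Delete and Retain"
  type        = string
  default     = "Delete"

  validation {
    condition     = contains(["Delete", "Retain"], var.storageclass_reclaim_policy)
    error_message = "storageclass_reclaim_policy must be either Delete or Retain"
  }
}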
#----------------Metrics Server-------------------------
# Toggle for the metrics-server add-on.
variable "enable_metrics_server" {
  type        = bool
  default     = false
  description = "Enable metrics server add-on"
}
# Free-form configuration passed to the aws-ia/eks-blueprints-addon/aws module
# for metrics-server; `any` because the upstream module defines the shape.
variable "metrics_server" {
  type        = any
  default     = {}
  description = "Metrics Server config for aws-ia/eks-blueprints-addon/aws"
}
#----------------AWS Node Termination Handler-------------------------
# Toggle for the AWS Node Termination Handler add-on.
variable "enable_aws_node_termination_handler" {
  type        = bool
  default     = false
  description = "Enable AWS Node Termination Handler add-on"
}
# Free-form configuration for the Node Termination Handler add-on module.
variable "aws_node_termination_handler" {
  type        = any
  default     = {}
  description = "AWS Node Termination Handler config for aws-ia/eks-blueprints-addon/aws"
}
#----------------Cluster Autoscaler-------------------------
# Toggle for the Cluster Autoscaler add-on.
variable "enable_cluster_autoscaler" {
  type        = bool
  default     = false
  description = "Enable Cluster autoscaler add-on"
}
# Free-form Helm chart values for Cluster Autoscaler.
variable "cluster_autoscaler" {
  type        = any
  default     = {}
  description = "Cluster Autoscaler Helm Chart config"
}
#----------------Enable_EFS_CSI-------------------------
# Toggle for the EFS CSI driver add-on.
variable "enable_amazon_eks_aws_efs_csi_driver" {
  type        = bool
  default     = false
  description = "Enable EFS CSI add-on"
}
# Free-form Helm chart values for the EFS CSI driver.
variable "aws_efs_csi_driver" {
  type        = any
  default     = {}
  description = "AWS EFS CSI Driver helm chart config"
}
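# reclaimPolicy for the EFS StorageClass, restricted to the two values the
# description names. Mirrors the validation style used for the gp3 policy.
variable "reclaim_policy" {
  description = "Reclaim policy for EFS storage class, valid options are Delete and Retain"
  type        = string
  default     = "Delete"

  validation {
    condition     = contains(["Delete", "Retain"], var.reclaim_policy)
    error_message = "reclaim_policy must be either Delete or Retain"
  }
}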
#----------------AWS Loadbalancer Controller-------------------------
# Toggle for the AWS Load Balancer Controller add-on.
variable "enable_aws_load_balancer_controller" {
  type        = bool
  default     = false
  description = "Enable AWS Loadbalancer Controller add-on"
}
# Free-form Helm chart values for the AWS Load Balancer Controller.
variable "aws_load_balancer_controller" {
  type        = any
  default     = {}
  description = "AWS Loadbalancer Controller Helm Chart config"
}
#----------------k8s Secret Store CSI Driver-------------------------
# Toggle for the Kubernetes Secrets Store CSI driver add-on.
variable "enable_secrets_store_csi_driver" {
  type        = bool
  default     = false
  description = "Enable k8s Secret Store CSI Driver add-on"
}
# Free-form Helm chart values for the Secrets Store CSI driver.
variable "secrets_store_csi_driver" {
  type        = any
  default     = {}
  description = "k8s Secret Store CSI Driver Helm Chart config"
}
###########################################################
################## Bastion Config #########################
# Whether a bastion host is created; on by default.
variable "enable_bastion" {
  type        = bool
  default     = true
  description = "If true, a bastion will be created"
}
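# EC2 tenancy for the bastion instance; same allowed set as eks_worker_tenancy
# (default, dedicated, host), enforced at plan time.
variable "bastion_tenancy" {
  description = "The tenancy of the bastion"
  type        = string
  default     = "default"

  validation {
    condition     = contains(["default", "dedicated", "host"], var.bastion_tenancy)
    error_message = "bastion_tenancy must be one of: default, dedicated, host"
  }
}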
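# EC2 instance type of the bastion host. The original description referred to
# "EKS worker nodes", which was a copy/paste error; corrected here.
variable "bastion_instance_type" {
  description = "The EC2 instance type of the bastion"
  type        = string
  default     = "m5.xlarge"
}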
# Login user for SSH sessions on the bastion.
variable "bastion_ssh_user" {
  type        = string
  default     = "ec2-user"
  description = "The SSH user to use for the bastion"
}
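# SSH password for the bastion when SSM authentication is in use.
# The original shipped a hard-coded default ("my-password"): any deployment that
# did not override it got a known credential on an internet-adjacent host. The
# default is now null so the value must be supplied by the caller, and the
# variable is marked sensitive so Terraform redacts it from plan/apply output
# and state listings.
variable "bastion_ssh_password" {
  description = "The SSH password to use for the bastion if SSM authentication is used. Must be supplied by the caller; no default is provided."
  type        = string
  default     = null
  sensitive   = true
}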
# Zarf release to install; empty string by default (caller-defined meaning).
variable "zarf_version" {
  type        = string
  default     = ""
  description = "The version of Zarf to use"
}
############################################################################
####################### DUBBD Add-on Dependencies ########################
# Provision a dedicated node group for Keycloak.
variable "keycloak_enabled" {
  type        = bool
  default     = false
  description = "Enable Keycloak dedicated nodegroup"
}
############################################################################
################## Lambda Password Rotation Config #########################
# OS user accounts on the EC2 instances whose passwords the rotation function manages.
variable "users" {
  type        = list(string)
  default     = []
  description = "This needs to be a list of users that will be on your ec2 instances that need password changes."
}
# EventBridge cron expression driving the password-rotation function;
# the default fires at 00:00 on the 1st of every month.
variable "cron_schedule_password_rotation" {
  type        = string
  default     = "cron(0 0 1 * ? *)"
  description = "Schedule for password change function to run on"
}
# Send rotation results to Slack; requires slack_webhook_url to be set as well.
variable "slack_notification_enabled" {
  type        = bool
  default     = false
  description = "enable slack notifications for password rotation function. If enabled a slack webhook url will also need to be provided for this to work"
}
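# Incoming-webhook URL used when slack_notification_enabled is true. A Slack
# webhook URL is a bearer-style secret (anyone holding it can post to the
# channel), so it is marked sensitive to keep it out of plan output and logs.
# The original description was the placeholder text "value"; replaced.
variable "slack_webhook_url" {
  description = "Slack incoming webhook URL used by the password rotation function when slack_notification_enabled is true"
  type        = string
  default     = null
  sensitive   = true
}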