########################################################################################################################
# Account Variables
########################################################################################################################
# Resource group that will hold the security services; created unless an existing group is named below.
variable "security_resource_group_name" {
  description = "The name of the security resource group to create."
  type        = string
  default     = "security-rg"

  validation {
    # Only the length is checked; a null value passes (nothing to measure).
    condition     = var.security_resource_group_name == null ? true : length(var.security_resource_group_name) <= 40
    error_message = "`security_resource_group_name` must be 40 characters or less."
  }
}

# When set, this pre-existing group is used instead of creating `security_resource_group_name`.
variable "existing_security_resource_group_name" {
  description = "The name of the existing resource group to use for security resources, takes precedence over `security_resource_group_name`."
  type        = string
  default     = null

  validation {
    condition     = var.existing_security_resource_group_name == null ? true : length(var.existing_security_resource_group_name) <= 40
    error_message = "`existing_security_resource_group_name` must be 40 characters or less."
  }
}
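# Resource group that will hold audit resources; created unless an existing group is named below.
variable "audit_resource_group_name" {
  type        = string
  description = "The name of the audit resource group to create."
  default     = "audit-rg"

  validation {
    condition = length(coalesce(var.audit_resource_group_name, "null")) <= 40
    # The message must name this variable; it previously pointed users at `existing_audit_resource_group_name`.
    error_message = "`audit_resource_group_name` must be 40 characters or less."
  }
}

# When set, this pre-existing group is used instead of creating `audit_resource_group_name`.
variable "existing_audit_resource_group_name" {
  type        = string
  description = "The name of the existing resource group to use for audit resources, takes precedence over `audit_resource_group_name`."
  default     = null

  validation {
    condition = length(coalesce(var.existing_audit_resource_group_name, "null")) <= 40
    # Likewise corrected: this check is for the `existing_*` variable.
    error_message = "`existing_audit_resource_group_name` must be 40 characters or less."
  }
}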
# Resource group for observability resources (Activity Tracker / COS); only needed when `provision_atracker_cos` is true.
variable "observability_resource_group_name" {
  description = "The name of the observability resource group to create. Required if `var.provision_atracker_cos` is true and `var.existing_observability_resource_group_name` is not provided."
  type        = string
  default     = "observability-rg"

  validation {
    condition     = var.observability_resource_group_name == null ? true : length(var.observability_resource_group_name) <= 40
    error_message = "`observability_resource_group_name` must be 40 characters or less."
  }
}

# Pre-existing alternative to `observability_resource_group_name`; wins when both are set.
variable "existing_observability_resource_group_name" {
  description = "The name of the existing resource group to use for observability resources, takes precedence over `observability_resource_group_name`. Required if `var.provision_atracker_cos` is true and `var.observability_resource_group_name` is not provided."
  type        = string
  default     = null

  validation {
    condition     = var.existing_observability_resource_group_name == null ? true : length(var.existing_observability_resource_group_name) <= 40
    error_message = "`existing_observability_resource_group_name` must be 40 characters or less."
  }
}
# Resource group for the management plane; created unless an existing group is named below.
variable "management_resource_group_name" {
  description = "The name of the management resource group to create."
  type        = string
  default     = "management-plane-rg"

  validation {
    condition     = var.management_resource_group_name == null ? true : length(var.management_resource_group_name) <= 40
    error_message = "`management_resource_group_name` must be 40 characters or less."
  }
}

# Pre-existing alternative to `management_resource_group_name`; wins when both are set.
variable "existing_management_resource_group_name" {
  description = "The name of the existing resource group to use for management resources, takes precedence over `management_resource_group_name`."
  type        = string
  default     = null

  validation {
    condition     = var.existing_management_resource_group_name == null ? true : length(var.existing_management_resource_group_name) <= 40
    error_message = "`existing_management_resource_group_name` must be 40 characters or less."
  }
}
# Resource group for workloads; created unless an existing group is named below.
variable "workload_resource_group_name" {
  description = "The name of the workload resource group to create."
  type        = string
  default     = "workload-rg"

  validation {
    condition     = var.workload_resource_group_name == null ? true : length(var.workload_resource_group_name) <= 40
    error_message = "`workload_resource_group_name` must be 40 characters or less."
  }
}

# Pre-existing alternative to `workload_resource_group_name`; wins when both are set.
variable "existing_workload_resource_group_name" {
  description = "The name of the existing resource group to use for workload resources, takes precedence over `workload_resource_group_name`."
  type        = string
  default     = null

  validation {
    condition     = var.existing_workload_resource_group_name == null ? true : length(var.existing_workload_resource_group_name) <= 40
    error_message = "`existing_workload_resource_group_name` must be 40 characters or less."
  }
}
# Resource group for edge resources; created unless an existing group is named below.
variable "edge_resource_group_name" {
  description = "The name of the edge resource group to create."
  type        = string
  default     = "edge-rg"

  validation {
    condition     = var.edge_resource_group_name == null ? true : length(var.edge_resource_group_name) <= 40
    error_message = "`edge_resource_group_name` must be 40 characters or less."
  }
}

# Pre-existing alternative to `edge_resource_group_name`; wins when both are set.
variable "existing_edge_resource_group_name" {
  description = "The name of the existing resource group to use for edge resources, takes precedence over `edge_resource_group_name`."
  type        = string
  default     = null

  validation {
    condition     = var.existing_edge_resource_group_name == null ? true : length(var.existing_edge_resource_group_name) <= 40
    error_message = "`existing_edge_resource_group_name` must be 40 characters or less."
  }
}
# Resource group for DevOps tooling; created unless an existing group is named below.
variable "devops_resource_group_name" {
  description = "The name of the devops resource group to create."
  type        = string
  default     = "devops-tools-rg"

  validation {
    condition     = var.devops_resource_group_name == null ? true : length(var.devops_resource_group_name) <= 40
    error_message = "`devops_resource_group_name` must be 40 characters or less."
  }
}

# Pre-existing alternative to `devops_resource_group_name`; wins when both are set.
variable "existing_devops_resource_group_name" {
  description = "The name of the existing resource group to use for devops resources, takes precedence over `devops_resource_group_name`."
  type        = string
  default     = null

  validation {
    condition     = var.existing_devops_resource_group_name == null ? true : length(var.existing_devops_resource_group_name) <= 40
    error_message = "`existing_devops_resource_group_name` must be 40 characters or less."
  }
}
# Master switch: when true, none of the IAM account settings declared in this section are applied.
variable "skip_iam_account_settings" {
  description = "Set to true to skip the IAM account settings being applied to the account"
  type        = bool
  default     = false
}

# Lifetime of IAM access tokens, in seconds (kept as a string to match the account-settings API).
variable "access_token_expiration" {
  description = "Defines the access token expiration in seconds, has no effect when `skip_iam_account_settings` is true."
  type        = string
  default     = "3600"
}

# Upper bound on continuous session length, in seconds (default 24h).
variable "active_session_timeout" {
  description = "Specify how long (seconds) a user is allowed to work continuously in the account, has no effect when `skip_iam_account_settings` is true."
  type        = number
  default     = 86400
}
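# IP allowlist for IAM token creation. Typed as list(string) (was list(any)): the values are
# address/CIDR strings and an explicit element type gives earlier, clearer errors.
variable "allowed_ip_addresses" {
  type        = list(string)
  description = "List of the IP addresses and subnets from which IAM tokens can be created for the account, has no effect when `skip_iam_account_settings` is true. Whether the list is enforced is controlled by `enforce_allowed_ip_addresses`; make sure it includes the addresses Terraform itself runs from, otherwise later runs may be locked out once the restriction is enforced."
  default     = []
}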
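# Restricts who may create user API keys. Default keeps creation restricted to holders of the
# "User API key creator" role.
variable "api_creation" {
  type        = string
  description = "When restriction is enabled, only users, including the account owner, assigned the User API key creator role on the IAM Identity Service can create API keys. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value), has no effect when `skip_iam_account_settings` is true."
  default     = "RESTRICTED"

  validation {
    # Fail at plan time on a typo rather than at apply time against the API. A null value is still accepted.
    condition     = var.api_creation == null ? true : contains(["RESTRICTED", "NOT_RESTRICTED", "NOT_SET"], var.api_creation)
    error_message = "`api_creation` must be one of 'RESTRICTED', 'NOT_RESTRICTED' or 'NOT_SET'."
  }
}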
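# Switches the IP allowlist in `allowed_ip_addresses` between observe-only and enforced.
# NOTE(review): the sibling IAM settings are documented as no-ops when `skip_iam_account_settings`
# is true; presumably the same applies here — confirm against the module wiring.
variable "enforce_allowed_ip_addresses" {
  type        = bool
  description = "Whether the IP address restriction defined by `allowed_ip_addresses` is enforced. Set the value to `false` to test the impact of the restriction on your account without blocking access; once the impact of the restriction has been observed set the value to `true`. Before enforcing, make sure `allowed_ip_addresses` includes the addresses Terraform itself runs from, or later runs may be locked out."
  default     = true
}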
# Idle timeout for sessions, in seconds (default 2h); string-typed to match the account-settings API.
variable "inactive_session_timeout" {
  description = "Specify how long (seconds) a user is allowed to stay logged in the account while being inactive/idle, has no effect when `skip_iam_account_settings` is true."
  type        = string
  default     = "7200"
}
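# Concurrent-session cap per identity; "NOT_SET" leaves the service default in place.
variable "max_sessions_per_identity" {
  type        = string
  description = "Defines the maximum allowed sessions per identity required by the account. Supports any whole number greater than '0', or 'NOT_SET' to unset account setting and use service default, has no effect when `skip_iam_account_settings` is true."
  default     = "NOT_SET"

  validation {
    # Enforce the documented contract: a positive integer (no leading zeros) or the literal NOT_SET.
    condition     = var.max_sessions_per_identity == null ? true : (var.max_sessions_per_identity == "NOT_SET" || can(regex("^[1-9][0-9]*$", var.max_sessions_per_identity)))
    error_message = "`max_sessions_per_identity` must be a whole number greater than 0, or 'NOT_SET'."
  }
}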
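# Account-wide MFA requirement. Default TOTP4ALL applies TOTP to every user, federated or not.
variable "mfa" {
  type        = string
  description = "Specify Multi-Factor Authentication method in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users), has no effect when `skip_iam_account_settings` is true."
  default     = "TOTP4ALL"

  validation {
    # A mistyped value must not silently weaken the MFA posture; reject anything outside the documented set.
    condition     = var.mfa == null ? true : contains(["NONE", "TOTP", "TOTP4ALL", "LEVEL1", "LEVEL2", "LEVEL3"], var.mfa)
    error_message = "`mfa` must be one of 'NONE', 'TOTP', 'TOTP4ALL', 'LEVEL1', 'LEVEL2' or 'LEVEL3'."
  }
}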
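# Controls the IAM "Public Access" group. Leaving it disabled (the default) prevents resources
# from being exposed to unauthenticated principals via that group.
variable "public_access_enabled" {
  type        = bool
  description = "Enable/Disable the public access group, in which resources are open to anyone regardless of whether they are a member of your account, has no effect when `skip_iam_account_settings` is true."
  default     = false
}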
# Lifetime of IAM refresh tokens, in seconds (default 3 days); string-typed to match the account-settings API.
variable "refresh_token_expiration" {
  description = "Defines the refresh token expiration in seconds, has no effect when `skip_iam_account_settings` is true."
  type        = string
  default     = "259200"
}
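# Restricts who may create service IDs. Default keeps creation restricted to holders of the
# "Service ID creator" role.
variable "serviceid_creation" {
  type        = string
  description = "When restriction is enabled, only users, including the account owner, assigned the Service ID creator role on the IAM Identity Service can create service IDs, has no effect when `skip_iam_account_settings` is true. Allowed values are 'RESTRICTED', 'NOT_RESTRICTED', or 'NOT_SET' (to 'unset' a previous set value)."
  default     = "RESTRICTED"

  validation {
    # Same allowed set as `api_creation`; reject typos at plan time. A null value is still accepted.
    condition     = var.serviceid_creation == null ? true : contains(["RESTRICTED", "NOT_RESTRICTED", "NOT_SET"], var.serviceid_creation)
    error_message = "`serviceid_creation` must be one of 'RESTRICTED', 'NOT_RESTRICTED' or 'NOT_SET'."
  }
}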
# Cloud Shell global settings for all account users; off by default.
variable "shell_settings_enabled" {
  description = "Enable global shell settings to all users in the account, has no effect when `skip_iam_account_settings` is true."
  type        = bool
  default     = false
}

# Skips the Cloud Shell API calls entirely (useful where the caller lacks Cloud Shell permissions).
variable "skip_cloud_shell_calls" {
  description = "Skip Cloud Shell calls in the account, has no effect when `skip_iam_account_settings` is true."
  type        = bool
  default     = false
}
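# Per-user MFA overrides, keyed by IAM ID. Each `mfa` value uses the same vocabulary as the
# account-wide `mfa` variable.
variable "user_mfa" {
  type = set(object({
    iam_id = string
    mfa    = string
  }))
  description = "Specify Multi-Factor Authentication method for specific users in the account. Supported valid values are 'NONE' (No MFA trait set), 'TOTP' (For all non-federated IBMId users), 'TOTP4ALL' (For all users), 'LEVEL1' (Email based MFA for all users), 'LEVEL2' (TOTP based MFA for all users), 'LEVEL3' (U2F MFA for all users). Example of format is available here > https://github.com/terraform-ibm-modules/terraform-ibm-iam-account-settings#usage, has no effect when `skip_iam_account_settings` is true."
  default     = []

  validation {
    # Every entry must use a documented MFA level; a per-user typo should not pass plan.
    condition = var.user_mfa == null ? true : alltrue([
      for entry in var.user_mfa : contains(["NONE", "TOTP", "TOTP4ALL", "LEVEL1", "LEVEL2", "LEVEL3"], entry.mfa)
    ])
    error_message = "Each `user_mfa` entry's `mfa` must be one of 'NONE', 'TOTP', 'TOTP4ALL', 'LEVEL1', 'LEVEL2' or 'LEVEL3'."
  }
}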
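# Destructive switch: wipes every per-user MFA setting in the account. Do not leave it set to
# true in a long-lived configuration.
variable "user_mfa_reset" {
  type        = bool
  description = "Set to true to delete all user MFA settings configured in the targeted account, ignoring any entries declared in `user_mfa`, has no effect when `skip_iam_account_settings` is true."
  default     = false
}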
########################################################################################################################
# COS Variables
########################################################################################################################
# Opt-in for the audit-log pipeline (Activity Tracker route + COS instance/bucket). Off by default,
# so no Activity Tracker destination is created unless this is enabled.
variable "provision_atracker_cos" {
  description = "Enable to create an Atracker route and COS instance + bucket."
  type        = bool
  default     = false
}

# Region for the COS resources this solution creates.
variable "region" {
  description = "Region to provision the COS resources created by this solution."
  type        = string
  default     = "us-south"
}
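# The previous description read as "enable creating the policy", the inverse of what a `skip_*`
# flag does; reworded to match the variable's actual sense.
variable "skip_cos_kms_auth_policy" {
  type        = bool
  description = "Set to true to skip creating an IAM authorization policy between the IBM Cloud Object Storage instance and the Key Management service instance of the CRN provided in `kms_key_crn`. NOTE: If skipping, ensure an equivalent policy already exists before applying. This variable has no effect if `provision_atracker_cos` is false."
  default     = false
}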
# Service plan for the COS instance.
variable "cos_plan" {
  description = "Plan of the COS instance created by the module"
  type        = string
  default     = "standard"
}
# Name for the COS instance; only meaningful when `provision_atracker_cos` is true.
variable "cos_instance_name" {
  description = "The name to give the cloud object storage instance that will be provisioned by this module, required if 'var.provision_atracker_cos' is true."
  type        = string
  default     = null

  # Both checks are skipped for the null default.
  validation {
    condition     = var.cos_instance_name == null ? true : length(var.cos_instance_name) <= 180
    error_message = "`cos_instance_name` must be 180 characters or less"
  }

  validation {
    # can(regex(...)) is true exactly when the anchored pattern matches.
    condition     = var.cos_instance_name == null ? true : can(regex("^([^[:ascii:]]|[a-zA-Z0-9-._: ])+$", var.cos_instance_name))
    error_message = "`cos_instance_name` must match the following regex pattern: \"^([^[:ascii:]]|[a-zA-Z0-9-._: ])+$\""
  }
}
# User tags for the COS resources.
variable "resource_tags" {
  description = "A list of tags applied to the COS resources created by the module."
  type        = list(string)
  default     = []
}

# Access-management tags for the COS instance (usable in IAM policies).
variable "cos_instance_access_tags" {
  description = "A list of Access Tags applied to the created COS instance."
  type        = list(string)
  default     = []
}
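# Name of the Activity Tracker log bucket; only meaningful when `provision_atracker_cos` is true.
variable "cos_bucket_name" {
  type        = string
  description = "The name to give the newly provisioned COS bucket which will be used for Activity Tracker logs, required if 'var.provision_atracker_cos' is true."
  default     = null

  validation {
    condition     = var.cos_bucket_name == null ? true : (length(var.cos_bucket_name) >= 3)
    error_message = "`cos_bucket_name` must be 3 or more characters long"
  }

  validation {
    condition     = var.cos_bucket_name == null ? true : (length(var.cos_bucket_name) <= 63)
    error_message = "`cos_bucket_name` must be 63 or less characters long"
  }

  validation {
    condition = var.cos_bucket_name == null ? true : length(regexall("^[a-z0-9][a-z0-9-]+[a-z0-9]$", var.cos_bucket_name)) > 0
    # The message now quotes the pattern actually enforced (it previously omitted the `-`).
    error_message = "`cos_bucket_name` must match the following regex pattern: \"^[a-z0-9][a-z0-9-]+[a-z0-9]$\""
  }
}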
# Access-management tags for the bucket.
variable "cos_bucket_access_tags" {
  description = "A list of Access Tags applied to the created bucket."
  type        = list(string)
  default     = []
}

# Lifecycle expiry. Off by default; when on, objects (audit logs) are removed after `cos_bucket_expire_days`.
variable "cos_bucket_expire_enabled" {
  description = "A flag to control expiry rule on the bucket."
  type        = bool
  default     = false
}

variable "cos_bucket_expire_days" {
  description = "Number of days before expiry."
  type        = number
  default     = 365
}

# Object versioning; off by default.
variable "cos_bucket_object_versioning_enabled" {
  description = "A flag to control object versioning on the bucket."
  type        = bool
  default     = false
}
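# Root/customer key used to encrypt the audit-log bucket; only meaningful when `provision_atracker_cos` is true.
variable "kms_key_crn" {
  type        = string
  description = "CRN of the KMS key to use to encrypt the data in the COS bucket, required if 'var.provision_atracker_cos' is true."
  default     = null

  validation {
    # Catch a key ID or name being passed where a full CRN is expected; CRNs always start with "crn:".
    condition     = var.kms_key_crn == null ? true : can(regex("^crn:", var.kms_key_crn))
    error_message = "`kms_key_crn` must be a full CRN (it should begin with `crn:`)."
  }
}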
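# Endpoint the provider uses for bucket management calls. `public` is the default for reachability;
# `private`/`direct` keep that traffic off the public internet when the runner can reach them.
variable "cos_bucket_management_endpoint_type" {
  description = "The type of endpoint for the IBM terraform provider to use to manage the bucket (public, private or direct). `private` and `direct` keep bucket-management traffic off the public internet, but the host running Terraform must be able to reach those endpoints."
  type        = string
  default     = "public"

  validation {
    condition = contains(["public", "private", "direct"], var.cos_bucket_management_endpoint_type)
    # The message now names this variable; it previously referred to `management_endpoint_type_for_bucket`.
    error_message = "`cos_bucket_management_endpoint_type` must be one of 'public', 'private' or 'direct'."
  }
}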
# Storage class for the bucket.
variable "cos_bucket_storage_class" {
  description = "COS Bucket storage class type"
  type        = string
  default     = "smart"
}

# Archive lifecycle rule (off by default) and its parameters.
variable "cos_bucket_archive_enabled" {
  description = "Set as true to enable archiving on the COS bucket."
  type        = bool
  default     = false
}

variable "cos_bucket_archive_days" {
  description = "Number of days to archive objects in the bucket."
  type        = number
  default     = 20
}

variable "cos_bucket_archive_type" {
  description = "Type of archiving to use on bucket."
  type        = string
  default     = "Glacier"
}
# Bucket retention (write-once) policy. Disabled by default, so the audit-log bucket has no
# immutability guarantee unless this is turned on. The minimum/default/maximum values below are
# presumably expected to satisfy minimum <= default <= maximum; that cannot be checked in a
# per-variable validation here, so it is left to the COS API.
variable "cos_bucket_retention_enabled" {
  description = "Retention enabled for COS bucket."
  type        = bool
  default     = false
}

variable "cos_bucket_retention_default" {
  description = "Specifies default duration of time an object that can be kept unmodified for COS bucket."
  type        = number
  default     = 90
}

variable "cos_bucket_retention_maximum" {
  description = "Specifies maximum duration of time an object that can be kept unmodified for COS bucket."
  type        = number
  default     = 350
}

variable "cos_bucket_retention_minimum" {
  description = "Specifies minimum duration of time an object must be kept unmodified for COS bucket."
  type        = number
  default     = 90
}

# NOTE(review): permanent retention is presumably irreversible once applied — confirm with the
# COS documentation before enabling it in a long-lived environment.
variable "cos_bucket_retention_permanent" {
  description = "Specifies a permanent retention status either enable or disable for COS bucket."
  type        = bool
  default     = false
}
# Context-based restriction rules scoped to the bucket. Attribute order is cosmetic; each rule
# pairs an enforcement mode with the contexts (and optional API operations) it applies to.
variable "cos_bucket_cbr_rules" {
  description = "COS Bucket CBR Rules"
  default     = []

  type = list(object({
    enforcement_mode = string
    description      = string
    account_id       = string

    rule_contexts = list(object({
      attributes = optional(list(object({
        name  = string
        value = string
      })))
    }))

    operations = optional(list(object({
      api_types = list(object({
        api_type_id = string
      }))
    })))

    tags = optional(list(object({
      name  = string
      value = string
    })), [])
  }))
}
# Context-based restriction rules scoped to the COS instance; same shape as `cos_bucket_cbr_rules`.
variable "cos_instance_cbr_rules" {
  description = "CBR Rules for the COS instance."
  default     = []

  type = list(object({
    enforcement_mode = string
    description      = string
    account_id       = string

    rule_contexts = list(object({
      attributes = optional(list(object({
        name  = string
        value = string
      })))
    }))

    operations = optional(list(object({
      api_types = list(object({
        api_type_id = string
      }))
    })))

    tags = optional(list(object({
      name  = string
      value = string
    })), [])
  }))
}
########################################################################################################################
# ATracker Variables
########################################################################################################################
# Authorization from Activity Tracker to the COS instance (Object Writer). Skipping it only makes
# sense when an equivalent policy already exists in the account.
variable "skip_atracker_cos_iam_auth_policy" {
  description = "Set to true to skip the creation of an IAM authorization policy that permits the Activity Tracker service Object Writer access to the Cloud Object Storage instance provisioned by this module. NOTE: If skipping, you must ensure the auth policy exists on the account before running the module."
  type        = bool
  default     = false
}

# Activity Tracker target (COS) and route names; both only matter when `provision_atracker_cos` is true.
variable "cos_target_name" {
  description = "Name of the COS Target for Activity Tracker, required if 'var.provision_atracker_cos' is true."
  type        = string
  default     = null
}

variable "activity_tracker_route_name" {
  description = "Name of the route for the Activity Tracker, required if 'var.provision_atracker_cos' is true."
  type        = string
  default     = null
}

# Locations whose events the route forwards; the default captures all regions plus global events.
variable "activity_tracker_locations" {
  description = "Location of the route for the Activity Tracker, logs from these locations will be sent to the specified target. Supports passing individual regions, as well as `global` and `*`."
  type        = list(string)
  default     = ["*", "global"]
}
########################################################################################################################
# Trusted Profile Variables
########################################################################################################################
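# Trusted Profile used by IBM Cloud Projects. Provisioned by default, which means `trusted_profile_name`
# must be supplied in the default configuration (its own default is null).
variable "provision_trusted_profile_projects" {
  type        = bool
  description = "Controls whether the Trusted Profile for Projects is provisioned. Defaults to true, in which case `trusted_profile_name` must also be set."
  default     = true
}

variable "trusted_profile_name" {
  type        = string
  description = "Name of the trusted profile, required if `provision_trusted_profile_projects` is true (the default)."
  default     = null
}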
# Free-text description shown on the trusted profile.
variable "trusted_profile_description" {
  description = "Description of the trusted profile."
  type        = string
  default     = "Trusted Profile for Projects access"
}
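# Roles bound to the Projects trusted profile. The default is Administrator, i.e. the profile can do
# anything in scope; the default is kept for compatibility but callers should narrow it.
variable "trusted_profile_roles" {
  type        = list(string)
  description = "List of IAM roles given to the trusted profile. The default grants `Administrator`; reduce this to the least privilege the Projects deployments actually need before using the profile in production."
  default     = ["Administrator"]
}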
########################################################################################################################
# CBR Variables
########################################################################################################################
# Opt-in for all context-based restriction zones and rules below; off by default.
variable "provision_cbr" {
  description = "Whether to enable the creation of context-based restriction rules and zones in the module. Default is false."
  type        = bool
  default     = false
}
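# Name prefix for every CBR zone/rule. The description previously claimed the default was
# `account-infra-base`; the actual default is `acct-infra-base`.
variable "cbr_prefix" {
  type        = string
  description = "String to use as the prefix for all context-based restriction resources, default is `acct-infra-base` if `provision_cbr` is set to true."
  default     = "acct-infra-base"
}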
# Pre-wired service-to-service CBR allow rules. Each flag is only consulted when `provision_cbr`
# is true; all default to on so that platform services keep working once restrictions are enabled.

# --- service -> key management ---
variable "cbr_allow_cos_to_kms" {
  description = "Whether to enable the rule that allows Object Storage to access the key management service. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_block_storage_to_kms" {
  description = "Whether to enable the rule that allows Block Storage for VPC to access the key management service. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_roks_to_kms" {
  description = "Whether to enable the rule that allows Red Hat OpenShift to access the key management service. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_icd_to_kms" {
  description = "Whether to enable the rule that allows IBM cloud databases to access the key management service. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_event_streams_to_kms" {
  description = "Whether to enable the rule that allows Event Streams to access the key management service. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

# --- VPC -> platform services ---
variable "cbr_allow_vpcs_to_container_registry" {
  description = "Whether to enable the rule that allows Virtual Private Clouds to access Container Registry. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_vpcs_to_cos" {
  description = "Whether to enable the rule that allows Virtual Private Clouds to access Object Storage. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_vpcs_to_iam_groups" {
  description = "Whether to enable the rule that allows Virtual Private Clouds to access IAM groups. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_vpcs_to_iam_access_management" {
  description = "Whether to enable the rule that allows Virtual Private Clouds to IAM access management. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

# --- other service -> service paths ---
variable "cbr_allow_at_to_cos" {
  description = "Whether to enable the rule that allows Activity Tracker to access Object Storage. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_iks_to_is" {
  description = "Whether to enable the rule that allows the Kubernetes Service to access VPC Infrastructure Services. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_is_to_cos" {
  description = "Whether to enable the rule that allows VPC Infrastructure Services to access Object Storage. Default is true if `provision_cbr` is set to true."
  type        = bool
  default     = true
}

variable "cbr_allow_scc_to_cos" {
  description = "Set rule for SCC (Security and Compliance Center) to COS. Default is true if `provision_cbr` is true."
  type        = bool
  default     = true
}
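# Which KMS offering(s) the pre-wired `cbr_allow_*_to_kms` rules target.
variable "cbr_kms_service_targeted_by_prewired_rules" {
  type        = list(string)
  description = "IBM Cloud offers two distinct Key Management Services (KMS): Key Protect and Hyper Protect Crypto Services (HPCS). This variable determines the specific KMS service to which the pre-configured rules are applied. Use the value 'key-protect' to specify the Key Protect service, and 'hs-crypto' for the Hyper Protect Crypto Services (HPCS). Default is `[\"hs-crypto\"]` if `provision_cbr` is set to true."
  default     = ["hs-crypto"]

  validation {
    # Only the two documented service names are meaningful; anything else would silently target nothing.
    condition     = var.cbr_kms_service_targeted_by_prewired_rules == null ? true : alltrue([for svc in var.cbr_kms_service_targeted_by_prewired_rules : contains(["key-protect", "hs-crypto"], svc)])
    error_message = "Each entry of `cbr_kms_service_targeted_by_prewired_rules` must be 'key-protect' or 'hs-crypto'."
  }
}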
# Per-service CBR rule details, keyed by service name. `global_deny` defaults to true, so a listed
# service is denied outside its configured context unless explicitly overridden.
variable "cbr_target_service_details" {
  description = "Details of the target service for which a rule is created. The key is the service name."
  default     = {}

  type = map(object({
    enforcement_mode = string
    global_deny      = optional(bool, true)

    description = optional(string)
    target_rg   = optional(string)
    instance_id = optional(string)
    tags        = optional(list(string))
    region      = optional(string)
    geography   = optional(string)
  }))
}