variable "region" {
  # AWS region that the VPC and everything declared alongside it is created in.
  description = "Required : The AWS Region to deploy the VPC to"
  type        = string
}
variable "vpc-cidrs" {
  # CIDR blocks applied to the VPC; a single /21 when nothing is supplied.
  type        = list(string)
  default     = ["10.0.0.0/21"]
  description = "Required : List of CIDRs to apply to the VPC."
}
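variable "acctnum" {
  # Declared as a string so an account number with leading zeros is never
  # silently reinterpreted as a number and truncated.
  description = "Required : AWS Account Number"
  type        = string
}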
variable "name-vars" {
  # Two entries are expected, "account" and "name"; resource names are derived
  # from them.
  type        = map(string)
  description = "Required : Map with two keys account and name. Names of elements are created based on these values."
}
variable "tags" {
  # Tags applied to every resource; empty by default.
  description = "Optional : A map of tags to assign to the resource."
  type        = map(string)
  default     = {}
}
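variable "subnet-tags" {
  # Per-subnet tag overrides, keyed by the same names used in `subnets`.
  # (Description typos fixed: "specifc" -> "specific", "but be" -> "must be".)
  type        = map(map(string))
  description = "Optional : A map of maps of tags to assign to a specific subnet resource. The key must be the same as the key in variable subnets."
  default     = {}
}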
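variable "resource-tags" {
  # Per-resource-type tag overrides; the key set below is the one the
  # description enumerates. (Description typo fixed: "specifc" -> "specific".)
  type        = map(map(string))
  description = "Optional : A map of maps of tags to assign to specific resources. The key must be one of the following: aws_vpc, aws_vpn_gateway, aws_subnet, aws_network_acl, aws_internet_gateway, aws_cloudwatch_log_group, aws_vpc_dhcp_options, aws_route_table."
  default     = {}
}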
/* VPC Variables */
variable "vpc-name" {
# NOTE(review): the description says this overrides the calculated VPC name,
# yet the default is the boolean `true` rather than a string. The code that
# consumes it is not in this file — confirm whether `true` is a sentinel for
# "use the calculated name" before changing the default or adding a type.
description = "Optional : Override the calculated VPC name"
default = true
}
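variable "enable_dns_support" {
  # Boolean flag per the description; declared as bool so non-boolean input is
  # rejected at plan time instead of being passed through as a string.
  description = "Optional : A boolean flag to enable/disable DNS support in the VPC. Defaults true."
  type        = bool
  default     = true
}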
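variable "enable_dns_hostnames" {
  # The actual default is `true`; the description previously said "false".
  # Declared as bool so non-boolean input is rejected at plan time.
  description = "Optional : A boolean flag to enable/disable DNS hostnames in the VPC. Defaults true."
  type        = bool
  default     = true
}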
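variable "default_reverse_zones" {
  # Boolean flag; typed as bool so only true/false (or convertible strings)
  # are accepted.
  description = "Optional : Deploy Route53 Reverse Lookup Zones as /24s. Defaults to false"
  type        = bool
  default     = false
}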
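variable "shared_resolver_rule" {
  # Boolean flag; typed as bool so only true/false (or convertible strings)
  # are accepted.
  description = "Optional : Deploy Route53 resolver rules. Defaults to false"
  type        = bool
  default     = false
}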
variable "exclude_resolver_rule_ids" {
  # Resolver rule IDs that are left out when rule associations are created.
  type        = list(string)
  default     = []
  description = "Optional : A list of resolve rule IDs to exclude from the resolve rule associations."
}
variable "route53_resolver_endpoint" {
# NOTE(review): declared `type = string` with a boolean default, so Terraform
# stores the default as the string "false". The description calls it a boolean
# flag; whether `type = bool` is the right fix depends on how the consuming code
# tests it (a `? :` condition vs. a comparison against "true"), which is not
# visible in this file.
type = string
description = "Optional : A boolean flag to enable/disable Route53 Resolver Endpoint. Defaults false."
default = false
}
variable "route53_resolver_endpoint_cidr_blocks" {
  # Source ranges allowed to reach the Resolver Endpoint. The default of
  # 0.0.0.0/0 admits every source; narrow it to the resolver ranges that
  # actually need to query the endpoint.
  description = "Optional : A list of the source CIDR blocks to allow to commuicate with the Route53 Resolver Endpoint. Defaults 0.0.0.0/0."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}
variable "route53_resolver_endpoint_subnet" {
  # Name of the subnet group (a key of `subnets`) that hosts the endpoint.
  description = "Optional : The subnet to install Route53 Resolver Endpoint , the default is mgt but must exist as a key in the variable subnets."
  default     = "mgt"
  type        = string
}
variable "route53_outbound_endpoint" {
# NOTE(review): same shape as route53_resolver_endpoint — `type = string` with a
# boolean default, so the default becomes the string "false". Confirm how the
# consuming code tests this value before switching it to `type = bool`.
type = string
description = "Optional : A boolean flag to enable/disable Route53 Outbound Endpoint. Defaults false."
default = false
}
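variable "forward_rules" {
  # `list` without an element type is the legacy spelling of `list(any)`; the
  # explicit form is used here. The shape of each rule is not constrained in
  # this file — the resources that consume it define the expected keys, so
  # confirm there before tightening the element type.
  type        = list(any)
  description = "Optional : List of Forward Rules"
  default     = []
}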
variable "instance_tenancy" {
  # Passed through to the VPC's tenancy setting; "default" means shared
  # hardware.
  default     = "default"
  type        = string
  description = "Optional : A tenancy option for instances launched into the VPC."
}
/* Subnet Variables */
variable "subnets" {
  # Subnet group name -> CIDR. Each CIDR is split across the AZs of the region;
  # "pub" is the only name with special meaning (the public subnet) and must
  # come first.
  description = "Optional : Keys are used for subnet names and values are the subnets for the various layers. These will be divided by the number of AZs based on ceil(log(length(var.zones[var.region]),2)). 'pub' is the only special name used for the public subnet and must be specified first."
  type        = map(string)
  default = {
    pub = "10.0.0.0/24"
    web = "10.0.1.0/24"
    app = "10.0.2.0/24"
    db  = "10.0.3.0/24"
    mgt = "10.0.4.0/24"
  }
}
variable "fixed-subnets" {
  # Explicit per-AZ subnet CIDRs, used instead of the automatic split; one
  # entry per AZ for each key in `subnet-order`.
  default     = {}
  type        = map(list(string))
  description = "Optional : Keys must match subnet-order and values are the list of subnets for each AZ. The number of subnets specified in each list needs to match the number of AZs. 'pub' is the only special name used."
}
variable "fixed-name" {
  # Explicit per-AZ subnet names; same keying rules as `fixed-subnets`.
  default     = {}
  type        = map(list(string))
  description = "Optional : Keys must match subnet-order and values are the name of subnets for each AZ. The number of subnets specified in each list needs to match the number of AZs. 'pub' is the only special name used."
}
variable "subnet-order" {
  # Creation order for the subnet groups. Inserting a name ahead of existing
  # ones can force recreation of the subnets that follow it, so append rather
  # than insert.
  description = "Required : Order in which subnets are created. Changes can cause recreation issues when subnets are added when something precedes other subnets. Must include all key names."
  type        = list(string)
}
/* DHCP options */
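variable "domain_name" {
  # DHCP option set search domain; typed as string so a list is rejected at
  # plan time rather than failing inside the resource.
  description = "Optional : DNS search domains for DHCP Options"
  type        = string
  default     = "ec2.internal"
}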
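variable "domain_name_servers" {
  # DNS servers handed out by the DHCP option set; "AmazonProvidedDNS" keeps
  # the VPC's built-in resolver. Typed to match the default's shape.
  description = "Optional : DNS Servers for DHCP Options"
  type        = list(string)
  default     = ["AmazonProvidedDNS"]
}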
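variable "ntp_servers" {
  # NTP servers handed out by the DHCP option set; none by default. Typed to
  # match the default's shape.
  description = "Optional : NTP Servers for DHCP Options"
  type        = list(string)
  default     = []
}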
/* Start Network ACL Variables */
variable "bypass_ingress_rules" {
  # "source|port" or "source|start-end" entries that are explicitly permitted
  # inbound in the network ACL. Each entry is a hole in the ACL's blocking
  # rules, so keep the source ranges as narrow as possible. How these are
  # ordered relative to `block_ports` / `ingress_block` is decided by the ACL
  # rule numbering in the consuming code — confirm there.
  type        = list(string)
  default     = []
  description = "Optional : Permit ingress Source|Port or Source|StartPort-EndPort for example 10.0.0.0/8|22 or 10.0.0.0/8|20-21"
}
variable "bypass_egress_rules" {
  # Outbound counterpart of `bypass_ingress_rules`; same "source|port(-range)"
  # entry format and the same caution about keeping sources narrow.
  type        = list(string)
  default     = []
  description = "Optional : Permit egress Source|Port or Source|StartPort-EndPort for example 10.0.0.0/8|22 or 10.0.0.0/8|20-21"
}
variable "block_ports" {
  # Ports denied in both directions by the network ACL. The default covers the
  # well-known management and database ports: FTP (20-21), SSH (22), Telnet
  # (23), NetBIOS (137-139), SMB (445), MSSQL (1433), Oracle (1521), MySQL
  # (3306), RDP (3389), Redshift (5439) and PostgreSQL (5432).
  description = "Optional : Ports to block both inbound and outbound"
  type        = list(string)
  default = [
    "20-21",
    "22",
    "23",
    "137-139",
    "445",
    "1433",
    "1521",
    "3306",
    "3389",
    "5439",
    "5432",
  ]
}
variable "ingress_block" {
  # Source CIDRs denied inbound by the network ACL; none by default.
  type        = list(string)
  description = "Optional : CIDR blocks to block inbound"
  default     = []
}
variable "egress_block" {
  # Destination CIDRs denied outbound by the network ACL; none by default.
  type        = list(string)
  description = "Optional : CIDR blocks to block outbound"
  default     = []
}
/* Direct Connect Gateway */
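variable "dx_bgp_default_route" {
  # Boolean flag; when true the default route is expected from BGP over Direct
  # Connect and NAT Gateways are not deployed. Typed as bool so non-boolean
  # input is rejected at plan time.
  description = "Optional : A boolean flag that indicates that the default gateway will be advertised via bgp over Direct Connect and causes the script to not deploy NAT Gateways."
  type        = bool
  default     = false
}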
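variable "enable_pub_route_propagation" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : A boolean flag that indicates that the routes should be propagated to the pub routing table. Defaults to False."
  type        = bool
  default     = false
}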
variable "dx_gateway_id" {
# NOTE(review): untyped, and the default `false` appears to act as a "not set"
# sentinel for what is otherwise an ID string. Adding `type = string` would turn
# that default into the literal "false", so the type is deliberately left off
# until the check in the consuming code is known.
description = "Optional : specify the Direct Connect Gateway ID to associate the VGW with."
default = false
}
variable "transit_gateway_id" {
# NOTE(review): same pattern as dx_gateway_id — an ID string whose default
# `false` presumably means "do not attach". Leave untyped until the consuming
# code's check is known; `type = string` would make the default "false".
description = "Optional : specify the Transit Gateway ID within the same account to associate the VPC with."
default = false
}
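variable "appliance_mode_support" {
  # Transit Gateway attachment setting; the two accepted values are given in
  # the description. Typed as string to match.
  description = "(Optional) Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: disable, enable. Default value: disable."
  type        = string
  default     = "disable"
}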
variable "transit_gateway_routes" {
  # Destination networks whose routes point at the Transit Gateway.
  description = "Optional : specify the networks to route to the Transit Gateway"
  default     = []
  type        = list(string)
}
/* Endpoint Configuration */
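variable "enable-s3-endpoint" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : Enable the S3 Endpoint"
  type        = bool
  default     = false
}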
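variable "enable-dynamodb-endpoint" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : Enable the DynamoDB Endpoint"
  type        = bool
  default     = false
}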
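variable "private_endpoints" {
  # One map per interface endpoint with the keys listed in the description.
  # Typed as list(map(string)) so a non-string value is caught at plan time;
  # "<REGION>" in `service` is substituted with the VPC region by the consumer.
  description = "List of Maps for private AWS Endpoints Keys: name[Name of Resource IE: s3-endpoint], subnet[Name of the subnet group for the Endpoint IE: web], service[The Service IE: com.amazonaws.<REGION>.execute-api, <REGION> will be replaced with VPC Region], security_group[sg id to apply, if more than one is needed they should be | delimited]"
  type        = list(map(string))
  default     = []
}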
/* Peer Links */
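variable "peer_requester" {
  # Requester side of VPC peering links, keyed by link name. Map keys iterate
  # in lexical order, hence the advice to prefix names with a letter.
  # (Description wording fixed: "Since maps our lexically" -> "Since maps are
  # ordered lexically".)
  description = "Optional : Map of Peer Link Name with a value of [Peer AWS Account Number]|[Peer VPC_ID]|[Peer VPC CIDR]|[allow_remote_vpc_dns_resolution]. This only creates the requester half of the connection. Since maps are ordered lexically, prepend the VPC name with an alpha character so they flow alphabetically, for example a-peerlink1, b-peerlink2, etc."
  type        = map(string)
  default     = {}
}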
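variable "peer_accepter" {
  # Accepter side of VPC peering links, keyed by link name; same ordering
  # advice as `peer_requester`. (Description wording fixed: "Since maps our
  # lexically" -> "Since maps are ordered lexically".)
  description = "Optional : Map of Peer Link Name with a value of [vpc_peering_connection_id]|[Peer VPC CIDR]. This only creates the accepter half of the connection. Since maps are ordered lexically, prepend the VPC name with an alpha character so they flow alphabetically, for example a-peerlink1, b-peerlink2, etc."
  type        = map(string)
  default     = {}
}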
/* NAT Gateway */
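variable "deploy_natgateways" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : Set to true to deploy NAT gateways if pub subnet is created"
  type        = bool
  default     = false
}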
/* VPC Flow Logs */
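variable "enable_flowlog" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  # Flow logs are off by default, so network-level evidence is only collected
  # when the caller opts in.
  description = "Optional : A boolean flag to enable/disable VPC flowlogs."
  type        = bool
  default     = false
}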
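variable "flow_log_destination_type" {
  # The description previously claimed the default was S3; the actual default
  # is "cloud-watch-logs" and the text now says so.
  description = "Optional : Type of flow log destination. Can be s3 or cloud-watch-logs. Defaults to cloud-watch-logs."
  type        = string
  default     = "cloud-watch-logs"
}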
variable "flow_log_traffic_type" {
  # Which flows are recorded; "ALL" captures accepted and rejected traffic,
  # which is what detection use cases generally need.
  default     = "ALL"
  type        = string
  description = "Optional : The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL."
}
variable "flow_log_max_aggregation_interval" {
  # Aggregation window in seconds; only 60 or 600 are valid per the
  # description.
  default     = 600
  type        = number
  description = "Optional : The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. Defaults to 600."
}
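variable "cloudwatch_retention_in_days" {
  # Retention for the flow-log CloudWatch log group. Declared as a number (the
  # previous default was the string "7"); string input still converts. Seven
  # days is a short investigation window — size this to the retention your
  # incident-response process needs.
  description = "Optional : Number of days to keep logs within the cloudwatch log_group. The default is 7 days."
  type        = number
  default     = 7
}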
variable "flow_log_format" {
  # Flow log record format. Each field is written as `$${name}` so Terraform
  # emits a literal `${name}` for the flow-log service instead of trying to
  # interpolate it.
  default     = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id} $${pkt-src-aws-service} $${pkt-dst-aws-service} $${flow-direction} $${traffic-path}"
  description = "VPC flow log format."
}
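variable "flow_log_filter" {
  # CloudWatch subscription filter pattern; empty by default. Typed as string
  # to match the default.
  description = "CloudWatch subscription filter to match flow logs."
  type        = string
  default     = ""
}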
variable "flow_log_destination_arn" {
  # ARN of the log group or bucket that receives flow logs. When it is an S3
  # bucket, the bucket policy has to grant the delivery permissions.
  # NOTE(review): the description refers to `create_flow_log_cloudwatch_log_group`,
  # which is not declared in this file — confirm it exists elsewhere in the
  # module.
  default     = ""
  type        = string
  description = "Optional : Required if enable_flowlog = true and destination type s3. The ARN of the CloudWatch log group or S3 bucket where VPC Flow Logs will be pushed. If this ARN is a S3 bucket the appropriate permissions need to be set on that bucket's policy. When create_flow_log_cloudwatch_log_group is set to false this argument must be provided."
}
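variable "aws_lambda_function_name" {
  # Lambda used to forward logs to an external SIEM. The literal "none" is
  # presumably the "not configured" sentinel checked by the consuming code, so
  # it is kept as-is. (Description typos fixed: "sending to logs" -> "sending
  # logs", "SEIM" -> "SIEM".)
  description = "Optional : Lambda function name to call when sending logs to an external SIEM."
  type        = string
  default     = "none"
}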
variable "flow_log_file_format" {
  # On-disk format of S3-delivered flow logs; the two accepted values are in
  # the description.
  default     = "plain-text"
  type        = string
  description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`."
}
variable "flow_log_hive_compatible_partitions" {
  # Hive-style S3 key prefixes for flow logs; off by default.
  default     = false
  type        = bool
  description = "(Optional) Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3."
}
variable "flow_log_per_hour_partition" {
  # Hourly S3 partitioning of flow logs; off by default.
  default     = false
  type        = bool
  description = "(Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries."
}
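variable "amazonaws-com" {
  # Service principal suffix used in the flow-log delivery policy; switch to
  # "amazonaws.com.cn" for the China partition. Typed as string to match the
  # default.
  description = "Optional : Ability to change principal for flowlogs from amazonaws.com to amazonaws.com.cn."
  type        = string
  default     = "amazonaws.com"
}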
/* Site-to-Site VPN Connections */
variable "vpn_connections" {
  # Per-VPN settings keyed by VPN name; entries not given fall back to
  # `default_vpn_connections`. Tunnel pre-shared keys supplied here appear in
  # plan output and state in clear text — source them from a secret store and
  # restrict access to the state backend.
  default     = {}
  type        = map(map(string))
  description = "Optional : A map of a map with the settings for each VPN. The key will be the name of the VPN"
}
variable "default_vpn_connections" {
  # Fallback values merged under each `vpn_connections` entry; not meant to be
  # set by callers. Because the type is map(string), the `false` below is stored
  # as the string "false" while the `null` entries stay null.
  type        = map(string)
  description = "Do not use: This defines the default values for each map entry in vpn_connections. Do not override this."
  default = {
    static_routes_only      = false
    destination_cidr_blocks = ""
    tunnel1_inside_cidr     = null
    tunnel1_preshared_key   = null
    tunnel2_inside_cidr     = null
    tunnel2_preshared_key   = null
  }
}
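variable "egress_only_internet_gateway" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : Deploy egress_only_internet_gateway instead of aws_internet_gateway"
  type        = bool
  default     = false
}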
/* Setup Gateway Load Balancer Endpoint */
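variable "deploy_gwep" {
  # Boolean flag; typed as bool so non-boolean input is rejected at plan time.
  description = "Optional : Setup Gateway Load Balancer Endpoint components"
  type        = bool
  default     = false
}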
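variable "gwep_subnet" {
  # CIDR for the Gateway Load Balancer endpoint subnet; empty means not set.
  # Typed as string to match the default.
  description = "Optional : CIDR Blocked used for the Gateway Endpoints"
  type        = string
  default     = ""
}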
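variable "gwep_service_name" {
  # Endpoint service name for the Gateway Load Balancer endpoint; empty means
  # not set. Typed as string to match the default.
  description = "Optional : Service Name for Gateway Endpoint"
  type        = string
  default     = ""
}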