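## Additional EKS access entries (IAM principal -> Kubernetes groups / access policies).
## Needed when Terraform runs under a different IAM role than the one that created the
## cluster, otherwise that role has no API access once the cluster exists.
variable "access_entries" {
  description = "Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions."
  type = map(object({
    ## The Kubernetes groups to associate the principal with
    kubernetes_groups = optional(list(string), [])
    ## The ARN of the IAM principal (role or user) this access entry is for
    principal_arn = string
    ## EKS access policies to associate with the principal
    policy_associations = optional(map(object({
      ## The ARN of the EKS access policy to associate with the principal
      policy_arn = string
      ## The access scope for the policy i.e. cluster or namespace
      access_scope = object({
        ## The namespaces to apply the policy to (only meaningful for a namespace scope)
        namespaces = optional(list(string), [])
        ## The type of access scope i.e. cluster or namespace
        ## NOTE(review): "cluster" is the widest scope; when type is "namespace" EKS
        ## expects a non-empty namespaces list — confirm the module validates this.
        type = optional(string, "cluster")
      })
    })))
  }))
  default = null
}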
## Amazon Managed Service for Prometheus integration.
variable "aws_prometheus" {
  type = object({
    ## Whether to enable the managed Prometheus integration
    enable = optional(bool, false)
    ## Workspace ARNs the identity is granted access to.
    ## The default wildcard matches every workspace in every account and region of the
    ## partition; narrow it to the workspaces actually in use where possible.
    workspaces = optional(list(string), ["arn:aws:prometheus:*:*:workspace/*"])
    ## Kubernetes service account that receives the permissions
    service_account = optional(string, "prometheus")
    ## Namespace of that service account
    namespace = optional(string, "prometheus")
  })
  description = "The AWS Prometheus configuration"
  default     = {}
}
## EBS CSI driver add-on settings.
variable "ebs_csi_driver" {
  type = object({
    ## Whether to install the EBS CSI driver
    enable = optional(bool, false)
    ## KMS key ARNs the driver may use for encrypted volumes (empty list: no key grants)
    kms_key_arns = optional(list(string), [])
    ## Add-on version to install
    version = optional(string, "v1.51.0-eksbuild.1")
    ## Service account used by the driver controller
    service_account = optional(string, "ebs-csi-controller-sa")
    ## Namespace of that service account
    namespace = optional(string, "kube-system")
  })
  description = "The EBS CSI driver configuration"
  default     = {}
}
## Upstream registries to front with a pull-through cache.
variable "registries" {
  type = map(object({
    ## Registry name
    name = string
    ## Registry URL
    url = string
    ## ARN of an existing secret holding the registry credentials (optional)
    credentials_arn = optional(string, null)
    ## Inline credentials (optional). Values given here are written to Terraform state
    ## like any other input; referencing an existing secret via credentials_arn avoids
    ## that where the module supports it — TODO confirm how the module consumes both.
    credentials = optional(object({
      ## Name of the Secrets Manager secret to create for these credentials
      secret_name = optional(string, null)
      ## Registry username
      username = string
      ## Registry password
      password = string
    }), null)
  }))
  description = "Provision pull-through cache for registries"
  default     = {}
}
## EFS CSI driver add-on settings.
variable "efs_csi_driver" {
  type = object({
    ## Whether to install the EFS CSI driver
    enable = optional(bool, false)
    ## Add-on version to install
    version = optional(string, "v1.6.0-eksbuild.1")
    ## Service account used by the driver controller
    service_account = optional(string, "efs-csi-controller-sa")
    ## Namespace of that service account
    namespace = optional(string, "kube-system")
  })
  description = "The EFS CSI driver configuration"
  default     = {}
}
## Generic EKS add-on definitions, keyed by a caller-chosen identifier.
variable "addons" {
  type = map(object({
    ## Add-on name as known to EKS
    name = optional(string)
    ## Install the add-on before the compute nodes are created
    before_compute = optional(bool, false)
    ## Resolve the latest available add-on version
    most_recent = optional(bool, true)
    ## Explicit add-on version (used instead of most_recent when set)
    addon_version = optional(string)
    ## Add-on configuration values
    configuration_values = optional(string)
    ## Pod identity associations to create for the add-on
    pod_identity_association = optional(list(object({
      ## IAM role ARN bound to the service account
      role_arn = string
      ## Kubernetes service account the role is bound to
      service_account = string
    })))
    ## Keep the add-on resources in the cluster when the add-on is removed
    preserve = optional(bool, true)
    ## Conflict handling at create time
    resolve_conflicts_on_create = optional(string, "OVERWRITE")
    ## Conflict handling at update time
    resolve_conflicts_on_update = optional(string, "OVERWRITE")
    ## IAM role ARN for the add-on service account (IRSA style)
    service_account_role_arn = optional(string, null)
    ## Operation timeouts for the add-on resource
    timeouts = optional(object({
      ## Create timeout
      create = optional(string, "10m")
      ## Update timeout
      update = optional(string, "10m")
      ## Delete timeout
      delete = optional(string, "10m")
    }), {})
    ## Tags applied to the add-on
    tags = optional(map(string), {})
  }))
  description = "Map of EKS addons to enable"
  default     = null
}
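## EKS Pod Identity roles to create, keyed by a caller-chosen identifier.
variable "pod_identity" {
  description = "The pod identity configuration"
  type = map(object({
    ## Indicates if we should create the pod identity
    enabled = optional(bool, true)
    ## Description of the IAM role
    description = optional(string, null)
    ## The service account the role is associated with
    service_account = optional(string, null)
    ## The managed policy ARNs to attach to the pod identity role
    managed_policy_arns = optional(map(string), {})
    ## The permissions boundary ARN to apply to the pod identity role
    permissions_boundary_arn = optional(string, null)
    ## The namespace of the service account
    namespace = optional(string, null)
    ## The name of the pod identity role
    name = optional(string, null)
    ## Additional inline policy statements for the pod identity role
    policy_statements = optional(list(object({
      ## The statement ID
      sid = optional(string, null)
      ## The actions the statement covers
      actions = optional(list(string), [])
      ## The resources the statement covers
      resources = optional(list(string), [])
      ## The statement effect: "Allow" or "Deny" (null leaves it to the module default)
      effect = optional(string, null)
    })), [])
  }))
  default = {}

  ## IAM only accepts Allow/Deny as an effect; reject anything else at plan time rather
  ## than at apply time. The conditional keeps contains() from being evaluated on null.
  validation {
    condition = alltrue(flatten([
      for identity in var.pod_identity : [
        for statement in identity.policy_statements :
        statement.effect == null ? true : contains(["Allow", "Deny"], statement.effect)
      ]
    ]))
    error_message = "pod_identity policy_statements[*].effect must be \"Allow\" or \"Deny\" when set."
  }
}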
## Terranetes (Terraform-in-cluster) platform settings.
variable "terranetes" {
  type = object({
    ## Whether to deploy the Terranetes platform
    enable = optional(bool, false)
    ## Namespace the platform runs in
    namespace = optional(string, "terraform-system")
    ## Service account of the Terraform executor
    service_account = optional(string, "terranetes-executor")
    ## Permissions boundary applied to the executor role
    permissions_boundary_arn = optional(string, null)
    ## Managed policies attached to the executor role.
    ## The default is AdministratorAccess, i.e. anything that can drive the executor
    ## (a Configuration CR in-cluster) can act as an account administrator; replace this
    ## with a least-privilege policy set and/or a permissions boundary in production.
    managed_policy_arns = optional(map(string), {
      "AdministratorAccess" = "arn:aws:iam::aws:policy/AdministratorAccess"
    })
  })
  description = "The Terranetes platform configuration"
  default     = {}
}
## ExternalDNS settings.
variable "external_dns" {
  type = object({
    ## Whether to deploy ExternalDNS
    enable = optional(bool, false)
    ## Namespace ExternalDNS runs in
    namespace = optional(string, "external-dns")
    ## Service account ExternalDNS runs as
    service_account = optional(string, "external-dns")
    ## Route53 hosted zone ARNs the identity may manage records in.
    ## The default covers every hosted zone in the account; list specific zones to
    ## stop a compromised controller rewriting records in unrelated zones.
    hosted_zone_arns = optional(list(string), ["arn:aws:route53:::hostedzone/*"])
  })
  description = "The External DNS configuration"
  default     = {}
}
## External Secrets Operator settings.
variable "external_secrets" {
  type = object({
    ## Whether to deploy External Secrets
    enable = optional(bool, false)
    ## Namespace the operator runs in
    namespace = optional(string, "external-secrets")
    ## Service account the operator runs as
    service_account = optional(string, "external-secrets")
    ## Secrets Manager secret ARNs the operator may read.
    ## NOTE(review): the default has empty region and account fields; a real Secrets
    ## Manager ARN carries both, so confirm the module expands this pattern before it is
    ## used as an IAM resource, otherwise the statement may match nothing.
    secrets_manager_arns = optional(list(string), ["arn:aws:secretsmanager:::secret/*"])
    ## SSM parameter ARNs the operator may read (same region/account caveat as above).
    ssm_parameter_arns = optional(list(string), ["arn:aws:ssm:::parameter/eks/*"])
  })
  description = "The External Secrets configuration"
  default     = {}
}
## AWS Controllers for Kubernetes (ACK) — EKS controller settings.
## Note that this controller is enabled by default.
variable "aws_eks_ack" {
  type = object({
    ## Whether to deploy the EKS ACK controller (on by default)
    enable = optional(bool, true)
    ## Namespace the controller runs in
    namespace = optional(string, "ack-system")
    ## Service account the controller runs as
    service_account = optional(string, "ack-eks-controller")
    ## Managed policies attached to the controller role (none by default)
    managed_policy_arns = optional(map(string), {})
  })
  description = "The AWS EKS ACK Controller configuration"
  default     = {}
}
## AWS Controllers for Kubernetes (ACK) — IAM controller settings.
## Enabled by default with IAMFullAccess attached, so out of the box the cluster hosts a
## workload that can create and modify IAM roles and policies. Presumably anyone allowed
## to create ACK IAM resources in-cluster can then reach that capability; restrict who
## can do so with RBAC and narrow managed_policy_arns where full IAM access is not needed.
variable "aws_ack_iam" {
  type = object({
    ## Whether to deploy the IAM ACK controller (on by default)
    enable = optional(bool, true)
    ## Namespace the controller runs in
    namespace = optional(string, "ack-system")
    ## Service account the controller runs as
    service_account = optional(string, "ack-iam-controller")
    ## Managed policies attached to the controller role
    managed_policy_arns = optional(map(string), {
      "admin" = "arn:aws:iam::aws:policy/IAMFullAccess"
    })
  })
  description = "The AWS ACK IAM configuration"
  default     = {}
}
## CloudWatch Observability add-on settings.
variable "cloudwatch_observability" {
  type = object({
    ## Whether to deploy CloudWatch Observability
    enable = optional(bool, false)
    ## Namespace the agent runs in
    namespace = optional(string, "cloudwatch-observability")
    ## Service account the agent runs as
    service_account = optional(string, "cloudwatch-observability")
  })
  description = "The CloudWatch Observability configuration"
  default     = {}
}
## Kubecost agent settings (the agent ships metrics to a federated bucket).
variable "kubecosts_agent" {
  type = object({
    ## Whether to deploy the Kubecost agent
    enable = optional(bool, false)
    ## Namespace the agent runs in
    namespace = optional(string, "kubecost")
    ## Service account the agent runs as
    service_account = optional(string, "kubecost-agent")
    ## ARN of the federated S3 bucket the agent writes to (required when the object is set)
    federated_bucket_arn = string
  })
  description = "The Kubecost Agent configuration"
  default     = null
}
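## Kubecost (primary / federated-primary) settings.
variable "kubecosts" {
  description = "The Kubecost configuration"
  type = object({
    ## Indicates if we should enable the Kubecost platform
    enable = optional(bool, false)
    ## The namespace to deploy the Kubecost platform to
    namespace = optional(string, "kubecost")
    ## The service account to deploy the Kubecost platform to
    service_account = optional(string, "kubecost")
    ## Federated storage configuration
    federated_storage = optional(object({
      ## Indicates if we should create the federated bucket
      create_bucket = optional(bool, false)
      ## KMS key ARN to use for the federated bucket
      kms_key_arn = optional(string, null)
      ## The ARN of the federated bucket to use for the Kubecost platform
      federated_bucket_arn = optional(string, null)
      ## List of principals allowed to write to the federated bucket.
      ## These end up in the bucket policy, so keep the list to the agent roles only.
      allowed_principals = optional(list(string), [])
    }), {})
    ## Cloud Costs feature
    cloud_costs = optional(object({
      ## Indicates if we should enable cloud costs via Athena
      enable = optional(bool, false)
      ## The ARN of the S3 bucket for Cost and Usage Report (CUR) data
      cur_bucket_arn = optional(string, null)
      ## The ARN of the S3 bucket for Athena query results
      athena_bucket_arn = optional(string, null)
      ## The name of the Athena database for CUR data
      athena_database_name = optional(string, null)
      ## The name of the Athena table for CUR data
      athena_table_name = optional(string, null)
    }), {})
  })
  default = null
}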
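## Name of the EKS cluster (required).
variable "cluster_name" {
  description = "Name of the Kubernetes cluster"
  type        = string
}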
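## Control-plane log types shipped to CloudWatch. "audit" and "authenticator" are the
## ones detection and incident response rely on; the default keeps all five enabled.
variable "cluster_enabled_log_types" {
  description = "List of log types to enable for the EKS cluster."
  type        = list(string)
  default     = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  ## Catch typos at plan time; EKS only accepts these five values.
  validation {
    condition = alltrue([
      for t in var.cluster_enabled_log_types :
      contains(["api", "audit", "authenticator", "controllerManager", "scheduler"], t)
    ])
    error_message = "cluster_enabled_log_types may only contain: api, audit, authenticator, controllerManager, scheduler."
  }
}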
## Create a dedicated KMS key for the cluster (secrets encryption) — on by default.
variable "create_kms_key" {
  type        = bool
  default     = true
  description = "Whether to create a KMS key for the EKS cluster."
}
## Expose the API server endpoint publicly — off by default. When turned on, review
## endpoint_public_access_cidrs, whose default allows every source address.
variable "enable_public_access" {
  type        = bool
  default     = false
  description = "Whether to enable public access to the EKS API server endpoint."
}
## Expose the API server endpoint inside the VPC — on by default.
variable "enable_private_access" {
  type        = bool
  default     = true
  description = "Whether to enable private access to the EKS API server endpoint."
}
## Grant the creating identity cluster-admin via EKS access entries. Off by default, so
## the principal running Terraform must be covered by access_entries instead.
variable "enable_cluster_creator_admin_permissions" {
  type        = bool
  default     = false
  description = "Whether to enable cluster creator admin permissions (else create access entries for the cluster creator)"
}
## Create the OIDC provider for IAM Roles for Service Accounts — on by default.
variable "enable_irsa" {
  type        = bool
  default     = true
  description = "Whether to enable IRSA for the EKS cluster."
}
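## Source ranges allowed to reach the public API endpoint. Only relevant when
## enable_public_access is true; the default is the whole internet, so pair public
## access with an explicit allow-list of office/CI egress ranges.
variable "endpoint_public_access_cidrs" {
  description = "List of CIDR blocks which can access the Amazon EKS API server endpoint."
  type        = list(string)
  default     = ["0.0.0.0/0"]

  ## Reject malformed prefixes at plan time instead of at apply time.
  validation {
    condition     = alltrue([for c in var.endpoint_public_access_cidrs : can(cidrhost(c, 0))])
    error_message = "endpoint_public_access_cidrs must contain valid CIDR blocks (e.g. 203.0.113.0/24)."
  }
}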
## Extra rules for the cluster security group. Typed as `any`, so Terraform performs no
## schema validation on the rule objects — mistakes surface only at apply time.
variable "security_group_additional_rules" {
  type        = any
  default     = {}
  description = "List of additional security group rules to add to the cluster security group created"
}
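## Kubernetes minor version for the control plane, in "major.minor" form.
variable "kubernetes_version" {
  description = "Kubernetes version for the EKS cluster"
  type        = string
  default     = "1.34"

  ## EKS expects "<major>.<minor>"; anything else fails late at apply time.
  validation {
    condition     = can(regex("^[0-9]+\\.[0-9]+$", var.kubernetes_version))
    error_message = "kubernetes_version must be of the form <major>.<minor>, e.g. 1.34."
  }
}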
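## Built-in EKS Auto Mode node pools to enable.
variable "node_pools" {
  description = "Collection of nodepools to create via auto-mode karpenter"
  type        = list(string)
  default     = ["system"]
}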
## Principals granted administrative rights on the cluster KMS key.
variable "kms_key_administrators" {
  type        = list(string)
  default     = []
  description = "A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available."
}
## Principals granted encrypt/decrypt usage of the cluster KMS key.
variable "kms_key_users" {
  type        = list(string)
  default     = []
  description = "A list of IAM ARNs for EKS key users."
}
## Principals granted service-style usage (e.g. grants for AWS services) of the cluster KMS key.
variable "kms_key_service_users" {
  type        = list(string)
  default     = []
  description = "A list of IAM ARNs for EKS key service users."
}
## Extra rules for the node security group. Typed as `any`, so the rule objects are not
## schema-checked by Terraform.
variable "node_security_group_additional_rules" {
  type        = any
  default     = {}
  description = "List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source."
}
## Tags propagated to every resource the module creates (required).
variable "tags" {
  type        = map(string)
  description = "Tags to apply to all resources"
}
## Existing private subnets the cluster and nodes are placed in (required).
variable "private_subnet_ids" {
  type        = list(string)
  description = "List of private subnet IDs, if you want to use existing subnets"
}
## VPC hosting the cluster (required).
variable "vpc_id" {
  type        = string
  description = "ID of the VPC where the EKS cluster will be created"
}
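## cert-manager settings.
variable "cert_manager" {
  description = "The cert-manager configuration"
  type = object({
    ## Indicates if we should enable the cert-manager platform
    enable = optional(bool, false)
    ## The namespace to deploy the cert-manager platform to
    namespace = optional(string, "cert-manager")
    ## The service account to deploy the cert-manager platform to
    service_account = optional(string, "cert-manager")
    ## Route53 hosted zone ARNs cert-manager may write DNS-01 challenge records to.
    ## The default covers every hosted zone in the account; prefer listing the zones
    ## certificates are actually issued for.
    hosted_zone_arns = optional(list(string), ["arn:aws:route53:::hostedzone/*"])
  })
  default = {}
}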
## ArgoCD settings.
variable "argocd" {
  type = object({
    ## Whether to deploy ArgoCD
    enable = optional(bool, false)
    ## Namespace ArgoCD runs in
    namespace = optional(string, "argocd")
    ## Service account ArgoCD runs as
    service_account = optional(string, "argocd")
  })
  description = "The ArgoCD configuration"
  default     = {}
}
## Name pattern of the cross-account roles the ArgoCD pod identity may assume. The
## trailing `*` matches any role whose name starts with the prefix, presumably in an
## sts:AssumeRole resource — confirm against the policy the module renders, and keep the
## prefix specific so unrelated roles cannot be assumed.
variable "hub_account_roles_prefix" {
  type        = string
  default     = "argocd-cross-account-*"
  description = "The prefix of the roles we are permitted to assume via the argocd pod identity"
}
## NOTE(review): despite the description reading like a boolean, this is a string whose
## default looks like a role name; it is presumably the name of the cross-account role
## created for the hub — confirm how the module uses it.
variable "hub_account_role" {
  type        = string
  default     = "argocd-pod-identity-hub"
  description = "Indicates we should create a cross account role for the hub to assume"
}
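## AWS account ID of the ArgoCD hub; null means no hub trust is configured. This value
## presumably ends up in a role trust policy, so a typo would trust the wrong account.
variable "hub_account_id" {
  description = "The AWS account ID of the hub account"
  type        = string
  default     = null

  ## Account IDs are exactly 12 digits; can() turns the null-argument error into false,
  ## and the explicit null check accepts the unset case.
  validation {
    condition     = var.hub_account_id == null || can(regex("^[0-9]{12}$", var.hub_account_id))
    error_message = "hub_account_id must be a 12-digit AWS account ID when set."
  }
}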