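variable "role_name" {
  description = "Name for the GitHub deployer IAM role."
  type        = string
  default     = "lambdacron-template-github-deployer"

  # IAM role names are limited to 64 characters from [\w+=,.@-]; reject
  # anything else at plan time instead of failing on the CreateRole call.
  validation {
    condition     = can(regex("^[\\w+=,.@-]{1,64}$", var.role_name))
    error_message = "role_name must be 1-64 characters from the set [A-Za-z0-9_+=,.@-]."
  }
}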
variable "role_description" {
  # Free-text description shown on the IAM role; has no effect on what the
  # role is allowed to do.
  type        = string
  description = "Description for the GitHub deployer IAM role."
  default     = "Role assumed by GitHub Actions in a separate deployment repository to deploy infrastructure built from the lambdacron template."
}
variable "max_session_duration" {
  # Upper bound on how long an assumed-role session may live. The default of
  # one hour is the shortest value IAM accepts for MaxSessionDuration; keep it
  # low unless a deployment genuinely runs longer.
  type        = number
  description = "Maximum assumed-role session duration in seconds."
  default     = 3600

  # IAM accepts MaxSessionDuration between 1 hour and 12 hours.
  validation {
    condition     = var.max_session_duration <= 43200 && var.max_session_duration >= 3600
    error_message = "max_session_duration must be between 3600 and 43200 seconds."
  }
}
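variable "github_oidc_provider_arn" {
  description = "ARN for the IAM OIDC provider backing token.actions.githubusercontent.com."
  type        = string
  default     = null
  nullable    = true

  # When a provider ARN is supplied, require it to be an IAM OIDC provider for
  # the GitHub Actions issuer. This provider presumably becomes the federated
  # principal of the role's trust policy, so a provider for any other issuer
  # would let non-GitHub tokens assume the deployer role.
  validation {
    condition = var.github_oidc_provider_arn == null || can(regex(
      "^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:oidc-provider/token\\.actions\\.githubusercontent\\.com$",
      var.github_oidc_provider_arn
    ))
    error_message = "github_oidc_provider_arn must be an IAM OIDC provider ARN for token.actions.githubusercontent.com."
  }
}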
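variable "github_repository" {
  description = "GitHub repository in owner/repo form for the separate deployment repository that will use this bootstrap module."
  type        = string

  # Restrict owner and repository to the characters GitHub allows in names.
  # This also rejects the IAM condition wildcards "*" and "?": if this value is
  # interpolated into the trust policy's sub-claim match (presumably the case,
  # since only this repository should be able to assume the role), a wildcard
  # would widen that match to other repositories.
  validation {
    condition     = can(regex("^[A-Za-z0-9-]+/[A-Za-z0-9._-]+$", var.github_repository))
    error_message = "github_repository must be in owner/repo format using only letters, digits, '.', '_' and '-'."
  }
}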
variable "github_ref" {
  # Full Git ref (e.g. refs/heads/main or refs/tags/v1) that is allowed to
  # assume the deploy role. The value is used as given, so keep it to one
  # specific ref rather than a pattern.
  type        = string
  description = "Git ref that may assume the deploy role."
  default     = "refs/heads/main"

  # Only fully-qualified refs are accepted; bare branch names are rejected.
  validation {
    condition     = can(regex("^refs/", var.github_ref))
    error_message = "github_ref must start with refs/."
  }
}
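variable "github_workflow_filename" {
  description = "Workflow filename under .github/workflows/ in the separate deployment repository that may assume the deploy role."
  type        = string
  default     = "deploy.yaml"

  # Must be a bare file name (no path separators), non-empty, and carry one of
  # the two extensions GitHub Actions recognises for workflow files; anything
  # else could never identify a workflow that GitHub actually runs.
  validation {
    condition = (
      length(trimspace(var.github_workflow_filename)) > 0
      && !strcontains(var.github_workflow_filename, "/")
      && (endswith(var.github_workflow_filename, ".yml") || endswith(var.github_workflow_filename, ".yaml"))
    )
    error_message = "github_workflow_filename must be a .yml or .yaml file name, not a path."
  }
}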
variable "github_audience" {
  # The "aud" claim the GitHub-issued token must carry. sts.amazonaws.com is
  # the audience the AWS credentials action requests by default; change it
  # only if the workflow requests a different one explicitly.
  type        = string
  description = "OIDC audience expected in GitHub-issued tokens."
  default     = "sts.amazonaws.com"
}
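variable "github_actions_secrets" {
  description = "Sensitive map of additional GitHub Actions secrets to create, keyed by secret name."
  type        = map(string)
  sensitive   = true
  default     = {}

  # Keep the secret names this module presumably manages itself out of the
  # caller-supplied map, so two resources never contend for the same secret.
  # GitHub secret names are case-insensitive, so the comparison is done on the
  # upper-cased key rather than as an exact match.
  validation {
    condition = alltrue([
      for key in keys(var.github_actions_secrets) :
      !contains(["AWS_DEPLOY_ROLE_ARN", "TF_STATE_BUCKET", "TF_STATE_TABLE"], upper(key))
    ])
    error_message = "github_actions_secrets cannot manage AWS_DEPLOY_ROLE_ARN, TF_STATE_BUCKET, or TF_STATE_TABLE."
  }

  # GitHub only accepts names made of letters, digits and underscores that do
  # not start with a digit, and reserves the GITHUB_ prefix; fail at plan time
  # instead of at apply.
  validation {
    condition = alltrue([
      for key in keys(var.github_actions_secrets) :
      can(regex("^[A-Za-z_][A-Za-z0-9_]*$", key)) && !startswith(upper(key), "GITHUB_")
    ])
    error_message = "github_actions_secrets keys must match [A-Za-z_][A-Za-z0-9_]* and must not start with GITHUB_."
  }
}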
variable "extra_permission_sets" {
  # Names of additional permission sets to grant on top of the ones the
  # template always requires. Declared as a set, so duplicates collapse and
  # ordering is irrelevant.
  type        = set(string)
  description = "Optional extra permission sets to union with the required template permission sets."
  default     = []
}
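variable "additional_policy_arns" {
  description = "Additional pre-existing managed policy ARNs to attach to the role."
  type        = list(string)
  default     = []

  # Accept only IAM managed-policy ARNs (AWS-managed under the "aws" account
  # alias, or customer-managed under a 12-digit account id); anything else
  # would fail at attach time with a less helpful error. Duplicates are
  # rejected as well, since attaching the same policy twice is never intended.
  validation {
    condition = alltrue([
      for arn in var.additional_policy_arns :
      can(regex("^arn:aws[a-zA-Z-]*:iam::(aws|[0-9]{12}):policy/.+$", arn))
    ]) && length(distinct(var.additional_policy_arns)) == length(var.additional_policy_arns)
    error_message = "additional_policy_arns must contain unique IAM managed policy ARNs of the form arn:aws:iam::<account-id-or-aws>:policy/<name>."
  }
}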
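variable "allowed_resource_name_prefixes" {
  description = "Allowed resource name prefixes for deployer-managed resources. Set this to the application-specific naming prefixes used by the downstream deployment repository."
  type        = set(string)

  # Require at least one real prefix and reject the IAM policy wildcard
  # characters "*" and "?". Assuming these prefixes end up in resource ARN
  # patterns of the deployer's policies (as the description implies), a prefix
  # such as "*" would scope the deployer to every resource in the account
  # rather than to the application's own.
  validation {
    condition = length(var.allowed_resource_name_prefixes) > 0 && alltrue([
      for prefix in var.allowed_resource_name_prefixes :
      length(trimspace(prefix)) > 0 && !strcontains(prefix, "*") && !strcontains(prefix, "?")
    ])
    error_message = "allowed_resource_name_prefixes must contain at least one non-empty prefix, and prefixes may not contain the IAM wildcards * or ?."
  }
}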
variable "tags" {
  # Key/value tags stamped on every IAM resource this module creates; empty
  # by default so callers opt in to their own tagging scheme.
  type        = map(string)
  description = "Tags applied to created IAM resources."
  default     = {}
}