# Input variables for a Vault configuration module.
#
# Every backend/role variable is a map keyed by a caller-chosen identifier so
# that several mounts of the same kind can be declared at once; each map
# defaults to empty, so nothing is created unless the caller opts in.
# Field defaults below are the module's own defaults, not Vault's — the
# NOTE(review) comments flag the ones whose value is weaker or broader than
# what Vault itself would apply if the field were left unset.

variable "country" {
  description = "Country identifier"
  type        = string
}

variable "region" {
  description = "Region identifier"
  type        = string
}

# AppRole auth method mounts. Lease TTLs are Vault duration strings.
variable "auth_approle_backend" {
  description = "Map of AppRole auth backends to create"
  type = map(object({
    listing_visibility = optional(string)
    default_lease_ttl  = optional(string)
    max_lease_ttl      = optional(string)
  }))
  default = {}
}

# AppRole roles; `mount_path` names the backend (from auth_approle_backend) the
# role is created under.
variable "auth_approle_role" {
  description = "Map of AppRole roles to create"
  type = map(object({
    approle_name  = string
    mount_path    = string
    token_ttl     = optional(number)
    token_max_ttl = optional(number)
    # NOTE(review): when false, login requires only the role_id (no secret_id).
    # Vault's server-side default for this flag is true; confirm every role that
    # relies on this default is meant to authenticate without a secret_id.
    bind_secret_id = optional(bool, false)
    secret_id_ttl  = optional(number)
    # Empty list = no source-CIDR restriction on issued tokens.
    token_bound_cidrs         = optional(list(string), [])
    alias_metadata            = optional(map(string))
    use_deterministic_role_id = optional(bool, true)
  }))
  default = {}
}

# LDAP auth method mounts. Only directory-layout settings are declared here;
# connection/TLS settings for the backend are not part of this schema and are
# presumably fixed elsewhere in the module — verify before relying on them.
variable "auth_ldap_backend" {
  description = "Map of LDAP auth backends to create"
  type = map(object({
    userdn             = string
    userattr           = optional(string, "uid")
    upndomain          = optional(string)
    discoverdn         = optional(bool, false)
    groupdn            = optional(string)
    groupfilter        = optional(string)
    groupattr          = optional(string, "cn")
    alias_metadata     = optional(map(string))
    username_as_alias  = optional(bool, true)
    listing_visibility = optional(string)
    default_lease_ttl  = optional(string)
    max_lease_ttl      = optional(string)
  }))
  default = {}
}

# LDAP group -> backend bindings; `backend` is a key of auth_ldap_backend.
variable "auth_ldap_group" {
  description = "Map of LDAP groups to create"
  type = map(object({
    groupname = string
    backend   = string
  }))
  default = {}
}

# Kubernetes auth method mounts.
variable "auth_kubernetes_backend" {
  description = "Map of Kubernetes auth backends to create"
  type = map(object({
    kubernetes_host = string
    # NOTE(review): disables JWT issuer validation by default. Recent Vault
    # releases deprecate this field; confirm it is still required for the
    # target Vault version.
    disable_iss_validation            = optional(bool, true)
    use_annotations_as_alias_metadata = optional(bool, true)
    listing_visibility                = optional(string)
    default_lease_ttl                 = optional(string)
    max_lease_ttl                     = optional(string)
  }))
  default = {}
}

# Kubernetes auth roles; `backend` is a key of auth_kubernetes_backend.
# The bound service-account name/namespace lists are required (no default),
# so a role cannot accidentally be created unscoped.
variable "auth_kubernetes_role" {
  description = "Map of Kubernetes auth roles to create"
  type = map(object({
    role_name                        = string
    backend                          = string
    bound_service_account_names      = list(string)
    bound_service_account_namespaces = list(string)
    token_ttl                        = optional(number, 3600)
    audience                         = optional(string, "vault")
  }))
  default = {}
}

# KV secret engine mounts (KV v2 by default).
variable "kv_secret_backend" {
  description = "Map of KV secret engines to create"
  type = map(object({
    type         = optional(string, "kv-v2")
    description  = optional(string)
    version      = optional(string, "2")
    max_versions = optional(number)
  }))
  default = {}
}

# Transit secret engine mounts; TTLs are in seconds.
variable "transit_secret_backend" {
  description = "Map of Transit secret engines to create"
  type = map(object({
    description               = optional(string)
    default_lease_ttl_seconds = optional(number, 3600)
    max_lease_ttl_seconds     = optional(number, 86400)
  }))
  default = {}
}

# Transit keys; `backend` is a key of transit_secret_backend.
# The defaults keep key material non-exportable, non-deletable and not
# eligible for plaintext backup; enabling any of them widens exposure of the
# key and should be a deliberate per-key decision.
variable "transit_secret_backend_key" {
  description = "Map of Transit keys to create"
  type = map(object({
    name                   = string
    backend                = string
    type                   = optional(string, "aes256-gcm96")
    deletion_allowed       = optional(bool, false)
    derived                = optional(bool, false)
    exportable             = optional(bool, false)
    allow_plaintext_backup = optional(bool, false)
    auto_rotate_period     = optional(string)
  }))
  default = {}
}

# SSH secret engine mounts.
# 315360000 seconds is 10 years.
variable "ssh_secret_backend" {
  description = "Map of SSH secret engines to create"
  type = map(object({
    description           = optional(string)
    max_lease_ttl_seconds = optional(number, 315360000)
    generate_signing_key  = optional(bool)
    key_type              = optional(string, "ssh-rsa")
  }))
  default = {}
}

# SSH CA roles; `backend` is a key of ssh_secret_backend.
# Host and user certificate issuance are both off by default, so a role must
# explicitly enable the kind of certificate it signs.
variable "ssh_secret_backend_role" {
  description = "Map of SSH roles to create"
  type = map(object({
    name             = string
    backend          = string
    key_type         = optional(string, "ca")
    algorithm_signer = optional(string, "rsa-sha2-256")
    # NOTE(review): default certificate TTL of 315360000 s (10 years). SSH
    # certificates issued under this default are effectively permanent;
    # confirm this is intended rather than inherited from the mount's max TTL.
    ttl                     = optional(number, 315360000)
    allow_host_certificates = optional(bool, false)
    allow_user_certificates = optional(bool, false)
    allowed_domains         = optional(string)
    allow_subdomains        = optional(bool, false)
    allow_bare_domains      = optional(bool, false)
  }))
  default = {}
}

# PKI secret engine mounts that also generate an issuer (common_name and
# issuer_name are required). TTLs are in seconds; crl_expiry is a duration
# string. CRL and OCSP are enabled by default (the *_disable flags are false).
variable "pki_secret_backend" {
  description = "Map of PKI secret engines to create"
  type = map(object({
    description                   = optional(string)
    max_lease_ttl_seconds         = optional(number, 315360000)
    common_name                   = string
    issuer_name                   = string
    ttl                           = optional(number, 315360000)
    format                        = optional(string, "pem")
    issuing_certificates          = optional(list(string), [])
    crl_distribution_points       = optional(list(string), [])
    ocsp_servers                  = optional(list(string), [])
    enable_templating             = optional(bool, false)
    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    crl_expiry                    = optional(string, "72h")
    crl_disable                   = optional(bool, false)
    ocsp_disable                  = optional(bool, false)
    auto_rebuild                  = optional(bool, false)
    enable_delta                  = optional(bool, false)
    delta_rebuild_interval        = optional(string)
  }))
  default = {}
}

# PKI roles; `backend` is a key of pki_secret_backend or pki_mount_only.
# With every allow_* flag false and allowed_domains empty, a role issues
# nothing until the caller opts in to a name policy.
variable "pki_secret_backend_role" {
  description = "Map of PKI roles to create"
  type = map(object({
    name               = string
    backend            = string
    allow_ip_sans      = optional(bool, false)
    allowed_domains    = optional(list(string), [])
    allow_subdomains   = optional(bool, false)
    allow_glob_domains = optional(bool, false)
    allow_bare_domains = optional(bool, false)
    # NOTE(review): hostname enforcement is off by default here; Vault's own
    # default for enforce_hostnames is true. Confirm roles that leave this
    # unset are meant to accept non-hostname common names.
    enforce_hostnames   = optional(bool, false)
    allow_any_name      = optional(bool, false)
    max_ttl             = optional(number)
    key_bits            = optional(number, 4096)
    country             = optional(list(string), [])
    use_csr_common_name = optional(bool, false)
    use_csr_sans        = optional(bool, false)
  }))
  default = {}
}

# PKI mounts created without generating a certificate (e.g. to import an
# existing issuer); `issuer_ref` selects the issuer the mount's URLs/CRL
# settings apply to.
variable "pki_mount_only" {
  description = "Map of PKI mounts to create (without certificate generation)"
  type = map(object({
    description                   = optional(string)
    max_lease_ttl_seconds         = optional(number, 315360000)
    issuer_ref                    = optional(string, "default")
    issuing_certificates          = optional(list(string), [])
    crl_distribution_points       = optional(list(string), [])
    ocsp_servers                  = optional(list(string), [])
    enable_templating             = optional(bool, false)
    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    crl_expiry                    = optional(string, "72h")
    crl_disable                   = optional(bool, false)
    ocsp_disable                  = optional(bool, false)
    auto_rebuild                  = optional(bool, false)
    enable_delta                  = optional(bool, false)
    delta_rebuild_interval        = optional(string)
  }))
  default = {}
}

# Consul secret engine mounts.
# NOTE(review): `client_key` carries private-key material and `ca_cert` /
# `client_cert` trust material, but this variable is not marked
# `sensitive = true`, so values will appear unredacted in plan output and
# state-diff logs. Consider marking the variable sensitive (check any outputs
# that derive from it first) or sourcing the key from a secret store.
variable "consul_secret_backend" {
  description = "Map of Consul secret engines to create"
  type = map(object({
    description               = optional(string)
    address                   = string
    bootstrap                 = optional(bool, false)
    scheme                    = optional(string, "https")
    ca_cert                   = optional(string)
    client_cert               = optional(string)
    client_key                = optional(string)
    default_lease_ttl_seconds = optional(number)
    max_lease_ttl_seconds     = optional(number)
  }))
  default = {}
}

# Consul roles; `backend` is a key of consul_secret_backend. `consul_roles`
# defaults to empty, so a role grants nothing unless populated.
variable "consul_secret_backend_role" {
  description = "Map of Consul roles to create"
  type = map(object({
    name         = string
    backend      = string
    consul_roles = optional(list(string), [])
    ttl          = optional(number)
    max_ttl      = optional(number)
    local        = optional(bool, false)
  }))
  default = {}
}

# Kubernetes secret engine mounts (Vault issues short-lived service-account
# tokens); default lease is 10 minutes, max 24 hours.
variable "kubernetes_secret_backend" {
  description = "Map of Kubernetes secret engines to create"
  type = map(object({
    description               = optional(string)
    default_lease_ttl_seconds = optional(number, 600)
    max_lease_ttl_seconds     = optional(number, 86400)
    kubernetes_host           = string
    disable_local_ca_jwt      = optional(bool, false)
  }))
  default = {}
}

# Kubernetes secret engine roles; `backend` is a key of kubernetes_secret_backend.
variable "kubernetes_secret_backend_role" {
  description = "Map of Kubernetes secret backend roles to create"
  type = map(object({
    name    = string
    backend = string
    # NOTE(review): "*" lets the role mint credentials in every namespace of
    # the cluster. Prefer an explicit namespace list per role unless
    # cluster-wide scope is the intent.
    allowed_kubernetes_namespaces = optional(list(string), ["*"])
    kubernetes_role_type          = optional(string, "Role")
    extra_labels                  = optional(map(string), {})
  }))
  default = {}
}

# Which policies each auth role receives: auth mount -> role name -> list of
# policy names (the names must exist as keys of policy_rules_map or elsewhere
# in Vault).
variable "policy_auth_map" {
  description = "Map of auth mounts -> auth roles -> policy names"
  type        = map(map(list(string)))
  default     = {}
}

# Policy bodies: policy name -> list of { path, capabilities } rules, i.e. one
# entry per `path` stanza of the rendered Vault policy.
variable "policy_rules_map" {
  description = "Map of policy names to their rules"
  type = map(list(object({
    path         = string
    capabilities = list(string)
  })))
  default = {}
}