Ben Vincent
66119e5207
All checks were successful
ci/woodpecker/pr/pre-commit Pipeline was successful
- add a ci workflow to verify pre-commit passes - fix pre-commit errors/warnings: - missing required_version - missing required_providers - fixed terraform_deprecated_interpolation - removed terraform_unused_declarations
307 lines
10 KiB
HCL
307 lines
10 KiB
HCL
variable "country" {
|
|
description = "Country identifier"
|
|
type = string
|
|
}
|
|
|
|
variable "region" {
|
|
description = "Region identifier"
|
|
type = string
|
|
}
|
|
|
|
variable "auth_approle_backend" {
|
|
description = "Map of AppRole auth backends to create"
|
|
type = map(object({
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_approle_role" {
|
|
description = "Map of AppRole roles to create"
|
|
type = map(object({
|
|
approle_name = string
|
|
mount_path = string
|
|
token_ttl = optional(number)
|
|
token_max_ttl = optional(number)
|
|
bind_secret_id = optional(bool, false)
|
|
secret_id_ttl = optional(number)
|
|
token_bound_cidrs = optional(list(string), [])
|
|
alias_metadata = optional(map(string))
|
|
use_deterministic_role_id = optional(bool, true)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_ldap_backend" {
|
|
description = "Map of LDAP auth backends to create"
|
|
type = map(object({
|
|
userdn = string
|
|
userattr = optional(string, "uid")
|
|
upndomain = optional(string)
|
|
discoverdn = optional(bool, false)
|
|
groupdn = optional(string)
|
|
groupfilter = optional(string)
|
|
groupattr = optional(string, "cn")
|
|
alias_metadata = optional(map(string))
|
|
username_as_alias = optional(bool, true)
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_ldap_group" {
|
|
description = "Map of LDAP groups to create"
|
|
type = map(object({
|
|
groupname = string
|
|
backend = string
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_kubernetes_backend" {
|
|
description = "Map of Kubernetes auth backends to create"
|
|
type = map(object({
|
|
kubernetes_host = string
|
|
disable_iss_validation = optional(bool, true)
|
|
use_annotations_as_alias_metadata = optional(bool, true)
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_kubernetes_role" {
|
|
description = "Map of Kubernetes auth roles to create"
|
|
type = map(object({
|
|
role_name = string
|
|
backend = string
|
|
bound_service_account_names = list(string)
|
|
bound_service_account_namespaces = list(string)
|
|
token_ttl = optional(number, 3600)
|
|
token_max_ttl = optional(number, 86400)
|
|
audience = optional(string, "vault")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "kv_secret_backend" {
|
|
description = "Map of KV secret engines to create"
|
|
type = map(object({
|
|
type = optional(string, "kv-v2")
|
|
description = optional(string)
|
|
version = optional(string, "2")
|
|
max_versions = optional(number)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "transit_secret_backend" {
|
|
description = "Map of Transit secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
default_lease_ttl_seconds = optional(number, 3600)
|
|
max_lease_ttl_seconds = optional(number, 86400)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "transit_secret_backend_key" {
|
|
description = "Map of Transit keys to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
type = optional(string, "aes256-gcm96")
|
|
deletion_allowed = optional(bool, false)
|
|
derived = optional(bool, false)
|
|
exportable = optional(bool, false)
|
|
allow_plaintext_backup = optional(bool, false)
|
|
auto_rotate_period = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "ssh_secret_backend" {
|
|
description = "Map of SSH secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
generate_signing_key = optional(bool)
|
|
key_type = optional(string, "ssh-rsa")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "ssh_secret_backend_role" {
|
|
description = "Map of SSH roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
key_type = optional(string, "ca")
|
|
algorithm_signer = optional(string, "rsa-sha2-256")
|
|
ttl = optional(number, 315360000)
|
|
allow_host_certificates = optional(bool, false)
|
|
allow_user_certificates = optional(bool, false)
|
|
allowed_domains = optional(string)
|
|
allow_subdomains = optional(bool, false)
|
|
allow_bare_domains = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_secret_backend" {
|
|
description = "Map of PKI secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
common_name = string
|
|
issuer_name = string
|
|
ttl = optional(number, 315360000)
|
|
format = optional(string, "pem")
|
|
issuing_certificates = optional(list(string), [])
|
|
crl_distribution_points = optional(list(string), [])
|
|
ocsp_servers = optional(list(string), [])
|
|
enable_templating = optional(bool, false)
|
|
default_follows_latest_issuer = optional(bool, false)
|
|
crl_expiry = optional(string, "72h")
|
|
crl_disable = optional(bool, false)
|
|
ocsp_disable = optional(bool, false)
|
|
auto_rebuild = optional(bool, false)
|
|
enable_delta = optional(bool, false)
|
|
delta_rebuild_interval = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_secret_backend_role" {
|
|
description = "Map of PKI roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
allow_ip_sans = optional(bool, false)
|
|
allowed_domains = optional(list(string), [])
|
|
allow_subdomains = optional(bool, false)
|
|
allow_glob_domains = optional(bool, false)
|
|
allow_bare_domains = optional(bool, false)
|
|
enforce_hostnames = optional(bool, false)
|
|
allow_any_name = optional(bool, false)
|
|
max_ttl = optional(number)
|
|
key_bits = optional(number, 4096)
|
|
country = optional(list(string), [])
|
|
use_csr_common_name = optional(bool, false)
|
|
use_csr_sans = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_mount_only" {
|
|
description = "Map of PKI mounts to create (without certificate generation)"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
issuing_certificates = optional(list(string), [])
|
|
crl_distribution_points = optional(list(string), [])
|
|
ocsp_servers = optional(list(string), [])
|
|
enable_templating = optional(bool, false)
|
|
default_issuer_ref = optional(string)
|
|
default_follows_latest_issuer = optional(bool, false)
|
|
crl_expiry = optional(string, "72h")
|
|
crl_disable = optional(bool, false)
|
|
ocsp_disable = optional(bool, false)
|
|
auto_rebuild = optional(bool, false)
|
|
enable_delta = optional(bool, false)
|
|
delta_rebuild_interval = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_secret_backend" {
|
|
description = "Map of Consul secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
address = string
|
|
bootstrap = optional(bool, false)
|
|
bootstrap_token = optional(string)
|
|
scheme = optional(string, "https")
|
|
ca_cert = optional(string)
|
|
client_cert = optional(string)
|
|
client_key = optional(string)
|
|
default_lease_ttl_seconds = optional(number)
|
|
max_lease_ttl_seconds = optional(number)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_secret_backend_role" {
|
|
description = "Map of Consul roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
consul_roles = optional(list(string), [])
|
|
ttl = optional(number)
|
|
max_ttl = optional(number)
|
|
local = optional(bool, false)
|
|
datacenters = optional(list(string))
|
|
description = optional(string)
|
|
service_identities = optional(list(object({
|
|
service_name = string
|
|
datacenters = optional(list(string))
|
|
})))
|
|
node_identities = optional(list(object({
|
|
node_name = string
|
|
datacenter = string
|
|
})))
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_backend_aliases" {
|
|
description = "Map of consul backend names to sanitized provider aliases"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "kubernetes_secret_backend" {
|
|
description = "Map of Kubernetes secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
default_lease_ttl_seconds = optional(number, 600)
|
|
max_lease_ttl_seconds = optional(number, 86400)
|
|
kubernetes_host = string
|
|
disable_local_ca_jwt = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "kubernetes_secret_backend_role" {
|
|
description = "Map of Kubernetes secret backend roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
allowed_kubernetes_namespaces = optional(list(string), ["*"])
|
|
kubernetes_role_type = optional(string, "Role")
|
|
extra_labels = optional(map(string), {})
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "policy_auth_map" {
|
|
description = "Map of auth mounts -> auth roles -> policy names"
|
|
type = map(map(list(string)))
|
|
default = {}
|
|
}
|
|
|
|
variable "policy_rules_map" {
|
|
description = "Map of policy names to their rules"
|
|
type = map(list(object({
|
|
path = string
|
|
capabilities = list(string)
|
|
})))
|
|
default = {}
|
|
}
|
|
|