terraform-vault/modules/vault_cluster/variables.tf
Ben Vincent 5536869a38 feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00


# Country identifier for this Vault cluster. How the value is consumed
# (naming, tagging, path prefixes) is not visible in this file.
variable "country" {
  description = "Country identifier"
  type        = string
}
# Region identifier for this Vault cluster; a required string with no
# format constraint in this module.
variable "region" {
  description = "Region identifier"
  type        = string
}
# AppRole auth mounts, keyed by mount name. All tuning attributes are
# optional; when omitted the provider/Vault defaults apply.
variable "auth_approle_backend" {
  description = "Map of AppRole auth backends to create"
  type = map(object({
    # Controls whether the mount appears in the unauthenticated sys/internal/ui/mounts listing.
    listing_visibility = optional(string)
    # Lease TTLs as Vault duration strings (e.g. "1h"); no bound is enforced here.
    default_lease_ttl = optional(string)
    max_lease_ttl     = optional(string)
  }))
  default = {}
}
# AppRole roles. The map key is only a stable address for the resource;
# approle_name is the Vault-side role name and mount_path selects the
# AppRole mount from auth_approle_backend.
variable "auth_approle_role" {
  description = "Map of AppRole roles to create"
  type = map(object({
    approle_name  = string
    mount_path    = string
    token_ttl     = optional(number)
    token_max_ttl = optional(number)
    # NOTE(review): defaults to false. Under the usual Vault semantics that
    # means a role_id alone authenticates (no secret_id required). Combined
    # with an empty token_bound_cidrs and deterministic role IDs below, every
    # hardening control is opt-in — confirm this is intended, or set
    # bind_secret_id = true per role in tfvars.
    bind_secret_id = optional(bool, false)
    secret_id_ttl  = optional(number)
    # Empty list = no source-address restriction on issued tokens.
    token_bound_cidrs = optional(list(string), [])
    alias_metadata    = optional(map(string))
    # Deterministic role IDs are reproducible across applies (convenient for
    # bootstrap); presumably derived from the role name, so treat them as
    # non-secret and rely on secret_id/CIDR binding for the actual secret.
    use_deterministic_role_id = optional(bool, true)
  }))
  default = {}
}
# LDAP auth mounts, keyed by mount name. Only directory-layout and alias
# settings are exposed here; the server URL and TLS settings (url,
# starttls, insecure_tls, certificate) are not part of this variable, so
# they must be set elsewhere in the module — confirm where.
variable "auth_ldap_backend" {
  description = "Map of LDAP auth backends to create"
  type = map(object({
    # Base DN under which users are searched.
    userdn = string
    # Attribute matched against the login name; "uid" suits POSIX-style
    # directories, AD typically needs "sAMAccountName".
    userattr   = optional(string, "uid")
    upndomain  = optional(string)
    discoverdn = optional(bool, false)
    # Group lookup is optional; without groupdn/groupfilter only direct
    # user→policy mappings apply.
    groupdn     = optional(string)
    groupfilter = optional(string)
    groupattr   = optional(string, "cn")
    alias_metadata = optional(map(string))
    # Use the login username (not the DN) as the entity alias name.
    username_as_alias  = optional(bool, true)
    listing_visibility = optional(string)
    default_lease_ttl  = optional(string)
    max_lease_ttl      = optional(string)
  }))
  default = {}
}
# LDAP group → Vault mapping entries. `backend` must name a key of
# auth_ldap_backend; the policies attached to a group come from
# policy_auth_map, not from this variable.
variable "auth_ldap_group" {
  description = "Map of LDAP groups to create"
  type = map(object({
    groupname = string
    backend   = string
  }))
  default = {}
}
# Kubernetes auth mounts, keyed by mount name. No CA certificate or
# reviewer JWT field is exposed here, so the mount presumably relies on
# Vault's local service-account credentials / the cluster CA it runs
# under — confirm for mounts pointing at a remote cluster.
variable "auth_kubernetes_backend" {
  description = "Map of Kubernetes auth backends to create"
  type = map(object({
    # API server URL the mount will call for TokenReview.
    kubernetes_host = string
    # true skips issuer validation of incoming SA JWTs. This matches Vault's
    # own default since 1.9 (the TokenReview API validates the token), so it
    # is not a weakening on its own.
    disable_iss_validation = optional(bool, true)
    # Copy pod/SA annotations into the entity alias metadata.
    use_annotations_as_alias_metadata = optional(bool, true)
    listing_visibility = optional(string)
    default_lease_ttl  = optional(string)
    max_lease_ttl      = optional(string)
  }))
  default = {}
}
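# Kubernetes auth roles. `backend` must name a key of
# auth_kubernetes_backend. The two bound_* lists are the only thing that
# limits which pods can log in to a role, so both must be non-empty and
# may not both be the wildcard "*" (Vault rejects that combination too;
# the validation surfaces it at plan time with a clearer message).
variable "auth_kubernetes_role" {
  description = "Map of Kubernetes auth roles to create"
  type = map(object({
    role_name = string
    backend   = string
    # Service accounts allowed to use this role ("*" = any).
    bound_service_account_names = list(string)
    # Namespaces allowed to use this role ("*" = any).
    bound_service_account_namespaces = list(string)
    # Seconds; 1h by default.
    token_ttl = optional(number, 3600)
    # Expected `aud` of the presented SA token.
    audience = optional(string, "vault")
  }))
  default = {}

  validation {
    condition = alltrue([
      for r in var.auth_kubernetes_role :
      length(r.bound_service_account_names) > 0 && length(r.bound_service_account_namespaces) > 0
    ])
    error_message = "Every Kubernetes auth role must bind at least one service account name and at least one namespace."
  }

  validation {
    condition = alltrue([
      for r in var.auth_kubernetes_role :
      !(contains(r.bound_service_account_names, "*") && contains(r.bound_service_account_namespaces, "*"))
    ])
    error_message = "A Kubernetes auth role may not use \"*\" for both bound_service_account_names and bound_service_account_namespaces; that would let any pod in the cluster log in."
  }
}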
# KV secret engines, keyed by mount path. `type` and `version` are given
# separately (both default to KV v2) and must agree with each other —
# nothing here enforces that.
variable "kv_secret_backend" {
  description = "Map of KV secret engines to create"
  type = map(object({
    type        = optional(string, "kv-v2")
    description = optional(string)
    version     = optional(string, "2")
    # Versions retained per key; unset = Vault default.
    max_versions = optional(number)
  }))
  default = {}
}
# Transit secret engines, keyed by mount path. Lease TTLs are in seconds
# (1h default, 24h max).
variable "transit_secret_backend" {
  description = "Map of Transit secret engines to create"
  type = map(object({
    description               = optional(string)
    default_lease_ttl_seconds = optional(number, 3600)
    max_lease_ttl_seconds     = optional(number, 86400)
  }))
  default = {}
}
# Transit keys. `backend` must name a key of transit_secret_backend. The
# defaults are the conservative ones: keys cannot be deleted, exported or
# backed up in plaintext unless a caller opts in per key.
variable "transit_secret_backend_key" {
  description = "Map of Transit keys to create"
  type = map(object({
    name    = string
    backend = string
    type    = optional(string, "aes256-gcm96")
    # Keep false unless the key is being decommissioned; Vault refuses to
    # delete a key with this unset.
    deletion_allowed = optional(bool, false)
    derived          = optional(bool, false)
    # Both of these let key material leave Vault; leave false for
    # production keys.
    exportable             = optional(bool, false)
    allow_plaintext_backup = optional(bool, false)
    # Vault duration string; unset = no automatic rotation.
    auto_rotate_period = optional(string)
  }))
  default = {}
}
# SSH secret engines, keyed by mount path.
variable "ssh_secret_backend" {
  description = "Map of SSH secret engines to create"
  type = map(object({
    description = optional(string)
    # 315360000 s = 10 years; this is the mount ceiling, individual role
    # TTLs are set in ssh_secret_backend_role.
    max_lease_ttl_seconds = optional(number, 315360000)
    # Let Vault generate the CA key pair on this mount.
    generate_signing_key = optional(bool)
    # CA key type. "ssh-rsa" is the Vault default; "ed25519" is the usual
    # modern choice if all target hosts support it.
    key_type = optional(string, "ssh-rsa")
  }))
  default = {}
}
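# SSH roles. `backend` must name a key of ssh_secret_backend. Certificate
# signing (allow_host_certificates / allow_user_certificates) is off by
# default and must be enabled per role.
#
# NOTE(review): `ttl` defaults to 315360000 s (10 years). For a role that
# signs user certificates that is effectively a permanent credential;
# consider overriding it per role in tfvars (hours for users, up to a
# year for hosts). The default is left unchanged here to avoid silently
# changing existing roles.
variable "ssh_secret_backend_role" {
  description = "Map of SSH roles to create"
  type = map(object({
    name    = string
    backend = string
    # "ca" = certificate signing, "otp" = one-time passwords.
    key_type = optional(string, "ca")
    # Signature algorithm used for CA-signed certs.
    algorithm_signer = optional(string, "rsa-sha2-256")
    # Seconds; see the note above.
    ttl                     = optional(number, 315360000)
    allow_host_certificates = optional(bool, false)
    allow_user_certificates = optional(bool, false)
    # Comma-separated domain list (a single string, unlike the PKI role).
    allowed_domains    = optional(string)
    allow_subdomains   = optional(bool, false)
    allow_bare_domains = optional(bool, false)
  }))
  default = {}

  validation {
    condition = alltrue([
      for r in var.ssh_secret_backend_role : contains(["ca", "otp"], r.key_type)
    ])
    error_message = "ssh_secret_backend_role key_type must be \"ca\" or \"otp\"."
  }
}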
# PKI mounts that also get a CA certificate generated (common_name and
# issuer_name are required). Use pki_mount_only for mounts whose issuer
# is imported or signed elsewhere.
variable "pki_secret_backend" {
  description = "Map of PKI secret engines to create"
  type = map(object({
    description = optional(string)
    # Mount ceiling in seconds (10 years by default).
    max_lease_ttl_seconds = optional(number, 315360000)
    common_name           = string
    issuer_name           = string
    # CA certificate lifetime in seconds (10 years by default).
    ttl    = optional(number, 315360000)
    format = optional(string, "pem")
    # AIA / CRL / OCSP URLs published in issued certificates. Empty lists
    # mean nothing is published, which leaves clients unable to check
    # revocation.
    issuing_certificates    = optional(list(string), [])
    crl_distribution_points = optional(list(string), [])
    ocsp_servers            = optional(list(string), [])
    enable_templating       = optional(bool, false)
    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    # CRL lifetime; presumably a Vault duration string.
    crl_expiry   = optional(string, "72h")
    crl_disable  = optional(bool, false)
    ocsp_disable = optional(bool, false)
    # Rebuild the CRL automatically before crl_expiry rather than only on
    # revocation.
    auto_rebuild           = optional(bool, false)
    enable_delta           = optional(bool, false)
    delta_rebuild_interval = optional(string)
  }))
  default = {}
}
# PKI issuing roles. `backend` must name a key of pki_secret_backend or
# pki_mount_only. All name-permission flags default to false, so a role
# with an empty allowed_domains can issue nothing until a caller opens
# something up.
variable "pki_secret_backend_role" {
  description = "Map of PKI roles to create"
  type = map(object({
    name    = string
    backend = string
    allow_ip_sans   = optional(bool, false)
    allowed_domains = optional(list(string), [])
    allow_subdomains   = optional(bool, false)
    allow_glob_domains = optional(bool, false)
    allow_bare_domains = optional(bool, false)
    # NOTE(review): Vault's own default for enforce_hostnames is true; this
    # module defaults it to false, which permits non-hostname CNs/SANs.
    # Confirm that is intentional for every role, or set it per role.
    enforce_hostnames = optional(bool, false)
    # true disables all name checks above — only for tightly controlled
    # automation roles.
    allow_any_name = optional(bool, false)
    # Seconds; unset = mount max.
    max_ttl  = optional(number)
    key_bits = optional(number, 4096)
    country  = optional(list(string), [])
    # When false the CN/SANs in a submitted CSR are ignored in favour of
    # the request parameters.
    use_csr_common_name = optional(bool, false)
    use_csr_sans        = optional(bool, false)
  }))
  default = {}
}
# PKI mounts created without generating a CA (no common_name / ttl /
# format). Intended for mounts whose issuer is imported or signed by
# another mount; the mount/CRL/OCSP settings mirror pki_secret_backend.
variable "pki_mount_only" {
  description = "Map of PKI mounts to create (without certificate generation)"
  type = map(object({
    description           = optional(string)
    max_lease_ttl_seconds = optional(number, 315360000)
    # Issuer the URL/CRL config applies to.
    issuer_ref = optional(string, "default")
    # AIA / CRL / OCSP URLs; empty = nothing published.
    issuing_certificates    = optional(list(string), [])
    crl_distribution_points = optional(list(string), [])
    ocsp_servers            = optional(list(string), [])
    enable_templating       = optional(bool, false)
    default_issuer_ref            = optional(string)
    default_follows_latest_issuer = optional(bool, false)
    crl_expiry   = optional(string, "72h")
    crl_disable  = optional(bool, false)
    ocsp_disable = optional(bool, false)
    auto_rebuild           = optional(bool, false)
    enable_delta           = optional(bool, false)
    delta_rebuild_interval = optional(string)
  }))
  default = {}
}
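# Consul secret engines, keyed by mount name.
#
# NOTE(review): bootstrap_token and client_key are credentials. This
# variable is not marked `sensitive`, so they appear in plan output and
# any tfvars/CI logs that print variables; they also land in state either
# way. Marking the whole map sensitive would break a for_each over it
# (presumably how it is consumed — confirm), so the practical fix is to
# feed these two fields from a separate `sensitive = true` variable or an
# external secret store rather than inline tfvars.
variable "consul_secret_backend" {
  description = "Map of Consul secret engines to create"
  type = map(object({
    description = optional(string)
    # host:port of the Consul agent/server Vault talks to.
    address = string
    # true = Vault bootstraps Consul's ACL system itself; otherwise a
    # management token is expected in bootstrap_token.
    bootstrap       = optional(bool, false)
    bootstrap_token = optional(string)
    # https by default; "http" sends the management token in clear.
    scheme = optional(string, "https")
    # PEM material for TLS to Consul; client_cert/client_key enable mTLS.
    ca_cert     = optional(string)
    client_cert = optional(string)
    client_key  = optional(string)
    default_lease_ttl_seconds = optional(number)
    max_lease_ttl_seconds     = optional(number)
  }))
  default = {}

  validation {
    condition = alltrue([
      for b in var.consul_secret_backend : contains(["http", "https"], b.scheme)
    ])
    error_message = "consul_secret_backend scheme must be \"http\" or \"https\"."
  }
}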
# Consul secret-engine roles. `backend` must name a key of
# consul_secret_backend. Per the commit, the Consul ACL policies/roles
# referenced here are managed by the separate consul_acl_management
# module; this role only references them by name via consul_roles.
variable "consul_secret_backend_role" {
  description = "Map of Consul roles to create"
  type = map(object({
    name    = string
    backend = string
    # Names of Consul ACL roles attached to tokens issued from this role.
    consul_roles = optional(list(string), [])
    # Seconds; unset = mount defaults.
    ttl     = optional(number)
    max_ttl = optional(number)
    # Issue datacenter-local (non-replicated) tokens.
    local       = optional(bool, false)
    datacenters = optional(list(string))
    description = optional(string)
    # Consul service/node identities granted to issued tokens.
    service_identities = optional(list(object({
      service_name = string
      datacenters  = optional(list(string))
    })))
    node_identities = optional(list(object({
      node_name  = string
      datacenter = string
    })))
  }))
  default = {}
}
# Maps a consul_secret_backend key to the provider alias (sanitized for
# HCL identifier rules) used when talking to that Consul cluster. The
# commit notes this relies on OpenTofu's provider for_each support; a
# backend with no alias entry here presumably falls back to the default
# provider — confirm in the module's provider wiring.
variable "consul_backend_aliases" {
  description = "Map of consul backend names to sanitized provider aliases"
  type        = map(string)
  default     = {}
}
# Kubernetes secret engines (Vault issuing short-lived SA tokens), keyed
# by mount path. Defaults are short: 10 min leases, 24 h max.
variable "kubernetes_secret_backend" {
  description = "Map of Kubernetes secret engines to create"
  type = map(object({
    description               = optional(string)
    default_lease_ttl_seconds = optional(number, 600)
    max_lease_ttl_seconds     = optional(number, 86400)
    kubernetes_host           = string
    # false = Vault uses its own in-cluster SA JWT/CA for this mount; set
    # true when the target is a different cluster and supply credentials
    # elsewhere.
    disable_local_ca_jwt = optional(bool, false)
  }))
  default = {}
}
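# Kubernetes secret-engine roles. `backend` must name a key of
# kubernetes_secret_backend.
#
# NOTE(review): allowed_kubernetes_namespaces defaults to ["*"], so a role
# declared without it can mint credentials in every namespace of the
# target cluster. The default is kept for compatibility; callers should
# set an explicit namespace list per role.
variable "kubernetes_secret_backend_role" {
  description = "Map of Kubernetes secret backend roles to create"
  type = map(object({
    name    = string
    backend = string
    # Namespaces the role may create tokens/bindings in ("*" = all).
    allowed_kubernetes_namespaces = optional(list(string), ["*"])
    # "Role" (namespaced) or "ClusterRole" (cluster-wide) for generated bindings.
    kubernetes_role_type = optional(string, "Role")
    # Extra labels applied to objects Vault creates.
    extra_labels = optional(map(string), {})
  }))
  default = {}

  validation {
    condition = alltrue([
      for r in var.kubernetes_secret_backend_role : contains(["Role", "ClusterRole"], r.kubernetes_role_type)
    ])
    error_message = "kubernetes_secret_backend_role kubernetes_role_type must be \"Role\" or \"ClusterRole\"."
  }
}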
# Which Vault policies each auth role receives:
#   { <auth mount key> = { <role key> = [ "policy-a", "policy-b" ] } }
# The mount and role keys presumably refer to the auth_*_backend and
# auth_*_role map keys above, and the policy names to keys of
# policy_rules_map; nothing here validates that the references exist.
variable "policy_auth_map" {
  description = "Map of auth mounts -> auth roles -> policy names"
  type        = map(map(list(string)))
  default     = {}
}
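# Vault policy definitions: policy name -> list of path rules. Each rule
# becomes a `path "<path>" { capabilities = [...] }` stanza.
#
# The validation rejects capability names Vault does not know (which
# would otherwise fail at apply time) and empty rules. Note that "sudo"
# and "deny" are included because they are valid; review any policy
# granting "sudo" separately.
variable "policy_rules_map" {
  description = "Map of policy names to their rules"
  type = map(list(object({
    # Vault path, may contain glob/+ wildcards per Vault policy syntax.
    path         = string
    capabilities = list(string)
  })))
  default = {}

  validation {
    condition = alltrue(flatten([
      for rules in var.policy_rules_map : [
        for rule in rules :
        length(rule.path) > 0 && length(rule.capabilities) > 0
      ]
    ]))
    error_message = "Every policy rule needs a non-empty path and at least one capability."
  }

  validation {
    condition = alltrue(flatten([
      for rules in var.policy_rules_map : [
        for rule in rules : [
          for cap in rule.capabilities :
          contains(["create", "read", "update", "patch", "delete", "list", "sudo", "deny", "subscribe", "recover"], cap)
        ]
      ]
    ]))
    error_message = "Policy capabilities must be one of: create, read, update, patch, delete, list, sudo, deny, subscribe, recover."
  }
}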