247 lines
9.6 KiB
HCL
247 lines
9.6 KiB
HCL
# vpc
|
|
variable "vpc_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using vpc resources:
|
|
'skip' to disable,
|
|
'select' to use existing,
|
|
or 'create' to generate new vpc resources.
|
|
VPC CIDRs are no longer required, and will be generated automatically.
|
|
When selecting a vpc, the vpc_name must be provided and a vpc that has a tag "Name" with the given name must exist.
|
|
When skipping a vpc, the subnet, security group, and load balancer will also be skipped (automatically).
|
|
EOT
|
|
default = "create"
|
|
validation {
|
|
condition = contains(["skip", "select", "create"], var.vpc_use_strategy)
|
|
error_message = "The vpc_use_strategy value must be one of 'skip', 'select', or 'create'."
|
|
}
|
|
}
|
|
variable "vpc_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of the VPC to create or select.
|
|
EOT
|
|
default = "default"
|
|
}
|
|
variable "vpc_type" {
|
|
type = string
|
|
description = <<-EOT
|
|
The type of CIDR block to use for the VPC.
|
|
Options are:
|
|
ipv4: Deploy an IPv4 only VPC.
|
|
ipv6: Deploy an IPv6 Native VPC, IPv4 won't be compatible and changing to dualstack will require new VPC/subnets/load balancer/security groups.
|
|
dualstack: Deploy a dualstack VPC, this will be native IPv4 with additional IPv6 support.
|
|
dualstack doesn't enable using all IPv6 features, it simply deploys IPv6 addresses and enables IPv6 traffic.
|
|
moving from dualstack to IPv6 will require new VPC/subnets/load balancer/security groups.
|
|
EOT
|
|
default = "ipv4"
|
|
}
|
|
variable "vpc_zones" {
|
|
type = list(string)
|
|
description = <<-EOT
|
|
The availability zones to deploy subnets to within the VPC.
|
|
The VPC should span these zones, this informs the subnet creation strategy.
|
|
The default is to use the first availability zone found in the region.
|
|
Only one subnet will be created per availability zone.
|
|
This should be the name of the zone, not its id. eg. 'us-west-2a' not 'usw2-az2'.
|
|
EOT
|
|
default = []
|
|
}
|
|
variable "vpc_public" {
|
|
type = bool
|
|
description = <<-EOT
|
|
Whether to assign a public IP address to instances using subnets.
|
|
This is not an EIP, that should be handled at a different level, eg. when generating an ec2 instance.
|
|
EOT
|
|
default = false
|
|
}
|
|
|
|
# subnet
|
|
variable "subnet_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using subnet resources:
|
|
'skip' to disable,
|
|
'select' to use existing,
|
|
or 'create' to generate new subnet resources.
|
|
The default is 'create', which requires a subnet_name to be provided.
|
|
When selecting a subnet, the subnet_name must be provided and a subnet with the tag "Name" with the given name must exist.
|
|
When skipping a subnet, the security group and load balancer will also be skipped (automatically).
|
|
EOT
|
|
default = "create"
|
|
validation {
|
|
condition = contains(["skip", "select", "create"], var.subnet_use_strategy)
|
|
error_message = "The subnet_use_strategy value must be one of 'skip', 'select', or 'create'."
|
|
}
|
|
}
|
|
|
|
variable "subnet_names" {
|
|
type = list(string)
|
|
description = <<-EOT
|
|
The names to use for the subnets to select or create.
|
|
Required when not skipping subnets.
|
|
When creating, the number of subnet_names must match the number of vpc_zones.
|
|
Only one subnet can be provisioned per zone, this is to align with load balancer mappings.
|
|
EOT
|
|
default = []
|
|
}
|
|
|
|
# security group
|
|
variable "security_group_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using security group resources:
|
|
'skip' to disable,
|
|
'select' to use existing,
|
|
or 'create' to generate new security group resources.
|
|
The default is 'create'.
|
|
When selecting a security group, the security_group_name must be provided and a security group with the given name must exist.
|
|
When skipping a security group, the load balancer will also be skipped (automatically).
|
|
EOT
|
|
default = "create"
|
|
validation {
|
|
condition = contains(["skip", "select", "create"], var.security_group_use_strategy)
|
|
error_message = "The security_group_use_strategy value must be one of 'skip', 'select', or 'create'."
|
|
}
|
|
}
|
|
variable "security_group_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of the ec2 security group to create or select.
|
|
When choosing the "create" or "select" strategy, this is required.
|
|
When choosing the "skip" strategy, this is ignored.
|
|
When selecting a security group, the security_group_name must be provided and a security group with the given name must exist.
|
|
When creating a security group, the name will be used to tag the resource, and security_group_type is required.
|
|
The types are located in modules/security_group/types.tf.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "security_group_type" {
|
|
type = string
|
|
description = <<-EOT
|
|
The type of the ec2 security group to create.
|
|
We provide opinionated options for the user to select from.
|
|
Leave this blank if you would like to select a security group rather than generate one.
|
|
The types are located in ./modules/security_group/types.tf.
|
|
If specified, must be one of: project, egress, or public.
|
|
EOT
|
|
default = "project"
|
|
validation {
|
|
condition = contains(["project", "egress", "public"], var.security_group_type)
|
|
error_message = "The security_group_type value must be one of 'project', 'egress', or 'public'."
|
|
}
|
|
}
|
|
|
|
# load balancer
|
|
variable "load_balancer_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using load balancer resources:
|
|
'skip' to disable,
|
|
'select' to use existing,
|
|
or 'create' to generate new load balancer resources.
|
|
The default is 'create'.
|
|
When selecting a load balancer, the load_balancer_name must be provided and a load balancer with the "Name" tag must exist.
|
|
When skipping a load balancer, the domain will also be skipped (automatically).
|
|
EOT
|
|
default = "create"
|
|
validation {
|
|
condition = contains(["skip", "select", "create"], var.load_balancer_use_strategy)
|
|
error_message = "The load_balancer_use_strategy value must be one of 'skip', 'select', or 'create'."
|
|
}
|
|
}
|
|
variable "load_balancer_name" {
|
|
type = string
|
|
description = <<-EOT
|
|
The name of the Load Balancer, there must be a 'Name' tag on it to be found.
|
|
When generating a load balancer, this will be added as a tag to the resource.
|
|
This tag is how we will find it again in the future.
|
|
If a domain and a load balancer name is given, we will create a domain record pointing to the load balancer.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "load_balancer_access_cidrs" {
|
|
type = map(object({
|
|
port = number
|
|
ip_family = string
|
|
cidrs = list(string)
|
|
protocol = string
|
|
target_name = string
|
|
}))
|
|
description = <<-EOT
|
|
A map of access information objects.
|
|
The port is the port to expose on the load balancer.
|
|
The cidrs is a list of external cidr blocks to allow access to the load balancer.
|
|
The protocol is the network protocol to expose on, this can be 'udp' or 'tcp'.
|
|
The target_name must be unique per region per account,
|
|
can have a maximum of 32 characters,
|
|
must contain only alphanumeric characters or hyphens,
|
|
and must not begin or end with a hyphen.
|
|
Example:
|
|
{
|
|
test = {
|
|
port = 443
|
|
cidrs = ["1.1.1.1/32"]
|
|
ip_family = "ipv4"
|
|
protocol = "tcp"
|
|
target_name = "test-target-123abc"
|
|
}
|
|
}
|
|
EOT
|
|
default = null
|
|
}
|
|
|
|
# domain
|
|
variable "domain_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using domain resources:
|
|
'skip' to disable,
|
|
'select' to use existing,
|
|
or 'create' to generate new domain resources.
|
|
The default is 'create', which requires a domain name to be provided.
|
|
When selecting a domain, the domain must be provided and a domain with the matching name must exist.
|
|
When adding a domain, it will be attached to all load balancer ports with a certificate for secure access.
|
|
EOT
|
|
default = "create"
|
|
validation {
|
|
condition = contains(["skip", "select", "create"], var.domain_use_strategy)
|
|
error_message = "The domain_use_strategy value must be one of 'skip', 'select', or 'create'."
|
|
}
|
|
}
|
|
variable "domain_zone" {
|
|
type = string
|
|
description = <<-EOT
|
|
The domain zone to use for generating the domain.
|
|
This is only required when using the 'create' domain_use_strategy.
|
|
The domain zone must already exist in AWS.
|
|
WARNING! Domain zones can take up to 24 hours to propagate, this is why we don't include them.
|
|
Required when not using 'skip' as the domain_use_strategy.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "domain" {
|
|
type = string
|
|
description = <<-EOT
|
|
The domain name to retrieve or create.
|
|
Part of creating the domain is assigning it to the load balancer and generating a tls certificate.
|
|
This should enable secure connections for your project.
|
|
To make use of this feature, you must generate load balancer target group associations in other further stages.
|
|
We output the arn of the load balancer for this purpose.
|
|
EOT
|
|
default = ""
|
|
}
|
|
variable "cert_use_strategy" {
|
|
type = string
|
|
description = <<-EOT
|
|
Strategy for using certs:
|
|
'skip' to skip,
|
|
'select' to select an existing cert,
|
|
or 'create' to generate a new cert.
|
|
The cert created will be for the domain specified, it will be saved in an iam_server_certificate.
|
|
You can add the certificate to the server or use it when configuring services.
|
|
To select a cert, it must have a name prefixed with the domain specified.
|
|
EOT
|
|
default = "skip"
|
|
}
|