# vpc
# Decides whether the module provisions, reuses, or omits the VPC.
# 'skip' cascades: the subnet, security group, and load balancer are
# skipped as well, so nothing network-facing is created in that mode.
variable "vpc_use_strategy" {
  description = <<-EOT
    How the module treats VPC resources:
      'skip'   - do not create or look up a VPC,
      'select' - reuse an existing VPC whose "Name" tag equals vpc_name,
      'create' - provision a new VPC (the default); requires vpc_name and vpc_cidr.
    When selecting, a VPC carrying the given "Name" tag must already exist.
    When skipping, the subnet, security group, and load balancer are skipped automatically.
  EOT
  type        = string
  default     = "create"

  # Fail at plan time on anything other than the three supported modes.
  validation {
    condition     = contains(["create", "select", "skip"], var.vpc_use_strategy)
    error_message = "The vpc_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}
# Identifier for the VPC: the name given to a created VPC, or the "Name"
# tag value searched for when selecting an existing one.
variable "vpc_name" {
  description = <<-EOT
    Name of the VPC to create or select.
    When selecting, a VPC with a "Name" tag equal to this value must already exist.
    NOTE: "Name" tags are neither unique nor immutable in AWS, so a lookup by
    name can resolve to a different VPC than intended if more than one shares it.
  EOT
  type        = string
  default     = ""
}
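# Primary IPv4 block for a created VPC. Validated at plan time so a malformed
# or out-of-range value is rejected here instead of surfacing as an opaque
# "invalid CIDR" error from AWS during apply.
variable "vpc_cidr" {
  description = <<-EOT
    This value sets the default private IP space for the created VPC (only relevant when creating).
    It must be an IPv4 CIDR block with a prefix length between /16 and /28, the range AWS accepts for a VPC.
    WARNING: AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively).
    This means that every VPC has 5 IP addresses that cannot be assigned to subnets, and every subnet assigned has 5 IP addresses that cannot be used.
    If you attempt to generate a VPC that has no usable addresses you will get an "invalid CIDR" error from AWS.
    If you attempt to generate a subnet that uses one of the addresses reserved by AWS in the VPC's CIDR, you will get an "invalid CIDR" error from AWS.
  EOT
  type        = string
  default     = "10.0.0.0/16"

  validation {
    # cidrhost() proves the string parses as a CIDR; the regex pins the prefix
    # length to the /16-/28 window AWS allows for a VPC's primary block.
    condition     = can(cidrhost(var.vpc_cidr, 0)) && can(regex("^[0-9.]+/(1[6-9]|2[0-8])$", var.vpc_cidr))
    error_message = "The vpc_cidr value must be a valid IPv4 CIDR block with a prefix length between /16 and /28."
  }
}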
# subnet
# Decides whether the module provisions, reuses, or omits subnets.
# 'skip' cascades to the security group and load balancer.
variable "subnet_use_strategy" {
  description = <<-EOT
    How the module treats subnet resources:
      'skip'   - do not create or look up subnets,
      'select' - reuse existing subnets found by their "Name" tag,
      'create' - provision new subnets (the default); requires a subnet_name and subnet_cidr.
    When selecting, the subnet_name must be provided and a subnet carrying that "Name" tag must exist.
    When skipping, the security group and load balancer are skipped automatically.
  EOT
  type        = string
  default     = "create"

  # Fail at plan time on anything other than the three supported modes.
  validation {
    condition     = contains(["create", "select", "skip"], var.subnet_use_strategy)
    error_message = "The subnet_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}
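# Subnets to create or select, keyed by a static name. An empty cidr or
# availability_zone means "let the module pick"; a non-empty cidr is checked
# at plan time so typos fail early instead of as an AWS "invalid CIDR" error.
variable "subnets" {
  type = map(object({
    cidr              = string,
    availability_zone = string,
    public            = bool,
  }))
  description = <<-EOT
    A map of subnet objects to create or select.
    The key is the name of the subnet, and the value is an object with the following keys:
      cidr: the cidr of the subnet to create ("" to derive one from the VPC's cidr)
      availability_zone: the availability zone to create the subnet in ("" for your account's default)
      public: set this to true to enable the subnet to have public IP addresses
    Prefer public = false: a subnet that hands out public IP addresses widens the exposure
    of everything launched into it, so enable it only for workloads that must be reachable directly.
    WARNING: AWS reserves the first four IP addresses and the last IP address in any CIDR block for its own use (cumulatively).
    This means that every VPC has 5 IP addresses that cannot be assigned to subnets, and every subnet assigned has 5 IP addresses that cannot be used.
    If you attempt to generate a subnet that has no usable addresses you will get an "invalid CIDR" error from AWS.
    If you attempt to generate a subnet that uses one of the addresses reserved by AWS in the VPC's CIDR, you will get an "invalid CIDR" error from AWS.
    When skipping a subnet, the security group and load balancer will also be skipped (automatically).
    When selecting a subnet:
      - the name (key) must be provided and a subnet with the tag "Name" with the given name must exist.
      - the values for cidr, availability_zone, and public will be ignored (a non-empty cidr must still parse).
    When creating subnets, any values not supplied will be generated by the module.
      - the name will match the vpc name
      - The availability zone will be whatever the default is for your account.
      - The cidr will be generated based on the VPC's cidr and the number of subnets you are creating.
      - The public flag will be set to false.
    If you are expecting high availability, make sure there are at least three availability zones in the region you are deploying to.
    WARNING! The key for this argument must not be derived from a resource, it must be static.
  EOT
  default = { "default" = {
    cidr              = "", # will be generated based on the vpc cidr
    availability_zone = "", # just get the first one
    public            = false,
  } }

  validation {
    # "" is the "derive it" sentinel; anything else has to be a parseable CIDR block.
    condition = alltrue([
      for name, subnet in var.subnets : subnet.cidr == "" || can(cidrhost(subnet.cidr, 0))
    ])
    error_message = "Each subnet cidr must be empty (auto-generated) or a valid CIDR block."
  }
}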
# security group
# Decides whether the module provisions, reuses, or omits the security group.
# 'skip' cascades to the load balancer.
variable "security_group_use_strategy" {
  description = <<-EOT
    How the module treats security group resources:
      'skip'   - do not create or look up a security group,
      'select' - reuse an existing security group found by security_group_name,
      'create' - provision a new security group (the default).
    When selecting, the security_group_name must be provided and a security group with that name must exist.
    When skipping, the load balancer is skipped automatically.
  EOT
  type        = string
  default     = "create"

  # Fail at plan time on anything other than the three supported modes.
  validation {
    condition     = contains(["create", "select", "skip"], var.security_group_use_strategy)
    error_message = "The security_group_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}
# Name of the EC2 security group: used as the tag on a created group and as
# the lookup key when selecting an existing one.
variable "security_group_name" {
  description = <<-EOT
    Name of the ec2 security group to create or select.
    Required for the "create" and "select" strategies; ignored for "skip".
    When selecting, a security group with exactly this name must already exist.
    When creating, the name is applied as a tag on the new group and security_group_type is required.
    The available types are defined in modules/security_group/types.tf.
  EOT
  type        = string
  default     = ""
}
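# Which opinionated rule set a created security group gets. The description
# previously told users to leave this blank when selecting a group, but the
# validation below rejects "" — the text now matches the enforced contract.
variable "security_group_type" {
  description = <<-EOT
    The type of the ec2 security group to create.
    We provide opinionated options for the user to select from; the rule sets are defined in
    ./modules/security_group/types.tf. Review that file before choosing — by name, 'public'
    is the least restrictive option, so only use it for endpoints that must be internet-facing.
    Must be one of: project, egress, or public. A blank value is rejected by validation,
    so when selecting or skipping a security group simply leave the default in place;
    the type only matters when a security group is being created.
  EOT
  type        = string
  default     = "project"

  validation {
    condition     = contains(["project", "egress", "public"], var.security_group_type)
    error_message = "The security_group_type value must be one of 'project', 'egress', or 'public'."
  }
}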
# load balancer
# Decides whether the module provisions, reuses, or omits the load balancer.
# 'skip' cascades to the domain.
variable "load_balancer_use_strategy" {
  description = <<-EOT
    How the module treats load balancer resources:
      'skip'   - do not create or look up a load balancer,
      'select' - reuse an existing load balancer found by its "Name" tag,
      'create' - provision a new load balancer (the default).
    When selecting, the load_balancer_name must be provided and a load balancer with that "Name" tag must exist.
    When skipping, the domain is skipped automatically.
  EOT
  type        = string
  default     = "create"

  # Fail at plan time on anything other than the three supported modes.
  validation {
    condition     = contains(["create", "select", "skip"], var.load_balancer_use_strategy)
    error_message = "The load_balancer_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}
# "Name" tag of the load balancer; written on create, searched for on select.
variable "load_balancer_name" {
  description = <<-EOT
    Name of the load balancer. A 'Name' tag with this value must exist for it to be found.
    When the module generates the load balancer, the value is added as that tag, and the
    tag is how the load balancer is located again on later runs.
    NOTE: tags are not unique, so make sure only one load balancer carries this name.
    If both a domain and a load balancer name are given, a domain record pointing at the
    load balancer is created.
  EOT
  type        = string
  default     = ""
}
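# Ingress rules exposed on the load balancer. These decide who on the internet
# can reach the project, so each entry is validated at plan time: protocol must
# be tcp/udp, the port must be a real port, and every cidr must parse.
variable "load_balancer_access_cidrs" {
  type = map(object({
    port     = number
    cidrs    = list(string)
    protocol = string
  }))
  description = <<-EOT
    A map of access information objects.
    The port is the port to expose on the load balancer.
    The cidrs is a list of external cidr blocks to allow access to the load balancer.
    The protocol is the network protocol to expose on, this can be 'udp' or 'tcp'.
    Keep the cidrs as narrow as possible; "0.0.0.0/0" opens the port to the whole internet
    and should be a deliberate choice, not a default.
    Example:
      {
        test = {
          port     = 443
          cidrs    = ["1.1.1.1/32"]
          protocol = "tcp"
        }
      }
  EOT
  default = null

  validation {
    # null means "no rules"; otherwise every entry must be well-formed. The
    # conditional keeps the for-expression from iterating over null, and
    # try()/can() stop a null port or unparsable cidr from aborting the check.
    condition = var.load_balancer_access_cidrs == null ? true : alltrue([
      for name, rule in var.load_balancer_access_cidrs :
      contains(["tcp", "udp"], lower(rule.protocol))
      && try(rule.port >= 1 && rule.port <= 65535, false)
      && alltrue([for cidr in rule.cidrs : can(cidrhost(cidr, 0))])
    ])
    error_message = "Each load_balancer_access_cidrs entry needs protocol 'tcp' or 'udp', a port between 1 and 65535, and a list of valid CIDR blocks."
  }
}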
# domain
# Decides whether the module provisions, reuses, or omits the DNS domain.
variable "domain_use_strategy" {
  description = <<-EOT
    How the module treats domain resources:
      'skip'   - do not create or look up a domain,
      'select' - reuse an existing domain with the given name,
      'create' - provision a new domain (the default); requires a domain name.
    When selecting, the domain must be provided and a domain with the matching name must exist.
    When a domain is added, it is attached to all load balancer ports with a certificate for secure access.
  EOT
  type        = string
  default     = "create"

  # Fail at plan time on anything other than the three supported modes.
  validation {
    condition     = contains(["create", "select", "skip"], var.domain_use_strategy)
    error_message = "The domain_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}
# DNS name the project is served under; creating it also binds it to the load
# balancer and issues a TLS certificate.
variable "domain" {
  description = <<-EOT
    The domain name to retrieve or create.
    Creating the domain also assigns it to the load balancer and generates a TLS certificate,
    which is what enables secure connections for the project.
    To actually serve traffic you still have to create load balancer target group associations
    in later stages; the load balancer's ARN is exported as an output for that purpose.
  EOT
  type        = string
  default     = ""
}
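# Decides whether the module issues, reuses, or omits the TLS certificate.
# Unlike the other *_use_strategy variables this one had no validation, so a
# typo would silently fall through to whatever the module does for an unknown
# value; the check below brings it in line with its siblings.
variable "cert_use_strategy" {
  description = <<-EOT
    Strategy for using certs:
      'skip' to skip,
      'select' to select an existing cert,
      'create' to generate a new cert.
    The cert created will be for the domain specified, it will be saved in an iam_server_certificate.
    You can add the certificate to the server or use it when configuring services.
    To select a cert, it must have a name prefixed with the domain specified.
    NOTE: prefix matching is loose — make sure only one certificate name starts with the domain,
    or the lookup may pick a different certificate than you expect.
    NOTE: uploading a certificate to IAM means the private key passes through Terraform and will
    typically be recorded in state; keep the state backend encrypted and tightly access-controlled.
  EOT
  type        = string
  default     = "skip"

  validation {
    condition     = contains(["skip", "select", "create"], var.cert_use_strategy)
    error_message = "The cert_use_strategy value must be one of 'skip', 'select', or 'create'."
  }
}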