#################
### Providers ###
#################
# This was set up with the latest release of Terraform as of August 11, 2022
# Pin _exactly_ this version. Do not move to a newer one on your own, because anyone else
# still running the older version would then break.
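terraform {
  # Updated as of June 29, 2023
  # Exact pin: every engineer and every pipeline on this codebase must run this same release.
  required_version = "1.5.2"

  # Every provider states its registry `source` explicitly instead of relying on the
  # implied "hashicorp/" namespace, and (apart from `local`, see below) carries a `~>`
  # constraint. The resolved versions and their checksums live in .terraform.lock.hcl;
  # commit that file so `terraform init` verifies the same provider builds everywhere.
  required_providers {
    # Latest as of June 29, 2023
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.5.0"
    }
    local = {
      source = "hashicorp/local"
      # TODO: add a `version = "~> <major.minor.patch>"` constraint so this provider is
      # pinned like the others; without one it floats to whatever release is newest at init.
    }
    # Latest as of June 29, 2023
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5.1"
    }
    # Latest as of June 29, 2023
    null = {
      source  = "hashicorp/null"
      version = "~> 3.2.1"
    }
    # Latest as of June 29, 2023
    external = {
      source  = "hashicorp/external"
      version = "~> 2.3.1"
    }
    # Latest as of June 29, 2023
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.21.1"
    }
    # Latest as of June 29, 2023
    # gitlab = {
    #   source  = "gitlabhq/gitlab"
    #   version = "~> 16.1.0"
    # }
    # Add more here as/if needed...
  }
}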
#################
### Variables ###
#################
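# Map of logical account name -> AWS account id. Declared as map(string) rather than
# the legacy bare `map` (which means map(any)) so a non-map or nested value is rejected
# at plan time instead of surfacing as a confusing error inside a resource.
variable "aws_account_ids" {
  type        = map(string)
  description = "A map of the various AWS account ids, to more easily know across-account details for doing peered vpcs and such"
  # Placeholder only; real deployments must override this with the actual 12-digit ids.
  default = {
    "master" = "invalid"
  }
}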
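# Map of environment name -> VPC CIDR. Typed as map(string) instead of the legacy bare
# `map`, and validated so a typo in a CIDR fails at plan time rather than when the VPC
# is created.
variable "global_cidrs" {
  type        = map(string)
  description = "A map of the various AWS environments and their CIDRs"
  default = {
    "master" = "0.0.0.0/16" # Use internal CIDRs, 10.x, 192.x, or 172.x. Google for "subnetting" and private CIDRs. Also always use /16 generally
  }

  validation {
    # cidrhost() errors on anything that is not a well-formed CIDR; can() turns that into false.
    condition     = alltrue([for cidr in values(var.global_cidrs) : can(cidrhost(cidr, 0))])
    error_message = "Every value in global_cidrs must be a valid CIDR block, e.g. 10.0.0.0/16."
  }
}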
# Short client identifier used in resource names. No default: it must be supplied.
variable "client_name_short" {
  description = "The name of the client, customer, or subclient, should be 3 letters long"
  type        = string
  # The 3-letter expectation is documented only, not enforced with a validation block.
}
# Full client name. No default: it must be supplied.
variable "client_name" {
  description = "The full name of the client, customer, or subclient, can be up to 16 characters long ideally, any longer may run into naming issues when creating certain resources"
  type        = string
}
# Do not use if you can... ideally use AWS SSM instead. May need for Windows instances though
# Note: it is recommended to store this key in a shared team location, such as Keybase's encrypted shared file storage
# variable "ssh_pub_key" {
# type = string
# description = "The path to your SSH public key (for use in ec2 instance creation)"
# }
# Deployment environment name. No default: it must be supplied.
variable "environment" {
  description = "The name of the environment, eg dev, prod, staging, etc"
  type        = string
}
# Optional finer-grained environment name; empty string means "none".
variable "subenvironment" {
  description = "The name of the subenvironment, only use if relevant"
  type        = string
  default     = ""
}
# We set a default here because we're primarily in the region us-east-1 as a company
# This can of course be overridden in a folder if some multi-regional deployments happen
# Region the current stack deploys into; defaults to the company's primary region.
variable "aws_region" {
  description = "AWS region (eg: us-east-2, eu-west-1, etc)"
  type        = string
  default     = "us-east-1"
}
# SHOULD BE THE SAME AS ABOVE; this is where our "terraform state" and global stacks live.
# This one never changes: it is hardcoded and should never be overridden or set to a different value.
# Region holding the Terraform state and global stacks. Keep the default; do not override.
variable "master_aws_region" {
  description = "AWS region (eg: us-east-1, eu-west-1, etc)"
  type        = string
  default     = "us-east-1"
}
# Slack URL
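# Incoming-webhook URL for SNS-to-Slack alerts. Anyone holding this URL can post to the
# channel, so it is handled as a credential: `sensitive = true` keeps it out of plan and
# apply output and state diffs shown on the console. Any `output` that exposes it must be
# marked sensitive as well. Supply the real value per deployment (an uncommitted *.tfvars
# file or TF_VAR_slack_webhook_url), never by editing the default.
variable "slack_webhook_url" {
  type        = string
  description = "Slack webhook URL"
  sensitive   = true
  # Placeholder that must be overridden; it is not a working webhook.
  default = "https://invalid-temp-replace-me.slack.com/services/XXXXXXXX/"
}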
# Target channel for alert notifications.
variable "slack_channel" {
  description = "The channel to send the SNS-to-Slack notifications (alerts) to"
  type        = string
  default     = "monitoring"
}
# This is for a "global" KMS key created per account generally, for admins
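# IAM principals that administer the account-wide KMS key. No default: the list must be
# supplied explicitly. Each entry is validated as an IAM principal ARN because these ARNs
# are granted rights on the key; a wildcard or a non-IAM ARN is rejected at plan time.
variable "kms_key_administrator_iam_arns" {
  description = "All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have rights to change who can access this extended log data."
  type        = list(string)
  # example = ["arn:aws:iam::<aws-account-id>:user/<iam-user-name>"]

  validation {
    # Accepts any partition (aws, aws-cn, aws-us-gov) and any IAM principal form
    # (user/..., role/..., root); an empty list passes.
    condition = alltrue([
      for arn in var.kms_key_administrator_iam_arns :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:", arn))
    ])
    error_message = "Every entry in kms_key_administrator_iam_arns must be an IAM principal ARN of the form arn:<partition>:iam::<12-digit-account-id>:<principal>."
  }
}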
# And for users. usually copy/paste from above value for simpler setups
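# IAM principals with read access through the account-wide KMS key. No default: the list
# must be supplied explicitly. Entries are validated as IAM principal ARNs, the same way
# as kms_key_administrator_iam_arns, so wildcards and non-IAM ARNs fail at plan time.
variable "kms_key_user_iam_arns" {
  description = "All CloudTrail Logs will be encrypted with a KMS Key (a Customer Master Key) that governs access to write API calls older than 7 days and all read API calls. The IAM Users specified in this list will have read-only access to this extended log data."
  type        = list(string)
  # example = ["arn:aws:iam::<aws-account-id>:user/<iam-user-name>"]

  validation {
    # Accepts any partition (aws, aws-cn, aws-us-gov) and any IAM principal form
    # (user/..., role/..., root); an empty list passes.
    condition = alltrue([
      for arn in var.kms_key_user_iam_arns :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:", arn))
    ])
    error_message = "Every entry in kms_key_user_iam_arns must be an IAM principal ARN of the form arn:<partition>:iam::<12-digit-account-id>:<principal>."
  }
}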
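# IAM user names to create. Typed as list(string) instead of the legacy bare `list`
# (list(any)) so a wrongly shaped value is rejected at plan time.
variable "global_users" {
  description = "The list of users to create (no access granted besides requiring MFA)"
  type        = list(string)
  default     = []
}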
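# User names granted admin. Typed as list(string) instead of the legacy bare `list`
# (list(any)) so a wrongly shaped value is rejected at plan time.
variable "admin_users" {
  description = "The list of users to give admin to"
  type        = list(string)
  default     = []
}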
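# User names granted billing access. Typed as list(string) instead of the legacy bare
# `list` (list(any)) so a wrongly shaped value is rejected at plan time.
variable "billing_users" {
  description = "The list of users to give billing to"
  type        = list(string)
  default     = []
}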
# Users to allow access to assume into dev developer role
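# User names allowed to assume the dev developer role. Typed as list(string) instead of
# the legacy bare `list` (list(any)) so a wrongly shaped value is rejected at plan time.
variable "dev_developer_users" {
  description = "The list of users to allow assuming into dev developer role"
  type        = list(string)
  default     = []
}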
# Users to allow access to assume into dev admin role
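# User names allowed to assume the dev admin role. Typed as list(string) instead of the
# legacy bare `list` (list(any)) so a wrongly shaped value is rejected at plan time.
variable "dev_admin_users" {
  description = "The list of users to allow assuming into dev admin role"
  type        = list(string)
  default     = []
}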
####################
### Data Sources ###
####################
# data "aws_availability_zones" "available" {}
# This is a helper we'll use often to get our AWS account id, used in ARNs and such
data "aws_caller_identity" "current" {}
# Generic ec2 assume role policy used in many IAM roles
data "aws_iam_policy_document" "ec2-assume-role-policy" {
  # Trust policy: the EC2 service may assume any role this document is attached to.
  statement {
    effect  = "Allow" # the provider default, stated explicitly for readers
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
# This list was checked and still up-to-date as of November 29, 2022
# It was last changed from Cloudflare's published ranges on April 8, 2021 - See: https://www.cloudflare.com/ips/
locals {
  # Cloudflare's published edge ranges, one prefix per line in the order Cloudflare lists them.
  # Re-check these against https://www.cloudflare.com/ips/ whenever they are used in a
  # security group or allowlist: a stale list blocks legitimate edges, and an IP allowlist
  # alone does not prove a request came from *your* Cloudflare zone.
  cloudflare_ips_ipv4 = [
    "103.21.244.0/22",
    "103.22.200.0/22",
    "103.31.4.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
    "108.162.192.0/18",
    "131.0.72.0/22",
    "141.101.64.0/18",
    "162.158.0.0/15",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "188.114.96.0/20",
    "190.93.240.0/20",
    "197.234.240.0/22",
    "198.41.128.0/17",
  ]

  cloudflare_ips_ipv6 = [
    "2400:cb00::/32",
    "2606:4700::/32",
    "2803:f800::/32",
    "2405:b500::/32",
    "2405:8100::/32",
    "2a06:98c0::/29",
    "2c0f:f248::/32",
  ]
}