# General
# Required input (no default): the caller must name the VPC.
variable "name" {
  description = "VPC name."
  type        = string
}
# VPC
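# Primary IPv4 CIDR of the VPC. Two checks run at plan time:
#   1. syntax and prefix length via the regex (AWS VPC blocks are /16 .. /28);
#   2. the address part must be the network address of the block
#      (10.0.0.0/16, not 10.0.0.1/16). Per the EC2 CreateVpc API docs, AWS
#      rewrites a non-canonical block to its canonical form server-side, so an
#      unaligned value in config would no longer match what AWS stores.
variable "main_cidr_block" {
  type        = string
  description = "Main IPv4 CIDR block for the VPC, written as its network address (prefix /16 to /28)."

  validation {
    # can() is the idiomatic way to turn a regex() failure into `false`. The
    # previous form, try(regex(...) != "", false), compared the list of capture
    # groups with "" and only evaluated to true by accident of HCL's loose
    # equality between different types.
    condition     = can(regex("^([1-9]|([1-9][0-9])|(1[0-9][0-9])|(2[0-4][0-9])|(25[0-5]))[.]((0|[1-9]|([1-9][0-9])|(1[0-9][0-9])|(2[0-4][0-9])|(25[0-5]))[.]){2}(0|[1-9]|([1-9][0-9])|(1[0-9][0-9])|(2[0-4][0-9])|(25[0-5]))/((1[6-9])|(2[0-8]))$", var.main_cidr_block))
    error_message = "Invalid main IPv4 CIDR block for VPC. Netmask must be between /28 and /16."
  }

  validation {
    # cidrhost(block, 0) is the network address of the block; it must equal the
    # address the caller typed. try() keeps this check from erroring on input
    # the regex validation above already rejects.
    condition     = try(cidrhost(var.main_cidr_block, 0) == split("/", var.main_cidr_block)[0], false)
    error_message = "Main IPv4 CIDR block must be given as its network address (e.g. 10.0.0.0/16, not 10.0.0.1/16)."
  }
}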
# Instance tenancy attribute of the VPC. Anything other than "default" has a
# significant cost footprint (see description).
# NOTE(review): the accepted set here is default/dedicated/host; confirm the
# aws_vpc resource in use actually honours "host" and not only default/dedicated.
variable "instance_tenancy" {
  description = "Tenancy of instances launched into the VPC. Dedicated or host tenancy cost at least 2$/h."
  type        = string
  default     = "default"

  validation {
    condition     = var.instance_tenancy == "default" || var.instance_tenancy == "dedicated" || var.instance_tenancy == "host"
    error_message = "Invalid VPC tenancy."
  }
}
# VPC attribute enableDnsSupport. Enabled by default; disabling it also
# prevents DNS hostnames from being resolved inside the VPC.
variable "enable_dns_support" {
  description = "Whether to enable DNS support in the VPC."
  type        = bool
  default     = true
}
# VPC attribute enableDnsHostnames. Per the AWS VPC DNS attribute docs this is
# only effective when DNS support is enabled as well (`enable_dns_support`);
# both default to true in this module. Needed for private-DNS VPC interface
# endpoints to resolve.
variable "enable_dns_hostnames" {
  description = "Whether to enable DNS hostnames in the VPC."
  type        = bool
  default     = true
}
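# Despite its name this is a boolean switch, not a CIDR string: it asks AWS to
# assign a /56 IPv6 block to the VPC. The validation hard-rejects `true` until
# the rest of the module (subnets, routes, NACLs) supports IPv6, so the only
# accepted value today is the default `false`.
variable "ipv6_cidr_block" {
  type        = bool
  description = "Whether to request an Amazon-provided IPv6 CIDR block with /56 prefix length for the VPC. Not supported yet; must be false."
  default     = false

  validation {
    # Deliberate feature gate: fail fast at plan time instead of producing a
    # VPC with an IPv6 block that nothing else in the module is wired for.
    condition     = !var.ipv6_cidr_block
    error_message = "IPv6 is not yet supported."
  }
}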
# Subnets
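# How many AZs the subnets are spread across. The effective count is the
# smaller of this value and the number of AZs available in the region (see
# the `subnets` description). Previously unvalidated: 0, negative or
# fractional values would only surface as confusing errors deep in the
# subnet/CIDR arithmetic.
variable "availability_zones_count" {
  type        = number
  description = "Number of Availability Zones to use for VPC subnets. Whole number >= 1; capped at the number of AZs available in the Region."
  default     = 3

  validation {
    # floor(x) == x rejects fractional values, which HCL's `number` type allows.
    condition     = var.availability_zones_count >= 1 && floor(var.availability_zones_count) == var.availability_zones_count
    error_message = "availability_zones_count must be a whole number of at least 1."
  }
}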
# Selects how the VPC CIDR is carved into subnets when `subnets` is left null.
# Only consulted by the module's internal subnet computation.
variable "subnetting_algorithm" {
  type    = string
  default = "nowaste"

  description = <<EOF
Algorithm type for subnetting the VPC IPv4 CIDR blocks.
Supported algorithms:
* nowaste - Use the whole CIDR block, leaving no subnet addresses unused.
It attempts an equal split. When the number of subnets is not a power of 2, the last subnets will have bigger prefix lengths
Ie. Less usable host IPs
* equalsplit - The subnets will be split equally - ie. same prefix length
This will result in unused subnet addresses when the number of requested subnets is not a power of 2.
EOF

  validation {
    condition     = var.subnetting_algorithm == "nowaste" || var.subnetting_algorithm == "equalsplit"
    error_message = "Invalid subnetting algorithm. Valid values: nowaste, equalsplit."
  }
}
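# Explicit per-subnet CIDRs, overriding the automatic subnetting. Null (the
# default) means "compute them". When a value is given, every entry in both
# lists must parse as a CIDR so that a typo fails at plan time rather than
# during apply. `public` may be null when only private subnets are created.
variable "subnets" {
  type = object({
    private = list(string)
    public  = list(string)
  })

  description = <<EOT
List of IPv4 CIDR blocks to use for each subnet, both private and public.
The number of subnets created is not decided by the length of the `private` & `public` lists, but by the value of `availability_zones_count`,
capped at the number of AZs available in the AWS Region where the VPC is created,
ie. min(var.availability_zones_count, length(data.aws_availability_zones.available.names)).
If `private_subnets_only` is `true`, the `public` list can be passed as null or an empty list.
By default this variable is `null`, which means the subnets are computed by the internal algorithms, controlled by the `subnetting_algorithm` variable.
EOT

  default = null

  validation {
    # try() around the whole list build makes a null variable (or a null
    # `private`/`public` list) yield an empty list instead of an error, so the
    # check is a no-op in those cases and only bites on malformed CIDR text.
    condition = var.subnets == null || alltrue([
      for cidr in try(concat(
        var.subnets.private == null ? [] : var.subnets.private,
        var.subnets.public == null ? [] : var.subnets.public
      ), []) : can(cidrhost(cidr, 0))
    ])
    error_message = "Every entry in subnets.private and subnets.public must be a valid CIDR block (e.g. 10.0.1.0/24)."
  }
}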
# When true the module creates no public subnets from the VPC CIDR; see
# `force_internet_gateway` for the one case that still wants an IGW.
variable "private_subnets_only" {
  description = "Whether to create only private subnets from VPC IPv4 CIDR block."
  type        = bool
  default     = false
}
# Network ACLs
# Network ACL bootstrap switch. With the default (false) the module seeds each
# NACL with an allow-all rule, i.e. the NACL layer is effectively open and
# security groups are the only filter. Setting this to true leaves the NACLs
# without that rule; since AWS NACLs deny anything not explicitly allowed,
# all traffic is blocked until rules are attached elsewhere — plan for that
# before flipping it on an existing VPC.
variable "empty_network_acls" {
  description = "Do not create default allow all traffic rule in network ACLs."
  type        = bool
  default     = false
}
# NAT Gateways & Internet Gateway
# NAT gateway topology. Defaults to "ha"; the exact meaning of each mode
# (how many gateways, in which AZs) is implemented elsewhere in the module.
variable "nat_gateway_setup" {
  description = "NAT Gateway setup. Available options: one-az, failover, ha"
  type        = string
  default     = "ha"

  validation {
    condition     = var.nat_gateway_setup == "one-az" || var.nat_gateway_setup == "failover" || var.nat_gateway_setup == "ha"
    error_message = "NAT Gateway setups available are: one-az, failover, ha."
  }
}
# Security-relevant override: attaches an Internet Gateway to a VPC that was
# requested as private-only. The IGW alone does not expose anything — a subnet
# is only public if its route table sends 0.0.0.0/0 to the IGW — but the
# routes are created elsewhere in the module, so review them before enabling
# this. The stated use case is AWS Global Accelerator targeting private
# resources.
variable "force_internet_gateway" {
  description = "Force creation of an Internet Gateway for a VPC with only private subnets. Required if an AWS Global Accelerator is pointing to a private resource in the VPC."
  type        = bool
  default     = false
}
# VPC Endpoints
# Gateway endpoints for S3 and DynamoDB. On by default: they keep traffic to
# those services on the AWS network instead of sending it through the NAT /
# Internet gateways, and gateway endpoints themselves carry no hourly charge.
variable "create_vpc_gateway_endpoints" {
  description = "Create VPC Endpoints (Gateway) for S3 & DynamoDB services."
  type        = bool
  default     = true
}
# VPC Flow Logs
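# VPC Flow Logs configuration.
#
# Type is intentionally `any`: the keys carry different value types
# (string / number / nested object) and the code that reads this value is not
# in this file, so switching to object({ ... optional(...) ... }) could change
# how missing keys are observed downstream (a missing key vs. a null attribute).
# Instead, each documented key gets its own validation block guarded with
# try(), so an absent key — or a null variable — passes and only a key that is
# present with an invalid value is rejected at plan time.
#
# Default `{}` means flow logs are ENABLED with the defaults listed in the
# description. Pass `null` to disable them; do that knowingly, flow logs are
# typically the only per-ENI traffic record available for incident response.
variable "flow_logs_config" {
  type = any # Because map values have different types.

  description = <<EOF
Config block for VPC Flow Logs. It must be a map with the following optional keys: destination, retention, aggregation_interval, log_format, kms_key_id, s3_tiering.
Properties allowed values:
destination => "cloud-watch-logs" or "s3"
Default: "cloud-watch-logs"
retention => 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, 0 (indefinitely)
Default: 30 (days)
Valid only for CloudWatch destination
aggregation_interval => 60 or 600
Default: 600
log_format => Check AWS documentation
kms_key_id => ARN of a CMK in AWS KMS
Default: AWS managed key
s3_tiering => configuration for S3 Intelligent-Tiering
Default: Archive access after 90 days & Deep Archive Access after 180 days
Pass this as `null` or with both properties set to 0 to disable S3 Intelligent-Tiering
archive_access => Days after which data is tiered to ARCHIVE_ACCESS
Default: 90
Pass as 0 to disable ARCHIVE_ACCESS tiering
deep_archive_access => Days after which data is tiered to DEEP_ARCHIVE_ACCESS
Default: 180
Pass as 0 to disable DEEP_ARCHIVE_ACCESS tiering
Pass the variable as null to disable flow logs.
EOF

  # `{}` = enabled with defaults; `null` = disabled (see description).
  default = {}

  validation {
    # Reject unknown keys. keys(null) errors, which try() maps to the fallback
    # `var.flow_logs_config == null` (true), so a null variable passes.
    condition = try(length([
      for k in keys(var.flow_logs_config) : true
      if contains(["destination", "retention", "aggregation_interval", "log_format", "kms_key_id", "s3_tiering"], k)
    ]) == length(var.flow_logs_config), var.flow_logs_config == null)
    error_message = "Invalid key present in flow logs config."
  }

  validation {
    # Attribute access fails when the key is absent or the variable is null;
    # try() turns that into "nothing to check".
    condition     = try(contains(["cloud-watch-logs", "s3"], var.flow_logs_config.destination), true)
    error_message = "VPC flow logs destination must be either cloud-watch-logs or s3."
  }

  validation {
    # Allowed CloudWatch Logs retention periods; 0 means never expire.
    condition     = try(contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, 0], var.flow_logs_config.retention), true)
    error_message = "Invalid retention period for VPC flow logs in CloudWatch destination."
  }

  validation {
    # Flow log max aggregation interval is 1 minute or 10 minutes, in seconds.
    condition     = try(contains([60, 600], var.flow_logs_config.aggregation_interval), true)
    error_message = "Invalid aggregation interval for VPC flow logs."
  }
}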
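# Tags applied to every resource the module creates. Required (no default).
# The description reserves `Name` and `net/type` for the module; previously
# this was prose only, so a caller passing them would either override the
# module's values or be silently overridden, depending on merge order that is
# not visible here. Now the reserved keys are rejected at plan time.
variable "tags" {
  type        = map(string)
  description = "Common tags for all resources created by this module. Reserved tag keys: Name, net/type"

  validation {
    condition     = length(setintersection(keys(var.tags), ["Name", "net/type"])) == 0
    error_message = "The tag keys Name and net/type are reserved by this module and must not be passed in `tags`."
  }
}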