variables.tf
variable "amazon_side_asn" {
  description = "The ASN for the transit gateway."
  type        = number

  # Only the 16-bit private ASN range (64512-65534) passes this check; a 32-bit
  # private ASN (4200000000-4294967294) is rejected here even though the
  # condition is written as "not outside the range".
  validation {
    condition     = !(var.amazon_side_asn < 64512 || var.amazon_side_asn > 65534)
    error_message = "The ASN must be in the private range of 64512 to 65534."
  }
}
variable "prefix_lists" {
  description = "Provides the ability to provision prefix lists, and share them with other accounts."
  # One element per managed prefix list to create. The lists are shared with the
  # principals in var.prefix_ram_principals, so every CIDR placed here is
  # visible to those accounts.
  type = list(object({
    # Name of the managed prefix list.
    name = string
    # Entries of the prefix list.
    entry = list(object({
      # Address family of the entry; defaults to IPv4.
      address_family = optional(string, "IPv4")
      # CIDR block of the entry.
      cidr = string
      # Human-readable description of the entry.
      description = string
      # NOTE(review): max_entries is declared per entry here rather than once per
      # prefix list - confirm how the module consumes it before relying on it.
      max_entries = number
    }))
  }))
  # No prefix lists are created unless the caller supplies some.
  default = []
}
variable "prefix_ram_principals" {
  description = "The list of organizational units or accounts to share the prefix lists with."
  # Principals (organizational unit ARNs or account IDs) that receive the prefix
  # lists via RAM. Whether principals outside the organization are accepted is
  # governed by var.enable_external_principals.
  type    = list(string)
  default = []
}
variable "services" {
  description = "A collection of features and services associated with this connectivity domain."

  # Each top-level key is an optional feature of the connectivity domain; a null
  # value (the default) leaves that feature unprovisioned.
  type = object({

    # Egress network: the shared path out to the internet.
    egress = optional(object({
      network = object({
        # Number of availability zones for the egress network. Defaults to 2.
        availability_zones = optional(number, 2)
        # IPAM pool to allocate the VPC from. Defaults to null.
        ipam_pool_id = optional(string, null)
        # Name of the egress network. Defaults to 'egress'.
        name = optional(string, "egress")
        # Netmask of the private subnets. Defaults to 28.
        private_netmask = optional(number, 28)
        # Netmask of the public subnets. Defaults to 28.
        public_netmask = optional(number, 28)
        # Transit gateway route table entries for the egress network. The keys
        # are presumably route table names and the values the destination CIDR
        # - confirm against the module. The default covers the whole 10.0.0.0/8
        # range; narrow it to the address space actually in use where possible.
        transit_gateway_routes = optional(map(string), {
          private = "10.0.0.0/8"
          public  = "10.0.0.0/8"
        })
        # CIDR block of the VPC. Defaults to null; required when not using IPAM.
        vpc_cidr = optional(string, null)
        # Netmask of the VPC. Defaults to null; required when using IPAM.
        vpc_netmask = optional(string, null)
      })
    }), null)

    # Central DNS: a resolver network plus Route53 resolver rules shared via RAM.
    dns = optional(object({
      # Name of the resolver. Defaults to 'dns-resolver'.
      resolver_name = optional(string, "dns-resolver")
      # Network hosting the resolver endpoints.
      network = object({
        # Number of availability zones for the resolver network. Defaults to 2.
        availability_zones = optional(number, 2)
        # IPAM pool to allocate the VPC from. Defaults to null.
        ipam_pool_id = optional(string, null)
        # Name of the resolver network. Defaults to 'central-dns'.
        name = optional(string, "central-dns")
        # Netmask of the private subnets. Defaults to 24.
        private_netmask = optional(number, 24)
        # CIDR block of the VPC. Defaults to null; required when not using IPAM.
        vpc_cidr = optional(string, null)
        # Netmask of the VPC. Defaults to null; required when using IPAM.
        vpc_netmask = optional(string, null)
      })
      # Resolver rules, grouped by the RAM share that distributes them.
      domain_rules = optional(list(object({
        # Name of the resource share the rules are published under.
        ram_share_name = optional(string, "central-dns")
        # Organizational units or accounts that receive the rules. Declared as a
        # map although the other principal inputs are lists - keys/values are
        # not visible here, confirm the expected shape against the module.
        ram_principals = optional(map(string), {})
        # Rules to apply; each rule's share name is domain.name + "-" + rule.name.
        rules = list(object({
          # Name of the rule.
          name = string
          # Domain the rule applies to.
          domain = string
          # Resolver targets; empty means the local resolver.
          targets = optional(list(string), [])
        }))
      })), [])
    }), null)

    # Shared VPC endpoints for AWS services.
    endpoints = optional(object({
      network = object({
        # Number of availability zones for the endpoints network. Defaults to 2.
        availability_zones = optional(number, 2)
        # IPAM pool to allocate the VPC from. Defaults to null.
        ipam_pool_id = optional(string, null)
        # Name of the endpoints network. Defaults to 'endpoints'.
        name = optional(string, "endpoints")
        # Netmask of the private subnets. Defaults to 24 to leave room for
        # several service endpoints.
        private_netmask = optional(number, 24)
        # CIDR block of the VPC. Defaults to null; required when not using IPAM.
        vpc_cidr = optional(string, null)
        # Netmask of the VPC. Defaults to null; required when using IPAM.
        vpc_netmask = optional(string, null)
      })
      # RAM sharing of the endpoint resolver rules.
      sharing = optional(object({
        # Organizational units or accounts that receive the rules. Defaults to none.
        principals = optional(list(string), [])
      }), null)
      # Private endpoints to create, keyed by a caller-chosen identifier.
      services = optional(map(object({
        # Whether private DNS is enabled for the endpoint. Defaults to true.
        private_dns_enabled = optional(bool, true)
        # Endpoint type, Gateway or Interface. Defaults to 'Interface'.
        service_type = optional(string, "Interface")
        # Service short name, e.g. ec2, ec2messages, ssm, ssmmessages, logs, kms,
        # secretsmanager, s3.
        service = string
        # Endpoint policy document. Null attaches no policy here, in which case
        # the AWS default endpoint policy applies; for interface endpoints that
        # default allows full access, so set an explicit policy where the
        # endpoint is reachable from many accounts.
        policy = optional(string, null)
      })), {
        ec2messages = {
          service = "ec2messages"
        },
        ssm = {
          service = "ssm"
        },
        ssmmessages = {
          service = "ssmmessages"
        },
      })
    }), null)

    # Ingress network: the shared entry point from the internet.
    ingress = optional(object({
      network = object({
        # Number of availability zones for the ingress network. Defaults to 2.
        availability_zones = optional(number, 2)
        # IPAM pool to allocate the VPC from. Defaults to null.
        ipam_pool_id = optional(string, null)
        # Name of the ingress network. Defaults to 'ingress'.
        name = optional(string, "ingress")
        # Netmask of the private subnets. Required; no default.
        private_netmask = number
        # Netmask of the public subnets. Required; no default.
        public_netmask = number
        # CIDR block of the VPC. Defaults to null; required when not using IPAM.
        vpc_cidr = optional(string, null)
        # Netmask of the VPC. Defaults to null; required when using IPAM.
        vpc_netmask = optional(string, null)
      })
    }), null)
  })

  # With no features requested nothing beyond the transit gateway is created.
  default = {}
}
variable "connectivity_config" {
  description = "The type of connectivity options for the transit gateway."

  # No default: callers must pass this variable, though both sub-objects may be
  # left null.
  type = object({

    # Route every attachment's traffic through an inspection network.
    inspection_with_all = optional(object({
      # Inspection network. Null leaves the network itself unprovisioned.
      network = optional(object({
        # Number of availability zones for the inspection network. Required and
        # must match the number of availability zones used across the
        # organization, because symmetric routing depends on it.
        availability_zones = number
        # Name of the inspection network. Defaults to 'inspection'.
        name = optional(string, "inspection")
        # Netmask of the private subnets. Defaults to 24.
        private_netmask = optional(number, 24)
        # CIDR block of the VPC. Defaults to carrier-grade NAT space
        # (100.64.0.0/21), which keeps it out of the routable address plan.
        vpc_cidr = optional(string, "100.64.0.0/21")
      }), null)
      # Name of the route table carrying traffic back from inspection.
      # Defaults to 'inspection-return'.
      return_route_table_name = optional(string, "inspection-return")
    }), null)

    # Trusted routing: attachments that bypass segmentation.
    trusted = optional(object({
      # Transit gateway attachments that can reach all the other (untrusted)
      # networks. Keep this set minimal - each entry widens the reachable
      # surface of every other attachment. Defaults to none.
      trusted_attachments = optional(map(string), {})
      # Name of the trusted route table. Defaults to 'trusted'.
      trusted_route_table_name = optional(string, "trusted")
      # Name of the trusted core route table. Defaults to 'trusted-core'.
      # NOTE(review): how this differs from trusted_route_table_name is not
      # visible here - confirm against the module.
      trusted_core_route_table_name = optional(string, "trusted-core")
    }), null)
  })
}
variable "description" {
  description = "The description of the transit gateway to provision."
  # Required; no default.
  type = string
}
variable "enable_dns_support" {
  description = "Whether DNS support is enabled."
  # Maps to the transit gateway DNS support flag. Defaults to enabled.
  type    = bool
  default = true
}
variable "enable_external_principals" {
  description = "Whether to enable external principals in the RAM share."
  # When true the RAM share may include accounts outside the organization, so a
  # mistyped or stale account ID in the principal lists hands the transit
  # gateway to a third party. Set to false when all principals are in-org.
  type    = bool
  default = true
}
variable "enable_multicast_support" {
  description = "Whether multicast support is enabled."
  # Maps to the transit gateway multicast support flag. Defaults to disabled.
  type    = bool
  default = false
}
variable "enable_vpn_ecmp_support" {
  description = "Whether VPN Equal Cost Multipath Protocol support is enabled."
  # Maps to the transit gateway VPN ECMP support flag. Defaults to disabled.
  type    = bool
  default = false
}
variable "name" {
  description = "The name of the transit gateway to provision."
  # Defaults to 'tgw'.
  type    = string
  default = "tgw"
}
variable "ram_share_name" {
  description = "The name of the RAM share to create for the transit gateway."
  # Defaults to 'tgw-ram-share'.
  type    = string
  default = "tgw-ram-share"
}
variable "ram_share_principals" {
  description = "The list of organizational units or accounts to share the transit gateway with."
  # Organizational unit ARNs or account IDs that may attach to the transit
  # gateway. Whether principals outside the organization are accepted is
  # governed by var.enable_external_principals. Defaults to none.
  type    = list(string)
  default = []
}
variable "tags" {
  description = "A map of tags to add to all resources."
  # Required; pass {} to tag nothing.
  type = map(string)
}