forked from cloudposse/terraform-aws-security-group
variables.tf
variable "target_security_group_id" {
  type        = list(string)
  description = <<-EOT
    The ID of an existing Security Group to which Security Group rules will be assigned.
    The Security Group's name and description will not be changed.
    Not compatible with `inline_rules_enabled` or `revoke_rules_on_delete`.
    If not provided (the default), this module will create a security group.
    EOT
  default     = []
  validation {
    condition     = length(var.target_security_group_id) < 2
    error_message = "Only 1 security group can be targeted."
  }
}

variable "security_group_name" {
  type        = list(string)
  description = <<-EOT
    The name to assign to the security group. Must be unique within the VPC.
    If not provided, will be derived from the `null-label.context` passed in.
    If `create_before_destroy` is true, will be used as a name prefix.
    EOT
  default     = []
  validation {
    condition     = length(var.security_group_name) < 2
    error_message = "Only 1 security group name can be provided."
  }
}

variable "security_group_description" {
  type        = string
  description = <<-EOT
    The description to assign to the created Security Group.
    Warning: Changing the description causes the security group to be replaced.
    EOT
  default     = "Managed by Terraform"
}

variable "create_before_destroy" {
  type        = bool
  description = <<-EOT
    Set `true` to enable terraform `create_before_destroy` behavior on the created security group.
    We only recommend setting this `false` if you are importing an existing security group
    that you do not want replaced and therefore need full control over its name.
    Note that changing this value will always cause the security group to be replaced.
    EOT
  default     = true
}

variable "preserve_security_group_id" {
  type        = bool
  description = <<-EOT
    When `false` and `create_before_destroy` is `true`, changes to security group rules
    cause a new security group to be created with the new rules, and the existing security group is then
    replaced with the new one, eliminating any service interruption.
    When `true`, or when changing the value (from `false` to `true` or from `true` to `false`),
    existing security group rules will be deleted before new ones are created, resulting in a service interruption,
    but preserving the security group itself.
    **NOTE:** Setting this to `true` does not guarantee the security group will never be replaced;
    it only keeps changes to the security group rules from triggering a replacement.
    See the README for further discussion.
    EOT
  default     = false
}

variable "allow_all_egress" {
  type        = bool
  description = <<-EOT
    A convenience that adds to the rules specified elsewhere a rule that allows all egress.
    If this is `false` and no egress rules are specified via `rules`, `rules_map` or `rule_matrix`, then no egress will be allowed.
    EOT
  default     = true
}

variable "rules" {
  type        = list(any)
  description = <<-EOT
    A list of Security Group rule objects. All elements of a list must be exactly the same type;
    use `rules_map` if you want to supply multiple lists of different types.
    The keys and values of the Security Group rule objects are fully compatible with the `aws_security_group_rule` resource,
    except for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique
    and known at "plan" time.
    To get more info see the `security_group_rule` [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule).
    ___Note:___ The length of the list must be known at plan time.
    This means you cannot use functions like `compact` or `sort` when computing the list.
    EOT
  default     = []
}

variable "rules_map" {
  type        = any
  description = <<-EOT
    A map-like object of lists of Security Group rule objects. All elements of a list must be exactly the same type,
    so this input accepts an object with keys (attributes) whose values are lists so you can separate different
    types into different lists and still pass them into one input. Keys must be known at "plan" time.
    The keys and values of the Security Group rule objects are fully compatible with the `aws_security_group_rule` resource,
    except for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique
    and known at "plan" time.
    To get more info see the `security_group_rule` [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule).
    EOT
  default     = {}
}

variable "rule_matrix" {
  # rule_matrix is independent of the `rules` input.
  # Only the rules specified in the `rule_matrix` object are applied to the subjects specified in `rule_matrix`.
  # The `key` attributes are optional, but if supplied, must be known at plan time or else
  # you will get an error from Terraform. If the value is triggering an error, just omit it.
  # Schema (one element of the list):
  # {
  #   # these top level lists define all the subjects to which rule_matrix rules will be applied
  #   key                       = unique key (for stability from plan to plan)
  #   source_security_group_ids = list of source security group IDs to apply all rules to
  #   cidr_blocks               = list of IPv4 CIDR blocks to apply all rules to
  #   ipv6_cidr_blocks          = list of IPv6 CIDR blocks to apply all rules to
  #   prefix_list_ids           = list of prefix list IDs to apply all rules to
  #   self                      = true  # set true to apply the rules to the created or existing security group
  #
  #   # each rule in the rules list will be applied to every subject defined above
  #   rules = [{
  #     key         = "unique key"
  #     type        = "ingress"
  #     from_port   = 443  # HTTPS is TCP/443; a typo here silently opens the wrong port
  #     to_port     = 443
  #     protocol    = "tcp"
  #     description = "Allow HTTPS ingress"
  #   }]
  # }
  type        = any
  description = <<-EOT
    A convenient way to apply the same set of rules to a set of subjects. See README for details.
    EOT
  default     = []
}

variable "security_group_create_timeout" {
  type        = string
  description = "How long to wait for the security group to be created."
  default     = "10m"
}

variable "security_group_delete_timeout" {
  type        = string
  description = <<-EOT
    How long to retry on `DependencyViolation` errors during security group deletion from
    lingering ENIs left by certain AWS services such as Elastic Load Balancing.
    EOT
  default     = "15m"
}

variable "revoke_rules_on_delete" {
  type        = bool
  description = <<-EOT
    Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting
    the security group itself. This is normally not needed.
    EOT
  default     = false
}

variable "vpc_id" {
  type        = string
  description = "The ID of the VPC where the Security Group will be created."
}

variable "inline_rules_enabled" {
  type        = bool
  description = <<-EOT
    NOT RECOMMENDED. Create rules "inline" instead of as separate `aws_security_group_rule` resources.
    See [#20046](https://github.com/hashicorp/terraform-provider-aws/issues/20046) for one of several issues with inline rules.
    See [this post](https://github.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) for details on the difference between inline rules and rule resources.
    EOT
  default     = false
}
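The `rules` and `rules_map` inputs above carry a constraint that is easy to trip over: `rules` is `list(any)`, so Terraform must unify every element to one object type, and a CIDR-based rule and a source-security-group rule have different attribute sets and will not unify. The following module call is an added usage example, not code from this variables.tf or the project's README. It assumes the upstream registry module as `source` (point it at this fork's path if that is what you use), an assumed version constraint, and placeholder VPC, security group and CIDR values (RFC 5737 TEST-NET-3 for the office range). It shows same-shaped rules in `rules`, a differently shaped rule isolated in its own `rules_map` list, and `allow_all_egress = false` so that egress is limited to what is listed:

```hcl
# Added example (not part of the module). All IDs, CIDRs and the module
# version are assumed placeholders.

locals {
  # Both elements here have identical attribute sets, so they unify to one
  # object type and are accepted by `rules` (list(any)). Keys are literals,
  # so they are known at plan time; the list length is fixed as well.
  cidr_rules = [
    {
      key         = "https-from-office"
      type        = "ingress"
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["203.0.113.0/24"] # assumed office egress range (TEST-NET-3)
      description = "HTTPS from the office"
    },
    {
      key         = "dns-to-resolver"
      type        = "egress"
      from_port   = 53
      to_port     = 53
      protocol    = "udp"
      cidr_blocks = ["10.0.0.2/32"] # assumed VPC resolver address
      description = "DNS to the VPC resolver only"
    },
  ]
}

module "app_sg" {
  source  = "cloudposse/security-group/aws" # assumed; use this fork's path if needed
  version = "~> 2.0"                        # assumed version constraint

  vpc_id = "vpc-0123456789abcdef0" # placeholder

  rules = local.cidr_rules

  # This rule uses `source_security_group_id` instead of `cidr_blocks`, so it
  # cannot share a list with `local.cidr_rules`. `rules_map` gives each shape
  # its own list under a key that is known at plan time.
  rules_map = {
    from_alb = [
      {
        key                      = "https-from-alb"
        type                     = "ingress"
        from_port                = 443
        to_port                  = 443
        protocol                 = "tcp"
        source_security_group_id = "sg-0123456789abcdef0" # placeholder ALB SG
        description              = "HTTPS from the load balancer"
      }
    ]
  }

  # Without this the module appends an allow-all egress rule. With it, the
  # only egress permitted is the DNS rule declared in `local.cidr_rules`.
  allow_all_egress = false
}
```

If you do need to merge rules of different shapes into one list, every element must carry the same attribute names (set the unused ones to `null`); otherwise `terraform plan` fails with a list element type mismatch before any rule is created, which is the safe failure. Leaving `allow_all_egress` at its default of `true` while carefully restricting ingress is the more common mistake, because it is silent.

Building on the `rule_matrix` schema above, the second added example (again not code from this variables.tf or the project's README, with the same assumed `source`, version and placeholder IDs) fans one rule out over several subjects: two source security groups plus the group itself, with `preserve_security_group_id = true` so that later rule edits rebuild the rules in place rather than swapping in a new security group, which matters when the group's ID is referenced outside this Terraform state:

```hcl
# Added example (not part of the module). All IDs and the module version are
# assumed placeholders.

module "db_sg" {
  source  = "cloudposse/security-group/aws" # assumed; use this fork's path if needed
  version = "~> 2.0"                        # assumed version constraint

  vpc_id = "vpc-0123456789abcdef0" # placeholder

  # Rule-only changes now delete and recreate the rules on the existing group
  # (brief interruption) instead of creating a replacement group with a new
  # ID. Changing this value itself still triggers the rule delete/recreate.
  preserve_security_group_id = true

  # Every rule in `rules` is applied to every subject listed in the element:
  # both source groups and, via `self = true`, members of this group.
  # `rule_matrix` is independent of `rules` and `rules_map`.
  rule_matrix = [
    {
      key                       = "postgres-clients"
      source_security_group_ids = ["sg-0aaaaaaaaaaaaaaaa", "sg-0bbbbbbbbbbbbbbbb"] # placeholder app and replica SGs
      cidr_blocks               = []
      ipv6_cidr_blocks          = []
      prefix_list_ids           = []
      self                      = true
      rules = [
        {
          key         = "postgres"
          type        = "ingress"
          from_port   = 5432
          to_port     = 5432
          protocol    = "tcp"
          description = "PostgreSQL from the application tier, replicas and peers"
        }
      ]
    }
  ]

  # A database group rarely needs unrestricted egress; declare what it needs
  # via `rules` or `rules_map` instead of relying on the allow-all default.
  allow_all_egress = false
}
```

The subject lists and the `key` values are literals here, so they are known at plan time; if a subject list has to be computed from another resource's attributes, keep the `key` attributes literal (or omit them, as the schema comment advises) so the plan does not fail on an unknown key.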