# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# Common
# ------
# Certificate presented by the load balancer listener (ACM ARN; no default, so it must be supplied).
variable "acm_certificate_arn" {
  description = "ACM certificate ARN to use with load balancer"
  type        = string
}
# Optional AMI override for the TFE instances; null lets the module pick its own image.
variable "ami_id" {
  description = "AMI ID to use for TFE instances"
  type        = string
  default     = null
}
# Tags applied only to the autoscaling group (provider default_tags do not reach it).
variable "asg_tags" {
  default     = {}
  type        = map(string)
  description = <<-DESC
    (Optional) Map of tags only used for the autoscaling group. If you are using the AWS provider's default_tags,
    please note that it tags every taggable resource except for the autoscaling group, therefore this variable may
    be used to duplicate the key/value pairs in the default_tags if you wish.
  DESC
}
# Static-credential path for S3 access; only meaningful together with
# aws_secret_access_key and object_storage_iam_user.
variable "aws_access_key_id" {
  type    = string
  default = null

  description = <<-EOD
    The identity of the access key which TFE will use to authenticate with S3. This value requires var.
    aws_secret_access_key and var.object_storage_iam_user to also be set.
  EOD
}
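# Secret half of the static S3 credential. Marked sensitive so the value is redacted
# from plan/apply output and from state rendering of this module's inputs.
variable "aws_secret_access_key" {
  default   = null
  type      = string
  sensitive = true

  # The original text referenced this variable itself; the companion value is aws_access_key_id.
  description = <<-EOD
    The secret access key which TFE will use to authenticate with S3. This value requires var.aws_access_key_id and
    var.object_storage_iam_user to also be set.
  EOD
}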
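# OS family of the TFE instances; only the two values in the validation are supported.
variable "distribution" {
  type        = string
  description = "(Required) What is the OS distribution of the instance on which Terraform Enterprise will be deployed?"

  validation {
    condition     = contains(["rhel", "ubuntu"], var.distribution)
    error_message = "Supported values for distribution are 'rhel' or 'ubuntu'."
  }
}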
# Parent DNS zone under which the TFE subdomain is created.
variable "domain_name" {
  description = "Domain for creating the Terraform Enterprise subdomain on."
  type        = string
}
# Prefix applied to resource names and tags; required.
variable "friendly_name_prefix" {
  description = "(Required) Friendly name prefix used for tagging and naming AWS resources."
  type        = string
}
# EC2 instance size for the TFE nodes.
variable "instance_type" {
  type        = string
  description = "The instance type of EC2 instance(s) to create."
  default     = "m5.xlarge"
}
# IAM user whose access key (aws_access_key_id / aws_secret_access_key) is used for the S3 bucket.
variable "object_storage_iam_user" {
  type    = object({ arn = string })
  default = null

  description = <<-EOD
    The IAM user that will be authorized to access the S3 storage bucket which holds Terraform Enterprise runtime data.
    This value requires var.aws_access_key_id and var.aws_secret_access_key to also be set. The values of those variables
    must represent an access key that is associated with this user.
  EOD
}
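# Secrets Manager reference (an ARN, not the certificate itself) for the instance TLS certificate.
variable "vm_certificate_secret_id" {
  type    = string
  default = null

  # The original description referred to a "Virtual Machine Scale Set", an Azure term; this module deploys EC2 instances.
  description = <<-EOD
    A Secrets Manager secret ARN which contains the Base64 encoded version of a PEM encoded public certificate for the
    TFE EC2 instance(s).
  EOD
}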
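# Secrets Manager reference (an ARN, not the key itself) for the instance TLS private key.
variable "vm_key_secret_id" {
  type    = string
  default = null

  # The original description referred to a "Virtual Machine Scale Set", an Azure term; this module deploys EC2 instances.
  description = <<-EOD
    A Secrets Manager secret ARN which contains the Base64 encoded version of a PEM encoded private key for the
    TFE EC2 instance(s).
  EOD
}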
# Redis
# -----
# ElastiCache node type for the Redis instance.
variable "redis_cache_size" {
  description = "Redis instance size."
  default     = "cache.m4.large"
  type        = string
}
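# Off by default: with false, traffic between the TFE nodes and Redis crosses the VPC in
# plaintext. Set to true for any deployment that handles production data.
variable "redis_encryption_in_transit" {
  type        = bool
  description = "Determine whether Redis traffic is encrypted in transit."
  default     = false
}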
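# Off by default: with false, Redis data on the ElastiCache volumes is stored unencrypted.
# Set to true for any deployment that handles production data.
variable "redis_encryption_at_rest" {
  type        = bool
  description = "Determine whether Redis data is encrypted at rest."
  default     = false
}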
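# Redis engine version for the ElastiCache cluster; should agree with redis_parameter_group_name.
variable "redis_engine_version" {
  type        = string
  default     = "5.0.6"
  description = "Redis engine version."
}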
# ElastiCache parameter group; the default matches the 5.x engine family in redis_engine_version.
variable "redis_parameter_group_name" {
  description = "Redis parameter group name."
  default     = "default.redis5.0"
  type        = string
}
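# Off by default: with false, Redis accepts unauthenticated connections from anything that can
# reach it on the network. Set to true (which requires redis_encryption_in_transit) in production.
variable "redis_use_password_auth" {
  type        = bool
  description = "Determine if a password is required for Redis."
  default     = false
}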
# Postgres
# --------
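# Automated RDS backup retention in days; 0 disables automated backups.
variable "db_backup_retention" {
  type        = number
  description = "The days to retain backups for. Must be between 0 and 35"
  default     = 0

  # Enforce the range the description states instead of failing at apply time.
  validation {
    condition     = var.db_backup_retention >= 0 && var.db_backup_retention <= 35
    error_message = "The db_backup_retention value must be between 0 and 35."
  }
}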
# Daily UTC window for automated backups; null lets RDS choose.
variable "db_backup_window" {
  default     = null
  type        = string
  description = "The daily time range (in UTC) during which automated backups are created if they are enabled"
}
# RDS instance class for PostgreSQL.
variable "db_size" {
  description = "PostgreSQL instance size."
  default     = "db.m4.xlarge"
  type        = string
}
# PostgreSQL engine version for the RDS instance.
variable "postgres_engine_version" {
  description = "PostgreSQL version."
  default     = "12.8"
  type        = string
}
# Userdata
# --------
# Skips the application's startup preflight checks when true; off by default.
variable "bypass_preflight_checks" {
  type        = bool
  description = "Allow the TFE application to start without preflight checks."
  default     = false
}
# Optional override of the image used for job execution.
variable "custom_agent_image_tag" {
  type    = string
  default = null

  description = <<-EOD
    Configure the docker image for handling job execution within TFE. This can either be the
    standard image that ships with TFE or a custom image that includes extra tools not present
    in the default one.
  EOD
}
# Optional override of the build worker image, given as <name>:<tag>.
variable "custom_image_tag" {
  type    = string
  default = null

  description = <<-EOD
    The name and tag for your alternative Terraform build worker image in the format <name>:<tag>.
    Default is 'hashicorp/build-worker:now'.
  EOD
}
# On-instance data directory for TFE.
variable "disk_path" {
  type        = string
  description = "The pathname of the directory in which Terraform Enterprise will store data on the compute instances."
  default     = null
}
# Source CIDRs permitted to fetch the initial admin creation token; empty by default,
# so the token is not retrievable from outside the host unless ranges are listed here.
variable "iact_subnet_list" {
  type        = list(string)
  description = "A list of CIDR masks that configure the ability to retrieve the IACT from outside the host."
  default     = []
}
# Window (minutes after instance creation) during which iact_subnet_list ranges may request the IACT.
variable "iact_subnet_time_limit" {
  type        = number
  description = "The time limit that requests from the subnets listed can request the IACT, as measured from the instance creation in minutes."
  default     = 60
}
# Toggles the container metrics endpoint; null defers to the application default (false).
variable "metrics_endpoint_enabled" {
  type    = bool
  default = null

  description = <<-EOD
    (Optional) Metrics are used to understand the behavior of Terraform Enterprise and to
    troubleshoot and tune performance. Enable an endpoint to expose container metrics.
    Defaults to false.
  EOD
}
# HTTP port for the metrics endpoint; null defers to the application default (9090).
variable "metrics_endpoint_port_http" {
  type    = number
  default = null

  description = <<-EOD
    (Optional when metrics_endpoint_enabled is true.) Defines the TCP port on which HTTP metrics
    requests will be handled.
    Defaults to 9090.
  EOD
}
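# HTTPS port for the metrics endpoint; null defers to the application default (9091).
variable "metrics_endpoint_port_https" {
  # Declared as number to match metrics_endpoint_port_http; Terraform still converts a
  # string such as "9091" supplied by existing callers.
  type    = number
  default = null

  description = <<-EOD
    (Optional when metrics_endpoint_enabled is true.) Defines the TCP port on which HTTPS metrics
    requests will be handled.
    Defaults to 9091.
  EOD
}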
# Selects External Services ("external") or Mounted Disk ("disk") mode.
variable "operational_mode" {
  type    = string
  default = "external"

  description = <<-EOD
    A special string to control the operational mode of Terraform Enterprise. Valid values are: "external" for External
    Services mode; "disk" for Mounted Disk mode.
  EOD

  validation {
    condition     = contains(["external", "disk"], var.operational_mode)
    error_message = "The operational_mode value must be one of: \"external\"; \"disk\"."
  }
}
# Destination path for the license file on the instance.
variable "tfe_license_file_location" {
  type        = string
  description = "The path on the TFE instance to put the TFE license."
  default     = "/etc/terraform-enterprise.rli"
}
# Destination path for the TLS certificate on the instance.
variable "tls_bootstrap_cert_pathname" {
  type        = string
  description = "The path on the TFE instance to put the certificate. ex. '/var/lib/terraform-enterprise/certificate.pem'"
  default     = null
}
# Destination path for the TLS private key on the instance.
variable "tls_bootstrap_key_pathname" {
  type        = string
  description = "The path on the TFE instance to put the key. ex. '/var/lib/terraform-enterprise/key.pem'"
  default     = null
}
# Network
# -------
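# Source ranges allowed to reach the admin dashboard on standalone installs. The default
# ["0.0.0.0/0"] admits any source; narrow it to operator networks for real deployments.
variable "admin_dashboard_ingress_ranges" {
  type        = list(string)
  description = "(Optional) List of CIDR ranges that are allowed to access the admin dashboard. Only used for standalone installations."
  default     = ["0.0.0.0/0"]

  # Reject malformed entries at plan time rather than at apply time.
  validation {
    condition     = alltrue([for c in var.admin_dashboard_ingress_ranges : can(cidrhost(c, 0))])
    error_message = "Each admin_dashboard_ingress_ranges entry must be a valid CIDR range."
  }
}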
# When true the module creates its own VPC; when false network_id and subnet ids must be supplied.
variable "deploy_vpc" {
  default     = true
  type        = bool
  description = "(Optional) Boolean indicating whether to deploy a VPC (true) or not (false)."
}
# Address block for the VPC created when deploy_vpc is true.
variable "network_cidr" {
  default     = "10.0.0.0/16"
  type        = string
  description = "(Optional) CIDR block for VPC."
}
# Existing VPC id to deploy into.
variable "network_id" {
  type        = string
  description = "The identity of the VPC in which resources will be deployed."
  default     = null
}
# Private subnet ranges carved out of network_cidr.
variable "network_private_subnet_cidrs" {
  default     = ["10.0.32.0/20", "10.0.48.0/20"]
  type        = list(string)
  description = "(Optional) List of private subnet CIDR ranges to create in VPC."
}
# Existing private subnet ids to deploy into.
variable "network_private_subnets" {
  type        = list(string)
  description = "A list of the identities of the private subnetworks in which resources will be deployed."
  default     = []
}
# Public subnet ranges carved out of network_cidr.
variable "network_public_subnet_cidrs" {
  default     = ["10.0.0.0/20", "10.0.16.0/20"]
  type        = list(string)
  description = "(Optional) List of public subnet CIDR ranges to create in VPC."
}
# Existing public subnet ids to deploy into.
variable "network_public_subnets" {
  type        = list(string)
  description = "A list of the identities of the public subnetworks in which resources will be deployed."
  default     = []
}
# TFE Instance(s)
# ---------------
# Extra managed policies attached to the instance role; every ARN here widens what the nodes can do.
variable "iam_role_policy_arns" {
  type        = set(string)
  description = "A set of Amazon Resource Names of IAM role policies to be attached to the TFE IAM role."
  default     = []
}
# EC2 key pair for SSH; null means no key pair is associated with the instances.
variable "key_name" {
  type        = string
  description = "The name of the key pair to be used for SSH access to the EC2 instance(s)."
  default     = null
}
# Autoscaling group size; capped at 5 by the validation below.
variable "node_count" {
  default     = 2
  type        = number
  description = "The number of nodes you want in your autoscaling group (1 for standalone, 2 for active-active configuration)"

  validation {
    condition     = var.node_count <= 5
    error_message = "The node_count value must be less than or equal to 5."
  }
}
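# Additional libpq-style connection parameters; sslmode is restricted to the values listed.
variable "pg_extra_params" {
  type    = string
  default = null

  # The example previously read "value1¶m2" — an HTML-entity mangling of "&param2".
  description = <<-EOF
    Parameter keywords of the form param1=value1&param2=value2 to support additional options that
    may be necessary for your specific PostgreSQL server. Allowed values are documented on the
    PostgreSQL site. An additional restriction on the sslmode parameter is that only the require,
    verify-full, verify-ca, and disable values are allowed.
  EOF
}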
# Pins a specific TFE release; null takes whatever the installer selects.
variable "release_sequence" {
  type        = number
  description = "Terraform Enterprise release sequence"
  default     = null
}
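# TLS policy for the ALB listener. ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1;
# a TLS 1.2-only policy (for example ELBSecurityPolicy-TLS-1-2-2017-01) is the better choice
# unless legacy clients are known to need the older versions.
variable "ssl_policy" {
  type        = string
  default     = "ELBSecurityPolicy-2016-08"
  description = "SSL policy to use on ALB listener"
}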
# Host label prepended to domain_name for the TFE UI.
variable "tfe_subdomain" {
  description = "Subdomain for accessing the Terraform Enterprise UI."
  default     = "tfe"
  type        = string
}
# KMS & Secrets Manager
# ---------------------
# Secrets Manager reference for a private CA certificate the instances should trust.
variable "ca_certificate_secret_id" {
  type    = string
  default = null

  description = <<-EOD
    A Secrets Manager secret ARN to the secret which contains the Base64 encoded version of
    a PEM encoded public certificate of a certificate authority (CA) to be trusted by the EC2
    instance(s). This argument is only required if TLS certificates in the deployment are not
    issued by a well-known CA.
  EOD
}
# Customer-managed KMS key used by the module; required.
variable "kms_key_arn" {
  description = "KMS key arn for AWS KMS Customer managed key."
  type        = string
}
# Secrets Manager reference for the TFE license; required.
variable "tfe_license_secret_id" {
  description = "The Secrets Manager secret ARN under which the Base64 encoded Terraform Enterprise license is stored."
  type        = string
}
# Load Balancer
# -------------
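# Load balancer exposure; PRIVATE by default so nothing is internet-facing unless chosen explicitly.
variable "load_balancing_scheme" {
  type        = string
  default     = "PRIVATE"
  description = "Load Balancing Scheme. Supported values are: \"PRIVATE\"; \"PRIVATE_TCP\"; \"PUBLIC\"."

  validation {
    condition = contains(["PRIVATE", "PRIVATE_TCP", "PUBLIC"], var.load_balancing_scheme)
    # Name the variable that actually failed (the message previously said "load_balancer").
    error_message = "The load_balancing_scheme value must be one of: \"PRIVATE\"; \"PRIVATE_TCP\"; \"PUBLIC\"."
  }
}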
# Proxy Settings
# --------------
# Destinations exempted from the outbound proxy.
variable "no_proxy" {
  default     = []
  type        = list(string)
  description = "(Optional) List of IP addresses to not proxy"
}
# Address of an existing outbound web proxy; null disables proxying.
variable "proxy_ip" {
  default     = null
  type        = string
  description = "(Optional) IP address of existing web proxy to route TFE traffic through."
}
# Port of the proxy named in proxy_ip.
variable "proxy_port" {
  type        = string
  description = "Port that the proxy server will use"
  default     = null
}
# Ranges skipped when the client address of requests such as IACT retrieval is evaluated;
# list only proxies under your control, since entries here relax that source check.
variable "trusted_proxies" {
  type    = list(string)
  default = []

  description = <<-EOD
    A list of IP address ranges which will be considered safe to ignore when evaluating the IP addresses of requests like
    those made to the IACT endpoint.
  EOD
}
# Air-gapped Installations ONLY
# -----------------------------
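# Development-only bucket URL for fetching an airgap package during bootstrap.
variable "airgap_url" {
  type    = string
  default = null

  description = <<-EOD
    The URL of the storage bucket object that comprises an airgap package. This is only used in development
    environments when bootstrapping the TFE instance with the airgap package. You would not use this for an
    actual airgapped environment.
  EOD
}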
# On-instance location of the Replicated airgap package for air-gapped installs.
variable "tfe_license_bootstrap_airgap_package_path" {
  type    = string
  default = null

  description = <<-EOD
    (Required if air-gapped installation) The URL of a Replicated airgap package for Terraform
    Enterprise. The suggested path is "/var/lib/ptfe/ptfe.airgap".
  EOD
}
# Mounted Disk Installations ONLY
# -------------------------------
# Whether the mounted-disk EBS volume is destroyed with the instance (true by default).
variable "ebs_delete_on_termination" {
  description = "(Optional if Mounted Disk installation) Whether the volume should be destroyed on instance termination."
  default     = true
  type        = bool
}
# Block device name requested at attach time.
variable "ebs_device_name" {
  description = "(Required if Mounted Disk installation) The name of the device to mount."
  default     = "xvdcc"
  type        = string
}
# Provisioned IOPS for the mounted-disk volume (io1 only).
variable "ebs_iops" {
  description = "(Optional if Mounted Disk installation) The amount of provisioned IOPS. This must be set with a volume_type of 'io1'."
  default     = 3000
  type        = number
}
# Device name as it appears inside the guest after AWS renames ebs_device_name.
variable "ebs_renamed_device_name" {
  default = "nvme1n1"
  type    = string

  description = <<-EOD
    (Required if Mounted Disk installation) The device name that AWS renames the ebs_device_name to.
    See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html for more details.
  EOD
}
# Mounted-disk volume size in GiB.
variable "ebs_volume_size" {
  description = "(Optional if Mounted Disk installation) The size of the volume in gigabytes."
  default     = 200
  type        = number
}
# EBS volume type for the mounted-disk volume; restricted to the set in the validation.
variable "ebs_volume_type" {
  default     = "io1"
  type        = string
  description = "(Optional if Mounted Disk installation) The type of volume."

  validation {
    condition     = contains(["standard", "gp2", "gp3", "st1", "sc1", "io1"], var.ebs_volume_type)
    error_message = "The ebs_volume_type value must be one of: 'standard', 'gp2', 'gp3', 'st1', 'sc1', 'io1'."
  }
}
# External Vault ONLY
# -------------------
# Address of the external Vault cluster; required when extern_vault_enable is true.
variable "extern_vault_addr" {
  type        = string
  description = "(Required if var.extern_vault_enable = true) URL of external Vault cluster."
  default     = null
}
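# Switches TFE to an external Vault cluster; the other extern_vault_* inputs apply only when true.
variable "extern_vault_enable" {
  type    = bool
  default = false
  # The variable is a bool, so the description now says "true" rather than "1".
  description = "(Optional) Indicate if an external Vault cluster is being used. Set to true if so."
}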
# Vault namespace to operate in, if any.
variable "extern_vault_namespace" {
  type        = string
  description = "(Optional if var.extern_vault_enable = true) The Vault namespace"
  default     = null
}
# Mount path of the AppRole auth method on the Vault server.
variable "extern_vault_path" {
  type        = string
  description = "(Optional if var.extern_vault_enable = true) Path on the Vault server for the AppRole auth. Defaults to auth/approle."
  default     = "auth/approle"
}
# AppRole RoleId half of the Vault credential.
variable "extern_vault_role_id" {
  type        = string
  description = "(Required if var.extern_vault_enable = true) AppRole RoleId to use to authenticate with the Vault cluster."
  default     = null
}
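# AppRole SecretId half of the Vault credential. Marked sensitive so the value is redacted
# from plan/apply output and from state rendering of this module's inputs.
variable "extern_vault_secret_id" {
  type        = string
  default     = null
  sensitive   = true
  description = "(Required if var.extern_vault_enable = true) AppRole SecretId to use to authenticate with the Vault cluster."
}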
# Renewal interval, in seconds, for the Vault token.
variable "extern_vault_token_renew" {
  type        = number
  description = "(Optional if var.extern_vault_enable = true) How often (in seconds) to renew the Vault token."
  default     = 3600
}