# Target project for every GCP resource this module provisions. Required (no default).
variable "gcp_project_id" {
  description = "id of GCP project that will host psoxy instance"
  type        = string
}
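# Identity used by the Google provider when provisioning. `null` (the default) means the
# provider falls back to application default credentials of the machine running Terraform;
# any non-null value must look like a GCP service-account address.
variable "gcp_terraform_sa_account_email" {
  type        = string
  description = "Email of GCP service account that will be used to provision GCP resources. Leave 'null' to use application default for your environment."
  default     = null

  validation {
    # null short-circuits so the regex is only applied to a real string
    condition     = var.gcp_terraform_sa_account_email == null || can(regex(".*@.*\\.iam\\.gserviceaccount\\.com$", var.gcp_terraform_sa_account_email))
    error_message = "The gcp_terraform_sa_account_email value should be a valid GCP service account email address."
  }
}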
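# Optional qualifier appended to resource names/ids so several deployments can share a project.
variable "environment_name" {
  type        = string
  description = "Qualifier to append to names/ids of resources for psoxy. If not empty, A-Za-z0-9 or - characters only. Max length 10. Useful to distinguish between deployments into same GCP project."
  default     = ""

  validation {
    # Spell out A-Z and a-z separately: the range `A-z` also admits the ASCII punctuation
    # between 'Z' and 'a' (`[ \ ] ^ _` and backtick), which the description does not allow.
    # NOTE(review): description says max length 10 while this check (and the message) allow 20 — confirm the intended limit.
    condition     = can(regex("^[A-Za-z0-9-]{0,20}$", var.environment_name))
    error_message = "The environment_name must be 0-20 chars of [A-Za-z0-9-] only."
  }
}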
# Prefix applied to every Secret Manager secret this module creates or reads.
# NOTE(review): the description refers to `environment_id`; the qualifier declared in this
# file is `environment_name` — confirm which variable the fallback actually uses.
variable "config_parameter_prefix" {
  description = "A prefix to give to all config parameters (GCP Secret Manager Secrets) created/consumed by this module. If omitted, and `environment_id` provided, that will be used."
  type        = string
  default     = ""
}
# Labels stamped on every resource. The three checks below mirror GCP's label constraints
# (key syntax, value syntax, label count) so a bad label fails at plan time rather than apply.
variable "default_labels" {
  description = "Labels to apply to all resources created by this configuration. Intended to be analogous to AWS providers `default_tags`."
  type        = map(string)
  default     = {}

  validation {
    # keys: lowercase letter first, then up to 62 of [a-z0-9-_]
    condition     = alltrue([for key in keys(var.default_labels) : can(regex("^[a-z][a-z0-9-_]{0,62}$", key))])
    error_message = "GCP label keys must start with a lowercase letter, can contain lowercase letters, numbers, underscores and dashes only and must be no longer than 63 characters."
  }

  validation {
    # values: may be empty, otherwise up to 63 of [a-z0-9-_]
    condition     = alltrue([for value in values(var.default_labels) : can(regex("^[a-z0-9-_]{0,63}$", value))])
    error_message = "GCP label values must contain only lowercase letters, numbers, underscores and dashes only and be no longer than 63 characters."
  }

  validation {
    condition     = length(keys(var.default_labels)) <= 64
    error_message = "GCP resources cannot have more than 64 labels."
  }
}
# Hostname of the Worklytics tenant this deployment talks to; only override for non-prod tenants.
variable "worklytics_host" {
  description = "host of worklytics instance where tenant resides. (e.g. intl.worklytics.co for prod; but may differ for dev/staging)"
  type        = string
  default     = "intl.worklytics.co"
}
# Service accounts on the Worklytics side. Required. Treat this list as a trust boundary:
# every principal listed here is presumably granted access to the proxy (not visible in
# this file — confirm in the module that consumes it), so keep it to the exact tenant SAs.
variable "worklytics_sa_emails" {
  description = "service accounts for your organization's Worklytics instances (list supported for test/dev scenarios)"
  type        = list(string)
}
# Local checkout of the psoxy repo. Required; must be a directory path with a trailing slash.
variable "psoxy_base_dir" {
  description = "the path where your psoxy repo resides"
  type        = string

  validation {
    condition     = endswith(var.psoxy_base_dir, "/")
    error_message = "The psoxy_base_dir value should end with a slash."
  }

  validation {
    # shell-style `~` is not expanded by Terraform, so reject it up front.
    # NOTE(review): this only rejects a leading `~`; it does not require a leading `/`, so
    # relative paths still pass despite the message wording.
    condition     = can(regex("^[^~].*$", var.psoxy_base_dir))
    error_message = "The psoxy_base_dir value should be absolute path (not start with ~)."
  }
}
# Pre-built deployment bundle. `null` (default) means the module builds one itself.
variable "deployment_bundle" {
  description = "path to deployment bundle to use (if not provided, will build one). Can be GCS url, eg 'gs://artifacts-bucket/psoxy-0.4.28.zip'."
  type        = string
  default     = null

  validation {
    # an empty string would be neither "build it" nor a usable path, so only null or non-empty is accepted
    condition     = var.deployment_bundle == null ? true : var.deployment_bundle != ""
    error_message = "`deployment_bundle`, if non-null, must be non-empty string."
  }
}
# Set to true to rebuild the bundle on every run even when an existing one is found.
variable "force_bundle" {
  description = "whether to force build of deployment bundle, even if it already exists"
  type        = bool
  default     = false
}
# Whether to install the local test tool; disable on CI/remote runners that will never test the deployment.
variable "install_test_tool" {
  description = "whether to install the test tool (can be 'false' if Terraform not running from a machine where you intend to run tests of your Psoxy deployment)"
  type        = bool
  default     = true
}
# Principals granted permission to exercise the deployment. Empty by default: nobody gets
# test access unless explicitly listed, which is the least-privilege posture to keep.
variable "gcp_principals_authorized_to_test" {
  description = "list of GCP principals authorized to test this deployment - eg 'user:[email protected]', 'group:[email protected]'; if omitted, up to you to configure necessary perms for people to test if desired."
  type        = list(string)
  default     = []
}
# Extra environment variables applied to every connector instance.
variable "general_environment_variables" {
  description = "environment variables to add for all connectors"
  type        = map(string)
  default     = {}
}
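# Value forwarded as the PSEUDONYMIZE_APP_IDS environment variable for all sources.
# The variable is typed `string`; the default is written as the string "true" so the
# declared type and the default agree (a bare `true` was being converted to "true" implicitly).
variable "pseudonymize_app_ids" {
  type        = string
  description = "if set, will set value of PSEUDONYMIZE_APP_IDS environment variable to this value for all sources"
  default     = "true"
}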
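# Controls how email addresses are normalized before hashing, i.e. which addresses
# pseudonymize to the same token. The description names exactly two modes, so the
# validation rejects anything else at plan time instead of letting a typo reach the proxy.
# NOTE(review): description calls 'STRICT' the default, but the declared default is
# 'IGNORE_DOTS' — confirm which is intended.
variable "email_canonicalization" {
  type        = string
  description = "defines how email address are processed prior to hashing, hence which are considered 'canonically equivalent'; one of 'STRICT' (default and most standard compliant) or 'IGNORE_DOTS' (probably most in line with user expectations)"
  default     = "IGNORE_DOTS"

  validation {
    condition     = contains(["STRICT", "IGNORE_DOTS"], var.email_canonicalization)
    error_message = "`email_canonicalization` must be one of 'STRICT' or 'IGNORE_DOTS'."
  }
}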
# Default region for regional GCP resources.
variable "gcp_region" {
  description = "Region in which to provision GCP resources, if applicable"
  type        = string
  default     = "us-central1"
}
# Kept only for backwards compatibility; new configurations should set
# `gcp_secret_replica_locations` instead.
variable "replica_regions" {
  description = "DEPRECATED; use `gcp_secret_replica_locations`. List of locations to which to replicate secrets. See https://cloud.google.com/secret-manager/docs/locations"
  type        = list(string)
  default     = null
}
# Secret Manager replication locations. At least one is required, since a secret with no
# replica location cannot be created.
variable "gcp_secret_replica_locations" {
  description = "List of locations to which to replicate GCP Secret Manager secrets. See https://cloud.google.com/secret-manager/docs/locations"
  type        = list(string)
  default     = ["us-central1", "us-west1"]

  validation {
    condition     = length(var.gcp_secret_replica_locations) != 0
    error_message = "`gcp_secret_replica_locations` must be non-empty list."
  }
}
# Optional override of the artifacts bucket; irrelevant when `deployment_bundle` already points at GCS.
variable "custom_artifacts_bucket_name" {
  description = "name of bucket to use for custom artifacts, if you want something other than default. Ignored if you pass gcs url for `deployment_bundle`."
  type        = string
  default     = null
}
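# Connectors to deploy, by id. Required (no default).
variable "enabled_connectors" {
  type        = list(string)
  description = "list of ids of connectors to enable; see modules/worklytics-connector-specs"
}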
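# Connector ids that should run in development mode.
variable "non_production_connectors" {
  type        = list(string)
  description = "connector ids in this list will be in development mode (not for production use)"
  default     = []
}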
# Lifecycle expiry for objects in the bulk *input* bucket (raw, un-sanitized data), so the
# raw uploads do not linger longer than needed.
variable "bulk_input_expiration_days" {
  description = "Number of days after which objects in the bucket will expire"
  type        = number
  default     = 30
}
# Lifecycle expiry for objects in the bulk *sanitized* bucket. Long by design: this is the
# history Worklytics analyzes, but an upper bound still exists in case the bucket is forgotten.
variable "bulk_sanitized_expiration_days" {
  description = "Number of days after which objects in the bucket will expire. This should match the amount of historical data you wish for Worklytics to analyze (eg, typically multiple years)."
  type        = number
  default     = 1805 # ~5 years; intent is 'forever', but keep some upper bound
}
# Per-connector rule overrides for API connectors, given as paths to YAML rule files.
variable "custom_api_connector_rules" {
  description = "map of connector id --> YAML file with custom rules"
  type        = map(string)
  default     = {}
}
# Custom bulk (file-based) connectors, keyed by connector id. Each entry can carry inline
# `rules` or point at a `rules_file`; the inline rule object mirrors the shape of
# `custom_bulk_connector_rules` below.
variable "custom_bulk_connectors" {
  description = "specs of custom bulk connectors to create"

  type = map(object({
    source_kind               = string
    display_name              = optional(string, "Custom Bulk Connector")
    input_bucket_name         = optional(string) # allow override of default bucket name
    sanitized_bucket_name     = optional(string) # allow override of default bucket name
    worklytics_connector_id   = optional(string, "bulk-import-psoxy")
    worklytics_connector_name = optional(string, "Custom Bulk Data via Psoxy")

    rules = optional(object({
      pseudonymFormat       = optional(string, "URL_SAFE_TOKEN")
      columnsToRedact       = optional(list(string)) # columns to remove from CSV
      columnsToInclude      = optional(list(string)) # if you prefer to include only an explicit list of columns, rather than redacting those you don't want
      columnsToPseudonymize = optional(list(string)) # columns to pseudonymize
      columnsToDuplicate    = optional(map(string))  # columns to create copy of; name --> new name
      columnsToRename       = optional(map(string))  # columns to rename: original name --> new name; renames applied BEFORE pseudonymization
      fieldsToTransform = optional(map(object({
        newName    = string
        transforms = optional(list(map(string)), [])
      })))
    }))

    rules_file          = optional(string)
    settings_to_provide = optional(map(string), {})
    example_file        = optional(string)
  }))

  default = {
    # "custom-survey" = {
    #   source_kind = "survey"
    #   rules = {
    #     columnsToRedact = []
    #     columnsToPseudonymize = [
    #       "employee_id",      # primary key
    #       # "employee_email", # if exists
    #     ]
    #   }
    # }
  }
}
# Rule overrides for bulk connectors, keyed by connector id. Same rule shape as the inline
# `rules` of `custom_bulk_connectors`, except that the redact/pseudonymize lists default to
# empty here rather than being left unset.
variable "custom_bulk_connector_rules" {
  description = "map of connector id --> rules object"

  type = map(object({
    pseudonymFormat       = optional(string, "URL_SAFE_TOKEN")
    columnsToRedact       = optional(list(string), []) # columns to remove from CSV
    columnsToInclude      = optional(list(string))     # if you prefer to include only an explicit list of columns, rather than redacting those you don't want
    columnsToPseudonymize = optional(list(string), []) # columns to pseudonymize
    columnsToDuplicate    = optional(map(string))      # columns to create copy of; name --> new name
    columnsToRename       = optional(map(string))      # columns to rename: original name --> new name; renames applied BEFORE pseudonymization
    fieldsToTransform = optional(map(object({
      newName    = string
      transforms = optional(list(map(string)), [])
    })))
  }))

  default = {
    # hris = {
    #   columnsToRedact = []
    #   columnsToPseudonymize = [
    #     "EMPLOYEE_ID",
    #     "EMPLOYEE_EMAIL",
    #     "MANAGER_ID",
    #     "MANAGER_EMAIL"
    #   ]
    #   columnsToRename = {
    #     # original --> new
    #     "workday_id" = "employee_id"
    #   }
    #   columnsToInclude = [
    #   ]
  }
}
# Runtime overrides for individual bulk connector instances, keyed by connector id.
variable "custom_bulk_connector_arguments" {
  description = "map of connector id --> arguments object, to override defaults for bulk connector instances"

  type = map(object({
    available_memory_mb = optional(number)
    # what else to add here?
  }))

  default = {}
}
# build lookup tables to JOIN data you receive back from Worklytics with your original data.
# - `join_key_column` should be the column you expect to JOIN on, usually 'employee_id'
# - `columns_to_include` is an optional list of columns to include in the lookup table,
# e.g. if the data you're exporting TO worklytics contains more columns than
# you want to have in the lookup table, you can limit it to an explicit list
# - `sanitized_accessor_principals` is an optional list of GCP principals, by email with qualifier, eg:
# `user:alice@worklytics`, `group:[email protected]`, or
# `serviceAccount:[email protected]`
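# Lookup tables derived from another connector's input, written to their own bucket.
# `sanitized_accessor_principals` is the access-control list for that bucket: it is unset by
# default, so no one is granted read access unless explicitly listed here.
variable "lookup_tables" {
  type = map(object({
    source_connector_id           = string
    join_key_column               = string
    columns_to_include            = optional(list(string))
    sanitized_accessor_principals = optional(list(string))
    expiration_days               = optional(number)
    output_bucket_name            = optional(string) # allow override of default bucket name
  }))
  description = "Lookup tables to build from same source input as another connector, output to a distinct bucket. The original `join_key_column` will be preserved."
  default = {
    # "lookup-hris" = {
    #   source_connector_id = "hris",
    #   join_key_column = "employee_id",
    #   columns_to_include = null
    #   sanitized_accessor_principals = [
    #     # ADD LIST OF GCP PRINCIPALS HERE
    #   ],
    # }
  }
}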
# Emit TODO instructions as Terraform outputs (for remote runners where local files are not reachable).
variable "todos_as_outputs" {
  description = "whether to render TODOs as outputs (useful if you're using Terraform Cloud/Enterprise, or somewhere else where the filesystem is not readily accessible to you)"
  type        = bool
  default     = false
}
# Emit TODO instructions as files on the machine running Terraform.
variable "todos_as_local_files" {
  description = "whether to render TODOs as flat files"
  type        = bool
  default     = true
}