generated from cloudposse/terraform-example-module
-
-
Notifications
You must be signed in to change notification settings - Fork 29
/
variables.tf
202 lines (174 loc) · 6.32 KB
/
variables.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
variable "client_cidr" {
type = string
description = "Network CIDR to use for clients"
}
variable "logging_enabled" {
type = bool
default = false
description = "Enables or disables Client VPN Cloudwatch logging."
}
variable "authentication_type" {
type = string
default = "certificate-authentication"
description = <<-EOT
One of `certificate-authentication` or `federated-authentication`
EOT
validation {
condition = contains(["certificate-authentication", "federated-authentication"], var.authentication_type)
error_message = "VPN client authentication type must one be one of: certificate-authentication, federated-authentication."
}
}
variable "organization_name" {
type = string
description = "Name of organization to use in private certificate"
}
variable "retention_in_days" {
type = number
description = "Number of days you want to retain log events in the log group"
default = "30"
}
variable "logging_stream_name" {
type = string
description = "Names of stream used for logging"
}
variable "saml_metadata_document" {
default = null
description = "Optional SAML metadata document. Must include this or `saml_provider_arn`"
type = string
}
variable "saml_provider_arn" {
default = null
description = "Optional SAML provider ARN. Must include this or `saml_metadata_document`"
type = string
validation {
error_message = "Invalid SAML provider ARN."
condition = (
var.saml_provider_arn == null ||
try(length(regexall(
"^arn:[^:]+:iam::(?P<account_id>\\d{12}):saml-provider\\/(?P<provider_name>[\\w+=,\\.@-]+)$",
var.saml_provider_arn
)) > 0,
false
))
}
}
variable "additional_routes" {
default = []
description = "A list of additional routes that should be attached to the Client VPN endpoint"
type = list(object({
destination_cidr_block = string
description = string
target_vpc_subnet_id = string
}))
}
variable "associated_subnets" {
type = list(string)
description = "List of subnets to associate with the VPN endpoint"
}
variable "authorization_rules" {
# type = list(object({
# name = string
# access_group_id = string
# authorize_all_groups = bool
# description = string
# target_network_cidr = string
# }))
type = list(map(any))
description = "List of objects describing the authorization rules for the client vpn"
default = []
}
variable "vpc_id" {
type = string
description = "ID of VPC to attach VPN to"
}
variable "ca_common_name" {
default = null
type = string
description = "Unique Common Name for CA self-signed certificate"
}
variable "root_common_name" {
default = null
type = string
description = "Unique Common Name for Root self-signed certificate"
}
variable "server_common_name" {
default = null
type = string
description = "Unique Common Name for Server self-signed certificate"
}
variable "export_client_certificate" {
default = false
sensitive = true
type = bool
description = "Flag to determine whether to export the client certificate with the VPN configuration"
}
variable "client_conf_tmpl_path" {
default = null
type = string
description = "Path to template file of vpn client exported configuration. Path is relative to $${path.module}"
}
variable "dns_servers" {
default = []
type = list(string)
validation {
condition = can(
[
for server_ip in var.dns_servers : regex(
"^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
server_ip
)
]
)
error_message = "IPv4 addresses must match the appropriate format xxx.xxx.xxx.xxx."
}
description = "Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the connecting device is used."
}
variable "split_tunnel" {
default = false
type = bool
description = "Indicates whether split-tunnel is enabled on VPN endpoint. Default value is false."
}
variable "secret_path_format" {
description = <<-EOT
The path format to use when writing secrets to the certificate backend.
The certificate secret path will be computed as `format(var.secret_path_format, var.name, var.secret_extensions.certificate)`
and the private key path as `format(var.secret_path_format, var.name, var.secret_extensions.private_key)`.
Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret paths for the self-signed certificate's
PEM file and private key will be `/example-self-signed-cert.pem` and `/example-self-signed-cert.key`, respectively.
This variable can be overridden in order to create more specific certificate backend paths.
EOT
type = string
default = "/%s.%s"
validation {
condition = can(substr(var.secret_path_format, 0, 1) == "/")
error_message = "The secret path format must contain a leading slash."
}
}
variable "self_service_portal_enabled" {
description = "Specify whether to enable the self-service portal for the Client VPN endpoint"
type = bool
default = false
}
variable "self_service_saml_provider_arn" {
description = "The ARN of the IAM SAML identity provider for the self service portal if type is federated-authentication."
type = string
default = null
}
variable "session_timeout_hours" {
description = "The maximum session duration is a trigger by which end-users are required to re-authenticate prior to establishing a VPN session. Default value is 24. Valid values: 8 | 10 | 12 | 24"
type = string
default = "24"
validation {
condition = contains(["8", "10", "12", "24"], var.session_timeout_hours)
error_message = "The maximum session duration must one be one of: 8, 10, 12, 24."
}
}
variable "transport_protocol" {
description = "Transport protocol used by the TLS sessions."
type = string
default = "udp"
validation {
condition = contains(["udp", "tcp"], var.transport_protocol)
error_message = "Invalid protocol type must be one of: udp, tcp."
}
}