# Minimum Terraform version for this configuration. The constraint is open-ended
# (">= 0.12" also admits every later release, including future major versions),
# so plans are not reproducible across upgrades; a "~>" constraint would bound it.
terraform {
  required_version = ">= 0.12"
}
# GCP region that hosts both the GKE cluster and the Vault deployment.
variable "region" {
  description = "Region in which to create the cluster and run Vault."
  type        = string
  default     = "us-east4"
}
# Existing project to deploy into. An empty string (the default) tells the
# configuration to create a fresh project instead, which requires the
# billing_account and org_id variables and project-creation rights for the
# identity running Terraform.
variable "project" {
  description = "Project ID where Terraform is authenticated to run to create additional projects. If provided, Terraform will create the GKE and Vault cluster inside this project. If not given, Terraform will generate a new project."
  type        = string
  default     = ""
}
# Prefix applied to the generated project ID (only used when "project" is empty).
variable "project_prefix" {
  description = "String value to prefix the generated project ID with."
  type        = string
  default     = "vault-"
}
# Billing account attached to a generated project. No default: the caller must
# supply it explicitly.
variable "billing_account" {
  description = "Billing account ID."
  type        = string
}
# Organization under which a generated project is created. No default: the
# caller must supply it explicitly.
variable "org_id" {
  description = "Organization ID."
  type        = string
}
# Compute machine type for the GKE worker nodes.
variable "kubernetes_instance_type" {
  description = "Instance type to use for the nodes."
  type        = string
  default     = "n1-standard-2"
}
# Baseline IAM roles bound to the node service account. The defaults are
# write-only telemetry roles plus monitoring read; keep this list minimal, since
# every workload on the nodes can use the node identity unless workload identity
# is configured elsewhere (not visible in this file).
variable "service_account_iam_roles" {
  description = "List of IAM roles to assign to the service account."
  type        = list(string)
  default = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ]
}
# Extra IAM roles bound to the node service account on top of
# service_account_iam_roles. Nothing here constrains what may be added, so a
# broad role (e.g. a project-level editor role) granted via this variable widens
# the blast radius of any pod that can reach the node credentials. Review
# additions against least privilege.
variable "service_account_custom_iam_roles" {
  description = "List of arbitrary additional IAM roles to attach to the service account on the Vault nodes."
  type        = list(string)
  default     = []
}
# Google APIs enabled on the target project. The defaults cover KMS (Vault
# auto-unseal / init key), resource manager, GKE, Compute, IAM and telemetry.
variable "project_services" {
  description = "List of services to enable on the project."
  type        = list(string)
  default = [
    "cloudkms.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "container.googleapis.com",
    "compute.googleapis.com",
    "iam.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
  ]
}
# Roles granted on the storage bucket (presumably Vault's GCS storage backend;
# the bucket resource itself is declared elsewhere). objectAdmin allows both
# reading and deleting Vault's encrypted storage objects, so the principal these
# roles are bound to should be the Vault identity only.
variable "storage_bucket_roles" {
  description = "List of storage bucket roles."
  type        = list(string)
  default = [
    "roles/storage.legacyBucketReader",
    "roles/storage.objectAdmin",
  ]
}
#
# KMS options
# ------------------------------
# Prefix for the generated KMS key ring name. Preferred over the legacy
# kms_key_ring variable.
variable "kms_key_ring_prefix" {
  description = "String value to prefix the generated key ring with."
  type        = string
  default     = "vault-"
}
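# Legacy override for the full KMS key ring name. Retained only so existing
# deployments keep the same key ring (KMS key rings cannot be deleted or
# renamed, so changing the name would create a new ring and orphan the old
# keys). New configurations should use kms_key_ring_prefix.
variable "kms_key_ring" {
  description = "String value to use for the name of the KMS key ring. This exists for backwards-compatibility for users of the existing configurations. Please use kms_key_ring_prefix instead."
  type        = string
  default     = ""
}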
# Name of the KMS crypto key used by the Vault init process (see
# vault_init_container). Like the key ring, crypto keys cannot be deleted, so
# renaming creates a new key rather than replacing the old one.
variable "kms_crypto_key" {
  description = "String value to use for the name of the KMS crypto key."
  type        = string
  default     = "vault-init"
}
#
# Kubernetes options
# ------------------------------
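# Node count per zone; the cluster total is this value multiplied by the number
# of zones in "region". The description previously referred to a non-existent
# "num_nodes_per_zone" variable; it now names this variable.
variable "kubernetes_nodes_per_zone" {
  description = "Number of nodes to deploy in each zone of the Kubernetes cluster. For example, if there are 4 zones in the region and kubernetes_nodes_per_zone is 2, 8 total nodes will be created."
  type        = number
  default     = 1
}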
# Start time of the daily GKE maintenance window. NOTE(review): the value is
# passed through as-is; GKE interprets it in a fixed format and time zone —
# confirm the expected format against the cluster resource before changing it.
variable "kubernetes_daily_maintenance_window" {
  description = "Maintenance window for GKE."
  type        = string
  default     = "06:00"
}
# Logging backend wired into the GKE cluster. Disabling logging here (e.g. by
# setting "none") removes the audit trail for the nodes hosting Vault.
variable "kubernetes_logging_service" {
  description = "Name of the logging service to use. By default this uses the new Stackdriver GKE beta."
  type        = string
  default     = "logging.googleapis.com/kubernetes"
}
# Monitoring backend wired into the GKE cluster.
variable "kubernetes_monitoring_service" {
  description = "Name of the monitoring service to use. By default this uses the new Stackdriver GKE beta."
  type        = string
  default     = "monitoring.googleapis.com/kubernetes"
}
# Primary range of the cluster subnetwork. The four default ranges in this file
# (subnet 10.0.96.0/22, pods 10.0.92.0/22, services 10.0.88.0/22, masters
# 10.0.82.0/28) are disjoint; keep them that way when overriding any of them.
variable "kubernetes_network_ipv4_cidr" {
  description = "IP CIDR block for the subnetwork. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
  type        = string
  default     = "10.0.96.0/22"
}
# Secondary range for pod IPs. Must not overlap the subnet, services or master
# ranges.
variable "kubernetes_pods_ipv4_cidr" {
  description = "IP CIDR block for pods. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
  type        = string
  default     = "10.0.92.0/22"
}
# Name of the KMS crypto key for encrypting Kubernetes secrets at rest.
# NOTE(review): presumably this feeds GKE's application-layer (etcd) secrets
# encryption — confirm against the cluster resource. Crypto keys cannot be
# deleted, so renaming creates a new key.
variable "kubernetes_secrets_crypto_key" {
  description = "Name of the KMS key to use for encrypting the Kubernetes database."
  type        = string
  default     = "kubernetes-secrets"
}
# Secondary range for ClusterIP services. Must not overlap the subnet, pod or
# master ranges.
variable "kubernetes_services_ipv4_cidr" {
  description = "IP CIDR block for services. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
  type        = string
  default     = "10.0.88.0/22"
}
# Range for the private control-plane endpoint; must be exactly a /28.
variable "kubernetes_masters_ipv4_cidr" {
  description = "IP CIDR block for the Kubernetes master nodes. This must be exactly /28 and cannot overlap with any other IP CIDR ranges."
  type        = string
  default     = "10.0.82.0/28"
}
# Source CIDRs allowed to reach the Kubernetes API server.
#
# SECURITY: the default exposes the control plane to the whole internet
# (0.0.0.0/0). That is an insecure baseline, not a recommendation — every
# deployment should override it with the specific CIDRs that need API access.
# The default is left unchanged here only because tightening it would alter
# existing deployments on their next apply; treat an unset value as a finding.
variable "kubernetes_master_authorized_networks" {
  description = "List of CIDR blocks to allow access to the Kubernetes master's API endpoint. This is specified as a slice of objects, where each object has a display_name and cidr_block attribute. The default behavior is to allow anyone (0.0.0.0/0) access to the endpoint. You should restrict access to external IPs that need to access the Kubernetes cluster."

  type = list(object({
    display_name = string
    cidr_block   = string
  }))

  default = [
    {
      display_name = "Anyone"
      cidr_block   = "0.0.0.0/0"
    },
  ]
}
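# GKE release channel. This variable previously had no description, so it did
# not appear documented in "terraform plan" / module docs; one is added here.
variable "kubernetes_release_channel" {
  description = "Name of the GKE release channel the cluster subscribes to for automatic version upgrades. The default (REGULAR) is the channel name passed through to GKE; the accepted values are defined by GKE."
  type        = string
  default     = "REGULAR"
}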
# This is an option used by the kubernetes provider, but is part of the Vault
# security posture.
# Source CIDRs allowed to reach Vault's exposed IP address.
#
# SECURITY: the default (0.0.0.0/0) makes the Vault listener reachable from
# anywhere on the internet. Override it with the CIDRs that legitimately need
# Vault access; the default is kept only to avoid changing existing
# deployments on their next apply.
variable "vault_source_ranges" {
  description = "List of addresses or CIDR blocks which are allowed to connect to the Vault IP address. The default behavior is to allow anyone (0.0.0.0/0) access. You should restrict access to external IPs that need to access the Vault cluster."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}
#
# Vault options
# ------------------------------
# Number of Vault replicas. With kubernetes_nodes_per_zone = 1 the anti-affinity
# rules mentioned in the description can only spread pods across as many nodes
# as there are zones; size the node pool accordingly.
variable "num_vault_pods" {
  description = "Number of Vault pods to run. Anti-affinity rules spread pods across available nodes. Please use an odd number for better availability."
  type        = number
  default     = 3
}
# Vault image reference. The default pins a tag, not a digest; tags are mutable
# on the registry side, so for a reproducible, attestable deployment pass an
# image pinned by "@sha256:..." digest. The pinned version is fixed in this
# file and should be checked against current Vault releases before use.
variable "vault_container" {
  description = "Name of the Vault container image to deploy. This can be specified like \"container:version\" or as a full container URL."
  type        = string
  default     = "vault:1.2.1"
}
# Image for the init container that initializes Vault. This image handles the
# initial unseal material, so it is a supply-chain-sensitive component: pin by
# digest rather than by tag and verify the publisher before trusting it.
variable "vault_init_container" {
  description = "Name of the Vault init container image to deploy. This can be specified like \"container:version\" or as a full container URL."
  type        = string
  default     = "sethvargo/vault-init:1.0.0"
}
# Number of recovery key shares generated at init. With the defaults
# (1 share, threshold 1) a single holder can perform recovery operations alone;
# production deployments should raise both this and vault_recovery_threshold so
# that recovery requires a quorum of separate holders.
variable "vault_recovery_shares" {
  description = "Number of recovery keys to generate."
  type        = string
  default     = "1"
}
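# Number of recovery shares that must be presented together. The description
# previously referred to a non-existent "vault_recovery_keys" variable; the
# bound is against vault_recovery_shares. A threshold of 1 means no quorum —
# any single share holder can recover — so raise it together with the share
# count for production.
variable "vault_recovery_threshold" {
  description = "Number of recovery keys required for quorum. This must be less than or equal to \"vault_recovery_shares\"."
  type        = string
  default     = "1"
}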