# ------------------------------------------------------------------------------
# Required parameters
#
# You must provide a value for each of these parameters.
# ------------------------------------------------------------------------------
# Required. Destination S3 bucket for the CloudWatch logs that CDM ingests.
variable "cdm_cloudwatch_bucket_name" {
  type        = string
  nullable    = false
  description = "The name of the S3 bucket that will receive logs from CloudWatch so that they can later be ingested by CDM (e.g. \"cdm-cloudwatch-logs\")."
}
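# Required. CIDR block on the CDM side of the site-to-site VPN.
variable "cdm_cidr" {
  description = "The CIDR block on the CDM end of the site-to-site VPN tunnel (e.g. \"10.201.0.0/16\")."
  nullable    = false
  type        = string

  validation {
    # cidrhost() errors on anything that is not a syntactically valid CIDR
    # prefix, so a malformed value is rejected at plan time rather than by
    # the VPN route resources at apply time.
    condition     = can(cidrhost(var.cdm_cidr, 0))
    error_message = "The cdm_cidr value must be a valid CIDR block (e.g. \"10.201.0.0/16\")."
  }
}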
# Required. Description text for the policy that lets the CDM user assume
# the CloudTrail-access role.
variable "cdm_cloudtrail_assume_role_policy_description" {
  type        = string
  nullable    = false
  description = "The description to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., \"The IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data in the AccountName account.\")."
}
# Required. Name of the policy that lets the CDM user assume the
# CloudTrail-access role.
variable "cdm_cloudtrail_assume_role_policy_name" {
  type        = string
  nullable    = false
  description = "The name to associate with the IAM policy that allows the CDM user to assume the IAM role that allows access to the CDM CloudTrail data (e.g., \"ACCTNAME-AssumeCdmCloudTrail\")."
}
# Required. DNS server addresses on the CDM side.
variable "cdm_dns_ips" {
  type        = list(string)
  nullable    = false
  description = "The DNS server IPs for the CDM environment (e.g. [\"100.200.75.25\", \"100.200.100.50\"])."
}
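# Required. Domains on the CDM side; element 0 is treated as the main domain.
variable "cdm_domains" {
  description = "The domains for the CDM environment (e.g. [\"thulsa.example.com\", \"doom.example.com\", \"222.111.10.in-addr.arpa\"]). The first domain listed should be the main CDM domain, as it will be used as an additional search domain for DNS lookups."
  nullable    = false
  type        = list(string)

  validation {
    # The description relies on the first element existing, so an empty list
    # is a misconfiguration; fail at plan time with a clear message.
    condition     = length(var.cdm_domains) > 0
    error_message = "The cdm_domains value must contain at least one domain; the first entry is used as the main CDM domain."
  }
}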
# Required. CDM-side endpoint address of the site-to-site VPN tunnel.
variable "cdm_tunnel_ip" {
  type        = string
  nullable    = false
  description = "The IP address of the site-to-site VPN tunnel endpoint on the CDM side (e.g. \"100.200.75.25\")."
}
# Required. IAM user name on the CDM side that assumes the CloudTrail role.
variable "cdm_user_name" {
  type        = string
  nullable    = false
  description = "The user name of the CDM user who will assume the role to access the CloudTrail data."
}
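# Required. Site-to-site VPN pre-shared key.
#
# This is a secret, so it is marked sensitive: Terraform then redacts it from
# plan/apply output and from the outputs of anything derived from it. Note
# that `sensitive` does not encrypt the value in state, so the state backend
# still needs to be protected. The validation enforces the format the
# description documents, so a bad key fails at plan time instead of at apply.
variable "cdm_vpn_preshared_key" {
  description = "The pre-shared key to use for setting up the site-to-site VPN connection between the COOL and CDM. This must be a string of 36 characters, which can include alphanumerics, periods, and underscores (e.g. \"abcdefghijklmnopqrstuvwxyz01234567._\")."
  nullable    = false
  sensitive   = true
  type        = string

  validation {
    # Exactly 36 characters drawn from [A-Za-z0-9._], as documented above.
    condition     = can(regex("^[A-Za-z0-9._]{36}$", var.cdm_vpn_preshared_key))
    error_message = "The cdm_vpn_preshared_key value must be exactly 36 characters long and consist only of alphanumerics, periods, and underscores."
  }
}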
# ------------------------------------------------------------------------------
# Optional parameters
#
# These parameters have reasonable defaults.
# ------------------------------------------------------------------------------
# Optional. Region of the Shared Services account.
variable "aws_region" {
  type        = string
  default     = "us-east-1"
  nullable    = false
  description = "The AWS region where the Shared Services account resides (e.g. \"us-east-1\")."
}
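# Optional. SQS queue fed by S3 object-created events; the dead-letter queue
# name is derived from it by appending "-dead-letter".
variable "cloudwatch_logs_sqs_queue_name" {
  default     = "cdm-cloudwatch-logs"
  description = "The name of the SQS queue that will receive CloudWatch log events when objects are added to the CDM S3 bucket (e.g. \"cdm-cloudwatch-logs\"). Note that this name will be appended with \"-dead-letter\" to create the name of the SQS dead-letter queue that receives events that could not be delivered to the main queue."
  nullable    = false
  type        = string

  validation {
    # Standard SQS queue names allow up to 80 characters of [A-Za-z0-9_-].
    # Reserve 12 of those for the "-dead-letter" suffix so the derived
    # dead-letter queue name cannot exceed the limit at apply time.
    condition     = can(regex("^[A-Za-z0-9_-]{1,68}$", var.cloudwatch_logs_sqs_queue_name))
    error_message = "The cloudwatch_logs_sqs_queue_name value must be 1-68 characters of letters, digits, hyphens, or underscores (leaving room for the \"-dead-letter\" suffix)."
  }
}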
# Optional. SNS topic that fans out S3 object-created notifications.
variable "cloudwatch_logs_sns_topic_name" {
  type        = string
  default     = "cdm-cloudwatch-logs"
  nullable    = false
  description = "The name of the SNS topic that will receive notifications from the CDM S3 bucket when objects are added to it (e.g. \"cdm-cloudwatch-logs\")."
}
# Optional. Description for the CloudWatch read-only policy.
variable "cloudwatch_policy_description" {
  type        = string
  default     = "Allows read access to the specific CloudWatch log streams in which CDM is interested."
  nullable    = false
  description = "The description to associate with the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested."
}
# Optional. Instance names whose CloudWatch log streams CDM may read; paired
# with cloudwatch_policy_log_groups.
variable "cloudwatch_policy_instances" {
  type        = list(string)
  default     = []
  nullable    = false
  description = "Each string corresponds to the name of an instance, which itself corresponds to a CloudWatch log stream to which CDM is to be allowed read access. (The name of the instance should be as it appears in the CloudWatch log stream; in some cases this is the FQDN and in others it is just the hostname.) The selected CloudWatch log groups in which these streams reside are defined by the variable cloudwatch_policy_log_groups."
}
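# Optional. Log groups in which CDM may read selected streams; the stream
# selection comes from cloudwatch_policy_instances (this file declares no
# variable named cloudwatch_policy_log_streams).
variable "cloudwatch_policy_log_groups" {
  default     = []
  description = "Each string corresponds to the name of a CloudWatch log group for which CDM is to be allowed read access for selected CloudWatch log streams. The selected CloudWatch log streams inside these log groups to which CDM is to be allowed access are defined by the variable cloudwatch_policy_instances."
  nullable    = false
  type        = list(string)
}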
# Optional. Name for the CloudWatch read-only policy.
variable "cloudwatch_policy_name" {
  type        = string
  default     = "CdmCloudWatchReadOnly"
  nullable    = false
  description = "The name to assign the IAM policy that allows read access to the specific CloudWatch log streams in which CDM is interested."
}
# Optional. Description for the CloudWatch-to-Firehose policy/role.
variable "cloudwatch_to_firehose_role_description" {
  type        = string
  default     = "The IAM policy/role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM."
  nullable    = false
  description = "The description to associate with the IAM policy and role that allows CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM."
}
# Optional. Name for the CloudWatch-to-Firehose policy/role.
variable "cloudwatch_to_firehose_role_name" {
  type        = string
  default     = "CdmCloudWatchLogsToFirehose"
  nullable    = false
  description = "The name to assign the IAM policy and role that allow CloudWatch to deliver CDM log events to the Firehose delivery stream that will send them to an S3 bucket for ingestion into CDM."
}
# Optional. Firehose delivery stream between CloudWatch and the CDM bucket.
variable "firehose_delivery_stream_name" {
  type        = string
  default     = "cdm-cloudwatch-logs"
  nullable    = false
  description = "The name to assign the Firehose delivery stream that will receive the CloudWatch log events and send them to the CDM S3 bucket."
}
# Optional. Description for the Firehose-to-S3 policy/role.
variable "firehose_to_s3_role_description" {
  type        = string
  default     = "The IAM policy/role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM."
  nullable    = false
  description = "The description to associate with the IAM policy and role that allows Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM."
}
# Optional. Name for the Firehose-to-S3 policy/role.
variable "firehose_to_s3_role_name" {
  type        = string
  default     = "CdmFirehoseToS3"
  nullable    = false
  description = "The name to assign the IAM policy and role that allow Firehose to deliver CDM log events to the S3 bucket where they will be ingested into CDM."
}
# Optional. Account-wide provisioning role that the CDM provisioning policy
# is attached to.
variable "provisionaccount_role_name" {
  type        = string
  default     = "ProvisionAccount"
  nullable    = false
  description = "The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account."
}
# Optional. Description for the CDM-layer provisioning policy.
variable "provisioncdm_policy_description" {
  type        = string
  default     = "Allows provisioning of the CDM layer in the Shared Services account."
  nullable    = false
  description = "The description to associate with the IAM policy that allows provisioning of the CDM layer in the Shared Services account."
}
# Optional. Name for the CDM-layer provisioning policy.
variable "provisioncdm_policy_name" {
  type        = string
  default     = "ProvisionCdm"
  nullable    = false
  description = "The name to assign the IAM policy that allows provisioning of the CDM layer in the Shared Services account."
}
# Optional. Tag map applied to every resource this module creates.
variable "tags" {
  type        = map(string)
  default     = {}
  nullable    = false
  description = "Tags to apply to all AWS resources created."
}