# Target VPC for the Virtual Private Gateway attachment.
variable "vpc_id" {
  description = "The ID of the VPC to which the Virtual Private Gateway will be attached"
  type        = string
  default     = null
}
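# ASN used by the Amazon side of the Virtual Private Gateway.
variable "vpn_gateway_amazon_side_asn" {
  type        = number
  description = "The Autonomous System Number (ASN) for the Amazon side of the VPN gateway. If you don't specify an ASN, the Virtual Private Gateway is created with the default ASN"
  default     = 64512

  # AWS only accepts a private ASN here: 16-bit 64512-65534 or 32-bit 4200000000-4294967294.
  # The null branch is evaluated lazily so an explicit null does not trip the comparison.
  validation {
    condition = var.vpn_gateway_amazon_side_asn == null ? true : (
      (var.vpn_gateway_amazon_side_asn >= 64512 && var.vpn_gateway_amazon_side_asn <= 65534) ||
      (var.vpn_gateway_amazon_side_asn >= 4200000000 && var.vpn_gateway_amazon_side_asn <= 4294967294)
    )
    error_message = "vpn_gateway_amazon_side_asn must be a private ASN in 64512-65534 or 4200000000-4294967294."
  }
}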
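# BGP ASN advertised by the on-premises customer gateway.
variable "customer_gateway_bgp_asn" {
  # Explicit type: the original block relied on inference from the numeric default,
  # which let a caller pass arbitrary values without a type check.
  type        = number
  description = "The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN)"
  default     = 65000
}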
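# Public endpoint of the customer gateway; required, no default.
variable "customer_gateway_ip_address" {
  type        = string
  description = "The IP address of the gateway's Internet-routable external interface"

  # Reject anything that is not a syntactically valid IPv4 address at plan time
  # instead of failing inside the AWS API call.
  validation {
    condition     = can(cidrhost("${var.customer_gateway_ip_address}/32", 0))
    error_message = "customer_gateway_ip_address must be a valid IPv4 address."
  }
}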
# Route tables that receive propagated routes from the Virtual Private Gateway.
variable "route_table_ids" {
  description = "The IDs of the route tables for which routes from the Virtual Private Gateway will be propagated"
  type        = list(string)
  default     = []
}
# Static-routing toggle for customer devices without BGP support.
variable "vpn_connection_static_routes_only" {
  description = "If set to `true`, the VPN connection will use static routes exclusively. Static routes must be used for devices that don't support BGP"
  type        = bool
  default     = false
}
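# Destination prefixes for static routes over the VPN connection.
variable "vpn_connection_static_routes_destinations" {
  type        = list(string)
  description = "List of CIDR blocks to be used as destination for static routes. Routes to destinations will be propagated to the route tables defined in `route_table_ids`"
  default     = []

  # Every entry must parse as a CIDR block; an empty list is accepted.
  validation {
    condition = var.vpn_connection_static_routes_destinations == null ? true : alltrue([
      for cidr in var.vpn_connection_static_routes_destinations : can(cidrhost(cidr, 0))
    ])
    error_message = "Every entry of vpn_connection_static_routes_destinations must be a valid CIDR block."
  }
}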
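# On-premises side prefix for the VPN connection.
variable "vpn_connection_local_ipv4_network_cidr" {
  type        = string
  description = "The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection."
  default     = "0.0.0.0/0"

  # The default 0.0.0.0/0 permits any on-premises source; narrowing it to the
  # actual on-premises prefix limits what traffic the tunnel accepts.
  validation {
    condition     = var.vpn_connection_local_ipv4_network_cidr == null ? true : can(cidrhost(var.vpn_connection_local_ipv4_network_cidr, 0))
    error_message = "vpn_connection_local_ipv4_network_cidr must be a valid IPv4 CIDR block."
  }
}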
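# AWS side prefix for the VPN connection.
variable "vpn_connection_remote_ipv4_network_cidr" {
  type        = string
  description = "The IPv4 CIDR on the AWS side of the VPN connection."
  default     = "0.0.0.0/0"

  # The default 0.0.0.0/0 permits any AWS-side destination; narrowing it to the
  # VPC prefix limits what traffic the tunnel carries.
  validation {
    condition     = var.vpn_connection_remote_ipv4_network_cidr == null ? true : can(cidrhost(var.vpn_connection_remote_ipv4_network_cidr, 0))
    error_message = "vpn_connection_remote_ipv4_network_cidr must be a valid IPv4 CIDR block."
  }
}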
# Retention period for the VPN connection's log events.
# NOTE(review): CloudWatch Logs accepts only a fixed set of retention periods;
# confirm the chosen value against the provider documentation.
variable "vpn_connection_log_retention_in_days" {
  description = "Specifies the number of days you want to retain log events."
  type        = number
  default     = 30
}
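# Dead Peer Detection timeout behaviour for tunnel 1.
variable "vpn_connection_tunnel1_dpd_timeout_action" {
  type        = string
  description = "The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart."
  default     = "clear"

  # Enforce the value set stated in the description at plan time.
  validation {
    condition     = var.vpn_connection_tunnel1_dpd_timeout_action == null ? true : contains(["clear", "none", "restart"], var.vpn_connection_tunnel1_dpd_timeout_action)
    error_message = "vpn_connection_tunnel1_dpd_timeout_action must be one of: clear, none, restart."
  }
}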
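# IKE versions accepted on tunnel 1.
variable "vpn_connection_tunnel1_ike_versions" {
  type        = list(string)
  description = "The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2."
  default     = []

  # Every entry must be one of the documented values; an empty list is accepted.
  # Restricting the list to ikev2 is the stronger configuration.
  validation {
    condition = var.vpn_connection_tunnel1_ike_versions == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_ike_versions : contains(["ikev1", "ikev2"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_ike_versions must be ikev1 or ikev2."
  }
}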
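# Inside (link-local) addressing for tunnel 1; null lets AWS pick.
variable "vpn_connection_tunnel1_inside_cidr" {
  type        = string
  description = "The CIDR block of the inside IP addresses for the first VPN tunnel"
  default     = null

  # Only CIDR syntax is checked here; AWS imposes further constraints on the
  # range and prefix length, which the API reports at apply time.
  validation {
    condition     = var.vpn_connection_tunnel1_inside_cidr == null ? true : can(cidrhost(var.vpn_connection_tunnel1_inside_cidr, 0))
    error_message = "vpn_connection_tunnel1_inside_cidr must be null or a valid IPv4 CIDR block."
  }
}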
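# Phase 1 encryption algorithms offered on tunnel 1.
variable "vpn_connection_tunnel1_phase1_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16."
  default     = []

  # Enforce the documented value set; an empty list is accepted.
  validation {
    condition = var.vpn_connection_tunnel1_phase1_encryption_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase1_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}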
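# Phase 2 encryption algorithms offered on tunnel 1.
variable "vpn_connection_tunnel1_phase2_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16."
  default     = []

  # Enforce the documented value set; an empty list is accepted.
  validation {
    condition = var.vpn_connection_tunnel1_phase2_encryption_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase2_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}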
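# Phase 1 integrity algorithms offered on tunnel 1.
variable "vpn_connection_tunnel1_phase1_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512."
  default     = []

  # Enforce the documented value set; an empty list is accepted. SHA1 is
  # accepted by the API but is the weakest option listed; prefer SHA2 variants.
  validation {
    condition = var.vpn_connection_tunnel1_phase1_integrity_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase1_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}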
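# Phase 2 integrity algorithms offered on tunnel 1.
variable "vpn_connection_tunnel1_phase2_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512."
  default     = []

  # Enforce the documented value set; an empty list is accepted. SHA1 is
  # accepted by the API but is the weakest option listed; prefer SHA2 variants.
  validation {
    condition = var.vpn_connection_tunnel1_phase2_integrity_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase2_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}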
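# Phase 1 Diffie-Hellman groups offered on tunnel 1.
variable "vpn_connection_tunnel1_phase1_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24."
  default     = []

  # Enforce the documented value set; an empty list is accepted. Groups 2 and 5
  # (1024/1536-bit MODP) are accepted by the API but are weak by current
  # standards; prefer 14 or higher, or the elliptic-curve groups 19-21.
  validation {
    condition = var.vpn_connection_tunnel1_phase1_dh_group_numbers == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase1_dh_group_numbers : contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase1_dh_group_numbers must be one of 2, 5, 14-24."
  }
}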
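# Phase 2 Diffie-Hellman groups offered on tunnel 1.
variable "vpn_connection_tunnel1_phase2_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24."
  default     = []

  # Enforce the documented value set; an empty list is accepted. Groups 2 and 5
  # (1024/1536-bit MODP) are accepted by the API but are weak by current
  # standards; prefer 14 or higher, or the elliptic-curve groups 19-21.
  validation {
    condition = var.vpn_connection_tunnel1_phase2_dh_group_numbers == null ? true : alltrue([
      for v in var.vpn_connection_tunnel1_phase2_dh_group_numbers : contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel1_phase2_dh_group_numbers must be one of 2, 5, 14-24."
  }
}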
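# Pre-shared key for tunnel 1; null lets AWS generate one.
variable "vpn_connection_tunnel1_preshared_key" {
  type        = string
  description = "The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods(.) and underscores(_)"
  default     = null
  # Keep the secret out of plan output and logs. Outputs that expose this value
  # must also be marked sensitive.
  sensitive   = true

  # Mirrors the format rule stated in the description so a bad key fails at plan
  # time rather than in the API call.
  validation {
    condition     = var.vpn_connection_tunnel1_preshared_key == null ? true : can(regex("^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$", var.vpn_connection_tunnel1_preshared_key))
    error_message = "vpn_connection_tunnel1_preshared_key must be 8-64 characters of letters, digits, periods and underscores, and must not start with zero."
  }
}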
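# Which side initiates IKE for tunnel 1.
variable "vpn_connection_tunnel1_startup_action" {
  type        = string
  description = "The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start."
  default     = "add"

  # Enforce the value set stated in the description at plan time.
  validation {
    condition     = var.vpn_connection_tunnel1_startup_action == null ? true : contains(["add", "start"], var.vpn_connection_tunnel1_startup_action)
    error_message = "vpn_connection_tunnel1_startup_action must be add or start."
  }
}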
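# CloudWatch logging toggle for tunnel 1. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel1_cloudwatch_log_enabled" {
  type        = bool
  description = "Whether to send logs for the first VPN tunnel to CloudWatch Logs. Leave `null` to keep the setting unspecified."
  default     = null
}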
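# Destination log group for tunnel 1 logs. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel1_cloudwatch_log_group_arn" {
  type        = string
  description = "ARN of the CloudWatch Logs log group that receives logs for the first VPN tunnel. Leave `null` to keep the setting unspecified."
  default     = null
}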
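# Log record format for tunnel 1 logs. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel1_cloudwatch_log_output_format" {
  type        = string
  description = "Output format of the CloudWatch logs for the first VPN tunnel. Valid values are json | text. Leave `null` to keep the setting unspecified."
  default     = null

  validation {
    condition     = var.vpn_connection_tunnel1_cloudwatch_log_output_format == null ? true : contains(["json", "text"], var.vpn_connection_tunnel1_cloudwatch_log_output_format)
    error_message = "vpn_connection_tunnel1_cloudwatch_log_output_format must be null, json or text."
  }
}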
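# Dead Peer Detection timeout behaviour for tunnel 2.
variable "vpn_connection_tunnel2_dpd_timeout_action" {
  type        = string
  description = "The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart."
  default     = "clear"

  # Enforce the value set stated in the description at plan time.
  validation {
    condition     = var.vpn_connection_tunnel2_dpd_timeout_action == null ? true : contains(["clear", "none", "restart"], var.vpn_connection_tunnel2_dpd_timeout_action)
    error_message = "vpn_connection_tunnel2_dpd_timeout_action must be one of: clear, none, restart."
  }
}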
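# IKE versions accepted on tunnel 2.
variable "vpn_connection_tunnel2_ike_versions" {
  type        = list(string)
  description = "The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2."
  default     = []

  # Every entry must be one of the documented values; an empty list is accepted.
  # Restricting the list to ikev2 is the stronger configuration.
  validation {
    condition = var.vpn_connection_tunnel2_ike_versions == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_ike_versions : contains(["ikev1", "ikev2"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_ike_versions must be ikev1 or ikev2."
  }
}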
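# Inside (link-local) addressing for tunnel 2; null lets AWS pick.
variable "vpn_connection_tunnel2_inside_cidr" {
  type        = string
  description = "The CIDR block of the inside IP addresses for the second VPN tunnel"
  default     = null

  # Only CIDR syntax is checked here; AWS imposes further constraints on the
  # range and prefix length, which the API reports at apply time.
  validation {
    condition     = var.vpn_connection_tunnel2_inside_cidr == null ? true : can(cidrhost(var.vpn_connection_tunnel2_inside_cidr, 0))
    error_message = "vpn_connection_tunnel2_inside_cidr must be null or a valid IPv4 CIDR block."
  }
}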
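# Phase 1 encryption algorithms offered on tunnel 2.
variable "vpn_connection_tunnel2_phase1_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16."
  default     = []

  # Enforce the documented value set; an empty list is accepted.
  validation {
    condition = var.vpn_connection_tunnel2_phase1_encryption_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase1_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}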
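# Phase 2 encryption algorithms offered on tunnel 2.
variable "vpn_connection_tunnel2_phase2_encryption_algorithms" {
  type        = list(string)
  description = "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16."
  default     = []

  # Enforce the documented value set; an empty list is accepted.
  validation {
    condition = var.vpn_connection_tunnel2_phase2_encryption_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase2_encryption_algorithms : contains(["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_encryption_algorithms must be one of AES128, AES256, AES128-GCM-16, AES256-GCM-16."
  }
}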
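# Phase 1 integrity algorithms offered on tunnel 2.
variable "vpn_connection_tunnel2_phase1_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512."
  default     = []

  # Enforce the documented value set; an empty list is accepted. SHA1 is
  # accepted by the API but is the weakest option listed; prefer SHA2 variants.
  validation {
    condition = var.vpn_connection_tunnel2_phase1_integrity_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase1_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}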
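# Phase 2 integrity algorithms offered on tunnel 2.
variable "vpn_connection_tunnel2_phase2_integrity_algorithms" {
  type        = list(string)
  description = "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512."
  default     = []

  # Enforce the documented value set; an empty list is accepted. SHA1 is
  # accepted by the API but is the weakest option listed; prefer SHA2 variants.
  validation {
    condition = var.vpn_connection_tunnel2_phase2_integrity_algorithms == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase2_integrity_algorithms : contains(["SHA1", "SHA2-256", "SHA2-384", "SHA2-512"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_integrity_algorithms must be one of SHA1, SHA2-256, SHA2-384, SHA2-512."
  }
}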
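# Phase 1 Diffie-Hellman groups offered on tunnel 2.
variable "vpn_connection_tunnel2_phase1_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24."
  default     = []

  # Enforce the documented value set; an empty list is accepted. Groups 2 and 5
  # (1024/1536-bit MODP) are accepted by the API but are weak by current
  # standards; prefer 14 or higher, or the elliptic-curve groups 19-21.
  validation {
    condition = var.vpn_connection_tunnel2_phase1_dh_group_numbers == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase1_dh_group_numbers : contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase1_dh_group_numbers must be one of 2, 5, 14-24."
  }
}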
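# Phase 2 Diffie-Hellman groups offered on tunnel 2.
variable "vpn_connection_tunnel2_phase2_dh_group_numbers" {
  type        = list(string)
  description = "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24."
  default     = []

  # Enforce the documented value set; an empty list is accepted. Groups 2 and 5
  # (1024/1536-bit MODP) are accepted by the API but are weak by current
  # standards; prefer 14 or higher, or the elliptic-curve groups 19-21.
  validation {
    condition = var.vpn_connection_tunnel2_phase2_dh_group_numbers == null ? true : alltrue([
      for v in var.vpn_connection_tunnel2_phase2_dh_group_numbers : contains(["2", "5", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24"], v)
    ])
    error_message = "Every entry of vpn_connection_tunnel2_phase2_dh_group_numbers must be one of 2, 5, 14-24."
  }
}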
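# Pre-shared key for tunnel 2; null lets AWS generate one.
variable "vpn_connection_tunnel2_preshared_key" {
  type        = string
  description = "The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero. Allowed characters are alphanumeric characters, periods(.) and underscores(_)"
  default     = null
  # Keep the secret out of plan output and logs. Outputs that expose this value
  # must also be marked sensitive.
  sensitive   = true

  # Mirrors the format rule stated in the description so a bad key fails at plan
  # time rather than in the API call.
  validation {
    condition     = var.vpn_connection_tunnel2_preshared_key == null ? true : can(regex("^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$", var.vpn_connection_tunnel2_preshared_key))
    error_message = "vpn_connection_tunnel2_preshared_key must be 8-64 characters of letters, digits, periods and underscores, and must not start with zero."
  }
}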
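# Which side initiates IKE for tunnel 2.
variable "vpn_connection_tunnel2_startup_action" {
  type        = string
  description = "The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start."
  default     = "add"

  # Enforce the value set stated in the description at plan time.
  validation {
    condition     = var.vpn_connection_tunnel2_startup_action == null ? true : contains(["add", "start"], var.vpn_connection_tunnel2_startup_action)
    error_message = "vpn_connection_tunnel2_startup_action must be add or start."
  }
}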
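# CloudWatch logging toggle for tunnel 2. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel2_cloudwatch_log_enabled" {
  type        = bool
  description = "Whether to send logs for the second VPN tunnel to CloudWatch Logs. Leave `null` to keep the setting unspecified."
  default     = null
}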
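# Destination log group for tunnel 2 logs. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel2_cloudwatch_log_group_arn" {
  type        = string
  description = "ARN of the CloudWatch Logs log group that receives logs for the second VPN tunnel. Leave `null` to keep the setting unspecified."
  default     = null
}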
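# Log record format for tunnel 2 logs. The original description was the
# placeholder text "value".
variable "vpn_connection_tunnel2_cloudwatch_log_output_format" {
  type        = string
  description = "Output format of the CloudWatch logs for the second VPN tunnel. Valid values are json | text. Leave `null` to keep the setting unspecified."
  default     = null

  validation {
    condition     = var.vpn_connection_tunnel2_cloudwatch_log_output_format == null ? true : contains(["json", "text"], var.vpn_connection_tunnel2_cloudwatch_log_output_format)
    error_message = "vpn_connection_tunnel2_cloudwatch_log_output_format must be null, json or text."
  }
}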
# Transit Gateway to attach to instead of creating a Virtual Private Gateway.
# Note the empty-string default, unlike the null defaults used elsewhere in
# this file.
variable "existing_transit_gateway_id" {
  description = "Existing Transit Gateway ID. If provided, the module will not create a Virtual Private Gateway but instead will use the transit_gateway. For setting up transit gateway we can use the cloudposse/transit-gateway/aws module and pass the output transit_gateway_id to this variable."
  type        = string
  default     = ""
}
# Feature flag for the Transit Gateway attachment path.
variable "transit_gateway_enabled" {
  description = "Set to true to enable VPN connection to transit gateway and then pass in the existing_transit_gateway_id"
  type        = bool
  default     = false
}
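# TGW route table that the VPN attachment is associated with and propagated to.
variable "transit_gateway_route_table_id" {
  type        = string
  default     = null
  # Description typo fixed ("propogate" -> "propagate").
  description = "The ID of the route table for the transit gateway that you want to associate + propagate the VPN connection's TGW attachment"
}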
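# Static routes to add to the TGW route table for the VPN attachment, keyed by
# a caller-chosen label.
variable "transit_gateway_routes" {
  type = map(object({
    blackhole              = optional(bool, false)
    destination_cidr_block = string
  }))
  description = "A map of transit gateway routes to create on the given TGW route table (via `transit_gateway_route_table_id`) for the created VPN Attachment. Use the key in the map to describe the route."
  default     = {}

  # Every destination must parse as a CIDR block; an empty map is accepted.
  validation {
    condition = var.transit_gateway_routes == null ? true : alltrue([
      for route in values(var.transit_gateway_routes) : can(cidrhost(route.destination_cidr_block, 0))
    ])
    error_message = "Every transit_gateway_routes entry must have a valid CIDR block in destination_cidr_block."
  }
}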