##############################################################################
# Account Variables
##############################################################################
# Platform credential; marked sensitive so it is redacted from plan/apply output.
variable "ibmcloud_api_key" {
  type        = string
  sensitive   = true
  description = "The IBM Cloud platform API key needed to deploy IAM enabled resources."
}
# Resource name prefix: lowercase alphanumerics and '-', starts with a letter,
# ends with a letter or digit, at most 16 characters.
variable "prefix" {
  type        = string
  description = "A unique identifier for resources that is prepended to resources that are provisioned. Must begin with a lowercase letter and end with a lowercase letter or number. Must be 16 or fewer characters."

  validation {
    condition = (
      length(var.prefix) <= 16
      && can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))
    )
    error_message = "Prefix must begin with a lowercase letter and contain only lowercase letters, numbers, and - characters. Prefixes must end with a lowercase letter or number and be 16 or fewer characters."
  }
}
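# Optional public key used when creating VSIs. Only the ssh-rsa key type is
# accepted by the validation below; key size (2048/4096) is not checked here.
variable "ssh_public_key" {
  description = "Public SSH Key for VSI creation. Must be an RSA key with a key size of either 2048 bits or 4096 bits (recommended). Must be a valid SSH key that does not already exist in the deployment region."
  type        = string
  default     = null

  validation {
    error_message = "Public SSH Key must be a valid ssh rsa public key."
    # Anchored with ^ so the value must start with the key type. The previous
    # unanchored pattern accepted any string that merely contained an ssh-rsa
    # key somewhere inside it. No $ anchor, so a trailing newline from file()
    # is still tolerated.
    condition = var.ssh_public_key == null || can(regex("^ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} ?([^@]+@[^@]+)?", var.ssh_public_key))
  }
}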
# Name of a key already present in the account; null when none is reused.
variable "existing_ssh_key_name" {
  type        = string
  default     = null
  description = "The name of the public ssh key which already exists."
}
# Required: no default, the caller must pick a region.
variable "region" {
  type        = string
  description = "Region where VPC will be created. To find your VPC region, use `ibmcloud is regions` command to find available regions."
}
# Free-form tags; empty by default.
variable "tags" {
  type        = list(string)
  default     = []
  description = "List of resource tags to apply to resources created by this module."
}
##############################################################################
##############################################################################
# VPC Variables
##############################################################################
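# CIDR that network ACL rules are derived from.
variable "network_cidr" {
  description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning."
  type        = string
  default     = "10.0.0.0/8"

  validation {
    error_message = "network_cidr must be a valid CIDR block, for example 10.0.0.0/8."
    # cidrhost() fails on anything that is not a well-formed prefix, so a typo
    # is caught at plan time rather than surfacing as a malformed ACL rule.
    condition = can(cidrhost(var.network_cidr, 0))
  }
}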
# VPC names; the first entry is the management VPC per the description.
variable "vpcs" {
  type        = list(string)
  default     = ["management", "workload"]
  description = "List of VPCs to create. The first VPC in this list will always be considered the `management` VPC, and will be where the VPN Gateway is connected. VPCs names can only be a maximum of 16 characters and can only contain lowercase letters, numbers, and - characters. VPC names must begin with a lowercase letter and end with a lowercase letter or number."

  validation {
    # Every name must be <= 16 chars and match the name pattern. alltrue([]) is
    # true, so an empty list passes exactly as the length(...) == 0 form did.
    condition = alltrue([
      for vpc_name in var.vpcs :
      length(vpc_name) <= 16 && can(regex("^([a-z]|[a-z][-a-z0-9]*[a-z0-9])$", vpc_name))
    ])
    error_message = "VPCs names can only be a maximum of 16 characters and can only contain lowercase letters, numbers, and - characters. Names must also begin with a lowercase letter and end with a lowercase letter or number."
  }
}
# Transit gateway is created unless explicitly disabled.
variable "enable_transit_gateway" {
  type        = bool
  default     = true
  description = "Create transit gateway"
}
# Only meaningful when enable_transit_gateway is true (see description).
variable "transit_gateway_global" {
  type        = bool
  default     = false
  description = "Connect to the networks outside the associated region. Will only be used if transit gateway is enabled."
}
# Toggle for the Activity Tracker route (one route per zone limit, per description).
variable "add_atracker_route" {
  type        = bool
  default     = true
  description = "Atracker can only have one route per zone. use this value to disable or enable the creation of atracker route"
}
##############################################################################
##############################################################################
# Key Management Variables
##############################################################################
# null selects Key Protect instead of an HPCS instance.
variable "hs_crypto_instance_name" {
  type        = string
  default     = null
  description = "Specify the name of the Hyper Protect Crypto Services instance for key management. Leave as null to use the Key Protect service."
}
# Resource group of the HPCS instance named in hs_crypto_instance_name.
variable "hs_crypto_resource_group" {
  type        = string
  default     = null
  description = "For Hyper Protect Crypto Services (HPCS), specify the name of the resource group for the instance in `hs_crypto_instance_name`. Leave as null for the `Default` resource group or if not using HPCS."
}
##############################################################################
##############################################################################
# COS Variables
##############################################################################
# Random suffix helps avoid COS name collisions across deployments.
variable "use_random_cos_suffix" {
  type        = bool
  default     = true
  description = "Add a random 8 character string to the end of each cos instance, bucket, and key."
}
##############################################################################
##############################################################################
# Virtual Server Variables
##############################################################################
# Image for the regular VSIs.
variable "vsi_image_name" {
  type        = string
  default     = "ibm-ubuntu-24-04-6-minimal-amd64-2"
  description = "VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see availabled images."
}
# Instance profile for the regular VSIs.
variable "vsi_instance_profile" {
  type        = string
  default     = "cx2-4x8"
  description = "VSI image profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles."
}
# Count of VSIs per subnet; no validation is applied to this number.
variable "vsi_per_subnet" {
  type        = number
  default     = 1
  description = "Number of Virtual Servers to create on each VSI subnet."
}
##############################################################################
##############################################################################
# Cluster Variables
##############################################################################
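# Zone count per VPC for clusters.
variable "cluster_zones" {
  description = "Number of zones to provision clusters for each VPC. At least one zone is required. Can be 1, 2, or 3 zones."
  type        = number
  default     = 3

  validation {
    error_message = "Cluster can be provisioned only across 1, 2, or 3 zones."
    # contains() also rejects non-integer values such as 2.5, which the
    # previous open-range check (> 0 && < 4) let through.
    condition = contains([1, 2, 3], var.cluster_zones)
  }
}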
# "default" delegates version choice to the service (see description).
variable "kube_version" {
  type        = string
  default     = "default"
  description = "The version of the OpenShift cluster that should be provisioned (format 4.x). This is only used during initial cluster provisioning, but ignored for future updates. Supports passing the string 'default' (current IKS default recommended version). If no value is passed, it will default to 'default'."
}
# Worker node machine type.
variable "flavor" {
  type        = string
  default     = "bx2.16x64"
  description = "Machine type for cluster. Use the IBM Cloud CLI command `ibmcloud ks flavors` to find valid machine types"
}
# Immutable after provisioning, per the description.
variable "secondary_storage" {
  type        = string
  default     = null
  description = "Optionally specify a secondary storage option to attach to all cluster worker nodes. This value is immutable and can't be changed after provisioning. Use the IBM Cloud CLI command ibmcloud ks flavors to find valid options, e.g ibmcloud ks flavor get --flavor bx2.16x64 --provider vpc-gen2 --zone us-south-1."
}
# NOTE(review): the description states OpenShift needs at least 2 workers, but
# no validation block enforces a minimum here.
variable "workers_per_zone" {
  type        = number
  default     = 2
  description = "Number of workers in each zone of the cluster. OpenShift requires at least 2 workers."
}
# Only applied at cluster creation (see description).
variable "entitlement" {
  type        = string
  default     = null
  description = "Reduces the cost of additional OCP in OpenShift clusters. If you do not have an entitlement, leave as null. Use Cloud Pak with OCP License entitlement to create the OpenShift cluster. Specify `cloud_pak` only if you use the cluster with a Cloud Pak that has an OpenShift entitlement. The value is set only when the cluster is created."
}
# Stage at which cluster creation is treated as complete.
variable "wait_till" {
  type        = string
  default     = "IngressReady"
  description = "To avoid long wait times when you run your Terraform code, you can specify the stage when you want Terraform to mark the cluster resource creation as completed. Depending on what stage you choose, the cluster creation might not be fully completed and continues to run in the background. However, your Terraform code can continue to run without waiting for the cluster to be fully created. Supported args are `MasterNodeReady`, `OneWorkerNodeReady`, and `IngressReady`"

  validation {
    condition     = contains(["MasterNodeReady", "OneWorkerNodeReady", "IngressReady"], var.wait_till)
    error_message = "`wait_till` value must be one of `MasterNodeReady`, `OneWorkerNodeReady`, or `IngressReady`."
  }
}
# Exposing these two variables is necessary since GitHub Runtime cannot execute the verify_worker_network_readiness script during the upgrade test. We can remove these variables once we enable the ability to run upgrade tests through Schematics.
# Disable when the runtime has no kubectl access to the cluster.
variable "verify_worker_network_readiness" {
  description = "By setting this to true, a script will run kubectl commands to verify that all worker nodes can communicate successfully with the master. If the runtime does not have access to the kube cluster to run kubectl commands, this should be set to false."
  type        = bool
  default     = true
}
# Private endpoints are the default; set false only when they are unreachable.
variable "use_private_endpoint" {
  description = "Set this to true to force all api calls to use the IBM Cloud private endpoints."
  type        = bool
  default     = true
}
##############################################################################
##############################################################################
# F5 Variables
##############################################################################
# Mutually exclusive with create_f5_network_on_management_vpc (see description);
# that exclusion is not enforced by a validation block in this file.
variable "add_edge_vpc" {
  type        = bool
  default     = false
  description = "Create an edge VPC. This VPC will be dynamically added to the list of VPCs in `var.vpcs`. Conflicts with `create_f5_network_on_management_vpc` to prevent overlapping subnet CIDR blocks."
}
# Mutually exclusive with add_edge_vpc (see description).
variable "create_f5_network_on_management_vpc" {
  type        = bool
  default     = false
  description = "Set up bastion on management VPC. This value conflicts with `add_edge_vpc` to prevent overlapping subnet CIDR blocks."
}
# Place the Teleport VSI in the F5 network's bastion tier.
variable "provision_teleport_in_f5" {
  type        = bool
  default     = false
  description = "Provision teleport VSI in `bastion` subnet tier of F5 network if able."
}
# Bastion/firewall mode; null means no bastion.
variable "vpn_firewall_type" {
  type        = string
  default     = null
  description = "Bastion type if provisioning bastion. Can be `full-tunnel`, `waf`, or `vpn-and-waf`."

  validation {
    # null is accepted outright; anything else must be one of the three modes.
    condition = (
      var.vpn_firewall_type == null
      ? true
      : contains(["full-tunnel", "waf", "vpn-and-waf"], var.vpn_firewall_type)
    )
    error_message = "Bastion type must be `full-tunnel`, `waf`, `vpn-and-waf` or `null`."
  }
}
# F5 BIG-IP image; the allowed list is repeated in the condition because a
# variable validation may only reference the variable itself.
variable "f5_image_name" {
  type        = string
  default     = "f5-bigip-17-0-0-1-0-0-4-all-1slot"
  description = "Image name for f5 deployments. Must be null or one of `f5-bigip-15-1-5-1-0-0-14-all-1slot`,`f5-bigip-15-1-5-1-0-0-14-ltm-1slot`, `f5-bigip-16-1-2-2-0-0-28-ltm-1slot`,`f5-bigip-16-1-2-2-0-0-28-all-1slot`,`f5-bigip-16-1-3-2-0-0-4-ltm-1slot`,`f5-bigip-16-1-3-2-0-0-4-all-1slot`,`f5-bigip-17-0-0-1-0-0-4-ltm-1slot`,`f5-bigip-17-0-0-1-0-0-4-all-1slot`]."

  validation {
    condition = var.f5_image_name == null ? true : contains([
      "f5-bigip-15-1-5-1-0-0-14-all-1slot",
      "f5-bigip-15-1-5-1-0-0-14-ltm-1slot",
      "f5-bigip-16-1-2-2-0-0-28-ltm-1slot",
      "f5-bigip-16-1-2-2-0-0-28-all-1slot",
      "f5-bigip-16-1-3-2-0-0-4-ltm-1slot",
      "f5-bigip-16-1-3-2-0-0-4-all-1slot",
      "f5-bigip-17-0-0-1-0-0-4-ltm-1slot",
      "f5-bigip-17-0-0-1-0-0-4-all-1slot",
    ], var.f5_image_name)
    error_message = "Invalid F5 image name. Must be null or one of `f5-bigip-15-1-5-1-0-0-14-all-1slot`,`f5-bigip-15-1-5-1-0-0-14-ltm-1slot`, `f5-bigip-16-1-2-2-0-0-28-ltm-1slot`,`f5-bigip-16-1-2-2-0-0-28-all-1slot`,`f5-bigip-16-1-3-2-0-0-4-ltm-1slot`,`f5-bigip-16-1-3-2-0-0-4-all-1slot`,`f5-bigip-17-0-0-1-0-0-4-ltm-1slot`,`f5-bigip-17-0-0-1-0-0-4-all-1slot`]."
  }
}
# Instance profile for the F5 VSI.
variable "f5_instance_profile" {
  type        = string
  default     = "cx2-4x8"
  description = "F5 vsi instance profile. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles."
}
# BIG-IP hostname.
variable "hostname" {
  type        = string
  default     = "f5-ve-01"
  description = "The F5 BIG-IP hostname"
}
# BIG-IP DNS domain.
variable "domain" {
  type        = string
  default     = "local"
  description = "The F5 BIG-IP domain name"
}
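# BIG-IP admin password; sensitive so it is redacted from plan/apply output.
# Complexity rule: >= 15 chars with at least one upper, one lower, one digit.
variable "tmos_admin_password" {
  description = "admin account password for the F5 BIG-IP instance"
  type        = string
  sensitive   = true
  default     = null

  validation {
    # The message previously said "tmos_password", which does not match this
    # variable's name; it now names the variable the user actually has to fix.
    error_message = "Value for tmos_admin_password must be at least 15 characters, contain one numeric, one uppercase, and one lowercase character."
    condition = var.tmos_admin_password == null ? true : (
      length(var.tmos_admin_password) >= 15
      && can(regex("[A-Z]", var.tmos_admin_password))
      && can(regex("[a-z]", var.tmos_admin_password))
      && can(regex("[0-9]", var.tmos_admin_password))
    )
  }
}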
# Licensing mode for the BIG-IP instance.
variable "license_type" {
  type        = string
  default     = "none"
  description = "How to license, may be 'none','byol','regkeypool','utilitypool'"

  validation {
    condition     = contains(["none", "byol", "regkeypool", "utilitypool"], var.license_type)
    error_message = "License type may be one of 'none','byol','regkeypool','utilitypool'."
  }
}
# NOTE(review): a license registration key is not marked sensitive here, so it
# appears in plain text in plan output and state diffs; consider sensitive = true
# (any output referencing it would then also need sensitive = true).
variable "byol_license_basekey" {
  type        = string
  default     = null
  description = "Bring your own license registration key for the F5 BIG-IP instance"
}
# BIG-IQ endpoint for pool licensing.
variable "license_host" {
  type        = string
  default     = null
  description = "BIGIQ IP or hostname to use for pool based licensing of the F5 BIG-IP instance"
}
# BIG-IQ user for pool licensing.
variable "license_username" {
  type        = string
  default     = null
  description = "BIGIQ username to use for the pool based licensing of the F5 BIG-IP instance"
}
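# BIG-IQ password for pool licensing. Marked sensitive so Terraform redacts it
# from plan/apply output; any output that references this value must also be
# declared sensitive = true.
variable "license_password" {
  description = "BIGIQ password to use for the pool based licensing of the F5 BIG-IP instance"
  type        = string
  sensitive   = true
  default     = null
}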
# BIG-IQ pool name.
variable "license_pool" {
  type        = string
  default     = null
  description = "BIGIQ license pool name of the pool based licensing of the F5 BIG-IP instance"
}
# Primary ELA SKU keyword.
variable "license_sku_keyword_1" {
  type        = string
  default     = null
  description = "BIGIQ primary SKU for ELA utility licensing of the F5 BIG-IP instance"
}
# Secondary ELA SKU keyword.
variable "license_sku_keyword_2" {
  type        = string
  default     = null
  description = "BIGIQ secondary SKU for ELA utility licensing of the F5 BIG-IP instance"
}
# Billing unit for utility pool licensing.
variable "license_unit_of_measure" {
  type        = string
  default     = "hourly"
  description = "BIGIQ utility pool unit of measurement"
}
# Note: the default is the literal string "null", not a null value.
variable "do_declaration_url" {
  type        = string
  default     = "null"
  description = "URL to fetch the f5-declarative-onboarding declaration"
}
# Note: the default is the literal string "null", not a null value.
variable "as3_declaration_url" {
  type        = string
  default     = "null"
  description = "URL to fetch the f5-appsvcs-extension declaration"
}
# Note: the default is the literal string "null", not a null value.
variable "ts_declaration_url" {
  type        = string
  default     = "null"
  description = "URL to fetch the f5-telemetry-streaming declaration"
}
# Onboarding callback target; "null" string default, not a null value.
variable "phone_home_url" {
  type        = string
  default     = "null"
  description = "The URL to POST status when BIG-IP is finished onboarding"
}
# Reported in phone-home metadata.
variable "template_source" {
  type        = string
  default     = "f5devcentral/ibmcloud_schematics_bigip_multinic_declared"
  description = "The terraform template source for phone_home_url_metadata"
}
# Reported in phone-home metadata.
variable "template_version" {
  type        = string
  default     = "20210201"
  description = "The terraform template version for phone_home_url_metadata"
}
# Reported in phone-home metadata; "null" string default.
variable "app_id" {
  type        = string
  default     = "null"
  description = "The terraform application id for phone_home_url_metadata"
}
# NOTE(review): defaults to "" while the sibling tgstandby_url / tgrefresh_url
# variables default to the string "null"; confirm the consumer treats both alike.
variable "tgactive_url" {
  description = "The URL to POST L3 addresses when tgactive is triggered"
  type        = string
  default     = ""
}
# "null" string default, not a null value.
variable "tgstandby_url" {
  type        = string
  default     = "null"
  description = "The URL to POST L3 addresses when tgstandby is triggered"
}
# "null" string default, not a null value.
variable "tgrefresh_url" {
  type        = string
  default     = "null"
  description = "The URL to POST L3 addresses when tgrefresh is triggered"
}
# Mutually exclusive with enable_f5_external_fip (see description); the
# exclusion is not enforced by a validation block in this file.
variable "enable_f5_management_fip" {
  type        = bool
  default     = false
  description = "Enable F5 management interface floating IP. Conflicts with `enable_f5_external_fip`, VSI can only have one floating IP per instance."
}
# Mutually exclusive with enable_f5_management_fip (see description).
variable "enable_f5_external_fip" {
  type        = bool
  default     = false
  description = "Enable F5 external interface floating IP. Conflicts with `enable_f5_management_fip`, VSI can only have one floating IP per instance."
}
##############################################################################
##############################################################################
# Teleport VSI Variables
##############################################################################
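# Zone count for Teleport VSIs on the management VPC; 0 disables them.
variable "teleport_management_zones" {
  description = "Number of zones to create teleport VSI on Management VPC if not using F5. If you are using F5, ignore this value."
  type        = number
  default     = 0

  validation {
    error_message = "Teleport Management Zones can only be 0, 1, 2, or 3."
    # contains() also rejects non-integer values such as 1.5, which the
    # previous range check (>= 0 && < 4) let through.
    condition = contains([0, 1, 2, 3], var.teleport_management_zones)
  }
}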
# false => a new App ID instance is created.
variable "use_existing_appid" {
  type        = bool
  default     = false
  description = "Use an existing appid instance. If this is false, one will be automatically created."
}
# App ID instance name.
variable "appid_name" {
  type        = string
  default     = "appid"
  description = "Name of appid instance."
}
# Only consulted when use_existing_appid is true (see description).
variable "appid_resource_group" {
  type        = string
  default     = null
  description = "Resource group for existing appid instance. This value is ignored if a new instance is created."
}
# Instance profile for Teleport VSIs.
variable "teleport_instance_profile" {
  type        = string
  default     = "cx2-4x8"
  description = "Machine type for Teleport VSI instances. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available image profiles."
}
# Image for Teleport VSIs.
variable "teleport_vsi_image_name" {
  type        = string
  default     = "ibm-ubuntu-24-04-6-minimal-amd64-2"
  description = "Teleport VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see availabled images."
}
# NOTE(review): this holds the full PEM license contents but is not marked
# sensitive, so it is printed in plan output; consider sensitive = true.
variable "teleport_license" {
  type        = string
  default     = null
  description = "The contents of the PEM license file"
}
# Public certificate for the bastion's HTTPS endpoint (not secret).
variable "https_cert" {
  type        = string
  default     = null
  description = "The https certificate used by bastion host for teleport"
}
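# TLS private key for the bastion's HTTPS endpoint. Marked sensitive so the key
# material is redacted from plan/apply output; any output referencing it must
# also be declared sensitive = true.
variable "https_key" {
  description = "The https private key used by bastion host for teleport"
  type        = string
  sensitive   = true
  default     = null
}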
# Bastion host name.
variable "teleport_hostname" {
  type        = string
  default     = null
  description = "The name of the instance or bastion host"
}
# Bastion DNS domain.
variable "teleport_domain" {
  type        = string
  default     = null
  description = "The domain of the bastion host"
}
# Pinned Teleport Enterprise version.
variable "teleport_version" {
  type        = string
  default     = "7.1.0"
  description = "Version of Teleport Enterprise to use"
}
# Login banner text.
variable "message_of_the_day" {
  type        = string
  default     = null
  description = "Banner message that is exposed to the user at authentication time"
}
# Admin contact for the Teleport VSI; no format validation is applied.
variable "teleport_admin_email" {
  type        = string
  default     = null
  description = "Email for teleport vsi admin."
}
##############################################################################
##############################################################################
# s2s variables
##############################################################################
# Skip only the block-storage -> KMS authorization policy.
variable "skip_kms_block_storage_s2s_auth_policy" {
  type        = bool
  default     = false
  description = "Whether to skip the creation of a service-to-service authorization policy between block storage and the key management service."
}
# When true, the caller is responsible for pre-creating every s2s policy.
variable "skip_all_s2s_auth_policies" {
  type        = bool
  default     = false
  description = "Whether to skip the creation of all of the service-to-service authorization policies. If setting to true, policies must be in place on the account before provisioning."
}
##############################################################################
##############################################################################
# KMS and App ID variables
##############################################################################
# Endpoint exposure for KMS / App ID.
variable "service_endpoints" {
  type        = string
  default     = "public-and-private"
  description = "Service endpoints. Can be `public`, `private`, or `public-and-private`"

  validation {
    condition     = contains(["public", "private", "public-and-private"], var.service_endpoints)
    error_message = "Service endpoints can only be `public`, `private`, or `public-and-private`."
  }
}
##############################################################################
##############################################################################
# Override JSON
##############################################################################
# Enables reading override.json (see description).
variable "override" {
  type        = bool
  default     = false
  description = "Override default values with custom JSON template. This uses the file `override.json` to allow users to create a fully customized environment."
}
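# Inline JSON override; an empty string means "no override".
variable "override_json_string" {
  description = "Override default values with a JSON object. Any JSON other than an empty string overrides other configuration changes. You can use the [landing zone configuration tool](https://terraform-ibm-modules.github.io/landing-zone-config-tool/#/home) to create the JSON."
  type        = string
  default     = ""

  validation {
    error_message = "override_json_string must be an empty string or valid JSON."
    # Fail at plan time on malformed JSON rather than wherever the module
    # first decodes the string.
    condition = var.override_json_string == "" || can(jsondecode(var.override_json_string))
  }
}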
##############################################################################
##############################################################################
# Schematics Output
##############################################################################
# Upper-case name is required because Schematics injects it under this exact
# name; hence the lint exemption.
# tflint-ignore: terraform_naming_convention
variable "IC_SCHEMATICS_WORKSPACE_ID" {
  type        = string
  default     = ""
  description = "leave blank if running locally. This variable will be automatically populated if running from an IBM Cloud Schematics workspace"
}
##############################################################################
##############################################################################
# CBR variables
##############################################################################
# Pre-existing CBR network zone scoped to the VPC; null disables that rule input.
variable "existing_vpc_cbr_zone_id" {
  description = "ID of the existing CBR (Context-based restrictions) network zone, with context set to the VPC. This zone is used in a CBR rule, which allows traffic to flow only from the landing zone VPCs to specific cloud services."
  type        = string
  default     = null
}
##############################################################################